
Starbucks uses Splunk for security automation to reduce the cyber staff workload

Starbucks is the world's leading coffee retailer, with a brand built on expertise and sound decisions; it is renowned for its distinctive brew and premium image.

The company has a huge workforce, more than 291,000 employees worldwide, so it is easy to imagine how hard it is for Starbucks to manage and run its business at that scale.

Initially, Starbucks faced the same problems that other giant companies usually face early on. Starbucks, too, found a solution in the Splunk tool, which helped it rank number one in the food and beverage industry. But what was the problem, and how was it solved? Let's discuss this.

Complications Starbucks was facing

Mike Hughes, the director of information security at Starbucks, described two use cases from its security operations.

According to him, attackers are the central problem facing security operations. In his view the main drivers behind attacks are organized crime rings, nation-states and hackers, as well as disaffected insiders who steal customer data.

The real questions, though, were who the attacker is, how to detect them, what problems they are going to create in the future and, most importantly, what crucial steps must be taken.


For instance, attacks that are high in velocity and high in volume are the ones that can be very problematic, and if they are left undetected they give rise to many further problems.


These attacks bring significant issues, and detecting them can require a large team; combined with the challenges of the pace of technology change, the whole process becomes incredibly hard.

Starbucks nevertheless managed to collect data across its hundreds of organizations. In brief, it was able to assemble data from 200,000 endpoints, from ordinary computers to IoT (Internet of Things) devices such as connected coffee machines. The company had 1000 analysts, but at some points they were still missing something.

Therefore Starbucks aimed to automate the areas with the highest task volume, including identity management, mail hygiene, vulnerability management and antivirus.

The aim is to make it easier for security personnel to calculate return on investment (ROI) and to eliminate time-consuming activities and large volumes of the same recurring issue.

It can be tough to retain security staff because their skills are in high demand, and many businesses have been trying to make security jobs more interesting in order to keep skilled personnel. However, no one had the solution except Splunk's Phantom.

How Splunk Phantom aids security operations

Splunk Phantom is a SOAR platform (security orchestration, automation and response), with capabilities that help improve analyst efficiency and cut incident response times.


Most organizations are now able to advance their security and better manage risk by integrating teams, processes and tools. How Splunk Phantom assisted Starbucks becomes clear from the two cases below.

Use case one: Malware triage response event

When the urgency level of a case is being decided, that is, whether it should be escalated or not, the incident is automatically handed to Splunk Phantom, which uses its threat-identification capabilities and communicates with the antivirus to check whether this is a genuine problem or not.


Variables like the URL score are also checked, depending on the case type. A Splunk query can analyze data about how a computer is used to judge whether the observed behavior is normal, particularly on that specific system.


However, Phantom does not simply act on the events' overall threat score, and it does not open a ticket for every event regardless of urgency.

Hughes says this phase is one of the most time-consuming for a security analyst. Analysts would otherwise have to consult a dashboard whenever a ticket is issued; by automating it, only correct and accurate responses are produced.

The whole process takes one to two minutes, after which only the correct tickets are assessed. "In quantity, this is an essential thing."
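As an added illustration (not Starbucks' or Splunk's own playbook code), the decision logic of the malware-triage flow just described: a hypothetical `Alert` record, a constructed host-activity table standing in for the Splunk baseline query, and an assumed threshold of 70 on a 0..100 URL reputation score.

```python
from dataclasses import dataclass

# Constructed stand-in for the Splunk host-activity data the triage query
# would consult: (host, process) pairs seen in recent, known-good activity.
BASELINE_EVENTS = [
    ("pos-0117", "pos-client.exe"),
    ("pos-0117", "updater.exe"),
    ("lab-22", "python.exe"),
    ("lab-22", "git.exe"),
]

URL_SUSPICIOUS = 70  # hypothetical threshold on a 0..100 reputation score


@dataclass
class Alert:
    host: str
    process: str
    url_score: int    # reputation lookup result, 0 (clean) .. 100 (malicious)
    av_verdict: str   # antivirus answer: "malicious", "suspicious" or "clean"


def seen_on_host(host, process, events=BASELINE_EVENTS):
    """Stand-in for the Splunk query: is this process normal on this host?"""
    return any(h == host and p == process for h, p in events)


def triage(alert):
    """Return (action, severity, reasons) for one alert.

    Antivirus verdict and URL score are enrichment, the host-baseline query
    decides whether the behaviour is normal for *this* system, and no ticket
    is opened on a single weak signal alone.
    """
    reasons = []
    if alert.av_verdict == "malicious":
        reasons.append("antivirus confirmed malware")
    if alert.url_score >= URL_SUSPICIOUS:
        reasons.append(f"url reputation score {alert.url_score}")
    if not seen_on_host(alert.host, alert.process):
        reasons.append(f"{alert.process} never seen on {alert.host}")

    if alert.av_verdict == "malicious":
        return "open_ticket", "high", reasons
    if len(reasons) >= 2:
        return "open_ticket", "medium", reasons
    return "auto_close", "none", reasons


if __name__ == "__main__":
    for a in (Alert("pos-0117", "pos-client.exe", 12, "clean"),
              Alert("pos-0117", "dropper.exe", 88, "suspicious")):
        print(a.host, a.process, triage(a))
```

The reasons list is returned even when the alert is auto-closed, so the playbook's decision stays auditable.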

Use case two: Mail hygiene

Hughes considers poor email hygiene responsible for the majority of the breaches identified in the past ten years, and the origin of many further troubles.

Some 92 million emails have been prevented from reaching the business; mail is held and released only after screening, before it reaches the user.

Even when the tools have not identified a threat, action is still required before a danger spreads. For this, Starbucks relied on Splunk Phantom, since Splunk raises the alerts about these threats.

Splunk runs multiple processes, together with a Splunk query for information on the user from whom the threat originated and on whether any action was previously taken, and if necessary a ticket is opened.

If the user deals with the issue themselves in real time, Starbucks is able to auto-close the ticket. So yes, with the introduction of Splunk Phantom, Starbucks saw a significant change in its business.
