A few years ago, we set out to solve one of the oldest problems in security operations. Data is everywhere, but too often goes unused when it matters most. While you could argue that there is more data being used across security operations in recent years, the amount of data movement and duplication required to power security tools is staggering.
Security teams have the data they need, but it is stranded in too many tools and systems, making it hard to use when needed. While I’m not good at predictions, I believe we will see more security products and tools accessing and using data where it lives in the coming years.
An example of this trend is Federated Search. Riding on the explosion of API access to data, Federated Search proves that it’s possible to bring search to the data, and not always move the data to the search.
Acting as an API gateway, Query Federated Search enables searching data where it resides without having to know the underlying data structure or search language — returning results in a normalized OCSF format. Query can be used via a browser, a Splunk App plugin, or the API. Security operators use Query for investigations, threat hunting, and other data-forward tasks, becoming more efficient through fewer tool pivots and reducing costs by not having to centralize or duplicate all of the data.
Query enables security teams to use data to get answers and make better decisions, faster.
Federated Security
At Query, we are thinking beyond Federated Search to a broader concept of Federated Security. Federated Security builds on everything we’ve learned, leveraging federated search to improve security operations in enterprise environments. While not a silver bullet, adding this approach to your reference architecture delivers a new and valuable way to make use of your data.
It gives security teams a way to do more with their data without moving it, copying it, or building pipelines each time a new data source emerges or data volumes exceed budgets.
Building on our patented Federated Search platform, Federated Security includes:
- Federated Insights – Data-driven insights, dashboards, and reporting from all your Query integrations without stitching them together manually.
- Federated Detections – Expand the reach of your detections beyond the walls of any one platform. Available today in our Splunk app with more on the way.
- Query Copilot – Structured, federated data feeding LLMs, so you get data-driven answers you can trust, not limited summaries and hallucinations.
- AI-Powered Schema Mapping – (In Preview) Map new dynamic data sources to the Open Cybersecurity Schema Framework (OCSF) in less than 15 minutes, leaving your data right where it is.
- Federated Analytics – (Coming soon) Further unlocking the power inside your distributed tools and systems.
This is just the beginning. Federated Security isn’t just a collection of features. It unlocks a new way to use data anywhere and a new approach to data architectures.
Real Value
One security team tripled the data reach of their Splunk deployment without any increase in Splunk license fees or ingestion costs.
Another enterprise team recently onboarded data stored in 10 Amazon S3 buckets in under 60 minutes, enabling them to search faster and more completely than they could before.
No centralization project. No six-month pipeline build. No professional services. No extra headcount. Just answers from their data when they needed it.
This isn’t theoretical anymore.
Federated Search delivers.
Federated Security makes it even more powerful.
Different Approach = Different Results
I joined Query because I spent too many years in security operations feeling the pain we’re solving.
The industry doesn’t need another platform promising to fix everything if you just move all your data into it.
You need answers. You need speed. You need flexibility through choice.
Federated Security is about giving you all three without the cost, complexity, and false promises.
You already have the data. Now you can put it to work.
See It In Action
If you want a closer look, reach out.
I love giving demos. (Although, fair warning, my team is much better than I am.) You can also catch up with me in person at the RSA Conference. Check out where to find us here.
The power of Federated Search has been proven.
The future is Federated.
Join us.
-Matt