Slide 2: My Background and Role
• At Group Health since 2012
• Part of Information Security Engineering and Operations
• Splunk user since 2011
• Favorite joke
Slide 3: Company Overview
• Member-governed, nonprofit health care system coordinating care and coverage
• Founded in 1947 and based in Seattle, Washington
• 25 locations in 17 cities
• Serves more than 600,000 residents in Washington and North Idaho
Slide 4: Enterprise Security Assurance
Protect the systems, patients and the patient data
• Detect when prevention mechanisms fail
• Manage and measure incident response
• Enterprise log management and analysis
• All things security engineering
Org chart (from the slide): Enterprise Security Assurance splits into Governance and Policy, and Engineering and Operations; the latter comprises Operations (2) and Engineering (me).
Slide 5: Splunk at Group Health
• ~10 active users
• Significant effort towards managing knowledge objects
• Git repositories on top of all Splunk configurations
• Complete set of config packaged into a single application for easier deployment
• Load balancer used for all inbound syslog (no more facility/priority shuffling!)
Architecture diagram components: 1 search head, 3 indexers, dev search head, deployment server, Git deployment versioning, syslog-ng, heavy forwarder, Sentry, Win/*NIX.
Slide 6: Splunk Development at Group Health
Timeline, 2013 to present:
• Simple XML: basic dashboards; drag & drop
• Simple XML: advanced; drag & drop
• Advanced XML: full customization; obsolete
• Web framework: rich, interactive experiences
Slide 7: Incident Response at Group Health
• Anomaly Detection: Snort IDS, Bro IDS, Sandboxing
• Alerting
• Investigation & Incident Tracking: CIRTA
Slide 8: Incident Response Workflow
CIRTA (Computer Incident Response Team Analysis)
• Original incident response system
• Accelerates post-detection incident response
• Automates and archives data for incidents
• Builds a picture of the event over time
• Incident contextual visualization, anomaly detection and search
• Nearly instantaneous results
• Tracks each incident stage
• Measures incident response effectiveness
• Incident categorizations
Workflow diagram data flows: Incident Logs, CIRTA Logs, Collected Logs, Collateral Events
Slide 16: Example: Java Vulnerabilities
• Rule: a resource must have the latest version of Java to access the Internet
• Requests from vulnerable Java versions for exploit code are blocked
• Incidents processed in CIRTA and pushed to Splunk for incident metrics on compromises
• 50% decrease in incidents/month
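The rule on this slide, worked as detection logic over constructed proxy log lines. This is an added example, not Group Health's rule or a Splunk search from the talk; it assumes the rule is evaluated on web-proxy logs where the Java HTTP client identifies itself with a User-Agent of the form "Java/1.7.0_45" (the JRE's default), which is how a version can be read off each request. The log format, the client IPs and the required baseline version are all constructed here.

```python
"""Detect outdated Java runtimes reaching the Internet from web-proxy logs.

Added example, not Group Health's rule or a Splunk search from the talk.
Assumes the rule is evaluated on proxy logs and that the Java HTTP client
sends a User-Agent of the form "Java/1.7.0_45" (the JRE's default).
"""
import re
from collections import Counter

# Constructed sample proxy log lines: timestamp, client IP, destination host, User-Agent.
SAMPLE_LOG = """\
2014-03-04T10:12:01Z 10.20.1.15 cdn.example.net "Java/1.7.0_45"
2014-03-04T10:12:03Z 10.20.1.15 cdn.example.net "Java/1.7.0_45"
2014-03-04T10:12:09Z 10.20.1.22 updates.example.org "Java/1.7.0_51"
2014-03-04T10:12:15Z 10.20.1.31 www.example.com "Mozilla/5.0 (Windows NT 6.1)"
2014-03-04T10:13:40Z 10.20.1.40 ad.example.net "Java/1.6.0_30"
2014-03-04T10:13:41Z 10.20.1.40 ad.example.net "Java/1.6.0_30"
2014-03-04T10:13:41Z 10.20.1.40 ad.example.net "Java/1.6.0_30"
"""

# The version the rule requires (constructed baseline; policy decides the real one).
REQUIRED_JAVA = "1.7.0_51"

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
JAVA_UA_RE = re.compile(r"^Java/(\d+)\.(\d+)\.(\d+)_(\d+)$")


def version_tuple(version):
    """Turn '1.7.0_51' into (1, 7, 0, 51) so versions compare numerically, not lexically."""
    major, minor, rest = version.split(".")
    update, build = rest.split("_")
    return (int(major), int(minor), int(update), int(build))


def parse_java_version(user_agent):
    """Return (version_tuple, version_string) for a Java User-Agent, or None otherwise."""
    m = JAVA_UA_RE.match(user_agent)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()), user_agent.split("/", 1)[1]


def find_outdated_java(log_text, required=REQUIRED_JAVA):
    """Return {client_ip: (version_string, request_count)} for hosts below the baseline.

    Non-Java User-Agents are ignored; a host at or above the baseline passes the rule.
    """
    baseline = version_tuple(required)
    versions = {}
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        _ts, client, _dest, ua = m.groups()
        parsed = parse_java_version(ua)
        if parsed is None or parsed[0] >= baseline:
            continue
        versions[client] = parsed[1]
        counts[client] += 1
    return {ip: (versions[ip], counts[ip]) for ip in versions}


def incident_summary(outdated):
    """One incident per host, not per request, matching the per-month metric on the slide."""
    return {
        "incidents": len(outdated),
        "failing_requests": sum(n for _, n in outdated.values()),
    }


if __name__ == "__main__":
    out = find_outdated_java(SAMPLE_LOG)
    for ip, (ver, n) in sorted(out.items()):
        print(f"{ip}: Java {ver} is below {REQUIRED_JAVA}; {n} request(s) fail the rule")
    print(incident_summary(out))
```

Comparing version tuples rather than strings matters here: as strings, "1.7.0_9" sorts above "1.7.0_51", which would pass a host that is actually several updates behind.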
Slide 17: Splunk for Privacy Monitoring
• Simple, dynamic, multiuser analysis experience
• Complete context through demographics and encounters
• Increase efficacy through weighted scores
• Reporting performance
  – Avoid live analytical searches
  – Summarize scenario reports
  – Display pre-analyzed data
• Framework design supports pluggable sources of privacy data
• On Splunkbase
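The two ideas on this slide, weighted scenario scores and pre-summarized reporting, worked through on constructed data. This is an added example, not the Splunkbase app from the talk: the access-event fields (employee, department, patient, care department, surname match, hour, VIP flag), the scenario rules and their weights are all assumptions made here. The output is the per-employee summary a dashboard would read, so no analytical search runs at display time.

```python
"""Weighted privacy-scenario scoring with pre-summarized output.

Added example, not the Splunkbase app from the talk. Field names, scenario
rules and weights are constructed; a real deployment takes them from policy.
"""
from collections import defaultdict

# Constructed sample patient-record access events, with demographic and
# encounter context already joined in (employee department vs. department of care).
EVENTS = [
    {"employee": "jdoe", "emp_dept": "Radiology", "patient": "P001", "care_dept": "Radiology",
     "same_surname": False, "hour": 10, "vip": False},
    {"employee": "jdoe", "emp_dept": "Radiology", "patient": "P002", "care_dept": "Cardiology",
     "same_surname": True, "hour": 23, "vip": False},
    {"employee": "asmith", "emp_dept": "Billing", "patient": "P003", "care_dept": "Oncology",
     "same_surname": False, "hour": 14, "vip": True},
    {"employee": "asmith", "emp_dept": "Billing", "patient": "P004", "care_dept": "Oncology",
     "same_surname": False, "hour": 2, "vip": False},
    {"employee": "mlee", "emp_dept": "Oncology", "patient": "P003", "care_dept": "Oncology",
     "same_surname": False, "hour": 9, "vip": True},
]

# Scenario rules: name -> (predicate, weight). Weights are constructed for the example.
SCENARIOS = {
    "outside_department": (lambda e: e["emp_dept"] != e["care_dept"], 3),
    "shares_surname": (lambda e: e["same_surname"], 4),
    "after_hours": (lambda e: e["hour"] < 6 or e["hour"] >= 20, 2),
    "vip_patient": (lambda e: e["vip"], 2),
}


def score_event(event, scenarios=SCENARIOS):
    """Return (total_score, [matched scenario names]) for one access event."""
    matched = [name for name, (pred, _w) in scenarios.items() if pred(event)]
    total = sum(scenarios[name][1] for name in matched)
    return total, matched


def summarize(events, scenarios=SCENARIOS, threshold=5):
    """Pre-aggregate per employee: total score, scored event count, scenarios hit.

    Only employees at or above the threshold appear, highest score first. This
    table is what gets stored and displayed; the raw events are not re-searched.
    """
    summary = defaultdict(lambda: {"score": 0, "events": 0, "scenarios": set()})
    for e in events:
        total, matched = score_event(e, scenarios)
        if total == 0:
            continue  # ordinary access within role: contributes nothing to the report
        row = summary[e["employee"]]
        row["score"] += total
        row["events"] += 1
        row["scenarios"].update(matched)
    report = [
        {"employee": emp, "score": r["score"], "events": r["events"],
         "scenarios": sorted(r["scenarios"])}
        for emp, r in summary.items()
        if r["score"] >= threshold
    ]
    return sorted(report, key=lambda r: (-r["score"], r["employee"]))


if __name__ == "__main__":
    for row in summarize(EVENTS):
        print(row)
```

In Splunk terms the summarize step is what a scheduled search writing to a summary index does; the dashboard then reads the small summary rather than running the scenario logic live over every access event.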
Slide 18: Why Splunk?
• Easier to visualize data to detect anomalies
• Endless possibilities with SDK and Web Framework
• Log analysis accessible vs. command line expertise
Editor's notes
You mentioned your team is 3 including you? What is the name of your team? Your extended team is 4, what team is that and how does it fit with the overall IT team?