3. Challenges We Faced
! Wide Range of Security Requirements
– Internal audits (Financial, PCI)
– Contractual security program requirements with customers
– Internal informaCon and asset protecCon
– Security products (Cloud Firewall/DDoS)
! Cultural and OrganizaConal Challenges
– Security not a priority for everyone
– Outsourced security operaCons
– Limited resources
– Data not available for security operaCons
ê InformaCon hoarders and data silos
7. Buy the Right Tools – We Chose Splunk
! Meets all of our requirements:
– Supports our security and non-security needs
– Provides visibility across the organizaCon
– Delivers immediate value
– Meets our longer term goals to be proacCve and predicCve
! Solves many organizaConal challenges:
– Gives the organizaCon a reason to care (break the silos)
– Increases visibility sold them on insourcing
– Fast Cme to value and low TCO jusCfies the investment
7
10. Use Case #1
Security Challenge:
! DetecCon and response to possible
brute force adacks
– Check for brute force paderns from logon events
ê AcCve Directory
ê Win: Security logs
ê Cisco Secure ACS logs
ê Unix authenCcaCon logs
How Splunk Helped:
! Facilitated rapid detecCon and
deep invesCgaCon
– Enabled SecOps to detect the adempts
– Provided substanCal forensic data
ê Determined source of the adack
ê IdenCfied compromised systems
10
12. Use Case #3
Security Challenge:
! DetecCon of suspicious behavior from log
sources
– CorrelaCon of organizaCon-wide machine data
– Analysis of security and non-security data
How Splunk Helped:
! Discovered compromised JetDirect cards
– Able to index, correlate and analyze data from all
device types
– Rapidly discovered common paderns and trends
12
14. Key Takeaways
! Engage and enable the business
! Create a balanced informaCon security program
! Employ a solid foundaCon of security
controls first
! Don’t be overwhelmed – take one step at a Cme
! Create security program valuing transparency,
accountability & oversight
! Remove the limits of outsourced
security operaCons
14
Editor's Notes
Yeah, the way we got started is we had a number of different homegrown log aggregation processes that were in place that were fairly absent of any kind of UI or analytics capability. It was typical log collection onto a central server using command line tools to do some analysis, et cetera.
We also had some managed service providers that were giving us some very, very basic analytics by also aggregating some of our log information into some of their tools. It wasn't really delivering the kind of service and capability we were looking for. It was very slow, very reactive, not a lot of ability to do any kind of trend analysis.
We went down a path to evaluate where do we want to be from a log collection and analytics standpoint. Obviously, we went down the path of looking at a number of the SIEM tools available in the market and give an evaluation of the typical players like QRadar, ArcSight.
We really found that while a lot of them had a good SIEM profile, they weren't really designed to be log archive tools. In order to use them as a log archives tool you had to invest a tremendous amount of overhead in storage, processing power, et cetera. Once you try to use those platforms as aggregators for any kind of real historic data, they just went to a crawl from a usability perspective.
We were much more interested in doing deep, historical forensic analysis, and analytics than we were in having a real‑time dashboard of things that were going on because most of that work we view as we want to outsource that to somebody who can staff an eyes on glass capability in a much more 24/7 way.
We want the internal platform to really be about how do we go back to six months ago and understand what happened from a security forensic stand‑point or how do we do trend analytics on potential events or that type of activity. We quickly eliminated some of the tools that were much more focused on what I'll call security operations type users and started to look for tools that were much more of a log aggregation type platform.
We looked at a couple of different options there, and that how we ended up with Splunk. Really, one of the deciding factors was we wanted something that would scale to be able to collect data, not just security data, but data from the whole organization, so that we weren't buying one platform for security and then buying another platform for normal IT operations because the view was, if we don't comingle all the data together, the value of that analysis is reduced.
showed how they can bring security and non-security value through visibility —> gave the org more reason to care (FUNDAMENTAL!)
could sell the org to care about it in a fundamentally different way —> everybody cared about their data
security was no longer the only reason - but allowed them to get what they needed (sold non-sec use cases to get the data so that they could solve their security use cases)
let me give you what you really need/want, and a side benefit is that I get what I need …’
