2. Agenda
09:30 – 09:45 Introduction & Welcome
09:45 – 10:00 A Day in the Life
10:00 – 10:15 So, What is Splunk?
10:15 – 11:00 Session One: Data-driven insights into your IT Operations to support a digital transformation
11:00 – 11:30 Break
11:30 – 12:15 Session Two: Best Practices for Scoping Infections and Disrupting Breaches
12:15 – 12:30 Interactive Demo & Morning Session Wrap Up
12:30 – 13:30 Lunch
13:30 – Event Concludes
3. Big Data, Splunk and stuff
Sam Routledge – CTO, Softcat
15th March 2017
5. Big data basics
Data Nirvana!
Business data – ERP, CRM…
Machine/sensor data – temp, vibration…
Marketing – location, app, click…
Log data – firewall, av…
6. Digitisation considerations
Digital business model: Workforce Mobility, Operational Efficiency, Customer Satisfaction
IoT/sensor: Mobile Devices, Wearables, Industrial
Ready network, Ready infrastructure, Ready security, Ready applications
7. Data = Disruptor (if used correctly)
The retailer
• App data
• Location/direction from Wifi
• Make stores a destination
The ‘precision agronomist’
• Sensor data – temp/humidity etc.
• Soil quality
• Pests
The dairy farmer
• Internet connected cows!
• Stomach temperature sensors
8. Security and IT: a first use case
Actionable insight: velocity of threat, volume of data, variety of sources
A learning opportunity
Understand ‘big data’ techniques
Equip yourself to be the ‘data plumber’
Solve the big security problem
Unify a fragmented toolset
Respond with killer speed!
9. How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud
On-time efficiency & dramatic queue reduction with 925 flights per day
Real-time, predictive airfield analytics delivered on mobile app & Apple Watch
Data from airport gates, boarding pass scans, x-ray, travel, passenger flow
10. How John Lewis Uses Splunk For Multi-channel Retail Analytics
Track end-to-end transactions
Monitor & model customer behavior
Billion dollar website business & IT dashboards
Prevent lost revenue via machine data insight
11. Why Yoox/Net-A-Porter Built A Security Intelligence Platform Using Splunk
Intrusion detection and identification of patterns of malicious behaviour
Comprehensive real-time security analytics and monitoring
Automatic security alerts and deep incident investigation
12. How BBC Worldwide Improves Customer Experience With Splunk
ITOA & performance monitoring to ensure the BBC Store is available
Splunk Cloud allows the team to focus on monitoring, not running infrastructure
Business analytics, customer experience and sales reports
13. Why Tesco Uses Splunk To Accelerate Development And Understand Customers
Cut Investigation & Resolution time 95%
Reduce Escalations 50%, Accelerate Dev Cycles 30%
Activity Tracking Dashboards with Improved Customer Experience and Reduced Lost Revenue
Operational Analytics with Live Transaction Tracing and End-to-end Infrastructure Insight
14. Saving The US Rail Industry A Billion Dollars And 250 Million Acres Of Trees in CO2
Train sensor data in real-time
Fuel savings resulting in $1bn of savings
Better trained drivers & predictive maintenance
16. How Domino's Delivered Real-time Marketing Analytics With Splunk
Better customer decisions
– Analyse the success of campaigns as well as one-off promotions in real time
– Proactively adjust marketing campaigns in real time based on customer behaviour
Device & promotion trends
– Which devices (iPhones, Androids or Kindle Fires) are being used to place orders
– Where and when it is more lucrative to run promotional campaigns – real time
Revenue insights
– Online sales data across entire network of more than 10,000 stores
– Visualise key metrics – orders per minute/per store, popular pizza and what coupons
33. Platform for Machine Data
Use cases: Application Delivery; Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things; IT Operations
Data sources: Servers, RFID, Networks, GPS Location, Packaged Applications, Custom Applications, Messaging, Desktops, Online Shopping Cart, Storage, Smartphones and Devices, Energy Meters, Web Clickstreams, Telecoms, Databases, Call Detail Records, Web Services, Online Services, Security
Deployment: On-Premises, Private Cloud, Public Cloud
…but has multiple uses
34. Turning Machine Data Into Operational Intelligence
Reactive → Proactive: Search and Investigate; Proactive Monitoring and Alerting; Operational Visibility; Real-Time Business Insight
36. Just to recap
Identify and fix problems fast; prevention rather than cure
37. Index and Analyze Data Across Your Technology Stack
Splunk Add-Ons, Templates and Apps Accelerate Value From Machine Data
No rigid schemas – add in data from any other source.
API, SDKs, UI
Server, Storage, Network; Virtualization, Containers; Operating Systems + Databases; Custom Applications; Business Applications; Cloud Services; Web Intelligence; Mobile Applications; Stream; Operations and Service Desks; App Performance Monitoring; DB Connect
49. The Customer Experience is the Digital Experience
The Digital Journey: The Hotel Booking
Social Media Campaign → Visit Website → Book on Mobile App → Check-in in Reception → Connect to Wifi in Room → Watch TV in Room → Check-out On Mobile
54. CONFIDENTIAL. INTERNAL USE ONLY.
Outage → War Room (App, DB, Network, Storage, System) → Data Gathering → War Room → ?? Now What?
55. Outage → War Room (App, DB, Network, Storage, System) → Data Gathering → War Room → ?? Now What?
GAINING INSIGHTS IS HARD
Human latency measured in hours or days
56. New Solution is Required
Central location for all machine data
Data indexed for rapid investigation
Correlation & Visualisation
Draw business insights
59. Our number of data sources, volumes & use cases is driving increased customer adoption
Leader in ITOA 2015 (for 2nd year in a row)
60. Your IT Ops Backbone
Rapid Search & Investigation; Advanced Correlation; Powerful Visualisation; Real Time Alerting; Machine Learning
Collect any Machine Data. No Connectors. No Schema
61. Your IT Ops Backbone
Rapid Search & Investigation; Advanced Correlation; Powerful Visualisation; Real Time Alerting; Machine Learning
Collect any Machine Data. No Connectors. No Schema
Incident & Problem Management; Win, Unix, Network, Storage teams; Capacity Managers; Change, Release Managers; Developers & QA; IT Managers; Compliance Managers; App Mng
62. Your IT Ops Backbone
Over 1300 Apps available on splunkbase.com
Rapid Search & Investigation; Advanced Correlation; Powerful Visualisation; Real Time Alerting; Machine Learning
Collect any Machine Data. No Connectors. No Schema
77. Model user journeys on $1.5 Billion Online Sales for Load Testing
Enhanced Operational Intelligence
Collaboration across all business
Operational visibility of issues before they are reported
79. Business Insights & Alerting
Value:
• Monitors trending of Website activity including conversion
• Instant alerting if product sells quicker than is normal
• Able to identify if product is mis-priced – leading to reduced risk of bad PR and better customer satisfaction
80. Customer Journeys
Value:
• All user journeys tracked end-to-end
• Ability to drill down to any order to view the state
• Provides true user journeys
• Better understanding of customer interactions
• Provides business with real-time visibility and metrics of online channel
94. The Ever-Changing Threat Landscape
53% – Victims notified by external entity
100% – Valid credentials were used
229 – Median # of days before detection
Source: Mandiant M-Trends Report 2012-2016
95. Attacks often start with an email:
50% CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR
23% OF RECIPIENTS OPEN PHISHING MESSAGES
11% OF RECIPIENTS CLICK ON ATTACHMENTS
Source: Verizon DBR
96. True Story: State of Michigan (SOM) – User account spoofing
Phishing Mail: Mailbox reached storage limit...
Outlook Web Access Portal custom design of SOM was rebuilt by attacker
Provide E-Mail, Username, Password and Date of Birth...
To how many Users was the mail delivered? Delivered to 2800 Employees before being blocked
How many clicked? 155 Employees clicked the link
How many filled out? 144 Employees provided their credentials
Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann
103. Capabilities—Scoping Infections and Breaches
Report and Analyze; Custom Dashboards; Monitor and Alert; Ad hoc Search
Threat Intelligence; Asset & CMDB; Employee Info; Data Stores; Applications
Raw Events: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint
105. Adversary Perspective—Attack Kill Chain
Discovery → Weaponization → Delivery → Exploitation → Installation → Command and Control (C2) → Actions on Objectives
Lockheed Martin white paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
107. Kill Chain—Breach Example
Delivery (MAIL): Attacker creates malware, embeds it in a .pdf, and emails it to the target
Exploitation (.pdf): Read email, open attachment
Installation: .pdf executes & unpacks malware, overwriting and running “allowed” programs (Svchost.exe, Calc.exe)
C2 (WEB): http (web) session to command & control server
Actions on Objectives: Remote control; steal data; persist in company; rent as botnet
Data sources: Threat Intelligence, Access/Identity, Endpoint, Network
110. Demo Review
Challenges
– Difficult to go from threat-intel match to root cause
– Hard to determine – was there a breach?
Sources
– Threat intel – open source threat intel feed
– Network – web proxy logs, email logs
– Endpoint – endpoint monitoring agent
– Access/identity – asset management database
Finding the root cause: connecting the dots
– Match the threat-intel IP to network data to identify the infected machine
– Identify the malicious process by mapping network data to endpoint data
– Discover the infected email by matching local file access to email data
111. Best Practices—Breach Response Posture
Bring in data from at least one from each category:
– Network – next gen firewall or web proxy, email, DNS
– Endpoint – Windows logs, registry changes, file changes
– Threat intelligence – open source or subscription based
– Access and identity – authentication events, machine-user mapping
Establish a security intelligence platform so analysts can:
– Contextualize events, analytics and alerts
– Automate analysis and exploration
– Share techniques and results to learn and improve
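The three "connecting the dots" pivots from the Demo Review and the four data categories in the breach-response list above, as an added example that is not Splunk's or the presenter's code: a small Python script that runs the pivots over constructed proxy, asset-database, endpoint-agent and mail-gateway records. In Splunk the same joins would be written in SPL against indexed events; plain Python is used here so the pivot logic itself is visible. Every IP, host name, user, process and file name below is constructed.

```python
"""Scoping an infection by pivoting across the four data categories:
threat intel -> network (proxy) -> access/identity (asset DB) -> endpoint -> email.
Added example with constructed data; not from any real environment."""

# Constructed open-source threat-intel feed: one known C2 address (TEST-NET range).
THREAT_INTEL_IPS = {"203.0.113.45"}

# Constructed web-proxy log (network category).
PROXY_EVENTS = [
    {"time": "2017-03-15T09:12:03", "src_ip": "10.0.5.21", "dest_ip": "93.184.216.34", "url": "http://example.com/"},
    {"time": "2017-03-15T09:14:47", "src_ip": "10.0.5.21", "dest_ip": "203.0.113.45", "url": "http://203.0.113.45/gate"},
    {"time": "2017-03-15T09:20:10", "src_ip": "10.0.5.30", "dest_ip": "93.184.216.34", "url": "http://example.com/"},
]

# Constructed asset-management records (access/identity category): IP -> host and logged-on user.
ASSET_DB = {
    "10.0.5.21": {"host": "WS-021", "user": "jdoe"},
    "10.0.5.30": {"host": "WS-030", "user": "asmith"},
}

# Constructed endpoint-agent events: file reads, process starts (with parent) and outbound connections.
ENDPOINT_EVENTS = [
    {"time": "2017-03-15T09:11:58", "host": "WS-021", "process": "AcroRd32.exe", "action": "file_read", "file": "invoice.pdf"},
    {"time": "2017-03-15T09:12:30", "host": "WS-021", "process": "calc.exe", "action": "process_start", "parent": "AcroRd32.exe"},
    {"time": "2017-03-15T09:14:47", "host": "WS-021", "process": "calc.exe", "action": "network", "dest_ip": "203.0.113.45"},
    {"time": "2017-03-15T09:20:10", "host": "WS-030", "process": "chrome.exe", "action": "network", "dest_ip": "93.184.216.34"},
]

# Constructed mail-gateway log: who received which attachment.
EMAIL_EVENTS = [
    {"time": "2017-03-15T09:05:12", "recipient": "jdoe", "sender": "billing@invoice.example", "attachment": "invoice.pdf"},
    {"time": "2017-03-15T08:40:00", "recipient": "asmith", "sender": "hr@corp.example", "attachment": "policy.pdf"},
]


def match_threat_intel(proxy_events, threat_ips):
    """Step 1: proxy events whose destination is on the threat-intel list."""
    return [e for e in proxy_events if e["dest_ip"] in threat_ips]


def find_process_chain(host, dest_ip, endpoint_events):
    """Step 2: the process on `host` that talked to `dest_ip`, followed up its
    parent chain to the process that launched it. Returns [] when no endpoint
    event corroborates the network hit (a gap worth noting in the write-up)."""
    on_host = [e for e in endpoint_events if e["host"] == host]
    connected = [e for e in on_host if e["action"] == "network" and e.get("dest_ip") == dest_ip]
    if not connected:
        return []
    parents = {e["process"]: e.get("parent") for e in on_host if e["action"] == "process_start"}
    chain = [connected[0]["process"]]
    while parents.get(chain[-1]) and parents[chain[-1]] not in chain:  # stop at the root or on a cycle
        chain.append(parents[chain[-1]])
    return chain


def find_source_email(host, user, chain, endpoint_events, email_events):
    """Step 3: files read by the root of the chain, matched against attachments
    the same user received by email."""
    if not chain:
        return []
    root = chain[-1]
    files_read = {e["file"] for e in endpoint_events
                  if e["host"] == host and e["action"] == "file_read" and e["process"] == root}
    return [m for m in email_events if m["recipient"] == user and m["attachment"] in files_read]


def scope_infection(threat_ips, proxy_events, asset_db, endpoint_events, email_events):
    """Run the three pivots for every threat-intel hit and return one finding per hit."""
    findings = []
    for hit in match_threat_intel(proxy_events, threat_ips):
        # Unknown asset: keep the raw IP so the hit is not silently dropped.
        asset = asset_db.get(hit["src_ip"], {"host": hit["src_ip"], "user": None})
        chain = find_process_chain(asset["host"], hit["dest_ip"], endpoint_events)
        findings.append({
            "c2_ip": hit["dest_ip"],
            "first_seen": hit["time"],
            "host": asset["host"],
            "user": asset["user"],
            "process_chain": chain,
            "source_emails": find_source_email(asset["host"], asset["user"], chain, endpoint_events, email_events),
        })
    return findings


if __name__ == "__main__":
    for finding in scope_infection(THREAT_INTEL_IPS, PROXY_EVENTS, ASSET_DB, ENDPOINT_EVENTS, EMAIL_EVENTS):
        print(finding)
```

Each pivot keys on a field that both data sources share (destination IP between proxy and endpoint, host between asset DB and endpoint, user plus attachment name between endpoint and mail gateway); if a category is missing, the corresponding pivot returns an empty result rather than a guess, which is exactly the "was there a breach?" gap the Demo Review describes.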
112. IF IT HAPPENS TODAY? HOW LONG DOES IT TAKE YOU TO ANSWER UPCOMING QUESTIONS?
50% CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR
Source: Verizon DBR 2015
113. Travis Perkins built a lean SOC with Splunk
Close collaboration with IT-Operations Team for remediation
Moved from a failed SIEM deployment with appliances to a lean and agile SOC
Quicker from ingesting new data to creating meaningful correlations
115. Next Step: Discovery Workshop
What’s your Security Use Case?
• Cost justification against your management
• Success measurement
• Prioritization
• Scoping of data sources / data volume / costs
• Establishing organizational processes
• Data privacy justification
116. Explore: How Travis Perkins built a SOC in the Cloud
http://blogs.splunk.com/2016/09/14/trust-and-resilience-at-the-speed-of-business-how-travis-perkins-built-a-lean-soc-with-splunk-in-the-cloud/
Join: Our Community with Apps, Ask Questions or join a SplunkLive! event
https://www.splunk.com/en_us/community.html
Try: Splunk Enterprise Security in our Sandbox with 50+ Data Sources
https://www.splunk.com/getsplunk/es_sandbox
Q&A
Thank you