Presentations from Softcat Splunk Discovery Day.

1. Copyright © 2016 Splunk Inc.
Manchester
Social | #SplunkDisco17
WIFI: guest2017

2. 2
Agenda
09:30 – 09:45 Introduction & Welcome
09:45 – 10:00 A Day in the Life
10:00 – 10:15 So, What is Splunk?
10:15 –11:00 Session One: Data-driven insights into your IT Operations to support a digital transformation
11:00 –11:30 Break
11:30– 12:15 Session Two: Best Practices for Scoping Infections and Disrupting Breaches
12:15 –12:30 Interactive Demo & Morning Session Wrap Up
12:30– 13:30 Lunch
13:30 – Event Concludes

3. Big Data, Splunk and stuff
Sam Routledge – CTO, Softcat
15th March 2017

4. A brief introduction…

5. Big data basics
Data
Nirvana!
Business data
– ERP, CRM..
Machine/
sensor data –
temp,
vibration…
Marketing –
location, app,
click…
Log data –
firewall, av…

6. Digitisation considerations
Digital business model
Workforce
Mobility
Operational
Efficiency
Customer
Satisfaction
IoT/ sensor
Mobile Devices
Wearables
Industrial
Ready network
Ready infrastructure
Ready security
Ready applications

7. Data = Disruptor (if used correctly)
The retailer
•App data
•Location/ direction from Wifi
•Make stores a destination
The ‘precision agronomist’
•Sensor data – temp/ humidity etc
•Soil quality
•Pests
The dairy farmer
•Internet connected cows!
•Stomach temperature sensors

8. Security and IT: a first use case
Actionable insight
Velocity
of
threat
Volume
of data
Variety
of
sources
A learning opportunity
Understand ‘big data techniques
Equip yourself to be the ‘data plumber’
Solve the big security problem
Unify a fragmented toolset
Respond with killer speed!

9. 9
How Gatwick Airport Ensures Better
Passenger Experience With Splunk Cloud
On-time efficiency & dramatic queue reduction
with 925 flights per day
Real-time, predictive airfield analytics
deliver on mobile app & Apple watch
Data from airport gates, board pass scans,
x-ray, travel, passenger flow

10. 10
Track end-to-end
transactions
Monitor & model
customer behavior
Billion dollar website
business & IT dashboards
Prevent lost revenue
via machine data insight
How John Lewis Uses Splunk For
Multi-channel Retail Analytics

11. Why Yoox/Net-A-Porter Built A Security
Intelligence Platform Using Splunk
Intrusion detection and identification of
patterns of malicious behaviour
Comprehensive real-time security analytics
and monitoring
Automatic security alerts and deep incident
investigation

12. ITOA & performance monitoring to
ensure the BBC Store is available
Splunk Cloud allows team to focus on
monitoring not running infrastructure
Business analytics, customer
experience and sales reports
How BBC Worldwide Improves Customer
Experience With Splunk

13. Why Tesco Uses Splunk To Accelerate
Development And Understand Customers
Cut Investigation & Resolution time 95%
Reduce Escalations 50%, Accelerate Dev Cycles 30%
Activity Tracking Dashboards with Improved
Customer Experience and Reduced Lost Revenue
Operational Analytics with Live Transaction Tracing
and End-to-end Infrastructure Insight

14. Saving The US Rail Industry A Billion Dollars And 250
Million Acres Of Trees in CO2
Train sensor data in real-time
Fuel savings resulting $1bn savings
Better trained drivers & predictive maintenance

15. How TravisPerkinsbuilttheir
SecurityOperationsCentreinthe Cloud
Migrated on-prem to cloud based SOC
using Splunk Enterprise Security
Protect the organisation through
real-time data driven security
Identify incidents, security investigation,
support compliance

16. 16
Better customer decisions
Analyse the success of campaigns as well as
one-off promotions in real time
Proactively adjust marketing campaigns in
real-time based on customer behaviour
Device & promotion trends
Which devices (iPhones, Androids or Kindle
Fires) are being used to place orders
Where and when it is more lucrative to run
promotional campaigns- real time
Revenue insights
Online sales data across entire network of
more than 10,000 stores
Visualise key metrics - orders per
minute/per store, popular pizza and what
coupons
How Dominos Delivered Real-time Marketing
Analytics With Splunk

17. Copyright © 2016 Splunk Inc.
So what is Splunk?
Al Costigan
Partner Account Manager, Splunk

18. Is this your first Splunk presentation?

19. Do you think the name sounds rude?

20. Spelunking:
Splunking:
to explore
underground caves
to explore
machine data

21. pothole>

22. 2016 Gartner CIO Agenda

23. DIGITAL REVOLUTION
UNDER-PINNED BY DATA
Music Shopping Phone Car Banking Healthcare GovernmentWeb TV

24. 2424
STRUCTURED DATA

26. 2626
MACHINE DATA
time series, in motion, unstructured

27. 27
The data we
know and use
The available data
we don’t know or use

28. Your machine data is…
Messy Lazy

29. Escalating IT Complexity…
SaaS/PaaS
IaaS
VIRTUALIZATION
STORAGE
PACKAGED
APPLICATIONS
CUSTOM
APPLICATIONS
HR
Email
Finance
App Svr
DB
Web Svr
INFRASTRUCTURE
APPLICATIONS
VPN
IP Phone
Identify
SERVERS NETWORKING

31. Security AnalyticsITOperationsAnalytics
(ITOA)
Splunk’s TwoMainUseCases

32. Deadly Ice Creams!!!

33. Platform for Machine Data
Application
Delivery
Security,
Compliance
and Fraud
Business
Analytics Industrial
Data and
Internet of
Things
IT
Operations
Servers
RFID
Networks
GPS
Location
Packaged
Applications
Custom
Applications
Messaging
Desktops
Online
Shopping
Cart
Storage
Smartphones
and Devices
Energy
Meters
Web
Clickstreams
Telecoms
Databases
Call Detail
Records
Web
Services
Online
ServicesOn-
Premises
Private
Cloud
Security
Public
Cloud
…but has multiple uses

34. 34
Turning Machine Data Into Operational Intelligence
Reactive
Proactive
Proactive
Monitoring
and Alerting
Real-Time
Business
InsightOperational
Visibility
Search
and
Investigate

35. Security
Operations
IT
Operations
Business
Operations
With Splunk…
SAME DATAOf the
Asking different QUESTIONS
Different PEOPLE

36. Identify and fix problems fast Prevention rather than cure
Just to recap

37. Index and Analyze Data Across Your Technology Stack
Splunk Add-Ons, Templates and Apps Accelerate Value From Machine Data
No rigid schemas– add in data from any other source.
API
SDKs UI
Server, Storage,
Network
Virtualization,
Containers
Operating Systems
+ Databases
Custom
Applications
Business
Applications
Cloud Services
Web Intelligence
Mobile
Applications
Stream
Operations and
Service Desks
App Performance
Monitoring
DB Connect

38. JUST IMAGINE – ALL THAT FROM ONE PLATFORM

39. Copyright © 2016 Splunk Inc.
Thank you

40. Copyright © 2016 Splunk Inc.
Data Driven insights into your IT
Operations to support a digital transformation
Guillaume Ayme
ITOA Evangelist, Splunk

41. DIGITAL
MOBILE
CONNECTED

42. 42
New Digital
Services

43. CONFIDENTIAL. INTERNAL USE ONLY.
No way to
differentiate

44. 44

45. 45
Digital Workspace

46. CONFIDENTIAL. INTERNAL USE ONLY.
Causing an Explosion in
Machine-Generated Data
Need insights to move at
warp speed

47. 47
The Customer Experience is
ever more important than
ever

48. 48
The Customer Experience is ever more
important

49. Social Media
Campaign
Visit
Website
Book on
Mobile App
Check-in in
Reception
Connect to
Wifi in Room
Watch TV in
Room
Check-out
On Mobile
The Digital Journey
The Hotel Booking
The Customer Experience is the
Digital Experience

52. 52

53. CONFIDENTIAL. INTERNAL USE ONLY.

54. CONFIDENTIAL. INTERNAL USE ONLY.
War
Room
App
DB
Network
Storage
System
Data
Gathering
War
Room
??
? Now
What?
Outage

55. CONFIDENTIAL. INTERNAL USE ONLY.
War
Room
App
DB
Network
Storage
System
Data
Gathering
War
Room
??
? Now
What?
GAINING
INSIGHTS
IS HARD
Human latency
measured in hours or days
Outage

56. 56
New Solution is Required
Central
location for all
machine data
Data indexed
for rapid
investigation
Correlation
&
Visualisation
Draw business
insights

57. Machine Learning

58. IT Operational
Analytics

59. 59
Based on our number of data
sources, volumes & use cases is
driving increased customer adoption
Leader in ITOA 2015
(for 2nd year in a row)

60. Your IT Ops Backbone
Rapid Search &
Investigation
Advanced
Correlation
Powerful
Visualisation
Real Time
Alerting
Machine
Learning
Collect any Machine Data. No Connectors. No Schema

61. Your IT Ops Backbone
Rapid Search &
Investigation
Advanced
Correlation
Powerful
Visualisation
Real Time
Alerting
Machine
Learning
Collect any Machine Data. No Connectors. No Schema
Incident & Problem
Management
Win, Unix,
Network, Storage
teams
Capacity
Managers
Change, Release
Managers
Developers
& QA
IT
Managers
Compliance
Managers
App Mng

62. Your IT Ops Backbone
Over 1300 Apps available on splunkbase.com
Rapid Search &
Investigation
Advanced
Correlation
Powerful
Visualisation
Real Time
Alerting
Machine
Learning
Collect any Machine Data. No Connectors. No Schema

63. 63
● Logs
● Audit
● Performance
● Availability
Performance Mng
Capacity Mng
Compliance
Incident Mng
Security

64. 64
Collect
● Audit
● Billing
● Peformance
● Configuration
More visibility,
security and
reliability of your
migration to the
cloud

65. 65

66. 66
Splunk Stream: Performance on the Wire
66
• End/Real User Performance
• Application Performance
• Network Performance
• Transaction Management
• Protocol Payload
• End/Real User Performance
• Application Performance
• Network Performance
• Transaction Management
• Protocol Payload

67. Built on top of Splunk
Data-driven Service Insights and streamlined Root Cause
Investigation of your Business Services

68. 68
Dynamic Service
Models of your
Business Services

69. 69
Define KPIs on those
Services based on Raw
Data

70. 70
Adaptive Thresholds
through Machine
Learning & Anomaly
Detection

71. 71
Global Health of your
Services from Service
Analyser

72. 72
Instant Investigation
Framework for Rapid
TTM

73. 73
Glass Tables

74. 74
Supporting the Transformation of over 13,000
customers

75. Users complain of
failed checkout
process

76. Checkout Process
Realtime
breakdown of
checkout
process

77. Model user journeys on $1.5 Billion
Online Sales for Load Testing
Enhanced Operational
Intelligence
Collaboration across
all business
Operational
visibility
of issues before
they are reported

78. 78

79. 79
Business Insights & Alerting
79
• Monitors trending of Website activity
including conversion
• Instant alerting if product sells quicker
than is normal
• Able to identify if product is miss-
priced – leading to reduced risk of
bad PR and customer satisfaction
Value:

80. 80
Customer Journeys
80
• All user journeys tracked
end-to-end
• Ability to drilldown to
any order to view the
state
• Provides true user journeys
• Better understanding of
customer interactions
• Provides business with real-
time visibility and metrics
of online channel
Value:

81. 81
Magistor
81

82. 82
Magistor

83. 83
Magistor “sexy” logs
83

84. 84
Magistor app Dashboard
84

85. 85
#Splunk4Rookies

86. Thank You

87. Thank You

88. Copyright © 2016 Splunk Inc.
Time for a Break

89. Copyright © 2016 Splunk Inc.
Weclome Back

90. Copyright © 2016 Splunk Inc.
Scoping Infections and Disrupting
Breaches
Matthias Maier
Security Evangelist, Splunk

91. 91
Splunk Security Solutions
MORE
…
SECURITY APPS & ADD-ONS SPLUNK
USER BEHAVIOR ANALYTICS
Wire data
Windows = SIEM integration
RDBMS (any) data
SPLUNK
ENTERPRISE SECURITY
SECURITY &
COMPLIANCE
REPORTING
MONITORING
OF KNOWN
THREATS
ADVANCED AND
UNKNOWN
THREAT
DETECTION
INCIDENT
INVESTIGATION
S & FORENSICS
FRAUD
DETECTION
INSIDER
THREAT

92. 92
Single Platform for Security Intelligence
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING
OF KNOWN
THREATS
DETECT
UNKNOWN
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
FRAUD
DETECTION
INSIDER
THREAT
Splunk Complements, Replaces and Goes Beyond Existing SIEMs

93. 939
TRADITIONAL DEFENSES ARE NO
LONGER EFFICENT ENOUGH

94. 94
The Ever-Changing Threat Landscape
9
53%
Victims notified by
external entity
100%
Valid credentials
were used
229
Median # of days
before detection
Source: Mandiant M-Trends Report 2012-2016

95. 95
Source: Verizon DBR
Attacks often start with an email:
50%CLICK ON PHISHING LINKS
WITHIN THE FIRST HOUR
23%OF RECIPENTS OPEN PHISHING
MESSAGES
11%OF RECIPENTS CLICK ON
ATTACHMENTS

96. 96
True Story: State of Michigan (SOM) – User account spoofing
Phishing Mail: Mailbox reached storage limit...
Outlook Web Access Portal custom design of
SOM was rebuilt by attacker
Provide E-Mail, Username, Password and Date
of Birth...
To how many Users was the mail delivered?
How many clicked?
How many filled out?
Delivered to 2800 Employees before being
blocked
155 Employees clicked the link
144 Employees provided their credentials
Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann

97. 97
Required Data Sources
Required Capabilities
The Attack Kill Chain
Demo Investigation
Learn More
Roadmap

98. 98
Required Data Sources
Roadmap

99. 99
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMBD
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Authentication
9
Data Sources
Traditional SIEM

100. Persist, Repeat
Threat Intelligence
Access/Identity
Endpoint
Network
Attacker, know relay/C2 sites, infected sites, IOC,
attack/campaign intent and attribution
Where they went to, who talked to whom, attack
transmitted, abnormal traffic, malware download
What process is running (malicious, abnormal, etc.)
Process owner, registry mods, attack/malware
artifacts, patching level, attack susceptibility
Access level, privileged users, likelihood of infection,
where they might be in kill chain
• Third-party threat intel
• Open-source blacklist
• Internal threat intelligence
• Firewall, IDS, IPS
• DNS
• Email
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching
• Active Directory
• LDAP
• CMDB
• Operating system
• Database
• VPN, AAA, SSO
Data Sources for our investigation today
• Web proxy
• NetFlow
• Network

101. Required Data Sources
Required Capabilities
Roadmap

102. Splunk Analytics-driven Security
Risk-
Based
Context and
Intelligence
Connecting Data
and People

103. 103
Capabilities—Scoping Infections and Breaches
Report
and
Analyze
Custom
Dashboards
Monitor
and Alert
Ad hoc
Search
Threat
Intelligence
Asset
& CMDB
Employee
Info
Data
Stores
Applications
Raw Events
Online
Services
Web
Services
Security
GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
Applications
Messaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
Firewall
Authentication
Threat
Intelligence
Servers
Endpoint

104. 105
Required Data Sources
Required Capabilities
The Attack Kill Chain
Roadmap

105. 106
Adversary Perspective—Attack Kill Chain
Discovery
Weaponization
Delivery
Exploitation
Installation
Command and
Control (C2)
Actions on
Objectives
Lockheed Martin white paper: Intelligence-Driven Computer Network Defense of Analysis of Adversary Campaigns and Intrusion Kill Chains

106. 107
Exploitation != GameOver

107. 108
Kill Chain—Breach Example
http (web) session to
command & control
server
Remote control
Steal data
Persist in company
Rent as botnet
WEB
Delivery Exploitation Installation C2 Actions on Objectives
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker creates
malware, embed in .pdf,
emails
to the target
MAIL
Read email, open attachment
Threat Intelligence
Access/Identity
Endpoint
Network

108. 109
Required Data Sources
Required Capabilities
The Attack Kill Chain
Demo Investigation
Roadmap

109. 110
Demo

110. 111
Demo Review
Challenges
– Difficult to go from threat-intel match to root cause
– Hard to determine – was there a breach?
Sources
– Threat intel – open source threat intel feed
– Network – web proxy logs, email logs
– Endpoint – endpoint monitoring agent
– Access/identity – asset management database
Finding the root cause: connecting the dots
– Match the threat-intel IP to network data to identify the infected machine
– Identify the malicious process by mapping network data to endpoint data
– Discover the infected email by matching local file access to email data

111. 112
Best Practices—Breach Response Posture
Bring in data from at least one from each category:
– Network – next gen firewall or web proxy, email, DNS
– Endpoint – Windows logs, registry changes, file changes
– Threat intelligence – open source or subscription based
– Access and identity – authentication events, machine-user mapping
Establish a security intelligence platform so analysts can:
– Contextualize events, analytics and alerts
– Automate analysis and exploration
– Share techniques and results to learn and improve

112. 113
Source: Verizon DBR2015
IF IT HAPPENS TODAY?
HOW LONG DOES IT TAKE YOU TO
ANSWER UPCOMING QUESTIONS?
50%CLICK ON PHISHING LINKS
WITHIN THE FIRST HOUR
5

113. Travis Perkins built a lean
SOC with Splunk
Close collaboration with IT-Operations
Team for remediation
Moved from a failed SIEM deployment
with appliances to a lean and agile SOC
Quicker from ingesting new data to
creating meaningful correlations

114. 115
Required Data Sources
Required Capabilities
The Attack Kill Chain
Demo Investigation
Learn More
Roadmap

115. 116
Next Step: Discovery Workshop
What’s your Security Use Case?
• Cost justification against your management
• Success measurement
• Prioritization
• Scoping of data sources / data volume / costs
• Establishing organizational processes
• Data privacy justification
1

116. Explore:
How Travis Perkins built
a SOC in the Cloud
http://blogs.splunk.com/2016/09/14/trust-
and-resilience-at-the-speed-of-business-
how-travis-perkins-built-a-lean-soc-with-
splunk-in-the-cloud/
Join:
Our Community with
Apps, Ask Questions or
join a SplunkLive! event
https://www.splunk.com/en_us/community.html
Try:
Splunk Enterprise Security
in our Sandbox with 50+
Data Sources
https://www.splunk.com/getsplunk/es_sandbox
Q&A
Thank you

117. Thank You

118. Copyright © 2016 Splunk Inc.
Interactive Demo

119. Copyright © 2016 Splunk Inc.
www.discoversplunk.com

120. Copyright © 2016 Splunk Inc.
Q&A

121. Copyright © 2016 Splunk Inc.
Lunch