Splunk and Cisco UCS Breakout Session

1. Robert Novak, Cisco Big Data Partner CSE
March 2016
Splunk in the Cisco UCS Ecosystem
How Cisco and its customers deploy,
use, and scale Splunk environments
with the Cisco Unified Computing System

2. Who am I and why am I here?
Today: Consulting Systems Engineer
for Cisco’s Americas Partner Organization
Focused on big data and analytics
UNIX Sysadmin for ~20 years (retired)
Full stack: servers, storage, network, coffee
149 to 149k person companies
Sun, Nortel, 3PAR, Ebay, Trulia, Disney, etc
“Big Data” herder since 2003
Hadoop admin (certifiable) since 2009
Cisco UCS C-Series admin since 2011 (early adopter!)
Charter Cisco Champion, VMware vExpert since 2013
Blogger at rsts11.com and Cisco Blogs
Tweeter at @gallifreyan and @rsts11

3. Agenda
• Hardware still matters!
• How Cisco uses Splunk internally
• How some of our customers use Splunk on UCS
• Cisco integrations with Splunk
• The Unified Computing System advantage
• Learn More

4. Hardware Still Matters
A quick glance at infrastructure for Splunk

5. Why does hardware still matter?
5
• Splunk will run on almost anything (even my laptop)
• Standalone servers have lower admin overhead
• Build up your clusters and you have to keep them consistent
• Grow your data sources (and uses) and you have to add
servers
• Cluster constipation is bad, mmmkay?

6. Why does hardware still matter?
6
• Cisco customer big data pools tend to grow 2-3x/year
• Cisco customer IT staff doesn’t grow as fast
• The Cisco Unified Computing System (UCS) provides
scalable, repeatable, predictable, and manageable
deployments across dozens to thousands of servers for any
application deployment
• Pallet to production in hours, not days or weeks
• Deep engineering integration between Cisco and Splunk with
tested and proven configurations
More on this later…

7. How Cisco Uses Splunk
Part 1
Operational Analytics at Enterprise Scale
within Cisco IT

8. Big Data at a Big Customer: Cisco
8
• 10s of thousands of employees, contractors, devices
• 100s of offices, business apps, audiences
• Lots of data in lots of places
• No one tool (not even Splunk) can do everything for
everyone all the time
• High volume, low value, low shelf life
• Lancope, Hadoop feed into Splunk
• Low to moderate volume, high value, (any) shelf life
• Splunk on its own, sometimes with fronting dashboards
• Additional visualizations with Platfora, Tableau, etc

9. A closer look at Splunk within Cisco
9
• Customer for 7+ years, strategic partner for 3+ years
• Geographically disparate data collection and analysis
• Over 70 business applications/use cases across the company
• Around 20 teams using Splunk including Cisco IT and CSIRT
• Nearly 10x growth in search volume from 2014-2016

10. 10 Indexers
16 Search Heads
thanks to search head
clustering in Splunk 6.3
47 Search Heads
20 Indexers
Daily Indexing
~ 2TB
2014
2014
2015
2015
2015
Cisco’s IT Operations Evolving with Splunk
Daily Indexing
300G
2010

11. Splunk Searches – Daily Average
1. Interactive Searches = 55K+ 2. Scheduled Searches = 45K+
3. Total Searches = 100K+ 4. Number of Users = 180+

14. How Cisco Uses Splunk
Part 2
Security Analytics at Enterprise Scale:
Cisco’s Computer Security Incident Response
Team (CSIRT)

15. About CSIRT
• Cisco Computer Security Incident Response Team (CSIRT)
• CSIRT = Security Monitoring and Incident Response
• Architecture, Engineering, Research, and Investigations
• Enterprise global threat and 24x7 incident response

16. CSIRT Environments Recent Snapshot
 300 locations in 90 countries
 400 buildings
 1500+ labs
 100,000+ employees on network
 50-300 malware-related cases opened in a typical week
 650,000+ ip devices on network
 130,000 windows hosts
 50,000 Linux hosts
 40,000 routers
 2-3 million highly tuned ids events per day
 10+ billion netflow records per day

17. Deploying Splunk as SIEM
• SIEM: Security Information and Event Management platform
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered and effective team
– 2TB/day and searches take less than a minute. 7 global data centers with 350TB stored data
– Flashback Malware contained to a fraction of the environment
– Replaced older pre-big-data SIEM
 Previous solution didn’t scale effectively
 Queries in the minutes (or worse) rather than seconds with Splunk
 Diverse functionality across the same aggregate data

18. Looking at our customers
Successful deployments
with Cisco UCS and Splunk

19. Threat Management at Govt Agency
19
• Agency wanted to manage and monitor all relevant alert data
• Needed visibility across multiple security platforms
• Centralized on scalable appliance model through a partner
• Splunk Enterprise with Enterprise Security[1] premium app
• By deploying on Cisco UCS with proven Cisco Validated
Design, partner was able to deliver easily upgraded and
expanded deployment with predictable results
[1] Splunk won Best SIEM Solution (Enterprise Security) and Best Fraud Prevention Solution
(Splunk Enterprise) awards from SC Magazine this month (Splunk press release)

20. Fraud prevention for Online School
20
• Leading online university needed to track student activity
• Federal agencies have stringent requirements for loan
qualifications and fulfillment
• Deployed Splunk on UCS for student activity tracking
• Blocking millions in fraudulent loan claims
• Saving over 75% on auditing and compliance expenses
• Saving over $1M/year on data processing
• Deployed and expanded other analytics (security operations,
IT operations, and application deployment)
• Splunk on UCS grows beyond initial use cases and teams at
most of our customers

21. 21
• Leading worldwide financial services company used Splunk
for IT Operations analytics
• When an electronic payment platform deployment came up,
Splunk was enlisted to support rollout and monitoring in
ridiculously short time frame
• Speed and scalability led to use cases for security and fraud
detection/prevention, marketing optimization, customer
engagement and offers, and more
• Customer continues to grow their Splunk environment (over
10x in first year, and still growing!)
IT Ops & beyond for financial services

22. 22
• Customer needed quick updates, secure services, and high availability
• Deployed Splunk Enterprise on UCS to replace older hardware and
software platforms that didn’t scale well
• Splunk and UCS delivered a more robust security posture with faster
investigation and resolution of security events
• High performance security analytics solution enables hospital to identify
attack patterns and unauthorized actions that would otherwise go
undetected.
• Reduced space/power/cooling by 75%
• Server deployment time reduced from 7 days to 1 day.
See Cisco’s case study at cisco.com
and Splunk’s case study at splunk.com
Secure Healthcare at Union Hospital

23. Got Cisco?
There’s an app for that…
(or a technology add-on, at least)

24. CiscoSecuritySuiteApp
Splunk & Cisco Integrations
Security
Identity Services
Engine (pxGrid)
Sourcefire
(including AMP)
ASA/PIX/FWSM
Firewalls
Web Security
Appliance (WSA)
Email Security
Appliance (ESA)
IPS
Cloud Web Security
(CWS)
AnyConnect
OpenDNS, ThreatGrid
(in development)
Data Center/
Insieme
Cisco UCS
Nexus 9K
Application Centric
Infrastructure
(ACI - APIC)
UCS Integrated
Infrastructures Optimized
for Splunk Enterprise
High Performance
High Capacity
Enterprise
Networking
Switching and
Routing
Catalyst Switches
Nexus
(1000V, 2000, 3000, 4000,
5000, 6000, 7000, 9000)
Meraki Wireless
NGN Routers
(CRS, ASR, ISR)
Open SDN Network
Controller
APIC EM
Collaboration
Call Manager
• Inaugural SIEM & Threat Defense Partner
• Inaugural pxGrid partner
• Inaugural member of new Cisco Security
Technical Alliances program
• Inaugural ACI Partner
• Inaugural Data Analytics
Partner
• Cisco Cloud Security for VMDC 1.0 Design Guide (link)
• Cisco UCS Integrated Infrastructure for Splunk Enterprise (Distributed Deployment, High Capacity) (link)
CiscoNetworksApp

25. Splunk App for Cisco UCS
NEW AND IMPROVED as of May 28, 2016
Aggregates, monitors, trends and analyzes all
relevant data from Cisco UCS Manager
instances
Enables proactive capacity and performance
monitoring/ management, fault trending,
power and cooling, and more
Works with other Splunk add-ons and data
sources (including Enterprise Security and
PCI Compliance add-ons) to aggregate and
correlate data across your enterprise
25
Application
s
Operating Systems
Hypervisors
UCS server, storage,
network

26. Splunk on Cisco UCS

27. What is
Cisco’s
Unified
Computing
System
(UCS)?
Unified Management: UCS Manager
uses policy-based configuration to
ensure consistent deployments
Unified Fabric: Integrated 10/40 Gigabit
Ethernet and Storage Networking
(FCoE/iSCSI)
Service Profiles: Maintain consistency
across batches of servers and multiple
applications. Deploy and expand in
record time.
Performance: Built with 10GbE and
40GbE at the core, repeatable
configurations and performance, and
over 100 benchmark records

28. Why Splunk
on Cisco
UCS?
Time to Deployment: Spin up a
mutually validated, pre-tested
environment in hours rather than days or
weeks
Total Cost of Ownership: Integrated
networking and management reduce
customer cost and effort to migrate,
deploy, and expand
Time to Grow: Expand servers and
network capacity quickly and
consistently

29. Cisco UCS + Splunk = Better Together
Seamless Scalability Facilitates Rapid Growth
– Scale Splunk from a single server to distributed/clustered deployment
– Grow your clusters efficiently and consistently
– Runs on the same UCS C-Series servers as other big data platforms
Split Second Response Times
– Exceptional performance for “needle-in-a-haystack” searches
– Consistent performance as simultaneous users increase
Simplified Repeatable Deployments
– Four pre-tested UCS Integrated Infrastructures
– Capacity or performance optimization
– NEW! Cisco Validated Design (CVD) with HA and Archiving

30. 250 GB indexed per day
4 months retention
250 GB indexed per day
1 month retention
Single Server
Cisco UCS Reference Architectures
UP to 4TB indexed per day
3 months Retention
Up to 4TB indexed per day
1 year Retention
Clustered Deployment
Retention
optimized
Performance
optimized

31. Cisco Validated Design (CVD) for Splunk
• Developed by Cisco and Splunk
engineers in Spring 2016
• 250+ page guide to design and
deployment, pallet to production
• Based on UCS C-Series (C220, C240,
C3160) servers and Splunk Enterprise
software
• Includes high availability & data archiving
• Download for free at
cisco.com/go/bigdata_design

32. Splunk on UCS : Performance Benchmark Test bed Topology

33. Cisco UCS Benchmark Results
(Splunk Enterprise 6.2 vs 6.3)

34. Learn more about
Splunk and Cisco UCS

35. SplunkBase app resources: splunkbase.splunk.com
Cisco’s Big Data Design Hub: cisco.com/go/bigdata_design
features Cisco Validated Designs (CVDs) and other architectural docs
Big Data Applications Hub: cisco.com/go/bigdata
features reference architectures, solution briefs, infrastructure, automation, etc.
Reach Out!
Already using Splunk? Talk to your Splunk team about Cisco UCS!
Already using Cisco UCS? Talk to your Cisco team about Splunk!
Learn More About Splunk on Cisco UCS!

36. Cisco’s CSIRT engineers
applied their experiences during
the CSIRT deployment to a new
O’Reilly book now available
bitly.com/infosecplaybook
“they wrote the book …”
36

37. Thank you.