SplunkLive! Boston
Jason Pufahl, Chief Information Security Officer

About Jason
•  Chief Information Security Officer at the University of Connecticut

Original Issues
•  Not enough people had access to the data
o  Making sense of the data for non-technical types and visualizations
o  Today: 130 people with access to Splunk, widely viewed as a resource
•  Decentralized IT structure doesn’t allow for a full scope across departments
•  Incident response times and capacity planning
•  Helping law enforcement
o  Track down missing students
o  Find stolen IT assets

Decreasing Incident Response Times
•  Heavily centralized the authentication system; combined with Splunk, this allows us to correlate locations and incidents
•  Response times have decreased from hours to minutes
•  Example: servicing a law enforcement request dropped from a 3 day turnaround to 20 minutes

Data Sources and Splunk Apps
•  Data: Firewalls, IPS, DHCP, Antivirus, NAC, web servers, Active Directory, Exchange, VMware, SCCM, switches, custom applications, many others
•  Apps: Splunk for Exchange, Splunk for AD, Splunk on Splunk, Google Maps, DNS, DB Connect, Deployment monitor, many custom apps and commands
•  Volume: 90 to 180 GB/day (rare spikes during data intake of new departments)

Encouraging Departments to Understand their Data
•  Encourages standardization of operating systems
•  SecureU initiative
o  If you run an IT device of some sort, your log data has to be collected
o  Each school/division gets 2 gigs each, which increased adoption
•  Allows central IT to see trends across the entire University
•  Reports sent to Deans and Directors at each department
o  Encourages healthy competition for security compliance
•  The “Security Score”
o  Getting university departments to understand the importance and value of security

Encouraging Departments to Understand their Data (example)
[Chart: Operating System demographics]

Encouraging Departments to Understand their Data (example)
[Chart: Operating Systems by population]

Encouraging Departments to Understand their Data (example)
[Chart: Departmental Antivirus demographics]

Demographics by Campus (example)
[Chart: Campus Antivirus demographics]

Helping Law Enforcement
•  Alerts set for stolen IT assets when they get back on the network
o  MACs of lost devices flagged => triggers Splunk alert
•  Missing person’s alerts? Well they aren’t missing, they just aren’t calling Mom back – they’ve been on the network
•  Resolving a bomb threat
o  Able to identify the culprit thanks to accessory data collected by Splunk
o  "Fringe" data can be security data too

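The stolen-asset alert on this slide is a watch-list match: the DHCP feed already in Splunk is checked against the MACs of devices reported lost, and a lease for a flagged MAC raises an alert. The Python below is an added example written for this page, not code from the deck or from UCONN; the dhcpd-style log lines and the watch list are constructed. It also handles the detail that bites such lists in practice: the helpdesk records MACs in several notations (colon, dash, Cisco dotted, mixed case), so every value is normalized before comparison. Only DHCPACK lines count, because an ACK ties the MAC to a lease, a relay subnet and a time, which is what law enforcement actually needs.

```python
import re

# Constructed watch list: MACs of devices reported lost/stolen, written the way the
# helpdesk happened to record them (colon, Cisco dotted, mixed case).
FLAGGED_MACS_RAW = [
    "00:1A:2B:3C:4D:5E",      # laptop reported stolen
    "aabb.ccdd.eeff",         # tablet reported lost, recorded Cisco-style
]

def normalize_mac(raw):
    """Canonical lowercase colon-separated form; None if the value is not a 48-bit MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

FLAGGED_MACS = {m for m in map(normalize_mac, FLAGGED_MACS_RAW) if m}

# Constructed ISC dhcpd-style syslog lines (illustrative format, not the deck's real feed).
SAMPLE_DHCP_LOG = """\
Jun 10 08:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via 10.20.1.1
Jun 10 08:12:02 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to 00:1a:2b:3c:4d:5e (jdoe-laptop) via 10.20.1.1
Jun 10 08:12:05 dhcp1 dhcpd: DHCPACK on 10.20.1.78 to 00:aa:bb:cc:dd:ee (printer-3) via 10.20.1.1
Jun 10 09:30:44 dhcp2 dhcpd: DHCPACK on 10.30.4.12 to aa:bb:cc:dd:ee:ff via 10.30.4.1
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))? via (?P<relay>\S+)"
)

def stolen_asset_alerts(log_text, flagged=FLAGGED_MACS):
    """One alert per DHCPACK whose client MAC is on the watch list.
    DISCOVER lines are ignored: they prove nothing about where the device
    ended up, while an ACK records the lease, the relay subnet and the time."""
    alerts = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if mac in flagged:
            alerts.append({
                "time": m.group("ts"),
                "mac": mac,
                "ip": m.group("ip"),
                "hostname": m.group("host") or "",
                "relay": m.group("relay"),   # relay address locates the subnet/building
            })
    return alerts

if __name__ == "__main__":
    for alert in stolen_asset_alerts(SAMPLE_DHCP_LOG):
        print(alert)
```

Run as a script it prints two alerts, one for each flagged MAC; the relay address is kept because, in a campus network, it is the fastest way from a lease to a building and wiring closet.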
GeoIP Analysis
Goal:
Flag user logins occurring further from campus than the user's norm (e.g. a phishing attack immediately followed by a login from China or Russia)
Search foundation:
sourcetype="vpn" "Login succeeded" | table src_ip, netid | geoip src_ip | haversine origin="41.808333,-72.249444" inputFieldLat=src_ip_latitude inputFieldLon=src_ip_longitude units=mi | stats max(mi) by netid, geo_info

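The search above does three things: geolocate each successful VPN login, measure its great-circle distance from the campus origin, and keep the farthest login per user. The Python below is an added example written for this page, not the deck's or UCONN's code, and it does not use Splunk: it re-implements the pipeline stages (the haversine distance, the per-netid max) over constructed VPN log lines and a constructed stand-in for the geoip lookup. The origin coordinates are the ones in the slide's search; the log line format, the IP-to-location table and the per-user baseline distances are assumptions. It also adds the step the slide's goal implies but the foundation search does not yet do: comparing each user's farthest login against that user's own norm rather than a single global threshold.

```python
import math
import re

# Campus origin taken from the deck's search; Earth radius in statute miles.
ORIGIN_LAT, ORIGIN_LON = 41.808333, -72.249444
EARTH_RADIUS_MI = 3958.8

def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles (the formula behind the haversine command)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))

# Constructed stand-in for the geoip lookup: src_ip -> (latitude, longitude, geo_info).
# Addresses come from documentation ranges and carry no real meaning.
GEOIP = {
    "192.0.2.10":   (41.8084, -72.2494, "Storrs, US"),
    "192.0.2.20":   (42.3601, -71.0589, "Boston, US"),
    "203.0.113.77": (39.9042, 116.4074, "Beijing, CN"),
}

# Constructed VPN events in a syslog-like shape (assumed format, not the real sourcetype).
SAMPLE_LOG = """\
2013-06-10T08:01:02 vpn: Login succeeded netid=jdoe src_ip=192.0.2.10
2013-06-10T09:15:40 vpn: Login succeeded netid=jdoe src_ip=192.0.2.20
2013-06-10T09:16:01 vpn: Login failed netid=jdoe src_ip=203.0.113.77
2013-06-10T23:42:13 vpn: Login succeeded netid=jdoe src_ip=203.0.113.77
2013-06-10T10:00:00 vpn: Login succeeded netid=asmith src_ip=192.0.2.10
"""

LOGIN_RE = re.compile(r"Login succeeded netid=(\S+) src_ip=(\S+)")

def login_distances(log_text):
    """Equivalent of `table src_ip, netid | geoip src_ip | haversine ...`:
    one (netid, src_ip, miles, geo_info) row per successful login."""
    rows = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue                      # failed logins and unrelated events drop out
        netid, src_ip = m.groups()
        if src_ip not in GEOIP:
            continue                      # no geo record: same as a null lookup result
        lat, lon, label = GEOIP[src_ip]
        rows.append((netid, src_ip, haversine_mi(ORIGIN_LAT, ORIGIN_LON, lat, lon), label))
    return rows

def max_distance_by_netid(log_text):
    """Equivalent of `stats max(mi) by netid`: farthest login per user and its geo_info."""
    farthest = {}
    for netid, _ip, miles, label in login_distances(log_text):
        if netid not in farthest or miles > farthest[netid][0]:
            farthest[netid] = (miles, label)
    return farthest

def flag_outliers(log_text, baseline_mi, margin_mi=50.0):
    """Flag users whose farthest login exceeds their own norm by more than margin_mi.
    baseline_mi maps netid -> typical max distance, assumed to come from an earlier
    search over a longer window; a user with no history gets a norm of 0 miles."""
    alerts = []
    for netid, (miles, label) in max_distance_by_netid(log_text).items():
        norm = baseline_mi.get(netid, 0.0)
        if miles > norm + margin_mi:
            alerts.append({"netid": netid, "miles": round(miles, 1), "geo_info": label})
    return alerts

# Constructed per-user norms in miles (in practice derived from prior weeks of logins).
BASELINE = {"jdoe": 80.0, "asmith": 5.0}

if __name__ == "__main__":
    for a in flag_outliers(SAMPLE_LOG, BASELINE):
        print(a)
```

With the sample data, jdoe's Boston login (about 72 miles out) sits inside that user's norm, while the later login from Beijing (roughly 6,770 miles) is flagged; asmith, who only ever logs in from campus, is not. The per-user baseline is what keeps a travelling user from alerting every day while still catching the single far-away login that the slide describes.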
GeoIP Analysis (example)
[Chart: VPN logins over 24h]

Capacity Planning
•  Splunk allows us to see and anticipate which wired and wireless points on campus are being used at which times of day, and to allocate accordingly
•  Two examples:
o  Single sign-on authentication via CAS: rate of usage over time
o  Wireless networks: utilization high water marks over time

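A "high water mark over time" is the peak number of clients an access point held concurrently within each time bucket. The Python below is an added example for this page, not the deck's or UCONN's code and not a Splunk search: it reconstructs those hourly peaks from constructed wireless-controller association events (the `assoc`/`disassoc` line format is an assumption). The detail worth showing is the carry-forward: a client that associates at 09:10 and stays on until the evening must still count in every hour in between, even though no event is logged in those hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed controller events (assumed format):
# "<ISO time> <access-point> <assoc|disassoc> <client-mac>"
SAMPLE_WIFI_LOG = """\
2013-06-10T08:00:00 ap-library-1 assoc 00:11:22:33:44:01
2013-06-10T08:05:00 ap-library-1 assoc 00:11:22:33:44:02
2013-06-10T08:50:00 ap-library-1 disassoc 00:11:22:33:44:01
2013-06-10T09:10:00 ap-library-1 assoc 00:11:22:33:44:03
2013-06-10T09:20:00 ap-library-1 assoc 00:11:22:33:44:04
2013-06-10T09:40:00 ap-library-1 disassoc 00:11:22:33:44:02
2013-06-10T09:00:00 ap-dorm-3 assoc 00:11:22:33:44:05
2013-06-10T23:30:00 ap-dorm-3 assoc 00:11:22:33:44:06
"""

def hourly_high_water_marks(log_text):
    """Per access point, the peak number of concurrently associated clients in each
    hour, keyed "YYYY-MM-DDTHH". Events are sorted first so out-of-order lines do
    not corrupt the running count."""
    events = sorted(tuple(line.split()) for line in log_text.splitlines() if line.strip())
    active = defaultdict(set)     # ap -> clients currently associated
    peaks = defaultdict(dict)     # ap -> {hour key: peak count}
    clock = None                  # last hour boundary we have recorded

    def record(hour):
        key = hour.strftime("%Y-%m-%dT%H")
        for ap, clients in active.items():
            peaks[ap][key] = max(peaks[ap].get(key, 0), len(clients))

    for ts, ap, action, mac in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        # Carry the current count into every hour that passed without an event,
        # so long-lived sessions are counted in hours where nothing was logged.
        while clock is not None and clock < hour:
            clock += timedelta(hours=1)
            record(clock)
        clock = hour
        if action == "assoc":
            active[ap].add(mac)
        else:
            active[ap].discard(mac)   # a disassoc with no matching assoc is harmless
        record(hour)
    return {ap: dict(hours) for ap, hours in peaks.items()}

def overall_peak(high_water):
    """Per access point, the (hour, count) of its busiest hour; earliest hour on ties."""
    result = {}
    for ap, hours in high_water.items():
        peak = max(hours.values())
        result[ap] = (min(h for h, n in hours.items() if n == peak), peak)
    return result

if __name__ == "__main__":
    marks = hourly_high_water_marks(SAMPLE_WIFI_LOG)
    for ap, (hour, count) in overall_peak(marks).items():
        print(f"{ap}: peak {count} clients at {hour}")
```

On the sample data the library AP peaks at 3 clients in the 09:00 hour and holds 2 for the rest of the day, while the dorm AP reaches its peak of 2 only at 23:00, which is the kind of time-of-day profile the slide is describing.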
Capacity Planning (example)
[Chart: Capacity planning as influenced by rate of growth (single sign-on)]

Capacity Planning (example)
[Chart: Capacity planning as influenced by rate of growth (wireless network)]

Protecting Against Breaches and Fines for Personally Identifiable Information
•  Used Splunk to identify PII across systems
o  The DLP tool finds the PII; Splunk is used for reporting
o  PII removed to avoid breaches and fines
•  Identified PII is used in the security score
o  Avoided millions in fines
o  Increased program participation

Future Goals and Plans
•  Doing more correlation across systems and becoming more proactive
o  e.g., across auth systems, AV, NAC, IPS, and PII to provide granular and actionable threat prioritization
•  UCONN as a service provider for other educational facilities across the state of Connecticut

Results/ROI
•  Response times have decreased from hours to minutes
•  Standardized operating systems
•  Changed each department’s behavior to encourage upgrading anti-virus software and security measures
•  Huge risk reduction
•  Saved millions in potential fines from PII and breaches
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

SplunkLive! Boston June 2013 - UCONN

Encouraging Departments to Understand their Data (example)
Operating Systems by population

Encouraging Departments to Understand their Data (example)
Departmental Antivirus demographics

Demographics by Campus (example)
Campus Antivirus demographics
Helping Law Enforcement
•  Alerts set for stolen IT assets when they get back on the network
o  MACs of lost devices flagged => triggers Splunk alert
•  Missing person’s alerts? Well they aren’t missing, they just aren’t calling Mom back – they’ve been on the network
•  Resolving a bomb threat
o  Able to identify culprit due to accessory data collected by Splunk
o  "Fringe" data can be security data too
GeoIP Analysis
Goal: Flag user logins occurring further from campus than the user’s norm (e.g. a phishing attack immediately followed by a login from China or Russia)
Search foundation:
sourcetype="vpn" "Login succeeded" | table src_ip, netid | geoip src_ip | haversine origin="41.808333,-72.249444" inputFieldLat=src_ip_latitude inputFieldLon=src_ip_longitude units=mi | stats max(mi) by netid, geo_info

GeoIP Analysis
VPN logins over 24h
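The distance check behind the GeoIP Analysis search, as an added Python example that is not part of the presentation or of Splunk. It assumes the VPN events already carry the src_ip_latitude and src_ip_longitude fields that the geoip lookup would add, reuses the campus origin from the search, and all sample events, netids and addresses are constructed. It goes one step beyond the slide's stats max(mi) by netid: each login is scored against the user's own median distance from campus, so a remote worker who always connects from far away is not flagged, while a user whose logins normally sit near campus is flagged the moment one lands thousands of miles out.

```python
import math
import re
import statistics
from collections import defaultdict

# Campus origin taken from the slide's haversine search (Storrs, CT).
CAMPUS_ORIGIN = (41.808333, -72.249444)
EARTH_RADIUS_MI = 3958.8

# Constructed VPN events in key=value form (assumed layout, not a real UCONN
# log format). In the real search the src_ip_latitude/src_ip_longitude fields
# come from the geoip lookup; they are embedded here so the example runs offline.
SAMPLE_EVENTS = [
    '2013-06-01T08:01:12 sourcetype=vpn msg="Login succeeded" netid=jdoe src_ip=203.0.113.10 src_ip_latitude=41.7658 src_ip_longitude=-72.6734',
    '2013-06-02T08:03:40 sourcetype=vpn msg="Login succeeded" netid=jdoe src_ip=203.0.113.10 src_ip_latitude=41.7658 src_ip_longitude=-72.6734',
    '2013-06-03T07:58:05 sourcetype=vpn msg="Login succeeded" netid=jdoe src_ip=203.0.113.11 src_ip_latitude=41.7658 src_ip_longitude=-72.6734',
    '2013-06-03T09:14:51 sourcetype=vpn msg="Login succeeded" netid=jdoe src_ip=198.51.100.7 src_ip_latitude=55.7558 src_ip_longitude=37.6173',
    '2013-06-03T09:20:00 sourcetype=vpn msg="Login failed" netid=jdoe src_ip=198.51.100.7 src_ip_latitude=55.7558 src_ip_longitude=37.6173',
    '2013-06-01T13:10:02 sourcetype=vpn msg="Login succeeded" netid=asmith src_ip=203.0.113.50 src_ip_latitude=41.8781 src_ip_longitude=-87.6298',
    '2013-06-02T13:12:44 sourcetype=vpn msg="Login succeeded" netid=asmith src_ip=203.0.113.50 src_ip_latitude=41.8781 src_ip_longitude=-87.6298',
    '2013-06-03T13:09:31 sourcetype=vpn msg="Login succeeded" netid=asmith src_ip=203.0.113.51 src_ip_latitude=41.8781 src_ip_longitude=-87.6298',
    '2013-06-03T02:41:19 sourcetype=vpn msg="Login succeeded" netid=cbrown src_ip=198.51.100.200 src_ip_latitude=39.9042 src_ip_longitude=116.4074',
]

# key=value pairs, with either a double-quoted or a bare value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points (what the
    search's haversine command computes with units=mi)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def parse_event(line):
    """Return netid, src_ip and distance from campus for one successful VPN
    login, or None for lines the search would drop (failures, no geolocation)."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("sourcetype") != "vpn" or fields.get("msg") != "Login succeeded":
        return None
    try:
        lat = float(fields["src_ip_latitude"])
        lon = float(fields["src_ip_longitude"])
        netid, src_ip = fields["netid"], fields["src_ip"]
    except (KeyError, ValueError):
        return None  # private address or lookup miss: no coordinates to score
    return {"netid": netid, "src_ip": src_ip, "mi": haversine_mi(*CAMPUS_ORIGIN, lat, lon)}


def max_distance_by_netid(events):
    """Equivalent of the slide's `stats max(mi) by netid`."""
    out = {}
    for e in filter(None, map(parse_event, events)):
        out[e["netid"]] = max(out.get(e["netid"], 0.0), e["mi"])
    return out


def flag_anomalous_logins(events, threshold_mi=500.0, min_history=2):
    """Flag logins further from campus than the user's norm.

    The norm is the median distance of the user's *other* logins, so a single
    outlier does not pull its own baseline. A user with fewer than min_history
    other logins has no norm yet and is compared against campus itself (so a
    brand-new account logging in from overseas is still flagged)."""
    by_user = defaultdict(list)
    for e in filter(None, map(parse_event, events)):
        by_user[e["netid"]].append(e)
    flagged = []
    for netid, evs in by_user.items():
        dists = [e["mi"] for e in evs]
        for i, e in enumerate(evs):
            others = dists[:i] + dists[i + 1:]
            baseline = statistics.median(others) if len(others) >= min_history else 0.0
            if e["mi"] - baseline > threshold_mi:
                flagged.append({"netid": netid, "src_ip": e["src_ip"],
                                "mi": round(e["mi"], 1), "baseline_mi": round(baseline, 1)})
    return flagged


if __name__ == "__main__":
    for netid, mi in max_distance_by_netid(SAMPLE_EVENTS).items():
        print(f"{netid}: max {mi:.0f} mi from campus")
    for f in flag_anomalous_logins(SAMPLE_EVENTS):
        print("ALERT", f)
```

In the constructed sample, asmith's logins are all roughly 790 miles out but never flagged because that is that user's norm; jdoe's single login from Moscow is flagged against a baseline of about 22 miles; and cbrown, with no history, is flagged against campus. The threshold is in miles and deliberately coarse: the slide's aim is to catch a phished account used from another continent minutes after the lure, not to police commuting distance.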
Capacity Planning
•  Splunk allows us to see and anticipate which wired and wireless points on campus are being used at which times of day to allocate accordingly
•  Two examples:
o  Single sign on authentication via CAS: rate of usage over time
o  Wireless networks: utilization high water marks over time

Capacity Planning (example)
Capacity planning as influenced by rate of growth (Single sign on)

Capacity Planning (example)
Capacity planning as influenced by rate of growth (Wireless network)
Protecting Against Breaches and Fines for Personally Identifiable Information
•  Used Splunk to identify PII across systems
o  DLP tool finds the PII and Splunk is used for reporting
o  Removed to avoid breaches and fines
•  Identified PII used in security score
o  Avoided millions in fines
o  Increased program participation

Future Goals and Plans
•  Doing more correlation across systems and becoming more proactive
o  e.g., across auth systems, AV, NAC, IPS, and PII to provide granular and actionable threat prioritization
•  UCONN as a service provider for other educational facilities across the state of Connecticut

Results/ROI
•  Response times have decreased from hours to minutes
•  Standardized operating systems
•  Changed each department’s behavior to encourage upgrading anti-virus software and security measures
•  Huge risk reduction
•  Saved millions in potential fines from PII and breaches