Slides from my most recent presentation on how I've grown and utilized Splunk from my former IT Ops days onward... This was my 6th time doing a customer presentation at a Splunk event. The original copy had my employer's branding, etc., but I've removed that to make things simpler, hence some of the ugly empty space :)
5. So we went looking…
Reviewed LogLogic, ArcSight, others
Bought on price, speed, and support for open source platforms
Bring logs together in a single system
Try and Buy model
7. What’s Feeding Splunk
Active Directory
IPS/HIPS
Host performance data
Syslog
Custom application data
AV Data
Webserver logs
Firewall data
Enterprise storage metrics
VPN data
Database audit logs
SNMP data
SSO application data
Backup event data
External sources (i.e. blacklists)
Proxy logs
Physical Badge Access Data
8. Use Cases
Application Monitoring and Troubleshooting
Traffic Monitoring and Trends
Reporting for Enterprise Storage System
Security Analysis
9. Building an Enterprise Security App
Worked with the Security dept.
GQM (Goal-Question-Metric) approach to understand their goals and map them to metrics
Worked with IT architecture and development
Menu and form driven – users can quickly find the view and information they need
Over 80 reports driven through 8 menus and 26 individual views!
10. Enterprise Security App
Menu driven navigation
Easily access the reports needed
Enables better control and policy decisions
11. Enterprise Security App – Highlights!
Ability to build relationships between data from different sources
Proper relationship analysis leads to proactive alerting and event triggers
On demand access to data and reports enables the ability to make timely decisions
Alerting on “out of the norm” privilege escalations from unauthorized users and applications, enhanced by external lookup tables that act as information registries for users and provide asset classifications
Monitors possible data loss by identifying and alerting on attachments and files destined for external domains
Correlate physical data (i.e. badge swipe) with network and application logs to provide a clear understanding of where and when users are accessing the network
Identify malicious behavior based on event timing between web applications and underlying technologies (i.e. databases)
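The badge/network correlation and the lookup-table enrichment above, as an added example that is not the presenter's code or a Splunk search: it joins constructed badge-swipe and VPN events on user within a time window, uses a constructed user registry as the lookup table, and flags a VPN login from outside the office network shortly after that user badged into the office (the credential is then in two places at once), plus VPN logins by users the registry does not know. Log formats, field names, the registry and the office network are all assumptions.

```python
"""Badge-swipe vs. VPN-login correlation with a user registry lookup.

Added example, not the presenter's code or a Splunk search. Log formats,
field names, the user registry and the office network are all constructed
for illustration. Rule: a successful VPN login from outside the office
network, within a few hours of that same user badging into the office, is
flagged (someone at their desk does not need the VPN, so the credential may
be shared or stolen). VPN users absent from the registry are flagged too.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed lookup table playing the role of the "information registry".
USER_REGISTRY = {
    "jsmith": {"home_office": "HQ", "remote_worker": False},
    "alee":   {"home_office": "HQ", "remote_worker": True},
}

# Constructed: address space a badge swipe at an office implies you are on.
OFFICE_NETS = {"HQ": ipaddress.ip_network("10.10.0.0/16")}

# Constructed sample events in key=value form (one line per event).
BADGE_LOG = """\
2013-04-02T08:55:12 type=badge user=jsmith door=HQ-Lobby result=granted
2013-04-02T09:10:40 type=badge user=alee door=HQ-Lobby result=granted
"""
VPN_LOG = """\
2013-04-02T09:31:05 type=vpn user=jsmith src=203.0.113.77 result=success
2013-04-02T09:45:00 type=vpn user=alee src=10.10.5.23 result=success
2013-04-02T11:00:00 type=vpn user=bchen src=198.51.100.9 result=success
2013-04-02T11:05:00 type=vpn user=jsmith src=198.51.100.9 result=failure
"""


def parse_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(field.split("=", 1) for field in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def office_for_door(door):
    """Constructed naming convention: 'HQ-Lobby' -> 'HQ'."""
    return door.split("-", 1)[0]


def find_conflicts(badge_events, vpn_events, window=timedelta(hours=4)):
    """Return one finding per suspicious successful VPN login."""
    findings = []
    for vpn in vpn_events:
        if vpn.get("result") != "success":
            continue
        user = vpn["user"]
        if user not in USER_REGISTRY:
            findings.append({"user": user, "ts": vpn["ts"],
                             "reason": "VPN login by user missing from registry"})
            continue
        src = ipaddress.ip_address(vpn["src"])
        for badge in badge_events:
            if badge["user"] != user or badge.get("result") != "granted":
                continue
            # Only a swipe shortly *before* the VPN login is relevant.
            if not (badge["ts"] <= vpn["ts"] <= badge["ts"] + window):
                continue
            office = office_for_door(badge["door"])
            net = OFFICE_NETS.get(office)
            if net is not None and src in net:
                continue  # VPN client on the office LAN: consistent with the badge
            findings.append({"user": user, "ts": vpn["ts"],
                             "reason": f"badged into {office} at {badge['ts'].time()} "
                                       f"but VPN login from {src}"})
            break
    return findings


if __name__ == "__main__":
    for f in find_conflicts(parse_log(BADGE_LOG), parse_log(VPN_LOG)):
        print(f["ts"], f["user"], f["reason"])
```

The window and the "inside the office network" exemption are the tuning knobs: too long a window flags people who leave the office and connect from home the same afternoon, and without the exemption every split-tunnel client on the office LAN fires. The registry is also what lets the alert carry asset classification and a remote-worker flag for triage, rather than just a username.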
12. Enterprise Security App - Session Profiling
1. Using a given “Session ID”, builds the earliest known footprint, even if the Session ID is not known in the events from other applications or devices
2. Ability to save the search, export, print & share results
3. Entire footprint is constructed through all applications and devices that were touched during the user’s session
4. Visually differentiate device & application events based on icon type
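The footprint construction above, as an added example that is not the presenter's code or a Splunk search: starting from the constructed web-application events that carry the session ID, it widens the footprint to firewall, proxy and database-audit events that do not, by pivoting on fields they share (user, client address) inside the session's time window, repeating until nothing new joins, and tags each event as an application or device event. Source names, field aliases and the sample events are all assumptions.

```python
"""Session footprint across sources that do not all carry the session ID.

Added example, not the presenter's code or a Splunk search. The sources,
field names and events are constructed for illustration. Starting from the
events that do carry the session ID, the footprint is widened to other
sources by pivoting on fields they share (user, client address), bounded by
the session's time window, until no new events join. Each event is tagged
as an application or device event, as the slide's icons differentiate them.
"""
from datetime import datetime, timedelta

# Canonical pivot field -> names it appears under in different sources
# (constructed; the Splunk equivalent would be field aliases).
ALIASES = {
    "session_id": ("session_id",),
    "user": ("user", "app_user"),
    "src_ip": ("src_ip", "client_ip"),
}
SOURCE_KIND = {"webapp": "application", "dbaudit": "application",
               "firewall": "device", "proxy": "device"}

# Constructed sample events from four sources; only webapp carries session_id.
LOG = """\
2013-04-02T10:00:01 source=webapp session_id=S123 user=jsmith src_ip=10.10.5.23 action=login
2013-04-02T10:00:02 source=firewall src_ip=10.10.5.23 dst_ip=10.20.1.5 dport=443 action=allow
2013-04-02T10:00:10 source=proxy client_ip=10.10.5.23 url=https://example.com/ action=allow
2013-04-02T10:00:15 source=webapp session_id=S123 user=jsmith src_ip=10.10.5.23 action=view_account
2013-04-02T10:00:16 source=dbaudit db_user=webapp_svc app_user=jsmith stmt=SELECT
2013-04-02T10:00:20 source=webapp session_id=S123 user=jsmith src_ip=10.10.5.23 action=logout
2013-04-02T10:03:00 source=webapp session_id=S999 user=mjones src_ip=10.10.7.8 action=login
2013-04-02T14:00:00 source=firewall src_ip=10.10.5.23 dst_ip=10.20.1.5 dport=443 action=allow
"""


def parse_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(field.split("=", 1) for field in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def pivot_keys(ev):
    """Set of (canonical_field, value) pairs this event can be joined on."""
    return {(canon, ev[name]) for canon, names in ALIASES.items()
            for name in names if name in ev}


def build_footprint(events, session_id, slack=timedelta(seconds=30)):
    """Return the session's events from all sources, in time order."""
    seed = [e for e in events if e.get("session_id") == session_id]
    if not seed:
        return []
    # The session ID bounds the window; slack admits the device events
    # (firewall, proxy) that happen just before the first app event.
    start = min(e["ts"] for e in seed) - slack
    end = max(e["ts"] for e in seed) + slack
    footprint = {id(e): e for e in seed}
    keys = set()
    grew = True
    while grew:  # expand until no event inside the window shares a pivot key
        grew = False
        for e in footprint.values():
            keys |= pivot_keys(e)
        for e in events:
            if id(e) in footprint or not (start <= e["ts"] <= end):
                continue
            if pivot_keys(e) & keys:
                footprint[id(e)] = e
                grew = True
    out = sorted(footprint.values(), key=lambda e: e["ts"])
    for e in out:
        e["kind"] = SOURCE_KIND.get(e["source"], "unknown")
    return out


if __name__ == "__main__":
    for e in build_footprint(parse_log(LOG), "S123"):
        print(e["ts"].time(), f"[{e['kind']}]", e["source"], e.get("action", e.get("stmt", "")))
```

Pivoting on a client address is what pulls in the firewall and proxy events, but it is also the risk: behind a NAT or proxy the same address carries other users' traffic, so in practice the address pivot is restricted to the session's own window and user-bearing pivots are preferred when a source has them. The 14:00 firewall event and the unrelated S999 session in the sample fall outside the window and stay out of the footprint.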
14. RSA SecurID Appliance
Provides an entire view of all actions against your SecurID appliance
Understand user actions, admin actions, etc.
Identify “out of the norm” events over short time frames
Dashboards: Summary, User Activity, Network Activity & Event Search Form
15. HDS Enterprise Storage Analytics
Provides the ability to easily drill down into resource utilization by host, port, parity group & cache partition
Easily identify bottlenecks
Allows access to activity in near real-time
16. Application Monitoring
Provides access to production data without need for access to production systems
Ability to understand user actions throughout their lifetime in the application
Understand function & method calls – execution times, responses, size of calls, etc.
17. Summarized Benefits
A more proactive view of the applications and infrastructure
Faster investigations & fault identification
Improved performance of business initiatives such as marketing campaigns
Simplified business processes, meaning resource time is freed up, allowing for focus on new initiatives
18. Provides $100,000 ROI as an analytics engine for our enterprise storage system
File delivery issues were previously costing $1,125 per incident with an avg. of one incident per week, costing $58,500 per year.
− Splunk reduced the cost per incident to $75, or $3,900 per year -- $54,600 savings per year!!
Extensive soft cost savings:
− Ability to configure real-time alerts for quicker response times, preventing potential data & profit loss.
− Improved performance of business initiatives such as marketing campaigns
Splunk TCO is less than 10% of the savings.