2. About Fieldglass
Vendor Management System (VMS) provider founded in 1999
Helps Global 2000 firms procure and manage the flexible workforce (contingent labor, project-based services, independent contractors)
200 customers, including GlaxoSmithKline, Johnson & Johnson, Monsanto, Rio Tinto & Salesforce, use Fieldglass in 78 countries, 14+ languages
Ranked largest VMS with highest satisfaction rating for past three consecutive years, according to Staffing Industry Analysts
3. About the Speaker
Jim Krev
Responsible for information security and compliance requirements
With Fieldglass for 5 years
Full time in security since 2004
Lecturer at DePaul University
– Encourages students to use Splunk for OSSEC
4. From Logging Only to SIEM Replacement
Been using Splunk for several years
Release of Enterprise Security made Splunk viable SIEM replacement
SIEM was overly complex
Made the argument to replace SIEM with Splunk = FTW!
“Our SIEM was overly complex and not as easy to use as Splunk”
5. Saving Time and Money with Splunk
Only one analyst
Don’t have time to wait on two menus
With Splunk I can create a search, I can create a dashboard from that, I can schedule a report
Don't waste a lot of time going back and forth between screens trying to figure out how to produce a report
“One person can do the job of two with Splunk.”
6. Indexing Fieldglass Data (Exact Amount?)
Collecting data from physical and logical network:
– Network devices
– Server events
– Application logs
– Anti-virus
– Vulnerability scanning events
– IDS events from firewalls
– Custom CSV
– Nmap scans
– We have built apps and created some cool-looking dashboards
  Nessus and Nmap dashboard that correlates inventory
  Virus statistics over systems and time
7. Tracking Continuous Improvement for ISO Certification
Tracking vulnerabilities in the infrastructure
Need to showcase continuous improvement for ISO certification
Senior Management looks at dashboard
8. Building our own App with Splunk
Internal Audit App
– Proactively monitor passes
– Monitors incompletes
– Monitors failures
– Tracks control area and owner
– Shows how we did on internal audit
10. AHA!
Search on a fragment of an event and find the root cause
Correlate against all networking devices by index
Can see what's happening in all three networks
The ability to get down to the raw event
“Splunk is very addicting…once you start playing around with it, it’s hard to shake.”
11. Extending with Splunk Apps
Splunk App for Windows
Splunk on Splunk
Google Maps for Splunk (IP mapping)
Splunk for Symantec
12. Growing Splunk within IT
Daily reports to DBAs
Gaining momentum by showing Splunk environment in home infrastructure
Showcasing internally as to how easy it is to correlate data in Splunk
13. Future
• Splunk App for VMware
• Building out scalable Splunk infrastructure
• Active Directory integration
• Using Splunk for advanced persistent threat detection
14. ROI
Replaced SIEM with Splunk
Saving $30,000/year and an additional resource
Saved hours of work to find issues/resolution
Easy to show continuous improvement for ISO
Quickly identify patches
We index by environment and device type, so I can correlate against all of our networking devices by the indexes, and that’s incredibly cool because I can see if something’s happening in all three networks.
Talk here to how Splunk can use math/stats to find the outliers/anomalies that may be APTs. These APTs evade detection from traditional security products. Maybe make a note here on how Splunk does what a SIEM can do, plus much more, at a lower cost. And that is just for security use cases. Once you extend Splunk into the non-security use cases, the ROI gets even better.
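As an added illustration, not a search from the original deck or from Fieldglass, the following Splunk search puts the two ideas in these notes together: correlating the same event fragment across all three networks by index (the index names prod_network, test_network and dev_network are assumed, following the environment-plus-device-type convention the notes describe), and using stats to surface the outliers the APT slide hints at. The event fragment "Authentication failed", the one-hour bin and the 3-standard-deviation threshold are assumptions for the example.

```spl
(index=prod_network OR index=test_network OR index=dev_network) "Authentication failed"
| bin _time span=1h
| stats count AS failures BY _time, index, host
| eventstats avg(failures) AS mean, stdev(failures) AS sd BY index, host
| eval zscore = if(sd > 0, round((failures - mean) / sd, 2), 0)
| where zscore > 3
| table _time, index, host, failures, mean, sd, zscore
| sort - zscore
```

The first line is the "search on a fragment of an event" across every network index at once; `bin` and `stats` turn the raw events into an hourly count per device, `eventstats` computes each device's own baseline (mean and standard deviation) over the whole search window, and `eval`/`where` keep only the hours that sit more than three standard deviations above that baseline. Run it over a window much longer than the bin (days or weeks, not hours) so the baseline is meaningful, and treat a row as a pivot point to drill down into the raw events for that host rather than as a verdict: a single host that is busy every night at the same hour will have a high mean and never trip the threshold, while a quiet host that suddenly produces a burst will.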