2. UMB Financial Overview
Holding company for four UMB branded banks serving seven states
Over 130 branches
Services: checking, savings, credit and debit cards, investment services, commercial real estate loans
Subsidiaries offer insurance, brokerage, leasing, treasury management, health savings etc.
3. My Role at UMB
Sean White, Senior Information Security Engineer
B.S. in Computer Science from the University of Kansas, 1994.
Over the last 15 years, has worked in information security for 3 of the top 4 US wireless carriers.
IT team (8 engineers) responsible for specifying, installing and operating most of the security equipment: firewalls, IDS, IPS, WAF, e-mail gateways, enterprise unified logging, etc. Pretty much everything except physical security.
Security Operations (2 engineers)
4. How We Started
At UMB, started as single use case for fraud detection
– Started with 100 GB per day
– Third party vendor for fraud detection
– Splunk used for centralizing and correlating many different logs from various areas in the company
– Before Splunk we used legacy tools which were inefficient
Initially chose Splunk to support PCI compliance efforts
Splunk chosen due to previous successful experience and because it is an industry leading log solution
Needed a solution for PCI but also to aggregate machine data for operational improvements
5. Splunk at UMB
Implementing enterprise-wide Splunk
Primary data center and business continuity data center
Pre-production environment
Security, OS and application data sources: firewalls, IPS, IDS, email gateways, networking devices
Splunk apps deployed at UMB: PCI Compliance, Splunk for MS Exchange, Blue Coat Proxy, Sourcefire
Potential to grow to 600+ GB
Initially 60-80 users
Two search heads
Five indexers
100+ forwarders (to grow to hundreds)
6. Splunk at UMB Enterprise-wide Solution
Before Splunk:
• Legacy Syslog-NG collector
• No centralized logging for Windows
• Legacy log collection solution not meeting UMB needs
• Manual polling of various security devices (Checkpoint, Sourcefire, ...) for logs; grep and awk
• “By-Hand” log correlation
Enter Splunk:
• PCI Compliance
• Easy access to various security data
• Proactive monitoring of multiple applications
• Instant time to resolution
UMB Splunk Environment (data sources):
• OS logs from hundreds of servers (Windows, Linux, UNIX OS)
• Various application logs – both 3rd party and in-house
• Novell Access Manager logs, WebSphere logs
• Firewalls, IPS, IDS, WAF, email gateways, switches and router machine data
• Middleware, database logs
7. AHA! Moment: Splunk for Fraud Detection and Prevention
Splunk for DShield helped get Splunk to UMB
Splunk retrieves firewall data directly from DShield
External network IPs monitored
Identified a compromised host from within our internal network responsible for the attack
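The DShield correlation described on this slide, as an added example that is not part of the original presentation and not Splunk's or UMB's code: a small Python script takes a constructed, simplified DShield-style report that names one of the bank's monitored public IPs as an attack source, and searches constructed firewall NAT log lines for the internal host behind that translation within a time window. The IP addresses, the key=value log format (fields time, action, src, dst, dport, xlatesrc) and the report layout are all assumptions made for the example, not DShield's real feed format.

```python
"""Attribute a DShield-style report about our public IP to an internal host.

Added example (not UMB's or Splunk's code). Assumptions:
- firewall log lines are key=value with fields time, action, src, dst, dport, xlatesrc
  (xlatesrc = NAT-translated source address), a simplified constructed format
- the DShield-style report is a list of dicts with source, target_port and time
All sample data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# constructed: the bank's monitored external (public) IPs
OUR_PUBLIC_IPS = {"203.0.113.10"}

# constructed firewall log lines: several internal hosts NAT behind one public IP
FIREWALL_LOG = """\
time=2012-03-05T14:02:11 action=accept src=10.20.30.40 dst=198.51.100.77 dport=22 xlatesrc=203.0.113.10
time=2012-03-05T14:02:13 action=accept src=10.20.30.40 dst=198.51.100.78 dport=22 xlatesrc=203.0.113.10
time=2012-03-05T14:02:15 action=accept src=10.20.30.41 dst=192.0.2.5 dport=443 xlatesrc=203.0.113.10
time=2012-03-05T14:02:16 action=accept src=10.20.30.40 dst=198.51.100.79 dport=22 xlatesrc=203.0.113.10
time=2012-03-05T14:09:30 action=accept src=10.20.30.42 dst=192.0.2.9 dport=80 xlatesrc=203.0.113.10
"""

# constructed DShield-style report: external sensors saw our public IP probing port 22,
# plus an unrelated entry about someone else's address
DSHIELD_REPORT = [
    {"source": "203.0.113.10", "target_port": 22, "time": "2012-03-05T14:02:12"},
    {"source": "203.0.113.10", "target_port": 22, "time": "2012-03-05T14:02:17"},
    {"source": "198.51.100.200", "target_port": 3389, "time": "2012-03-05T14:05:00"},
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall_log(text):
    """Parse key=value log lines into dicts with typed time and port fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        fields["time"] = datetime.fromisoformat(fields["time"])
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def attribute_dshield_reports(report, events, window=timedelta(seconds=60)):
    """Count internal source IPs whose NAT'd traffic matches report entries about our IPs.

    A firewall event matches a report entry when the translated source is the reported
    public IP, the destination port equals the reported target port, and the event
    time lies within `window` of the report time.
    """
    hits = Counter()
    for entry in report:
        if entry["source"] not in OUR_PUBLIC_IPS:
            continue  # report is about someone else's address; ignore
        reported_at = datetime.fromisoformat(entry["time"])
        for ev in events:
            if (ev.get("xlatesrc") == entry["source"]
                    and ev["dport"] == entry["target_port"]
                    and abs(ev["time"] - reported_at) <= window):
                hits[ev["src"]] += 1
    return hits


def top_suspect(report, events):
    """Return the internal IP with the most matches, or None if nothing matched."""
    hits = attribute_dshield_reports(report, events)
    if not hits:
        return None
    return hits.most_common(1)[0][0]


if __name__ == "__main__":
    evs = parse_firewall_log(FIREWALL_LOG)
    print(attribute_dshield_reports(DSHIELD_REPORT, evs))
    print("likely compromised internal host:", top_suspect(DSHIELD_REPORT, evs))
```

In Splunk the same join is a search over the firewall index filtered on the translated source address, destination port and a time window around each report entry, followed by `stats count by src`; the script keeps the matching rules explicit so the three conditions (translated address, port, time window) are visible and easy to tighten.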
8. Splunk For Outage Detection
Splunk helps to identify outage quickly
Engineers don’t need to log in to both sides of the cluster
Just search for a specific issue
9. Splunk for UMB Applications Management
• Online banking
– Troubleshooting and capacity planning
– Security
• Mobile banking
• Credit card management suite
• Novell Access Manager (web front end)
• ACH batch transfer logs
• IBM Websphere Application Server
• Apache
10. Best Practice Recommendations
Educate other departments by conducting Lunch-and-Learn sessions.
Customize the Splunk Getting Started App for your data to make a gentle introduction for others
Plan your distributed deployment. UMB went from a single server to a distributed system of indexers and search heads. Use the deployment server!
Splunk Apps to use: S.O.S., Deployment Monitor, Getting Started
Utilize the many resources at splunk.com: Documentation, Answers, Blogs, Splunkbase, etc.
20. Splunk at UMB: Future
• Expand Splunk for other uses once in production
• Add more sources of data to Splunk
• Install more apps and TAs from Splunkbase
• Train and add more users: developers, web platform team, system admins,
business users, etc.
• Educate developers on best logging practices
• Develop Splunk Apps/Dashboards for internal business audience
• Add a dedicated Splunk admin for growing and customizing Splunk for UMB needs
• Replace or augment other monitoring solutions with Splunk
21. Summary
Splunk allows us to have all our machine data logs in one place
Splunk is intuitive and powerful
As a fraud prevention and detection solution, Splunk helps UMB save money.
Splunk makes it possible for us to achieve and maintain our PCI compliance