GTRI Case Studies: Log Management & Security

© 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied.© 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied.
GTRI & Splunk Case Studies
Presented by Taylor Williams
December 8, 2015

© 2015 Global Technology Resources, Inc. All Rights Reserved. Contents
herein contain confidential information not to be copied.
Case Study: Multi-Site Security/Compliance
Customer:
Multi-national systems and (cloud) services-provider with 140,000+ employees and
140 data centers globally.
Challenge:
Many different services within corporation with proprietary and shared compliance
and security concerns with no structured or centralized log management solution in
place. Various missing components company-wide:
• Accountability and Audit
• Purchasing and Healthcare Compliance (PCI, HIPPA, etc.)
• Network and System Security

Solution Process:
Phased approach for requirements gathering, proof of concept, pilot rollout, and a
production rollout. RFP released for solution proposal (not specific to Splunk) awarded
to GTRI for depth of Splunk practice and solutions provided.
• Phase 1: Requirements gathering for use cases in 8 defined data centers out of 140
• Phase 2: Proof of Concept of solution for approximately 10% subset of data
• Phase 3: Pilot Rollout of solution to all use cases for 8 defined data centers
• Phase 4: Production Rollout to data centers globally
Project currently nearing conclusion of Phase 2 with use cases met by viability of data
thus far collected and indexed into Splunk

GTRI Solution:
Scalable and repeatable Splunk solution designed for implementation on Cisco
Flexpod solution(s). Designed for scalability to data centers beyond original 8
proposed with standard operating procedures (SOPs) defined for both Splunk
operations as well as hardware. Overall project inclusions:
• Full “ground-up” Splunk Architectural design
• Multi-site solution
• Repeatable philosophy in architecture and deployment
• Standard operating procedures and staffing plan for full 24x7 management
• GTRI Splunk Managed Service

Case Study: Multi-Site Security
Customer:
Private aerospace and engineering firm that designs and launches next generation
rockets and propulsion systems. Data centers located in Denver and various launch
locations across the US.
Challenge:
No central security incident and event management (SIEM) solution in place to have
holistic view of network security posture from all data centers. Security concerns are
great especially in monitoring those central to launch locations.
• Create a centrally deployed and managed SIEM
• Filter and fine-tune system to only see events deemed critical

Solution Process:
RFP released for vendors to propose a security solution inclusive of full design and
deployment methodologies to be enacted upon after award and project execution.
Discovery stage included to assess and capture complete security use case, inclusive of
relevant and irrelevant network sources to the central SIEM. Steps:
1. Design multi-site Splunk architecture. Two main data center locations for storage
of logs, fully replicated for redundancy between each.
2. Execute on validated design, deploying Splunk Enterprise servers to all proposed
locations
3. Ingest of logs from all validated sources
4. Filter nearly 1800+ hosts into a 200GB Splunk solution

GTRI Solution:
Fully executed multi-site SIEM solution using Splunk and the Splunk App for Enterprise
security. Security requirements and objectives met and exceeded using this solution
and its fully executed design. Work continues today with full time GTRI Splunk
Certified Architect on-site to manage solution. Overall project inclusions:
• Full “ground-up” Splunk Architectural design
• Multi-site solution
• Assessment of all relevant use cases to meet licensing threshold
• Splunk Enterprise Security Application installation and managed service

Case Study: SOC Staffing and Managed Service
Customer:
Self-funding not-for-profit US federal agency part of the United States Department of
Energy. Main location(s) located in the US Pacific Northwest region.
Challenge:
No SIEM in place to manage and monitor the agency’s overall network security
posture. Security operations in place, but incident management and response was
lacking and without use of proper tools. Customer needed to:
• Create a centrally deployed and managed SIEM
• Develop and deploy a 24x7 staffing model to fully staff and enable Security
Operations Center with Splunk

Solution Process:
RFP released for vendors to propose a security solution inclusive of full design and
deployment methodologies, as well as a proposed staffing model to fully enable
customer SOC with use of the proposed tool. Phased approach to execution of project
included:
1. Execute on validated design, deploying Splunk App for Enterprise Security within
the deployed architecture for SIEM enablement
2. Propose finalized staffing model to customer for approval. Once approved, source,
hire, and train staff on use of Splunk and ES

GTRI Solution:
Staffing model to manage 24x7 security operations: Shift times proposed for all
personnel
• SOC-specific personnel to be network security subject matter experts used for
incident response and resolution.
– SOC Manager (1)
– Security – Lead Analyst (1)
– Security – Senior Analyst (3)
– Security – Analyst (9)
• Splunk Operations personnel, to be used to manage to integrity of the Splunk
architecture and be first tier for SOC personnel in event mining.
– Operations Manager (1 per site)
– Operations Architect (1 FTE)
– Operations Data Scientist (1 per site and 1 FTE)

Additional Case Studies
Denver Water:
Use Splunk for overall service health dashboards. A deluge of machine data from logs
and databases overwhelmed IT administrators, hampering efforts to pinpoint
problems when users notified the help desk.
• Monitor and maintain applications
– Asset management, customer information, geospatial, mobile, Web services, REST services
• Dashboards provide visibility into:
– Current performance and availability
– Historical performance trending and availability
– Average daily performance
– Recent issues (uptime and failures)

Additional Case Studies
The University of Texas at Austin:
• Began using Splunk for security forensics
• Now using Splunk for identification and control, outbreak management, and
visibility of 120,000+ network devices
The City and County of San Francisco:
• Using Splunk for network security services to become proactive versus reactive
• Help identify what is/isn’t normal for web traffic to City and County’s website
• “With Splunk, instead of spending 40% of an FTE’s day to understand what the
web filters are telling us, we now just look at the dashboards to show us
abnormalities”

GTRI Case Studies: Log Management & Security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie GTRI Case Studies: Log Management & Security

Ähnlich wie GTRI Case Studies: Log Management & Security (20)

Mehr von Zivaro Inc

Mehr von Zivaro Inc (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

GTRI Case Studies: Log Management & Security