- Harry McLaren is the founder and leader of the Splunk User Group in Edinburgh. He works as a security consultant specializing in Splunk at ECS.
- The agenda includes presentations on using Splunk for IT operations and use case development, as well as a demo of IT service intelligence. There will also be a discussion on developing organizational insights from business pains.
- Developing use cases involves defining roles, system requirements, and goals. Examples provided are using Splunk for insider threat detection and monitoring customer experience on an e-commerce platform.
5. Agenda
• Housekeeping: Overview & House Rules
• Presentation: IT Operations with IT Service Intelligence
• Demo: IT Service Intelligence Demo
• Presentation: Use Case Development
• Discussion: Business Pain to Organisational Insight
6. Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
● User Lead Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
9. What is a Use Case?
● Software & Systems Engineering Definition (via Wikipedia)
“A use case is a list of actions or event steps, typically defining the interactions between a role and a system, to achieve a goal.”
(Diagram: Roles / Actors, System, Goals)
10. Use Case Examples
Security
● Security & Compliance Reporting
● Real-Time Monitoring of Known Threats
● Detect Unknown Threats
● Incident Investigations & Forensics
● Fraud Detection
● Insider Threat
11. Security - Insider Threat
● Roles / Actors
– Security Analyst / SOC Manager / CISO
● System Requirements
– Real-time monitoring based on event logs from relevant systems.
– Abnormal Behaviour detection based on ‘Normal’ baselining.
● Goals
– Detect / Alert on Insider Threats within the organisation.
– Respond to Insider Threats with as much workflow automation as possible.
12. Insider Threats using Splunk
● Roles / Actors
– Security Analyst / SOC Manager / CISO
● System (Splunk)
– Real-time monitoring based on correlation searches over event logs such as Active Directory (AD) and Data Loss Prevention (DLP) software.
– Insider Threat detection using Machine Learning models to baseline expected behaviour and alerting on outliers and abnormal behaviour patterns.
– Workflow actions via ‘Enterprise Security’ App and the Adaptive Response Framework.
● Goals Achieved
– Detection / alerting on Insider Threats within the organisation.
– Responding to Insider Threats with workflow automation.
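As an added worked example (not from the slides and not Splunk's own code), the insider-threat correlation described above in plain Python: constructed AD logon and DLP events are correlated per user, each user's daily DLP volume is compared against their own rolling baseline (a simple z-score stands in for the ML models named on the slide), and an alert fires only when an outlier coincides with an off-hours logon. The event field layout and the 07:00 to 19:00 business window are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data). DLP: (user, day, bytes_sent).
# AD logons: (user, day, hour_of_day). Field layout is an assumption.
DLP_EVENTS = ([("alice", d, 40_000 + 5_000 * (d % 3)) for d in range(1, 15)]
              + [("alice", 15, 900_000)]          # ~20x her usual volume
              + [("bob", d, 100_000) for d in range(1, 15)]
              + [("bob", 15, 1_000_000)])         # spike, but in office hours
AD_LOGONS = ([("alice", d, 9) for d in range(1, 15)] + [("alice", 15, 2)]
             + [("bob", d, 10) for d in range(1, 16)])

def daily_volume(dlp_events):
    """Sum DLP bytes per user per day: {user: {day: bytes}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for user, day, nbytes in dlp_events:
        vol[user][day] += nbytes
    return vol

def off_hours_days(ad_logons, start=7, end=19):
    """(user, day) pairs with at least one logon outside the business window."""
    return {(u, d) for u, d, h in ad_logons if h < start or h >= end}

def zscore(value, history):
    """How many standard deviations `value` sits from the user's own history."""
    if len(history) < 2:
        return 0.0                      # not enough baseline yet
    sd = pstdev(history)
    if sd == 0:                         # flat history: any change is an outlier
        return float("inf") if value != history[0] else 0.0
    return (value - mean(history)) / sd

def detect(dlp_events, ad_logons, baseline_days=14, threshold=3.0):
    """Alert (user, day, z) when a day's DLP volume is an outlier against the
    user's rolling baseline AND that user had an off-hours AD logon the same day."""
    vol, off = daily_volume(dlp_events), off_hours_days(ad_logons)
    alerts = []
    for user, days in vol.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[max(0, i - baseline_days):i]]
            z = zscore(days[day], history)
            if z >= threshold and (user, day) in off:
                alerts.append((user, day, round(z, 2)))
    return alerts

if __name__ == "__main__":
    print(detect(DLP_EVENTS, AD_LOGONS))    # only alice / day 15 fires
```

Bob's day-15 spike is just as anomalous in volume terms but never alerts because it lacks the second correlated signal, which is the point of combining AD and DLP sources rather than alerting on either alone.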
14. Business Analytics - Customer Experience
● Roles / Actors
– Marketing Analyst / Product Owner / Website Manager
● System Requirements
– Minimal ingestion of additional system logs / hardware (low cost / fast ROI).
– Real-time mapping of the customer journey across the e-commerce platform.
– Allow contextual information to be correlated with event information.
● Goals
– Alerting when customer experience is degraded past defined KPIs.
– Visual representation of useful information for non-technical users.
– Create a single view of e-commerce platform for high level monitoring.
15. Customer Experience using Splunk
● Roles / Actors
– Marketing Analyst / Product Owner / Website Manager
● System (Splunk)
– Leverages existing event logs and requires minimal additional log sources.
– Processes event data into wide selection of interactive visual representations.
– Pulls in contextual information and correlates it with event data for greater insight.
● Goals Achieved
– Alerting based on time-sensitive KPIs whose thresholds can adjust dynamically.
– Dashboards showing business-relevant SLA status as RAG (red / amber / green).
– High level view supporting drill downs and dependencies via Glass Tables.
19. Challenge: How Could You Use This?
● Use Case Discovery & Definition
– Discovery Workshops / Questionnaires
– Use Case Specification Document
● Data Collection & On-boarding
– Collection Configuration & Optimisation
– Data Segmentation & Normalisation
● Transformation & Delivery
– Data Enrichment & Acceleration
– Visualisation & Reporting Development
21. Updates Announced at .conf 2016
● Introducing Splunk Enterprise 6.5 - Available Now
‣ Splunk ML Toolkit: Guided workbench and SPL extensions to help you create and operationalize your own custom analytics based on your choice of algorithms.
‣ Tables: New feature that lets you create and analyse tabular data views without using SPL.
‣ Hadoop Data Roll: Gives you another way to reduce historical data storage costs while keeping full search capability.
● Premium Apps - New Releases:
– Splunk Enterprise Security [Minor Release]
– Splunk IT Service Intelligence [Major Release]
– Splunk User Behaviour Analytics [Major Release]
22. Get Involved!
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via www.splunk402.com/chat
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk
‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk