Presented at SplunkLive! Paris 2018: Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying:
- Why?
- SIEM Replacement
- Use Cases
- Data Sources & Data Onboarding
- Architecture
- Third Party Integrations
- You Got This
3. Agenda
What Will We Be Talking About Today?
▶ Why? Splunk key advantages compared to your old SIEM
▶ SIEM Replacement: methodology, Splunk PS best practices
▶ Use Cases: these drive migrations
▶ Data Sources & Data Onboarding: parsers / connectors / TAs
▶ Architecture: measure twice, cut once
▶ Third Party Integrations: smart? Great! But do you play well with others?
▶ You Got This: things you can do today to get "ready" for a SIEM replacement
6. Why Do You Want to Upgrade Your SIEM?
What the SOC?
7. ▶ Worthy reasons:
• Limited security data types
• Inability to effectively ingest data
• Slow investigations
• Instability and scalability problems
• End-of-life or uncertain roadmap
• Closed ecosystem
• Limited to on-premises
• Limited to vendor cloud
▶ Splunk's a great product. Can it help you to resolve your issues?
Most Common Reasons for Replacement
20. SIEM replacements can be complex, but if the following things are taken into
account, you won't lose your job (or your shirt) over it:
▶ Use cases matter:
• Audit & prioritize use cases
• Planned response ... do something!
▶ Know your data / datasources:
• Identify datasources & owners
• Audit datasources
• Identify enrichment requirements
▶ Current / future state integrations
▶ Research & preparation is key
▶ Assets & identities
▶ Work with Splunk PS & partners
Things You Should Know About Legacy SIEM
Replacement and Splunk Best Practices
22. ▶ Document describing a single
detection activity:
• What is the condition to detect?
• What event data is required?
• What enrichment is required to scope
down events?
• What enrichment will reduce noise
(false positives)?
• Point to the response plan
• What are your current use cases?
• Which ones provide value?
• Which ones don't?
What Is a Use Case?
[Figure: development lifecycle models, labelled Spiral (Analysis, Planning, Evaluation, Development), Waterfall (Requirements, Design, Implementation, Verification, Maintenance), Prototyping (Determine Objectives, Test, Implement), and the cycle Develop / Demonstrate / Refine]
23. ▶ Document describing a single
response activity:
• For a response, what event data is required
to triage?
• What actions should be taken?
• Escalation communication, and do we need
to order pizza?
• Can we reduce the cost of pizza by
providing better data for response
decisions?
What Is a Response Plan?
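To make the use case and response plan elements above concrete, here is an added example (not from the presentation and not Splunk's own content) of how one detection use case maps onto a scheduled search in savedsearches.conf: the condition, the event data it needs, the enrichment that scopes events down, the enrichment that cuts noise, and the pointer to the response plan. It assumes the Splunk Common Information Model Authentication data model is accelerated, two hypothetical lookups (asset_inventory and service_account_allowlist), and placeholder values for the response plan id, wiki URL and e-mail recipient.

```ini
# savedsearches.conf -- added example: one detection use case plus its
# pointer to a response plan, expressed as a scheduled Splunk search.
# Assumes the CIM Authentication data model is accelerated and two
# hypothetical lookups exist: asset_inventory (host, priority, owner)
# and service_account_allowlist (user, reason).

[Use Case - Brute force logon against critical host]
# Condition to detect: many failed logons for one user on one host.
# Event data required: CIM Authentication events (action, user, src, dest),
# i.e. whatever the onboarded Windows / Linux / VPN TAs normalize to.
# Enrichment that scopes events down: asset_inventory supplies priority,
# so only critical hosts are kept.
# Enrichment that reduces noise: service_account_allowlist drops accounts
# whose failures are expected (scanners, monitoring probes).
search = | tstats summariesonly=true count AS failures, dc(Authentication.src) AS src_count, \
    min(_time) AS first_seen, max(_time) AS last_seen \
    FROM datamodel=Authentication.Authentication \
    WHERE Authentication.action="failure" \
    BY Authentication.user, Authentication.dest \
  | rename Authentication.* AS * \
  | lookup asset_inventory host AS dest OUTPUT priority AS dest_priority, owner AS dest_owner \
  | where dest_priority="critical" \
  | lookup service_account_allowlist user OUTPUT reason AS allowlist_reason \
  | where isnull(allowlist_reason) \
  | where failures >= 20 \
  | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), \
         last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S") \
  | table user, dest, dest_owner, failures, src_count, first_seen, last_seen

# Scheduling: run every 15 minutes over a 20-minute window so events that
# reach the indexer late are still seen by at least one run.
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
enableSched = 1

# Alert when the search returns any row; record it under Triggered Alerts.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4

# Pointer to the response plan: the description names the plan the analyst
# follows (what to triage, which actions, whom to escalate to). Plan id and
# URL are placeholders.
description = Follow response plan RP-BRUTE-FORCE-01 (https://wiki.example.invalid/rp/brute-force-01): verify source, confirm with host owner, lock account if not owner-initiated.
action.email = 1
action.email.to = soc-alerts@example.invalid
action.email.subject = [SOC] Brute force against $result.dest$ by $result.user$
```

The two lookups do the work the slide calls enrichment: the asset lookup scopes the rule to what matters, and the allowlist removes the known-noisy accounts before the threshold is applied, which is where most of the "30-60% reduction" in migrated rules tends to come from once several legacy rules collapse into one search like this.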
24. ▶ The first step in embarking on a SIEM replacement initiative is
identifying and prioritizing high-value use cases, response plans and compliance reports.
• Splunk PS has a 1-2 week SIEM replacement workshop where we come
in and help customers:
– Identify and develop high-fidelity use cases slated for migration/development
– Identify datasources and enrichment via the use case prioritization process
– Plan the solution architecture
• We typically see a 30-60% reduction in use cases selected for migration, generally due to:
– Old and/or stale rules
– Housekeeping rules no longer needed
– Rule consolidation thanks to the more expressive Splunk query language
So no, you don't have to migrate ALL your old funky rules!
Putting the Horse Before the Cart…
26. ▶ Use case analysis determines in-scope datasources
▶ Why you don't need to migrate your historical data from the legacy SIEM
▶ Data source onboarding via:
Splunk Log Forwarding:
• Universal Forwarder (UF)
deployed alongside existing
parsers/connectors
Syslog Aggregation:
• UF deployed on the syslog
aggregator to read and ship
logs into Splunk
Other Common Methods:
• Modern HTTP Event
Collector (HEC)
• Database tables (DBX)
• Never forget: Splunk Stream!
TAs (Technology Add-ons):
• Fields from raw data
• Data normalization
• Splunkbase
- splunkbase.com
- Easy button: custom TAs via the
"Splunk Add-on Builder" app
How Do You Migrate Datasources to Splunk?
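As an added example of the onboarding paths listed above (not from the presentation and not a Splunk-shipped add-on), the .conf fragments below show a Universal Forwarder reading from a syslog aggregator, an HTTP Event Collector input for application events, and a minimal TA that extracts fields from the raw data and normalizes them to Common Information Model names. It assumes a syslog-ng aggregator writing one directory per sending host under /var/log/syslog-ng/, a hypothetical firewall format "acmefw", and placeholder index names, sourcetype names and HEC token; the sample log line in the comment is constructed.

```ini
# Added example of datasource onboarding. Assumptions: a syslog-ng
# aggregator writing /var/log/syslog-ng/<host>/firewall.log, a Universal
# Forwarder on that box, and a hypothetical firewall format "acmefw".
# Index names, sourcetype names and the HEC token are placeholders.

# ---- inputs.conf on the Universal Forwarder (syslog aggregator) ----
[monitor:///var/log/syslog-ng/*/firewall.log]
sourcetype = acme:fw
index = network
# host is the 4th path segment: /var/log/syslog-ng/<host>/firewall.log
host_segment = 4
# do not backfill years of history: the use cases decide what is needed
ignoreOlderThan = 2d
disabled = 0

# ---- inputs.conf on an indexer / heavy forwarder: HEC for applications ----
[http]
disabled = 0
port = 8088
enableSSL = 1

[http://app-events]
# placeholder; generate a real token under Settings > Data Inputs > HEC
token = REPLACE-WITH-GENERATED-TOKEN
index = app
sourcetype = app:json
disabled = 0

# ---- props.conf (index-time keys on indexer/HF, search-time on search head) ----
# Constructed sample line this stanza is written against:
# Mar 12 10:14:03 fw01 acmefw: action=deny src=10.1.2.3 dst=203.0.113.7 dport=445 proto=tcp
[acme:fw]
# index-time: one event per line, timestamp taken from the syslog header
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
TRUNCATE = 10000
# search-time: fields from raw data (the parser the legacy SIEM used to own)
EXTRACT-acmefw_kv = action=(?<fw_action>\w+)\s+src=(?<src_ip>\S+)\s+dst=(?<dest_ip>\S+)\s+dport=(?<dest_port>\d+)\s+proto=(?<transport>\w+)
# normalization to CIM Network Traffic field names, so shared use cases and
# the data models work without rewriting searches per vendor
FIELDALIAS-acmefw_cim = src_ip AS src dest_ip AS dest
EVAL-action = case(fw_action=="deny", "blocked", fw_action=="allow", "allowed", true(), "unknown")
EVAL-dvc = host
REPORT-acmefw_sender = acmefw_sender

# ---- transforms.conf: pull the sending firewall name out of the header ----
[acmefw_sender]
REGEX = ^\w{3}\s+\d{1,2}\s+[\d:]+\s+(?<fw_name>\S+)\s+acmefw:

# ---- eventtypes.conf: group the events for tagging ----
[acmefw_traffic]
search = sourcetype=acme:fw

# ---- tags.conf: tags that place the events in the Network Traffic data model ----
[eventtype=acmefw_traffic]
network = enabled
communicate = enabled
```

The split between index-time (line breaking, timestamp) and search-time (extractions, aliases, tags) settings is deliberate: the former must be right before data is indexed, while the latter can be iterated on after onboarding, which is why the slide treats TAs as something you can research on Splunkbase or build with the Add-on Builder rather than a blocker for collection.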
28. ▶ Plan for modern data collection,
deprecate legacy log collection
infrastructure and stop accepting log
loss today
▶ Plan for disaster recovery and
availability
▶ Plan to remediate logging policies and
source configuration
Plan the Architecture
Now that we know what we want to do, how will we execute it?
31. Smart? Great! But Do You Play Well With Others?
"At this point in the interview, Johnson, we would like to see
how well you play with others."
– Richard Stevens, Penfield, NY
35. You Got This!
Things You Can Do Today, to Get Prepared
for Your SIEM Replacement
36. ▶ Identify/audit and prioritize use cases
for migration
▶ Identify/audit and prioritize datasources
for migration
▶ Identify datasource owners
▶ Research Splunk Technology Add-ons for
your datasources at splunkbase.com
▶ Assets and identities: identify CMDB sources
▶ Third-party integrations
▶ Develop logging standards
Replacement Checklist
69. ▶ Contact your Account
Executive
▶ Contact an Expert
▶ Bi-weekly security
demos
▶ Schedule a pre-assessment session
with a Sales Engineer
Transform Your Security: Next Steps