Slides from my most recent presentation on how Ive grown & utilize Splunk from my former IT Ops days onward... This was my 6th time doing a customer presentation at a Splunk event. Original copy had my employer's branding, etc but I've removed that to make things simpler, hence some of the ugly empty space :)

1. Josh Diakun
Specialist, Info Sec Operations
@iam_joshd
December 14, 2012
PUBLIC

2. The Challenge Before Splunk
Fault occurs Confusion ensues Weekend work No clarity, lots of stress
2

3. Why Splunk?
3

4. Security was the primary driver
4

5. So we went looking…
 Reviewed LogLogic, ArcSight, others
 Bought on Price, Speed, Support for
Open Source platforms
 Bring logs together in a single system
 Try and Buy model
5

6. Splunk = Simplicity & Clarity
6

7. What’s Feeding Splunk
 Active Directory
 IPS/HIPS
 Host performance data
 Syslog
 Custom application data
 AV Data
 Webserver logs
 Firewall data
 Enterprise storage metrics
 VPN data
 Database audit logs
 SNMP data
 SSO application data
 Backup event data
 External sources (ie. blacklists)
 Proxy logs
 Physical Badge Access Data
7

8. Use Cases
Application
Monitoring Traffic
Monitoring and
Troubleshooting
and Trends
Reporting for
Enterprise Storage Security Analysis
System

9. Building an Enterprise Security App
 Worked with the Security dept.
 GQM (Goal-Question-Metric) approach to understand
their goals and map to metrics
 Worked with IT architecture and development
 Menu and form driven – users can quickly find the view
and information they need
Over 80 reports driven through 8 menus and
26 individual views!
9

10. Enterprise Security App
Menu driven
navigation
Easily access the
reports needed
Enables better
control and policy
decisions
10

11. Enterprise Security App – Highlights!
 Ability to build relationships between data from different sources
 Proper relationship analysis leads to proactive alerting and event triggers
 On demand access to data and reports enables the ability to make timely decisions
 Alerting on “out of the norm” privilege escalations from unauthorized users and
applications enhanced by external lookup tables that act as information registry's for
users and provide asset classifications
 Monitors possible data loss by identifying and alerting on attachments and files
destined for external domains
 Correlate physical data (i.e. badge swipe) with network and application logs to provide
a clear understanding of where and when users are accessing the network
 Identify malicious behavior based on event timing between web applications and
underlying technologies (i.e. databases)
11

12. Enterprise Security App - Session Profiling
1. Using given “Session ID” builds 2. Ability to save the
earliest known footprint, even if search, export, print &
Session ID is not known in the events share results
from other applications or devices
4. Visually differentiate device &
application events based on icon
type
3. Entire footprint is constructed
through all applications and
devices that were touched
during the user’s session
12

13. 13

14. RSA SecurID Appliance
 Provides entire view of
all actions against your
SecurID appliance
 Understand user
actions, admin
actions, etc…
 Identify “out of the
norm” events over short
time frames.
 Dashboards:
Summary, User
Activity, Network
Activity & Event Search
Form
14

15. HDS Enterprise Storage Analytics
 Provides the ability
to easily drill down
resource utilization
by
host, port, parity
group & cache
partition.
 Easily identify
bottlenecks
 Allows to access
activity in near
real-time
15

16. Application Monitoring
 Provides access to production data
without need for access to production
systems
 Ability to understand user actions
throughout their lifetime in the
application
 Understand function & method calls –
execution times, responses, size of
calls, etc…
16

17. Summarized Benefits
 A more proactive view of the applications and infrastructure
 Faster investigations & fault identification
 Improved performance of business initiatives such as marketing
campaigns
 Simplified business processes meaning resource time is freed up
allowing for focus on new initiatives.
17

18.  Provides $100,000 ROI as an analytics engine for our enterprise storage system
 File delivery issues were previously costing $1,125 per incident with an avg. of one incident per
week costing $58,500 per year.
− Splunk reduced the cost per incident to $75 or $3900 per year -- $54,600 savings per year!!
 Extensive soft cost savings:
− Ability to configure real-time alerts for quicker response times preventing potential data &
profit loss.
− Improved performance of business initiatives such as marketing campaigns
 Splunk TCO is less than 10% of the $$ savings.
18

19. Splunk increases productivity for our Security
department by approximately $500,000 PER YEAR!
19

20. Everyone's Happy!
20

21. What Splunk Taught Me…
Listen
Prioritize the data
Make the data sexy
21

22. “Make everything as simple as possible
but not simpler” – Albert Einstein
22