Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITXpo 2012
National Australia Bank has gained new operational visibility and intelligence using Splunk and their machine data. Learn how hundreds of Splunk users within these organizations turn terabytes of machine data into increased uptime, improved service delivery, real-time customer insights, enhanced security posture, informed capacity planning and more.

Published in: Technology
  1. Mining Security Data: Security Surveillance and the case for data reuse
  2. National Australia Bank
     • Financial services organisation with over 40,000 employees
     • Operating more than 1,800 branches and service centres
     • Responsible to more than 460,000 shareholders
     • Major financial services franchises in Australia, New Zealand, Asia, the United Kingdom and the United States
     • Committed to providing quality products and services, fair fees and charges, and relationships built on the principles of help, guidance and advice
  3. Introducing Jamie
     • Security Program Manager, Information Security Services
     • Senior Manager, nabCERT SOC
       • National Australia Bank's Computer Emergency Response Team
       • Won SC Magazine Award for Organizational Excellence in Information Security
     • 12+ years in technology
     • Held various roles at NAB:
       • Info Security team leader
       • Architecture and strategy
       • Project management
       • Consulting
  4. Five Areas of Interest
     • What's the user doing?
     • What's the machine doing?
     • What's the app doing?
     • What's happening on the network?
     • What's happening to the data?
  5. Defining (some of) the Issues the SOC Faced
     • Need to improve incident response times
     • Require greater visibility into security events
     • Achieve contextualized / enriched alerting
     • Correlate across systems
     • Deal with different log formats
     • Add new or modified log formats
     • Avoid custom code (10 different security analysts)
     • Limit to resource availability for manual (bespoke) investigations
  6. Why Splunk? ROI for nabCERT
     • Stood up Splunk quickly
     • Onboard and integrate data once, easily
       • No need to re-import when applications or formats change
     • Keeps the team in the business of security analysis and out of the business of building parsers and connectors
     • Proven to be effective and efficient
     "Splunk gave us the speed of deployment and results we were looking for."
  7. Case Study One
     • Primary objective: Significantly reduce the time to complete electronic searches of email archives to meet legal requests
     • Email logs easily searchable, by user, subject, timeframe
       – Effective? Yes
         • Ability to perform searches based on subject, sender, recipient, date / time
         • Results used by the team to finalise acquisition of all pertinent material
       – Efficient? Yes
         • No more grep
         • Search times reduced to minutes vs. hours or days (per investigator)
         • Concurrent searching of datasets by the investigative team
  8. You're Mining For Gold In Your Data… (Au)
  9. If You Are Going To That Much Trouble (Ag, Pb, Fe, Cu, Ni)
  10. Who Are Our Data Consumers?
     Infrastructure Support, Business Partners, Application Performance Management, Fraud Team, Service Delivery, Network, Security Managers
  11. Case Study Two: DHCP Logs
     Security
     • Detecting unauthorized devices
     • Monitor based on standard naming convention + Active Directory credentials
     • Add MAC address lookup to confirm a "good" device
     Service Delivery
     • Ensuring optimum connectivity / productivity
     Operations
     • Alerts for insufficient IP / subnet coverage across the network
     • Alerts when subnets are full
     • Visibility into underutilized subnets
     • Triggers action for Network team to reallocate / reassign subnet
     Our approach is to maximise the utility from every log source collected and indexed, not just for security.
  12. DHCP Dashboard: Security View
     Use commentary on the dashboard: Cause / Impact / Resolution
  13. DHCP Dashboard: Network Service View
     Don't use Average; use Most Common (mode), median and 90th Percentile.
  14. Network Service View #2
     Users cannot connect to the network, or have delays connecting in hot desk areas.
  15. DHCP Dashboard: Infrastructure View
     Capacity and availability issues for the team supporting these services, as well as Service Desk.
  16. Case Study Three: The After Hours Worker
     Who is working late and how often during the week? Are they using the same workstation?
  17. Case Study 4: SOC to the Rescue
     The 'gold' in this case happens to be a log line that resolved a three week issue causing significant disruption to a business unit.
  18. Enriched Data Drives Action
     • Single log type (DHCP) from 1,000+ DHCP servers
     • Security (nabCERT SOC) gets the "gold" it is after
     • Networks, Security Operations (Firewalls), Service Management, Infrastructure support, Building services get what is of value to them
     • Splunk search language calculations to pinpoint most critical
       – Min, Median, Mode, Max, 90th percentile
     • Cross-reference with other data (IP address database)
     • Provide the teams with the facts, in context, with an explanation and remedy
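As an added illustration (not part of the deck or of NAB's own tooling), the three consumer views of the DHCP logs from Case Study Two and the mode/median/90th-percentile point from slides 13 and 18, run in Python over a few constructed lease records. The naming-convention pattern, corporate MAC prefixes and subnet capacities are hypothetical placeholders.

```python
import re
import statistics
from collections import Counter, defaultdict
# Constructed DHCP ACK records (not from the deck): time, type, ip, mac, hostname, ms to obtain lease.
CONSTRUCTED_ACKS = [
    "2012-10-01T08:01:00 ACK 10.1.1.10 00:1a:2b:00:00:01 NABWS-MEL-0101 200",
    "2012-10-01T08:01:07 ACK 10.1.1.11 00:1a:2b:00:00:02 NABWS-MEL-0102 300",
    "2012-10-01T08:02:15 ACK 10.1.1.12 08:00:27:aa:bb:cc android-9f3e 200",
    "2012-10-01T08:02:40 ACK 10.1.1.13 00:1a:2b:00:00:03 NABWS-MEL-0103 45000",
    "2012-10-01T08:03:00 ACK 10.1.2.10 00:1a:2b:00:00:09 NABWS-SYD-0201 200",
]
HOSTNAME_RE = re.compile(r"^NABWS-[A-Z]{3}-\d{4}$")  # hypothetical standard naming convention
CORPORATE_OUIS = {"00:1a:2b"}                        # hypothetical "good device" MAC prefixes
SUBNET_CAPACITY = {"10.1.1": 4, "10.1.2": 200}       # hypothetical usable addresses per /24

def parse(line):
    _ts, _kind, ip, mac, host, ms = line.split()
    return {"ip": ip, "mac": mac.lower(), "host": host, "ms": int(ms)}

def unauthorized_devices(lines):
    """Security view: hosts outside the naming convention or with a non-corporate MAC prefix."""
    flagged = []
    for e in map(parse, lines):
        reasons = []
        if not HOSTNAME_RE.match(e["host"]):
            reasons.append("hostname outside naming convention")
        if e["mac"][:8] not in CORPORATE_OUIS:
            reasons.append("unknown MAC vendor prefix")
        if reasons:
            flagged.append((e["ip"], e["host"], "; ".join(reasons)))
    return flagged

def subnet_utilization(lines, capacity=SUBNET_CAPACITY):
    """Operations view: distinct leased IPs per /24, flagged FULL (>=95%) or UNDERUTILIZED (<10%)."""
    leased = defaultdict(set)
    for e in map(parse, lines):
        leased[e["ip"].rsplit(".", 1)[0]].add(e["ip"])
    report = {}
    for subnet, cap in capacity.items():
        pct = 100 * len(leased[subnet]) / cap
        status = "FULL" if pct >= 95 else "UNDERUTILIZED" if pct < 10 else "OK"
        report[subnet] = (len(leased[subnet]), round(pct, 1), status)
    return report

def lease_time_stats(lines):
    """Network service view: one slow hot-desk lease drags the mean up; mode, median and p90 do not."""
    ms = sorted(parse(l)["ms"] for l in lines)
    p90 = ms[-(-9 * len(ms) // 10) - 1]  # nearest-rank 90th percentile (the role perc90 plays in Splunk stats)
    return {"mean": statistics.mean(ms), "median": statistics.median(ms),
            "mode": Counter(ms).most_common(1)[0][0], "p90": p90}
```

The single 45-second lease pushes the mean to 9.18 seconds while mode and median stay at 200 ms, which is why the deck's dashboards report mode, median and the 90th percentile instead of the average.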
  19. Democratizing Data (In A Secure Fashion)
     • Take a collaborative approach
     • Give us your data, we'll give you more value
     • Dashboards for specific teams so they can drill down themselves for problem solving
     • Role-based access ensures access only to relevant data
     • Look beyond the gold (what you are after)
  20. Back to the Case Study One (Legal)
     Primary objective: Significantly reduce time to complete electronic searches for legal
     • Reuse case 1: Data loss protection supplement
     • Reuse case 2: User activity baselining
     • Reuse case 3: Validate spam / spoof controls
     • Reuse case 4: User Access Revalidation supplement
  21. What's Next?
     • More re-use cases from our data
     • More application and databases
     • Complete key infrastructure collection
     • Look for the opportunities
     • Take the time to look for the win:win
     Think and plan strategically, work tactically.
  22. Questions?
  23. Splunk Company Overview
     Company (NASDAQ: SPLK)
     • Founded 2004, first software release in 2006
     • HQ: San Francisco / Region HQ: London, Hong Kong
     • Over 600 employees, based in 10 countries
     • Q2 Revenue: $44.5 million; +71% year-over-year
     Business Model / Products
     • Free download to massive scale
     • On-premise, in the cloud and SaaS
     4,400+ Customers
     • Customers in over 80 countries
     • 54 of the Fortune 100
     • Largest license: 100 Terabytes per day
     See us on the ITXpo Showfloor in booth S2