SplunkLive! Boston June 2013 - UCONN
  • 1. SplunkLive! Boston
    Jason Pufahl, Chief Information Security Officer
  • 2. About Jason
    •  Chief Information Security Officer at the University of Connecticut
  • 3. Original Issues
    •  Not enough people had access to the data
      o  Making sense of the data for non-technical types, and visualizations
      o  Today: 130 people with access to Splunk, widely viewed as a resource
    •  Decentralized IT structure doesn't allow for a full scope across departments
    •  Incident response times and capacity planning
    •  Helping law enforcement
      o  Track down missing students
      o  Find stolen IT assets
  • 4. Decreasing Incident Response Times
    •  Heavily centralized the authentication system; combined with Splunk, this lets us correlate locations and incidents
    •  Response times have decreased from hours to minutes
    •  Example: servicing a law enforcement request dropped from a 3-day turnaround to 20 minutes
  • 5. Data Sources and Splunk Apps
    •  Data: Firewalls, IPS, DHCP, Antivirus, NAC, web servers, Active Directory, Exchange, VMware, SCCM, switches, custom applications, many others
    •  Apps: Splunk for Exchange, Splunk for AD, Splunk on Splunk, Google Maps, DNS, DB Connect, Deployment Monitor, many custom apps and commands
    •  Volume: 90 to 180 GB/day (rare spikes during data intake of new departments)
  • 6. Encouraging Departments to Understand their Data
    •  Encourages standardizing of operating systems
    •  SecureU initiative
      o  If you run an IT device of some sort, your log data has to be collected
      o  Each school/division gets 2 GB each, which increased adoption
    •  Allows central IT to see trends across the entire University
    •  Reports sent to Deans and Directors at each department
      o  Encourages healthy competition for security compliance
    •  The "Security Score"
      o  Getting university departments to understand the importance and value of security
  • 7. Encouraging Departments to Understand their Data (example): Operating System demographics (chart)
  • 8. Encouraging Departments to Understand their Data (example): Operating Systems by population (chart)
  • 9. Encouraging Departments to Understand their Data (example): Departmental Antivirus demographics (chart)
  • 10. Demographics by Campus (example): Campus Antivirus demographics (chart)
  • 11. Helping Law Enforcement
    •  Alerts set for stolen IT assets when they get back on the network
      o  MACs of lost devices are flagged => triggers a Splunk alert
    •  Missing person alerts? Well, they aren't missing, they just aren't calling Mom back: they've been on the network
    •  Resolving a bomb threat
      o  Able to identify the culprit due to accessory data collected by Splunk
      o  "Fringe" data can be security data too
  • 12. GeoIP Analysis
    Goal: Flag user logins occurring further from campus than the user's norm (e.g., a phishing attack immediately followed by a login from China or Russia)
    Search foundation:
      sourcetype="vpn" "Login succeeded" | table src_ip, netid | geoip src_ip | haversine origin="41.808333,-72.249444" inputFieldLat=src_ip_latitude inputFieldLon=src_ip_longitude units=mi | stats max(mi) by netid, geo_info
    This foundation yields each netid's farthest successful login from campus; the alert compares new logins against that per-user value.
  • 13. GeoIP Analysis (example): VPN logins over 24h (map)
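The per-user distance check behind the GeoIP slides, carried through in plain Python as an added example (not the deck's own search or code): compute the haversine distance from the campus origin the search uses, take each user's farthest login in a baseline window as the norm (the stats max(mi) by netid step), then flag new successful logins that land well beyond that norm or come from a user with no history at all. The GeoIP table stands in for the geoip command, and the log line format, field names, user names and source IPs are constructed for the demo.

```python
import math
import re
from collections import defaultdict

# Campus origin from the slide's haversine search (Storrs, CT).
CAMPUS = (41.808333, -72.249444)
EARTH_RADIUS_MI = 3958.8

# Constructed stand-in for the geoip lookup: documentation-range source IPs
# mapped to approximate city coordinates.
GEOIP = {
    "192.0.2.10": (41.76, -72.69),    # Hartford, CT
    "192.0.2.11": (42.36, -71.06),    # Boston, MA
    "198.51.100.5": (40.71, -74.01),  # New York, NY
    "203.0.113.7": (39.90, 116.40),   # Beijing
}

# Constructed VPN events in the shape the search filters on ("Login succeeded").
# BASELINE_LOGINS is each user's history; NEW_LOGINS are the events to score.
BASELINE_LOGINS = [
    "2013-05-20T08:02:11 vpn01 Login succeeded user=jdoe src_ip=192.0.2.10",
    "2013-05-21T19:40:03 vpn01 Login succeeded user=jdoe src_ip=192.0.2.11",
    "2013-05-22T07:55:48 vpn01 Login succeeded user=asmith src_ip=198.51.100.5",
    "2013-05-23T12:10:30 vpn01 Login succeeded user=asmith src_ip=192.0.2.10",
    "2013-05-23T12:11:02 vpn01 Login failed user=asmith src_ip=203.0.113.7",
]
NEW_LOGINS = [
    "2013-06-04T03:14:27 vpn01 Login succeeded user=jdoe src_ip=203.0.113.7",
    "2013-06-04T08:15:02 vpn01 Login succeeded user=jdoe src_ip=192.0.2.10",
    "2013-06-04T09:01:44 vpn01 Login succeeded user=asmith src_ip=192.0.2.11",
    "2013-06-04T09:30:00 vpn01 Login succeeded user=newuser src_ip=192.0.2.10",
]

LOGIN_RE = re.compile(r"Login succeeded user=(?P<netid>\S+) src_ip=(?P<src_ip>\S+)")


def haversine_mi(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def parse_logins(lines):
    """Yield (netid, src_ip) for successful logins; failed logins are ignored."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("netid"), m.group("src_ip")


def distance_from_campus(src_ip):
    """Miles from campus, or None when the IP does not geolocate (e.g. RFC 1918)."""
    loc = GEOIP.get(src_ip)
    return None if loc is None else haversine_mi(CAMPUS, loc)


def build_baseline(lines):
    """Per-netid norm: farthest successful login from campus in the window.
    This mirrors the 'stats max(mi) by netid' step of the slide's search."""
    norm = defaultdict(float)
    for netid, ip in parse_logins(lines):
        d = distance_from_campus(ip)
        if d is not None:
            norm[netid] = max(norm[netid], d)
    return dict(norm)


def flag_logins(new_lines, baseline, slack_mi=100.0):
    """Return (netid, src_ip, miles, norm, reason) for logins an analyst should
    review: beyond the user's norm plus slack, or from a user with no history."""
    flagged = []
    for netid, ip in parse_logins(new_lines):
        d = distance_from_campus(ip)
        if d is None:
            continue  # cannot score without a location
        if netid not in baseline:
            flagged.append((netid, ip, d, None, "no baseline"))
        elif d > baseline[netid] + slack_mi:
            flagged.append((netid, ip, d, baseline[netid], "exceeds norm"))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGINS)
    for hit in flag_logins(NEW_LOGINS, base):
        print(hit)
```

With this data jdoe's norm is Boston (about 72 miles), so the 3 a.m. login from Beijing is flagged while the Hartford login is not; asmith's norm already includes New York, so a Boston login passes. Two caveats the slide's search shares: a max-based norm is inflated permanently by one legitimate trip unless the baseline window is bounded, and addresses missing from the GeoIP table (typically private VPN-pool addresses) are skipped rather than alerted on, so check that the src_ip field really carries the client's public address.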
  • 14. Capacity Planning
    •  Splunk allows us to see and anticipate which wired and wireless points on campus are being used at which times of day, so we can allocate accordingly
    •  Two examples:
      o  Single sign-on authentication via CAS: rate of usage over time
      o  Wireless networks: utilization high-water marks over time
  • 15. Capacity Planning (example): Capacity planning as influenced by rate of growth (Single sign-on) (chart)
  • 16. Capacity Planning (example): Capacity planning as influenced by rate of growth (Wireless network) (chart)
  • 17. Protecting Against Breaches and Fines for Personally Identifiable Information
    •  Used Splunk to identify PII across systems
      o  The DLP tool finds the PII; Splunk is used for reporting
      o  Removed to avoid breaches and fines
    •  Identified PII is used in the security score
      o  Avoided millions in fines
      o  Increased program participation
  • 18. Future Goals and Plans
    •  Doing more correlation across systems and becoming more proactive
      o  e.g., across auth systems, AV, NAC, IPS, and PII to provide granular and actionable threat prioritization
    •  UCONN as a service provider for other educational facilities across the state of Connecticut
  • 19. Results/ROI
    •  Response times have decreased from hours to minutes
    •  Standardized operating systems
    •  Changed each department's behavior to encourage upgrading anti-virus software and security measures
    •  Huge risk reduction
    •  Saved millions in potential fines from PII and breaches