Thanks MaureenGood morning. I must tell you folks you’ve got a gorgeous city here. I landed the other night, during sunset, the clouds were reflecting on the lake. Simply stunning. So we’ll spend some time today educating you about Splunk and I hope you’ll walk away with some ideas about how you can use Splunk to become more proactive (as Overstock, Familysearch and seamless will tell you) and save time in your organizations so you can get out there an enjoy this beautiful city with your friends and families.
I was always taught to start any presentation out with a joke. Unfortunately our legal team doesn’t have much of a sense of humor, so they’ve asked us to do the complete opposite. Thus I give you our first slide—a legal disclaimer! (Have to show it, but now we can get to the good stuff.)
Understanding the security of the enterprise requires collecting data from our security systems monitoring ‘known threats and all of our operations data representing user and machine activity for context and unknown threats.This data is not normalized – its fully indexed so that it is optimized for exploration using analytics correlation and visualizationQuestions about the data can be asked by the Security professional or the Security Intelligence analyst in the context of data criticality for riskWhat threats are my security systems telling me about? Where are the abnormal patterns in user activities?The Splunk app for Enterprise Security contains automated searches that create data visualizations of traditional security data, and provides workflows for incident handling of known and unknown threatsAnomalous user activity searches can be created on the fly and saved as automated searches related to the most critical data assets. Examples to follow.You might notice that the dots are entering a bucket and not a funnel – there’s no data reduction here – all raw data is available on-demand. New data can be added to existing collected data sources to re-examine a security incident that my have happened years ago.
Safe Harbor StatementDuring the course of this presentation, we may make forward looking statements regarding future eventsor the expected performance of the company. We caution you that such statements reflect our currentexpectations and estimates based on factors currently known to us and that actual events or results coulddiffer materially. For important factors that may cause actual results to differ from those contained in ourforward-looking statements, please review our filings with the SEC. The forward-looking statementsmade in this presentation are being made as of the time and date of its live presentation. If reviewedafter its live presentation, this presentation may not contain current or accurate information. We do notassume any obligation to update any forward looking statements we may make. In addition, anyinformation about our roadmap outlines our general product direction and is subject to change at anytime without notice. It is for informational purposes only and shall not be incorporated into any contractor other commitment. Splunk undertakes no obligation either to develop the features or functionalitydescribed or to include any such feature or functionality in a future release. 2
E. W. ScrippsLeading media enterprise19 television stations in majormarkets and 13 newspapermarketshas operated the NationalSpelling Bee since 1941Expanding into social gamingfor multiple platforms6000 employees across 29locations 3
Jim Bundy, CISSP, CISMTechnology + Security roles across military, financial services and mediaorganizationsImplemented security program from start to finish at E.W. ScrippsCISSP, CISMWrites security articles in spare time 4
Getting Started with SecurityNeeded data/ log aggregation solution across 29 locations– WMI– Network logs, syslog– Servers, firewalls– TippingPoint IDS/ IPS, Symantec Virus– Unified threat management– DesktopsNeeded to secure across users and locations 5
Investigating SIEMEvaluated ArcSight, LogRhythm, Symantec/ McAfee, othersFound SIEM market to be immature– Relies on interoperability– Needed specific versions or specific OS on various devices to make it work– Too rigid– Each branch manages own IT, so broad spectrum of devices and solutions in play– SIEM provided canned reports Data points, but no “context” – Last hour 50 failed logins. “Yes, but??” 6
Why Splunk? Role-based access + Flexibility and Speed Consolidated view Splunk ingests any data format withoutStaffers only see specific data, admins have parsers or adapters on our endpoints. view into entire infrastructure for alerting This sped the deployment and our time + troubleshooting. to value. Limited Visibility Dashboards and Reporting As with most IT and security Very limited prior to Splunk. Now we environments we had siloed views into have answers to the most importantour data. We needed to see everything in questions: Who? What? Where? When? Operations and Security … now we do! And Why? 7
How We Use Splunk: Single Source of Truth Automated and ad-hoc Time- Real-time alerting, Who created/ deleted this Based Data Analysis monitoring and dashboards UNIX account, for whom? What human behaviors vs. IDS IPS visibility + reporting malware vs. virus? Verification and Validation What are my known + Change monitoring and threats? management What data is being accessed Detecting brute force out of typical patterns for Cyberattacks this user?
“Execs love dashboards. I give them enough to know what’s going on without panicking them.” 9
INSERT DASHBOARD 2 HERE“If I can provide something with a dial I’m like a god!” 10
Flexibility to Use and Create AppsUsing– *Nix– Symantec– Juniper FirewallsInvestigating– Splunk App for VMware– Splunk App for Active DirectoryBuilt own CA app 11
Finding ROICan use Splunk beyond just security—network team + others– Significant operational value: server, desktop, etc.Small team, better to manage fewer apps; will likely decommissionother tools:– Quest change auditor– TippingPoint “We believe all tools should have operational as well as security value—Splunk does, and it’s just plain simple to use.” 12