SplunkLive! Customer Presentation - Penn State Hershey Medical Center
SplunkLive! Customer Presentation - Penn State Hershey Medical Center Presentation Transcript

  • 1. Penn State Hershey Medical Center. Jeff Campbell, Information Security Architect. Copyright © 2013 Splunk Inc.
  • 2. My Background and Role
    Jeff Campbell, CISSP-ISSAP
    – Penn State Hershey Medical Center since 1997
    – Security practitioner for about 9 years
    – Splunk user since 2010: architecture, administration, knowledge expert; building advanced searches, summary indexing, alerting, reporting; Splunk SME
  • 3. 5 major institutes; 24 academic departments; 4 hospitals & 19 hospital affiliates; 58 ambulatory care practices; more than 9,000 employees; combined $1.5 billion budget. Penn State Hershey Children's Hospital has been ranked in five specialties in U.S. News & World Report's 2013-14 Best Children's Hospitals rankings.
  • 4. Before Splunk
    – Most logs decentralized (firewall logs in the SIEM system)
    – Limited retention
    – Searching over extended time ranges was very slow
    – Lots of silos, so limited visibility between systems
    – It could take hours to find a needle in the haystack
    – Manual correlation between different log files
    – Poor results
    We needed a faster way to get answers.
  • 5. Choosing Flexibility and Fast Time to Value
    Requirements:
    – Central repository
    – Quickly search for needed data
    – Correlate & report across systems
    Splunk:
    – Flexible framework
    – Fast time to value
    – Centralized real-time data
    – "Google for IT... but more!"
  • 6. Splunk Use Cases at Penn State Hershey
    Started as a security tool (firewall, Active Directory)
    – Satisfy legal requests for data
    Immediate "operational" improvements
    – Account lockouts (major win)
    – Associate users with IPs
    – Performance monitoring
    Added additional sources
    – DHCP, AV, network auth, Exchange, network infrastructure...
  • 7. Splunk Architecture
    ~70GB per day from 140 forwarders (~20%), and growing. Four indexers: splunk1, splunk2, splunk3, splunk4.
    – Forwarded sources (AD Security, Exchange, Windows, Linux, FTP): servers running dedicated lightweight Splunk agents gather local system log data and forward to one of the four Splunk indexers, alternating on a predetermined time interval.
    – Syslog sources (firewalls, ACS, DHCP, network infrastructure, SMTP, web proxies): systems without Splunk agents may send syslog data. A Cisco SLB IP address load balances between two redundant syslog servers (rsyslog1, rsyslog2). The syslog servers run Splunk agents and forward to the indexers.
    – Scripted sources (splunkutil): some data useful to Splunk will not come from log files that can be monitored. The SplunkUtil server runs scripts to "scrape" data from various data sources (databases, file systems, directory services, web services, etc.) and forwards the data on to the Splunk indexers.
    – Expand coverage: VMware, Citrix.
  • 8. Splunk Applications: Windows, MS Exchange, Vulnerability Data
  • 9. Vulnerability Overview
  • 10. Return on Investment: labor cost savings from Splunk easily offset the purchase price.
  • 11. Future Plans
    – "Splunk for Everything" (infrastructure): VMware & Citrix end-to-end performance
    – Executive dashboards & reports
    – Key applications (financials, trouble ticketing, asset management, etc.): better data aggregation; expand the Splunk user base
    – Clinical systems? (HIPAA/HITECH compliance, "meaningful use")
  • 12. Best Practices and Lessons Learned
    – Plan data intake well; know what logs look like before they come in
    – Don't be afraid to play; fully explore the product & its capabilities
    – RTFM (try to Google "Splunk props.conf")
    – If you're stuck, go to Splunk Answers; there is a great community there
    – People in your organization will see the value; help them find something in their data
  • 13. Thank You
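Slide 6 names account lockouts and associating users with IPs as the first operational wins, and slide 7 adds DHCP as a forwarded source; the two together are the classic "who locked this account out, and from where" correlation. The following is an added example, not code from the presentation or from Penn State Hershey, showing that correlation in plain Python over constructed log lines: Windows 4740 (account locked out) events, rendered here as key=value text, joined to DHCP lease records laid out in the Microsoft DHCP server audit-log columns (ID, Date, Time, Description, IP Address, Host Name, MAC Address), so each lockout is attributed to the IP the caller computer held at that moment rather than whatever it holds now. Hostnames, users, addresses and timestamps are made up, the lockout format is an assumption, and the repeat-lockout threshold and window are assumed values. In Splunk the same logic would be a search across the two sourcetypes, which the slides do not include.

```python
"""Correlate Windows account-lockout events (EventCode 4740) with DHCP leases.

All sample data below is constructed for this example; it is not real
Penn State Hershey data. The 4740 lines use an assumed key=value rendering;
the DHCP lines follow the Microsoft DHCP server audit-log column layout
(ID,Date,Time,Description,IP Address,Host Name,MAC Address).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lockout events: the caller computer is the host that sent
# the bad passwords, which is what we want to resolve to an address.
LOCKOUT_LOG = """\
2013-09-12 08:15:02 EventCode=4740 TargetUserName=jdoe CallerComputerName=WS-1234
2013-09-12 08:16:40 EventCode=4740 TargetUserName=jdoe CallerComputerName=WS-1234
2013-09-12 09:02:11 EventCode=4740 TargetUserName=asmith CallerComputerName=WS-9876
2013-09-12 09:30:00 EventCode=4740 TargetUserName=svc_backup CallerComputerName=APP01
""".splitlines()

# Constructed DHCP audit lines. WS-1234 is re-assigned at 08:40, so a naive
# "current IP" lookup would blame the wrong address for the 08:15 lockouts.
DHCP_LOG = """\
10,09/12/13,07:58:10,Assign,10.20.30.41,WS-1234.example.org,00112233AABB
10,09/12/13,08:05:30,Assign,10.20.30.77,WS-9876.example.org,00112233CCDD
10,09/12/13,08:40:00,Assign,10.20.30.52,WS-1234.example.org,00112233AABB
""".splitlines()


def parse_lockouts(lines):
    """Return 4740 events as dicts with time, user and normalized caller host."""
    events = []
    for line in lines:
        ts_str, rest = line[:19], line[20:]
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("EventCode") != "4740":
            continue
        events.append({
            "time": datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"),
            "user": fields["TargetUserName"],
            "host": fields["CallerComputerName"].upper(),
        })
    return events


def parse_dhcp(lines):
    """Map short hostname -> sorted list of (lease_time, ip) from Assign/Renew rows."""
    leases = defaultdict(list)
    for line in lines:
        cols = line.split(",")
        if len(cols) < 7 or cols[3] not in ("Assign", "Renew"):
            continue
        when = datetime.strptime(cols[1] + " " + cols[2], "%m/%d/%y %H:%M:%S")
        host = cols[5].split(".")[0].upper()  # strip DNS suffix, match case
        leases[host].append((when, cols[4]))
    for host in leases:
        leases[host].sort()
    return leases


def ip_at(leases, host, when):
    """IP the host held at `when`: latest lease at or before that time, else None."""
    best = None
    for lease_time, ip in leases.get(host, []):
        if lease_time <= when:
            best = ip
        else:
            break  # list is sorted, later leases cannot apply
    return best


def attribute_lockouts(lockout_lines, dhcp_lines):
    """Join each lockout to the caller host's IP at lockout time (None = no lease seen)."""
    leases = parse_dhcp(dhcp_lines)
    return [{**ev, "ip": ip_at(leases, ev["host"], ev["time"])}
            for ev in parse_lockouts(lockout_lines)]


def repeat_offenders(events, window=timedelta(minutes=10), threshold=2):
    """Users locked out at least `threshold` times within any `window` (assumed values)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = j - i
                break
    return flagged


if __name__ == "__main__":
    for ev in attribute_lockouts(LOCKOUT_LOG, DHCP_LOG):
        print(ev["time"], ev["user"], ev["host"], ev["ip"] or "no lease (static or unknown)")
    print("repeat offenders:", repeat_offenders(attribute_lockouts(LOCKOUT_LOG, DHCP_LOG)))
```

A host with no lease record (APP01 above) comes back as None rather than being silently dropped; those are usually statically addressed servers and deserve their own lookup source, which is what the SplunkUtil "scrape" scripts on slide 7 would feed.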