SplunkLive! Customer Presentation - Penn State Hershey Medical Center

Slide 1. Penn State Hershey Medical Center
  Jeff Campbell, Information Security Architect
  Copyright © 2013 Splunk Inc.

Slide 2. My Background and Role
  • Jeff Campbell, CISSP+ISSAP
  • Penn State Hershey Medical Center since 1997
  • Security practitioner for about 9 years
  • Splunk user since 2010
    – Architecture, Administration, Knowledge Expert
    – Building advanced searches, summary indexing, alerting, reporting
    – Splunk SME

Slide 3. Penn State Hershey at a glance
  • 5 major institutes
  • 24 academic departments
  • 4 hospitals & 19 hospital affiliates
  • 58 ambulatory care practices
  • > 9,000 employees
  • Combined $1.5 billion budget
  Penn State Hershey Children's Hospital has been ranked in five specialties in U.S. News & World Report's 2013-14 Best Children's Hospitals rankings.

Slide 4. Before Splunk
  • Most logs decentralized (firewall logs in SIEM system)
  • Limited retention
  • Searching over extended time ranges very slow
  • Lots of silos → limited visibility between systems
  • It could take hours to find a needle in the haystack
  • Manual correlation between different log files
  • Poor results
  We needed a faster way to get answers.

Slide 5. Choosing Flexibility and Fast Time to Value
  Requirements:
  • Central repository
  • Quickly search for needed data
  • Correlate & report across systems
  Splunk:
  • Flexible framework
  • Fast time to value
  • Centralized real-time data
  • Google for IT... but more!

Slide 6. Splunk Use Cases at Penn State Hershey
  • Started as a security tool (firewall, Active Directory)
    – Satisfy legal requests for data
  • Immediate "operational" improvements
    – Account lockouts (major win)
    – Associate users with IPs
    – Performance monitoring
  • Added additional sources
    – DHCP, AV, network auth, Exchange, network infrastructure...

Slide 7. Splunk Architecture
  • ~70 GB per day from 140 forwarders (~20%) ... and growing
  • Indexers: splunk1, splunk2, splunk3, splunk4
  • Agent-based sources (AD Security, Exchange, Windows, Linux, FTP): servers running dedicated lightweight Splunk agents gather local system log data and forward it to one of the four Splunk indexers, alternating on a predetermined time interval.
  • Syslog sources (firewalls, ACS, DHCP, network infrastructure, SMTP, web proxies): systems without Splunk agents may send syslog data. A Cisco SLB IP address load-balances between two redundant syslog servers (rsyslog1, rsyslog2). The syslog servers run Splunk agents and forward to the indexers.
  • splunkutil: some data useful to Splunk will not come from log files that can be monitored. The SplunkUtil server runs scripts to "scrape" data from various data sources (databases, file systems, directory services, web services, etc.) and forwards the data on to the Splunk indexers.
  • Expand coverage: VMware, Citrix
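The forwarding pattern on slide 7 (each agent sends to one of the four indexers and switches on a fixed interval) is what Splunk's forwarder-side load balancing does. The fragment below is an added illustration, not configuration from the presentation or from Penn State Hershey: it shows an outputs.conf on a forwarder plus the matching receiving stanza on each indexer. The indexer hostnames splunk1 through splunk4 are taken from the slide; the port 9997, the 30-second switching interval and the group name are assumptions.

```ini
# outputs.conf on each forwarder (added example, not the deck's own config).
# Hostnames come from the slide; port, interval and group name are assumed.
[tcpout]
defaultGroup = hershey_indexers

[tcpout:hershey_indexers]
# The forwarder picks one indexer from this list at a time ...
server = splunk1:9997, splunk2:9997, splunk3:9997, splunk4:9997
# ... and moves to another one every autoLBFrequency seconds (assumed 30),
# which spreads the ~70 GB/day across all four indexers.
autoLBFrequency = 30
# Require the indexer to acknowledge received data so events in flight
# are resent rather than lost when the forwarder switches or an indexer fails.
useACK = true

# inputs.conf on each indexer splunk1..splunk4: open the receiving port
# that the forwarders above connect to.
[splunktcp://9997]
disabled = 0
```

The syslog tier on the slide needs no extra outputs.conf logic: rsyslog1 and rsyslog2 run the same forwarder configuration and monitor the files rsyslog writes, while the Cisco SLB address in front of them handles the redundancy for devices that can only speak syslog.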
Slide 8. Splunk Applications
  • Windows
  • MS Exchange
  • Vulnerability Data

Slide 9. Vulnerability Overview

Slide 10. Return on Investment
  Labor cost savings from Splunk easily offset the purchase price.

Slide 11. Future Plans
  • "Splunk for Everything" (infrastructure)
    – VMware & Citrix end-to-end performance
  • Executive dashboards & reports
  • Key applications (financials, trouble ticketing, asset management, etc.)
    – Better data aggregation
    – Expand Splunk user base
  • Clinical systems? (HIPAA/HITECH compliance, "meaningful use")

Slide 12. Best Practices and Lessons Learned
  • Plan data intake well; know what logs look like before they come in
  • Don't be afraid to play; fully explore the product & its capabilities
  • RTFM (try to Google "Splunk propsconf")
  • If you're stuck, go to Splunk Answers – great community there
  • People in your organization will see the value – help them find something in their data

Slide 13. Thank You