SplunkLive! Customer Presentation - University of Alabama at Birmingham


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Retail loss prevention report. Being able to change the questions.
  • SplunkLive! Customer Presentation - University of Alabama at Birmingham

    1. 1. Copyright © 2013 Splunk Inc. George Starcher, CISSP University of Alabama at Birmingham Enterprise Information Security Engineer II
    2. 2. About UAB Established in 1936 18,568 students Peak 175 GB log data/day 2
    3. 3. About Me George Starcher, Enterprise Information Security Engineer II, CISSP Splunk Certified Knowledge Manager and Splunk Certified Administrator Splunk IRC Channel; Birmingham, AL - Splunk User Group Log all the things! RaspberryPi + Splunk = Optimal Laundry Time Yes, there is a Splunk Universal Forwarder now! www.georgestarcher.com 3
    4. 4. One Year Ago License Usage was 150GB/day Ingesting normal log types Base parsing of fields We saw huge increase on speed for investigating issues The honeymoon period with our data
    5. 5. Now License Usage averaging 175GB/day Added a lot of log metadata and simplifying searches Common Information Model Starting to add external Intelligence Sources We were already doing geo lookups Keeping the magic in the relationship Automating Splunk control over other systems
    6. 6. Securing the University 6 Before: • Lots of “typical” log mining • Not as vibrant integration to ES App as wanted • Manual Daily Operations Processes After: • Searches easier to understand and resilient to new log sources • ES App much better populated • Alert Script Control of Other Systems
    7. 7. Common Information Model http://docs.splunk.com/Documentation/CIM/latest/User/Overview index=os_osx sshd invalid • This is an abstraction process going from raw machine data to a usable nomenclature • Institutionalizes knowledge of log data • Puts focus on the questions not the technical details • Canned questions miss things
    8. 8. Data Parsing Index Time Search Time
    9. 9. Common Information Model tag=authentication action=failure | stats values(user) by src_ip
    10. 10. @SplunkDev Team - THANKS!! @gblock - Glenn Block @damiendallimore -Damien Dallimore David Noble - Twitter App
    11. 11. Alert Scripts - IPS Control Had manual process for blocking abusive scanners: SSH, RDP, VNC, etc – Consumed 30-45 minutes per day – Permanent blacklist entries Moved to automated process – Scheduled Splunk Searches driven by any log source – Greatly reduced time and static blacklist maintenance – Plugged in Web Services (REST) calls to the IPS
    12. 12. Alert Scripts - How it Works Intrusion Prevention ApplianceIntrusion Prevention Appliance
    13. 13. Alert Scripts - How it Works
    14. 14. Alert Scripts - How it Works
    15. 15. Alert Scripts - In Action IPS Quarantine Activity:
    16. 16. Alert Scripts - In Action Splunk Quarantine Activity:
    17. 17. Phishing
    18. 18. Phishing
    19. 19. Phishing
    20. 20. Phishing Initial Activity (Nigeria):
    21. 21. Phishing Started Feb 10, 2014 • Blocked for any access from Nigeria every 5 minutes Expanded Multi-Country Feb 15, 2014 • Blocked for combination from certain countries and a lookup table of hosted providers Feb 17, 2014 • Noticed unexpected Exchange from Nigeria
    22. 22. Phishing Single User by src_ip_country: Hosted by src_ip:
    23. 23. Splunk from Tool to Team Member We recovered an hour of daily operations labor per day by automating existing processes and some regular intelligence reports. The automation provides the ability of our IPS to respond to data it could never handle directly. Combining the automated response with different quarantine policies in the IPS we change the ground under the attacker’s feet. Simplifying searches based on Common Information Model helps with cross training staff and integration of new log sources.
    24. 24. What is Next Update to Splunk v6 Update to Splunk App for Enterprise Security Application v. 3.0 Add automation to more of our systems Add Data exchange from/to Intelligence sharing systems
    25. 25. Thank You!