Your SlideShare is downloading. ×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SplunkLive! Customer Presentation - University of Alabama at Birmingham


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Retail loss prevention report. Being able to change the questions.
  • Transcript

    • 1. Copyright © 2013 Splunk Inc. George Starcher, CISSP University of Alabama at Birmingham Enterprise Information Security Engineer II
    • 2. About UAB Established in 1936 18,568 students Peak 175 GB log data/day 2
    • 3. About Me George Starcher, Enterprise Information Security Engineer II, CISSP Splunk Certified Knowledge Manager and Splunk Certified Administrator Splunk IRC Channel; Birmingham, AL - Splunk User Group Log all the things! RaspberryPi + Splunk = Optimal Laundry Time Yes, there is a Splunk Universal Forwarder now! 3
    • 4. One Year Ago License Usage was 150GB/day Ingesting normal log types Base parsing of fields We saw huge increase on speed for investigating issues The honeymoon period with our data
    • 5. Now License Usage averaging 175GB/day Added a lot of log metadata and simplifying searches Common Information Model Starting to add external Intelligence Sources We were already doing geo lookups Keeping the magic in the relationship Automating Splunk control over other systems
    • 6. Securing the University 6 Before: • Lots of “typical” log mining • Not as vibrant integration to ES App as wanted • Manual Daily Operations Processes After: • Searches easier to understand and resilient to new log sources • ES App much better populated • Alert Script Control of Other Systems
    • 7. Common Information Model index=os_osx sshd invalid • This is an abstraction process going from raw machine data to a usable nomenclature • Institutionalizes knowledge of log data • Puts focus on the questions not the technical details • Canned questions miss things
    • 8. Data Parsing Index Time Search Time
    • 9. Common Information Model tag=authentication action=failure | stats values(user) by src_ip
    • 10. @SplunkDev Team - THANKS!! @gblock - Glenn Block @damiendallimore -Damien Dallimore David Noble - Twitter App
    • 11. Alert Scripts - IPS Control Had manual process for blocking abusive scanners: SSH, RDP, VNC, etc – Consumed 30-45 minutes per day – Permanent blacklist entries Moved to automated process – Scheduled Splunk Searches driven by any log source – Greatly reduced time and static blacklist maintenance – Plugged in Web Services (REST) calls to the IPS
    • 12. Alert Scripts - How it Works Intrusion Prevention ApplianceIntrusion Prevention Appliance
    • 13. Alert Scripts - How it Works
    • 14. Alert Scripts - How it Works
    • 15. Alert Scripts - In Action IPS Quarantine Activity:
    • 16. Alert Scripts - In Action Splunk Quarantine Activity:
    • 17. Phishing
    • 18. Phishing
    • 19. Phishing
    • 20. Phishing Initial Activity (Nigeria):
    • 21. Phishing Started Feb 10, 2014 • Blocked for any access from Nigeria every 5 minutes Expanded Multi-Country Feb 15, 2014 • Blocked for combination from certain countries and a lookup table of hosted providers Feb 17, 2014 • Noticed unexpected Exchange from Nigeria
    • 22. Phishing Single User by src_ip_country: Hosted by src_ip:
    • 23. Splunk from Tool to Team Member We recovered an hour of daily operations labor per day by automating existing processes and some regular intelligence reports. The automation provides the ability of our IPS to respond to data it could never handle directly. Combining the automated response with different quarantine policies in the IPS we change the ground under the attacker’s feet. Simplifying searches based on Common Information Model helps with cross training staff and integration of new log sources.
    • 24. What is Next Update to Splunk v6 Update to Splunk App for Enterprise Security Application v. 3.0 Add automation to more of our systems Add Data exchange from/to Intelligence sharing systems
    • 25. Thank You!