SplunkLive! Kansas City April 2013 - UMB Bank


1 Comment
  • So what else do you do apart from scanning logs?

    1. UMB Financial Services
       Sean White, Senior Information Security Engineer
       Copyright © 2012 Splunk, Inc.
    2. UMB Financial Overview
       • Holding company for four UMB-branded banks serving seven states
       • Over 130 branches
       • Services: checking, savings, credit and debit cards, investment services, commercial real estate loans
       • Subsidiaries offer insurance, brokerage, leasing, treasury management, health savings, etc.
    3. My Role at UMB
       • Sean White, Senior Information Security Engineer
       • B.S. in Computer Science from the University of Kansas, 1994
       • In the last 15 years, has worked in information security for 3 of the top 4 US wireless carriers
       • IT team (8 engineers) responsible for specifying, installing and operating most of the security equipment: firewalls, IDS, IPS, WAF, e-mail gateways, enterprise unified logging, etc. Pretty much everything except physical security.
       • Security Operations (2 engineers)
    4. How We Started
       • At UMB, Splunk started as a single use case for fraud detection
         – Started with 100 GB per day
         – Third-party vendor for fraud detection
         – Splunk used for centralizing and correlating many different logs from various areas in the company
         – Before Splunk we used legacy tools, which were inefficient
       • Initially chose Splunk to support PCI compliance efforts
       • Splunk chosen due to previous successful experience and because it is an industry-leading log solution
       • Needed a solution for PCI, but also to aggregate machine data for operational improvements
    5. Splunk at UMB
       • Implementing enterprise-wide Splunk
       • Primary data center and business continuity data center
       • Pre-production environment
       • Security, OS and application data sources: firewalls, IPS, IDS, email gateways, networking devices
       • Splunk apps deployed at UMB: PCI Compliance, Splunk for MS Exchange, Blue Coat Proxy, Sourcefire
       • Potential to grow to 600+ GB
       • Initially 60-80 users
       • Two search heads
       • Five indexers
       • 100+ forwarders (to grow to hundreds)
    6. Splunk at UMB: Enterprise-wide Solution
       Before Splunk:
       • Legacy Syslog-NG collector
       • No centralized logging for Windows
       • Legacy log collection solution not meeting UMB needs
       • Manual polling of various security devices (Checkpoint, Sourcefire, ...) for logs
       • grep and awk; "by-hand" log correlation
       Data sources feeding the UMB Splunk environment:
       • OS logs from hundreds of servers (Windows, Linux, UNIX)
       • Various application logs, both 3rd-party and in-house
       • Novell Access Manager logs, WebSphere logs
       • Firewalls, IPS, IDS, WAF, email gateways, switches and router machine data
       • Middleware and database logs
       Enter Splunk:
       • PCI compliance
       • Easy access to various security data
       • Proactive monitoring of multiple applications
       • Instant time to resolution
    7. AHA! Moment: Splunk for Fraud Detection and Prevention
       • Splunk for DShield helped get Splunk to UMB
       • Splunk retrieves firewall data directly from DShield
       • External network IPs monitored
       • Identified a compromised host from within our internal network responsible for the attack
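The correlation the DShield slide describes (an external report says attacks came from our public address; firewall logs say which internal host was talking to those targets) is the "by-hand" grep-and-awk job the earlier slide mentions. Below is an added example of that logic in Python; it is not UMB's or Splunk's code and does not use the Splunk for DShield app. The firewall log layout, the DShield-style report rows, the public NAT address and the internal address ranges are all constructed for the example; a real deployment would read the report from DShield and the logs from the firewall index.

```python
"""Correlate outbound firewall logs with a DShield-style attack report to find
the internal host behind attacks attributed to our public (NAT) address.

Added example. Log format, report rows, addresses and ranges are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical public egress address: the address an external party like DShield would report.
OUR_PUBLIC_IP = "192.0.2.1"

# Assumed internal ranges (RFC 1918). Documentation addresses (203.0.113.0/24 etc.) are
# used as "external" below, so membership is checked explicitly rather than via is_private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a DShield report: (reported attacker, target, target port).
DSHIELD_REPORT: List[Dict] = [
    {"source": OUR_PUBLIC_IP, "target": "203.0.113.10", "port": 22},
    {"source": OUR_PUBLIC_IP, "target": "203.0.113.44", "port": 22},
    {"source": "198.51.100.200", "target": "203.0.113.10", "port": 443},  # someone else's attack; ignore
]

# Constructed firewall log lines in a hypothetical key=value layout.
SAMPLE_FW_LOGS = """\
2013-04-02T10:01:03 fw1 action=accept src=10.20.30.40 dst=203.0.113.10 dport=22 proto=tcp
2013-04-02T10:01:04 fw1 action=accept src=10.20.30.40 dst=203.0.113.44 dport=22 proto=tcp
2013-04-02T10:01:04 fw1 action=drop src=10.20.30.40 dst=198.51.100.7 dport=22 proto=tcp
2013-04-02T10:01:05 fw1 action=accept src=10.20.30.41 dst=192.0.2.80 dport=443 proto=tcp
2013-04-02T10:01:06 fw1 action=accept src=10.20.30.42 dst=203.0.113.10 dport=443 proto=tcp
2013-04-02T10:01:07 fw1 action=accept src=203.0.113.10 dst=10.20.30.42 dport=443 proto=tcp
2013-04-02T10:01:09 fw1 action=accept src=10.20.30.43 dst=203.0.113.10 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\S+)\s+src=(?P<src>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\S+)$"
)


def parse_fw_line(line: str) -> Optional[Dict]:
    """Parse one constructed firewall line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reported_targets(report: Iterable[Dict], our_ip: str) -> Set[Tuple[str, int]]:
    """(target, port) pairs DShield attributes to our public address; other attackers are dropped."""
    return {(r["target"], r["port"]) for r in report if r["source"] == our_ip}


def correlate(log_text: str, report: Iterable[Dict], our_ip: str = OUR_PUBLIC_IP) -> Counter:
    """Count, per internal source host, outbound connections to reported (target, port) pairs."""
    targets = reported_targets(report, our_ip)
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None:
            continue
        # Outbound only: internal source to external destination. Inbound lines are skipped.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if (rec["dst"], rec["dport"]) in targets:
            hits[rec["src"]] += 1
    return hits


def responsible_hosts(log_text: str, report: Iterable[Dict], min_hits: int = 2) -> List[str]:
    """Internal hosts with at least min_hits matches, i.e. the likely compromised machines."""
    return sorted(h for h, n in correlate(log_text, report).items() if n >= min_hits)


if __name__ == "__main__":
    for host, n in correlate(SAMPLE_FW_LOGS, DSHIELD_REPORT).most_common():
        print(f"{host}: {n} outbound connection(s) to DShield-reported targets")
    print("suspected compromised host(s):", responsible_hosts(SAMPLE_FW_LOGS, DSHIELD_REPORT))
```

Two details matter in practice: match on the (target, port) pair rather than the target address alone, otherwise ordinary traffic to a popular host on another port (10.20.30.42 to port 443 above) would be flagged; and filter the report to rows attributed to your own egress address, since DShield aggregates reports from many sensors. The `min_hits` threshold is a constructed cut-off, not a number from the deck.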
    8. Splunk for Outage Detection
       • Splunk helps to identify outages quickly
       • Engineers don't need to log in to both sides of the cluster
       • Just search for a specific issue
    9. Splunk for UMB Applications Management
       • Online banking
         – Troubleshooting and capacity planning
         – Security
       • Mobile banking
       • Credit card management suite
       • Novell Access Manager (web front end)
       • ACH batch transfer logs
       • IBM WebSphere Application Server
       • Apache
    10. Best Practice Recommendations
       • Educate other departments by conducting Lunch-and-Learn sessions.
       • Customize the Splunk Getting Started app for your data to give others a gentle introduction.
       • Plan your distributed deployment. UMB went from a single server to a distributed system of indexers and search heads. Use the deployment server!
       • Splunk apps to use: S.O.S., Deployment Monitor, Getting Started
       • Utilize the many resources at splunk.com: Documentation, Answers, Blogs, Splunkbase, etc.
    11.-19. (no slide text extracted)
    20. Splunk at UMB: Future
       • Expand Splunk for other uses once in production
       • Add more sources of data to Splunk
       • Install more apps and TAs from Splunkbase
       • Train and add more users: developers, web platform team, system admins, business users, etc.
       • Educate developers on best logging practices
       • Develop Splunk apps/dashboards for an internal business audience
       • Add a dedicated Splunk admin for growing and customizing Splunk for UMB needs
       • Replace or augment other monitoring solutions with Splunk
    21. Summary
       • Splunk allows us to have all our machine data logs in one place
       • Splunk is intuitive and powerful
       • As a fraud prevention and detection solution, Splunk helps UMB save money
       • Splunk makes it possible for us to achieve and maintain our PCI compliance
    22. Thank You!