SplunkLive! Philadelphia - University of Scranton

About University of Scranton• Jesuit University, founded in 1888• Regional, comprehensive university with a total enrollment of more than 6,000 students in 86 undergraduate and graduate programs• Scranton stands among the top tier of universities recognized nationally, with rankings in a multitude of venues (US News Top 10 Regional, Princeton Review Top 300, Forbes.com)Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 2 Listen to your data. Copyright © 2012, Splunk Inc.

What We Do... • Ensure security (C-I-A) of all University information assets • Focus on detection and quarantine of infected endpoints • Data stewardship / Security governance • Distributed security responsibilities (SecOPs) • Network Security Infrastructure “Splunk is our Security Solution.”Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 3 Listen to your data. Copyright © 2012, Splunk Inc.

Splunk at the UofS • Splunk users for ~4 years • Needed enterprise solution for syslog collection/correlation • Evaluated Open Source solutions • 500 MB evaluation license of Splunk • Focused on collection from key network systems • But now….Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 4 Listen to your data. Copyright © 2012, Splunk Inc.

If You Got It, Splunk It Centralized log collection • Key Enterprise systems • Firewalls • Networking equipment • Intrusion detection/prevention systems • DNS queries, URL access • DHCP servers • Active Directory, LDAP “We didnt do anything like this before Splunk.”Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 5 Listen to your data. Copyright © 2012, Splunk Inc.

Security at a Mobile Friendly Campus PROBLEM: Network Address Translation: private vs public IP address. Most external reports give time stamp and public IP address information but we need to know who is behind it. Higher Education Opportunity Act requires a system in place to combat copyright infringement. • Cisco Network Access Control logs, DHCP logs, NAT translation logs in Splunk • Ability to connect the dots quickly • Wrote an IP tracker app (java) – which talks to Splunk over APIs – lookup functionCopyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 6 Listen to your data. Copyright © 2012, Splunk Inc.

Automated Searches • Saved searches – Network access control system – Things being dropped by internal and external firewalls (dashboard) – Automated alert for stolen goods (MAC address) Detect – SPAM – Alert conditions on servers – Activity with routing protocols – Bad actors trying to access VPN / Digital Reserves / SSH / etc. “Splunk helped us immensely with indexing, analyzing and correlating data. ”Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 9 Listen to your data. Copyright © 2012, Splunk Inc.

Computer Security Incident Response Team Investigations• Splunk – MAC address, User Name, Public and Private IP addresses• Set window around known time of infection• Result: insight into how, when and where host was compromised “Being able to put 1 parameter in and chasing it across the network is great! ”Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 13 Listen to your data. Copyright © 2012, Splunk Inc.

Splunk 4.3 – Winner! • Bloom-filters • IPv6 support • Non-Flash UI • Historic Versions (whoops!) • JSON XML field extractions • Native Python and Java SDKs excitingCopyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 14 Listen to your data. Copyright © 2012, Splunk Inc.

Future Plans • Synchronization with Active Directory • Identify financial aid fraud with correlation of event logs • Data mining webserver logs • Using Splunk for Institutional Research • Speed of light calculations on geoip dataCopyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 15 Listen to your data. Copyright © 2012, Splunk Inc.

Thank you! Tony "Pancakes" Maszeroski Information Security Manager Calvin Krzywiec Network EngineerCopyright © 2011, Splunk Inc. Philadelphia, February 2, 2012 16 16 Listen to your data. Copyright © 2012, Splunk Inc.

SplunkLive! Philadelphia - University of Scranton

by Splunk on Feb 06, 2012

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 20

Statistics

SplunkLive! Philadelphia - University of Scranton — Presentation Transcript

http://www.twylah.com	13
http://a0.twimg.com	7