SplunkLive! Philadelphia - University of Scranton
  • Automated searches for certain conditions – what are those searches – Internal/External Firewalls
  • ROI/PCO are huge right now - what need does it fulfill - are there other products, lower price, same functionality? We did due diligence. Picked the right fit (response time, transaction tracing). Challenges: No one was looking at security tools. We knew we needed centralized logging, because of the inefficiencies that were going around: looking at logs in different systems for troubleshooting and forensics. Limited with switches and routing that could hold internal logs. We played around with I don't even know how many open source syslog applications. Splunk was brought to my attention: free for 500 MB, let's throw it in and see how it works... about 4 yrs ago. Initially we were just using it for centralized log collection, but it got more embedded into our operations. “I am amazed at how easy it is to index and analyze data in Splunk.”
  • Network knew what type of user you were – student, faculty, staff. We needed to take 10. address space to cut it up. Network Access Translation: private vs public address.
  • Alert goes out to campus police. If it's wireless we put it up on a University map down to floor and room. Narrow down to a cable location.
  • Installing 4.3 was super easy. 2 yr effort to support IPv6 natively on campus. Analyzing NetFlow data – which buckets have which IP addresses.
  • Online MBA program, some other online programs less familiar. Dept. of Education - dear colleague letter - concerned about financial aid fraud in higher edu. Some controls are comparing geolocation from where they register, where they do their test, where they lived, etc.

Presentation Transcript

  • Calvin Krzywiec, Network Engineer
    Copyright © 2011, Splunk Inc. Philadelphia, February 2, 2012. Listen to your data. Copyright © 2012, Splunk Inc.
  • About University of Scranton
    • Jesuit University, founded in 1888
    • Regional, comprehensive university with a total enrollment of more than 6,000 students in 86 undergraduate and graduate programs
    • Scranton stands among the top tier of universities recognized nationally, with rankings in a multitude of venues (US News Top 10 Regional, Princeton Review Top 300, Forbes.com)
  • What We Do...
    • Ensure security (C-I-A) of all University information assets
    • Focus on detection and quarantine of infected endpoints
    • Data stewardship / security governance
    • Distributed security responsibilities (SecOps)
    • Network security infrastructure
    “Splunk is our Security Solution.”
  • Splunk at the UofS
    • Splunk users for ~4 years
    • Needed enterprise solution for syslog collection/correlation
    • Evaluated open source solutions
    • 500 MB evaluation license of Splunk
    • Focused on collection from key network systems
    • But now…
  • If You Got It, Splunk It
    Centralized log collection:
    • Key enterprise systems
    • Firewalls
    • Networking equipment
    • Intrusion detection/prevention systems
    • DNS queries, URL access
    • DHCP servers
    • Active Directory, LDAP
    “We didn't do anything like this before Splunk.”
  • Security at a Mobile Friendly Campus
    PROBLEM: Network Address Translation: private vs public IP address. Most external reports give a time stamp and a public IP address, but we need to know who is behind it. The Higher Education Opportunity Act requires a system in place to combat copyright infringement.
    • Cisco Network Access Control logs, DHCP logs, NAT translation logs in Splunk
    • Ability to connect the dots quickly
    • Wrote an IP tracker app (Java) which talks to Splunk over APIs (lookup function)
  • External Application Integration (slides 7 and 8)
  • Automated Searches
    • Saved searches:
      – Network access control system
      – Things being dropped by internal and external firewalls (dashboard)
      – Automated alert for stolen goods (MAC address)
    • Detect:
      – SPAM
      – Alert conditions on servers
      – Activity with routing protocols
      – Bad actors trying to access VPN / Digital Reserves / SSH / etc.
    “Splunk helped us immensely with indexing, analyzing and correlating data.”
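The slide lists the searches but not how they work. The block below is an added example, not the University's Splunk searches nor Splunk's own code: it implements three of the listed detections (firewall drop counts for a dashboard, a sliding-window alert on one source repeatedly denied at a remote-access port, and the stolen-device MAC watchlist with the location the NAC system recorded) over constructed log lines. The log formats, the field names, the `fw-ext`/`fw-int` names and the choice of ports 22 and 500 as "remote access" services are assumptions made for the example.

```python
"""Added example (not the University's or Splunk's code): automated searches
over constructed firewall and NAC log lines. Formats are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges; 10.0.0.0/8 addresses stand in for the campus network.
FW_LOG = """\
2012-02-01T10:00:01 fw-ext: DENY src=198.51.100.9 dst=203.0.113.20 dport=22 proto=tcp
2012-02-01T10:00:03 fw-ext: DENY src=198.51.100.9 dst=203.0.113.20 dport=22 proto=tcp
2012-02-01T10:00:05 fw-ext: DENY src=198.51.100.9 dst=203.0.113.20 dport=22 proto=tcp
2012-02-01T10:00:07 fw-ext: DENY src=198.51.100.9 dst=203.0.113.20 dport=22 proto=tcp
2012-02-01T10:00:09 fw-ext: DENY src=198.51.100.9 dst=203.0.113.20 dport=22 proto=tcp
2012-02-01T10:01:00 fw-ext: DENY src=198.51.100.77 dst=203.0.113.20 dport=22 proto=tcp
2012-02-01T10:02:00 fw-int: DENY src=10.20.30.55 dst=10.1.1.5 dport=445 proto=tcp
2012-02-01T10:03:00 fw-int: DENY src=10.20.30.55 dst=10.1.1.6 dport=445 proto=tcp
2012-02-01T10:30:00 fw-ext: DENY src=198.51.100.9 dst=203.0.113.21 dport=500 proto=udp
"""
NAC_LOG = """\
2012-02-01T09:10:00 nac: user=asmith mac=aa:bb:cc:dd:ee:01 auth=success location=STUDENT-CTR-2F-AP03
2012-02-01T11:00:00 nac: user=guest mac=de:ad:be:ef:00:01 auth=success location=LIB-1F-AP02
"""

FW_RE = re.compile(r"(\S+) (fw-\w+): DENY src=(\S+) dst=(\S+) dport=(\d+)")
NAC_RE = re.compile(r"(\S+) nac: user=(\S+) mac=([0-9a-f:]{17}) auth=\S+ location=(\S+)")
# Ports treated as "remote access" services for the bad-actor search (assumption).
SERVICE_PORTS = {22: "SSH", 500: "VPN (IKE)"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def drops_by_firewall(fw_log):
    """Dashboard feed: how many packets each firewall (internal/external) dropped."""
    return Counter(m.group(2) for m in map(FW_RE.match, fw_log.splitlines()) if m)


def bad_actor_alerts(fw_log, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source is denied `threshold` times at a watched service
    port within any span of length `window` (sliding window over sorted times)."""
    per_key = defaultdict(list)
    for m in map(FW_RE.match, fw_log.splitlines()):
        if m and int(m.group(5)) in SERVICE_PORTS:
            per_key[(m.group(3), int(m.group(5)))].append(parse_ts(m.group(1)))
    alerts = []
    for (src, port), times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "service": SERVICE_PORTS[port],
                               "count": end - start + 1,
                               "first": times[start], "last": t})
                break  # one alert per source/service is enough for the queue
    return alerts


def stolen_device_alerts(nac_log, watchlist):
    """Flag any network-access authentication by a MAC on the stolen-device
    list, with the location the NAC system recorded (the campus-police alert)."""
    wl = {m.lower() for m in watchlist}
    return [{"time": m.group(1), "mac": m.group(3), "user": m.group(2),
             "location": m.group(4)}
            for m in map(NAC_RE.match, nac_log.splitlines())
            if m and m.group(3).lower() in wl]


if __name__ == "__main__":
    print(dict(drops_by_firewall(FW_LOG)))
    for a in bad_actor_alerts(FW_LOG):
        print("bad actor:", a)
    for s in stolen_device_alerts(NAC_LOG, {"DE:AD:BE:EF:00:01"}):
        print("stolen device seen:", s)
```

The sliding window matters: a threshold over a whole day would fire on slow, unrelated noise, while a threshold over ten minutes catches a burst against SSH or the VPN gateway and ignores the single denied packet at 10:30. The watchlist compare is case-insensitive because NAC and DHCP sources often disagree on MAC case.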
  • Network Security Dashboards (slides 10 and 11)
  • Network Operations Dashboards (slide 12)
  • Computer Security Incident Response Team Investigations
    • Splunk: MAC address, user name, public and private IP addresses
    • Set window around known time of infection
    • Result: insight into how, when and where host was compromised
    “Being able to put 1 parameter in and chasing it across the network is great!”
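Slide 6 describes the NAT problem (an external report names a public IP and a time, but the person is behind a private address) and the IP tracker lookup built to solve it; this slide describes the CSIRT pivot that takes one identifier and a time window and chases it across the network. The block below is an added example of both, not the University's Java IP tracker nor Splunk's API: it joins constructed NAT translation, DHCP and NAC log lines to walk public IP:port plus time to private IP, then MAC, then user and location, and then pivots on that result within a window. It handles two edge cases the notes imply: the same public port being reused by a different host earlier in the day, and the private address being re-leased to another MAC after the incident. The log formats and the field names are assumptions made for the example.

```python
"""Added example (not the University's IP tracker or Splunk's code): NAT ->
DHCP -> NAC identity chain and a time-window pivot over constructed logs."""
import re
from datetime import datetime, timedelta

# Constructed sample events. 203.0.113.10 is the campus NAT pool address
# (documentation range); 10.20.30.x are private RFC 1918 addresses.
SAMPLE_LOGS = """\
2012-02-01T07:59:50 nac: user=jdoe mac=00:11:22:33:44:55 auth=success location=LIB-3F-AP12
2012-02-01T08:00:10 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 via vlan120
2012-02-01T08:05:00 dhcpd: DHCPACK on 10.20.30.41 to 66:77:88:99:aa:bb via vlan120
2012-02-01T09:30:00 nat: built translation 10.20.30.41:40100 -> 203.0.113.10:40001
2012-02-01T09:45:00 nat: teardown translation 10.20.30.41:40100 -> 203.0.113.10:40001
2012-02-01T10:15:02 nat: built translation 10.20.30.40:51234 -> 203.0.113.10:40001
2012-02-01T10:18:00 ids: alert signature=suspicious-beacon src=10.20.30.40 dst=198.51.100.7
2012-02-01T10:20:00 nat: teardown translation 10.20.30.40:51234 -> 203.0.113.10:40001
2012-02-01T10:25:00 dhcpd: DHCPACK on 10.20.30.40 to 66:77:88:99:aa:bb via vlan120
2012-02-01T10:40:00 ids: alert signature=suspicious-beacon src=10.20.30.40 dst=198.51.100.7
"""

TS_RE = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
NAT_RE = re.compile(TS_RE + r" nat: (built|teardown) translation (\S+):(\d+) -> (\S+):(\d+)")
DHCP_RE = re.compile(TS_RE + r" dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})")
NAC_RE = re.compile(TS_RE + r" nac: user=(\S+) mac=([0-9a-f:]{17}) auth=success location=(\S+)")


def parse_ts(s):
    return s if isinstance(s, datetime) else datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def lines(log):
    return sorted(l for l in log.splitlines() if l.strip())   # ISO prefix sorts by time


def private_ip_for(log, public_ip, public_port, when):
    """Private IP whose translation to public_ip:public_port was active at
    `when`: built at or before `when` and not torn down before it. Processing
    in time order makes an earlier reuse of the same public port drop out."""
    active = {}   # (private_ip, private_port) -> time the translation was built
    for m in filter(None, map(NAT_RE.match, lines(log))):
        ts, kind, pip, pport, pub, pubport = m.groups()
        if (pub, int(pubport)) != (public_ip, public_port) or parse_ts(ts) > when:
            continue
        if kind == "built":
            active[(pip, int(pport))] = parse_ts(ts)
        else:
            active.pop((pip, int(pport)), None)
    if not active:
        return None
    return max(active.items(), key=lambda kv: kv[1])[0][0]


def mac_for(log, private_ip, when):
    """Most recent DHCPACK for private_ip at or before `when`, and the time of
    the next ACK that hands the address to a different MAC (lease boundary)."""
    acks = [(parse_ts(m.group(1)), m.group(3))
            for m in filter(None, map(DHCP_RE.match, lines(log))) if m.group(2) == private_ip]
    before = [(t, mac) for t, mac in acks if t <= when]
    if not before:
        return None, None
    mac = before[-1][1]
    later = [t for t, m in acks if t > when and m != mac]
    return mac, (later[0] if later else None)


def user_for(log, mac, when):
    """Most recent successful NAC authentication of `mac` at or before `when`."""
    auths = [(parse_ts(m.group(1)), m.group(2), m.group(4))
             for m in filter(None, map(NAC_RE.match, lines(log)))
             if m.group(3) == mac and parse_ts(m.group(1)) <= when]
    return (auths[-1][1], auths[-1][2]) if auths else (None, None)


def trace_public_ip(log, public_ip, public_port, when):
    """The IP-tracker lookup: public IP:port + time -> private IP -> MAC -> user/location."""
    when = parse_ts(when)
    priv = private_ip_for(log, public_ip, public_port, when)
    if priv is None:
        return None
    mac, lease_end = mac_for(log, priv, when)
    user, location = user_for(log, mac, when) if mac else (None, None)
    return {"private_ip": priv, "mac": mac, "lease_end": lease_end,
            "user": user, "location": location}


def pivot(log, trace, when, window=timedelta(hours=3)):
    """CSIRT pivot: every event within +/- window naming the MAC or user, or the
    private IP while the lease still belonged to that MAC, so events of whoever
    got the address next are not pulled into this host's timeline."""
    when, hits = parse_ts(when), []
    for line in lines(log):
        t = parse_ts(line[:19])
        if abs(t - when) > window:
            continue
        ip_ok = trace["private_ip"] in line and (trace["lease_end"] is None or t < trace["lease_end"])
        if ip_ok or (trace["mac"] and trace["mac"] in line) or \
                (trace["user"] and f"user={trace['user']}" in line):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # An external report: "203.0.113.10 port 40001 at 2012-02-01 10:16:00".
    t = trace_public_ip(SAMPLE_LOGS, "203.0.113.10", 40001, "2012-02-01T10:16:00")
    print(t)
    for h in pivot(SAMPLE_LOGS, t, "2012-02-01T10:16:00"):
        print(h)
```

Run as-is, the lookup resolves the report to 10.20.30.40, MAC 00:11:22:33:44:55, user jdoe at LIB-3F-AP12, and the pivot returns the authentication, the lease, the translation build and teardown and the 10:18 IDS alert, but not the 10:40 alert, which belongs to the host that received 10.20.30.40 at 10:25. Asking about the same public port at 09:40 correctly returns 10.20.30.41 instead.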
  • Splunk 4.3 – Winner!
    • Bloom filters
    • IPv6 support
    • Non-Flash UI
    • Historic versions (whoops!)
    • JSON/XML field extractions
    • Native Python and Java SDKs: exciting
  • Future Plans
    • Synchronization with Active Directory
    • Identify financial aid fraud with correlation of event logs
    • Data mining web server logs
    • Using Splunk for Institutional Research
    • Speed-of-light calculations on GeoIP data
  • Thank you! Tony "Pancakes" Maszeroski, Information Security Manager; Calvin Krzywiec, Network Engineer