What does “Cloud First” really mean for your processes, customers, and the future of your business? In this session, learn from Hub International’s CISO and Head of Architecture how the insurance company is transforming their business by migrating to the cloud for greater scale, cost savings, performance, and security. With a goal to go all-in on AWS by end of 2018, Hub International needed real-time visibility across its cloud and hybrid environments to mitigate risks and ensure seamless migrations—thereby keeping customers happy and their data safe. See how Hub International is harnessing machine data and predictive analytics to secure applications and infrastructure, control costs and improve capacity planning. This session is brought to you by AWS partner, Splunk.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
“Cloud First” Helps Hub Intl Grow the
Business with Splunk on AWS
Seth Morrell
Vice President,
Enterprise Architecture
and Design
HUB International
A N T 3 3 0 - S
Jeremy Embalabala
Director, Security
Architecture &
Engineering
HUB International
Jae Lee
Director Product
Marketing, Security
Splunk

3. “Our partnership with Splunk is
incredibly important for our
customers. Customers love AWS agility
with Splunk visibility.”
Andy Jassy, CEO
Amazon Web Services

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
One consolidated solutionManage hybrid
infrastructure
Cost, capacity, and resource
management
Cloud migration
Splunk takes the place of the
multitude of monitoring tools
because sometimes one is
better than many.
Hybrid infrastructure creates
a complex monitoring
environment. Legacy tools
can't keep up. Splunk can.
Understand how your
resources are performing –
and how many are being
used – then optimize
utilization and billing.
Get visibility at all stages of
the migration process –
whether before, during, or
long after.
End state: Comprehensive AWS visibility

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Splunk and AWS
Custom
dashboards
Report and
analyze
Monitor
and alert
Developer
Platform
Ad hoc
search
Real-time
machine data
References – Coded fields, mappings, aliases
Dynamic information – Stored in non-traditional formats
Environmental context – Human-maintained files, documents
System/application – Available only using application request
Intelligence/analytics – Indicators, anomaly, research, white/blacklist
On-premises
Private cloud
Public cloud
Storage
Online
shopping cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
clickstreams
RFID
Smartphones
and devices
Servers
Messaging
GPS
location
Packaged
applications
Custom
applications
Online
services
DatabasesCall detail
records
AWS
CloudTrail
AWS Config
Index untapped data: Any source, type, volume
Amazon EC2
AWS Lambda
AWS app & add-on
Amazon GuardDuty
Amazon Kinesis
Data
Firehose

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
End state: Comprehensive AWS visibility

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
 Sudden change in the number of security group rules?
 Sudden change in the number of ACL modifications?
 Spike in error activity caused by unauthorized actions?
 Are there any publicly accessible Amazon Simple Storage Service
(Amazon S3) buckets?
 Any provisioning activity from an unusual country?
 API calls from users who have not made API calls before?
 First time a user provisioned an instance / account / other?
Examples: Basic posture methods

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
 Who added that rule in the security group that protects our
application servers?
 Where is the blocked traffic into that VPC coming from?
 What was the activity trail of a particular user before and after
an incident?
 Alert me when a user imports key-pairs or when a security
group allows all ports
 What instances are provisioned outside of a VPC, by whom,
and when?
 What security groups are defined but not attached to
any resource?
Example investigative methods
Splunk App for AWS

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Seth Morrell
Vice President, Enterprise Architecture and Design
Jeremy Embalabala
Director, Security Architecture and Engineering
• Currently lead the information security, governance, and risk
management programs at HUB
• Previously the CISO of Beam Suntory
• Specialize in building cloud-first security programs tightly
aligned with business risks and goals
• Currently am married and live in Woodstock, IL, and enjoy
sustainable farming and fishing
• Responsible for security architecture and engineering at HUB
• Background in information security, Insuretech, and deep
learning
• AWS Certified Solutions Architect
• Global Information Security certification – GSEC, GCED
Who are we?

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCOPE & SCALE FOOTPRINT
National HUB 2017
15%
27%
2%
51%
5%
Commercial Lines
Employee Benefits
Personal Lines
Wholesale
Other
Total Revenue: $2 Billion+
OWNERSHIP
Hellman & Friedman: Our Private Equity Partner
o Partners since October 2013
o One of the most experienced and successful investment
organizations in the private equity industry
o Strong track record for investors in H&F’s portfolio companies
o Extensive investment experience in the insurance industry and
related verticals
25%
Principals
& Employees
75%
H&F and Co-investors
400+
locations in
North America
Top 5
Global Broker
based on
revenue
11,000+
employees
1 million+
clients
92%
client
retention
$17 billion+
in premium
Who is HUB?

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What was the Initiative?
HUB International working
on slide or two
Hub team to create content

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A best-in-class technology
strategy with a cloud-first
mandate
Ability to detect and
remediate next-
generation threats quickly
before breach or impact
Drive revenue and organic
growth through M&A,
process optimization, and
digital transformation
Building security according
to best practices, which
allows HUB to stay ahead of
future regulations
Leverage data analytics to
make faster and more
accurate business decisions
Optimizing process and
change management across
our organization
HUB transformation goals

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rapid program development

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sept Oct Nov Dec Jan 2018 Feb Mar Apr May June July
Network Transition
Office 365 Migration
Information Security Rollout
AugAug
CRM Cloud
Data Analytics Buildout
Cloud End User Computing
Risk Management Project
2016 SharePoint Migration
Cloud Migration
Transformation roadmap

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The immediate challenge – Secure migration
• Controlling AWS costs
• Track AWS infrastructure and service usage
• Capacity planning
• Security of applications and infrastructure across hybrid
environments
• Organizations with multiple accounts
• Services and infrastructure deployed in many AWS Regions and
Availability Zones
• Data taking on many different formats

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
○ Extremely flexible architecture and cost structure
○ Ability to log and report on both security and
cloud health
○ Ability to grow with our business, security, and
cloud needs
○ Great network of support and knowledge
○ Strong app integrations
○ Ability to host existing system and provide
options to “fail fast”
○ Exceptional service options and availability
○ Ability to leverage security capability that was
previously unavailable to HUB
○ Enhance HUB’s disaster recovery and backup
strategy
Cost-effective, agile dev environmentSecure cloud migration
Why we chose Splunk and AWS

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security use cases
• Security Operation Center (SOC)
• One of the cornerstones of our InfoSec program
• Partnered with an MSSP to build and manage
• Partner brings agility and high-level experience
• Splunk Enterprise Security for SIEM
• Security priority
• Also offers benefits to our IT operations, applications, and engineering teams

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Splunk design
MSSP Account
HUB Datacenter
HUB Account(s)
AWS Direct
Connect
VPN
connection
VPN
connection
VPN
connection
Data Sources
Search Head
Data SourcesIndexers
Forwarders
Forwarders

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon
EC2
Flow logs
Amazon
S3
Amazon
CloudWatch
AWS
Config
AWS
CloudTrailIAM
Amazon Kinesis
Amazon
SQS
Amazon
SNS
Amazon
VPC
Amazon elastic
load balancers
Source Capture Delivery Consumption
AWS API
Splunk Indices
AWS integration

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat
Hunting
Analysis
Correlation
Complexity
Investment
Efficacy
Adapted from Yuval Sinay’s Cybersecurity Monitoring Maturity Model
Threat detection

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why Amazon Kinesis Data Firehose?
• Data sources
• Change logs
• Log-in activity
• Storage logs
• Performance telemetry
• Network activity
Amazon VPC
Flow Logs
Queue-based messaging
• Not necessarily ordered
• Low read/write frequency limits
Real-time data stream
• Ordered messages
• Message receipt acknowledgement
• Re-playable messages
• High read/write frequency limits
Flow Data Index Correlation Alerting

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat intelligence integration
Threat bulletins
Indicators of compromise
Import into Splunk
High-confidence incidents
• Command & control
• Malware traffic
• Anonymizers & proxies
• Tor traffic
• Vulnerability context
• Threat actor attribution

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dashboards

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
App search and reporting

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dashboards

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lessons learned
• Use IAM roles instead of AWS access keys
• Large volume of VPC flow data
• Make sure your indexers have enough horsepower
• Understand the licensing cost
• Invest in third-party threat intelligence feeds and integrate with Splunk
• Use the Splunk App for AWS to identify misconfigurations in the environment
and for greater insights into billing

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Roadmap – Leveraging AWS and Splunk
• SOC automation
• Proactive threat hunting
• Microservices, containers, & transient workloads
• Amazon Macie data classification for M&A data transfers
• Enterprise monitoring

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2017 SPLUNK INC.
1. Splunk and AWS partner across data
ingestion, cloud migration, and AWS
best practices to ensure joint customer
success
2. Get deep visibility into AWS – Security,
operations, and cost management with
the Splunk App for AWS
3. Monitor your on-premises to AWS
migrations and help ensure your AWS
environment is well-architected with
Splunk
To get end-to-end
visibility with Splunk +
AWS
Key takeaways

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2017 SPLUNK INC.
1. Drop by booth #2816 – Grab a Splunk
T-shirt and participate in a demo
2. Start your free trial of Splunk solutions
on AWS Marketplace today!

33. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.