© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
December 6, 2017 | 10:00 AM PT
How BrightEdge Achieved End-to-End Security Visibility with Splunk and AWS
Today’s Presenters
Scott Ward, Solutions Architect, Amazon Web Services
Jae An, Head of Security, BrightEdge Technologies
Erin Sweeney, Senior Director, Product Marketing, Splunk
Today’s Agenda
• An overview of Amazon Web Services (AWS) and AWS Marketplace, with an emphasis on AWS security solutions and Splunk
• Challenges faced by BrightEdge Technologies
• BrightEdge Technologies success story with AWS and Splunk
• Overview of the Splunk solutions featured in our story
• Q&A/Discussion
Learning Objectives
• How proactive security measures help prevent breaches that can significantly impact business
• How Splunk’s analytics-driven approach to security helps you gain end-to-end visibility across your AWS and hybrid environment and prevent or resolve threats
Introduction to AWS Security
Partnering to achieve protection from every vantage point
Your Data and IP Are Your Most Valuable Assets
• $6.53M: average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
• 56%: increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
• 70%: of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
AWS Can Be More Secure Than Your Existing Environment
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
AWS and You Share Responsibility for Security
[Diagram: the shared responsibility model]
• AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
• You get to define your controls ON the Cloud: customer applications & content, Identity & Access Control, Network Security, Inventory & Config, Data Encryption
Constantly Monitor Your Environment
Leverage AWS services to have constant visibility into what is going on in
your AWS account
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
• VPC Flow Logs provides details about traffic flowing in and out of your VPC
• AWS Config gives an inventory of your AWS account and visibility into changes
Control and Protect Your Data
Implement data protection to meet your security requirements
• 44 Availability Zones in 16 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Use AWS Shield to protect your infrastructure and applications from DDoS attacks
• Implement server-side or client-side encryption to protect the data you store in AWS
Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing
tools and practices
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
• Implement partner security solutions in the customer portion of the shared responsibility model
Key AWS Certifications and Assurance Programs
BrightEdge Boosts Security with Splunk Cloud
BrightEdge Company Overview
A global leader in SEO and Content Performance Marketing
• Market Leadership: $65B+ revenue generated through the BrightEdge platform in 2016
• Delivering Value to Customers: 1,500+ direct customers
• Innovations: 8 major software releases a year
• Community Development: 6,000+ BrightEdge Certified Professionals
BrightEdge Global Coverage
• 165 countries
• 7 major search engines: Google, Yahoo, Bing, Baidu, So (China), Naver (Korea), Yandex
• 45 default languages; add local languages
• 70K default search engines; add custom locations
• Multiple devices
Sample BrightEdge Product View
BrightEdge Reputation in SEO
BrightEdge’s Security Challenge
BrightEdge is a Software-as-a-Service company, and our business depends on our software platform running 24/7/365. Our customers expect BrightEdge to:
• Continue innovating our core software technology to help customers be successful in digital marketing
• Have at least 99.9% uptime
• Protect customer data from unauthorized access or change
• Maintain ISO 27001 certification
• Demonstrate best information security practice by conducting an independent security audit and assessment annually
BrightEdge’s Security Challenge
Our Senior Executives and Board of Directors also expect InfoSec to:
• Protect the company’s intellectual property and trade secrets
• Provide a secure corporate computing environment for 400+ employees (and growing at double digits every year)
• Ensure confidentiality, integrity and availability of an environment that processes 20+ petabytes of data (and growing)
• Maintain the company’s security reputation
BrightEdge’s Security Challenge
Key common threats that BrightEdge would face:
• Software vulnerability exploitation
• Random or targeted DDoS attacks on the website or infrastructure
• Natural disaster or other unexpected catastrophe
• Malware infection and spread
• Insider data theft or sabotage
BrightEdge’s Security Challenge
There are many subject areas in Information Security to address these challenges, but we are going to focus on only two areas today for our presentation:
• High Availability Infrastructure
• Threat Monitoring and Detection
High Availability Infrastructure
BrightEdge needed:
• Secure, reliable and resilient infrastructure for our software service
• The ability to scale easily as the business requires
• No large up-front capital investment
• No daily hardware and equipment maintenance
• Business partners with the highest reputation in their service
  – Not just a service provider
  – Our customers demand the best of the best
The Solution – Why AWS for Infrastructure?
BrightEdge uses Amazon Web Services (AWS) for its cloud infrastructure.
• Global infrastructure with the highest reputation in cloud computing
• Designed for security
• ISO 27001 certified, with SOC 1/SOC 2 audit reports
• DDoS protection, full DR-ready infrastructure
• Provides high availability of its services
• Scales to meet customer demand as needed
Threat Monitoring and Detection
BrightEdge needed:
• An intelligent security monitoring solution that quickly detects threats and alerts TechOps and InfoSec
  – We can minimize the risk of encountering a security breach, but we cannot completely eliminate it. Threat deterrence is key. We also have to assume that a security breach will occur someday, because PEOPLE make mistakes.
  – PEOPLE write bad code with bugs that cause vulnerabilities, become victims of phishing; insider threat is real, etc.
  – If a security breach does occur, then fast detection and response can significantly minimize the damage and exposure, and rapid response can stop a data breach.
• A solution that can be easily integrated with our multi-layered defense architecture
  – Our system architecture will slow down the process of a security breach becoming a data breach, but we need a tool that can quickly detect real threats and/or security breaches.
The Solution – Why Splunk?
BrightEdge uses Splunk Cloud running on Amazon Web Services (AWS) as its security intelligence platform.
• Isolated and secured from the internal environment
• Scales to meet customer demand as needed
• Provides high availability of its services
• Lower operational support cost than hosting internally
• Speeds incident investigations and response times
• Provides analysts with rich contextual info for informed decision-making
• Large community with many free Apps
The Solution – How it is deployed
A risk-based approach is used in threat monitoring to prioritize alerts based on a risk threshold and reliable threat information sources.
• Receives threat intelligence data from multiple external sources
• Vulnerability management system data is integrated
• Logs from infrastructure: AWS, firewalls, IPS/IDS, etc.
• Logs from business applications: CRM, cloud storage, etc.
• Alerts are generated based on risk score
• Work tasks for the security response team are automatically created by Splunk
Putting All Things Together
Sample Splunk Cloud View
Enterprise-Wide Visibility
• Security: threats are monitored and alerts are generated based on risk; security investigations that took 3 days now take <1 hour
• Compliance: automated process to ensure security incident responses are consistently followed
• Operations: the service has had no downtime since deployment; no internal technical infrastructure support resource is required to maintain Splunk and its Apps
• Application Development: enabled real-time visibility into internal operation activities, without slowing down the SDLC process
Open Source vs. Splunk
• Splunk Cloud operational in 1 day
• OS would require 2 additional headcount and >5 custom apps to get close to baseline feature parity with Splunk
• Splunk has apps available for some of the most leading and emerging security vendors
• No infrastructure to manage
• ROI of using Splunk has exceeded the benefit of using an OS solution
• There are other monitoring needs (high volume, less critical, simple logic) that OS may be better suited for (cost saving)
Highlights Since the First Launch of Splunk
• Splunk has detected multiple intrusion attempts that no one had expected, and identified the network vulnerability
• Splunk has detected malware infections on endpoint computing devices that even an anti-malware system could not detect
• Splunk detected corporate data export policy violations
• Impressed our customers’ own security auditors with our security operation capabilities
Summary of Results
Since deploying Splunk solutions for analytics-driven security, BrightEdge has seen benefits including:
• Correlates multiple data sources and eliminates the need to build multiple apps
• Seamless integration with CRM and other cloud applications
• Helps comply with ISO 27001 and other security standards
• Stopped a security breach by quickly detecting threats & responding to incidents through process automation
• Stopped malware spreading
Splunk Analytics-Driven Security
Analytics-Driven Security Provides End-to-End Visibility
“You can’t protect what you can’t see.” (Best Practices for Securing Workloads in Amazon Web Services, Gartner, April 2015, Neil MacDonald, Greg Young)
“Security requires visibility.” (Amazon Web Services, “Intro to AWS Security”, 2015 AWS Summit Series)
“Security monitoring will make or break a technology risk management program.” (Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment, IDC, July 2015, Pete Lindstrom)
Splunk Cloud: Complete Hybrid Visibility
[Diagram: End-to-End Visibility. Index untapped data: any source, type, volume. On-premises and cloud sources shown: storage, online shopping cart, telecoms, desktops, security, web services, networks, containers, web clickstreams, RFID, AWS Lambda, servers, online services, call detail records, energy meters, GPS location, databases, messaging, AWS CloudTrail, AWS Config. Use cases: Application Delivery; IT Operations; Security, Compliance and Fraud; Business Analytics; Internet of Things and Industrial Data. AWS services integrated through the Splunk App for AWS: Amazon EC2, Amazon VPC, AWS IAM, Amazon Macie, AWS GuardDuty, Amazon Kinesis Firehose.]
Splunk Cloud Features
• Search and investigate: search and navigate all of your machine data in real time.
• Correlate and analyze: easily find relationships between events or activities. Correlate based on time, location, or custom search results.
• Monitor and alert: prioritize investigation and response with threshold-based alerting.
• Visualize and report: visualize long-term and historical trends; build reports and dashboards suited to any business, operational, or security need.
Security Intelligence Use Cases
End-to-end security visibility and posture assessment to make remediation decisions with confidence
• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Advanced Threat Detection and Response
• Fraud Detection
• Insider Threat
• Incident Investigations & Forensics
Splunk Enterprise Security (ES): Analytics-Driven SIEM
• Real-time monitoring
• Prioritize and act
• Rapid investigations
• Handle multi-step investigations
• Deploy on-prem, Splunk Cloud or private hybrid cloud
• Improve operational efficiency
• Migrate or replace legacy SIEM
Shared Responsibility for Security + Adaptive Response and Security Ecosystem Partners
[Diagram: the shared responsibility model repeated. AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). You define your controls ON the Cloud: customer applications and content, Identity & Access Control, Network Security, Inventory & Config, Data Encryption, complemented by Splunk Adaptive Response and security ecosystem partners.]
AWS Serverless Repository
• AWS Lambda blueprints for Splunk:
  – 7 different Serverless Applications designed to help AWS customers easily send AWS data at scale to Splunk for further analysis and insights
  – https://github.com/splunk/splunk-aws-lambda-blueprints
• AWS Adaptive Response (AR) action for Splunk:
  – Serverless Applications for automated incident response and remediation for AWS triggered by Splunk analytics
AWS GuardDuty
• Provides intelligent alerting on potentially malicious activity based on VPC flow and AWS CloudTrail data
• Splunk provides the ability to:
  – Prioritize analyst time and investigations with aggregated alerts and correlation across availability zones
  – Speed response with additional context and data to fully scope and remediate
Any AWS Data Source, Visualize + Analyze in Splunk
[Diagram: AWS data sources and the paths that deliver them to Splunk]
• Logs: Billing Reports; Amazon S3 Access Logs; AWS CloudTrail Logs; ELB Access Logs; Amazon CloudFront Access Logs; Application Logs; AWS Config Snapshots & History Files; Other Service Logs; Amazon VPC Flow Logs; AWS Lambda Logs; Amazon API Gateway Logs
• Metrics: Amazon CloudWatch Metrics; ELB Metrics; Amazon CloudFront Metrics; Amazon EC2 Metrics; Amazon EBS Metrics; Amazon ECS Metrics; Amazon DynamoDB Metrics; Amazon EMR Metrics; Amazon Kinesis Metrics; AWS Lambda Metrics; Amazon API Gateway Metrics; Amazon S3 Metrics; Amazon Route 53 Metrics; Amazon SNS Metrics; Amazon RDS Metrics
• Events: Amazon CloudWatch Events; Amazon CloudWatch Alarms; Amazon ElastiCache Cluster Events; AWS CloudFormation Stack Events; AWS IoT; API Gateway Custom Events; DynamoDB Table Updates; Amazon S3 Events; Amazon Cognito Events; Custom Config Rules; AWS CodeCommit Repo Events; Amazon EC2 Systems Manager Events; Amazon ECS Container & Task State Changes; Amazon EBS Volume & Snapshot Notifications; Amazon EMR Cluster & Instance State Changes; Auto Scaling Group State Changes; AWS CodeDeploy Instance & Deployment State Changes; AWS Management Console Sign-In Events; AWS Health & Trusted Advisor Events; AWS KMS Events; Amazon Macie Alerts
• Sources and delivery paths: Amazon SQS; AWS Lambda; Amazon RDS; Amazon Redshift; AWS CloudTrail; Amazon SNS; Amazon S3; Amazon CloudWatch Logs; AWS Config; HTTP Event Collector; Amazon Kinesis Firehose; Amazon Kinesis Stream; AWS Add-on; DB Connect
Splunk App for AWS: The Value
Dashboards: Usage, Topology, Security, Timeline, Billing, Insights
Security Visibility
▶ View user activity
▶ Gain a full audit trail
▶ Detect anomalous behavior
▶ Compare and correlate events
▶ View in a time-series ribbon
▶ Accelerate investigations
▶ Visualize your AWS environment
▶ View resource relationships
▶ Gain playback history
Security Use Cases
▶ Who added that rule in the security group that protects our application servers?
▶ Where is the blocked traffic into that VPC coming from?
▶ What was the activity trail of a particular user before and after that incident?
▶ Alert me when a user imports key-pairs or when a security group allows all ports
▶ What instances are provisioned outside of a VPC, by whom and when?
▶ What security groups are defined but not attached to any resource?
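As an added example (not code from the deck, Splunk or AWS), the Python below implements the "alert me when a user imports key-pairs or when a security group allows all ports" use case listed above and answers "who added that rule" from the record's identity fields, then applies the risk-score threshold described in the BrightEdge deployment slide. It runs over constructed CloudTrail-style records; the risk scores, the threshold and the sample identities, IPs and group IDs are assumptions.

```python
"""Detection logic for two Splunk App for AWS security use cases over
constructed CloudTrail events, with risk-based triage (added example)."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed CloudTrail-style records for EC2 API calls (not real data).
SAMPLE_EVENTS = [
    {
        "eventTime": "2017-12-06T18:01:07Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "-1",  # -1 means all protocols and all ports
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}
            ]},
        },
    },
    {   # benign change: one port, internal range only
        "eventTime": "2017-12-06T18:02:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {
            "groupId": "sg-0e9f8d7c",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}
            ]},
        },
    },
    {
        "eventTime": "2017-12-06T18:05:19Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ImportKeyPair",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/carol"},
        "sourceIPAddress": "192.0.2.55",
        "requestParameters": {"keyName": "ops-laptop"},
    },
]

ANY_CIDRS = {"0.0.0.0/0", "::/0"}
RISK_THRESHOLD = 50  # assumed: only findings at or above this score become alerts


@dataclass
class Finding:
    rule: str
    risk: int
    actor: str       # who made the change (userIdentity.arn)
    source_ip: str   # where the API call came from
    when: str
    detail: str


def _allows_all_ports_from_anywhere(perm: dict) -> bool:
    """True when one ipPermissions entry opens every port to the whole internet."""
    all_ports = perm.get("ipProtocol") == "-1" or (
        perm.get("fromPort", 1) == 0 and perm.get("toPort", 0) == 65535)
    v4 = perm.get("ipRanges", {}).get("items", [])
    v6 = perm.get("ipv6Ranges", {}).get("items", [])
    cidrs = {r.get("cidrIp") for r in v4} | {r.get("cidrIpv6") for r in v6}
    return all_ports and bool(cidrs & ANY_CIDRS)


def detect(event: dict) -> list[Finding]:
    """Apply the two use-case rules to a single CloudTrail record."""
    findings: list[Finding] = []
    common = dict(actor=event.get("userIdentity", {}).get("arn", "unknown"),
                  source_ip=event.get("sourceIPAddress", "?"),
                  when=event.get("eventTime", "?"))
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "AuthorizeSecurityGroupIngress":
        for perm in params.get("ipPermissions", {}).get("items", []):
            if _allows_all_ports_from_anywhere(perm):
                findings.append(Finding("sg_all_ports_open", 80, **common,
                    detail=f"{params.get('groupId')} opened to all ports from anywhere"))
    elif name == "ImportKeyPair":
        findings.append(Finding("key_pair_import", 60, **common,
            detail=f"key pair {params.get('keyName')!r} imported"))
    return findings


def triage(events: list[dict], threshold: int = RISK_THRESHOLD) -> list[Finding]:
    """Run every rule, drop findings below the risk threshold, highest risk first."""
    hits = [f for e in events for f in detect(e) if f.risk >= threshold]
    return sorted(hits, key=lambda f: f.risk, reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding.__dict__))
```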
Thousands of Global Security Customers
Delivers Value Across IT and the Business
• IT Operations
• Application Management
• Security, Compliance and Fraud
• Business Analytics
• Industrial Data and Internet of Things
• Developer Platform (REST API, SDKs)
Splunk Online Experience: Try it out!
https://www.splunk.com/en_us/form/security-investigation-online-experience-endpoint.html
1. Step-by-step instruction
2. Launch instruction video
3. One-click online session
Learn Splunk Skills for Security
• Use sample data to safely practice security investigation techniques
• Embedded help features step-by-step how-to guides on finding security problems
• Contains a sample ransomware data set and tips and tricks for you to learn
Splunk Cloud: Now Available on AWS Marketplace
Benefit of AWS Marketplace
• Easily discover & deploy software & SaaS
• Simplified buying process
• Reduces time to procure
• Eliminate license management
• One, consolidated AWS bill
• Apply to contract commitments
• Automatic renewals
Splunk Cloud Specifics
• Annual and multi-annual contract subscriptions
• Automatic discount for multi-annual options
• Buy in increments of 5GB, 10GB, and 20GB index/day
• Easily upgrade Splunk license
• Private pricing available for larger index volumes, apps and add-ons
Find out more or Buy Now: www.splunk.com/aws-marketplace
Recommendations
• Organizations should look for a seamless AWS security solution fit
• Ensure the solution you choose has expertise on, in and around AWS
• End-to-end visibility and actionable security best practices are the
keys to success
Q & A
Thank you!

 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS

• 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  December 6, 2017 | 10:00 AM PT
  How BrightEdge Achieved End-to-End Security Visibility with Splunk and AWS
• 2. Today's Presenters
  • Scott Ward, Solutions Architect, Amazon Web Services
  • Jae An, Head of Security, BrightEdge Technologies
  • Erin Sweeney, Senior Director, Product Marketing, Splunk
• 3. Today's Agenda
  • An overview of Amazon Web Services (AWS) and AWS Marketplace, with an emphasis on AWS security solutions and Splunk
  • Challenges faced by BrightEdge Technologies
  • BrightEdge Technologies' success story with AWS and Splunk
  • Overview of the Splunk solutions featured in our story
  • Q&A/Discussion
• 4. Learning Objectives
  • How proactive security measures help prevent breaches that can significantly impact business
  • How Splunk's analytics-driven approach to security helps you gain end-to-end visibility across your AWS and hybrid environment and prevent or resolve threats
• 5. Introduction to AWS Security: Partnering to achieve protection from every vantage point
• 6. Your Data and IP Are Your Most Valuable Assets
  • $6.53M: average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
  • 56%: increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
  • 70%: of consumers indicated they'd avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
• 7. AWS Can Be More Secure Than Your Existing Environment
  • Automating logging and monitoring
  • Simplifying resource access
  • Making it easy to encrypt properly
  • Enforcing strong authentication
• 8. AWS and You Share Responsibility for Security
  • AWS takes care of the security OF the Cloud:
    • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
    • AWS Foundation Services: Compute, Storage, Database, Networking
  • You get to define your controls ON the Cloud:
    • Customer applications & content
    • Identity & Access Control
    • Network Security
    • Inventory & Config
    • Data Encryption
• 9. Constantly Monitor Your Environment
  Leverage AWS services to have constant visibility into what is going on in your AWS account:
  • AWS CloudTrail lets you monitor and record all API calls
  • Amazon Inspector automatically assesses applications for vulnerabilities
  • VPC Flow Logs provide details about traffic flowing in and out of your VPC
  • AWS Config gives an inventory of your AWS account and visibility into changes
• 10. Control and Protect Your Data
  Implement data protection to meet your security requirements:
  • 44 Availability Zones in 16 regions for multi-synchronous geographic redundancy
  • Retain control of where your data resides for compliance with regulatory requirements
  • Use AWS Shield to protect your infrastructure and applications from DDoS attacks
  • Implement server-side or client-side encryption to protect the data you store in AWS
• 11. Integrated with Your Existing Resources
  AWS enables you to improve your security using many of your existing tools and practices:
  • Integrate your existing Active Directory
  • Use dedicated connections as a secure, low-latency extension of your data center
  • Provide and manage your own encryption keys if you choose
  • Implement partner security solutions in the customer portion of the shared responsibility model
• 12. Key AWS Certifications and Assurance Programs
• 13. BrightEdge Boosts Security with Splunk Cloud
• 14. BrightEdge Company Overview
  A global leader in SEO and Content Performance Marketing.
  • Market Leadership: $65B+ revenue generated through the BrightEdge platform in 2016
  • Innovations: 8 major software releases a year
  • Delivering Value to Customers: 1,500+ direct customers
  • Community Development: 6,000+ BrightEdge Certified Professionals
• 15. BrightEdge Global Coverage
  • 165 countries
  • Multiple devices
  • 45 default languages; add local languages
  • 7 major search engines: Google, Yahoo, Bing, Baidu, So (China), Naver (Korea), Yandex
  • 70K default search engines; add custom locations
• 16. Sample BrightEdge Product View
• 17. BrightEdge Reputation in SEO
• 18. BrightEdge's Security Challenge
  BrightEdge is a Software-as-a-Service company, and our business depends on our software platform running 24/7/365. Our customers expect BrightEdge to:
  • Continue innovating our core software technology to help customers be successful in digital marketing
  • Have at least 99.9% uptime
  • Protect customer data from unauthorized access or change
  • Maintain ISO 27001 certification
  • Demonstrate best information security practice by conducting an independent security audit and assessment annually
• 19. BrightEdge's Security Challenge
  Our Senior Executives and Board of Directors also expect InfoSec to:
  • Protect the company's intellectual property and trade secrets
  • Provide a secure corporate computing environment for 400+ employees (and growing at double digits every year)
  • Ensure confidentiality, integrity and availability of an environment that processes 20+ petabytes of data (and growing)
  • Maintain the company's security reputation
• 20. BrightEdge's Security Challenge
  Key common threats that BrightEdge would face:
  • Software vulnerability exploitation
  • Random or targeted DDoS attack on website or infrastructure
  • Natural disaster or other unexpected catastrophe
  • Malware infection and spread
  • Insider data theft or sabotage
• 21. BrightEdge's Security Challenge
  There are many subject areas in Information Security that address these challenges, but we are going to focus on only two areas in today's presentation:
  • High Availability Infrastructure
  • Threat Monitoring and Detection
• 22. High Availability Infrastructure
  BrightEdge needed:
  • Secure, reliable and resilient infrastructure for our software service
  • The ability to scale easily as the business requires
  • No large up-front capital investment
  • No daily hardware and equipment maintenance
  • Business partners with the highest reputation in their service
    • Not just a service provider
    • Our customers demand the best of the best
• 23. The Solution: Why AWS for Infrastructure?
  BrightEdge uses Amazon Web Services (AWS) for its cloud infrastructure.
  • Global infrastructure with the highest reputation in cloud computing
  • Designed for security
  • ISO 27001 certified, with SOC 1/SOC 2 audit reports
  • DDoS protection, full DR-ready infrastructure
  • Provides high availability of its services
  • Scales to meet customer demand as needed
• 24. Threat Monitoring and Detection
  BrightEdge needed:
  • An intelligent security monitoring solution that quickly detects threats and alerts TechOps and InfoSec
    • We can minimize the risk of encountering a security breach, but we cannot completely eliminate the risk. Threat deterrence is key. We also have to assume that a security breach will occur someday, because PEOPLE make mistakes.
    • PEOPLE write bad code with bugs that cause vulnerabilities, become victims of phishing, insider threat is real, etc.
    • If a security breach does occur, then fast detection and response can significantly minimize the damage and exposure, and rapid response can stop a data breach.
  • A solution that can be easily integrated with our multi-layered defense architecture
    • Our system architecture will slow down the process of a security breach becoming a data breach, but we need a tool that can quickly detect real threats and/or security breaches.
• 25. The Solution: Why Splunk?
  BrightEdge uses Splunk Cloud running on Amazon Web Services (AWS) as its security intelligence platform.
  • Isolated and secured from the internal environment
  • Scales to meet customer demand as needed
  • Provides high availability of its services
  • Lower operational support cost than hosting internally
  • Speeds incident investigations and response times
  • Provides analysts with rich contextual info for informed decision-making
  • Large community with many free Apps
• 26. The Solution: How it is deployed
  A risk-based approach is used in threat monitoring to prioritize alerts based on a risk threshold and reliable threat information sources.
  • Receives threat intelligence data from multiple external sources
  • Vulnerability management system data integrated
  • Logs from infrastructure: AWS, firewalls, IPS/IDS, etc.
  • Logs from business applications: CRM, cloud storage, etc.
  • Alerts are generated based on risk score
  • Work tasks for the security response team are automatically created by Splunk
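The risk-based alerting described on this slide, as an added Python example that is not BrightEdge's or Splunk's own configuration: each observation from a source (a threat-intelligence match, a burst of firewall denies, a bulk CRM export, an open vulnerability) adds a weighted contribution to one entity's risk score, and an alert with a work task is created only when the aggregate crosses a threshold. The feeds, weights, threshold and sample events are all constructed for illustration.

```python
"""Risk-based alert aggregation (added example, not BrightEdge or Splunk
configuration): every observation adds a weighted risk contribution to an
entity, and an alert with a work task is raised only above a threshold."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intel indicators and the feed that reported each one.
THREAT_INTEL = {"203.0.113.45": "feed-a", "198.51.100.7": "feed-b"}
# Constructed vulnerability-management export: host -> highest open severity.
VULN_SCAN = {"web-01": "critical", "web-02": "low"}
# Constructed weights per finding type; an assumption to tune per environment.
WEIGHTS = {"intel_match": 40, "vuln_critical": 30, "vuln_low": 5,
           "fw_deny_burst": 25, "bulk_export": 35}
# Constructed events from infrastructure (firewall) and a business app (CRM).
EVENTS = [
    {"source": "firewall", "action": "deny", "src": "203.0.113.45", "dst_host": "web-01"},
    {"source": "firewall", "action": "deny", "src": "203.0.113.45", "dst_host": "web-01"},
    {"source": "firewall", "action": "deny", "src": "203.0.113.45", "dst_host": "web-01"},
    {"source": "firewall", "action": "deny", "src": "192.0.2.10", "dst_host": "web-02"},
    {"source": "crm", "action": "export", "user": "jdoe", "rows": 120000},
    {"source": "crm", "action": "export", "user": "asmith", "rows": 300},
]


@dataclass
class RiskEntry:
    score: int = 0
    reasons: list = field(default_factory=list)


def _add(risk, entity, weight, reason):
    risk[entity].score += weight
    risk[entity].reasons.append(reason)


def score_events(events, intel=THREAT_INTEL, vulns=VULN_SCAN, weights=WEIGHTS,
                 deny_burst=3, export_rows=10000):
    """Return {entity: RiskEntry} after applying every rule to the events.

    Rules: a source listed on a threat-intel feed scores once per (src, host)
    pair; deny_burst denies from one source to one host score once; a CRM
    export of export_rows or more scores the exporting user; an open
    vulnerability adds context only to hosts that already carry risk from
    live activity, so a quiet host with a finding does not alert by itself."""
    risk = defaultdict(RiskEntry)
    denies = defaultdict(int)
    for ev in events:
        if ev["source"] == "firewall" and ev["action"] == "deny":
            pair = (ev["src"], ev["dst_host"])
            denies[pair] += 1
            if denies[pair] == 1 and ev["src"] in intel:
                _add(risk, ev["dst_host"], weights["intel_match"],
                     f"src {ev['src']} listed by {intel[ev['src']]}")
            if denies[pair] == deny_burst:
                _add(risk, ev["dst_host"], weights["fw_deny_burst"],
                     f"{deny_burst} denies from {ev['src']}")
        elif ev["source"] == "crm" and ev["action"] == "export" and ev["rows"] >= export_rows:
            _add(risk, ev["user"], weights["bulk_export"], f"exported {ev['rows']} rows")
    for host, severity in vulns.items():
        weight = weights.get(f"vuln_{severity}")
        if host in risk and weight:
            _add(risk, host, weight, f"open {severity} vulnerability")
    return dict(risk)


def build_alerts(risk, threshold=60):
    """Entities at or above the threshold, highest risk first, each with a work task."""
    hot = sorted(((e, r) for e, r in risk.items() if r.score >= threshold),
                 key=lambda item: -item[1].score)
    return [{"entity": e, "score": r.score, "reasons": r.reasons,
             "task": f"Investigate {e} (risk {r.score})"} for e, r in hot]


if __name__ == "__main__":
    for alert in build_alerts(score_events(EVENTS)):
        print(alert["task"], "-", "; ".join(alert["reasons"]))
```

With the constructed data, web-01 accumulates 95 (intel match, deny burst, critical vulnerability) and is the only entity above the default threshold of 60; the single large CRM export scores 35 and stays below it, which is the point of aggregating rather than alerting on each source separately.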
• 27. Putting All Things Together
• 28. Sample Splunk Cloud View
• 29. Enterprise-Wide Visibility
  • Security: Threats are monitored and alerts are generated based on risk. Security investigations that took 3 days now take <1 hour.
  • Compliance: Automated process to ensure security incident responses are consistently followed
  • Operations: Service has had no downtime since deployment. No internal technical infrastructure support resource required to maintain Splunk and its Apps.
  • Application Development: Enabled real-time visibility into internal operation activities, without slowing down the SDLC process
• 30. Open Source vs. Splunk
  • Splunk Cloud operational in 1 day
  • Open source (OS) would require 2 additional headcount and >5 custom apps to get close to baseline feature parity with Splunk
  • Splunk has apps available for some of the most leading and emerging security vendors
  • No infrastructure to manage
  • ROI of using Splunk has exceeded the benefit of using an OS solution
  • There are other monitoring needs (high volume, less critical, simple logic) that OS may be better suited for (cost saving)
• 31. Highlights Since the First Launch of Splunk
  • Splunk has detected multiple intrusion attempts that no one had expected, and identified the network vulnerability
  • Splunk has detected malware infections in endpoint computing devices that even an anti-malware system could not detect
  • Splunk detected corporate data export policy violations
  • Impressed our customers' own security auditors with our security operation capabilities
• 32. Summary of Results
  Since deploying Splunk solutions for analytics-driven security, BrightEdge has seen benefits including:
  • Correlation across multiple data sources, eliminating the need to build multiple apps
  • Seamless integration with CRM and other cloud applications
  • Helps comply with ISO 27001 and other security standards
  • Stopped a security breach by quickly detecting threats and responding to incidents through process automation
  • Stopped malware from spreading
• 33. Splunk Analytics-Driven Security
• 34. Analytics-Driven Security Provides End-to-End Visibility
  • "You can't protect what you can't see." (Best Practices for Securing Workloads in Amazon Web Services, Gartner, April 2015, Neil MacDonald, Greg Young)
  • "Security requires visibility." (Amazon Web Services, "Intro to AWS Security", 2015 AWS Summit Series)
  • "Security monitoring will make or break a technology risk management program." (Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment, IDC, July 2015, Pete Lindstrom)
• 35. Splunk Cloud: Complete Hybrid Visibility
  Index untapped data: any source, type, volume. On-premises and cloud sources shown: storage, online shopping cart, telecoms, desktops, security, web services, networks, containers, web clickstreams, RFID, AWS Lambda, servers, online services, call detail records, energy meters, GPS location, databases, messaging, AWS CloudTrail, AWS Config, Amazon EC2, Amazon VPC, AWS IAM, Amazon Macie, AWS GuardDuty, Amazon Kinesis Firehose, Splunk App for AWS.
  End-to-end visibility for: Application Delivery; IT Operations; Security, Compliance and Fraud; Business Analytics; Internet of Things and Industrial Data.
• 36. Splunk Cloud Features
  • Search and investigate: Search and navigate all of your machine data in real time.
  • Correlate and analyze: Easily find relationships between events or activities. Correlate based on time, location, or custom search results.
  • Monitor and alert: Prioritize investigation and response with threshold-based alerting.
  • Visualize and report: Visualize long-term and historical trends; build reports and dashboards suited to any business, operational, or security need.
• 37. Security Intelligence Use Cases
  End-to-end security visibility and posture assessment to make remediation decisions with confidence:
  • Security & Compliance Reporting
  • Real-time Monitoring of Known Threats
  • Advanced Threat Detection and Response
  • Fraud Detection
  • Insider Threat
  • Incident Investigations & Forensics
• 38. Splunk Enterprise Security (ES): Analytics-Driven SIEM
  • Real-time monitoring
  • Prioritize and act
  • Rapid investigations
  • Handle multi-step investigations
  • Deploy on-prem, Splunk Cloud or private hybrid cloud
  • Improve operational efficiency
  • Migrate or replace legacy SIEM
• 39. Shared Responsibility for Security
  • AWS takes care of the security OF the Cloud:
    • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
    • AWS Foundation Services: Compute, Storage, Database, Networking
  • You get to define your controls ON the Cloud (You +):
    • Customer applications and content
    • Identity & Access Control
    • Network Security
    • Inventory & Config
    • Data Encryption
• 40. © 2017 SPLUNK INC. + Adaptive Response and Security Ecosystem Partners
• 41. AWS Serverless Repository
  • AWS Lambda blueprints for Splunk:
    • 7 different Serverless Applications designed to help AWS customers easily send AWS data at scale to Splunk for further analysis and insights
    • https://github.com/splunk/splunk-aws-lambda-blueprints
  • AWS Adaptive Response (AR) action for Splunk:
    • Serverless Applications for automated incident response and remediation for AWS, triggered by Splunk analytics
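To show the shape of the data path these blueprints cover, here is an added Python example (not code from the splunk-aws-lambda-blueprints repository): it decodes a CloudWatch Logs subscription payload in the form a Lambda function receives it (base64-encoded gzip JSON under awslogs.data) and turns the log events into a batch for Splunk's HTTP Event Collector (HEC). The HEC event JSON fields and the /services/collector/event path with a "Splunk <token>" Authorization header are the standard HEC interface; the account id, log group, token and URL are constructed placeholders, and nothing is sent over the network.

```python
"""CloudWatch Logs subscription payload -> Splunk HTTP Event Collector batch
(added example, not code from the splunk-aws-lambda-blueprints project).
Account id, log group, token and URL are constructed placeholders; nothing is
sent over the network."""
import base64
import gzip
import json

HEC_URL = "https://hec.example.invalid:8088"          # placeholder endpoint
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"    # placeholder token

# Constructed record in the shape CloudWatch Logs hands to a subscribed Lambda.
SAMPLE_RECORD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/aws/lambda/example-fn",
    "logStream": "2017/12/06/[$LATEST]0123456789abcdef",
    "subscriptionFilters": ["to-splunk"],
    "logEvents": [
        {"id": "1", "timestamp": 1512554400000,
         "message": "START RequestId: 9b6c2a1e Version: $LATEST"},
        {"id": "2", "timestamp": 1512554400123,
         "message": "AccessDenied for user jdoe on s3://example-bucket/export.csv"},
    ],
}


def encode_awslogs(record):
    """Wrap a record the way CloudWatch Logs does: gzip, then base64, under awslogs.data.
    Used here only to build offline sample input for the handler."""
    raw = gzip.compress(json.dumps(record).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(raw).decode("ascii")}}


def decode_awslogs(event):
    """Reverse of the above: the first step of any subscription-fed Lambda."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def to_hec_events(record, sourcetype="aws:cloudwatchlogs", index=None):
    """Map each log event to one HEC event object.

    CONTROL_MESSAGE records (sent once when a subscription is created) carry
    no log data and produce nothing. CloudWatch timestamps are epoch
    milliseconds; HEC expects seconds, so the value is scaled, not copied."""
    if record.get("messageType") != "DATA_MESSAGE":
        return []
    events = []
    for le in record["logEvents"]:
        ev = {"time": le["timestamp"] / 1000.0,
              "host": record["owner"],            # AWS account id
              "source": record["logGroup"],
              "sourcetype": sourcetype,
              "event": le["message"],
              "fields": {"logStream": record["logStream"]}}
        if index:
            ev["index"] = index
        events.append(ev)
    return events


def hec_batch_body(events):
    """HEC accepts several JSON objects in one request body; one per line keeps it readable."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


def hec_request(events, hec_url=HEC_URL, token=HEC_TOKEN):
    """Assemble (but do not send) the HTTP request for one batch."""
    return {"method": "POST",
            "url": hec_url.rstrip("/") + "/services/collector/event",
            "headers": {"Authorization": f"Splunk {token}",
                        "Content-Type": "application/json"},
            "body": hec_batch_body(events)}


def handler(event, context=None):
    """Lambda-style entry point: decode, map, and return the assembled request."""
    return hec_request(to_hec_events(decode_awslogs(event)))


if __name__ == "__main__":
    print(handler(encode_awslogs(SAMPLE_RECORD))["body"])
```

Batching matters at scale: one HEC request per CloudWatch Logs delivery, rather than one per log line, keeps the Lambda's outbound call count proportional to deliveries, and carrying the account id and log group as HEC host and source preserves the AWS context that later searches pivot on.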
• 42. AWS GuardDuty
  • Provides intelligent alerting on potentially malicious activity based on VPC Flow Logs + AWS CloudTrail data
  • Splunk provides the ability to:
    • Prioritize analyst time and investigations with aggregated alerts and correlation across availability zones
    • Speed response with additional context and data to fully scope and remediate
• 43. Any AWS Data Source, Visualize + Analyze in Splunk
  • Logs: Billing Reports, Amazon S3 Access Logs, AWS CloudTrail Logs, ELB Access Logs, Amazon CloudFront Access Logs, Application Logs, AWS Config Snapshots & History Files, Other Service Logs, Amazon VPC Flow Logs, AWS Lambda Logs, Amazon API Gateway Logs, AWS IoT
  • Metrics and alarms: Amazon CloudWatch Alarms, ELB Metrics, Amazon CloudFront Metrics, Amazon EC2 Metrics, Amazon EBS Metrics, Amazon ECS Metrics, Amazon DynamoDB Metrics, Amazon EMR Metrics, Amazon Kinesis Metrics, AWS Lambda Metrics, Amazon API Gateway Metrics, Amazon S3 Metrics, Amazon Route 53 Metrics, Amazon SNS Metrics, Amazon RDS Metrics
  • Events and state changes: Amazon ElastiCache Cluster Events, AWS CloudFormation Stack Events, API Gateway Custom Events, DynamoDB Table Updates, Amazon S3 Events, Amazon Cognito Events, Custom Config Rules, AWS CodeCommit Repo Events, Amazon EC2 System Manager Events, Amazon ECS Container & Task State Changes, Amazon EBS Volume & Snapshot Notifications, Amazon EMR Cluster & Instance State Changes, Auto Scaling Group State Changes, AWS CodeDeploy Instance & Deployment State Changes, AWS Management Console Sign-In Events, AWS Health & Trusted Advisor Events, AWS KMS Events, Amazon Macie Alerts
  • Services and ingestion paths: Amazon SQS, AWS Lambda, Amazon RDS, Amazon Redshift, AWS CloudTrail, Amazon SNS, Amazon S3, Amazon CloudWatch Metrics, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS Config, HTTP Event Collector, Amazon Kinesis Firehose, Amazon Kinesis Stream, AWS Add-on, DB Connect
• 44. Splunk App for AWS: The Value
  Dashboards: Usage, Topology, Security, Timeline, Billing Insights.
  • Security: View user activity; gain a full audit trail; detect anomalous behavior
  • Timeline: Compare and correlate events; view in a time-series ribbon; accelerate investigations
  • Topology: Visualize your AWS environment; view resource relationships; gain playback history
  Security Use Cases (Security Visibility):
  • Who added that rule in the security group that protects our application servers?
  • Where is the blocked traffic into that VPC coming from?
  • What was the activity trail of a particular user before and after that incident?
  • Alert me when a user imports key pairs or when a security group allows all ports
  • What instances are provisioned outside of a VPC, by whom and when?
  • What security groups are defined but not attached to any resource?
• 45. Thousands of Global Security Customers
• 46. Delivers Value Across IT and the Business
  IT Operations; Application Management; Developer Platform (REST API, SDKs); Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things
• 47. Splunk Online Experience: Try it out!
  https://www.splunk.com/en_us/form/security-investigation-online-experience-endpoint.html
  1. Step-by-step instruction
  2. Launch instruction video
  3. One-click online session
  Learn Splunk Skills for Security:
  • Use sample data to safely practice security investigation techniques
  • Embedded help features step-by-step how-to guides on finding security problems
  • Contains a sample ransomware data set and tips and tricks for you to learn Splunk
• 48. Splunk Cloud: Now Available on AWS Marketplace
  Find out more or buy now: www.splunk.com/aws-marketplace
  Benefits of AWS Marketplace:
  • Easily discover & deploy software & SaaS
  • Simplified buying process
  • Reduces time to procure
  • Eliminates license management
  • One consolidated AWS bill
  • Apply to contract commitments
  • Automatic renewals
  Splunk Cloud specifics:
  • Annual and multi-annual contract subscriptions
  • Automatic discount for multi-annual options
  • Buy in increments of 5GB, 10GB, and 20GB index/day
  • Easily upgrade Splunk license
  • Private pricing available for larger index volumes, apps and add-ons
• 49. Recommendations
  • Organizations should look for a seamless AWS security solution fit
  • Ensure the solution you choose has expertise on, in and around AWS
  • End-to-end visibility and actionable security best practices are the keys to success
• 50. Q & A
• 51. Thank you!