Securing the Enterprise/Cloud with Splunk at the Centre

Using orchestration tools with Splunk to automate and respond to events of interest, and what types of use cases and logs you can leverage with AWS/Cloud as the source.
Delivered as part of the Splunk User Group in Edinburgh in August 2017.
Stream: http://productfor.ge/SUGE0817

Published in: Data & Analytics

  1. © 2017 SPLUNK INC. Splunk User Group Edinburgh
  2. Recording In Progress. Provided by: Product Forge
  3. Introduction to Harry McLaren ● Alumnus of Edinburgh Napier ● Senior Security Consultant at ECS ● Leader of the Splunk User Group Edinburgh
  4. Introduction to ECS: Strategic Splunk Partner - UK – Type: Security / IT Operations / Managed Services – Awards: Splunk Revolution Award & Splunk Partner of the Year
  5. Agenda • Housekeeping: Event Overview & House Rules • Splunk and Orchestration - Robert Williamson • Cloud (AWS) Security with Splunk - Harry McLaren • Operation Honey-Splunk - James Rowell - Cancelled
  6. Splunk [Official] User Group: “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved” ● User-Led Technical Discussions ● Sharing Environment ● Build Trust ● No Sales! ● We Have 140 Members!
  7. Splunk and Orchestration - Robert Williamson
  8. Introduction – Robert Williamson ▶ Alumnus of Edinburgh Napier ▶ Security Consultant at ECS ▶ Co-leader of the Splunk User Group Edinburgh
  9. What is orchestration? ▶ “Security orchestration is the method of connecting security tools and integrating disparate security systems.” ▶ “It is the connected layer that streamlines security processes and powers security automation.”
  10. Orchestration vs. Automation ▶ Question: Are they the same? ▶ Answer: No… • “The difference between ‘automatize’ and ‘orchestrate’ is comparable to the difference between ‘tasks’ and ‘processes’. This difference allows us to get the best of each process and the advantage of its combination in a joint execution.”
  11. The “Engine” (diagram): Orchestration, Adaptation, Development, Schedule, Monitor; Workflow and Process
  12. Orchestration the Splunk way: Splunk Adaptive Response. The Adaptive Response Initiative: Acalvio, AlgoSec, Anomali, Blue Coat + Symantec, Carbon Black, Cisco, CrowdStrike, CyberArk, Demisto, DomainTools, ForeScout, Fortinet, Okta, OpenDNS, Palo Alto Networks, Phantom, Proofpoint, Qualys, Recorded Future, RedSeal, Resolve Systems, Splunk, Tanium, ThreatConnect, and Ziften.
  13. Splunk with Orchestration ▶ Splunk as the trigger: an alert or event of interest has been established and, depending on the alert, a certain path of pre-defined actions takes place, which is then passed to the orchestration tool. ▶ Splunk being queried: Splunk becomes the source of contextual information, and the orchestration toolset makes a decision based on the results it gathers from Splunk.
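The two integration patterns on slide 13, as an added example in Python (not code from the talk, from Splunk or from ECS). Pattern A, "Splunk as the trigger": a saved search fires, its webhook alert action POSTs a JSON body, and the orchestration side maps the alert name to a pre-defined action list. Pattern B, "Splunk being queried": the orchestration tool asks Splunk for context through the REST endpoint `search/jobs/export` and parses the newline-delimited JSON it streams back. The webhook payload keys (`sid`, `search_name`, `app`, `owner`, `results_link`, `result`) and the export row shape (`preview`, `offset`, `result`) follow Splunk's documented formats; the search names, playbook table, index name `aws`, hostnames and every field value are constructed for this example.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Constructed sample of the body Splunk's webhook alert action POSTs.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "sid": "scheduler__admin__search__RMD5abc_at_1503000000_42",
    "search_name": "AWS - Unauthorized Actions",
    "app": "splunk_app_aws",
    "owner": "admin",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=...",
    "result": {
        "eventName": "TerminateInstances",
        "errorCode": "Client.UnauthorizedOperation",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity.arn": "arn:aws:iam::123456789012:user/contractor",
        "count": "7",
    },
})

# Hypothetical playbook table: which pre-defined actions run for which alert.
PLAYBOOKS = {
    "AWS - Unauthorized Actions": ["enrich_source_ip", "lookup_user_history", "notify_soc"],
    "AWS - IAM Access Key Created": ["enrich_user", "notify_soc", "disable_key_if_unknown"],
}
DEFAULT_ACTIONS = ["notify_soc"]  # an unknown alert still reaches a human


def select_playbook(webhook_body: str) -> dict:
    """Pattern A: turn a webhook alert payload into a playbook run request."""
    payload = json.loads(webhook_body)
    name = payload.get("search_name", "")
    result = payload.get("result", {})
    return {
        "playbook": name if name in PLAYBOOKS else "default",
        "actions": list(PLAYBOOKS.get(name, DEFAULT_ACTIONS)),
        "sid": payload.get("sid"),
        "context": {
            "source_ip": result.get("sourceIPAddress"),
            "actor": result.get("userIdentity.arn"),
            "event": result.get("eventName"),
        },
    }


def build_context_query(source_ip: str, earliest: str = "-24h") -> tuple:
    """Pattern B: build the REST call that asks Splunk what else this IP did.

    The value is checked to be an IP address before it is spliced into SPL, so
    a crafted field value cannot smuggle search commands (e.g. a `| delete`
    pipe) into the query. Returns (path, form_fields) for a POST to the
    management port; sending it is left to the caller's HTTP client.
    """
    ipaddress.ip_address(source_ip)  # ValueError for anything that is not an IP
    spl = (
        'search index=aws sourcetype=aws:cloudtrail sourceIPAddress="%s" '
        '| stats count by eventName, "userIdentity.arn"' % source_ip
    )
    fields = {"search": spl, "earliest_time": earliest, "output_mode": "json"}
    return "/services/search/jobs/export", fields


def parse_export_results(body: str) -> list:
    """Parse the newline-delimited JSON streamed by search/jobs/export.

    Preview rows (partial results emitted while the search runs) are dropped,
    so only final rows drive a decision.
    """
    rows = []
    for line in body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


# Constructed sample of an export response: one preview row, two final rows.
SAMPLE_EXPORT_BODY = "\n".join([
    '{"preview":true,"offset":0,"result":{"eventName":"DescribeInstances","userIdentity.arn":"arn:aws:iam::123456789012:user/contractor","count":"3"}}',
    '{"preview":false,"offset":0,"result":{"eventName":"DescribeInstances","userIdentity.arn":"arn:aws:iam::123456789012:user/contractor","count":"3"}}',
    '{"preview":false,"offset":1,"result":{"eventName":"TerminateInstances","userIdentity.arn":"arn:aws:iam::123456789012:user/contractor","count":"7"},"lastrow":true}',
])


def decide(run: dict, context_rows: list) -> str:
    """Combine the trigger (A) with the queried context (B) into a decision."""
    denied = int(next((r["count"] for r in context_rows
                       if r["eventName"] == run["context"]["event"]), 0))
    if run["playbook"] != "default" and denied >= 5:
        return "escalate"  # repeated denied destructive calls: page the on-call
    return "ticket"


if __name__ == "__main__":
    run = select_playbook(SAMPLE_WEBHOOK_BODY)
    path, fields = build_context_query(run["context"]["source_ip"])
    print(path, urlencode(fields))
    rows = parse_export_results(SAMPLE_EXPORT_BODY)
    print(run["actions"], decide(run, rows))
```

The validation in `build_context_query` is the part to keep whichever orchestration product sits on the other end: any field lifted from an alert result is attacker-influenced data, and splicing it into SPL without a type check is the same mistake as string-building SQL.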
  14. Orchestration Tools: What is available?
  15. Questions?
  16. Thank You
  17. Cloud (AWS) Security with Splunk - Harry McLaren
  18. Cloud (AWS) Security with Splunk: Agenda ▶ Amazon Web Services Products ▶ Shared Security Model ▶ Built-in Controls/Features ▶ Security Framework/Model ▶ Collection & Use Cases ▶ Splunk Infrastructure ▶ Splunk App for AWS ▶ Demo ▶ Other Clouds ▶ Resources
  19. 59+ Products (SaaS, PaaS, IaaS)
  20. Shared Security Model: Infrastructure Services, such as Amazon EC2, Amazon EBS, and Amazon VPC. For these services AWS secures the underlying facilities, hardware, network and virtualisation layer; the customer remains responsible for the guest OS, applications, data, and the IAM, security-group and encryption configuration on top of them.
  21. Built-in Controls/Features, All Available with AWS ▶ Built-in Firewalls ▶ Role-based Access Control ▶ Multi-factor Authentication ▶ Private Subnets ▶ Encrypt Your Data At Rest ▶ Cloud HSM ▶ Dedicated Connections ▶ Security Logs ▶ More…
  22. NIST Cyber Security Framework: Model (Standard Security Approach): Identify, Protect, Detect, Respond, Recover
  23. NIST Cyber Security Framework: Detect: Anomalies & Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
  24. Collection & Use Cases (Sourcetypes & Collection Methods: data sources and what each is used for)
      • Config + Config Rules: configuration snapshots and historical configuration data; configuration change notifications; descriptions of your AWS EC2 instances; compliance details, compliance summary, and evaluation.
      • Inspector: assessment runs and findings data from the Inspector service.
      • CloudTrail: management and change events.
      • CloudWatch: data from CloudWatch Logs and VPC Flow Logs; performance and billing metrics.
      • S3: generic log data and access logs from your S3 buckets; CloudFront and ELB access logs.
      • Kinesis: data from Kinesis streams.
      • SQS: generic data from SQS.
  25. Build it Yourself: Hosted On-Premise or Cloud Based (or Hybrid)
  26. As a Service: Built and Hosted by Splunk (On AWS)
  27. Splunk App for AWS Demo URL
  28. Splunk App for AWS. Contains: Dashboards, Reports, Alerts, Inputs, Scripts.
      Dashboards: Traffic Analysis (VPC, CloudFront, ELB, S3); Network ACLs; Security Groups; IAM Activity; Key Pairs Activity; S3 Data Events; VPC Resource Activity; User Activity; Security Anomaly Detection.
      Alerts: IAM: Create/Delete Roles; IAM: Create/Delete/Update Access Keys; Instances: Reboot/Stop/Terminate Actions; Key Pairs: Create/Delete/Import Key Pairs; Unauthorized Actions; VPC: Create/Delete VPC; VPC: Create/Delete/Replace Network ACLs; New Non-Compliant Resource.
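The CloudTrail-driven alerts on slide 28, implemented as checks over raw CloudTrail records, as an added example that is not code from the Splunk App for AWS or from the talk. The record fields (`eventSource`, `eventName`, `errorCode`, `userIdentity`, `sessionContext.sessionIssuer`, `sourceIPAddress`, `awsRegion`, `eventTime`) are the real CloudTrail field names; the records, account ID, principals and IP addresses are constructed. The mapping from each alert name to a set of API calls, and the burst threshold for denied calls, are my assumptions about what such an alert should match, not the app's definitions.

```python
import json
from collections import Counter

# One rule per management-event alert on the slide: (alert, eventSource, eventNames).
# "Unauthorized Actions" is keyed on errorCode rather than eventName, below.
MANAGEMENT_RULES = [
    ("IAM: Create/Delete Roles", "iam.amazonaws.com", {"CreateRole", "DeleteRole"}),
    ("IAM: Create/Delete/Update Access Keys", "iam.amazonaws.com",
     {"CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey"}),
    ("Instances: Reboot/Stop/Terminate Actions", "ec2.amazonaws.com",
     {"RebootInstances", "StopInstances", "TerminateInstances"}),
    ("Key Pairs: Create/Delete/Import Key Pairs", "ec2.amazonaws.com",
     {"CreateKeyPair", "DeleteKeyPair", "ImportKeyPair"}),
    ("VPC: Create/Delete VPC", "ec2.amazonaws.com", {"CreateVpc", "DeleteVpc"}),
    ("VPC: Create/Delete/Replace Network ACLs", "ec2.amazonaws.com",
     {"CreateNetworkAcl", "DeleteNetworkAcl", "ReplaceNetworkAclEntry",
      "ReplaceNetworkAclAssociation"}),
]
UNAUTHORIZED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def load_records(text):
    """CloudTrail delivers files to S3 as {"Records": [...]}; return the list."""
    return json.loads(text)["Records"]


def actor_of(record):
    """Principal behind the call. For an assumed-role session the issuing role
    is the stable identity; the session ARN changes on every AssumeRole."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("type", "unknown")


def _finding(rule, rec):
    return {"rule": rule, "time": rec.get("eventTime"), "event": rec.get("eventName"),
            "actor": actor_of(rec), "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion")}


def evaluate(records):
    """One finding per matching record. A call that was denied carries an
    errorCode and did nothing, so it is reported as unauthorized rather than
    as the change it failed to make."""
    findings = []
    for rec in records:
        if rec.get("errorCode") in UNAUTHORIZED_CODES:
            findings.append(_finding("Unauthorized Actions", rec))
            continue
        for name, source, events in MANAGEMENT_RULES:
            if rec.get("eventSource") == source and rec.get("eventName") in events:
                findings.append(_finding(name, rec))
    return findings


def denied_bursts(findings, threshold=3):
    """Actors with at least `threshold` denied calls: the simplest anomaly
    signal (permission probing) that one-alert-per-call would drown in."""
    counts = Counter(f["actor"] for f in findings if f["rule"] == "Unauthorized Actions")
    return {actor: n for actor, n in counts.items() if n >= threshold}


# Constructed CloudTrail delivery file (seven records, one account).
SAMPLE_CLOUDTRAIL = """{"Records": [
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:01:12Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"userName": "svc-backup"}},
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:05:44Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-77",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-deployer"}}}},
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:10:01Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:10:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeSecurityGroups", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:10:09Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListUsers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:12:30Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventVersion": "1.05", "eventTime": "2017-08-10T09:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "ReplaceNetworkAclEntry", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
]}"""

if __name__ == "__main__":
    found = evaluate(load_records(SAMPLE_CLOUDTRAIL))
    for f in found:
        print(f["time"], f["rule"], f["event"], f["actor"], f["source_ip"])
    print("denied bursts:", denied_bursts(found))
```

Two details matter when turning this into a Splunk alert: `actor_of` is why the app's dashboards key on `userIdentity.sessionContext.sessionIssuer.arn` as well as `userIdentity.arn`, and the `errorCode` split is why a denied `TerminateInstances` should land in "Unauthorized Actions" rather than in the instance-termination alert (nothing was terminated).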
  29. Clouds Everywhere! What about other people's Clouds? Microsoft Cloud • Splunk Add-on for Microsoft Cloud Services. Google Cloud • Splunk Add-on for Google Cloud Platform. Cloud Foundry • Splunk Add-on for Cloud Foundry.
  30. Resources ▶ Splunk App for AWS (Documentation) ▶ Splunk Add-on for AWS (Documentation) ▶ Splunk with AWS Case Study ▶ AWS Technical Whitepaper ▶ AWS CloudFormation Templates for Splunk Cluster ▶ Deploying Splunk on AWS Whitepaper ▶ AWS CloudTrail with Splunk ▶ Splunk on AWS (Quick Start) ▶ Add-ons for Cloud Foundry, Microsoft Cloud, Google Cloud
  31. Thank You
  32. Get Involved! ● Splunk User Group Edinburgh – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html – https://www.linkedin.com/groups/12013212 ● Splunk’s Slack Group – Register via https://splunk-usergroups.signup.team/ – Channel: #edinburgh ● Present & Share at the User Group? Connect: ‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu ‣ ECS | enquiries@ecs.co.uk | @ECS_Cybersec | ecs.co.uk
  33. Thank You
