
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Security


Slide deck delivered at the June Splunk User Group in Edinburgh: Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Security.
Sign up to the group here: https://usergroups.splunk.com/group/splunk-user-group-edinburgh/

Published in: Data & Analytics


  1. © 2017 SPLUNK INC. Splunk User Group Edinburgh
  2. Introduction - Harry McLaren
     ● Alumnus of Edinburgh Napier
     ● Senior Security Consultant at ECS
     ● Leader of the Splunk User Group Edinburgh
  3. Introduction to ECS: Strategic Splunk Partner - UK
     – Type: Security / IT Operations / Managed Services
     – Awards: Splunk Revolution Award & Splunk Partner of the Year
  4. (no transcript text)
  5. Agenda
     • Housekeeping: Event Overview & House Rules
     • Supporting Splunk at Scale with Chris Chalmers
     • Splunking at Home with David Prior
     • Introduction to Enterprise Security with Adam Thomson
     • Latest Features in Splunk 6.6 with Richa Singh
  6. Splunk [Official] User Group
     “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
     ● User-Led Technical Discussions
     ● Sharing Environment
     ● Build Trust
     ● No Sales!
     ● We Have 140 Members!
  7. Supporting Splunk at Scale - Chris Chalmers
  8. Christopher Chalmers: Alumnus of Edinburgh Napier University; ECS - SOC Analyst, Senior SOC Analyst and Associate Security Consultant
  9. What’s the scope?
     – Application Upgrades & Patching
     – Application Health Monitoring
     – Application Management
     – First Line Break/Fix
     – Data Management
  10. Clustered Environment
  11. My Challenges?
     ● Managing customer expectations
     ● Supporting a developing environment
     ● Human Error
     ● Universal Forwarders / logging
     ● Maintenance
  12. Where Do I Start?
     ● Management Console (AKA DMC)
     ● Splunk knows what's wrong!
     ● Btool and grep
     ● Documentation
     ● Community Support
     ● Vendor Support
  13. Troubleshooting
     ● Ulimits
     ● Hardware restrictions
     ● Duplication of logs (SPL-127095 / SPL127079)
     ● Warm / Hot Volume full
     ● Bucket Collision
  14. Thank You
  15. Splunking at Home - David Prior
  16. Enterprise Security - Adam Thomson
  17. Adam Thomson: Alumnus of Edinburgh Napier University; ECS - Associate Security Consultant
  18. Current Security Problems
     ● Organizations need scalable central logging and visibility, with the ability to efficiently analyze their data
     ● Large numbers of log sources, each producing large quantities of data, make it hard for analysts to identify anomalies
     ● Limitations in data integration are a huge setback, as no security context can be gathered from the data
     ● Rigid architecture limits flexible analysis and customization
  19. Enterprise Security
  20. What is Enterprise Security?
     • Just another Splunk App with Special Requirements
     • Needs a dedicated search head
     • Has high Splunk performance requirements
     • Requires a fair amount of configuration to work properly
     • Helps find security threats and anomalies
     • Contains a number of supporting add-ons and technology add-ons to help it do its work
  21. ES is (mostly) just Splunk
     • Dashboards and Views (with some fancy |rest)
     • Data Models
     • Macros
     • Saved Searches
     • Summary Indexed Events
     • Eventtypes / Tags
     • Lookup Tables
  22. Bringing all the Logs together: Common Information Model (CIM)
     • Ingesting multiple data sources from a variety of vendors sounds like a tricky task
     • Splunk’s solution to this is the Common Information Model
     • CIM = Data Normalization
     • CIM gets applied at Search Time
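As an added illustration of the "CIM gets applied at Search Time" point (this is example configuration written for this page, not part of the deck or of any Splunk add-on): the three stanzas below take a hypothetical firewall sourcetype `acme:fw`, whose vendor field names `srcaddr`, `dstaddr`, `srcport`, `dstport`, `proto` and `disposition` are constructed for the example, and map them onto the CIM Network Traffic field names. Nothing is rewritten at index time; every alias, eval and tag is resolved when a search runs, which is why a mapping mistake can be corrected without re-indexing. The sourcetype, field names and file placement are assumptions.

```ini
# props.conf  (hypothetical sourcetype acme:fw; vendor field names are constructed for this example)
[acme:fw]
# FIELDALIAS presents the vendor fields under the CIM names at search time; no data is copied
FIELDALIAS-acme_fw_cim = srcaddr AS src dstaddr AS dest srcport AS src_port dstport AS dest_port
# EVAL normalises the vendor's own verdict values to the CIM "action" values the data model expects
EVAL-action = case(disposition=="permit", "allowed", disposition=="deny", "blocked", true(), "unknown")
# The Network Traffic model expects a lower-case transport (tcp/udp/icmp)
EVAL-transport = lower(proto)

# eventtypes.conf  (groups the events that the data model should see)
[acme_fw_traffic]
search = sourcetype=acme:fw

# tags.conf  (the Network_Traffic data model constraint is tag=network tag=communicate)
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled
```

To check the mapping from the search head, run `| datamodel Network_Traffic All_Traffic search | head 5` and confirm that `src`, `dest`, `action` and `transport` are populated; if the events are missing, the usual causes are an eventtype that does not match the sourcetype or a tag that was not applied, and both can be confirmed with btool against the stanzas above.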
  23. ES Architecture
     • Current recommendations stretch core
     • Core: 12 CPU / 12 GB RAM (Indexer)
     • Core: 16 CPU / 12 GB RAM (SH)
     • ES: 16 CPU / 32 GB RAM (Indexers and SH) MINIMUM!
     • Recommended volume / indexer / day is 100 GB MAXIMUM!
     • This is primarily to manage search load
     • Less volume if the environment also has IT SI or other apps.
     • ES Requires its own dedicated search head – no other apps!
  24. What data? All Data is Security Data
  25. How does it all come together? A collection of Frameworks
  26. Notable Events: Where Correlation Searches are Surfaced
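An added example of how a correlation search surfaces a notable event (written for this page; not one of ES's shipped correlation searches): the `savedsearches.conf` stanza below runs a `tstats` search over the CIM Authentication data model every five minutes and turns each row into a notable in Incident Review. The search name, threshold and severity are constructed; the `action.notable.param.*` and `action.risk.param.*` key names follow the ES 4.x Adaptive Response layout as I recall it, so verify them against the `savedsearches.conf.spec` shipped with your ES version before relying on them.

```ini
# savedsearches.conf on the ES search head (hypothetical correlation search; all values constructed)
[Example - Excessive Failed Logins by Source]
# Runs against the accelerated data model, so it only sees CIM-normalised authentication events
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action="failure" by Authentication.src, Authentication.user | rename Authentication.* AS * | where count > 20
cron_schedule = */5 * * * *
enableSched = 1
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
# Each result row becomes a notable event in Incident Review
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$
action.notable.param.security_domain = access
action.notable.param.severity = medium
# Optional: also add to the risk score of the source (key names assumed; check the spec for your version)
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 40
```

The `summariesonly=true` flag is the trade-off to be aware of: it keeps the search cheap on a busy search head, but events that have not yet been summarised by acceleration are invisible to it, so a data model acceleration backlog silently delays alerting.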
  27. Asset and Identity: Know your estate and who’s using it
  28. Risk Analysis: Risk score displayed in Incident Review for each Notable Event; adds context to the event
  29. Threat Intelligence/Data: Indicators Everywhere…
  30. Adaptive Response Actions: Mitigate the Threat
  31. Adaptive Response: Analytics-driven Decisions and Automation
  32. Supporting Security Operations: Alerting, Monitoring, Auditing, Correlations, Incident/Breach Response
  33. An Analytics-driven SIEM
  34. Enterprise Security Demo
  35. Thank You
  36. Latest Features in Splunk 6.6 - Richa Singh
  37. Agenda
     Introduction to Splunk 6.6
     What's there for end-users?
     What's there for administrators?
     What’s there for SPL Ninjas?
     Before you upgrade to 6.6!
     Case Study
     Questions
  38. Introduction to Splunk 6.6
     ● The Splunk 6.6.0 minor release, published in May 2017, addresses the following areas:
     ● Environment performance & enhancement features
     ● A number of new features for end users
     ● Cluster-related features
     ● New Visualizations
  39. What's there for end-users?
     Dashboard Drilldown Editor
     Dashboard Search Controls
     Table Dataset Exploration
     Trellis Layout
  40. What’s there for SPL Ninjas?
     Enhanced search editing
     Search optimizer improvements
     New union SPL command
     New SQL-like IN SPL operator
     Auto-format search syntax
  41. What's there for administrators? - “How about some productivity enhancements for the almighty admin?”
     Search Head Clustering enhancements
     Indexer Clustering user interface
     Forwarder site high availability in multisite indexer cluster
     Volume-based data forwarding
     Packaging toolkit
     Reassign knowledge objects
     Data Quality Dashboards
     11 new REST API(s)
  42. Before you upgrade to 6.6!
     Compatibility of apps and add-ons
     Upgrade path for full Splunk Enterprise & UF
     Upgrade notes for search head & index clusters
     Customers who run version 6.4.7 of Splunk Enterprise might reintroduce software defects by upgrading to version 6.6.0 or 6.6.1
     A new load-balancing scheme & 'autoLB' universal forwarder setting in outputs.conf
     Data model acceleration sizes on disk might appear to increase
     The number of potential data model acceleration searches has increased
     Protection for the '/server/info' REST endpoint is now on by default
  43. Case Study & Reviews
  44. QUESTIONS?
  45. Thank You
  46. Get Involved!
     ● Splunk User Group Edinburgh
       – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
       – https://www.linkedin.com/groups/12013212
     ● Splunk’s Slack Group
       – Register via www.splunk402.com/chat
       – Channel: #edinburgh
     ● Present & Share at the User Group? Connect:
       ‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk
       ‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk
  47. Thank You
