Copyright © 2015 Splunk Inc.
Enterprise Security
15+ Years Information Security
10+ Years Financial Services
2 Years Director Security Operations
Bill Ebel
Discuss My Experience:
- Coming to the decision to change SIEM
- Why we opted for Splunk with ES vs just core Splunk
- How we did it?
Provide some pointers for a successful deployment.
Agenda
What is it?
Overall a pain in the …
Noise Machine
Too Difficult
Compliance Checkbox
Ignored
Too Expensive
Common SIEM Features and Services
• Data aggregation
• Event Correlation
• Automated Alerting
• Dashboards
• Compliance Reporting
• Log Retention
• Asset Discovery
SIEM
Gartner:
Pitfall 1: Failure to Plan Before Buying
Pitfall 2: Failure to Define Scope
Pitfall 3: Overly Optimistic Scoping
Pitfall 4: Monitoring Noise
Pitfall 5: Lack of Sufficient Context
Pitfall 6: Insufficient Resources
Deployment Challenges
My 5 year old SIEM (in leaders quadrant)
• Difficult to Maintain and Support
• Extremely Slow Search
• Poor Vendor Support
• No Active User Community
• Not Used Outside of Information Security
• Poor Development Capabilities
• End-of-Life
Ended up being centralized log management
Loathed by all that used it
My Old SIEM
Need access to more log sources
High performance searching
More advanced searching and analysis
Must support very high volume of data
• Firewall > 3.5K e/s
• Web Logs > 1.6K e/s
• Proxy > 1.6K e/s
Integration/enrichment with threat intel data
Need a more agile/nimble integration and development
New Requirements
IT Operations already supported and maintained a large Splunk deployment.
• Several important logs were already being
indexed and normalized.
• High performance deployment
• Being broadly adopted by other teams
Decision was made to partner with IT Operations to test the waters
We Already Had Splunk
Keep existing SIEM running
Set up a new search head for Information Security
Configure a few devices to ship logs to Splunk
• Firewall
• Proxy
Normalize Events (CIM)
Install Some Useful Apps for the event sources
Provide Analysts basic Splunk training
Let them go to town
Testing The Waters
Analysts much happier with performance.
• Example: simple proxy search over 30 days for a user
• Old SIEM: 2 Days
• Splunk: >10 min
• More than 1 user could search at a time.
Analysts could easily correlate events across different sources
Analysts could easily enrich events with external lookups and intelligence data
Results
We like Splunk now what?
Moved sources one at a time.
• Focused on CIM compatibility (normalization)
• Brought in Splunk Apps to give Analysts baseline searches and dashboards (as available)
• Corrected issues with apps and add-ons
• Corrected issues with varying log formats
• Open source to Analysts.
Core Splunk was our SIEM
• Immediate value
• Analysts write their own searches and alerts
• We had a ton more work
Moved all logs to Splunk
Enough knowledge to be dangerous
Not enough knowledge to be smart
Thoughts on ES:
• Why pay for this?
• We can write our own searches
• We already have several alerts based on our own correlations
• We can make our own dashboards
Build or Buy
Migrated most SIEM log sources to Splunk
Engaged Splunk Professional Services to perform an “ES Readiness Review”
Scope (2 weeks):
• Evaluate available sources for CIM compliance
• Correct any issues with CIM compliance and log inputs
• Install Splunk Enterprise Security and light it up
• Enable a few basic correlations.
1 Month to let us play
Enterprise Security POC
ES was much more than core Splunk:
• Seeing how searches were created and all of the different dashboards opened my eyes.
• ES provides a good template for how it should be done.
• Wouldn’t have used accelerated data models in correlation searches.
• Alerts would have gone into email and may not have been tracked (i.e. as a notable)
• Would have taken months to recreate
• Existing correlations provide a good starting point for creating more customized and advanced rules
Ignorance is Bliss
Incident Review is critical for a SOC
• Provides single pane of glass for all items that must be reviewed by SOC
• Correlation searches are written to a notable event
• Notable events can be assigned workflow stages.
Provides a solid foundation for Incident Review workflow.
Allows me to better manage what is open and who is working it.
Incident Review
Ability to enrich log data with asset and identity information.
• Simplifies tracking down owners of a server
• Simplifies identifying managers, users etc.
Event Investigator
• Quickly visualize all events for a user or system
Asset Management
Provide much faster searches across data
• Minimizes the time to detect issues
• Speeds up the time to cross-reference our logs with Threat Intelligence feeds
Data Models
Things to consider if you are planning or have implemented ES.
• Partner with other teams that may already have or could use Splunk
– More sources better for IOC hunting
– If possible have another team support infrastructure. Be a consumer of Splunk.
• Focus on CIM compliance (aka normalization) first with your sources
– Correct issues with logs first
– Prioritize highest value logs first
• Train analysts as early as possible
– Search, Pivot, Data Model
• Start small with use cases (correlations)
– Turn them all off
– Turn on one high value correlation and tune it
– Build a response plan for the notable
– Start staff following procedure
– Rinse and repeat with another high value correlation
• Take it easy with the threat feeds
– Turn on what you trust
– Assign confidence to your feeds
– Consider looking backwards not forward for IOC activity
– Consider Third Party Threat Intel Platform
• Data models are your friend
– Leverage these for IOC searches or search across large sets of logs
– Pivot is an easy way for analysts to work with data
– Consider changing default constraints to speed up build and pivot
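As an added example (not from the presentation, and not Splunk's or ES's own code), here is the CIM normalization and confidence-weighted, retrospective IOC matching the list above recommends, written in Python over constructed proxy and firewall lines; the feed names, hosts, users and indicators are all invented samples.

```python
"""Normalize two vendor log formats into CIM-style field names, then run a
retrospective IOC match against threat feeds weighted by confidence.
Every log line, indicator, feed name and host below is a constructed sample."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed raw events: key=value proxy lines and a positional firewall line.
RAW_EVENTS = [
    ("proxy", "2015-06-01T10:02:11Z proxy01 user=jdoe src=10.1.2.3 dst=203.0.113.7 "
              "url=http://bad.example/dl action=allowed"),
    ("firewall", "2015-06-01T10:05:40Z fw01 ACCEPT 10.1.2.3:51022 -> 198.51.100.9:443 tcp"),
    ("proxy", "2015-06-20T08:00:00Z proxy01 user=asmith src=10.1.2.9 dst=192.0.2.55 "
              "url=http://ok.example/ action=blocked"),
]

# Vendor field name -> CIM field name (the Web / Network_Traffic models use "dest", not "dst").
CIM_NAMES = {"dst": "dest", "src": "src", "user": "user", "url": "url", "action": "action"}

FW_RE = re.compile(
    r"^(?P<action>\w+) (?P<src>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dest>[\d.]+):(?P<dest_port>\d+) (?P<transport>\w+)$"
)

# Constructed feeds. Confidence is assigned per feed, as the slide recommends;
# only feeds at or above the chosen threshold are allowed to create notables.
THREAT_FEEDS = {
    "paid_feed": {"confidence": 90, "ips": {"203.0.113.7"}, "domains": {"bad.example"}},
    "open_feed": {"confidence": 35, "ips": {"198.51.100.9", "192.0.2.55"}, "domains": set()},
}


def normalize(sourcetype, line):
    """Turn one raw line into a CIM-style event dict. An unparsable line raises,
    so broken inputs surface during onboarding instead of being silently dropped."""
    ts, host, rest = line.split(" ", 2)
    event = {
        "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "sourcetype": sourcetype,
    }
    if sourcetype == "proxy":
        kv = dict(tok.split("=", 1) for tok in rest.split())
        event.update({CIM_NAMES.get(k, k): v for k, v in kv.items()})
        # CIM uses a fixed vocabulary for action: anything not explicitly allowed is blocked.
        event["action"] = "allowed" if kv.get("action") == "allowed" else "blocked"
    elif sourcetype == "firewall":
        m = FW_RE.match(rest)
        if m is None:
            raise ValueError(f"unparsed firewall line: {line!r}")
        event.update(m.groupdict())
        event["action"] = "allowed" if m["action"] == "ACCEPT" else "blocked"
    else:
        raise ValueError(f"unknown sourcetype {sourcetype!r}")
    return event


def match_iocs(events, feeds, min_confidence, lookback, now):
    """Retrospective IOC match ("look backwards"): only events inside the lookback
    window and only feeds at or above min_confidence produce notables."""
    cutoff = now - lookback
    notables = []
    for ev in events:
        if ev["_time"] < cutoff:
            continue
        domain = urlparse(ev["url"]).hostname if ev.get("url") else None
        for feed_name, feed in feeds.items():
            if feed["confidence"] < min_confidence:
                continue  # untrusted feed: keep it for hunting, do not page the SOC
            hits = []
            if ev.get("dest") in feed["ips"]:
                hits.append(("dest", ev["dest"]))
            if domain is not None and domain in feed["domains"]:
                hits.append(("url_domain", domain))
            for matched_field, indicator in hits:
                notables.append({
                    "_time": ev["_time"], "src": ev.get("src"), "user": ev.get("user"),
                    "matched_field": matched_field, "indicator": indicator,
                    "feed": feed_name, "confidence": feed["confidence"],
                    "action": ev["action"], "status": "new",  # workflow stage for review
                })
    # Highest-confidence hits first, oldest first within the same confidence.
    notables.sort(key=lambda n: (-n["confidence"], n["_time"]))
    return notables


def run(min_confidence=50, lookback_days=30, now=datetime(2015, 6, 21, tzinfo=timezone.utc)):
    """Normalize the constructed events and return the notables for the given tuning."""
    events = [normalize(st, line) for st, line in RAW_EVENTS]
    return match_iocs(events, THREAT_FEEDS, min_confidence, timedelta(days=lookback_days), now)


if __name__ == "__main__":
    for n in run():
        print(n["_time"].isoformat(), n["src"], n["matched_field"], n["indicator"],
              n["feed"], n["confidence"], n["action"])
```

Lowering `min_confidence` to 0 lets the low-confidence feed create notables as well, which is the noise the slide warns about; shrinking `lookback_days` limits the retrospective sweep.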
Customer Presentation - Financial Services Organization