George wanted a SIEM in the Cloud solution (ES). SIEM is a major achievement of any security system. Going into ES, we realized that with any SIEM solution there’s going to be a lot of work. We knew going in that there would be a considerable effort building it out. We knew it wasn’t going to be SIEM out of the box.
WHY DID YOU CHOOSE CLOUD-BASED?
Cost was number one. Capex vs. Opex. Wanted something that we could turn up quickly and manage easily. Minimize costs for storage, systems monitoring, managing databases. Cloud vs. on-prem value prop. Didn’t want anything I had to deploy manually. Subscribe, use it, marry myself and then unmarry myself. Subscription is a lot easier.
VALUE out of the Box?
Every organization has different use cases…but every solution would help us frame our use cases (uptime, sensitivity of data, systems vulnerability). Needed a starting point. That’s what ES gave us out of the box. From there, we produced a final list that allowed us to operate a system based on our use cases.
COMPARED to other CLOUD SOLUTIONS
As a SIEM in the cloud, what drew me into ES. We have an Apps marketplace. Most of the other customers don’t have the Apps or lenses into the data. Most are free. Other vendors don’t have those. If we had engaged with other vendors, we would have to build those out. Apps are great, but they help you frame the data. Now we can compare it and add in our own use cases.
As you get through the process of getting operational, were there other areas of differentiation?
Ability to search…across all data sets. Ability to do this across all data sets is really powerful. Searching is 101.
USE CASES TODAY
Malware protection – across all platforms (laptops, mobile, …)
Protecting user accounts – if a user logs in SF and Hong Kong simultaneously – detecting account compromise
Data leakage protection (SFDC app) – preventing malicious employee behavior
High priority: Care about data. Care about business being able to function. Target the things that typically have negative impact. Malware. We have a security infrastructure that shows us malware on desktops and servers. ES alerts us to systems with malware – phoning home or ES allows us to protect users. If a user is logging on in Silicon Valley and logs in 10 seconds later in Hong Kong…compromised system? How do we monitor the security of our users?
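The simultaneous-login use case above (Silicon Valley, then Hong Kong 10 seconds later) is commonly implemented as an "impossible travel" check over authentication events. The following is an added example, not Equinix's or Splunk's correlation rule; the Login fields, the 1000 km/h ceiling, the 50 km noise floor and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0  # assumed ceiling, roughly airliner speed

@dataclass(frozen=True)
class Login:  # hypothetical normalized auth event with geo-IP coordinates
    user: str
    when: datetime  # assumed to be UTC
    lat: float
    lon: float
    site: str

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in kilometres."""
    p1, p2 = radians(a.lat), radians(b.lat)
    dp, dl = p2 - p1, radians(b.lon - a.lon)
    h = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=50.0):
    """Return (earlier, later, km) for consecutive logins of the same user that
    imply travel faster than max_kmh. Hops under min_km count as geo-IP noise."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None:
            continue
        km = km_between(prev, ev)
        hours = (ev.when - prev.when).total_seconds() / 3600
        # Compare against reachable distance so a 0-second gap never divides by zero.
        if km >= min_km and km > max_kmh * hours:
            alerts.append((prev, ev, round(km)))
    return alerts

# Constructed sample events (not real log data).
SAMPLE = [
    Login("alice", datetime(2024, 5, 1, 9, 0, 0), 37.39, -122.08, "Silicon Valley"),
    Login("alice", datetime(2024, 5, 1, 9, 0, 10), 22.32, 114.17, "Hong Kong"),
    Login("bob", datetime(2024, 5, 1, 8, 0, 0), 37.39, -122.08, "Silicon Valley"),
    Login("bob", datetime(2024, 5, 2, 0, 0, 0), 22.32, 114.17, "Hong Kong"),
    Login("carol", datetime(2024, 5, 1, 9, 0, 0), 37.39, -122.08, "Silicon Valley"),
    Login("carol", datetime(2024, 5, 1, 9, 0, 0), 37.40, -122.07, "Silicon Valley"),
]

if __name__ == "__main__":
    for a, b, km in impossible_travel(SAMPLE):
        print(f"{a.user}: {a.site} -> {b.site}, {km} km in {b.when - a.when}")
```

Only alice is flagged: bob's 16-hour gap is a plausible flight, and carol's two same-second logins are about a kilometre apart, which is typical of VPN egress or geo-IP jitter rather than compromise.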
Had significant global structure – firewall, VPN, Active Directory, but no SIEM… Operating with a security infrastructure…Splunk allowed us to aggregate this. One dashboard. Splunk ES. Allows my guys to not have to go out to each different security system to monitor. Before, we didn’t have a way to correlate between the security systems. Big value add is correlation. Aggregation and correlation. Get everything into a single place and then correlate…
Data feeds/sets – Qualys security, Cisco firewalls, load balancers, Salesforce.com, Tripwire, OpenVPN, Unix and Windows (Splunk App), Juniper firewalls, Palo Alto.
Salesforce – data leakage protection – very sensitive and critical to the business. Manage malicious employees who may be forklifting data. Certain algorithms and data that looks suspicious. Salesforce App – gives you good data but doesn’t really provide enough intelligence to determine
Separate from security use cases, Salesforce app is pretty slick.
How we accomplish this (New Slide)
Log aggregation
Log correlation
Data sources: (Qualys, Palo Alto Networks, Cisco, F5, Salesforce.com, Tripwire, OpenVPN, Unix, Windows, Application logs, Juniper)
“We had almost 20 billion raw events to monitor. Within Splunk Cloud we built 50 correlation rules. Now we look at critical and high priority events only. This reduced the 20 billion to 12,000. That’s the story.”
Talk about your personal CIO Dashboard and the operational intelligence it provides you.
ARE OTHER TEAMS USING SPLUNK at Equinix?
Security – Now – How many folks? 6 people. Infrastructure for monitoring app performance. DevOps…looking to Splunk to bake processes into development. Triggered alerts. Service down, KPIs,
LOOKING AT HURRICANE LABS TO HELP OPERATE BETTER IN THIS ENVIRONMENT.
NOTIONAL DEPLOYMENT COST savings?
Vs. ArcSight, maybe saved half. Splunk Cloud is half of the cost of something like ArcSight. Value: One of the biggest factors is how the environment is managed. With ArcSight, you have to hire an army of professional services to get it set up, manage databases, and then tune it. Ongoing work. Cannot tune it and leave it. Data sources into Splunk…then turning correlation and mapping to use cases. We are a little easier because we can work to define the use cases and then do the code. More complexity on the ArcSight side – less on the Splunk ES.
Really use this for security use cases
SPLUNK CLOUD – SOC 2 Type II certified. Very important. Very sensitive. Certifications that attest to the protection of the data.
100 PERCENT UPTIME. Didn’t track that with others? SLA still going. Never seen anywhere else offer that.
Chief Information Officer,
As the world's largest data center company, we provide global leaders the power of interconnection: the ability to connect to many customers and partners in many regions—accelerating business performance and creating new opportunities.
About Coach Lillie
My role at Equinix
My team’s mission
My favorite Splunk tee-shirt tag line
One fun fact about me
Equinix Vision for SIEM
SIEM is key to any security
We were very early in adopting a “SIEM in the Cloud” vision and
With a traditional on premise SIEM, we didn’t think we would have value right out of the box
Been searching for awhile…
“…we pushed the vision of SIEM in the Cloud for
Why did we want a Cloud SIEM Solution?
Eliminates the need to feel ‘married’ to a system – easier to unsubscribe if it
At least 50% lower TCO compared to deploying an on-
Easy data ingestion
doesn’t require an
army to set-up
(when most data is generated on-premises)
What Cloud SIEM Was Right for Equinix?
Splunk Cloud with ES gave us a starting point
Met a variety of our use cases: ability to handle multiple types of data (and speeds and feeds), apps marketplace, correlation rules engine, and enterprise-level security view
We gained VALUE immediately out of the box; now a platform to build upon
Why we selected Splunk Cloud
Universal Search
App Ecosystem
Single Pane of
“…Our goal is to protect customers, employees &
How We Use Splunk Cloud
User Account Protection
Data Leakage Protection
What’s Next for Equinix
Global Security Team standardizing on Splunk Cloud
Use insights to build out a Security Operations Center
Expand use of Splunk Cloud to the Global Server and
Use Splunk to help integrate acquisitions
SIEM in the cloud is the way to go
SIEM with an Enterprise-level “Helicopter view” for the CIO is a
Splunk Cloud is a GREAT choice to meet these needs:
– Splunk Cloud is a service and requires much less staff to operate (less cost)
– Splunk Cloud is less complex to implement and operate
– Splunk Cloud with ES is a true security SIEM – SOC 2 Type II certified, 100 percent uptime SLA
– Splunk Cloud reduced the time to resolve/respond to security incidents – out of the box