Copyright © 2015 Splunk Inc.
Group Health Cooperative Customer Presentation
Slide 1: Incident Response at Group Health Cooperative
Chris White, Sr. Information Security Engineer
Slide 2: My Background and Role
• At Group Health since 2012
• Part of Information Security Engineering and Operations
• Splunk user since 2011
• Favorite joke
Slide 3: Company Overview
• Member-governed, nonprofit health care system coordinating care and coverage
• Founded in 1947 and based in Seattle, Washington
• 25 locations in 17 cities
• Serves more than 600,000 residents in Washington and North Idaho
Slide 4: Enterprise Security Assurance
• Detect when prevention mechanisms fail
• Manage and measure incident response
• Enterprise log management and analysis
• All things security engineering
Mission: protect the systems, patients and the patient data
Org chart: Enterprise Security Assurance; Governance and Policy; Engineering and Operations: Operations (2), Engineering (me)
Slide 5: Splunk at Group Health
• ~10 active users
• Significant effort towards managing knowledge objects
• Git repositories on top of all Splunk configurations
• Complete set of config packaged into a single application for easier deployment
• Load balancer used for all inbound syslog (no more facility/priority shuffling!)
• 1 search head, 3 indexers
Architecture diagram labels: Dev Search Head, Deployment Server, Git Deployment Versioning, Syslog-ng Heavy Forwarder, Sentry, Win/*NIX
Slide 6: Splunk Development at Group Health (timeline 2013 to present)
• Simple XML: basic dashboards, drag & drop
• Simple XML: advanced, drag & drop
• Advanced XML: full customization (obsolete)
• Web framework: rich, interactive experiences
Slide 7: Incident Response at Group Health
• Anomaly Detection: Snort IDS, Bro IDS, Sandboxing
• Alerting
• Investigation & Incident Tracking: CIRTA
Slide 8: Incident Response Workflow
CIRTA (Computer Incident Response Team Analysis)
• Original incident response system
• Accelerates post-detection incident response
• Automates and archives data for incidents
• Builds a picture of the event over time
• Incident contextual visualization, anomaly detection and search
• Nearly instantaneous results
• Tracks each incident stage
• Measures incident response effectiveness
• Incident categorizations
Workflow diagram labels: Incident Logs, CIRTA Logs, Collected Logs, Collateral Events
Slide 9: Splunk CIRTA Frontend (Alert)
Slide 10: Splunk CIRTA Frontend (Web)
Slide 11: Splunk CIRTA Frontend (Category)
Slide 12: Splunk CIRTA Frontend (Trend)
Slide 13: Splunk CIRTA Frontend (Analyst Trend)
(Slides 9 to 13 are screenshots of the CIRTA front end; no text beyond the titles survives.)
Slide 14: Example: Phishing Attempts
• Anomaly Detection: correlate web logs from OWA and geolocation; apply weighted scoring and "speed of light" tests
• Alerting: send alerts if "speed of light" tests fail
• Investigation: verify the phishing attempt and prevent access
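The detection the phishing slide describes, as an added example rather than Group Health's or Splunk's own CIRTA code: successive OWA logins per user are geolocated, the implied travel speed between them is compared against a plausible maximum (the "speed of light" test), and a weighted score decides whether to alert. The OWA log format, the GeoIP table, the weights and the thresholds are all assumptions made for this example, and the sample log lines are constructed.

```python
# Added example, not from the Group Health deck: a "speed of light" (impossible
# travel) test with weighted scoring over constructed OWA access logs.
# The log format, the GeoIP table, the weights and the thresholds are assumptions.
import math
import re
from datetime import datetime, timezone

# Constructed sample OWA access-log lines (timestamp, user, source IP, path, status).
# Only requests to the authentication endpoint count as logins.
SAMPLE_OWA_LOGS = """\
2015-09-21T08:02:11Z user=jdoe src_ip=203.0.113.10 path=/owa/auth.owa status=302
2015-09-21T08:40:03Z user=jdoe src_ip=203.0.113.10 path=/owa/ status=200
2015-09-21T09:05:47Z user=jdoe src_ip=198.51.100.77 path=/owa/auth.owa status=302
2015-09-21T07:55:00Z user=asmith src_ip=192.0.2.44 path=/owa/auth.owa status=302
2015-09-21T20:10:00Z user=asmith src_ip=198.51.100.77 path=/owa/auth.owa status=302
"""

# Constructed stand-in for a GeoIP lookup: source IP -> (latitude, longitude, country).
GEOIP = {
    "203.0.113.10": (47.6062, -122.3321, "US"),   # Seattle
    "192.0.2.44": (47.6588, -117.4260, "US"),     # Spokane
    "198.51.100.77": (55.7558, 37.6173, "RU"),    # Moscow
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)
AUTH_PATH = "/owa/auth.owa"
MAX_PLAUSIBLE_KMH = 1000.0   # assumed: anything faster than airline travel fails the test
WEIGHTS = {"speed_of_light": 70, "new_country": 20, "foreign_login": 10}  # assumed weights
ALERT_THRESHOLD = 60         # assumed: a score at or above this raises an alert


def haversine_km(p1, p2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, p1)
    lat2, lon2 = map(math.radians, p2)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_logs(text):
    """Parse the constructed log format into events sorted by user and time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "path": m["path"]})
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def score_logins(events, home_country="US"):
    """Score each authentication against the same user's previous one; return findings."""
    findings = []
    last_login = {}        # user -> previous authentication event
    countries_seen = {}    # user -> countries that user has already logged in from
    for e in events:
        if e["path"] != AUTH_PATH or e["ip"] not in GEOIP:
            continue       # not a login, or no geolocation available for the source
        lat, lon, country = GEOIP[e["ip"]]
        seen = countries_seen.setdefault(e["user"], set())
        score, reasons = 0, []
        if country != home_country:
            score += WEIGHTS["foreign_login"]
            reasons.append("foreign_login")
        if seen and country not in seen:
            score += WEIGHTS["new_country"]
            reasons.append("new_country")
        prev = last_login.get(e["user"])
        if prev is not None:
            dist = haversine_km(GEOIP[prev["ip"]][:2], (lat, lon))
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Implied travel speed; any distance in zero time is treated as impossible
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > MAX_PLAUSIBLE_KMH:
                score += WEIGHTS["speed_of_light"]
                reasons.append("speed_of_light:%.0f km/h" % speed)
        seen.add(country)
        last_login[e["user"]] = e
        if score:
            findings.append({
                "user": e["user"], "ts": e["ts"].isoformat(), "ip": e["ip"],
                "score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD,
            })
    return findings


if __name__ == "__main__":
    for finding in score_logins(parse_logs(SAMPLE_OWA_LOGS)):
        print(finding)
```

In the constructed sample, jdoe authenticates from Seattle and then from Moscow an hour later, which implies several thousand km/h and fails the test, so that login scores above the threshold; asmith also moves Spokane to Moscow but over twelve hours, which a flight could cover, so only the foreign and new-country weights apply and no alert fires. Scoring several weak signals instead of alerting on any one of them is what keeps the rule usable on real traffic.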
Slide 15: Example: Phished Credentials
Slide 16: Example: Java Vulnerabilities
• Rule: a resource must have the latest version of Java to access the Internet
• Vulnerable Java requests for exploit code blocked
• Incidents processed in CIRTA and pushed to Splunk for incident metrics on compromises
• 50% decrease in incidents/month
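The rule on this slide, as an added example that is not Group Health's or Splunk's own code: the Java runtime identifies itself in the User-Agent header of its outbound requests, so a proxy log can be checked against a required baseline version and outdated clients denied Internet access, with the resulting blocks counted per month as the kind of incident metric the deck reports. The proxy log format and the baseline version 1.8.0_60 are assumptions, and the log lines are constructed.

```python
# Added example, not from the Group Health deck: enforce the slide's rule
# ("a resource must have the latest version of Java to access the Internet")
# over constructed proxy log lines, then count the resulting incidents per month.
# The log format and the baseline version are assumptions.
import re
from collections import Counter

REQUIRED_JAVA = "1.8.0_60"   # assumed baseline; the deck does not name a version

# Constructed proxy log lines: timestamp, client, user agent, URL.
SAMPLE_PROXY_LOGS = """\
2015-08-03T10:11:02Z src=10.1.4.22 ua="Java/1.7.0_45" url=http://203.0.113.50/app.jar
2015-08-15T11:20:00Z src=10.1.4.23 ua="Java/1.8.0_60" url=http://203.0.113.51/update.xml
2015-09-02T09:01:10Z src=10.1.4.22 ua="Java/1.7.0_45" url=http://203.0.113.52/app.jar
2015-09-10T14:30:45Z src=10.1.4.30 ua="Mozilla/5.0" url=http://203.0.113.53/
2015-09-12T16:05:00Z src=10.1.4.31 ua="Java/1.8.0_101" url=http://203.0.113.54/lib.jar
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" url=(?P<url>\S+)$')
# The Java runtime sends e.g. "Java/1.7.0_45" or "Java/9.0.1" as its User-Agent.
JAVA_UA_RE = re.compile(r"^Java/(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?")


def parse_java_version(user_agent):
    """Return the Java version as a 4-tuple of ints (Java/1.7.0_45 -> (1, 7, 0, 45)),
    or None when the user agent is not the Java runtime."""
    m = JAVA_UA_RE.match(user_agent)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_outdated(version, required=REQUIRED_JAVA):
    """Numeric comparison, so 1.8.0_101 correctly ranks above 1.8.0_60."""
    return version < parse_java_version("Java/" + required)


def evaluate(log_text):
    """One verdict per log line: 'block' for outdated Java, 'allow' otherwise."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        version = parse_java_version(m["ua"])
        if version is None:
            verdict = "allow"      # not a Java client, so the rule does not apply
        elif is_outdated(version):
            verdict = "block"      # outdated Java may not reach the Internet
        else:
            verdict = "allow"
        verdicts.append({"ts": m["ts"], "src": m["src"], "java": version,
                         "url": m["url"], "verdict": verdict})
    return verdicts


def incidents_per_month(verdicts):
    """Count blocked requests per YYYY-MM, the metric the deck tracks over time."""
    return Counter(v["ts"][:7] for v in verdicts if v["verdict"] == "block")


def hosts_needing_update(verdicts):
    """Distinct clients seen with outdated Java, for follow-up remediation."""
    return sorted({v["src"] for v in verdicts if v["verdict"] == "block"})


if __name__ == "__main__":
    results = evaluate(SAMPLE_PROXY_LOGS)
    for v in results:
        print(v)
    print(dict(incidents_per_month(results)), hosts_needing_update(results))
```

The version comparison is done on integer tuples rather than strings so that an update number such as 101 is not ranked below 60; the per-host list feeds remediation, and the per-month counter is what a trend like the slide's "50% decrease" would be computed from.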
Slide 17: Splunk for Privacy Monitoring
• Simple, dynamic, multiuser analysis experience
• Complete context through demographics and encounters
• Increase efficacy through weighted scores
• Reporting performance: avoid live analytical searches, summarize scenario reports, display pre-analyzed data
• Framework design supports pluggable sources of privacy data
• On Splunkbase
Slide 18: Why Splunk?
• Easier to visualize data to detect anomalies
• Endless possibilities with SDK and Web Framework
• Log analysis accessible vs. command line expertise