
Softcat Splunk Discovery Day Manchester, March 2017


Presentations from Softcat Splunk Discovery Day.



  1. Copyright © 2016 Splunk Inc. Manchester Social | #SplunkDisco17 WIFI: guest2017
  2. Agenda: 09:30 – 09:45 Introduction & Welcome; 09:45 – 10:00 A Day in the Life; 10:00 – 10:15 So, What is Splunk?; 10:15 – 11:00 Session One: Data-driven insights into your IT Operations to support a digital transformation; 11:00 – 11:30 Break; 11:30 – 12:15 Session Two: Best Practices for Scoping Infections and Disrupting Breaches; 12:15 – 12:30 Interactive Demo & Morning Session Wrap Up; 12:30 – 13:30 Lunch; 13:30 – Event Concludes
  3. Big Data, Splunk and stuff – Sam Routledge, CTO, Softcat, 15th March 2017
  4. A brief introduction…
  5. Big data basics – Data Nirvana! Business data – ERP, CRM…; Machine/sensor data – temp, vibration…; Marketing – location, app, click…; Log data – firewall, AV…
  6. Digitisation considerations: Digital business model; Workforce Mobility; Operational Efficiency; Customer Satisfaction; IoT/sensor; Mobile Devices; Wearables; Industrial; Ready network; Ready infrastructure; Ready security; Ready applications
  7. Data = Disruptor (if used correctly). The retailer: app data; location/direction from Wifi; make stores a destination. The ‘precision agronomist’: sensor data – temp/humidity etc; soil quality; pests. The dairy farmer: Internet-connected cows! Stomach temperature sensors
  8. Security and IT: a first use case. Actionable insight: velocity of threat; volume of data; variety of sources. A learning opportunity: understand ‘big data’ techniques; equip yourself to be the ‘data plumber’. Solve the big security problem: unify a fragmented toolset; respond with killer speed!
  9. How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud: on-time efficiency & dramatic queue reduction with 925 flights per day; real-time, predictive airfield analytics delivered on mobile app & Apple Watch; data from airport gates, boarding pass scans, x-ray, travel, passenger flow
  10. How John Lewis Uses Splunk For Multi-channel Retail Analytics: track end-to-end transactions; monitor & model customer behaviour; billion-dollar website business & IT dashboards; prevent lost revenue via machine data insight
  11. Why Yoox/Net-A-Porter Built A Security Intelligence Platform Using Splunk: intrusion detection and identification of patterns of malicious behaviour; comprehensive real-time security analytics and monitoring; automatic security alerts and deep incident investigation
  12. How BBC Worldwide Improves Customer Experience With Splunk: ITOA & performance monitoring to ensure the BBC Store is available; Splunk Cloud allows the team to focus on monitoring, not running infrastructure; business analytics, customer experience and sales reports
  13. Why Tesco Uses Splunk To Accelerate Development And Understand Customers: cut investigation & resolution time 95%; reduce escalations 50%, accelerate dev cycles 30%; activity tracking dashboards with improved customer experience and reduced lost revenue; operational analytics with live transaction tracing and end-to-end infrastructure insight
  14. Saving The US Rail Industry A Billion Dollars And 250 Million Acres Of Trees in CO2: train sensor data in real time; fuel savings resulting in $1bn savings; better trained drivers & predictive maintenance
  15. How Travis Perkins built their Security Operations Centre in the Cloud: migrated on-prem to cloud-based SOC using Splunk Enterprise Security; protect the organisation through real-time, data-driven security; identify incidents, security investigation, support compliance
  16. How Domino’s Delivered Real-time Marketing Analytics With Splunk. Better customer decisions: analyse the success of campaigns as well as one-off promotions in real time; proactively adjust marketing campaigns in real time based on customer behaviour. Device & promotion trends: which devices (iPhones, Androids or Kindle Fires) are being used to place orders; where and when it is more lucrative to run promotional campaigns, in real time. Revenue insights: online sales data across entire network of more than 10,000 stores; visualise key metrics – orders per minute/per store, popular pizza and what coupons
  17. So what is Splunk? Al Costigan, Partner Account Manager, Splunk
  18. Is this your first Splunk presentation?
  19. Do you think the name sounds rude?
  20. Spelunking: to explore underground caves. Splunking: to explore machine data
  21. pothole
  22. 2016 Gartner CIO Agenda
  23. Digital revolution underpinned by data: Music, Shopping, Phone, Car, Banking, Healthcare, Government, Web, TV
  24. Structured data
  25. Machine data: time series, in motion, unstructured
  26. The data we know and use; the available data we don’t know or use
  27. Your machine data is… messy, lazy
  28. Escalating IT complexity… SaaS/PaaS; IaaS; Virtualization; Storage; Packaged Applications; Custom Applications; HR, Email, Finance; App Svr, DB, Web Svr; Infrastructure; Applications; VPN, IP Phone, Identity; Servers; Networking
  29. Splunk’s two main use cases: Security Analytics; IT Operations Analytics (ITOA)
  30. Deadly Ice Creams!!!
  31. Platform for Machine Data …but has multiple uses: Application Delivery; Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things; IT Operations. Sources: Servers, RFID, Networks, GPS Location, Packaged Applications, Custom Applications, Messaging, Desktops, Online Shopping Cart, Storage, Smartphones and Devices, Energy Meters, Web Clickstreams, Telecoms, Databases, Call Detail Records, Web Services, Online Services, On-Premises, Private Cloud, Security, Public Cloud
  32. Turning Machine Data Into Operational Intelligence, from reactive to proactive: Search and Investigate; Proactive Monitoring and Alerting; Operational Visibility; Real-Time Business Insight
  33. With Splunk… Security Operations, IT Operations, Business Operations: different people asking different questions of the same data
  34. Just to recap: identify and fix problems fast; prevention rather than cure
  35. Index and Analyze Data Across Your Technology Stack. Splunk Add-Ons, Templates and Apps accelerate value from machine data. No rigid schemas – add in data from any other source. API, SDKs, UI. Server, Storage, Network; Virtualization, Containers; Operating Systems + Databases; Custom Applications; Business Applications; Cloud Services; Web Intelligence; Mobile Applications; Stream; Operations and Service Desks; App Performance Monitoring; DB Connect
  36. Just imagine – all that from one platform
  37. Thank you
  38. Data-driven insights into your IT Operations to support a digital transformation – Guillaume Ayme, ITOA Evangelist, Splunk
  39. Digital, Mobile, Connected
  40. New Digital Services
  41. CONFIDENTIAL. INTERNAL USE ONLY. No way to differentiate
  42. (no text on slide)
  43. Digital Workspace
  44. Causing an Explosion in Machine-Generated Data: need insights to move at warp speed
  45. The Customer Experience is more important than ever
  46. The Customer Experience is ever more important
  47. The Customer Experience is the Digital Experience. The Digital Journey – The Hotel Booking: Social Media Campaign → Visit Website → Book on Mobile App → Check-in in Reception → Connect to Wifi in Room → Watch TV in Room → Check-out on Mobile
  48. (no text on slide)
  49. (no text on slide)
  50. Outage: War Room – App, DB, Network, Storage, System; Data Gathering; War Room; ?? ?; Now What?
  51. Outage: War Room – App, DB, Network, Storage, System; Data Gathering; War Room; ?? ?; Now What? Gaining insights is hard: human latency measured in hours or days
  52. New Solution is Required: central location for all machine data; data indexed for rapid investigation; correlation & visualisation; draw business insights
  53. Machine Learning
  54. IT Operational Analytics
  55. Leader in ITOA 2015 (for 2nd year in a row): based on our number of data sources, volumes & use cases, driving increased customer adoption
  56. Your IT Ops Backbone: Rapid Search & Investigation; Advanced Correlation; Powerful Visualisation; Real-Time Alerting; Machine Learning. Collect any Machine Data. No Connectors. No Schema
  57. Your IT Ops Backbone: Rapid Search & Investigation; Advanced Correlation; Powerful Visualisation; Real-Time Alerting; Machine Learning. Collect any Machine Data. No Connectors. No Schema. Serving: Incident & Problem Management; Win, Unix, Network, Storage teams; Capacity Managers; Change, Release Managers; Developers & QA; IT Managers; Compliance Managers; App Mng
  58. Your IT Ops Backbone – over 1300 Apps available on splunkbase.com: Rapid Search & Investigation; Advanced Correlation; Powerful Visualisation; Real-Time Alerting; Machine Learning. Collect any Machine Data. No Connectors. No Schema
  59. Logs, Audit, Performance, Availability → Performance Mng, Capacity Mng, Compliance, Incident Mng, Security
  60. Collect: Audit, Billing, Performance, Configuration. More visibility, security and reliability of your migration to the cloud
  61. (no text on slide)
  62. Splunk Stream: Performance on the Wire – End/Real User Performance; Application Performance; Network Performance; Transaction Management; Protocol Payload
  63. Built on top of Splunk: data-driven service insights and streamlined root cause investigation of your business services
  64. Dynamic Service Models of your Business Services
  65. Define KPIs on those Services based on Raw Data
  66. Adaptive Thresholds through Machine Learning & Anomaly Detection
  67. Global Health of your Services from Service Analyser
  68. Instant Investigation Framework for Rapid TTM
  69. Glass Tables
  70. Supporting the Transformation of over 13,000 customers
  71. Users complain of failed checkout process
  72. Checkout Process: real-time breakdown of checkout process
  73. Model user journeys on $1.5 Billion Online Sales for Load Testing; Enhanced Operational Intelligence; collaboration across all business; operational visibility of issues before they are reported
  74. (no text on slide)
  75. Business Insights & Alerting – Value: monitors trending of website activity including conversion; instant alerting if product sells quicker than is normal; able to identify if product is mis-priced, leading to reduced risk of bad PR and customer satisfaction
  76. Customer Journeys – Value: all user journeys tracked end-to-end; ability to drill down to any order to view the state; provides true user journeys; better understanding of customer interactions; provides business with real-time visibility and metrics of online channel
  77. Magistor
  78. Magistor
  79. Magistor “sexy” logs
  80. Magistor app Dashboard
  81. #Splunk4Rookies
  82. Thank You
  83. Thank You
  84. Time for a Break
  85. Welcome Back
  86. Scoping Infections and Disrupting Breaches – Matthias Maier, Security Evangelist, Splunk
  87. Splunk Security Solutions: Splunk Enterprise Security; Splunk User Behavior Analytics; Security Apps & Add-ons; more… Wire data, Windows, RDBMS (any) data; SIEM integration. Security & Compliance Reporting; Monitoring of Known Threats; Advanced and Unknown Threat Detection; Incident Investigations & Forensics; Fraud Detection; Insider Threat
  88. Single Platform for Security Intelligence: Security & Compliance Reporting; Real-Time Monitoring of Known Threats; Detect Unknown Threats; Incident Investigations & Forensics; Fraud Detection; Insider Threat. Splunk complements, replaces and goes beyond existing SIEMs
  89. Traditional defenses are no longer efficient enough
  90. The Ever-Changing Threat Landscape: 53% victims notified by external entity; 100% valid credentials were used; 229 median # of days before detection. Source: Mandiant M-Trends Report 2012-2016
  91. Attacks often start with an email: 50% click on phishing links within the first hour; 23% of recipients open phishing messages; 11% of recipients click on attachments. Source: Verizon DBR
  92. True Story: State of Michigan (SOM) – user account spoofing. Phishing mail: “Mailbox reached storage limit…”; the Outlook Web Access portal with SOM’s custom design was rebuilt by the attacker; asked to provide e-mail, username, password and date of birth… To how many users was the mail delivered? How many clicked? How many filled it out? Delivered to 2800 employees before being blocked; 155 employees clicked the link; 144 employees provided their credentials. Source: GISEC 2015 keynote – ex-CSO Dan Lohrmann
  93. Roadmap: Required Data Sources; Required Capabilities; The Attack Kill Chain; Demo; Investigation; Learn More
  94. Roadmap: Required Data Sources
  95. Data Sources (Traditional SIEM): Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
  96. Data Sources for our investigation today – Persist, Repeat. Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution (third-party threat intel; open-source blacklist; internal threat intelligence). Network: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download (firewall, IDS, IPS; DNS; email; web proxy; NetFlow; network). Endpoint: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility (endpoint AV/IPS/FW; malware detection; PCLM; DHCP; OS logs; patching). Access/Identity: access level, privileged users, likelihood of infection, where they might be in the kill chain (Active Directory; LDAP; CMDB; operating system; database; VPN, AAA, SSO)
  97. Roadmap: Required Data Sources; Required Capabilities
  98. Splunk Analytics-driven Security: risk-based; context and intelligence; connecting data and people
  99. Capabilities – Scoping Infections and Breaches: Report and Analyze; Custom Dashboards; Monitor and Alert; Ad hoc Search. Context: Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, Applications. Raw Events from: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint
  100. Roadmap: Required Data Sources; Required Capabilities; The Attack Kill Chain
  101. Adversary Perspective – Attack Kill Chain: Discovery → Weaponization → Delivery → Exploitation → Installation → Command and Control (C2) → Actions on Objectives. Lockheed Martin white paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
  102. Exploitation != Game Over
  103. Kill Chain – Breach Example (data categories: Threat Intelligence, Access/Identity, Endpoint, Network). Delivery (MAIL): attacker creates malware, embeds it in a .pdf and emails it to the target; the target reads the email and opens the attachment. Exploitation: the .pdf executes & unpacks malware. Installation: overwriting and running “allowed” programs (Svchost.exe, Calc.exe). C2 (WEB): http (web) session to command & control server; remote control. Actions on Objectives: steal data; persist in company; rent as botnet
  104. Roadmap: Required Data Sources; Required Capabilities; The Attack Kill Chain; Demo; Investigation
  105. Demo
  106. Demo Review. Challenges: difficult to go from threat-intel match to root cause; hard to determine – was there a breach? Sources: threat intel – open-source threat intel feed; network – web proxy logs, email logs; endpoint – endpoint monitoring agent; access/identity – asset management database. Finding the root cause, connecting the dots: match the threat-intel IP to network data to identify the infected machine; identify the malicious process by mapping network data to endpoint data; discover the infected email by matching local file access to email data
  107. Best Practices – Breach Response Posture. Bring in data from at least one source in each category: network – next-gen firewall or web proxy, email, DNS; endpoint – Windows logs, registry changes, file changes; threat intelligence – open source or subscription based; access and identity – authentication events, machine-user mapping. Establish a security intelligence platform so analysts can: contextualize events, analytics and alerts; automate analysis and exploration; share techniques and results to learn and improve
  108. If it happens today, how long does it take you to answer the upcoming questions? 50% click on phishing links within the first hour. Source: Verizon DBR 2015
  109. Travis Perkins built a lean SOC with Splunk: close collaboration with the IT Operations team for remediation; moved from a failed SIEM deployment with appliances to a lean and agile SOC; quicker from ingesting new data to creating meaningful correlations
  110. Roadmap: Required Data Sources; Required Capabilities; The Attack Kill Chain; Demo; Investigation; Learn More
  111. Next Step: Discovery Workshop – What’s your Security Use Case? Cost justification to your management; success measurement; prioritization; scoping of data sources / data volume / costs; establishing organizational processes; data privacy justification
  112. Explore: How Travis Perkins built a SOC in the Cloud http://blogs.splunk.com/2016/09/14/trust-and-resilience-at-the-speed-of-business-how-travis-perkins-built-a-lean-soc-with-splunk-in-the-cloud/ Join: our community with apps, ask questions or join a SplunkLive! event https://www.splunk.com/en_us/community.html Try: Splunk Enterprise Security in our sandbox with 50+ data sources https://www.splunk.com/getsplunk/es_sandbox Q&A. Thank you
  113. Thank You
  114. Interactive Demo
  115. www.discoversplunk.com
  116. Q&A
  117. Lunch
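The "connecting the dots" steps on the Demo Review slide (match the threat-intel IP to proxy data, map that to the endpoint process, then tie the file the process came from back to the delivering email) and the four source categories the Best Practices slide asks for can be shown end to end in code. The block below is an added example, not Splunk's code and not from the presentation: it feeds constructed key=value log lines for threat intel, a web proxy, an endpoint agent, a mail gateway and a CMDB-style asset table through the three correlation steps and returns one finding per infected machine. Every host name, user, IP (RFC 5737 test ranges), path and sender in it is made up.

```python
"""Added example: scoping an infection from a threat-intel match back to the email.

Not Splunk's code and not part of the presentation; all data below is constructed.
"""
import ntpath
import re

# Constructed threat-intel feed: known C2/relay addresses (RFC 5737 test ranges).
THREAT_INTEL = [
    {"ip": "203.0.113.45", "threat": "c2-server", "campaign": "invoice-lure"},
    {"ip": "198.51.100.7", "threat": "malware-download", "campaign": "invoice-lure"},
]

# Constructed asset/identity data (CMDB-style): internal IP -> host and logged-in user.
ASSETS = {
    "10.20.1.15": {"host": "WS-FIN-015", "user": "j.smith"},
    "10.20.1.22": {"host": "WS-HR-022", "user": "a.jones"},
}

# Constructed web proxy logs.
PROXY_LOGS = """\
2017-03-15T09:12:01Z src=10.20.1.22 dst=93.184.216.34 url=http://example.com/ status=200
2017-03-15T09:14:33Z src=10.20.1.15 dst=203.0.113.45 url=http://203.0.113.45/gate.php status=200
2017-03-15T09:14:35Z src=10.20.1.15 dst=203.0.113.45 url=http://203.0.113.45/gate.php status=200
"""

# Constructed endpoint-agent telemetry (raw string so the Windows path survives).
ENDPOINT_LOGS = r"""
2017-03-15T09:13:58Z host=WS-FIN-015 event=file_open pid=4120 image=AcroRd32.exe file=C:\Users\j.smith\Downloads\invoice_2291.pdf
2017-03-15T09:14:02Z host=WS-FIN-015 event=process_start pid=4188 ppid=4120 image=calc.exe
2017-03-15T09:14:33Z host=WS-FIN-015 event=net_conn pid=4188 image=calc.exe dst=203.0.113.45
2017-03-15T09:20:10Z host=WS-HR-022 event=net_conn pid=2201 image=chrome.exe dst=93.184.216.34
"""

# Constructed mail gateway logs.
EMAIL_LOGS = """\
2017-03-15T08:58:40Z recipient=j.smith@corp.example sender=billing@supplier-invoices.example subject="Overdue invoice" attachment=invoice_2291.pdf
2017-03-15T09:01:12Z recipient=a.jones@corp.example sender=hr@corp.example subject="Holiday rota" attachment=rota.xlsx
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_log(text):
    """Turn 'TIMESTAMP key=value ...' lines into dicts; quoted values keep their spaces."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        event = {"_time": ts}
        for key, value in KV_RE.findall(rest):
            event[key] = value.strip('"')
        events.append(event)
    return events


def match_threat_intel(proxy_events, threat_intel, assets):
    """Step 1: proxy destinations that appear in the feed, keyed by internal source IP."""
    ioc = {entry["ip"]: entry for entry in threat_intel}
    hits = {}
    for ev in proxy_events:
        if ev["dst"] in ioc:
            asset = assets.get(ev["src"], {"host": "unknown", "user": "unknown"})
            hit = hits.setdefault(ev["src"], {**asset, "ioc": ev["dst"],
                                              "threat": ioc[ev["dst"]]["threat"],
                                              "first_seen": ev["_time"], "count": 0})
            hit["count"] += 1
    return hits


def find_process(endpoint_events, host, ioc_ip):
    """Step 2: the endpoint process on that host that connected to the IOC address."""
    for ev in endpoint_events:
        if ev["host"] == host and ev["event"] == "net_conn" and ev["dst"] == ioc_ip:
            return {"pid": ev["pid"], "image": ev["image"]}
    return None


def find_dropped_file(endpoint_events, host, pid):
    """Step 3a: walk the parent chain of the process and return the file an ancestor opened."""
    starts = {ev["pid"]: ev for ev in endpoint_events
              if ev["host"] == host and ev["event"] == "process_start"}
    lineage = [pid]
    while lineage[-1] in starts and starts[lineage[-1]].get("ppid"):
        lineage.append(starts[lineage[-1]]["ppid"])
    for ev in endpoint_events:
        if ev["host"] == host and ev["event"] == "file_open" and ev["pid"] in lineage:
            return {"file": ev["file"], "opened_by": ev["image"]}
    return None


def match_email(email_events, user, filename):
    """Step 3b: the message that delivered that attachment to that user."""
    for ev in email_events:
        if ev["attachment"] == filename and ev["recipient"].split("@")[0] == user:
            return {"sender": ev["sender"], "subject": ev["subject"], "delivered": ev["_time"]}
    return None


def scope_infection(threat_intel=THREAT_INTEL, proxy_text=PROXY_LOGS,
                    endpoint_text=ENDPOINT_LOGS, email_text=EMAIL_LOGS, assets=ASSETS):
    """Run the three steps; a hit without endpoint or mail evidence is kept, partially scoped."""
    proxy, endpoint, email = (parse_kv_log(t) for t in (proxy_text, endpoint_text, email_text))
    findings = []
    for src_ip, hit in match_threat_intel(proxy, threat_intel, assets).items():
        finding = {"src_ip": src_ip, **hit, "process": None, "file": None, "email": None}
        proc = find_process(endpoint, hit["host"], hit["ioc"])
        if proc:
            finding["process"] = proc
            dropped = find_dropped_file(endpoint, hit["host"], proc["pid"])
            if dropped:
                finding["file"] = dropped
                finding["email"] = match_email(email, hit["user"], ntpath.basename(dropped["file"]))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scope_infection():
        print(f"{f['host']} ({f['user']}) -> {f['ioc']} x{f['count']}: "
              f"process={f['process']} file={f['file']} email={f['email']}")
```

The asset lookup is what turns a proxy source IP into a host and a user, which is why the slide lists access/identity data as a required category: without it step 2 has no host to query and step 3 has no recipient to match. Hits that stop at step 1 or 2 are still returned, since an IOC match with no endpoint evidence is exactly the "was there a breach?" question the analyst has to answer rather than a reason to drop the alert.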
