
Splunk and Cisco UCS Breakout Session

Published in: Technology

  1. Robert Novak, Cisco Big Data Partner CSE, March 2016
     Splunk in the Cisco UCS Ecosystem
     How Cisco and its customers deploy, use, and scale Splunk environments with the Cisco Unified Computing System
  2. Who am I and why am I here?
     Today: Consulting Systems Engineer for Cisco’s Americas Partner Organization, focused on big data and analytics
     UNIX Sysadmin for ~20 years (retired); full stack: servers, storage, network, coffee
     149 to 149k person companies: Sun, Nortel, 3PAR, Ebay, Trulia, Disney, etc.
     “Big Data” herder since 2003; Hadoop admin (certifiable) since 2009; Cisco UCS C-Series admin since 2011 (early adopter!)
     Charter Cisco Champion, VMware vExpert since 2013
     Blogger at rsts11.com and Cisco Blogs; Tweeter at @gallifreyan and @rsts11
  3. Agenda
     • Hardware still matters!
     • How Cisco uses Splunk internally
     • How some of our customers use Splunk on UCS
     • Cisco integrations with Splunk
     • The Unified Computing System advantage
     • Learn More
  4. Hardware Still Matters: A quick glance at infrastructure for Splunk
  5. Why does hardware still matter?
     • Splunk will run on almost anything (even my laptop)
     • Standalone servers have lower admin overhead
     • Build up your clusters and you have to keep them consistent
     • Grow your data sources (and uses) and you have to add servers
     • Cluster constipation is bad, mmmkay?
  6. Why does hardware still matter?
     • Cisco customer big data pools tend to grow 2-3x/year
     • Cisco customer IT staff doesn’t grow as fast
     • The Cisco Unified Computing System (UCS) provides scalable, repeatable, predictable, and manageable deployments across dozens to thousands of servers for any application deployment
     • Pallet to production in hours, not days or weeks
     • Deep engineering integration between Cisco and Splunk with tested and proven configurations
     More on this later…
  7. How Cisco Uses Splunk, Part 1: Operational Analytics at Enterprise Scale within Cisco IT
  8. Big Data at a Big Customer: Cisco
     • 10s of thousands of employees, contractors, devices
     • 100s of offices, business apps, audiences
     • Lots of data in lots of places
     • No one tool (not even Splunk) can do everything for everyone all the time
     • High volume, low value, low shelf life
       – Lancope, Hadoop feed into Splunk
     • Low to moderate volume, high value, (any) shelf life
       – Splunk on its own, sometimes with fronting dashboards
       – Additional visualizations with Platfora, Tableau, etc.
  9. A closer look at Splunk within Cisco
     • Customer for 7+ years, strategic partner for 3+ years
     • Geographically disparate data collection and analysis
     • Over 70 business applications/use cases across the company
     • Around 20 teams using Splunk including Cisco IT and CSIRT
     • Nearly 10x growth in search volume from 2014-2016
  10. Cisco’s IT Operations Evolving with Splunk (timeline figure)
      2010: Daily Indexing 300G
      2014–2015: 10 Indexers; 47 Search Heads; 16 Search Heads thanks to search head clustering in Splunk 6.3; 20 Indexers; Daily Indexing ~2TB
  11. Splunk Searches – Daily Average
      1. Interactive Searches = 55K+
      2. Scheduled Searches = 45K+
      3. Total Searches = 100K+
      4. Number of Users = 180+
  12. How Cisco Uses Splunk, Part 2: Security Analytics at Enterprise Scale (Cisco’s Computer Security Incident Response Team, CSIRT)
  13. About CSIRT
      • Cisco Computer Security Incident Response Team (CSIRT)
      • CSIRT = Security Monitoring and Incident Response
      • Architecture, Engineering, Research, and Investigations
      • Enterprise global threat and 24x7 incident response
  14. CSIRT Environments: Recent Snapshot
      • 300 locations in 90 countries
      • 400 buildings
      • 1500+ labs
      • 100,000+ employees on network
      • 50-300 malware-related cases opened in a typical week
      • 650,000+ IP devices on network
      • 130,000 Windows hosts
      • 50,000 Linux hosts
      • 40,000 routers
      • 2-3 million highly tuned IDS events per day
      • 10+ billion NetFlow records per day
  15. Deploying Splunk as SIEM
      • SIEM: Security Information and Event Management platform
        – Easy to index any type of machine data from any source
        – Over 60 users doing investigations, correlations, reporting, advanced threat detection
        – All the data + flexible searches and reporting = empowered and effective team
        – 2TB/day and searches take less than a minute; 7 global data centers with 350TB stored data
        – Flashback malware contained to a fraction of the environment
        – Replaced older pre-big-data SIEM
          • Previous solution didn’t scale effectively
          • Queries in the minutes (or worse) rather than seconds with Splunk
          • Diverse functionality across the same aggregate data
  16. Looking at our customers: Successful deployments with Cisco UCS and Splunk
  17. Threat Management at Govt Agency
      • Agency wanted to manage and monitor all relevant alert data
      • Needed visibility across multiple security platforms
      • Centralized on scalable appliance model through a partner
      • Splunk Enterprise with Enterprise Security[1] premium app
      • By deploying on Cisco UCS with proven Cisco Validated Design, partner was able to deliver easily upgraded and expanded deployment with predictable results
      [1] Splunk won Best SIEM Solution (Enterprise Security) and Best Fraud Prevention Solution (Splunk Enterprise) awards from SC Magazine this month (Splunk press release)
  18. Fraud prevention for Online School
      • Leading online university needed to track student activity
      • Federal agencies have stringent requirements for loan qualifications and fulfillment
      • Deployed Splunk on UCS for student activity tracking
      • Blocking millions in fraudulent loan claims
      • Saving over 75% on auditing and compliance expenses
      • Saving over $1M/year on data processing
      • Deployed and expanded other analytics (security operations, IT operations, and application deployment)
      • Splunk on UCS grows beyond initial use cases and teams at most of our customers
  19. IT Ops & beyond for financial services
      • Leading worldwide financial services company used Splunk for IT Operations analytics
      • When an electronic payment platform deployment came up, Splunk was enlisted to support rollout and monitoring in a ridiculously short time frame
      • Speed and scalability led to use cases for security and fraud detection/prevention, marketing optimization, customer engagement and offers, and more
      • Customer continues to grow their Splunk environment (over 10x in first year, and still growing!)
  20. Secure Healthcare at Union Hospital
      • Customer needed quick updates, secure services, and high availability
      • Deployed Splunk Enterprise on UCS to replace older hardware and software platforms that didn’t scale well
      • Splunk and UCS delivered a more robust security posture with faster investigation and resolution of security events
      • High performance security analytics solution enables hospital to identify attack patterns and unauthorized actions that would otherwise go undetected
      • Reduced space/power/cooling by 75%
      • Server deployment time reduced from 7 days to 1 day
      See Cisco’s case study at cisco.com and Splunk’s case study at splunk.com
  21. Got Cisco? There’s an app for that… (or a technology add-on, at least)
  22. Splunk & Cisco Integrations
      Security (CiscoSecuritySuiteApp): Identity Services Engine (pxGrid); Sourcefire (including AMP); ASA/PIX/FWSM Firewalls; Web Security Appliance (WSA); Email Security Appliance (ESA); IPS; Cloud Web Security (CWS); AnyConnect; OpenDNS, ThreatGrid (in development)
      Data Center / Insieme: Cisco UCS; Nexus 9K; Application Centric Infrastructure (ACI - APIC); UCS Integrated Infrastructures Optimized for Splunk Enterprise (High Performance, High Capacity)
      Enterprise Networking (CiscoNetworksApp): Switching and Routing: Catalyst Switches, Nexus (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000), Meraki, Wireless, NGN Routers (CRS, ASR, ISR); Open SDN: Network Controller, APIC EM
      Collaboration: Call Manager
      • Inaugural SIEM & Threat Defense Partner
      • Inaugural pxGrid partner
      • Inaugural member of new Cisco Security Technical Alliances program
      • Inaugural ACI Partner
      • Inaugural Data Analytics Partner
      • Cisco Cloud Security for VMDC 1.0 Design Guide (link)
      • Cisco UCS Integrated Infrastructure for Splunk Enterprise (Distributed Deployment, High Capacity) (link)
  23. Splunk App for Cisco UCS
      NEW AND IMPROVED as of May 28, 2016
      • Aggregates, monitors, trends and analyzes all relevant data from Cisco UCS Manager instances
      • Enables proactive capacity and performance monitoring/management, fault trending, power and cooling, and more
      • Works with other Splunk add-ons and data sources (including Enterprise Security and PCI Compliance add-ons) to aggregate and correlate data across your enterprise
      (Stack diagram: Applications; Operating Systems; Hypervisors; UCS server, storage, network)
  24. Splunk on Cisco UCS
  25. What is Cisco’s Unified Computing System (UCS)?
      Unified Management: UCS Manager uses policy-based configuration to ensure consistent deployments
      Unified Fabric: Integrated 10/40 Gigabit Ethernet and Storage Networking (FCoE/iSCSI)
      Service Profiles: Maintain consistency across batches of servers and multiple applications. Deploy and expand in record time.
      Performance: Built with 10GbE and 40GbE at the core, repeatable configurations and performance, and over 100 benchmark records
  26. Why Splunk on Cisco UCS?
      Time to Deployment: Spin up a mutually validated, pre-tested environment in hours rather than days or weeks
      Total Cost of Ownership: Integrated networking and management reduce customer cost and effort to migrate, deploy, and expand
      Time to Grow: Expand servers and network capacity quickly and consistently
  27. Cisco UCS + Splunk = Better Together
      Seamless Scalability Facilitates Rapid Growth
      – Scale Splunk from a single server to distributed/clustered deployment
      – Grow your clusters efficiently and consistently
      – Runs on the same UCS C-Series servers as other big data platforms
      Split Second Response Times
      – Exceptional performance for “needle-in-a-haystack” searches
      – Consistent performance as simultaneous users increase
      Simplified Repeatable Deployments
      – Four pre-tested UCS Integrated Infrastructures
      – Capacity or performance optimization
      – NEW! Cisco Validated Design (CVD) with HA and Archiving
  28. Cisco UCS Reference Architectures (figure)
      Single Server, retention optimized: 250 GB indexed per day, 4 months retention
      Single Server, performance optimized: 250 GB indexed per day, 1 month retention
      Clustered Deployment, retention optimized: up to 4TB indexed per day, 1 year retention
      Clustered Deployment, performance optimized: up to 4TB indexed per day, 3 months retention
  29. Cisco Validated Design (CVD) for Splunk
      • Developed by Cisco and Splunk engineers in Spring 2016
      • 250+ page guide to design and deployment, pallet to production
      • Based on UCS C-Series (C220, C240, C3160) servers and Splunk Enterprise software
      • Includes high availability & data archiving
      • Download for free at cisco.com/go/bigdata_design
  30. Splunk on UCS: Performance Benchmark Test Bed Topology
  31. Cisco UCS Benchmark Results (Splunk Enterprise 6.2 vs 6.3)
  32. Learn more about Splunk and Cisco UCS
  33. Learn More About Splunk on Cisco UCS!
      SplunkBase app resources: splunkbase.splunk.com
      Cisco’s Big Data Design Hub: cisco.com/go/bigdata_design features Cisco Validated Designs (CVDs) and other architectural docs
      Big Data Applications Hub: cisco.com/go/bigdata features reference architectures, solution briefs, infrastructure, automation, etc.
      Reach Out! Already using Splunk? Talk to your Splunk team about Cisco UCS! Already using Cisco UCS? Talk to your Cisco team about Splunk!
  34. Cisco’s CSIRT engineers applied their experiences during the CSIRT deployment to a new O’Reilly book, now available at bitly.com/infosecplaybook: “they wrote the book …”
  35. Thank you.
