Agenda
• Introduction
• About David and Aaron’s Inc
• Before Splunk with Jeff Meyers, Sales Engineer, Splunk
• Our challenges and opportunities
• Use Cases
– PCI Compliance
– Real-time detection of threats (internal and external)
• Conclusion
– Where we’re headed, best practices, and lessons learned
About Aaron’s Inc
• Aaron's, Inc. is a lease-to-own retailer. The company focuses on leases and retail sales of furniture, electronics, appliances, and computers.
• 2,100 Company-operated and franchised stores in the United States and Canada.
• The Company was founded in 1955, is headquartered in Atlanta and has been publicly traded since 1982.
• In April, Aaron’s completed the transformative acquisition of Progressive Finance resulting in the strategic positioning of the Company as the leader in both the traditional rent-to-own (RTO) industry as well as the emerging virtual rent-to-own (RTO) space.
About Me
• First time at a SplunkLive!
• Information Security for 10 years+ (HomeDepot, InComm, MARTA)
• Started using Splunk at Aaron’s in October, 2015
• Responsible for growing Splunk
“We help our customers build credit. It’s important for us to maintain a high level of trust. We utilize Splunk to make sure we keep the trust relationship growing.”
About The Security Team
• CISO: Chris Bullock, CISSP|CCE|CCFT|GWAPT|GaCSI Instructor|CLEO
• Risk Validation
– Bhavin Patel, Manager, CISSP|C|EH
– David Craigen, Senior Information Assurance Engineer/Architect, CISM
Develop and implement new & better security technologies, integrations, project/product security assessments, data enrichment, penetration testing, vulnerability assessments, application security, advisory services
• Incident Management
– Dean Mallis, Manager, CISSP|GWAP|CCE|ITIL
– Derek Weaver, Senior Information Assurance Engineer, CISSP|EnCE|CFCE|GCIH
Incident response & investigation, forensics, eDiscovery, data enrichment, data loss prevention
• Governance, Policies, Standards and Training
– Jim Moore, Manager, CISSP
– Verna E. Longmore, Information Assurance Engineer
Conduct internal audits, coordinate external auditors; user awareness and education; IT misuse/harassment, DMCA complaints, education
Before Splunk: Scattered Logs, Limited Visibility
• Challenges
– Difficult to validate compliance levels
– Response time measured in hours/days
– Needed a faster way to get logs
– Lack of custom dashboards led to blind spots
– Previous tool will remain nameless & blameless
The Journey
• PCI Compliance
• Event correlation
• Faster building of reports and dashboards, compliance requirement
• Quick remediation
• Early breach detection, mitigation, improving security posture
• Continuous monitoring
Timeline graphic: 2013 to 2016; labels “Security Use Cases” and “Focus On Visibility”.
With Splunk: Flexibility, Fast Time to Value
• Solution
– Aggregate multiple data sources
– Not just for security products but other IT assets / data sources
– Build custom searches and reports into existing process
– Continuous monitoring across entire infrastructure
– Security incident response time measured in minutes
“All data is security data”
Use of Splunk at Aaron’s
• Real-time Detection
• Remediation
• Security Alerts & Threat Response
• Compliance & Reporting
“We help our customers build credit. It’s important to keep our relationship with our customers a trusting one. We utilize Splunk to make sure we keep the trust relationship growing.”
Splunk at Aaron’s Inc
• Data sources
– Corporate Firewalls
– Carbon Black
– Store Firewalls(2500)
– AD Logs
– VPN logs
– Vulnerability Management
– Threat Intel
– Mail Servers
– Database Audit Logs
– IPS / NGFW
– Application Logs
• Architecture
– Forwarders (Universal and Heavy)
– 2 Indexers
– General search head + ES Search Head
• Data Volume
– Indexing ~190 GB per day (doubled since 2013)
– Waiting for more license capacity for another 200+ GB
• Users
– 40 regular users, 115 infrequent users
Splunk Roadmap at Aaron’s
Phase I -> Phase II
– Additional data sources
– Greater enrichment & correlation
– Increase automation & integration
– Additional metrics & dashboards
– Expand into applications
– Implement ES
– The Hunter Project
Best Practices and Lessons Learned
• Walk then run!
– Show value quickly
• Dashboards for Executive Management
– Get a holistic view on your data, big picture, make better decisions
• Network
• Attend .conf16
With Aaron's is a merchant. What we do, we provide opportunity for individuals to rent household appliances, furniture and things like that. And these are individuals who normally cannot (fully be accredit), so we assist them. And we have our own special engine that do that, but the main thing about Aaron's is built on relationship with our customers. And we help our customers (build) credit when they're in. And we provide in the opportunity to grow and they come back. They keep coming back to us because of that relationship.
So myself I've been in the Information Security over 10 years. The different from network engineering to one on building management but now on building out the infrastructure of how we want to grow Splunk from where it is now to something more dynamic. It was called the (antique) program that my director is looking to achieve where it's, where you'd know the overall risk internally and externally. (Well,) and quantify that risk and react to – and that's the (X submission).
So it's important for us to keep our relationship not just from a sales standpoint but by our trust standpoint. So, that's where we're developing our security program and it's growing and we utilize Splunk to make sure that we keep as trust relationship growing with our customer and grow the business.
Difficult to ascertain compliance levels
Exports were difficult to provide
"Checking a single server was like Swiss cheese" >> little confidence in the results coming back...
"We have Splunk, why don't we use Splunk to do the dashboard, and they had not thought about that."
When I start telling them, well, they're talking about in just in logs, "We have different tools, security tools." I'm like, "Wait a minute, we (come) in just those into Splunk too. There's app, there's easy interface and then we can do cross-querying." "Yes. Yes." And so, after I suggested that, it's, "Hey, Splunk is yours," you know. So, you know…
I can relate to those people. We just got to drop on them. And just – I'm just been familiar with the tool from before, so I made a value of what it could do.
And I'm – I also was consulting at Norfolk Southern. So they bought Splunk and are using like that. Even in the meetings, I was telling their (CFO) because they were looking at first in coalesce. They just bought it. I was telling them how to set up. (There's a – not a stack). I was telling them how to ingest that information and all these different information from within the environment. And then, I finished consulting there and I came over to Aaron's.
Aaron's got Splunk a couple years ago just to we had to comply with the PCI requirements. That's how it first kicked all. So now, we're going at least see the value of it, so we're growing it in called a (prong). This one is from a security side we're ingesting our firewall logs, (one) building management tool, coalesce, we're ingesting that information. And a firewall logs. Firewall, (ID) VPN logs to get a holistic picture of what is going on. So – and we got Carbon Black and some other tool. So when an alert will occur, we can see and do two correlations of the event and what's occurring. That's Phase 1.
Phase 2 were our application folks are slowly seeing the value, because of them and not from a different tools to just analyze what's going on with the different applications and things like that. But they slowly realizing the power of Splunk. So we're (growing) that into that second phase or the first phase is overall for the security staff on.
We have multiple tools that we ingest. And in couple of years ago, since we started for the (PCI) we think one it's slowly. So, this year I came in because my backbone and we done on one building management program. And part of what we're doing the one building management program is getting and put into Splunk which (it wasn't), so I'm basically (acting) and growing the program of how Splunk is going to be used.
And we're also using it from looking at threats, so we have the coalesce feed interesting, we know to form abilities, we identified a system, so we can now map and basically address certain risks. So if Microsoft release affordability or anything like that, what we'd do, we're going to Splunk and we can query our system to saying, "OK, which one is more affordable because we're having that threat feed in there." We can track our pack – our patching within Splunk. We have our dashboard that quantifies the risk going down. We see that everyday going over time.
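The correlation the speaker describes (a vendor advisory or threat feed joined against the vulnerability-management inventory to answer "which of our systems is exposed", then a dashboard metric that shows the open risk falling as patches land) is shown below as an added Python example. It is not code from the talk and not a Splunk feature; in a Splunk deployment the same join would be a search across the threat-intel and vulnerability indexes. The hosts, product names, advisory ids (`ADV-EXAMPLE-*` placeholders, not real bulletins), severity weights and patch events are all constructed for the example.

```python
"""Vulnerability-feed to asset-inventory correlation with a patch-risk trend.

Added example; not code from the talk and not a Splunk feature. All hosts,
products, advisory ids, severity weights and patch events are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Weight per severity used to quantify open risk; constructed for the example.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: Version


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE or vendor bulletin
    product: str
    fixed_in: Version  # first version that is no longer affected
    severity: str


def parse_version(text: str) -> Version:
    """Turn '10.0.14' into (10, 0, 14) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed asset inventory, shaped like a vulnerability scanner's host/software export.
INVENTORY = [
    Asset("store-0042-pos", "ExampleOS", parse_version("10.0.14")),
    Asset("store-0101-pos", "ExampleOS", parse_version("10.0.14")),
    Asset("hq-dc01", "ExampleOS", parse_version("10.0.20")),
    Asset("hq-web01", "ExampleWeb", parse_version("2.4.1")),
    Asset("hq-db01", "ExampleDB", parse_version("12.1.0")),
]

# Constructed threat feed; the third entry is already fixed everywhere and must match nothing.
FEED = [
    Advisory("ADV-EXAMPLE-001", "ExampleOS", parse_version("10.0.20"), "critical"),
    Advisory("ADV-EXAMPLE-002", "ExampleWeb", parse_version("2.4.3"), "high"),
    Advisory("ADV-EXAMPLE-003", "ExampleDB", parse_version("12.0.0"), "medium"),
]

# Constructed patch events: (date applied, host, advisory closed).
PATCH_EVENTS = [
    (date(2016, 3, 2), "store-0042-pos", "ADV-EXAMPLE-001"),
    (date(2016, 3, 4), "hq-web01", "ADV-EXAMPLE-002"),
]

DAYS = [date(2016, 3, d) for d in (1, 2, 3, 4)]


def affected_assets(inventory: List[Asset], advisory: Advisory) -> List[str]:
    """Hosts running the advisory's product at a version older than the fixed release."""
    return sorted(a.host for a in inventory
                  if a.product == advisory.product and a.version < advisory.fixed_in)


def open_findings(inventory: List[Asset], feed: List[Advisory]) -> Dict[str, List[str]]:
    """Advisory id -> affected hosts, dropping advisories that hit nothing."""
    findings: Dict[str, List[str]] = {}
    for adv in feed:
        hosts = affected_assets(inventory, adv)
        if hosts:
            findings[adv.advisory_id] = hosts
    return findings


def findings_as_of(inventory, feed, patch_events, as_of: date) -> Dict[str, List[str]]:
    """Open findings with (host, advisory) pairs removed once a patch event closes them.

    A patch event is taken as closing the finding; a rescan of the host is the
    authoritative confirmation and should replace this shortcut in practice.
    """
    patched = {(host, adv_id) for when, host, adv_id in patch_events if when <= as_of}
    remaining: Dict[str, List[str]] = {}
    for adv_id, hosts in open_findings(inventory, feed).items():
        still_open = [h for h in hosts if (h, adv_id) not in patched]
        if still_open:
            remaining[adv_id] = still_open
    return remaining


def risk_score(findings: Dict[str, List[str]], feed: List[Advisory]) -> int:
    """Severity-weighted count of open host/advisory pairs."""
    weight = {adv.advisory_id: SEVERITY_WEIGHT[adv.severity] for adv in feed}
    return sum(weight[adv_id] * len(hosts) for adv_id, hosts in findings.items())


def risk_trend(inventory, feed, patch_events, days: List[date]) -> List[Tuple[date, int]]:
    """One (day, score) point per day: the series a risk dashboard would plot over time."""
    return [(day, risk_score(findings_as_of(inventory, feed, patch_events, day), feed))
            for day in days]


def example_trend() -> List[Tuple[date, int]]:
    """Trend over the constructed data: scores 27, 17, 17, 10 for 2016-03-01..04."""
    return risk_trend(INVENTORY, FEED, PATCH_EVENTS, DAYS)


if __name__ == "__main__":
    for adv_id, hosts in open_findings(INVENTORY, FEED).items():
        print(f"{adv_id}: {', '.join(hosts)}")
    for day, score in example_trend():
        print(f"{day} open risk = {score}")
```

The version comparison is the part that most often goes wrong in such a join: comparing "10.0.9" and "10.0.14" as strings puts the patched host on the wrong side, so versions are parsed into integer tuples first. The score is deliberately a simple severity-weighted count of open host/advisory pairs, which is enough to give the "risk going down" curve the speaker describes; any weighting that fits the organisation can be substituted in `SEVERITY_WEIGHT`.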
Put checks on compliance and reporting & remediation
Put something (perhaps a target) to indicate "in-process" on the others
Well, we're using Splunk from Splunk our red team standpoint. We have a red and blue team or blue team for investigations, alerts that we're receiving to try and find out exactly where that alert is coming from. And that's been the normal use of it so now we're enhancing that use by adding the third-party plug-ins to pull that data into Splunk, so we could get a much larger picture of what's going on within the environment.
And if there an alerts we've used it. We've had a third-party coming in and do 10 tests. So we look at those alerts. So out there we're doing the (exploits). We've seen those alerts because of certain tool we had out there. We're seeing that alert and to correlate where the alert was coming from, to correlate which machine was doing the attack and identify that. So from an incident management standpoint, we were seeing – we're slowly seeing the big picture going forward.
Data Sources
Current:
Corporate Firewalls
Carbon Black
Store Firewalls
AD
VPN
Vulnerability Management
Threat Intel
Mail Server
Database Audit Logs
IPS / NGFW
Application logs
Phase I
We will be looking at the enterprise, the Security Enterprise soon because we're getting – we're making sure we get all the feeds lined up and then we're going to go ahead and pull that in and see. You know, we're been doing it manually but now we'll go into that, trying to move to that next level because we're not a 24 by 7 security operations. Right now, we're not stuck yet but we're trying to grow slowly.
Architecture!!!
We're trying to see kind of big holistic – you're looking at from a holistic standpoint on see internal and external together. So, we can get a big picture and make better decisions.
Need some sort of "scales of justice"