Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Splunk in the Cisco Unified Computing System (UCS)


Published on

Cisco has been a Splunk customer for 8 years, with a strong engineering partnership for 3+ years. Learn how several Cisco customers as well as Cisco IT have deployed, grown, and transformed our businesses using the advantages of Splunk Enterprise software together with Cisco UCS and Nexus hardware. We will also talk about scalability and performance considerations for all scales of data footprint and business growth.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Splunk in the Cisco Unified Computing System (UCS)

  1. 1. Bob Fosina, Cisco Big Data& Analytics Tweeter at @rfosina July 12, 2016 Splunk in the Cisco UCS Ecosystem How Cisco and its customers deploy, use, and scale Splunk environments with the Cisco Unified Computing System
  2. 2. Who am I and why am I here? Today: Business Development Manager for Cisco’s Americas Partner Organization Focused on big data and analytics Previously: IT Engineer for a major food company Helped build a pre-sales consulting organization for a major manufacturer Went to the dark side, had the lobotomy - Sales Specialist driving x86 technologies Enterprise Account Manager – entire portfolio Business Development Manager driving new and disruptive technologies
  3. 3. Agenda • Hardware still matters! • How Cisco uses Splunk internally • How some of our customers use Splunk on UCS • Cisco integrations with Splunk • The Unified Computing System advantage • Learn More
  4. 4. Hardware Still Matters A quick glance at infrastructure for Splunk
  5. 5. Why does hardware still matter? 5 • Splunk will run on almost anything (even my laptop) • Standalone servers have lower admin overhead • Grow your data sources, uses, or users and you have to add servers • Do you pre-buy servers? • Build up your clusters and you have to keep them consistent • Firmware stack in synch? • If not, how long before your cluster become constipated?
  6. 6. Why does hardware still matter? 6 • Customer’s big data pools tend to grow 2-3x per year • Customer’s IT staff doesn’t grow as fast • Many budgets decrease!
  7. 7. Why does hardware still matter? 7 • The Cisco Unified Computing System (UCS) provides scalable, repeatable, predictable, and manageable deployments across dozens to thousands of servers for any application deployment • Pallet to production in hours, not days or weeks • Deep engineering integration between Cisco and Splunk with tested and proven configurations More on this later…
  8. 8. How Cisco Uses Splunk Part 1 Operational Analytics at Enterprise Scale within Cisco IT
  9. 9. Big Data at a Big Customer: Cisco 9 • 10s of thousands of employees, contractors, devices • 100s of offices, business apps, audiences • Lots of data in lots of places • No one tool (not even Splunk) can do everything for everyone all the time • High volume, low value, low shelf life (IE Netflow) • Lancope, Hadoop feed into Splunk • Tetration will also feed into Splunk • Low to moderate volume, high value, (any) shelf life • Splunk on its own, sometimes with fronting dashboards • Additional visualizations with Platfora, SAS, Tableau, etc
  10. 10. A closer look at Splunk within Cisco 10 • Customer for 8+ years, strategic partner for 3+ years • Geographically disparate data collection and analysis • Over 70 business applications/use cases across the company • Around 20 teams using Splunk including Cisco IT and CSIRT • Nearly 10x growth in search volume from 2014-2015
  11. 11. Splunk Searches – Daily Average 1. Interactive Searches = 55K+ 2. Scheduled Searches = 45K+ 3. Total Searches = 100K+ 4. Number of Users = 180+
  12. 12. 10 Indexers 16 Search Heads reduction thanks to search head clustering in Splunk 6.2 47 Search Heads 20 Indexers Daily Indexing ~ 2TB 2014 2014 2015 2015 2016 Cisco’s IT Operations Evolving with Splunk Daily Indexing 300G 2010
  13. 13.  Pre 6.2 environment
  14. 14. 6.2 environment
  15. 15. How Cisco Uses Splunk Part 2 Security Analytics at Enterprise Scale: Cisco’s Computer Security Incident Response Team (CSIRT)
  16. 16. About CSIRT • Cisco Computer Security Incident Response Team (CSIRT) • CSIRT = Security Monitoring and Incident Response • Architecture, Engineering, Research, and Investigations • Enterprise global threat and 24x7 incident response
  17. 17. CSIRT Environments Recent Snapshot  300 locations in 90 countries  400 buildings  1500+ labs  100,000+ employees on network  50-300 malware-related cases opened in a typical week  650,000+ ip devices on network  130,000 windows hosts  50,000 Linux hosts  40,000 routers  2-3 million highly tuned ids events per day  10+ billion netflow records per day
  18. 18. Deploying Splunk as SIEM • SIEM: Security Information and Event Management platform – Easy to index any type of machine data from any source – Over 60 users doing investigations, correlations, reporting, advanced threat detection – All the data + flexible searches and reporting = empowered and effective team – 2TB/day and searches take less than a minute. 7 global data centers with 350TB stored data – Flashback Malware contained to a fraction of the environment – Replaced older pre-big-data SIEM (our legacy MARS system)  Previous solution didn’t scale effectively  Queries in the minutes (or worse) rather than seconds with Splunk  Diverse functionality across the same aggregate data
  19. 19. Cisco’s IT Operations Results  Proactive monitoring enables 50% reduction in high priority issues  80% reduction in operational costs  90% improvement in problem resolution and root cause analysis times  Improvements in system stability, availability and performance  Aggregated multiple siloed systems into Splunk at 25% of cost  846% increase of search volume per day in one year  Operational Intelligence in minutes rather than hours “Splunk pulls data from all the logs and gives our operations teams a single place to look and work together to solve problems.” — Piyush Bhargava, Distinguished Engineer, Cisco IT
  20. 20. Looking at our customers Successful deployments with Cisco UCS and Splunk
  21. 21. Threat Management at Govt Agency 21 • Agency wanted to manage and monitor all relevant alert data • Needed visibility across multiple security platforms • Centralized on scalable appliance model through a partner • Splunk Enterprise with Enterprise Security[1] premium app • By deploying on Cisco UCS with proven Cisco Validated Design, partner was able to deliver easily upgraded and expanded deployment with predictable results – a recipe for success! [1] Splunk won Best SIEM Solution (Enterprise Security) and Best Fraud Prevention Solution (Splunk Enterprise) awards from SC Magazine earlier this year (Splunk press release)
  22. 22. Fraud prevention for Online School 22 • Leading online university needed to track student activity • Federal agencies have stringent requirements for loan qualifications and fulfillment • Deployed Splunk on UCS for student activity tracking • Blocking millions in fraudulent loan claims • Saving over 75% on auditing and compliance expenses • Saving over $1M/year on data processing • Deployed and expanded other analytics (security operations, IT operations, and application deployment) • Splunk on UCS grows beyond initial use cases and teams at most of our customers
  23. 23. 23 • Leading worldwide financial services company used Splunk for IT Operations analytics • When an electronic payment platform deployment came up, Splunk was enlisted to support rollout and monitoring in ridiculously short time frame • Apple Pay in 4 Months! • Speed and scalability led to use cases for security and fraud detection/prevention, marketing optimization, customer engagement and offers, and more • Customer continues to grow their Splunk environment (over 10x in first year, and still growing!) IT Ops & beyond for financial services
  24. 24. 24 • Customer needed quick updates, secure services, and high availability • Deployed Splunk Enterprise on UCS to replace older hardware and software platforms that didn’t scale well • Splunk and UCS delivered a more robust security posture with faster investigation and resolution of security events • Did you know there is a underground market of $10-$20 per stolen health care record! • High performance security analytics solution enables hospital to identify attack patterns and unauthorized actions that would otherwise go undetected. • Reduced space/power/cooling by 75% • Server deployment time reduced from 7 days to 1 day. See Cisco’s case study at and Splunk’s case study at Secure Healthcare at Union Hospital
  25. 25. Got Cisco? There’s an app for that… (or a technology add-on, at least)
  26. 26. CiscoSecuritySuiteApp Splunk & Cisco Integrations Security Identity Services Engine (pxGrid) Sourcefire (including AMP) ASA/PIX/FWSM Firewalls Web Security Appliance (WSA) Email Security Appliance (ESA) IPS Cloud Web Security (CWS) AnyConnect OpenDNS, ThreatGrid (in development) Data Center/ Insieme Cisco UCS Nexus 9K Application Centric Infrastructure (ACI - APIC) UCS Integrated Infrastructures Optimized for Splunk Enterprise High Performance High Capacity Enterprise Networking Switching and Routing Catalyst Switches Nexus (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000) Meraki Wireless NGN Routers (CRS, ASR, ISR) Open SDN Network Controller APIC EM Collaboration Call Manager • Inaugural SIEM & Threat Defense Partner • Inaugural pxGrid partner • Inaugural member of new Cisco Security Technical Alliances program • Inaugural ACI Partner • Inaugural Data Analytics Partner • Cisco Cloud Security for VMDC 1.0 Design Guide (link) • Cisco UCS Integrated Infrastructure for Splunk Enterprise (Distributed Deployment, High Capacity) (link) CiscoNetworksApp
  27. 27. Splunk App for Cisco UCS NEW AND IMPROVED as of May 28, 2016 Aggregates, monitors, trends and analyzes all relevant data from Cisco UCS Manager instances Enables proactive capacity and performance monitoring/ management, fault trending, power and cooling, and more Works with other Splunk add-ons and data sources (including Enterprise Security and PCI Compliance add-ons) to aggregate and correlate data across your enterprise 27 Applications Operating Systems Hypervisors UCS server, storage, network
  28. 28. Splunk on Cisco UCS
  29. 29. What is Cisco’s Unified Computing System (UCS)? Unified Management: UCS Manager uses policy-based configuration to ensure consistent deployments Service Profiles: Maintain consistency across batches of servers and multiple applications. Deploy, expand and MAINTAIN in record time. Unified Fabric: Integrated 10/40 Gigabit Ethernet and Storage Networking (FCoE/iSCSI) Performance: Built with 10GbE and 40GbE at the core, repeatable configurations and performance, and over 100 benchmark records
  30. 30. Why Splunk on Cisco UCS? Time to Deployment: Spin up a mutually validated, pre-tested environment in hours rather than days or weeks Time to Value: Less than a week! Total Cost of Ownership: Integrated networking and management reduce customer cost and effort to migrate, deploy, and expand Time to Grow: Expand servers and network capacity quickly and consistently
  31. 31. 250 GB indexed per day 4 months retention 250 GB indexed per day 1 month retention Single Server Cisco UCS Reference Architectures UP to 4TB indexed per day 3 months Retention Up to 4TB indexed per day 1 year Retention Clustered Deployment Retention optimized Performance optimized
  32. 32. Cisco Validated Design (CVD) for Splunk • Developed by Cisco and Splunk engineers in Spring 2015 • 250+ page guide to design and deployment, pallet to production • Based on UCS C-Series (C220, C240, C3260) servers and Splunk Enterprise software • Includes high availability & data archiving • Download for free at
  33. 33. Splunk on UCS : Performance Benchmark Test bed Topology
  34. 34. Cisco UCS Benchmark Results (Splunk Enterprise 6.2 vs 6.3) Cisco is Testing with 6.4 now!
  35. 35. Cisco UCS + Splunk = Better Together Seamless Scalability Facilitates Rapid Growth – Scale Splunk from a single server to distributed/clustered deployment – Grow your clusters efficiently and consistently – Runs on the same UCS C-Series servers as other big data platforms Split Second Response Times – Exceptional performance for “needle-in-a-haystack” searches – Consistent performance as simultaneous users increase Simplified Repeatable Deployments – Four pre-tested UCS Integrated Infrastructures – Capacity or performance optimization – NEW! Cisco Validated Design (CVD) with HA and Archiving
  36. 36. Learn more about Splunk and Cisco UCS
  37. 37. SplunkBase app resources: Cisco’s Big Data Design Hub: features Cisco Validated Designs (CVDs) and other architectural docs Big Data Applications Hub: features reference architectures, solution briefs, infrastructure, automation, etc. Reach Out! • Already using Splunk? Talk to your Splunk team about Cisco UCS! • Already using Cisco UCS? Talk to your Cisco team about Splunk! Cisco Marketplace - Learn More About Splunk on Cisco UCS!
  38. 38. Cisco’s CSIRT engineers applied their experiences during the CSIRT deployment to a new O’Reilly book now available “they wrote the book …” 38
  39. 39. Download our SplunkLIVE! Content On Flash Drive e-Download
  40. 40. Thank you.