
SplunkLive! Milano 2016 - customer presentation - Saipem


ITOps & Security


  1. SAIPEM ITOps & Security
  2. Thursday 7 April 2016. A heterogeneous Splunk adoption: all you can eat!
  3. SAIPEM: a leading global EP(I)C general contractor
     - Operating in more than 60 countries
     - ~45,000 employees from >129 nationalities
     - 29 engineering and project execution centers worldwide
     - 11 fabrication yards in 5 continents
     - Engineering & Construction: full-service EP(I)C provider; distinctive "frontier focus" in the Oil & Gas industries; the most modern, technologically advanced offshore construction fleet
     - Drilling: high-quality player onshore and in niches offshore
  4. SAIPEM IT figures
     - 3 main datacenters: San Donato Milanese, Paris, Chennai
     - 114 remote sites
     - 46 vessels
     - 3000 servers, 85% virtual
     - 5 petabytes
     - 100 MPLS links
     - 90 satellite links
     - 50 VoIP call managers, 300 videoconference endpoints
  5. Agenda
     - Splunk timeline
     - L.I.S.A. – Splunk Unique Portal
     - Log Management & Security: Internet Access; Monthly Security reports
     - Infrastructure & Application: Configuration Management; Software Inventory; Perpetual Patching Calendar; SOX Replica; Level 1 Console; ISO 27001; License Utilization
  6. Splunk at Saipem timeline: domains of adoption by year
     - 2012 REGULATIONS: meet SOX and Privacy compliance
     - 2013 GOVERNANCE: IT vision & IT operation dashboards
     - 2014 RELIABILITY: gain visibility on backup coverage and policies
     - 2015 SECURITY: manage security events with the Saipem SIEM
     - 2016: Splunk, a useful tool which has found different application fields...
  7. Splunk sources (diagram; labels recovered from the slide). Categories: Endpoint, Infrastructure, Network, Server, Applications. Sources: MDM, ActiveSync, uberAgent, Firewall, IPS, Next Generation Firewall, Proxy, Authentication, Network devices, DHCP, Load Balancer, AntiSpam, DNS & HTTP accelerator, VPN, Web Application Firewall, CMDB, IP Management, Licenses, Backup, IPPlan, Anti-malware, Vulnerability Assessment, Audit, System Management, AD, DB Activity Monitor, Availability, Web Servers, Application Servers.
  8. L.I.S.A. – Splunk Unique Portal
  9. L.I.S.A. – Splunk Unique Portal: Log Management & Security
  10. L.I.S.A. portal map (diagram; labels recovered from the slide). Areas: Splunk CORE (Infrastructure), Compliance, Log Management & Security, Services, Security Domains, SIEM / Security Operation. Labels: Infrastructure Log Management, Active Directory Account Control, Application Log Management, login/logout, AdS, Adaptive Perimeter, Log Continuity, Syslog checks, Access control, Firewall, DHCP investigation, Web Application Firewall layer, Authentication, Compliance & Security, Vulnerability Assessment, Endpoint Protection, MDM, Next Generation Firewall, Proxy, Lockout Analysis, Splunk Monitoring, Remote Management, VPN Dashboard (login, deny), User Investigation, Log Governance, Utilities & Services, Remote Vendor Access, Network Devices, Internet Access, Admin accounts, Anomalies, Security, Advanced Threats, Event Investigator, Identity Investigator, Asset Investigator, Security Posture, Incident Review, Risk Analysis, Threat Activity, Protocol Intelligence, HTTP Analysis, Traffic Size Analysis, Access, Endpoint, Network, Identity, Access Center, Account Management, Default Account Activity, Malware Center, Endpoint Changes, Update Center, Traffic Center, Intrusion Center, Vulnerability Center, Asset Center, Identity Center, Session Center, VPN Sessions, VPN Client details, Malware Investigation, Security Overview, IP Analysis, HTTP Accelerator, Firewall, IDS, Load Balancer, Availability, Server Audit, Integrated Risk, Antispam, WAF, IPS monitoring, Regional Security.
  11. Internet Access – Authentication need: proxy authentication needs browser authentication. The diagram shows a user (John Doe, either EMPLOYEE or EXTERNAL) on the SAIPEM INTRANET holding a Kerberos ticket and an authenticated SESSION through the Proxy Server to the INTERNET.
  12. Internet Access – "We already know those guys!" Which information is collected with Splunk: domain authentication (AD), Wi-Fi authentication, VPN authentication.
  13. Internet Access – Splunk "under the hood": Splunk sends authenticated users to the proxy. Diagram: AUTHENTICATED USERS → Correlation & Enrichment → USER + IP SESSIONS → Proxy Server. The flow is constantly monitored.
  14. Monthly Security reports – The past: central IT collects global reports (Antivirus, Intrusion Prevention, Vulnerability, Mobility). Diagram labels: SOC, Head of Security, Manager.
  15. Monthly Security reports – New challenge: new Saipem IT regional managers.
  16. Monthly Security reports – New solution: one dashboard to rule them all. "Regional" geolocation, data representation, filtered view. Sources: Next Generation Firewall, Intrusion Prevention System, Endpoint Protection, Antivirus Protection, Vulnerability Management, Mobile Device Management.
  17. Monthly Security reports – Tailored monthly security reports: less is more. Geographical scope, enhanced visibility, less effort.
  18. Security Overview: one-stop dashboard for security monitoring (IPS, Load Balancer, Web Application FW, IDS, Firewall, HTTP Accelerator). Infrastructure status, application status, user categorization.
  19. IP Analysis: "Tell me who you are and I will tell you your story". Geolocation, user agents, threat score, correlation.
  20. Investigation: details for every pillar of the security architecture. Vertical drilldown, anomaly detection, predictive analysis.
  21. L.I.S.A. – Splunk Unique Portal
  22. L.I.S.A. – Splunk Unique Portal: Infrastructure & Application
  23. Configuration Management – Overview: the CMDB app allows browsing the Saipem IT infrastructure. Device geolocation, worldwide control.
  24. Configuration Management – Detailed view: device details gathered by the discovery process. Hardware, network card, installed software, running services.
  25. Configuration Management – Open SR: integration with the trouble-ticketing system. Daily extraction, VM ownership.
  26. Software Inventory – Overview: counting the number of installed software packages (counts masked on the slide). SCCM integration, data normalization, main software.
  27. Software Inventory – Analytics: licence economics simulation (example data). Windows Server OS licence: Standard vs Datacenter.
  28. Perpetual Patching Calendar: server reboot time management. Shared calendar, configurable slots, vCenter integration.
  29. SOX Replica: monitoring backup replica execution result.
  30. Level 1 Console: gathering monitoring alerts in a single dashboard. Updated in real time; Nagios alerts, SCOM alerts; "3 CRITICAL ALERTS ARRIVED".
  31. ISO 27001: measuring application availability.
  32. License Utilization: chargeback of business application license cost. License usage peaks: control license capacity.
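Slides 11 to 13 describe the Internet Access use case: domain (AD), Wi-Fi and VPN authentication events are correlated into USER + IP sessions, and that mapping is pushed to the proxy so that proxy traffic can be attributed to a named user rather than an address. The Python below is an added example, not code from the presentation, from Saipem or from Splunk, showing the core of that correlation over constructed log lines. The log formats, field order, source names and action names are assumptions; the interesting case it handles is an address that is reused by a second user (DHCP lease or VPN pool churn), which must close the first user's session so traffic is never attributed to the wrong person, and proxy lines that match no session, which a monitor should surface.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample authentication events (not real Saipem data).
# Assumed format: <timestamp> <source> <action> <user> <ip>
AUTH_LOG = """\
2016-04-07T08:00:00 ad logon jdoe 10.1.1.5
2016-04-07T08:05:00 vpn connect asmith 10.9.0.20
2016-04-07T09:30:00 ad logoff jdoe 10.1.1.5
2016-04-07T09:45:00 wifi logon mrossi 10.1.1.5
2016-04-07T10:00:00 vpn disconnect asmith 10.9.0.20
"""

# Constructed sample proxy access lines. Assumed format: <timestamp> <client ip> <url>
PROXY_LOG = """\
2016-04-07T08:10:00 10.1.1.5 http://example.com/
2016-04-07T08:15:00 10.5.5.5 http://example.net/
2016-04-07T08:30:00 10.9.0.20 http://example.org/
2016-04-07T09:35:00 10.1.1.5 http://example.com/a
2016-04-07T09:50:00 10.1.1.5 http://example.com/b
2016-04-07T10:30:00 10.9.0.20 http://example.org/c
"""

START_ACTIONS = {"logon", "connect"}      # assumed action vocabulary
END_ACTIONS = {"logoff", "disconnect"}


@dataclass
class Session:
    user: str
    ip: str
    source: str
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def build_sessions(auth_log: str) -> list:
    """Turn authentication events from all sources into user+IP sessions.

    A new logon on an IP closes any session still open on that IP, so a reused
    address is never attributed to the previous user. A logoff only closes the
    session if the user matches, so a stray logoff cannot detach someone else.
    """
    events = []
    for line in auth_log.strip().splitlines():
        ts, source, action, user, ip = line.split()
        events.append((parse_ts(ts), source, action, user, ip))
    events.sort(key=lambda e: e[0])  # sources arrive out of order in practice

    sessions = []
    open_by_ip = {}
    for ts, source, action, user, ip in events:
        current = open_by_ip.get(ip)
        if action in START_ACTIONS:
            if current is not None and current.end is None:
                current.end = ts  # IP reuse: close the previous user's session
            session = Session(user, ip, source, ts)
            sessions.append(session)
            open_by_ip[ip] = session
        elif action in END_ACTIONS:
            if current is not None and current.user == user and current.end is None:
                current.end = ts
    return sessions


def user_for(sessions, ip: str, ts: datetime) -> Optional[str]:
    """Return the user whose session covers (ip, ts), or None if nobody does."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.end is None or ts < s.end):
            return s.user
    return None


def enrich_proxy(proxy_log: str, sessions) -> list:
    """Attach a user to every proxy line; unattributed traffic is marked 'unknown'."""
    rows = []
    for line in proxy_log.strip().splitlines():
        ts, ip, url = line.split()
        user = user_for(sessions, ip, parse_ts(ts)) or "unknown"
        rows.append({"time": ts, "ip": ip, "url": url, "user": user})
    return rows


def unattributed(rows) -> list:
    """Proxy lines with no matching session: the cases the monitoring flow should flag."""
    return [r for r in rows if r["user"] == "unknown"]


if __name__ == "__main__":
    enriched = enrich_proxy(PROXY_LOG, build_sessions(AUTH_LOG))
    for r in enriched:
        print(f'{r["time"]} {r["ip"]:<10} {r["user"]:<8} {r["url"]}')
    print(f"{len(unattributed(enriched))} proxy lines could not be attributed")
```

Run stand-alone it prints the six proxy lines with jdoe, asmith and mrossi attached where a session covers the address and time, and `unknown` for the three lines that fall outside any session (an address never seen in authentication, the gap between jdoe's logoff and mrossi's logon on the same address, and traffic after asmith's VPN disconnect). Those unknowns are the signal worth alerting on in a flow the slides describe as "constantly monitored": either a log source has gone quiet or something is on the network without authenticating. In Splunk the same join is normally done with a lookup or a time-bounded correlation search rather than in Python; the slides do not show the actual searches used.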