
Josh Diakun - Cust Pres - Splunk Partner Event



Slides from my most recent presentation on how I've grown & utilize Splunk from my former IT Ops days onward... This was my 6th time doing a customer presentation at a Splunk event. The original copy had my employer's branding, etc., but I've removed that to make things simpler, hence some of the ugly empty space :)

Published in: Technology


  1. Josh Diakun, Specialist, Info Sec Operations (@iam_joshd). December 14, 2012. PUBLIC
  2. The Challenge Before Splunk: a fault occurs, confusion ensues, weekend work, no clarity and lots of stress.
  3. Why Splunk?
  4. Security was the primary driver.
  5. So we went looking… Reviewed LogLogic, ArcSight and others. Bought on price, speed, and support for open source platforms. Bring logs together in a single system. Try-and-buy model.
  6. Splunk = Simplicity & Clarity
  7. What's Feeding Splunk: Active Directory, IPS/HIPS, host performance data, syslog, custom application data, AV data, webserver logs, firewall data, enterprise storage metrics, VPN data, database audit logs, SNMP data, SSO application data, backup event data, external sources (i.e. blacklists), proxy logs, physical badge access data.
  8. Use Cases: Application Monitoring and Troubleshooting; Traffic Monitoring and Trends; Reporting for Enterprise Storage System; Security Analysis.
  9. Building an Enterprise Security App: Worked with the Security dept. using a GQM (Goal-Question-Metric) approach to understand their goals and map them to metrics. Worked with IT architecture and development. Menu and form driven: users can quickly find the view and information they need. Over 80 reports driven through 8 menus and 26 individual views!
  10. Enterprise Security App: Menu-driven navigation. Easily access the reports needed. Enables better control and policy decisions.
  11. Enterprise Security App – Highlights! Ability to build relationships between data from different sources. Proper relationship analysis leads to proactive alerting and event triggers. On-demand access to data and reports enables timely decisions. Alerting on "out of the norm" privilege escalations from unauthorized users and applications, enhanced by external lookup tables that act as information registries for users and provide asset classifications. Monitors possible data loss by identifying and alerting on attachments and files destined for external domains. Correlates physical data (i.e. badge swipes) with network and application logs to provide a clear understanding of where and when users are accessing the network. Identifies malicious behavior based on event timing between web applications and underlying technologies (i.e. databases).
  12. Enterprise Security App – Session Profiling: (1) Using a given "Session ID", builds the earliest known footprint, even if the Session ID is not known in the events from other applications or devices. (2) Ability to save the search, export, print & share results. (3) The entire footprint is constructed through all applications and devices that were touched during the user's session. (4) Visually differentiate device & application events based on icon type.
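The two ideas on slides 11 and 12 that matter most to a detection engineer are the badge-swipe/VPN correlation and the session footprint. The block below is an added example, not code from the presentation or from the app it describes: it reproduces both in plain Python over a handful of constructed key=value log lines (hypothetical users, hosts, session IDs and IP addresses), with a small dict standing in for the external "information registry" lookup tables the slide mentions. In the real deployment this would be a Splunk search with `lookup` and `transaction`; the logic is the same.

```python
"""Badge/VPN correlation and session footprint over sample logs.

Added example, not from the presentation. All events, users, hosts and
session ids below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from four of the sources named on slide 7:
# badge readers, VPN concentrator, web application, database audit log.
RAW_EVENTS = """\
2012-12-14T08:01:10 source=badge user=alice door=HQ-Lobby action=entry
2012-12-14T08:03:42 source=webapp user=alice session=S-1001 host=web01 path=/login status=200
2012-12-14T08:03:43 source=db user=alice session=S-1001 host=db01 query=SELECT_ACCOUNTS rows=1
2012-12-14T08:15:00 source=vpn user=bob session=V-7 host=vpn01 action=connect src=203.0.113.9
2012-12-14T08:20:30 source=badge user=bob door=HQ-Lobby action=entry
2012-12-14T08:21:05 source=webapp user=bob session=S-1002 host=web02 path=/export status=200
2012-12-14T08:21:06 source=db user=bob session=S-1002 host=db01 query=SELECT_ALL_CUSTOMERS rows=52000
2012-12-14T08:40:00 source=vpn user=carol session=V-8 host=vpn01 action=connect src=198.51.100.4
"""

# Hypothetical lookup tables playing the role slide 11 gives to external
# "information registries": who each user is and what each host holds.
USER_REGISTRY = {"alice": "finance", "bob": "contractor", "carol": "sales"}
ASSET_CLASS = {"web01": "app-tier", "web02": "app-tier",
               "db01": "restricted-data", "vpn01": "network-edge"}


def parse_events(raw):
    """Parse '<iso-timestamp> k=v k=v ...' lines into dicts, sorted by time."""
    events = []
    for line in raw.splitlines():
        ts, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def badge_vpn_conflicts(events, window=timedelta(minutes=30)):
    """Flag users whose badge entry and VPN connect fall within `window`.

    Someone who just swiped into the building should not also be arriving
    from outside over the VPN; that pair is the "out of the norm" event the
    slide alerts on. The registry lookup adds the user's role to the finding.
    """
    badges = defaultdict(list)
    for ev in events:
        if ev["source"] == "badge" and ev.get("action") == "entry":
            badges[ev["user"]].append(ev)
    findings = []
    for ev in events:
        if ev["source"] != "vpn" or ev.get("action") != "connect":
            continue
        for b in badges.get(ev["user"], []):
            if abs(b["time"] - ev["time"]) <= window:
                findings.append({
                    "user": ev["user"],
                    "role": USER_REGISTRY.get(ev["user"], "unknown"),
                    "badge_time": b["time"].isoformat(),
                    "vpn_time": ev["time"].isoformat(),
                    "src": ev["src"],
                })
    return findings


def session_footprint(events, session_id):
    """Every event carrying `session_id`, in time order, tagged with the
    asset class of the host it touched (slide 12's footprint across all
    applications and devices a session passed through)."""
    return [
        (ev["time"].isoformat(), ev["source"], ev["host"],
         ASSET_CLASS.get(ev["host"], "unclassified"))
        for ev in events if ev.get("session") == session_id
    ]


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for f in badge_vpn_conflicts(evs):
        print("ALERT badge/VPN overlap:", f)
    for step in session_footprint(evs, "S-1002"):
        print("footprint:", step)
```

On the constructed data the correlation fires once, for bob, whose VPN connect precedes his badge entry by five minutes; the footprint for S-1002 then shows that same session going from the app tier into a host classified as restricted data, which is the kind of cross-source chain the slide's "relationship analysis" refers to.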
  14. RSA SecurID Appliance: Provides an entire view of all actions against your SecurID appliance. Understand user actions, admin actions, etc. Identify "out of the norm" events over short time frames. Dashboards: Summary, User Activity, Network Activity & Event Search Form.
  15. HDS Enterprise Storage Analytics: Provides the ability to easily drill down into resource utilization by host, port, parity group & cache partition. Easily identify bottlenecks. Allows access to activity in near real time.
  16. Application Monitoring: Provides access to production data without the need for access to production systems. Ability to understand user actions throughout their lifetime in the application. Understand function & method calls: execution times, responses, size of calls, etc.
  17. Summarized Benefits: A more proactive view of the applications and infrastructure. Faster investigations & fault identification. Improved performance of business initiatives such as marketing campaigns. Simplified business processes, meaning resource time is freed up, allowing focus on new initiatives.
  18. Provides $100,000 ROI as an analytics engine for our enterprise storage system. File delivery issues were previously costing $1,125 per incident with an avg. of one incident per week, costing $58,500 per year. Splunk reduced the cost per incident to $75, or $3,900 per year: $54,600 savings per year!! Extensive soft cost savings: ability to configure real-time alerts for quicker response times, preventing potential data & profit loss; improved performance of business initiatives such as marketing campaigns. Splunk TCO is less than 10% of the $$ savings.
  19. Splunk increases productivity for our Security department by approximately $500,000 PER YEAR!
  20. Everyone's Happy!
  21. What Splunk Taught Me… Listen. Prioritize the data. Make the data sexy.
  22. "Make everything as simple as possible but not simpler" – Albert Einstein