This document discusses how Creative Artists Agency, a talent and sports agency, uses Splunk to gain visibility into security data from various sources and streamline security investigations. Before Splunk, CAA had manual and slow security processes. Splunk now provides a single interface to correlate security data and detect incidents like compromised credentials. CAA uses Splunk for investigations, monitoring, auditing, and analytics to improve response times and security posture. Future plans include expanding analytics and evangelizing Splunk's use across other IT groups.

1. Copyright © 2015 Splunk Inc.
Splunk at Crea:ve Ar:sts
Agency

2. 2
Jon Papp
Informa:on Risk Management
Crea:ve Ar:sts Agency

3. 3
A Bit About Me …
! Background in Mechanical Engineering with concentra:on on Robo:cs
! Designed, built, and developed robo:c jet engine manufacturing systems for
Alcoa Power and Propulsion
! Architected huge material handling systems (warehouse sorta:on, airport
baggage handling, shipping and packaging, etc.) for BEUMER Group
! Close friend recommended trying business intelligence consul:ng
! Worked as a Splunk PS consultant across many industries
! Now focused on IT Security at CAA

4. 4
About Crea:ve Ar:sts Agency
! Headquartered in Los Angeles, CA
! 10 loca:ons across 6 countries
– Addi:onal small/home offices
– 4,000 employees
– 6 security staff
! Talent and Sports Agency
– Represent world’s leading ar:sts,
entertainers, athletes, and brands

5. 5
What We’re Protec:ng
! Internal Data
– Agent/Execu:ve data
– Corporate informa:on
– Financials
– Internally developed applica:ons
! Client Data
– Reputa:on
– Personal/Sensi:ve informa:on
– Contracts
– Salary informa:on

6. 6
Security Challenges We Face
! “Target Rich” Environment
– VIPs = prime targets
– Many non-technical users
– High churn rate on assistants
! Variety of Threats
– Leaked creden:als
– Malicious insiders
– Phishing/spear phishing adacks
– Web borne threats

7. 7
Before Splunk
Situa=on
! Manual Processes
– Data from a wide range of point products
– Email threat inves:ga:ons begin with users
– Deeper inves:ga:ons require cross-checking logs
Impact
! Very slow and reac:ve
! Limited ability to do any kind of trend analysis
! No end-to-end picture
! Can’t scale to meet growing needs

8. 8
Example: Phishing Inves:ga:ons
If user ques)ons the validity of an email:
! Sends email to “Is This Safe” mailbox
1. Homegrown tool checks URLs against AV for known malware
2. Generates report
3. Response sent back to user indica:ng safe/not safe
Security team reviews all emails sent to “Is This Safe”:
! Deeper inves:ga:on
1. Manually inves:gate emails
2. If phishing, check email logs for sender/IP/recipients
3. Check web security appliance to see who clicked on URLs
4. Reach out to users to resolve

9. 9
Security Requirements
• Objec=ves
– Eliminate manual processes
– Correlate disparate data sources to
maximize context in security
inves:ga:ons
• Goal
Collect and analyze all security relevant
data to streamline incident inves:ga:ons
and improve incident response :mes
Need a Single Pane of Glass for All Security Data!

10. 10
How We Use Splunk ! Primary incident inves:ga:on tool – single pane of glass
– Correlate and view data from disparate security point products
ê Firewall
ê IPS
ê Cloud service event logs
ê Email security appliance
ê Web security appliance
ê External threat feeds
! Proac:ve Security Monitoring
– Failed / Successful logins
– Data leakage
– Known high-risk IPs
– An:virus threat detec:ons
! Regular Security Audi:ng
– User provisioning
– Password changes
– New device logins
– HR changes
– Security group changes
– New cloud instance crea:on
! Behavioral Analy:cs
– Z score analysis
! Opera:onal Intelligence

11. 11
Incident: Splunk Saves the Day!
! Decommissioned domain controller in Geneva crushed DHCP
– Wireless and unassigned devices lost network connec:on
– Splunk clearly showed the padern
ê Releasing/renewing
ê Authoriza:on failure
– Resolved within 45 minutes!
! Built a custom alert – happened again a few weeks later
– Immediately alerted and resolved

12. 12

13. 13
Incident: Security Risk Alert
! Daily Splunk security audi:ng - monitoring user logins by device ID
! Detected user had 2 new iPhone logins on same day
– Poten:al risk – stolen creden:als used
– Inves:gated user ac:vity in Splunk to gain context
– Reached out to user
! Determined user had purchased new iPhone, broke phone, and
purchased a replacement within the same day

14. 14
Future Plans
! Con:nue to improve security visibility and controls
– Expand advanced proac:ve analy:cs (behavioral modeling, etc.)
! Become an internal evangelist for Splunk
– Branch out from security to help other groups solve their challenges
ê IT opera:ons
ê Product development
ê Financial analy:cs
IT
Opera:ons
Applica:on
Delivery
Developer Plaporm (REST API, SDKs)
Business
Analy:cs
Industrial Data
and Internet of
Things
Business
Analy:cs
Industrial
Data and
Internet of
Things
Security,
Compliance,
and Fraud

15. 15
My Advice
! Invest the :me to clean data and add context first
– Log types
– Data sources
– User iden:ty
– Devices
– Loca:ons
– Etc.
! Context makes data easily reusable and accelerates analysis
– Correla:ons
– Alerts
– Solving a wide range of problems

16. Thank You