This document discusses how Creative Artists Agency, a talent and sports agency, uses Splunk to gain visibility into security data from various sources and streamline security investigations. Before Splunk, CAA had manual and slow security processes. Splunk now provides a single interface to correlate security data and detect incidents like compromised credentials. CAA uses Splunk for investigations, monitoring, auditing, and analytics to improve response times and security posture. Future plans include expanding analytics and evangelizing Splunk's use across other IT groups.
A Bit About Me …
• Background in Mechanical Engineering with concentration on Robotics
• Designed, built, and developed robotic jet engine manufacturing systems for Alcoa Power and Propulsion
• Architected huge material handling systems (warehouse sortation, airport baggage handling, shipping and packaging, etc.) for BEUMER Group
• Close friend recommended trying business intelligence consulting
• Worked as a Splunk PS consultant across many industries
• Now focused on IT Security at CAA
What We’re Protecting
• Internal Data
  – Agent/Executive data
  – Corporate information
  – Financials
  – Internally developed applications
• Client Data
  – Reputation
  – Personal/Sensitive information
  – Contracts
  – Salary information
Security Challenges We Face
• “Target Rich” Environment
  – VIPs = prime targets
  – Many non-technical users
  – High churn rate on assistants
• Variety of Threats
  – Leaked credentials
  – Malicious insiders
  – Phishing/spear phishing attacks
  – Web-borne threats
Before Splunk
Situation
• Manual Processes
  – Data from a wide range of point products
  – Email threat investigations begin with users
  – Deeper investigations require cross-checking logs
Impact
• Very slow and reactive
• Limited ability to do any kind of trend analysis
• No end-to-end picture
• Can’t scale to meet growing needs
Example: Phishing Investigations
If a user questions the validity of an email:
• Sends email to “Is This Safe” mailbox
  1. Homegrown tool checks URLs against AV for known malware
  2. Generates report
  3. Response sent back to user indicating safe/not safe
Security team reviews all emails sent to “Is This Safe”:
• Deeper investigation
  1. Manually investigate emails
  2. If phishing, check email logs for sender/IP/recipients
  3. Check web security appliance to see who clicked on URLs
  4. Reach out to users to resolve
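Steps 2 and 3 of the deeper investigation are a join between the email gateway log and the web proxy log. The script below is an added example, not CAA's tooling and not the log format of any specific appliance: over constructed log lines it pulls the reported sender's source IP, recipients and URLs from the email log, then matches those recipients against proxy events for the hosts the URLs point at, and builds the outreach list for step 4. The key=value layout, the field names, and the mapping from mailbox to proxy username (local part of the address) are all assumptions made for the example.

```python
"""Correlate email-gateway and web-proxy logs for a phishing investigation.

Added example, not CAA's tooling. Given a sender reported as phishing, it
(1) pulls the sender's source IP(s), recipients and embedded URLs from the
email log, (2) looks in the web-proxy log for recipients who visited any host
those URLs point at, and (3) builds the outreach list. Log lines and field
layouts are constructed for the example; they do not match any particular
email or web security appliance.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed email-gateway log (one delivered message per line).
EMAIL_LOG = """\
ts=2015-03-02T09:14:02 action=deliver sender=billing@invoices-secure.example src_ip=203.0.113.7 rcpt=asst1@corp.example url=http://invoices-secure.example/view?id=771
ts=2015-03-02T09:14:05 action=deliver sender=billing@invoices-secure.example src_ip=203.0.113.7 rcpt=asst2@corp.example url=http://invoices-secure.example/view?id=772
ts=2015-03-02T09:14:09 action=deliver sender=billing@invoices-secure.example src_ip=203.0.113.7 rcpt=exec1@corp.example url=http://invoices-secure.example/view?id=773
ts=2015-03-02T09:20:44 action=deliver sender=newsletter@vendor.example src_ip=198.51.100.9 rcpt=asst1@corp.example url=http://vendor.example/news
"""

# Constructed web-proxy log (user, destination host, URL, proxy verdict).
PROXY_LOG = """\
ts=2015-03-02T09:31:10 user=asst2 dst_host=invoices-secure.example url=http://invoices-secure.example/view?id=772 action=allow
ts=2015-03-02T09:32:51 user=asst2 dst_host=invoices-secure.example url=http://invoices-secure.example/login action=allow
ts=2015-03-02T09:40:03 user=exec1 dst_host=invoices-secure.example url=http://invoices-secure.example/view?id=773 action=block
ts=2015-03-02T09:45:00 user=asst1 dst_host=vendor.example url=http://vendor.example/news action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(log_text):
    """Parse one key=value event per line into a list of dicts."""
    return [dict(KV_RE.findall(line)) for line in log_text.splitlines() if line.strip()]


def investigate(sender, email_log=EMAIL_LOG, proxy_log=PROXY_LOG):
    """Run steps 2-4 of the deeper investigation for one reported sender."""
    # Step 2: the sender's source IPs, recipients, and the hosts its URLs point at.
    emails = [e for e in parse_kv(email_log) if e.get("sender") == sender]
    source_ips = sorted({e["src_ip"] for e in emails})
    recipients = sorted({e["rcpt"] for e in emails})
    phish_hosts = {urlparse(e["url"]).hostname for e in emails if "url" in e}

    # Step 3: which recipients visited a phishing host. Matching on host rather
    # than the exact URL also catches follow-on pages (e.g. the fake login form).
    # Assumption: the proxy logs the local part of the mailbox as the username.
    users = {r.split("@")[0] for r in recipients}
    clicks = defaultdict(list)
    for p in parse_kv(proxy_log):
        if p.get("user") in users and p.get("dst_host") in phish_hosts:
            clicks[p["user"]].append((p["url"], p["action"]))

    # Step 4: outreach first to users whose click was allowed through; a blocked
    # click is still worth a note, but an allowed one may mean credentials were entered.
    needs_outreach = sorted(u for u, hits in clicks.items() if any(a == "allow" for _, a in hits))
    return {
        "source_ips": source_ips,
        "recipients": recipients,
        "phish_hosts": sorted(phish_hosts),
        "clicks": dict(clicks),
        "needs_outreach": needs_outreach,
    }


if __name__ == "__main__":
    report = investigate("billing@invoices-secure.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it for the constructed sender shows three recipients, two of whom reached the phishing host: one was blocked by the proxy, the other was allowed through and then loaded a second page on the same host, which is why the match is on destination host rather than the exact URL from the email.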
Security Requirements
• Objectives
  – Eliminate manual processes
  – Correlate disparate data sources to maximize context in security investigations
• Goal
  Collect and analyze all security-relevant data to streamline incident investigations and improve incident response times
Need a Single Pane of Glass for All Security Data!
How We Use Splunk
• Primary incident investigation tool – single pane of glass
  – Correlate and view data from disparate security point products
    – Firewall
    – IPS
    – Cloud service event logs
    – Email security appliance
    – Web security appliance
    – External threat feeds
• Proactive Security Monitoring
  – Failed / Successful logins
  – Data leakage
  – Known high-risk IPs
  – Antivirus threat detections
• Regular Security Auditing
  – User provisioning
  – Password changes
  – New device logins
  – HR changes
  – Security group changes
  – New cloud instance creation
• Behavioral Analytics
  – Z-score analysis
• Operational Intelligence
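The z-score analysis listed under Behavioral Analytics, and the failed-login monitoring above it, come down to one calculation: compare today's count for a user with that user's own daily baseline. The following is an added example, not CAA's Splunk search, written in Python so it runs stand-alone: it aggregates failures from a constructed auth log, scores each user against constructed 14-day daily counts (the shape a daily count-by-user over the lookback window produces), and handles the two edge cases a practitioner hits first, a flat-zero baseline (standard deviation 0, z undefined) and an account with no history at all. The log layout, field names, threshold and floor are assumptions for the example.

```python
"""Z-score detection of failed-login spikes per user.

Added example, not CAA's own search. It aggregates failed logins per user
from today's auth log, compares each count with the user's daily baseline
(mean and sample standard deviation over prior days), and flags users whose
z-score crosses a threshold. Log lines, field layout and baseline counts are
constructed for the example.
"""
import re
import statistics
from collections import Counter

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed auth log for the current day (layout assumed).
AUTH_LOG_TODAY = """\
2015-03-02T08:01:12 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:01:15 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:01:19 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:01:22 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:01:26 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:01:30 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:01:33 user=asst1 src=10.0.4.21 result=failure
2015-03-02T08:15:02 user=asst2 src=10.0.7.3 result=failure
2015-03-02T08:15:20 user=asst2 src=10.0.7.3 result=failure
2015-03-02T08:15:41 user=asst2 src=10.0.7.3 result=success
2015-03-02T09:02:11 user=svc_backup src=10.0.9.50 result=failure
2015-03-02T10:30:05 user=newhire src=10.0.4.88 result=failure
2015-03-02T10:30:40 user=newhire src=10.0.4.88 result=failure
2015-03-02T10:31:12 user=newhire src=10.0.4.88 result=failure
"""

# Constructed baseline: failed logins per user for each of the previous 14
# days, i.e. what a daily count-by-user over the lookback window would yield.
HISTORY = {
    "asst1": [2, 3, 1, 2, 4, 2, 3, 1, 2, 3, 2, 1, 3, 2],
    "asst2": [1, 2, 1, 3, 2, 1, 2, 2, 1, 3, 2, 1, 2, 2],
    "svc_backup": [0] * 14,
}


def failed_logins_by_user(log_text):
    """Count result=failure events per user (the aggregation step)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = dict(KV_RE.findall(line))
        if event.get("result") == "failure":
            counts[event["user"]] += 1
    return counts


def zscore(value, history):
    """Z-score of value against history using the sample standard deviation.

    A constant baseline has zero deviation, so the score is undefined; treat
    any change as infinitely anomalous and no change as zero.
    """
    mean = statistics.mean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    if sd == 0.0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def zscore_alerts(today_counts, history, threshold=3.0, min_count=5):
    """Return ({user: z} for spikes, [users with no baseline]).

    min_count is an absolute floor so that a single failure against a
    flat-zero baseline (z = inf) does not page anyone on its own.
    """
    alerts = {}
    no_baseline = []
    for user, count in today_counts.items():
        baseline = history.get(user)
        if not baseline:
            no_baseline.append(user)  # new account: nothing to compare against yet
            continue
        z = zscore(count, baseline)
        if count >= min_count and z >= threshold:
            alerts[user] = z
    return alerts, sorted(no_baseline)


if __name__ == "__main__":
    today = failed_logins_by_user(AUTH_LOG_TODAY)
    alerts, no_baseline = zscore_alerts(today, HISTORY)
    for user, z in alerts.items():
        print(f"ALERT {user}: {today[user]} failures today, z={z:.1f}")
    print("no baseline yet:", no_baseline)
```

With the constructed data only asst1 alerts (7 failures against a baseline averaging about 2, z a little over 5); asst2's two failures are within noise, svc_backup's single failure against a flat-zero baseline has an infinite z-score but is held back by the min_count floor, and newhire is reported separately because there is no history to score against. Splunk's stdev is likewise the sample standard deviation, so a threshold tuned on counts like these carries over to the equivalent search.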
Future Plans
• Continue to improve security visibility and controls
  – Expand advanced proactive analytics (behavioral modeling, etc.)
• Become an internal evangelist for Splunk
  – Branch out from security to help other groups solve their challenges
    – IT operations
    – Product development
    – Financial analytics
[Diagram: Splunk platform use cases – IT Operations; Application Delivery; Developer Platform (REST API, SDKs); Business Analytics; Industrial Data and Internet of Things; Security, Compliance, and Fraud]
Aside from the above:
Manage team of excellent security professionals
Security is not just a security department responsibility – incredible support and partnership with other IT groups
Excellent partnership with all departments and executive support
Derek: Moody's is a credit rating agency. It provides credit opinions and ratings to the market in order for the market to evaluate risk around bonds, lending, et cetera. Moody's is split into a couple of different divisions. One of them is MIS, which is the credit rating agency, which services that function.
We also have a fairly sizeable software development business called Moody's Analytics that focuses on building software that banks and other organizations can use to evaluate their own credit risk, and some of the investments they make, and overall financial tools for helping them better understand risk exposure around the market investments, credit, and lending. We can probably get you a more canned corporate communications statement. That might be helpful for you to take a look at, as well.
Enter Splunk: We were able to pull data from throughout the organization, including end user systems, security appliances, and email and web servers – correlating and analyzing together for detailed forensics and streamlined incident response.
Different security concerns in restaurant space vs. other verticals
Yeah, the way we got started is we had a number of different homegrown log aggregation processes that were in place that were fairly absent of any kind of UI or analytics capability. It was typical log collection onto a central server using command line tools to do some analysis, et cetera.
We also had some managed service providers that were giving us some very, very basic analytics by also aggregating some of our log information into some of their tools. It wasn't really delivering the kind of service and capability we were looking for. It was very slow, very reactive, not a lot of ability to do any kind of trend analysis.
We went down a path to evaluate where do we want to be from a log collection and analytics standpoint. Obviously, we went down the path of looking at a number of the SIEM tools available in the market and gave an evaluation of the typical players like QRadar and ArcSight.
We really found that while a lot of them had a good SIEM profile, they weren't really designed to be log archive tools. In order to use them as a log archive tool you had to invest a tremendous amount of overhead in storage, processing power, et cetera. Once you tried to use those platforms as aggregators for any kind of real historic data, they just went to a crawl from a usability perspective.
We were much more interested in doing deep, historical forensic analysis and analytics than we were in having a real-time dashboard of things that were going on, because most of that work we view as something we want to outsource to somebody who can staff an eyes-on-glass capability in a much more 24/7 way.
We want the internal platform to really be about how do we go back to six months ago and understand what happened from a security forensic standpoint, or how do we do trend analytics on potential events or that type of activity. We quickly eliminated some of the tools that were much more focused on what I'll call security operations type users and started to look for tools that were much more of a log aggregation type platform.
We looked at a couple of different options there, and that's how we ended up with Splunk. Really, one of the deciding factors was we wanted something that would scale to be able to collect data, not just security data, but data from the whole organization, so that we weren't buying one platform for security and then buying another platform for normal IT operations, because the view was, if we don't commingle all the data together, the value of that analysis is reduced.