PagerDuty deployed Splunk Cloud running on AWS to gain end-to-end visibility across their operations and enhance their security and compliance efforts. With Splunk, PagerDuty sped incident investigations, provided analysts with rich context for decision making, and reduced costs by 30% over their previous solution. Splunk Cloud provided PagerDuty with security, real-time monitoring, compliance reporting, and insights for engineering and operations across their AWS environment.
2. Today’s Presenters
David Potes, Manager, Solutions Architecture, Amazon Web Services
Arup Chakrabarti, Director of Engineering, PagerDuty
Erin Sweeney, Senior Director Security Product Marketing, Splunk
3. Today's Agenda
• An overview of AWS and AWS Marketplace, with an emphasis on AWS Security solutions and Splunk
• Challenges faced by PagerDuty
• The PagerDuty success story with AWS and Splunk
• Overview of the Splunk solutions featured in our story
• Q&A/ Discussion
4. Learning Objectives
• How proactive security measures help prevent breaches that can significantly impact
business
• How Splunk’s analytics-driven approach to security makes it easy to gain end-to-end
visibility across your AWS and hybrid environment and prevent or resolve threats
5. Introduction to AWS Security
Partnering to ensure protection from every vantage point
6. Your data and IP are your most valuable assets
• $6.53M: average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
• 56%: increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
• 70%: share of consumers who indicated they'd avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
7. AWS can be more secure than your existing environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
8. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
9. Constantly monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
10. Highly available
The AWS infrastructure footprint protects your data from costly downtime:
• 43 Availability Zones in 16 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Protect yourself from a DDoS attack with the newly released AWS Shield service
11. Integrated with your existing resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
15. PagerDuty’s Security Challenge
PagerDuty needed to take a more elastic security stance to investigate and
respond quickly in order to:
• Monitor and triage threats
• Maintain security posture
• Mitigate risk
• Ensure optimal customer experience and minimize service interruption
• Meet operational analysis needs
PagerDuty had previously relied on a logging solution that output data—not
answers, and couldn't scale to meet the growing business needs.
16. The Solution – Why Splunk?
PagerDuty adopted Splunk Cloud running on AWS in order to:
• Speed incident investigations and response times
• Provide analysts with rich contextual info for informed decision-making
• Mitigate risk
• Provide high availability of its services
• Scale to meet customer demand as needed
• Reduce cost by 30% over previous solution
17. Enterprise-wide Visibility and High Availability
• Security: ensures product security; fast time to investigate, minimizes risk and downtime
• Compliance: automated daily searches ensure compliance across a range of requirements with no manual intervention
• Operations: delivers on the goal of being one of the most highly available services worldwide
• Application Development: enables DevOps/ Distributed Operations with real-time visibility into production environments
18. Enhancing Security and Compliance
• Prior solution provided data…but not answers
• Made our security program more effective and easier to run
• Threshold-based alerts help minimize alert fatigue and prioritize investigations
• Dashboards quickly pinpoint anomalies warranting further investigation
• Eliminates need for disparate tools
• AWS App provides change mgt./change tracking audit trail for compliance
19. Powering Engineering and Distributed Operations
• Delivering new product securely with speed and agility
• Historical trending helps the team understand where to invest energy
• Keep engineering resources focused on running the business and customer satisfaction versus tools maintenance
20. Business Analytics and Beyond
• Finance team using platform for visibility into customer usage trends
• Leading indicator of renewals/ at-risk accounts
• Execs and Product Management use Splunk for view into overall
business health
21. Why Splunk on AWS?
• No infrastructure management or admin; just need to point data at Splunk Cloud
• Trust and reliability with Splunk that you don't get with other solutions
• Born on the cloud, can't live without scalability, agility
22. Summary of Results
PagerDuty deployed Splunk Cloud as its platform for operational visibility and triage
across the business—from IT operations monitoring to security and compliance.
With Splunk Cloud, Engineering has a solution for monitoring and alerting, and then
can dig deeper into the source of issues and resolve them quickly.
• Ensured customer satisfaction and highly available cloud services
• Reduced IT & security incident resolution from hours to minutes & seconds
• Realized 30% cost savings over prior service
24. Analytics-Driven Security Provides Visibility
"You can't protect what you can't see." (Best Practices for Securing Workloads in Amazon Web Services, Gartner, April 2015, Neil MacDonald, Greg Young)
"Security requires visibility." (Amazon Web Services, "Intro to AWS Security", 2015 AWS Summit Series)
"Security monitoring will make or break a technology risk management program." (Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment, IDC, July 2015, Pete Lindstrom)
25. Splunk Cloud: Analytics-Driven Security
Index untapped data: any source, type, volume, across on-premises, private cloud and public cloud: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Lambda, Servers, Messaging, GPS Location, Config, EC2, Online Services, Databases, Call Detail Records, Energy Meters, CloudTrail, VPC, IAM (the AWS sources arrive via the Splunk App for AWS)
End-to-end visibility for: Application Delivery; IT Operations; Security, Compliance and Fraud; Business Analytics; Internet of Things and Industrial Data
27. Security Intelligence Use Cases
End-to-end security visibility and posture assessment to make remediation decisions with confidence:
• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Advanced Threat Detection and Response
• Fraud Detection
• Insider Threat
• Incident Investigations & Forensics
28. Shared responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You (+ Splunk) get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
29. Security Ecosystem for Coverage and Protection
Data sources: Threat Intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security
Kill chain stages covered: Delivery; Exploitation & Installation; Command & Control; Accomplish Mission
30. Splunk App for AWS: The Value
Views: Usage, Topology, Security, Timeline, Billing, Insights
Security Visibility
▶ View user activity
▶ Gain a full audit trail
▶ Detect anomalous behavior
Security Use Cases
▶ Who added that rule in the security group that protects our application servers?
▶ Where is the blocked traffic into that VPC coming from?
▶ What was the activity trail of a particular user before and after that incident?
▶ Alert me when a user imports key-pairs or when a security group allows all ports
▶ What instances are provisioned outside of a VPC, by whom and when?
▶ What security groups are defined but not attached to any resource?
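The questions above are all answerable from CloudTrail, which records every API call. The following is an added example written for this page (not Splunk's or AWS's own code, and not what the App for AWS does internally) that answers three of them over a handful of constructed events: it raises the two alerts the slide asks for (a key-pair import, and a security group rule that opens every port to any source), reconstructs who changed a given security group, and pulls one principal's activity trail around an incident time. The event shape follows CloudTrail's nesting of EC2 list parameters under "items"; the account ID, ARNs, group IDs, key name and timestamps are made up.

```python
"""Screen CloudTrail EC2 events for the slide's alerts and reconstruct an actor's trail."""
from datetime import datetime, timedelta


def _items(node):
    """CloudTrail renders EC2 list parameters as {"items": [...]}; tolerate a bare list too."""
    if isinstance(node, dict):
        return node.get("items", [])
    return node or []


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def permission_is_wide_open(perm):
    """True when an ingress rule admits every port from any source (IPv4 or IPv6)."""
    proto = str(perm.get("ipProtocol", ""))
    all_ports = proto == "-1" or (perm.get("fromPort") == 0 and perm.get("toPort") == 65535)
    any_v4 = any(r.get("cidrIp") == "0.0.0.0/0" for r in _items(perm.get("ipRanges")))
    any_v6 = any(r.get("cidrIpv6") == "::/0" for r in _items(perm.get("ipv6Ranges")))
    return all_ports and (any_v4 or any_v6)


def screen_event(ev):
    """Return a finding for the two alert conditions named on the slide, else None."""
    if ev.get("eventSource") != "ec2.amazonaws.com":
        return None
    actor = ev.get("userIdentity", {}).get("arn", "unknown")
    params = ev.get("requestParameters") or {}
    base = {"actor": actor, "time": ev["eventTime"]}
    if ev.get("eventName") == "ImportKeyPair":
        return {"rule": "key-pair-import", "detail": params.get("keyName"), **base}
    if ev.get("eventName") == "AuthorizeSecurityGroupIngress":
        if any(permission_is_wide_open(p) for p in _items(params.get("ipPermissions"))):
            return {"rule": "sg-all-ports-any-source", "detail": params.get("groupId"), **base}
    return None


def screen(events):
    return [f for f in map(screen_event, events) if f]


def who_changed_group(events, group_id):
    """Answer 'who added that rule?': (actor, time, event) for every change to one group."""
    changing = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
    return [(e["userIdentity"]["arn"], e["eventTime"], e["eventName"])
            for e in events
            if e.get("eventName") in changing
            and (e.get("requestParameters") or {}).get("groupId") == group_id]


def actor_trail(events, actor_arn, incident_time, window_minutes=30):
    """Everything one principal did within +/- window of the incident, oldest first."""
    t0 = _ts(incident_time)
    w = timedelta(minutes=window_minutes)
    hits = [e for e in events
            if e.get("userIdentity", {}).get("arn") == actor_arn
            and abs(_ts(e["eventTime"]) - t0) <= w]
    return [(e["eventTime"], e["eventName"]) for e in sorted(hits, key=lambda e: e["eventTime"])]


# Constructed sample events (hypothetical account, users, group IDs and times).
_ACCT = "arn:aws:iam::111122223333:"
SAMPLE_EVENTS = [
    {"eventTime": "2017-07-26T17:40:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "userIdentity": {"arn": _ACCT + "user/bob"},
     "requestParameters": {}},
    {"eventTime": "2017-07-26T17:52:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ImportKeyPair", "userIdentity": {"arn": _ACCT + "user/alice"},
     "requestParameters": {"keyName": "laptop-key"}},
    {"eventTime": "2017-07-26T18:04:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": _ACCT + "user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    # 443 open to the world is common and deliberate: not the "all ports" alert.
    {"eventTime": "2017-07-26T18:05:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": _ACCT + "role/deploy"},
     "requestParameters": {"groupId": "sg-0d4e5f", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-07-26T18:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": _ACCT + "user/bob"},
     "requestParameters": {}},
]

if __name__ == "__main__":
    for finding in screen(SAMPLE_EVENTS):
        print(finding)
    print(who_changed_group(SAMPLE_EVENTS, "sg-0a1b2c"))
    print(actor_trail(SAMPLE_EVENTS, _ACCT + "user/bob", "2017-07-26T18:04:12Z"))
```

The wide-open check looks at both the port range and the source CIDR, so an HTTPS listener opened to the internet does not fire while an all-protocol rule from 0.0.0.0/0 does; in production you would read the events from the CloudTrail S3 delivery or the App for AWS index rather than an inline list.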
35. Splunk Positioned as a Leader
Gartner 2016 Magic Quadrant for Security Information and Event Management*
• Four Years in a Row as a Leader
• Furthest overall in Completeness of Vision
• Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three Use Cases
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
38. Splunk Online Experience
Try it out! https://www.splunk.com/en_us/form/security-investigation-online-experience-endpoint.html
1. Step-by-step instruction
2. Launch instruction video
3. One-click Online Session
Learn Splunk Skills for Security
• Use sample data to safely practice security investigation techniques
• Embedded help features step-by-step how-to guides on finding security problems
• Contains a sample ransomware data set and tips and tricks for you to learn
39. Splunk Cloud Now Available on AWS Marketplace
Benefit of AWS Marketplace
• Easily discover & deploy software & SaaS
• Simplified Buying Process
• Reduces Time to Procure
• Eliminate License Management
• One, consolidated AWS Bill
• Apply to contract commitments
• Automatic Renewals
Splunk Cloud Specifics
• Annual and Multi-Annual contract subscriptions
• Automatic discount for Multi-Annual Options
• Buy in increments of 5GB, 10GB, and 20GB index/day
• Easily Upgrade Splunk License
• Private pricing available for larger index volumes, apps and add-ons.
Find out more or Buy Now: www.splunk.com/aws-marketplace
40. Recommendations
• Organizations should look for a seamless AWS security solution fit
• Ensure the partner you choose has expertise on, in, and around AWS
• End-to-end visibility and actionable security best practices are the
keys to success
At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.
As AWS we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.
As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
We are also certified and accredited by a wide range of regulators and industry bodies. Here is a list of key bodies that have either certified us, or we have a workbook of guidance showing you how to validate an AWS environment against these standards.
Top Row (left to right)
ISO 27001 Information Security Management
ISO 9001 Quality Management Systems Requirements
American Institute of Certified Public Accountants (SOC 1, SOC 2, SOC 3 reports)
Payment Card Industry Data Security Standard (PCI-DSS)
Federal Information Security Management
Cloud Security Alliance
Middle Row:
TUV Trust IT – independent certification body for the German Federal Office for Information Security (BSI) IT Baseline protection methodology (IT Grundschutz)
UK G-Cloud Digital Marketplace
HIPAA (Health Insurance Portability and Accountability Act)
Federal Information Processing Standards 140-2
Americans with Disabilities Act Section 508
Motion Picture Association of America
Bottom Row:
US International Traffic in Arms Regulations
Department of Defense Cloud Security Model
Criminal Justice Information Systems (CJIS) Security Policy
Federal Risk and Authorization Management Program (FedRAMP)
Australian Information Risk Assurance Program
US Department of Education (FERPA)
For more in-depth questions, refer the customer to http://aws.amazon.com/compliance for more details.
Security: speeding incident response from hours to minutes/seconds
Compliance: daily searches ensure compliance across a range of audit requirements
Application Development: enables DevOps/ Distributed Operations with real-time visibility into production environments
Thanks Arup.
I love that you’re getting value from Splunk to address both your security needs and the needs of your growing business to keep your customers happy and productive.
Arup gave you a flavor of the what they are doing with Splunk, but let me cover a bit more about why Splunk can be important for those of you getting started on your cloud journey, or looking for better ways to secure in the cloud.
You’ll recall David said AWS secures the cloud and you are responsible for securing what’s in the cloud.
That’s where Splunk can help.
You can’t secure or protect what you can’t see
You can’t manage cost for what you can’t see
You can’t extract additional business value for what you can’t see
Splunk takes an analytics driven security approach to help you secure and protect what’s valuable to you and your business
How do we do that? Splunk makes your data visible, accessible and valuable. I loved what Arup said, that other solutions give you data, whereas Splunk gives you answers, and I'll talk a bit more about how we do that.
Splunk is the platform for machine data, Splunk collects all data into one place so you can search analyze visualize and report on it to solve a breadth of use cases for IT, security and the business.
You can collect data from anywhere. Splunk employs universal forwarding and indexing technology to collect the data—it’s a small footprint with little or no impact to you.
Search and analyze across all your data – with powerful search and schema-on-the-fly technology. This means you don’t have to deploy a database and worry about pulling a pre-determined schema together. Again, less impact on your IT resources.
Rapidly deliver real-time insights from machine data to IT and security personnel – through a powerful UI and dashboards.
Drilling in.
The flexible interface allows you to do freeform search to investigate incidents.
Information is correlated from across your entire environment so you can conduct investigations from a single pane of glass. You can correlate based on time stamp, userID, IP address—practically anything to get a full view of what is or was happening in your app or infrastructure.
Once you find and remediate an incident you can set up alerts—smart, threshold based alerts, to minimize alert fatigue and focus your analyst investigations on the incidents and assets most important to your business. For example, would you rather have your analysts spending time updating anti-virus, or investigating unusual access to your customer database? Probably the latter. Splunk can help.
And finally, you can build the dashboards you need to understand trends, highlight anomalous activity at a glance, or provide compliance, audit or other reporting to your leadership, board, partners or other stakeholders.
And you can apply these activities and workflows across any number of security use cases.
Splunk is a Security Intelligence Platform and can address threat detection and response, malware, phishing, ransomware, fraud, insider threat and many other use cases.
You may or may not have a SIEM or need a SIEM.
If you have one, we're more flexible than traditional SIEMs and can complement or replace existing SIEM deployments, while also addressing more complex security use cases.
-------------------------------------
Examples below if you want to touch on any:
Faster Investigations
Monitor large volumes of NW, FW, IDS, and proxy data and do forensics (Treasury)
Analyze evidence in hacking cases and identity theft cases; take digital evidence from multiple sources and present it in a timeline (LA County)
Able to identify a hacking incident and point tech support to specific desktops needing remediation (DoJ)
Security and Compliance:
With Splunk in place, the auditors are able to observe the necessary reports in real time, check their box, and get on their way (NASA)
Continuous Diagnostics and Mitigation (CFO Audit Act)
NASA JSC is using Splunk as a consolidated, highly scalable logging platform for security, incident response, & compliance. Splunk has saved them hours upon hours by replacing past practices that involved less flexible end point products, relying on custom scripts, grep’ing, and manually searching through vast quantities of logs. JSC is continuing to grow their use of Splunk due to the increased details and insight that Splunk is providing them.
Monitoring endpoint security, monitoring servers for troubleshooting and FISMA compliance (DoI)
SSA is mainly using Splunk for compliance reporting - a main of the CDM program. Their security operations center also uses Splunk to understand their security posture.
monitor security and compliance for all DHS systems in the private cloud/Data Center. (DHS)
Threat detection:
Improves the way they track messages and detect threats via email. It only takes a couple of seconds to track messages in Splunk, which used to take hours (Senate)
EOS is using custom searches and dashboards to find security threats that affect the applications running on satellites and ground systems. Once these security threats are identified with Splunk, their IT analysts are able to drill down into the raw data in order to identify the root cause of the threat. (NASA EOS)
Fraud detection
- Splunk’s ability to Map out the incoming IP Addresses has led to quicker resolution on blocking account. The Goal at USPS is to move from reactive fraud detection to Proactive. USPS is currently testing setting up alarms anytime an International order is placed. The goal is to make it so difficult for the bad guys to do business that they go somewhere else. (USPS)
UBA and Insider threat
Splunk is used to monitor employee use of the web during work hours on internal networks (DoJ)
In an environment where an employee is a Government contractor who has access to sensitive R&D projects and/or supporting Government programs, data leakage is highly possible. An employee can intentionally or unintentionally download any text documents associated with that program/project to a personal laptop, personal email, etc. (NGC SOC)
Let’s talk about how Splunk can address some security concerns particularly related to AWS.
You’ll recall David said AWS secures the cloud and you are responsible for securing what’s in the cloud.
That’s where Splunk can help.
You choose best-of-breed providers for threat intelligence, network security, authentication, and odds are, Splunk already has an app or partnership with those solutions to get data into Splunk, with pre-packaged searches, alerts, dashboards and reports to help you get value from that data source immediately. This week at Black Hat, we announced support for Cyber4Sight, a new threat intelligence feed from Booz Allen Hamilton, and Shadowplex-R, a new deception-based ransomware solution.
Further, over the next several months we’ll be packaging up use case based apps. We’ve just released Splunk Insights for Ransomware, and there’s more to come. These are all available for free on Splunkbase.
So, now you’ve got visibility into everything on the cloud with Splunk—this includes data from the Splunk App for AWS.
Use the animation to talk through the Zeus attack scenario described in the Zeus demo:
• Recon: find a vulnerability and the method most likely to gain access; locate a vulnerable server with a .pdf
• Recon: the attacker attacks an extranet portal (vulnerable server) and steals a known-good document (.pdf)
• Weaponization: the attacker creates malware, packages it up in a PDF and names it the same as the document on the portal (so it looks like a good document)
• Delivery: the attacker spoofs a company employee's email (uses a technique to send email that looks like it's coming from an employee of the company) and sends it to several targets at the company
• Exploitation: a user (all it takes is one) reads the email and opens the attachment, which exploits a vulnerability in a document reader that allows programs to run
• Installation: the program installs several programs that overwrite "good" programs on the computer, e.g. the calculator program, calc.exe
• Installation: calc.exe spawns svchost.exe, a generic program on Windows machines
• Command and Control: svchost.exe establishes communication to a remote command and control server
Point out that this came from a real example. The left shows the different defensive technologies that might have seen something.
With the Splunk App for AWS, you’ll gain visibility across usage, topology, security, timeline, billing and other insights.
Some of the security related use cases we can address include a view into user activity, full audit trail and the ability to detect anomalous behavior.
We get user, VPC, authentication and other security relevant data from AWS, so you can get a sense of your full security posture.
We capture changes adds and deletes to Inventory and config to automatically create a topology view and then continuously monitor the changes in a customers environment for security and compliance reporting.
For network security, we capture VPC flow log data, and that Flow data provides that additional context and richness for the security lens.
And again, if you have some services on premises, Splunk gives you complete visibility across cloud and on prem environments so you have a true sense of your security posture and the ability to conduct comprehensive investigations and analysis.
Customers like Arup at Pager Duty, EnerNOC, Adobe, Yelp, Cox Automotive, FINRA, Autodesk, use Splunk to address these needs every day.
Now for the eye candy portion of our discussion. I mentioned that splunk looks at your inventory and configuration data to create a topology view. Here it is.
It’s the “big picture” of all your EC2 assets across all your accounts and regions, and provides a picture of how everything is connected.
This is a helpful way to visualize where your assets are, how they are connected to each other and, for example, if there are systems that are not attached to a VPC, which might be a violation of a corporate policy.
You can also drill down by using the legend on the left to turn on or off objects such as security groups (like what ports and protocols are open for what systems), EBS volumes and more
This is a great view for overall compliance and security posture.
The Topology View also has a few layers you can activate or deactivate, so you can easily see which instances have the most network traffic, are using the most CPU, have the highest cost, etc. We also support details around Amazon Inspector. On that point, I'd like to think Splunk and AWS co-innovate in delivering value to customers, in that we released support for Inspector the same day AWS released the feature.
But why does this matter in the security context?
You expect certain VPCs to have certain levels of traffic and via Inspector and this view, you can find anomalous patterns to further investigate.
• Bytes in and out for performance
• Certain VPCs should have various levels of traffic
• Pivot to utilization, ingress/egress traffic
• We want to look into a locked-down security group, but see lots of traffic
• Cloud should provide continuity and consistency
• Cloud starts clean, security is code
• When provisioning systems there can be messiness
• Splunk is multi-account, cross-region: see everything globally, then drill down as needed
As an example – if we drill into an EC2 instance, we get details such as its CPU usage, Disk usage, etc but also information on AWS Inspector results, and even VPC flow details…which we can then drill into
Again, this matters because on an individual basis I can see where I might need to update patches or what activity might be suspicious. And because Splunk is great at time series data, I can also use this topology view to identify config creep.
• This single view
• State of the state by VPC
• In a single set of tabs we can look around, beyond standard data, into how much this costs
• We integrate with Amazon Inspector, which is a vulnerability scanner; it allows us to see, on an individual basis, what might be suspicious
• In a single view, I get value for ops, admin and security; security gets a view into
• Patch mgmt can use Inspector, but it's integrated into topology for an overall view
• Topology is a means of saying "here's the 20K-foot view", and then I can drill into what's important
• Because Splunk is great at time series, it's good for looking at config creep
And then it wouldn’t be a Splunk presentation if we didn’t show a dashboard.
Here we see two VPC flow log views: "VPC Flow Logs – Security Analysis" and "VPC Flow Logs – Traffic Analysis". If we look briefly at the Security Analysis view, you have your standard Accept vs. Reject trends over time, as well as the top values of rejections by ports and addresses. These are a starting point to look through potential anomalies or unexpected results, such as a very, very high ratio of rejections to accepts, or an uncommon port, etc. And in Splunk, you can use statistical commands to understand, for instance, something four times the standard deviation of normal, and trigger an alert based on something that is highly anomalous. This is an example of how analytics-driven security can help you prioritize your security investigations.
But back to this dashboard, You can click on any row in the results to drill down into the “trendlines” here at the bottom
So those are just a few practical applications of Splunk to help you secure what’s in the cloud.
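The reject-ratio trend and "top rejections by port and address" above are straightforward to reproduce outside a dashboard, and doing so makes the statistical alert concrete. The following is an added example written for this page, not Splunk's or AWS's code and not an SPL search: it parses default-format (version 2) VPC Flow Log records, buckets them into one-minute intervals, computes each interval's reject ratio, and flags an interval whose ratio exceeds the mean plus four standard deviations of the intervals before it, which is the "four times the standard deviation of normal" rule from the talk expressed as a trailing baseline. The log lines are constructed inline (documentation-range addresses, a made-up account and ENI, an arbitrary epoch base): nine quiet minutes, then one minute dominated by rejected RDP probes from a single source. It also shows the one field-handling caveat a parser needs, namely that NODATA/SKIPDATA records carry "-" in most fields and must be skipped rather than counted.

```python
"""Parse VPC Flow Log records and flag intervals whose reject ratio is anomalous."""
import statistics
from collections import Counter, defaultdict

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(line):
    """Parse one record into a dict; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # placeholder record: '-' in the traffic fields, nothing to count
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def reject_ratio_by_interval(records, interval=60):
    """Map interval start -> (accepts, rejects, rejects / total)."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        bucket = r["start"] - r["start"] % interval
        counts[bucket][0 if r["action"] == "ACCEPT" else 1] += 1
    return {b: (a, j, j / (a + j)) for b, (a, j) in sorted(counts.items())}


def anomalous_intervals(ratios, k=4.0, min_history=5):
    """Flag intervals whose ratio exceeds mean + k*stdev of the preceding intervals."""
    starts = sorted(ratios)
    flagged = []
    for i in range(min_history, len(starts)):
        history = [ratios[s][2] for s in starts[:i]]
        mu, sigma = statistics.mean(history), statistics.pstdev(history)
        cur = ratios[starts[i]][2]
        if sigma == 0:
            continue  # flat baseline gives no scale; a ratio-delta rule would go here
        z = (cur - mu) / sigma
        if z > k:
            flagged.append((starts[i], cur, z))
    return flagged


def top_rejected(records, field, n=3):
    """Top-N values of one field among REJECT records (the dashboard's port/address panels)."""
    return Counter(r[field] for r in records if r["action"] == "REJECT").most_common(n)


BASE = 1_501_092_000  # constructed epoch base, aligned to a 60 s boundary


def build_sample_log():
    """Constructed sample: nine quiet minutes, then a minute dominated by rejected RDP probes."""
    lines = [f"2 111122223333 eni-0abc123 - - - - - - - {BASE} {BASE + 59} - NODATA"]
    plan = [(20, 1), (20, 2), (20, 1), (20, 3), (20, 2), (20, 1), (20, 2), (20, 3), (20, 1), (2, 18)]
    for i, (accepts, rejects) in enumerate(plan):
        start, end = BASE + 60 * i, BASE + 60 * i + 59
        for n in range(accepts):
            lines.append(f"2 111122223333 eni-0abc123 10.0.1.{n % 250 + 1} 10.0.2.9 "
                         f"{49152 + n} 443 6 10 840 {start} {end} ACCEPT OK")
        spike = i == len(plan) - 1
        src, port = ("203.0.113.9", 3389) if spike else ("198.51.100.7", 22)
        for n in range(rejects):
            lines.append(f"2 111122223333 eni-0abc123 {src} 10.0.2.9 {40000 + n} {port} "
                         f"6 1 40 {start} {end} REJECT OK")
    return lines


def analyse(lines):
    records = [r for r in map(parse_flow_log, lines) if r]
    ratios = reject_ratio_by_interval(records)
    return {"intervals": ratios,
            "anomalies": anomalous_intervals(ratios),
            "top_ports": top_rejected(records, "dstport"),
            "top_sources": top_rejected(records, "srcaddr")}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for start, ratio, z in result["anomalies"]:
        print(f"interval {start}: reject ratio {ratio:.2f}, z={z:.1f}")
    print("top rejected ports:", result["top_ports"])
    print("top rejected sources:", result["top_sources"])
```

The baseline is taken only from intervals before the one being scored. Computing mean and deviation over a window that includes the spike itself inflates the deviation and can hide exactly the event you are looking for, which is why a scheduled alert should compare the latest interval against a trailing window rather than against the whole search range.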
And while, yes, I am a Splunk fangirl, you don’t have to listen to me or just buy into the eye candy. Splunk’s value is proven! Splunk has been a recognized leader in the Gartner Magic Quadrant for the last 4 years.
And Splunk has more than 7,000 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs use Splunk for security/compliance.
And as Arup alluded, you can use Splunk beyond security for a whole range of use cases across application management, IT Operations, Business analytics, industrial data and more.
Ok, so what next.
There’s a free online experience. It’s an AWS instance pre-loaded with data and provides a video and documentation to walk you through incident detection and scoping exercises.
Or, you can buy Splunk Cloud today on marketplace. Load up your own data and get a better handle on your security posture right away.
David, back to you to bring us home.