This document summarizes the use of Splunk at Intercontinental Exchange (ICE) for IT operations and information security monitoring. It describes how Splunk consolidated fragmented log data, enabled centralized searching and alerting, and provided dashboards for troubleshooting. IT operations appreciated having all data in one place and the flexibility to analyze logs. Information security retired two separate security information and event management (SIEM) systems in favor of Splunk for security monitoring and compliance reporting. The architecture deployed Splunk across ICE's 10 datacenters to ingest 1.5 TB of log data daily. Change management integrated Splunk deployments with their existing GIT and Jenkins processes.

1. Copyright © 2015 Splunk Inc.
ICE
Craig Serritella
Director, IT Monitoring

2. Craig Serritella -- Director, IT
Provide operations and
monitoring support for all
business units at ICE
Packet capture, enterprise
monitoring, alerting, and
Splunk
Background and Role

3. Company Overview
2000
2001
2007
2008 2010
2013 2014

4. Company Overview
Intercontinental Exchange is the leading global network of regulated
exchanges and clearing houses for financial and commodity markets
ICE has 11 exchanges worldwide
2014 average of 15.3 million daily trade volume
$28 trillion market cap of NYSE listed companies
Systemically important financial market utility (SIFMU)
theice.com
nyse.com

5. Use Case:
IT Operations

6. IT Operations – Before Splunk
Situation: Fragmented log data and no centralized way to search it
Struggles: Rapidly growing business with more logs/applications coming
online
Wanted:
– Consolidation to easily search logs
– Alerting/trending on data in logs
– Ability to quickly analyze logs
– A tool that could scale along with our growth
Enter Splunk: We were able to leverage our automated build processes
and forwarders to consolidate data, build useful dashboards, and get
good information

7. IT Operations – After Splunk
All data in one place!
Operations loved not having to use grep, sed, awk
Developers loved the flexibility of using Splunk to help troubleshoot
their applications
Operations and Systems Engineering were working on a common logs
platform/language
Operations could easily/quickly set up alerts and perform analysis on
logs

8. IT Operations – Dashboards

9. IT Operations - Gemstone

10. Rewriting Our Application Logs

11. Use Case:
Information Security

12. Information Security – Before Splunk
Situation: Two different SIEMs at the combined company
Struggles: Incomplete picture of the enterprise because of a fragmented
log infrastructure
Wanted: Consolidation on one system for security and logs and
integration with our current Splunk deployment
Enter Splunk:
– Leveraging heavy forwarders to connect to firewalls and pull data in for
searching
– Using the universal forwarder to migrate data off of the SIEMs, enabling InfoSec
to analyze their logs

13. Splunk vs. SIEM
SIEM (NYSE)
– Massive deployment at NYSE that did not scale very well
– Current software was nearing the end of the contract
– The use cases from the SIEM were not terribly complicated
SIEM (ICE)
– Small deployment that we did not think would scale
– User un-friendly interface – ops did not like/want it
– Reports were difficult and time-consuming to run

14. Security Use Cases
InfoSec Engineering
– Predicting/understanding DDoS attempts
– Troubleshooting connectivity errors
– Running reports of connections
InfoSec Vulnerability Management
– Alerting on suspicious behavior
– Auditing production changes
– Auditing customer activity
– Alert on suspected Malware activity

15. Splunk Apps
https://splunkbase.splunk.com/app/1454/

16. InfoSec – After Splunk
InfoSec retired two SIEMs and consolidated everything into Splunk
InfoSec and Operations are on a common tool
InfoSec can now easily run reports/trends against any of their data
“Data can now be correlated from both NYSE and ICE to give a
complete picture of the enterprise.”

17. Architecting the
Solution

18. Architecture
10 datacenters
Cluster Master and 3 indexers at every datacenter
145 logs repositories with forwarders
1.5 TB/day license
Search heads at two datacenters
Running 6.2.0

19. New York
Chicago
NYSE DR
Non-production
Performance TestDevelopment
Atlanta
ICE DR
London
New Jersey
Distributed Search Across Datacenters

20. Deploying Without a
Splunk Deployment Server
ICE needed segregation of duties for requested changes, approvals, and
people who could deploy changes
A framework was already in place with a GIT server and Jenkins
All changes for Splunk are checked in to GIT and then deployed by
Release Management

21. GIT

22. GIT – Assigning Blame (or Praise)

23. Build The Package

24. Deploy The Package

25. What’s Next?
Adding more InfoSec servers -- badge server, RSA
Finding other data sources that don’t lend themselves
well to our standard deployment
Refining our apps and dashboards
Adding more security dashboards
Normalizing time zones in our logs

26. 2
Thank You