Splunk for ITOA Breakout Session
•
6 likes•1,998 views
This document discusses how Splunk provides value across IT operations, application delivery, business analytics, industrial data/IoT, and security/compliance. It highlights Splunk's capabilities for operational visibility, powerful developer platform, extensibility, and ecosystem for industrial/IoT data. An example deployment for oil and gas operations is shown. The document argues that a new approach to ICS/OT security is needed to analyze all relevant data and leverage threat intelligence. Splunk provides an application for enterprise security focused on ICS/OT environments.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Splunk for ITOA Breakout Session
Similar to Splunk for ITOA Breakout Session (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Splunk for ITOA Breakout Session
- 1. Splunk, Industrial Data and the Internet of Things
- 2. IT Operations Application Delivery Developer Platform (REST API, SDKs) Delivers Value Across IT and the Business Business Analytics Industrial Data and Internet of Things Security, Compliance and Fraud © 2015 Splunk Inc. All rights reserved.
- 3. IT Operations Application Delivery Developer Platform (REST API, SDKs) Delivers Value Across IT and the Business Business Analytics Industrial Data and Internet of Things Security, Compliance and Fraud © 2015 Splunk Inc. All rights reserved.
- 4. Use Cases Operations and Troubleshooting Security, Compliance and Safety Business Analytics Measurement and Verification Root Cause Analysis Capacity Planning Anomaly and Outlier Detection Cybersecurity Safety and Compliance Customer Intelligence Device Intelligence © 2015 Splunk Inc. All rights reserved.
- 5. Map Search Operation Playback OPERATIONAL VISIBILITYACROSS SILOS Experience Visualization © 2014 Splunk Inc. All rights reserved.
- 6. 6 Energy price monitoring React to price changes effectively Better operational analytics
- 7. 7 Monitoring flights and medicine in real time Making data accessible, usable and valuable to medical, flight, and support personnel Supporting outreach and fundraising efforts © 2014 Splunk Inc. All rights reserved.
- 8. 8
- 9. 9 Analyzing Robots to Improve Supply Chain 4%Throughput Improvements
- 10. Operational Technology (ICS) Energy Oil & Gas Process Manufacturing Medical Devices Telecom Smart Building Robots Consumer Technology Smart Home Wearables Media Scope of IoT & Industrial Data SCADA DCS Other Emerging Technology • ICS (Industrial Control System) - General Term Used to Describe a System or Process with Many Systems • SCADA (Supervisory Control and Data Acquisition) – Geographically Distributed Monitoring • DCS (Distributed Control System) – Process (Batch or Flow) with Many Data Points • Other - Embedded systems making up the rest of the IoT Space © 2015 Splunk Inc. All rights reserved.
- 11. Powerful Developer Platform Collection Indexing Search Processing Language Core Functions Inputs, Apps, Other Content SDKUI REST API Operational Intelligence Platform Content Core Engine User and Developer Interfaces
- 12. Powerful Extensibility 12 Splunk Web Framework R Project App Custom Search Commands in Python
- 13. Powerful IoT and Industrial Data Ecosystem 13 APIs, SDKs, App Framework, User Interface SDKs UI Legacy Data and Sensors IoT/ICS SecurityIoT Platforms Native Inputs REST Advanced Analytics and ML Custom Interfaces
- 14. Kepware Industrial Data Forwarder for Splunk © 2015 Splunk Inc. All rights reserved.
- 15. Example Deployment – Oil and Gas Operations Upstream •Wellsite Info (WITS Level 0) •Pump Controllers Midstream •ABB Total Flow Devices •Electronic Flow Measurement Device Downstream •PLCs •PACs •RTU’s •DCS •Data Recorders Accessed through Kepware Industrial Data Forwarder Additional Data Sources • Security-related events • Relational database and CSV lookups • Weather and other environmental events • Work order events • Safety-related events • Network and IT/OT infrastructure events Traditional Splunk Sources Splunk – At Intersection of IT and OT (a key trend going forward) © 2015 Splunk Inc. All rights reserved.
- 16. © 2015 Splunk Inc. All rights reserved Demo
- 17. Better quality and safety Drive product innovation Workflow and productivity improvements Detect cybersecurity threats Drive operational efficiencies Extend competitive advantage How Can IoT Analytics Transform Your Business? © 2015 Splunk Inc. All rights reserved.
- 18. © 2015 Splunk Inc. All rights reserved Questions? bgilmore@splunk.com @BrianMGilmore www.linkedin.com/in/industrialdata
- 19. Splunk for ICS Security
- 20. Why is ICS Different Than IT? 20
- 21. Cyber Criminals Malicious Insiders Nation States ICS Security Threats
- 22. Why the Growing Interest in ICS Security? 22 Everyday Headlines
- 23. Preventing Control System Service Interruption Prevent Damage Health and Safety of Employees Meet Compliance Logging Capabilities Reporting Capabilities Correlation Between OT and IT Data Silos Existing ICS Security Problem Space 23 Weaknesses Drivers
- 24. A New Approach to ICS Security is Needed 24 Analyze all relevant data Contextual and Behavioral Relevance Rapid learning loops and responses Collaborative & Coordinated Leverage IOC & Threat Intel Fusion of Technology/People/Process • Goal-oriented • Human directed • Multiple tools, steps & activities • Dynamic • New evasion techniques • Coordinated
- 25. © 2015 Splunk Inc.25 Threat Intel Access IdentityEndpointsNetwork Splunk is the Security Brain (Intelligence)
- 26. App for Enterprise Security for ICS IT Security Events OT Security Events Process and Alarm Events © 2015 Splunk Inc. All rights reserved.
- 27. Splunk’s ICS Security Focused Partners 27
- 28. Connecting the “Data Dots” 28 28 Machine data Traffic data Abnormal behavior High confidence event Med confidence event Low confidence event Malware download Program installation Access to ICS Malware install Malware & endpoint execution data User on machine Link to program And process Authenticated Sessions used to pivot into Control Systems LAN Delivery, exploit installation Gain trusted access Access Operations Environment Upgrade (escalate) Lateral movement Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security Control System LAN
- 29. © 2015 Splunk Inc. All rights reserved Questions?
- 30. 30 www.splunk.com/apptitude July 20th, 2015 Submission deadline
- 31. 31 The 6th Annual Splunk Worldwide Users’ Conference • September 21-24, 2015 • The MGM Grand Hotel, Las Vegas • 4000 IT & Business Professionals • 2 Keynote Sessions • 3 days of technical content – 165+ sessions • 3 days of Splunk University – Sept 19-21, 2015 – Get Splunk Certified for FREE! – Get CPE credits for CISSP, CAP, SSCP, etc. – Save thousands on Splunk education! • 80 Customer Speakers • 80 Splunk Speakers • 35+ Apps in Splunk Apps Showcase • 65 Technology Partners • Ask The Experts and Security Experts, Birds of a Feather, Chalk Talks and a new & improved Partner Pavilion! • Register at conf.splunk.com
- 32. We Want to Hear your Feedback! After the Breakout Sessions conclude Text Splunk to 878787 And be entered for a chance to win a $100 AMEX gift card!
- 33. © 2015 Splunk Inc. All rights reserved Thank You !
Editor's Notes
- POSCO is a multi-national steel making company headquartered in Korea. They are the world’s 4th largest steelmaker. Data for one process coming from: sensors, devices, and servers. Each data type has different formats and fields and is stored in a different place. Existing SCADA tools only show current values. Cannot see past data or trends over time. For refinery operators to access data for investigations, must get permission from IT departments in each factory. Extract data from several databases into Excel files, mash it up and compare levels and trends over time to deduce root cause.! Between obtaining permissions, transforming data and actual analysis, investigations can take up to 2 weeks. The Perseus is a OI platform powered by Splunk that deliver three key values such as Experience Visualization, Operation Playback and Map Search in order to bridge gap of OI for the industry customers who want to get an operational visibility from their business infrastructures unlike the other siloed approaches. Perseus can integrate, correlate, manipulate and visualize data with contents such as images, maps, SCADA, remote desktops and even live streaming videos using next generation UX technology called POD (Pixel On Demand) which is powered by N3N. Most of all, Perseus is tightly integrated with Splunk in order to get world best BigData capability with valuable advantages. Experience Visualization – integrate all types of data needed to provide operators with complete operational visibility: Video, Links, Documents, Charts, Tables, Text, Images Map search: Always search within the context of the current view. Clicking the “search” button brings up the search view with all of the metrics in the current view pre-selected. Operators can easily change the visualization to get a different perspective on the data. Operation Playback: Adjust the time range for any view in the Perseus UI to see the values of each component in the view at any point in the past. This is incredibly useful for troubleshooting where existing systems make it hard to access and manipulate past data.
- Lumo Energy is an Australian energy retailing business with several power stations throughout Eastern Australia. They use a customized SCADA (supervisory control and data acquisition) system to monitor and control its machinery and equipment. They wanted to extend the capacity of their SCADA system to improve their ability to respond to price fluctuations in real time. They were also seeking more visibility into the infrastructure of their many power stations. Lumo uses Splunk to automate its monitoring of base electricity prices and predictions, which are provided by the Australian Energy Market Operator (AEMO). Splunk indexes all of the inbound data from AEMO, runs specific analysis and calculations specific to Lumo, and then securely provides pricing execution proposals to the stations. This way, AEMO can better predict and react to pricing fluctuations, thereby maximizing revenue. Lumo Energy also has greater control over their custom SCADA environment. Splunk dashboards display market demand and pricing information, power station status and output, resource utilization and other telemetry. Lumo Energy can respond faster to market fluctuations with greater operational intelligence and unparalleled visibility into plant and equipment efficiency. Splunk also provides fail-safe security for private online control of their energy assets operating in the Australian market.
- Splunk’s customer, Royal Flying Doctor Service, uses Splunk to better manage the systems and aircraft through which they provide rural healthcare in Australia’s most remote environments. Sensor data from the cooling systems that keep the medicine safe during transport, avionic data from the aircraft, and precise location data give the RFDS team a unique view into overall operations – which is incredibly important as the number of med flights they execute makes them the third largest Australian Airline! In addition to troubleshooting and ops using sensor data, RFDS management is able to re-purpose the precise location data to deliver a unique fundraising opportunity – Buy the sky: buythesky.com.au As planes are servicing patients around Australia, individuals and businesses are able to sponsor patches of sky. As planes fly through these patches, Splunk alerts Salesforce, and a custom email Is sent to the sponsors letting them know their money is being put to good use!
- At CeBit2014, Volkswagen’s Data Lab chose splunk to demonstrate the power of the machine data generated by their next generation of electric vehicle – the e-up. There are some very interesting concepts and innovations in this dashboard. First is its capability to replay any vehicle’s journey for the selected time range. In the lower left, you can see the scrub controls, and vehicle activity is marked by a simple histogram. All available sensors on the vehicle are “played back” in real-time or fast-forward mode, including vehicle speed, engine RPM, battery status, vehicle range, outdoor temperature, door and headlight status. This is a really great example of Splunk’s capabilities as a developer platform. Using Splunk 6’s built in web framework, a web developer was quickly able to develop an engaging and compelling dashboard in far less time than it would have taken using traditional or competing web data frameworks.
- What does this platform look like? The platform consists of 2 layer: A core engine and an interface layer On top of the platform you can’t run a broad spectrum of content that supports use cases Use cases range from application mgmt. and IT operations, to ES and PCI compliance, to web analytics The core engine provides the basic services for real time data input, indexing and search as well alerting, large scale distributed processing and role based access The Interface layer consist of the basic UI for search, reporting and visualization – it contains developer interfaces, the REST API and SDKs The SDKs provide a convenient access to core engine services in a variety of programing language environments. These programmatic interfaces allow you to eithe:r: extend Splunk integrate Splunk with other applications build completely new applications from scratch that require OI or analytical services that Splunk provides
- Endpoints designed to have long life spans with availability in mind Usually has an Embedded Operating System and Software Limited memory and storage Different Components – HMI, Historian, PLC, Embedded Cyber to Physical – A software based system that has the capability to have a physical effect
- Lets start with today’s ever changing threat landscape: With all the news on cyber attacks and security breaches, you know we are constantly up against 3 very sophisticated adversaries: the cyber criminals, the nation states and also the malicious Insiders; All going after major stakes of our life, our company and our nation.
- SANS SCADA Security Survey found that 70% of respondents are most concerned about “Preventing Control System Service Interruption” and are most worried about “HMI, Servers and Workstations”. https://www.sans.org/reading-room/whitepapers/analyst/results-scada-security-survey-35135 One of the top ICS CERT Recommended Practices is to “Increase Logging Capabilities”. The other top recommendation is user behavior analysis. https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B https://ics-cert.us-cert.gov/Recommended-Practices#nogo Most technology in the ICS / SCADA industry is decades old and the market is looking for new solutions. Operations staff need solutions to decrease MTTR and keep facilities operational Security staff are looking for better visibility and monitoring capabilities for Control Systems Management wants to leverage IoT, ICS, SCADA data for better business intelligence solutions Audit often has regulatory requirements to meet and need improved capabilities in reporting and compliance
- What role doe Splunk’s solution play in the new security Universe ? Splunk is the Brain, the Nerve center. There are four key categories of solutions we work with : They bring the sensory info from end points to the network, contextual info from users to business Apps, and threat trends& visibility at global level (It is about intelligence, collecting information, deriving intelligence and sharing them!) Intelligence sharing is front and center of the WH Security summit, we are enabling our customers to do exactly that!
- ----- Meeting Notes (4/22/15 10:47) ----- Splunk Apptitude is live and open. You've got 90 days. To win more than $150,000 in cash and prizes. Last day to submit is July 20th, 2015. We'll announce the winners at Black Hat in August. Good luck!
- 2 inspired Keynotes – General Session and Security Keynote 150+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! Join the 50%+ of Fortune 100 companies who attended .conf2014 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Vegas a Splunk user, leave Vegas a Splunk Ninja!