The document discusses the evolution of YOOX Group's security intelligence platform from a technology-oriented approach focused on log correlation to a more information-centric approach using Splunk. This included enriching technical logs, implementing clear identity definitions, enabling deep investigation of security events, and developing proactive and dynamic dashboards that allow blacklisting IPs and visualizing attack patterns in real-time. The goal was to gain a more holistic view of security risks and threats across the organization.

1. Copyright
©
2015
Splunk
Inc.
Gianluca
Gaias
Head
of
Informa@on
Security,
YOOX
Group
Building
an
Enterprise-­‐grade
Security
Intelligence
PlaIorm
at
Yoox.com
(Gain
the
Big
Picture)

2. Disclaimer
2
During
the
course
of
this
presenta@on,
we
may
make
forward
looking
statements
regarding
future
events
or
the
expected
performance
of
the
company.
We
cau@on
you
that
such
statements
reflect
our
current
expecta@ons
and
es@mates
based
on
factors
currently
known
to
us
and
that
actual
events
or
results
could
differ
materially.
For
important
factors
that
may
cause
actual
results
to
differ
from
those
contained
in
our
forward-­‐looking
statements,
please
review
our
filings
with
the
SEC.
The
forward-­‐
looking
statements
made
in
the
this
presenta@on
are
being
made
as
of
the
@me
and
date
of
its
live
presenta@on.
If
reviewed
aWer
its
live
presenta@on,
this
presenta@on
may
not
contain
current
or
accurate
informa@on.
We
do
not
assume
any
obliga@on
to
update
any
forward
looking
statements
we
may
make.
In
addi@on,
any
informa@on
about
our
roadmap
outlines
our
general
product
direc@on
and
is
subject
to
change
at
any
@me
without
no@ce.
It
is
for
informa@onal
purposes
only
and
shall
not,
be
incorporated
into
any
contract
or
other
commitment.
Splunk
undertakes
no
obliga@on
either
to
develop
the
features
or
func@onality
described
or
to
include
any
such
feature
or
func@onality
in
a
future
release.

3. Personal
Introduc@on
3
Gianluca
Gaias,
YOOX
Group
YOOX
Group
is
the
global
Internet
retailing
partner
for
leading
fashion
and
luxury
brands
Head
of
Informa@on
Security:
– Applica@on
Security
– Organiza@onal
Security
– Compliance
– Security
Monitoring

4. Key
Takeaways
4
From
a
technology
oriented
approach
to
an
info-­‐centric
approach
From
log
correla2on
to
pa3ern
recogni2on
From
a
passive/display
pla7orm
to
a
proac2ve/execu2ve
pla7orm
From
standard
dashboards
to
real-­‐2me
dynamic
dashboards
From
a
security
event
to
an
context-­‐aware
security
informa2on

5. Agenda
YOOX
Group:
business
and
challenges.
Security
evolu@on
overview
From
Tech
Oriented
approach
to
Informa@on
Oriented
approach
– Deep
Inves@ga@on
– Proac@ve
Dashboard:
IP
Blacklist
– Real-­‐@me
Dynamic
Dashboard:
Aback
Map
Risk
Management
and
Pabern
Recogni@on
– Use
Case:
Abackers
Ac@vity
Reconsidering
dashboard
design
Next
Steps
5

6. YOOX
Group
6
Global
reach
to
more
than
100
countries
worldwide
Five
logis@cs
centers
strategically
located,
guaranteeing
top
service
to
all
major
fashion
markets
(United
States,
Europe,
Japan,
China,
Hong
Kong)

7. YOOX
Group:
OS
&
Mul@-­‐Brand
7
§ The online destination for women
dedicated entirely to in-season high-end
shoes
§ Exclusive shoe-related services and
innovative editorial component
§ Launched in 2012
§ Exclusive
official
online
flagship
stores
of
leading
fashion
and
luxury
brands
§ Long-­‐term
partnerships
MONO-­‐BRAND
§ The luxury online boutique with in-season
assortment of high fashion and directional
designers for men and women
§ Dedicated mini-stores
§ Launched in 2008
Online stores “Powered by YOOX Group”
MULTI-­‐BRAND
§ The
world’s
leading
online
lifestyle
store
for
fashion,
design
and
art
§ Broad
offering
of
end-­‐of-­‐season
premium
apparel
and
accessories,
exclusive
collec@ons,
vintage,
home
&
design
and
artworks
§ Launched
in
2000
JVCo with Kering
and
many
more
…

8. YOOX
Group:
Challenges
Keep
the
trust
– Data
Confiden@ality
– Data
Integrity
and
Completeness
– Data
Processing
Transparency
High
Availability
in
hos@le
enviroment
Gain
the
big
picture:
– Challenge
and
Enabler
8
ü Shareholders
ü Customers
ü Stakeholders

9. Security
Evolu@on
Overview
9
0
1
2
3
4
5
6
7
8
9
Data
Leakage
Preven@on
Informa@on
Security
Compliance
IPS
&
Anomaly
Detec@on
Administra@ve
Access
Control
PCI-­‐DSS
Compliance
Sites
Vulnerability
Checks
Code
Review
Logical
Access
Governance
Security
Intelligence
PlaIorm
Online
Brand
Protec@on
Privacy
Compliance
Informa@on
Process
Analysis
2011
2013
2015

10. Security
Evolu@on
–
Tech
vs
Info
Technology
Oriented:
– Info
confined
to
technology
– Par@al
iden@ty
defini@on
– No
covered
gaps
Informa@on
Oriented
-­‐
Splunk:
– Enrichement
of
tech
logs
– Event
correla@on
– Clear
iden@ty
defini@on
10

11. From
Tech
to
Info
“From
a
technology
oriented
approach
to
an
info-­‐centric
approach.”
11

12. Inves@ga@on
12

13. Inves@ga@on:
Show
Details
13

14. Advanced
Dashboard:
IP
Blacklist
14
• Proac@ve
Dashboard
• One-­‐click
blacklist
on
Akamai
WAF
through
Akamai
API
calls
• Splunk
is
able
to
run
a
command
on
input
source
Drilldown
«From
a
passive/display
pla7orm
to
a
proac2ve/execu2ve
pla7orm»

15. WAF
Ac@vity
Representa@on:
Standard
Dashboard
15
• Sta@s@cal
evidences
by:
– Source
IP
– Aback
type
– WAF
Ac@on
• Event
distribu@on
over
the
@me
• Spike
visibility
depends
from
the
scale
• Is
not
evident:
– Aback
frequency
– Rela@on
between
Source
IP,
Aback
type
and
WAF
ac@on
Pros
Cons

16. “From
standard
dashboards
to
real-­‐2me
dynamic
dashboards”
Real-­‐@me
Dynamic
Dashboard:
Aback
Map
16

17. Security
Evolu@on
–
Risk
Mgmt
&
Pabern
Rec.
Risk
Management:
– Correla@on
of
Tech
Elements
and
Business
Elements
– Support
to
quan@ta@ve
risk
analysis
– Assigning
Risk
value
to
alerts
Pabern
Recogni@on:
– Different
levels
of
correla@on
– Pabern
as
result
of
several
high-­‐level
events
from
different
systems
by
iden@ty
– Knowledge
from
historical
incidents
and
analysts
experience
– Goal:
detect
user
behavior
and
recurrent
aback
paberns
17

18. Pabern
Recogni@on
Single
security
events
may
be
part
of
a
more
complex
ac@on.
18
Correla@on
Brute
Force
Exce.
Out
Data
High
Conn.
Correla@on
Level
1
Correla@on
Level
2
Correla@on
Level
n
Data
Exfiltra@on
«From
log
correla2on
to
pa3ern
recogni2on»
Sequence
Introduced
by
high
level
analyst
Pabern
Consolida@on
Analyst

19. Risk
Management
Usually
single
security
event
has
a
sta@c
risk
We
need
risk
value
based
on
content
and
other
events
correlated
19
“From
a
security
event
to
an
context-­‐aware
security
informa2on”
Risk
Sta@c
Assign.
(Lookup)
N
level
correla@on
Content
Eval

20. Use
Case:
Abackers
Ac@vity
Detect
sequence
of
relevant
event
by
iden:ty
Ac@vity
Score:
ver@cal
axes,
max
of
the
same
alert
type
Ac@vity
Frequency:
ball
diameter
20
Pa=ern
Recogni:on
Risk
Value

21. Reconsidering
Dashboard
Design
21
Na@ve
Log
Collec@on
Splunk
Log
Collec@on
Standard
Dashboards
Advanced
Dashboards
Pabern
Recogni@on
Splunk
Engeneers
NOC
SOC
Security
Analyst
Head
of
Security
Knowledge
Data
Meaning
The
Big
Picture

22. Key
Takeaways
22
From
a
technology
oriented
approach
to
an
info-­‐centric
approach.
From
log
correla2on
to
pa3ern
recogni2on.
From
a
passive/display
pla7orm
to
a
proac2ve/execu2ve
pla7orm.
From
standard
dashboards
to
real-­‐2me
dynamic
dashboards.
From
a
security
event
to
an
context-­‐aware
security
informa2on.

23. Next
Steps
23
Extend
the
scope
(channels,
data,
devices)
Deep
into
the
noise

24. 24
Ques@ons?

25. THANK
YOU