Copyright © 2017 Splunk Inc.
Splunk Stream
Tomas Baublys
Sr. Sales Engineer
Agenda
• Market Challenges
• Product Overview
• Architecture and Deployment
• Stream 7.0 Features
• Demo
• FAQ and Summary
Introduction: Market Challenges and Splunk Solution
Problem Statement
ITOA / APM / NPM:
• How do we get accurate data for my mission?
Security Analysis:
• Details of conversations may not be contained in logs
• Security data may be hard to acquire
• If an entity is compromised, it may not log at all!
• Applications may not accurately report their own performance
• Better to rely on an external agent to report the health of an entity than the entity itself (especially if it’s underperforming!)
Solution: Wire Data with Splunk Stream!
Monitor application conversations and network performance
Direct ingest into Splunk (no props/transforms)
Stream is not a dedicated:
– APM / NPM tool, but has aspects of both
– Security Analytics tool, but its data is useful for both real-time and forensic security analysis
It’s Free! https://splunkbase.splunk.com/app/1809/
What’s Wire Data?
Network Conversations
Machine data
Poly-structured data
Authoritative record of real-time and historical communication between machines and applications
tcpdump -qns 0 -A -r blah.pcap
20:57:47.368107 IP 205.188.159.57.25 > 67.23.28.65.42385: tcp 480
0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39 E....L@.3..I...9
0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681 C..A....P.....F.
0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0 ................
0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033 .Ck.220-rly-da03
0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54 .mx.aol.com.ESMT
0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d P.mail_relay_in-
0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920 da03.4;.Thu,.09.
0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34 Jul.2009.16:57:4
0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65 7.-0400..220-Ame
0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c rica.Online.(AOL
0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69 ).and.its.affili
0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064 ated.companies.d
[Diagram: traffic path from End Users across the Network to Servers, with the typical collection point marked]
How Will Wire Data Help Solve the Problem?
Wire data represents capture of true conversations between endpoints
It has the “omniscient view” of what actually transpired
The conversations contain the details about each transaction, including the time of occurrence
Less chance of interference
– Intentional / Malicious
– Load or resource based
Stream Metadata vs. Flow Records
[Diagram: two OSI stacks (7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical); Splunk Stream covers every layer, while flow-type data covers only the Network and Transport layers]
• Traditional Wire Data flow-type records (such as NetFlow) generally contain only IP addresses and TCP or UDP ports.
• While this can show host-host connections, it doesn’t give any insight about the content of those conversations (like telephone call records)
• Splunk Stream parses wire data all the way up the stack and generates Events with information at every level (more akin to a written transcript of a phone call)
Stream Metadata vs Full Packet Capture
Stream Metadata contains essential content information:
– L3/L4 and L7 headers and payload
Eliminates the redundancy of thousands of identical headers
– Significantly smaller data storage
Stream events in Splunk
1. L2/L3/L4 Flow info (IP, Port, Proto, App name)
2. L7 Protocol Info (HTTP headers, SMTP addresses, DNS query/resp)
3. L7 Full bidirectional payload (possibly hashed or hex encoded)
4. Directly measured metrics (byte count, resp. time)
5. Empirically derived heuristics (round-trip, server delay)
6. Any specific fields, configurable
Product Overview
Wire Data Collection / Metadata Generation
[Diagram: traffic between End Users and a monitored Host running UF/HEC plus STM; Packets pass through Decryption (if necessary) into the Protocol Decoder (Deep Packet Inspection), which pairs Request/Response and emits Events]
Wire Data Collection / Metadata Generation
[Diagram: the same pipeline fed from a TAP or SPAN port between End Users and Servers instead of from the host itself]
What’s Available In Splunk Stream Data?
Performance Metrics: Round Trip Time, Client Request Time, Server Reply Time, Server Send Time, Total Time Taken, Base HTML Load Time, Page Content Load Time, Total Page Load Time
Application Data: POST Content, AJAX Data, Section, Sub-Section, Page Title, Session Cookie, Proxied IP Address, Error Message
Business Data: Product ID, Customer ID, Shopping Cart ID, Cart Items, Cart Values, Discounts, Order ID, Abandoned?
Splunk Stream (7.0)
Metadata Collection
– Collects essential elements of the application conversation
– Eliminates redundancy of duplicate packet headers
Live Interface Collection Option
– Collect directly on hosts
– Also from a tap or SPAN port
Estimate Mode
– Deploy Stream without collecting data (or affecting license)
Commercial App Detection (300+)
– Works even if the app is encrypted
Aggregation Mode
– Statistics generated at endpoint
– Similar to “stats sum(x)” in SPL
Filtering at Endpoint
Out-of-Box Content
– Dashboards for common protocols
Distributed Forwarder Mgt
– Similar to Splunk UF mgt
– All config centrally managed
– Forwarder Groups
1GbE and 10GbE link options
– 10 GbE uses DPDK SDK (dpdk.org)
Protocols Parsed with Stream 7.0
Simple Transport: TCP, UDP, IP
Infrastructure: ARP, DHCP, SNMP, DNS, ICMP
File Transfer: FTP, HTTP
File Service: NFS, SMB
Email: IMAP, MAPI, POP3, SMTP
Messaging: AMQP, IRC, SMPP, XMPP
Authentication: Diameter, LDAP, RADIUS
Database: MySQL, Postgres, TDS (Sybase / MS-SQL), TNS (Oracle SQL*Net)
VoIP: SIP, RTP
Commercial Application Detection
Adds many hundreds of detectable applications to the existing “app” field of the TCP stream type
Helps diagnose problems such as:
– “what is going over port 80?”
– “what’s taking all of my bandwidth?”
DOES NOT PARSE applications, simply detects them
– Will detect encrypted protocols!
– Will detect vendor-proprietary protocols!
– Uses empirical patterns, DNS, Cert CNs and other methods
Current feature supports 300+ applications, many more to be added
300+ Commercial Applications Detected
Adobe Flash Plugin Update Adobe Update Manager AIM express AIM Transfer AllMusic.com Altiris Amazon Ad System Amazon Cloud Drive Amazon Generic Services Amazon MP3 Amazon Video
Amazon Web Services/Cloudfront CDN Android connectivity Manager Aol AOL Instant Messenger (formerly OSCAR) Apple AirPlay Apple Airport Apple AirPrint Apple App Store Apple FaceTime Apple
Generic Services Apple HTTP Live Streaming Apple Location Apple Maps Apple Music Apple Push Notification Service Apple SIRI Apple Update ASProxy Atlassian Background Intelligent Transfer
Service Baidu Player Baidu_wallet Baidu.com Bet365.com Bitcoin client BitTorrent Bittorrent Apps BitTorrent Bleep (aka BitTorrent Chat) BlackBerry Locate BlackBerry Messenger BlackBerry
Messenger Audio BlackBerry Messenger Video BlackBerry.com Border Gateway Protocol CARBONITE CCProxy ChatON Chatroulette.com Chrome Update Cisco Discovery Protocol Cisco MeetingPlace
Cisco Netflow Common Unix Printer System Crackle craigslist Data Stream Interface DB2 Debian/Ubuntu Update Dropbox Download Dropbox Upload Dropbox.com eBay.com Edonkey Evernote.com
EverQuest - EverQuest II Facebook Facebook Messenger FarmVille Find My iPhone Firefox Update Flickr Generic Routing Encapsulation GitHub Gmail Basic Gmail drive Gmail Mobile GNUnet Gnutella
Google Accounts Google Analytics Google App Engine Google Cache Google Calendar Google Chat Google Cloud Messaging Google Cloud Storage Google Documents (aka Google Drive) Google Earth
Google Generic Google groups Google GStatic Google Hangouts (formerly Google Talk) Google Mail Google Maps Google Picasa Google Play Music,Google Play Musique Google Play Store Google Plus
Google Safe Browsing Google Tag Manager Google Toolbar Google Translate Google.com GoToDevice Remote Administration GoToMeeting Online Meeting GoToMyPC Remote Access GPRS
Tunneling Protocol GPRS Tunneling Protocol version 2 Half-Life Hi5.com High Entropy Hot Standby Router Protocol HP Printer Job Language Hulu HyperText Transfer Protocol version 2,HTTP/2 I2P
Invisible Internet Project IBM Informix IBM Lotus Sametime IBM SmartCloud IBM Websphere MQ iCloud (Apple) iHeartRADIO iMessage File Download Imgur.com Independant Computing
Architecture (Citrix) Instagram Internet Group Management Protocol Internet Printing Protocol Internet Security Association and Key Management Protocol Internet Small Computer Systems
Interface iOS over-the-air (OTA) update IP Payload Compression Protocol IP-in-IP tunneling IPsec Encapsulating Security Payload IRC File Transfer Data iTunes Jabber File Transfer Java Update JEDI
(Citrix) Kazaa (FastTrack protocol) KIK Messenger King Digital Entertainment LinkedIn.com Live hotmail for mobile Livestream.com LogMeIn Rescue magicJack Mail.ru Agent Maktoob mail Media
Gateway Control Protocol Message Session Relay Protocol Microsoft ActiveSync Microsoft Lync Microsoft Lync Online Microsoft Office 365 Microsoft Remote Procedure Call Microsoft Service Control
Microsoft SharePoint Microsoft SharePoint Administration Application Microsoft SharePoint Blog Management Application Microsoft SharePoint Calendar Management Application Microsoft
SharePoint Document Management Application Multi Protocol Label Switching data-carrying mechanism Nagios Remote Data Processor Nagios Remote Plugin Executor Name Service Provider
Interface Netflix.com NetMeeting ILS Network Time Protocol Nintendo Wi-Fi Connection Nortel/SynOptics Netwok Management Protocol OkCupid Online Certificate Status Protocol Oovoo Open
Shortest Path First Opera Update Orkut.com Outlook Web Access (Office 365) Outlook Web App PalTalk Paltalk audio chat PalTalk Transfer Protocol Paltalk video Pandora Radio Pastebin
Pastebin_posting PCAnywhere Photobucket.com Pinterest.com Playstation Network Plenty Of Fish QIK Video QQ QQ File Transfer QQ Games QQ Mail QQ WeiBo QQ.com QQDownload QQLive
Network Player QQMusic QQStream Quake quic QVOD Player RapidShare.com Real Time Streaming Protocol Remote Desktop Protocol (Windows Terminal Server) Remote Procedure Call RetroShare
Routing Information Protocol V1 Routing Information Protocol V2 Routing Internet Protocol ng1 Rovio Entertainment RSS Salesforce.com SAP SecondLife.com Secure Shell Session Traversal Utilities
for NAT SharePoint Online Silverlight (Microsoft Smooth Streaming) Simple Object Access Protocol Skinny Client Control Protocol Slacker Radio Slingbox Snapchat SOCKet Secure v5 SoMud Bittorrent
tracker SoundCloud SourceForge SPDY Spotify SquirrelMail Steampowered.com Symantec Norton AntiVirus Updates Syslog Systems Network Architecture Teamspeak v2 TeamSpeak v3 TeamViewer
Telnet Teredo protocol Terminal Access Controller Access-Control System Plus TIBCO RendezVous Protocol Tor2web Tumblr Twitch Twitpic Twitter UStream uTorrent uTP (Micro Transport Protocol)
UUSee Protocol VEVO Viber Vimeo.com Vine Virtual Router Redundancy Protocol VMWare vmware_horizon_view Waze Social GPS Maps & Traffic WebEx WhatsApp Messenger WHOIS
WiiConnect24 Wikipedia.com Windows Azure CDN Windows Internet Naming Service Windows Live File Storage Windows Live Groups Windows Live Hotmail Windows Live Hotmail Attachements
Windows Live SkyDrive Windows Live SkyDrive Login Windows Marketplace Windows Update WordPress.com World of Warcraft Xbox Live Xbox Live Marketplace Xbox Music Xbox Video (Microsoft
Movies and Tv) xHamster.com Yahoo groups Yahoo Mail classic Yahoo Mail v.2.0 Yahoo Messenger Yahoo Messenger conference service Yahoo Messenger Transfer Protocol Yahoo Messenger Video
Yahoo Search Yahoo webmail for mobile Yahoo Webmessenger Yahoo.com Yellow Page Bind Yellow Page Passwd Yellow Pages Server Youtube.com
Example of Applications in Search
Search: sourcetype=stream:* | stats count by app
Results (app, count):
amazon_aws 31
apple 5
apple_location 2
dhcp 6
facebook 6
flickr 1
google 58
google_analytics 4
google_gen 29
google_safebrowsing 8
google_tags 3
gstatic 11
http 7945
http2 11
https 214
icloud 8
imgur 9
krb5 30
live_hotmail 6
norton_update 5
ntp 2
ocsp 81
pinterest 1
skype 1411
smb 12
spdy 4
spotify 3
teredo 15
tumblr 28
twitter 11
yahoo 129
yahoo_search 1
ymsg_webmessenger 3
youtube 1
Data Estimate Mode (per-Stream)
[Screenshot: per-Stream configuration showing the Estimate Mode selection and the estimated Data Volume]
Prebuilt Reporting
Get visibility into application performance and user experience
Understand database activity and performance without impacting database operation
Improve security and application intelligence with DNS analytics
Live Demo
Architecture and Deployment
Collect and Monitor Data with Stream
Stream has two deployment architectures and two collection methodologies
Deployment:
– In-line directly on monitored host
– Out-of-band (stub) with TAP or SPAN port
Collection:
– Technical Add-On (TA) with Splunk Universal Forwarder (UF)
– Independent Stream Forwarder using HTTP Event Collector (HEC)
Deployment: Dedicated Collector
[Diagram: End Users reach the Servers through the Internet and a Firewall; a TAP or SPAN feeds a Linux Forwarder running Splunk_TA_Stream, which sends to the Splunk Indexers queried by the Search Head]
Deployment: Run on Servers
[Diagram: Universal Forwarders with Splunk_TA_stream installed directly on the Physical or Virtual Servers (Physical Datacenter, Public or Private Cloud) behind the Firewall and Internet, sending to the Splunk Indexers queried by the Search Head]
Stream Forwarder Options
1. Stream TA
• Stream deploys as a modular input on top of your Splunk Forwarders.
2. Independent Stream Forwarder
• Stream deploys as a stand-alone binary and communicates via HEC.
• Requires >= Splunk 6.3.1
• Makes it easy to add Stream anywhere in your environment
[Diagram: Stream TA path, Splunk Forwarder to Splunk Indexers; Independent Stream Forwarder path, Any Linux Host to Splunk Indexers over HTTP/S]
Distributed Forwarder Management
Gain more deployment flexibility
Increase management efficiency with per-forwarder protocol control
Tailor data collection by assigning different sets of protocols to groups of forwarders
[Diagram: Protocol Selection, Configuration & Distribution, with different protocol sets (TNS, MySQL, HTTP, DNS, TCP, SIP, Diameter, UDP) assigned to forwarder groups]
New Features in Stream 7
Major New Features in Stream 7.0
Splunk Stream 7.0 was released GA in November 2016
NetFlow Collector
– NetFlow v5, v9 (with template support), IPFIX (with vendor extensions)
MD5 Hashing
– Any parsed Stream field, including SMTP attachments and HTTP files
– Integrates with Enterprise Security – Threat Intelligence Framework
Flow Visualization for all IPv4 space
PCAP Upload via SH and Continuous Directory Monitoring via Forwarder
Enhanced Metadata Fields (e.g., FlowID, Protocol Stack, Event Name)
Configuration Templates
– Easier integration with other Splunk products
Flow Collection
Active Flow listening socket on Stream Forwarder
Flexible Configuration Options
– Selectable fields and filtering
– Can configure multiple, distinct listening ports on each Stream Forwarder
Supports most common versions of Flow protocols
– Cisco NetFlow, Juniper jFlow, HP sFlow, cFlowd
– NetFlow v5, v9, IPFIX
– V9 with templates (standard and custom)
– IPFIX with vendor extensions
Aggregation of Flow records (pre-indexing) can dramatically reduce the number of Splunk Events created
Performance > 465,000 flows/second (on a single Independent Stream Forwarder)
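The pre-indexing aggregation and the L3/L4 nature of flow records described above, as an added example that is not Splunk Stream code: a NetFlow v5 decoder that rejects truncated or mis-versioned datagrams and collapses repeated records per 5-tuple before they would become Splunk events. The datagram is constructed inline from documentation-range addresses; `is_rejected` and `event_reduction` are helper names of this example only.

```python
"""NetFlow v5 decoding plus pre-index aggregation (added example, not Splunk code)."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed-size wire layouts of the NetFlow v5 export format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30  # a v5 datagram never carries more than 30 records
FiveTuple = Tuple[str, str, int, int, int]

@dataclass(frozen=True)
class FlowRecord:
    # Only L3/L4 facts: who talked to whom, never what was said.
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int  # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int
    tcp_flags: int

def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one v5 datagram, rejecting anything a collector should not index."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but the datagram does not match")
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src_ip=socket.inet_ntoa(struct.pack("!I", src)),
            dst_ip=socket.inet_ntoa(struct.pack("!I", dst)),
            src_port=sport, dst_port=dport, protocol=proto,
            packets=pkts, octets=octets, tcp_flags=flags))
    return records

def is_rejected(datagram: bytes) -> bool:
    """True when the parser refuses the datagram (truncated, wrong version, bad count)."""
    try:
        parse_netflow_v5(datagram)
    except ValueError:
        return True
    return False

def aggregate_flows(records: List[FlowRecord]) -> Dict[FiveTuple, Tuple[int, int, int]]:
    """Collapse records sharing a 5-tuple into (packets, octets, merged_record_count).

    Exporters re-emit a long conversation every active-timeout interval; summing
    those records before indexing is the endpoint equivalent of `stats sum(x)`.
    """
    totals: Dict[FiveTuple, List[int]] = defaultdict(lambda: [0, 0, 0])
    for r in records:
        key = (r.src_ip, r.dst_ip, r.src_port, r.dst_port, r.protocol)
        totals[key][0] += r.packets
        totals[key][1] += r.octets
        totals[key][2] += 1
    return {k: (v[0], v[1], v[2]) for k, v in totals.items()}

def build_v5_datagram(flows) -> bytes:
    """Sample-data builder: (src, dst, sport, dport, proto, pkts, octets) tuples to a datagram.
    Uptime, timestamps, interfaces and AS numbers are zeroed; TCP flags are PSH|ACK."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(struct.unpack("!I", socket.inet_aton(src))[0],
                       struct.unpack("!I", socket.inet_aton(dst))[0],
                       0, 0, 0, pkts, octets, 0, 0, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body

# Constructed sample (documentation address ranges): one DNS conversation exported
# three times by the active timeout, plus one HTTPS connection.
SAMPLE_FLOWS = [
    ("192.0.2.5", "192.0.2.53", 51000, 53, 17, 1, 78),
    ("192.0.2.5", "192.0.2.53", 51000, 53, 17, 1, 82),
    ("192.0.2.5", "192.0.2.53", 51000, 53, 17, 2, 160),
    ("192.0.2.7", "203.0.113.10", 44321, 443, 6, 12, 4810),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

def event_reduction(datagram: bytes) -> Tuple[int, int]:
    """Return (flow records received, Splunk events that would be indexed after aggregation)."""
    records = parse_netflow_v5(datagram)
    return len(records), len(aggregate_flows(records))

if __name__ == "__main__":
    received, indexed = event_reduction(SAMPLE_DATAGRAM)
    print(f"{received} flow records collapsed into {indexed} events")
```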
Flow Collector Data Flow
NetFlow Collector
• NetFlow listening sockets (UDP ports)
• Actively capture Flows from NetFlow v5, v9, IPFIX
• Creates Splunk-compatible Flow Records
• Management from Stream Centralized UI
[Diagram, numbered steps:]
1. NetFlow enabled devices (Router, Network Switch)
2. Export NetFlow (over UDP)
3. NetFlow Metadata captured by Stream
4. Events in Splunk Indexer / Search Head
NetFlow and sFlow Streams UX
MD5 Hashing of Files
File Hashing provides integrity verification of files and can be used for a number of security use cases
– inbound malware detection
– outbound data loss prevention
Stream generates MD5 hashes equivalent to the “md5sum” unix command after decoding content back to binary
Specifically for SMTP file attachments and HTTP
MD5 hashes generated with Stream integrate directly into the Threat Intelligence framework of Enterprise Security, and have been tested with ES
As a bonus, *any* non-numeric field can be MD5 hashed using the “Extract New Field” option. The field can be length-truncated if desired.
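The decode-then-hash step the slide describes, as an added example rather than Splunk Stream code: a base64 SMTP attachment and a gzip-encoded HTTP body are decoded back to their binary bytes before MD5, so the digest matches `md5sum` of the file on disk and can be looked up against an indicator list. The message, HTTP body and indicator list are constructed; `THREAT_INTEL_MD5` stands in for the ES Threat Intelligence feeds.

```python
"""Hash transferred files after undoing the transport encoding (added example, not
Splunk Stream code). Hashing the base64 text or the gzip bytes instead would give
a digest that never matches an md5sum-based indicator.
"""
import email
import gzip
import hashlib
from email import policy
from typing import Dict, List, Tuple

# Constructed: a 6-byte file (b"hello\n") sent as a base64 MIME attachment.
SAMPLE_SMTP_MESSAGE = b"""From: sender@example.com
To: analyst@example.com
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: application/octet-stream; name="report.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.bin"

aGVsbG8K
--b1--
"""

# Constructed: the same 6 bytes delivered over HTTP with Content-Encoding: gzip.
SAMPLE_HTTP_HEADERS = {"content-type": "application/octet-stream",
                       "content-encoding": "gzip"}
SAMPLE_HTTP_BODY = gzip.compress(b"hello\n")

# Constructed indicator list keyed by MD5 (md5sum of b"hello\n"); a deployment
# would consult the Enterprise Security Threat Intelligence framework instead.
THREAT_INTEL_MD5 = {
    "b1946ac92492d2347c6235b4d2611184": "constructed test indicator",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def hash_smtp_attachments(raw_message: bytes) -> Dict[str, str]:
    """Return {filename: md5} for every attachment, hashing the decoded bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    digests: Dict[str, str] = {}
    for part in msg.iter_attachments():
        content = part.get_content()   # Content-Transfer-Encoding already undone
        if isinstance(content, str):   # text attachments are returned as str
            content = content.encode(part.get_content_charset() or "utf-8")
        digests[part.get_filename() or "<unnamed>"] = md5_hex(content)
    return digests

def hash_http_body(headers: Dict[str, str], body: bytes) -> str:
    """MD5 of an HTTP entity body after undoing Content-Encoding."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding != "identity":
        raise ValueError(f"unsupported content-encoding {encoding!r}")
    return md5_hex(body)

def match_threat_intel(digests: Dict[str, str],
                       intel: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (filename, md5, indicator description) for each digest found in intel."""
    return [(name, h, intel[h]) for name, h in digests.items() if h in intel]

if __name__ == "__main__":
    hits = match_threat_intel(hash_smtp_attachments(SAMPLE_SMTP_MESSAGE), THREAT_INTEL_MD5)
    print("SMTP attachment hits:", hits)
    print("HTTP body md5:", hash_http_body(SAMPLE_HTTP_HEADERS, SAMPLE_HTTP_BODY))
```

The same six bytes yield the same digest whether they arrive by SMTP or HTTP, which is what lets one indicator match a file regardless of transport. MD5 is not collision-resistant, so treat the digest as an IOC lookup key rather than as proof of a file's integrity.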
MD5 Hashing Data Flow
MD5 hashing
• Used to enable DLP and Security use cases
• Examines both inbound and outbound data transfer
• Can be used to find IOCs as well as data exfiltration
• Better metric than file names or file types
[Diagram, numbered steps:]
1. File Transfer Traffic (e.g., a malware file transfer) between Client and Server through the Network Switch is directed towards Stream via Tap or SPAN
2. Stream generates MD5 hashes of files, sends to Splunk Indexers
3. MD5 hashes compared against Threat Intel from public databases (ES Threat Intelligence / TA-Splice)
Flow Visualization
Designed to show limited Client->Server interaction for IPv4 address space. Overview and Detail views
Can be used in real-time, interactive, and forensic modes
Bubble chart that animates as flows appear (Detail view only)
Flow Visualization Detail View
[Screenshot: Horizontal Trends show your externally-accessible hosts; Vertical Trends illustrate your internal host address space; the Bubbles animate in real-time or in play-back mode]
Live Demo
FAQ and Summary
FAQ
Can I limit the amount of data collected with Stream?
• Yes. The app enables capture of only the relevant network/wire data for analytics, through filters and aggregation rules
• Select or deselect protocols and associated attributes with fine-grained precision within the app interface
How can I estimate my indexing volume?
• Data volume can vary based upon the number of selected protocols, attributes and the amount of network traffic
• Use Stream Estimate to understand the indexing impact
Where is Stream typically installed?
• Stream can be installed on any physical or virtual host running a supported OS, on premises or in the cloud
• It can be installed off of TAP and SPAN ports
• It can be deployed in combination with TAP aggregation or visibility switches
Thank You

Splunk app for stream Splunk app for stream
Splunk app for stream
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 
Cloud Connectivity Service
Cloud Connectivity ServiceCloud Connectivity Service
Cloud Connectivity Service
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
 
Mobility & Data Strategies
Mobility & Data StrategiesMobility & Data Strategies
Mobility & Data Strategies
 
Why And When Should We Consider Stream Processing In Our Solutions Teqnation ...
Why And When Should We Consider Stream Processing In Our Solutions Teqnation ...Why And When Should We Consider Stream Processing In Our Solutions Teqnation ...
Why And When Should We Consider Stream Processing In Our Solutions Teqnation ...
 
voip_en
voip_envoip_en
voip_en
 
IoTaConf 2014 - IoT Connectivity, Standards, and Architecture
IoTaConf 2014 - IoT Connectivity, Standards, and ArchitectureIoTaConf 2014 - IoT Connectivity, Standards, and Architecture
IoTaConf 2014 - IoT Connectivity, Standards, and Architecture
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
Introduction to back-end
Introduction to back-endIntroduction to back-end
Introduction to back-end
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
3 Software Stacks for IoT Solutions
3 Software Stacks for IoT Solutions3 Software Stacks for IoT Solutions
3 Software Stacks for IoT Solutions
 
Sinnreich Henry Johnston Alan Pt 2
Sinnreich Henry Johnston Alan   Pt 2Sinnreich Henry Johnston Alan   Pt 2
Sinnreich Henry Johnston Alan Pt 2
 
MICROSOFT E IL MONDO IOT
MICROSOFT E IL MONDO IOTMICROSOFT E IL MONDO IOT
MICROSOFT E IL MONDO IOT
 
Windows iot barone
Windows iot baroneWindows iot barone
Windows iot barone
 
The Internet and World Wide Web
The Internet and World Wide WebThe Internet and World Wide Web
The Internet and World Wide Web
 
Incident Response: SIEM
Incident Response: SIEMIncident Response: SIEM
Incident Response: SIEM
 
SIEM
SIEMSIEM
SIEM
 

More from Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
Splunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
Splunk
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
Splunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
Splunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
Splunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
Splunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
Splunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
Splunk
 

More from Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 

Splunk Stream - Einblicke in Netzwerk Traffic

  • 1. Copyright © 2017 Splunk Inc. Splunk Stream. Tomas Baublys, Sr. Sales Engineer.
  • 2. Agenda
    • Market Challenges
    • Product Overview
    • Architecture and Deployment
    • Stream 7.0 Features
    • Demo
    • FAQ and Summary
  • 4. Problem Statement
    ITOA / APM / NPM:
    • How do we get accurate data for my mission?
    Security Analysis:
    • Details of conversations may not be contained in logs
    • Security data may be hard to acquire
    • If an entity is compromised, it may not log at all!
    • Applications may not accurately report their own performance
    • Better to rely on an external agent to report the health of an entity than on the entity itself (especially if it’s underperforming!)
  • 5. Solution: Wire Data with Splunk Stream!
    Monitor application conversations and network performance
    Direct ingest into Splunk (no props/transforms)
    Stream is not a dedicated
      – APM / NPM tool, but has aspects of both
      – Security Analytics tool, but its data is useful for both real-time and forensic security analysis
    It’s Free! https://splunkbase.splunk.com/app/1809/
  • 6. What’s Wire Data?
    Network Conversations
    Machine data
    Poly-structured data
    Authoritative record of real-time and historical communication between machines and applications
    tcpdump -qns 0 -A -r blah.pcap
    20:57:47.368107 IP 205.188.159.57.25 > 67.23.28.65.42385: tcp 480
    0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39 E....L@.3..I...9
    0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681 C..A....P.....F.
    0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0 ................
    0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033 .Ck.220-rly-da03
    0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54 .mx.aol.com.ESMT
    0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d P.mail_relay_in-
    0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920 da03.4;.Thu,.09.
    0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34 Jul.2009.16:57:4
    0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65 7.-0400..220-Ame
    0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c rica.Online.(AOL
    0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69 ).and.its.affili
    0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064 ated.companies.d
    Diagram labels: End Users, Typical Collection Point, Servers, Network
  • 7. How Will Wire Data Help Solve the Problem?
    Wire data represents a capture of the true conversations between endpoints
    It has the “omniscient view” of what actually transpired
    The conversations contain the details about each transaction, including the time of occurrence
    Less chance of interference
      – Intentional / Malicious
      – Load or resource based
  • 8. Stream Metadata vs. Flow Records
    Diagram: the OSI layers (7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical), shown once for Splunk Stream and once for Flow-type Data
    • Traditional wire data flow-type records (such as NetFlow) generally contain only IP addresses and TCP or UDP ports.
    • While this can show host-to-host connections, it doesn’t give any insight into the content of those conversations (like telephone call records)
    • Splunk Stream parses wire data all the way up the stack and generates events with information at every level (more akin to a written transcript of a phone call)
  • 9. Stream Metadata vs Full Packet Capture
    Stream Metadata contains essential content information:
      – L3/L4 and L7 headers and payload
    Eliminates the redundancy of thousands of identical headers
      – Significantly smaller data storage
  • 10. Stream events in Splunk
    1. L2/L3/L4 flow info (IP, port, proto, app name)
    2. L7 protocol info (HTTP headers, SMTP addresses, DNS query/resp)
    3. L7 full bidirectional payload (possibly hashed or hex encoded)
    4. Directly measured metrics (byte count, resp. time)
    5. Empirically derived heuristics (round-trip, server delay)
    6. Any specific fields, configurable
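To make the difference between a flow record (slide 8) and a Stream event (slides 9 and 10) concrete, the example below decodes the very packet printed on the “What’s Wire Data?” slide. It is an added example, not Splunk Stream code: the hex bytes are transcribed from the slide’s tcpdump output (the slide shows only the first 0xC0 bytes of a 532-byte packet), and the PORT_TO_APP table and the SMTP greeting parser are constructed for the example. The flow dictionary is what a NetFlow-style record would carry; the l7 dictionary is what only a protocol decoder can produce.

```python
"""Decode the tcpdump hex dump from the slide into flow-level metadata
and L7 content. Added example for this transcript; not Splunk Stream code."""
import hashlib
import json
import struct

# Transcribed from the slide's tcpdump output (hex columns only).
SLIDE_HEXDUMP = """
0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39
0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681
0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0
0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033
0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54
0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d
0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920
0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34
0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65
0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c
0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69
0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064
"""

# Constructed port-to-application hint table (a real decoder would
# fingerprint the payload rather than trust the port).
PORT_TO_APP = {25: "smtp", 53: "dns", 80: "http"}
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "A"), (0x20, "U")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: hhhh hhhh ...' lines back into raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        out.extend(bytes.fromhex(words.replace(" ", "")))
    return bytes(out)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791: the one's-complement sum of the header, including the
    stored checksum field, must come out as 0xFFFF."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_smtp_banner(payload: bytes) -> dict:
    """Server greeting: 3-digit code, '-' or ' ', then text whose first
    token is the hostname the server announces (RFC 5321 greeting)."""
    first = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    if len(first) < 4 or not first[:3].isdigit():
        return {}
    return {"code": first[:3], "server": first[4:].split(" ", 1)[0],
            "greeting": first}


def decode_packet(pkt: bytes) -> dict:
    """Split one IPv4/TCP packet into the fields a flow record carries
    and the L7 content a protocol decoder sees."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    if proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("only TCP is decoded in this example")
    tcp = pkt[ihl:]
    src_port, dst_port, _seq, _ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4          # TCP header length incl. options
    payload = pkt[ihl + data_off:]
    flow = {                               # what NetFlow-style data shows
        "src_ip": ".".join(str(b) for b in pkt[12:16]),
        "dst_ip": ".".join(str(b) for b in pkt[16:20]),
        "src_port": src_port, "dst_port": dst_port, "proto": "tcp",
        "ttl": ttl, "ip_total_len": total_len,
        "tcp_flags": "".join(n for bit, n in TCP_FLAG_NAMES if tcp[13] & bit),
        "window": struct.unpack("!H", tcp[14:16])[0],
        "ip_checksum_ok": ip_checksum_ok(pkt[:ihl]),
    }
    app = PORT_TO_APP.get(src_port) or PORT_TO_APP.get(dst_port)
    l7 = {                                 # what only a decoder produces
        "app": app,
        "payload_len_declared": total_len - ihl - data_off,
        "payload_len_captured": len(payload),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_text": payload.decode("ascii", errors="replace"),
    }
    if app == "smtp":
        l7["smtp"] = parse_smtp_banner(payload)
    return {"flow": flow, "l7": l7}


if __name__ == "__main__":
    print(json.dumps(decode_packet(hexdump_to_bytes(SLIDE_HEXDUMP)), indent=2))
```

Run stand-alone it prints the flow tuple 205.188.159.57:25 to 67.23.28.65:42385 and, from the same bytes, the SMTP greeting of rly-da03.mx.aol.com; the slide only shows 140 of the 480 payload bytes, which is why the captured and declared payload lengths differ. The SHA-256 field mirrors slide 10’s “possibly hashed” payload option, which lets an event carry a stable fingerprint of content without storing the content itself.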
  • 12. Wire Data Collection / Metadata Generation (host-based collection)
    Diagram labels: End Users; Host + (UF/HEC) + STM; Protocol Decoder (Deep Packet Inspection); Events; Decryption (If Necessary); Request/Response Packets
  • 13. Wire Data Collection / Metadata Generation (TAP or SPAN collection)
    Diagram labels: End Users; TAP or SPAN; Servers; Protocol Decoder (Deep Packet Inspection); Events; Decryption (If Necessary); Request/Response Packets
  • 14. What’s Available In Splunk Stream Data?
    Performance Metrics: Round Trip Time, Client Request Time, Server Reply Time, Server Send Time, Total Time Taken, Base HTML Load Time, Page Content Load Time, Total Page Load Time
    Application Data: POST Content, AJAX Data, Section, Sub-Section, Page Title, Session Cookie, Proxied IP Address, Error Message
    Business Data: Product ID, Customer ID, Shopping Cart ID, Cart Items, Cart Values, Discounts, Order ID, Abandoned?
  • 15. Splunk Stream (7.0)
    Metadata Collection
      – Collects essential elements of the application conversation
      – Eliminates redundancy of duplicate packet headers
    Live Interface Collection Option
      – Collect directly on hosts
      – Also from a tap or SPAN port
    Estimate Mode
      – Deploy Stream without collecting data (or affecting license)
    Commercial App Detection (300+)
      – Works even if the app is encrypted
    Aggregation Mode
      – Statistics generated at the endpoint
      – Similar to “stats sum(x)” in SPL
    Filtering at Endpoint
    Out-of-Box Content
      – Dashboards for common protocols
    Distributed Forwarder Mgt
      – Similar to Splunk UF mgt
      – All config centrally managed
      – Forwarder Groups
    1GbE and 10GbE link options
      – 10 GbE uses the DPDK SDK (dpdk.org)
  • 16. Protocols Parsed with Stream 7.0
    Simple Transport: TCP, UDP, IP
    Infrastructure: ARP, DHCP, SNMP, DNS, ICMP
    File Transfer: FTP, HTTP
    File Service: NFS, SMB
    Email: IMAP, MAPI, POP3, SMTP
    Messaging: AMQP, IRC, SMPP, XMPP
    Authentication: Diameter, LDAP, RADIUS
    Database: MySQL, Postgres, TDS (Sybase / MS-SQL), TNS (Oracle SQL*Net)
    VoIP: SIP, RTP
  • 17. Commercial Application Detection
    Adds the many hundreds of applications to be detected to the TCP stream type’s existing “app” field
    Helps diagnose the problem of:
      – “what is going over port 80?”
      – “what’s taking all of my bandwidth?”
    DOES NOT PARSE applications, simply detects them
      – Will detect encrypted protocols!
      – Will detect vendor-proprietary protocols!
      – Uses empirical patterns, DNS, Cert CNs and other methods
    Current feature supports 300+ applications, many more to be added
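Slide 17 says that encrypted applications are detected, not parsed, from signals such as empirical patterns, DNS and certificate CNs. One passive signal in that family is the server name carried in the TLS ClientHello, which is sent in clear before the session is encrypted. The example below is added here and is not Splunk Stream’s detection code; using SNI as the signal is an assumption (the slide names DNS and cert CNs explicitly and “other methods” otherwise), and both the APP_BY_SUFFIX catalogue and the ClientHello builder are constructed for the example.

```python
"""Label an encrypted TLS session with an application name from the
ClientHello server_name extension. Added example; not Splunk Stream code."""
import struct

# Constructed catalogue: DNS suffix -> application label (the real
# catalogue on the slide has 300+ entries).
APP_BY_SUFFIX = {
    "dropbox.com": "Dropbox",
    "mail.google.com": "Gmail",
    "google.com": "Google Generic",
}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal ClientHello with only the server_name extension.
    Constructed test input, not captured traffic."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        b"\x03\x03" + bytes(32)                  # client_version + random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # null compression only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI hostname of a TLS ClientHello record, or None when the
    bytes are not a ClientHello or carry no server_name extension."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None                              # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                              # not a ClientHello
    pos = 4 + 2 + 32                             # header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                           # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                           # compression_methods
    if pos + 2 > len(hs):
        return None
    end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
    pos += 2
    while pos + 4 <= end:                        # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(ext) >= 5 and ext[2] == 0:
            name_len = struct.unpack("!H", ext[3:5])[0]
            if len(ext) >= 5 + name_len:
                return ext[5:5 + name_len].decode("ascii", errors="replace")
    return None


def detect_app(data: bytes):
    """Return (sni, app): the hostname and the longest-suffix catalogue match,
    with None where the session has no SNI or no known application."""
    sni = extract_sni(data)
    if sni is None:
        return None, None
    host = sni.lower().rstrip(".")
    best = None
    for suffix, app in APP_BY_SUFFIX.items():
        if (host == suffix or host.endswith("." + suffix)) and (
                best is None or len(suffix) > len(best[0])):
            best = (suffix, app)
    return sni, (best[1] if best else None)


if __name__ == "__main__":
    for host in ("www.dropbox.com", "mail.google.com", "docs.google.com", "example.net"):
        print(host, "->", detect_app(build_client_hello(host)))
```

The label is a hint rather than an identity: the client chooses the SNI value, and a session with no readable server name (or an encrypted ClientHello) yields None, which is exactly why the slide lists several independent signals; a production detector corroborates the SNI with the DNS answer that preceded the connection and with the certificate the server presents.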
  • 18. 20 300+ Commercial Applications Detected
    Adobe Flash Plugin Update Adobe Update Manager AIM express AIM Transfer AllMusic.com Altiris Amazon Ad System Amazon Cloud Drive Amazon Generic Services Amazon MP3 Amazon Video Amazon Web Services/Cloudfront CDN Android connectivity Manager Aol AOL Instant Messenger (formerly OSCAR) Apple AirPlay Apple Airport Apple AirPrint Apple App Store Apple FaceTime Apple Generic Services Apple HTTP Live Streaming Apple Location Apple Maps Apple Music Apple Push Notification Service Apple SIRI Apple Update ASProxy Atlassian Background Intelligent Transfer Service Baidu Player Baidu_wallet Baidu.com Bet365.com Bitcoin client BitTorrent Bittorrent Apps BitTorrent Bleep (aka BitTorrent Chat) BlackBerry Locate BlackBerry Messenger BlackBerry Messenger Audio BlackBerry Messenger Video BlackBerry.com Border Gateway Protocol CARBONITE CCProxy ChatON Chatroulette.com Chrome Update Cisco Discovery Protocol Cisco MeetingPlace Cisco Netflow Common Unix Printer System Crackle craigslist Data Stream Interface DB2 Debian/Ubuntu Update Dropbox Download Dropbox Upload Dropbox.com eBay.com Edonkey Evernote.com EverQuest - EverQuest II Facebook Facebook Messenger FarmVille Find My iPhone Firefox Update Flickr Generic Routing Encapsulation GitHub Gmail Basic Gmail drive Gmail Mobile GNUnet Gnutella Google Accounts Google Analytics Google App Engine Google Cache Google Calendar Google Chat Google Cloud Messaging Google Cloud Storage Google Documents (aka Google Drive) Google Earth Google Generic Google groups Google GStatic Google Hangouts (formerly Google Talk) Google Mail Google Maps Google Picasa Google Play Music,Google Play Musique Google Play Store Google Plus Google Safe Browsing Google Tag Manager Google Toolbar Google Translate Google.com GoToDevice Remote Administration GoToMeeting Online Meeting GoToMyPC Remote Access GPRS Tunneling Protocol GPRS Tunneling Protocol version 2 Half-Life Hi5.com High Entropy Hot Standby Router Protocol
    HP Printer Job Language Hulu HyperText Transfer Protocol version 2,HTTP/2 I2P Invisible Internet Project IBM Informix IBM Lotus Sametime IBM SmartCloud IBM Websphere MQ iCloud (Apple) iHeartRADIO iMessage File Download Imgur.com Independent Computing Architecture (Citrix) Instagram Internet Group Management Protocol Internet Printing Protocol Internet Security Association and Key Management Protocol Internet Small Computer Systems Interface iOS over-the-air (OTA) update IP Payload Compression Protocol IP-in-IP tunneling IPsec Encapsulating Security Payload IRC File Transfer Data iTunes Jabber File Transfer Java Update JEDI (Citrix) Kazaa (FastTrack protocol) KIK Messenger King Digital Entertainment LinkedIn.com Live hotmail for mobile Livestream.com LogMeIn Rescue magicJack Mail.ru Agent Maktoob mail Media Gateway Control Protocol Message Session Relay Protocol Microsoft ActiveSync Microsoft Lync Microsoft Lync Online Microsoft Office 365 Microsoft Remote Procedure Call Microsoft Service Control Microsoft SharePoint Microsoft SharePoint Administration Application Microsoft SharePoint Blog Management Application Microsoft SharePoint Calendar Management Application Microsoft SharePoint Document Management Application Multi Protocol Label Switching data-carrying mechanism Nagios Remote Data Processor Nagios Remote Plugin Executor Name Service Provider Interface Netflix.com NetMeeting ILS Network Time Protocol Nintendo Wi-Fi Connection Nortel/SynOptics Network Management Protocol OkCupid Online Certificate Status Protocol Oovoo Open Shortest Path First Opera Update Orkut.com Outlook Web Access (Office 365) Outlook Web App PalTalk Paltalk audio chat PalTalk Transfer Protocol Paltalk video Pandora Radio Pastebin Pastebin_posting PCAnywhere Photobucket.com Pinterest.com Playstation Network Plenty Of Fish QIK Video QQ QQ File Transfer QQ Games QQ Mail QQ WeiBo QQ.com QQDownload QQLive Network Player QQMusic QQStream Quake quic QVOD Player RapidShare.com Real Time Streaming Protocol
    Remote Desktop Protocol (Windows Terminal Server) Remote Procedure Call RetroShare Routing Information Protocol V1 Routing Information Protocol V2 Routing Internet Protocol ng1 Rovio Entertainment RSS Salesforce.com SAP SecondLife.com Secure Shell Session Traversal Utilities for NAT SharePoint Online Silverlight (Microsoft Smooth Streaming) Simple Object Access Protocol Skinny Client Control Protocol Slacker Radio Slingbox Snapchat SOCKet Secure v5 SoMud Bittorrent tracker SoundCloud SourceForge SPDY Spotify SquirrelMail Steampowered.com Symantec Norton AntiVirus Updates Syslog Systems Network Architecture Teamspeak v2 TeamSpeak v3 TeamViewer Telnet Teredo protocol Terminal Access Controller Access-Control System Plus TIBCO RendezVous Protocol Tor2web Tumblr Twitch Twitpic Twitter UStream uTorrent uTP (Micro Transport Protocol) UUSee Protocol VEVO Viber Vimeo.com Vine Virtual Router Redundancy Protocol VMWare vmware_horizon_view Waze Social GPS Maps & Traffic WebEx WhatsApp Messenger WHOIS WiiConnect24 Wikipedia.com Windows Azure CDN Windows Internet Naming Service Windows Live File Storage Windows Live Groups Windows Live Hotmail Windows Live Hotmail Attachments Windows Live SkyDrive Windows Live SkyDrive Login Windows Marketplace Windows Update WordPress.com World of Warcraft Xbox Live Xbox Live Marketplace Xbox Music Xbox Video (Microsoft Movies and Tv) xHamster.com Yahoo groups Yahoo Mail classic Yahoo Mail v.2.0 Yahoo Messenger Yahoo Messenger conference service Yahoo Messenger Transfer Protocol Yahoo Messenger Video Yahoo Search Yahoo webmail for mobile Yahoo Webmessenger Yahoo.com Yellow Page Bind Yellow Page Passwd Yellow Pages Server Youtube.com
  • 19. 21 Example of Applications in Search
    Search: sourcetype=stream:* | stats count by app

    app                  count
    amazon_aws              31
    apple                    5
    apple_location           2
    dhcp                     6
    facebook                 6
    flickr                   1
    google                  58
    google_analytics         4
    google_gen              29
    google_safebrowsing      8
    google_tags              3
    gstatic                 11
    http                  7945
    http2                   11
    https                  214
    icloud                   8
    imgur                    9
    krb5                    30
    live_hotmail             6
    norton_update            5
    ntp                      2
    ocsp                    81
    pinterest                1
    skype                 1411
    smb                     12
    spdy                     4
    spotify                  3
    teredo                  15
    tumblr                  28
    twitter                 11
    yahoo                  129
    yahoo_search             1
    ymsg_webmessenger        3
    youtube                  1
  • 20. 22 Data Estimate Mode (per-Stream)
    [Screenshot: Stream Estimate / Estimate Data Volume / Mode Selection]
  • 21. 23 Prebuilt Reporting
    – Get visibility into application performance and user experience
    – Understand database activity and performance without impacting database operation
    – Improve security and application intelligence with DNS analytics
  • 24. 26 Collect and Monitor Data with Stream
    Stream has two deployment architectures and two collection methodologies
    Deployment:
    – In-line directly on monitored host
    – Out-of-band (stub) with TAP or SPAN port
    Collection:
    – Technical Add-On (TA) with Splunk Universal Forwarder (UF)
    – Independent Stream Forwarder using HTTP Event Collector (HEC)
  • 25. 27 Deployment: Dedicated Collector
    [Diagram: End Users <-> Internet <-> Firewall <-> Servers, with a TAP or SPAN feeding a Linux Forwarder running Splunk_TA_Stream, which sends to Splunk Indexers searched by a Search Head]
  • 26. 28 Deployment: Run on Servers
    [Diagram: End Users <-> Internet <-> Firewall <-> Physical or Virtual Servers (Physical Datacenter, Public or Private Cloud) each running a Universal Forwarder with Splunk_TA_stream, sending to Splunk Indexers searched by a Search Head]
  • 27. 29 Stream Forwarder Options
    1. Stream TA
    • Stream deploys as a modular input on top of your Splunk Forwarders.
    2. Independent Stream Forwarder
    • Stream deploys as a stand-alone binary and communicates via HEC.
    • Makes it easy to add Stream anywhere in your environment
    • Requires >= Splunk 6.3.1
    [Diagram: Splunk Forwarder -> Splunk Indexers; Any Linux Host -> HTTP/S -> Splunk Indexers]
  • 28. 31 Distributed Forwarder Management
    – Gain more deployment flexibility
    – Increase management efficiency with per-forwarder protocol control
    – Tailor data collection by assigning different sets of protocols to groups of forwarders
    [Diagram: Protocol Selection, Configuration & Distribution of TNS, MySQL, HTTP, DNS, TCP, SIP, Diameter, UDP to forwarder groups]
  • 30. 33 Major New Features in Stream 7.0
    Splunk Stream 7.0 was released GA in November 2016
    NetFlow Collector
    – NetFlow v5, v9 (with template support), IPFIX (with vendor extensions)
    MD5 Hashing
    – Any parsed Stream field, including SMTP attachments and HTTP files
    – Integrates with Enterprise Security – Threat Intelligence Framework
    Flow Visualization for all IPv4 space
    PCAP Upload via SH and Continuous Directory Monitoring via Forwarder
    Enhanced Metadata Fields (e.g., FlowID, Protocol Stack, Event Name)
    Configuration Templates
    – Easier integration with other Splunk products
  • 31. 34 Flow Collection
    Active Flow listening socket on Stream Forwarder
    Flexible Configuration Options
    – Selectable fields and filtering
    – Can configure multiple, distinct listening ports on each Stream Forwarder
    Supports most common versions of Flow protocols
    – Cisco NetFlow, Juniper jFlow, HP sFlow, cFlowd
    – NetFlow v5, v9, IPFIX
    – V9 with templates (standard and custom)
    – IPFIX with vendor extensions
    Aggregation of Flow records (pre-indexing) can dramatically reduce the number of Splunk Events created
    Performance > 465,000 flows/second (on a single Independent Stream Forwarder)
  • 32. 35 Flow Collector Data Flow
    NetFlow Collector
    • NetFlow listening sockets (UDP ports)
    • Actively capture Flows from NetFlow v5, v9, IPFIX
    • Creates Splunk-compatible Flow Records
    • Management from Stream Centralized UI
    [Diagram: Router and Network Switch -> Stream Forwarder -> Splunk Indexer / Search Head]
    1. NetFlow enabled devices
    2. Export NetFlow (over UDP)
    3. NetFlow Metadata captured by Stream
    4. Events in Splunk Indexer / Search Head
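    To make the flow-collection and pre-index aggregation slides concrete, the following is an added example (not Splunk Stream code and not how the Stream collector is implemented internally): a minimal decoder for the fixed-layout NetFlow v5 datagram format (24-byte header, 48-byte records) plus the kind of pre-indexing aggregation the deck compares to "stats sum(x)" in SPL. The sample export datagram, the IP addresses in it and the field names chosen for the decoded records are all constructed for the example; the decoder rejects datagrams whose version is not 5 or whose length disagrees with the record count in the header, which is the failure mode a real UDP listener has to handle.

```python
"""NetFlow v5 decode and pre-index aggregation (added example, not Splunk Stream code)."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes, big-endian)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_packet(records, sys_uptime=1000, unix_secs=1480000000, flow_seq=0):
    """Encode flow dicts as one NetFlow v5 export datagram (only used to construct sample input)."""
    if len(records) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0\0\0\0",
            0, 0, r["packets"], r["bytes"], r["first"], r["last"],
            r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,
            0, 0, 0, 0, 0)
        for r in records)
    return header + body


def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into flow dicts; reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, unix_secs, _nsecs, flow_seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes), got {len(datagram)}")
    flows = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, *_rest) = fields
        flows.append({
            "src_ip": socket.inet_ntoa(src), "dest_ip": socket.inet_ntoa(dst),
            "src_port": sport, "dest_port": dport,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
            "duration_ms": last - first,      # sys_uptime deltas, milliseconds
            "export_time": unix_secs, "flow_seq": flow_seq + i,
        })
    return flows


def aggregate(flows, keys=("src_ip", "dest_ip", "protocol", "dest_port")):
    """Sum packets/bytes and count records per key before indexing,
    the equivalent of `stats sum(bytes) sum(packets) count by <keys>` in SPL."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for f in flows:
        bucket = agg[tuple(f[k] for k in keys)]
        bucket["packets"] += f["packets"]
        bucket["bytes"] += f["bytes"]
        bucket["flows"] += 1
    return dict(agg)


# Constructed sample export: two DNS lookups to the same resolver and one HTTPS flow.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": 17, "sport": 51234, "dport": 53,
     "packets": 1, "bytes": 70, "first": 100, "last": 100},
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": 17, "sport": 51235, "dport": 53,
     "packets": 1, "bytes": 82, "first": 120, "last": 120},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": 6, "sport": 44822, "dport": 443,
     "packets": 12, "bytes": 4500, "first": 130, "last": 900, "tcp_flags": 0x1b},
]
SAMPLE_DATAGRAM = build_v5_packet(SAMPLE_RECORDS)


def demo():
    """Decode the sample datagram and return (raw flows, aggregated flows)."""
    flows = parse_v5(SAMPLE_DATAGRAM)
    return flows, aggregate(flows)


if __name__ == "__main__":
    raw, summed = demo()
    print(f"{len(raw)} flow records -> {len(summed)} aggregated events")
    for key, stats in summed.items():
        print(key, stats)
```

    The aggregation step is where the event-count reduction on the slide comes from: the two DNS records collapse into one event keyed on resolver and port, while the raw flows stay available if you choose not to aggregate. The `duration_ms` field is a delta of the router's uptime counters, so it needs no clock synchronisation between exporter and collector.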
  • 33. 36 NetFlow and sFlow Streams UX
  • 34. 37 MD5 Hashing of Files
    File hashing provides integrity verification of files and can be used for a number of security use cases
    – inbound malware detection
    – outbound data loss prevention
    Stream generates MD5 hashes equivalent to the “md5sum” unix command after decoding content back to binary
    Specifically for SMTP file attachments and HTTP
    MD5 hashes generated with Stream integrate directly into the Threat Intelligence framework of Enterprise Security, and have been tested with ES
    As a bonus, *any* non-numeric field can be MD5 hashed using the “Extract New Field” option. The field can be length-truncated if desired.
  • 35. 38 MD5 Hashing Data Flow
    MD5 hashing
    • Used to enable DLP and Security use cases
    • Examines both inbound and outbound data transfer
    • Can be used to find IOCs as well as data exfiltration
    • Better metric than file names or file types
    [Diagram: Client <-> Network Switch <-> Server, file transfer (malware) mirrored via Tap or SPAN to Stream; Splunk Indexers; ES TA / Threat Intelligence; Internet]
    1. File Transfer Traffic between Client and Server directed towards Stream
    2. Stream generates MD5 hashes of files, sends to Splunk Indexers
    3. MD5 hashes compared against Threat Intel from public databases
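    The two MD5 slides hinge on one detail: the hash has to be taken over the file bytes after the transfer encoding is undone, otherwise it will never match an md5sum-style indicator. The following is an added example (not Splunk Stream or Enterprise Security code) that decodes a base64 MIME attachment from a raw SMTP message and a gzip-encoded HTTP response body back to binary, hashes both, and checks the digests against a hash set that stands in for an ES threat-intelligence lookup. The message, the HTTP response, the payload and the indicator set are all constructed inline; the HTTP path only handles Content-Length bodies and rejects a body whose length does not match the header, so a truncated capture does not yield a misleading hash.

```python
"""MD5 of transferred files after decoding (added example, not Splunk Stream code)."""
import email
import gzip
import hashlib
from email import policy
from email.message import EmailMessage


def md5_of_bytes(data):
    """Hex digest identical to what `md5sum` prints for a file holding these bytes."""
    return hashlib.md5(data).hexdigest()


def hash_smtp_attachments(raw_message):
    """Return {filename: md5} for every attachment in a raw RFC 5322 message,
    hashing the decoded bytes rather than the base64 text seen on the wire."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    result = {}
    for part in msg.iter_attachments():
        decoded = part.get_payload(decode=True)   # reverses base64 / quoted-printable
        if decoded is None:                       # multipart container, nothing to hash
            continue
        result[part.get_filename() or "unnamed"] = md5_of_bytes(decoded)
    return result


def hash_http_body(raw_response):
    """Return the md5 of an HTTP response body after reversing Content-Encoding: gzip.
    Only Content-Length bodies are handled; the length is verified against the bytes seen."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: end of headers not seen")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"-1"))
    if length != len(body):
        raise ValueError(f"body truncated: Content-Length {length}, captured {len(body)} bytes")
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)             # hash the file, not the compressed stream
    return md5_of_bytes(body)


def match_iocs(hashes, ioc_md5s):
    """Return (name, md5) pairs whose digest appears in a threat-intel hash set."""
    return [(name, h) for name, h in hashes.items() if h in ioc_md5s]


# --- constructed sample input, not captured traffic ---
SAMPLE_PAYLOAD = b"constructed sample file contents\x00\x01\x02"


def build_sample_smtp():
    """A small message with one base64-encoded binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "report"
    msg.set_content("see attached")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


def build_sample_http():
    """An HTTP/1.1 response carrying the same payload gzip-encoded."""
    gz = gzip.compress(SAMPLE_PAYLOAD)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: " + str(len(gz)).encode()
            + b"\r\n\r\n" + gz)


# Stands in for an Enterprise Security threat-intel lookup (constructed indicator set).
SAMPLE_IOC_MD5S = {md5_of_bytes(SAMPLE_PAYLOAD)}


if __name__ == "__main__":
    smtp_hashes = hash_smtp_attachments(build_sample_smtp())
    print("SMTP attachments:", smtp_hashes)
    print("HTTP body:", hash_http_body(build_sample_http()))
    print("IOC matches:", match_iocs(smtp_hashes, SAMPLE_IOC_MD5S))
```

    Hashing the raw base64 text or the gzip stream instead gives a digest that exists nowhere in any indicator feed, which is why "decoding content back to binary" on the slide matters more than the choice of hash function. Matching on content also survives the renaming and extension changes that defeat file-name and file-type rules.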
  • 36. 39 Flow Visualization
    – Designed to show limited Client->Server interaction for IPv4 address space
    – Overview and Detail views
    – Can be used in real-time, interactive, and forensic modes
    – Bubble chart that animates as flows appear (Detail view only)
  • 37. 40 Flow Visualization Detail View
    – Horizontal Trends show your externally-accessible hosts
    – The Bubbles animate in real-time or in play-back mode
    – Vertical Trends illustrate your internal host address space
  • 40. 43 FAQ
    Can I limit the amount of data collected with Stream?
    • Yes. The app enables capture of only the relevant network/wire data for analytics, through filters and aggregation rules
    • Select or deselect protocols and associated attributes with fine-grained precision within the app interface
    How can I estimate my indexing volume?
    • Data volume can vary based upon the number of selected protocols, attributes and the amount of network traffic
    • Use Stream Estimate to understand the indexing impact
    Where is Stream typically installed?
    • Stream can be installed on any physical or virtual host running a supported OS, on premises or in the cloud
    • It can be installed off of TAP and SPAN ports
    • It can be deployed in combination with TAP aggregation or visibility switches

Editor's Notes

  1. Customer facing deck
  2. With this app, Splunk customers can capture deep insights about application transaction times, transaction paths, network performance, and even database queries. By correlating wire data with other application and infrastructure data in Splunk software such as logs, metrics and events, users gain insights about app, service or network availability, performance and usage of their services. Visualize application and database insights including application transactions, HTTP error codes, response times, top URIs and database queries, without needing deep instrumentation or impacting the monitoring system. As a software solution, the Splunk App for Stream can be deployed on any type of cloud (in a VM). Our customers start gaining immediate insights into apps and cloud infrastructure without the deep instrumentation. This provides real-time visibility into any public, private or hybrid cloud infrastructure through insights from wire data. Additionally, customers can now securely decrypt SSL encrypted data for data completeness. As the nature of the apps running in the cloud is ephemeral, you can tailor your data collection easily. This can be achieved through temporary streams or fine-grained monitoring. Lastly, can be rapidly deployed to collect streaming network data to everyone,
  3. We will cover just three examples in this section. There are many more – please refer to the presentation titled Stream Customer Success Examples.
  4. This section covers the important features from the older releases. Skip, if the customer is familiar with the older releases.
  5. We will cover just three examples in this section. There are many more – please refer to the presentation titled Stream Customer Success Examples.
  6. Thank you. Open up for Questions
  7. Thank you. Open up for Questions