This document summarizes a presentation given by Jim Krev from Fieldglass on how they use Splunk. Key points include: - Fieldglass is a large VMS provider that uses Splunk to replace their SIEM and help one analyst do the work of two by making searches, dashboards, and reports easier to create. - They index data from various systems and applications to build dashboards for security monitoring, vulnerability tracking, and auditing. - Splunk has helped them identify issues faster and show continuous improvements required for their ISO certification. - They have found Splunk to be very useful and have developed internal apps and continue expanding their use of Splunk over time.

1. Copyright © 2012 Splunk, Inc.
Jim Krev, Fieldglass
Sr. Security Manager

2. About Fieldglass
Vendor Management System (VMS) system provider founded in 1999
Helps Global 2000 firms procure and manage the flexible workforce
(contingent labor, project-based services, independent contractors)
200 customers, including GlaxoSmithKline, Johnson & Johnson,
Monsanto, Rio Tinto & Salesforce, use Fieldglass in 78 countries, 14+
languages
Ranked largest VMS with highest satisfaction rating for past three
consecutive years, according to Staffing Industry Analysts
2

3. About the Speaker
Jim Krev
Responsible for information security and
compliance requirements
With Fieldglass for 5 years
Full time in security since 2004
Lecturer at DePaul University
– Encourages students to use Splunk for OSSEC
3

4. From Logging Only to SIEM Replacement
Been using Splunk for several years
Release of Enterprise Security made Splunk viable SIEM replacement
SIEM was overly complex
Made the argument to replace SIEM with Splunk = FTW!
“Our SIEM was overly complex and not as easy to
use as Splunk”
4

5. Saving Time and Money with Splunk
Only one analyst
Don’t have time to wait on two menus
With Splunk I can create a search, I can create a dashboard from that, I
can schedule a report
Don't waste a lot of time going back and forth between screens trying to
figure out how to produce a report
“One person can do the job of two with Splunk.”
5

6. Indexing Fieldglass Data (Exact Amount?)
Collecting data from physical and logical network:
– Network devices
– Server events
– Application logs
– Anti-virus
– Vulnerability scanning events
– IDS events from firewalls
– Custom csv
– Nmap scans
– We have built apps and created some cool looking dashboards
 Nessus and Nmap dashboard that correlates inventory
 Virus statistics over systems and time
6

7. Tracking Continuous Improvement for ISO
Certification
Tracking vulnerabilities in the
infrastructure
Need to showcase continuous
improvement for ISO certification
Senior Management looks at
dashboard
7

8. Building our own App with Splunk
Internal Audit App
– Proactively monitor passes
– Monitors incompletes
– Monitors failures
– Tracks control area and
owner
– Shows how we did on
internal Audit
8

9. 9

10. AHA!
Search on a fragment of an event and find the root cause
Correlate against all networking devices by index
Can see what's happening in all three networks
The ability to get down to the raw event
“Splunk is very addicting…once you start
playing around with it, it’s hard to shake.”
10

11. Extending with Splunk Apps
Splunk App for
Windows
Splunk on Splunk
Google Maps for
Splunk (IP mapping)
Splunk for Symantec
11

12. Growing Splunk within IT
Daily reports to DBAs
Gaining momentum by showing Splunk environment in home
infrastructure
Showcasing internally as to how easy it is to correlate data in Splunk
12

13. Future
• Splunk App for VMware
• Building out scalable Splunk
infrastructure
• Active directory integration
• Using Splunk for advanced
persistent threats detection
13

14. ROI
Replaced SIEM with Splunk
Saving $30,000/year and an additional resource
Saved hours of work to find issues/resolution
Easy to show continuous improvement for ISO
Quickly identify patches
14

15. Thank You!