Slide 2: About the U.S. Social Security Administration
Independent agency of the U.S. Government
The SSA provides social insurance consisting of retirement, disability, and survivors' benefits
Approx. 60,000 employees and 20,000 contractors
Headquarters located in Baltimore, Maryland
Field organization includes 10 regional offices, 6 processing centers, and approximately 1,230 field offices
Slide 3: Splunk at SSA
1.8 TB daily index capacity
– Currently index 410 GB/day
Seven clustered index peers
– 16.5 TB storage per indexer for hot, warm, and cold buckets
Four load balanced syslog servers
– Pre-parsing of events to reduce load and storage on heavy forwarders and indexers
Seven geographically distributed heavy forwarders
2,200 universal forwarders
8 dedicated search heads (standalone)
Just a few of our sources
• VPN Logs
• Malware analysis platform logs
• Proxy and Web Application Logs
• Cisco ACS logs
• Network infrastructure logs
• Firewall logs
• Intrusion Detection Sensor alerts
• Vulnerability Management data
• Antivirus logs
• Active Directory information
• DNS Logs
• Mail server logs
Slide 4: IT Challenges
290,000 IT Assets with 330,000 IPs
Centralized management, distributed ongoing administration
Constantly changing without coinciding adaptation…in the spirit of innovation!
A lot of smart people going in their own, siloed direction
Can’t rely solely on tools, so you need to know where to invest in human resources
“Being centralized is a great benefit…until something goes wrong – problems spread very quickly!”
Slide 5: Traditional Elements of IT Security
Vulnerability scans still provided the value without being 100% inclusive
Identifying a problem still creates mitigations because you still create the patch for all
The residual problem is that you can only scan what you have access to, and the fix will only go out to those same devices
Slide 6: Continuous Diagnostics and Mitigation (CDM)
Phase 1: Hardware Asset Management, Software Asset Management, Vulnerability Management, and Configuration Management
Phase 2: Least Privilege and Infrastructure Integrity (e.g. Access Control Management, Security-Related Behavior Management, Credentials and Authentication Management, Privileges, and begin Boundary Protection)
Phase 3: Boundary Protection and Event Management for Managing the Security Lifecycle (e.g. Audit/Monitoring, Policy, Quality Management, and Risk Management)
Slide 7: Facilitating Foundational Elements of Security
The foundation of automated network-based access controls is an inclusive hardware asset repository
The foundation of application/process whitelisting is an inclusive software asset repository
The foundation of effective vulnerability mitigation is being able to manage each asset
Don’t be afraid to label something unknown … at least you now know what you don’t know!
Slide 8: Bringing Ideas to Value
High level reporting provides value quickly:
• It exemplifies current state of what you do know
• It creates a vehicle to gain more feedback and insight
• It allows for parallel efforts and therefore gained efficiency
Detailed analysis provides actionable items and results:
• It cuts immediately into the return on investment estimations
• It facilitates resource estimations of both people and technology
• It facilitates the process definition for action and communication
Slide 9: Our Project Plan
Map out the high level goals
• What data sources will be required?
• Who is the audience?
• What does the data need to represent?
Divide the work between project management and development
Analyzing deployment strategy starts with timing of data sources
• Are there data sources that can be shared?
Slide 10: Remote Users Example
Identification of all remote users
Categorization of types of users
Trending of logon failures
Correlate remote software installs
Identify logons to multiple devices
Trend processes used
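The six bullets above describe one analysis pipeline: find who is remote, classify them, trend their logon failures, correlate what gets installed while they are remote, and spot accounts logging on from several devices. The following Python is an added example (not SSA's code, and not Splunk SPL) that works through those steps over constructed VPN and endpoint-install events; the key=value log layout, the `ctr_` prefix used to classify contractors, and all usernames, hosts and addresses are assumptions made for the example.

```python
"""Remote-user analysis over constructed VPN and endpoint events.

Added example for the 'Remote Users Example' slide. Log formats, the user
naming convention and every record below are assumptions, not SSA data.
"""
import re
from collections import defaultdict

# Constructed VPN gateway events (key=value layout is an assumption).
SAMPLE_VPN = """\
2024-03-01T08:01:12Z vpn-gw01 user=jdoe src=203.0.113.10 result=success device=LAPTOP-0101
2024-03-01T08:03:40Z vpn-gw01 user=asmith src=198.51.100.7 result=failure device=LAPTOP-0202
2024-03-01T08:04:02Z vpn-gw01 user=asmith src=198.51.100.7 result=failure device=LAPTOP-0202
2024-03-01T08:04:30Z vpn-gw01 user=asmith src=198.51.100.7 result=success device=LAPTOP-0202
2024-03-01T09:15:00Z vpn-gw02 user=jdoe src=203.0.113.55 result=success device=TABLET-0777
2024-03-02T07:58:21Z vpn-gw01 user=asmith src=198.51.100.7 result=failure device=LAPTOP-0202
2024-03-02T07:58:50Z vpn-gw01 user=asmith src=198.51.100.7 result=failure device=LAPTOP-0202
2024-03-02T07:59:10Z vpn-gw01 user=asmith src=198.51.100.7 result=failure device=LAPTOP-0202
2024-03-02T08:00:01Z vpn-gw02 user=ctr_bwong src=192.0.2.44 result=success device=LAPTOP-0303
"""

# Constructed endpoint software-install events (format is an assumption).
SAMPLE_INSTALLS = """\
2024-03-01T09:30:00Z device=TABLET-0777 user=jdoe event=software_install product=RemoteToolX
2024-03-02T10:05:00Z device=LAPTOP-0202 user=asmith event=software_install product=ScreenShareY
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) device=(?P<device>\S+)$"
)
INSTALL_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"event=software_install product=(?P<product>\S+)$"
)


def parse(text, pattern):
    """Turn matching lines into dicts; the 'day' field drives daily trending."""
    events = []
    for line in text.splitlines():
        match = pattern.match(line.strip())
        if match:
            event = match.groupdict()
            event["day"] = event["ts"][:10]
            events.append(event)
    return events


def load_samples():
    return parse(SAMPLE_VPN, VPN_RE), parse(SAMPLE_INSTALLS, INSTALL_RE)


def remote_users(vpn):
    """Identification: every account with at least one successful VPN logon."""
    return sorted({e["user"] for e in vpn if e["result"] == "success"})


def user_type(user):
    """Categorization: assumed convention that a 'ctr_' prefix marks contractors."""
    return "contractor" if user.startswith("ctr_") else "employee"


def failures_by_day(vpn):
    """Trending input: failed logons per user per day, days in order."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in vpn:
        if e["result"] == "failure":
            counts[e["user"]][e["day"]] += 1
    return {u: dict(sorted(d.items())) for u, d in counts.items()}


def rising_failure_trend(vpn):
    """Users whose most recent day had more failures than the day before."""
    rising = {}
    for user, days in failures_by_day(vpn).items():
        series = list(days.values())
        if len(series) >= 2 and series[-1] > series[-2]:
            rising[user] = series
    return rising


def multi_device_users(vpn):
    """Users with successful logons from more than one device."""
    devices = defaultdict(set)
    for e in vpn:
        if e["result"] == "success":
            devices[e["user"]].add(e["device"])
    return {u: sorted(d) for u, d in devices.items() if len(d) > 1}


def installs_during_remote_sessions(vpn, installs):
    """Correlation: installs on a device the same user reached remotely that day."""
    remote = {(e["user"], e["device"], e["day"]) for e in vpn if e["result"] == "success"}
    return sorted((i["user"], i["device"], i["product"]) for i in installs
                  if (i["user"], i["device"], i["day"]) in remote)


if __name__ == "__main__":
    vpn_events, install_events = load_samples()
    for user in remote_users(vpn_events):
        print(user, user_type(user))
    print("rising failures:", rising_failure_trend(vpn_events))
    print("multiple devices:", multi_device_users(vpn_events))
    print("installs while remote:", installs_during_remote_sessions(vpn_events, install_events))
```

Each function answers one bullet of the slide, so the same structure maps onto separate saved searches once the real field names are known; the day-over-day comparison is the simplest trend and would normally be widened to a rolling window.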
Slide 11: Evangelizing Splunk within Your Organization
Many ways to get the information out and shared
You may need to group data for things to make sense to a wider audience
Doing this brings the work to you in the form of requirements so you can stop guessing
Slide 12: Tackling Asset Management Splunk Style
Process what you have
• Chart out the priority of your data
• Define your layers
• Create metadata on each layer
• Analyze within and across the layers
Show what you have
• Display assets with which data sources you possess
• Framework for scoring
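The "process what you have / show what you have" steps on this slide, together with the later notes on labelling unknowns, comparing repositories and displaying which sources were used, amount to building one asset repository out of several partial ones. The Python below is an added example (not SSA's implementation) that layers four constructed source exports, attaches per-asset metadata, labels anything absent from the authoritative inventory as unknown, and scores coverage; the source names, layer order, weights and every hostname and address are assumptions made for the example.

```python
"""Asset repository built by layering several constructed source exports.

Added example for the 'Tackling Asset Management Splunk Style' slide and the
'compare repositories / display what sources were used' notes. Source names,
layers, weights and all records are assumptions, not SSA's inventory.
"""
from collections import defaultdict

# Constructed exports. Hostname casing differs on purpose to show normalization.
AD_COMPUTERS = ["WS-0001", "WS-0002", "SRV-DB01", "ws-0003"]      # assumed authoritative inventory
VULN_SCAN = [("ws-0001", "10.0.0.11"), ("srv-db01", "10.0.0.50"), ("ws-0009", "10.0.0.19")]
AV_CONSOLE = ["WS-0001", "WS-0002", "SRV-DB01", "WS-0009"]
DHCP_LEASES = [("10.0.0.11", "ws-0001"), ("10.0.0.12", "ws-0002"),
               ("10.0.0.77", "printer-3f"), ("10.0.0.19", "ws-0009")]

# Assumed layering: layer 1 is the authoritative repository, layer 2 the
# security tools, layer 3 passive network observation. Weights are the
# example's scoring framework: how much each source adds to coverage.
LAYER = {"ad": 1, "vuln": 2, "av": 2, "dhcp": 3}
WEIGHT = {"ad": 3, "vuln": 2, "av": 2, "dhcp": 1}


def normalize(hostname):
    """Join records across sources on a case-insensitive hostname key."""
    return hostname.strip().lower()


def build_repository():
    """Merge the sources and attach metadata (status, layers, coverage, gaps)."""
    assets = defaultdict(lambda: {"sources": set(), "ips": set()})
    for host in AD_COMPUTERS:
        assets[normalize(host)]["sources"].add("ad")
    for host, ip in VULN_SCAN:
        assets[normalize(host)]["sources"].add("vuln")
        assets[normalize(host)]["ips"].add(ip)
    for host in AV_CONSOLE:
        assets[normalize(host)]["sources"].add("av")
    for ip, host in DHCP_LEASES:
        assets[normalize(host)]["sources"].add("dhcp")
        assets[normalize(host)]["ips"].add(ip)
    for asset in assets.values():
        # Label unknowns: seen somewhere, but not in the authoritative inventory.
        asset["status"] = "known" if "ad" in asset["sources"] else "unknown"
        asset["layers"] = sorted({LAYER[s] for s in asset["sources"]})
        asset["coverage"] = sum(WEIGHT[s] for s in asset["sources"]) / sum(WEIGHT.values())
        asset["missing"] = sorted(s for s in WEIGHT if s not in asset["sources"])
    return dict(assets)


def unknown_assets(repo):
    return sorted(name for name, a in repo.items() if a["status"] == "unknown")


def scan_gaps(repo):
    """Compare repositories: known assets the vulnerability scanner never reported."""
    return sorted(name for name, a in repo.items()
                  if a["status"] == "known" and "vuln" not in a["sources"])


def layer_counts(repo):
    """Analyze across layers: how many assets are visible at each layer."""
    counts = defaultdict(int)
    for a in repo.values():
        for layer in a["layers"]:
            counts[layer] += 1
    return dict(sorted(counts.items()))


def source_matrix(repo):
    """Show what you have: one row per asset marking the sources it appears in."""
    rows = []
    for name in sorted(repo):
        a = repo[name]
        marks = " ".join("X" if s in a["sources"] else "." for s in WEIGHT)
        rows.append(f"{name:<12} {a['status']:<8} {marks}  coverage={a['coverage']:.2f}")
    return rows


if __name__ == "__main__":
    repository = build_repository()
    print(f"{'asset':<12} {'status':<8} {' '.join(s[:2] for s in WEIGHT)}")
    for row in source_matrix(repository):
        print(row)
    print("unknown:", unknown_assets(repository))
    print("scan gaps:", scan_gaps(repository))
    print("assets per layer:", layer_counts(repository))
```

The two comparisons that fall out of the merge are the ones the deck keeps returning to: hosts that only the network layer sees (candidates for the "unknown" label) and hosts the inventory knows but the scanner has never touched (the residual problem from the traditional-security slide). Changing the weights changes the score, not the gap lists, so the scoring framework can be tuned without reworking the merge.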
Slide 13: Enterprise Security App
Provides the at-a-glance view of security posture
Provides SOC with full SIEM functionality
Provides data normalization and unified schema
Slide 14: The Business Side of Splunk
More and more vendors are creating Splunk plugins for faster time to production and for out of the box cost to value
Leveraging our existing services vehicles for the ability to surge when new data sources become available
The platform itself is easy to work with, generating creativity from all levels
All of these require better project management
Layered scanning and patching
Penetration testing helps prioritize – the independent effort also provides valuable data
My interpretation is that DHS just made IT Security into a project
My interpretation of that project…
Label unknowns (later example)
So where do you start?
This is where I start the “business side of Splunk”
How we breakdown the 2 halves
An example
Getting the word out is part of it (ROI)
Unknowns
Vulnerability rising – scanner is now picking it up, drastic increase means it will likely continue upward (standardization)
Compare repositories
Display what sources were used (compliance)
Risk scoring…
Value quickly on certain data sources
AV by action, AV by signature – they should look similar (perfect world exact) – difference becomes interesting
High counts (what does it leverage - maybe missing patch)
Enterprise Security App one example
Service contracts may balance training costs – vendors with Splunk certified members
Let people play a bit
Project managers
Steve Johnson – two halves of a good idea