stackArmor Security MicroSummit - AWS Security with Splunk

© 2017 SPLUNK INC.© 2017 SPLUNK INC.
Splunk and AWS
Securing the Cloud
Kam Amir | Splunk Cloud Architect
kam@splunk.com
08/03/2017

© 2017 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements

© 2017 SPLUNK INC.
Agenda
▶ What is Machine Data?
▶ Why Splunk?
▶ Splunk Security Use Cases
• Partnerships and integrations with third party vendors
• Splunk Security Apps
▶ Splunk on AWS
▶ Splunk App for AWS

© 2017 SPLUNK INC.
What is Machine
Data?

© 2017 SPLUNK INC.
ORDER, 2016-05-21T14:04:12.484,10098213,569281734,67.17.10.12,43CD1A7B8322,SA-2100
MAY 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213.
Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException:
weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The
DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port:
ACMEDB-01:1521. Reason: Connection refused
05/21 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type
0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-
13ae51a6d092, Trunk T451.16
05/21 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
CUSTID 10098213
05/21 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
{actor:{displayName: “Go Boys!!”,followersCount:1366,friendsCount:789,link:
http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”},
objectType:“person”,preferredUsername:“B0ysF@n80”,statusesCount:6072},body: “Can’t buy
this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if
you hate @ACME!!”,objectType:“activity”,postedTime:“2016-05-21T16:39:40.647-0600”}
What Does Machine Data Look Like?
SOURCES
Order Processing
Twitter
Care IVR
Middleware Error

© 2017 SPLUNK INC.
Machine Data Contains Critical Insights
SOURCES
Order Processing
Twitter
Care IVR
Middleware Error
Customer ID Order ID Product ID
ORDER, 2016-05-21T14:04:12.484,10098213,569281734,67.17.10.12,43CD1A7B8322,SA-2100
MAY 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213.
Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException:
weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The
DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port:
ACMEDB-01:1521. Reason: Connection refused
05/21 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type
0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-
13ae51a6d092, Trunk T451.16
05/21 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
CUSTID 10098213
05/21 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
{actor:{displayName: “Go Boys!!”,followersCount:1366,friendsCount:789,link:
http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”},
objectType:“person”,preferredUsername:“B0ysF@n80”,statusesCount:6072},body: “Can’t buy
this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if
you hate @ACME!!”,objectType:“activity”,postedTime:“2016-05-21T16:39:40.647-0600”}
Order ID
Twitter ID
Customer ID
Customer ID
Time waiting on hold
Customers Tweet
Company’s Twitter ID

© 2017 SPLUNK INC.
Why Splunk?

© 2017 SPLUNK INC.
True End State: Complete Hybrid Visibility
On-
Premises
Private
Cloud
Public
Cloud
Storage
Telecoms
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Lambda
Servers
Messaging
GPS
Location
Config
EC2
Online
Services
DatabasesCall Detail
Records
Energy
Meters
CloudTrail
End-to-End
Visibility
Index Untapped Data: Any Source, Type, Volume
Application Delivery
IT Operations
Security, Compliance
and Fraud
Business Analytics
Internet of Things
and Industrial Data
EMR
RDS

© 2017 SPLUNK INC.
Splunk Markets
Developer Platform (REST API, SDKs)
IT
Operations
Application
Delivery
Business
Analytics
Internet of
Things and
Industrial
Data
Security,
Compliance
and Fraud
Platform for Operational Intelligence

© 2017 SPLUNK INC.
The Splunk Portfolio
Rich Ecosystem of
Apps & Add-Ons
Splunk Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence

© 2017 SPLUNK INC.
Splunk Security Use
Cases

© 2017 SPLUNK INC.
Recent Headlines
Do you want to be front page news?

© 2017 SPLUNK INC.
Security
SECURITY AND
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
INCIDENT
INVESTIGATIONS
AND FORENSICS
FRAUD
DETECTION
DETECT
UNKNOWN
THREATS
INSIDER
THREAT

© 2017 SPLUNK INC.
Splunk for Security
Splunk
Enterprise Security
500+
Security Apps
Splunk User
Behavior Analytics
Palo Alto
Networks
Symantec DNS
OSSEC
NetFlow
Logic
Cisco
Security Suite
F5 Security
PCI
Compliance
Active
Directory
Blue Coat
Proxy SG

© 2017 SPLUNK INC.
▶ Splunk Security Essentials
▶ https://splunkbase.splunk.com/app/3
435/
▶ Splunk Security Essentials for
Ransomware
▶ https://splunkbase.splunk.com/app/3
593/
Security Focused Splunk Apps
Free apps available from Splunkbase

© 2017 SPLUNK INC.
▶ Splunk Enterprise Security
• Analytics-Driven SIEM
• Real Time Monitoring
• Prioritize and Act
• Rapid Investigations
• Handle multi-step investigations
• Deploy on-prem, Splunk Cloud or private
hybrid Cloud
• Improve Operational Efficiency
Splunk Enterprise Security (ES)
Data driven SIEM

© 2017 SPLUNK INC.
Splunk Adaptive Response Partners Diagram
Copy/paste this graphic to use in your own presentations
Identity and
Access
Internal Network
Security
Endpoints
OrchestrationWAF & App
Security
Threat
Intelligence
Network
Web Proxy
Firewall
+

© 2017 SPLUNK INC.
Splunk on AWS

© 2017 SPLUNK INC.
▶ AWS Advanced Technology Partner
▶ AWS Big Data Competency
▶ AWS Security Competency
▶ AWS DevOps Competency
▶ AWS Government Competency
▶ AWS Education Competency
▶ AWS IoT Competency
▶ AWS MSP Technology Provider
▶ AWS Marketplace Partner
▶ AWS Security by Design Program Partner
▶ 1st partner with published Blueprints for AWS Lambda
▶ 1st partner to pass SaaS extension for Well Architected framework
Splunk’s AWS Credentials

© 2017 SPLUNK INC.
100% Uptime SLA
SOC2 Type II Certified
Runs on AWS
Cloud Services Apps
Splunk App for AWS,
ServiceNow, Salesforce, etc.
AWS Specific
Integrations
CloudTrail, CloudWatch/Logs,
Config/Rules, Inspector, Kinesis, S3,
VPC Flow Logs, Billing, SQS, SNS
Splunk Core + Enterprise
Security & ITSI available
Enterprise on AWS
For small IT teams starts $90/mo
Starts at 1gb/day
BYOL with Amazon EC2
Apps and Integrations
SaaS on AWS
Delivery Models
Splunk Runs On & With AWS
Deploy with
AWS Quick Start!

© 2017 SPLUNK INC.
Splunk App for AWS

© 2017 SPLUNK INC.
End-to-End Visibility with AWS and Splunk
Billing Reports
S3 Access Logs
CloudTrail Logs
ELB Access Logs
CloudFront Access Logs
Application Logs
Config Snapshots
& History Files
Other Service Logs
Kinesis
Stream
SQS
Lambda
RDS
Redshift
CloudTrail
SNS
S3
CloudWatch
Metrics
CloudWatch
Events
CloudWatch
Logs
EC2 System
Manager Events
ECS Container & Task
State Changes
EBS Volume & Snapshot
Notifications
EMR Cluster & Instance
State Changes
Auto Scaling Group
State Changes
CodeDeploy
Instance & Deployment
State Changes
AWS Console
Sign-In Events
AWS Health &
Trusted Advisor Events
KMS Events
Config
ElastiCache
Cluster Events
CloudFormation
Stack Events
CloudWatch
Alarms
ELB Metrics
CloudFront
Metrics
EC2 Metrics
EBS Metrics
ECS Metrics
DynamoDB
Metrics
EMR Metrics
Kinesis
Metrics
Lambda Metrics
API Gateway
Metrics
S3 Metrics
Route53 Metrics
SNS Metrics
RDS
Metrics
AWS
Add-on
DB
Connect
Native path (via AWS)
Push path (via Splunk HEC)
Pull path (via Splunk Modular Input or DB Input)
VPC Flow Logs
Lambda Logs
API Gateway Logs
Custom
Application Logs
API Gateway
Custom Events
DynamoDB
Table Updates
S3 Events
Cognito Events
Custom Config Rules
CodeCommit
Repo Events
IoT
v1.1

© 2017 SPLUNK INC.
Topology
Usage
Splunk App for AWS: The Value
▶ View user activity
▶ Gain a full audit trail
▶ Detect anomalous behavior
▶ View EC2 utilization metrics
▶ View by account, region,
instance
▶ Supports numerous
AWS services
▶ Visualize your AWS
Environment
▶ View resource relationships
▶ Gain playback history
▶ Compare and correlate events
▶ View in a time-series ribbon
▶ Accelerate investigations
▶ Leverage machine
learning toolkit
▶ Gain billing recommendations
▶ Detect security and billing
anomalies
▶ Gain view into resource cost
▶ Improve RI planning / utilization
▶ Monitor actual spend
vs. forecast
Security Billing
Timeline Insights

© 2017 SPLUNK INC.
IT Operations Security Cost Management
▶ What is my EBS footprint and
posture across all my accounts and
all my regions?
▶ Who started/stopped/restarted what
instances and when?
▶ What EC2 instances are underutilized
and perhaps overprovisioned?
▶ What is the traffic volume into my
VPC and where is it originating from?
▶ Why are certain resources unreachable
from certain subnets/VPCs?
▶ List resources with missing or
non-conforming tags
▶ Who added that rule in the security
group that protects our application
servers?
▶ Where is the blocked traffic into that
VPC coming from?
▶ What was the activity trail of a
particular user before and after that
incident?
▶ Alert me when a user imports
key-pairs or when a security group
allows all ports
▶ What instances are provisioned
outside of a VPC, by whom and
when?
▶ What security groups are defined but
not attached to any resource?
▶ How many instances am I running?
▶ What reserved instances have I
purchased in the past?
▶ What is my reserved instance
utilization?
▶ How much am I paying per account?
▶ How much am I using per service
across all accounts?
▶ How many reserved instances should
I buy based on usage?
▶ Is this account within budget this
month, and how has it tracked in the
last year?
Detailed Use Cases

© 2017 SPLUNK INC.
AWS CloudWatch
Populates the Following Dashboards in the Splunk App for AWS:
Overview
Topology
Usage Overview
EC2 Instances
EBS Volumes
ELB Instances
Relational Database Service
Current Month Estimated Billing
Insights Overview /
EC2 / ELB / EBS Insights
Billing Anomaly Insights
Lambda

© 2017 SPLUNK INC.
AWS CloudWatch Logs
Data from the CloudWatch Logs
service, including VPC flow logs.
Flow logs allow you to capture IP
traffic flow data for the network
interfaces in your resources.
Dashboards:
• Topology
• VPC Flow Logs – Traffic Analysis
• VPC Flow Logs – Security
• Analysis

© 2017 SPLUNK INC.
AWS CloudTrail
Records AWS API calls for your account and delivers log files
to you
Populates Dashboards:
• Overview
• Topology
• Security Overview
• IAM Activity
• VPC Activity
• Security Groups
• Key Pairs Activity
• Network ACLs
• User Activity
• Insights Overview
• Security Anomaly Insights
• Timeline

© 2017 SPLUNK INC.
AWS Config
Populates the Following Dashboards in the Splunk App for AWS:
Overview
Topology
Security Groups
Resource Activity
Timeline
Config Rules

© 2017 SPLUNK INC.
Customer Use Cases
City of Los Angeles Integrates Real-Time Security
Intelligence Sharing Across 40+ City Agencies

© 2017 SPLUNK INC.
City of Los Angeles Integrates Real-Time Security
Intelligence Sharing Across 40+ City Agencies
“By deploying the Splunk SIEM solution, we enhance
our detection and response capabilities to protect the
City’s critical assets from all manner of cyber threats
and intrusions. By utilizing a cloud solution, our
security team can focus on security events rather
than deploying and maintaining infrastructure.”
ENTERPRISE SECURITY ON SPLUNK CLOUD
• Executive Summary
• White Paper

© 2017 SPLUNK INC.
▶ 6000+ IT and Business Professionals
▶ 200+ Sessions
▶ 80+ Customer Speakers
PLUS Splunk University
▶ Three days: Sept 23-25, 2017
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
.conf2017
The 8th Annual Splunk Conference
conf.splunk.com

stackArmor Security MicroSummit - AWS Security with Splunk

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to stackArmor Security MicroSummit - AWS Security with Splunk

Similar to stackArmor Security MicroSummit - AWS Security with Splunk (20)

More from Gaurav "GP" Pal

More from Gaurav "GP" Pal (18)

Recently uploaded

Recently uploaded (20)

stackArmor Security MicroSummit - AWS Security with Splunk

Editor's Notes