GTRI Splunk Case Studies - Splunk Tech Day
1 like967 views
This document contains summaries of multiple case studies involving the use of Splunk software for security and compliance purposes. The first case study involves a large multi-national company that implemented Splunk across 140 global data centers to address accountability, auditing, security and compliance concerns. The second case study outlines how a private aerospace firm used Splunk to create a centralized security incident and event management solution across multiple US data centers. The third case study describes how a US federal agency implemented Splunk and hired staff to fully enable a new 24/7 Security Operations Center. Additional brief case studies describe how Denver Water and the University of Texas at Austin also utilize Splunk.
GTRI Splunk Case Studies - Splunk Tech Day
- 1. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied.© 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. GTRI & Splunk Case Studies Presented by Taylor Williams December 8, 2015
- 2. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: Multi-Site Security/Compliance Customer: Multi-national systems and (cloud) services-provider with 140,000+ employees and 140 data centers globally. Challenge: Many different services within corporation with proprietary and shared compliance and security concerns with no structured or centralized log management solution in place. Various missing components company-wide: • Accountability and Audit • Purchasing and Healthcare Compliance (PCI, HIPPA, etc.) • Network and System Security
- 3. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: Multi-Site Security/Compliance Solution Process: Phased approach for requirements gathering, proof of concept, pilot rollout, and a production rollout. RFP released for solution proposal (not specific to Splunk) awarded to GTRI for depth of Splunk practice and solutions provided. • Phase 1: Requirements gathering for use cases in 8 defined data centers out of 140 • Phase 2: Proof of Concept of solution for approximately 10% subset of data • Phase 3: Pilot Rollout of solution to all use cases for 8 defined data centers • Phase 4: Production Rollout to data centers globally Project currently nearing conclusion of Phase 2 with use cases met by viability of data thus far collected and indexed into Splunk
- 4. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: Multi-Site Security/Compliance GTRI Solution: Scalable and repeatable Splunk solution designed for implementation on Cisco Flexpod solution(s). Designed for scalability to data centers beyond original 8 proposed with standard operating procedures (SOPs) defined for both Splunk operations as well as hardware. Overall project inclusions: • Full “ground-up” Splunk Architectural design • Multi-site solution • Repeatable philosophy in architecture and deployment • Standard operating procedures and staffing plan for full 24x7 management • GTRI Splunk Managed Service
- 5. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: Multi-Site Security Customer: Private aerospace and engineering firm that designs and launches next generation rockets and propulsion systems. Data centers located in Denver and various launch locations across the US. Challenge: No central security incident and event management (SIEM) solution in place to have holistic view of network security posture from all data centers. Security concerns are great especially in monitoring those central to launch locations. • Create a centrally deployed and managed SIEM • Filter and fine-tune system to only see events deemed critical
- 6. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: Multi-Site Security Solution Process: RFP released for vendors to propose a security solution inclusive of full design and deployment methodologies to be enacted upon after award and project execution. Discovery stage included to assess and capture complete security use case, inclusive of relevant and irrelevant network sources to the central SIEM. Steps: 1. Design multi-site Splunk architecture. Two main data center locations for storage of logs, fully replicated for redundancy between each. 2. Execute on validated design, deploying Splunk Enterprise servers to all proposed locations 3. Ingest of logs from all validated sources 4. Filter nearly 1800+ hosts into a 200GB Splunk solution
- 7. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: Multi-Site Security GTRI Solution: Fully executed multi-site SIEM solution using Splunk and the Splunk App for Enterprise security. Security requirements and objectives met and exceeded using this solution and its fully executed design. Work continues today with full time GTRI Splunk Certified Architect on-site to manage solution. Overall project inclusions: • Full “ground-up” Splunk Architectural design • Multi-site solution • Assessment of all relevant use cases to meet licensing threshold • Splunk Enterprise Security Application installation and managed service
- 8. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied.
- 9. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: SOC Staffing and Managed Service Customer: Self-funding not-for-profit US federal agency part of the United States Department of Energy. Main location(s) located in the US Pacific Northwest region. Challenge: No SIEM in place to manage and monitor the agency’s overall network security posture. Security operations in place, but incident management and response was lacking and without use of proper tools. Customer needed to: • Create a centrally deployed and managed SIEM • Develop and deploy a 24x7 staffing model to fully staff and enable Security Operations Center with Splunk
- 10. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: SOC Staffing and Managed Service Solution Process: RFP released for vendors to propose a security solution inclusive of full design and deployment methodologies, as well as a proposed staffing model to fully enable customer SOC with use of the proposed tool. Phased approach to execution of project included: 1. Execute on validated design, deploying Splunk App for Enterprise Security within the deployed architecture for SIEM enablement 2. Propose finalized staffing model to customer for approval. Once approved, source, hire, and train staff on use of Splunk and ES
- 11. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Case Study: SOC Staffing and Managed Service GTRI Solution: Staffing model to manage 24x7 security operations: Shift times proposed for all personnel • SOC-specific personnel to be network security subject matter experts used for incident response and resolution. – SOC Manager (1) – Security – Lead Analyst (1) – Security – Senior Analyst (3) – Security – Analyst (9) • Splunk Operations personnel, to be used to manage to integrity of the Splunk architecture and be first tier for SOC personnel in event mining. – Operations Manager (1 per site) – Operations Architect (1 FTE) – Operations Data Scientist (1 per site and 1 FTE)
- 12. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Additional Case Studies Denver Water: Use Splunk for overall service health dashboards. A deluge of machine data from logs and databases overwhelmed IT administrators, hampering efforts to pinpoint problems when users notified the help desk. • Monitor and maintain applications – Asset management, customer information, geospatial, mobile, Web services, REST services • Dashboards provide visibility into: – Current performance and availability – Historical performance trending and availability – Average daily performance – Recent issues (uptime and failures)
- 13. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Additional Case Studies The University of Texas at Austin: • Began using Splunk for security forensics • Now using Splunk for identification and control, outbreak management, and visibility of 120,000+ network devices The City and County of San Francisco: • Using Splunk for network security services to become proactive versus reactive • Help identify what is/isn’t normal for web traffic to City and County’s website • “With Splunk, instead of spending 40% of an FTE’s day to understand what the web filters are telling us, we now just look at the dashboards to show us abnormalities”
- 14. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Questions?