SplunkLive! Austin Customer Presentation - Baylor
Copyright © 2016 Splunk Inc.
Baylor University
Jon Allen
Assistant VP & CISO
About Baylor University
• Chartered in 1845
• In Waco, Texas; the state’s oldest institution of higher learning
• Nationally ranked research institution
• Private Christian university; world’s largest Baptist university
• Tier 1 school among national universities
• 17,000 students
• 3000-3200 faculty / staff
About Me
• Assistant VP & CISO
— First full-time info security employee here at Baylor; here now 17 years
— 13 years in information security
— Started the security program & built it up from the beginning
• BS, Political Science; Master’s, Computer Science; CISSP
• Forensic examiner; give 6-10 presentations a year; publications
• Manage 3 full-time security analysts
• Team runs the Splunk environment; performs security reviews on new products, security awareness, incident response, forensics, vulnerability management, security compliance consulting
Before Splunk: Highly Inefficient
• It was hard to get the info we needed quickly
— Had to log in to each domain controller separately
— Local searches, and searches for different roles, were tedious
• No ability to cross-reference & make sense of data
• Operating in traditional siloed IT groups
• Vendors would decide what was important, and were often wrong
• Experiencing account lockouts across domain controllers in high-use environments
• End result = poor customer service
“We had a good idea of what we needed to know, but it was very hard to get that information in a timely manner.”
Choosing Splunk
• Splunk started as a small PCI network project
— Needed to meet login requirements for processing transactions
• We were looking for more than the usual “compliance in a box”
• We needed solutions for bigger problems, such as:
— Identifying lockouts across domain controllers
— Resolving horribly inefficient log, search, and service issues
• Splunk gave us tools to pull our data together & cross-reference it
• Unlike other vendors, Splunk was flexible & allowed us to map risk for the education environment ourselves
• It was clear from the beginning that Splunk was a very powerful tool
— Ops team loved the applications for them
— We helped get the net plus agreement in place (1st school to sign on)
“Once our OPS guys got a little taste of Splunk, they were hooked.”
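The lockout problem on this slide (and the one before it) is a correlation problem: the same account gets locked on several domain controllers within minutes, and each DC only shows its own slice. The following is an added example, not code from the presentation or from Splunk, that shows the shape of that correlation in plain Python on constructed Windows 4740-style lockout lines; the field names, DC hostnames and account names are assumptions, and in a Splunk deployment the same grouping would be written as a search over the forwarded Security log instead.

```python
"""Correlate Windows account-lockout events (Event ID 4740) collected from
several domain controllers into one per-account view.

Added example, not from the presentation: the log lines below are
constructed to resemble the key fields of a 4740 event as a forwarder
might ship them; the field names and DC hostnames are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events: one line per event, three hypothetical DCs.
SAMPLE_EVENTS = """\
2016-04-12T08:01:10 host=dc01.example.edu EventCode=4740 TargetUserName=jdoe CallerComputerName=LAB-PC-17
2016-04-12T08:01:12 host=dc02.example.edu EventCode=4740 TargetUserName=jdoe CallerComputerName=LAB-PC-17
2016-04-12T08:03:40 host=dc03.example.edu EventCode=4740 TargetUserName=jdoe CallerComputerName=LAB-PC-17
2016-04-12T08:15:00 host=dc01.example.edu EventCode=4740 TargetUserName=asmith CallerComputerName=ASMITH-LAPTOP
2016-04-12T09:40:05 host=dc02.example.edu EventCode=4740 TargetUserName=svc_backup CallerComputerName=BKUP-SRV-02
2016-04-12T09:40:06 host=dc02.example.edu EventCode=4625 TargetUserName=svc_backup CallerComputerName=BKUP-SRV-02
2016-04-12T11:55:30 host=dc03.example.edu EventCode=4740 TargetUserName=jdoe CallerComputerName=LAB-PC-17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+) "
    r"TargetUserName=(?P<user>\S+) CallerComputerName=(?P<caller>\S+)$"
)


def parse_lockouts(text):
    """Return the 4740 (lockout) events as dicts; other event codes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("code") != "4740":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "dc": m.group("host"),
            "user": m.group("user"),
            "caller": m.group("caller"),
        })
    return events


def summarize_lockouts(events, window=timedelta(minutes=10)):
    """Group lockouts by account: which DCs and caller machines were involved,
    and how many lockouts fell within `window` of the first one.
    Several DCs locking the same account from the same caller inside one
    short window usually points to one stale cached credential on that
    machine, not to several independent incidents."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    summary = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]["ts"]
        burst = [e for e in evs if e["ts"] - first <= window]
        summary[user] = {
            "lockouts": len(evs),
            "dcs": sorted({e["dc"] for e in evs}),
            "callers": sorted({e["caller"] for e in evs}),
            "burst_count": len(burst),
            "first": first,
            "last": evs[-1]["ts"],
        }
    return summary


def multi_dc_accounts(summary):
    """Accounts locked out on more than one DC: the cases that previously
    required logging in to each DC separately to spot."""
    return sorted(u for u, s in summary.items() if len(s["dcs"]) > 1)


if __name__ == "__main__":
    s = summarize_lockouts(parse_lockouts(SAMPLE_EVENTS))
    for user in multi_dc_accounts(s):
        info = s[user]
        print(f"{user}: {info['lockouts']} lockouts on {len(info['dcs'])} DCs "
              f"from {', '.join(info['callers'])}; "
              f"{info['burst_count']} within 10 min of the first")
```

On the constructed input only `jdoe` is flagged: four lockouts across all three DCs, all from one lab PC, three of them inside ten minutes, which is the "find the source machine and call the right people" case the slides describe rather than an attack pattern. The 4625 line is ignored on purpose so that failed logons do not inflate the lockout count.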
Splunk Benefits
• From a low-headcount staff perspective, our savings have been in resources – people and time. Finding information has gone from hours to minutes.
• Splunk puts everyone on the same page. Everybody has access to the same information, which breaks down silos.
• Information security is about “protecting your treasure” as much as you can. With Splunk, we can quickly see if something is in isolation, a trend, or requires action.
• It’s not always how can I prevent breaches, but how can I minimize and control them. Splunk is a great tool for that.
“Splunk has helped our team build credibility because we’re bringing something to the table that helps people get their jobs done and done well.”
Splunk at Baylor University
• 400 GB license
• Large central IT organization
• 30+ users
• Architecture:
– Netflow and firewalls are the largest data sources (firewalls 40 percent of license)
– 10 servers
– 3 indexers; role-based access control
– Deployment: 100+ Universal Forwarders, 3 Indexers, 3 Search Heads + 1 Deployment Server
Logs & Third-Party Apps at Baylor
• DNS monitoring
• Radius logs
• Crashplan
• Qualys
• Box, Duo
• Cloud services
• CloudFlare
• Office 365, Microsoft PA
Splunk Use Cases
• Security
• Visibility/Search/Analytics
• Dashboards
• Operational Efficiency
• Early Use Cases – PCI Compliance, Ops, Troubleshooting
Splunk Early Use Cases
• PCI compliance
• Ops cases:
— Mail logs and searches, authentication, AD, Shibboleth
• Troubleshooting
— Vendor “sent message claims” – easy to verify
• Being able to visualize data with illustrations
• Security (Phase 1) – SIEM (Security Information & Event Mgmt)
“For us, the piece that’s a plus & a minus is you can do so much. You do the first 5 things & then it’s ‘Where does my imagination take me?’”
Splunk for Security
• We gained proactive security vs. reactive ‘insecurity’
– Real-life fix: When we saw failed Box authentications, research revealed SNMP misconfigurations, not threats
– Splunk helps us uncover & resolve those “non-threat” threats
• Splunk provides a common language – everyone sees the same thing, independent of different tools
• Splunk allows us to build strong relationships and support procedures (i.e., we don’t run the firewall/IPS systems, but we support the teams that do)
• Dealing with the “noise”
– IT security is challenged to find the valuable noise among all the noise (malware, phishing, spear phishing)
– We can identify a problem source, talk to the right people & take action in minutes vs. hours (drastic time shrinkage)
“In security, you’re not trying to find a needle in a haystack. You’re trying to find a needle in a pile of needles.”
Splunk for Visibility/Search/Analytics
• The “single pane of glass” is by far the most powerful thing about Splunk
— Network logs, traffic logs, authentication are all visible from one screen
— Cross-referencing is easy and extremely useful
— Everyone across the organization can see the same thing
• Splunk supports visibility off campus where it’s typically lost – cloud, vendors, Box
• Monitoring/real-time analytics
— Load balancers, firewall connection rates
— Having screens up so you can see issues is very helpful
“At the end of the day, Splunk is a sandbox for our data. We pull all our data in the sandbox and decide what kind of castle we want to build today.”
Splunk for Operational Efficiency
“We are all trusted to access read-only data so we know what everybody searches, which helps us move forward and build efficiency into the organization.”
• We’ve built a very collaborative environment
— Everyone gets “deputized” to do what needs to be done
— We work with and support other teams working together (networking, firewall and server teams)
— By nature, Splunk fosters collaboration
• Splunk has opened up traditional IT silos – server / IT / firewall teams – efficient, effective searches build trust
• Cloud computing
— Most vendors don’t understand cloud computing – you’ll lose visibility without the right tools
— We know that’s the direction we’ll be going in
— Splunk is working on those tools and can take us there
Splunk for Dashboards
“There can be some time and investment in creating a custom dashboard, but the benefit of seeing all that data in one place is huge.”
• Our PCI log review dashboard is a significant investment
— Our analysts use open source tool OS X for file integrity monitoring; Microsoft log numbers, OS X specs, firewall info
— Within a very short time our analyst created a dashboard that includes data to meet log review requirements – all in one place
• We support many different custom team requests
— SysOps needed a dashboard showing who hasn’t had a successful backup after 4 days
— Vendor interfaces that normally don’t work easily can be pulled into Splunk
• Predictive analysis – 2 years ago, we created a dashboard that shows network pinch points needing more capacity
Splunk A-Ha Moment
• Now with Splunk, the security team doesn’t have to be the one pushing initiatives
• Example: When we needed to move on a project:
— In the past, would have required multiple meetings, hard conversations, going to the highest level
— Now, they ask us “Why aren’t you doing this?”
— Huge change!
• This high-level buy-in only happens with a significantly useful, game-changing tool
“The real power and value comes when I start understanding what I need to look like in the future or what may be coming down the line that I haven’t even thought of yet.”
Users
• Vice President, deputy CIO, associate VPs
• OPS team; systems operations
• Server and networking team
• Web & marketing
• Client services; helpdesk, desktop support
• Mobile support
• Administrative systems
• ERPs, database management
Splunk Words to the Wise….
• With Splunk, you can jump right in and get your feet wet quickly, but then you have to take that step back and understand what you really want to do. Then you start reaping the benefits more and more.
• Avoid the pitfall of underestimating the size of the license you’ll need.
• Similarly for your platform, make sure you have sufficient hardware capacity for what you want to do so Splunk can run efficiently.
• Make the necessary investments so your platform will perform to meet your users’ needs.
Splunking Ahead….
• Greater expansion into cloud services
— Microsoft project
• Fischer hosted identity management system
• Looking for new ways to leverage the investment in Splunk
— Potential in managed services
— Augmenting staff resources
• Greater participation with vendors and Splunk for their customers’ benefit
Splunk Successes
• Initially Splunk was another tool in the toolbox. Splunk is now our analytics tool, and we’re not renewing our traditional tools anymore.
• With Splunk, there’s no finger pointing because we have a place where everybody knows to go for information, and that’s been a huge value. It’s becoming a kind of universal expectation within the organization.
• Splunk has helped our team provide a valuable service in helping the organization as a whole.
Thank You
