Abstract image of a woman sitting on books and studying on a laptop

SplunkLive! Customer Presentation – UMCP

Splunk, profile picture
Splunk

This document discusses how Splunk has helped the University of Maryland improve security visibility and incident response. It provides an overview of the speaker and UMD, challenges they previously faced with scattered logs and limited visibility, and how Splunk has provided faster search capabilities and the ability to correlate data from multiple sources. Use cases described how Splunk has helped with real-world incident investigations, security alerts and threat response, breach detection, and compliance reporting. Best practices and lessons learned are also shared.

Technology
1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Copyright © 2015 Splunk Inc. Splunk @ The University of Maryland Kevin Shivers Manager, Security Technical Services
2 Disclaimer This is not an endorsement of any company, product, or service by the University of Maryland or the State of Maryland. Any and all statements made in this presentation are mine and mine alone and do not in any way represent an official statement from the University of Maryland or the State of Maryland.
3 Agenda • Introduction • About you, UMD, and myself • Our challenges and opportunities • Use Cases • Incident investigation • Breach detection • Compliance • Conclusion • Where we’re headed, best practices, and lessons learned
4 About You New to Splunk? Seasoned vet? Security professional? IT Operations? Management? Auditor? Just here for the free t-shirt, food, and happy hour? Higher Ed? State of MD?
5 About The University of Maryland, College Park • Founded in 1856 • Public research university • ~37,000 students, ~10,000 faculty/staff • Ranked 19th among public universities by U.S. News & World Report and 16th among public universities by Forbes • Extremely decentralized IT • Division of IT – Provides centralized IT services (network, e-mail, phones, mainframe, payroll, ”the ISP for campus”)
6 About Me • Security practitioner for 17 years • At Maryland for 13 years • Stints at Sourcefire and Network Associates (McAfee) • Primary responsibilities • Lead the University’s IT security operations • Architecting new & better IT security technologies • Splunk user since April 2013 • Spent 4 days inside Chernobyl and lived to tell the tale
7 About The Security Team • CISO • Security Engineering (1.5 FTE) – Develop and Implement new & better security technologies, integrations, project/product security assessments, data enrichment • Security Operations (2.5 FTE) – Incident Response & Investigation, forensics, eDiscovery, data enrichment, vulnerability assessment, data loss prevention • Compliance (3 FTE) – Conduct internal audits, coordinate external auditors • User awareness and education (1 FTE + 2 grad students) – IT misuse/harassment, DMCA complaints, education
8 The Journey • Address manual log aggregation / searching • Perform correlation searching between multiple sources • Faster building of reports and dashboards, compliance requirement • Quick remediation of advanced persistent threat (APT) • Early breach detection, mitigation, improving security posture • Continuous monitoring 2013 2015 Security Use Cases Focus On Visibility
9 Before Splunk: Scattered Logs, Limited Visibility • Challenges • Logs stored everywhere, hours lost logging in / searching • Networking, Unix, Windows, Email, etc. • Manual correlation required to find needle in haystack • Sec and Ops needed common searches, reports, visualizations • Legacy SIEMs lacked ad-hoc search capabilities • Pre-defined rules only, limited ability to dig through data • Response time measured in hours/days Needed a faster way to get answers
10 With Splunk: Flexibility, Fast Time to Value • Solution • Aggregate multiple data sources • Not just security products but other IT assets / data sources • Build custom searches and reports into existing process • Ad-hoc searches, platform-independent UI • Continuous monitoring across entire infrastructure • Visibility needed for breach detection and IR • Response time measured in minutes “Splunk works how my group’s brain works”
11 Real-time Campus Threat Detection/Prevention with Splunk Before Splunk Police discovered suspicious online posting at 3am Contacted us asking to track post to the sender Website with posting used: – Several distributed destination IP addresses – The source IP of one of our wireless NATs Manual effort to track the activity to an internal IP address and then a user took hours With Splunk Campus police again came in the wee hours w/ emergency need to trace a post back to user Again, posted via our wireless network with distributed web hosting presence With Splunk it took 2 minutes to trace & police were able to help the user
Use of Splunk at UMD Intrusion Detection Real-life Incident Investigations Security Alerts & Threat Response Compliance & Reporting “If Splunk were taken away from me, I would quit my job. It has solved a ton of problems and made my life so much easier.”
• Spike in a Windows usage log triggered alert • Ops team became suspicious while investigating that particular alert • Quick set of ad-hoc searches conducted • Clean handoff to sec team for forensic investigation / log review • APT eliminated from environment in days • During holiday season; most of that time spent on eradication and recovery vs detection and analysis • All handled in house vs having to bring in an external firm Use Case – Fast, Operationalized IR for APT
• APT type characterized based on incident • Phishing email origin, subsequent compromised accts / systems • Alerts configured based on APT detected • Auto-instantiated scripts to configure blocking rules • External pen test stymied couple months later • Proved effectiveness of remediation steps taken Use Case – Effective Remediation for APT
• Attacker able to compromise password reset tool • Able to change passwords – just those needed to access a critical database w/ 289k records • Within 30 minutes, team had contextualized entire breach • Chain of events from “users had not changed their passwords” to “database breached” • Focus on improving security posture, not investigating • Investigation took hours, not days or weeks • Avoided $250k- $500k cost for bring in external firm Use Case – Early Breach Detection
16 Use Case – Compliance & Reporting Requirement to review logs for failed logins and reboots on network devices Splunk SDK for Python & Python-fu to search through logs and generate a ticket in our trouble ticketing system for SOC staff to review Auditable list of closed tickets to demonstrate logs are being reviewed and acted upon
17 Dashboards
Splunk at University of Maryland • Data sources – Firewalls - IPS/NGFW – Wireless NAT logs - Linux server logs – Web server logs - Auth logs (AD/kerb/CAS/MFA) – Windows server logs - Mail server logs – Database audit logs - VPN logs • Data Volume • Indexing ~190 GB per day (doubled since 2013) • Waiting for more license capacity for another 200+ GB • Users 40 regular users 115 infrequent users 18 Universal Forwarders 4 Indexers General search head + ES Search Head
19 Splunk Applications Splunk for Palo Alto Splunk App for AWS Cisco Security Suite Splunk on Splunk DB Connect Splunk SDK for Python
20 Splunk Roadmap at UMD Single-site -> Multi-site Larger license & more logs Splunk as a Service for campus The great migration to AWS Metrics & dashboards for campus administrators Backend for self service tools for IT staff Splunk in the classroom More correlation & data enrichment More automation & integration
21 Best Practices and Lessons Learned
22 Best Practices and Lessons Learned Log the important things – Admin/privileged users logins (especially after hours)  Regular user logins/failed logins useful too – New admin/privileged user accounts created – System/service restarts – Critical failures – Web access logs  Interesting user agents, access to web app admin pages, SQLi, XSS attempts, etc – Access to DBs w/ PII – Virus/Malware alerts Review at least weekly, daily if you can (especially: after hours logins, new accounts, sys/service restarts, AV alerts)
23 Best Practices and Lessons Learned GET THE FASTEST STORAGE YOU CAN AFFORD NTP is your friend – sync time early & often Define your searches as much as possible (NO index=*) Splunk’s documentation – Excellent resource. RTFM! Splunk Answers – great resource .conf – Like drinking from a fire hose Online user groups – Higher Ed mailing list hosted by OSU (contact me for info) 2
Thank You! Contact: kts@umd.edu Note: I am hiring – Security Engineer and SOC Analyst positions!

More Related Content

PPTX
SplunkLive! Customer Presentation – Virtustream
Splunk
 
PPTX
SplunkLive! Philadelphia - University of Scranton
Splunk
 
PPTX
Managing Security with Splunk Enterprise
Splunk
 
PPTX
Security crawl walk run presentation mckay v1 2017
Adam Tice
 
PPTX
Higher Education Testimonials from Splunk Customers
Adam Tice
 
PDF
Threat Hunting
Tripwire
 
PPTX
Advanced persistent threat (apt)
mmubashirkhan
 
PDF
Threat Hunting with Splunk
Splunk
 
SplunkLive! Customer Presentation – Virtustream
Splunk
 
SplunkLive! Philadelphia - University of Scranton
Splunk
 
Managing Security with Splunk Enterprise
Splunk
 
Security crawl walk run presentation mckay v1 2017
Adam Tice
 
Higher Education Testimonials from Splunk Customers
Adam Tice
 
Threat Hunting
Tripwire
 
Advanced persistent threat (apt)
mmubashirkhan
 
Threat Hunting with Splunk
Splunk
 

What's hot (20)

PPTX
Splunk at the Bank of England
Splunk
 
PDF
Workshop threat-hunting
Tripwire
 
PDF
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Enterprise Sec + User Bahavior Analytics
Splunk
 
PPTX
Threat Hunting with Splunk
Splunk
 
PDF
Trustport - Roman Veleba
Jan Fried
 
PPTX
User and entity behavior analytics: building an effective solution
Yolanta Beresna
 
PPTX
Splunk EMEA Webinar: Scoping infections and disrupting breaches
Splunk
 
PPTX
Infosecurity Europe 2016: Operationalizing Threat Intelligence
Splunk
 
PDF
Toward revealing Advanced Persistence Threats in your organization - Public
Charles Lim
 
PPTX
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
festival ICT 2016
 
PPTX
Remote forensics fsec2016 delija draft
Damir Delija
 
PPTX
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk
 
PDF
Splunk Live! Utrecht 2016 - CERT EU
Splunk
 
PPTX
SplunkLive! Milano 2016 - Splunk Plenary Session
Splunk
 
PDF
S4x20 Forescout Presentation
Brian Proctor - GICSP, CISSP, CRISC
 
PPTX
Webinar notes: Welcome to your worst day ever
Sophia Price
 
PPTX
Ethical hacking
Aishwary Sinha
 
PDF
Introduction to the advanced persistent threat and hactivism
Global Micro Solutions
 
Splunk at the Bank of England
Splunk
 
Workshop threat-hunting
Tripwire
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
Threat Hunting with Splunk
Splunk
 
Enterprise Sec + User Bahavior Analytics
Splunk
 
Threat Hunting with Splunk
Splunk
 
Trustport - Roman Veleba
Jan Fried
 
User and entity behavior analytics: building an effective solution
Yolanta Beresna
 
Splunk EMEA Webinar: Scoping infections and disrupting breaches
Splunk
 
Infosecurity Europe 2016: Operationalizing Threat Intelligence
Splunk
 
Toward revealing Advanced Persistence Threats in your organization - Public
Charles Lim
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
festival ICT 2016
 
Remote forensics fsec2016 delija draft
Damir Delija
 
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk
 
Splunk Live! Utrecht 2016 - CERT EU
Splunk
 
SplunkLive! Milano 2016 - Splunk Plenary Session
Splunk
 
S4x20 Forescout Presentation
Brian Proctor - GICSP, CISSP, CRISC
 
Webinar notes: Welcome to your worst day ever
Sophia Price
 
Ethical hacking
Aishwary Sinha
 
Introduction to the advanced persistent threat and hactivism
Global Micro Solutions
 
Ad

Similar to SplunkLive! Customer Presentation – UMCP (20)

PPTX
Splunk at Weill Cornell Medical College
Splunk
 
PPTX
SplunkLive! Austin Customer Presentation - Baylor
Splunk
 
PDF
IT Operations Breakout Session
Splunk
 
PDF
Analytics Driven SIEM Workshop
Splunk
 
PPTX
Splunk User Group Edinburgh - November Event
Harry McLaren
 
PPTX
SplunkLive! Paris 2018: Intro to Security Analytics Methods
Splunk
 
PPTX
Customer Presentation, FirstSolar
Splunk
 
PPTX
SplunkLive! Munich 2018: Intro to Security Analytics Methods
Splunk
 
PDF
Threat Hunting Workshop
Splunk
 
PPTX
Splunk for Security Breakout Session
Splunk
 
PPTX
Using Splunk to Protect Students, Faculty and the University
ckurtz-asu
 
PPTX
Gov & Education Day 2015 - Mark Mendelson, UCLA
Splunk
 
PPTX
SplunkLive! Splunk for Security
Splunk
 
PPTX
SplunkLive! Cincinnati - E.W. Scripps - Oct 2012
Splunk
 
PDF
Wipro Customer Presentation
Splunk
 
PPTX
Splunk for Security: Background & Customer Case Study
Andrew Gerber
 
PDF
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
PPT
SplunkLive! Customer Presentation - Penn State Hershey Medical Center
Splunk
 
PPTX
Customer Presentation with a Healthcare Company
Splunk
 
PPTX
SplunkLive! Customer Presentation – HCA
Stephanie Bies
 
Splunk at Weill Cornell Medical College
Splunk
 
SplunkLive! Austin Customer Presentation - Baylor
Splunk
 
IT Operations Breakout Session
Splunk
 
Analytics Driven SIEM Workshop
Splunk
 
Splunk User Group Edinburgh - November Event
Harry McLaren
 
SplunkLive! Paris 2018: Intro to Security Analytics Methods
Splunk
 
Customer Presentation, FirstSolar
Splunk
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
Splunk
 
Threat Hunting Workshop
Splunk
 
Splunk for Security Breakout Session
Splunk
 
Using Splunk to Protect Students, Faculty and the University
ckurtz-asu
 
Gov & Education Day 2015 - Mark Mendelson, UCLA
Splunk
 
SplunkLive! Splunk for Security
Splunk
 
SplunkLive! Cincinnati - E.W. Scripps - Oct 2012
Splunk
 
Wipro Customer Presentation
Splunk
 
Splunk for Security: Background & Customer Case Study
Andrew Gerber
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
SplunkLive! Customer Presentation - Penn State Hershey Medical Center
Splunk
 
Customer Presentation with a Healthcare Company
Splunk
 
SplunkLive! Customer Presentation – HCA
Stephanie Bies
 
Ad

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
PDF
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
PDF
Building Resilience with Energy Management for the Public Sector
Splunk
 
PDF
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
PDF
.conf Go 2023 - Data analysis as a routine
Splunk
 
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
PDF
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Building Resilience with Energy Management for the Public Sector
Splunk
 
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 

Recently uploaded (20)

PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
The various Industrial Revolutions .pptx
bandileshozi3
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 

SplunkLive! Customer Presentation – UMCP

  • 1. Copyright © 2015 Splunk Inc. Splunk @ The University of Maryland Kevin Shivers Manager, Security Technical Services
  • 2. 2 Disclaimer This is not an endorsement of any company, product, or service by the University of Maryland or the State of Maryland. Any and all statements made in this presentation are mine and mine alone and do not in any way represent an official statement from the University of Maryland or the State of Maryland.
  • 3. 3 Agenda • Introduction • About you, UMD, and myself • Our challenges and opportunities • Use Cases • Incident investigation • Breach detection • Compliance • Conclusion • Where we’re headed, best practices, and lessons learned
  • 4. 4 About You New to Splunk? Seasoned vet? Security professional? IT Operations? Management? Auditor? Just here for the free t-shirt, food, and happy hour? Higher Ed? State of MD?
  • 5. 5 About The University of Maryland, College Park • Founded in 1856 • Public research university • ~37,000 students, ~10,000 faculty/staff • Ranked 19th among public universities by U.S. News & World Report and 16th among public universities by Forbes • Extremely decentralized IT • Division of IT – Provides centralized IT services (network, e-mail, phones, mainframe, payroll, ”the ISP for campus”)
  • 6. 6 About Me • Security practitioner for 17 years • At Maryland for 13 years • Stints at Sourcefire and Network Associates (McAfee) • Primary responsibilities • Lead the University’s IT security operations • Architecting new & better IT security technologies • Splunk user since April 2013 • Spent 4 days inside Chernobyl and lived to tell the tale
  • 7. 7 About The Security Team • CISO • Security Engineering (1.5 FTE) – Develop and Implement new & better security technologies, integrations, project/product security assessments, data enrichment • Security Operations (2.5 FTE) – Incident Response & Investigation, forensics, eDiscovery, data enrichment, vulnerability assessment, data loss prevention • Compliance (3 FTE) – Conduct internal audits, coordinate external auditors • User awareness and education (1 FTE + 2 grad students) – IT misuse/harassment, DMCA complaints, education
  • 8. 8 The Journey • Address manual log aggregation / searching • Perform correlation searching between multiple sources • Faster building of reports and dashboards, compliance requirement • Quick remediation of advanced persistent threat (APT) • Early breach detection, mitigation, improving security posture • Continuous monitoring 2013 2015 Security Use Cases Focus On Visibility
  • 9. 9 Before Splunk: Scattered Logs, Limited Visibility • Challenges • Logs stored everywhere, hours lost logging in / searching • Networking, Unix, Windows, Email, etc. • Manual correlation required to find needle in haystack • Sec and Ops needed common searches, reports, visualizations • Legacy SIEMs lacked ad-hoc search capabilities • Pre-defined rules only, limited ability to dig through data • Response time measured in hours/days Needed a faster way to get answers
  • 10. 10 With Splunk: Flexibility, Fast Time to Value • Solution • Aggregate multiple data sources • Not just security products but other IT assets / data sources • Build custom searches and reports into existing process • Ad-hoc searches, platform-independent UI • Continuous monitoring across entire infrastructure • Visibility needed for breach detection and IR • Response time measured in minutes “Splunk works how my group’s brain works”
  • 11. 11 Real-time Campus Threat Detection/Prevention with Splunk Before Splunk Police discovered suspicious online posting at 3am Contacted us asking to track post to the sender Website with posting used: – Several distributed destination IP addresses – The source IP of one of our wireless NATs Manual effort to track the activity to an internal IP address and then a user took hours With Splunk Campus police again came in the wee hours w/ emergency need to trace a post back to user Again, posted via our wireless network with distributed web hosting presence With Splunk it took 2 minutes to trace & police were able to help the user
  • 12. Use of Splunk at UMD Intrusion Detection Real-life Incident Investigations Security Alerts & Threat Response Compliance & Reporting “If Splunk were taken away from me, I would quit my job. It has solved a ton of problems and made my life so much easier.”
  • 13. • Spike in a Windows usage log triggered alert • Ops team became suspicious while investigating that particular alert • Quick set of ad-hoc searches conducted • Clean handoff to sec team for forensic investigation / log review • APT eliminated from environment in days • During holiday season; most of that time spent on eradication and recovery vs detection and analysis • All handled in house vs having to bring in an external firm Use Case – Fast, Operationalized IR for APT
  • 14. • APT type characterized based on incident • Phishing email origin, subsequent compromised accts / systems • Alerts configured based on APT detected • Auto-instantiated scripts to configure blocking rules • External pen test stymied couple months later • Proved effectiveness of remediation steps taken Use Case – Effective Remediation for APT
  • 15. • Attacker able to compromise password reset tool • Able to change passwords – just those needed to access a critical database w/ 289k records • Within 30 minutes, team had contextualized entire breach • Chain of events from “users had not changed their passwords” to “database breached” • Focus on improving security posture, not investigating • Investigation took hours, not days or weeks • Avoided $250k- $500k cost for bring in external firm Use Case – Early Breach Detection
  • 16. 16 Use Case – Compliance & Reporting Requirement to review logs for failed logins and reboots on network devices Splunk SDK for Python & Python-fu to search through logs and generate a ticket in our trouble ticketing system for SOC staff to review Auditable list of closed tickets to demonstrate logs are being reviewed and acted upon
  • 18. Splunk at University of Maryland • Data sources – Firewalls - IPS/NGFW – Wireless NAT logs - Linux server logs – Web server logs - Auth logs (AD/kerb/CAS/MFA) – Windows server logs - Mail server logs – Database audit logs - VPN logs • Data Volume • Indexing ~190 GB per day (doubled since 2013) • Waiting for more license capacity for another 200+ GB • Users 40 regular users 115 infrequent users 18 Universal Forwarders 4 Indexers General search head + ES Search Head
  • 19. 19 Splunk Applications Splunk for Palo Alto Splunk App for AWS Cisco Security Suite Splunk on Splunk DB Connect Splunk SDK for Python
  • 20. 20 Splunk Roadmap at UMD Single-site -> Multi-site Larger license & more logs Splunk as a Service for campus The great migration to AWS Metrics & dashboards for campus administrators Backend for self service tools for IT staff Splunk in the classroom More correlation & data enrichment More automation & integration
  • 21. 21 Best Practices and Lessons Learned
  • 22. 22 Best Practices and Lessons Learned Log the important things – Admin/privileged users logins (especially after hours)  Regular user logins/failed logins useful too – New admin/privileged user accounts created – System/service restarts – Critical failures – Web access logs  Interesting user agents, access to web app admin pages, SQLi, XSS attempts, etc – Access to DBs w/ PII – Virus/Malware alerts Review at least weekly, daily if you can (especially: after hours logins, new accounts, sys/service restarts, AV alerts)
  • 23. 23 Best Practices and Lessons Learned GET THE FASTEST STORAGE YOU CAN AFFORD NTP is your friend – sync time early & often Define your searches as much as possible (NO index=*) Splunk’s documentation – Excellent resource. RTFM! Splunk Answers – great resource .conf – Like drinking from a fire hose Online user groups – Higher Ed mailing list hosted by OSU (contact me for info) 2
  • 24. Thank You! Contact: kts@umd.edu Note: I am hiring – Security Engineer and SOC Analyst positions!