SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying
Download as PPTX, PDF1 like515 views
The presentation discusses the challenges and methodologies involved in migrating from legacy SIEM systems to Splunk. Key considerations include identifying and prioritizing use cases, understanding data sources, and ensuring integration with third-party systems. The session emphasizes the importance of thorough preparation and planning to avoid common pitfalls during the migration process.
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying
- 1. Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying Kai Seidenschnur | Staff Sales Engineer
- 2. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved. Forward-Looking Statements
- 3. © 2018 SPLUNK INC. How the Hell Did We Get Here? I’m done. I’m replacing this SIEM!
- 4. ▶ Splunk’s a great product, why not ▶ Other worthwhile reasons: • Limited security data type • Inability to effectively ingest data • Slow investigations • Instability and scalability • End-of-life or uncertain roadmap • Closed ecosystem • Limited to on-premises Most Common Reasons for Replacement
- 5. Introductions and Agenda Who Are These Guys, Anyway? 1
- 6. Agenda What Will We Be Talking About Today? You Got This Things you can do today, to get “ready” for a SIEM replacement SIEM Replacement Methodology Splunk PS best practices Use Cases These drive migrations DataSources & Data Onboarding Parsers / connectors / TAs Architecture Measure twice, cut once Third Party Integrations Smart? Great! But do you play well with others?
- 7. SIEM Migration Methodology Splunk Professional Services (PS) Best Practices – Based on Real World Experience 2
- 8. SIEM replacements to Splunk Enterprise Security can be complex, but if the following things are taken into account, you won’t lose your job | shirt over it: ▶ Use cases matter: • Audit & prioritize use cases • Planned response ... do something! ▶ Know your data / datasources • Identify datasources & owners • Audit datasources • Identify enrichment requirements ▶ Current / future state integrations ▶ Research & preparation is key ▶ Assets & identities ▶ Partner with Splunk + PS Things You Should Know About Legacy SIEM Replacement and Splunk PS Best Practices
- 9. Use Cases These Drive Replacements…Use Cases, Use Cases, USE CASES! 3
- 10. ▶ Document describing a single detection activity. • What is the condition to detect? • What is the event data required? • What enrichment is required to scope down events? • What enrichment will reduce noise (false positives)? • Point to the response plan • What are your current use cases? • Which ones provide value? • Which ones don’t? What Is a Use Case? Spiral Analysis Planning Evaluation Development Waterfall Prototyping Determine Objectives Test Implement Requirements Design Implementation Verification Maintenance DEVE LOP DEMONSTRATE REFI NE
- 11. ▶ Document describing a single response activity • For a response what event data is required to triage • What actions should be taken • Escalation communication and do we need to order pizza • Can we reduce the cost of pizza by providing better data for response decisions? What Is a Response Plan?
- 12. ▶ The first step in embarking on a SIEM replacement initiative is • Identifying and prioritizing high value use cases, response plans and compliance reports: • Splunk PS has a 1-2 week SIEM replacement workshop where we come in and help customers: − Identify and develop high-fidelity use cases slated for migration/development − Datasources and enrichment identified via use case prioritization process − Plan the solution architecture • We typically see a 30-60% reduction in use cases selected for migration generally due to: − Old and/or stale rules − Housekeeping rules no longer needed − Rule consolidation due to advanced Splunk Query Language So no, you don’t have to migrate ALL your old funky rules! Putting the Horse Before the Cart…
- 13. ▶ Next step in embarking on a SIEM replacement initiative is • Quantifying the # of use case/compliance reports to be migrated and developed in the new Splunk ES environment - 1yr, 3yrs, 5yrs planning: − 1 search/report = compute resource utilized • Quantifying the # of concurrent users who will be using the SIEM on a daily basis: − Generally based on SIEM usage: − Security Operations Center (SOC) − Security Engineering Team − Security Officer(s) − Audit Team • Assets & identities–can’t do without it; how will you collect from your environment? How Use Cases Affect SIEM Replacements
- 14. Datasources & Data Onboarding Parsers / Connectors / TAs (Technology Add-ons) 4
- 15. ▶ Use case analysis determines in-scope datasources ▶ Why you don’t need to migrate your historical data from Legacy SIEM ▶ Data Source Onboarding via: How Do You Migrate Datasources to Splunk? • Universal Forwarder (UF) Deployed alongside existing parsers/connectors • UF deployed on syslog aggregator to read and ship logs into Splunk • Modern HTTP Event Collection • Database Tables (DBX) • Much more. • Never forget Splunk Stream • Fields from raw data • Data Normalization • Splunkbase - splunkbase.splunk.com - Easy Button: Custom Tas via “Splunk Add-on Builder” App Splunk Log Forwarding: Syslog Aggregation TAs (Technology Add-ons)
- 16. ES Architecture Measure Twice, Cut Once 5
- 17. ▶ Plan for modern data collection, deprecate legacy log collection infrastructure and stop accepting log loss today ▶ Plan for disaster recovery and availability ▶ Plan to remediate logging policies and source configuration Plan the Architecture Now that we know what we want to do, how will we execute it?
- 18. © 2018 SPLUNK INC. Components > • Collection layer (connectors / parsers vs. UF's / HF's ) • Parsing layer (technology add-ons) • Storage layer (indexers) • Presentation layer (search head + Enterprise Security App) • Security analytics (Splunk App for Enterprise Security) • Management layer (deployment server, cluster master, license server, deployer) Data source will determine what components are needed—your network determines where they should be Splunk Architecture
- 19. Third Party Integrations Smart? Great! But Do You Play Well with Others? 5
- 20. © 2018 SPLUNK INC. But Do You Play Well With Others? Smart? Great!
- 21. We Support Integration with most third-party systems: ▶ Case management / ticketing systems • (ServiceNow, Remedy, etc) ▶ Threat intelligence feeds • (STIX, TAXII, Internal, etc) ▶ Database integration • (Oracle, MySQL, etc) ▶ Microsoft Active Directory ▶ REST API support ▶ Custom code ▶ Others Third-Party Integrations Identify Current/Future State Third-Party Integration Points
- 22. You Got This! Things You Can Do Today, to Get Prepared for Your SIEM Replacement 5
- 23. ▶ Identify/audit and prioritize use cases for migrations ▶ Identify/audit and prioritize datasources for migration ▶ Identify datasource owners ▶ Research Splunk Technology Add-ons for datasource at splunkbase.splunk.com ▶ Assets & identities: identify CMDB sources ▶ Third-party integrations ▶ Develop logging standards Replacement Checklist:
- 24. What Do “You” Do Next?
- 25. ▶ We've successfully completed countless hair-pulling SIEM replacements before. You're in good hands–partner with us! ▶ Get on the fast track and contact your Splunk Sales Rep. today to learn more about PS' SIEM & use case development programs ▶ You're in luck—we're here to help you today: We have a breakout room X dedicated for you to talk to us about your SIEM replacement
- 26. Making machine data accessible, usable and valuable to everyone.
- 27. © 2018 SPLUNK INC. Don't forget to rate this session in the SplunkLive! mobile app Thank You https://ponypoll.com/frankfurt