welcome to tomorrow ... today

Post on 14-Feb-2017


Copyright © 2016 Splunk Inc.

Tim Lee, CISO, City of LA

Ernie Welch, Sales Engineer, Splunk

Welcome to Tomorrow... Today: The need and benefit of merging IT and Security in today's ever-connected world of security and IT

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

City of Los Angeles

• 2nd largest city in U.S.
• Population: 4 million
• Annual visitors: 43 million
• 43 departments, 35,000 FTE
• Critical Infrastructure Sectors

Mayor's Executive Directive on Cybersecurity

"I'm creating this Cyber Intrusion Command Center (CICC) so that we have a single, focused team responsible for implementing enhanced security standards across city departments and serving as a rapid reaction force to cyber-attacks," Mayor Eric Garcetti

Challenges

• "Siloed" SOCs/NOCs
• Dispersed and massive log capturing
• Lack of centralized Incident Management capabilities
• No threat intelligence analysis and sharing platform
• Limited Situation Awareness (SA) and security metrics city-wide

Solution

Integrated SOC

Critical Asset Protection (CAP)

Critical Asset

A "Critical Asset" is defined as any system, whether physical or virtual, so vital to the City of Los Angeles and its citizens, that the incapacity or destruction of such systems, or the unauthorized access and/or dissemination of the information contained therein, would have a debilitating impact on the City's security, economic security, public health or safety, or any combination of those matters.

Critical Asset Protection

IDENTIFY
• Critical Asset Inventory
• Data sources & security controls
• Security goals & use cases

DETECT
• Data collection / Logging
• SIEM/ISOC integration
• Alert correlation, notification and dashboards

PROTECT
• KPI monitoring
• Policy, Standard and Guidelines
• Threat Intelligence service
• Awareness and Training
• Vulnerability assessment
• Penetration testing and Tabletop exercise
• Data Security / Compliance

RESPOND
• Incident Response Plan and Notification Procedure (Department, City-wide)

RECOVER
• Critical System Recovery Plan (Service Continuity Plan)

Enterprise Security

ES and a bifurcated ISOC dashboard

IT Service Intelligence: Current Deployment

• We've deployed 5 of the 43 departments within City of LA
• We've modeled 38 Services
• We've created 30 individual glass tables
• We're monitoring 160 KPIs
• We've enabled ML for anomaly detection / adaptive thresholds
• We're using Multi-KPI Alerting for advanced notifications

IT Service Intelligence: Role Based Access Control

IT Service Intelligence: Using multi glass tables

IT Service Intelligence: Leveraging core dashboards from ITSI

IT Service Intelligence: Deep Dives and OS Host Details

Tomorrow... Today: ITSI multi-KPI Alerts and Notable Events

ITSI & Security: Starting to tie it all together

Lessons Learned

• Start getting events into Splunk ASAP
• Engage Business Service SMEs early
  – DB Servers
  – Web Servers
  – App Servers
• Leverage KPI Base Searches – much more efficient
• Leverage Threshold templates – saves time, builds standards

What Now?

Related breakout sessions and activities…

THANK YOU
