Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITxpo 2012
DESCRIPTION
National Australia Bank has gained new operational visibility and intelligence using Splunk and their machine data. Learn how hundreds of Splunk users within these organizations turn terabytes of machine data into increased uptime, improved service delivery, real-time customer insights, enhanced security posture, informed capacity planning and more.
TRANSCRIPT
Mining Security Data: Security Surveillance and the Case for Data Reuse
• Financial services organisation with over 40,000 employees
• Operating more than 1,800 branches and service centres
• Responsible to more than 460,000 shareholders
• Major financial services franchises in Australia, New Zealand, Asia, the United Kingdom and the United States
• Committed to providing quality products and services, fair fees and charges, and relationships built on the principles of help, guidance and advice
National Australia Bank
• Security Program Manager, Information Security Services
• Senior Manager, nabCERT SOC
  • National Australia Bank’s Computer Emergency Response Team
  • Won SC Magazine Award for Organizational Excellence in Information Security
• 12+ years in technology
• Held various roles at NAB:
  • Info Security team leader
  • Architecture and strategy
  • Project management
  • Consulting
Introducing Jamie
What’s the user doing?
What’s the machine doing?
What’s the app doing?
What’s happening to the data?
What’s happening on the network?
Five Areas of Interest
• Need to improve incident response times
• Require greater visibility into security events
• Achieve contextualized / enriched alerting
• Correlate across systems
• Deal with different log formats
• Add new or modified log formats
• Avoid custom code (10 different security analysts)
• Limit to resource availability for manual (bespoke) investigations
Defining (some of) the Issues the SOC Faced
“Splunk gave us the speed of deployment and results we were looking for.”
• Stood up Splunk quickly
• Onboard and integrate data once—easily
• No need to re-import when applications or formats change
• Keeps the team in the business of security analysis and out of the business of building parsers and connectors
• Proven to be effective and efficient
Why Splunk? ROI for nabCERT
• Primary objective: Significantly reduce the time to complete electronic searches of email archives to meet legal requests
• Email logs easily searchable, by user, subject, timeframe
– Effective? Yes
  • Ability to perform searches based on subject, sender, recipient, date / time
  • Results used by the team to finalise acquisition of all pertinent material
– Efficient? Yes
  • No more grep
  • Search times reduced to minutes vs. hours or days (per investigator)
  • Concurrent searching of datasets by the investigative team
Case Study One
You’re Mining For Gold In Your Data… (Au)
If You Are Going To That Much Trouble (Fe, Cu, Pb, Ag, Ni)
• Business Partners
• Application Support, Fraud Team
• Infrastructure, Performance Management
• Network, Service Delivery Managers
• Security
Who Are Our Data Consumers?
Security
• Detecting unauthorized devices
• Monitor based on standard naming convention + Active Directory credentials
• Add MAC address lookup to confirm a "good" device
Service Delivery Operations
• Ensuring optimum connectivity / productivity
• Alerts for insufficient IP / subnet coverage across the network
• Alerts when subnets are full
• Visibility into underutilized subnets
• Triggers action for Network team to reallocate / reassign subnet
Our approach is to maximise the utility from every log source collected and indexed, not just for security
Case Study Two: DHCP Logs
Use commentary on the dashboard: Cause / Impact / Resolution
DHCP Dashboard – Security View
DHCP Dashboard – Network Service View
Don’t use Average, use Most Common (mode), median and 90th Percentile.
Network Service View #2: Users cannot connect to the network, or have delays connecting in hot desk areas.
DHCP Dashboard – Infrastructure View
Capacity and availability issues for the team supporting these services, as well as Service Desk.
Who is working late and how often during the week? Are they using the same workstation?
Case Study Three: The After Hours Worker
The ‘gold’ in this case happens to be a log line that resolved a three week issue causing significant disruption to a business unit.
Case Study 4: SOC to the Rescue
• Single log type (DHCP) from 1,000+ DHCP servers
• Security (nabCERT SOC) gets the “gold” it is after
• Networks, Security Operations (Firewalls), Service Management, Infrastructure support, Building services get what is of value to them
• Splunk search language calculations to pinpoint most critical – Min, Median, Mode, Max, 90th percentile
• Cross-reference with other data (IP address database)
• Provide the teams with the facts, in context, with an explanation and remedy
Enriched Data Drives Action
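The DHCP security view (naming convention plus MAC lookup) and the subnet-full / underutilised alerts from the Case Study Two slide, together with the cross-referencing summarised above, as an added Python example that is not NAB's or Splunk's code. The lease line format, the AU(WKS|LAP) naming convention, the known-good OUI list, the scopes and the alert thresholds are all assumptions; the sample lease lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample DHCP "Assign" lease lines (not real NAB data): time, event, IP, hostname, MAC.
SAMPLE_LOG = """\
08:01:12,Assign,10.1.1.10,AUWKS00123,00:11:22:33:44:01
08:01:15,Assign,10.1.1.11,AUWKS00124,00:11:22:33:44:02
08:02:03,Assign,10.1.1.12,android-9f3e,9c:ab:cd:00:00:01
08:02:40,Assign,10.1.2.10,AULAP00555,00:11:22:33:44:03
08:03:09,Assign,10.1.1.13,AUWKS00999,de:ad:be:ef:00:01
08:03:30,Assign,10.1.1.14,AUWKS00125,00:11:22:33:44:04
"""
LINE_RE = re.compile(r"^(?P<time>[\d:]+),Assign,(?P<ip>[\d.]+),(?P<host>[^,]+),(?P<mac>[0-9a-f:]{17})$")
HOSTNAME_RE = re.compile(r"^AU(WKS|LAP)\d{5}$")   # assumed corporate naming convention
GOOD_OUIS = {"00:11:22"}                           # assumed lookup table of managed-device vendor prefixes
SUBNETS = [ip_network("10.1.1.8/29"), ip_network("10.1.2.0/24")]  # assumed DHCP scopes
FULL, UNDERUSED = 0.8, 0.1                         # assumed alert thresholds (fraction of usable addresses)

def parse_leases(text):
    """Turn raw lease lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def unauthorized_devices(leases):
    """Security view: hostname must follow the convention AND the MAC OUI must be a known-good vendor."""
    findings = []
    for lease in leases:
        oui = lease["mac"][:8]
        if not HOSTNAME_RE.match(lease["host"]):
            findings.append((lease["ip"], lease["host"], "hostname outside naming convention"))
        elif oui not in GOOD_OUIS:
            findings.append((lease["ip"], lease["host"], f"unknown OUI {oui}"))
    return findings

def subnet_utilization(leases):
    """Network service view: leases per scope versus usable addresses (network and broadcast excluded)."""
    addrs = [ip_address(lease["ip"]) for lease in leases]
    return {str(net): (sum(a in net for a in addrs), net.num_addresses - 2) for net in SUBNETS}

def subnet_alerts(util):
    """Triggers for the Network team: scopes that are nearly full or barely used."""
    alerts = []
    for net, (used, capacity) in util.items():
        ratio = used / capacity
        if ratio >= FULL:
            alerts.append(f"{net} nearly full ({used}/{capacity})")
        elif ratio <= UNDERUSED:
            alerts.append(f"{net} underutilised ({used}/{capacity})")
    return alerts
```

Running the three functions over SAMPLE_LOG flags the Android client by hostname, flags AUWKS00999 because its well-formed name is not backed by a managed-device OUI, and raises one "nearly full" and one "underutilised" scope alert.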
• Take a collaborative approach
• Give us your data, we’ll give you more value
• Dashboards for specific teams so they can drill down themselves for problem solving
• Role-based access ensures access only to relevant data
• Look beyond the gold (what you are after)
Democratizing Data (In A Secure Fashion)
Primary objective: Significantly reduce time to complete electronic searches for legal
• Reuse case 1: Data loss protection supplement
• Reuse case 2: User activity baselining
• Reuse case 3: Validate spam / spoof controls
• Reuse case 4: User Access Revalidation supplement
Back to Case Study One (Legal)
Think and plan strategically, work tactically
• More re-use cases from our data
• More applications and databases
• Complete key infrastructure collection
• Look for the opportunities
• Take the time to look for the win:win
What’s Next?
Questions?
Splunk Company Overview
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Region HQ: London, Hong Kong
• Over 600 employees, based in 10 countries
• Q2 Revenue: $44.5 million; +71% year-over-year
Business Model / Products
• Free download to massive scale
• On-premise, in the cloud and SaaS
4,400+ Customers
• Customers in over 80 countries
• 54 of the Fortune 100
• Largest license: 100 Terabytes per day
See us on the ITxpo Showfloor in booth S2