network forensics for splunk, an emulex presentation

Network Forensics for Splunkers

Matt Walmsley, EMEA MarketingTom Jones, Sales Engineer

Emulex, Endace Division

mailto:[email protected]

mailto:[email protected]

2 Emulex Confidential - © 2013 Emulex Corporation

Today’s Topics

Time to Resolutio

n

Network Recording

Splunk Connector Q&A


The Networking Wheel of Life!

APMNPM

IPS / IDS

FirewallWAN Op

QoS

Recording &Forensics

Analysis & Intervention

Time to Resolution

# E

ven

ts

Savings

• Reduce Slow To Fix Items

• Identify Root Cause & Fix

Time is… Money / Safety / Advantage / Reputation


The 3 E of Great Interventions

Skills & Knowledge

Experience & Context

Evidence

Understanding

Decision Making

Intervention

• Efficient• Economic• Effective


Collecting Evidence - Recording Evolution

Interesting Vs. Important Specialised Vs. Generalised


Intelligent Network Recording

National Security

Banking & Trading

Enterprise

Specialised

Generalised


Endace – The Packet Capture Experts

World leader in network recording

10+ years selling security solutions to global clients

– Govt, Traders, Telco & Enterprise

Reputation for accuracy, scalability & performance

A division of Emulex


Intelligent Network Recording - Use Cases

Application Performance Management

Security Operations

Network Infrastructure Operations

Audit & Compliance

Legal Intercept

Custom


Intelligent Network Recording - Deployment

Intelligent Network Recorder “Probe”

• High Speed, High Fidelity Packet Capture Appliance

• Packet Processing and Indexing• Storage and Retrieval

Network Traffic Analysis App

• Traffic Profiling & Visualisation• Packet Analysis• Integration with other

networking tools


Endace Network Recording - Infrastructure

High Performance Intelligent Network Recording

Up to 64 TB storageMix of 1 and 10GbE ports

EndaceProbe™ INR

Network Visibility Headend

Allows EndaceProbe INRs/ODE to scale to 40 and

100GbE

EndaceAccess™Endace NetFlow

Generator

High-Speed NetFlow Generation for 10GbE

Networks

4x10GbE Ports

Endace OpenHosting Platform(ODE)

Hosting Platform for Monitoring Apps

8x1GbE or 4x10GbE PortsUp to 16 TB internal storage;

FC support for SAN


Low Definition• The visibility most solutions provide

How Much Network Visibility Do You Need?

High Definition – Endace Vision• See microbursts

• Know exactly what data has been compromised

• Identify issues impacting services and security application performance


EndaceVision - Actionable Insight

Bandwidth Over Time

Traffic breakdown and analysis

TCP/IP Conversations

Traffic over time Top Talkers Workflow


EndaceVision - Integrated and Open

Integration with “best of breed” solutions– API and hypervisor

– All tools share data from same secure location in datacenter

– Automated workflow, “pivot to packets” speeds up issue resolution

Lower Investment While Increasing ROI– Reduce device count

– Plan and train staff on the tools that fit customer situation best

EndaceProbe

EndaceFusion

APM NPM IDS HFT


Endace Solution - Key Features

• Market Leading Performance• 100% High fidelity packet capture • 10/100/1G/10G/40G/100GbE• 64TB on board storage

• FC SAN offload• Multi-unit “Sledging”

• Distributed Recording Fabric• Multiple EndaceProbe INRs, single recording

fabric• Traffic search and visualisation• Diverse, concurrent multiple uses

• Open and Flexible Integration• Endace dock hypervisor• RESTfull API• Endace Fusion solution ecosystem


Splunk & Endace – Macro and Micro

Log lines are a summary or interpretation of an event

Packets are the ground truth from which these are derived

Fusion connector links the two with a single click

Endace’s depth complements Splunk’s breadth


Feeding and Enabling Splunk

EndaceProbe INR Generated

Logs and Netflow Events

Splunk Generated Enquiries


Optimising Event Management Workflow

Event OccurrencePacket drill down and inspection

Traffic Analysis and Visualisation

Click to Traffic Search

Request Splunk Alert

!


Example Case – Finance / Trading Solution

Context• Network performance is critical to

$ services• Latency and outage intolerant• Multiple management tools

Solution• Integrated network monitoring and

security for a low latency 10GbE network

Products• Splunk!• EndaceProbe™ INR• Endace Fusion Connector for Splunk• EndaceVision™

Key Benefits• Greater insight into critical

network issues• Reduce time-to-resolution

(TTR)• Lower operational

expenditures (OPEX)


Real World Feedback

“While consolidating network monitoring and security tools was the primary need for the EndaceProbe INR, it was put to work even before the official deployment. the pilot and immediately discovered a security breach that had gone undetected with their existing tools, providing an immediate return on investment for the EndaceProbe INR 7000.”

“The EndaceProbe INR has been 100% reliable for us and we are impressed with its robust capabilities. We use it extensively and, coupled with the Fusion Connector for Splunk, are extremely happy with the results.” Global Head of Networks


Endace Helps You Enable the “3 E”

Understand macro and

micro situation

Reduce slow / hard to fix

items

Fix Route Cause

Stop Recurrent

Events

Reduce Time to Resolution Efficient

EconomicEffective


Which Means You Get…

Less stress, improved results

Uninterrupted weekends and evenings

Happy family, boss and stakeholders


Resources & Info

Solution Brief

Coming Soon

Testing Brief

Splunk Connector Appwww.emulex.com Blog

Video www.marquest.com

http://www.emulex.com/artifacts/c8d2fb58-85e8-4fce-8448-9c3d85a93d84/end_sb_all_endaceprobe_splunk.pdf

http://apps.splunk.com/app/1592/

http://www.emulex.com/partners/alliances/endace-fusion-ecosystem-program/fusion-connectors/splunk/

http://blog.endace.com/2013/10/introducing-the-fusion-connector-for-splunk-ideal-for-netops-and-secops-teams/

http://www.youtube.com/watch?feature=player_detailpage&v=2gHisBy_MEc

http://www.marquest.com/

Questions?

Thank you for your attention

network forensics for splunk, an emulex presentation

Technology

san11emulex confidential

generalisedemulex confidential

network forensics

sales engineer emulex

emulex corporationpacket

critical network issues

gbe network products

endace division