welcome to tomorrow ... today
TRANSCRIPT
Copyright © 2016 Splunk Inc.
Tim Lee, CISO, City of LA
Ernie Welch, Sales Engineer, Splunk
Welcome to Tomorrow... Today: The need and benefit of merging IT and Security in today's ever-connected world of security and IT
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
City of Los Angeles
• 2nd largest city in U.S.
• Population: 4 Million
• Annual visitors: 43 Million
• 43 departments, 35,000 FTE
• Critical Infrastructure Sectors
Mayor's Executive Directive on Cybersecurity
"I'm creating this Cyber Intrusion Command Center (CICC) so that we have a single, focused team responsible for implementing enhanced security standards across city departments and serving as a rapid reaction force to cyber-attacks," Mayor Eric Garcetti
Challenges
• "Siloed" SOCs/NOCs
• Dispersed and massive log capturing
• Lack of centralized Incident Management capabilities
• No threat intelligence analysis and sharing platform
• Limited Situation Awareness (SA) and security metrics city-wide
Solution
Integrated SOC
Critical Asset Protection (CAP)
Critical Asset
A "Critical Asset" is defined as any system, whether physical or virtual, so vital to the City of Los Angeles and its citizens that the incapacity or destruction of such systems, or the unauthorized access and/or dissemination of the information contained therein, would have a debilitating impact on the City's security, economic security, public health or safety, or any combination of those matters.
Critical Asset Protection

IDENTIFY
• Critical Asset Inventory
• Data sources & security controls
• Security goals & use cases

DETECT
• Data collection / Logging
• SIEM/ISOC integration
• Alert correlation, notification and dashboards

PROTECT
• KPI monitoring
• Policy, Standard and Guidelines
• Threat Intelligence service
• Awareness and Training
• Vulnerability assessment
• Penetration testing and Tabletop exercise
• Data Security / Compliance

RESPOND
• Incident Response Plan and Notification Procedure (Department, City-wide)

RECOVER
• Critical System Recovery Plan (Service Continuity Plan)
Enterprise Security
ES and a bifurcated ISOC dashboard
IT Service Intelligence
Current Deployment
• We've deployed 5 of the 43 departments within City of LA
• We've modeled 38 Services
• We've created 30 individual glass tables
• We're monitoring 160 KPIs
• We've enabled ML for anomaly detection / adaptive thresholds
• We're using Multi-KPI Alerting for advanced notifications
IT Service Intelligence
Role Based Access Control
IT Service Intelligence
Using multiple glass tables
IT Service Intelligence
Leveraging core dashboards from ITSI
IT Service Intelligence
Deep Dives and OS Host Details
Tomorrow... Today
ITSI multi-KPI Alerts and Notable Events
ITSI & Security
Starting to tie it all together
Lessons Learned
• Start getting events into Splunk ASAP
• Engage Business Service SMEs early
  – DB Servers
  – Web Servers
  – App Servers
• Leverage KPI Base Searches – much more efficient
• Leverage Threshold templates – saves time, builds standards
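The adaptive thresholds and multi-KPI alerting that the Current Deployment slide mentions can be illustrated with a small simulation. This is an added example, not code from the presentation or from Splunk ITSI: it assumes a simple band of mean plus or minus three standard deviations over a rolling baseline of ten readings (a stand-in for whatever ITSI's own adaptive thresholding computes), constructed per-minute readings for three KPIs of a hypothetical service, and a rule that a notable event is raised only when at least two KPIs are critical in the same minute.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed sample: twelve per-minute readings for three KPIs of one
# hypothetical service. The last two minutes contain a web/DB spike while
# the application error rate stays flat.
SAMPLE_KPIS = {
    "web_response_ms": [120, 118, 125, 122, 119, 121, 124, 120, 123, 122, 410, 430],
    "db_connections": [40, 42, 41, 39, 43, 40, 42, 41, 40, 42, 95, 98],
    "app_error_rate": [0.5, 0.6, 0.4, 0.5, 0.7, 0.5, 0.6, 0.5, 0.4, 0.6, 0.5, 0.6],
}


def adaptive_band(baseline, multiplier=3.0):
    """Lower/upper threshold derived from the baseline window: mean +/- k * stdev.

    Assumed technique for illustration only; ITSI's own adaptive thresholding
    is not reproduced here.
    """
    data = list(baseline)
    m = mean(data)
    sd = pstdev(data)
    return m - multiplier * sd, m + multiplier * sd


def evaluate_kpi(values, window=10, multiplier=3.0):
    """Return a severity ('normal' or 'critical') for each reading.

    The band is recomputed from the previous `window` normal readings, so the
    threshold follows the KPI as it drifts. Critical readings are deliberately
    kept out of the baseline so a spike cannot widen its own band.
    """
    baseline = deque(maxlen=window)
    severities = []
    for v in values:
        if len(baseline) < window:
            severity = "normal"  # not enough history to judge yet
        else:
            low, high = adaptive_band(baseline, multiplier)
            severity = "critical" if (v < low or v > high) else "normal"
        if severity == "normal":
            baseline.append(v)
        severities.append(severity)
    return severities


def multi_kpi_alert(kpi_series, min_critical=2, window=10, multiplier=3.0):
    """Raise one notable event per minute in which at least `min_critical`
    KPIs of the service are critical at the same time.

    Returns a list of (index, sorted KPI names) tuples. A single noisy KPI
    does not page anyone; correlated degradation across KPIs does.
    """
    per_kpi = {name: evaluate_kpi(vals, window, multiplier)
               for name, vals in kpi_series.items()}
    length = min(len(s) for s in per_kpi.values())
    alerts = []
    for i in range(length):
        critical = sorted(name for name, sev in per_kpi.items() if sev[i] == "critical")
        if len(critical) >= min_critical:
            alerts.append((i, critical))
    return alerts


if __name__ == "__main__":
    for name, vals in SAMPLE_KPIS.items():
        print(name, evaluate_kpi(vals))
    print("notable events:", multi_kpi_alert(SAMPLE_KPIS))
```

With the constructed data, minutes 10 and 11 produce a notable event because both the web response time and the DB connection count leave their bands at once, while the flat error rate never does. Raising `min_critical` to 3 silences the alert, which is the point of multi-KPI alerting: one KPI misbehaving is a dashboard colour change, several together is an incident.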
What Now?
Related breakout sessions and activities...
THANK YOU