Post on 05-Jun-2020
transcript
Using Splunk Enterprise to Achieve IT Operations and Business Agility
Jeff D Gill
Linkedin/in/jeffdgill
#splunkconf
Agenda
• About Me and CSC
• Splunk Architecture at CSC
• Splunk Use Cases
• Summary
About Me and CSC
• Head of Global SaaS Infrastructure, Chief Information Security Officer, CSC
• Biography
  – Executive / CIO-Advisor, IT Service Excellence, Accenture
  – Global Offering Lead, ITBM, Accenture
  – Research Lead, Innovation Management Services, Accenture
  – Co-founder / President, Executive Business Group
  – Senior Director, Infrastructure Management Services, Comcast
• Corporation Service Company (CSC)
  – Since 1899, a worldwide leader in business, legal and financial services
  – Represents hundreds of thousands of business entities worldwide, including many of the Fortune 100
  – Helps corporations maintain good standing and manage annual reports, permits and other corporate filings
Splunk CSC Architecture (2012)
• Splunk Enterprise originally added to monitor application log files and improve service availability
• Data Sources
  – 275 types of application logs, mostly Oracle WebLogic
  – Network logs
  – Syslog
  – 40+ GB/day on average
• Splunk Deployment
  – One search head
  – Two indexers
  – A deployment server, which simplifies managing Splunk configuration across hosts
Splunk CSC Architecture Today (2013)
• 400 GB of data indexed daily
• Five lines of business
• 90+ system architectures
• 350 possible breach scenarios
Understanding which data is relevant is critical !
[Diagram: data sources feeding Splunk. Categories: User Actions; Security / Intrusion; Connectivity; Platforms / Apps; CDR; Business Process Monitoring. Sources named: routing / switching, NTO, Spider, RSA/RAS and wireless, FireEye, TippingPoint, BlueCoat (firewalls/VPN), Qualys, web logs, custom app logs / events, CyberArk, Honeyd]
Splunk Use Cases at CSC
• Monitoring: DevOps, Security
• Development process support
• Agile development: Splunk allows new features to be prototyped and provided to the end user while they are still in a development team's backlog
• Decision support: improving customer experience through technology
• Automation
• Visualization and reporting
Splunk for CSC DevOps
• Windows: instant insight into Windows performance metrics
• Linux: proactive monitoring of CSC Linux infrastructure
• NAS/SAN: aggregating, monitoring and analyzing relevant IT data from CSC storage systems
• App and transaction logs: monitoring web server performance to avoid outages and increase customer satisfaction
• Network health visibility (routers, switches, firewalls)
• Proprietary application monitoring
Security
• Correlation of intrusion prevention, FireEye and Symantec SEP alerts to detect zero-hour threats
• Windows AD and Linux internal authentication
• Customer-facing and SSO authentication
• Identification of potential Cross-Site Request Forgery (CSRF) attacks in customer-facing apps
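The CSRF bullet above is a log-based hunt rather than an application control. What follows is an added example, not code from the original deck or from CSC: it scans constructed web access log lines in combined log format and flags state-changing requests whose Referer is missing or points at a host other than the application's own. The host name portal.example.com, the log lines and the user names are assumptions made for the example.

```python
"""Log-based hunt for potential CSRF: state-changing requests whose Referer is
missing or belongs to a host other than the application (added example)."""
import re
from urllib.parse import urlsplit

# Assumed customer-facing host name (hypothetical, not from the deck)
APP_HOST = "portal.example.com"

# Constructed sample lines in combined log format; not real CSC traffic
SAMPLE_LOG = """\
203.0.113.7 - alice [05/Jun/2020:10:01:12 +0000] "GET /account HTTP/1.1" 200 5123 "https://portal.example.com/login" "Mozilla/5.0"
203.0.113.7 - alice [05/Jun/2020:10:01:40 +0000] "POST /account/email HTTP/1.1" 302 0 "https://portal.example.com/account" "Mozilla/5.0"
198.51.100.9 - bob [05/Jun/2020:10:02:03 +0000] "POST /account/email HTTP/1.1" 302 0 "http://evil.example.net/free-prize" "Mozilla/5.0"
198.51.100.9 - bob [05/Jun/2020:10:02:05 +0000] "POST /orders HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jun/2020:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 200 42000 "http://evil.example.net/free-prize" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Methods that change server-side state; a state-changing GET is an app design problem
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of the Referer URL, or None when the header was absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def find_csrf_candidates(log_text, app_host=APP_HOST):
    """One finding per state-changing request whose Referer is missing or from a foreign host.

    'foreign-referer' is the strong signal (a cross-site page submitted the request);
    'missing-referer' is weaker because browsers strip the header in legitimate cases.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        host = referer_host(rec["referer"])
        if host is None:
            reason = "missing-referer"
        elif host.lower() != app_host.lower():
            reason = "foreign-referer"
        else:
            continue  # same-origin submission, nothing to flag
        findings.append({
            "ip": rec["ip"], "user": rec["user"], "method": rec["method"],
            "path": rec["path"], "referer_host": host, "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_csrf_candidates(SAMPLE_LOG):
        print(f"{f['reason']:16} {f['user']:6} {f['method']} {f['path']} referer={f['referer_host']}")
```

Treat a missing Referer as a weaker signal than a foreign one: browsers drop the header under a strict Referrer-Policy or when navigating from HTTPS to HTTP, so that rule needs per-application tuning, and where the web server logs the Origin header it is the better field to key on. A Splunk search over the web access logs expresses the same logic; the actual defence stays in the application (anti-CSRF tokens, SameSite cookies), and the search only surfaces attempts for review.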
Decision Support System (DSS)
• Custom applications that help customer service representatives better support our customers
• Splunk enables identification of domain registration trends
• With Splunk, CSC can proactively resolve self-service order issues for our customers
DSS Report
DSS Continued
Automation
• Cisco service: alert the remote NOC
• FireEye alerts: open a ticket via external scripting
• Splunk enables correlation of potential incidents across multiple systems to accelerate identification and diagnosis of problems
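The correlation bullet here and the zero-hour bullet on the Security slide (intrusion prevention, FireEye and Symantec SEP alerts) come down to one rule: several independent sources firing on the same host inside a short window is worth a ticket even when no single alert is. The following is an added example, not the deck's or CSC's code. It works on a constructed, simplified key=value alert format rather than the products' real log formats; the host names, signatures and the five-minute window are assumptions, and the ticket text is what the "external scripting" step would hand to a ticketing system.

```python
"""Multi-source alert correlation by host and time window (added example).
An incident is raised when alerts from two or more distinct sources land on the
same host within the window; a lone alert stays in normal triage."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a simplified key=value form. The field names,
# hosts and signatures are assumptions; the real products log differently.
SAMPLE_ALERTS = """\
2020-06-05T10:00:05Z source=ips host=ws-0142 sig="Exploit Kit Landing Page"
2020-06-05T10:00:09Z source=fireeye host=ws-0142 sig="Malware Callback"
2020-06-05T10:03:40Z source=sep host=ws-0142 sig="Trojan.Gen.2"
2020-06-05T10:10:00Z source=sep host=ws-0207 sig="Adware.Generic"
2020-06-05T10:30:00Z source=ips host=ws-0142 sig="Port Scan"
2020-06-05T11:00:00Z source=fireeye host=srv-db01 sig="Web Infection"
2020-06-05T11:04:00Z source=ips host=srv-db01 sig="SQL Injection Attempt"
"""


def parse_alert(line):
    """Parse 'timestamp key=value ...' (quoted values allowed) into a dict with a datetime ts."""
    ts_str, rest = line.split(" ", 1)
    fields = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for tok in shlex.split(rest):          # shlex keeps quoted values together
        key, value = tok.split("=", 1)
        fields[key] = value
    return fields


def _close_cluster(host, cluster, incidents, min_sources):
    """Emit an incident for a cluster if it spans enough distinct sources."""
    sources = {a["source"] for a in cluster}
    if len(sources) >= min_sources:
        incidents.append({
            "host": host,
            "first_seen": cluster[0]["ts"],
            "last_seen": cluster[-1]["ts"],
            "sources": sorted(sources),
            "signatures": [a["sig"] for a in cluster],
        })


def correlate(alert_text, window=timedelta(minutes=5), min_sources=2):
    """Group each host's alerts into clusters that start at an alert and run
    for `window`; return one incident per cluster with >= min_sources sources."""
    by_host = defaultdict(list)
    for line in alert_text.splitlines():
        a = parse_alert(line)
        by_host[a["host"]].append(a)

    incidents = []
    for host, alerts in by_host.items():
        alerts.sort(key=lambda a: a["ts"])
        cluster = []
        for a in alerts:
            if cluster and a["ts"] - cluster[0]["ts"] > window:
                _close_cluster(host, cluster, incidents, min_sources)
                cluster = []
            cluster.append(a)
        if cluster:
            _close_cluster(host, cluster, incidents, min_sources)
    return incidents


def ticket_summary(incident):
    """Text an external ticketing script would submit for one incident."""
    span = (incident["last_seen"] - incident["first_seen"]).total_seconds()
    return (f"[{incident['host']}] {len(incident['sources'])} sources "
            f"({', '.join(incident['sources'])}) within {span:.0f}s: "
            + "; ".join(incident["signatures"]))


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(ticket_summary(inc))
```

With the sample data, ws-0142 produces one incident from three sources and its later lone port-scan alert is dropped, while srv-db01 produces a two-source incident. The min_sources threshold is the tuning knob: raising it to 3 leaves only ws-0142, which is the trade between missing a two-sensor compromise and flooding the NOC with tickets.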
Enrichment and Correlation
Referencing External Data
• Blackhole list services
• Spamhaus
• Threat list databases
• Splunk protects our reputation by monitoring DNS, spam and other threat lists to ensure that CSC is not improperly categorized
• Splunk helps us protect our customers and resources by aggregating these lists and correlating them against logged hosts in various situations
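To make the last two bullets concrete, here is an added example that is not code from the deck or from CSC. It loads constructed threat lists (single addresses and CIDR blocks), tags connection log entries whose source or destination address is on a list, and separately checks whether the organisation's own address space overlaps any list entry, which is the reputation check the slide refers to. The list names, IP ranges and log lines are all assumptions made for the example.

```python
"""Threat-list enrichment of connection logs and a reputation check of our own
address space against the same lists (added example)."""
import ipaddress

# Constructed threat lists; entries are single addresses or CIDR blocks.
# Real feeds (blackhole lists, Spamhaus, commercial threat lists) are
# downloaded on a schedule; names and contents here are assumptions.
THREAT_LISTS = {
    "blackhole-list-a": ["198.51.100.0/24", "203.0.113.77"],
    "spam-list-b": ["192.0.2.0/25", "203.0.113.77"],
}

# Hypothetical public ranges belonging to the organisation
OWN_RANGES = ["192.0.2.0/28", "203.0.113.64/27"]

# Constructed firewall-style log lines: timestamp src=... dst=... action=...
SAMPLE_CONN_LOG = """\
2020-06-05T09:00:01Z src=10.1.4.23 dst=198.51.100.45 action=allow
2020-06-05T09:00:02Z src=10.1.4.23 dst=93.184.216.34 action=allow
2020-06-05T09:00:03Z src=10.7.0.9 dst=203.0.113.77 action=allow
2020-06-05T09:00:04Z src=203.0.113.201 dst=10.2.0.5 action=deny
"""


def compile_lists(lists=THREAT_LISTS):
    """Parse every entry once into ip_network objects (a bare address becomes a /32)."""
    return {name: [ipaddress.ip_network(e, strict=False) for e in entries]
            for name, entries in lists.items()}


def lists_containing(ip, compiled):
    """Names of the lists whose entries cover `ip`, sorted for stable output."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in compiled.items() if any(addr in n for n in nets))


def parse_conn(line):
    """Parse 'timestamp key=value ...' into a dict; values here contain no spaces."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def enrich_connections(log_text, lists=THREAT_LISTS):
    """Return one hit per (line, side) where src or dst is on at least one list."""
    compiled = compile_lists(lists)
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn(line)
        for side in ("src", "dst"):
            names = lists_containing(rec[side], compiled)
            if names:
                hits.append({"ts": rec["ts"], "side": side, "ip": rec[side],
                             "lists": names, "action": rec["action"]})
    return hits


def own_ranges_listed(own_ranges=OWN_RANGES, lists=THREAT_LISTS):
    """Which of our ranges overlap a list entry: the trigger for a delisting request."""
    compiled = compile_lists(lists)
    overlaps = []
    for r in own_ranges:
        net = ipaddress.ip_network(r, strict=False)
        for name, nets in compiled.items():
            for entry in nets:
                if entry.version == net.version and net.overlaps(entry):
                    overlaps.append({"own_range": r, "list": name, "entry": str(entry)})
    return overlaps


if __name__ == "__main__":
    for h in enrich_connections(SAMPLE_CONN_LOG):
        print(f"{h['ts']} {h['side']}={h['ip']} action={h['action']} lists={','.join(h['lists'])}")
    for o in own_ranges_listed():
        print(f"own range {o['own_range']} overlaps {o['entry']} on {o['list']}")
```

In Splunk the same split applies: the feeds become lookup tables refreshed on a schedule, the `lookup` command (with a lookup definition configured for CIDR matching) does the join at search time, and the own-range check runs as a scheduled search that alerts on any match so a delisting request can be raised before customers notice bounced mail or blocked pages.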
Telephony CDR
• Call Detail Records (CDR) allow CSC to make up for shortcomings in Cisco’s call reporting tools
• Gives end user ad-hoc querying capabilities as well as automated reports
• Visualization of inbound calls with Google Maps – future
Security Operations Console
• Windows Security Operations Console
• Symantec Endpoint Protection reporting
• Virus activity reporting (CSC developed)
Summary
• Splunk Software helps us achieve exceptional customer satisfaction
• With Splunk Software, CSC is able to significantly improve IT operations and business agility
• Splunk Software accelerates incident response by identifying errant events and correlating information that most monitoring systems can’t
• Splunk Software speeds recovery in that the operators can link potential problems and get to the root cause of real problems quickly
Thank you!
• Q&A