Copyright © 2015 Splunk Inc.

Splunk App for AWS at Creative Artists Agency

2

Jon Papp

Information Risk Management

Creative Artists Agency

3

A Bit About Me …

Background in Mechanical Engineering with concentration on Robotics

Designed, built, and developed robotic jet engine manufacturing systems for Alcoa Power and Propulsion

Architected huge material handling systems (warehouse sortation, airport baggage handling, shipping and packaging, etc.) for BEUMER Group

Close friend recommended trying business intelligence consulting

Worked as a Splunk PS consultant across many industries

Now focused on IT Security at CAA

4

About Creative Artists Agency

Headquartered in Los Angeles, CA

10 locations across 6 countries– Additional small/home offices– 4,000 employees– 6 security staff

Talent and Sports Agency– Represent world’s leading artists,

entertainers, athletes, and brands

5

What We’re Protecting

Internal Data– Agent/Executive data– Corporate information– Financials– Internally developed applications

Client Data– Reputation– Personal/Sensitive information– Contracts– Salary information

6

Migrating to the Cloud

Multiple teams actively migrating and producing entirely new services across multiple cloud environments (AWS and Azure)

No technical controls on what users are creating

No centrally managed automation deployment solution

Limited visibility into critical infrastructure changes

7

Splunk App for AWS

8

Splunk App for AWS

Quick and easy configuration

• Well documented installation guide

• My install was done in <1 hour

• Can easily manage inputs for multiple accounts all via user interface

9

Splunk App for AWS

Easily review topology (and topology over time)

9

10

Custom Designed Alerts

Audit new instance creation

10

11

Custom Designed Alerts

Audit risky security group rules

12

Custom Designed Alerts

Audit risky connections in VPC flow logs

13

Deployment Auditing

Find hosts in AWS missing essential security software

14

Quickly Resolve Incidents

15

Quickly Resolve Incidents

• Within 10 minutes confirmed vendor had accessed server remotely and ran IP scan while attempting to debug an issue

• Reviewed with vendor and service owner and established proper process for future debugging

• Also removed local administrative privileges vendor had been granted

16

What’s Next

First and foremost - replicating current AWS success in Azure to continue to provide holistic view of cloud infrastructure

Enforcing metadata tags on instances to assign accountability

Using Splunk to compile security risk and vulnerability information by instance and owner, giving owners a complete view of their security posture

Thank You