Copyright © 2015 Splunk Inc.
Splunk App for AWS at Creative Artists Agency
Jon Papp
Information Risk Management
Creative Artists Agency
A Bit About Me …
Background in Mechanical Engineering with concentration on Robotics
Designed, built, and developed robotic jet engine manufacturing systems for Alcoa Power and Propulsion
Architected huge material handling systems (warehouse sortation, airport baggage handling, shipping and packaging, etc.) for BEUMER Group
Close friend recommended trying business intelligence consulting
Worked as a Splunk PS consultant across many industries
Now focused on IT Security at CAA
About Creative Artists Agency
Headquartered in Los Angeles, CA
10 locations across 6 countries
• Additional small/home offices
• 4,000 employees
• 6 security staff
Talent and Sports Agency
• Represent world’s leading artists, entertainers, athletes, and brands
What We’re Protecting
Internal Data
• Agent/Executive data
• Corporate information
• Financials
• Internally developed applications
Client Data
• Reputation
• Personal/Sensitive information
• Contracts
• Salary information
Migrating to the Cloud
Multiple teams actively migrating and producing entirely new services across multiple cloud environments (AWS and Azure)
No technical controls on what users are creating
No centrally managed automation deployment solution
Limited visibility into critical infrastructure changes
Splunk App for AWS
Quick and easy configuration
• Well documented installation guide
• My install was done in <1 hour
• Can easily manage inputs for multiple accounts all via user interface
Splunk App for AWS
Easily review topology (and topology over time)
Custom Designed Alerts
Audit new instance creation
Custom Designed Alerts
Audit risky security group rules
Custom Designed Alerts
Audit risky connections in VPC flow logs
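Detection logic of the kind this alert describes, as an added example (not the talk's Splunk search or the app's own code): it parses VPC flow log version 2 records and flags accepted connections from outside RFC 1918 space to administrative or database ports. The port list, the "internal means RFC 1918" assumption and the sample records are constructed for illustration.

```python
import ipaddress

# Assumed "risky" definition: an ACCEPTed flow from outside RFC 1918 space
# (taken here as the VPC's own address space) to an admin or database port.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default VPC flow log version 2 field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

def parse_record(line):
    """Field dict for one OK record; None for malformed, NODATA or SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def is_risky(rec):
    """ACCEPT from a source outside RFC 1918 space to a sensitive destination port."""
    if rec["action"] != "ACCEPT":
        return False
    try:
        src = ipaddress.ip_address(rec["srcaddr"])
        dport = int(rec["dstport"])
    except ValueError:  # '-' placeholder fields or malformed values
        return False
    return dport in SENSITIVE_PORTS and not any(src in net for net in RFC1918)

def audit(lines):
    """Return (srcaddr, dstaddr, service) for each risky record, in log order."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec and is_risky(rec):
            findings.append((rec["srcaddr"], rec["dstaddr"], SENSITIVE_PORTS[int(rec["dstport"])]))
    return findings

# Constructed sample records (documentation IPs, made-up account/ENI ids), not real traffic.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51822 22 6 10 840 1434000000 1434000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.20 40000 22 6 12 900 1434000000 1434000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 44444 3389 6 3 180 1434000000 1434000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.30 44445 3306 6 8 640 1434000000 1434000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1434000000 1434000060 - NODATA",
]
if __name__ == "__main__":
    for src, dst, svc in audit(SAMPLE_LOG):
        print(f"risky {svc} connection {src} -> {dst}")
```

The internal flow on port 22 and the REJECTed RDP attempt are deliberately not flagged, so the alert stays focused on accepted external access rather than on every blocked probe.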
Deployment Auditing
Find hosts in AWS missing essential security software
Quickly Resolve Incidents
• Within 10 minutes confirmed vendor had accessed server remotely and ran IP scan while attempting to debug an issue
• Reviewed with vendor and service owner and established proper process for future debugging
• Also removed local administrative privileges vendor had been granted
What’s Next
First and foremost, replicating the current AWS success in Azure to continue to provide a holistic view of cloud infrastructure
Enforcing metadata tags on instances to assign accountability
Using Splunk to compile security risk and vulnerability information by instance and owner, giving owners a complete view of their security posture
Thank You