Splunk in Yoox: Security and Compliance

Date post: 15-Feb-2017
Transcript

Copyright © 2015 Splunk Inc.

Gianluca Gaias, Head of Information Security, YOOX Group

Building an Enterprise-grade Security Intelligence Platform at Yoox.com (Gain the Big Picture)

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Personal Introduction

Gianluca Gaias, YOOX Group. YOOX Group is the global Internet retailing partner for leading fashion and luxury brands.

Head of Information Security:
– Application Security
– Organizational Security
– Compliance
– Security Monitoring

Key Takeaways

  From a technology-oriented approach to an info-centric approach

  From log correlation to pattern recognition

  From a passive/display platform to a proactive/executive platform

  From standard dashboards to real-time dynamic dashboards

  From a security event to context-aware security information

Agenda

  YOOX Group: business and challenges

  Security evolution overview

  From a technology-oriented approach to an information-oriented approach
  – Deep investigation
  – Proactive dashboard: IP Blacklist
  – Real-time dynamic dashboard: Attack Map

  Risk management and pattern recognition
  – Use case: Attackers' Activity

  Reconsidering dashboard design

  Next steps

YOOX Group

  Global reach to more than 100 countries worldwide

  Five logistics centers strategically located, guaranteeing top service to all major fashion markets (United States, Europe, Japan, China, Hong Kong)

YOOX Group: OS & Multi-Brand

MULTI-BRAND

§ The world's leading online lifestyle store for fashion, design and art
§ Broad offering of end-of-season premium apparel and accessories, exclusive collections, vintage, home & design and artworks
§ Launched in 2000

§ The luxury online boutique with in-season assortment of high fashion and directional designers for men and women
§ Dedicated mini-stores
§ Launched in 2008

§ The online destination for women dedicated entirely to in-season high-end shoes
§ Exclusive shoe-related services and innovative editorial component
§ Launched in 2012

MONO-BRAND: online stores "Powered by YOOX Group"

§ Exclusive official online flagship stores of leading fashion and luxury brands
§ Long-term partnerships
§ JVCo with Kering

and many more …

YOOX Group: Challenges

  Keep the trust
  – Data Confidentiality
  – Data Integrity and Completeness
  – Data Processing Transparency

  High Availability in a hostile environment

  Gain the big picture:
  – Challenge and Enabler

ü Shareholders
ü Customers
ü Stakeholders

Security Evolution Overview

Timeline chart, 2011 to 2015 (axis ticks dropped), of the security initiatives introduced over the period:

– Data Leakage Prevention
– Information Security Compliance
– IPS & Anomaly Detection
– Administrative Access Control
– PCI-DSS Compliance
– Sites Vulnerability Checks
– Code Review
– Logical Access Governance
– Security Intelligence Platform
– Online Brand Protection
– Privacy Compliance
– Information Process Analysis

Security Evolution – Tech vs Info

  Technology Oriented:
  – Info confined to technology
  – Partial identity definition
  – No covered gaps

  Information Oriented - Splunk:
  – Enrichment of tech logs
  – Event correlation
  – Clear identity definition

From Tech to Info

"From a technology-oriented approach to an info-centric approach."

Investigation

Investigation: Show Details

Advanced Dashboard: IP Blacklist

• Proactive dashboard
• One-click blacklist on Akamai WAF through Akamai API calls
• Splunk is able to run a command on the input source (drilldown)

«From a passive/display platform to a proactive/executive platform»

WAF Activity Representation: Standard Dashboard

Pros
• Statistical evidence by:
  – Source IP
  – Attack type
  – WAF action
• Event distribution over time

Cons
• Spike visibility depends on the scale
• Not evident:
  – Attack frequency
  – Relation between source IP, attack type and WAF action

"From standard dashboards to real-time dynamic dashboards"

Real-time Dynamic Dashboard: Attack Map

Security Evolution – Risk Mgmt & Pattern Rec.

  Risk Management:
  – Correlation of tech elements and business elements
  – Support to quantitative risk analysis
  – Assigning a risk value to alerts

  Pattern Recognition:
  – Different levels of correlation
  – Pattern as the result of several high-level events from different systems, by identity
  – Knowledge from historical incidents and analysts' experience
  – Goal: detect user behavior and recurrent attack patterns

Pattern Recognition

Single security events may be part of a more complex action.

Diagram (correlation by identity): the single events "Brute Force", "Exce. Out Data" and "High Conn." are correlated, in sequence, through Correlation Level 1, Correlation Level 2 ... Correlation Level n into the higher-level pattern "Data Exfiltration". The sequence is introduced by a high-level analyst; pattern consolidation is done by the analyst.

«From log correlation to pattern recognition»

Risk Management

  Usually a single security event has a static risk

  We need a risk value based on content and on the other events correlated with it

"From a security event to context-aware security information"

Diagram: Risk, built from Static Assign. (Lookup), N-level correlation and Content Eval
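The multi-level correlation sketched on the Pattern Recognition and Risk Management slides, as an added worked example that is not YOOX's or Splunk's code: level 1 raises one alert per identity and source system, level 2 consolidates the Brute Force, High Conn. and Exce. Out Data alerts fired in sequence into a Data Exfiltration pattern, and the risk value is a static lookup raised by the correlation level and by content evaluation. Alert names, thresholds, risk weights and the sample events are assumed or constructed here.

```python
from collections import defaultdict
# Static risk per alert type: the "Static Assign. (Lookup)" step (weights assumed).
STATIC_RISK = {"brute_force": 3, "high_conn": 2, "exce_out_data": 4, "data_exfiltration": 9}
# Level-1 thresholds for raw events from three different systems (values assumed).
THRESHOLDS = {"login_failed": 5, "conn_open": 50, "bytes_out": 10_000_000}
ALERT_FOR = {"login_failed": "brute_force", "conn_open": "high_conn", "bytes_out": "exce_out_data"}
# The sequence an analyst introduced as the "Data Exfiltration" pattern.
EXFIL_SEQUENCE = ("brute_force", "high_conn", "exce_out_data")

def level1(events):
    """Level 1: per identity, one alert per system once its threshold is crossed.
    events are (ts, identity, kind, value); returns ({id: {alert: first_ts}}, {id: totals})."""
    totals = defaultdict(lambda: defaultdict(int))
    first_ts = defaultdict(dict)
    for ts, identity, kind, value in sorted(events):
        totals[identity][kind] += value
        alert = ALERT_FOR[kind]
        if totals[identity][kind] >= THRESHOLDS[kind] and alert not in first_ts[identity]:
            first_ts[identity][alert] = ts  # remember when this alert first fired
    return first_ts, totals

def level2(alerts):
    """Level 2: the three level-1 alerts of one identity, fired in sequence, consolidate into "Data Exfiltration"."""
    if not all(a in alerts for a in EXFIL_SEQUENCE):
        return None
    stamps = [alerts[a] for a in EXFIL_SEQUENCE]
    return "data_exfiltration" if stamps == sorted(stamps) else None

def content_eval(totals):
    """Content evaluation: outbound volume far above the threshold adds risk (rule assumed)."""
    return 2 if totals["bytes_out"] >= 5 * THRESHOLDS["bytes_out"] else 0

def correlate(events):
    """Returns {identity: (alerts, pattern, risk)}: the context-aware risk is the static
    lookup of each alert, raised by the level-2 pattern and by content evaluation."""
    first_ts, totals = level1(events)
    out = {}
    for identity, alerts in first_ts.items():
        pattern = level2(alerts)
        risk = sum(STATIC_RISK[a] for a in alerts)
        risk += STATIC_RISK[pattern] if pattern else 0
        risk += content_eval(totals[identity])
        out[identity] = (sorted(alerts), pattern, risk)
    return out

# Constructed sample events: one identity runs the full sequence, another only hammers logins.
SAMPLE = [(t, "203.0.113.7", "login_failed", 1) for t in range(100, 106)]
SAMPLE += [(110 + t, "203.0.113.7", "conn_open", 10) for t in range(5)]
SAMPLE += [(130, "203.0.113.7", "bytes_out", 60_000_000)]
SAMPLE += [(t, "198.51.100.9", "login_failed", 1) for t in range(200, 212)]
```

Running `correlate(SAMPLE)` scores the first identity with the consolidated pattern and the second with only a static brute-force risk, which is the difference between a single event and context-aware information the slides describe.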

Use Case: Attackers' Activity

Detect a sequence of relevant events by identity

  Activity Score: vertical axis, max of the same alert type

  Activity Frequency: ball diameter

Chart: Pattern Recognition Risk Value

Reconsidering Dashboard Design

Diagram: layers of the platform, from data to knowledge
– Native Log Collection
– Splunk Log Collection
– Standard Dashboards
– Advanced Dashboards
– Pattern Recognition

Audiences along the same layers: Splunk Engineers, NOC, SOC, Security Analyst, Head of Security

Axes: Knowledge, Data Meaning, The Big Picture

Key Takeaways

  From a technology-oriented approach to an info-centric approach.

  From log correlation to pattern recognition.

  From a passive/display platform to a proactive/executive platform.

  From standard dashboards to real-time dynamic dashboards.

  From a security event to context-aware security information.

Next Steps

Extend the scope (channels, data, devices)

Deep into the noise

Questions?

THANK YOU

