Date posted: 22-Jan-2018
© 2017 SPLUNK INC.
Splunk and AWS: Securing the Cloud
Kam Amir | Splunk Cloud Architect
08/03/2017
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.
Agenda
▶ What is Machine Data?
▶ Why Splunk?
▶ Splunk Security Use Cases
• Partnerships and integrations with third party vendors
• Splunk Security Apps
▶ Splunk on AWS
▶ Splunk App for AWS
What is Machine Data?
ORDER, 2016-05-21T14:04:12.484,10098213,569281734,67.17.10.12,43CD1A7B8322,SA-2100
MAY 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213.
Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException:
weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The
DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port:
ACMEDB-01:1521. Reason: Connection refused
05/21 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type
0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-
13ae51a6d092, Trunk T451.16
05/21 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
CUSTID 10098213
05/21 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
{actor:{displayName: “Go Boys!!”,followersCount:1366,friendsCount:789,link:
http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”},
objectType:“person”,preferredUsername:“B0ysF@n80”,statusesCount:6072},body: “Can’t buy
this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if
you hate @ACME!!”,objectType:“activity”,postedTime:“2016-05-21T16:39:40.647-0600”}
What Does Machine Data Look Like?
Sources: Order Processing, Care IVR, Middleware Error (plus a customer tweet)
Machine Data Contains Critical Insights
Sources: Order Processing, Care IVR, Middleware Error
Highlighted fields (order record): Customer ID, Order ID, Product ID
ORDER, 2016-05-21T14:04:12.484,10098213,569281734,67.17.10.12,43CD1A7B8322,SA-2100
MAY 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213.
Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException:
weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The
DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port:
ACMEDB-01:1521. Reason: Connection refused
05/21 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type
0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-
13ae51a6d092, Trunk T451.16
05/21 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
CUSTID 10098213
05/21 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
{actor:{displayName: “Go Boys!!”,followersCount:1366,friendsCount:789,link:
http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”},
objectType:“person”,preferredUsername:“B0ysF@n80”,statusesCount:6072},body: “Can’t buy
this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if
you hate @ACME!!”,objectType:“activity”,postedTime:“2016-05-21T16:39:40.647-0600”}
Highlighted fields (remaining records): Order ID, Twitter ID, Customer ID, Customer ID, Time waiting on hold, Customer's tweet, Company's Twitter ID
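The correlation this slide illustrates, as an added example that is not Splunk's code: one regex extractor per record format shown above, with events grouped by the customer ID the sources share. The tweet carries only a Twitter handle and no customer ID, so it is deliberately left unmatched.

```python
import re
from collections import defaultdict

# Records copied from the slide above: order record, WebLogic middleware error
# (first line only) and IVR screen-pop event. Customer ID 10098213 and order
# ID 569281734 are the shared keys the slide highlights.
ORDER = "ORDER, 2016-05-21T14:04:12.484,10098213,569281734,67.17.10.12,43CD1A7B8322,SA-2100"
MIDDLEWARE = ("MAY 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer "
              "10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException:")
IVR = "05/21 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213"

# One (source name, pattern) pair per format; named groups become the event fields.
EXTRACTORS = [
    ("Order Processing", re.compile(
        r"^ORDER,\s*(?P<ts>[^,]+),(?P<customer_id>\d+),(?P<order_id>\d+),"
        r"(?P<client_ip>[\d.]+),(?P<mac>\w+),(?P<product_id>[\w-]+)")),
    ("Middleware Error", re.compile(
        r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) (?P<host>\S+) Order (?P<order_id>\d+) "
        r"failed for customer (?P<customer_id>\d+)")),
    ("Care IVR", re.compile(
        r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d[:.]\d+) \[(?P<event>\w+)\] "
        r"SerID (?P<session>[0-9a-f-]+) CUSTID (?P<customer_id>\d+)")),
]

def parse_event(line):
    """Return (source, fields) for a recognised record, else None."""
    for source, pattern in EXTRACTORS:
        match = pattern.match(line)
        if match:
            return source, match.groupdict()
    return None

def correlate_by_customer(lines):
    """Group parsed events by customer_id, preserving arrival order per customer."""
    timeline = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # unrecognised format (e.g. the tweet): skip rather than fail
        source, fields = parsed
        timeline[fields["customer_id"]].append((source, fields))
    return dict(timeline)

if __name__ == "__main__":
    for customer, events in correlate_by_customer([ORDER, MIDDLEWARE, IVR]).items():
        print(customer, "->", [source for source, _ in events])
```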
Why Splunk?
True End State: Complete Hybrid Visibility
(Diagram: index untapped data of any source, type and volume for end-to-end visibility across on-premises, private cloud and public cloud.)
Data sources pictured: Storage, Telecoms, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Lambda, Servers, Messaging, GPS Location, Config, EC2, Online Services, Databases, Call Detail Records, Energy Meters, CloudTrail, EMR, RDS
Use cases: Application Delivery; IT Operations; Security, Compliance and Fraud; Business Analytics; Internet of Things and Industrial Data
Splunk Markets
Platform for Operational Intelligence, with a Developer Platform (REST API, SDKs)
Markets: IT Operations; Application Delivery; Business Analytics; Internet of Things and Industrial Data; Security, Compliance and Fraud
The Splunk Portfolio
Platform for Operational Intelligence, with Splunk Premium Solutions and a rich ecosystem of apps & add-ons
Data inputs pictured: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop
Splunk Security Use Cases
Recent Headlines: Do you want to be front page news?
Security
▶ Security and compliance reporting
▶ Real-time monitoring of known threats
▶ Incident investigations and forensics
▶ Fraud detection
▶ Detect unknown threats
▶ Insider threat
Splunk for Security
▶ Splunk Enterprise Security
▶ Splunk User Behavior Analytics
▶ 500+ Security Apps, including: Palo Alto Networks, Symantec DNS, OSSEC, NetFlow Logic, Cisco Security Suite, F5 Security, PCI Compliance, Active Directory, Blue Coat ProxySG
Security Focused Splunk Apps: Free apps available from Splunkbase
▶ Splunk Security Essentials: https://splunkbase.splunk.com/app/3435/
▶ Splunk Security Essentials for Ransomware: https://splunkbase.splunk.com/app/3593/
Splunk Enterprise Security (ES): Data driven SIEM
▶ Splunk Enterprise Security
• Analytics-Driven SIEM
• Real Time Monitoring
• Prioritize and Act
• Rapid Investigations
• Handle multi-step investigations
• Deploy on-prem, Splunk Cloud or private hybrid Cloud
• Improve Operational Efficiency
Splunk Adaptive Response Partners Diagram
Partner categories pictured: Identity and Access; Internal Network Security; Endpoints; Orchestration; WAF & App Security; Threat Intelligence; Network; Web Proxy; Firewall
Splunk on AWS
Splunk's AWS Credentials
▶ AWS Advanced Technology Partner
▶ AWS Big Data Competency
▶ AWS Security Competency
▶ AWS DevOps Competency
▶ AWS Government Competency
▶ AWS Education Competency
▶ AWS IoT Competency
▶ AWS MSP Technology Provider
▶ AWS Marketplace Partner
▶ AWS Security by Design Program Partner
▶ 1st partner with published Blueprints for AWS Lambda
▶ 1st partner to pass SaaS extension for Well Architected framework
Splunk Runs On & With AWS
Delivery Models
▶ SaaS on AWS: 100% Uptime SLA; SOC2 Type II Certified; Runs on AWS; for small IT teams, starts at $90/mo and 1 GB/day
▶ Enterprise on AWS: BYOL with Amazon EC2; Splunk Core + Enterprise Security & ITSI available; deploy with AWS Quick Start!
▶ Apps and Integrations: Cloud Services Apps (Splunk App for AWS, ServiceNow, Salesforce, etc.); AWS Specific Integrations (CloudTrail, CloudWatch/Logs, Config/Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing, SQS, SNS)
Splunk App for AWS
End-to-End Visibility with AWS and Splunk
(Diagram, v1.1: AWS data sources reaching Splunk through the AWS Add-on and DB Connect over three ingestion paths: native path via AWS, push path via Splunk HEC, and pull path via Splunk Modular Input or DB Input.)
▶ Logs: Billing Reports, S3 Access Logs, CloudTrail Logs, ELB Access Logs, CloudFront Access Logs, Application Logs, Config Snapshots & History Files, Other Service Logs
▶ AWS services: Kinesis Stream, SQS, Lambda, RDS, Redshift, CloudTrail, SNS, S3, Config, CloudWatch Metrics, CloudWatch Events, CloudWatch Logs
▶ CloudWatch Events: EC2 System Manager Events, ECS Container & Task State Changes, EBS Volume & Snapshot Notifications, EMR Cluster & Instance State Changes, Auto Scaling Group State Changes, CodeDeploy Instance & Deployment State Changes, AWS Console Sign-In Events, AWS Health & Trusted Advisor Events, KMS Events, ElastiCache Cluster Events, CloudFormation Stack Events, CloudWatch Alarms
▶ CloudWatch Metrics: ELB, CloudFront, EC2, EBS, ECS, DynamoDB, EMR, Kinesis, Lambda, API Gateway, S3, Route53, SNS, RDS
▶ Streamed and event-driven sources: VPC Flow Logs, Lambda Logs, API Gateway Logs, Custom Application Logs, API Gateway Custom Events, DynamoDB Table Updates, S3 Events, Cognito Events, Custom Config Rules, CodeCommit Repo Events, IoT
Splunk App for AWS: The Value
Dashboards: Topology, Usage, Security, Billing, Timeline, Insights
▶ View user activity
▶ Gain a full audit trail
▶ Detect anomalous behavior
▶ View EC2 utilization metrics
▶ View by account, region, instance
▶ Supports numerous AWS services
▶ Visualize your AWS environment
▶ View resource relationships
▶ Gain playback history
▶ Compare and correlate events
▶ View in a time-series ribbon
▶ Accelerate investigations
▶ Leverage machine learning toolkit
▶ Gain billing recommendations
▶ Detect security and billing anomalies
▶ Gain view into resource cost
▶ Improve RI planning / utilization
▶ Monitor actual spend vs. forecast
© 2017 SPLUNK INC.
Topology
Usage
Splunk App for AWS: The Value
▶ View user activity
▶ Gain a full audit trail
▶ Detect anomalous behavior
▶ View EC2 utilization metrics
▶ View by account, region,
instance
▶ Supports numerous
AWS services
▶ Visualize your AWS
Environment
▶ View resource relationships
▶ Gain playback history
▶ Compare and correlate events
▶ View in a time-series ribbon
▶ Accelerate investigations
▶ Leverage machine
learning toolkit
▶ Gain billing recommendations
▶ Detect security and billing
anomalies
▶ Gain view into resource cost
▶ Improve RI planning / utilization
▶ Monitor actual spend
vs. forecast
Security Billing
Timeline Insights
© 2017 SPLUNK INC.
Detailed Use Cases
IT Operations
▶ What is my EBS footprint and posture across all my accounts and all my regions?
▶ Who started/stopped/restarted what instances and when?
▶ What EC2 instances are underutilized and perhaps overprovisioned?
▶ What is the traffic volume into my VPC and where is it originating from?
▶ Why are certain resources unreachable from certain subnets/VPCs?
▶ List resources with missing or non-conforming tags
Security
▶ Who added that rule in the security group that protects our application servers?
▶ Where is the blocked traffic into that VPC coming from?
▶ What was the activity trail of a particular user before and after that incident?
▶ Alert me when a user imports key-pairs or when a security group allows all ports
▶ What instances are provisioned outside of a VPC, by whom and when?
▶ What security groups are defined but not attached to any resource?
Cost Management
▶ How many instances am I running?
▶ What reserved instances have I purchased in the past?
▶ What is my reserved instance utilization?
▶ How much am I paying per account?
▶ How much am I using per service across all accounts?
▶ How many reserved instances should I buy based on usage?
▶ Is this account within budget this month, and how has it tracked in the last year?
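One way to evaluate the "alert me when a user imports key-pairs or when a security group allows all ports" use case directly over CloudTrail records, as an added example that is neither the deck's nor the Splunk App for AWS's code: the sample events are constructed, and the field layout follows the CloudTrail event format (eventName, userIdentity, requestParameters with the EC2 "items" wrappers).

```python
# Constructed CloudTrail-style records (not from any real account): a key-pair
# import, a security-group rule opened on all ports, and a benign HTTPS rule.
SAMPLE_EVENTS = [
    {"eventTime": "2017-08-03T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ImportKeyPair", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"keyName": "laptop-key"}},
    {"eventTime": "2017-08-03T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-08-03T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/24"}]}}]}}},
]

def allows_all_ports(perm):
    """True when one ipPermissions entry covers every port: protocol -1 or 0-65535."""
    if perm.get("ipProtocol") == "-1":
        return True
    return perm.get("fromPort", 0) == 0 and perm.get("toPort") == 65535

def check_event(event):
    """Return an alert string for the two slide use cases, else None."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    who = event.get("userIdentity", {}).get("userName", "unknown")
    params = event.get("requestParameters") or {}
    if event.get("eventName") == "ImportKeyPair":
        return f"{who} imported key pair {params.get('keyName')} from {event.get('sourceIPAddress')}"
    if event.get("eventName") == "AuthorizeSecurityGroupIngress":
        for perm in params.get("ipPermissions", {}).get("items", []):
            if allows_all_ports(perm):
                return f"{who} opened all ports on {params.get('groupId')}"
    return None

def scan(records):
    """Accept a list of events or a CloudTrail log-file document {"Records": [...]}."""
    events = records.get("Records", []) if isinstance(records, dict) else records
    return [alert for alert in map(check_event, events) if alert]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```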
AWS CloudWatch
Populates the following dashboards in the Splunk App for AWS:
• Overview
• Topology
• Usage Overview
• EC2 Instances
• EBS Volumes
• ELB Instances
• Relational Database Service
• Current Month Estimated Billing
• Insights Overview / EC2 / ELB / EBS Insights
• Billing Anomaly Insights
• Lambda
AWS CloudWatch Logs
Data from the CloudWatch Logs service, including VPC flow logs. Flow logs allow you to capture IP traffic flow data for the network interfaces in your resources.
Dashboards:
• Topology
• VPC Flow Logs – Traffic Analysis
• VPC Flow Logs – Security Analysis
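An added example, not Splunk's code, of the kind of analysis behind the VPC Flow Logs security dashboard: parse version 2 flow log records and answer "where is the blocked traffic into that VPC coming from?" by rejected flows per external source, alongside accepted inbound bytes per source. The records, account ID and ENI ID are constructed.

```python
import ipaddress
from collections import Counter

# Constructed VPC flow log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Account and ENI IDs are made up.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51234 22 6 4 240 1501754400 1501754460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51235 3389 6 3 180 1501754400 1501754460 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 44010 443 6 20 8400 1501754400 1501754460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 443 44010 6 18 36000 1501754400 1501754460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.25 40000 22 6 1 60 1501754400 1501754460 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1501754400 1501754460 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

def parse_flow_log(line):
    """Return one record as a dict, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no flow fields to analyse
    for key in ("srcport", "dstport", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def summarize_inbound(text, vpc_cidr):
    """Per external source: count of REJECTed flows into the VPC and ACCEPTed bytes."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejects, accepted_bytes = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_flow_log(line)
        if rec is None:
            continue
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        if dst not in vpc or src in vpc:
            continue  # only traffic entering the VPC from outside
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["action"] == "ACCEPT":
            accepted_bytes[rec["srcaddr"]] += rec["bytes"]
    return rejects, accepted_bytes

if __name__ == "__main__":
    rejected, accepted = summarize_inbound(SAMPLE_FLOW_LOGS, "10.0.0.0/16")
    print("blocked by source:", rejected.most_common(), "| accepted bytes:", dict(accepted))
```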
AWS CloudTrail
Records AWS API calls for your account and delivers log files to you.
Populates Dashboards:
• Overview
• Topology
• Security Overview
• IAM Activity
• VPC Activity
• Security Groups
• Key Pairs Activity
• Network ACLs
• User Activity
• Insights Overview
• Security Anomaly Insights
• Timeline
AWS Config
Populates the following dashboards in the Splunk App for AWS:
• Overview
• Topology
• Security Groups
• Resource Activity
• Timeline
• Config Rules
Customer Use Cases
City of Los Angeles Integrates Real-Time Security Intelligence Sharing Across 40+ City Agencies
“By deploying the Splunk SIEM solution, we enhance our detection and response capabilities to protect the City’s critical assets from all manner of cyber threats and intrusions. By utilizing a cloud solution, our security team can focus on security events rather than deploying and maintaining infrastructure.”
ENTERPRISE SECURITY ON SPLUNK CLOUD
• Executive Summary
• White Paper
.conf2017: The 8th Annual Splunk Conference
Sept 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C.
▶ 6000+ IT and Business Professionals
▶ 200+ Sessions
▶ 80+ Customer Speakers
PLUS Splunk University
▶ Three days: Sept 23-25, 2017
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
conf.splunk.com
Thank You