stackArmor Security MicroSummit - AWS Security with Splunk

Date post: 22-Jan-2018
Transcript
Page 1: stackArmor Security MicroSummit - AWS Security with Splunk

© 2017 SPLUNK INC.

Splunk and AWS: Securing the Cloud

Kam Amir | Splunk Cloud Architect

[email protected]

08/03/2017

Page 2: stackArmor Security MicroSummit - AWS Security with Splunk

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.

THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.

Page 3: stackArmor Security MicroSummit - AWS Security with Splunk


Agenda

▶ What is Machine Data?

▶ Why Splunk?

▶ Splunk Security Use Cases

• Partnerships and integrations with third party vendors

• Splunk Security Apps

▶ Splunk on AWS

▶ Splunk App for AWS

Page 4: stackArmor Security MicroSummit - AWS Security with Splunk


What is Machine Data?

Page 5: stackArmor Security MicroSummit - AWS Security with Splunk

What Does Machine Data Look Like?

SOURCES: Order Processing, Middleware Error, Care IVR, Twitter

Order Processing:
ORDER, 2016-05-21T14:04:12.484,10098213,569281734,67.17.10.12,43CD1A7B8322,SA-2100

Middleware Error:
MAY 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused

Care IVR:
05/21 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-13ae51a6d092, Trunk T451.16
05/21 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213
05/21 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092

Twitter:
{actor:{displayName: “Go Boys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“B0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2016-05-21T16:39:40.647-0600”}

Page 6: stackArmor Security MicroSummit - AWS Security with Splunk

Machine Data Contains Critical Insights

Fields highlighted in the same four events (sources: Order Processing, Middleware Error, Care IVR, Twitter):

• Order Processing: Customer ID, Order ID, Product ID
• Middleware Error: Order ID, Customer ID
• Care IVR: Customer ID, time waiting on hold
• Twitter: Twitter ID, customer’s tweet, company’s Twitter ID

Page 8: stackArmor Security MicroSummit - AWS Security with Splunk


Why Splunk?

Page 9: stackArmor Security MicroSummit - AWS Security with Splunk

Page 10: stackArmor Security MicroSummit - AWS Security with Splunk

True End State: Complete Hybrid Visibility

End-to-End Visibility
Index Untapped Data: Any Source, Type, Volume

Environments: On-Premises, Private Cloud, Public Cloud

Data sources: Storage, Telecoms, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Lambda, Servers, Messaging, GPS Location, Config, EC2, Online Services, Databases, Call Detail Records, Energy Meters, CloudTrail, EMR, RDS

Use cases: Application Delivery, IT Operations, Security, Compliance and Fraud, Business Analytics, Internet of Things and Industrial Data

Page 11: stackArmor Security MicroSummit - AWS Security with Splunk

Splunk Markets

Platform for Operational Intelligence

▶ IT Operations
▶ Application Delivery
▶ Security, Compliance and Fraud
▶ Business Analytics
▶ Internet of Things and Industrial Data
▶ Developer Platform (REST API, SDKs)

Page 12: stackArmor Security MicroSummit - AWS Security with Splunk

The Splunk Portfolio

Platform for Operational Intelligence

▶ Splunk Premium Solutions
▶ Rich Ecosystem of Apps & Add-Ons
▶ Data inputs: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop

Page 13: stackArmor Security MicroSummit - AWS Security with Splunk


Splunk Security Use Cases

Page 14: stackArmor Security MicroSummit - AWS Security with Splunk

Recent Headlines: Do you want to be front page news?

Page 15: stackArmor Security MicroSummit - AWS Security with Splunk

Security

▶ Security and Compliance Reporting
▶ Real-Time Monitoring of Known Threats
▶ Incident Investigations and Forensics
▶ Fraud Detection
▶ Detect Unknown Threats
▶ Insider Threat

Page 17: stackArmor Security MicroSummit - AWS Security with Splunk

Security Focused Splunk Apps: Free apps available from Splunkbase

▶ Splunk Security Essentials
▶ https://splunkbase.splunk.com/app/3435/
▶ Splunk Security Essentials for Ransomware
▶ https://splunkbase.splunk.com/app/3593/

Page 18: stackArmor Security MicroSummit - AWS Security with Splunk

Splunk Enterprise Security (ES): Data driven SIEM

▶ Splunk Enterprise Security
• Analytics-Driven SIEM
• Real Time Monitoring
• Prioritize and Act
• Rapid Investigations
• Handle multi-step investigations
• Deploy on-prem, Splunk Cloud or private hybrid Cloud
• Improve Operational Efficiency

Page 19: stackArmor Security MicroSummit - AWS Security with Splunk

Splunk Adaptive Response Partners Diagram (copy/paste this graphic to use in your own presentations)

Partner categories: Identity and Access, Internal Network Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall+

Page 20: stackArmor Security MicroSummit - AWS Security with Splunk


Splunk on AWS

Page 21: stackArmor Security MicroSummit - AWS Security with Splunk

Splunk’s AWS Credentials

▶ AWS Advanced Technology Partner
▶ AWS Big Data Competency
▶ AWS Security Competency
▶ AWS DevOps Competency
▶ AWS Government Competency
▶ AWS Education Competency
▶ AWS IoT Competency
▶ AWS MSP Technology Provider
▶ AWS Marketplace Partner
▶ AWS Security by Design Program Partner
▶ 1st partner with published Blueprints for AWS Lambda
▶ 1st partner to pass SaaS extension for Well Architected framework

Page 22: stackArmor Security MicroSummit - AWS Security with Splunk

Splunk Runs On & With AWS

Delivery Models:
▶ SaaS on AWS: 100% Uptime SLA, SOC2 Type II Certified, Runs on AWS
▶ Enterprise on AWS: BYOL with Amazon EC2, deploy with AWS Quick Start!
▶ Splunk Core + Enterprise Security & ITSI available
▶ For small IT teams: starts at $90/mo, starts at 1GB/day

Apps and Integrations:
▶ Cloud Services Apps: Splunk App for AWS, ServiceNow, Salesforce, etc.
▶ AWS Specific Integrations: CloudTrail, CloudWatch/Logs, Config/Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing, SQS, SNS

Page 23: stackArmor Security MicroSummit - AWS Security with Splunk


Splunk App for AWS

Page 24: stackArmor Security MicroSummit - AWS Security with Splunk

End-to-End Visibility with AWS and Splunk (v1.1)

Ingestion paths:
▶ Native path (via AWS)
▶ Push path (via Splunk HEC)
▶ Pull path (via Splunk Modular Input or DB Input)

Splunk-side components: AWS Add-on, DB Connect

AWS services: Kinesis Stream, SQS, Lambda, RDS, Redshift, CloudTrail, SNS, S3, CloudWatch Metrics, CloudWatch Events, CloudWatch Logs, Config

Log files: Billing Reports, S3 Access Logs, CloudTrail Logs, ELB Access Logs, CloudFront Access Logs, Application Logs, Config Snapshots & History Files, Other Service Logs

CloudWatch Events: EC2 System Manager Events, ECS Container & Task State Changes, EBS Volume & Snapshot Notifications, EMR Cluster & Instance State Changes, Auto Scaling Group State Changes, CodeDeploy Instance & Deployment State Changes, AWS Console Sign-In Events, AWS Health & Trusted Advisor Events, KMS Events, ElastiCache Cluster Events, CloudFormation Stack Events, CloudWatch Alarms

CloudWatch Metrics: ELB, CloudFront, EC2, EBS, ECS, DynamoDB, EMR, Kinesis, Lambda, API Gateway, S3, Route53, SNS, RDS

CloudWatch Logs: VPC Flow Logs, Lambda Logs, API Gateway Logs, Custom Application Logs

Other event sources: API Gateway Custom Events, DynamoDB Table Updates, S3 Events, Cognito Events, Custom Config Rules, CodeCommit Repo Events, IoT

Page 25: stackArmor Security MicroSummit - AWS Security with Splunk

Splunk App for AWS: The Value

Security
▶ View user activity
▶ Gain a full audit trail
▶ Detect anomalous behavior

Usage
▶ View EC2 utilization metrics
▶ View by account, region, instance
▶ Supports numerous AWS services

Topology
▶ Visualize your AWS Environment
▶ View resource relationships
▶ Gain playback history

Timeline
▶ Compare and correlate events
▶ View in a time-series ribbon
▶ Accelerate investigations

Insights
▶ Leverage machine learning toolkit
▶ Gain billing recommendations
▶ Detect security and billing anomalies

Billing
▶ Gain view into resource cost
▶ Improve RI planning / utilization
▶ Monitor actual spend vs. forecast

Page 27: stackArmor Security MicroSummit - AWS Security with Splunk

Detailed Use Cases

IT Operations
▶ What is my EBS footprint and posture across all my accounts and all my regions?
▶ Who started/stopped/restarted what instances and when?
▶ What EC2 instances are underutilized and perhaps overprovisioned?
▶ What is the traffic volume into my VPC and where is it originating from?
▶ Why are certain resources unreachable from certain subnets/VPCs?
▶ List resources with missing or non-conforming tags

Security
▶ Who added that rule in the security group that protects our application servers?
▶ Where is the blocked traffic into that VPC coming from?
▶ What was the activity trail of a particular user before and after that incident?
▶ Alert me when a user imports key-pairs or when a security group allows all ports
▶ What instances are provisioned outside of a VPC, by whom and when?
▶ What security groups are defined but not attached to any resource?

Cost Management
▶ How many instances am I running?
▶ What reserved instances have I purchased in the past?
▶ What is my reserved instance utilization?
▶ How much am I paying per account?
▶ How much am I using per service across all accounts?
▶ How many reserved instances should I buy based on usage?
▶ Is this account within budget this month, and how has it tracked in the last year?

Page 28: stackArmor Security MicroSummit - AWS Security with Splunk

AWS CloudWatch

Populates the Following Dashboards in the Splunk App for AWS:
• Overview
• Topology
• Usage Overview
• EC2 Instances
• EBS Volumes
• ELB Instances
• Relational Database Service
• Current Month Estimated Billing
• Insights Overview / EC2 / ELB / EBS Insights
• Billing Anomaly Insights
• Lambda

Page 29: stackArmor Security MicroSummit - AWS Security with Splunk

AWS CloudWatch Logs

Data from the CloudWatch Logs service, including VPC flow logs. Flow logs allow you to capture IP traffic flow data for the network interfaces in your resources.

Dashboards:
• Topology
• VPC Flow Logs – Traffic Analysis
• VPC Flow Logs – Security Analysis
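As an added example (not part of the deck), the following Python parses version-2 VPC Flow Log records, the data behind the VPC Flow Logs dashboards, and answers two questions from the Detailed Use Cases slide: where blocked traffic into a VPC comes from, and how much accepted traffic arrives from each source. The sample records and the VPC range 10.0.0.0/16 are constructed.

```python
"""Added example: summarise VPC Flow Log (v2) records by source of inbound traffic."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Default version-2 flow log record layout: 14 space-separated fields.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records for a hypothetical VPC 10.0.0.0/16 (not real traffic).
SAMPLE_LOG = """\
2 123456789012 eni-0abc12345def67890 198.51.100.23 10.0.1.15 51234 22 6 3 180 1501750800 1501750860 REJECT OK
2 123456789012 eni-0abc12345def67890 198.51.100.23 10.0.1.15 51235 3389 6 3 180 1501750800 1501750860 REJECT OK
2 123456789012 eni-0abc12345def67890 203.0.113.9 10.0.1.15 40000 443 6 12 6400 1501750800 1501750860 ACCEPT OK
2 123456789012 eni-0abc12345def67890 10.0.1.15 203.0.113.9 443 40000 6 10 9000 1501750800 1501750860 ACCEPT OK
2 123456789012 eni-0abc12345def67890 198.51.100.77 10.0.2.8 60001 23 6 1 60 1501750800 1501750860 REJECT OK
2 123456789012 eni-0abc12345def67890 10.0.1.15 198.51.100.5 33000 25 6 2 120 1501750800 1501750860 REJECT OK
2 123456789012 eni-0abc12345def67890 - - - - - - - 1501750800 1501750860 - NODATA
"""

def parse_flow_record(line: str) -> Optional[dict]:
    """Return the record as a dict, or None for NODATA/SKIPDATA and malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or rec["action"] not in ("ACCEPT", "REJECT"):
        return None
    for key in ("dstport", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def summarise_inbound(lines: Iterable[str], vpc_cidr: str) -> Dict[str, dict]:
    """Inbound = destination inside the VPC. Per source: REJECT count, refused ports, ACCEPTed bytes."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejects, ports, accepted_bytes = Counter(), defaultdict(set), Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or ipaddress.ip_address(rec["dstaddr"]) not in vpc:
            continue  # unparsable row, or outbound/transit traffic
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
            ports[rec["srcaddr"]].add(rec["dstport"])
        else:
            accepted_bytes[rec["srcaddr"]] += rec["bytes"]
    return {"rejects": dict(rejects),
            "rejected_ports": {src: sorted(p) for src, p in ports.items()},
            "accepted_bytes": dict(accepted_bytes)}

if __name__ == "__main__":
    summary = summarise_inbound(SAMPLE_LOG.splitlines(), "10.0.0.0/16")
    for src, n in sorted(summary["rejects"].items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} rejected flows to ports {summary['rejected_ports'][src]}")
```

The outbound REJECT from 10.0.1.15 is deliberately excluded: only flows whose destination lies inside the VPC count as traffic into it.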

Page 30: stackArmor Security MicroSummit - AWS Security with Splunk

AWS CloudTrail

Records AWS API calls for your account and delivers log files to you.

Populates Dashboards:
• Overview
• Topology
• Security Overview
• IAM Activity
• VPC Activity
• Security Groups
• Key Pairs Activity
• Network ACLs
• User Activity
• Insights Overview
• Security Anomaly Insights
• Timeline
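Two of the alerting questions on the Detailed Use Cases slide (a user importing key-pairs, a security group that allows all ports) are answered from the CloudTrail API-call records described here. The following is an added Python example, not code from the deck or from Splunk: the records are constructed and follow the field layout of real EC2 CloudTrail events, and the rule names are my own.

```python
"""Added example: flag two alerting use cases from the deck in CloudTrail records:
a user importing a key pair, and a security group rule that allows all ports."""
import json
from typing import Dict, List

# Constructed CloudTrail-style records; the field layout follows real EC2 events,
# the values (users, IPs, group ids) are made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-08-03T14:02:11Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 0, "toPort": 65535,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-08-03T14:05:40Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
    {"eventTime": "2017-08-03T14:09:02Z", "eventName": "ImportKeyPair",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"keyName": "ops-laptop"}},
    {"eventTime": "2017-08-03T14:11:30Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})

def opens_all_ports(permission: dict) -> bool:
    """True for a rule covering every port: protocol -1 (all) or the full 0-65535 range."""
    if str(permission.get("ipProtocol")) == "-1":
        return True
    return permission.get("fromPort") == 0 and permission.get("toPort") == 65535

def find_alerts(trail_json: str) -> List[Dict[str, str]]:
    """One alert per matching event, carrying who did it, when, and from which IP."""
    alerts = []
    for ev in json.loads(trail_json).get("Records", []):
        base = {"time": ev["eventTime"],
                "user": ev.get("userIdentity", {}).get("userName", "?"),
                "src_ip": ev.get("sourceIPAddress", "?")}
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "ImportKeyPair":
            alerts.append({**base, "rule": "key_pair_imported", "detail": params.get("keyName", "?")})
        elif ev["eventName"] == "AuthorizeSecurityGroupIngress":
            items = params.get("ipPermissions", {}).get("items", [])
            if any(opens_all_ports(p) for p in items):
                alerts.append({**base, "rule": "sg_allows_all_ports", "detail": params.get("groupId", "?")})
    return alerts

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_TRAIL):
        print(f"{a['time']} {a['rule']}: user={a['user']} src_ip={a['src_ip']} {a['detail']}")
```

Bob's 443-only rule is left alone; the two all-ports rules and the key-pair import are flagged together with the user and source address, which is the "who added that rule" trail the slide asks for.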

Page 31: stackArmor Security MicroSummit - AWS Security with Splunk

AWS Config

Populates the Following Dashboards in the Splunk App for AWS:
• Overview
• Topology
• Security Groups
• Resource Activity
• Timeline
• Config Rules

Page 32: stackArmor Security MicroSummit - AWS Security with Splunk


Customer Use Cases

City of Los Angeles Integrates Real-Time Security Intelligence Sharing Across 40+ City Agencies

Page 33: stackArmor Security MicroSummit - AWS Security with Splunk


City of Los Angeles Integrates Real-Time Security Intelligence Sharing Across 40+ City Agencies

“By deploying the Splunk SIEM solution, we enhance our detection and response capabilities to protect the City’s critical assets from all manner of cyber threats and intrusions. By utilizing a cloud solution, our security team can focus on security events rather than deploying and maintaining infrastructure.”

ENTERPRISE SECURITY ON SPLUNK CLOUD

• Executive Summary

• White Paper

Page 34: stackArmor Security MicroSummit - AWS Security with Splunk

.conf2017: The 8th Annual Splunk Conference

SEPT 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C.

▶ 6000+ IT and Business Professionals
▶ 200+ Sessions
▶ 80+ Customer Speakers

PLUS Splunk University
▶ Three days: Sept 23-25, 2017
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP

conf.splunk.com

Page 35: stackArmor Security MicroSummit - AWS Security with Splunk


Thank You

