
Post on 05-Jun-2020


Using Splunk Enterprise to Achieve IT Operations and Business Agility

Jeff  D  Gill  

Linkedin/in/jeffdgill  

#splunkconf

Agenda

• About Me and CSC
• Splunk Architecture at CSC
• Splunk Use Cases
• Summary

About Me and CSC

• Head of Global SaaS Infrastructure, Chief Information Security Officer, CSC
• Biography
  – Executive / CIO-Advisor, IT Service Excellence, Accenture
  – Global Offering Lead, ITBM, Accenture
  – Research Lead, Innovation Management Services, Accenture
  – Co-founder / President, Executive Business Group
  – Senior Director, Infrastructure Management Services, Comcast
• Corporation Service Company (CSC)
  – Since 1899, a worldwide leader for business legal and financial services
  – Represents hundreds of thousands of business entities worldwide, including many Fortune 100
  – Helping corporations maintain good status, manage annual reports, permits and other corporate filings

Splunk CSC Architecture (2012)

• Splunk Enterprise originally added to monitor application log files and improve service availability
• Data Sources
  – 275 types of application logs
  – Mostly Oracle’s WebLogic
  – Network logs
  – Syslog
  – 40+ GB/day average
• Splunk Deployment
  – One search head
  – Two indexers
  – Deployment server makes Splunk management easier

Splunk CSC Architecture Today (2013)

• 400GB data indexed daily
• Five lines of business
• 90+ system architectures
• 350 possible breach scenarios

Understanding which data is relevant is critical!

[Diagram: data source categories and tools shown on the slide: User Actions; Security / Intrusion; Connectivity; Routing / Switching; NTO Spider; RSA/RAS & Wireless; Platforms / Apps; FireEye; Tipping Point; BlueCoat; Firewalls/VPN; QualSys; Web Logs; Custom App Logs / Events; Cyber Ark; Honeyd; CDR; Business Process Monitoring]

Splunk Use Cases at CSC

• Monitoring – DevOps, Security
• Development process support
• Agile development: Splunk allows new features to be prototyped and provided to the end user while still being in a development team’s backlog
• Decision support: Improving customer experience through technology
• Automation
• Visualization and reporting

Splunk for CSC DevOps

• Windows: Instant insight into Windows performance metrics
• Linux: Proactive monitoring of CSC Linux infrastructure
• NAS/SAN: Aggregating, monitoring and analyzing relevant IT data from CSC storage systems
• App and transaction logs: Monitoring web server performance to avoid outages and increase customer satisfaction
• Network health visibility (routers, switches, firewalls)
• Proprietary applications monitoring

Security

• Correlation of intrusion prevention, FireEye, and Symantec SEP alerts to detect zero-hour threats
• Windows AD, Linux internal authentication
• Customer-facing and SSO authentication
• Identification of potential Cross-Site Request Forgery (CSRF) attacks in customer-facing apps

Decision Support System (DSS)

• Custom applications to aid the customer service representative to better support our customers
• Splunk enables identification of domain registration trends
• With Splunk, CSC can proactively resolve self-service order issues for our customers

DSS Report


DSS Continued


Automation

• Cisco service – alert remote NOC
• FireEye alerts – open ticket via external scripting
• Splunk enables correlation of potential incidents across multiple systems to accelerate identification and diagnosis of problems

Enrichment and Correlation


Referencing External Data

• Blackhole list services
• Spamhaus
• Threat list databases
• Splunk protects our reputation by monitoring DNS, spam, and other threat lists to ensure that CSC is not improperly categorized
• Splunk helps us protect our customers and resources by aggregating data lists and correlating them against logged hosts in various situations
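The threat-list correlation this slide describes, as an added Python example that is not CSC's or Splunk's code: it matches the addresses in constructed syslog lines against a constructed threat list (the CIDR ranges, list names and log lines are all made up here) and builds the reversed-octet name used to query a DNS blocklist zone, the check behind the reputation monitoring above.

```python
import ipaddress
import re

# Constructed threat-list data (documentation ranges, not real indicators),
# standing in for the blackhole / Spamhaus / threat-list feeds on the slide.
THREAT_LISTS = {
    "198.51.100.0/24": "blackhole-feed-example",
    "203.0.113.7/32": "spam-feed-example",
}

# Constructed syslog-style lines from a web server and a firewall.
SAMPLE_LOGS = """\
Jun 05 10:01:02 web01 httpd: 203.0.113.7 - - "GET /login HTTP/1.1" 200
Jun 05 10:01:05 web01 httpd: 192.0.2.44 - - "GET /index.html HTTP/1.1" 200
Jun 05 10:02:11 fw01 kernel: SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=443
Jun 05 10:02:15 fw01 kernel: SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=22
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def build_index(lists):
    """Parse CIDR strings once so each address is matched against networks."""
    return [(ipaddress.ip_network(cidr), name) for cidr, name in lists.items()]

def lists_containing(ip, index):
    """Names of every list whose network contains ip (empty if none)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the regex also matches junk such as 999.1.1.1
        return []
    return [name for net, name in index if addr in net]

def correlate(logs, lists):
    """Flag each log line mentioning a listed address; one record per
    (host, ip, list) hit, the way a Splunk lookup join would enrich events."""
    index = build_index(lists)
    hits = []
    for line in logs.splitlines():
        host = line.split()[3]  # reporting host is the 4th syslog field
        for ip in IPV4_RE.findall(line):
            for name in lists_containing(ip, index):
                hits.append({"host": host, "ip": ip, "list": name, "line": line})
    return hits

def dnsbl_query_name(ip, zone):
    """Name to resolve when asking a DNS blocklist zone about ip: the octets
    are reversed and the zone appended, e.g. 7.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

The same correlation over a real feed would refresh the list on a schedule and key the hits by reporting host, which is what lets the resulting alerts be routed to the owner of that host.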


Telephony CDR

•  Call Detail Records (CDR) allow CSC to make up for shortcomings in Cisco’s call reporting tools

•  Gives end user ad-hoc querying capabilities as well as automated reports

•  Visualization of inbound calls with Google Maps – future


Security Operations Console

• Windows Security Operations Console
• Symantec Endpoint Protection Reporting
• Virus activity reporting – CSC developed

Summary

•  Splunk Software helps us achieve exceptional customer satisfaction

•  With Splunk Software, CSC is able to significantly improve IT operations and business agility

•  Splunk Software accelerates incident response by identifying errant events and correlating information that most monitoring systems can’t

•  Splunk Software speeds recovery in that the operators can link potential problems and get to the root cause of real problems quickly


Thank you!

•  Q&A
