Building a Splunk Business Case for Security
David Caradonna, Manager Best Practices, Value Consulting, Splunk
Copyright © 2014 Splunk Inc.
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Today’s Speaker
David Caradonna, Manager, Value Consulting Best Practices, Splunk
Business Value Consulting Mission: To help customers, prospects and partners document the potential and already realized business value of making machine data accessible, usable and valuable to everyone.
Experience: 25 years IT Experience; 15 years IT Operations; 7 years Value Consulting
Today’s Agenda
• A day in the life of an IT security professional
• Value opportunities with Splunk
• The Splunk IVA tool
• A 5-step process you can use to build your business case
1. Constant Triage of security events
2. Critical Decision on whether an event is worthy of deeper investigation
3. Deep Dive investigation of defined incidents
Security Analyst – Part I
Source: 2013 Cyber Security Intelligence Index
4. Ongoing Support of scheduled audit activities – internal and external
5. Timely Resolution of audit findings
6. Continuous Compliance monitoring and reporting using best practice frameworks
Security Analyst – Part II
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act
Health Insurance Portability and Accountability Act
Payment Card Industry Data Security Standard
Common Challenges
• No rapid & flexible search from massive log files
• No visualization, no correlation, no alert based on log analytics
• No Enterprise SIEM, each team has siloed solutions that collect logs
• Administrators cannot analyze logs efficiently
• Higher risk for APTs leading to concerns with data breach
Assess Risk
Deep Analysis
Monitor Controls
Audit & Comply
Value Opportunities with Splunk
Continuous compliance on ALL components and policies, resulting in faster and simpler audits
Faster implementation of critical security controls (ex: SANS 20) across ALL layers of the organization, ultimately resulting in full enterprise visibility and significant reduction in risks
Faster deep dive investigation on events and attacks that require further proactive and reactive analysis
Faster 1st level triage on ALL security events/attacks with fewer resources, as opposed to reviewing only a subset of events
Key Security & Compliance Metrics
70% to 90% improvement with detection and research of events
70% to 95% faster investigation of security incidents
10% to 30% lower risks with data breaches, fraud and IP theft
70% to 90% reduction in compliance labor
Reduced investigation effort by more than 75%
Reduced the time to report on SAS70 compliance by 83%
Reduced the number of security incidents by 80%
The HOW? Best Practice Guidelines
Refer to the Splunk SANS 20 whitepaper for detailed use cases and examples of how customers use Splunk for security to achieve the anticipated improvement with:
• Faster Detection of Security Events
• Faster Research and Investigation
• Reduced Risks with Data Breach and IP Theft
Why Build a Business Case?
Most investments today require one
Analysts recommend focusing on business impact and value
Most effective way to reason the need for change
Establishes project priority & urgency
Worth → Priority → Budget → Baseline
Things to Remember
A business case ROI is not based on exact science; estimation of key performance indicators is acceptable
However, KPIs should always be believable and defendable
– either based on true empirical data from your system,
– or derived from industry benchmarks or customer use cases
Benchmarks, Case Studies, White Papers should always be embedded into your case
Interactive Value Assessment - IVA
• Built-in industry best practices
• Relies on Splunk Customer Case Studies
• Facilitates decisions based on published benchmarks
the Splunk IVA tool
1. Capture Baseline KPIs
• # of security attacks/events per week
• # operators conducting 1st level triage (SOC)
• # security incidents per week
• # people involved in incident investigations
• average duration of security incidents
• $ impact from fraudulent transactions
• Online survey for data breach risk calculation
• # audit activities per year
• # people hours involved per audit activity
2. Review Benefit Calculations
› Labor Savings with
• Faster triage of events by 1st level staff
• Faster investigation of Minor, Moderate, and Complex Security Incidents
• Automated and/or streamlined audit compliance activities
› Risk Savings with
• Reduction in fraudulent transactions
• Reduction in risk of data breach
• Reduction in risk of IP theft
Automated calculations
3. Right Size your Value
Adjust the levels of anticipated improvement for each Benefit Area
• Faster Detection: 70%
• Faster Investigation: 75%
• Lower Risks: 30%
• Faster Reporting: 80%
Decide whether your case should be
– Conservative
– Probable
– Optimistic
Assess your investment
– Splunk Licenses
– Splunk Training
– Professional Services
– Hardware
– Support Staff
4. Forecast Your Cost
Verify your payback period
– Reasonable payback is typically between 6 and 12 months
5. Build an Executive Summary
• The IVA automatically provides CxO-ready slides that can be copied into a PPT deck
• Leverage our Real-world Business Case Example as a template to create your own report!
Value Consulting Practice
IT Operations Management; Industrial Data / Internet of Things; Digital Intelligence; Business Analytics; Application Delivery; Security and Compliance
LOB Owners/Executives; System Administrator; Operations Teams; Security Analysts; IT Executives; Application Developers; Auditors; Website/Business Analysts; Customer Support
Want to know more?
Stop by the Rapid Adoption Center to learn more about our Value Services and how a business case can help you accelerate your adoption of Splunk!