© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kelvin Yeung, Senior Architect, Splunk
June 17, 2016
Cloud Is a Journey. Make Splunk Your Partner
Published Jan 09, 2017
Splunk Company Overview

Company
• Global HQs: San Francisco, London, Hong Kong
• 2,100+ employees globally
• Annual revenue: $668.4M (YoY +49%)
• NASDAQ: SPLK

Products
• Free trial to massive scale
• Splunk products: Splunk Enterprise, Splunk Cloud, Hunk, Splunk Light, Splunk MINT, Premium Solutions

Customers
• 11,000+ customers
• Across 110+ countries
• Small to large organizations
• More than 80 of the Fortune 100
• Largest license: 1+ petabytes/day
Gartner Technology Priorities for CIOs in 2016

1. BI/Analytics
2. Cloud
3. Mobile
4. Digitization/Digital Marketing
5. Infrastructure & Data Centre
6. ERP
7. Security
8. Industry Specific Applications
9. CRM
10. Networking/Voice/Data Communications
Cloud Migration

Technology stack (diagram): servers, storage, networking; virtualization; infrastructure applications; packaged applications; custom applications
Example workloads shown: Identity, VPN, IP Phone, HR, Finance, App Server, DB, Web Server
Cloud Migration: Considerations

The same technology stack (servers, storage, networking; virtualization; infrastructure, packaged and custom applications; example workloads: Identity, VPN, IP Phone, HR, Finance, App Server, DB, Web Server) is shown against three considerations:
• Security & Compliance
• Application Performance & SLAs
• Operational Visibility
Your application and technology stack span across cloud and on-premise.
Cloud Migration: Challenges

• Application-based silos: Apps, Servers, Network, Storage
• Zones of virtualization: Private Cloud, Hybrid Cloud
Industry Leading Platform for Machine Data over Hybrid Cloud Environment

Platform for Operational Intelligence
• Machine data: any location, type, volume
• Platform support (Apps/API/SDKs)
• Enterprise scalability
• Universal indexing
• Answer any question: custom dashboards, report and analyze, monitor and alert, ad hoc search

Data sources: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID
Environments: on-premises, private cloud, public cloud
Splunk As Your Cloud Partner

Platform for Operational Intelligence
• Rich ecosystem of apps & add-ons
• Data inputs: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop
• Premium solutions: Splunk Enterprise Security, Splunk IT Service Intelligence, Splunk App for AWS, Splunk Premium Solutions
Security & Compliance (section divider; the platform diagram above is repeated with this pillar highlighted)
Splunk for Enterprise Security

Simple solution for a sophisticated enterprise-scale security operations platform
Functions: Monitor, Detect, Investigate, Respond
• Detect: define rules to detect advanced threats
• Enrich information: unlimited context enrichment to qualify incidents fast
• Investigate: tailored to analyze & investigate incidents
• Response: enterprise-wide coordination & response
Splunk's Approach to Security Challenges

Process: Collect, Store, Analyze, Report, Ad hoc Search
Workflow: 1. Review, 2. Determine, 3. Decide, 4. Act & Adapt

Key features
• Security workflow support: Notable Events, Search Management
• Event correlations
• Security enriched context: Asset, Identity, Others
• Threat intelligence: Threat Info Management
• Risk based analytics: Risk Scoring Framework
• Out-of-box security contents: Views / Reports / Rules
Splunk Threat Intelligence Framework

"If you know yourself but not the enemy, for every victory gained you will also suffer a defeat."
The Art of War, Sun Tzu

In order to succeed in the cyber war, it is critical to understand the hacking techniques used by attackers and the information on global threats.
Splunk Threat Intelligence Framework: Finding hidden IOCs using comprehensive threat intelligence mappings

Workflow: Collect, Manage, Categorize, Correlate, Search

Intel sources (Collect)
• Multiple sources
• Multiple transmission types
• Multiple transports
• Multiple data formats

Manage / audit threat sources
• List status
• List management
• List location

Categorize (index, extract, categorize) into indicator types:
1. IP
2. Emails
3. URLs
4. File names / hashes
5. Process names
6. Services
7. Registry entries
8. X.509 certificates
9. Users

Correlate
• Match all IOCs in existing log data
• Generate alert for any matches
• KSI and trends

Search
• Ad hoc search, analyze, investigate, prioritize

Security dashboard (data management, correlation data / notable events, data search)
• Threat intel indicator overview: shows overall posture of threat activities, to understand quickly the changes in the detected threat activities status.
• Threat intel trending overview: shows trend changes of threat activities, including changes in the type of threats.
• Detailed threat type activities: shows detailed active threat types and associated assets, to understand what kind of threats are active in the network.
• Active threat sources: shows how active the different threat sources are, to understand and calibrate threat intel enhancements.

ES Threat Intelligence Framework
Splunk Inc. 2016 © - Page 14
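The correlate step described above (extract candidate indicators from existing log events, match them against every categorized threat list, alert on hits and count hits per source) as an added Python example; this is not code from the deck or from Splunk, and the feed names, indicator values and log lines are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed threat lists, already categorized by indicator type and tagged
# with the feed they came from (hypothetical feed names and values).
THREAT_LISTS = {
    "feed_a": {"ip": {"203.0.113.10"}, "domain": {"bad.example"}, "file_hash": set()},
    "feed_b": {"ip": set(), "domain": set(),
               "file_hash": {"d41d8cd98f00b204e9800998ecf8427e"}},
}

# Constructed proxy, firewall and endpoint events in key=value form.
LOG_LINES = [
    "2016-06-17T10:01:02 proxy user=alice dest=bad.example uri=/a.php status=200",
    "2016-06-17T10:01:05 fw action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2016-06-17T10:02:11 endpoint host=ws01 process=update.exe md5=d41d8cd98f00b204e9800998ecf8427e",
    "2016-06-17T10:03:00 fw action=allow src=10.0.0.6 dst=198.51.100.7 dport=80",
]

# One extractor per indicator type; this is the "extract" step before matching.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\bdest=([a-z0-9.-]+)"),
    "file_hash": re.compile(r"\b[0-9a-f]{32}\b"),
}


def match_iocs(lines, threat_lists):
    """Correlate every event with every categorized list.
    Returns one alert per (event, indicator type, value, feed) hit."""
    alerts = []
    for line in lines:
        for ioc_type, rx in EXTRACTORS.items():
            for value in rx.findall(line):
                for feed, lists in threat_lists.items():
                    if value in lists[ioc_type]:
                        alerts.append({"type": ioc_type, "value": value,
                                       "feed": feed, "event": line})
    return alerts


def active_feeds(alerts):
    """Hit count per feed: the 'active threat sources' view from the slide."""
    return Counter(a["feed"] for a in alerts)


if __name__ == "__main__":
    hits = match_iocs(LOG_LINES, THREAT_LISTS)
    for hit in hits:
        print(f"ALERT {hit['type']}={hit['value']} feed={hit['feed']}")
    print(dict(active_feeds(hits)))
```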
Security Intelligence Use Cases

• Security & compliance reporting
• Real-time monitoring of known threats
• Detecting unknown threats
• Incident investigations & forensics
• Fraud detection
• Insider threat

Comprehensive Security Intelligence Platform
Application Performance & SLAs (section divider; the platform diagram above is repeated with this pillar highlighted)
End to End Service Monitoring is Required for Cloud

• Component-level health without service context (the "big picture")
• The "big picture" without correlation to component-level details
Splunk IT Service Intelligence: Data-driven service monitoring and analytics

Platform for machine data: time-series index, schema-on-read, data model, Common Information Model, dynamic service models
At-a-glance problem analysis; early warning on deviations; simplified incident workflows

Achieve service visibility faster
• Service Analyzer: high-level view of services and composite health scores
• Glass Tables: personalized visualizations of your services
• Deep Dives: organized view of performance indicators across silos
• Multi-KPI Alerts: correlation rules to generate notable events
• Notable Events: easy-to-understand report on results of correlation searches
• Anomaly Detection and Adaptive Thresholds: machine learning to baseline normal operations and identify anomalous behavior
Data Centric Approach

• Hard-coded thresholds create false positives (for example: >85% CPU utilization is always treated as not normal)
• Collect and ingest historical and current data to learn the "normal" of your business
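The contrast drawn above, a fixed ">85% CPU" rule versus a baseline learned per hour of day from historical data, as an added Python example; this is not code from the deck or from Splunk ITSI, and the two-week utilization history, the nightly batch window and the 3-sigma rule are constructed assumptions.

```python
import statistics

# Constructed two-week history of hourly CPU utilization (%) for one service:
# a nightly batch job at 02:00 runs hot every day; the rest of the day sits
# around 20%. Each entry is (hour_of_day, utilization).
HISTORY = []
for day in range(14):
    for hour in range(24):
        if hour == 2:
            value = 90 + (day % 3) * 2   # 90, 92 or 94: normal for 02:00
        else:
            value = 20 + (day % 5)       # 20..24: normal for every other hour
        HISTORY.append((hour, value))


def hard_coded(value, limit=85):
    """The slide's fixed rule: anything above 85% is 'not normal'."""
    return value > limit


def learn_baseline(history):
    """Learn the normal for each hour of day: (mean, population stddev)."""
    by_hour = {}
    for hour, value in history:
        by_hour.setdefault(hour, []).append(value)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_hour.items()}


def adaptive(value, hour, baseline, k=3.0):
    """Flag only values more than k standard deviations from that hour's normal.
    A floor of 1.0 on the stddev avoids alerting on noise in a flat series."""
    mean, sd = baseline[hour]
    return abs(value - mean) > k * max(sd, 1.0)


if __name__ == "__main__":
    baseline = learn_baseline(HISTORY)
    # 90% during the batch window: fixed rule fires, learned baseline does not.
    print("02:00 at 90%:", hard_coded(90), adaptive(90, 2, baseline))
    # 60% at 14:00: fixed rule is silent, learned baseline flags it.
    print("14:00 at 60%:", hard_coded(60), adaptive(60, 14, baseline))
```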
Operational Visibility (section divider; the platform diagram above is repeated with this pillar highlighted)
Splunk App for AWS

AWS data sources: EC2, EMR, Kinesis, R53, VPC, ELB, S3, CloudFront, CloudTrail, CloudWatch, Redshift, SNS, API Gateway, Config, RDS, CF, IAM, Lambda
Explore, Analyze, Dashboard, Alert, Act
Comprehensive AWS Visibility
Splunk App for AWS: The Data

• AWS CloudTrail: service that delivers logs of admin activity on AWS infrastructure
  – Examples: start/stop/create instance; change of user roles/rights; modification of network configuration
  – Delivers log files to customers; no UI, display, analysis, search
• AWS Config
  – Provides resource inventory
  – Provides configuration history & change information
  – Enables security & governance
• Amazon CloudWatch Metrics
  – IP traffic information to/from VPC network interfaces
  – Data stored and accessible from AWS CloudWatch Logs
• Amazon CloudWatch VPC Flow Logs
  – IP traffic information to/from VPC network interfaces
  – Data stored and accessible from AWS CloudWatch Logs
• AWS Access Logs
  – Elastic Load Balancing (ELB)
  – CloudFront CDN
  – S3
• AWS Billing
  – Current month via CloudWatch metrics
  – Monthly detailed billing
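Since CloudTrail only delivers raw log files, the three admin-activity examples the slide names (instance start/stop/create, changes of user roles/rights, network configuration changes) have to be picked out of the records by whatever consumes them. This added Python example is not code from the deck or from the Splunk App for AWS; it uses the standard CloudTrail record fields (eventName, eventSource, userIdentity, sourceIPAddress), while the records themselves and the eventName-to-category mapping are constructed for the illustration.

```python
import json

# Constructed CloudTrail-style delivery: field names follow the CloudTrail
# record format, but every value here is made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-17T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-06-17T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-06-17T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-06-17T09:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# The three activity classes the slide calls out, keyed by CloudTrail eventName.
# The membership lists are an assumption chosen for this example, not exhaustive.
CATEGORIES = {
    "instance_lifecycle": {"RunInstances", "StartInstances", "StopInstances",
                           "TerminateInstances"},
    "role_or_rights_change": {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                              "CreateRole", "AddUserToGroup", "CreateAccessKey"},
    "network_config_change": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                              "CreateSecurityGroup", "CreateRoute", "ModifyVpcAttribute"},
}


def categorize(record):
    """Return the activity class of a record, or None if it is not of interest."""
    for name, event_names in CATEGORIES.items():
        if record.get("eventName") in event_names:
            return name
    return None


def audit_trail(raw_json):
    """Parse one CloudTrail delivery and return the admin actions of interest as
    (category, actor, eventName, sourceIPAddress) tuples in delivery order."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        category = categorize(rec)
        if category:
            actor = rec.get("userIdentity", {}).get("userName", "unknown")
            findings.append((category, actor, rec["eventName"], rec.get("sourceIPAddress")))
    return findings
```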
Splunk App for AWS: The Value

• Increase visibility into AWS resource utilization & user activity
• Ensure adherence to security and compliance standards with a full audit trail
• Understand AWS environmental dependencies through topology views
• Monitor VPC traffic utilization for additional security insights
• Cost optimization through monthly and detailed billing dashboards