SplunkLive! Boston
Jason Pufahl, Chief Information Security Officer
About Jason
•  Chief Information Security Officer at the University of Connecticut
Current Date:
Original Issues
•  Not enough people had access to the data
o  Making sense of the data for non-technical types, and visualizations
o  Today: 130 people with access to Splunk, widely viewed as a resource
•  Decentralized IT structure doesn’t allow for full visibility across departments
•  Incident response times and capacity planning
•  Helping law enforcement
o  Track down missing students
o  Find stolen IT assets
Decreasing Incident Response Times
•  Heavily centralized authentication system + Splunk allows us to correlate locations and incidents
•  Response times have decreased from hours to minutes
•  Example: servicing a law enforcement request dropped from a 3-day turnaround to 20 minutes
Data Sources and Splunk Apps
•  Data: Firewalls, IPS, DHCP, Antivirus, NAC, web servers, Active Directory, Exchange, VMware, SCCM, switches, custom applications, many others
•  Apps: Splunk for Exchange, Splunk for AD, Splunk on Splunk, Google Maps, DNS, DB Connect, Deployment Monitor, many custom apps and commands
•  Volume: 90 to 180 GB/day (rare spikes during data intake of new departments)
Encouraging Departments to Understand their Data
•  Encourages standardization of operating systems
•  SecureU initiative
o  If you run an IT device of some sort, your log data has to be collected
o  Each school/division gets 2 GB each, which increased adoption
•  Allows central IT to see trends across the entire University
•  Reports sent to Deans and Directors at each department
o  Encourages healthy competition for security compliance
•  The “Security Score”
o  Gets university departments to understand the importance and value of security
Encouraging Departments to Understand their Data (example)
Operating System demographics
Encouraging Departments to Understand their Data (example)
Operating Systems by population
Encouraging Departments to Understand their Data (example)
Departmental Antivirus demographics
Demographics by Campus (example)
Campus Antivirus demographics
Helping Law Enforcement
•  Alerts set for stolen IT assets when they get back on the network
o  MACs of lost devices flagged => triggers Splunk alert
•  Missing person alerts? Well, they aren’t missing, they just aren’t calling Mom back – they’ve been on the network
•  Resolving a bomb threat
o  Able to identify the culprit from accessory data collected by Splunk
o  "Fringe" data can be security data too
GeoIP Analysis
Goal:
Flag user logins occurring further from campus than the user’s norm (e.g. a phishing attack immediately followed by a login from China or Russia)
Search foundation:
sourcetype="vpn" "Login succeeded" | table src_ip, netid | geoip src_ip | haversine origin="41.808333,-72.249444" inputFieldLat=src_ip_latitude inputFieldLon=src_ip_longitude units=mi | stats max(mi) by netid, geo_info
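The same detection logic as an added, stand-alone Python example (not from the deck or UConn): it parses constructed VPN log lines, resolves src_ip through a small constructed coordinate table that stands in for the geoip lookup, computes the haversine distance from the campus origin used in the search above, and flags each netid whose maximum distance exceeds that user’s historical norm plus a tolerance. The log format, the GEO_TABLE values and the baseline figures are all assumptions.

```python
import math
import re
from collections import defaultdict

# Campus origin, taken from the slide's haversine origin= argument.
CAMPUS_LAT, CAMPUS_LON = 41.808333, -72.249444
EARTH_RADIUS_MI = 3958.8

def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles (the formula the haversine command applies)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))

# Constructed stand-in for the geoip lookup: src_ip -> (latitude, longitude, geo_info).
# A real deployment resolves these from a GeoIP database; values here are illustrative.
GEO_TABLE = {
    "137.99.0.10": (41.8077, -72.2540, "Storrs, US"),
    "66.189.0.25": (41.7658, -72.6734, "Hartford, US"),
    "72.74.0.40":  (42.3601, -71.0589, "Boston, US"),
    "203.0.113.7": (39.9042, 116.4074, "Beijing, CN"),
}

# Constructed VPN log lines in the shape the slide's search filters on (sourcetype=vpn).
VPN_LOG = """\
2013-06-03T08:01:12 vpn1 Login succeeded user=netid_a src_ip=137.99.0.10
2013-06-03T08:05:44 vpn1 Login succeeded user=netid_b src_ip=66.189.0.25
2013-06-03T12:17:03 vpn1 Login succeeded user=netid_a src_ip=72.74.0.40
2013-06-03T13:40:59 vpn1 Login failed user=netid_a src_ip=203.0.113.7
2013-06-03T13:41:30 vpn1 Login succeeded user=netid_a src_ip=203.0.113.7
2013-06-03T14:02:10 vpn1 Login succeeded user=netid_b src_ip=66.189.0.25
"""

# Only successful logins count, mirroring the "Login succeeded" term in the search.
LINE_RE = re.compile(r"Login succeeded user=(?P<netid>\S+) src_ip=(?P<src_ip>\S+)")

def parse_logins(log_text):
    """Yield (netid, src_ip) for each successful login: the search's filter + table step."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("netid"), m.group("src_ip")

def distance_by_netid(log_text):
    """Max distance from campus (miles) per netid and geo_info: the search's stats step."""
    result = defaultdict(dict)
    for netid, ip in parse_logins(log_text):
        lat, lon, geo = GEO_TABLE.get(ip, (None, None, None))
        if lat is None:
            continue  # unresolvable IP: skip rather than guess a location
        d = haversine_mi(CAMPUS_LAT, CAMPUS_LON, lat, lon)
        result[netid][geo] = max(result[netid].get(geo, 0.0), d)
    return dict(result)

def flag_outliers(log_text, baseline, tolerance_mi=100.0):
    """Flag logins further from campus than the user's norm plus a tolerance.

    baseline maps netid -> max distance (miles) seen in that user's past logins
    (an assumed per-user norm). Unknown users fall back to a zero baseline so
    their first distant login is reviewed rather than silently accepted.
    Returns sorted (netid, geo_info, miles) tuples.
    """
    flagged = []
    for netid, by_geo in distance_by_netid(log_text).items():
        norm = baseline.get(netid, 0.0)
        for geo, d in by_geo.items():
            if d > norm + tolerance_mi:
                flagged.append((netid, geo, round(d, 1)))
    return sorted(flagged)

if __name__ == "__main__":
    # Assumed norms: netid_a has logged in from Boston before, netid_b only locally.
    for hit in flag_outliers(VPN_LOG, {"netid_a": 80.0, "netid_b": 30.0}):
        print("ALERT netid=%s geo=%s distance_mi=%.1f" % hit)
```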
GeoIP Analysis
VPN logins over 24h
Capacity Planning
•  Splunk allows us to see and anticipate which wired and wireless points on campus are being used at which times of day, so we can allocate capacity accordingly
•  Two examples:
o  Single sign-on authentication via CAS: rate of usage over time
o  Wireless networks: utilization high-water marks over time
Capacity Planning (example)
Capacity planning as influenced by rate of growth (Single sign-on)
Capacity Planning (example)
Capacity planning as influenced by rate of growth (Wireless network)
Protecting Against Breaches and Fines for Personally Identifiable Information
•  Used Splunk to identify PII across systems
o  DLP tool finds the PII; Splunk is used for reporting
o  PII removed to avoid breaches and fines
•  Identified PII feeds into the security score
o  Avoided millions in fines
o  Increased program participation
Future Goals and Plans
•  Do more correlation across systems and become more proactive
o  e.g., across auth systems, AV, NAC, IPS, and PII to provide granular and actionable threat prioritization
•  UCONN as a service provider for other educational institutions across the state of Connecticut
Results/ROI
•  Response times have decreased from hours to minutes
•  Standardized operating systems
•  Changed each department’s behavior to encourage upgrading anti-virus software and security measures
•  Huge risk reduction
•  Saved millions in potential fines from PII and breaches
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

SplunkLive! Boston June 2013 - UCONN

1. SplunkLive! Boston
Jason Pufahl, Chief Information Security Officer

2. About Jason
•  Chief Information Security Officer at the University of Connecticut

3. Original Issues
•  Not enough people had access to the data
o  Making sense of the data for non-technical types and visualizations
o  Today: 130 people with access to Splunk, widely viewed as a resource
•  Decentralized IT structure doesn’t allow for a full scope across departments
•  Incident response times and capacity planning
•  Helping law enforcement
o  Track down missing students
o  Find stolen IT assets

4. Decreasing Incident Response Times
•  A heavily centralized authentication system plus Splunk allows us to correlate locations and incidents
•  Response times have decreased from hours to minutes
•  Example: servicing a law enforcement request dropped from a 3-day turnaround to 20 minutes

5. Data Sources and Splunk Apps
•  Data: firewalls, IPS, DHCP, antivirus, NAC, web servers, Active Directory, Exchange, VMware, SCCM, switches, custom applications, many others
•  Apps: Splunk for Exchange, Splunk for AD, Splunk on Splunk, Google Maps, DNS, DB Connect, Deployment Monitor, many custom apps and commands
•  Volume: 90 to 180 GB/day (rare spikes during data intake of new departments)

6. Encouraging Departments to Understand their Data
•  Encourages standardization of operating systems
•  SecureU initiative
o  If you run an IT device of some sort, your log data has to be collected
o  Each school/division gets 2 GB each, which increased adoption
•  Allows central IT to see trends across the entire University
•  Reports sent to Deans and Directors at each department
o  Encourages healthy competition for security compliance
•  The “Security Score”
o  Gets university departments to understand the importance and value of security

7. Encouraging Departments to Understand their Data (example)
Operating System demographics

8. Encouraging Departments to Understand their Data (example)
Operating Systems by population

9. Encouraging Departments to Understand their Data (example)
Departmental Antivirus demographics

10. Demographics by Campus (example)
Campus Antivirus demographics

11. Helping Law Enforcement
•  Alerts set for stolen IT assets when they get back on the network
o  MACs of lost devices are flagged => triggers a Splunk alert
•  Missing person’s alerts? Well, they aren’t missing, they just aren’t calling Mom back – they’ve been on the network
•  Resolving a bomb threat
o  Able to identify the culprit due to accessory data collected by Splunk
o  "Fringe" data can be security data too

12. GeoIP Analysis
Goal: flag user logins occurring further from campus than the user norm (e.g. phishing attack immediately followed by login from China, Russia)
Search foundation:
  sourcetype="vpn" "Login succeeded" | table src_ip, netid | geoip src_ip | haversine origin="41.808333,-72.249444" inputFieldLat=src_ip_latitude inputFieldLon=src_ip_longitude units=mi | stats max(mi) by netid, geo_info
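As an added worked example (not from the slides or from UConn), the detection logic of the GeoIP search above run in Python over constructed VPN log lines. The Splunk geoip lookup is replaced by an inline table, the log format and the 500-mile margin over a user's median distance are assumptions, and the search's closing stats step is replaced by the per-user comparison the slide states as its goal.

```python
import math
import re
from statistics import median

CAMPUS_LAT, CAMPUS_LON = 41.808333, -72.249444  # origin used in the slide's haversine command

# Constructed stand-in for the Splunk geoip lookup: src_ip -> (lat, lon, geo_info).
GEOIP = {
    "137.99.10.5": (41.8084, -72.2495, "Storrs, US"),
    "72.74.120.9": (41.7658, -72.6734, "Hartford, US"),
    "73.218.3.44": (42.3601, -71.0589, "Boston, US"),
    "101.226.33.7": (31.2304, 121.4737, "Shanghai, CN"),
    "95.163.42.18": (55.7558, 37.6173, "Moscow, RU"),
}

# Constructed sample VPN events in a hypothetical format; only "Login succeeded" lines count.
VPN_LOG = """\
2013-06-10T08:02:11 vpn1 Login succeeded netid=jdoe src_ip=137.99.10.5
2013-06-10T12:15:40 vpn1 Login succeeded netid=jdoe src_ip=72.74.120.9
2013-06-10T12:16:02 vpn1 Login failed netid=asmith src_ip=73.218.3.44
2013-06-10T13:01:55 vpn1 Login succeeded netid=asmith src_ip=73.218.3.44
2013-06-10T13:03:21 vpn1 Login succeeded netid=jdoe src_ip=101.226.33.7
2013-06-10T13:04:09 vpn1 Login succeeded netid=bwong src_ip=95.163.42.18
"""
EVENT_RE = re.compile(r"Login succeeded netid=(\S+) src_ip=(\S+)")

def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles, as the slide's haversine command computes it."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(a))  # 3958.8 = Earth radius in miles

def login_distances(log_text):
    """'Login succeeded' | table src_ip, netid | geoip | haversine -> (netid, geo_info, mi)."""
    rows = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m and m.group(2) in GEOIP:  # skip failed logins and addresses with no geo data
            lat, lon, geo_info = GEOIP[m.group(2)]
            rows.append((m.group(1), geo_info, haversine_mi(CAMPUS_LAT, CAMPUS_LON, lat, lon)))
    return rows

def flag_far_logins(rows, margin_mi=500.0):
    """Logins farther from campus than the user's norm (median of their distances) plus a margin.
    A user with a single login has no norm beyond that login, so it is not flagged by this rule."""
    per_user = {}
    for netid, _, mi in rows:
        per_user.setdefault(netid, []).append(mi)
    return [(n, g, round(mi)) for n, g, mi in rows if mi > median(per_user[n]) + margin_mi]
```

In the constructed data only jdoe's Shanghai login is flagged: it is thousands of miles beyond that user's Connecticut norm, while bwong's lone Moscow login has no baseline to compare against and would need a separate absolute-distance rule.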
13. GeoIP Analysis
VPN logins over 24h

14. Capacity Planning
•  Splunk allows us to see and anticipate which wired and wireless points on campus are being used at which times of day, so we can allocate accordingly
•  Two examples:
o  Single sign-on authentication via CAS: rate of usage over time
o  Wireless networks: utilization high-water marks over time

15. Capacity Planning (example)
Capacity planning as influenced by rate of growth (single sign-on)

16. Capacity Planning (example)
Capacity planning as influenced by rate of growth (wireless network)

17. Protecting Against Breaches and Fines for Personally Identifiable Information
•  Used Splunk to identify PII across systems
o  The DLP tool finds the PII and Splunk is used for reporting
o  Removed to avoid breaches and fines
•  Identified PII is used in the security score
o  Avoided millions in fines
o  Increased program participation

18. Future Goals and Plans
•  Do more correlation across systems and become more proactive
o  e.g., across auth systems, AV, NAC, IPS, and PII to provide granular and actionable threat prioritization
•  UCONN as a service provider for other educational facilities across the state of Connecticut

19. Results/ROI
•  Response times have decreased from hours to minutes
•  Standardized operating systems
•  Changed each department’s behavior to encourage upgrading anti-virus software and security measures
•  Huge risk reduction
•  Saved millions in potential fines from PII and breaches