2. About Jason
• Chief Information Security Officer at the University of Connecticut
Current Date:
3. Original Issues
• Not enough people had access to the data
o Making sense of the data for non-technical types and visualizations
o Today: 130 people with access to Splunk, widely viewed as a resource
• Decentralized IT structure doesn’t allow for a full scope across departments
• Incident response times and capacity planning
• Helping law enforcement
o Track down missing students
o Find stolen IT assets
4. Decreasing Incident Response Times
• Heavily centralized the authentication system + Splunk allows us to correlate locations and incidents
• Response times have decreased from hours to minutes
• Example: servicing a law enforcement request dropped from a 3 day turnaround to 20 minutes
5. Data Sources and Splunk Apps
• Data: Firewalls, IPS, DHCP, Antivirus, NAC, web servers, Active Directory, Exchange, VMware, SCCM, switches, custom applications, many others
• Apps: Splunk for Exchange, Splunk for AD, Splunk on Splunk, Google Maps, DNS, DB Connect, Deployment monitor, many custom apps and commands
• Volume: 90 to 180 GB/day (rare spikes during data intake of new departments)
6. Encouraging Departments to Understand their Data
• Encourages standardizing of operating systems
• SecureU initiative
o If you run an IT device of some sort, your log data has to be collected
o Each school/division gets 2 gigs of its own, which increased adoption
• Allows for central IT to see trends across entire University
• Reports sent to Deans, Directors at each department
o Encourages healthy competition for security compliance
• The “Security Score”
o Getting university departments to understand importance of security and value
11. Helping Law Enforcement
• Alerts set for stolen IT assets when they get back on the network
o MACs of lost devices flagged => triggers Splunk alert
• Missing person’s alerts? Well they aren’t missing, they just aren’t calling Mom back – they’ve been on the network
• Resolving a bomb threat
o Able to identify culprit due to accessory data collected by Splunk
o "Fringe" data can be security data too
12. GeoIP Analysis
Goal:
Flag user logins occurring further from campus than the user norm (e.g. phishing attack immediately followed by login from China, Russia)
Search foundation:
sourcetype="vpn" "Login succeeded"
    | table src_ip, netid
    | geoip src_ip
    | haversine origin="41.808333,-72.249444" inputFieldLat=src_ip_latitude inputFieldLon=src_ip_longitude units=mi
    | stats max(mi) by netid, geo_info
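The same distance-from-campus check as an added Python example (not code from the deck or from UConn): it implements the haversine step against the slide's campus origin, derives each netid's norm as the maximum distance seen in earlier logins, and flags a new login that lands far beyond that norm. The sample records, netids and IPs are constructed, with GeoIP coordinates embedded directly because no offline geoip lookup is available here; the 500 mile slack is an assumed threshold.

```python
import math
from collections import defaultdict

# Campus origin from the slide's haversine call (lat, lon); miles as in units=mi.
CAMPUS = (41.808333, -72.249444)
EARTH_RADIUS_MI = 3958.8


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (same formula as the haversine command)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def distance_from_campus(event):
    return haversine_mi(*CAMPUS, event["lat"], event["lon"])


def user_norm(history):
    """Per-netid maximum distance seen before: the 'user norm' (stats max(mi) by netid)."""
    norm = defaultdict(float)
    for e in history:
        norm[e["netid"]] = max(norm[e["netid"]], distance_from_campus(e))
    return dict(norm)


def flag_far_logins(logins, norm, slack_mi=500.0):
    """Return (netid, geo_info, miles) for logins more than slack_mi beyond the user's norm.
    slack_mi is an assumed threshold, not a value from the slide."""
    flagged = []
    for e in logins:
        mi = distance_from_campus(e)
        if mi - norm.get(e["netid"], 0.0) > slack_mi:
            flagged.append((e["netid"], e["geo_info"], round(mi)))
    return flagged


# Constructed sample records: successful VPN logins already resolved by the geoip
# lookup (src_ip_latitude / src_ip_longitude / geo_info). Coordinates are approximate
# city centres; netids and IPs are made up.
HISTORY = [
    {"netid": "abc12345", "src_ip": "198.51.100.7", "lat": 41.7658, "lon": -72.6734, "geo_info": "Hartford, US"},
    {"netid": "abc12345", "src_ip": "198.51.100.9", "lat": 42.3601, "lon": -71.0589, "geo_info": "Boston, US"},
    {"netid": "xyz67890", "src_ip": "203.0.113.5", "lat": 41.7658, "lon": -72.6734, "geo_info": "Hartford, US"},
]
TODAY = [
    {"netid": "abc12345", "src_ip": "192.0.2.44", "lat": 55.7558, "lon": 37.6173, "geo_info": "Moscow, RU"},
    {"netid": "xyz67890", "src_ip": "203.0.113.5", "lat": 41.7658, "lon": -72.6734, "geo_info": "Hartford, US"},
]

if __name__ == "__main__":
    for row in flag_far_logins(TODAY, user_norm(HISTORY)):
        print("ALERT netid=%s geo=%s miles_from_campus=%d" % row)
```

In a real deployment the history window and slack would be tuned per campus, and a login that trips the check is a triage signal to correlate with the authentication and phishing data, not proof of compromise.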
14. Capacity Planning
• Splunk allows us to see and anticipate which wired and wireless points on campus are being used at which times of day to allocate accordingly
• Two examples:
o Single sign on authentication via CAS: rate of usage over time
o Wireless networks: utilization high water marks over time
17. Protecting Against Breaches and Fines for Personally Identifiable Information
• Used Splunk to identify PII across systems
o DLP tool finds the PII and Splunk used for reporting
o Removed to avoid breaches and fines
• Identified PII used in security score
o Avoided millions in fines
o Increased program participation
18. Future Goals and Plans
• Do more correlation across systems and become more proactive
o e.g., across auth systems, AV, NAC, IPS, and PII to provide granular and actionable threat prioritization
• UCONN as a service provider for other educational facilities across the state of Connecticut
19. Results/ROI
• Response times have decreased from hours to minutes
• Standardized operating systems
• Changed each department’s behavior to encourage upgrading anti-virus software and security measures
• Huge risk reduction
• Saved millions in potential fines from PII and breaches