2. Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
3. E. W. Scripps
Leading media enterprise
19 television stations in major markets and 13 newspaper markets
Has operated the National Spelling Bee since 1941
Expanding into social gaming for multiple platforms
6000 employees across 29 locations
4. Jim Bundy, CISSP, CISM
Technology + security roles across military, financial services and media organizations
Implemented security program from start to finish at E.W. Scripps
CISSP, CISM
Writes security articles in spare time
5. Getting Started with Security
Needed data/log aggregation solution across 29 locations
– WMI
– Network logs, syslog
– Servers, firewalls
– TippingPoint IDS/IPS, Symantec Virus
– Unified threat management
– Desktops
Needed to secure across users and locations
6. Investigating SIEM
Evaluated ArcSight, LogRhythm, Symantec/McAfee, others
Found SIEM market to be immature
– Relies on interoperability
– Needed specific versions or specific OS on various devices to make it work
– Too rigid
– Each branch manages own IT, so broad spectrum of devices and solutions in play
– SIEM provided canned reports
Data points, but no “context”: last hour, 50 failed logins. “Yes, but??”
7. Why Splunk?
Role-based access + Consolidated view
Staffers only see specific data, admins have view into entire infrastructure for alerting + troubleshooting.
Flexibility and Speed
Splunk ingests any data format without parsers or adapters on our endpoints. This sped the deployment and our time to value.
Limited Visibility
As with most IT and security environments we had siloed views into our data. We needed to see everything in Operations and Security … now we do!
Dashboards and Reporting
Very limited prior to Splunk. Now we have answers to the most important questions: Who? What? Where? When? And Why?
8. How We Use Splunk: Single Source of Truth
Automated and ad-hoc
– Real-time alerting, monitoring and dashboards
– IDS/IPS visibility + reporting
– Verification and Validation + Change monitoring and management
– Detecting brute force cyberattacks
Time-Based Data Analysis
– Who created/deleted this UNIX account, for whom?
– What human behaviors vs. malware vs. virus?
– What are my known threats?
– What data is being accessed out of typical patterns for this user?
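As an added example (not code from the presentation or from Splunk), the brute-force detection with context that slides 6 and 8 describe, run over constructed sshd log lines in Python: instead of a bare "50 failed logins" count, each finding carries the source, the users and hosts tried, and whether a login succeeded afterwards. The log format, threshold, window and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not from the presentation): one internal typo, then a spray.
SAMPLE_LOG = """\
Jan 14 09:00:04 web01 sshd[2101]: Failed password for jbundy from 10.1.1.5 port 50113 ssh2
Jan 14 09:00:07 web01 sshd[2102]: Accepted password for jbundy from 10.1.1.5 port 50114 ssh2
Jan 14 09:10:00 web01 sshd[2140]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 14 09:10:01 web01 sshd[2141]: Failed password for admin from 203.0.113.9 port 40002 ssh2
Jan 14 09:10:02 web02 sshd[2142]: Failed password for oracle from 203.0.113.9 port 40003 ssh2
Jan 14 09:10:03 web02 sshd[2143]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
Jan 14 09:10:05 web02 sshd[2144]: Failed password for svc_backup from 203.0.113.9 port 40005 ssh2
Jan 14 09:10:09 web02 sshd[2145]: Accepted password for svc_backup from 203.0.113.9 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(log_text, year=2013):
    """Turn raw syslog lines into events carrying the who/what/where/when fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-auth lines are simply skipped here
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m["host"], "user": m["user"],
                           "src": m["src"], "ok": m["outcome"] == "Accepted"})
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source with >= threshold failures inside `window`, plus the context a count lacks."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                findings.append({"src": src, "failures": len(burst), "first": start["ts"], "last": last,
                                 "users": sorted({f["user"] for f in burst}), "hosts": sorted({f["host"] for f in burst}),
                                 "success_after": [e["user"] for e in evs if e["ok"] and e["ts"] >= last]})
                break  # one finding per source; a scheduled search would re-run this per window
    return findings
```

The single internal failure followed by a success never reaches the threshold and stays out of the findings; the external source is reported with the accounts it tried and the account that finally succeeded, which is the detail an analyst needs to decide what to do next.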
9. “Execs love dashboards. I give them enough to know what’s going on without panicking them.”
10. INSERT DASHBOARD 2 HERE
“If I can provide something with a dial I’m like a god!”
11. Flexibility to Use and Create Apps
Using
– *Nix
– Symantec
– Juniper Firewalls
Investigating
– Splunk App for VMware
– Splunk App for Active Directory
Built own CA app
12. Finding ROI
Can use Splunk beyond just security—network team + others
– Significant operational value: server, desktop, etc.
Small team, better to manage fewer apps; will likely decommission other tools:
– Quest change auditor
– TippingPoint
“We believe all tools should have operational as well as security value—Splunk does, and it’s just plain simple to use.”
Thanks Maureen. Good morning. I must tell you folks, you’ve got a gorgeous city here. I landed the other night, during sunset; the clouds were reflecting on the lake. Simply stunning. So we’ll spend some time today educating you about Splunk, and I hope you’ll walk away with some ideas about how you can use Splunk to become more proactive (as Overstock, FamilySearch and Seamless will tell you) and save time in your organizations, so you can get out there and enjoy this beautiful city with your friends and families.
I was always taught to start any presentation out with a joke. Unfortunately our legal team doesn’t have much of a sense of humor, so they’ve asked us to do the complete opposite. Thus I give you our first slide—a legal disclaimer! (Have to show it, but now we can get to the good stuff.)
Understanding the security of the enterprise requires collecting data from our security systems monitoring known threats, and all of our operations data representing user and machine activity, for context and unknown threats. This data is not normalized; it is fully indexed so that it is optimized for exploration using analytics, correlation and visualization.

Questions about the data can be asked by the security professional or the security intelligence analyst in the context of data criticality for risk: What threats are my security systems telling me about? Where are the abnormal patterns in user activities?

The Splunk App for Enterprise Security contains automated searches that create data visualizations of traditional security data, and provides workflows for incident handling of known and unknown threats. Anomalous user activity searches can be created on the fly and saved as automated searches related to the most critical data assets. Examples to follow.

You might notice that the dots are entering a bucket and not a funnel: there is no data reduction here; all raw data is available on demand. New data can be added to existing collected data sources to re-examine a security incident that may have happened years ago.