SplunkLive! Milano 2016 Customer presentation Yoox-Net a porter Security Intelligence platform

1. Gianluca Gaias
Security, Risk & Compliance Director
YOOX NET-A-PORTER Group
Giovanni Curatola
Building an Enterprise-grade Security
Intelligence Platform at YOOX NET-A-PORTER
Group
(Gain the Big Picture)

2. Personal introduction
Gianluca Gaias, YOOX NET-A-PORTER Group
Security, Risk & Compliance Director
YOOX NET-A-PORTER Group is the global Internet retailing partner
for leading fashion and luxury brands
2

3. Key Takeaways
From a technology oriented approach to an info-centric approach.
From log correlation to pattern recognition.
From a passive/display platform to a proactive/executive platform.
From standard dashboards to real-time dynamic dashboards.
From a security event to an context-aware security information.
3

4. Agenda
4
Yoox Group: business and challenges.
Security evolution overview
From Tech Oriented approach to Information Oriented approach
– Deep Investigation
– Proactive Dashboard: IP Blacklist
– Real-time Dynamic Dashboard: Attack Map
Risk Management and Pattern Recognition
– Use Case: Attackers Activity
Reconsidering dashboard design
Next Steps

5. YOOX NET-A-PORTER GROUP
Over 180 countries served
DCs
US, UK, Italy, China, Hong Kong, Japan
Customer care covering all time zones
Local Offices:
New York, London, Milan, Bologna, Paris,
Hong Kong, Shanghai, Tokyo
Same-Day Delivery in London, Manhattan, Connecticut
and Hong Kong
Digital production facilities
US, UK, Italy, China, Hong Kong, Japan
Butler service and authenticity RFid seal
1 order processed every 4 seconds 1.7 billion revenues
27.1 million active customers
PRO-FORMA 2015 FY
7.1 million orders
27.1 million active customers

6. Rest of Europe
48.8%
 Global premier online luxury
fashion destination for content
and commerce for the season’s
must-have womenswear
collections
 Unparalleled editorial content,
including its weekly online
magazine THE EDIT and bi-
monthly print magazine PORTER
 Global destination for men’s style
with unparalleled offering from
the season of the leading
menswear, watchmakers and
specialist grooming brands
 Rich editorial content through the
weekly online magazine The
Journal and bi-monthly
newspaper The MR PORTER Post
MULTI-BRAND IN-SEASON MULTI-BRAND OFF-SEASON
Rest of Europe
48.8% The world’s leading online
lifestyle store for fashion, design
and art
 Broad offering of off-season
premium apparel and accessories,
exclusive collections, home &
design and artworks
 The online destination for women
dedicated entirely to in-season
high-end shoes
 Exclusive shoe-related services
and editorial component
Rest of Europe
48.8%
 Go-to destination for previous-
season designer fashion for the
global style-conscious woman
looking for the best designer
products at great prices
 In-house label of styling
essentials “Iris and Ink”
 The luxury online boutique
devoted to creating distinctive
style through an eclectic and
selective in-season assortment of
high fashion and directional
designers for men and women
 Dedicated mini-stores
ONLINE FLAGSHIP STORES
 Official Online Flagship Stores of leading fashion and
luxury brands for which YNAP is the exclusive partner
 Long-term partnerships
and many more …
JVCo with Kering
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
.com
 Proprietary business where YNAP operates as an
e-tailer for the season’s luxury fashion collections under
its four own brand names
 Proprietary business where YNAP operates as an
e-tailer mainly for the previous-season designer fashion
under its two own brand names
“Powered by YOOX NET-A-PORTER GROUP”

7. YOOX NET-A-PORTER Group: Challenges
7
Keep the trust
– Data Confidentiality
– Data Integrity and Completeness
– Data Processing Transparency
High Availability in hostile enviroment
Gain the big picture:
– Challenge and Enabler
 Shareholders
 Customers
 Stakeholders

8. Security Evolution Overview
8
0
1
2
3
4
5
6
7
8
9
Data Leakage Prevention
Information Security
Compliance
IPS & Anomaly Detection
Administrative Access
Control
PCI-DSS Compliance
Sites Vulnerability Checks
Code Review
Logical Access
Governance
Security Intelligence
Platform
Online Brand Protection
Privacy Compliance
Information Process
Analysis
2011 2013 2015

9. Security Evolution – Tech vs Info
Technology Oriented:
– Info confined to technology
– Partial identity definition
– No covered gaps
Information Oriented - Splunk:
– Enrichement of tech logs
– Event correlation
– Clear identity definition
9

10. From Tech to Info
“From a technology oriented approach to an info-centric approach.”
1

11. Investigation
1

12. Investigation: show details
1

13. Advanced Dashboard: IP Blacklist
• Proactive Dashboard
• One-click blacklist on
Akamai WAF through
Akamai API calls
• Splunk is able to run
a command on input
source
Drilldown
«From a passive/display platform to a
proactive/executive platform»

14. WAF activity rapresentation: standard dashboard
• Statistical evidences by:
– Source IP
– Attack type
– WAF Action
• Event distribution over the time
• Spike visibility depends from the scale
• Is not evident:
– Attack frequency
– Relation between Source IP, Attack type and
WAF action
Pros Cons

15. “From standard dashboards to real-time dynamic dashboards”
Real-time Dynamic Dashboard: Attack Map

16. Security Evolution – Risk Mgmt & Pattern Rec.
Risk Management:
– Correlation of Tech Elements and Business Elements
– Support to quantitative risk analysis
– Assigning Risk value to alerts
Pattern Recognition:
– Different levels of correlation
– Pattern as result of several high-level events from different systems by identity
– Knowledge from historical incidents and analysts experience
– Goal: detect user behavior and recurrent attack patterns

17. Pattern Recognition
Single security events may be part of a more complex action.
Correlation
Brute Force
Exce. Out Data
High Conn.
Correlation
Level 1
Correlation
Level 2
Correlation
Level n
Data Exfiltration
«From log correlation to pattern recognition»
Sequence
Introduced by high level analyst
Pattern Consolidation
Analyst

18. Risk Management
“From a security event to
an context-aware security
information”
Risk
Static
Assign.
(Lookup)
N level
correlation
Content
Eval
Usually single security event has a static risk
We need risk value based on content and other events correlated.

19. Use Case: Attackers Activity
Detect sequence of relevant event by identity
Activity Score: vertical axes, max of the same alert type
Activity Frequency: ball diameter
Pattern Recognition
Risk Value

20. Reconsidering dashboard design
Native Log Collection
Splunk Log Collection
Standard Dashboards
Advanced
Dashboards
Pattern
Recognition
Splunk
Engineers
NOC
SOC
Security Analyst
Head of Security
Knowledge
Data Meaning
The Big Picture

21. Key Takeaways
From a technology oriented approach to an info-centric approach.
From log correlation to pattern recognition.
From a passive/display platform to a proactive/executive platform.
From standard dashboards to real-time dynamic dashboards.
From a security event to an context-aware security information.

22. Questions?

23. Grazie