AWS utilises a shared security model where both AWS and the customer share responsibility for the security of data, applications and resources. As part of this model, it is critical that customers leverage services such as AWS CloudTrail, Config, and more. Attend this session to learn best practices on how to leverage these and other AWS services to gain end-to-end visibility and robust security on AWS. You will also hear how customers leverage third-party tools such as the Splunk App for AWS as critical elements of their security posture. Speakers: Dan Miller, Cloud Sales Director, APAC, Splunk & Simon O'Brien, Senior Systems Engineer, Splunk

1. Copyright
©
2015
Splunk
Inc.
You
Can’t
Protect
What
you
Can’t
See.
AWS
Security
Best
Practices
Dan
Miller,
Director
of
SplunkCloud,
APJ

2. 2
Make
machine
data
accessible,
usable
and
valuable
to
everyone.
2

3. Big
Data
Comes
from
Machines
Volume | Velocity | Variety | Variability
GPS,
RFID,
Hypervisor,
Web
Servers,
Email,
Messaging,
Clickstreams,
Mobile,
Telephony,
IVR,
Databases,
Sensors,
Telematics,
Storage,
Servers,
Security
Devices,
Desktops
3

4. Building
a
Big
Data
Platform
HA
/
DR Admin Data
Security Apps SDKs/APIScale
Collect
Data
Index
Data
Enrich
Data
Search &
Explore
Analyze
&
Predict
Report
&
Visualize
Alert
&
Action
4

5. Fully
Integrated
Enterprise
Platform
HA
/
DR Admin Data
Security Apps SDKs/APIScale
Collect
Data
Index
Data
Enrich
Data
Search &
Explore
Analyze
&
Predict
Report
&
Visualize
Alert
&
Action
5

6. Structured
RDBMS
SQL Search
Schema
at
Write Schema
at
Read
Traditional Splunk
Splunk
Approach
to
Machine
Data
Copyright © 2014 Splunk Inc.
6
ETL Universal
Indexing
Volume Velocity Variety
Unstructured

7. 7
Why
Splunk?
FAST TIME-­‐TO-­‐VALUE
ONE
PLATFORM,
MULTIPLE
USE
CASES
VISIBILITY
ACROSS
STACK,
NOT
JUST
SILOS
ASK
ANY
QUESTION
OF
DATA
ANY
DATA,
ANY
SOURCE
OR
DEPLOYMENT
MODEL

8. 8
Turning
Machine
Data
Into
Business
Value
Index
Untapped
Data:
Any
Source,
Type,
Volume
Online
Services Web
Services
Servers
Security GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
ApplicationsMessaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call
Detail
Records
Smartphones
and
Devices
RFID
On-­‐
Premises
Private
Cloud
Public
Cloud
Ask
Any
Question
Application
Delivery
Security,
Compliance
and
Fraud
IT
Operations
Business
Analytics
Industrial
Data
and
the
Internet
of
Things

9. IT
Operations
Application
Delivery
Developer
Platform
(REST
API,
SDKs)
Business
Analytics
Industrial
Data
and
Internet
of
Things
9
Delivers
Value
Across
IT
and
the
Business
Business
Analytics
Industrial
Data
and
Internet
of
Things
Security,
Compliance
and
Fraud

10. 10
Platform
for
Application
Delivery
and
IT
Operations
ROOT
CAUSE
AND ISSUE
RESOLUTION
PROACTIVE
MONITORING
AND
REAL-­‐TIME
ALERTING
DELIVER
BETTER
QUALITY
CODE
FASTER
CLOUD
APP
AND
INFRASTRUCTURE
MONITORING
MOBILE
APP
TROUBLESHOOTING
USER
&
USAGE
ANALYTICS

11. Better
Code,
Faster
Development
and
Migration
to
Cloud
• Reduced
error
rates
by
2
orders
of
magnitude
in
a
couple
of
weeks
• Rapidly
found
and
fixed
one
line
of
code
responsible
for
30,000+
errors
• Real-­‐time
dashboards
on
error
rates
and
production
impact
• In-­‐depth
visibility
as
they
strategically
migrate
apps
to
AWS
Cloud

12. 12
Apps
for
Application
Delivery
and
IT
Ops
Splunk
Apps
for
VMware
and
Exchange
300+
IT
Ops
and
App
Delivery
Apps
*nix
Operational
Intelligence
for
Mobile
Apps

13. 13
Application
Delivery
&
IT
Ops
Landscape
API
SDKs UI
Server,
Storage,
Network
Server
Virtualization
Operating
Systems
Custom
Applications
Business
Applications
Cloud
Services
App
Performance
MonitoringTicketing/Other
Web
Intelligence
Mobile
Applications
Stream

14. 14
Splunk
App
for
AWS
EC2
EMR
Kinesis
R53
VPC
ELB
S3
CloudFront
CloudTrail
CloudWatch
Redshift
SNS
API Gateway
Config
RDS
CF
IAM
Lambda
Explore Analyze Dashboard Alert Act
AWS
Data
Sources
End
State:
Comprehensive
AWS
Visibility

15. Splunk
IT
Service
Intelligence
at
1
Replaced
home-­‐
grown
tools
Real-­‐time
service
insights to
LOBs
Reduced
time
to
resolution

16. Splunk
IT
Service
Intelligence
at
1
“Splunk IT
Service
Intelligence
was
delivering
insights
days
after
installing,
instead
of
the
months
it
can
take
legacy
monitoring
solutions.
Splunk ITSI
helps
us
ensure
that the
claims
service
stays
up
and
running at
all
times.”
-­‐ Tyler
Germer,
director
of
information
technology,
AdvancedMD.

17. 17
Single
Platform
for
Security
Intelligence
SECURITY
&
COMPLIANCE
REPORTING
REAL-­‐TIME
MONITORING
OF
KNOWN
THREATS
DETECT
UNKNOWN
THREATS
INCIDENT
INVESTIGATIONS
&
FORENSICS
FRAUD
DETECTION
INSIDER
THREAT
Splunk
Complements,
Replaces
and
Goes
Beyond
Existing
SIEMs

18. How
FINRA
Uses
Splunk
Cloud
for
Security
• Transforms
third-­‐party
threat
intelligence
information
into
security
alerts
• Leverages
the
Splunk
App
for
AWS
• Efficient
provisioning
dramatically
reduces
costs
“Splunk
Cloud
gives
you
applications
which
let
you
get
huge
amounts
of
value
from
your
data.”
— Sr.
Director
of
Information
Security

19. API
SDKs UI
Network
Traffic
Analysis
Identity
&
Access
Control
Perimeter
Defense
EmailPayload
Analysis
Endpoint
Behavior
Analysis
Endpoint
Change
Tracking
DLP
Security
Analytics
Threat
Intelligence
Cloud
Security
Security
&
Compliance
Landscape
19

20. 20
Extending
Splunk
for
Business
Analytics
Splunk
Software
Complements
Existing
BI
Solutions
CUSTOMER
EXPERIENCE
PRODUCT
ANALYTICS
BUSINESS
PROCESS
ANALYTICS
DIGITAL
MARKETING

21. Why
Domino’s
uses
Splunk
for
Application
Management
and
Business
Analytics
• Understand
device
and
app
usage
trends
for
orders
• Real-­‐time
reNex insights
from
store
data
• Visibility
into
online
and
mobile
coupon
redemption
• Refine
Campaigns
for
higher
conversion

22. 22
Apps
&
Capabilities
for
Business
Analytics
Apps,
Features
&
Partners
• DB
Connect
• Stream
• ODBC
Driver
• Data
Models
• Pivot

23. IT
Operations
Security,
Compliance
and
Fraud
Application
Delivery
Developer
Platform
(REST
API,
SDKs)
Business
Analytics
Industrial
Data
and
Internet
of
Things
23
Delivers
Value
Across
IT
and
the
Business

24. 24
Splunk
for
Industrial
Data
&
the
Internet
of
Things
REMOTE
TROUBLESHOOTING
&
PREVENTIVE
MAINTENANCE
SECURITY
&
COMPLIANCE
DEVICE
USAGE
&
CUSTOMER
ANALYTICS
OPERATIONAL
EFFICIENCY

25. Saving
Customers
$Billions
on
Fuel,
Operations
• Improved
customer
operations
by
mining
large
volumes
of
unstructured
data
• Moved
from
monthly
batch
analysis
to
flexible
real-­‐time
reporting
• Delivered
value-­‐added
services
• Minimized
in-­‐train
forces
• Optimized
operational
efficiency
“Thanks
to
Splunk,
our
systems
allow
our
customers
to
provide
engineers
with
real-­‐time
feedback
and
use
operational
insight
to
achieve
optimal
runs
every
time.”
— Director
of
Engineering,
Train
Dynamic
Systems
(a
division
of
NYAB)

26. Apps
&
Capabilities
for
Industrial
Data
&
Internet
of
Things
• DBConnect
• REST
API
and
SNMP
Modular
Inputs
• Universal
Forwarder
for
Raspberry
Pi
Apps,
Features
&
Partners
REST
26

27. 27
All
the
features
of
Splunk
Enterprise
All
the
benefits
of
SaaS

28. Hybrid
28
Search Head(s)
Indexer(s)
On Premises Private Cloud Public Cloud
Search Head(s)
Indexer(s)
On Premises Private Cloud Public Cloud
Hybrid
Search
Single
Pane
of
Glass
Visibility

29. Platform
for
Operational
Intelligence
The
Splunk
Portfolio
Rich
Ecosystem
of
Apps
&
Add-­‐Ons
Splunk
Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP
IoT
Devices
Network
Wire
Data
Hadoop

30. Dev.splunk.com40,000+
questions
and
answers
1,000+
apps Local
User
Groups
and
SplunkLive!
events
30
Thriving
Community

31. COLLECT
DATA
FROM
ANYWHERE
SEARCH
AND
ANALYZE
EVERYTHING
GAIN
REAL-­‐TIME
OPERATIONAL
INTELLIGENCE
The
Power
of
Splunk
31

32. FREE
CLOUD
TRIAL
FREE
DOWNLOAD
FREE
AMAZON
MACHINE
IMAGES
(AMI)
32
Easy
to
Try
&
Get
Started
1 32

33. Thank
you

34. ANDREW WURSTER
Monitor (allthethings)
with Splunk

35. Monitor
How we use Splunk
Why we chose Splunk
All about Atlassian
with

36. All About
Atlassian
Journey to the Cloud
Meet the Security
Team
All About Atlassian

37. Our software helps unleash the potential in every

38. Growing Quickly
Atlassian’sSecurity Team
All Things Security

39. Atlassian Embraces the Cloud

40. Why We
Chose
Splunk Industry Standard
What’s the MVP / MVE for our team?
At what cost?
Partner vs Buy
Buy from someone you know; not just a
single transaction.
Build vs Buy
Onboarding and Interoperability are
key.

41. COGS Time to Ship Support

42. Partner vs Buy
Who You Know Integrations Common Users

43. Industry Standard
Hiring Interoperability Ease of X

44. How we
Use
Splunk
Integrations
Investigations
Playbook

45. In the beginning…
Version 1.0 Version 2.0

46. What we have today.
Security Team VPC
Splunk Clusterw
CloudFormations
Data Archives to S3
Data Feeds
via Kinesis
Search Tier w ELB

47. Future ProofingSovereigntyScale
What we have today.

48. Security Intel
Playbook

49. Investigations

50. Integrations

51. Thank you!

52. Copyright
©
2015
Splunk
Inc.
Splunk App
for
AWS

53. Splunk
Offerings
in
AWS
• Splunk
App
for
AWS:
Integrates
w/CloudTrail,
Config
and
Billing,
VPC
Flow
Logs
Integrations• Self-­‐managed
cloud
deployments
• Self-­‐deploy
in
AWS
• Integrated
with
EMR
• Search
data
in
S3
• Hourly
pricing
Self-­‐managed
• Cloud
service
designed
for
small
IT
environments
• $90
a
month
• Splunk
Enterprise
as
a
service
• Full
app,
SDK,
API,
platform
support
Cloud-­‐service

54. AWS
Architecture
Diagram
Amazon
Instances
Amazon
Logging
Layer
Amazon
Messaging
Amazon
Storage
/
Queues
Splunk
Collects
the
data
from
the
AWS
SQS
and
the
S3
bucket
using
the
AWS
SDK
for
python
(Boto3).
S3 Bucket
AWS ConfigAWS CloudTrail
AWS CloudWatch
AWS SQS
AWS SNSSNS Topic
AWS Instance
with CloudWatch
VPC Flow
Logs

55. Requirements
For
Splunk
App
For
AWS
• Splunk
• Splunk
6.1
or
later
• Splunk
Add-­‐on
for
Amazon
Web
Services
• Splunk
Add-­‐on
for
Amazon
Web
Services
+1.1.0
required
for
AWS
Config
• AWS
• AWS
CloudTrail:
Enable
CloudTrail
with
SQS
and
SNS.
• AWS
Config:
Enable
Config
with
SQS
and
SNS.
• Billing:
Refer
to
the
AWS
documentation
to
turn
on
AWS
detailed
billing.
• VPC
Flow
Logs:
Enable
VPC
Flow
log
collection.

56. Install
the
Splunk
Add-­‐on
for
AWS
1.
Configure
your
AWS
accounts
and
services,
or
confirm
your
existing
configurations.
2.
Configure
your
AWS
account
permissions
to
match
those
required
by
the
add-­‐on.
3.
Install
the
add-­‐on.
4.
Set
up
the
add-­‐on
on
your
forwarders
or
single
instance.
5.
Configure
your
inputs
to
get
your
AWS
data
into
Splunk Enterprise.
6.
This
is
all
very
well
documented
at
docs.splunk.com

57. Permissions
S3
Storage
CloudTrail
API
Tracking
SNS
Notification
SQS
Message
Queue
splunkuser
Sample
permissions
for
cloudtrail

58. Splunk
Architecture
• Distributed
Splunk
Deployment
Single
Splunk
Deployment
Splunk'server
Indexer
Heavy+Weight+
Forwarder
Splunk+search
IndexerIndexer
Splunk
Add-­‐
on
for
AWS
installed
on
Heavy
Weight
Forwarder
Splunk
App
for
AWS
installed
on
all-­‐in-­‐one
Splunk
server

59. Setup
Interface
Add
Your
Account
Add
your
AWS
Inputs

60. Wait
5
– 10
Minutes
• Yes,
you’ll
need
to
wait
before
all
the
dashboards
and
reports
populate.

61. Gain
Visibility
Into
AWS
Logs

63. THANKYOU