AWS Loft London: Finding the signal in the noise - Effective SecOps with Sophos & Splunk Cloud
•Télécharger en tant que PPTX, PDF•
2 j'aime•750 vues
Presentation from AWS Loft London about how Sophos is using Splunk Cloud for effective SecOps.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à AWS Loft London: Finding the signal in the noise - Effective SecOps with Sophos & Splunk Cloud
Similaire à AWS Loft London: Finding the signal in the noise - Effective SecOps with Sophos & Splunk Cloud (20)
Plus de Splunk
Plus de Splunk (20)
Dernier
Dernier (20)
AWS Loft London: Finding the signal in the noise - Effective SecOps with Sophos & Splunk Cloud
- 1. Copyright © 2015 Splunk Inc. Finding the signal in the noise: Effective SecOps with Sophos & Splunk Cloud Ross McKerchar, Sophos
- 2. Introduction and Splunk Overview Andrew Morris, Splunk
- 3. Agenda 6:30 Introduction and Splunk Overview 6:50 Finding the signal in the noise: Effective SecOps with Sophos & Splunk Cloud 7:20 Demo: Splunk Enterprise Security and App for AWS 7:50 Q&A 3
- 4. Andrew Morris Director of Cloud, EMEA #Splunk SECURITY INTELLIGENCE IN THE CLOUD
- 5. CLOUD AND HYBRID IT SOFTWARE-DEFINED DATACENTERS CONTINUOUS APP DELIVERY ANALYTICS-DRIVEN SECURITY INTERNET OF THINGS
- 6. Make machine data accessible, usable and valuable to everyone.
- 7. Why Splunk? FAST TIME-TO-VALUE CLOUD, ON-PREMISE & HYBRID DEPLOYMENT VISIBILITY ACROSS STACK, NOT JUST SILOS ONE PLATFORM, MULTIPLE USE CASES ANY DATA, ANY SOURCE, ASK ANY QUESTION
- 8. Disruptive Approach to Unstructured Data Structured RDBMS SQL Search Schema at Write Schema at Read Traditional Splunk ETL Universal Indexing 8 Volume Velocity Variety Unstructured
- 9. Turning Machine Data Into Business Value Index Untapped Data: Any Source, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Ask Any Question Application Delivery Security, Compliance and Fraud IT Operations Business Analytics Industrial Data and the Internet of Things
- 10. Proven Customer Value Across Use Cases & Industries Increased revenues from higher uptime Savings from fraud prevention Revenues from faster product launch Optimizing fuel use with sensor data Reduction in SLA payouts Value from preventing APTs $11.0 M $25.0 M $10.0 M $200+ M $1.8 M $1.0 + B $11.0 M $25.0 M $10.0 M $200+ M $1.8 M $1.0+ B Oil & Gas Services Telecom Provider TransportationFinancial Services High Tech Manufacturing Online Services 10
- 11. Platform for Machine Data Application Delivery Security, Compliance and Fraud Business Analytics Internet of Things and Industrial Data IT Operations
- 12. Platform for Operational Intelligence The Splunk Portfolio 1000+ Apps and Add-Ons Splunk Premium Solutions Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop
- 13. Fully Integrated Enterprise Platform HA / DR Admin Data Security Apps SDKs/APIScale Collect Data Index Data Enrich Data Search & Explore Analyze & Predict Report & Visualize Alert & Action 13
- 14. Cloud Is a Journey and Splunk Is Your Partner Instant Secure Reliable 100% Uptime SLA Hybrid
- 15. 15 How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud On-time efficiency & dramatic queue reduction with 925 flights per day Real-time, predictive airfield analytics deliver on mobile app & Apple watch Data from airport gates, board pass scans, x-ray, travel, passenger flow
- 18. Modern Threat Landscape Realities CompromisesVulnerabilities You Can Disrupt Breaches
- 19. Splunk Security Intelligence Security and Compliance Reporting Monitor and Detect Known/ Unknown Threats Fraud Detection Insider Threat Incident Investigations and Forensics Security Analytics
- 20. 20 Single Platform for Security Intelligence SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS DETECT UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT Splunk Complements, Replaces and Goes Beyond Existing SIEMs
- 21. 21 Rapid Ascent in the Gartner SIEM Magic Quadrant* *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 2015 Leader and the only vendor to improve its visionary position 2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player 2015
- 22. How Telenor protects theirnetwork using Splunk Enterprise Security 1TB of Daily Data with “Splunk Everything” Strategy for Network, Security and IT Data Detect and Prevent Security Issues Enabling “Central Emergency Response Team” Baseline “Normal” Monitoring of Security and Operations – Real-time Analysis of Deviation
- 23. Security Operations IT Operations Business Operations With Splunk, Your Enterprise Data Platform SAME DATAOf the Asking Different QUESTIONS Different PEOPLE 23
- 24. Dev.splunk.com65,000+ questions and answers Over 1000 Apps Local User Groups and SplunkLive! events Thriving Community
- 25. Free Cloud Trial Free Software Download Free Enterprise Security Sandbox Easy to Try and Get Started 1 32
- 26. Copyright © 2015 Splunk Inc. Join us to hear more: Wednesday 11th May 2016 Westminster Park Plaza, London Register at: http://live.splunk.com/london
- 27. Finding the signal in the noise: Effective SecOps with Sophos & Splunk Cloud Ross McKerchar, Sophos
- 28. About Sophos • Founded 1985 in Abingdon, UK • 2,200 employees • Over 200,000 customers • 100+ million users
- 29. Our challenge Keeping up with this…
- 30. Our strategy Make change easy ‘Brutal’ prioritisation Focus on the achievable
- 31. Operational Intelligence Maturity IT Operations Security Customer experience Log gathering
- 32. Security Operations Maturity Automation Protection Governance 1. Log gathering 2. Threat detection 3. Governance 4. Security automation Reactive Proactive Optimising
- 33. Our Splunk Deployment 33 Sophos PureMessage Windows Logs Amazon Web Services Logs Sophos Mobile Control Sophos Endpoint Security Sophos UTM Sophos Firewall Sophos Cloud Sophos Wireless Sophos Safeguard
- 34. Demo
- 35. Q&A
- 36. Thank You
Notes de l'éditeur
- Industry: Telco Use case: Security, IT Ops More can be found at: http://www.splunk.com/view/splunk-at-telenor/SP-CAAAE98 The Business Founded in 1855, Telenor, Norway's largest telecom services provider, has over 150 years of telecoms experience. The company believes "growth comes from truly understanding the needs of people to drive relevant change." Considering that Telenor's mobile subscribers globally grew from 15 to 160 million in less than a decade, its belief that deeper insight leads to success is holding true. Telenor's service portfolio in Norway includes fixed and mobile telephony, broadband and data communication. Customers rely on Telenor to provide always-on voice, data and content services. Challenges With millions of customers, thousands of servers and routers, and datacenters located throughout Norway, Telenor needed to understand the essential operating details of its infrastructure. Communication between far-flung departments was challenging and there were frequent miscommunications. While some log event data was being collected, the logs were difficult to analyze. In addition, granting access to certain logs on a server often meant giving access to all the logs collected on that server, which posed definite security and privacy risks. The few people with authorized access faced the impossible task of manually browsing through hundreds of millions of log records a day. Unsurprisingly, kernel errors and other issues sporadically slipped by unnoticed. Enter Splunk Splunk has provided Telenor Norway the visibility and operational insight to keep its IT systems and networks running at peak performance. Telenor is using Splunk Enterprise for troubleshooting, monitoring and security investigations. The network operations team runs dashboards visualizing network health and monitors for error events and unfamiliar patterns. The security team uses Splunk for correlation and analysis of security alarms. With Splunk they can look for, and be proactively alerted on, abnormal remote access patterns and investigate attacks on Internet-exposed services. Finally, Splunk also underpins the Telenor Computer Emergency Response Team (CERT), which is a cross-departmental incident response team. This virtual team uses Splunk for incident investigation, pinpointing the origin of large issues and performing rapid manual analysis of failing components to limit business impact. Telenor indexes 400GBs of data per day with Splunk, including data from thousands of servers, routers and data sources ranging from the datacenter, the IP infrastructure and the mobile network, to applications and services like web, email and IPTV. This constitutes about half of Telenor's entire IT estate, and there is now a 'Splunk first' policy in place, so any new data has to be put into Splunk. Telenor forwards data to a pool of Splunk indexers. Role-based access control ensures users get the access to the data they need without compromising security or violating customer privacy regulations. Breakthroughs Incident investigation and troubleshooting When something goes wrong, it is now quick and easy for Telenor to get to the root cause of the issue and resolve it. For example, the team noticed that Telenor WebMail accounts were being abused to send hundreds of thousands of SMS messages abroad. They used Splunk to analyze the incident and were immediately able to identify which accounts were being abused and how many SMS were being sent, as well as when and where the logins were coming from. Armed with this insight, it was a simple job to shut down the offending accounts and stop the abuse, preventing further revenue loss. Stronger security Using Splunk, the security teams can now determine the baseline for "normal" and track any deviations from that standard. This gives Telenor the ability to quickly and efficiently detect brute force login attacks and other security issues. With this established, they can now use easy-to-compose dashboards to monitor systems and services for anomalous activity. Other examples include correlating timing and IP addresses to determine if attacks from multiple countries are coordinated, and the ability to identify vulnerable Internet exposed services. Increased availability Not only can the CERT, security and operations teams troubleshoot problems faster than ever, the insights gained through Splunk software lets Telenor identify a problem long before it turns into a crisis. These valuable searches are now saved and run on a schedule, providing proactive alerts in front of recurring issues. Telenor can now spot an error as soon as it occurs and start working on correcting it immediately, which can prevent or reduce downtime. Business-critical insights Over time, the knowledge built into Splunk has enabled Telenor to learn more about the organization's IT and network infrastructure and its potential for the business. Telenor is now responding to incidents more proactively and providing better service as a result. The network operations team uses baseline measurements so they can understand what constitutes normal. They have created Splunk alerts to monitor for error spikes and unfamiliar patterns. This advanced visibility lets them troubleshoot problems before users notice them or services fail. In summary, since deploying Splunk, Telenor Norway has dramatically improved visibility into its complex IT infrastructure and networks. Not only can the internal teams now investigate and resolve issues much more quickly, they are also able to use operational intelligence to create baseline views to catch errors or anomalies early on, often addressing these issues before they impact the customer experience.
- By giving different people the ability to ask different questions of the Same data, when they need to, we’re helping customers across all of our core use cases move from reactive to proactive.