Slide 3: About Equinix
As the world's largest data center company, we provide global leaders the power of interconnection: the ability to connect to many customers and partners in many regions—accelerating business performance and creating new opportunities.
Slide 4: About Coach Lillie
My role at Equinix
My team’s mission
My favorite Splunk tee-shirt tag line
One fun fact about me
Slide 6: Equinix Vision for SIEM
SIEM is key to any security platform today.
We were very early in adopting a “SIEM in the Cloud” vision and strategy.
With a traditional on-premises SIEM, we didn’t think we would have value right out of the box.
Been searching for a while…
“…we pushed the vision of SIEM in the Cloud for years…”
Slide 7: Why did we want a Cloud SIEM Solution?
Flexibility (Subscription Model): Eliminates the need to feel ‘married’ to a system – easier to unsubscribe if it doesn’t fit.
Price (Less Expensive): At least 50% lower TCO compared to deploying an on-premises SIEM.
Ease/Speed (Minimal PS): Easy data ingestion and easy deployment that doesn’t require an army to set up.
(when most data is generated on-premises)
Slide 8: What Cloud SIEM Was Right for Equinix?
Splunk Cloud with ES gave us a starting point.
Met a variety of our use cases: ability to handle multiple types of data (and speeds and feeds), apps marketplace, correlation rules engine, and enterprise-level security view.
We gained VALUE immediately out of the box; now a platform to build upon.
Slide 9: Why we selected Splunk Cloud
Data sources shown: Databases, Networks, Servers, Web Services, Smartphones and Devices, Custom Applications, Security, and more…
Platform capabilities shown: Universal Search, App Ecosystem, Single Pane of Glass, Certified, Guaranteed 100% Uptime SLA
Slide 10: How We Use Splunk Cloud
“…Our goal is to protect customers, employees & data.”
Malware Protection
User Account Protection
Data Leakage Protection
Slide 14: What’s Next for Equinix
Global Security Team standardizing on Splunk Cloud
Use insights to build out a Security Operations Center
Expand use of Splunk Cloud to the Global Server and Network teams
Use Splunk to help integrate acquisitions
Slide 15: Top Takeaways
SIEM in the cloud is the way to go
SIEM with an Enterprise-level “Helicopter view” for the CIO is a must
Splunk Cloud is a GREAT choice to meet these needs:
– Splunk Cloud is a service and requires much less staff to operate (less cost)
– Splunk Cloud is less complex to implement and operate
– Splunk Cloud with ES is a true security SIEM – SOC 2 Type II certified, 100 percent uptime SLA
– Splunk Cloud reduced the time to resolve/respond to security incidents – out of the box
George wanted a SIEM in the Cloud solution (ES).
SIEM is a major achievement of any security system.
Going into ES, we realized that any SIEM solution – there’s going to be a lot of work. We knew going in that there would be a considerable effort building it out.
We knew it wasn’t going to be SIEM out of the box.
WHY DID YOU CHOOSE A CLOUD-BASED SIEM?
Cost was number one. Capex vs. Opex. Wanted something that we could turn up quickly and manage easily. Minimize costs for storage, systems monitoring, managing databases.
Cloud vs. on-prem value prop
Didn’t want anything I had to deploy manually
Subscribe, use it, marry myself and then unmarry myself.
Subscription is a lot easier
VALUE out of the Box?
Every organization has different use cases…but every solution would help us frame our use cases. (uptime, sensitivity of data, systems vulnerability)
Needed a starting point. That’s what ES gave us out of the box
From there, we produced a final list that allowed us to operate a system based on our use cases.
COMPARED to other CLOUD SOLUTIONS
As a SIEM in the cloud, what drew me into ES was the apps marketplace. Most of the other customers don’t have the apps or lenses into the data. Most are free.
Other vendors don’t have those. If we had engaged with other vendors, we would have to build those out.
Apps are great, but they help you frame the data. Now we can compare it and add in our own use cases.
As you get through the process of getting operational, were there other areas of differentiation? Ability to search…across all data sets. Ability to do this across all data sets is really powerful. Searching is 101.
USE CASES TODAY
Malware protection – across all platforms (laptops, mobile, …)
Protecting user accounts – if a user logs in from SF and Hong Kong simultaneously – detecting account compromise
Data leakage protection (SFDC app) – preventing malicious employee behavior
High priority: Care about data. Care about business being able to function. Target the things that typically have negative impact. Malware.
We have a security infrastructure that shows us malware on desktops and servers
ES alerts us to systems with malware – phoning home or
ES allows us to protect users. If a user logs on in Silicon Valley and logs in 10 seconds later in Hong Kong…compromised system?
How do we monitor the security of our users?
Had significant global structure – firewall, VPN, Active Directory, but no SIEM…
Operating with a security infrastructure…Splunk allowed us to aggregate this. One dashboard. Splunk ES.
Allows my guys to not have to go out to each different security system to monitor
Before, we didn’t have a way to correlate between the security systems. Big value add is correlation. Aggregation and correlation.
Get everything into a single place and then correlate…
Data feeds/sets – Qualys security, Cisco firewalls, load balancers, Salesforce.com, Tripwire, OpenVPN, Unix and Windows (Splunk App), Juniper firewalls, Palo Alto
Salesforce – data leakage protection – very sensitive and critical to the business. Manage malicious employees who may be forklifting data. Certain algorithms and data that looks suspicious
Salesforce App – gives you good data but doesn’t really provide enough intelligence to determine
Separate from security use cases, Salesforce app is pretty slick.
How we accomplish this (New Slide)
Log aggregation
Log correlation
Data sources: (Qualys, Palo Alto Networks, Cisco, F5, Salesforce.com, Tripwire, OpenVPN, Unix, Windows, Application logs, Juniper)
We had almost 20 billion raw events to monitor. Within Splunk Cloud we built 50 correlation rules. Now we look at critical- and high-priority events only. This reduced the 20 billion to 12,000. That’s the story.
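The two mechanisms the notes describe, the "same user in Silicon Valley and Hong Kong ten seconds apart" account-compromise rule and the triage that keeps only critical- and high-priority results, can be shown together in a small detector. The block below is an added example and is not Equinix's or Splunk's code; it runs over login events constructed for illustration, and the coordinates, speed thresholds, severity labels and the five-minute "simultaneous" window are all assumptions, not values from the presentation.

```python
"""Impossible-travel detection over constructed login events.

Added example, not Equinix's or Splunk's code. It implements the
user-account use case the notes describe (a login in Silicon Valley
followed seconds later by one in Hong Kong) and the severity triage
behind "critical- and high-priority events only". Event records,
coordinates, speed thresholds and severity labels are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0           # assumption: roughly airliner cruising speed
REVIEW_KMH = 700.0                   # assumption: plausible only on a direct flight
SIMULTANEOUS = timedelta(minutes=5)  # assumption: what counts as "at the same time"
SAME_SITE_KM = 50.0                  # assumption: ignore moves within one metro area

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(distance_km, elapsed):
    """Speed needed to cover distance_km within elapsed; inf if no time elapsed."""
    hours = elapsed.total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")
    return distance_km / hours


def classify(distance_km, elapsed):
    """Map one hop between consecutive logins to a severity, or None if plausible."""
    if distance_km < SAME_SITE_KM:
        return None
    speed = required_speed_kmh(distance_km, elapsed)
    if speed > MAX_PLAUSIBLE_KMH:
        return "critical" if elapsed < SIMULTANEOUS else "high"
    if speed > REVIEW_KMH:
        return "medium"
    return None


def detect_impossible_travel(logins):
    """Compare each user's consecutive logins (time order) and return findings."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            elapsed = cur.ts - prev.ts
            sev = classify(dist, elapsed)
            if sev:
                findings.append({
                    "user": user, "severity": sev,
                    "from": (prev.city, prev.src_ip), "to": (cur.city, cur.src_ip),
                    "km": round(dist), "seconds": int(elapsed.total_seconds()),
                })
    return findings


def triage(findings, min_severity="high"):
    """Keep only findings at or above min_severity: the analysts' working queue."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


# Constructed sample events (not real Equinix data); coordinates are approximate.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SV, HK = (37.34, -121.89), (22.32, 114.17)
LON, LA, DEN = (51.51, -0.13), (34.05, -118.24), (39.74, -104.99)
SAMPLE_LOGINS = [
    Login("alice", T0, "203.0.113.5", "Silicon Valley", *SV),
    Login("alice", T0 + timedelta(seconds=10), "198.51.100.9", "Hong Kong", *HK),
    Login("bob", T0, "203.0.113.6", "Silicon Valley", *SV),
    Login("bob", T0 + timedelta(hours=3), "192.0.2.44", "London", *LON),
    Login("carol", T0, "203.0.113.7", "Silicon Valley", *SV),
    Login("carol", T0 + timedelta(hours=1), "192.0.2.10", "Los Angeles", *LA),
    Login("dave", T0, "203.0.113.8", "Silicon Valley", *SV),
    Login("dave", T0 + timedelta(seconds=5), "203.0.113.9", "Silicon Valley", *SV),
    Login("erin", T0, "203.0.113.10", "Silicon Valley", *SV),
    Login("erin", T0 + timedelta(hours=2), "192.0.2.77", "Denver", *DEN),
]

if __name__ == "__main__":
    for finding in triage(detect_impossible_travel(SAMPLE_LOGINS)):
        print(finding)
```

Of the five users, only alice (ten seconds, Silicon Valley to Hong Kong) and bob (three hours to London) reach the high-or-above queue; erin's Denver login is flagged medium and dropped by the triage step, and carol and dave produce nothing. The zero-elapsed case is handled explicitly, since a division by zero on two same-second logins is the usual way such a rule falls over in production.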
Talk about your personal CIO Dashboard and the operational intelligence it provides you.
ARE OTHER TEAMS USING SPLUNK at Equinix?
Security – Now – How many folks. 6 people.
Infrastructure for monitoring app performance
DevOps…looking to Splunk to bake processes into development. Triggered alerts. Service down, KPIs,
LOOKING AT HURRICANE LABS TO HELP OPERATE BETTER IN THIS ENVIRONMENT.
Help manage Splunk. Write correlation events as we define them in terms of use cases.
Use a service skilled in that work rather than doing it themselves.
Security ops center
NOTIONAL DEPLOYMENT COST savings?
Vs. ArcSight, maybe saved half. Splunk Cloud is half of what the cost of something like ArcSight.
Value: One of the biggest factors is how the environment is managed. With ArcSight, you have to hire an army of professional services to get it set up, manage databases, and then tune it. Ongoing work. Cannot tune it and leave it.
Data sources into Splunk…then turning correlation and mapping to use cases. We are a little easier because we can work to define the use cases and then do the code.
More complexity on the ArcSight side – less on the Splunk ES
COMPLIANCE/CERTIFICATIONS IMPORTANT
Really use this for security use cases
SPLUNK CLOUD – SOC 2 Type II certified
Very important
Very sensitive
Certifications that attest to the protection of the data
100 PERCENT UPTIME
Didn’t track that with others?
SLA still going
Never seen anywhere else offer that