National Australia Bank has gained new operational visibility and intelligence using Splunk and their machine data. Learn how hundreds of Splunk users within these organizations turn terabytes of machine data into increased uptime, improved service delivery, real-time customer insights, enhanced security posture, informed capacity planning and more.
Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITXpo 2012
1. Mining Security Data: Security Surveillance and the Case for Data Reuse
2. National Australia Bank
• Financial services organisation with over 40,000 employees
• Operating more than 1,800 branches and service centres
• Responsible to more than 460,000 shareholders
• Major financial services franchises in Australia, New Zealand, Asia, the United Kingdom and the United States
• Committed to providing quality products and services, fair fees and charges, and relationships built on the principles of help, guidance and advice
3. Introducing Jamie
• Security Program Manager, Information Security Services
• Senior Manager, nabCERT SOC
• National Australia Bank's Computer Emergency Response Team
• Won SC Magazine Award for Organizational Excellence in Information Security
• 12+ years in technology
• Held various roles at NAB:
  • Info Security team leader
  • Architecture and strategy
  • Project management
  • Consulting
4. Five Areas of Interest
• What's the user doing?
• What's happening on the network?
• What's the machine doing?
• What's happening to the data?
• What's the app doing?
5. Defining (some of) the Issues the SOC Faced
• Need to improve incident response times
• Require greater visibility into security events
• Achieve contextualized / enriched alerting
• Correlate across systems
• Deal with different log formats
• Add new or modified log formats
• Avoid custom code (10 different security analysts)
• Limit to resource availability for manual (bespoke) investigations
6. Why Splunk? ROI for nabCERT
• Stood up Splunk quickly
• Onboard and integrate data once, easily
• No need to re-import when applications or formats change
• Keeps the team in the business of security analysis and out of the business of building parsers and connectors
• Proven to be effective and efficient
"Splunk gave us the speed of deployment and results we were looking for."
7. Case Study One
• Primary objective: Significantly reduce the time to complete electronic searches of email archives to meet legal requests
• Email logs easily searchable, by user, subject, timeframe
– Effective? Yes
  • Ability to perform searches based on subject, sender, recipient, date / time
  • Results used by the team to finalise acquisition of all pertinent material
– Efficient? Yes
  • No more grep
  • Search times reduced to minutes vs. hours or days (per investigator)
  • Concurrent searching of datasets by the investigative team
9. If You Are Going To That Much Trouble
(Slide image: periodic-table tiles for Ag, Pb, Fe, Cu, Ni)
10. Who Are Our Data Consumers?
Infrastructure Support, Business Partners, Application Performance Management, Fraud Team, Service Delivery, Network, Security Managers
11. Case Study Two: DHCP Logs
Service Delivery
• Ensuring optimum connectivity / productivity
• Alerts for insufficient IP / subnet coverage across the network
• Alerts when subnets are full
• Visibility into underutilized subnets
• Triggers action for Network team to reallocate / reassign subnet
Security Operations
• Detecting unauthorized devices
• Monitor based on standard naming convention + Active Directory credentials
• Add MAC address lookup to confirm a "good" device
Our approach is to maximise the utility from every log source collected and indexed, not just for security.
13. DHCP Dashboard – Network Service View
Don't use Average; use Most Common (mode), median and 90th Percentile.
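The DHCP checks from Case Study Two (subnet full / underutilised alerts, naming-convention plus MAC lookup for unauthorised devices) and the dashboard statistics advice above, worked through as an added example that is not part of the original deck or a Splunk search. The log format, the NAB<site>-WS<nnnn> hostname convention and the known-good MAC table are all constructed assumptions standing in for the real feeds.

```python
import re
from statistics import mean, median, mode
# Constructed sample DHCP lease events (not NAB data); assumed line format:
# <time> <subnet>/<prefix> <ip> <mac> <hostname> <lease_seconds>
SAMPLE_LOG = """\
08:01:02 10.1.1.0/30 10.1.1.1 00:11:22:33:44:01 NABSYD-WS0001 3600
08:01:09 10.1.1.0/30 10.1.1.2 00:11:22:33:44:02 NABSYD-WS0002 3600
08:02:15 10.1.2.0/29 10.1.2.1 00:11:22:33:44:03 NABMEL-WS0003 3600
08:03:40 10.1.2.0/29 10.1.2.2 de:ad:be:ef:00:01 android-7f3a 600
08:04:12 10.1.2.0/29 10.1.2.3 00:11:22:33:44:09 printer-lvl3 86400
08:05:01 10.1.3.0/28 10.1.3.1 00:11:22:33:44:04 NABSYD-WS0004 3600
"""
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<subnet>\S+)/(?P<prefix>\d+) (?P<ip>\S+) "
                     r"(?P<mac>[0-9a-f:]{17}) (?P<host>\S+) (?P<lease>\d+)$")
HOST_RE = re.compile(r"^NAB[A-Z]{3}-WS\d{4}$")  # hypothetical naming convention
# Constructed stand-in for the asset / IP address database used for MAC lookup
KNOWN_GOOD_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02",
                   "00:11:22:33:44:03", "00:11:22:33:44:09"}

def parse(log):  # lines that do not match the assumed format are skipped
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def subnet_utilisation(events):
    """Map subnet -> (leases seen, usable hosts); usable = 2**(32-prefix) - 2."""
    out = {}
    for e in events:
        leased, cap = out.get(e["subnet"], (0, 2 ** (32 - int(e["prefix"])) - 2))
        out[e["subnet"]] = (leased + 1, cap)
    return out

def subnet_alerts(events, full=0.9, low=0.2):
    """Service Delivery view: subnets that are full, and underutilised ones."""
    alerts = []
    for subnet, (leased, cap) in subnet_utilisation(events).items():
        if leased / cap >= full:
            alerts.append((subnet, "FULL"))
        elif leased / cap <= low:
            alerts.append((subnet, "UNDERUTILISED"))
    return alerts

def unauthorised_devices(events):
    # Security view: hostname outside the convention AND MAC not confirmed good
    return [e["host"] for e in events
            if not HOST_RE.match(e["host"]) and e["mac"] not in KNOWN_GOOD_MACS]

def lease_summary(events):
    """Dashboard stats: mode, median and 90th percentile (nearest rank), not just mean."""
    leases = sorted(int(e["lease"]) for e in events)
    p90 = leases[-(-9 * len(leases) // 10) - 1]  # ceil(0.9 * n)-th value
    return {"mean": mean(leases), "mode": mode(leases), "median": median(leases), "p90": p90}
```

On the constructed sample the single 86400-second lease pulls the mean up to 16900 while mode and median both stay at 3600, which is the point the dashboard slide makes.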
14. Network Service View #2
Users cannot connect to the network, or have delays connecting in hot desk areas.
15. DHCP Dashboard – Infrastructure View
Capacity and availability issues for the team supporting these services, as well as Service Desk.
16. Case Study Three: The After Hours Worker
Who is working late and how often during the week? Are they using the same workstation?
17. Case Study 4: SOC to the Rescue
The 'gold' in this case happens to be a log line that resolved a three-week issue causing significant disruption to a business unit.
18. Enriched Data Drives Action
• Single log type (DHCP) from 1,000+ DHCP servers
• Security (nabCERT SOC) gets the "gold" it is after
• Networks, Security Operations (Firewalls), Service Management, Infrastructure support, Building services get what is of value to them
• Splunk search language calculations to pinpoint most critical
– Min, Median, Mode, Max, 90th percentile
• Cross-reference with other data (IP address database)
• Provide the teams with the facts, in context, with an explanation and remedy
19. Democratizing Data (In A Secure Fashion)
• Take a collaborative approach
• Give us your data, we'll give you more value
• Dashboards for specific teams so they can drill down themselves for problem solving
• Role-based access ensures access only to relevant data
• Look beyond the gold (what you are after)
20. Back to the Case Study One (Legal)
Primary objective: Significantly reduce time to complete electronic searches for legal
• Reuse case 1: Data loss protection supplement
• Reuse case 2: User activity baselining
• Reuse case 3: Validate spam / spoof controls
• Reuse case 4: User Access Revalidation supplement
21. What's Next?
• More re-use cases from our data
• More application and databases
• Complete key infrastructure collection
• Look for the opportunities
• Take the time to look for the win:win
Think and plan strategically, work tactically
23. Splunk Company Overview
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Region HQ: London, Hong Kong
• Over 600 employees, based in 10 countries
• Q2 Revenue: $44.5 million; +71% year-over-year
Business Model / Products
• Free download to massive scale
• On-premise, in the cloud and SaaS
4,400+ Customers
• Customers in over 80 countries
• 54 of the Fortune 100
• Largest license: 100 Terabytes per day
See us on the ITXpo Showfloor in booth S2