SplunkLive! London 2019: University of Exeter
•Télécharger en tant que PPTX, PDF•
1 j'aime•3,688 vues
Higher Education and Research - actively protecting our investment
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à SplunkLive! London 2019: University of Exeter
Similaire à SplunkLive! London 2019: University of Exeter (20)
Plus de Splunk
Plus de Splunk (20)
Dernier
Dernier (20)
SplunkLive! London 2019: University of Exeter
- 1. Higher education and research – actively protecting our investment Alan Hill Chief Information and Digital Officer
- 2. University of Exeter Top 10 Universities in the UK 98% of research rated as international quality
- 3. The University as a Business • £100m of research income • £420m turnover • 22,500 students • 4,500 academic and professional staff • 4 campuses in the South West of England
- 5. University has economic impact
- 7. What we have to protect • All research data is valuable • Intellectual property • Patents • ‘High value targets’
- 8. Education • Students as customers • Battle-rhythm of the University • Critical services – Collaborative learning environment – Recruitment and admissions – Online exams
- 10. Education • Students as customers • Battle-rhythm of the University • Critical services – Collaborative learning environment – Recruitment and admissions – Online exams
- 12. The Threat • What do we look like to an attacker? Inside and outside • Tactics: DDOS, theft, reputation, exploitation • Capability, routes, intent, techniques • Attackers’ options
- 13. • One tool to manage security, operations and application development • Minimise training overhead • On-premises option to control costs • Available through contract frameworks Why
- 14. Splunk in action for the University The What? MITRE ATT&CK • Tactic: Credential Access – “Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network.“ The How? MITRE ATT&CK • Technique: Kerberoasting • Technique: Credential Dumping • Technique: Brute Force Where to look for? Data Sources • Domain Controller Authentication Logs • PowerShell Logs • Process Monitoring • … https://attack.mitre.org/
- 16. Step by Step SIEM Success: Security Monitoring + Forensic The What? MITRE ATT&CK • Tactic: Credential Access The How? MITRE ATT&CK • … • … • Technique: Brute Force • … Where to look for? Data Sources • Domain Controller Authentication Logs • … • … https://attack.mitre.org/
- 18. Reality of deployment • Need to truly understand your estate • On-premises comes with its own overheads • Energising the staff for the new capabilities • Ensure you have enough professional service support • Start small and grow big - control the use cases • Keep focused on the business benefits • “No plan survives contact with the enemy”
- 19. We’re only just getting started • Splunk is central to our operations • The use cases are growing daily • It’s in action now protecting the University • Tangible value for money
Notes de l'éditeur
- Alan Hill CIDO Contributing to amazing research and excellent education Combining research and education to “make the exceptional happen” Today I want to tell you about: What is a University – a business, a charity, and educational establish, a world renowned research institute What we need to protect – Research and Education The Threat to higher education institutes Splunk’s role in protecting our investment (UK taxpayers, commercial organisations, student fees) Lastly – the reality of a Splunk deployment from zero to hero in 8 weeks.
- Business drivers: Student recruitment: international students pay more than UK/EU. Everyone is after the same market. League tables driven by student recruitment. Research quality drives future research income Its success is built on a strong partnership with its students and a clear focus on high performance. So you can see the lines of business and how that can drive income. Ensuring those Lines of Business operate effectively and remain secure is the role of Splunk in the Univeristy . .
- Formed in 1955 22,500 students from more than 130 different countries.
- The University of Exeter combines world class research with excellent student satisfaction at its campuses in Exeter and Cornwall 4 campuses across Devon and Cornwall. No international sites. For those of you that are not familiar with the UK, these are beautiful areas for the sea and the countryside
- The value of the University is an important economic point We are not only educating and researching We create more than £1.17 Billion economic output So this is a significant business, that has real and tangible impact That needs digital services and IT systems that are reliable, high performing, and secure.
- Recent breakthroughs to come out of Exeter's research include: the identification and treatment of new forms of diabetes and the creation of the world's most transparent, lightweight and flexible conductor of electricity. Our research focuses on some of the most fundamental issues facing humankind, including on disease prevention through predictive biology We have a specialist research IT team that directly contribute to: Discovery of the atmospheres of exo-planets 200 light years away Research into dementia in the over 50s in Hong Kong and the UK
- Research data is valuable – it needs protecting Even if it is to be published openly there are few years first to get maximum value from it. Commercially funded research needs protection for the duration of the contract. From research derives intellectual property rights, and patents The professors who do the most valuable or sensitive research are ‘high value targets’ to an adversary who wants the information without the work or the cost So wrapping Splunk around the research data and the high value targets, helps protect our research Identifies unusual patterns of access, and helps prevent the theft of research data
- Education line of business: Like any business – we value our customers Customers expect services to he of high quality and to run effectively So we will be using Splunk to help us focus on those critical services There is a battle-rhythm that means we have peaks times for services that simply must not fail: Virtual learning environment where course content is placed, with LECTURES recorded (SLIDE NOW)
- Each lecture is recorded – the speaker and the content Uploaded to our cloud provider and accessed through the virtual learning environment Last academic year = 650,000 viewings I know what you are thinking – lying in bed instead, but usage indicates it’s about revision
- Recruitment and admissions is about getting all our spaces filled each year with the best quality students A – level results download Place allocation Filling spaces - setting up a call centre, high availability on the website, low latency in the back end systems Each unfilled space is a hit on 3 years of income Online exams: similar pressure to make sure these critical services operate effectively Splunk will help us do all these things So what is the threat to these Lines of Business
- 10 MINUTES check Assume all of your research has been copied – as a starting point
- Understanding the threat What we look like as a target: Graphene research Animal research Military research How might we be attacked Leads us to prioritise the deployment of Splunk to support the overall protection plan.
- We are a small team Need one tool that does everything Low cost of training in ££££ but also time Need options such as on-premises to manage the through life cost, based on previous investments in our data centre. Critically – the availability of procurement frameworks. Universities act like public bodies and so procurement can be a painful process. Now Splunk has an arrangement that can be accessed by all universities and colleges.
- So let’s look at Splunk in action protecting our research data Ensuring that critical services remain available Mitre ATTACK methodology as the backdrop, I am going to show some videos of day 2 in our deployment
- Starting in the Access Centre Do not be alarmed by the word EXTREME – this is day 2 so everything looks new! Looking over time at Actions and Access. Exploring the patterns and anomalies We can see Access denied/failure etc Focus on Failure Look specifically at server EMPS LEANDRO – and we can see an Admin account has multiple failed attempts to access We can look at the signature, and at the time.
- So we have an admin account – Credential Access Using Brute Force Attack This is something we would not normally be able to see, certainly not with the speed or ease. We can take action now.
- Now in the Intrusion Centre We can quickly see the attack locations and start to interpret what that may mean Then to the Traffic Centre Looking at patterns over time Focusing on one particular device that has drawn our attention Multiple ports open Facebook (may be this is a misconfiguration) Peer to peer file sharing website – if this was a research machine, this would be a red flag.
- University is a business It has customers It has value Splunk now plays a key role our day to day operations Use case are coming in thick and fast Protecting our key assets and our high value targets is critical security activity But remembering that this was an investment, so getting the benefits realised, getting the value for money evidenced is important for a business perspective The vision for the University is to Make the Exceptional Happen, and I am delighted that Splunk are playing a part in doing that.