26. Vision
NN will adopt a self-service infrastructure with standardized cloud services and automated processes
Before | After
Silo shopping | Full end-to-end ownership
Manual and lossy | Automated and predictable
Fixed capabilities | On-demand and self-service
Central budget | Pay per use
Faster Cheaper Better
62. Internal capability market + end-to-end responsibility = defence in depth
Security monitoring tools
Well, I believe that you can get to know someone by looking into their meterkast.
This is mine.
So now that you know me.
I can show you my secondary equipment room
Where I built the first iteration of my personal Splunk cluster.
That I used to develop a Puppet-Splunk module.
Puppet is used for infrastructure automation.
My goal was to create a Splunk aware desired state configuration tool
that you could give a description of what the end state should be like.
And this tool would build and configure it.
At the time there was nothing quite like it, and it’s currently in use by large and small organizations worldwide.
However this particular setup suffered from one fatal flaw. I had lots of availability issues with it. Daily downtime.
NN Group is a financial services company
active in 18 countries
with a strong presence in Europe and Japan.
Cover 2016 annual report
Buying companies left and right.
Improving innovativeness
About buying companies left and right:
Perfecting this since 1845
Sword
NN as it is today
Merged from 2 companies
acquisition engine has been running smoothly
Most recent label additions to portfolio
It can be improved
Example of a funeral insurance company
Reason for our digital transformation.
Some markets change faster than others
We need to respond faster to these changes
Koen
Bright blue blazer
we have a new way of looking at things.
A new way of thinking.
self-service, cloud, automation.
Splunk is an important building block for operational and security monitoring within NN.
Because it CAN be automated.
It CAN be turned into a self-service capability.
Could not do this with Arcsight
To get anything done at NN you had to do a lot of silo shopping,
Project managers to do the silo shopping
end-to-end responsible.
Core of target operating model
most of their work on their own
empowering as I’ll show later.
Manual ssh-ing
Editing config files
Automated pipelines version controlled
Physical servers in DC
Could not scale up
Could not scale down
Now we can
On our own
Money!
It should be pay-per-use.
Not using: not paying
Using: paying
This is where the work actually starts.
Teams in parallel
thinking about automation, self-service, pay-per-use.
AWS team example
Account vending machine
Own account under NN umbrella
Within boundaries
Focus on Splunk team
SOC team
We like splunk: can be automated
So the first order of business for the Splunk team
Move from onprem to AWS
Built with automation
Nimble first steps
Couple of SH, 4 IDX
double
Multisite
In 1 hour
trivial or abstract,
Skype call
popcorn
10 pm finish
Wow! This would have been lots of work earlier
This is what end-to-end responsibility feels like.
Empowering
Some months later
Doubling
Same call
More popcorn
Waiting for aws provisioning
Gave us ES
Migrating UC from Arcsight -> Splunk
But onboarding…
fundamental self-service building block
No more ssh and config file editing
We can use it
App teams too
onboarding menu
All managed from a git repo
Everyone can edit
But we’re not stupid
Pipeline with checks
Config check, 2nd step
Modified splunk appinspect
To do the heavy lifting
Using this for almost a year now
Index creation
Retention
Size
Also pipeline check
And review
Self-service onboarding is fundamental
Because previously this is what it looked like with Arcsight
They were not the only ones
But we would already have a queue.
And we would finish onboarding some months later.
For the first team in this swimming lane
And then for the next.
Well this is not exactly what end-to-end responsibility looks like.
Anti pattern
So we can take a rest from all the hard work we’ve been doing all this time.
Anyway, I just wanted to show our new Prague ITHUB office.
Some say, this is where the SOC is located.
In all seriousness we are still doing security monitoring.
Asynchronous
Unblocking other teams
Now that data is in
Do something useful
Workshops previously, that you had to book
Waiting list.
Doesn’t scale
Handbook that covers our ideas
Howto approach app sec mon
Inspired by the one from the Ops team.
Way ahead of us
Operational monitoring handbook
And has lots of inspirational stories.
Value
More hands-on
Steps from onboarding to usecases
MITRE
Workshop replacer, first version
Automated usecase testing
Worked months ago
But now?
Needed for our infra secmon
Other teams same issue
Expose as self-service
Last
contract automation.
docs
criticality
expected followup: call in the night, or snow ticket for tomorrow
Can’t tell more
Very early alpha stage
Zoom out bigger picture
Another point
Need a couple of slides
please bear with me.
3 teams: 2 cloud, 1 cicd
Using previous tools
Built own automated env
Self-service building blocks
In these automated envs
That other teams also could incorporate into their own stuff.
Like we did for scalable application security monitoring.
And so on.
And that brings me to my point.
Internal market
Everyone free to use
we WANT teams to be end-to-end responsible.
We are no longer a cathedral.
We are becoming a bazaar where you can shop at the individual booth for existing stuff and create new stuff from it.
Very powerful stuff.
Some secmon tools in this market
e.g. aws and azure
No longer only game in town
Somehow incorporate these new feeds
We don’t mind
Because defence in depth
This is a good thing. We actually want this.
It also leads to something else, that we share with our customers and it’s this:
It also enables a form of healthy competition.
One team at NN has this motivational poster framed.
Not sure if you can read it.
It says:
Clients don’t complain
They go elsewhere.
And this is something that applies to our customers.
But now also to our internal capability market.
And this, boys and girls, is how you do security monitoring during a digital transformation.
I have only one slide left.
Which is my key takeaway slide.
The main take-away of this presentation is that you should definitely check out Prague for a city trip.
Even in the winter.
This is the view from my hotel on the Staropramen brewery.
At sunrise.