SplunkLive! Utrecht 2019: NN Group
•Télécharger en tant que PPTX, PDF•
0 j'aime•369 vues
Learn the benefits of automated capabilities and how Splunk is an important building block for operational and security monitoring within NN.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à SplunkLive! Utrecht 2019: NN Group
Similaire à SplunkLive! Utrecht 2019: NN Group (20)
Plus de Splunk
Plus de Splunk (20)
Dernier
Dernier (20)
SplunkLive! Utrecht 2019: NN Group
- 1. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Security monitoring during a digital transformation Jorrit Folmer CISSP CCSP | Security monitoring consultant @ NN Group N.V 18 November 2019
- 14. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes
- 15. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping
- 16. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership
- 17. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy
- 18. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable
- 19. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities
- 20. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service
- 21. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service Central budget
- 22. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service Central budget Pay per use
- 23. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service Central budget Pay per use
- 24. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service Central budget Pay per use Faster
- 25. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service Central budget Pay per use Faster Cheaper
- 26. Vision NN will adopt a self-service infrastructure with standardized cloud services and automated processes Before After Silo shopping Full end-to-end ownership Manual and lossy Automated and predictable Fixed capabilities On-demand and self-service Central budget Pay per use Faster Cheaper Better
- 27. Target operating model Splunk team SOC team Execution Other dev-ops teams
- 28. Target operating model Execution Infrastructure as code Splunk team SOC teamOther dev-ops teams
- 30. Search tier Indexing tier Example 1: multi-site in 1 hour Site 1 Site 2
- 31. Search tier Example 2: doubling in 2 hours Site 1 Site 2
- 32. Execution Target operating model Infrastructure as code Enterprise Security Splunk team SOC teamOther dev-ops teams
- 33. Target operating model Execution Infrastructure as code Enterprise Security Self-service data onboarding Splunk team SOC teamOther dev-ops teams
- 39. Target operating model Splunk team SOC Execution Infrastructure as code Enterprise Security Self-service data onboarding
- 40. Hi, I need security monitoring for my go-live Team10 Req 10
- 41. Hi, I need security monitoring for my go-live Team10Team11Team12 Req 10 Req 11 Req 12
- 42. Hi, I need security monitoring for my go-live Team10Team11Team12SOC Req 10 Req 11 Req 12 Onboard 7
- 43. Hi, I need security monitoring for my go-live Team10Team11Team12SOC Finish Onboard 8 Onboard 9 Onboard 10Onboard 7 Req 10 Req 11 Req 12
- 44. Hi, I need security monitoring for my go-live Team10Team11Team12SOC Finish Finish Onboard 8 Onboard 9 Onboard 10Onboard 7 Onboard 11 Onboard Req 10 Req 11 Req 12
- 45. Self-service model with Splunk Team10Team11Team12SOC Req 10 Req 11 Req 12
- 46. Self-service model with Splunk Team10Team11Team12SOC FinishOnboard 10Req 10 Req 11 Req 12 Onboard 11 Finish Onboard 12 Finish
- 50. Self-service onboarding model with Splunk Team10Team11Team12SOC FinishOnboard 10Req 10 Req 11 Req 12 Onboard 11 Finish Onboard 12 Finish Consulting Building self-service capabilities
- 51. Target operating model Splunk team SOC Application security monitoring (ASM) Infrastructure as code Enterprise Security Self-service data onboarding ASM handbook
- 54. Target operating model Splunk team SOC Application security monitoring (ASM) Infrastructure as code Enterprise Security Self-service data onboarding ASM testing ASM handbook
- 55. Target operating model Splunk team SOC Application security monitoring (ASM) Infrastructure as code Enterprise Security Self-service data onboarding ASM testing ASM contract automation ASM handbook
- 56. Target operating model Capability combinatorics
- 57. Target operating model Capability combinatorics
- 58. Target operating model Capability combinatorics
- 59. Target operating model Capability combinatorics
- 60. Target operating model Capability combinatorics
- 61. Internal capability market C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C
- 62. C C Internal capability market + end-to-end responsibility = defence in depth C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C Security monitoring tools
- 65. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Thank You.
Notes de l'éditeur
- Well, I believe that you can get to know someone by looking into their meterkast. This is mine. So now that you know me. I can show you my secondary equipment room
- Where I built the first iteration of my personal Splunk cluster. That I used to develop a Puppet-Splunk module. Puppet is used for infrastructure automation. My goal was to create a Splunk aware desired state configuration tool that you cound give a description of what the end state should be like. And this tool would build and configure it. At the time there was nothing quite like it, and it’s currently in use by large and small organizations worldwide. However this particular setup suffered from one fatal flaw. I had lots of availability issues with it. Daily downtime.
- NN Group is a financial services company active in 18 countries with a strong presence in Europe and Japan. Cover 2016 annual report Buying companies left and right. Improving innovativeness
- About buying companies left and right: Perfecting this since 1845 Sword
- NN as it is today Merged from 2 companies
- acquisition engine has been running smoothly Most recent label additions to portfolio
- However. Customers won’t recommend us. NPS Scale -100 +100 Recommenders – unrecommenders = nps
- It can be improved Example of a funeral insurance company
- Reason for our digital transformation. Some markets change faster than others We need to respond faster to these changes Koen Bright blue blazer
- we have a new way of looking at things. A new way of thinking.
- self-service, cloud, automation. Splunk is an important building block for operational and security monitoring within NN. Because it CAN be automated. It CAN be turned into a self-service capability. Could not do this with Arcsight
- To get anything done at NN you had to do a lot of silo shopping, Project managers to do the silo shopping
- end-to-end responsible. Core of target operating model most of their work on their own empowering as I’ll show later.
- Manual ssh-ing Editing config files
- Automated pipelines version controlled
- Physical servers in DC Could not scale up Could not scale down
- Now we can On our own
- Money!
- It should be pay-per-use. Not using: not paying Using: paying
- This where the work actually starts. Teams in parallel thinking about automation, self-service, pay-per-use. Aws team example Account vending machine Own account under NN umbrella Withing boundaries Focus on Splunk team SOC team
- We like splunk: can be automated So the first order of business for the Splunk team Move from onprem to AWS Built with automation
- Nimble first steps Couple of SH, 4 IDX
- double Multisite In 1 hour trivial or abstract, Skype call popcorn 10 pm finish Wow! This would have been lots of work earlier This is what end-to-end responsibility feels like. Empowering
- Some months later Doubling Same call More popcorn Waiting for aws provisioning
- Gave us ES Migrating UC from Arcsight -> Splunk But onboarding…
- fundamental self-service building block No more ssh and config file editing We can use it App teams too
- onboarding menu All managed from a git repo
- Everyone can edit But we’re not stupid
- Pipeline with checks Config check, 2nd step
- Modified splunk appinspect To do the heavy lifting Using this for almost a year now
- Index creation Retention Size Also pipeline check And review
- Self-service onboarding is fundamental
- Because previously this is how it looked like with Arcsight
- They were not the only ones
- But we would already have a queue.
- And we would finish onboarding some months later. For the first team in this swimming lane
- And then for the next. Well this is not exactly what end-to-end responsibility looks like. Anti pattern
- So we can take a rest from all the hard work we’ve been doing all this time.
- Anyway, I just wanted to show our new Prague ITHUB office. Some say, this is where the SOC is located.
- In all seriousness we are still doing security monitoring. Asynchronous Unblocking other teams
- Now that data is in Do something useful Workshops previously, that you had to book Waiting list. Doesn’t scale Handbook that covers our ideas Howto approach app sec mon
- Insprired by the one from the Ops team. Way ahead of us Operational monitoring handbook And has lots of inspirational stories. Value
- More handson Steps from onboarding to usecases MITRE Workshop replacer, first version
- Automated usecase testing Worked months ago But now? Needed for our infra secmon Other teams same issue Expose as self-service
- Last contract automation. docs criticalily expected followup: call in the night, or snow ticket for tomorrow Can’t tell more Very early alpha stage
- Zoom out bigger picture Another point Need a couple of slides please bear with me. 3 teams: 2 cloud, 1 cicd
- Using previous tools Built own automated env
- Self-service building blocks In these automated envs
- That other teams also could incorporate into their own stuff. Like we did for scalable application security montoring.
- And so on.
- And that brings me to my point. Internal market Everyone free to us we WANT teams to be end-to-end responsible. We are no longer a cathedral. We are becoming a bazaar where you can show at the individual booth for existing stuff and create new stuff from it. Very powerful stuff.
- Some secmon tools in this market e.g. aws and azure No longer only game in town Somehow incorporate these new feeds We don’t mind Because defence in depth This is a good thing. We actually want this. It also leads to something else, that we share with our customers and it’s this:
- It also enables a form of healthy competition. One team at NN has this motivational poster framed. Not sure if you can read if. It says: Clients don’t complain They go elsewhere. And this is something that applies to our customers. But now also to our internal capability market. And this boys and girls, is how you do security monitoring during a digital transformation. I have only one slide left. Which is my key takeaway slide.
- The main take-away of this presentation is that you should definitely check out Prague for a city trip. Even in the winter. This is the view from my hotel on the Staropramen brewery. At sunrise.