The Chief Security Officer Perspective


Description:

Mark Seward, Director of Security and Compliance Solutions Marketing for Splunk, presents a CSO / CISO view of Splunk and its usefulness in providing insight into the security trends and metrics that affect the business.



Download video to your computer (m4v 77 Meg)

Date: Jun 03, 2010  |  Runtime: 05:38

Permalink: http://fr.splunk.com/view/SP-CAAAFJT

Transcript

Hi, my name is Mark Seward and I'm Director of Security and Compliance Solutions Marketing at Splunk.

[On screen: Mark Seward, CISA; Director, Security and Compliance Solutions Marketing; Federal CIO Certification; 10 years as a security practitioner]

Splunk is often called "Google for the data center," or "Google for the Security Operations Center." Implementing Splunk allows you to ask questions about what's going on in your IT architecture. But unlike Google, built into the search language is the ability to perform statistical analysis on the search results.

So really, Splunk is software that provides a multi-dimensional view deep into security devices and applications, combined with high-level analytics across time, telling you exactly what security-relevant events are happening in your IT infrastructure, whether physical, virtual or in the cloud.

Splunk can consume all your data with no schema, no custom connectors, no DB license, no DBA. Whether it's log files or configuration files, Splunk helps you gather and index all types of machine-generated data across your IT infrastructure: any source, any format, any location.

Now, it's important to understand that machine-generated data is different from the "conventional", human-generated data that's stored in your company's databases. Your machine-generated data holds a categorical record of user activity, customer transactions, machine and network behavior, as well as potential security threats and fraud activity. With Splunk you can index and store all types of machine-generated data in accordance with compliance requirements so that all your IT data is security-relevant.

[On screen: Log data contains a categorical record of user activity, customer transactions, machine and network behavior, as well as potential security threats and fraud activity]

How does this help Security & Compliance? Splunk provides a single system and single UI that handles both real-time streaming data for monitoring and the historical data needed for investigations and reporting. Splunk enables the security staff to quickly dig through all the data to find that root-cause "needle in the haystack."

[Screen: sampling of statistical commands being entered]

With over 80 analytical commands that can be coupled to any search, Splunk is flexible and powerful enough to do any type of analysis, and makes it easy for the security staff to deliver the compelling dashboard visuals and reports needed to support efforts to influence decisions about business risks from malicious insiders, sophisticated fraud, or nation-state cyber-espionage.

To be effective, security investigations, threat monitoring, compliance reporting, and fraud detection, all require coordination between the IT Operations and Security teams. The faster the teams can hunt down a problem, the less the impact on the business. Splunk's single-pane-of-glass approach unites the security and operations teams allowing them to view application data with security data to quickly follow the forensics trail wherever malicious behavior leads them.

[Screen: start on speaker, then show field extraction and additional fields]

Once a forensics investigation is complete, the searches created can be put in place to monitor real-time streams of data, proactively watching for the same forensic patterns. Harness the security team's imagination to seek potential patterns of behavior in the log data and then model them in Splunk. You'll be surprised how many of them can think like a hacker.

How else is Splunk different? Splunk scales. Terabytes per day is easy. You make no compromises in collection amounts or data types. When a vendor updates an application with new security relevant log information, Splunk immediately makes the information available for you to use.

Listed on the left are just a few current customer use cases.

Finally, Splunkbase contains free and paid apps and add-ons, developed by your industry peers and by Splunk developers, that solve specific use-case problems.

It's easy to try: just download from the web site.
It's easy to set up: no database licenses to buy, no schema to design.
It's easy to deploy: our customers typically go live in just a few days.

And it's easy to use: customizable dashboards, data drill-down, and a powerful search engine show you a complete picture of what's really going on, driven by your organization's key performance indicators.

Typically, our customers see a 90% reduction in time to investigate incidents. Turn ad-hoc compliance reports from months long to over-the-shoulder and identify fraud and sophisticated zero-day attacks that slip by most traditional rules-based SIEMs.

So give Splunk a try and start getting answers to the questions that will allow you to take proactive action against threats to the business.
Customer examples:
- DirecTV has built a next-gen SOC that relies on Splunk to identify advanced persistent and constantly changing (polymorphic) threats, rather than relying on traditional rules-based SIEM solutions.
- U.S. Department of Energy has standardized on Splunk to collect and analyze all of its security data. 75% of all U.S. Federal agencies are now using Splunk for security and compliance.
- Motorola has a sophisticated 24x7 SOC. They reduced incident investigations from hours to minutes and were able to redeploy 5 full-time security analysts to other roles.
- MySpace is using Splunk to detect fraudulent user accounts and reduce spam to its members. Splunk helped them reduce spam by 98%.
- Cisco: their CSIRT (Computer Security Incident Response Team) Tier I, Tier II and Tier III teams use Splunk to quickly consolidate and correlate disparate log sources, enabling previously impractical monitoring and response scenarios.
- Carlson-Wagonlit, a global leader in business travel management, uses Splunk for PCI compliance, where the PCI in-scope data requirements included complex, custom multiline application logs.
- CVS Caremark, the largest provider of prescriptions in the U.S., operates the nation's largest number of retail pharmacies and retail-based health clinics. Now using Splunk for compliance. Their previous approach, a schema-based, RDBMS-based solution, failed their audit. With Splunk they had the flexibility needed and passed two PCI audits in a row.

The way our founders solved the problem is truly disruptive.

Background: Where'd the name "Splunk" come from? It's a play on the word "spelunk," meaning to explore natural caves. Customers talk about crawling through systems and trying to understand what their machines are doing. Now Splunk is often used as a verb: "I'm going to splunk the data center."

Additional tips:
- Splunk is one of the fastest growing software companies in Silicon Valley. Not a start-up: Splunk is a high-growth, private company with over 1,750 customers in 68 countries, doubling year-to-year including in 2009.
- Do advance prep: know the CSO's pain points, issues, previous security and compliance incidents, how they are paid, SLA commitments, and so on.

