Copyright©2016Splunk Inc.

ManagingInformationCollaborationwithDecentralizedSplunkInfrastructure

BryanSchaefer,MSISA,CISSPSuccessAdvisoryEngineer,Splunk

DisclaimerDuringthecourseofthispresentation,wemaymakeforwardlookingstatementsregardingfutureeventsortheexpectedperformanceofthecompany.Wecautionyouthatsuchstatementsreflectourcurrentexpectationsandestimatesbasedonfactorscurrentlyknowntousandthatactualeventsorresultscoulddiffermaterially.Forimportantfactorsthatmaycauseactualresultstodifferfromthosecontainedinourforward-lookingstatements,pleasereviewourfilingswiththeSEC.Theforward-lookingstatementsmadeinthethispresentationarebeingmadeasofthetimeanddateofitslivepresentation.Ifreviewedafteritslivepresentation,thispresentationmaynotcontaincurrentoraccurateinformation.Wedonotassumeanyobligationtoupdateanyforwardlookingstatementswemaymake.Inaddition,anyinformationaboutourroadmapoutlinesourgeneralproductdirectionandissubjecttochangeatanytimewithoutnotice.Itisforinformationalpurposesonlyandshallnot,beincorporatedintoanycontractorothercommitment.Splunkundertakesnoobligationeithertodevelopthefeaturesorfunctionalitydescribedortoincludeanysuchfeatureorfunctionalityinafuturerelease.

2

about.speakerSuccessAdvisoryEngineerforSplunk– LargeCivilianAgency&allsubagencies

PriorSecurityArchitectwhofellintorunninga2.5TBglobalSplunkinstanceSt.Louisnative,justrelocatedtoMDthisyearPriorNavy,lovedbeingatseaEmail:brschaefer@splunk.com– TherearetwoBryanSchaefer’satSplunk.

Bryan Schaefer

Agenda

SIEMTransition

DecentralizedArchitectureOptions

OrganizationalCollaboration

SecurityDataSharing

TopicsNotCoveredChargebackModelsHardwareRecommendations/Requirements/CostsManagedSplunkAsaServiceProviderHowtoWinFriendsandInfluencePeopleWorldPeace

Sowhyarewehere?Youmightbealargeagencywith42separateorganizationalunitseachusingSplunk,andyouwantasingleviewofthewhoenvironment?Perhapsyou’renotthatlarge,butstillhavemultipleteamsrunningdisparateSplunkinstancesthatyouneedtocorrelatedatabetweenMaybeyou’reattemptingtofigureouthowyourorganizationthinksaboutdatasharing?Oryoucouldjustbecuriousandwanttolearnandshareyourknowledgewhenyougetback?

SplunkSIEMtoSAPRoadmap

SIEMAugmentation

SIEMReplacement

FrameworkMaturity

SecurityAnalytics

Maturity

Effectiveness

Definesuccessviamaturitysteps&cleargoalsforeachphase.Setmilestonestodefinewhenyou’rereadytomovefromonesteptothenext.

SIEMTransitionApproachESimplementationasablankcanvas– Lotsofoutoftheboxmaterial,maynotalwaysapplytoyourusage

DefinewhatmustworkDay-1,currentreports,andmetrics– Getthoseimplementedfirstsothatyoucanmigrate

DefineaframeworkandmaturitymodelforyourSOC– Setusecases,priority,datarequirements,andmeasureprogress

PlanprogressionfromSIEMtoSAP– Thinkmorearoundanalytics,usingnon-securitylogstodrivesecurity

SplunkArchitectureBasicEnterpriseDesignSearchEntities:SearchHeads,SearchHeadClustersDataStorage:Indexers,IndexerClusters,HunkForwarders:UniversalForwarder,HeavyForwarder,REST,HEC,HunkAuxiliarySystems:LicenseMaster,DeploymentServer,MonitoringConsole,SearchHeadDeployer,IndexerClusterMasterApps&TA’s:– configurationcontainersforingesting,storing,parsing,

dashboarding,searching,reporting

DesignOptionsSplunkCentralization– OneSplunkforEveryone

SearchPeering– Groupscansearchothergroup’sSplunk

SegmentedPeering– SegmentingIndexerstosharedvs.notshared

ParallelIngest– Groupsingestthesamedatasourcesinparallel

SearchPeeringDesign• CentralSOCoperatesSplunkinternallytostore

notableeventsandinternallogs• DivisionallowsCSOCtosearchagainstinternal

indexers• Singlerecordismaintained,CSOCandDivision

canmonitorsearchutilization• CSOChasaccesstoalldataatDivision,notjust

“agreedsources”,mustmaintainproperaccesscontrolseparateofDivision.

• CSOCwillneedtonormalizeindexnamesacrossentireorganization.

• DataModelAccelerationscanbeproblematic

Simplesttechnicalmodel,requiresmostcooperation

SegmentedPeeringDesignCentralSOCoperatesSplunkinfrastructureatDivision.Dataisindexedonce.Datasourcesaresegmentedbyusecase,andallshareddatasourcesgointothe“enclave”Splunk.Bothgroupsthensearchasinglecopyoftheshareddata.Thedivisionoperatesit’sownsearchtierandindexingfornon-shareddata.Accesscontrolisenforcedbyarchitecture,centralSOCcannotreadinternaldivisiondata,divisioncanonlyseetheirsecuritydata.ThedivisionandCentralSOCcanmonitorsearchloadandperformanceofsharedindexers.

Indexonce,searchmultipletimes,segmentsdatasources

ParallelIngestDesignCentralSOCoperatesSplunkinfrastructureatDivision.Dataisindexedtwice.Datasourcesaresegmentedbyusecase,andallshareddatasourcesgointothe“enclave”Splunk.DataisindexedinCSOCandDivision.Nosharedinfrastructure,CSOCmustmonitordatasourcehealth.Organizationmustdecidewhichenvironmenthosts“authoritativerecord”andseparateretentionpolicies.Alternatively,theDivision’sHeavyForwardersandIndexerscanforwarddatatotheCSOCinsteadofthedownstreamforwarders.

Mostcomplexandexpensive,highlikelihoodtofail

DecentralizedOperationsDecisionsDecidewhatusecasesareneedacentralizedview– IOCsweeps,L1securitymonitoring,auditing,securityposture

DecidewhereauthoritativerecordwillresideWheredoesdataphysicallyneedtobeDeterminedownstreamconsiderationsandaccesscontrolSetpolicyregardingavailability,access,servicerequirements– DOTHISEARLY

DeterminewhoneedsDataModelAccelerationandonwhatdata.– Thisisbig,asithasrealhardwareimplications.

OrganizationConsiderationsAccessControl– Whoneedstoaccesswhat?Whatneedstobesharedvsquarantined?Anything

“toosensitive”?

CenterofExcellenceModel– Howcaneveryoneworktogether?WhoistheinternalPM,architect?– Whoistrained?Tracktrainingofalladminsandkeyanalysts.

MetricsReporting– Howdoyoumeasuresuccess?Whocaresaboutsuccess?

OperatingatLargeScaleUseeventtypes!– Groupbyorg,setaccess

controlaroundSplunkservers

GetlocalizedTA’sfromdatasharinggroupsStartusingDataModelsearly– Populatewitheventtypes,get

fieldsnormalized

eventtype=group1_indexerssplunk_server=group1*

eventtype=all_indexerseventtype=group*_indexers

eventtype=group1_firewalls(eventtype=group1_indexers index=secsourcetype=fw)

eventtype=firewallseventtype=group*_firewalls

DataModel=Network

Eventtype=group*_network

TwoThingstoAvoidInceptionSplunk– Striveforasfewlayersaspossible.– Determineifaninstanceis“too

small”andcanbeconsolidated.

“Wheredidthedatago?”– Determine“whocares”fordata

sources– Monitordatainputsreligiously!– Findnormal,andreportoutsideof

that

AdditionalInformationWhitepapercomingSplunkMulti-tenancy– http://blogs.splunk.com/2011/11/04/splunk-and-multitenancy/

SplunkMSaaS Concept– http://blogs.splunk.com/2016/01/22/msaas-a-conceptual-multi-splunk-

architecture-framework-for-multitenant-splunk-deployments-for-msps-mssps-and-enterprises/

TypicalDeploymentCharacteristics– http://docs.splunk.com/Documentation/Splunk/6.5.0/Deploy/Deploymentcharac

teristics

Announcements

.conf2017iscomingtoWashington,D.C.!

20

September25-28,2017WalterE.WashingtonConventionCenter

Reserveyourseatfor.conf2017nowthroughNovember30th togetthesupersaverdiscount!

Reserveyourspottoday,paylater!

SignUpToday:http://live.splunk.com/LP=1822

Afterregistrationopens,youwillhave60daystocompleteyourregistrationtosecurethesupersaverrate.

VisittheInformationKioskintheSolutionPavilion!

SupportOperationHomefront!

21

EarnYour6SponsorBadges!Splunk willdonate$10Dollarsto OperationHomefront’s HolidayMealsforMilitaryFamiliesProgram

foreveryattendeethatcompletestheirmissionofearning6sponsor badges.Theprogramwillprovidemealstoour localmilitaryfamiliesthisholidayseason.

Plusabonus ifwehit350 numberofcompletedmissions.Splunkwilldouble the$3,500donation to$7,000!

Workshops:GetSplunkHands-onExperienceAttendaSplunk Workshop

UpcomingScheduleDecember1:IntroductiontoSplunkEnterprise

December14:IntroductiontoSplunkITTroubleshooting

January11:IntroductiontoSplunkEnterpriseSecurity

January11:NEW! DatabasePerformanceTuningandCapacityPlanningWorkshop

January25:IntroductiontoSplunkITServiceIntelligence

January25:NEW! SplunkforApplicationDevelopers

LocationSplunkOfficeMcLean,VA

Visithttp://www.doyouknowsplunk.com/workshops

VisittheInformationKioskintheSolutionPavilion!

SplunkUserGroups- ConnectwithLocalSplunkers

NorthernVirginiaMeetsthelast3rd Thursdayofeverymonthhttps://usergroups.splunk.com/group/northern-virginia-splunk-user-group.html

DCMeetsthelastWednesday ofeverymonthhttps://usergroups.splunk.com/group/washington-dc-splunk-user-group.html

BaltimoreMeetsthe3rd Mondayofeverymonthhttps://usergroups.splunk.com/group/baltimore-splunk-user-group.html

VisittheInformationKioskintheSolutionPavilion!

TaketheGovSummit PostEventSurvey!

24

Wevalueyourfeedback!TaketheposteventsurveyontheiPadsinthefoyerstartingat2:30pm!