Copyright © 2016 Splunk Inc.
Managing Information Collaboration with Decentralized Splunk Infrastructure
Bryan Schaefer, MSISA, CISSP, Success Advisory Engineer, Splunk
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
About the speaker
Success Advisory Engineer for Splunk – Large Civilian Agency & all sub-agencies
Prior Security Architect who fell into running a 2.5TB global Splunk instance
St. Louis native, just relocated to MD this year
Prior Navy, loved being at sea
Email: [email protected] – There are two Bryan Schaefers at Splunk.
Bryan Schaefer
Agenda
SIEM Transition
Decentralized Architecture Options
Organizational Collaboration
Security Data Sharing
Topics Not Covered
Chargeback Models
Hardware Recommendations/Requirements/Costs
Managed Splunk as a Service Provider
How to Win Friends and Influence People
World Peace
So why are we here?
You might be a large agency with 42 separate organizational units each using Splunk, and you want a single view of the whole environment? Perhaps you're not that large, but still have multiple teams running disparate Splunk instances that you need to correlate data between. Maybe you're attempting to figure out how your organization thinks about data sharing? Or you could just be curious and want to learn and share your knowledge when you get back?
Splunk SIEM to SAP Roadmap
(figure: roadmap stages SIEM Augmentation, SIEM Replacement, Framework Maturity, Security Analytics, plotted on axes of Maturity and Effectiveness)
Define success via maturity steps & clear goals for each phase. Set milestones to define when you're ready to move from one step to the next.
SIEM Transition Approach
ES implementation as a blank canvas – Lots of out of the box material, may not always apply to your usage
Define what must work Day-1, current reports, and metrics – Get those implemented first so that you can migrate
Define a framework and maturity model for your SOC – Set use cases, priority, data requirements, and measure progress
Plan progression from SIEM to SAP – Think more around analytics, using non-security logs to drive security
Splunk Architecture: Basic Enterprise Design
Search Entities: Search Heads, Search Head Clusters
Data Storage: Indexers, Indexer Clusters, Hunk
Forwarders: Universal Forwarder, Heavy Forwarder, REST, HEC, Hunk
Auxiliary Systems: License Master, Deployment Server, Monitoring Console, Search Head Deployer, Indexer Cluster Master
Apps & TA's – configuration containers for ingesting, storing, parsing, dashboarding, searching, reporting
Design Options
Splunk Centralization – One Splunk for Everyone
Search Peering – Groups can search other group's Splunk
Segmented Peering – Segmenting Indexers to shared vs. not shared
Parallel Ingest – Groups ingest the same data sources in parallel
Search Peering Design
• Central SOC operates Splunk internally to store notable events and internal logs
• Division allows CSOC to search against internal indexers
• Single record is maintained, CSOC and Division can monitor search utilization
• CSOC has access to all data at Division, not just "agreed sources", must maintain proper access control separate of Division.
• CSOC will need to normalize index names across entire organization.
• Data Model Accelerations can be problematic
Simplest technical model, requires most cooperation
Segmented Peering Design
Central SOC operates Splunk infrastructure at Division. Data is indexed once. Data sources are segmented by use case, and all shared data sources go into the "enclave" Splunk. Both groups then search a single copy of the shared data. The division operates its own search tier and indexing for non-shared data. Access control is enforced by architecture: central SOC cannot read internal division data, division can only see their security data. The division and Central SOC can monitor search load and performance of shared indexers.
Index once, search multiple times, segments data sources
Parallel Ingest Design
Central SOC operates Splunk infrastructure at Division. Data is indexed twice. Data sources are segmented by use case, and all shared data sources go into the "enclave" Splunk. Data is indexed in CSOC and Division. No shared infrastructure, CSOC must monitor data source health. Organization must decide which environment hosts "authoritative record" and separate retention policies. Alternatively, the Division's Heavy Forwarders and Indexers can forward data to the CSOC instead of the downstream forwarders.
Most complex and expensive, high likelihood to fail
Decentralized Operations Decisions
Decide what use cases need a centralized view – IOC sweeps, L1 security monitoring, auditing, security posture
Decide where authoritative record will reside
Where does data physically need to be
Determine downstream considerations and access control
Set policy regarding availability, access, service requirements – DO THIS EARLY
Determine who needs Data Model Acceleration and on what data. – This is big, as it has real hardware implications.
Organization Considerations
Access Control – Who needs to access what? What needs to be shared vs quarantined? Anything "too sensitive"?
Center of Excellence Model – How can everyone work together? Who is the internal PM, architect? – Who is trained? Track training of all admins and key analysts.
Metrics Reporting – How do you measure success? Who cares about success?
Operating at Large Scale
Use eventtypes! – Group by org, set access control around Splunk servers
Get localized TA's from data sharing groups
Start using Data Models early – Populate with eventtypes, get fields normalized
eventtype=group1_indexers    splunk_server=group1*
eventtype=all_indexers       eventtype=group*_indexers
eventtype=group1_firewalls   (eventtype=group1_indexers index=sec sourcetype=fw)
eventtype=firewalls          eventtype=group*_firewalls
Data Model=Network           eventtype=group*_network
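As an added example (not configuration from the deck), the eventtype layering above written out as Splunk configuration: eventtypes.conf for the per-group and organization-wide eventtypes, tags.conf so the normalized layer feeds the CIM Network_Traffic data model, and an authorize.conf role whose search filter is pinned to one group's indexers. The group2 stanzas, the index and sourcetype names (sec, fw) and the role name are assumptions.

```ini
# eventtypes.conf (assumed app deployed to every search head): one eventtype per
# organizational unit, keyed on the indexers that unit owns.
[group1_indexers]
search = splunk_server=group1*

[group2_indexers]
search = splunk_server=group2*

# Organization-wide eventtype built from the per-group ones with a wildcard,
# so onboarding a new group never touches the "all" definition.
[all_indexers]
search = eventtype=group*_indexers

# Data-source eventtypes layer on the indexer eventtypes (index and sourcetype
# names are assumed).
[group1_firewalls]
search = eventtype=group1_indexers index=sec sourcetype=fw

[group2_firewalls]
search = eventtype=group2_indexers index=sec sourcetype=fw

[firewalls]
search = eventtype=group*_firewalls

# Normalized layer that the data model is populated from.
[group1_network]
search = eventtype=group1_firewalls

[group2_network]
search = eventtype=group2_firewalls

# tags.conf: tag the normalized eventtypes so the CIM Network_Traffic data model
# (constraint tag=network tag=communicate) picks them up for acceleration.
[eventtype=group1_network]
network = enabled
communicate = enabled

[eventtype=group2_network]
network = enabled
communicate = enabled

# authorize.conf: a division-scoped role (name assumed) whose searches are pinned
# to that group's indexers by the role itself, not just by eventtype convention.
[role_group1_analyst]
importRoles = user
srchIndexesAllowed = sec
srchIndexesDefault = sec
srchFilter = splunk_server=group1*
```

Because all_indexers and firewalls are wildcard references, a new group only needs its own group<N>_indexers and group<N>_firewalls stanzas plus the two tag lines.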
Two Things to Avoid
Inception Splunk – Strive for as few layers as possible. – Determine if an instance is "too small" and can be consolidated.
"Where did the data go?" – Determine "who cares" for data sources – Monitor data inputs religiously! – Find normal, and report outside of that
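An added example, not part of the presentation, of the "find normal, report outside of that" input monitoring as a savedsearches.conf stanza: hourly event counts per index and sourcetype over the prior week form the baseline, and the last complete hour is flagged when it drops more than two standard deviations below that baseline or goes silent. The search name, the owner mapping and the mailbox addresses are constructed.

```ini
# savedsearches.conf stanza (search name assumed), scheduled 5 minutes past each
# hour. Baseline = hourly event count per index/sourcetype over the prior 7 days;
# only feeds seen in at least 120 of those 168 hours count as "steady", so daily
# or ad-hoc sources do not alert every hour. A steady feed is flagged when its
# last complete hour is more than 2 standard deviations below its baseline mean
# or has gone silent (0 events). Owner mapping and mailboxes are constructed.
[Data Input Silence Check]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -7d@h
dispatch.latest_time = @h
search = | tstats count where index=* by index, sourcetype, _time span=1h \
  | eval window=if(_time >= relative_time(now(), "-1h@h"), "current", "baseline") \
  | stats avg(eval(if(window=="baseline", count, null()))) as baseline_avg, \
          stdev(eval(if(window=="baseline", count, null()))) as baseline_sd, \
          count(eval(if(window=="baseline", count, null()))) as baseline_hours, \
          sum(eval(if(window=="current", count, 0))) as current_hour \
    by index, sourcetype \
  | fillnull value=0 baseline_sd current_hour \
  | where baseline_hours >= 120 \
  | where current_hour == 0 OR current_hour < baseline_avg - 2 * baseline_sd \
  | eval owner=case(match(index, "^group1"), "group1-admins@example.invalid", \
                    true(), "csoc@example.invalid") \
  | table index, sourcetype, baseline_hours, baseline_avg, baseline_sd, current_hour, owner
# Fire when the search returns at least one row; record it in Triggered Alerts.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
```

A feed that existed in the baseline but produced nothing in the last hour still yields a row with current_hour = 0, because the sum is taken over the baseline rows, so silent sources are caught rather than silently absent.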
Additional Information
Whitepaper coming
Splunk Multi-tenancy – http://blogs.splunk.com/2011/11/04/splunk-and-multitenancy/
Splunk MSaaS Concept – http://blogs.splunk.com/2016/01/22/msaas-a-conceptual-multi-splunk-architecture-framework-for-multitenant-splunk-deployments-for-msps-mssps-and-enterprises/
Typical Deployment Characteristics – http://docs.splunk.com/Documentation/Splunk/6.5.0/Deploy/Deploymentcharacteristics
Announcements
.conf2017 is coming to Washington, D.C.!
September 25-28, 2017, Walter E. Washington Convention Center
Reserve your seat for .conf2017 now through November 30th to get the super saver discount!
Reserve your spot today, pay later!
Sign Up Today: http://live.splunk.com/LP=1822
After registration opens, you will have 60 days to complete your registration to secure the super saver rate.
Visit the Information Kiosk in the Solution Pavilion!
Support Operation Homefront!
Earn Your 6 Sponsor Badges! Splunk will donate $10 to Operation Homefront's Holiday Meals for Military Families Program for every attendee that completes their mission of earning 6 sponsor badges. The program will provide meals to our local military families this holiday season.
Plus a bonus if we hit 350 completed missions: Splunk will double the $3,500 donation to $7,000!
Workshops: Get Splunk Hands-on Experience – Attend a Splunk Workshop
Upcoming Schedule
December 1: Introduction to Splunk Enterprise
December 14: Introduction to Splunk IT Troubleshooting
January 11: Introduction to Splunk Enterprise Security
January 11: NEW! Database Performance Tuning and Capacity Planning Workshop
January 25: Introduction to Splunk IT Service Intelligence
January 25: NEW! Splunk for Application Developers
Location: Splunk Office, McLean, VA
Visit http://www.doyouknowsplunk.com/workshops
Splunk User Groups – Connect with Local Splunkers
Northern Virginia: Meets the last 3rd Thursday of every month – https://usergroups.splunk.com/group/northern-virginia-splunk-user-group.html
DC: Meets the last Wednesday of every month – https://usergroups.splunk.com/group/washington-dc-splunk-user-group.html
Baltimore: Meets the 3rd Monday of every month – https://usergroups.splunk.com/group/baltimore-splunk-user-group.html
Take the Gov Summit Post Event Survey!
We value your feedback! Take the post event survey on the iPads in the foyer starting at 2:30pm!