Partner Solutions: Splunk - Cloud Is a Journey. Make Splunk Your Partner

Uploaded by amazon-web-services, posted on 09-Jan-2017 (category: Technology)

TRANSCRIPT

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Kelvin Yeung, Senior Architect, Splunk

June 17, 2016

Cloud Is a Journey. Make Splunk Your Partner

Splunk Company Overview

Company
•  Global HQs: San Francisco, London, Hong Kong
•  2,100+ employees globally
•  Annual Revenue: $668.4M (YoY +49%)
•  NASDAQ: SPLK

Products
•  Free trial to massive scale
•  Splunk products: Splunk Enterprise, Splunk Cloud, Hunk, Splunk Light, Splunk MINT, Premium Solutions

Customers
•  11,000+ customers
•  Across 110+ countries
•  Small to large organizations
•  More than 80 of the Fortune 100
•  Largest license: 1+ Petabytes/day

Gartner Technology Priorities for CIOs in 2016

1. BI/Analytics
2. Cloud
3. Mobile
4. Digitization/Digital Marketing
5. Infrastructure & Data Centre
6. ERP
7. Security
8. Industry Specific Applications
9. CRM
10. Networking/Voice/Data Communications

Cloud Migration

(Slide diagram: technology stack layers SERVERS / STORAGE / NETWORKING, VIRTUALIZATION, INFRASTRUCTURE APPLICATIONS, PACKAGED APPLICATIONS and CUSTOM APPLICATIONS, with example components Identity, VPN, IP Phone, HR, Email, Finance, App Svr, DB and Web Svr.)

Cloud Migration: Considerations

(Slide diagram: the same stack, SERVERS / STORAGE / NETWORKING, VIRTUALIZATION, INFRASTRUCTURE APPLICATIONS, PACKAGED APPLICATIONS and CUSTOM APPLICATIONS, with components Identity, VPN, IP Phone, HR, Email, Finance, App Svr, DB and Web Svr, annotated with three considerations.)

Security & Compliance

Application Performance & SLAs

Operational Visibility

Your Application and Technology Stack span across Cloud & On Premise

Cloud Migration: Challenges

Application-Based Silos: Apps, Servers, Network, Storage

Zones of Virtualization, Private Cloud, Hybrid Cloud

Industry Leading Platform For Machine Data over Hybrid Cloud Environment

•  Machine Data: Any Location, Type, Volume
•  Platform Support (Apps/API/SDKs)
•  Enterprise Scalability
•  Universal Indexing
•  Answer Any Question: Custom dashboards, Report and analyze, Monitor and alert, Ad hoc search

Data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Deployment: On-Premises, Private Cloud, Public Cloud

Platform for Operational Intelligence

Splunk As Your Cloud Partner

Platform for Operational Intelligence

Rich Ecosystem of Apps & Add-Ons

Data inputs: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop

Premium solutions on the platform: Splunk Enterprise Security, Splunk IT Service Intelligence, Splunk Premium Solutions, Splunk App for AWS

Security & Compliance

(Platform for Operational Intelligence diagram repeated, highlighting Security & Compliance.)

Splunk for Enterprise Security

•  DETECT: Define rules to detect advanced threats
•  ENRICH INFORMATION: Unlimited context enrichment to qualify incidents fast
•  INVESTIGATE: Tailored to analyze & investigate incidents
•  RESPONSE: Enterprise-wide coordination & response

Simple solution for sophisticated enterprise scale security operations platform

(Functions: MONITOR, DETECT, INVESTIGATE, RESPOND)

Splunk's Approach to Security Challenges

PROCESS: Collect, Store, Analyze, Report, Ad hoc Search

1. Review   2. Determine   3. Decide   4. Act & Adapt

KEY FEATURES
•  Notable Events: SECURITY WORKFLOW SUPPORT
•  Search Management: EVENT CORRELATIONS
•  Asset, Identity, Others: SECURITY ENRICHED CONTEXT
•  Threat Info Management: THREAT INTELLIGENCE
•  Risk Scoring Framework: RISK BASED ANALYTICS
•  Views / Reports / Rules: OUT-OF-BOX SECURITY CONTENTS

Splunk Threat Intelligence Framework

“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

The Art of War – Sun Tzu

In order to succeed in the cyber war, it is critical to understand the hacking techniques used by attackers and the information on global threats.

Splunk Threat Intelligence Framework: Finding hidden IOCs using comprehensive threat intelligence mappings

COLLECT (INTEL SOURCES)
•  Multiple sources
•  Multiple transmission types
•  Multiple transports
•  Multiple data formats

MANAGE: Manage / Audit threat sources
•  List status
•  List mgmt.
•  List location

CATEGORIZE: Index, Extract, Categorize. IOC types:
1.  IP
2.  Emails
3.  URLs
4.  File names/hashes
5.  Process names
6.  Services
7.  Registry entries
8.  X509 Certificates
9.  Users

CORRELATE
•  Match all IOCs in existing log data
•  Generate alert for any matches
•  KSI and trends

SEARCH
•  Ad-hoc search, analyze, investigate, prioritize

Dashboards: Data Management, Security Dashboard, Correlation Data / Notable Events, Data Search
•  Threat intel indicator overview: Shows the overall posture of threat activities, to understand quickly the changes in the status of detected threat activities.
•  Threat intel trending overview: Shows trend changes of threat activities, including changes in the type of threats.
•  Detailed threat type activities: Shows detailed active threat types and associated assets, to understand what kind of threats are active in the network.
•  Active threat sources: Shows how active the different threat sources are, to understand and calibrate threat intel enhancements.

ES THREAT INTELLIGENCE FRAMEWORK
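As an added example (not Splunk's code and not from the deck), the CORRELATE step above in plain Python: extract IP, URL host, file-hash and user indicators from constructed log lines, match each against a constructed threat list, and emit a notable event per match plus per-type counts that a trending panel would chart. The threat list, list names and log lines are all made up.

```python
import re
from collections import Counter

# Constructed threat list (made-up sample values): indicator -> (IOC type, source list).
THREAT_LIST = {
    "203.0.113.77": ("ip", "sample-blocklist"),
    "bad-updates.example": ("domain", "sample-blocklist"),
    "0123456789abcdef" * 4: ("file_hash", "sample-hashes"),
    "svc_backup_old": ("user", "sample-disabled-accounts"),
}

# Extractors for a subset of the IOC types on the slide (IP, URL host, file hash, user).
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I),
    "file_hash": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "user": re.compile(r"\buser=(\S+)"),
}

def extract_indicators(line):
    """Return the set of (ioc_type, value) tokens found in one log line."""
    found = set()
    for ioc_type, rx in EXTRACTORS.items():
        for value in rx.findall(line):
            found.add((ioc_type, value.lower()))
    return found

def correlate(lines):
    """Match every line against the threat list; return notable events and per-type counts."""
    notables, counts = [], Counter()
    for n, line in enumerate(lines, 1):
        for ioc_type, value in sorted(extract_indicators(line)):
            entry = THREAT_LIST.get(value)
            if entry and entry[0] == ioc_type:   # type must agree: an IP entry never matches a user name
                notables.append({"line": n, "type": ioc_type,
                                 "indicator": value, "source": entry[1]})
                counts[ioc_type] += 1
    return notables, counts

# Constructed sample events (not real logs); one line per data source.
SAMPLE_LOGS = [
    "2016-06-17T10:01:02Z proxy user=alice dst=http://bad-updates.example/payload.bin action=allowed",
    "2016-06-17T10:01:05Z fw src=10.0.0.5 dst=203.0.113.77 dport=443 action=accept",
    "2016-06-17T10:02:11Z edr host=ws-042 user=bob sha256=" + "0123456789abcdef" * 4,
    "2016-06-17T10:03:40Z auth user=svc_backup_old result=success src=10.0.0.9",
    "2016-06-17T10:04:00Z fw src=10.0.0.6 dst=198.51.100.2 dport=80 action=accept",
]
```

Running `correlate(SAMPLE_LOGS)` yields one notable event for each of the first four lines and none for the fifth.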

Security Intelligence Use Cases

•  SECURITY & COMPLIANCE REPORTING
•  REAL-TIME MONITORING OF KNOWN THREATS
•  DETECTING UNKNOWN THREATS
•  INCIDENT INVESTIGATIONS & FORENSICS
•  FRAUD DETECTION
•  INSIDER THREAT

Comprehensive Security Intelligence Platform

Application Performance & SLAs

(Platform for Operational Intelligence diagram repeated, highlighting Application Performance & SLAs.)

End to End Service Monitoring is Required for Cloud

•  Component-level Health without Service Context (“Big Picture”)
•  The “Big Picture” without Correlation to Component-level details

Splunk IT Service Intelligence: Data-driven service monitoring and analytics

SPLUNK IT SERVICE INTELLIGENCE
•  Platform for Machine Data: Time-Series Index, Schema-on-Read, Data Model, Common Information Model
•  Dynamic Service Models
•  At-a-Glance Problem Analysis
•  Early Warning on Deviations
•  Simplified Incident Workflows

Achieve Service Visibility Faster
•  Service Analyzer: High-level view of services and composite health scores
•  Glass Tables: Personalized visualizations of your services
•  Deep Dives: Organized view of performance indicators across silos
•  Multi KPI Alerts: Correlation rules to generate notable events
•  Notable Events: Easy-to-understand report on results of correlation searches
•  Anomaly Detection and Adaptive Thresholds: Machine learning to baseline normal operations and identify anomalous behavior

Data Centric Approach

•  Hard-coded thresholds create false positives (for example: >85% CPU Utilization = Not Normal, always)
•  Collect and ingest historical and current data to learn the Normal of your business
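An added example, not from the slides, contrasting the hard-coded >85% CPU rule with a threshold learned per hour of day from constructed history (mean plus three standard deviations stands in for the deck's machine-learning baseline): the nightly backup peak stops alerting, and a daytime spike that the static rule misses is caught. The host data, the backup window and the k=3 choice are assumptions.

```python
from statistics import mean, pstdev

STATIC_LIMIT = 85.0   # the hard-coded ">85% CPU = not normal" rule from the slide

def constructed_history(days=7):
    """Constructed hourly CPU% history for one host (made-up data).

    The 02:00-03:00 backup window is routinely busy; the rest of the day is moderate.
    """
    history = []   # (hour_of_day, cpu_percent)
    for day in range(days):
        for hour in range(24):
            base = 90.0 if hour in (2, 3) else 35.0
            jitter = ((day * 24 + hour) * 7919) % 11 - 5   # deterministic noise in -5..+5
            history.append((hour, base + jitter))
    return history

def learn_baseline(history, k=3.0):
    """Adaptive threshold per hour of day: mean + k * stdev learned from history."""
    by_hour = {}
    for hour, cpu in history:
        by_hour.setdefault(hour, []).append(cpu)
    return {h: mean(v) + k * pstdev(v) for h, v in by_hour.items()}

def static_alert(hour, cpu):
    """Hard-coded rule: any reading above 85% is an alert, whatever the time of day."""
    return cpu > STATIC_LIMIT

def adaptive_alert(baseline, hour, cpu):
    """Data-driven rule: alert only when the reading exceeds that hour's learned normal."""
    return cpu > baseline[hour]

def compare(baseline, observations):
    """Return (static_alerts, adaptive_alerts) for a list of (hour, cpu) readings."""
    static = [(h, c) for h, c in observations if static_alert(h, c)]
    adaptive = [(h, c) for h, c in observations if adaptive_alert(baseline, h, c)]
    return static, adaptive

# Constructed readings: a normal backup-window peak, a daytime spike, a quiet mid-morning hour.
OBSERVATIONS = [(2, 92.0), (14, 60.0), (9, 40.0)]
```

With the constructed history, `compare(learn_baseline(constructed_history()), OBSERVATIONS)` flags only the 02:00 reading under the static rule and only the 14:00 reading under the learned baseline.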

Operational Visibility

(Platform for Operational Intelligence diagram repeated, highlighting Operational Visibility.)

Splunk App for AWS

AWS Data Sources: EC2, EMR, Kinesis, R53, VPC, ELB, S3, CloudFront, CloudTrail, CloudWatch, Redshift, SNS, API Gateway, Config, RDS, CF, IAM, Lambda

Explore, Analyze, Dashboard, Alert, Act

Comprehensive AWS Visibility

Splunk App for AWS: The Data

•  AWS CloudTrail
   –  Service that delivers logs of admin activity on AWS infrastructure
   –  Examples: Start/Stop/Create instance; Change of user roles/rights; Modification of network configuration
   –  Delivers log files to customers; no UI, display, analysis, search
•  AWS Config
   –  Provides resource inventory
   –  Provides configuration history & change information
   –  Enables security & governance
•  Amazon CloudWatch Metrics
   –  IP traffic information to/from VPC network interfaces
   –  Data stored and accessible from AWS CloudWatch Logs
•  Amazon CloudWatch VPC Flow Logs
   –  IP traffic information to/from VPC network interfaces
   –  Data stored and accessible from AWS CloudWatch Logs
•  AWS Access Logs
   –  Elastic Load Balancing (ELB)
   –  CloudFront CDN
   –  S3
•  AWS Billing
   –  Current Month via CloudWatch metrics
   –  Monthly Detailed Billing
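An added example (not part of the Splunk App for AWS) showing what "logs of admin activity" with "no UI, analysis, search" look like once parsed: it reads a constructed CloudTrail log file and sorts records into the three admin-activity kinds the slide lists. The grouping of API names into categories, the account id and the records themselves are assumptions.

```python
import json

# CloudTrail eventName values grouped by the three admin-activity examples on the slide.
# The API names are real; which names belong to which category is this example's own choice.
CATEGORIES = {
    "instance_lifecycle": {"RunInstances", "StartInstances", "StopInstances", "TerminateInstances"},
    "user_rights_change": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                           "AddUserToGroup", "CreateRole", "UpdateAssumeRolePolicy"},
    "network_config_change": {"AuthorizeSecurityGroupIngress", "CreateSecurityGroup",
                              "ModifyVpcAttribute", "CreateRoute", "DeleteRoute"},
}

def classify(record):
    """Return the category of one CloudTrail record, or None if it is not admin activity of interest."""
    name = record.get("eventName", "")
    for category, names in CATEGORIES.items():
        if name in names:
            return category
    return None

def summarize(records):
    """Group records by category, keeping who acted, from where, and whether the call failed."""
    out = {}
    for rec in records:
        cat = classify(rec)
        if cat is None:
            continue
        out.setdefault(cat, []).append({
            "eventName": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "sourceIPAddress": rec.get("sourceIPAddress", ""),
            "failed": "errorCode" in rec,   # CloudTrail records denied calls with an errorCode field
        })
    return out

def load_records(text):
    """Parse the {"Records": [...]} envelope CloudTrail writes to S3."""
    return json.loads(text)["Records"]

# Constructed CloudTrail file (made-up account id, users and addresses).
ACCT = "123456789012"
SAMPLE_FILE = json.dumps({"Records": [
    {"eventTime": "2016-06-17T09:00:01Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ops-alice"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2016-06-17T09:05:42Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-bob"}, "sourceIPAddress": "203.0.113.5",
     "errorCode": "AccessDenied"},
    {"eventTime": "2016-06-17T09:07:13Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ops-alice"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2016-06-17T09:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-bob"}, "sourceIPAddress": "203.0.113.5"},
]})
```

`summarize(load_records(SAMPLE_FILE))` returns one entry per category and drops the read-only ListBuckets call; the denied AttachUserPolicy call is kept and marked as failed, which is exactly the kind of event worth a notable.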

Splunk App for AWS: The Value

•  Increase visibility into AWS resource utilization & user activity
•  Ensure adherence to security and compliance standards with a full audit trail
•  Understand AWS environmental dependencies through topology views
•  Monitor VPC traffic utilization for additional security insights
•  Cost Optimization through Monthly and Detailed Billing Dashboards

Splunk App for AWS Demo