SplunkLive! Nashville: Texas Roadhouse
TRANSCRIPT
Copyright © 2015 Splunk Inc.
Splunk at Texas Roadhouse
John Miller, Information Security Manager, Texas Roadhouse IT
A Bit About Me …
– I’m an old school BBSer, phreaker and general mayhem generator who STILL gets excited when the new issue of 2600 magazine comes out
– 20+ years “professional” experience networking or securing just about everything
– 30+ years “non-professional” experience trying to break networks to discover the how and why when it goes boom
– Have designed or secured networks ranging from Fortune 100 corporations to mom and pop stores, banks, police departments, prisons and government installations
– Always learning, testing and finding ways to both break things and fix them… sometimes with extra parts
About Texas Roadhouse
– 465 locations – 49 U.S. states, 4 foreign countries (Saudi Arabia, Kuwait, UAE, Taiwan)
– $1.6 billion in annual revenue
– 43,300 employees
What We’re Protecting
Always looking to improve security and visibility to protect proprietary and sensitive information across the organization
Internal data:
– Employee information
– Corporate information
– Financials
– Proprietary recipes
External data:
– Credit card data
– Customer information
Assets:
– Business process systems
– POS terminals
– Employee workstations
– Laptops
Security Challenges We Face
Variety of threats:
– Attacks against corporate entities
– Phishing / spear phishing attacks
– Social media phishing / hashtag hijack / account takeover
– POS malware
Diverse, dispersed endpoints:
– 8,000 endpoints in store locations – geographically dispersed! (POS devices, computers)
– 2,000 corporate endpoints (laptops / desktops / servers; infrastructure devices / security hardware and software; mobile devices)
– Small security team
SOX / PCI compliance
What I Stepped Into …
Situation:
– Using Splunk for many years – but not for security
– Event logging for PCI compliance
– General logging
– Multiple vendor interfaces for management
Impact:
– Security felt more reactive at times
– No idea what might be lurking in the network without touching multiple tool interfaces to research anomalies
Time to Roll Up My Sleeves
Humble beginnings:
– Looked through dozens of dashboards and streams from disparate apps and hardware front ends
Weaving the story:
– Looked for anomalies
– Stitched it all together to get a complete picture
Inherently flawed:
– Chasing one-off anomalies
– Manual correlations
– Ineffective use of time
– Potential to miss a lot of threats/malware
– No centralized visibility
– No centralized reporting
Why Splunk Enterprise Security?
Looked at QRadar, ArcSight, LogRhythm:
– Limited on what data can be ingested
– Difficult to impossible to customize
– Strict rule sets
Existing investment in Splunk:
– Leverage existing data store
– One interface to manage
Needed a big data tool that could handle security and non-security use cases
Splunk Helped Us Learn About Ourselves!
Much better idea of what was going on with the network and systems as a whole:
– More data
– More categories and blocks
New levels of visibility:
– Blacklisted sites
– Inappropriate lookups
– Malware on endpoints not caught by AV
– Insights into POS communications
Identified weak points
Single pane of glass = one stop shop!
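As an added illustration (this is not a search from the original deck or from Texas Roadhouse), the kind of Splunk search that turns the “blacklisted sites” and “inappropriate lookups” visibility above into a single result table: every proxy request whose destination matches a blacklist lookup, rolled up by destination and category with the endpoints that made the requests. The index name `web`, the sourcetype `proxy`, the fields `dest_host` and `src_ip`, and the lookup definition `blacklist_domains` (columns `domain`, `category`) are all assumptions and would be replaced with the site’s own names.

```spl
index=web sourcetype=proxy earliest=-24h
| eval dest_host=lower(dest_host)
| lookup blacklist_domains domain AS dest_host OUTPUT category
| where isnotnull(category)
| stats count AS hits dc(src_ip) AS endpoints values(src_ip) AS sources BY dest_host category
| sort - hits
```

Lower-casing `dest_host` before the lookup avoids missing matches on mixed-case hostnames; `dc(src_ip)` separates one noisy workstation from a destination that many endpoints are reaching, which is the distinction that matters when the same search is pointed at the POS segment.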
Additional Benefits
One tool for IT Ops and Security:
– All data allowed from any group
– Flexible and customizable
Visibility across the organization
[Diagram: Splunk platform use cases – IT Operations; Application Delivery; Developer Platform (REST API, SDKs); Business Analytics; Industrial Data and Internet of Things; Security, Compliance, and Fraud]
My Advice
Look at your options and choose what fits your talent pool:
– Customize dashboards
– Dig into data
– Perform complex searches
Legacy SIEMs wouldn’t let us do that!
Future Plans
Development team – to see if we can help them:
– Development process
– Developmental testing
More IT operations integration
Ticketing system integration
Active defense
Thank You