Jens Ihnow
Manager, Cloud Operations Europe @ Adobe
Where Did That Instance Go? How to optimize Security and Compliance
Andrew Morris
EMEA Splunk Cloud Director
@andrewmorris_uk
#Splunk
Turning Machine Data into Operational Intelligence
INDEX ANY MACHINE DATA: ANY SOURCE, TYPE, VOLUME
Sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Deployment: On-Premises, Private Cloud, Public Cloud
GAIN REAL-TIME VISIBILITY
Apps & Solutions: Report & analyze, Custom dashboards, Monitor and alert, Ad hoc search
Platform for Machine Data
Solution areas: Application Delivery; Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things; IT Operations
Data inputs: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop
The Use Cases for Operational Intelligence
Platform for Operational Intelligence
The Splunk Portfolio
900+ Apps and Add-Ons
Splunk Premium Solutions
Data inputs: Mainframe Data, Relational Databases, Mobile, SaaS, IaaS, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop
The Four Principles of Splunk Cloud
Instant
Secure
Reliable: 100% Uptime SLA
Hybrid
Splunk Cloud Available Worldwide
Why UCAS use Splunk for Cloud Management
Splunk AWS & Azure apps for cloud migration
Exec & IT insight with NOC dashboards
Students placed at right university
Network, IaaS & cloud troubleshooting
How Sophos Uses Splunk Cloud For An Analytics Driven SOC
Sophos: security in the cloud, UK; Splunk powers their SOC
Security analytics driven SOC to protect the business
Splunk Cloud delivered from within EU as SaaS
Splunk for real-time reporting, alerting & investigation
How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud
On-time efficiency & dramatic queue reduction with 925 flights per day
Real-time, predictive airfield analytics delivered on mobile app & Apple Watch
Data from airport gates, boarding pass scans, x-ray, travel, passenger flow
Security Operations
IT Operations
Business Operations
With Splunk as your enterprise data platform: different people asking different questions of the same data
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Where Did That Instance Go? How to optimize Security and Compliance
Jens Ihnow | Manager Cloud Operations Europe
CHANGING THE WORLD THROUGH DIGITAL EXPERIENCES
ADOBE.IO
PRIVATE, PUBLIC OR HYBRID CLOUD
CORE TECHNOLOGIES
ADOBE CLOUD PLATFORM
CONTENT DATA
Security & Compliance using Splunk
Security vs. Compliance
Compliance is NOT Security and Security is NOT Compliance
Adobe “Common Control Framework”
Clear guidance to all of our product and services teams
1000 requirements rationalized down to about 200 Adobe-specific controls
Security
Compliance
Answering controls with data
Data is created every second
Authentication logs
Change logs (deployments, builds, …)
Audit logs
Transaction logs
…
The needle in the haystack
Thousands of servers / instances / containers
Multi regions / data centers
Multi environments (Development, Staging, Production)
Up-/downscaling (short-lived infrastructure)
At Adobe we use Splunk to find evidence and answer controls
Picture by Jens Ihnow
Splunk to aggregate them all
Data sources feeding Splunk:
AWS: CloudTrail, load balancer logs, …
Adobe applications: security, performance, …
Build & deployment: builds, deployments, …
Security: threat intelligence, …
Splunk: Search, Enterprise Security, AWS App, Compliance App, …
Outputs: Alerts, Dashboards, Search, Reports, (Archiving)
Types of logs indexed
AWS ELB logs
AWS Cloudtrail logs
AWS Flow logs (work in progress)
AWS ...
Chef
Elasticsearch Yes we do! ;-)
Evident.io
Nginx & HAProxy & Tomcat & ...
MongoDB
Windows Event Logs
Custom logs like:
Application logs (e.g. Java Containers)
Transaction logs
Deployment / Audit trails
...
Splunk environments running on AWS
Clusters deployed in many AWS regions, the same regions as the Adobe applications
Adobe Managed, not Splunk Cloud
Thousands of Forwarders
Different cluster setups:
High Volume
Low Volume
Special clusters & search heads for:
AWS Cloud Trail
API access
Enterprise Security
…
Sandbox
Architecture: Forwarding & Receiving + Deployment Server
Application x, Application y, Application z
Corporate Splunk
Splunk on AWS architecture
Shared services: Single Sign On, License Master, Deployment Server
High Volume cluster: ELB, Search Heads, Cluster Master, indexers IDX-1, IDX-2, IDX-3, IDX-4, IDX … IDX-60
Low Volume cluster: ELB, Search Heads (API), Cluster Master, indexers IDX-1, IDX-2, IDX-3, IDX-4, IDX … IDX-25
Splunk Use case examples
AWS Cloudtrail - Splunk App for AWS
Cloudtrail records AWS API activity:
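The slide only says that CloudTrail records AWS API activity; what the "needle in the haystack" section asks for is evidence about instances that no longer exist. The following is an added example (not Adobe's or Splunk's code) that reconstructs a per-instance lifecycle from RunInstances and TerminateInstances events, so an auditor can show who launched and who terminated a short-lived instance, when, in which region and from which address. The records are constructed sample data laid out like public CloudTrail records (eventTime, eventName, eventSource, awsRegion, userIdentity.arn, sourceIPAddress, requestParameters, responseElements); the account id, ARNs and instance ids are placeholders.

```python
"""Rebuild instance lifecycles from CloudTrail records (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records; account id, ARNs and instance ids are placeholders.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2016-04-01T08:00:12Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "m4.large"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0a1b2c3d4e5f60001"},
         {"instanceId": "i-0a1b2c3d4e5f60002"}]}}},
    {"eventTime": "2016-04-01T09:30:45Z", "eventName": "TerminateInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0a1b2c3d4e5f60001"}]}},
     "responseElements": None},
    {"eventTime": "2016-04-01T22:15:03Z", "eventName": "TerminateInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0a1b2c3d4e5f60002"}]}},
     "responseElements": None},
]})


def _instance_ids(container):
    """Instance ids from an instancesSet structure, or [] when the field is absent."""
    if not container:
        return []
    items = container.get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items if "instanceId" in item]


def build_lifecycle(cloudtrail_json):
    """Map instanceId -> {"launched": actor, "terminated": actor}.

    Launch ids come from responseElements (the API returns the new ids);
    termination ids come from requestParameters (the caller names them).
    """
    lifecycle = defaultdict(dict)
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        actor = {"time": rec["eventTime"],
                 "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
                 "source_ip": rec.get("sourceIPAddress", "unknown"),
                 "region": rec.get("awsRegion", "unknown")}
        if rec["eventName"] == "RunInstances":
            for iid in _instance_ids(rec.get("responseElements")):
                lifecycle[iid]["launched"] = actor
        elif rec["eventName"] == "TerminateInstances":
            for iid in _instance_ids(rec.get("requestParameters")):
                lifecycle[iid]["terminated"] = actor
    return dict(lifecycle)


def lifetime_seconds(entry):
    """Seconds between launch and termination, or None if either end lies outside the log window."""
    if "launched" not in entry or "terminated" not in entry:
        return None
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = datetime.strptime(entry["launched"]["time"], fmt)
    end = datetime.strptime(entry["terminated"]["time"], fmt)
    return int((end - start).total_seconds())


def actor_mismatches(lifecycle):
    """Ids terminated by a different principal than the launcher, or with no launch on record."""
    flagged = []
    for iid, entry in sorted(lifecycle.items()):
        launched, terminated = entry.get("launched"), entry.get("terminated")
        if terminated and (launched is None or launched["actor"] != terminated["actor"]):
            flagged.append(iid)
    return flagged


def evidence_report(lifecycle):
    """One line per instance, the kind of evidence a control review asks for."""
    lines = []
    for iid, entry in sorted(lifecycle.items()):
        l, t = entry.get("launched"), entry.get("terminated")
        region = (l or t or {}).get("region", "?")
        lines.append(f"{iid} region={region} "
                     f"launched={l['time'] if l else '?'} by={l['actor'] if l else '?'} "
                     f"terminated={t['time'] if t else '?'} by={t['actor'] if t else '?'} "
                     f"lifetime_s={lifetime_seconds(entry)}")
    return lines


if __name__ == "__main__":
    for line in evidence_report(build_lifecycle(SAMPLE_RECORDS)):
        print(line)
```

In the sample data the second instance is terminated by a different user than the one that launched it, which `actor_mismatches` surfaces; an instance whose launch predates the retained CloudTrail window is reported the same way, with `lifetime_s=None`, rather than being silently dropped.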
Amazon Elastic Load Balancer
Use of SSL Ciphers
“Activities by AWS”:
Available data:
• timestamp
• elb
• client:port
• backend:port
• request_processing_time
• backend_processing_time
• response_processing_time
• elb_status_code
• backend_status_code
• received_bytes
• sent_bytes
• "request"
• "user_agent"
• ssl_cipher
• ssl_protocol
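The slide lists the ELB access log fields and names "use of SSL ciphers" as the use case. As an added example (not Adobe's or Splunk's code), here is a parser for lines in that field order together with a check that reports which clients still negotiate protocols or ciphers outside a stated policy. The log lines and the policy (TLSv1.2 only, no RC4/DES/MD5/NULL/EXPORT suites) are constructed for this example; a plain-HTTP listener logs "-" for ssl_cipher and ssl_protocol, and a failed backend connection logs a backend of "-" with -1 processing times, both of which the parser accepts.

```python
"""Parse classic ELB access log lines and report TLS protocol/cipher use (added example)."""
import re
from collections import Counter

# Field order as listed on the slide; request and user_agent are double-quoted.
ELB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_processing_time>\S+) (?P<backend_processing_time>\S+) '
    r'(?P<response_processing_time>\S+) (?P<elb_status_code>\S+) '
    r'(?P<backend_status_code>\S+) (?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$'
)

# Constructed sample lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = """\
2016-04-01T10:00:01.123456Z prod-web-elb 203.0.113.5:51234 10.0.1.20:443 0.000070 0.004100 0.000050 200 200 312 5120 "GET https://www.example.com:443/login HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-04-01T10:00:02.223456Z prod-web-elb 198.51.100.9:44210 10.0.1.21:443 0.000065 0.003900 0.000048 200 200 280 4880 "POST https://www.example.com:443/api/v1/order HTTP/1.1" "curl/7.38.0" DHE-RSA-AES128-SHA TLSv1
2016-04-01T10:00:03.323456Z prod-web-elb 192.0.2.77:39000 10.0.1.20:443 0.000080 0.004300 0.000051 200 200 300 5010 "GET https://www.example.com:443/ HTTP/1.1" "legacy-client/1.0" RC4-SHA TLSv1
2016-04-01T10:00:04.423456Z prod-web-elb 203.0.113.8:51240 10.0.1.22:80 0.000060 0.001000 0.000045 301 301 150 220 "GET http://www.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2016-04-01T10:00:05.523456Z prod-web-elb 203.0.113.9:51250 - -1 -1 -1 504 0 400 0 "GET https://www.example.com:443/slow HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
"""

# Constructed policy for this example: only TLSv1.2, and no suites carrying these markers.
ALLOWED_PROTOCOLS = {"TLSv1.2"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def parse_elb_line(line):
    """Return a dict of the 15 fields with numeric fields converted, or None if the line does not match."""
    m = ELB_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("request_processing_time", "backend_processing_time",
                "response_processing_time"):
        rec[key] = float(rec[key])          # -1 marks a failed backend connection
    rec["received_bytes"] = int(rec["received_bytes"])
    rec["sent_bytes"] = int(rec["sent_bytes"])
    return rec


def parse_elb_log(text):
    """Parse every well-formed line; malformed lines are skipped rather than aborting the run."""
    return [r for r in (parse_elb_line(l) for l in text.splitlines()) if r]


def tls_summary(records):
    """Count HTTPS requests by (protocol, cipher); '-' means a plain-HTTP listener and is skipped."""
    return Counter((r["ssl_protocol"], r["ssl_cipher"])
                   for r in records if r["ssl_protocol"] != "-")


def out_of_policy(records):
    """Clients whose negotiated protocol or cipher falls outside the policy above."""
    hits = []
    for r in records:
        if r["ssl_protocol"] == "-":
            continue
        weak_protocol = r["ssl_protocol"] not in ALLOWED_PROTOCOLS
        weak_cipher = any(marker in r["ssl_cipher"] for marker in WEAK_CIPHER_MARKERS)
        if weak_protocol or weak_cipher:
            hits.append({"client": r["client"].rsplit(":", 1)[0],
                         "user_agent": r["user_agent"],
                         "protocol": r["ssl_protocol"],
                         "cipher": r["ssl_cipher"]})
    return hits


if __name__ == "__main__":
    recs = parse_elb_log(SAMPLE_LOG)
    for (proto, cipher), n in sorted(tls_summary(recs).items()):
        print(f"{n:>5}  {proto:<8} {cipher}")
    for hit in out_of_policy(recs):
        print("out of policy:", hit)
```

The summary is what a compliance dashboard would chart over time; the out-of-policy list is what you need before tightening the listener's security policy, because it names the clients (by address and user agent) that would break when TLSv1 is switched off.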
Compliance Tracking of build and deployment
Logging deployed on all workflows (build, deploy, run, …)
Custom log format
Now Compliance is going to be "interesting"!
Cloud Infrastructure Security for AWS by evident.io
Visibility and transparency – a very old problem
Dashboards:
Usually Application / infrastructure
Sometimes Security
But what about Compliance?
Reporting:
Scheduled reports (e.g. daily overview)
Alerting:
Pager
Launch of Incidents / Problems
Picture by Jens Ihnow
References
Adobe CCF Whitepaper & Video - http://adobe.ly/1RbIO3A
Splunk - http://www.splunk.com
Splunk Cloud - http://www.splunk.com/de_de/cloud.html
Splunk App for AWS - http://splk.it/1WQU24g
Splunk Enterprise Security - http://splk.it/1UDSSEf
Splunk App for Compliance - http://splk.it/1U9wxkb