Jens Ihnow Manager, Cloud Operations Europe @ Adobe Where Did That Instance Go? How to optimize Security and Compliance Andrew Morris EMEA Splunk Cloud Director @andrewmorris_uk #Splunk

Page 1

Jens Ihnow

Manager, Cloud Operations Europe @ Adobe

Where Did That Instance Go? How to optimize Security and Compliance

Andrew Morris

EMEA Splunk Cloud Director

@andrewmorris_uk

#Splunk

Page 2

Turning Machine Data into Operational Intelligence

INDEX ANY MACHINE DATA: ANY SOURCE, TYPE, VOLUME

Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

On-Premises, Private Cloud, Public Cloud

GAIN REAL-TIME VISIBILITY

Apps & Solutions, Report & analyze, Custom dashboards, Monitor and alert, Ad hoc search

Page 3

The Use Cases for Operational Intelligence

Platform for Machine Data

Use cases: Application Delivery; Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things; IT Operations

Data inputs: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop

Page 4

The Splunk Portfolio

Platform for Operational Intelligence

900+ Apps and Add-Ons

Splunk Premium Solutions

Data inputs: Mainframe Data, Relational Databases, Mobile, SaaS, IaaS, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop

Page 5

The Four Principles of Splunk Cloud

Instant

Secure

Reliable

Hybrid

100% Uptime SLA

Page 6

Splunk Cloud Available Worldwide

Page 7

Splunk AWS & Azure apps for cloud migration

Exec & IT insight with NOC dashboards

Students placed at right university

Network, IaaS & cloud troubleshooting

Why UCAS use Splunk for Cloud Management

Page 8

How Sophos Uses Splunk Cloud For An Analytics Driven SOC

Sophos: Security in the cloud, UK, Splunk powers their SOC

Security analytics driven SOC to protect the business

Splunk Cloud delivered from within EU as SaaS

Splunk for real-time reporting, alerting & investigation

Page 9

How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud

On-time efficiency & dramatic queue reduction with 925 flights per day

Real-time, predictive airfield analytics deliver on mobile app & Apple Watch

Data from airport gates, boarding pass scans, x-ray, travel, passenger flow

Page 10

Security Operations, IT Operations, Business Operations

With Splunk, your enterprise data platform

Different PEOPLE asking different QUESTIONS of the SAME DATA

Page 11

© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

Where Did That Instance Go? How to optimize Security and Compliance

Jens Ihnow | Manager Cloud Operations Europe

Page 12

CHANGING THE WORLD THROUGH DIGITAL EXPERIENCES

Page 13

ADOBE.IO

PRIVATE, PUBLIC OR HYBRID CLOUD

CORE TECHNOLOGIES

ADOBE CLOUD PLATFORM

CONTENT DATA

Page 14

Security & Compliance using Splunk

Page 15

Security vs. Compliance

Compliance is NOT Security and Security is NOT Compliance

Adobe “Common Control Framework”

Clear guidance to all of our product and services teams

1000 requirements rationalized down to about 200 Adobe-specific controls

(Figure labels: Security, Compliance)

Page 16

Answering controls with data

Data is created every second:

  Authentication logs

  Change logs (deployments, builds, …)

  Audit logs

  Transaction logs

The needle in the haystack:

  Thousands of servers / instances / containers

  Multi regions / data centers

  Multi environments (Development, Staging, Production)

  Up-/Downscaling (short living infrastructure)

At Adobe we are using Splunk to find evidence and answer controls

Picture by Jens Ihnow

Page 17

Splunk to aggregate them all

Sources feeding Splunk:

  Adobe: Applications (Security, Performance, …); Build & Deployment (Builds, deployments, …)

  AWS: CloudTrail, Loadbalancer, …

  Security: Threat intelligence, …

Splunk: Search, Enterprise Security, AWS App, Compliance App

Outputs: Alerts, Dashboards, Search, Reports, (Archiving)

Page 18

Types of logs indexed

AWS ELB logs

AWS CloudTrail logs

AWS Flow logs (WiP)

AWS ...

Chef

Elasticsearch (Yes we do! ;-))

Evident.io

Nginx & HAProxy & Tomcat & ...

MongoDB

Windows Event Logs

Custom logs like:

  Application logs (e.g. Java Containers)

  Transaction logs

  Deployment / Audit trails

  ...

Page 19

Splunk environments running on AWS

Clusters deployed in many AWS regions, the same regions as the Adobe applications

Adobe managed, not Splunk Cloud

Thousands of Forwarders

Different cluster setups:

  High Volume

  Low Volume

Special clusters & search heads for:

  AWS CloudTrail

  API access

  Enterprise Security

  Sandbox

Page 20

Architecture: Forwarding & Receiving + Deployment Server

(Diagram labels: Application x, Application y, Application z, Corporate Splunk)

Page 21

Splunk on AWS architecture

Shared components: Single Sign On, License Master, Deployment Server

Search Heads, Search Heads API

High Volume cluster: Cluster Master, IDX-1, IDX-2, IDX-3, IDX-4, IDX …, IDX-60

Low Volume cluster: Cluster Master, IDX-1, IDX-2, IDX-3, IDX-4, IDX …, IDX-25

Load balancers: ELB, ELB

Page 22

Splunk Use case examples

Page 23

AWS CloudTrail - Splunk App for AWS

CloudTrail records AWS API activity (dashboard screenshot not included in the transcript)
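The deck's title question ("where did that instance go?") is exactly what CloudTrail can answer once its records are indexed: every RunInstances and TerminateInstances call is logged with time, region and caller. The following script is an added example, not code from the deck, Adobe or the Splunk App for AWS. It parses a small constructed CloudTrail log file (real record layout, placeholder instance ids, users and RFC 5737 addresses), folds the EC2 events into one lifecycle record per instance, and flags the case an auditor cares about most in short-lived infrastructure: an instance whose termination is logged but whose launch never reached the index.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample CloudTrail log file (not Adobe's data). Layout follows the
# CloudTrail record format; every id, user, timestamp and address is a placeholder.
SAMPLE_TRAIL = """
{"Records": [
 {"eventTime": "2016-10-04T11:40:17Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "awsRegion": "eu-west-1",
  "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111",
      "currentState": {"code": 32, "name": "shutting-down"}}]}}},
 {"eventTime": "2016-10-04T08:15:02Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "eu-west-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
  "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-00000000"}]}},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
 {"eventTime": "2016-10-04T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
  "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-00000001"}]}},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}},
 {"eventTime": "2016-10-04T09:30:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "userName": "unknown-script"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ccc333"}]}},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ccc333",
      "currentState": {"code": 32, "name": "shutting-down"}}]}}},
 {"eventTime": "2016-10-04T09:31:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
  "requestParameters": {"instancesSet": {"items": []}}, "responseElements": null}
]}
"""


@dataclass
class InstanceRecord:
    instance_id: str
    region: Optional[str] = None
    image_id: Optional[str] = None
    launched_at: Optional[str] = None
    launched_by: Optional[str] = None
    terminated_at: Optional[str] = None
    terminated_by: Optional[str] = None


def _instance_ids(section: Optional[dict]) -> List[str]:
    """instanceIds inside an instancesSet block (requestParameters or responseElements)."""
    items = ((section or {}).get("instancesSet") or {}).get("items") or []
    return [item["instanceId"] for item in items if "instanceId" in item]


def _actor(event: dict) -> str:
    """Principal as a human would read it: IAM user name, else ARN, else identity type."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type") or "unknown"


def build_timeline(trail_json: str) -> Dict[str, InstanceRecord]:
    """Fold EC2 launch and terminate events into one lifecycle record per instance."""
    records: Dict[str, InstanceRecord] = {}
    events = json.loads(trail_json)["Records"]
    # Files arrive out of order; ISO-8601 'Z' timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") == "RunInstances":
            req_items = ((ev.get("requestParameters") or {}).get("instancesSet") or {}).get("items") or []
            image = req_items[0].get("imageId") if req_items else None
            for iid in _instance_ids(ev.get("responseElements")):
                rec = records.setdefault(iid, InstanceRecord(iid))
                rec.region, rec.image_id = ev.get("awsRegion"), image
                rec.launched_at, rec.launched_by = ev["eventTime"], _actor(ev)
        elif ev.get("eventName") == "TerminateInstances":
            for iid in _instance_ids(ev.get("requestParameters")):
                rec = records.setdefault(iid, InstanceRecord(iid))
                rec.region = rec.region or ev.get("awsRegion")
                rec.terminated_at, rec.terminated_by = ev["eventTime"], _actor(ev)
    return records


def where_did_it_go(records: Dict[str, InstanceRecord], instance_id: str) -> str:
    """One-line answer for an auditor, including the 'no evidence' cases."""
    rec = records.get(instance_id)
    if rec is None:
        return f"{instance_id}: no CloudTrail evidence indexed"
    if rec.launched_at is None:
        return (f"{instance_id}: terminated {rec.terminated_at} in {rec.region} by "
                f"{rec.terminated_by}, but no launch record indexed (coverage gap)")
    if rec.terminated_at is None:
        return (f"{instance_id}: launched {rec.launched_at} in {rec.region} by "
                f"{rec.launched_by}, still running as far as the logs show")
    return (f"{instance_id}: launched {rec.launched_at} in {rec.region} by {rec.launched_by}, "
            f"terminated {rec.terminated_at} by {rec.terminated_by}")


def coverage_gaps(records: Dict[str, InstanceRecord]) -> List[str]:
    """Instances with a logged termination but no logged launch: missing evidence."""
    return sorted(iid for iid, rec in records.items() if rec.launched_at is None)


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_TRAIL)
    for iid in sorted(timeline):
        print(where_did_it_go(timeline, iid))
    print("coverage gaps:", coverage_gaps(timeline))
```

A coverage gap here usually means a region or account whose trail is not being forwarded, which is the same "needle in the haystack" problem the deck describes for multi-region, auto-scaled estates; checking for it routinely is cheaper than discovering it during an audit.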

Page 24

Amazon Elastic Load Balancer

Use of SSL Ciphers

“Activities by AWS”:

(dashboard screenshots not included in the transcript)

Available data:

• timestamp
• elb
• client:port
• backend:port
• request_processing_time
• backend_processing_time
• response_processing_time
• elb_status_code
• backend_status_code
• received_bytes
• sent_bytes
• "request"
• "user_agent"
• ssl_cipher
• ssl_protocol
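The field list above is the classic ELB access-log layout, and the "Use of SSL Ciphers" view on this slide is just an aggregation over the last two fields. The script below is an added example, not code from the deck or from the Splunk App for AWS: it parses constructed sample lines (placeholder ELB name, RFC 5737 client addresses) into the fields listed, counts sessions by protocol and cipher, and lists requests that fall below a placeholder TLS baseline, skipping plain-HTTP listener lines (cipher and protocol logged as "-") and counting lines that do not fit the layout instead of silently dropping them.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Classic ELB access-log layout, in the field order the slide lists.
ELB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_processing_time>\S+) (?P<backend_processing_time>\S+) '
    r'(?P<response_processing_time>\S+) (?P<elb_status_code>\S+) '
    r'(?P<backend_status_code>\S+) (?P<received_bytes>\S+) (?P<sent_bytes>\S+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$'
)

# Constructed sample lines (placeholder ELB name, RFC 5737 addresses); not Adobe's logs.
SAMPLE_LINES = [
    '2016-10-04T10:00:00.123456Z prod-web-elb 203.0.113.5:54321 10.0.1.12:443 0.000042 0.012345 0.000021 200 200 512 2048 "GET https://www.example.com:443/login HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    '2016-10-04T10:00:01.234567Z prod-web-elb 203.0.113.6:54322 10.0.1.13:443 0.000038 0.011002 0.000019 200 200 410 1024 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0 (Macintosh)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    '2016-10-04T10:00:02.345678Z prod-web-elb 198.51.100.7:40001 10.0.1.12:443 0.000051 0.010002 0.000019 200 200 300 900 "GET https://www.example.com:443/api HTTP/1.1" "curl/7.35.0" AES128-SHA TLSv1',
    '2016-10-04T10:00:03.456789Z prod-web-elb 192.0.2.9:50000 10.0.1.13:443 0.000040 0.009876 0.000020 200 200 280 640 "POST https://www.example.com:443/api HTTP/1.1" "Java/1.7.0_80" DES-CBC3-SHA TLSv1.2',
    '2016-10-04T10:00:04.567890Z prod-web-elb 10.0.2.40:39000 10.0.1.12:80 0.000030 0.001000 0.000010 200 200 120 15 "GET http://www.example.com:80/health HTTP/1.1" "ELB-HealthChecker/1.0" - -',
    'garbage line that does not match the ELB layout',
]

# Placeholder policy for the report; tune it to the organisation's own TLS baseline.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_PROTOCOL = "TLSv1.2"
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def parse_elb_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into the slide's fields; None if it does not fit."""
    m = ELB_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # client is 'ip:port'; rpartition on the last colon keeps IPv6 literals intact
    rec["client_ip"], _, rec["client_port"] = rec["client"].rpartition(":")
    return rec


def is_weak_tls(rec: Dict[str, str]) -> bool:
    """True when the negotiated protocol or cipher falls below the baseline."""
    proto, cipher = rec["ssl_protocol"], rec["ssl_cipher"]
    if proto == "-":  # plain HTTP listener: no TLS parameters to judge
        return False
    # An unknown protocol name ranks below the floor, so it is flagged for review.
    if PROTOCOL_RANK.get(proto, -1) < PROTOCOL_RANK[MIN_PROTOCOL]:
        return True
    return any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def tls_report(lines: List[str]) -> dict:
    """Aggregate TLS usage the way the 'Use of SSL Ciphers' dashboard would."""
    usage: Counter = Counter()
    weak, plain_http, unparsed = [], 0, 0
    for line in lines:
        rec = parse_elb_line(line)
        if rec is None:
            unparsed += 1          # keep count: a parsing gap is a visibility gap
            continue
        if rec["ssl_protocol"] == "-":
            plain_http += 1
            continue
        usage[(rec["ssl_protocol"], rec["ssl_cipher"])] += 1
        if is_weak_tls(rec):
            weak.append((rec["timestamp"], rec["client_ip"], rec["ssl_protocol"],
                         rec["ssl_cipher"], rec["user_agent"]))
    return {"usage": usage, "weak": weak, "plain_http": plain_http, "unparsed": unparsed}


if __name__ == "__main__":
    report = tls_report(SAMPLE_LINES)
    for (proto, cipher), count in sorted(report["usage"].items()):
        print(f"{count:>6}  {proto:<8} {cipher}")
    for entry in report["weak"]:
        print("below baseline:", entry)
    print("plain HTTP:", report["plain_http"], "unparsed:", report["unparsed"])
```

The user agent in each flagged entry is what makes the report actionable: it tells the team which client population (an old JVM, a scripted integration) still depends on the weak parameters before the listener policy is tightened.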

Page 25

Compliance Tracking of build and deployment

Logging deployed on all workflows (build, deploy, run, …)

Custom log format

Now Compliance is going to be “interesting”!

Page 26

Cloud Infrastructure Security for AWS by evident.io

Page 27

Visibility and transparency – a very old problem

Dashboards:

  Usually Application / infrastructure

  Sometimes Security

  But what about Compliance?

Reporting:

  Scheduled reports (e.g. daily overview)

Alerting:

  eMail

  Pager

  Launch of Incidents / Problems

Picture by Jens Ihnow

Page 28

References

Adobe CCF Whitepaper & Video: http://adobe.ly/1RbIO3A

Splunk - http://www.splunk.com

Splunk Cloud - http://www.splunk.com/de_de/cloud.html

Splunk App for AWS - http://splk.it/1WQU24g

Splunk Enterprise Security - http://splk.it/1UDSSEf

Splunk App for Compliance - http://splk.it/1U9wxkb
