Splunk User Group Edinburgh - November Event

Post on 26-Jan-2017


Transcript of Splunk User Group Edinburgh - November Event

Copyright © 2016 Splunk Inc.

Splunk User Group Edinburgh
IT Ops / Use Case Dev
November 2016


Introduction - Harry McLaren
● Alumnus of Edinburgh Napier
● Security Consultant at ECS
– Role: Specialist Splunk Consultant & Enablement Lead
– Specialism: Enterprise Security (SIEM) / IT Service Intelligence

● Splunk User Group Edinburgh: Leader / Founder


Introduction - ECS
● Strategic Splunk Partner - UK
– Type: Security / IT Operations / Managed Services
– Awards: Splunk Revolution Award & Splunk Partner of the Year 2016


Agenda

• Housekeeping: Overview & House Rules

• Presentation: IT Operations with IT Service Intelligence

• Demo: IT Service Intelligence Demo

• Presentation: Use Case Development

• Discussion: Business Pain to Organisational Insight


Splunk [Official] User Group

“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”

● User-Led Technical Discussions

● Sharing Environment

● Build Trust

● No Sales!

Use Case Development


What is a Use Case?

● Software & Systems Engineering Definition (via Wikipedia)

“A use case is a list of actions or event steps, typically defining the interactions between a role and a system, to achieve a goal.”

Diagram: Roles / Actors → System → Goals


Use Case Examples: Security

● Security & Compliance Reporting
● Real-Time Monitoring of Known Threats
● Detect Unknown Threats
● Incident Investigations & Forensics
● Fraud Detection
● Insider Threat


Security - Insider Threat

● Roles / Actors
– Security Analyst / SOC Manager / CISO

● System Requirements
– Real-time monitoring based on event logs from relevant systems.
– Abnormal behaviour detection based on ‘normal’ baselining.

● Goals
– Detect / alert on insider threats within the organisation.
– Respond to insider threats with as much workflow automation as possible.


Insider Threats using Splunk

● Roles / Actors
– Security Analyst / SOC Manager / CISO

● System (Splunk)
– Real-time monitoring based on correlation searches over event logs such as Active Directory (AD) and Data Loss Prevention (DLP) software.
– Insider threat detection using machine learning models to baseline expected behaviour and alert on outliers and abnormal behaviour patterns.
– Workflow actions via the ‘Enterprise Security’ app and the Adaptive Response Framework.

● Goals Achieved
– Detection / alerting on insider threats within the organisation.
– Responding to insider threats with workflow automation.
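The slide above describes the pattern at the level of a product feature; the following added example (not from the slides or from Splunk) shows the same logic in plain Python: per-user baselining of DLP event volume, an outlier threshold, and correlation with an off-hours AD logon on the same day. The event tuples, user names and the 3-sigma / minimum-count thresholds are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample events, not real logs: (day, hour, user, sourcetype, action).
# sourcetype "ad" stands in for Active Directory logon events, "dlp" for DLP alerts.
EVENTS = []
for day in range(1, 5):  # days 1-4 form the baseline window
    EVENTS += [(day, 9, "alice", "ad", "logon")] + [(day, 11, "alice", "dlp", "usb_copy")] * 2
    EVENTS += [(day, 9, "bob", "ad", "logon")] + [(day, 14, "bob", "dlp", "email_attach")] * (1 + day % 2)
    EVENTS += [(day, 8, "carol", "ad", "logon")]
# Day 5 is "today": alice copies far more than usual after an off-hours logon,
# carol spikes during office hours, bob stays within his normal range.
EVENTS += [(5, 22, "alice", "ad", "logon")] + [(5, 23, "alice", "dlp", "usb_copy")] * 8
EVENTS += [(5, 9, "bob", "ad", "logon")] + [(5, 15, "bob", "dlp", "email_attach")] * 3
EVENTS += [(5, 10, "carol", "ad", "logon")] + [(5, 16, "carol", "dlp", "cloud_upload")] * 6


def daily_count(events, user, source, day):
    """Number of events for one user from one sourcetype on one day."""
    return sum(1 for d, _h, u, s, _a in events if d == day and u == user and s == source)


def baseline(events, user, source, days):
    """Mean and population stdev of the user's daily event count over the baseline days."""
    counts = [daily_count(events, user, source, d) for d in days]
    return mean(counts), pstdev(counts)


def detect(events, today, baseline_days, k=3.0, min_count=5):
    """Flag users whose DLP volume today is an outlier against their own baseline.

    The threshold is mean + k*stdev, floored at min_count so a user with a flat
    baseline of zero is not alerted on a single event. An off-hours AD logon on
    the same day raises the severity (correlation across the two log sources).
    """
    alerts = []
    for user in sorted({e[2] for e in events}):
        mu, sigma = baseline(events, user, "dlp", baseline_days)
        today_dlp = daily_count(events, user, "dlp", today)
        if today_dlp < max(min_count, mu + k * sigma):
            continue
        off_hours = any(h < 7 or h > 19 for d, h, u, s, a in events
                        if d == today and u == user and s == "ad" and a == "logon")
        alerts.append((user, today_dlp, "high" if off_hours else "medium"))
    return alerts


if __name__ == "__main__":
    for user, count, severity in detect(EVENTS, today=5, baseline_days=range(1, 5)):
        print(f"{severity.upper()}: {user} generated {count} DLP events today")
```

In Splunk the same shape is a scheduled correlation search that compares today's per-user count with a stats-derived baseline; the severity field is what an Adaptive Response action would key on.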


Use Case Examples: Business Analytics

● Business Process Analytics
● Customer Experience Analytics
● Product Analytics
● Digital Marketing


Business Analytics - Customer Experience

● Roles / Actors
– Marketing Analyst / Product Owner / Website Manager

● System Requirements
– Minimal ingestion of additional system logs / hardware (low cost / fast ROI).
– Real-time mapping of the customer journey on the e-commerce platform.
– Allow contextual information to be correlated with event information.

● Goals
– Alerting when customer experience is degraded past defined KPIs.
– Visual representation of useful information for non-technical users.
– Create a single view of the e-commerce platform for high-level monitoring.


Customer Experience using Splunk

● Roles / Actors
– Marketing Analyst / Product Owner / Website Manager

● System (Splunk)
– Leverages existing event logs and requires minimal additional log sources.
– Processes event data into a wide selection of interactive visual representations.
– Pulls contextual information and correlates it with event data for greater insight.

● Goals Achieved
– Alerting based on time-sensitive KPIs whose thresholds can be set dynamically.
– Dashboards showing business-relevant SLA information as RAG (red / amber / green) status.
– High-level view supporting drill-downs and dependencies via Glass Tables.


Any Questions?

Business Pain to Organisational Insight


Discover > Design > Build > Deliver

● Use Case Discovery & Definition: Discovery Workshops / Questionnaires; Use Case Specification Document
● Data Collection & On-boarding: Collection Configuration & Optimisation; Data Segmentation & Normalisation
● Transformation & Delivery: Data Enrichment & Acceleration; Visualisation & Reporting Development


Challenge: How Could You Use This?



Any Questions?


Updates Announced at .conf 2016

● Introducing Splunk Enterprise 6.5 - Available Now

‣ Splunk ML Toolkit: Guided workbench and SPL extensions to help you create and operationalize your own custom analytics based on your choice of algorithms.

‣ Tables: New feature that lets you create and analyse tabular data views without using SPL.

‣ Hadoop Data Roll: Gives you another way to reduce historical data storage costs while keeping full search capability.

● Premium Apps - New Releases:
– Splunk Enterprise Security [Minor Release]
– Splunk IT Service Intelligence [Major Release]
– Splunk User Behaviour Analytics [Major Release]


Get Involved!

● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
– https://www.linkedin.com/groups/12013212

● Splunk’s Slack Group
– Register via www.splunk402.com/chat
– Channel: #edinburgh

● Present & Share at the User Group? Connect:
‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk
‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk

Thank You