Splunk User Group Edinburgh - November Event


Transcript of Splunk User Group Edinburgh - November Event

Page 1: Splunk User Group Edinburgh - November Event

Copyright © 2016 Splunk Inc.

Splunk User Group Edinburgh – IT Ops / Use Case Dev – November 2016

Page 2: Splunk User Group Edinburgh - November Event


Introduction - Harry McLaren
● Alumnus of Edinburgh Napier
● Security Consultant at ECS
  – Role: Specialist Splunk Consultant & Enablement Lead
  – Specialism: Enterprise Security (SIEM) / IT Service Intelligence
● Splunk User Group Edinburgh: Leader / Founder

Page 3: Splunk User Group Edinburgh - November Event


Introduction - ECS
● Strategic Splunk Partner - UK
  – Type: Security / IT Operations / Managed Services
  – Awards: Splunk Revolution Award & Splunk Partner of the Year 2016

Page 4: Splunk User Group Edinburgh - November Event


Page 5: Splunk User Group Edinburgh - November Event


Agenda

• Housekeeping: Overview & House Rules

• Presentation: IT Operations with IT Service Intelligence

• Demo: IT Service Intelligence Demo

• Presentation: Use Case Development

• Discussion: Business Pain to Organisational Insight

Page 6: Splunk User Group Edinburgh - November Event


Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”

● User Lead Technical Discussions

● Sharing Environment

● Build Trust

● No Sales!

Page 7: Splunk User Group Edinburgh - November Event
Page 8: Splunk User Group Edinburgh - November Event

Use Case Development

Page 9: Splunk User Group Edinburgh - November Event


What is a Use Case?
● Software & Systems Engineering Definition (via Wikipedia)
“A use case is a list of actions or event steps, typically defining the interactions between a role and a system, to achieve a goal.”
● Diagram labels: Roles / Actors, System, Goals

Page 10: Splunk User Group Edinburgh - November Event


Use Case Examples - Security
● Security & Compliance Reporting
● Real-time Monitoring of Known Threats
● Detect Unknown Threats
● Incident Investigations & Forensics
● Fraud Detection
● Insider Threat

Page 11: Splunk User Group Edinburgh - November Event


Security - Insider Threat
● Roles / Actors
  – Security Analyst / SOC Manager / CISO
● System Requirements
  – Real-time monitoring based on event logs from relevant systems.
  – Abnormal Behaviour detection based on ‘Normal’ baselining.
● Goals
  – Detect / Alert on Insider Threats within the organisation.
  – Respond to Insider Threats with as much workflow automation as possible.

Page 12: Splunk User Group Edinburgh - November Event


Insider Threats using Splunk
● Roles / Actors
  – Security Analyst / SOC Manager / CISO
● System (Splunk)
  – Real-time monitoring based on correlation searches of event logs such as Active Directory (AD) and Data Loss Prevention (DLP) software.
  – Insider Threat detection using Machine Learning models to baseline expected behaviour and alerting on outliers and abnormal behaviour patterns.
  – Workflow actions via ‘Enterprise Security’ App and the Adaptive Response Framework.
● Goals Achieved
  – Detection / alerting on Insider Threats within the organisation.
  – Responding to Insider Threats with workflow automation.
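The build on this slide (correlating AD and DLP events, baselining expected behaviour per user, alerting on outliers), as an added stand-alone example written in plain Python rather than SPL. It is not code from the talk, from Splunk or from ECS. The log format, the user names, the byte counts, the 07:00-19:00 working day and the 3-sigma / 1 MB thresholds are all constructed assumptions. It also handles the flat-baseline edge case (a user whose history has zero variance) that a naive mean + k·sigma rule alerts on for any trivial change; the same baseline step is what a KPI threshold that "self-sets dynamically" amounts to later in the deck.

```python
"""Baseline-and-outlier detection over constructed AD and DLP events.

Added illustration, not code from the talk, Splunk or ECS: it does in plain
Python what the slides describe a correlation search plus ML baselining doing.
Log format, user names, byte counts and thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 'timestamp key=value ...' lines, one AD logon and one DLP
# file-copy summary per user per day. alice copies 2-3 MB/day, then 900 MB on
# 2016-11-05 after a 22:30 logon; bob is flat at 1 MB/day.
SAMPLE_LOG = """\
2016-11-01T08:05:12 src=ad user=alice event=logon host=WS-101
2016-11-01T10:02:00 src=dlp user=alice event=file_copy dest=usb bytes=2000000
2016-11-01T11:15:00 src=dlp user=bob event=file_copy dest=usb bytes=1000000
2016-11-02T08:07:45 src=ad user=alice event=logon host=WS-101
2016-11-02T09:40:00 src=dlp user=alice event=file_copy dest=usb bytes=3000000
2016-11-02T11:20:00 src=dlp user=bob event=file_copy dest=usb bytes=1000000
2016-11-03T08:03:10 src=ad user=alice event=logon host=WS-101
2016-11-03T10:12:00 src=dlp user=alice event=file_copy dest=usb bytes=2000000
2016-11-03T11:05:00 src=dlp user=bob event=file_copy dest=usb bytes=1000000
2016-11-04T08:06:30 src=ad user=alice event=logon host=WS-101
2016-11-04T10:30:00 src=dlp user=alice event=file_copy dest=usb bytes=3000000
2016-11-04T11:10:00 src=dlp user=bob event=file_copy dest=usb bytes=1000000
2016-11-05T08:04:55 src=ad user=alice event=logon host=WS-101
2016-11-05T11:00:00 src=dlp user=bob event=file_copy dest=usb bytes=1000000
2016-11-05T22:30:00 src=ad user=alice event=logon host=WS-101
2016-11-05T22:41:00 src=dlp user=alice event=file_copy dest=usb bytes=900000000
"""

WORK_HOURS = (7, 19)  # assumed working day; logons outside 07:00-19:00 are off-hours


def parse_events(text):
    """Parse each line into a dict of key=value fields plus a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *pairs = line.split()
            ev = dict(p.split("=", 1) for p in pairs)
            ev["ts"] = datetime.fromisoformat(ts)
            events.append(ev)
    return events


def daily_dlp_bytes(events):
    """Per user, per calendar day, total bytes reported by DLP file_copy events."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("src") == "dlp" and ev.get("event") == "file_copy":
            totals[ev["user"]][ev["ts"].date()] += int(ev["bytes"])
    return totals


def baseline_outliers(series, k=3.0, min_history=3, min_delta=1_000_000):
    """Flag days whose value exceeds mean + k*stdev of the *earlier* days only.

    min_history: days of history needed before the baseline is trusted.
    min_delta: absolute floor on (value - mean) so a flat, zero-variance
    baseline does not alert on a trivial change (constructed value: 1 MB).
    """
    flagged, days = [], sorted(series)
    for i, day in enumerate(days):
        history = [series[d] for d in days[:i]]
        if len(history) < min_history:
            continue
        mu, sigma, value = mean(history), pstdev(history), series[day]
        if value > mu + k * sigma and value - mu >= min_delta:
            flagged.append((day, value, mu, sigma))
    return flagged


def offhours_logons(events):
    """(user, day) pairs with an AD logon outside WORK_HOURS."""
    return {(ev["user"], ev["ts"].date()) for ev in events
            if ev.get("src") == "ad" and ev.get("event") == "logon"
            and not WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]}


def detect_insider_threat(text):
    """Correlate the two rules: a volume outlier on the same day as an
    off-hours logon by the same user is escalated to 'high'."""
    events = parse_events(text)
    offhours = offhours_logons(events)
    alerts = []
    for user, series in daily_dlp_bytes(events).items():
        for day, value, mu, _sigma in baseline_outliers(series):
            alerts.append({"user": user, "day": day.isoformat(), "bytes": value,
                           "baseline_mean": mu,
                           "severity": "high" if (user, day) in offhours else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_insider_threat(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one alert, for alice on 2016-11-05 at severity "high", and nothing for bob. The baseline for a day is computed only from earlier days, so a spike can never raise its own threshold, and the `min_delta` floor is what keeps a user with a perfectly flat history from alerting on a few extra bytes. In Splunk the same logic would typically live in a scheduled correlation search whose baseline comes from a summary index or the ML Toolkit, with the resulting notable event handed to Adaptive Response actions.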

Page 13: Splunk User Group Edinburgh - November Event


Use Case Examples - Business Analytics
● Business Process Analytics
● Customer Experience Analytics
● Product Analytics
● Digital Marketing

Page 14: Splunk User Group Edinburgh - November Event


Business Analytics - Customer Experience
● Roles / Actors
  – Marketing Analyst / Product Owner / Website Manager
● System Requirements
  – Minimal ingestion of additional system logs / hardware (low cost / fast ROI).
  – Real-time mapping of the customer journey through the e-commerce platform.
  – Allow contextual information to be correlated with event information.
● Goals
  – Alerting when customer experience is degraded past defined KPIs.
  – Visual representation of useful information for non-technical users.
  – Create a single view of the e-commerce platform for high-level monitoring.

Page 15: Splunk User Group Edinburgh - November Event


Customer Experience using Splunk
● Roles / Actors
  – Marketing Analyst / Product Owner / Website Manager
● System (Splunk)
  – Leverages existing event logs and requires minimal additional log sources.
  – Processes event data into a wide selection of interactive visual representations.
  – Pulls contextual information and correlates it with event data for greater insight.
● Goals Achieved
  – Alerting based on time-sensitive KPIs whose thresholds can self-set dynamically.
  – Dashboards showing business-relevant information about SLAs in RAG (red / amber / green) status.
  – High-level view supporting drill-downs and dependencies via Glass Tables.

Page 16: Splunk User Group Edinburgh - November Event


Any Questions?

Page 17: Splunk User Group Edinburgh - November Event

Business Pain to Organisational Insight

Page 18: Splunk User Group Edinburgh - November Event


Discover > Design > Build > Deliver
● Use Case Discovery & Definition
  – Discovery Workshops / Questionnaires
  – Use Case Specification Document
● Data Collection & On-boarding
  – Collection Configuration & Optimisation
  – Data Segmentation & Normalisation
● Transformation & Delivery
  – Data Enrichment & Acceleration
  – Visualisation & Reporting Development

Page 19: Splunk User Group Edinburgh - November Event


Challenge: How Could You Use This?
● Use Case Discovery & Definition
  – Discovery Workshops / Questionnaires
  – Use Case Specification Document
● Data Collection & On-boarding
  – Collection Configuration & Optimisation
  – Data Segmentation & Normalisation
● Transformation & Delivery
  – Data Enrichment & Acceleration
  – Visualisation & Reporting Development

Page 20: Splunk User Group Edinburgh - November Event


Any Questions?

Page 21: Splunk User Group Edinburgh - November Event


Updates Announced at .conf 2016
● Introducing Splunk Enterprise 6.5 - Available Now
  ‣ Splunk ML Toolkit: Guided workbench and SPL extensions to help you create and operationalize your own custom analytics based on your choice of algorithms.
  ‣ Tables: New feature that lets you create and analyse tabular data views without using SPL.
  ‣ Hadoop Data Roll: Gives you another way to reduce historical data storage costs while keeping full search capability.
● Premium Apps - New Releases:
  – Splunk Enterprise Security [Minor Release]
  – Splunk IT Service Intelligence [Major Release]
  – Splunk User Behaviour Analytics [Major Release]

Page 22: Splunk User Group Edinburgh - November Event


Get Involved!
● Splunk User Group Edinburgh
  – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
  – https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
  – Register via www.splunk402.com/chat
  – Channel: #edinburgh
● Present & Share at the User Group? Connect:
  ‣ Harry McLaren | [email protected] | @cyberharibu | harrymclaren.co.uk
  ‣ ECS | [email protected] | @ECS_IT | ecs.co.uk

Page 23: Splunk User Group Edinburgh - November Event

Thank You