Copyright © 2015 Splunk Inc. Timothy Lee, CISO, City of Los Angeles. Splunk Cloud as a SIEM for Cybersecurity Collaboration



Page 1

Copyright © 2015 Splunk Inc.

Timothy Lee, CISO, City of Los Angeles

Splunk Cloud as a SIEM for Cybersecurity Collaboration

Page 2

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 3

City of Los Angeles

• 4 million people, 465 sq mi, 15 Council Districts
• 2nd largest city in the US
• 1.8 million employed
• 42.2 million annual visitors
• 42 departments with 35,000 FTE
• Port of LA, Airport, Water and Power: 3 proprietary departments, all managing their own networks
• Information Technology Agency (ITA) manages the rest

Page 4

Our Challenge

• IT Security Team is understaffed
• Dispersed log capturing capabilities
• Minimal use of collaboration tools
• Lack of Incident Management platform
• No integrated threat intelligence program
• Limited situational awareness and operational metrics for the City as a whole
• Imbalance in response capability
• Growing cyber threats including DDoS and malware

Page 5

Mayor's Executive Directive on Cybersecurity

• Facilitate the identification and investigation of cyber threats and intrusions against City assets
• Ensure incidents are quickly, properly, and thoroughly investigated by the appropriate law enforcement agency
• Facilitate dissemination of cybersecurity alerts and information
• Provide uniform governance structure accountable to City leadership
• Coordinate incident response and remediation across the City
• Serve as an advisory body to City departments
• Sponsor independent security assessments to reduce security risks
• Ensure awareness of best practices

Page 6

Our Solution

Integrated Security Operations Center leveraging Splunk Cloud and Splunk Enterprise Security

Page 7

Integrated Security Operations Center

[Diagram: City of Los Angeles Integrated Security Operations Center. Internal partners in Information Security and Physical Security (ITA, LAWA, POLA, DWP, LAPD, LAXPD, LAPP) and external partners (FBI, DHS/USSS, MS-ISAC threat info services) feed the City of LA Integrated SOC, which provides Situational Awareness and Threat Intelligence: COLLECT, COLLABORATE, REPORT, PROMOTE.]

Page 8

Integrated Security Operations Center

Page 9

How Did We Sell It Internally?

• Prepare to answer why you need SIEM and why cloud-based
  – Security Audit Report (Recommendation and Action Plan)
  – Compliance Gap Assessment Report
  – Security metrics (numbers of intrusion attempts, incidents, outages caused by incidents, top attackers, threat activity and trends, etc.)
  – Present it from the business risk perspective
• Engage others outside of IT to also help sell it
• Provide potential risks of not implementing SIEM
• Share real-world examples of cyber incidents and costs that your audience can relate to
• Provide a source of funding for implementation and operations
• Align results to organizational goals

Page 10

Example: Executive Dashboards

Page 11

Use Case Example: Top Attackers

Page 12

Use Case Example: Top Destination by Specific Attacker

Page 13

Use Case Example: Malware Monitoring

Page 14

Lessons Learned

• Conduct a SOC readiness assessment before anything else
• Prepare to answer why you need a CSOC
• Look for grant opportunities
• Pick the right tools and technology
• Be mindful of operating costs
• Pick the right contractor
• Pick the right team. Invest in people.
• Cybersecurity collaboration and information sharing are essential

Page 15

Resources

• Security Operation Center Concepts & Implementation – Renaud Bidou
• How to Deploy SIEM Technology – Gartner, March 02, 2015
• Using SIEM for Targeted Attack Detection – Gartner, March 12, 2014
• Top 6 SIEM Use Cases – Infosecinstitute.com, May 15, 2014

Page 16

Q&A

Page 17

THANK YOU