
Page 1: SplunkLive! London 2016 - John Lewis

Copyright © 2016 Splunk Inc.

Splunk for Security at John Lewis

Geordie Stewart, IT Security Manager, John Lewis Partnership

Page 2

John Lewis: founded in London in 1864

Owned in trust by its Partners (employees)

46 John Lewis shops, 345 Waitrose supermarkets, www.waitrose.com and johnlewis.com

John Lewis Partnership annual revenue exceeds £11bn

Values - customer service, trust and values

Largest department store in the UK

Page 3

History of Splunk at John Lewis (timeline, 2011 to 2016)

Splunk introduced (simple log shipping, log parsing, keyword search)

IT operations use cases expanded

Splunk Enterprise Security introduced

New e-commerce platform

Previous SIEM reached end-of-life

Page 4

Why Splunk?

We needed to get a new solution for PCI compliance up and running as quickly as possible.

Page 5

The Enterprise Security Challenge

Page 6

The SIEM Maturity Curve

Security Operations Roles/Functions: Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, Audit/Compliance, Security Analyst, CSIRT, Forensics, Engineering, Fraud Analyst, Threat Research/Intelligence, Malware Research, Cyber Security/Threat

Maturity stages, from Reactive to Proactive: Search and Investigate; Proactive Monitoring and Alerting; Security Situational Awareness; Real-time Risk Insight

Page 7

Bad Things Don’t Just ‘Happen’

1 Major Incident

30 Minor Incidents

300 Near Misses

3,000 Unsafe Acts

30,000 Bad Practices

Page 8

Single Pane of Glass for Security Relevant Data

Daily data volume: now 90GB; end of 2016: 180GB

Sources: Server Estate, Application, Active Directory, Network

Page 9

Single Panes of Glass

Page 10

What is Normal?

Page 11

Centralized Security Visibility at our Operations Bridge

Page 12

Key Components of an Effective Alert

Plain English explanation of what the issue is

Low volume / high value

Hyperlink to relevant operating procedures

Be clear who needs to do what

Actions scripted in advance

Page 13

Improved Incident Investigation Workflow

When an alert is triggered we send an automated email to the system owner with instructions of what to do next.

Activity: New member added to Domain Admin Group

Alert: E-mail to infrastructure owners with detailed description & instructions for review

Investigation: Owner reviews the activity and makes decision

Page 14

Alert Examples

Automatic email sent to administrators each time there is an authentication failure for their account

Email sent to the Operations Bridge if there is a significant increase in failed logons for any internet-facing authentication system

Email sent to security group owners (e.g. Domain Admins) every time an account is added

Page 15

Detecting Unknowns: anomalies

We worked with the owner of each system to establish what normal looks like.

Set thresholds which trigger an alert when something anomalous happens.

Additional detailed workflows have been defined for raised alerts.

Log-on Anomaly workflow (based on system classification, time of day, system owners):

Individual user: disable account

Multiple users from one specific IP: blacklist IP address
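Added example, not code from the deck or from John Lewis or Splunk: a Python sketch of the log-on anomaly workflow on this slide together with the alert shapes of slides 12 and 14. One account failing many times gets the scripted "disable account" action, many accounts failing from one address gets "blacklist IP", an internet-facing system far above its agreed baseline goes to the Operations Bridge, and a failure on an administrator's own account goes straight to that administrator. Thresholds, baselines, owner addresses, the procedure URL and the sample events are all constructed assumptions; each alert carries the plain-English explanation, the "who does what" and the procedure link the slides call for.

```python
"""Logon-anomaly triage over constructed failed-logon records.
Added example for this page, not John Lewis's or Splunk's own code."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds, baselines, owners and addresses are constructed values; in
# practice they come out of the conversation with each system owner.
USER_FAIL_THRESHOLD = 10        # failed logons for one account in the window
IP_DISTINCT_USER_THRESHOLD = 5  # distinct accounts failing from one source IP
SPIKE_FACTOR = 3.0              # window total versus the agreed baseline
BASELINE_FAILS_PER_WINDOW = {"vpn": 20, "webmail": 15}
INTERNET_FACING = {"vpn", "webmail"}
ADMIN_ACCOUNTS = {"adm.geordie": "adm.geordie@example.invalid"}
SYSTEM_OWNERS = {"vpn": "vpn-owners@example.invalid",
                 "webmail": "mail-owners@example.invalid"}
OPS_BRIDGE = "ops-bridge@example.invalid"
PROCEDURE_URL = "https://intranet.example.invalid/soc/procedures/{name}"  # placeholder


@dataclass(frozen=True)
class Alert:
    kind: str
    action: str
    recipients: tuple
    subject: str
    body: str


def _alert(kind, action, recipients, subject, explanation, procedure):
    """Plain English, who does what, the scripted action, and a procedure link."""
    body = (f"{explanation}\n"
            f"Who: {', '.join(recipients)}\n"
            f"What to do: {action.replace('_', ' ')}\n"
            f"Procedure: {PROCEDURE_URL.format(name=procedure)}")
    return Alert(kind, action, tuple(recipients), subject, body)


def triage(events):
    """Return the alerts one window of failed-logon events would raise."""
    alerts = []
    per_user, per_system = Counter(), Counter()
    users_per_ip = defaultdict(set)
    for e in events:
        per_user[(e["system"], e["user"])] += 1
        users_per_ip[(e["system"], e["src_ip"])].add(e["user"])
        per_system[e["system"]] += 1
        # Every failure on an administrator's own account goes straight to them.
        if e["user"] in ADMIN_ACCOUNTS:
            alerts.append(_alert(
                "admin_auth_failure", "confirm_this_was_you", [ADMIN_ACCOUNTS[e["user"]]],
                f"Failed logon for your account {e['user']} on {e['system']}",
                f"A logon to {e['system']} as {e['user']} failed from {e['src_ip']}. "
                "If this was not you, tell the Operations Bridge.", "admin-auth-failure"))
    # One account, many failures: the scripted action is to disable the account.
    for (system, user), n in per_user.items():
        if n >= USER_FAIL_THRESHOLD:
            alerts.append(_alert(
                "user_logon_anomaly", "disable_account", [SYSTEM_OWNERS.get(system, OPS_BRIDGE)],
                f"{n} failed logons for {user} on {system}",
                f"Account {user} failed to log on to {system} {n} times in this window "
                f"(threshold {USER_FAIL_THRESHOLD}).", "disable-account"))
    # Many accounts from one address: the scripted action is to blacklist the address.
    for (system, ip), users in users_per_ip.items():
        if len(users) >= IP_DISTINCT_USER_THRESHOLD:
            alerts.append(_alert(
                "ip_logon_anomaly", "blacklist_ip", [SYSTEM_OWNERS.get(system, OPS_BRIDGE)],
                f"{len(users)} accounts failing from {ip} on {system}",
                f"Source {ip} tried {len(users)} different accounts against {system} "
                f"(threshold {IP_DISTINCT_USER_THRESHOLD}).", "blacklist-ip"))
    # Internet-facing system well above its agreed normal: tell the Operations Bridge.
    for system, total in per_system.items():
        baseline = BASELINE_FAILS_PER_WINDOW.get(system)
        if system in INTERNET_FACING and baseline and total >= SPIKE_FACTOR * baseline:
            alerts.append(_alert(
                "system_logon_spike", "notify_ops_bridge", [OPS_BRIDGE],
                f"{total} failed logons on {system} against a baseline of {baseline}",
                f"{system} saw {total} failed logons in this window; the agreed normal is "
                f"about {baseline}, so this is {SPIKE_FACTOR:g}x or more.", "failed-logon-spike"))
    return alerts


# Constructed sample window (not real logs); field names are assumptions.
SAMPLE_EVENTS = (
    [{"system": "vpn", "user": "j.smith", "src_ip": "203.0.113.10"}] * 12
    + [{"system": "webmail", "user": f"user{i}", "src_ip": "198.51.100.7"} for i in range(6)]
    + [{"system": "webmail", "user": f"u{i}", "src_ip": f"192.0.2.{i}"} for i in range(40)]
    + [{"system": "vpn", "user": "adm.geordie", "src_ip": "203.0.113.44"}]
)

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.kind}] {a.subject}\n{a.body}\n")
```

The window above raises exactly four alerts, one of each kind, which is the "low volume / high value" property slide 12 asks for: 59 raw failures collapse into four messages, each addressed to the party who can act on it.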

Page 16

Scoping a Phishing Attack

Once we receive a phishing email notification we search to see which other users received it and whether or not they opened it or clicked on the link.

“One reported phishing email can lead us to 100 unreported phishing emails.”
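Added example, not code from the deck or from John Lewis or Splunk: the scoping search described on this slide carried out in Python over three constructed record sets, a mail-gateway log (who received the message), mail-client telemetry (who opened it) and a web-proxy log (who fetched the linked host). Starting from one report it widens to every message with the same sender or subject line, ranks the affected users so that anyone who clicked is contacted first, and also lists users who reached the phishing host without a delivered message. All addresses, hostnames, users and field names are constructed.

```python
"""Scope a reported phishing email across mail, mail-client and proxy records.
Added example for this page, not John Lewis's or Splunk's own code."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Exposure:
    user: str
    opened: bool
    clicked: bool


# Constructed mail-gateway records: one row per delivered message.
MAIL_LOG = [
    {"msg_id": "m-1001", "sender": "billing@payrol1-update.invalid",
     "subject": "Action required: payslip", "recipient": "a.jones"},
    {"msg_id": "m-1002", "sender": "billing@payrol1-update.invalid",
     "subject": "Action required: payslip", "recipient": "b.patel"},
    {"msg_id": "m-1003", "sender": "billing@payrol1-update.invalid",
     "subject": "Action required: payslip", "recipient": "c.wu"},
    {"msg_id": "m-1004", "sender": "billing@payrol1-update.invalid",
     "subject": "Action required: payslip", "recipient": "d.lee"},
    # Same sender, different subject line: still part of the same campaign.
    {"msg_id": "m-1005", "sender": "billing@payrol1-update.invalid",
     "subject": "Re: your pension statement", "recipient": "f.ng"},
    # Unrelated legitimate mail that must not be swept in.
    {"msg_id": "m-2001", "sender": "newsletter@example.invalid",
     "subject": "Weekly update", "recipient": "e.kim"},
]
# Constructed mail-client telemetry: who opened which message.
OPEN_LOG = [
    {"msg_id": "m-1001", "user": "a.jones"},
    {"msg_id": "m-1002", "user": "b.patel"},
    {"msg_id": "m-1003", "user": "c.wu"},
    {"msg_id": "m-2001", "user": "e.kim"},
]
# Constructed web-proxy records.
PROXY_LOG = [
    {"user": "b.patel", "url": "http://payrol1-update.invalid/login"},
    {"user": "c.wu", "url": "https://www.example.invalid/"},
    # Reached the phishing host with no delivered message: a forwarded link, perhaps.
    {"user": "z.not", "url": "http://payrol1-update.invalid/login?u=2"},
]
# The single report that starts the investigation (constructed).
REPORT = {"reporter": "a.jones", "sender": "billing@payrol1-update.invalid",
          "subject": "Action required: payslip",
          "url": "http://payrol1-update.invalid/login"}


def related_messages(report, mail_log):
    """Every delivered message sharing the reported sender or subject line."""
    return [m for m in mail_log
            if m["sender"] == report["sender"] or m["subject"] == report["subject"]]


def scope(report, mail_log, open_log, proxy_log):
    """Who received, opened and clicked, ordered so the worst exposures come first."""
    msgs = related_messages(report, mail_log)
    recipients = {m["recipient"] for m in msgs}
    msg_ids = {m["msg_id"] for m in msgs}
    opened = {o["user"] for o in open_log if o["msg_id"] in msg_ids}
    # Match on the linked host rather than the exact URL: per-user tracking
    # parameters would otherwise hide clicks.
    host = urlparse(report["url"]).hostname
    clickers = {p["user"] for p in proxy_log if urlparse(p["url"]).hostname == host}
    exposures = sorted(
        (Exposure(u, u in opened, u in clickers) for u in recipients),
        key=lambda x: (not x.clicked, not x.opened, x.user))
    return {
        "exposures": exposures,
        "counts": {"received": len(recipients),
                   "opened": len(opened & recipients),
                   "clicked": len(clickers & recipients)},
        "contact_first": [x.user for x in exposures if x.clicked],
        "clicked_without_delivery": sorted(clickers - recipients),
    }


if __name__ == "__main__":
    result = scope(REPORT, MAIL_LOG, OPEN_LOG, PROXY_LOG)
    print(result["counts"], result["contact_first"], result["clicked_without_delivery"])
    for x in result["exposures"]:
        print(x)
```

With the constructed data the one report from a.jones widens to five recipients, three of whom opened the message and one of whom clicked; the newsletter to e.kim is left alone, and z.not is flagged separately because a click without a delivery is worth a question of its own.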

Page 17

Threat Intelligence Experience

We correlated open source threat intelligence feeds with our data sources.

Challenge:
– Open source threat intelligence lacks context when an alert is triggered
– Removal of cleaned-up IPs / domains from the lists is often not defined in open source blacklists

What works:
– Creating our own local threat lists based on incident investigation and findings, e.g. from phishing attacks

Plans:
– Evaluating commercial threat intelligence feeds
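Added example, not code from the deck or from John Lewis or Splunk: a small Python model of the "local threat list" this slide says works, built to address the two challenges listed above it. Every indicator carries where it came from and the context an analyst needs when it fires, and every indicator has an explicit time-to-live so that entries a feed never retracts drop out on their own unless re-confirmed. Matching covers IP addresses and domains (including subdomains). The indicators, the incident reference, the dates and the events are all constructed.

```python
"""A local threat list with provenance and expiry, matched against events.
Added example for this page, not John Lewis's or Splunk's own code."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Indicator:
    value: str      # IP address or domain
    kind: str       # "ip" or "domain"
    source: str     # the incident or feed it came from
    context: str    # what the analyst needs when it fires
    added: date
    ttl_days: int   # dropped after this many days unless re-confirmed


THREAT_LIST = [
    # From a local phishing investigation: carries the context a feed lacks.
    # The incident reference is a placeholder, not a real record.
    Indicator("payrol1-update.invalid", "domain", "local:INC-PLACEHOLDER",
              "Credential-harvesting domain from the payslip phishing campaign; "
              "see the incident record for affected users.", date(2016, 3, 1), 90),
    # Open source feed entries: no context, and the feed never says when to remove them,
    # so the TTL is the only thing that ever retires them.
    Indicator("203.0.113.77", "ip", "feed:osint-example", "(none supplied by feed)",
              date(2015, 10, 1), 60),
    Indicator("198.51.100.9", "ip", "feed:osint-example", "(none supplied by feed)",
              date(2016, 3, 10), 30),
]

# Constructed connection/proxy events; field names are assumptions.
EVENTS = [
    {"src": "10.1.2.3", "dest_domain": "login.payrol1-update.invalid", "dest_ip": "192.0.2.50"},
    {"src": "10.1.2.4", "dest_ip": "203.0.113.77"},
    {"src": "10.1.2.5", "dest_ip": "198.51.100.9"},
    {"src": "10.1.2.6", "dest_domain": "www.example.invalid", "dest_ip": "192.0.2.9"},
]
TODAY = date(2016, 3, 15)


def is_active(ind, today):
    """Live only between the day it was added and the end of its TTL."""
    return ind.added <= today < ind.added + timedelta(days=ind.ttl_days)


def expired(indicators, today):
    """Entries that would otherwise sit on the list forever."""
    return [i for i in indicators if today >= i.added + timedelta(days=i.ttl_days)]


def match(events, indicators, today):
    """One hit per event that touches a live indicator, carrying its source and context."""
    live = [i for i in indicators if is_active(i, today)]
    by_ip = {i.value: i for i in live if i.kind == "ip"}
    domains = [i for i in live if i.kind == "domain"]
    hits = []
    for e in events:
        ind = by_ip.get(e.get("dest_ip"))
        if ind is None and e.get("dest_domain"):
            d = e["dest_domain"].lower()
            # Exact match or any subdomain of the listed domain.
            ind = next((i for i in domains if d == i.value or d.endswith("." + i.value)), None)
        if ind is not None:
            hits.append({"src": e["src"], "indicator": ind.value,
                         "source": ind.source, "context": ind.context})
    return hits


if __name__ == "__main__":
    for h in match(EVENTS, THREAT_LIST, TODAY):
        print(f"{h['src']} -> {h['indicator']} [{h['source']}] {h['context']}")
    for i in expired(THREAT_LIST, TODAY):
        print(f"expired: {i.value} from {i.source}, added {i.added}")
```

Run on 2016-03-15, the constructed events produce two hits: the subdomain of the locally listed phishing domain, which comes with the incident context, and the fresh feed address, which arrives with none. The older feed address has passed its TTL and is reported as expired rather than matched, which is the retirement step the open source lists themselves never define.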

Page 18

Many more use cases but not covered today!

Initial use case: PCI Compliance (data archiving and retention, dashboards, reviews)

DDoS reporting

Privileged user monitoring

Application level security monitoring

Page 19

How the Partnership Benefits from Splunk Enterprise Security

We can identify incidents more quickly and take appropriate action where required

We’ve empowered our users to make operational risk management decisions

We are re-using our investment for compliance for security and IT ops use cases

Splunk allows us to store raw data more cheaply than on the source production systems

Page 20

The Future

Adaptive response - looking to feed intelligence from Splunk into Palo Alto Networks

User Behavior Analytics - need to capture all logins to give UBA what it needs to baseline normal

Page 21

My Tips

Encourage system owners to share their data by providing shared operational benefits

Empower the users – send alerts and reports straight to them. Don’t let the security team be a bottleneck

Page 22

Thank You