Copyright © 2016 Splunk Inc.
Splunk for Security at John Lewis
Geordie Stewart, IT Security Manager, John Lewis Partnership
John Lewis
- Founded in London in 1864
- Owned in trust by its Partners (employees)
- 46 John Lewis shops, 345 Waitrose supermarkets, www.waitrose.com and johnlewis.com
- John Lewis Partnership annual revenue exceeds £11bn
- Values: customer service, trust and values
- Largest department store in the UK
History of Splunk at John Lewis (timeline, 2011 to 2016)
- Splunk introduced (simple log shipping, log parsing, keyword search)
- IT operations use cases expanded
- Splunk Enterprise Security introduced
- New e-commerce platform
- Previous SIEM reached end-of-life
Why Splunk?
We needed to get a new solution for PCI compliance up and running as quickly as possible.
The Enterprise Security Challenge
The SIEM Maturity Curve
(Chart: the curve runs from reactive to proactive through four stages: search and investigate; proactive monitoring and alerting; security situational awareness; real-time risk insight. Security operations roles and functions are plotted along it: Tier 1, Tier 2 and Tier 3 analysts, audit/compliance, security analyst, CSIRT, forensics, engineering, fraud analyst, threat research/intelligence, malware research, cyber security/threat.)
Bad Things Don't Just 'Happen'
(Incident pyramid: for every 1 major incident there are 30 minor incidents, 300 near misses, 3,000 unsafe acts and 30,000 bad practices.)
Single Pane of Glass for Security Relevant Data
Data volume: 90GB now, 180GB by the end of 2016
Data sources: server estate, applications, Active Directory, network
Single Panes of Glass
What is Normal?
Centralized Security Visibility at our Operations Bridge
Key Components of an Effective Alert
- Plain English explanation of what the issue is
- Low volume / high value
- Hyperlink to relevant operating procedures
- Be clear who needs to do what
- Actions scripted in advance
Improved Incident Investigation Workflow
When an alert is triggered we send an automated email to the system owner with instructions of what to do next.
Activity: new member added to the Domain Admins group
Alert: email to infrastructure owners with a detailed description and instructions for review
Investigation: owner reviews the activity and makes a decision
Alert Examples
- Automatic email sent to administrators each time there is an authentication failure for their account
- Email sent to the Operations Bridge if there is a significant increase in failed logons for any internet-facing authentication system
- Email sent to security group owners (e.g. Domain Admins) every time an account is added
Detecting Unknowns: anomalies
We worked with the owner of each system to establish what normal looks like, set thresholds which trigger an alert when something anomalous happens, and defined additional detailed workflows for raised alerts.
Log-on anomaly workflow (based on system classification, time of day and system owners):
- Individual user: disable the account
- Multiple users from one specific IP: blacklist the IP address
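The log-on anomaly workflow above, together with the alert components and alert examples from the earlier slides, as an added illustration in Python rather than code from the talk, from John Lewis or from Splunk (in a Splunk deployment the same logic would live in a scheduled search with the baselines in a lookup). The per-system thresholds, owner addresses, runbook URLs, the Operations Bridge address and the log lines are all constructed for the example:

```python
"""Log-on anomaly detection with per-system thresholds and pre-scripted responses.

Added illustration, not code from the talk, from John Lewis or from Splunk.
Thresholds, owners, runbook URLs, addresses and log lines are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

OPS_BRIDGE = "ops-bridge@example.invalid"  # assumed escalation address

# Baseline per system, as if agreed with each system owner (constructed values).
# failed_per_user: failures by one account in the window before it is anomalous.
# users_per_ip: distinct accounts failing from one source IP before it is anomalous.
SYSTEMS = {
    "vpn": {"owner": "network-team@example.invalid", "internet_facing": True,
            "failed_per_user": 5, "users_per_ip": 3,
            "runbook": "https://wiki.example.invalid/runbooks/vpn-logon-anomaly"},
    "intranet": {"owner": "intranet-owners@example.invalid", "internet_facing": False,
                 "failed_per_user": 20, "users_per_ip": 10,
                 "runbook": "https://wiki.example.invalid/runbooks/intranet-logon-anomaly"},
}

# Constructed authentication log: "<timestamp> <system> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2016-09-27T01:30:00Z vpn FAIL user=frank src=192.0.2.9
2016-09-27T02:01:05Z vpn FAIL user=alice src=203.0.113.7
2016-09-27T02:01:06Z vpn FAIL user=bob src=203.0.113.7
2016-09-27T02:01:07Z vpn FAIL user=carol src=203.0.113.7
2016-09-27T02:01:08Z vpn FAIL user=dave src=203.0.113.7
2016-09-27T02:03:00Z vpn FAIL user=alice src=198.51.100.20
2016-09-27T02:03:10Z vpn FAIL user=alice src=198.51.100.20
2016-09-27T02:03:20Z vpn FAIL user=alice src=198.51.100.20
2016-09-27T02:03:30Z vpn FAIL user=alice src=198.51.100.20
2016-09-27T02:03:40Z vpn FAIL user=alice src=198.51.100.20
2016-09-27T02:04:00Z vpn OK user=bob src=198.51.100.21
2016-09-27T02:05:00Z intranet FAIL user=erin src=10.0.0.5
2016-09-27T02:05:01Z intranet FAIL user=erin src=10.0.0.5
2016-09-27T02:05:02Z intranet FAIL user=erin src=10.0.0.5
"""


@dataclass
class Event:
    ts: datetime
    system: str
    result: str
    user: str
    src: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, result, user_kv, src_kv = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), system, result,
                            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def build_alert(system, kind, subject, count, end):
    """Shape the alert the way the talk recommends: plain-English summary,
    link to the procedure, explicit recipients, action scripted in advance."""
    cfg = SYSTEMS[system]
    out_of_hours = not 8 <= end.hour < 18  # assumed working day
    if kind == "ip":
        summary = (f"{count} different accounts failed to log on to {system} "
                   f"from {subject}; likely password guessing from one source")
        action = f"blacklist {subject}"
    else:
        summary = f"account {subject} failed to log on to {system} {count} times"
        action = f"disable account {subject}"
    notify = [cfg["owner"]]
    # Internet-facing systems and out-of-hours activity also go to the Operations Bridge.
    if cfg["internet_facing"] or out_of_hours:
        notify.append(OPS_BRIDGE)
    return {"system": system, "kind": kind, "subject": subject, "summary": summary,
            "runbook": cfg["runbook"], "notify": notify, "action": action}


def detect(events, end, window=timedelta(minutes=10)):
    """Return alerts for the window ending at `end`, IP-level ones first."""
    start = end - window
    fails = [e for e in events if e.result == "FAIL" and start <= e.ts <= end]
    users_by_ip = defaultdict(set)
    for e in fails:
        users_by_ip[(e.system, e.src)].add(e.user)
    alerts, flagged_ips = [], set()
    for (system, src), users in sorted(users_by_ip.items()):
        if len(users) >= SYSTEMS[system]["users_per_ip"]:
            flagged_ips.add((system, src))
            alerts.append(build_alert(system, "ip", src, len(users), end))
    # Per-account counts ignore failures from IPs already being blocked: a spray
    # against many real accounts must not end with us disabling all of them.
    per_user = defaultdict(int)
    for e in fails:
        if (e.system, e.src) not in flagged_ips:
            per_user[(e.system, e.user)] += 1
    for (system, user), n in sorted(per_user.items()):
        if n >= SYSTEMS[system]["failed_per_user"]:
            alerts.append(build_alert(system, "user", user, n, end))
    return alerts


def run_example():
    return detect(parse_log(SAMPLE_LOG), datetime(2016, 9, 27, 2, 10, 0))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["summary"], "->", alert["action"], "| notify:", ", ".join(alert["notify"]))
```

On the constructed log the 10-minute window yields two alerts: the spray from 203.0.113.7 against four VPN accounts (blacklist the IP) and alice's five failures from her own address (disable the account). bob, carol and dave are not disabled even though their accounts failed, because their only failures came from the IP already being blocked; without that exclusion a password spray against real users would turn the "disable account" workflow into a self-inflicted denial of service.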
Scoping a Phishing Attack
Once we receive a phishing email notification we search to see which other users received it and whether or not they opened it or clicked on the link.
"One reported phishing email can lead us to 100 unreported phishing emails."
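The scoping search described above, as an added example that is not code from the talk or from Splunk. It pivots from the one reported message on two indicators, the sender domain and the link's host, so that campaign variants with a different subject or URL path are also found, and it joins the mail-gateway records with web-proxy records to tell who merely received the mail from who clicked. The log lines and their field names are constructed for this illustration:

```python
"""Scoping a phishing campaign from one reported e-mail.

Added example, not code from the talk or from Splunk. The mail-gateway and
web-proxy log lines and their field names are constructed for this illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed mail-gateway log. m1 is the message alice reported.
MAIL_LOG = """\
2016-09-27T08:00:01Z msgid=m1 from=invoices@payments-example.invalid to=alice@example.invalid subject="Invoice 4471 overdue" url=http://payments-example.invalid/login/verify
2016-09-27T08:00:02Z msgid=m2 from=invoices@payments-example.invalid to=bob@example.invalid subject="Invoice 4471 overdue" url=http://payments-example.invalid/login/verify
2016-09-27T08:00:09Z msgid=m3 from=billing@payments-example.invalid to=carol@example.invalid subject="Payment on hold" url=http://payments-example.invalid/account/confirm
2016-09-27T08:15:00Z msgid=m4 from=news@newsletter.example.org to=dave@example.invalid subject="Weekly digest" url=http://newsletter.example.org/issue/42
"""

# Constructed web-proxy log. erin clicked without any matching mail record
# (the mail may have been forwarded to her), which the scoping must still surface.
PROXY_LOG = """\
2016-09-27T08:05:13Z user=bob src=10.1.2.3 url=http://payments-example.invalid/login/verify status=200
2016-09-27T08:07:40Z user=carol src=10.1.2.9 url=http://payments-example.invalid/account/confirm status=200
2016-09-27T08:09:02Z user=dave src=10.1.3.4 url=http://newsletter.example.org/issue/42 status=200
2016-09-27T08:20:55Z user=erin src=10.1.4.8 url=http://payments-example.invalid/login/verify status=200
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Each line: timestamp followed by key=value pairs; values may be quoted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        fields["ts"] = ts
        records.append(fields)
    return records


def sender_domain(msg):
    return msg["from"].rsplit("@", 1)[1].lower()


def url_host(record):
    return urlsplit(record.get("url", "")).hostname


def scope(mail_log, proxy_log, reported_msgid):
    """Return {user: {"received": n, "clicked": bool}} for everyone touched by the campaign.

    Pivots on two indicators taken from the reported message, the sender domain
    and the link's host, so variants with a different subject or path are caught.
    """
    mails, proxy = parse_log(mail_log), parse_log(proxy_log)
    reported = next(m for m in mails if m["msgid"] == reported_msgid)
    domain, host = sender_domain(reported), url_host(reported)
    result = {}
    for m in mails:
        if sender_domain(m) == domain or url_host(m) == host:
            user = m["to"].split("@", 1)[0]
            entry = result.setdefault(user, {"received": 0, "clicked": False})
            entry["received"] += 1
    for p in proxy:
        if url_host(p) == host:
            entry = result.setdefault(p["user"], {"received": 0, "clicked": False})
            entry["clicked"] = True
    return result


if __name__ == "__main__":
    for user, status in sorted(scope(MAIL_LOG, PROXY_LOG, "m1").items()):
        print(f"{user}: received={status['received']} clicked={status['clicked']}")
```

Starting from alice's single report the output lists bob and carol as recipients who clicked (carol's copy had a different sender address, subject and path), alice as a recipient who did not, and erin as a click with no gateway record at all, which is the case a recipient-only search would miss. dave's newsletter does not match either indicator.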
Threat Intelligence Experience
We correlated open source threat intelligence feeds with our data sources.
Challenge:
- Open source threat intelligence lacks context when an alert is triggered
- Removal of cleaned-up IPs / domains from the lists is often not defined in open source blacklists
What works:
- Creating our own local threat lists based on incident investigation and findings, e.g. from phishing attacks
Plans:
- Evaluating commercial threat intelligence feeds
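A local threat list that addresses both problems listed above, as an added example and not code from the talk or from Splunk: every indicator carries the incident it came from (the context an open feed lacks when an alert fires) and a confirmation date with a time-to-live, so an IP or domain that has been cleaned up stops matching unless an analyst re-confirms it. The indicator values, incident references and events are constructed:

```python
"""A local threat list with context and expiry.

Added example, not code from the talk or from Splunk. Indicators, incident
references and the events matched against them are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Indicator:
    value: str            # IP address or domain name
    kind: str             # "ip" or "domain"
    incident: str         # the local investigation that produced it: context an open feed lacks
    note: str
    confirmed: datetime   # when an analyst last confirmed it is still hostile
    ttl: timedelta = timedelta(days=30)

    def active(self, now):
        """Indicators age out unless re-confirmed, so cleaned-up hosts stop alerting."""
        return now < self.confirmed + self.ttl


class LocalThreatList:
    def __init__(self):
        self._items = {}

    def add(self, indicator):
        self._items[indicator.value.lower()] = indicator

    def confirm(self, value, now):
        """An analyst re-checked the indicator; restart its clock."""
        self._items[value.lower()].confirmed = now

    def active(self, now):
        return sorted(i.value for i in self._items.values() if i.active(now))

    def match(self, events, now):
        """Return hits carrying the investigation context, skipping expired indicators."""
        hits = []
        for e in events:
            for field in ("src", "dest", "domain"):
                value = e.get(field)
                ind = self._items.get(value.lower()) if value else None
                if ind is not None and ind.active(now):
                    hits.append({"ts": e["ts"], "field": field, "indicator": ind.value,
                                 "incident": ind.incident, "note": ind.note})
        return hits


def build_example_list():
    tl = LocalThreatList()
    tl.add(Indicator("198.51.100.44", "ip", "PH-2016-031",
                     "credential-harvesting host from September phishing wave",
                     confirmed=datetime(2016, 9, 20)))
    tl.add(Indicator("payments-example.invalid", "domain", "PH-2016-019",
                     "phishing sender domain, site taken down in July",
                     confirmed=datetime(2016, 7, 1)))
    return tl


# Constructed firewall / proxy events to match against the list.
EVENTS = [
    {"ts": "2016-09-27T09:00:00Z", "src": "10.1.2.3", "dest": "198.51.100.44"},
    {"ts": "2016-09-27T09:01:00Z", "src": "10.1.2.9", "domain": "payments-example.invalid"},
    {"ts": "2016-09-27T09:02:00Z", "src": "10.1.3.4", "dest": "203.0.113.9"},
]


def run_example(now=datetime(2016, 9, 27, 10, 0, 0)):
    tl = build_example_list()
    before = tl.match(EVENTS, now)   # only the September indicator is still live
    tl.confirm("payments-example.invalid", now)
    after = tl.match(EVENTS, now)    # re-confirmed: the domain matches again
    return before, after


if __name__ == "__main__":
    before, after = run_example()
    for hit in before:
        print(f"{hit['ts']} {hit['field']}={hit['indicator']} see {hit['incident']}: {hit['note']}")
    print(f"{len(before)} hit(s) before re-confirming, {len(after)} after")
```

Matching is exact on the indicator value; a list that should also catch subdomains of a hostile domain needs a suffix match, which is a deliberate decision because it widens what fires. The confirmation date rather than the first-seen date drives expiry, so a long-running investigation can keep an indicator alive without re-adding it.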
Many more use cases but not covered today!
- Initial use case: PCI compliance data archiving and retention, dashboards, reviews
- DDoS reporting
- Privileged user monitoring
- Application level security monitoring
How the Partnership Benefits from Splunk Enterprise Security
- We can identify incidents more quickly and take appropriate action where required
- We've empowered our users to make operational risk management decisions
- We are re-using our investment for compliance for security and IT ops use cases
- Splunk allows us to store raw data more cheaply than on the source production systems
The Future
- Adaptive response: looking to feed intelligence from Splunk into Palo Alto Networks
- User Behavior Analytics: need to capture all logins to give UBA what it needs to baseline normal
My Tips
- Encourage system owners to share their data by providing shared operational benefits
- Empower the users: send alerts and reports straight to them. Don't let the security team be a bottleneck
Thank You