Copyright 2014 Splunk Inc.
Comprehensive Security with Splunk and Cisco
Mario MASSARD, Splunk Senior SE, mario@splunk.com
Company
Company (NASDAQ: SPLK)
- Founded 2004, first software release in 2006
- HQ: San Francisco / Regional HQ: London, Hong Kong
- Over 1,000 employees, based in 12 countries
- Annual Revenue: $302.6M (YoY +52%)
- $10+ billion market valuation
- Fast Company 2013: Named Splunk #4 Most Innovative Company in the World and #1 Big Data Innovator
- Leader: Gartner SIEM Magic Quadrant, 2013
Business Model / Products
- Free download to massive scale
- On-premises, in the cloud and SaaS
- 7,000+ Customers, in over 90 countries, including 60 of the Fortune 100
- Largest license: 100 Terabytes per day
Proven at 7,000+ Customers in 90+ Countries
Over Half the Fortune 100
Industries: Cloud and Online Services, Education, Energy and Utilities, Financial Services and Insurance, Government, Healthcare, Manufacturing, Media, Retail, Technology, Telecommunications, Travel and Leisure
Make machine data accessible, usable and valuable to everyone.
Splunk: The Engine For Machine Data
Real-time machine data sources: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security devices, Desktops, CDRs
Capabilities: Ad hoc search, Monitor and alert, Custom dashboards, Report and analyze, Developer Platform
Storage: Splunk storage and other Big Data stores
Splunk Key Differentiators (Splunk vs. Traditional SIEM)
- Single product, UI, data store
- Quick deployment & ease-of-use
- Can easily index any data type and retain all of it
- Big data architecture enables scale and speed
- Flexible search and reporting
- Open platform
Splunk Delivers Value Across IT and the Business
Operational Intelligence for IT and Business Users
Use cases: IT Operations Management, Industrial Data / Internet of Things, Application Management, Digital Intelligence, Security and Compliance, Business Analytics, Customer Support
Users: Operations Teams, System Administrators, Application Developers, Security Analysts, Auditors, IT Executives, Website/Business Analysts, LOB Owners/Executives
The Splunk Platform: Operational Intelligence Platform
- Content: Inputs, Apps, Other Content
- User and Developer Interfaces: Web Framework, SDK, REST API
- Core Functions: Search Processing Language, Indexing, Collection
- Core Engine
A Wealth of Splunk Apps
Over 500 apps available on the Splunk apps site, covering XenApp/XenDesktop, Server, Storage, Network, Server Virtualization, Operating Systems, Infrastructure Applications, Mobile Applications, Cloud Services, Custom Biz Applications, Ticketing/Help Desk and Other Monitoring, built on the Web Framework, SDKs and REST API
A Growing, Global Community of Users
- 3,000+ unique visitors per week to dev.splunk.com
- 500+ Apps, 24,000+ questions and 30,000+ Answers
- Local User Groups and SplunkLive! events
- Annual Users Conference: Oct. 6 - Oct. 9, Las Vegas, NV
Use Machine Data to Monitor Your Cisco Environment
Increasing Complexity in Today's Datacenter
(Diagram: vswitch, VLAN, Fabric VLAN, WAN, DC Fabric, VMs, VRFs and overlays layered on each other)
Datacenter Landscape
- Infrastructure: Capacity Planning, Performance Monitoring, Quick Time to Resolution
- Applications: User Experience, Availability, Utilization
- Security: User Audit, Compliance, Security
Datacenter: Connecting the dots across Security, Applications and Infrastructure
Splunk: Broad Support for Cisco Infrastructure
Splunk App for Enterprise Security, 120+ security apps & add-ons: Cisco ASA, Cisco WSA, Cisco Security Suite, Cisco ESA, Cisco UCS, Cisco Advanced Threat Detection, NetFlow, Cisco IOS, Cisco ISE, Sourcefire
Splunk @ Cisco CSIRT
Replacing a SIEM @ Cisco
Challenges: SIEM could not meet security needs
- Very difficult to index non-security or custom app log data
- Serious scale and speed issues: 10GB/day and searches took > 6 minutes
- Difficult to customize, with reliance on pre-built rules which generated false positives
Enter Splunk: Flexible SIEM and empowered team
- Easy to index any type of machine data from any source
- Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
- All the data + flexible searches and reporting = empowered team
- 900 GB/day and searches take under a minute; 7 global data centers with 350TB stored data
- Estimate Splunk is 25% the cost of a traditional SIEM
"We moved to Splunk from traditional SIEM as Splunk is designed and engineered for big data use cases. Our previous SIEM was not and simply could not scale to the data volumes we have." Gavin Reid, Leader, Cisco Computer Security Incident Response Team
The CSIRT Team
The Computer Security Incident Response Team (CSIRT) reduces the risk of loss as a result of security incidents for Cisco-owned business. CSIRT regularly engages in proactive threat assessment, mitigation planning, incident trending with analysis, security architecture, incident detection and response.
- Tier 1 Event Analysis group (Costa Rica)
- Tier 2 Event Analysis group (Bangalore)
- Tier 3 Incident Response team (Global)
CSIRT Environment
- 300 locations in 90 countries, 400 buildings, 1500+ Labs
- 100,000+ employees on network
- 50-300 malware-related cases opened in a typical week
- 650,000+ IP Devices on network: 130,000 Windows hosts, 50,000 Linux hosts, 40,000 Routers
- 2-3 million highly tuned IDS events per day
- 4.6 billion Netflow records per day
Some event sources send their data to a global network of collection servers.
Cisco Uses Splunk Extensively
- 18 projects worldwide, ~9TB Splunk indexing capacity
- Key use cases include proactive security monitoring and forensics (CSIRT), monitoring & management of 1000s of apps, and website infrastructure monitoring and analysis
- Transformation from commodity services to high-value, proactive threat prevention
"We have the data. We just can't leverage it without Splunk." - Cisco Director of Technology
Next Steps if Interested in Splunk
(Figure: Traditional SIEM vs. Splunk)
- Download Cisco apps at Splunk.com > Community > Apps
- If new user, try Splunk for free! Download Splunk at www.splunk.com
- Go to Splunk.com > Community > Documentation > Splunk Tutorial; in 30 minutes you will have imported data, run searches, created reports
- More information at Splunk.com > Solutions
- Contact me > mario@splunk.com
Thank You
Demo Time!