Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITXpo 2012

Mining Security Data: Security Surveillance and the case for data reuse

Upload: splunk

Post on 09-Jun-2015

Category: Technology

DESCRIPTION

National Australia Bank has gained new operational visibility and intelligence using Splunk and their machine data. Learn how hundreds of Splunk users within these organizations turn terabytes of machine data into increased uptime, improved service delivery, real-time customer insights, enhanced security posture, informed capacity planning and more.

TRANSCRIPT

Page 1: Delivering Operational Intelligence at NAB with Splunk, Gartner Symposium ITXpo 2012

Mining Security Data: Security Surveillance and the case for data reuse

Page 2: National Australia Bank

• Financial services organisation with over 40,000 employees
• Operating more than 1,800 branches and service centres
• Responsible to more than 460,000 shareholders
• Major financial services franchises in Australia, New Zealand, Asia, the United Kingdom and the United States
• Committed to providing quality products and services, fair fees and charges, and relationships built on the principles of help, guidance and advice

Page 3: Introducing Jamie

• Security Program Manager, Information Security Services
• Senior Manager, nabCERT SOC
  • National Australia Bank’s Computer Emergency Response Team
  • Won SC Magazine Award for Organizational Excellence in Information Security
• 12+ years in technology
• Held various roles at NAB:
  • Info Security team leader
  • Architecture and strategy
  • Project management
  • Consulting

Page 4: Five Areas of Interest

• What’s the user doing?
• What’s the machine doing?
• What’s the app doing?
• What’s happening to the data?
• What’s happening on the network?

Page 5: Defining (some of) the Issues the SOC Faced

• Need to improve incident response times
• Require greater visibility into security events
• Achieve contextualized / enriched alerting
• Correlate across systems
• Deal with different log formats
• Add new or modified log formats
• Avoid custom code (10 different security analysts)
• Limit to resource availability for manual (bespoke) investigations

Page 6: Why Splunk? ROI for nabCERT

“Splunk gave us the speed of deployment and results we were looking for.”

• Stood up Splunk quickly
• Onboard and integrate data once—easily
• No need to re-import when applications or formats change
• Keeps the team in the business of security analysis and out of the business of building parsers and connectors
• Proven to be effective and efficient

Page 7: Case Study One

• Primary objective: Significantly reduce the time to complete electronic searches of email archives to meet legal requests
• Email logs easily searchable, by user, subject, timeframe
  – Effective? Yes
    • Ability to perform searches based on subject, sender, recipient, date / time
    • Results used by the team to finalise acquisition of all pertinent material
  – Efficient? Yes
    • No more grep
    • Search times reduced to minutes vs. hours or days (per investigator)
    • Concurrent searching of datasets by the investigative team

Page 8: You’re Mining For Gold In Your Data…

Au

Page 9: If You Are Going To That Much Trouble

Fe, Cu, Pb, Ag, Ni

Page 10: Who Are Our Data Consumers?

• Business Partners
• Application Support
• Fraud Team
• Infrastructure Performance Management
• Network Service Delivery Managers
• Security

Page 11: Case Study Two: DHCP Logs

Security
• Detecting unauthorized devices
• Monitor based on standard naming convention + Active Directory credentials
• Add MAC address lookup to confirm a "good" device

Service Delivery Operations
• Ensuring optimum connectivity / productivity
• Alerts for insufficient IP / subnet coverage across the network
• Alerts when subnets are full
• Visibility into underutilized subnets
• Triggers action for Network team to reallocate / reassign subnet

Our approach is to maximise the utility from every log source collected and indexed, not just for security.

Page 12: DHCP Dashboard—Security View

Use commentary on the dashboard: Cause / Impact / Resolution

Page 13: DHCP Dashboard – Network Service View

Don’t use Average; use Most Common (mode), median and 90th Percentile.

Page 14: Network Service View #2

Users cannot connect to the network, or have delays connecting in hot desk areas.

Page 15: DHCP Dashboard – Infrastructure View

Capacity and availability issues for the team supporting these services, as well as Service Desk.

Page 16: Case Study Three: The After Hours Worker

Who is working late and how often during the week? Are they using the same workstation?

Page 17: Case Study 4: SOC to the Rescue

The ‘gold’ in this case happens to be a log line that resolved a three week issue causing significant disruption to a business unit.

Page 18: Enriched Data Drives Action

• Single log type (DHCP) from 1,000+ DHCP servers
• Security (nabCERT SOC) gets the “gold” it is after
• Networks, Security Operations (Firewalls), Service Management, Infrastructure support, Building services get what is of value to them
• Splunk search language calculations to pinpoint most critical – Min, Median, Mode, Max, 90th percentile
• Cross-reference with other data (IP address database)
• Provide the teams with the facts, in context, with an explanation and remedy
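The following Python script is an added worked example, not code from the NAB deck, the speaker or Splunk. It shows the two reuses of one DHCP lease log described on the Case Study Two slide and summarised above: the security view (hostname against a naming convention plus an Active Directory computer list, with a MAC/OUI lookup to confirm a "good" device) and the network service view (per-subnet leases in use summarised with mode, median and 90th percentile rather than the average), both enriched from an IP address database. The log format, the `NABW-<site>-<5 digits>` naming convention, the AD computer set, the OUI table, the IP database and the hourly lease counts are all constructed for the example; nothing here is a real NAB or Splunk identifier.

```python
"""Added example, not code from the NAB deck, the speaker or Splunk: one DHCP lease log
reused by two consumers, as in Case Study Two and the summary slide above.
Security: naming convention + AD account check, then a MAC (OUI) lookup to confirm a
"good" device. Network: per-subnet mode / median / 90th percentile instead of the
average, enriched from an IP address database. Every input below is constructed."""
import ipaddress
import re
import statistics

# Hypothetical lease-log format: <timestamp> ACK <client ip> <mac> <hostname>
DHCP_LOG = """\
2012-10-08T08:01:12 ACK 10.20.1.15 02:aa:01:00:00:01 NABW-SYD-00123
2012-10-08T08:01:40 ACK 10.20.1.16 02:aa:01:00:00:02 NABW-SYD-00124
2012-10-08T08:02:05 ACK 10.20.1.17 02:bb:02:00:00:03 iPhone-de-jamie
2012-10-08T08:02:33 ACK 10.20.1.18 02:aa:01:00:00:04 nabw-syd-00125
2012-10-08T08:03:10 ACK 10.20.2.7  02:cc:03:00:00:05 TPLINK_ROUTER
2012-10-08T08:03:44 ACK 10.20.2.8  02:aa:01:00:00:06 NABW-MEL-99999
2012-10-08T08:04:01 ACK 10.20.2.9  02:dd:04:00:00:07 NABW-SYD-0012
"""
# Constructed IP address database: subnet -> site name and DHCP pool size.
IP_DB = {"10.20.1.0/24": {"site": "Sydney L5 hot desks", "pool": 60},
         "10.20.2.0/24": {"site": "Melbourne L2", "pool": 250}}
# Hypothetical naming convention NABW-<site>-<5 digits>; hostnames are case-insensitive.
NAME_CONVENTION = re.compile(r"^NABW-[A-Z]{3}-\d{5}$", re.IGNORECASE)
# Constructed Active Directory computer accounts, stored upper-case.
AD_COMPUTERS = {"NABW-SYD-00123", "NABW-SYD-00124", "NABW-SYD-00125", "NABW-MEL-00310"}
# Constructed OUI (first three MAC octets) -> vendor; CorpLaptopCo is the bank-issued hardware.
OUI_VENDORS = {"02:aa:01": "CorpLaptopCo", "02:bb:02": "ConsumerPhoneCo", "02:cc:03": "HomeRouterCo"}
CORPORATE_VENDORS = {"CorpLaptopCo"}
# Constructed hourly "leases in use" samples (00:00-23:00); the hot-desk floor saturates mid-day.
HOURLY_LEASES = {
    "10.20.1.0/24": [12, 10, 9, 9, 10, 14, 25, 48, 60, 60, 60, 60, 55, 60, 60, 60, 58, 40, 22, 15, 12, 11, 10, 10],
    "10.20.2.0/24": [8, 7, 7, 7, 8, 9, 12, 20, 30, 31, 32, 33, 30, 32, 33, 31, 30, 25, 15, 10, 9, 8, 8, 6],
}

def parse_leases(text):
    """Return (timestamp, ip, mac, hostname) tuples; malformed lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "ACK":
            leases.append((parts[0], parts[2], parts[3].lower(), parts[4]))
    return leases

def lookup_site(ip):
    """Cross-reference a client IP with the IP address database -> site name."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in IP_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return info["site"]
    return "unknown subnet"

def classify_device(mac, hostname):
    """Security view: naming convention + AD account first, MAC lookup as the tie-breaker."""
    named_ok = bool(NAME_CONVENTION.match(hostname))
    in_ad = hostname.upper() in AD_COMPUTERS
    vendor = OUI_VENDORS.get(mac[:8], "unknown vendor")
    if named_ok and in_ad:
        return "TRUSTED", f"naming convention and AD account match ({vendor})"
    if vendor in CORPORATE_VENDORS:
        return "REVIEW", f"corporate hardware ({vendor}) failed the name/AD check"
    return "ALERT", f"unauthorized device ({vendor})"

def security_view(log_text):
    """Rows for the SOC dashboard, each enriched with the site from the IP database."""
    rows = []
    for _ts, ip, mac, hostname in parse_leases(log_text):
        verdict, detail = classify_device(mac, hostname)
        rows.append({"host": hostname, "ip": ip, "site": lookup_site(ip),
                     "verdict": verdict, "detail": detail})
    return rows

def percentile(values, pct):
    """Nearest-rank percentile: the smallest sample at or above pct% of the sorted data."""
    ordered = sorted(values)
    rank = -(-pct * len(ordered) // 100)  # ceil(pct * n / 100) in integer arithmetic
    return ordered[rank - 1]

def subnet_stats(hourly_in_use, pool):
    """Network view: mode/median/p90 as the slide advises; the mean is kept only to show what it hides."""
    p90 = percentile(hourly_in_use, 90)
    p90_util = p90 / pool
    if p90_util >= 0.90:
        status = "FULL"           # trigger for the Network team to expand or reallocate the pool
    elif p90_util <= 0.25:
        status = "UNDERUTILIZED"  # candidate address space to reassign
    else:
        status = "OK"
    return {"mean": round(statistics.mean(hourly_in_use), 1), "mode": statistics.mode(hourly_in_use),
            "median": statistics.median(hourly_in_use), "p90": p90,
            "p90_util": round(p90_util, 3), "status": status}

def network_view(hourly_counts):
    """Per-subnet statistics joined with site and pool size from the IP address database."""
    return {cidr: {"site": IP_DB[cidr]["site"], **subnet_stats(counts, IP_DB[cidr]["pool"])}
            for cidr, counts in hourly_counts.items()}

if __name__ == "__main__":
    for r in security_view(DHCP_LOG):
        print(f"{r['verdict']:8} {r['host']:16} {r['ip']:11} {r['site']:20} {r['detail']}")
    for cidr, s in network_view(HOURLY_LEASES).items():
        print(f"{cidr} {s['site']:20} mean={s['mean']} mode={s['mode']} median={s['median']} "
              f"p90={s['p90']} ({s['p90_util']:.0%} of pool) -> {s['status']}")
```

Run as a script, the security view prints seven enriched rows (three trusted workstations, one corporate laptop flagged for review because its name has no AD account, three unauthorized devices), and the network view shows why the slide warns against averages: the Sydney hot-desk subnet averages about 33 of 60 leases, which looks healthy, while its mode and 90th percentile are both 60, i.e. the pool is full for most of the working day. Capacity decisions keyed on the 90th percentile against pool size are what "triggers action for the Network team" on the Case Study Two slide.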

Page 19: Democratizing Data (In A Secure Fashion)

• Take a collaborative approach
• Give us your data, we’ll give you more value
• Dashboards for specific teams so they can drill down themselves for problem solving
• Role-based access ensures access only to relevant data
• Look beyond the gold (what you are after)

Page 20: Back to the Case Study One (Legal)

Primary objective: Significantly reduce time to complete electronic searches for legal

• Reuse case 1: Data loss protection supplement
• Reuse case 2: User activity baselining
• Reuse case 3: Validate spam / spoof controls
• Reuse case 4: User Access Revalidation supplement

Page 21: What’s Next?

Think and plan strategically, work tactically

• More re-use cases from our data
• More application and databases
• Complete key infrastructure collection
• Look for the opportunities
• Take the time to look for the win:win

Page 22: Questions?

Page 23: Splunk Company Overview

Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Region HQ: London, Hong Kong
• Over 600 employees, based in 10 countries
• Q2 Revenue: $44.5 million; +71% year-over-year

Business Model / Products
• Free download to massive scale
• On-premise, in the cloud and SaaS

4,400+ Customers
• Customers in over 80 countries
• 54 of the Fortune 100
• Largest license: 100 Terabytes per day

See us on the ITXpo Showfloor in booth S2