Recently we had our annual user conference .conf2015 at the MGM in Las Vegas. Many European customers joined us there, and some of them presented the impressive things they are doing with Splunk and their machine data. Earlier this week, Matt talked about the EMEA customers that presented their IT Operations use cases. I want to share with you how EMEA customers use Splunk for Security. Their use cases range from traditional SIEM, to security analytics with automated response, to protecting the business by using Splunk for fraud detection and forensics. Here are this year's highlights from EMEA – you can review the slide decks and watch the recordings on our .conf2015 website.
Yoox.com: Building an Enterprise-Grade Security Intelligence Platform
Gianluca Gaias, Head of Information Security at Yoox Group, the global leader in online luxury brands (which recently acquired Richemont’s Net-a-porter), adopted Splunk as the integration fabric of their cybersecurity platform. Specifically, Splunk provides real-time event correlation and analytics for intrusion detection and for identifying recurring malicious behavioural patterns. Any violation of a security policy is detected by an automatic alerting system. These incidents are visible in a comprehensive set of dashboards that enriches activity monitoring with deep investigation capabilities. Yoox is currently working to build an enterprise-grade security intelligence platform with predictive and learning capabilities on top of their current Splunk deployment; with this achievement they will take a step forward from a reactive approach to a more mature, proactive one.
Swisscom: Collaborative Security Model
Christof Jungo, Head of Security Architecture at Swisscom, presented the new way they want to approach IT security in the near future. Recently they also published the report “Cyber Security: the current threat status and its development”.
The collaborative security model is a framework that extends Splunk’s existing monitoring solution with an open and expandable abstraction layer for security commands. The aim is to build a true ecosystem that allows every security solution provider to participate by expanding the framework with their own application. The framework establishes a standardized two-way communication channel, so security components can be managed centrally. Another advantage is the abstraction layer itself: it ensures a security provider can be replaced at any time with a new, more suitable product. In our joint efforts for phase 1, we brought a number of providers on board, such as Intel, Fortinet, Palo Alto Networks and EMC. The goal is to build a prototype that further enables manufacturers to participate in the ecosystem.
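To make the idea of a standardized command vocabulary and a swappable provider layer concrete, here is an added illustration in Python. It is not Swisscom's framework or any Splunk code; the command names, the `SecurityCommandBus` class and the in-memory firewall adapters are all hypothetical stand-ins for vendor integrations. The point it shows is that the central dispatcher validates commands against one shared vocabulary, fans them out over a two-way channel (every provider replies with a result), keeps an audit trail, and lets one provider be replaced without touching the callers.

```python
"""Hypothetical abstraction layer for security commands (added example, not Swisscom's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Protocol, Tuple


@dataclass(frozen=True)
class Command:
    """Standardized command: one verb from a shared vocabulary plus a target."""
    action: str            # "block_ip", "unblock_ip" or "status"
    target: str = ""       # IP address for block/unblock, empty for status
    ttl_seconds: int = 0   # how long a block should live (0 = provider default)


@dataclass(frozen=True)
class Result:
    """Reply sent back over the channel by one provider."""
    provider: str
    ok: bool
    detail: str


class SecurityProvider(Protocol):
    name: str

    def handle(self, cmd: Command) -> Result: ...


class InMemoryFirewall:
    """Stand-in for a vendor firewall adapter (constructed; keeps a block list in memory)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.blocked: Dict[str, int] = {}

    def handle(self, cmd: Command) -> Result:
        if cmd.action == "block_ip":
            self.blocked[cmd.target] = cmd.ttl_seconds
            return Result(self.name, True, f"blocked {cmd.target}")
        if cmd.action == "unblock_ip":
            removed = self.blocked.pop(cmd.target, None) is not None
            return Result(self.name, removed, "unblocked" if removed else "was not blocked")
        if cmd.action == "status":
            return Result(self.name, True, f"{len(self.blocked)} addresses blocked")
        return Result(self.name, False, f"unsupported action {cmd.action}")


class SecurityCommandBus:
    """Central dispatcher: validates, fans out to every registered provider, records replies."""

    ACTIONS = {"block_ip", "unblock_ip", "status"}

    def __init__(self) -> None:
        self._providers: Dict[str, SecurityProvider] = {}
        self.audit: List[Tuple[Command, List[Result]]] = []

    def register(self, provider: SecurityProvider) -> None:
        self._providers[provider.name] = provider

    def replace(self, old_name: str, provider: SecurityProvider) -> None:
        """Swap one provider for another; callers of dispatch() are unaffected."""
        del self._providers[old_name]
        self.register(provider)

    def providers(self) -> List[str]:
        return sorted(self._providers)

    def dispatch(self, cmd: Command) -> List[Result]:
        # Validation happens once, centrally, before any provider sees the command.
        if cmd.action not in self.ACTIONS:
            raise ValueError(f"unknown action {cmd.action!r}")
        if cmd.action != "status":
            ipaddress.ip_address(cmd.target)  # raises ValueError on a malformed target
        results = [p.handle(cmd) for p in self._providers.values()]
        self.audit.append((cmd, results))
        return results


if __name__ == "__main__":
    bus = SecurityCommandBus()
    bus.register(InMemoryFirewall("firewall-a"))
    bus.register(InMemoryFirewall("firewall-b"))
    # 192.0.2.0/24 is documentation address space, used here as a constructed sample.
    for r in bus.dispatch(Command("block_ip", "192.0.2.10", ttl_seconds=3600)):
        print(r)
    bus.replace("firewall-b", InMemoryFirewall("firewall-c"))
    print(bus.dispatch(Command("status")))
```

The abstraction is only useful if the vocabulary stays small and stable; a new provider implements `handle()` for the verbs it supports and returns `ok=False` for the rest, so the bus never needs provider-specific branches.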
Christof also gave an interview at theCUBE and explained their concept of “we are already breached”.
PostFinance: How Splunk Connects Business and IT at a Swiss Bank
Patrick Hofmann, Head of IT Infrastructure, showed how PostFinance, Switzerland’s third-largest retail bank, grew from using Splunk for log management to providing machine-data-based services to a wide audience, including business applications. The session gave a short overview of the Splunk environment at PostFinance and then focused on two use cases:
- Business Support: The application support team has moved from using database exports and Excel to create their monthly reports, to being able to recognize possible fraud cases and create any report a manager asks for on the fly.
- Fraud Detection: The online security team uses Splunk to monitor the biggest online banking portal in Switzerland and to react in real time to threats or possible attacks. To end the session, he took a quick look at the key success factors for implementing Splunk at PostFinance.
Finanz Informatik: Compliance for 124 Million Bank Accounts
Dirk Hille, Michael Grabow and Julian Teichart from Finanz Informatik (FI), the IT service provider for approximately 416 German savings banks with up to 124 million bank accounts, explained their journey with Splunk. Finanz Informatik uses Splunk to comply with both internal requirements and external regulations that control access to customer data. They showed how Finanz Informatik started with Splunk to build a centralized SIEM platform across the mainframe, network, Unix and Windows environments. They then gave an overview of how Finanz Informatik uses Splunk for compliance requirements. The session covered how Finanz Informatik designed the architecture, the challenges they faced and the solutions they have implemented. They also presented their monitoring, automated deployment and release management for Splunk in a complex, heterogeneous IT environment.
Linux Polska: From Zero to Pretty Robust Fraud Detection Tool
Tomasz Dziedzic, Senior Service Architect at Linux Polska, showed how one of their customers (a large bank) started receiving reports of wire transfers not being delivered. As a result, clients threatened the bank with lawsuits and the bank started to lose its reputation. The anti-fraud team was helpless. The security analysts found some suspicious event sequences in custom application and web server logs, which indicated that someone had stolen clients’ passwords. An attempt to solve the problem of automated fraud detection with old-school Unix tools such as egrep, sed, awk and cron led to a quick-and-dirty, temporary, partial solution that nobody was fully satisfied with. The anti-fraud team still needed a solid and flexible tool to support fraud detection. Tomasz presented the main features of the fraud detection tool Linux Polska built and demonstrated how they used Splunk to build such a tool quickly.
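The session above describes "suspicious event sequences" spread across application and web server logs, which is exactly what line-oriented tools like egrep and awk struggle with: the signal is in the relationship between lines, not in any single line. The following added Python example (not Linux Polska's tool, not Splunk code) shows the kind of stateful sequence correlation a detection needs. The log format, the field names, the rule (many distinct accounts logging in from one source address and each initiating a transfer within a short window) and the thresholds are all constructed for illustration; the sample log uses documentation address space.

```python
"""Stateful sequence detection over constructed bank logs (added example, hypothetical rule)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed line format; a real deployment would parse its own application logs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|transfer) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: amount=(?P<amount>\d+))?$"
)

# Constructed sample: one source address driving four accounts, two ordinary sessions,
# one out-of-order line and one unparsable line.
SAMPLE_LOG = """\
2015-09-21T10:00:01Z login user=alice src=203.0.113.5
2015-09-21T10:00:05Z login user=erin src=198.51.100.7
2015-09-21T10:01:10Z transfer user=alice src=203.0.113.5 amount=4900
2015-09-21T10:01:30Z login user=bob src=203.0.113.5
2015-09-21T10:02:00Z transfer user=bob src=203.0.113.5 amount=4800
2015-09-21T10:02:40Z transfer user=erin src=198.51.100.7 amount=120
2015-09-21T10:03:00Z login user=carol src=203.0.113.5
2015-09-21T10:02:55Z login user=dave src=203.0.113.5
2015-09-21T10:03:20Z transfer user=carol src=203.0.113.5 amount=4950
2015-09-21T10:03:45Z transfer user=dave src=203.0.113.5 amount=4700
2015-09-21T10:30:00Z login user=frank src=192.0.2.9
2015-09-21T10:50:00Z transfer user=frank src=192.0.2.9 amount=300
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a typed event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["amount"] = int(ev["amount"]) if ev["amount"] else 0
    return ev


def find_suspicious_sources(
    log_text: str,
    window: timedelta = timedelta(minutes=10),
    min_accounts: int = 3,
) -> Dict[str, dict]:
    """Flag source addresses from which >= min_accounts distinct users logged in
    and then initiated a transfer within `window` of that login."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda e: e["ts"])           # logs are rarely in order; sequence logic needs it
    last_login: Dict[tuple, datetime] = {}       # (src, user) -> most recent login time
    hits: Dict[str, dict] = defaultdict(lambda: {"accounts": set(), "total": 0})
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["event"] == "login":
            last_login[key] = ev["ts"]
        elif ev["event"] == "transfer":
            login_ts = last_login.get(key)
            if login_ts is not None and ev["ts"] - login_ts <= window:
                hits[ev["src"]]["accounts"].add(ev["user"])
                hits[ev["src"]]["total"] += ev["amount"]
    return {
        src: {"accounts": sorted(h["accounts"]), "total": h["total"]}
        for src, h in hits.items()
        if len(h["accounts"]) >= min_accounts
    }


if __name__ == "__main__":
    for src, info in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(info['accounts'])} accounts, {info['total']} transferred -> {info['accounts']}")
```

The window and account threshold are the knobs an anti-fraud team would tune against its own baseline; the structural point is that the detector keeps state per (source, user) pair across lines, which a single egrep pipeline cannot do without reinventing exactly this bookkeeping.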
Looking forward to seeing you soon!