A couple of weeks ago, I was in one of my favourite cities for SplunkLive Stockholm. We had a couple of hundred people in one of the most impressive rooms we’ve ever held a SplunkLive in. It felt more like the setting of Romeo and Juliet (as far as I know, there weren’t any declarations of undying love – not even for machine data).
This year we were very happy to have Statnett, Klarna and IKEA presenting on how they use Splunk.
Statnett own, build and maintain the Norwegian power grid and “make sure the lights are on in Norway”. We had Linus from Statnett talking about how they “monitor all the things” using Splunk and how this feeds into their troubleshooting, DevOps, IT Service Management and security programs. The challenges they faced included how to troubleshoot, monitor and secure thousands of servers and network devices. You can see their presentation on SlideShare below:
Next up was Henrik from Klarna, an eCommerce company that provides payment services for online retail. Henrik spoke about how they work in 18 markets, with 250,000 payments a day from 35 million users. He explained how they started using Splunk in engineering for a distributed payments system and for security monitoring of correlated events. Over 50% of their 1200 employees have access to Splunk across IT Operations, development, technical sales, merchant customer support, operational analytics and business intelligence (truly making machine data accessible, usable and valuable to everyone…). He ended by talking about their security operations team and how Splunk is used to monitor and correlate authentication events, malware, firewall/netflow data, vulnerability management and address allocation. Their presentation is below:
Last but by no means least was Magnus Johansson, Splunk Ninja at IKEA. He presented on how and why IKEA replaced their existing SIEM with Splunk:
He spoke about the new demands required of a security intelligence platform and the big wins on the way to SIEM replacement. First of these was the ability to monitor eCommerce systems. The adoption of Splunk enabled the eCommerce team to go from reactive troubleshooting to being much more proactive by correlating multiple data sources to show the business impact of any issues. The time to troubleshoot problems came down from days or weeks to minutes.
The second big win on the way to replacing their SIEM was that they started to deliver business analytics in four key areas:
- Real time sales compared to last week for the major regions
- Payment provider availability
- Performance of Akamai
- Business process tracing (orders that take longer than 10 seconds to process)
During the implementation of Splunk as their new SIEM/security intelligence platform, they found that Splunk started off as an enabler for greater collaboration when working with security intelligence. The IKEA security teams then started to look into the “background noise” in the machine data. They uncovered new risk areas and gained insight into areas such as:
- “Hey – I think we are hacked!”
- Attempts to bypass security mechanisms (slow-rate and brute force attacks)
- Google search bot from Ukraine?
- Fraud attempts
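The slow-rate and brute-force attempts listed above illustrate why a single per-minute failure threshold is not enough: a patient attacker who tries one password every ten minutes never trips it. As an added example, not from the IKEA presentation nor from Splunk itself, the Python below parses constructed sshd-style authentication log lines (the format, host name and IP addresses are all made up for the example) and runs two complementary detectors over them: a sliding-window burst rule, and a slow-rate rule that catches sources which stay under the burst threshold but accumulate many failures over a long span. In Splunk the same logic would be expressed as a search over the authentication data; it is written here in plain Python so it runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical sshd-style auth log line, constructed for this example, e.g.
# 2015-06-01T08:00:00 web01 sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _fmt(ts, result, user, src, invalid=False):
    """Render one constructed log line in the format LINE_RE parses."""
    who = ("invalid user " if invalid else "") + user
    return f"{ts:%Y-%m-%dT%H:%M:%S} web01 sshd[4242]: {result} password for {who} from {src} port 51000 ssh2"


def build_sample_log():
    """Constructed sample data (not a real capture) showing three behaviours:
    a normal user with one typo, a classic burst, and a slow-rate sweep."""
    base = datetime(2015, 6, 1, 8, 0, 0)
    lines = [
        _fmt(base, "Failed", "alice", "192.0.2.10"),
        _fmt(base + timedelta(seconds=15), "Accepted", "alice", "192.0.2.10"),
    ]
    # Burst: six failures inside 30 seconds from one source.
    for i in range(6):
        lines.append(_fmt(base + timedelta(hours=2, seconds=5 * i), "Failed", "root", "198.51.100.7"))
    # Slow-rate: one failure every ten minutes for four hours, cycling usernames,
    # so no single minute ever holds more than one failure from this source.
    for i in range(24):
        user = ["admin", "test", "oracle", "guest"][i % 4]
        lines.append(_fmt(base + timedelta(minutes=10 * i), "Failed", user, "203.0.113.5", invalid=True))
    return "\n".join(lines)


def parse_auth_log(text):
    """Parse log text into (timestamp, result, user, src) tuples, oldest first.
    Lines that do not match the expected format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def _failures_by_source(events):
    """Group the timestamps of failed logins by source address (sorted input)."""
    per_src = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            per_src[src].append(ts)
    return per_src


def max_failures_in_window(timestamps, window):
    """Largest number of failures that fall inside any sliding window of the
    given length (timestamps must be sorted). Two-pointer scan, O(n)."""
    best = 0
    left = 0
    for right, ts in enumerate(timestamps):
        while ts - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside one `window`."""
    found = {}
    for src, ts_list in _failures_by_source(events).items():
        n = max_failures_in_window(ts_list, window)
        if n >= threshold:
            found[src] = n
    return found


def detect_slow_rate(events, total_threshold=20, span=timedelta(hours=24),
                     burst_threshold=5, burst_window=timedelta(minutes=1)):
    """Sources that never reach the burst threshold in any single window but
    still accumulate `total_threshold` failures within `span`. This is the
    case a per-minute rule on its own misses."""
    found = {}
    for src, ts_list in _failures_by_source(events).items():
        if max_failures_in_window(ts_list, burst_window) >= burst_threshold:
            continue  # already reported by the burst rule
        total = max_failures_in_window(ts_list, span)
        if total >= total_threshold:
            found[src] = total
    return found


if __name__ == "__main__":
    evs = parse_auth_log(build_sample_log())
    print("burst sources:", detect_bursts(evs))
    print("slow-rate sources:", detect_slow_rate(evs))
```

The two rules are deliberately kept separate so each can be tuned on its own: the burst window and threshold control noise from ordinary typos, while the slow-rate span decides how patient an attacker has to be before the long-window count stops catching them. On the constructed data the burst rule reports only 198.51.100.7 and the slow-rate rule only 203.0.113.5; alice's single typo is flagged by neither.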
IKEA are now managing over a TB of machine data a day in Splunk from a huge number of sources, including 1000 AIX servers, 3500 Linux servers, 5500 Windows servers and 100,000 Windows clients.
Magnus summarised their enterprise security journey and the benefits along the way below:
IKEA are now using Splunk for enterprise-wide security and explained the key benefits as:
- Real-time reaction instead of weeks later
- Before, it was hard to get access to data – now we have a queue of data to get to…
- Splunk is a collaboration enabler – teams work together in new ways
- Security put the ball in play; the business is now our driver
IKEA’s presentation can be found below:
Many thanks to everyone who attended and special thanks to Linus, Henrik and Magnus.
As always, thanks for reading and hopefully see you at a SplunkLive soon.