Hey Hey! Eniro and Unibet at SplunkLive Stockholm

SplunkLive continued its 2010 tour in Stockholm yesterday, at the lovely Radisson Strand hotel, organized to perfection by our local partner, Sentor. What a fun and informative morning in a wonderful city.

We had a great turnout of over 50 prospects and customers, with most staying through the entirety of Splunk’s Munich-based solution architect Christian Glatschke’s afternoon technical workshop. There were particularly great customer and partner presentations with very rich, multifaceted use cases and hard hitting facts and benefits.

Anders Söderström from Sentor played host throughout the day and gave a short presentation outlining their managed security and Splunk offerings.

Patrik Nordlén provided an overview of the Splunk security monitoring and forensics deployment that he completed for Eniro, the leading Nordic search engine company with over SKR7b in annual revenues (>US$100m). He has implemented comprehensive indexing of all security-relevant data along with predefined alerts for significant security events. Sentor manages this deployment, responding to, investigating and escalating alerts per an agreed policy.

Patrick told of a specific incident where Splunk showed its value in facilitating rapid and thorough investigation. A user came into the office in the morning and found their account locked out. The Sentor response team was asked to investigate. Within a few minutes they were able to pinpoint the lockout as part of a batch account maintenance task completed by a specific administrator that has incorrectly included her account with accounts to be deleted. Additionally, they were able to provide a comprehensive report of all activities by the locked out user in the weeks leading up to the lockout to ensure that her behavior was not in any way suspicuous, adding confidence prior to quickly re-activating her account.

Then Anders Lantz, Head of Application Management and Operations at Unibet, a leader in online gaming, or “moneytainment” as the company prefers, described how his organization initially chose Splunk to comply with an alphabet soup of mandates faced by companies in his industry (PCI-DSS, sure, but LGA, KGC, UKGC, ARJEL, and AMS? New even to me) but find themselves using it in a myriad of other valuable ways.

Anders’ presentation was particularly interesting to me as, like me, he has a lot of checkered history with different log management products and approaches over the last decade or so, and by 2008 he’d come to the same conclusion as I had before I found Splunk – that any log management project takes 6-24 months, then involves a lot of maintenance, and any one log management solution can at best only address a fraction of the requirements across a complex organization. Also, like me, Splunk changed his mind – he said “before we found Splunk, I thought we would need multiple tools to do everything we needed to do.”

Anders emphasized a point that I think is often lost in discussion and marketing in this space – that PCI-DSS specifically forces segregation of duties that ends the practice of developers having direct production server access for debugging. Splunk’s ability to not just support compliance log retention/reporting, but also flexible application troubleshooting, means that he can use it to provide the 50-100 people who used to need production privileges with “tailored remote access” to just data from just the subset of his 250+ servers and 20+ applications indexed by Splunk that they should be allowed to search. With an audit trail.

Anders noted that his company is releasing new functionality constantly today – controlled change windows are a thing of the past with constant market pressure for new games and features. This directly impacts operational stability and workload and is a big reason why troubleshooting is more mission critical and Splunk is vital. Another echo of a theme I hear across all of our customers with complex web offerings.

And he also said that using a consistent tool (Splunk) makes it easier for remote outsourced tier 1 staff to learn how to support more different applications with minimal training/handoff. “It takes less knowledge to find root cause.”

All in all a great event. And to boot I was taught how to properly spell and pronounce my own Swedish name. (It’s really Norén not Noren.) Thanks Milan @ Sentor!

Posted by