Telenor Gains Greater Insight for Incident Investigation, Troubleshooting and Improved Security

With millions of customers, thousands of servers and routers, and datacenters located throughout Norway, Telenor needed to understand the essential operating details of its infrastructure. Communications between different departments were challenging and log event data was difficult to analyze.  Granting access to certain logs on a server often meant giving access to all the logs collected on that server, which posed definite security and privacy risks. The few people with authorized access faced the impossible task of manually browsing through hundreds of millions of log records a day. Unsurprisingly, kernel errors and other issues sporadically slipped by unnoticed.

Splunk has provided Telenor Norway the visibility and operational insight to keep its IT systems and networks running at peak performance. Telenor’s network operations team runs dashboards visualizing network health and monitors for error events and unfamiliar patterns. The security team uses Splunk Enterprise for correlation and analysis of security alarms. With Splunk software it can look for, and be proactively alerted on, abnormal remote access patterns and investigate attacks on Internet-exposed services. Finally, Splunk also underpins the Telenor Computer Emergency Response Team (CERT), which is a cross-departmental incident response team. This virtual team uses Splunk for incident investigation, pinpointing the origin of large issues and performing rapid manual analysis of failing components to limit business impact.

With Splunk Enterprise, Telenor can easily get to the root cause of any issue and resolve it. For example, the team noticed that Telenor WebMail accounts were being abused to send hundreds of thousands of SMS messages abroad. They used Splunk Enterprise to analyze the incident and were immediately able to identify which accounts were being abused and how many SMS were being sent, as well as when and where the logins were coming from. Armed with this insight, it was a simple job to shut down the offending accounts and stop the abuse, preventing further revenue loss.

Using the Splunk platform, Telenor’s security teams can now determine the baseline for “normal” and track any deviations from that standard. This gives Telenor the ability to quickly and efficiently detect brute force login attacks and other security issues. With this established, they can now use easy-to-compose dashboards to monitor systems and services for anomalous activity. Other examples include correlating timing and IP addresses to determine if attacks from multiple countries are coordinated, and the ability to identify vulnerable Internet exposed services. 

Since deploying Splunk Enterprise, Telenor Norway has dramatically improved visibility into its complex IT infrastructure and networks. There is now a ‘Splunk first’ policy in place, so any new data has to be put into Splunk Enterprise. Role-based access control ensures users get the access to the data they need without compromising security or violating customer privacy regulations.

Not only can Telenor’s internal teams investigate and resolve issues much more quickly, they are also able to use Operational Intelligence to create baseline views to catch errors or anomalies early on, often addressing these issues before they impact the customer experience.