Transcript of "Managing Information Collaboration with Decentralized Splunk Infrastructure" (Splunk slide deck)
Copyright © 2016 Splunk Inc.

Managing Information Collaboration with Decentralized Splunk Infrastructure
Bryan Schaefer, MSISA, CISSP, Success Advisory Engineer, Splunk
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
about.speaker
Bryan Schaefer
• Success Advisory Engineer for Splunk – Large Civilian Agency & all subagencies
• Prior Security Architect who fell into running a 2.5TB global Splunk instance
• St. Louis native, just relocated to MD this year
• Prior Navy, loved being at sea
• Email: [email protected] – There are two Bryan Schaefers at Splunk.
Agenda
• SIEM Transition
• Decentralized Architecture Options
• Organizational Collaboration
• Security Data Sharing
Topics Not Covered
• Chargeback Models
• Hardware Recommendations/Requirements/Costs
• Managed Splunk As a Service Provider
• How to Win Friends and Influence People
• World Peace
So why are we here?
• You might be a large agency with 42 separate organizational units each using Splunk, and you want a single view of the whole environment?
• Perhaps you're not that large, but still have multiple teams running disparate Splunk instances that you need to correlate data between.
• Maybe you're attempting to figure out how your organization thinks about data sharing?
• Or you could just be curious and want to learn and share your knowledge when you get back?
Splunk SIEM to SAP Roadmap
[Figure: maturity roadmap with four stages, SIEM Augmentation, SIEM Replacement, Framework Maturity, Security Analytics; axes labelled Maturity and Effectiveness]
Define success via maturity steps & clear goals for each phase. Set milestones to define when you're ready to move from one step to the next.
SIEM Transition Approach
• ES implementation as a blank canvas – Lots of out of the box material, may not always apply to your usage
• Define what must work Day-1, current reports, and metrics – Get those implemented first so that you can migrate
• Define a framework and maturity model for your SOC – Set use cases, priority, data requirements, and measure progress
• Plan progression from SIEM to SAP – Think more around analytics, using non-security logs to drive security
Splunk Architecture: Basic Enterprise Design
• Search Entities: Search Heads, Search Head Clusters
• Data Storage: Indexers, Indexer Clusters, Hunk
• Forwarders: Universal Forwarder, Heavy Forwarder, REST, HEC, Hunk
• Auxiliary Systems: License Master, Deployment Server, Monitoring Console, Search Head Deployer, Indexer Cluster Master
• Apps & TAs – configuration containers for ingesting, storing, parsing, dashboarding, searching, reporting
Design Options
• Splunk Centralization – One Splunk for Everyone
• Search Peering – Groups can search other groups' Splunk
• Segmented Peering – Segmenting Indexers to shared vs. not shared
• Parallel Ingest – Groups ingest the same data sources in parallel
Search Peering Design
• Central SOC operates Splunk internally to store notable events and internal logs
• Division allows CSOC to search against internal indexers
• Single record is maintained, CSOC and Division can monitor search utilization
• CSOC has access to all data at Division, not just "agreed sources", must maintain proper access control separate of Division.
• CSOC will need to normalize index names across entire organization.
• Data Model Accelerations can be problematic
Simplest technical model, requires most cooperation
Segmented Peering Design
Central SOC operates Splunk infrastructure at Division. Data is indexed once. Data sources are segmented by use case, and all shared data sources go into the "enclave" Splunk. Both groups then search a single copy of the shared data. The division operates its own search tier and indexing for non-shared data. Access control is enforced by architecture: central SOC cannot read internal division data, division can only see their security data. The division and Central SOC can monitor search load and performance of shared indexers.
Index once, search multiple times, segments data sources
Parallel Ingest Design
Central SOC operates Splunk infrastructure at Division. Data is indexed twice. Data sources are segmented by use case, and all shared data sources go into the "enclave" Splunk. Data is indexed in CSOC and Division. No shared infrastructure, CSOC must monitor data source health. Organization must decide which environment hosts "authoritative record" and separate retention policies. Alternatively, the Division's Heavy Forwarders and Indexers can forward data to the CSOC instead of the downstream forwarders.
Most complex and expensive, high likelihood to fail
Decentralized Operations Decisions
• Decide which use cases need a centralized view – IOC sweeps, L1 security monitoring, auditing, security posture
• Decide where authoritative record will reside
• Where does data physically need to be
• Determine downstream considerations and access control
• Set policy regarding availability, access, service requirements – DO THIS EARLY
• Determine who needs Data Model Acceleration and on what data. – This is big, as it has real hardware implications.
Organization Considerations
• Access Control – Who needs to access what? What needs to be shared vs quarantined? Anything "too sensitive"?
• Center of Excellence Model – How can everyone work together? Who is the internal PM, architect? – Who is trained? Track training of all admins and key analysts.
• Metrics Reporting – How do you measure success? Who cares about success?
Operating at Large Scale
• Use event types! – Group by org, set access control around Splunk servers
• Get localized TAs from data sharing groups
• Start using Data Models early – Populate with event types, get fields normalized

| Event type | Search definition |
|---|---|
| eventtype=group1_indexers | splunk_server=group1* |
| eventtype=all_indexers | eventtype=group*_indexers |
| eventtype=group1_firewalls | (eventtype=group1_indexers index=sec sourcetype=fw) |
| eventtype=firewalls | eventtype=group*_firewalls |
| Data Model = Network | eventtype=group*_network |
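The following Python is an added illustration, not part of the presentation: it models how the nested event types on this slide resolve (a wildcard such as group*_firewalls ORs every matching org-level event type) and checks the property the "set access control around Splunk servers" advice depends on, namely that every org-level event type pins splunk_server to that org's indexers. The eventtypes.conf text is constructed from the slide's names, and the expansion is a simplified model of what the search head does, not Splunk's own code.

```python
import configparser
import fnmatch
import re

# Constructed eventtypes.conf mirroring the slide's hierarchy (sample data,
# not taken from any real deployment).
EVENTTYPES_CONF = """
[group1_indexers]
search = splunk_server=group1*
[group2_indexers]
search = splunk_server=group2*
[all_indexers]
search = eventtype=group*_indexers
[group1_firewalls]
search = (eventtype=group1_indexers index=sec sourcetype=fw)
[group2_firewalls]
search = (eventtype=group2_indexers index=sec sourcetype=fw)
[firewalls]
search = eventtype=group*_firewalls
"""

EVENTTYPE_REF = re.compile(r"eventtype=(\S+)")

def load_eventtypes(text):
    """Parse eventtypes.conf stanzas into {name: search}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: cp[name]["search"] for name in cp.sections()}

def expand(name, types, depth=0):
    """Replace each eventtype=<name> reference with the referenced search; a
    wildcard name ORs every matching event type (simplified model of how the
    search head expands eventtype= terms)."""
    if depth > 10:
        raise RecursionError("event type reference cycle at " + name)

    def sub(match):
        hits = sorted(fnmatch.filter(types, match.group(1)))
        if not hits:
            raise KeyError("unknown event type " + match.group(1))
        return "(" + " OR ".join(expand(n, types, depth + 1) for n in hits) + ")"

    return EVENTTYPE_REF.sub(sub, types[name])

def unscoped_eventtypes(types):
    """Org-level event types (group*) must pin splunk_server so a search stays
    on that org's indexers; return the ones whose expansion does not."""
    return sorted(n for n in types if n.startswith("group")
                  and "splunk_server=" not in expand(n, types))
```

Running unscoped_eventtypes over a real eventtypes.conf export is a cheap check that a new org's event types were added with the splunk_server restriction rather than as a bare index/sourcetype search.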
Two Things to Avoid
• Inception Splunk – Strive for as few layers as possible. – Determine if an instance is "too small" and can be consolidated.
• "Where did the data go?" – Determine "who cares" for data sources – Monitor data inputs religiously! – Find normal, and report outside of that
Additional Information
• Whitepaper coming
• Splunk Multi-tenancy – http://blogs.splunk.com/2011/11/04/splunk-and-multitenancy/
• Splunk MSaaS Concept – http://blogs.splunk.com/2016/01/22/msaas-a-conceptual-multi-splunk-architecture-framework-for-multitenant-splunk-deployments-for-msps-mssps-and-enterprises/
• Typical Deployment Characteristics – http://docs.splunk.com/Documentation/Splunk/6.5.0/Deploy/Deploymentcharacteristics
Announcements
.conf2017 is coming to Washington, D.C.!
September 25-28, 2017, Walter E. Washington Convention Center
Reserve your seat for .conf2017 now through November 30th to get the super saver discount!
Reserve your spot today, pay later!
Sign Up Today: http://live.splunk.com/LP=1822
After registration opens, you will have 60 days to complete your registration to secure the super saver rate.
Visit the Information Kiosk in the Solution Pavilion!
Support Operation Homefront!
Earn Your 6 Sponsor Badges! Splunk will donate $10 to Operation Homefront's Holiday Meals for Military Families Program for every attendee that completes their mission of earning 6 sponsor badges. The program will provide meals to our local military families this holiday season.
Plus a bonus if we hit 350 completed missions: Splunk will double the $3,500 donation to $7,000!
Workshops: Get Splunk Hands-on Experience
Attend a Splunk Workshop
Upcoming Schedule
• December 1: Introduction to Splunk Enterprise
• December 14: Introduction to Splunk IT Troubleshooting
• January 11: Introduction to Splunk Enterprise Security
• January 11: NEW! Database Performance Tuning and Capacity Planning Workshop
• January 25: Introduction to Splunk IT Service Intelligence
• January 25: NEW! Splunk for Application Developers
Location: Splunk Office, McLean, VA
Visit http://www.doyouknowsplunk.com/workshops
Visit the Information Kiosk in the Solution Pavilion!
Splunk User Groups - Connect with Local Splunkers
• Northern Virginia: Meets the last 3rd Thursday of every month. https://usergroups.splunk.com/group/northern-virginia-splunk-user-group.html
• DC: Meets the last Wednesday of every month. https://usergroups.splunk.com/group/washington-dc-splunk-user-group.html
• Baltimore: Meets the 3rd Monday of every month. https://usergroups.splunk.com/group/baltimore-splunk-user-group.html
Visit the Information Kiosk in the Solution Pavilion!
Take the GovSummit Post Event Survey!
We value your feedback! Take the post event survey on the iPads in the foyer starting at 2:30pm!