Copyright © 2016 Splunk Inc.
@SplunkUK
Building a Security Information and Event Management Platform at Travis Perkins
Nick Bleech
Head of Information Security
Travis Perkins
Matthias Maier
Security Product Marketing Manager
Splunk
Q&A at the end
Please use the Q&A panel window
At Splunk we have the best, most successful and passionate customers with incredible stories to share. These include how our customers ...
• Remain competitive
• Establish new business models
• Improve customer experience
• Avoid major outages
• Adopt new technologies
• Avoid fines
• ...and combat cyber threats
Make machine data accessible, usable and valuable to everyone.
Platform for Machine Data (diagram): use cases shown are Application Delivery; Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things; IT Operations. Data sources shown are Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data and Hadoop.
The Use Cases for Operational Intelligence
Splunk Cloud Available Worldwide
Welcome
Nick Bleech
Travis Perkins
Speaker - Nick Bleech
• I’m currently CISO for the Travis Perkins Group.
• The UK's largest Building Materials Group.
• I started in IT Security technology R&D in 1985.
• Moved on to security management and architect roles in Aerospace, Government, Financial Services & Consulting.
• Before Travis Perkins I was the CISO at Rolls-Royce plc.
– Served on the board of the Jericho Forum
– Expert group which established core principles for ‘Cloud’ Security
What We Do
• My team at Travis Perkins tackles practical challenges including:
• Security Monitoring
• Incident Response
• Driving the governance to tackle Cloud Computing
• Data Security
• Internet of Things
• Agile Development practices
• Information System Lifecycle security risks
Agenda
• Introduction
• Beginning – SIEM ‘mark one’
• CSFs for SIEM ‘mark two’
• CSFs for ‘Lean’ SOC
• Operating Model
• Monitoring Architecture
• Productionization
• Benefits we’ve realized and future roadmap
Travis Perkins Challenges
• Complex IT, mix of on-premise legacy systems/services and the cloud services progressively replacing them
• ‘Cloud First’ i.e. all new solutions must deploy into Cloud and interwork with on-premise as needed
• This meant rolling Splunk out in the Cloud then extending back to on-premise rather than the other way round (although pilot was on-premise)
Travis Perkins Challenges
• Need to be able to adapt data source interfaces at low cost / complexity using open source
• Many parallel IT change / new build projects in flight - e-com, ERP, supply chain etc.
• SIEM Business drivers balanced between Incidents, Investigations, and Compliance use-cases - need flexible and adaptable technology
• No pre-existing internal or external ‘SOC’, no preference to engage a Managed Security Services Provider due to velocity of change and aim to grow in-house expertise
The Beginning
• The ‘Big Bang’:
• Acquire SIEM hardware & software – one size fits all - ($$$$$)
• Connect as many sources as possible (Look Ma - all those connectors!)
• No data source is too large or too complex
• When budget/time/resources run out: SIEM ‘mark one’ that was tagged ‘never again’
Oh dear...stop!
The Beginning
Lessons learnt – the hard way
• Must show early cost/benefit to retain stakeholder buy-in
• Need service integration architecture - not just SIEM infrastructure
• No long term strategy initiated/developed
• SIEM projects very similar to Data Warehouse & Business Intelligence app projects
• This experience gave other security improvement projects a bad name!
Worst of all… CISO was replaced!
Critical Success factors for SIEM ‘mark two’
● Plan/Deliver incrementally - no ‘big bang’
● Grow ‘Lean’ SOC: Develop clear roles for IT Ops Service Ops vs. Infosec forensics
● Design Op team alerting carefully for maximum effectiveness
● Monitoring architecture to include both ‘agent-based’ & ‘agentless’ data collection
● Acknowledge and meet multiple stakeholder needs
(Stakeholder diagram around the SIEM: IT New Build, IT Ops, CIO, EA, Legal/Compliance, Infosec)
Critical Success Factors for ‘Lean’ SOC
Plan/Deliver incrementally:
• Roll out the most effective handling/response process to cover most likely scenario
• Train teams on new process, tune data source and Splunk correlation searches
• ‘Rinse - Wash - Repeat’
Critical Success Factors for ‘Lean’ SOC
Develop clear roles for IT Ops Service Ops vs. Infosec forensics teams:
• IT Ops catch, gather info, dispatch for further investigation/remediation
• Infosec forensics have specialist skills including Splunk training
• Enable follow up detailed investigation post initial response
Critical Success Factors for ‘Lean’ SOC
Design Op team alerting carefully for maximum effectiveness without detailed knowledge of Splunk or other tools
• Use Splunk/ES risk scoring appropriately
• An alert can be like a finger on a spray can: a little alert can trigger a lot of response if you put the right stuff in the can....
Operating Model
Canned alerts are 80% effective in the first instance, and always provide value by gathering some additional information.
Last 30 days of ‘Ransomware’ attacks tracking (dashboard): Splunk detected 135 low-level events it correlated as ‘high risk’ in the period.
Splunk Response Process
1. Risk score triggers alert for target
2. OPs team responds, gathers info, claims notable events & updates them with info
3. OPs team creates incidents for automated in-depth malware scans and/or automated forensics, updates events
4. OPs team submits any binary samples from target to enterprise AV vendor, requests AC scan & cleanup
5. Infosec confirm using Splunk & data collected by Ops that target is clean. If target is not clean, IS can request rebuild or access to target for more forensics
Notes
1. Integration with ServiceNow is planned
2. Process is Pareto-inspired: 80% of events can be handled by this process, on 80% of the infrastructure (Windows, server/client) and resolved at least 80% effective in the first instance
3. For events which OPs cannot resolve (no skills, no access) they can always add value by collecting information about the target
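The risk-score alerting from the ‘Lean’ SOC slide (“Use Splunk/ES risk scoring appropriately”) and the first two steps of the response process above, worked through as an added Python example. This is not Splunk or Splunk ES code and not Travis Perkins’ configuration: the threshold of 100, the 24-hour window, the Windows-first routing rule, the host names and the event list are all constructed for the illustration. It also shows the one thing the slides leave implicit, that stale events must age out of the sum or every host eventually crosses the threshold.

```python
"""Risk-score aggregation and first-line triage (illustration, not Splunk ES code).

Model: many low-level events each add a small risk score to a target; when the
summed score for that target inside a trailing window crosses a threshold an
alert fires. The Ops team takes it first (the Pareto path); what Ops cannot
handle goes to Infosec. Threshold, window and routing rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

RISK_THRESHOLD = 100        # assumed: total score at which a target is alerted
WINDOW_SECONDS = 24 * 3600  # assumed: trailing window over which scores are summed


@dataclass(frozen=True)
class RiskEvent:
    ts: int        # epoch seconds
    target: str    # risk object, here a host name
    source: str    # correlation search that contributed the score
    score: int


def aggregate_risk(events, window=WINDOW_SECONDS, now=None):
    """Sum scores per target over the trailing window. Returns {target: total}."""
    if now is None:
        now = max((e.ts for e in events), default=0)
    totals = defaultdict(int)
    for e in events:
        if 0 <= now - e.ts <= window:      # ignore stale (and future) events
            totals[e.target] += e.score
    return dict(totals)


def triage(events, platforms, threshold=RISK_THRESHOLD, window=WINDOW_SECONDS):
    """Turn high-risk targets into notable events and assign a first-line owner.

    Routing rule (assumed): Windows servers/clients go to the Ops process,
    anything else goes straight to Infosec forensics.
    """
    now = max((e.ts for e in events), default=0)
    totals = aggregate_risk(events, window, now)
    notables = []
    for target, total in totals.items():
        if total < threshold:
            continue
        contributing = sorted({e.source for e in events
                               if e.target == target and 0 <= now - e.ts <= window})
        owner = "ops" if platforms.get(target) == "windows" else "infosec"
        notables.append({"target": target, "risk_score": total,
                         "contributing": contributing, "owner": owner,
                         "status": "new", "info": {}})
    return sorted(notables, key=lambda n: (-n["risk_score"], n["target"]))


def claim(notable, analyst, gathered):
    """Ops claims a notable and attaches what it gathered (step 2 of the process).

    Returns a new dict and leaves the original untouched, so the trail is clear.
    """
    updated = dict(notable, status="in progress", owner_analyst=analyst)
    updated["info"] = {**notable["info"], **gathered}
    return updated


# Constructed sample: three hosts over roughly two hours, plus one stale event.
SAMPLE_EVENTS = [
    RiskEvent(1_000_000, "WS-0412", "Encoded PowerShell command line", 40),
    RiskEvent(1_003_600, "WS-0412", "Mass file rename (ransomware pattern)", 35),
    RiskEvent(1_007_200, "WS-0412", "New scheduled task created", 30),
    RiskEvent(1_001_000, "srv-lnx-07", "OSQuery FIM: /etc/passwd modified", 60),
    RiskEvent(1_002_000, "srv-lnx-07", "Outbound connection to blocklisted IP", 50),
    RiskEvent(1_005_000, "WS-0999", "Failed logon burst", 20),
    # three days old: outside the window, must not count towards WS-0999
    RiskEvent(1_005_000 - 3 * 24 * 3600, "WS-0999", "Malware quarantined by AV", 90),
]
PLATFORMS = {"WS-0412": "windows", "srv-lnx-07": "linux", "WS-0999": "windows"}

if __name__ == "__main__":
    notables = triage(SAMPLE_EVENTS, PLATFORMS)
    for n in notables:
        print(n["owner"], n["target"], n["risk_score"], n["contributing"])
    print(claim(notables[0], "ops-analyst-1", {"logged_on_user": "svc-backup"}))
```

Run as-is: WS-0412 (105) is alerted and routed to Ops, srv-lnx-07 (110) to Infosec, and WS-0999 stays at 20 because its 90-point event is three days old. The `contributing` list is the “gathers info” part of step 2: the analyst sees which searches added up to the alert without needing to write Splunk searches themselves.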
AWS Monitoring Architecture
Monitoring Architecture (1)
• Allow for both ‘agent-based’ & ‘agentless’ data collection to trade off:
– Performance, data volumes, server/network impacts and ‘IT politics’!
• Standard Splunk data source integration methods:
– Cloud / “as a service” products e.g. ServiceNow and FireEye ETP publish APIs, which can be accessed using Splunk apps or Splunk RESTful API data source configurator
– Excellent AWS app enables both collection of AWS native log data (AWS Auth etc) and ingestion / indexing of application data from AWS S3 buckets
– Standard Splunk Forwarder sends on prem data to Splunk Cloud
Monitoring Architecture (2)
• Open source data integration: Highly scalable and performant, OSQuery for host based IDS and FIM (PCI compliant) across whole AWS estate
– No central server required (as would be the case for OSSEC)
– Easy to deploy in ‘continuous integration’ automated pipelines
• Although OSQuery output not Splunk Common Information Model compliant, Splunk immediately understands its json format data
• Enables meaningful correlation searches to be written once data is indexed
• We are free to choose where we parse out meaningful source data for each use case - in OSQ or in Splunk - or both
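The “parse in Splunk” option from the slide above, shown as an added Python example that is not osquery’s, Splunk’s or Travis Perkins’ code. It normalises osquery’s one-JSON-object-per-line result log into Splunk CIM (Change data model) field names for the file_events table, passes other tables through with their raw columns, and keeps malformed lines for inspection instead of dropping them. The field mapping, watched-path list, host names and sample lines are constructed assumptions.

```python
"""Normalising osquery JSON results into CIM-style fields (illustration only).

osquery's differential result log writes one JSON object per line with the
table name, host identifier, a unixTime and a "columns" object. This maps the
file_events table onto CIM Change fields (dest, file_path, file_hash, user,
action) so a correlation search can be written once, and leaves every other
table's columns untouched. Mapping and watched paths are assumptions.
"""
import json

# osquery file_events column -> CIM Change field (assumed mapping, not the official add-on's)
FILE_EVENT_MAP = {"target_path": "file_path", "sha256": "file_hash", "uid": "user"}

# Paths a FIM rule would care about (assumed list; the slides mention PCI-driven FIM)
WATCHED_PREFIXES = ("/etc/", "/usr/bin/", "C:\\Windows\\System32\\")


def normalize(line):
    """Parse one osquery result line. Returns a flat dict, or an error record."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return {"error": "malformed", "detail": str(exc), "raw": line}
    cols = rec.get("columns", {})
    out = {
        "_time": rec.get("unixTime"),
        "dest": rec.get("hostIdentifier"),   # CIM: the host the change happened on
        "query": rec.get("name"),
        "diff_action": rec.get("action"),    # osquery differential: added / removed
    }
    if rec.get("name") == "file_events":
        out.update({cim: cols[osq] for osq, cim in FILE_EVENT_MAP.items() if osq in cols})
        out["action"] = cols.get("action", "").lower()   # CREATED/UPDATED/... -> lower case
        out["change_type"] = "filesystem"
    else:
        out["columns"] = cols   # unknown table: keep raw columns for ad-hoc searching
    return out


def normalize_batch(lines):
    """Split a batch into normalised events and rejected lines."""
    good, bad = [], []
    for line in lines:
        rec = normalize(line)
        (bad if "error" in rec else good).append(rec)
    return good, bad


def fim_hits(events, prefixes=WATCHED_PREFIXES):
    """File changes under watched paths: what a FIM correlation search would alert on."""
    return [e for e in events
            if e.get("change_type") == "filesystem"
            and e["diff_action"] == "added"
            and any(e.get("file_path", "").startswith(p) for p in prefixes)]


# Constructed sample lines in osquery's result-log shape (hash is a placeholder).
SAMPLE_LINES = [
    r'{"name":"file_events","hostIdentifier":"srv-lnx-07","unixTime":1465208100,'
    r'"columns":{"target_path":"/etc/passwd","category":"etc","action":"UPDATED",'
    r'"uid":"0","sha256":"0000000000000000000000000000000000000000000000000000000000000001"},'
    r'"action":"added"}',
    r'{"name":"file_events","hostIdentifier":"WS-0412","unixTime":1465208150,'
    r'"columns":{"target_path":"C:\\Users\\alice\\Documents\\report.docx","category":"users",'
    r'"action":"CREATED","uid":"1001"},"action":"added"}',
    r'{"name":"listening_ports","hostIdentifier":"srv-lnx-07","unixTime":1465208200,'
    r'"columns":{"pid":"1234","port":"4444","protocol":"6","address":"0.0.0.0"},'
    r'"action":"added"}',
    '{"name":"file_events","hostIdentifier":"srv-lnx-07",',   # truncated line
]

if __name__ == "__main__":
    good, bad = normalize_batch(SAMPLE_LINES)
    for hit in fim_hits(good):
        print(hit["dest"], hit["action"], hit["file_path"])
    print(len(bad), "rejected line(s)")
```

On the sample, only the /etc/passwd change is a FIM hit; the user-profile document on WS-0412 is normalised but not alerted, the listening_ports row passes through with its raw columns, and the truncated line ends up in `bad` with the parser’s message rather than vanishing. The same mapping could equally be expressed as Splunk field aliases at search time, which is the “in Splunk” choice the slide describes.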
Productionisation
● We ran an on prem pilot / proof of value using “found” hardware
● Bore an uncanny resemblance to hardware from our previous SIEM…
● We got a working solution, but speed, storage, and reliability issues arose
● Analysts are not good SysAdmins - so they do better work when not minding infrastructure
● Per our Cloud First strategy, we considered two options:
  ● host within our own AWS VPCs, or
  ● purchase the Splunk Cloud SaaS
● In terms of cost/benefit, Splunk Cloud option came out ahead
● Migration took 2 days to get basic functionality up and running
Benefits Obtained and Future Roadmap
● Quicker from ingesting new data to creating meaningful correlation searches
● We were used to having console access to edit .conf files on-prem; but fewer concerns now Splunk Cloud is increasing functionality in the GUI
● Splunk CloudOps are taking pain out of managing host infrastructure
● Intrinsic risk-score based correlation in Splunk/ES has been pivotal in several security incidents
● Our architecture and approach now serve as blueprint for IT Ops and App support teams to leverage Splunk for non-security event/log monitoring
How Sophos Uses Splunk Cloud For An Analytics Driven SOC
Sophos: Security in the cloud, UK, Splunk powers their SOC
• Security analytics driven SOC to protect the business
• Splunk Cloud delivered from within EU as SaaS
• Splunk for real-time reporting, alerting & investigation
How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud
• On-time efficiency & dramatic queue reduction with 925 flights per day
• Real-time, predictive airfield analytics deliver on mobile app & Apple watch
• Data from airport gates, boarding pass scans, x-ray, travel, passenger flow
With Splunk, your enterprise data platform: Security Operations, IT Operations and Business Operations, different people asking different questions of the same data.
Next Step: Discovery Workshop
What’s your Security Use Case?
• Cost justification for your management
• Success measurement
• Prioritization
• Scoping of data sources / data volume / costs
• Establishing organizational processes
• Data privacy justification
Explore: The Art of the Possible
http://splk.it/artofpossible
Join: Our Community with Apps, Ask Questions or join a SplunkLive! event
https://www.splunk.com/en_us/community.html
Try: Splunk Enterprise Security in our Sandbox with 50+ Data Sources
https://www.splunk.com/getsplunk/es_sandbox
Q&A
Please complete the survey
Thank you

More Related Content

PPTX
Getting Started with Splunk (Hands-On)
Splunk
 
PPTX
Best Practices For Sharing Data Across The Enteprrise
Splunk
 
PPTX
dlux - Splunk Technical Overview
David Lutz
 
PPTX
SplunkLive! - Splunk for IT Operations
Splunk
 
PPTX
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk
 
PDF
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
Splunk
 
PPTX
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'
Splunk
 
PPTX
Splunk for IT Operations
Splunk
 
Getting Started with Splunk (Hands-On)
Splunk
 
Best Practices For Sharing Data Across The Enteprrise
Splunk
 
dlux - Splunk Technical Overview
David Lutz
 
SplunkLive! - Splunk for IT Operations
Splunk
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk
 
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
Splunk
 
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'
Splunk
 
Splunk for IT Operations
Splunk
 

What's hot (20)

PPTX
Splunk for ITOps
Splunk
 
PDF
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk
 
PDF
Enterprise Security Guided Tour
Splunk
 
PPTX
Softcat Splunk Discovery Day Manchester, March 2017
Splunk
 
PPTX
Security Automation & Orchestration
Splunk
 
PPTX
SplunkLive! - Splunk for IT Operations
Splunk
 
PPTX
Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk
 
PPTX
Splunk - Verwandeln Sie Datensilos in Operational Intelligence
Splunk
 
PPTX
SplunkLive! Paris 2018: Splunk Overview
Splunk
 
PPTX
Splunk Enterpise for Information Security Hands-On
Splunk
 
PPTX
Machine Data 101 Hands-on
Splunk
 
PDF
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk
 
PPTX
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
Splunk
 
PPTX
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
Splunk
 
PDF
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk
 
PPTX
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk
 
PPTX
Getting started with Splunk - Break out Session
Georg Knon
 
PPTX
Wie erkenne ich die Auswirkungen von IT Ausfallen auf meine Produktion?
Splunk
 
PPTX
Splunk Overview
Splunk
 
PPTX
Splunk EMEA Webinar: Scoping infections and disrupting breaches
Splunk
 
Splunk for ITOps
Splunk
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk
 
Enterprise Security Guided Tour
Splunk
 
Softcat Splunk Discovery Day Manchester, March 2017
Splunk
 
Security Automation & Orchestration
Splunk
 
SplunkLive! - Splunk for IT Operations
Splunk
 
Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk
 
Splunk - Verwandeln Sie Datensilos in Operational Intelligence
Splunk
 
SplunkLive! Paris 2018: Splunk Overview
Splunk
 
Splunk Enterpise for Information Security Hands-On
Splunk
 
Machine Data 101 Hands-on
Splunk
 
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
Splunk
 
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
Splunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk
 
Getting started with Splunk - Break out Session
Georg Knon
 
Wie erkenne ich die Auswirkungen von IT Ausfallen auf meine Produktion?
Splunk
 
Splunk Overview
Splunk
 
Splunk EMEA Webinar: Scoping infections and disrupting breaches
Splunk
 
Ad

Viewers also liked (20)

PPTX
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Splunk
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Delivering business value from operational insights at ING Bank
Splunk
 
PDF
Machine Data 101
Splunk
 
PPTX
Threat Hunting with Splunk Hands-on
Splunk
 
PPTX
Splunk Webinar – IT Operations auf den nächsten Level bringen
Splunk
 
PDF
Don't Re-write Code to Get Better Analytics
Splunk
 
PDF
Building Business Service Intelligence with ITSI
Splunk
 
PPTX
Taking Splunk to the Next Level - Architecture
Splunk
 
PPTX
Splunk sales presentation
jpelletier123
 
PPTX
SplunkLive! Utrecht - Splunk for Security - Monzy Merza
Splunk
 
PPTX
Getting Started with Splunk Enterprise
Splunk
 
PPTX
Introducing Splunk – The Big Data Engine
Swiss Big Data User Group
 
PPTX
Splunk Tutorial for Beginners - What is Splunk | Edureka
Edureka!
 
PPTX
SplunkLive! Utrecht - Keynote - Rick Fitz
Splunk
 
PDF
Building Business Service Intelligence with ITSI
Splunk
 
PDF
Molina Healthcare Customer Presentation
Splunk
 
PDF
Splunk Enterprise for IT Troubleshooting Hands-On
Splunk
 
PPTX
SplunkLive! Utrecht - Splunk for IT Operations - Rick Fitz
Splunk
 
PPTX
How to Design, Build and Map IT and Business Services in Splunk
Splunk
 
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Splunk
 
Threat Hunting with Splunk
Splunk
 
Delivering business value from operational insights at ING Bank
Splunk
 
Machine Data 101
Splunk
 
Threat Hunting with Splunk Hands-on
Splunk
 
Splunk Webinar – IT Operations auf den nächsten Level bringen
Splunk
 
Don't Re-write Code to Get Better Analytics
Splunk
 
Building Business Service Intelligence with ITSI
Splunk
 
Taking Splunk to the Next Level - Architecture
Splunk
 
Splunk sales presentation
jpelletier123
 
SplunkLive! Utrecht - Splunk for Security - Monzy Merza
Splunk
 
Getting Started with Splunk Enterprise
Splunk
 
Introducing Splunk – The Big Data Engine
Swiss Big Data User Group
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Edureka!
 
SplunkLive! Utrecht - Keynote - Rick Fitz
Splunk
 
Building Business Service Intelligence with ITSI
Splunk
 
Molina Healthcare Customer Presentation
Splunk
 
Splunk Enterprise for IT Troubleshooting Hands-On
Splunk
 
SplunkLive! Utrecht - Splunk for IT Operations - Rick Fitz
Splunk
 
How to Design, Build and Map IT and Business Services in Splunk
Splunk
 
Ad

Similar to Building a Security Information and Event Management platform at Travis Perkins (20)

PPTX
SplunkLive! London 2017 - Travis Perkins
Splunk
 
PPTX
Travis Perkins at Gartner Risk and Security Management Summit Europe
Splunk
 
PPTX
Machine Learning + Analytics in Splunk
Splunk
 
PPTX
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
PPTX
Virtual Gov Day - Security Breakout - Deloitte
Splunk
 
PPTX
Splunk for Enterprise Security Featuring UBA
Splunk
 
PDF
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk
 
PPTX
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
Splunk
 
PPTX
Splunk at Weill Cornell Medical College
Splunk
 
PPTX
Operationalizing Big Data Security Analytics - IANS Forum Toronto Keynote
Interset
 
PDF
Navy security contest-bigdataforsecurity
stelligence
 
PDF
Digital Transformation: How to Run Best-in-Class IT Operations in a World of ...
Precisely
 
PPTX
Machine Learning and Analytics Breakout Session
Splunk
 
PPTX
Splunk Discovery Day Dubai 2017 - Security Keynote
Splunk
 
PPTX
Splunk for ITOA Breakout Session
Splunk
 
PPTX
Machine Learning and Analytics Breakout Session
Splunk
 
PDF
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Precisely
 
PDF
SplunkSummit 2015 - Security Ninjitsu
Splunk
 
PPTX
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
Jon Papp
 
PPTX
Getting Started with Splunk Enterprise
Shannon Cuthbertson
 
SplunkLive! London 2017 - Travis Perkins
Splunk
 
Travis Perkins at Gartner Risk and Security Management Summit Europe
Splunk
 
Machine Learning + Analytics in Splunk
Splunk
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Virtual Gov Day - Security Breakout - Deloitte
Splunk
 
Splunk for Enterprise Security Featuring UBA
Splunk
 
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk
 
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
Splunk
 
Splunk at Weill Cornell Medical College
Splunk
 
Operationalizing Big Data Security Analytics - IANS Forum Toronto Keynote
Interset
 
Navy security contest-bigdataforsecurity
stelligence
 
Digital Transformation: How to Run Best-in-Class IT Operations in a World of ...
Precisely
 
Machine Learning and Analytics Breakout Session
Splunk
 
Splunk Discovery Day Dubai 2017 - Security Keynote
Splunk
 
Splunk for ITOA Breakout Session
Splunk
 
Machine Learning and Analytics Breakout Session
Splunk
 
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Precisely
 
SplunkSummit 2015 - Security Ninjitsu
Splunk
 
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
Jon Papp
 
Getting Started with Splunk Enterprise
Shannon Cuthbertson
 

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
PDF
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
PDF
Building Resilience with Energy Management for the Public Sector
Splunk
 
PDF
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
PDF
.conf Go 2023 - Data analysis as a routine
Splunk
 
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
PDF
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Building Resilience with Energy Management for the Public Sector
Splunk
 
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 

Recently uploaded (20)

PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
The Future of Artificial Intelligence (AI)
Mukul
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 

Building a Security Information and Event Management platform at Travis Perkins

  • 1. Copyright © 2016 Splunk Inc. @SplunkUK Building a Security Information and Event Management Platform at Travis Perkins Nick Bleech Head of Information Security Travis Perkins Matthias Maier Security Product Marketing Manager Splunk
  • 2. Q&A at the end Please use the Q&A panel window
  • 3. 3 At Splunk we have the best, most successful and passionate customers with incredible stories to share. These include how our customers ...
  • 11. 11 Make machine data accessible, usable and valuable to everyone. 11
  • 12. Platform for Machine Data Applicatio n Delivery Security, Compliance and Fraud Business Analytics Industrial Data and Internet of Things IT Operations Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop The Use Cases for Operational Intelligence
  • 15. Speaker - Nick Bleech • I’m currently CISO for the Travis Perkins Group. • The UK's largest Building Materials Group. • I started in IT Security technology R&D in 1985. • Moved on to security management and architect roles in Aerospace, Government, Financial Services & Consulting. • Before Travis Perkins I was the CISO at Rolls-Royce plc. – Served on the board of the Jericho Forum – Expert group which established core principles for ‘Cloud’ Security
  • 16. 16 What We Do • My team at Travis Perkins tackles practical challenges including: • Security Monitoring • Incident Response • Driving the governance to tackle Cloud Computing • Data Security • Internet of Things • Agile Development practices • Information System Lifecycle security risks
  • 17. 17 Agenda • Introduction • Beginning – SIEM ‘mark one’ • CSFs for SIEM ‘mark two’ • CSFs for ‘Lean’ SOC • Operating Model • Monitoring Architecture • Productionization • Benefits we’ve realized and future roadmap
  • 18. 18 Travis Perkins Challenges • Complex IT, mix of on-premise legacy systems/services and the cloud services progressively replacing them • ‘Cloud First’ i.e. all new solutions must deploy into Cloud and interwork with on-premise as needed • This meant rolling Splunk out in the Cloud then extending back to on-premise rather than the other way round (although pilot was on-premise)
  • 19. 19 Travis Perkins Challenges • Need to be able to adapt data source interfaces at low cost / complexity using open source • Many parallel IT change / new build projects in flight - e- com, ERP, supply chain etc. • SIEM Business drivers balanced between Incidents, Investigations, and Compliance use-cases - need flexible and adaptable technology • No pre-existing internal or external ‘SOC’, no preference to engage a Managed Security Services Provider due to velocity of change and aim to grow in-house expertise
  • 20. 20 The Beginning • The ‘Big Bang’: • Acquire SIEM hardware & software – one size fits all - ($$$$$) • Connect as many sources as possible (Look Ma - all those connectors!) • No data source is too large or too complex • When budget/time/resources run out: SIEM ‘mark one’ that was tagged ‘never again’ Oh dear...stop!
  • 21. 21 The Beginning • Must show early cost/benefit to retain stakeholder buy-in • Need service integration architecture - not just SIEM infrastructure • No long term strategy initiated/developed • SIEM projects very similar to Data Warehouse & Business Intelligence app projects • This experience gave other security improvement projects a bad name! Lessons learnt – the hard way Worst of all… CISO was replaced!
  • 22. 22 Critical Success factors for SIEM ‘mark two’ ● Plan/Deliver incrementally - no ‘big bang’ ● Grow ‘Lean’ SOC: Develop clear roles for IT Ops Service Ops vs. Infosec forensics ● Design Op team alerting carefully for maximum effectiveness ● Monitoring architecture to include both ‘agent-based’ & ‘agentless’ data collection ● Acknowledge and meet multiple stakeholder needs SIEMIT New Build IT Ops CIO EA Legal/Compl iance Infosec
  • 23. 23 Critical Success Factors for ‘Lean’ SOC Plan/Deliver incrementally: • Roll out the most effective handling/response process to cover most likely scenario • Train teams on new process, tune data source and Splunk correlation searches • ‘Rinse - Wash - Repeat’
  • 24. 24 Critical Success Factors for ‘Lean’ SOC Develop clear roles for IT Ops Service Ops vs. Infosec forensics teams: • IT Ops catch, gather info, dispatch for further investigation/remediation • Infosec forensics have specialist skills including Splunk training • Enable follow up detailed investigation post initial response
  • 25. 25 Critical Success Factors for ‘Lean’ SOC Design Ops team alerting carefully for maximum effectiveness, so that responders do not need detailed knowledge of Splunk or other tools • Use Splunk/ES risk scoring appropriately • An alert can be like a finger on a spray can: a little alert can trigger a lot of response if you put the right stuff in the can....
  • 26. 26 Operating Model Canned alerts are 80% effective in the first instance, and always provide value by gathering some additional information
  • 27. 27 Last 30 days of ‘Ransomware’ attacks tracking. Splunk detected 135 low-level events it correlated as ‘high risk’ in the period
  • 28. 28 Splunk Response Process 1. Risk score triggers alert for target 2. Ops team responds, gathers info, claims notable events & updates them with info 3. Ops team creates incidents for automated in-depth malware scans and/or automated forensics, updates events 4. Ops team submits any binary samples from target to enterprise AV vendor, requests AV scan & cleanup 5. Infosec confirm, using Splunk & the data collected by Ops, that target is clean. If target is not clean, IS can request rebuild or access to target for more forensics. Notes 1. Integration with ServiceNow is planned 2. Process is Pareto-inspired: 80% of events can be handled by this process, on 80% of the infrastructure (Windows, server/client) and resolved at least 80% effectively in the first instance 3. For events which Ops cannot resolve (no skills, no access) they can always add value by collecting information about the target
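The first step of the process above, a risk score crossing a threshold and firing the alert, is the part worth seeing in code. The following is an added example, not Travis Perkins' own tooling or Splunk ES itself: it reimplements risk-based aggregation in plain Python over constructed low-level events. The rule weights, the 24-hour window, the threshold and the host names are assumptions for illustration; a real deployment tunes all of them.

```python
"""
Risk-based alerting in miniature (added example, not Splunk ES code).

Each low-severity detection adds risk points to a risk object (here a host).
A notable fires when the points accumulated inside a time window reach the
threshold. The many small events never page anyone on their own; only the
aggregate does, which is what lets an Ops team act without tool expertise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-detection risk contributions; real values are tuned per estate.
RISK_RULES = {
    "av_signature_hit": 20,
    "shadow_copy_deleted": 40,
    "mass_file_rename": 30,
    "smb_lateral_burst": 25,
    "new_scheduled_task": 10,
}
RISK_THRESHOLD = 80            # assumed: score at which a notable is raised
WINDOW = timedelta(hours=24)   # assumed: look-back window per risk object

# Constructed sample of low-level events: (timestamp, rule name, risk object).
SAMPLE_EVENTS = [
    ("2016-05-01T09:00:00", "new_scheduled_task", "WS-0412"),
    ("2016-05-01T09:05:00", "av_signature_hit", "WS-0412"),
    ("2016-05-01T09:07:00", "mass_file_rename", "WS-0412"),
    ("2016-05-01T09:08:00", "shadow_copy_deleted", "WS-0412"),
    ("2016-05-01T10:00:00", "new_scheduled_task", "SRV-FILE01"),
    ("2016-05-03T10:00:00", "av_signature_hit", "SRV-FILE01"),  # 48h later: outside window
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def score_events(events, rules=RISK_RULES, threshold=RISK_THRESHOLD, window=WINDOW):
    """Return {risk_object: {"score": int, "rules": [...], "notable": bool}}.

    An object's score is the sum of risk points for events that fall within
    `window` of that object's most recent event. Unknown rule names are
    ignored rather than given a guessed weight.
    """
    by_obj = defaultdict(list)
    for ts, rule, obj in sorted(events, key=lambda e: e[0]):
        if rule not in rules:
            continue
        by_obj[obj].append((parse_ts(ts), rule))

    result = {}
    for obj, evs in by_obj.items():
        latest = evs[-1][0]
        in_window = [(t, r) for t, r in evs if latest - t <= window]
        score = sum(rules[r] for _, r in in_window)
        result[obj] = {
            "score": score,
            "rules": sorted({r for _, r in in_window}),
            "notable": score >= threshold,
        }
    return result


def notables(events, **kw):
    """Risk objects that crossed the threshold, highest score first."""
    scored = score_events(events, **kw)
    return sorted((o for o, v in scored.items() if v["notable"]),
                  key=lambda o: -scored[o]["score"])


if __name__ == "__main__":
    for obj, v in score_events(SAMPLE_EVENTS).items():
        print(obj, v)
    print("notables:", notables(SAMPLE_EVENTS))
```

Run stand-alone, WS-0412 reaches 100 points from four individually unremarkable events and becomes the one notable; SRV-FILE01 only ever has 20 points inside any 24-hour window. The rules listed against the notable are what the Ops team gets handed as the "info gathered" in step 2, without needing to read the underlying searches.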
  • 37. 37 Monitoring Architecture (1) • Allow for both ‘agent-based’ & ‘agentless’ data collection to trade off: – Performance, data volumes, server/network impacts and ‘IT politics’! • Standard Splunk data source integration methods: – Cloud / “as a service” products, e.g. ServiceNow and FireEye ETP, publish APIs which can be accessed using Splunk apps or a Splunk RESTful API data source input – The AWS app enables both collection of AWS native log data (AWS auth etc.) and ingestion / indexing of application data from AWS S3 buckets – The standard Splunk Forwarder sends on-prem data to Splunk Cloud
  • 38. 38 Monitoring Architecture (2) • Open source data integration: osquery, highly scalable and performant, for host-based IDS and FIM (meeting the PCI DSS file integrity monitoring requirement) across the whole AWS estate – No central server required (as there would be for OSSEC) – Easy to deploy in ‘continuous integration’ automated pipelines • Although osquery output is not Splunk Common Information Model compliant, Splunk immediately understands its JSON format data • Enables meaningful correlation searches to be written once data is indexed • We are free to choose where we parse out meaningful source data for each use case - in osquery, in Splunk, or both
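The last point on the slide, parsing osquery output before or after indexing, is concrete enough to show. The following is an added example, not Travis Perkins' pipeline or any osquery/Splunk project code: it takes constructed lines in the shape osqueryd's filesystem logger writes for the `file_events` table, maps them onto a subset of Splunk CIM Change-style field names, and keeps only fresh changes in categories a FIM policy cares about. The host names, paths, categories and the "sensitive" policy are assumptions for illustration.

```python
"""
Normalising osquery file_events results (added example, not osquery or Splunk code).

osqueryd emits one JSON object per line; in differential mode each row carries
a top-level "action" of "added" (new row since last snapshot) or "removed"
(row gone), and the FIM detail lives under "columns". Splunk will index the
JSON as-is, but mapping the fields to CIM names up front is what lets one
correlation search cover osquery, agentless and vendor sources alike.
"""
import json

# Constructed osqueryd results.log lines; one is deliberately malformed.
SAMPLE_LOG = r'''
{"name":"pack_fim_file_events","hostIdentifier":"web-01","calendarTime":"Sun May  1 09:00:01 2016 UTC","unixTime":1462093201,"action":"added","columns":{"target_path":"/etc/passwd","category":"etc","action":"UPDATED","sha256":"aa11","uid":"0","time":"1462093200"}}
{"name":"pack_fim_file_events","hostIdentifier":"web-01","calendarTime":"Sun May  1 09:00:02 2016 UTC","unixTime":1462093202,"action":"added","columns":{"target_path":"/var/www/html/index.php","category":"www","action":"CREATED","sha256":"bb22","uid":"33","time":"1462093201"}}
{"name":"pack_fim_file_events","hostIdentifier":"web-02","calendarTime":"Sun May  1 09:00:03 2016 UTC","unixTime":1462093203,"action":"added","columns":{"target_path":"/var/log/syslog","category":"logs","action":"UPDATED","sha256":"","uid":"0","time":"1462093202"}}
not json at all
{"name":"pack_fim_file_events","hostIdentifier":"web-02","calendarTime":"Sun May  1 09:00:04 2016 UTC","unixTime":1462093204,"action":"removed","columns":{"target_path":"/etc/passwd","category":"etc","action":"UPDATED","sha256":"aa11","uid":"0","time":"1462093200"}}
'''

# Assumed FIM policy: osquery "category" values whose changes should surface.
SENSITIVE_CATEGORIES = {"etc", "www"}

# file_events action values -> CIM Change "action" vocabulary (subset).
ACTION_MAP = {
    "CREATED": "created", "UPDATED": "modified", "DELETED": "deleted",
    "MOVED_FROM": "deleted", "MOVED_TO": "created", "ATTRIBUTES_MODIFIED": "modified",
}


def parse_results(text):
    """Yield parsed osquery result objects, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn line from rotation/crash must not stop the feed
        if "columns" in obj and "name" in obj:
            yield obj


def to_cim(obj):
    """Map one differential result onto CIM-style field names."""
    cols = obj["columns"]
    return {
        "dest": obj.get("hostIdentifier"),
        "_time": int(obj.get("unixTime", 0)),
        "file_path": cols.get("target_path"),
        "file_hash": cols.get("sha256") or None,   # osquery leaves it empty when not hashed
        "action": ACTION_MAP.get(cols.get("action", ""), "unknown"),
        "object_category": cols.get("category"),
        "user": cols.get("uid"),
        "source_query": obj.get("name"),
        "diff_action": obj.get("action"),           # "added" = fresh change, "removed" = aged out
    }


def fim_alerts(text, sensitive=SENSITIVE_CATEGORIES):
    """CIM-normalised events for fresh changes in sensitive categories only."""
    out = []
    for obj in parse_results(text):
        ev = to_cim(obj)
        if ev["diff_action"] == "added" and ev["object_category"] in sensitive:
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in fim_alerts(SAMPLE_LOG):
        print(json.dumps(ev))
```

Two of the five lines survive: the `/etc/passwd` modification and the new PHP file under the web root. The syslog write is filtered by category, the torn line is skipped, and the "removed" row is dropped because it only records that an earlier row aged out of the snapshot, not a new change. Whether this mapping runs in a script like this before forwarding, or as field extractions and eval statements at search time in Splunk, is exactly the choice the slide leaves open.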
  • 39. 39 Productionisation ● We ran an on-prem pilot / proof of value using “found” hardware ● It bore an uncanny resemblance to hardware from our previous SIEM… ● We got a working solution, but speed, storage, and reliability issues arose ● Analysts are not good sysadmins, and do better work when they are not minding infrastructure ● Per our Cloud First strategy, we considered two options: ● host within our own AWS VPCs, or ● purchase the Splunk Cloud SaaS ● In terms of cost/benefit, the Splunk Cloud option came out ahead ● Migration took 2 days to get basic functionality up and running
  • 40. 40 Benefits Obtained and Future Roadmap ● Quicker from ingesting new data to creating meaningful correlation searches ● We were used to having console access to edit .conf files on-prem; fewer concerns now that Splunk Cloud is increasing the functionality available in the GUI ● Splunk CloudOps are taking the pain out of managing host infrastructure ● Intrinsic risk-score based correlation in Splunk/ES has been pivotal in several security incidents ● Our architecture and approach now serve as a blueprint for IT Ops and App support teams to leverage Splunk for non-security event/log monitoring
  • 41. How Sophos Uses Splunk Cloud For An Analytics Driven SOC • Sophos: security in the cloud, UK; Splunk powers their SOC • Security analytics driven SOC to protect the business • Splunk Cloud delivered from within the EU as SaaS • Splunk for real-time reporting, alerting & investigation
  • 42. 42 How Gatwick Airport Ensures Better Passenger Experience With Splunk Cloud • On-time efficiency & dramatic queue reduction with 925 flights per day • Real-time, predictive airfield analytics delivered on mobile app & Apple Watch • Data from airport gates, boarding pass scans, x-ray, travel, passenger flow
  • 43. Security Operations / IT Operations / Business Operations: With Splunk, your enterprise data platform, different people ask different questions of the same data
  • 44. Next Step: Discovery Workshop What’s your Security Use Case? • Cost justification for your management • Success measurement • Prioritization • Scoping of data sources / data volume / costs • Establishing organizational processes • Data privacy justification
  • 45. Explore: The Art of the Possible http://splk.it/artofpossible • Join: Our Community with Apps, Ask Questions or join a SplunkLive! event https://www.splunk.com/en_us/community.html • Try: Splunk Enterprise Security in our Sandbox with 50+ Data Sources https://www.splunk.com/getsplunk/es_sandbox • Q&A • Please complete the survey • Thank you