SplunkLive! Milano 2016 - customer presentation - Yoox - Net a porter
5 likes•6,839 views
Gianluca Gaias presented on building an enterprise-grade security intelligence platform at YOOX NET-A-PORTER Group. The security approach evolved from technology-oriented to information-oriented, using Splunk. Dashboards advanced from standard to dynamic and real-time. Analysis evolved from log correlation to pattern recognition, risk management, and contextual security information. The goals were to gain a big picture view, move from passive to proactive security, and support risk analysis and decision making.
SplunkLive! Milano 2016 - customer presentation - Yoox - Net a porter
- 1. Gianluca Gaias Security, Risk & Compliance Director YOOX NET-A-PORTER Group Giovanni Curatola Building an Enterprise-grade Security Intelligence Platform at YOOX NET-A-PORTER Group (Gain the Big Picture)
- 2. Personal introduction Gianluca Gaias, YOOX NET-A-PORTER Group Security, Risk & Compliance Director YOOX NET-A-PORTER Group is the global Internet retailing partner for leading fashion and luxury brands 2
- 3. Key Takeaways From a technology oriented approach to an info-centric approach. From log correlation to pattern recognition. From a passive/display platform to a proactive/executive platform. From standard dashboards to real-time dynamic dashboards. From a security event to an context-aware security information. 3
- 4. Agenda 4 Yoox Group: business and challenges. Security evolution overview From Tech Oriented approach to Information Oriented approach – Deep Investigation – Proactive Dashboard: IP Blacklist – Real-time Dynamic Dashboard: Attack Map Risk Management and Pattern Recognition – Use Case: Attackers Activity Reconsidering dashboard design Next Steps
- 5. YOOX NET-A-PORTER GROUP Over 180 countries served DCs US, UK, Italy, China, Hong Kong, Japan Customer care covering all time zones Local Offices: New York, London, Milan, Bologna, Paris, Hong Kong, Shanghai, Tokyo Same-Day Delivery in London, Manhattan, Connecticut and Hong Kong Digital production facilities US, UK, Italy, China, Hong Kong, Japan Butler service and authenticity RFid seal 1 order processed every 4 seconds 1.7 billion revenues 27.1 million active customers PRO-FORMA 2015 FY 7.1 million orders 27.1 million active customers
- 6. Rest of Europe 48.8% Global premier online luxury fashion destination for content and commerce for the season’s must-have womenswear collections Unparalleled editorial content, including its weekly online magazine THE EDIT and bi- monthly print magazine PORTER Global destination for men’s style with unparalleled offering from the season of the leading menswear, watchmakers and specialist grooming brands Rich editorial content through the weekly online magazine The Journal and bi-monthly newspaper The MR PORTER Post MULTI-BRAND IN-SEASON MULTI-BRAND OFF-SEASON Rest of Europe 48.8% The world’s leading online lifestyle store for fashion, design and art Broad offering of off-season premium apparel and accessories, exclusive collections, home & design and artworks The online destination for women dedicated entirely to in-season high-end shoes Exclusive shoe-related services and editorial component Rest of Europe 48.8% Go-to destination for previous- season designer fashion for the global style-conscious woman looking for the best designer products at great prices In-house label of styling essentials “Iris and Ink” The luxury online boutique devoted to creating distinctive style through an eclectic and selective in-season assortment of high fashion and directional designers for men and women Dedicated mini-stores ONLINE FLAGSHIP STORES Official Online Flagship Stores of leading fashion and luxury brands for which YNAP is the exclusive partner Long-term partnerships and many more … JVCo with Kering .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com Proprietary business where YNAP operates as an e-tailer for the season’s luxury fashion collections under its four own brand names Proprietary business where YNAP operates as an e-tailer mainly for the previous-season designer fashion under its two own brand names “Powered by YOOX NET-A-PORTER GROUP”
- 7. YOOX NET-A-PORTER Group: Challenges 7 Keep the trust – Data Confidentiality – Data Integrity and Completeness – Data Processing Transparency High Availability in hostile enviroment Gain the big picture: – Challenge and Enabler Shareholders Customers Stakeholders
- 8. Security Evolution Overview 8 0 1 2 3 4 5 6 7 8 9 Data Leakage Prevention Information Security Compliance IPS & Anomaly Detection Administrative Access Control PCI-DSS Compliance Sites Vulnerability Checks Code Review Logical Access Governance Security Intelligence Platform Online Brand Protection Privacy Compliance Information Process Analysis 2011 2013 2015
- 9. Security Evolution – Tech vs Info Technology Oriented: – Info confined to technology – Partial identity definition – No covered gaps Information Oriented - Splunk: – Enrichement of tech logs – Event correlation – Clear identity definition 9
- 10. From Tech to Info “From a technology oriented approach to an info-centric approach.” 1
- 11. Investigation 1
- 13. Advanced Dashboard: IP Blacklist • Proactive Dashboard • One-click blacklist on Akamai WAF through Akamai API calls • Splunk is able to run a command on input source Drilldown «From a passive/display platform to a proactive/executive platform»
- 14. WAF activity rapresentation: standard dashboard • Statistical evidences by: – Source IP – Attack type – WAF Action • Event distribution over the time • Spike visibility depends from the scale • Is not evident: – Attack frequency – Relation between Source IP, Attack type and WAF action Pros Cons
- 15. “From standard dashboards to real-time dynamic dashboards” Real-time Dynamic Dashboard: Attack Map
- 16. Security Evolution – Risk Mgmt & Pattern Rec. Risk Management: – Correlation of Tech Elements and Business Elements – Support to quantitative risk analysis – Assigning Risk value to alerts Pattern Recognition: – Different levels of correlation – Pattern as result of several high-level events from different systems by identity – Knowledge from historical incidents and analysts experience – Goal: detect user behavior and recurrent attack patterns
- 17. Pattern Recognition Single security events may be part of a more complex action. Correlation Brute Force Exce. Out Data High Conn. Correlation Level 1 Correlation Level 2 Correlation Level n Data Exfiltration «From log correlation to pattern recognition» Sequence Introduced by high level analyst Pattern Consolidation Analyst
- 18. Risk Management “From a security event to an context-aware security information” Risk Static Assign. (Lookup) N level correlation Content Eval Usually single security event has a static risk We need risk value based on content and other events correlated.
- 19. Use Case: Attackers Activity Detect sequence of relevant event by identity Activity Score: vertical axes, max of the same alert type Activity Frequency: ball diameter Pattern Recognition Risk Value
- 20. Reconsidering dashboard design Native Log Collection Splunk Log Collection Standard Dashboards Advanced Dashboards Pattern Recognition Splunk Engineers NOC SOC Security Analyst Head of Security Knowledge Data Meaning The Big Picture
- 21. Key Takeaways From a technology oriented approach to an info-centric approach. From log correlation to pattern recognition. From a passive/display platform to a proactive/executive platform. From standard dashboards to real-time dynamic dashboards. From a security event to an context-aware security information.
- 22. Questions?
- 23. Grazie