WEBVTT

1
00:00:00.000 --> 00:00:01.740
Nick Lewis: I've started the recording now.

2
00:00:02.850 --> 00:00:11.610
Nick Lewis: Everyone, this is Nicholas from Internet2. This is the NET+ Splunk community user group call; we're going to talk about data sources this month.

3
00:00:12.059 --> 00:00:22.080
Nick Lewis: And just a quick housekeeping. A couple of housekeeping items. Everyone has been either allowed to talk or, depending on the version of Zoom client you're using,

4
00:00:22.380 --> 00:00:38.010
Nick Lewis: I promoted you to panelist if you're using an old version of Zoom. Basically the intent is for us to be able to talk about how we're using Splunk on our campus, and the topic today is going to be about data sources, and something I've got some examples on

5
00:00:39.360 --> 00:00:46.410
Nick Lewis: this next slide. So we can talk about what the data sources are and what value you get out of them.

6
00:00:47.910 --> 00:00:50.460
Nick Lewis: How do you, what do you do to get those logs?

7
00:00:51.570 --> 00:01:02.160
Nick Lewis: What you've had to do to manage all those logs. Do you get logs from outside of IT, things like that. And so, as part of this user group call

8
00:01:03.300 --> 00:01:08.700
Nick Lewis: being recorded, it's going to be posted on the NET+ wiki so that if you

9
00:01:09.330 --> 00:01:28.710
Nick Lewis: want to listen to it later, or somebody who couldn't make the call wants to listen to it, they can. It's available for them to listen to and to hear what the community talks about around Splunk, and so everyone should be allowed to talk at this point. And so the

10
00:01:29.970 --> 00:01:32.280
Nick Lewis: That's sort of the intro and

11
00:01:34.440 --> 00:01:41.790
Nick Lewis: wanted to start out with data sources and maybe, since we've got a pretty small number of people on the call. It looks like we've got about

12
00:01:42.690 --> 00:01:58.860
Nick Lewis: 11 or 12 people on the call.
I don't think we probably need to do a round of introductions unless we want to, but everyone should be unmuted. And so I don't know who wants to start on what are some of the data sources you're using in your Splunk implementation.

13
00:02:06.480 --> 00:02:10.890
Nick Lewis: And it may be super boring to hear me talk for like five minutes.

14
00:02:12.300 --> 00:02:15.360
Nick Lewis: So if nobody else chimes in it may be a very short call.

15
00:02:16.950 --> 00:02:22.860
GregGrasmehr: Hey, I'll chime in, I guess. So, just about anything you can think of we import, including your

16
00:02:24.180 --> 00:02:24.900
GregGrasmehr: name server.

17
00:02:27.180 --> 00:02:29.820
Nick Lewis: The DNS logs. Okay, and

18
00:02:31.650 --> 00:02:40.980
Nick Lewis: And I assume when you say pretty much anything you can think of, those are very focused on IT infrastructure-related things and IT security systems, getting

19
00:02:41.430 --> 00:02:43.320
GregGrasmehr: Basically, since we're

20
00:02:44.820 --> 00:02:49.920
GregGrasmehr: You know, our environment is distributed; anyone that sends logs to us, it's going into Splunk.

21
00:02:54.120 --> 00:03:08.220
GregGrasmehr: So if you think about syslog, right, what is in syslog? Everything that's in syslog is coming into Splunk unless it's something that's completely unusable, then we parse those things out. Also importing AWS, Office 365, all of this stuff as well.

22
00:03:12.000 --> 00:03:19.650
Albert Ball: Yeah. And some of us are actually working on a partial importation of the Google

23
00:03:21.000 --> 00:03:24.270
Albert Ball: information that exists out there for Google for Education.

24
00:03:25.470 --> 00:03:27.360
Nick Lewis: That's Google Apps for Education.

25
00:03:27.720 --> 00:03:28.740
Nick Lewis: Yes. Okay.

26
00:03:29.010 --> 00:03:33.360
Albert Ball: Yeah, right now the Google Apps. So I'm getting like authentication logs and

27
00:03:34.530 --> 00:03:36.120
Albert Ball: user lockout information.
28
00:03:37.170 --> 00:03:43.200
Albert Ball: And like how much data each individual has in storage right now.

29
00:03:44.700 --> 00:03:52.200
Albert Ball: Still trying to parse out alerts that are coming in and at what severity they might be.

30
00:03:56.160 --> 00:03:57.240
Christopher Caldwell: We consume a lot of

31
00:03:57.420 --> 00:04:11.610
Christopher Caldwell: data from Google as well. We've got separate domains for students and for staff. We're actually getting ready to consolidate and move to Office 365 for mail and calendaring, but we do collect a lot of data from

32
00:04:12.960 --> 00:04:26.250
Christopher Caldwell: Google. We don't do much alerting in terms of content because we use CloudLock and the CloudLock add-on for Splunk to do DLP and look for that kind of content on Google Drive.

33
00:04:29.640 --> 00:04:32.760
Dan Villanti: Is anybody consuming Azure AD sign-ins?

34
00:04:34.290 --> 00:04:41.910
Christopher Caldwell: Yeah, we're doing that as well. We have AD on-prem, we have AD in AWS and we have Azure AD.

35
00:04:43.980 --> 00:04:49.830
Dan Villanti: Gotcha. And did you write your own app for the Azure AD, or are you using something from Splunkbase?

36
00:04:50.370 --> 00:04:51.990
Christopher Caldwell: I'm using something from Splunkbase.

37
00:04:53.010 --> 00:04:54.540
Dan Villanti: Would you mind sharing what you're using?

38
00:04:55.800 --> 00:04:59.760
Christopher Caldwell: It's the Splunk App for Microsoft Cloud Services.

39
00:05:00.240 --> 00:05:00.630
Okay.

40
00:05:03.540 --> 00:05:03.870
Dan Villanti: Thank you.

41
00:05:04.110 --> 00:05:06.450
Christopher Caldwell: And then there's an add-on for Azure AD.

42
00:05:08.880 --> 00:05:27.690
GregGrasmehr: We're using that as well. But I also started up, with Microsoft you can set up a SIEM exporter as well.
And so I use a combination of the SIEM exporter as well as the Microsoft add-on for cloud services to make sure we're getting all the data, because I found each one,

43
00:05:28.710 --> 00:05:35.760
GregGrasmehr: depending, is missing data. But by having both of these running at the same time we're getting what seems to be a lot better results.

44
00:05:37.770 --> 00:05:53.640
Dan Villanti: Gotcha. I've heard very similar feedback from other institutions that are trying to consume Azure logs. For example, the Microsoft Cloud Services app, I think, was getting good audit logs from the infrastructure-as-a-service side, you know, like

45
00:05:54.900 --> 00:06:00.810
Dan Villanti: like if you log into a subscription or make an action within a subscription, but it wasn't really getting the

46
00:06:02.010 --> 00:06:09.720
Dan Villanti: the Microsoft side of, say, ADFS sign-ins or logins to the Azure portal, things like that. It was missing.

47
00:06:11.520 --> 00:06:18.990
Christopher Caldwell: One app that our security team has really liked is there's an app out there called the Blue Team app for Office 365 and Azure.

48
00:06:20.040 --> 00:06:25.050
Christopher Caldwell: And that provides a lot of valuable insight into activity in that environment.

49
00:06:27.330 --> 00:06:27.660
Thank you.

50
00:06:36.930 --> 00:06:47.670
Nick Lewis: Sounds like Office 365 logs are pretty popular as a discussion topic. So I'm not sure if anybody's used any of the REN-ISAC, they had some

51
00:06:49.500 --> 00:07:00.510
Nick Lewis: logging guidance around Office 365 for SIEMs. It's been a while since it's come out, maybe six or eight-ish months. Has anyone been using that?

52
00:07:02.880 --> 00:07:05.970
Nick Lewis: Let me see if I can track that down real quick. And I'll put it in the chat.

53
00:07:10.770 --> 00:07:12.720
Dan Villanti: No, I have not used that, Nick.
54
00:07:14.220 --> 00:07:23.520
Dan Villanti: I think that was a lot more focused on monitoring email activity in Office 365 and, you know, like SharePoint, things like that.

55
00:07:26.190 --> 00:07:27.840
Dan Villanti: And not necessarily

56
00:07:29.490 --> 00:07:31.770
Dan Villanti: authentication from a security standpoint.

57
00:07:32.730 --> 00:07:33.030
Nick Lewis: Okay.

58
00:07:33.330 --> 00:07:36.360
Dan Villanti: But it could be both. I am not very familiar.

59
00:07:38.220 --> 00:07:41.100
Nick Lewis: Yeah, I'm just looking through the page right now. It's

60
00:07:42.480 --> 00:07:57.900
Nick Lewis: described what Office 365 logs are available per common Ed license type, describe how and with what tools the logs can be accessed, as far as how the logs may be exported, or external tools or scripts to retrieve that information, and

61
00:07:59.850 --> 00:08:06.780
GregGrasmehr: And oh, by the way, you know, I was a part of that group that was putting that together and we had some discussion about

62
00:08:07.380 --> 00:08:14.610
GregGrasmehr: the licensing levels and all of that. And what I finally discovered, and I'm not sure everyone knows this, is

63
00:08:15.030 --> 00:08:22.530
GregGrasmehr: you can buy a single elevated license. So for the SIEM exporter, for example, we bought an elevated license for that

64
00:08:22.890 --> 00:08:32.310
GregGrasmehr: one account, so that the SIEM exporter is exporting a lot of useful information that otherwise we would not be getting if we didn't have a license. So we didn't need to have our entire

65
00:08:34.710 --> 00:08:41.250
GregGrasmehr: number of accounts elevated to a certain license. Just that one single account. They just post for that one account and it's all good.

66
00:08:42.990 --> 00:08:43.320
Dan Villanti: No.

67
00:08:44.970 --> 00:08:45.390
Thank you.

68
00:08:56.340 --> 00:09:01.110
Nick Lewis: So let's see, we've talked about Office 365 account logs, Google account,
69
00:09:02.160 --> 00:09:12.630
Nick Lewis: Google Apps for Education accounts, infrastructure sources that I probably have already listed in that slide. Anything that,

70
00:09:14.160 --> 00:09:31.380
Nick Lewis: like from the infrastructure, that we're missing? Like I've got firewalls, intrusion detection, intrusion prevention, flow data, which could be from a number of different types of tools like Bro, I'm sorry, Zeek, and things like that, DHCP logs, net logs.

71
00:09:34.920 --> 00:09:37.740
Nick Lewis: Any other types of VPN systems?

72
00:09:38.700 --> 00:09:45.660
Christopher Caldwell: We've written a custom add-on to pull in data from our BlueCat IPAM system.

73
00:09:46.710 --> 00:09:55.290
Christopher Caldwell: And then another one, the ones that were out there for Cisco Prime Infrastructure were kind of lacking. And so I wrote one for that as well. And so we do all of our

74
00:09:56.010 --> 00:10:11.730
Christopher Caldwell: wireless and wired authentication and we've put in geo-coordinates for all of our campus buildings. So if we have a missing or stolen device, you know, we can track approximate location, you know, using some of the map

75
00:10:13.770 --> 00:10:15.330
Christopher Caldwell: visualizations in Splunk.

76
00:10:20.970 --> 00:10:21.900
Nick Lewis: That's really interesting.

77
00:10:26.250 --> 00:10:29.370
Christopher Caldwell: It has, I guess, some Big Brother potential reality as well.

78
00:10:31.530 --> 00:10:32.760
Christopher Caldwell: Where's my boss at, right?

79
00:10:34.470 --> 00:10:34.830
Christopher Caldwell: Right.

80
00:10:38.910 --> 00:10:49.500
Nick Lewis: Well, that's maybe something for a future call, but there's been some interesting, when we start talking about like application data sources and some of the things around student success,

81
00:10:49.920 --> 00:10:57.420
Nick Lewis: and being able to identify when a student might potentially fail a class within the first couple weeks of class
82
00:10:57.420 --> 00:11:15.390
Nick Lewis: based upon like how often they've logged into the learning management system, and if they've been in the library, and where they've logged in from, and having that correlate to whether or not you're going to pass a class, and then what action happens. That is a very interesting

83
00:11:16.620 --> 00:11:19.470
Nick Lewis: privacy and ethics sort of discussion, maybe for

84
00:11:21.780 --> 00:11:22.740
Nick Lewis: for a future call.

85
00:11:27.090 --> 00:11:36.120
Darren Fallis: This is Darren at NC State. So we have a lot of those standard logs that we have up here that we've discussed. We are missing some of the things we'd like to have, like our DNS logs

86
00:11:37.440 --> 00:11:42.060
Darren Fallis: or flow logs. Hello, I'm sure we're going to be able to afford to do all flows in Splunk.

87
00:11:43.440 --> 00:11:48.720
Darren Fallis: But one of the things that we've historically gotten from some of our internal groups is we have a lot of

88
00:11:49.140 --> 00:11:59.340
Darren Fallis: homegrown tools, sometimes web tools, sometimes scripting tools, to do various administrative things. And we've worked with those folks for them to create application logs for us.

89
00:12:00.390 --> 00:12:05.910
Darren Fallis: Usually we just help them map the actions that are being taken to one of the

90
00:12:07.350 --> 00:12:19.920
Darren Fallis: Common Information Model models, or one or more, and use those as fields, usually in just the field=value syntax, textual, so we don't have to write any custom format. They just go ahead and use the fields we tell them.

91
00:12:21.330 --> 00:12:30.660
Darren Fallis: And then we've been able to build reporting for our help desk, for auditing, as well as just troubleshooting to see what has gone on with a particular account or machine.
92
00:12:31.560 --> 00:12:34.830
Darren Fallis: In the past. We have recently started up an

93
00:12:35.760 --> 00:12:45.900
Darren Fallis: HTTP Event Collector and we're working with some developers to start taking advantage of that, especially maybe with more cloud-deployed things that don't necessarily have a server, but they're just,

94
00:12:46.380 --> 00:12:53.160
Darren Fallis: you know, PHP scripts that run. They can go ahead and send us a JSON blob and get that done. So application logging,

95
00:12:53.610 --> 00:12:57.870
Darren Fallis: a lot of our devs are really excited about that because they don't often have much access

96
00:12:58.260 --> 00:13:12.180
Darren Fallis: to logs on the server, and the HTTP access logs are sort of just side effects of the applications being used, whereas logs generated from the application are much more useful for the devs and we can get those right back into their hands. So that's been helpful.

97
00:13:17.730 --> 00:13:25.980
patrick casey: Hey, this is Patrick from UNC. I would just echo a lot of what Darren just said. We have all of our major application stacks providing log information

98
00:13:26.790 --> 00:13:37.830
patrick casey: to Splunk. We typically delineate developer logs into one index and server logs into another, but depending on who you are and what your access is you may have access to both of those.

99
00:13:38.610 --> 00:13:44.250
patrick casey: The other one that we would mention, just because it hasn't come up yet, is we do all of our vulnerability management

100
00:13:45.630 --> 00:13:56.760
patrick casey: reporting; we use Qualys for vulnerability management. We are also bringing that information into Splunk because we think we can get enhanced reporting that's a little bit more challenging to get from Qualys themselves.
101
00:14:01.860 --> 00:14:06.840
Nick Lewis: And then you can sort of merge that data with some of the other, sort of

102
00:14:08.970 --> 00:14:26.700
Nick Lewis: some of the other tool data to get a picture of what's the risk on this particular thing, and should we try to patch this now, because if you're not seeing scans for it, maybe you can wait until the next patch cycle versus immediate patching.

103
00:14:27.750 --> 00:14:33.300
patrick casey: Well, it's almost even a little bit different than that. The typical report that I would get monthly was several hundred pages long.

104
00:14:34.080 --> 00:14:41.940
patrick casey: By doing it in Splunk, I get a report that's a couple of pages long. So we've been able to kind of reduce a lot of the noise that you get with the canned reports that come up.

105
00:14:43.140 --> 00:14:45.120
patrick casey: My Splunk architect also built a,

106
00:14:47.070 --> 00:14:58.620
patrick casey: an aging system. You know, how old is this vulnerability? Did it get reopened? And so we have a relative age about how long that vulnerability has been there so that we can stay within compliance or security policies.

107
00:15:02.310 --> 00:15:03.540
Nick Lewis: That's cool. And that's something

108
00:15:03.900 --> 00:15:12.810
Nick Lewis: It sounds like that's something you built custom; there wasn't like a Qualys app for Splunk or something like that you could start with, or is that all just totally

109
00:15:13.590 --> 00:15:19.410
patrick casey: I believe we used a TA, I'd have to confirm that with him, to get the data, and then we built a custom app on top of the data that was pulled.

110
00:15:21.630 --> 00:15:22.290
Nick Lewis: For things

111
00:15:32.040 --> 00:15:32.940
Nick Lewis: Other times, when

112
00:15:33.990 --> 00:15:51.450
Nick Lewis: I've talked with campuses about logs, getting authentication logs into their Splunk implementations, are those sins.
One of the identity management or SSO systems, like getting Shibboleth logs into their Splunk, and I think that probably

113
00:15:52.830 --> 00:16:04.260
Nick Lewis: probably most of the campuses, my assumption is most campuses try to get those logs, or if you're not using Shibboleth, using CAS or something else, and that you try to get those logs as well into your

114
00:16:05.700 --> 00:16:08.370
Nick Lewis: into your Splunk implementations. Yeah.

115
00:16:08.790 --> 00:16:10.770
Nick Lewis: Not doing that or something.

116
00:16:14.250 --> 00:16:16.590
Albert Ball: We worked a little bit with Ren,

117
00:16:17.760 --> 00:16:29.370
Albert Ball: other end people online, to get this Shib app going. And so we've got our Shib data coming in using the Shib app that was created by Sparky.

118
00:16:30.420 --> 00:16:30.900
Nick Lewis: And good

119
00:16:31.350 --> 00:16:33.600
Albert Ball: In the rooms, folks. It's pretty interesting though, it helps

120
00:16:34.920 --> 00:16:42.120
Albert Ball: do the CIM model correctly so you're able to do a unified, like, authentication source and correlation

121
00:16:43.560 --> 00:16:44.850
Albert Ball: with like RADIUS for heavy

122
00:16:56.130 --> 00:16:58.350
GregGrasmehr: Did you say there was a Shib app for Splunk?

123
00:16:58.680 --> 00:16:59.280
Albert Ball: Yes, there is.

124
00:17:00.720 --> 00:17:01.380
GregGrasmehr: OK, cool.

125
00:17:01.800 --> 00:17:03.720
Albert Ball: Dig that up in chat.

126
00:17:04.920 --> 00:17:11.940
GregGrasmehr: I did some really, you know, regex matching on Shib logs to plot the data we need, but if there's an app that does that, that'd be great.

127
00:17:12.210 --> 00:17:15.330
Albert Ball: Yeah, that's a whole lot better to do it that way.

128
00:17:19.620 --> 00:17:21.630
Nick Lewis: So you're gonna go track down that URL, would you want me

129
00:17:21.630 --> 00:17:22.020
Albert Ball: To

130
00:17:22.380 --> 00:17:33.900
Nick Lewis: Do that. Okay, thank you.
Then I'll put, basically I'll put it in. I'm taking some very rough notes and if it goes into the chat, it'll be posted on the wiki so people can find that later.

131
00:17:44.580 --> 00:17:46.230
Nick Lewis: Thanks, Albert, I got that.

132
00:17:48.120 --> 00:17:52.170
Nick Lewis: Just put in the chat the link to Splunkbase for the Shib app.

133
00:17:58.860 --> 00:18:07.560
Nick Lewis: So how about some of the other log sources, like we've talked about some of the web apps. But I assume for most campuses it's a web app, but

134
00:18:08.190 --> 00:18:21.390
Nick Lewis: if you're using Banner or PeopleSoft or other similar types of student information systems, ERPs, are any of you getting those logs into your Splunk environments?

135
00:18:23.250 --> 00:18:35.670
Christopher Caldwell: We're definitely doing Banner, at least the web stuff, because we had a rash of banking fraud with direct deposit fraud that was hitting a lot of universities a few years ago. That's been a requirement

136
00:18:36.300 --> 00:18:44.820
Christopher Caldwell: for all of our new implementations for Banner, and then we do just, you know, general hosting and logging in the database itself.

137
00:18:48.600 --> 00:18:49.770
patrick casey: We do PeopleSoft.

138
00:18:50.940 --> 00:18:56.670
patrick casey: That would be everything in PeopleSoft web, in the Tuxedo servers and in the database tier.

139
00:19:00.000 --> 00:19:03.240
Dan Villanti: We do PeopleSoft and also Workday as an ERP.

140
00:19:04.500 --> 00:19:05.220
Nick Lewis: And Workday.

141
00:19:09.690 --> 00:19:12.630
Nick Lewis: So that's kind of what I'm expecting to hear. It's like

142
00:19:13.980 --> 00:19:14.790
Nick Lewis: want to put things,

143
00:19:15.330 --> 00:19:17.070
Nick Lewis: as many things, into your Splunk

144
00:19:17.070 --> 00:19:22.980
Nick Lewis: implementation to be able to see, to have as much visibility over what's going on in your environment.
145
00:19:23.370 --> 00:19:36.480
Nick Lewis: So that, for example, when you're doing an incident response for direct deposit fraud: well, where's that authentication? Where did that authentication come from? What other things did they access? Did they only access the direct deposit page?

146
00:19:37.530 --> 00:19:38.460
Nick Lewis: And so forth.

147
00:19:40.140 --> 00:19:40.500
Bingdong Li: You know,

148
00:19:41.760 --> 00:19:50.310
Bingdong Li: my name is Bingdong from Nevada. I want to know, how do you guys do the PeopleSoft stuff? What kind of data do you, can you, can you

149
00:19:52.140 --> 00:19:58.320
patrick casey: We get the web logs, we get the server logs, we get database activity and audit logs. The

150
00:19:58.500 --> 00:19:59.670
patrick casey: idea was

151
00:20:00.570 --> 00:20:03.720
Bingdong Li: How do you get the log file? Did you put the

152
00:20:05.250 --> 00:20:07.230
Bingdong Li: universal forwarder on the server?

153
00:20:09.270 --> 00:20:11.940
patrick casey: Yeah, there's forwarders on the entire PeopleSoft infrastructure.

154
00:20:13.170 --> 00:20:31.260
Bingdong Li: Okay. Do you guys have performance issues? I tried to talk with the guys here to gather logs. He said, they are always against us putting the universal forwarder: no, no, no, I don't want it put on there. So do you guys have that kind of issue?

155
00:20:31.710 --> 00:20:33.870
patrick casey: No, we don't have any performance issues by doing that.

156
00:20:34.710 --> 00:20:44.820
Bingdong Li: Okay, so for us, the problem is our, the cluster of servers behind the load balancer.

157
00:20:46.290 --> 00:21:05.370
Bingdong Li: The PeopleSoft guy told me that, well, actually, I said I saw the data in the access log on the server, that the IP address is the load balancer's here.
This is not the true, correct user IP, and you need to

158
00:21:05.880 --> 00:21:10.080
patrick casey: configure PeopleSoft to use the X-Forwarded-For IP so that you get the client.

159
00:21:10.980 --> 00:21:11.460
Bingdong Li: Yeah, yeah.

160
00:21:12.630 --> 00:21:15.720
patrick casey: We first did it, all of our load balancer logs

161
00:21:15.780 --> 00:21:23.760
patrick casey: also go to Splunk as well. So we have the ability to look at load balancer issues versus web servers that are behind it, whether it's in the DMZ or Tulsa.

162
00:21:25.140 --> 00:21:37.890
Bingdong Li: So what you say is, if he enables the X-Forwarded-For feature, they will pass on the correct user IP in the access log table.

163
00:21:39.690 --> 00:21:40.110
patrick casey: Right.

164
00:21:40.980 --> 00:21:42.780
Bingdong Li: Okay, so he says that

165
00:21:44.460 --> 00:21:47.190
Bingdong Li: Okay. That'd be good. We are trying to do that right now.

166
00:21:48.330 --> 00:21:52.200
Bingdong Li: May I have your contact address, where you're from?

167
00:21:53.880 --> 00:21:56.430
patrick casey: I'm from the University of North Carolina. The easiest

168
00:21:57.300 --> 00:21:59.850
patrick casey: way to get in touch with us would be splunk at UNC edu.

169
00:22:00.750 --> 00:22:05.190
Bingdong Li: Oh yeah, I see. Are you deaf person elegant

170
00:22:05.520 --> 00:22:08.670
patrick casey: This is Patrick. Dave is my Splunk architect.

171
00:22:08.970 --> 00:22:25.860
Bingdong Li: He's the brains of the... Oh, I see, I see. I got a UNC contact with them, I guess a month ago, two months ago. Good, good. Thank you for the confirmation. I got it, then I'll talk with the PeopleSoft guys here. So we get to hear from that, we're doing good. Thank you very much.

172
00:22:26.160 --> 00:22:36.510
patrick casey: Yeah, what I would tell you our experience was.
It was very difficult initially to get the PeopleSoft people to think about it this way, because they were so accustomed to looking across logs via,

173
00:22:37.020 --> 00:22:43.050
patrick casey: say, Windows Explorer. And then, you know, they go to host one, host two, host three and so on.

174
00:22:43.770 --> 00:22:57.090
patrick casey: Once we started showing them how you could do that in Splunk with one command without having to go through all these individual things, they were very quick adopters. It took a little bit longer to get the developers to do more. But from an infrastructure standpoint,

175
00:22:57.330 --> 00:23:00.720
patrick casey: PeopleSoft admins are one of our biggest users of Splunk.

176
00:23:01.800 --> 00:23:20.760
Bingdong Li: Okay, cool. So basically, what you are doing is the universal forwarder on the PeopleSoft servers collects all the log files, then basically that log file information is pushed to Splunk and can be used by the PeopleSoft guys to troubleshoot, to see logs, is that right?

177
00:23:22.650 --> 00:23:25.710
patrick casey: Yeah, I mean, there's a little bit more to it than that. But that's the basic idea.

178
00:23:27.210 --> 00:23:39.540
patrick casey: If they didn't already pass it along, we can certainly pass a little bit of information. My team's not PeopleSoft experts, but we were heavily involved. And again, Dave did most of the heavy lifting there to be able to do that.

179
00:23:40.980 --> 00:23:45.240
Bingdong Li: Okay, good. My email address is

180
00:23:49.350 --> 00:24:04.140
Bingdong Li: Right now I sent out a big initiative. I'm at the system level, called Nevada System of Higher Education. If you will, please see me. Oh, I know your email address; contacting your office offline would be great. Thank you very much. Sure.

181
00:24:08.220 --> 00:24:22.650
Christopher Caldwell: I'm sure probably everybody's dealt with that concern about the impact of the forwarder at some point in their Splunk journey.
I know we had a hard time, years and years and years ago, with the DBAs and the Banner admins

182
00:24:23.760 --> 00:24:27.330
Christopher Caldwell: being resistant to putting it on their database servers.

183
00:24:31.140 --> 00:24:37.050
Bingdong Li: Yeah, so from my experience, through, I mean, two years, I really didn't

184
00:24:38.070 --> 00:24:53.130
Bingdong Li: see any performance issues, but just a bias, I will say, just by us, a panic, not really an issue. I think they've done a very good job on the universal forwarder. I will say there's a lot of network traffic

185
00:24:54.270 --> 00:25:03.480
Bingdong Li: issues, but not a server issue at all, not CPU or memory, or just, if you have never been that cleaner.

186
00:25:07.170 --> 00:25:08.910
Bingdong Li: Just my point, could be wrong.

187
00:25:20.160 --> 00:25:25.170
Nick Lewis: Alright, good. So that covers PeopleSoft, talked a little Workday.

188
00:25:26.400 --> 00:25:36.330
Nick Lewis: So sometimes when I think of the database logging, Oracle, Microsoft, whatever database you're using, that sort of rolls into some of the general application

189
00:25:37.500 --> 00:25:38.250
Nick Lewis: logging.

190
00:25:39.570 --> 00:25:52.410
Nick Lewis: How about some of the other things like physical access? Like if you use Blackboard Transact for managing doors or things like that, are you logging that type of data as well?

191
00:25:54.720 --> 00:26:09.150
Christopher Caldwell: We're just now in the process of, we're going through remediation of a physical cyber audit, so access to SCADA systems, to the cameras, G world access for

192
00:26:10.410 --> 00:26:17.460
Christopher Caldwell: our card readers and door swipes, and that's just a long list of remediation we've got to work through.

193
00:26:24.780 --> 00:26:25.620
Nick Lewis: Anyone else

194
00:26:26.850 --> 00:26:28.170
Nick Lewis: including that type of data?

195
00:26:31.410 --> 00:26:33.420
Christopher Bennett: We added the door swipes
196
00:26:34.770 --> 00:26:37.710
Christopher Bennett: into our systems, but

197
00:26:38.820 --> 00:26:57.480
Christopher Bennett: we actually have two different systems. Now they're growing another one for our remote sites, and we haven't got those logs quite yet, but we hope to have those so we can correlate physical access when we're trying to do some of our HR investigations.

198
00:27:01.980 --> 00:27:03.270
Nick Lewis: Back to incident response.

199
00:27:06.780 --> 00:27:09.780
Bingdong Li: Question, what kind of HR investigation?

200
00:27:10.860 --> 00:27:11.400
Bingdong Li: Curious.

201
00:27:12.450 --> 00:27:17.820
Bingdong Li: If you don't want to share, that's okay, because I have a request

202
00:27:19.860 --> 00:27:45.840
Bingdong Li: from a few months ago. It's also an HR-related question, about performance issues, but I don't feel like a security team or these kinds of data can provide, I mean, evidence about the personnel evaluation performance. So I just feel, we were requested.

203
00:27:47.100 --> 00:27:49.650
Bingdong Li: What is your experience?

204
00:27:49.920 --> 00:28:07.530
Christopher Bennett: Well, we've used it for two different types of in-depth investigation. So we've had some employee fraud, so if you can get your buddy to check you in every day so that your time clock looks like you work all day and you don't.

205
00:28:08.640 --> 00:28:11.280
Christopher Bennett: That was one of the investigations

206
00:28:12.660 --> 00:28:13.620
Christopher Bennett: that we did, but

207
00:28:15.060 --> 00:28:19.470
Christopher Bennett: we're an academic medical center, so HIPAA violations for

208
00:28:20.970 --> 00:28:25.710
Christopher Bennett: access to patients that are not part of your care plan
209
00:28:26.940 --> 00:28:30.900
Christopher Bennett: are very serious offenses, and we use

210
00:28:32.670 --> 00:28:47.130
Christopher Bennett: some of those logs when we're trying to prove the person's presence at a particular workstation, because a lot of times they'll go, "Well, I didn't look at that, somebody else must have got on the computer." So we use things like door swipes,

211
00:28:48.270 --> 00:29:01.080
Christopher Bennett: time tracking, those kinds of things to, you know, try to prove that the person is, in multiple ways, you know, showing up in a single place, so

212
00:29:01.770 --> 00:29:06.270
Nick Lewis: And that's where, this is Nick, that's where from my previous campus experience, it's been

213
00:29:06.930 --> 00:29:17.910
Nick Lewis: working with your public safety or HR or general counsel, make sure that they have established policies and procedures around some of this so that

214
00:29:18.450 --> 00:29:35.580
Nick Lewis: you're protecting the employee privacy, along with making sure that appropriate things are being done. And so, to me, it's very much, we'll collect all this data, and then there's some really significant policy discussions, particularly around privacy.

215
00:29:35.730 --> 00:29:46.170
Christopher Bennett: Yeah, I mean we've got a whole big process, you know, for every type of investigation. We will have to make sure that, you know, the

216
00:29:47.760 --> 00:30:03.630
Christopher Bennett: the head of HR signs off on it, the head of legal, or we have three different compliance offices, internal audit, those kinds of offices, depending on what we're looking at. We require their

217
00:30:05.310 --> 00:30:11.310
Christopher Bennett: approval to do any of that.
Otherwise, yes, we're not, we can't provide that information, just to 218 00:30:12.450 --> 00:30:22.110 Christopher Bennett: You know, a leader, you know, a manager or any of those kinds of things you can't do any of it without it being a an official investigation so sorry. 219 00:30:22.620 --> 00:30:24.510 Nick Lewis: got off on cool. That's good. 220 00:30:25.350 --> 00:30:33.090 Bingdong Li: That's good. Yeah, I like to hear. I didn't get clearance. You sure I'm doing the cracks. You know, they're against the law. 221 00:30:34.350 --> 00:30:46.470 Nick Lewis: So it sounds like one person on this college is getting EHR data or electronic health record data or log data into their smoke and implementation anyone else. 222 00:30:49.560 --> 00:30:52.710 Nick Lewis: Or maybe even a student health clinic or maybe not. 223 00:30:54.780 --> 00:30:59.160 Nick Lewis: From a health system or hospital perspective, but from the 224 00:30:59.820 --> 00:31:05.580 Christopher Caldwell: School of Medicine is a separate IT organizations. So it's a black box to 225 00:31:07.590 --> 00:31:07.950 Christopher Caldwell: Write 226 00:31:10.620 --> 00:31:18.660 Christopher Caldwell: I am surprised that that I don't hear more people speaking up about needing to collect the physical access because like I said, you know, we had to do an audit and that was 227 00:31:19.050 --> 00:31:30.630 Christopher Caldwell: Called that as something that was high priority for mediation, you know, for access to student dorms for access to the building control systems and we have research lab nuclear materials. 228 00:31:32.970 --> 00:31:35.850 Christopher Caldwell: Access to that. Please cameras, things like that. 229 00:31:38.100 --> 00:31:43.080 Darren Fallis: We are. We do have a need to collect that information specifically for our data centers for PCI compliance. 230 00:31:44.100 --> 00:31:48.660 Darren Fallis: Is being collected in the the seaboard system itself. 
231 00:31:49.710 --> 00:31:53.820 Darren Fallis: We are working to get it into our spawn system that is a 232 00:31:54.900 --> 00:31:55.830 Darren Fallis: political challenge. 233 00:31:56.940 --> 00:31:58.530 Darren Fallis: But we continue to work on that. 234 00:31:59.580 --> 00:32:14.940 Darren Fallis: We are actually getting some data or or soon to get data from the student health system, but it's not going to contain PII at least it should not so it should not expand our HIPAA scope, it's more about auditing. 235 00:32:16.380 --> 00:32:17.790 Darren Fallis: user access 236 00:32:18.990 --> 00:32:19.380 Darren Fallis: We'll see. 237 00:32:29.580 --> 00:32:34.440 Nick Lewis: That's where the person before Darren was saying that there's the somewhat of a 238 00:32:35.700 --> 00:32:42.720 Nick Lewis: Distance, though the health system or the health stuff is a black box off from central it. I think that's a pretty common. 239 00:32:44.580 --> 00:32:53.310 Nick Lewis: Common setup and lots of campuses and that may be changing in some to be more centralized and that's where I'm trying to 240 00:32:54.570 --> 00:33:01.650 Nick Lewis: Understand better understand, like, how many campuses are trying to move the those things together and are now trying to put 241 00:33:02.100 --> 00:33:13.950 Nick Lewis: Their all of that into spunk into one implementation and now they're going to huge amounts of data. So, you know, logging out of EHR sometimes can generate a huge amount of data. 242 00:33:17.070 --> 00:33:18.600 Christopher Bennett: Right, yeah, I guess. 243 00:33:19.770 --> 00:33:29.940 Christopher Bennett: You know I'm somewhat unique. So the Medical University of South Carolina our academic side is all health care programs. 
244 00:33:30.660 --> 00:33:33.690 Christopher Bennett: And then, you know, for hospitals, so 245 00:33:35.490 --> 00:33:47.820 Christopher Bennett: We were, you know, we don't have kind of the separate instance because pretty much everything we have falls under you know we just kind of consider it all HIPAA 246 00:33:48.450 --> 00:33:50.610 Christopher Bennett: Because most of our 247 00:33:52.050 --> 00:33:53.280 Christopher Bennett: Nursing and 248 00:33:55.980 --> 00:33:56.580 Christopher Bennett: Research 249 00:33:58.560 --> 00:34:04.980 Christopher Bennett: People there, they're all working in patient data with access to our EHR so 250 00:34:06.000 --> 00:34:10.770 Christopher Bennett: We just kind of our that black box. It's just us so 251 00:34:13.200 --> 00:34:14.430 Nick Lewis: Thanks for that clarification. 252 00:34:21.900 --> 00:34:35.370 Nick Lewis: There's, there's the learning, may I think the only other thing that I could think of is like learning management systems. But that's sort of like a subset of applications like canvas blackboard D to L, things like that. 253 00:34:36.540 --> 00:34:39.780 Nick Lewis: I assume lots of most campuses are getting your LM s data. 254 00:34:41.100 --> 00:34:44.700 Nick Lewis: At least logging data into your spunk implementations 255 00:34:46.350 --> 00:34:48.870 patrick casey: Yeah, we're bringing all of our sekai learning management system. 256 00:34:49.020 --> 00:34:50.940 Nick Lewis: To log into the into the system. 257 00:34:51.780 --> 00:34:59.850 patrick casey: And we're also using that data along with data from PeopleSoft and external systems like Pearson to do student success work. 258 00:35:11.520 --> 00:35:21.390 Darren Fallis: Our Learning Management folks have said that the difficulty in in leveraging that data force for detection of student success problems. 
259 00:35:22.080 --> 00:35:30.750 Darren Fallis: Lies often in the case that the these there is very little standard and how the professors are putting the data into the system. 260 00:35:31.140 --> 00:35:43.950 Darren Fallis: Quite often, they don't record it in a timely manner because they don't need it in a timely manner or they recorded in a in a in a just non standard across even separate sections of the same course. 261 00:35:44.370 --> 00:35:57.240 Darren Fallis: And without a great deal more standardization than we have. They, they have been, it's not a new thing for them to try to analyze that data to look for warnings or problems, but it's difficult because of the non standardization. 262 00:36:07.260 --> 00:36:12.900 Nick Lewis: And that's where, that's like that's not really. I mean, there's a technical component to that. 263 00:36:13.410 --> 00:36:28.620 Nick Lewis: But it's getting the people to record that it sounds like the getting the faculty to record the data in a timely fashion so that if you wanted to do student success. You need to have that you need to have that data first. And it needs to be. 264 00:36:30.390 --> 00:36:39.840 Nick Lewis: Updated or know that you're not going to have that data and that you need to look at other sources of data to try to figure out if there's any proxies for 265 00:36:41.190 --> 00:36:42.810 Nick Lewis: The data that you don't have 266 00:36:42.990 --> 00:36:43.200 Darren Fallis: To 267 00:36:43.680 --> 00:36:45.450 Nick Lewis: Be used for student success. 268 00:36:48.630 --> 00:36:59.670 Darren Fallis: Yeah, we have a new sort of a biotech group. So we're hoping that they can start a project on on mind control device it's sufficiently power for to work on faculty and then you can address a lot of problems on campus. 269 00:37:10.710 --> 00:37:13.350 Nick Lewis: I hope that sarcasm comes across in the recording. 
270 00:37:16.920 --> 00:37:18.900 Darren Fallis: I'm sure it will know 271 00:37:19.830 --> 00:37:22.350 Darren Fallis: There are there are a lot of reasons that we have non standard 272 00:37:22.470 --> 00:37:33.420 Darren Fallis: business processes across University, things are very different. And it is difficult to argue that things need to be run the same way, only to satisfy a particular IT system. 273 00:37:35.460 --> 00:37:39.330 Darren Fallis: So we are often just working on adapting instead 274 00:37:41.280 --> 00:37:41.520 Right. 275 00:37:47.520 --> 00:37:48.300 Nick Lewis: Okay, so 276 00:37:48.690 --> 00:37:50.070 Nick Lewis: Question. Yeah, good. 277 00:37:50.430 --> 00:38:00.510 Christopher Caldwell: Has anyone dealt with the challenge of people outside of it wanting access to the data that's in the blank. For example, we have a researcher. 278 00:38:01.620 --> 00:38:06.930 Christopher Caldwell: Who's one of the one of the faculty who's interested in doing machine learning and 279 00:38:08.280 --> 00:38:21.120 Christopher Caldwell: We've kind of had a long running battle trying to, you know, raise the issues with yeah and other potential confidential information in the logs. 280 00:38:23.400 --> 00:38:25.140 patrick casey: Well, we have here at UNC 281 00:38:25.650 --> 00:38:36.420 patrick casey: We've had people, including the registrar logging this want to get you get business data. Typically, we try to put them into roles and then segregate what they can see 282 00:38:37.320 --> 00:38:39.450 patrick casey: solely because of some of the issues that you brought up. 283 00:38:40.380 --> 00:38:48.180 patrick casey: But you can think about things like the Student Success project or you can think about some of the student information where maybe you have famous athletes. 
284 00:38:48.540 --> 00:38:58.140 patrick casey: Went to school here and being able to track that from a business perspective as opposed to our business or academic perspective as opposed to an IT operations perspective. 285 00:39:05.970 --> 00:39:15.150 Nick Lewis: Into it sounds like, I suspect, what it's around some of the governance and making sure that the like the register's office. They know that 286 00:39:15.870 --> 00:39:26.700 Nick Lewis: Or maybe for some campuses. They are the data owner for certain types of student data. And so they want to be able to report on that data and you have the governance in place that 287 00:39:28.170 --> 00:39:45.690 Nick Lewis: That basically that says they can look at that data and then you can say when you're going into spunk that oh this is student data or we can set up an index or an appropriate report so that they can report on the data that they should have access to that kinda 288 00:39:45.990 --> 00:39:55.620 patrick casey: Should I think that's a fair characterization, what we ended up doing for the registrar in particular was limiting their role via search filters so they can only see PeopleSoft hosts. 289 00:39:55.680 --> 00:40:04.680 patrick casey: As an example, as opposed to all of the other applications that happened have hosted that same shared index but but it's the same general idea is, yes, if you've got a 290 00:40:05.460 --> 00:40:13.320 patrick casey: Mature governance process by which you're handling roles and access to the system. You can do you can do pretty much anything 291 00:40:15.540 --> 00:40:20.790 Christopher Caldwell: And that's where our challenges as a researcher as an information security researcher and once access 292 00:40:21.750 --> 00:40:38.460 Christopher Caldwell: To everything without, you know, realizing really the implications of kind of the profiles, you can build up on people, you know, correlating all these different data sources. 
So there's a huge lift in order to you know anonymize the data to be able to do that and just 293 00:40:41.130 --> 00:40:45.900 Christopher Caldwell: Not something we have the manpower or the interest in doing right now. 294 00:40:46.170 --> 00:40:46.470 Right. 295 00:40:47.580 --> 00:41:00.810 Nick Lewis: They talked to like back. So when I think of governance in this scenario, I would think that the IRB could be helpful and trying to figure out some of those things. Is that an option. 296 00:41:06.330 --> 00:41:10.800 Christopher Caldwell: I think because he brings in so much in the way of grants. 297 00:41:11.640 --> 00:41:12.030 The 298 00:41:13.350 --> 00:41:14.970 Christopher Caldwell: University higher ups are determined 299 00:41:15.540 --> 00:41:18.930 Christopher Caldwell: To eventually make this happen in some fashion. Yeah, so 300 00:41:19.260 --> 00:41:19.530 Right. 301 00:41:25.980 --> 00:41:44.160 Nick Lewis: That could go with some future discussion around privacy ethics and maybe expand that out in the governance of making sure that, yeah, that when you're you've appropriately vetted and approved. Some of these students access things so that in your transparent about it with 302 00:41:45.240 --> 00:42:02.280 Nick Lewis: As as appropriate to say, you know what, we're using it for this reason it's to help students to do better in their classes and to graduate on time, things like that. And that we've taken these types of safeguards to make sure that we're protecting your privacy. 303 00:42:03.570 --> 00:42:06.000 Nick Lewis: Because of the sensitive nature of what you're doing. 304 00:42:08.730 --> 00:42:21.300 Darren Fallis: As an as an aside, so I have sent on our IRB is a voting member for, I don't know, seven or eight years now since we had a fairly sensitive breach that involve research data. 
305 00:42:21.780 --> 00:42:42.840 Darren Fallis: And that's been an uncountable benefits to educate our be about data security on we've improved that a lot across campus but we discuss the risks of correlated data re identification a lot as we deal with more and more electronic data on human subjects. 306 00:42:44.250 --> 00:42:56.730 Darren Fallis: They are good bulwark against this, but the answer is almost never know. It is, in general, what do we have to do to to protect the human subjects. 307 00:42:58.260 --> 00:43:00.660 Darren Fallis: From from consequences from risk. 308 00:43:01.680 --> 00:43:19.770 Darren Fallis: It's also the case that, you know, one can have agreements with between departments like security and a researcher group, but it's sometimes politically that's difficult to enforce. However, if it's part of an IRB proposal and the IRB proposal is 309 00:43:20.790 --> 00:43:40.890 Darren Fallis: Is broken and someone is a non compliance that has much more serious consequences for researchers than simply a departmental staff department like security being upset about things. So, you know, leveraging IRB. There is only one possible route to give yourself a larger enforcement stick 310 00:43:50.790 --> 00:43:51.450 Nick Lewis: Okay, good. 311 00:43:52.560 --> 00:43:57.900 Nick Lewis: So back to the log sources, anything that we've missed so far. 312 00:43:59.220 --> 00:44:12.960 Nick Lewis: Because basically my thought was, we talked about what the sources are and then talk about what's the most value for a little bit and I don't know if we'll have enough time to go into the value discussion, but are there any types of log data that we haven't talked about so far. 313 00:44:15.390 --> 00:44:21.480 Christopher Caldwell: I think the most interesting one. I've been asked to do recently is Watson chat pod logs. 
314 00:44:23.010 --> 00:44:30.240 Christopher Caldwell: And using that to kind of enhance our service in terms of where we need to have 315 00:44:32.520 --> 00:44:40.260 Christopher Caldwell: Kind of self service information and the knowledge base and and what kind of answers. We need to populate the chat with what people are looking to get 316 00:44:41.940 --> 00:44:42.930 Christopher Caldwell: Assistance with 317 00:44:47.310 --> 00:44:49.770 Nick Lewis: I would not have guessed that. That's really interesting. 318 00:44:56.250 --> 00:44:57.960 Nick Lewis: Incident. It sounds like that. 319 00:44:59.280 --> 00:45:03.210 Nick Lewis: provide better service for trying to find 320 00:45:04.890 --> 00:45:06.240 Nick Lewis: helpful information. 321 00:45:07.530 --> 00:45:25.530 Nick Lewis: And so by identifying what they're looking for. You feed that back into the AI and Watson to improve the sort of the responsive, here's what you're looking or the response to the question of what are you looking are what they're looking for. 322 00:45:26.730 --> 00:45:31.620 Christopher Caldwell: Yeah, and to lower that support costs as well for the for the students. 323 00:45:41.700 --> 00:45:43.200 Nick Lewis: Is that a lot of data. 324 00:45:45.330 --> 00:46:04.170 Christopher Caldwell: Um, it's, it's ramping up. It's a fairly new tool we just started using it in August of last year. And, you know, we're building workflows that are launched by the chat process for example registering a you know a gaming device for the network and things like that. 325 00:46:06.090 --> 00:46:12.570 Christopher Caldwell: So I expected to continue to ramp up but it's fairly small amounts of a JSON data. 326 00:46:22.650 --> 00:46:23.640 Nick Lewis: Anything else 327 00:46:38.040 --> 00:46:49.590 Nick Lewis: Okay, so we've done. We've talked for about 45 minutes on the type data sources and my hope was to get in the next thing was the what value. What has the most value. 
328 00:46:50.070 --> 00:47:00.240 Nick Lewis: And what you do with those logs. I'm not sure if we'll have enough. Do we want to talk about that. So the intent of this call is to have just this type of discussion and 329 00:47:01.290 --> 00:47:03.120 Nick Lewis: And I don't know if we'll have enough time to 330 00:47:04.740 --> 00:47:14.040 Nick Lewis: To talk about the providing what large provide the most value do we want to save that for next month, or do we want it. Or we can just keep going right now and see if we get through. 331 00:47:16.470 --> 00:47:17.430 Nick Lewis: Any preferences. 332 00:47:21.420 --> 00:47:25.530 patrick casey: I would tend to think you might want to push that because I have a feeling we could go longer than nine minutes. 333 00:47:26.520 --> 00:47:26.730 Yeah. 334 00:47:29.490 --> 00:47:41.040 Darren Fallis: I wouldn't mind that just going to the third point about what do you have to do to get to them, just some operational challenges if people have them or what they've done is that maybe a smaller, smaller discussion. 335 00:47:42.180 --> 00:47:48.840 Nick Lewis: That yeah that's a good point. So one of the things that so I actually think a couple people on this call. 336 00:47:49.620 --> 00:47:57.330 Nick Lewis: Have were on a panel, we did a panel at educated security professionals last year. And one of the things we talked about was 337 00:47:58.260 --> 00:48:11.130 Nick Lewis: Having like a log evangelist, that would go and work with all the various people on campus to get the data and your system. And so that's that's kind of the person that I'm thinking of the role 338 00:48:12.360 --> 00:48:18.480 Nick Lewis: But somebody needs to go out typically to to do that work with, I don't remember who is talking about the 339 00:48:18.780 --> 00:48:23.610 Nick Lewis: When you went and talked to the PeopleSoft admins and said, Oh, you were looking at one host at a time. 
340 00:48:23.970 --> 00:48:35.100 Nick Lewis: I've got a better tool for you. Do you can look at all your hosts and save you a bunch of time. Let's put your log data into spunk, and now you can look across all of your host, rather than having to look at one host at a time. 341 00:48:35.730 --> 00:48:43.260 Nick Lewis: Do is that what you've been doing, or is there somebody on your team, or what do you have to do to get those logs. 342 00:48:46.800 --> 00:48:54.690 patrick casey: And a lot of ways, it's kind of been more build it and they will come. I mean, we've really started initially 343 00:48:56.310 --> 00:49:04.680 patrick casey: He can call it evangelizing but just just getting central idea is to get their logs into spelunking and just try to use every opportunity we can 344 00:49:05.730 --> 00:49:15.840 patrick casey: You know, as, as we've grown that more departments have seen the value being able to search for the data as well. And we've tried to make getting them relatively easy. 345 00:49:17.190 --> 00:49:23.220 patrick casey: At least to try to minimize the barriers for getting it. So we don't do a lot of control as to 346 00:49:24.270 --> 00:49:37.170 patrick casey: Who gets to install it. How do they decide what they want to log that sort of thing. We kind of keep the framework open and do a minimum and kind of just stay out of the way of getting people 347 00:49:38.190 --> 00:49:43.350 patrick casey: Getting in their way of getting it in there. So we do kind of, you know, help them along the way but 348 00:49:44.370 --> 00:49:54.390 patrick casey: You know, we, it's very distributed. Most of the campus units manage their own foreigners, for instance, but we've gotten a fairly extensive set of documents on how to configure those 349 00:49:54.780 --> 00:50:07.950 patrick casey: And then we use the deployment server to ensure at least the basics are set up properly. 
Like, you know, the deployment configuration, the inputs and the required keys to be able to talk to the infrastructure and stuff so 350 00:50:08.370 --> 00:50:09.840 Christopher Caldwell: How do you bounce easy 351 00:50:11.940 --> 00:50:21.030 Christopher Caldwell: How do you balance that with your license limits having that open the structure. I mean, because we often find that, you know, like, there'll be a platform upgrade will replace the firewalls and we'll go from 352 00:50:21.990 --> 00:50:33.000 Christopher Caldwell: You know 40 gigabytes a day to over 100 gigabytes today, you know, because of changes in the verbosity in the number of devices or the configuration of the devices or 353 00:50:34.980 --> 00:50:42.420 Christopher Caldwell: You know, we've had that with Windows as well. We've seen exponential growth in the Windows server logs. So we, we kind of constantly have to 354 00:50:43.080 --> 00:50:57.870 Christopher Caldwell: Balance the operational needs of the security department, which is the group paying for slunk versus the evangelists evangelizing you know uses spunk other departments and getting them to put, you know, not so security focused data in it. 355 00:50:59.070 --> 00:51:08.700 patrick casey: Well, yeah, there's a lot of it for us is just reporting and detection. So I've gone through and I've written fairly extensive reporting. 356 00:51:09.180 --> 00:51:17.190 patrick casey: And tracking of log usage by host by index overall. And then when we see anomalies. For instance, if something does go up. 357 00:51:17.730 --> 00:51:32.910 patrick casey: Double or, you know, triple or quadruple what we have emails and alerts right away. So you do kind of kind of got to keep on it day by day basis and track your growth. 
But generally, we find that it's it's centralized yes this 358 00:51:32.910 --> 00:51:41.040 patrick casey: is by far the biggest log or 90% of the data 90 plus percent of the data, a lot of the smaller campus it and it's we have a 359 00:51:41.520 --> 00:51:50.730 patrick casey: Kind of a loose agreement that if it's going to be more than five to 10 gigabytes per day. Then we really got to start talking about how we're going to handle that. 360 00:51:52.290 --> 00:52:02.220 patrick casey: Thankfully, we've been able to to control the growth enough that what we have for licensing hasn't restricted us too much. 361 00:52:02.940 --> 00:52:09.300 patrick casey: I guess when I say that we've had a number of systems, especially when we talk about like secure NAS data where 362 00:52:09.720 --> 00:52:20.520 patrick casey: You know, or when security wanted to start pushing an oddity data where you know we gone from eight 900 gigabytes two terabytes. So then it becomes a fairly 363 00:52:21.000 --> 00:52:24.840 patrick casey: Involved effort to try to prove out what's not necessary. 364 00:52:25.560 --> 00:52:41.910 patrick casey: And try to, you know, work with security to make sure that only the important bits of data are getting logged and then filter out the garbage. So there is a fair amount of bear you know care and feeding in that process, but overall it's I think it's worked pretty well to do it that way. 365 00:52:45.240 --> 00:52:50.160 patrick casey: The other thing I would add to that. So again, this is Patrick and that with Dave. That was just trying to you and say, 366 00:52:50.970 --> 00:53:00.270 patrick casey: The hardest blog to get to us haven't been machine logs. It's been business Lodge, where you actually have to work through the actual data governance processes you have at your institution. 
367 00:53:00.870 --> 00:53:07.800 patrick casey: So if you're going to get admissions data, you have to work through the data stewards in the admissions office student data, you got to work through the register and so on. 368 00:53:08.520 --> 00:53:16.530 patrick casey: Because you're having to explain a fairly technical environment to a business customer as opposed to a technical customer 369 00:53:17.700 --> 00:53:24.270 Nick Lewis: And that's the the technical team is doing that or the business owner, who wants to use a system is doing that. 370 00:53:24.390 --> 00:53:25.890 patrick casey: It's a joint effort. 371 00:53:26.370 --> 00:53:37.950 patrick casey: Okay, we usually find that having the technical people sit with the kind of the, the, our first customer. And then sit with the data stewards can kind of shortcut haven't had 10 meetings. 372 00:53:39.300 --> 00:53:39.840 Nick Lewis: Meetings. 373 00:53:39.990 --> 00:53:44.040 patrick casey: And work through it and answer the questions or concerns that each audience might have 374 00:53:58.620 --> 00:54:05.760 Nick Lewis: We've got about one minute left. And so I'm not sure if we have enough time for any more discussion. So I'll do is we can hold the 375 00:54:06.720 --> 00:54:19.560 Nick Lewis: What data sources you get the most value and then. Any additional discussion on what you had to do to get these logs for our call next month. And then if there's any specific questions that you want to talk about with the group. 376 00:54:20.190 --> 00:54:34.170 Nick Lewis: Let me know by the next call and I'd like to thank everyone for attending and I will get this posted on the net plus blank wiki probably in the next day or two. So thanks everyone for attending this month. 377 00:54:36.420 --> 00:54:36.960 Christopher Bennett: Thank you. 378 00:54:37.320 --> 00:54:37.860 Darren Fallis: Thanks, Nick. 379 00:54:38.160 --> 00:54:38.820 Nick Lewis: You're all right. 
380 00:54:38.850 --> 00:54:39.390 Bingdong Li: Thank you. 381 00:54:39.420 --> 00:54:39.930 Albert Ball: Thank you. 382 00:54:40.230 --> 00:54:40.800 I did. 383 00:54:45.120 --> 00:54:46.530 patrick casey: There and he says, by two. 384 00:54:47.100 --> 00:54:47.580 Okay.