WEBVTT

1
00:00:04.319 --> 00:00:27.690
Nick Lewis - Internet2: Everyone, this is Nick Lewis from Internet2. Welcome to the NET+ Splunk community call for October 2020. I'd like to thank Sean McNamara for agreeing to come to talk about Splunk Cloud for this month. And real quick, a couple housekeeping items: as you probably heard, that recording,

2
00:00:28.710 --> 00:00:44.400
Nick Lewis - Internet2: This call is being recorded. We'll post the recording on the NET+ Splunk community wiki. And so if you have a colleague that couldn't make the call, or would like to refer back to anything we talked about, it'll be there along with

3
00:00:45.420 --> 00:00:56.340
Nick Lewis - Internet2: Notes and other material from previous calls. And this call was brought to you by the NET+ Splunk program, supported by campuses signing up for the program.

4
00:00:57.090 --> 00:01:07.440
Nick Lewis - Internet2: If you can, towards the end of the presentation, or actually at the end of Sean's presentation, I'll go and unmute all the lines so that everyone

5
00:01:07.920 --> 00:01:20.160
Nick Lewis - Internet2: Can speak and ask questions. But while Sean's presenting, feel free to put your questions in chat, and if there's any sort of discussion, I can unmute you and we can have a quick discussion.

6
00:01:20.670 --> 00:01:30.030
Nick Lewis - Internet2: And so I'd like to thank everyone for attending this month. And I'll switch over now to Sean for you to introduce yourself and start presenting.

7
00:01:38.820 --> 00:01:41.910
Sean McNamara: Hello everyone. Everyone able to see my screen, Nick?

8
00:01:42.240 --> 00:01:43.260
Sean McNamara: Can you see my screen at least?

9
00:01:44.790 --> 00:01:52.770
Sean McNamara: Excellent. Well, thank you very much for attending. As Nick said, I'm here to talk about Dartmouth's experience with Splunk Cloud.
10
00:01:53.790 --> 00:02:02.190
Sean McNamara: We'll jump in and talk a little bit about how we arrived at Splunk Cloud as our chosen solution, and then we'll go on to some use cases that we're

11
00:02:02.670 --> 00:02:19.170
Sean McNamara: Using the platform for. And finally, we'll wrap up with some future direction. So I'm Sean McNamara. I'm the Senior Director of Information Security at Dartmouth College, which means I'm responsible for the whole mess that falls under information security. It's tons of fun.

12
00:02:21.510 --> 00:02:36.030
Sean McNamara: So yeah, and I would also welcome anyone, if you have any questions after the presentation that you don't think of until afterwards, I'll have my contact information on the final slide. Please do feel free to reach out and ask anything you would like to know.

13
00:02:37.560 --> 00:02:38.130
Sean McNamara: So,

14
00:02:39.840 --> 00:02:52.380
Sean McNamara: All right. Well, let's start by framing what our world looked like before Splunk. So there's more to it than what I have right here. But we had what I call a Frankenstein, right? We had

15
00:02:53.040 --> 00:03:12.180
Sean McNamara: Little bits and pieces of custom code, syslog feeding into syslog, you know, different software deployed to kind of work like a SIEM, but it wasn't very effective. And you know, I say it's not effective, let's put it this way, it got the job done. But it wasn't

16
00:03:13.200 --> 00:03:22.020
Sean McNamara: It wasn't effective to maintain, right? There was a lot of... every time a log message would change, every time something unexpected would happen, you'd be back in the code,

17
00:03:22.470 --> 00:03:28.920
Sean McNamara: Looking through it, trying to figure out why something wasn't parsed properly. It was a mess. It was a big time commitment.
18
00:03:29.640 --> 00:03:44.010
Sean McNamara: And we were very aware of the noise that it generated, you know, because you'd get false alarms about certain events, you would get repeated notifications of a single event when you only needed one.

19
00:03:45.510 --> 00:03:51.570
Sean McNamara: And, you know, it just became too much. There was too much noise and we were not getting enough value out of the platform.

20
00:03:52.740 --> 00:04:12.210
Sean McNamara: So this led us to start thinking about, you know, what could we replace this big mess with, right? So at this point in time, our business school was already using Splunk in a very limited capacity. So we were able to talk with them, see how it was working for them.

21
00:04:13.680 --> 00:04:17.310
Sean McNamara: And of course there were a few other small pockets of use, I believe, around campus.

22
00:04:18.450 --> 00:04:24.120
Sean McNamara: But primarily, you know, we did an evaluation of a number of vendors.

23
00:04:25.950 --> 00:04:35.880
Sean McNamara: And I think we brought in about five different vendors, competitors, and, you know, obviously we chose Splunk. And why?

24
00:04:36.660 --> 00:04:40.200
Sean McNamara: Really, it comes down to the maturity of the platform, from my perspective.

25
00:04:40.920 --> 00:04:49.230
Sean McNamara: Splunk has really been the leader in this space. I mean, I remember, you know, before I even knew what the word SIEM meant, I was hearing about

26
00:04:49.950 --> 00:05:08.610
Sean McNamara: Splunk, right? And we expected to have a fairly quick turnaround on our investment, in the sense that Splunk has a lot of stuff that comes with their app store, where you can install pre-made dashboards that will

27
00:05:09.810 --> 00:05:14.310
Sean McNamara: Report on and consume, you know, popular data sources. And that was very

28
00:05:15.330 --> 00:05:26.040
Sean McNamara: Very appealing to us, right? We wanted to drop this thing in and get value out of it as quickly as possible. That said, we're going to come back to that question in a bit.

29
00:05:26.640 --> 00:05:36.000
Sean McNamara: And of course, there's a huge user community around Splunk. If you have a question or you need help with something, there's more likely than not someone out there who's already

30
00:05:36.420 --> 00:05:42.450
Sean McNamara: Struggling with the problem and can help you with it. And we've relied on that a number of times to get us

31
00:05:43.710 --> 00:06:01.290
Sean McNamara: Where we are. And I'd also say, you know, Splunk has... the support is pretty good. When you have a problem, when you have something you need to figure out, they get you to the right person, you know, which is different than my experience with a lot of other vendors.

32
00:06:04.080 --> 00:06:18.420
Sean McNamara: So why Splunk Cloud? So I've given talks in the past about moving to the cloud, and a lot of these points are, you know, pretty much taken right from there.

33
00:06:19.170 --> 00:06:27.420
Sean McNamara: So I don't think anyone will ever save money going to the cloud. If your goal is to save money, then you're not going to get there.

34
00:06:27.840 --> 00:06:35.970
Sean McNamara: But what software as a solution, particularly, gives you is the ability to optimize or maximize the value from your investment.

35
00:06:36.390 --> 00:06:44.130
Sean McNamara: So instead of using your FTEs to maintain infrastructure and servers and what have you, you're

36
00:06:44.610 --> 00:06:56.460
Sean McNamara: Instead allowing them to invest their time into enhancing and using the platform that you're paying for. So, you know, it's a distinction and it's an important one because, you know,

37
00:06:57.240 --> 00:07:06.660
Sean McNamara: Early on, when we were talking to our board and our, you know, our financial people about this, and we were explaining that we were going after a cloud

38
00:07:07.080 --> 00:07:14.970
Sean McNamara: Offering, we had to really justify the fact that it was, you know, not necessarily going to be cheaper, but it would allow us to really,

39
00:07:15.720 --> 00:07:20.010
Sean McNamara: You know, maximize what we're getting from the investment.

40
00:07:20.490 --> 00:07:35.010
Sean McNamara: The other thing is, you know, you don't have to worry about patching, you don't have to worry about upgrading servers, you don't have to worry about replacing servers every five years, right? It certainly is, you know, a good investment. And

41
00:07:36.210 --> 00:07:46.050
Sean McNamara: The other thing I would point out is that, you know, when we first started this, we were basically given a directive

42
00:07:47.280 --> 00:08:05.400
Sean McNamara: By our CIO to, you know, consider everything cloud first. And, you know, I think that makes a lot of sense for certain offerings, but not always. One of the considerations that you may have that might make a cloud offering like Splunk not

43
00:08:06.630 --> 00:08:15.210
Sean McNamara: Useful or not attainable is, you know, if you have limited bandwidth, if you have some constraints that might, you know, operationally

44
00:08:15.600 --> 00:08:22.800
Sean McNamara: Prevent the solution from being successful. So it's something to keep in mind, you know, that cloud offerings are generally,

45
00:08:23.700 --> 00:08:38.460
Sean McNamara: You know, like I said, allow you to focus your resources on enhancing the use of the tool, but there may be other considerations that would drive you towards an on-prem solution.
46
00:08:41.730 --> 00:08:42.150
Sean McNamara: So,

47
00:08:43.200 --> 00:08:52.590
Sean McNamara: The nice thing about this is we partnered with our... so as soon as we had all the ink on paper and, you know, we were ready to go, we had a VAR sitting with us for a week

48
00:08:53.010 --> 00:09:05.310
Sean McNamara: That worked through the initial deployment. So we call it a cloud service, but there still are some components that do need to be on premise. So there's a console server, which is basically where you go to configure,

49
00:09:06.150 --> 00:09:13.770
Sean McNamara: You know, access and all that. And then there are indexers. So these are things that will actually take your log data and

50
00:09:14.460 --> 00:09:23.370
Sean McNamara: Parse it and send it up to the cloud environment. They're fairly lightweight. Now there's two different ways you can handle this. And you know, the...

51
00:09:23.970 --> 00:09:33.960
Sean McNamara: It's still... I think we're running all of ours in VMs. So we're not even throwing physical hardware at it at this point, but it's just something to consider. There is some

52
00:09:35.040 --> 00:09:37.860
Sean McNamara: On-premise presence that will be necessary.

53
00:09:39.210 --> 00:09:40.080
Nick Lewis - Internet2: Sean, there's a

54
00:09:40.110 --> 00:09:48.240
Nick Lewis - Internet2: question in the chat. So the on-prem... so the question from Darren was: indexers or the heavy forwarders stayed on prem?

55
00:09:48.960 --> 00:09:56.640
Sean McNamara: I have before... there's, yeah, sometimes I misuse the term. We do have heavy forwarders on campus. I call them indexers. I'm sorry.

56
00:09:57.990 --> 00:09:59.130
Nick Lewis - Internet2: Thanks for the clarification.

57
00:09:59.550 --> 00:10:00.270
Sean McNamara: Yep, sorry.

58
00:10:03.240 --> 00:10:05.610
Sean McNamara: So things to consider. And these are really

59
00:10:08.160 --> 00:10:18.120
Sean McNamara: Across the board, regardless of whether you're using the on-premise or the cloud offering: Splunk is not a replacement for syslog. So if your goal

60
00:10:18.720 --> 00:10:31.740
Sean McNamara: Is to archive and store logs, then you're probably, more likely than not, better off just sticking with a traditional syslog server that's writing off to, reading off the disk, right?

61
00:10:34.200 --> 00:10:44.610
Sean McNamara: I think we've been very successful. And this is something that Splunk preached to us from the very beginning: that any data that you're ingesting and indexing should be based on a well-defined use case.

62
00:10:45.150 --> 00:10:51.900
Sean McNamara: Right. It's not a matter of what do I want to put into Splunk, but rather what do I want to get out of it. And we've had a

63
00:10:52.380 --> 00:10:57.510
Sean McNamara: couple interesting conversations, quite a few interesting conversations, with people who approached us with the,

64
00:10:58.290 --> 00:11:10.620
Sean McNamara: You know, the position of just wanting to put their data in there so it can be more easily searched. And that's fine, but it's not necessarily going to be the best use of your investment, in my opinion. Splunk does

65
00:11:11.670 --> 00:11:17.220
Sean McNamara: cost money, you know, but when used properly, I believe it's well worth it.

66
00:11:18.900 --> 00:11:27.720
Sean McNamara: What we found was very exciting is we brought in really a cross-functional team of people in IT, and then also outside of IT, to

67
00:11:28.350 --> 00:11:34.110
Sean McNamara: Take a look at the product and to build use cases for us. Most of the use cases we're going to talk about today, next,

68
00:11:34.860 --> 00:11:39.840
Sean McNamara: Are IT use cases. But we have been able to use it for some other cases as well.
69
00:11:40.830 --> 00:11:50.520
Sean McNamara: And there's something I would say, and this is something that we're exploring now, is that there are alternate pricing models and licensing models available for certain high-volume data sources.

70
00:11:51.300 --> 00:11:59.040
Sean McNamara: One thing that we've really been itching to throw in an index, because it would save a lot of our time, is NetFlow data, right?

71
00:12:00.180 --> 00:12:03.990
Sean McNamara: And I believe there is an alternate pricing model available for that.

72
00:12:05.040 --> 00:12:05.340
Sean McNamara: You're

73
00:12:05.400 --> 00:12:06.660
Nick Lewis - Internet2: You're reading my mind.

74
00:12:06.780 --> 00:12:13.890
Nick Lewis - Internet2: So yeah, so that's one of the things that the NET+ Splunk Advisory Board has worked with Splunk quite a bit on

75
00:12:15.180 --> 00:12:28.590
Nick Lewis - Internet2: In the March timeframe and over the previous six months. And so there are some changes to how that works, and it's now much more expansive what's covered in the NetFlow licensing. So if you have any

76
00:12:29.250 --> 00:12:40.590
Nick Lewis - Internet2: If you have any questions, like, follow up, put it in the notes and I'll see if I can track down the details and put them in the chat. But yeah, that'd be great. There's been a lot of improvements around that.

77
00:12:40.800 --> 00:12:55.590
Sean McNamara: Yeah, I mean, and that's really, if you look at that area, it's the fact that, you know, it's high-volume, noisy log data that's not frequently used, necessarily, but when it needs to be used, it needs to be fast.

78
00:12:56.640 --> 00:13:05.100
Sean McNamara: So it's, you know, that'd be great. Same thing with DNS logs, that sort of stuff. I don't know if that's covered, but if it was, that would be great.
79
00:13:06.600 --> 00:13:14.730
Sean McNamara: Alright, so I'm going to pause for a moment. I'm about to transition into talking about some use cases that we've worked through.

80
00:13:15.780 --> 00:13:23.310
Sean McNamara: Does anyone have any questions, particularly about the cloud or why we chose to go to the cloud?

81
00:13:27.930 --> 00:13:28.590
Sean McNamara: And Nick, I guess,

82
00:13:29.700 --> 00:13:31.650
Sean McNamara: Just relay it through the chat. That would be great.

83
00:13:31.860 --> 00:13:32.880
Nick Lewis - Internet2: Yeah, exactly. Um,

84
00:13:34.110 --> 00:13:36.990
Nick Lewis - Internet2: Do you maintain another long-term archival store?

85
00:13:38.520 --> 00:13:38.850
Nick Lewis - Internet2: Yeah.

86
00:13:39.150 --> 00:13:59.850
Sean McNamara: We do. So where we have compliance needs, we actually do maintain a syslog archive of our logs for whatever period they need to be maintained for, really. So I believe right now we have about 90 days of logs in Splunk, which meets our

87
00:14:01.710 --> 00:14:08.130
Sean McNamara: Policy requirements in general. But there are some other, obviously, log types that need to be maintained longer.

88
00:14:09.900 --> 00:14:20.100
Sean McNamara: So again, I don't think, as I said, that Splunk is a replacement for syslog. I think syslog will always have a role and a place in a network infrastructure, but

89
00:14:21.180 --> 00:14:24.690
Sean McNamara: Certainly you can very much enhance the

90
00:14:25.350 --> 00:14:35.220
Sean McNamara: Utilization and the use of all this data that you're collecting. I think about the gigabytes and gigabytes of data that are produced. There's really interesting stuff there, especially when you're able to

91
00:14:35.730 --> 00:14:43.950
Sean McNamara: Start correlating events, and that's what we'll talk about a little bit with some of our use cases, where you really start to see the value of it. And it's cool.
92
00:14:48.930 --> 00:14:49.590
Sean McNamara: Anything else?

93
00:14:50.940 --> 00:14:53.340
Sean McNamara: And we can come back to this at the end if anything else does come up.

94
00:14:53.850 --> 00:14:55.410
Nick Lewis - Internet2: That sounds great. Yeah, perfect.

95
00:14:56.730 --> 00:15:04.440
Sean McNamara: So as I said, we're going to go through a couple of, a number of our use cases, just to kind of give you insight into how we're using Splunk and what,

96
00:15:05.010 --> 00:15:18.840
Sean McNamara: You know, it's able to provide for us. Something I would say, you know, before I transition over, is that we've not run into any limitations with the cloud platform that would make us,

97
00:15:19.620 --> 00:15:31.440
Sean McNamara: That made us regret choosing the cloud platform over the on-prem platform. Basically all of our use cases have been able to be accommodated. And we even, I believe I mentioned early on that our

98
00:15:33.120 --> 00:15:39.360
Sean McNamara: Business school was already using Splunk in a limited capacity. We've since

99
00:15:40.530 --> 00:15:49.020
Sean McNamara: Brought them on board into our central repository, and they've had no issue converting the dashboards and what have you over to the cloud instance.

100
00:15:49.710 --> 00:16:00.690
Nick Lewis - Internet2: And you're able to do, like, the same type of access control, probably, because I suspect the business school doesn't have access to all the security logs, like... Correct, yeah.

101
00:16:00.780 --> 00:16:08.400
Sean McNamara: Correct. Yep. All the index-based access controls that are capable of being put in place in an on-prem solution are also,

102
00:16:09.030 --> 00:16:22.800
Sean McNamara: To the best of my knowledge, available in the cloud. At least we've never gotten to a point where we've run into a case that we couldn't properly secure something or provide the access control that we needed.

103
00:16:25.110 --> 00:16:26.730
Sean McNamara: Alright, so this is a cool...

104
00:16:27.780 --> 00:16:39.630
Sean McNamara: It's often a big one, when there's an emergency or a stolen device, right? We're consuming data from our DHCP logs, our access points, our RADIUS

105
00:16:40.740 --> 00:16:51.540
Sean McNamara: Servers, our, you know, web SSO servers, Active Directory and all sorts of fun stuff. I think we're also consuming our, you know, our

106
00:16:52.380 --> 00:17:04.860
Sean McNamara: Tables from our network. We're putting all this fun stuff together. And what we're able to do is, if we're given a user ID or an Ethernet address and a time range,

107
00:17:06.120 --> 00:17:15.990
Sean McNamara: We can basically show where that device was or that person was, and/or, more importantly, sometimes where they are right now.

108
00:17:17.190 --> 00:17:25.500
Sean McNamara: You know, there's been a number of cases where we've had devices stolen and we've been able to successfully locate them

109
00:17:25.950 --> 00:17:41.430
Sean McNamara: By essentially queuing up an alert that would fire when this device was seen, because, you know, if it was another student that took the device, at some point they're going to open it up, it's going to pop on the network, and then we're able to basically triangulate it

110
00:17:42.480 --> 00:17:52.500
Sean McNamara: Based on where it's associated. So that's worked well for us. Locating people: there's been a couple cases where, you know, someone

111
00:17:53.400 --> 00:18:02.730
Sean McNamara: went missing. And, you know, for whatever reason, we couldn't track them down, and well, they had their phone on them. We were able to locate them using this report

112
00:18:03.480 --> 00:18:09.690
Sean McNamara: As well. And of course, most recently, and this is something I'll spend a little bit of time talking about, the contact tracing.

113
00:18:10.260 --> 00:18:22.980
Sean McNamara: If someone's on campus, and with all this fun COVID stuff going on, if, you know, we find out that they've been potentially exposed, we could see where they've been and who else they may have come in contact with.

114
00:18:23.970 --> 00:18:34.470
Sean McNamara: I'd also like to mention that, you know, Splunk has worked quite a bit with us towards contact tracing and the app. And we had access to some of their,

115
00:18:35.430 --> 00:18:46.410
Sean McNamara: I consider, some of their best engineers to work with us on that. In the end we moved towards another solution, but the work that we did with them

116
00:18:47.490 --> 00:19:00.510
Sean McNamara: Towards contact tracing has been extremely, extremely valuable, and we were nearly at a point where we would be able to type in a person and a timeframe and get a picture on a map of where someone was and could have been.

117
00:19:01.770 --> 00:19:04.110
Sean McNamara: So it was pretty neat stuff, pretty powerful.

118
00:19:06.240 --> 00:19:15.780
Sean McNamara: So this is a fun one. If any of your campuses are anything like mine, this is a daily occurrence. So what we were able to do is

119
00:19:17.100 --> 00:19:33.360
Sean McNamara: Basically, put in a consumer of our mail logs from Office 365. We're an Office 365 shop, but I think this would work just as well with Google or any other platform. Basically, the email sender, recipient, subject and/or a time range, right?

120
00:19:34.470 --> 00:19:39.870
Sean McNamara: What we get from that is a report that shows how many people have received the message,

121
00:19:40.410 --> 00:19:57.510
Sean McNamara: How many of the messages were actually delivered to the inbox, right? Because, you know, Office 365 and most spam filtering or malware/phishing filtering tools are responsive to the number of messages, and eventually they'll start dropping them or moving them to junk.

122
00:19:58.830 --> 00:20:02.370
Sean McNamara: And then finally, you know, who responded. More importantly, right, who fell for it?

123
00:20:03.810 --> 00:20:16.410
Sean McNamara: And this has been extremely valuable, because these phishing messages, they're non-stop. You know, people almost always fall for... someone always falls for them.

124
00:20:18.420 --> 00:20:26.250
Sean McNamara: And this allows us really to immediately assess the risk of a particular phishing campaign, right, based on the number, the volume, right?

125
00:20:26.910 --> 00:20:39.000
Sean McNamara: Whether or not a large number of the messages were able to bypass the filters that we have, and then, you know, how well crafted was it, so that people were falling for it.

126
00:20:39.510 --> 00:20:46.440
Sean McNamara: So that's cool. That's, with a couple button clicks, a little bit of input, that's right there in our face for my engineers to respond to.

127
00:20:47.370 --> 00:20:55.140
Sean McNamara: We also are able... well, let me put it this way. These last two bullets are really something that we're moving towards,

128
00:20:55.950 --> 00:21:16.350
Sean McNamara: Where we're going to be able to take a look at the reports that are coming in of phishing, because, you know, there's a little button in your Outlook client that you can click that says "report as phishing." If we're monitoring the inbox, we could pull from that and then assess risk automatically,

129
00:21:17.490 --> 00:21:34.740
Sean McNamara: You know, based on this report, and alert us first of all, right, step one. Then we can do additional triage. And then finally, really, I want to get to a point where we're able to automatically notify recipients of the message or just flat out remove the message from the inbox.

130
00:21:36.030 --> 00:21:50.460
Sean McNamara: You know, as you'll probably get the sense as I go through this, I'm very much enthusiastic about automation, and as much as I can get the computer to do for me, the happier I am.

131
00:21:51.840 --> 00:21:56.280
Sean McNamara: So another email use case, and I don't know if folks have dealt with this, but subscription bombing.

132
00:21:57.570 --> 00:22:13.680
Sean McNamara: We've had a number of incidents where students are upset at a professor or administrator and they decide to go to one of the subscription bombing sites and subscribe the individual to 100,000 obscene

133
00:22:14.610 --> 00:22:28.410
Sean McNamara: Mailing lists, right? What we're able to do is, based on the recipient email, so the person who's getting the email, and a time range, we can take a look and make an assessment of whether a message is likely

134
00:22:29.760 --> 00:22:41.820
Sean McNamara: A part of that campaign, and we then identify the domains that are associated with it. And we can then go through and programmatically pull the

135
00:22:42.630 --> 00:22:57.450
Sean McNamara: Messages from the inbox. So it's a good way to basically stop the mess. One thing we're working on right now that I didn't mention is a way to parse out the unsubscribe link and to

136
00:22:58.530 --> 00:23:13.710
Sean McNamara: Actually have it unsubscribe the person from the mailing list. That still is a manual step in the process, which is a bit of a pain, occasionally, depending upon what we...

137
00:23:14.910 --> 00:23:30.090
Sean McNamara: With the data that we're able to pull, we're also able to then take the data and find a person through user correlation queries to, you know, track them down. So, who actually did it: we were successful doing that about a week ago, which was kind of cool.

138
00:23:33.450 --> 00:23:38.100
Sean McNamara: So this is a big one, right, account status. So this is really looking for, you know,

139
00:23:38.910 --> 00:23:50.640
Sean McNamara: Events that are affecting accounts. So this could potentially be looking for, you know, password cracking attempts, you know, or compromised credentials, right, accounts that have already been credentialed, excuse me,

140
00:23:51.480 --> 00:24:02.160
Sean McNamara: Credentials that have already been compromised, and also troubleshooting misconfigured devices. You know, we frequently have the case where someone will change their password on

141
00:24:02.640 --> 00:24:12.750
Sean McNamara: Something, you know, on five devices, but they forget to change it on their iPad, and then 15 minutes later they're locked out. Our help desk uses this all the time to

142
00:24:13.170 --> 00:24:22.590
Sean McNamara: Help identify, number one, you know, the people who are having that problem, proactively, and then also, if they're receiving reports of

143
00:24:23.760 --> 00:24:42.360
Sean McNamara: Accounts getting locked, this gives them the ability to track down why, which is helpful. So again, you put in a user ID, a time range, and it goes through all the lockout events, bad password attempts, MFA failures, password reset attempts, both

144
00:24:43.620 --> 00:24:46.350
Sean McNamara: Failed and successful ones,

145
00:24:47.820 --> 00:24:56.190
Sean McNamara: And where they're coming from. So that's also an interesting thing that we've been able to rely on for anomaly detection.

146
00:24:56.880 --> 00:25:05.910
Sean McNamara: If someone's sitting in Hanover, New Hampshire, and then suddenly they're logging in from South Africa, that's probably not legitimate, right? There's something going on there, and we can alert on that.

147
00:25:08.040 --> 00:25:13.260
Nick Lewis - Internet2: Sean, I've got a question. I'm wondering, so is that an app that you've developed? Is it a dashboard?

148
00:25:13.410 --> 00:25:14.640
Nick Lewis - Internet2: Dashboard, dashboard.

149
00:25:14.670 --> 00:25:16.200
Sean McNamara: All of these are dashboards.

150
00:25:17.430 --> 00:25:38.550
Nick Lewis - Internet2: Excellent. And there's a question that came in the Q&A about the previous slide, asking about the Office 365 logs, and is this through the Microsoft Graph connector? So did you have to make different alerts from the back end of Office 365 to get more than security alerts?

151
00:25:39.450 --> 00:25:54.900
Sean McNamara: So we are periodically running an API call into Office 365 that retrieves all the email delivery data, and then pull that into Splunk for indexing. Excellent. Thank you.

152
00:25:55.620 --> 00:26:06.120
Nick Lewis - Internet2: And Albert, if you want to ask some more questions when we get to the Q&A section, or when Sean's done with his presentation, we can drill down a little bit more on that. Thanks, Sean. You got it.

153
00:26:06.930 --> 00:26:07.710
Sean McNamara: So another very

154
00:26:09.000 --> 00:26:18.660
Sean McNamara: Similar case: user profile. And this is really where we take a look at anomaly detection. This is a dashboard that we'll see, we kind of rank

155
00:26:20.070 --> 00:26:30.270
Sean McNamara: People and/or user IDs based upon, you know, things that we don't expect. So we're able to look and see all the devices that a particular person uses,

156
00:26:31.470 --> 00:26:43.080
Sean McNamara: The access points they're associating with, the logins, what services they're logging into, IP addresses they're using, you know, how often they're using the VPN, and where they're coming from.

157
00:26:43.710 --> 00:26:54.690
Sean McNamara: So with all of that, you know, we're able to build a profile of the user. And if there's a divergence from that profile, we can identify it and,

158
00:26:56.040 --> 00:27:06.150
Sean McNamara: You know, take action. To be totally clear, this is something that we use more responsively than

159
00:27:06.930 --> 00:27:16.770
Sean McNamara: Proactively. I'd like to change that, and I think with a little bit more work we could get to a place where, you know, we're getting alerts if someone suddenly, you know,

160
00:27:18.090 --> 00:27:36.630
Sean McNamara: Exhibits, say, odd behavior. But you know, I also look at some of these things: there are already tools out there that do this sort of profiling and anomaly detection and alerting, so I'm hesitant to necessarily reinvent the wheel. But yeah, well, we'll think about it.

161
00:27:38.670 --> 00:27:55.590
Sean McNamara: And finally, yeah, we have another thing here. This is again a user correlation. This is basically the idea where we take, you know, a source IP, or a destination IP and port, and we ask the question, who did it, right? We use this when we get abuse reports, you know, the

162
00:27:56.730 --> 00:28:15.870
Sean McNamara: Always our favorite thing, the DMCA copyright infringement reports, and also incident response, right? If we, you know, we've often seen... oh geez, we've had a case where someone made a bomb threat, posted it on a public forum, and we were able to then take the

163
00:28:16.950 --> 00:28:29.190
Sean McNamara: IP address of the forum and, you know, then look back for everyone that was communicating to that forum in the period of time that the request was made,

164
00:28:29.700 --> 00:28:43.320
Sean McNamara: Or excuse me, not the request, the post was made. And then, you know, send our safety and security folks out to talk to them. And in that particular case, you know, it did correlate down to a single person, which was, you know, pretty cool.

165
00:28:44.670 --> 00:28:51.180
Sean McNamara: So this was actually one of the use cases that really drove our adoption of Splunk.

166
00:28:52.320 --> 00:28:57.900
Sean McNamara: Previously, I can't tell you how many hours and weeks I spent doing this, you know, with my own code,

167
00:28:58.860 --> 00:29:18.990
Sean McNamara: Years back. But we had a piece, a system that did this manually, but, you know, every six weeks, for one reason or another, it'd break or you'd have to make a change because of, you know, shifting of the log format or what have you. So I was very happy to get this off to someone else.

168
00:29:20.550 --> 00:29:21.120
Sean McNamara: Um,

169
00:29:23.700 --> 00:29:34.740
Sean McNamara: So this is a pretty simple one, you know, basically our... okay, yeah, I'm going to actually frame this a little bit differently. So up to this point we've really talked a lot about

170
00:29:36.600 --> 00:29:53.700
Sean McNamara: My use cases, security use cases. But I also wanted to include some use cases for operations, operational folks. So our systems administration team and applications administration team use Splunk quite heavily to

171
00:29:54.810 --> 00:29:59.850
Sean McNamara: Alert when an application, maybe, or server may be misbehaving. So they're,

172
00:30:00.810 --> 00:30:09.450
Sean McNamara: Basically what they do is they define what normal looks like, right? And if they start seeing alerts or log messages or events that

173
00:30:09.960 --> 00:30:21.480
Sean McNamara: Deviate from normal, either in the number of events that are occurring over time or the particular, you know, SNMP counters that are being returned when we are polling them,

174
00:30:23.370 --> 00:30:33.270
Sean McNamara: Or just, thinking maybe, you know, a message that has never been seen before, they're able to alert on that. So there have already been a number of cases where we've identified,

175
00:30:33.840 --> 00:30:43.080
Sean McNamara: You know, systems and services that were under-provisioned, that we were able to then, you know, identify preemptively and,

176
00:30:44.340 --> 00:30:53.940
Sean McNamara: You know, add more resources to before it became a problem, right, which was very useful. And also identifying attempted abuse here; I have to sneak in my use case, of course.

177
00:30:55.140 --> 00:31:02.910
Sean McNamara: You know, someone's banging on a system trying to SSH brute force login. Well, you know, that's pretty easy to detect and flag.

178
00:31:03.630 --> 00:31:15.990
Sean McNamara: And another cool thing is, I don't know, you know, I think everyone out there who runs these sorts of services always asks the question, you know, are people really using these things?

179
00:31:17.460 --> 00:31:34.500
Sean McNamara: You know, we've been able to put together some pretty neat reports that show how resources are being used in our environment and, you know, identify underused resources as well as, you know, overused or over-utilized and under-provisioned resources.
180 00:31:35.670 --> 00:31:46.650 Sean McNamara: Then it, you know, it gives you the opportunity to ask. Number one, is this something we need to continue providing or why aren't people using it, which is sometimes a fairly interesting rabbit hole to go down. 181 00:31:47.760 --> 00:31:49.230 Sean McNamara: So our network team. 182 00:31:51.000 --> 00:31:55.440 Sean McNamara: Also relies on spunk for very similar 183 00:31:56.880 --> 00:32:02.670 Sean McNamara: Usage so they're able to take a look at network traffic and, you know, for example, if a loop. 184 00:32:03.000 --> 00:32:16.230 Sean McNamara: someone accidentally you know messes up their spanning tree configuration and loops, the network, often on switch somewhere, they're able to detect that and you know trigger an alert that allows them to, you know, track that down and 185 00:32:17.340 --> 00:32:20.730 Sean McNamara: You know, fix it before, ideally before it becomes too much of a problem. 186 00:32:21.270 --> 00:32:29.580 Sean McNamara: Also failing hardware, you know, this was one of the things that we usually hear about it, three o'clock in the morning when it's already broken 187 00:32:30.030 --> 00:32:44.430 Sean McNamara: But they've had been able to put together some reports and what have you to help identify devices that need replacement or attention and yep you know really all goes into that preemptive notification. Right. We want to know about a problem before, it's a problem. 188 00:32:45.690 --> 00:32:49.350 Sean McNamara: And finally, this is my last use case that I'm going to cover and it's a 189 00:32:50.460 --> 00:32:59.040 Sean McNamara: One, I think is pretty cool. So we've been able to use flunk quite a bit to detect malware activity. 
190 00:33:00.270 --> 00:33:22.530 Sean McNamara: And this is essentially looking at firewall logs, looking at, you know, server logs and, for example, if we're if we hear about a new SMB vulnerability that maybe warm a fight, we can look for behavior that we'd expect from a infected machine was scanning for other vulnerable systems or 191 00:33:23.610 --> 00:33:30.720 Sean McNamara: You know, attempting a logins to multiple devices that you know they had never connected to before. 192 00:33:31.920 --> 00:33:39.480 Sean McNamara: And this is this is caught some pretty is this. This is coming to us quite a, quite a number of times, you know, whenever we see a 193 00:33:40.740 --> 00:33:48.480 Sean McNamara: Zero Day type attack or vulnerability or malware my engineers will sit down with me and we'll talk through like what 194 00:33:49.020 --> 00:34:01.800 Sean McNamara: Speculate, you know, we don't have. We don't have a signature for this yet. And our IPs. What will this look like, you know, and we've been able to come up with fairly effective signatures that would have 195 00:34:02.970 --> 00:34:07.320 Sean McNamara: Prevented or identified potential malware activity. 196 00:34:08.790 --> 00:34:11.640 Sean McNamara: And the nice part is, is, you know, 197 00:34:13.020 --> 00:34:19.110 Sean McNamara: Whenever you think about something like this, your immediate concern is false positives. Right. You really want to 198 00:34:20.130 --> 00:34:36.300 Sean McNamara: You know, if you're getting alerted on something at four in the morning. You want to make sure it's worth getting up for and we've. We have a number of these alerts in place and I never the seeds, the false positive, which is pretty pretty reassuring show 199 00:34:37.710 --> 00:34:39.210 Sean McNamara: So do you guys 200 00:34:39.240 --> 00:34:46.080 Nick Lewis - Internet2: try any of that investigations, with the the zero login sort of vulnerability that came out, what, three weeks ago, or four weeks ago. 
201 00:34:46.170 --> 00:34:54.630 Sean McNamara: Yeah, we did. Yeah, that's actually one of the cases that we did use it for app. Yeah. Yes. It's really, really neat stuff. And if you think a little bit creatively about it. 202 00:34:55.680 --> 00:34:58.650 Sean McNamara: There's really cool stuff. And it's, you know, something else you know well 203 00:34:59.760 --> 00:35:08.220 Sean McNamara: Let me say enough. You know, I really think that spunk is a tool that can be used for more than just it you know obviously it's, you know, heavily 204 00:35:09.450 --> 00:35:20.760 Sean McNamara: It's geared towards it, but it's pretty much a data analytics engine we've really been trying to pull you know our finance people are business people into the 205 00:35:22.020 --> 00:35:35.250 Sean McNamara: Into the space to see if they might be able to use the platform for some of the work that they're doing. And in doing so, you know, I, I always say the, you know, you have to really drive your 206 00:35:36.360 --> 00:35:48.930 Sean McNamara: Ingest by use cases and I do definitely believe in stand by that but what I do find those once you start getting more diverse data sets into the platform, you can, you know, enhance the 207 00:35:49.560 --> 00:35:56.340 Sean McNamara: You know the utility of the other reports and stuff by, you know, integrating it with those other data sets. 208 00:35:57.780 --> 00:35:59.700 Sean McNamara: So what's next. 209 00:36:01.650 --> 00:36:05.850 Sean McNamara: We're going to continue we have plans for a number of additional 210 00:36:07.080 --> 00:36:09.030 Sean McNamara: Dashboards inquiries and what have you. 211 00:36:10.500 --> 00:36:21.720 Sean McNamara: We will continue moving towards security orchestration and response that's really where we want to get a, you know, we're a small team. 212 00:36:23.370 --> 00:36:28.710 Sean McNamara: It's me two engineers. We have one opening. 
So if you know anyone feel free to send them my way 213 00:36:30.540 --> 00:36:37.650 Sean McNamara: But we really need to get a point where we're relying on the, you know, an orchestration platform spunk, obviously. 214 00:36:38.910 --> 00:36:48.180 Sean McNamara: Has phantom we are taking a look at that. And frankly, I would be interested to see how it fits into our, our environment. 215 00:36:50.220 --> 00:36:57.930 Sean McNamara: The idea and goal is to basically automate and orchestrate everything we can, and have what's left over. 216 00:36:59.160 --> 00:37:03.150 Sean McNamara: The you know reviewed and triage to buy a managed sock solution. 217 00:37:04.890 --> 00:37:13.680 Sean McNamara: You know, we're we're looking into that for this year, as you know, everything is up in the air with a funding and all that. I don't know where we'll end up with it, but 218 00:37:14.250 --> 00:37:25.050 Sean McNamara: Fingers crossed that will end up you know getting getting both things done. But I definitely see that there's despite, you know, I feel that we've done a lot with spunk. 219 00:37:25.800 --> 00:37:37.710 Sean McNamara: And I, but I still feel that there's a lot more we can do, I would say that we're still kind of in the middle of our maturity range, I think, you know, if we had the opportunity to 220 00:37:39.120 --> 00:37:41.790 Sean McNamara: You know dedicate a single FDA to it. 221 00:37:42.960 --> 00:37:49.680 Sean McNamara: That would be great. But we're not there right now and i know i think that is actually something that's worth following up on because I didn't mention that earlier. 222 00:37:51.780 --> 00:38:03.780 Sean McNamara: Spunk will eventually save you time FTS but you need to make the investment. Yes, be prepared. I think for six to 12 month investment and really spinning up the platform. 223 00:38:04.920 --> 00:38:06.990 Sean McNamara: To customize it for your environment. 
224 00:38:08.220 --> 00:38:16.860 Sean McNamara: Understanding that you're still you still will get immediate value out of it. But to really start getting that return on your investment your, you do have to put time into it. 225 00:38:19.530 --> 00:38:25.380 Sean McNamara: And that's all I have to say, I'll turn it over to the floor for any questions. Thanks, all. 226 00:38:26.880 --> 00:38:28.200 Nick Lewis - Internet2: That's really great. Sean 227 00:38:29.250 --> 00:38:36.330 Nick Lewis - Internet2: That sort of that that last point that you had around putting that investment into really getting the most out of the tool is 228 00:38:36.630 --> 00:38:45.000 Nick Lewis - Internet2: One of the things where we're hoping from the net plus spunk program perspective, if we can find a way from as a community to work together to make that 229 00:38:45.330 --> 00:38:57.930 Nick Lewis - Internet2: Up front investment slightly less to say, you know what, here's like the use cases that you've figured out, like let's share how that's done. Let's share what's a log sources that were used for that so that we can figure out how to put those so that 230 00:38:58.680 --> 00:39:12.510 Nick Lewis - Internet2: A campus can go back and say, well, I need. I've got this specific date CP server. I've got this specific DNS log. Here's how I can put these pieces together so that, oh, I can now start finding lost and stolen devices. Pretty straightforward, but like 231 00:39:12.870 --> 00:39:19.020 Sean McNamara: Or and and you know the cool thing there is you know splinters have their, what is it they're universal data format that they 232 00:39:19.380 --> 00:39:30.900 Sean McNamara: You can normalize data into. So if you start building these dashboards around, you know, consuming and processing data in that format, then you can really abstract away the original data source and 233 00:39:31.710 --> 00:39:37.440 Sean McNamara: It would be. 
It'd be amazing to have a large library of these sort of things out there. I'd certainly be all over that. 234 00:39:40.230 --> 00:39:52.410 Nick Lewis - Internet2: We've talked on some previous net plus blank community calls around data sources and we've drilled into a lot of the data sources. Have there been any that have been you think the most challenging and 235 00:39:52.830 --> 00:40:01.770 Nick Lewis - Internet2: And I'll after after you're done answering that I'll follow up with sort of Albert's question a little bit more in office 365 blogs. Because I've heard those are very challenging. 236 00:40:02.910 --> 00:40:03.570 Sean McNamara: Yeah. 237 00:40:08.010 --> 00:40:10.530 Sean McNamara: You know, I think, you know, it's 238 00:40:13.980 --> 00:40:17.370 Sean McNamara: I'm thinking about this. We've had issues and 239 00:40:18.450 --> 00:40:28.590 Sean McNamara: I believe, pulling logs from our single sign on solution because they're actually stored in a Mongo database. So we had to have a 240 00:40:31.980 --> 00:40:41.850 Sean McNamara: Essentially a process that would pull and then push it into spunk. I forget exactly what the issue was, I think it was something weird that we were struggling with parsing timestamps 241 00:40:42.570 --> 00:40:52.800 Sean McNamara: But we were, we were able to work through it. It just took slightly, slightly longer than, than we would have hoped. I've not run into anything. I'm not aware of any 242 00:40:53.340 --> 00:41:06.150 Sean McNamara: data source that we've not been able to consume again you know it's some of them, you just start and it works, and some of them take a little bit more work, depending upon how you know variable and 243 00:41:07.980 --> 00:41:09.960 Sean McNamara: The blog formatting is 244 00:41:14.070 --> 00:41:15.240 Excellent. And 245 00:41:17.550 --> 00:41:22.380 Nick Lewis - Internet2: So that's all the questions that have come in so far. 
246 00:41:23.700 --> 00:41:25.980 Nick Lewis - Internet2: I'm going to go through and 247 00:41:27.330 --> 00:41:29.010 Nick Lewis - Internet2: unmute everyone 248 00:41:30.030 --> 00:41:32.790 Nick Lewis - Internet2: So if you want to ask a question. 249 00:41:34.350 --> 00:41:35.010 Nick Lewis - Internet2: Please. 250 00:41:36.930 --> 00:41:39.180 Nick Lewis - Internet2: Ask your question so 251 00:41:40.650 --> 00:41:42.630 Just get that all everyone on mute. 252 00:41:51.660 --> 00:41:58.260 Nick Lewis - Internet2: And you may need to unmute yourself on your end, I'm going to allow you to talk, but you may need to 253 00:42:01.980 --> 00:42:11.100 Nick Lewis - Internet2: unmute yourself to actually ask a question or feel free to put a question in the chat or put it in the QA 254 00:42:13.890 --> 00:42:23.250 Albert Ball: Hey, Sean. Hey, Nick, how y'all doing today, my thanks my quick question. Because I'm going through this, like, love of Microsoft Graph. 255 00:42:24.000 --> 00:42:35.580 Albert Ball: And office 365 like it sounds like you have gone through and not only is I'm finding that it's a license situation where you have to have the license to turn on. 256 00:42:36.150 --> 00:42:46.620 Albert Ball: The product of the product and send the log to graph so graph and send it out through the API is that basically the same problem you're running into 257 00:42:47.340 --> 00:42:54.120 Sean McNamara: You know, so we have an E three license, I believe, and we've certainly run into cases where 258 00:42:54.630 --> 00:43:01.680 Sean McNamara: There's some component that needs in different license and it's very confusing as you pointed out, what I'd like to offer to do though. 259 00:43:02.220 --> 00:43:12.810 Sean McNamara: Is I can get in touch with my engineer that did the work. If he might be able to actually help you out a little bit more if you just grab my email address, I can get in touch with them. 260 00:43:13.320 --> 00:43:13.980 Albert Ball: Everything. 
261 00:43:14.250 --> 00:43:15.150 Albert Ball: I would appreciate that. 262 00:43:15.180 --> 00:43:16.230 Sean McNamara: Thank you. Yeah. Yeah, definitely. 263 00:43:17.700 --> 00:43:20.520 Nick Lewis - Internet2: One of the things that the run I sack did 264 00:43:21.840 --> 00:43:30.660 Nick Lewis - Internet2: I think it was in 2018 2019 they pulled together a whole bunch of office 365 logging resources and they tried to and I 265 00:43:31.080 --> 00:43:47.220 Nick Lewis - Internet2: Just tracked down the link and so I'll put that in the chat for anybody who can on wants to look at that. But there's they've got some a GitHub space where they've talked about some of the some of the things. And so maybe that might have some additional information. 266 00:43:47.730 --> 00:43:49.650 Sean McNamara: I do recall reading that that was very helpful. 267 00:44:03.540 --> 00:44:05.880 Nick Lewis - Internet2: Okay, any other questions. 268 00:44:07.980 --> 00:44:09.000 May need to 269 00:44:10.020 --> 00:44:11.010 Nick Lewis - Internet2: unmute yourself. 270 00:44:14.280 --> 00:44:19.560 Mark Slafka: John. This is Mark slap that was spunk Great presentation, thanks for providing the overview 271 00:44:20.640 --> 00:44:22.770 Mark Slafka: Can you maybe summarize knowing that 272 00:44:23.910 --> 00:44:32.580 Mark Slafka: You'll oftentimes when you work with cloud vendors you they have very unique Terms of Service for how their SAS or cloud based term or other product operates. 273 00:44:33.150 --> 00:44:42.090 Mark Slafka: You maybe highlight a couple of the maybe the more delicate terms that were very important to you and maybe how you kind of work through that with the spunk team, please. 274 00:44:42.930 --> 00:44:52.200 Sean McNamara: Yeah, sure. So I'll be entirely transparent that, you know, we do have a very thorough and diligent General Counsel's Office. 
275 00:44:53.700 --> 00:45:04.530 Sean McNamara: And in this particular case, you know, we were working with an internal person who also and we were overloaded at that point. So we brought in an external counsel to help us through the negotiation process. 276 00:45:05.790 --> 00:45:11.070 Sean McNamara: You know it it was fairly tedious getting through it. Yes, spunk is 277 00:45:12.900 --> 00:45:21.150 Sean McNamara: Not always quite as flexible and willing to negotiate in terms as other vendors, in my experience, 278 00:45:22.260 --> 00:45:28.410 Sean McNamara: Some of the issues that we got hung up on were quite, you know, 279 00:45:30.120 --> 00:45:39.720 Sean McNamara: Minor, from my perspective, but our Council is concerned with them. So to the to the points that really hung. I suppose there were 280 00:45:40.380 --> 00:45:53.580 Sean McNamara: indemnity causes that essentially that we had to agree to indemnify spunk for criminal activity or what have you, but they would not indemnify us against claims for the same thing. So we went back and forth about that for a number of 281 00:45:55.260 --> 00:46:02.580 Sean McNamara: Times, and I, I honestly don't remember exactly how that that that particular piece ended up 282 00:46:04.320 --> 00:46:06.810 Sean McNamara: My I think we may have been able to work it out. 283 00:46:08.130 --> 00:46:13.290 Sean McNamara: The other piece is, there's some this is this is not one and this is actually something I would encourage 284 00:46:15.150 --> 00:46:24.480 Sean McNamara: folks to think about. There are a lot of nuances around export control and the idea of a dean export when you're using Cloud services. 
285 00:46:25.080 --> 00:46:39.060 Sean McNamara: The general feeling is that the use of a cloud service does not necessarily constitute a deemed export when a deemed export means, essentially, you know, basically a foreign individual who is 286 00:46:40.350 --> 00:46:41.730 Sean McNamara: Most cases are not 287 00:46:42.810 --> 00:46:51.720 Sean McNamara: On a embargo list or you know List of areas of the world that the United States does not want to export. 288 00:46:54.000 --> 00:46:54.750 Sean McNamara: Sensitive 289 00:46:56.040 --> 00:46:57.240 Sean McNamara: Intellectual property to 290 00:46:59.010 --> 00:47:08.010 Sean McNamara: And if an individual of that region or in that region uses the software. It's potentially considered a deemed export. 291 00:47:09.240 --> 00:47:16.770 Sean McNamara: You know, our we went back and forth and we struggled with whether or not the use of spunk, and I don't know why it came up in this one because the 292 00:47:19.050 --> 00:47:32.640 Sean McNamara: Again, this is something that affects pretty much any product that uses encryption, right, which is, you know, Microsoft Windows, you know, I'm office Microsoft Word or, you know, they all have this 293 00:47:33.750 --> 00:47:39.750 Sean McNamara: technology built into it that balls and friction and there's still some legacy stuff out there and our 294 00:47:40.620 --> 00:48:00.960 Sean McNamara: You know, our export control regulations that restrict the export certain regions due to national security concerns. So we had a big back and forth about that. That took a while to resolve you know its usual things about you know we spend a lot of time reviewing data security terms. 
295 00:48:02.160 --> 00:48:13.440 Sean McNamara: So when you essentially when you're going to the cloud, right, you're also transferring risk to the cloud vendor, you have to ensure that really your 296 00:48:14.250 --> 00:48:20.760 Sean McNamara: Your, your only instrument to really protect yourself and to ensure that the risk is being appropriately transfer and assumed 297 00:48:21.060 --> 00:48:26.940 Sean McNamara: Is through the contract. So you really need to take a look at that very close look at it and make sure that it meets 298 00:48:27.420 --> 00:48:39.240 Sean McNamara: Your data security standards and specifically around, you know, we find a lot of cases where you know someone basically will come back and say, hey, we use AWS and 299 00:48:39.900 --> 00:48:50.700 Sean McNamara: Not our problem. But if a cloud vendor is not willing to take responsibility for their subcontractors, you know, you're not going to have any remedy if something goes wrong and they said talk. They say, talk to 300 00:48:51.060 --> 00:48:59.760 Sean McNamara: AWS. We don't have a relationship with AWS. In that case, right, it's indirect. So that's, that's something to be very concerned with I. We didn't have a problem with that with spunk. 301 00:49:00.300 --> 00:49:09.810 Sean McNamara: You know, I think they were generally very accepting of our data security review process. You know, we really should be using the heck out at this point, but we have our own 302 00:49:11.790 --> 00:49:14.550 Sean McNamara: That we go through, we're in the process of revising it 303 00:49:17.190 --> 00:49:25.170 Sean McNamara: I think we had some issues around insurance limits you know caps on liability, you know, the usual the usual things that you will go through 304 00:49:26.010 --> 00:49:35.160 Sean McNamara: With contract negotiation, but I mean, I would say overall and Mark, you know I mentioned this before that, you know, it was, it was a difficult negotiation. 
305 00:49:35.970 --> 00:49:49.350 Sean McNamara: Spunk wasn't willing to give much, but we were ultimately able to arrive at a place where we, you know, we're able to accept the terms and accept the residual risk. 306 00:49:51.300 --> 00:49:56.940 Mark Slafka: That's great shot. I appreciate you sharing that you're respected and thank you again for presenting to the whole for of the day. 307 00:49:57.480 --> 00:49:58.680 Sean McNamara: Yeah, anytime. Happy to be here. 308 00:49:59.070 --> 00:50:08.160 Nick Lewis - Internet2: Yeah, and that's and that's Sean It's really great to hear you. So just for everyone else. So that net plus plonk Advisory Board has been talking with spunk for quite a while around 309 00:50:08.790 --> 00:50:14.940 Nick Lewis - Internet2: Spunk cloud and how to get traction within the program and the community to bring the 310 00:50:15.810 --> 00:50:24.480 Nick Lewis - Internet2: Spunk cloud onto the net plus blank program and the terms and conditions have been one of the big challenges because campuses. 311 00:50:25.200 --> 00:50:38.370 Nick Lewis - Internet2: As Sean was mentioned, there's a couple really hot button issues that are very important that we've incorporated into the net plus templates and it's really challenging sometimes working with large companies. 
312 00:50:39.090 --> 00:50:47.070 Nick Lewis - Internet2: Because of the the complexities of the companies and the risk profiles trying to come to a mutually agreeable sort of solution and so 313 00:50:47.370 --> 00:50:55.170 Nick Lewis - Internet2: Hearing from Sean hearing from you if that's something that you want the net plus spunk program to look into or work on so that 314 00:50:55.560 --> 00:51:03.720 Nick Lewis - Internet2: It's ready for you to make it easier for you to adopt because that's one of the key programs are key aspects of the necklace blink program this 315 00:51:04.320 --> 00:51:06.900 Nick Lewis - Internet2: Try to make spunk easier for you to adopt easier for 316 00:51:07.620 --> 00:51:13.110 Nick Lewis - Internet2: You to manage over time and sort of talk about and back to what some of the things Sean was talking about the beginning to like 317 00:51:13.350 --> 00:51:26.220 Nick Lewis - Internet2: Where you can get the most value out of your investment because we know every campuses their budgets are tight or cutting Matt. I've heard 20% cuts in some campuses and it's like resourcing furloughs 318 00:51:27.480 --> 00:51:42.840 Nick Lewis - Internet2: Lots of challenges. But if we can work together as a community to make it easier for you to use the tools you already have and you can get more value out of them. Hopefully that will provide something to make make your life easier. 319 00:51:44.820 --> 00:51:49.440 Sean McNamara: Speaking from my own experience with net plus program we've contracted with a few 320 00:51:50.070 --> 00:51:58.290 Sean McNamara: You know vendors or providers through it, it's you know it's it's reassuring it simplifies our life quite a bit, knowing that it's been vetted through the community. 321 00:51:58.890 --> 00:52:12.330 Sean McNamara: And we still do read through it. 
We still have our general counsel review it, but the amount of diligence that we have to do is much, much less and it does, it hits the ground moving instead of, you know, being stuck in months and months of negotiation. 322 00:52:16.350 --> 00:52:22.830 Nick Lewis - Internet2: So if any of the campus other campuses on the call. If you have any questions or you want to give me feedback, that would be great. 323 00:52:24.120 --> 00:52:26.340 Nick Lewis - Internet2: And feel free to reach out to me afterwards. 324 00:52:30.180 --> 00:52:33.210 Nick Lewis - Internet2: Yeah. And then, thanks for the additional comment on 325 00:52:34.860 --> 00:52:44.460 Nick Lewis - Internet2: The Office 365 blogs from the run is activated at the those log sources change office 365 changes quickly. So some of that may be a bit dated 326 00:52:47.700 --> 00:52:51.990 Nick Lewis - Internet2: Okay. Any last questions in the last minute or two that we have 327 00:52:53.880 --> 00:52:59.880 Darren Fallis: Now this is Darren phallus at NC State Shawnee you talk to getting about maximizing your investment and then 328 00:53:00.270 --> 00:53:13.650 Darren Fallis: You know, the cloud is not going to be cheaper but you're maximizing your investment. I assume you sort of me maximizing the scares people resources that you have. Can you talk about you know what the sort of increase in your capital your operating expenses. 329 00:53:14.970 --> 00:53:22.140 Darren Fallis: Were and versus how much people time you got back, what percentage of their time they got back from not having to do the admin as well. Sure. 330 00:53:22.560 --> 00:53:37.920 Sean McNamara: Oh, I can't disclose exact numbers, but I could say that, you know, certainly we saw a we didn't have a capital expenditure up front. So we shifted the, the, the cost entirely over to operational expenses, right, which were more 331 00:53:39.060 --> 00:53:44.790 Sean McNamara: more easy to work into our budgeting cycles and plan for long term. 
332 00:53:45.930 --> 00:53:52.500 Sean McNamara: Again, I would say that you're going to, if you really want to make an investment, you should consider that you're going to have a 333 00:53:53.160 --> 00:54:08.370 Sean McNamara: Full FDA dedicated to the platform for at least the first 12 months if not the first 18 months and then after that you would probably start seeing a shift where you're returning a tee time on the investment as you pull the 334 00:54:08.910 --> 00:54:20.040 Sean McNamara: Resource back on to other projects and tasks, but I would say, certainly you need to be planning for the 12 months at a minimum. 335 00:54:25.740 --> 00:54:27.690 Sean McNamara: The answer the question, or did I did I miss it. 336 00:54:30.390 --> 00:54:32.220 Darren Fallis: No, it's kind of what I'm talking about. 337 00:54:32.760 --> 00:54:36.810 Darren Fallis: Is you are already spending time managing your own spunk have a charger gathered to begin with. 338 00:54:37.410 --> 00:54:37.920 Sean McNamara: No. 339 00:54:38.460 --> 00:54:40.590 Sean McNamara: Actually, no. You just we we did you 340 00:54:40.800 --> 00:54:42.900 Darren Fallis: Go from an on prem to cloud you started with. 341 00:54:42.900 --> 00:54:47.280 Sean McNamara: Cloud, right. We started with cloud our business school had a on prem. 342 00:54:48.270 --> 00:54:53.790 Sean McNamara: Environment that we work with them to migrate into our, our cloud instance. So we do have some experience with that. 343 00:54:54.240 --> 00:55:03.870 Sean McNamara: But we mostly allowed them to work through the migration and it took them about four months, I think, to get all the dashboards. 344 00:55:04.770 --> 00:55:18.030 Sean McNamara: Moved up and all that and they they didn't report any particular difficulty was it I think there was one or two dashboards that they had some trouble with. But were you able to work it out. 345 00:55:20.430 --> 00:55:20.820 Sean McNamara: Yeah. 
346 00:55:22.260 --> 00:55:28.680 Nick Lewis - Internet2: It did sound like Sean, you were saying how you did have an on prem system that you were that was home grown and that 347 00:55:28.680 --> 00:55:29.400 Sean McNamara: Yes. 348 00:55:29.430 --> 00:55:30.570 Nick Lewis - Internet2: That you went, yeah, the cloud. 349 00:55:30.900 --> 00:55:41.310 Sean McNamara: Yes, yes, that's exactly true. And so we did have a number of you know scripts, we have tools that we're running to pars alert data to correlation 350 00:55:42.630 --> 00:55:51.570 Sean McNamara: And that was replaced by spelunking, and nearly all of the functionality that we continued to need or was 351 00:55:52.830 --> 00:56:02.040 Sean McNamara: replicated in spunk. One of the cool things. I don't know a lot of people are into worried about Kalia quite as much anymore, but we had a net read system on that we were using 352 00:56:03.150 --> 00:56:16.140 Sean McNamara: Since we're able to do such great inaccurate user correlation. Now, we decided that we would just disband our net red system and rely on the data in spunk for any clear related requests. 353 00:56:19.440 --> 00:56:34.500 Nick Lewis - Internet2: Excellent. That's really great. So it's i'd like to we're right at time for today. And I'd like to thank Sean for talking about spunk cloud this month for the necklace spunk community call and I will 354 00:56:35.550 --> 00:56:42.960 Nick Lewis - Internet2: Send a follow up email with the recording and a reminder for next month. And so, thank you everyone for your time this month and hope to see you next month. Thank you. 355 00:56:43.470 --> 00:56:44.250 Goodbye to everyone.