NET+ Splunk User Group call

Date: 10/8/2020


Please register for the user group to get the call-in information and a calendar invite at:


https://internet2.zoom.us/webinar/register/7615688226058/WN_aNbzAxBgQOOjNzZLX4VvEQ


Agenda:

  1. Start the recording
  2. Introductions and reminder about the format of this call.
    1. This call brought to you by the NET+ Splunk program supported by campuses signing up for the NET+ Splunk program.
  3. Sean R. McNamara from Dartmouth will talk about Splunk Cloud
  4. Open discussion and questions
  5. Feedback on this call


Attendees: 9


Recording: GMT20201008-180419_NET--Splun_1920x1080.mp4


Auto-generated transcript from Zoom:


Chat transcript:


Presentation Slides:


Notes:


Thank you to Sean and the Splunk team!

SIEM-like Frankenstein

Evaluation of multiple vendors

Chose Splunk because of the maturity

Initially interested in the App store to consume data from many sources

Huge user community

Support is pretty good and get you to the right person

Cloud benefits

Goal wasn’t to save money by moving to the cloud, but to change how the resources were being spent

Spend the time maximizing value

Get the most out of the people time

Don’t need to worry about patching, replacing servers, etc.

Cloud first directive

One consideration around limited bandwidth

Focus resources on enhancing tool

Partnered with a VAR on implementation

Some components are still on-prem

Heavy forwarders and panel still on-prem

Fairly lightweight

All in VMs

Splunk not a replacement for Syslog

Any data ingested should be based on a well-defined use case

What do you want to get out of Splunk

Just putting data in to make it easier to search may not be the best use

Cross functional group

Most use cases are IT use cases

Alternative pricing models for licenses

Netflow and DNS logs license

Do maintain a separate long-term archive store for syslog

90-day logs in Splunk


We haven’t run into limitations that made us regret using Cloud over on-prem

B-school now

All of the index-based access controls in place that were needed

Lost/stolen devices

Lots of different data sources

Look up userID and machine to find a person

Contact tracing

Worked with us quite a bit on the app for contact tracing


Phishing analysis

Consuming O365 logs

Assess the risk from a phishing campaign

Moving towards automation

Notifying recipients, or potentially moving in the future to removing the message

Subscription bombing response

Can help user clean up from the message


Building profiles to take action to respond to investigations

Tools out there that do this

Don’t want to re-invent the wheel


Responding to abuse reports

DMCA

Incident response

Working with their campus safety – helped drive Splunk usage


Use cases outside of security, for IT ops

Alerting when server or App misbehaving

Proactive monitoring and increasing resources when needed

Helps answer the question of if people are using various resources in their environment

What apps are used a lot or not enough

Help figure out what isn’t being used


Malware IOCs

Using Splunk to detect malware activity

Look for SMB vulnerabilities and monitor logins

Used for the Zerologon vulnerability

Used for more than just IT

Data analytics engine

Pulling other people on campus into using Splunk for data analysis

Ingest by use cases

With more diverse datasets in the platform, you can enrich the data


Moving towards security orchestration

Interest in Phantom, which might be able to do some of it

Hope to get to a managed SOC

Up in the air around budgeting

A lot more we can do with Splunk and the data

Would like to be able to dedicate more FTE

Splunk will eventually save you time

Need to make that investment to customize it for your environment

To get the most value, you need to put time in


Universal data format

Abstract away the data source


Most challenging log sources?

Logs from the SSO solution, stored in a Mongo database

Parsing timestamps

Not aware of any data sources that we haven’t been able to consume


O365 Graph – need the license to turn on the product

Graph through API

E3 license

https://www.ren-isac.net/public-resources/0365resources.html

That doc is dated


Cloud terms

It was hard to work through the terms

Worked with external counsel to work through the details

Some of the issues were minor from a security perspective. Indemnity.

A lot of nuances around export control for cloud services

Usual things around reviewing data security terms

Transferring risk to the cloud vendor through the contract

Remedy if something goes wrong

Insurance and caps on liability

Difficult negotiation, but able to work through it

NET+ simplifies


How budgeting and capital costs were handled

Full FTE dedicated to the platform at start and then less resource needed over time

CALEA

Replaced Netreg system with Splunk
