The University of Exeter - Part 1: "Zero to SIEM" in 8 weeks, the Splunk Deployment
01/08/19 – Author: Baz Donaghue – Certified Splunk Consultant at Somerford Associates
The first and subsequent steps on any organisation's IT security journey can be difficult and uncertain at the best of times. Going from few or no security use cases and no consolidated view of your security landscape to a fully implemented SIEM solution is a challenging undertaking. Throw a compressed timeframe for planning and implementation into the mix and an already precarious task becomes all the more formidable.
This is exactly what the University of Exeter (UoE) did with their Splunk Enterprise Security implementation, with expert support and services provided by Somerford Associates.
From ZERO: The Challenges
Like many organisations, UoE faced several challenges when it came to realising their desired security posture:
- UoE had no centralised security tooling with which to consolidate the many tools used by the security operations team. Whilst each tool tackled a particular security challenge, having no "single pane of glass" to work from meant that the team had to carry out security investigations by logging into and using several tools across multiple screens. This is often referred to as a "swivel chair" approach, whereby an analyst has many screens open for different tools and swivels between them to build a joined-up view of the situation.
- UoE utilised very little in the way of formally developed security use cases, instead relying on burned-out security heroes holding up the world and responding reactively to security incidents as they were detected. This was largely compounded by the lack of a centralised view of their security "backyard".
- They also recognised that whilst they required a SIEM solution and the supporting framework to enable it, they wanted to achieve this at pace. This called for a compressed timeline to ensure all deliverables were met: from scoping of security use cases, through on-boarding and normalising data, to a fully implemented SIEM solution ready for the security team to pick up and develop further with new use cases and additional data sources as the prevailing threats dictated.
- Finally, they wanted to understand what data was available and how it could be leveraged to gain immediate value, as well as to highlight any gaps in the organisation's security visibility caused by data that was not being collected.
To SIEM: The Approach
UoE had a clearly defined vision of how they were going to surmount this task:
- Select an agile and adaptable SIEM solution; in this case, of course, Splunk Enterprise Security (ES). Thanks to Splunk's "schema-on-read" approach to normalising data, changes to data normalisation such as field extraction, event tagging and enrichment via mechanisms such as lookups are applied at search time, so they take effect on data already ingested without it having to be re-indexed. This lends itself well to projects where being able to quickly adjust data sets and sources is key to a successful deployment.
- Choose a tried and trusted delivery partner: Somerford Associates. We at Somerford have a long and storied history of deploying successful Splunk and Splunk ES implementations. Our experience in this field, along with a shared vision and understanding of UoE's ambitious timelines, ensured that we were perfectly placed to provide support and services.
- If you have machine data, there is almost certainly a use case for Splunk. This is further augmented by the wealth of apps available on Splunkbase, which significantly shorten the time from potential data source to value. With so much choice in apps and directions to take, it can often seem overwhelming; UoE, in partnership with Somerford Associates, employed a methodology of focusing on clear goals to achieve success.
- On top of this, UoE and Somerford Associates adopted a policy of targeted delivery of critical data sources and some 15 key use cases during the first phase of implementation, ultimately leading to rapid, measurable value for UoE.
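To make the "schema-on-read" point concrete, the following is an added illustration (not configuration from UoE, Somerford Associates or Splunk's own documentation) of the three normalisation mechanisms named above: a search-time field extraction, an automatic lookup for enrichment, and event tagging for the Common Information Model. The sourcetype `campus:fw`, the field names, the `campus_assets` lookup and its CSV rows are all constructed assumptions for the example. Because every stanza here is evaluated at search time, editing the regex or the CSV changes how already-indexed events appear in the next search, without re-ingesting anything.

```ini
# props.conf  (search-time settings for the assumed sourcetype "campus:fw")
[campus:fw]
# Search-time regex extraction of src_ip, dest_ip and action from the raw event.
# Changing this regex changes how ALL existing events of this sourcetype are
# parsed on the next search; nothing is re-indexed.
EXTRACT-fw_fields = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})\s+action=(?<action>\w+)
# Automatic lookup enrichment: adds asset_owner and criticality from the CSV
# defined below, matched on dest_ip, for every search over this sourcetype.
LOOKUP-asset_enrich = campus_assets dest_ip OUTPUTNEW asset_owner criticality

# transforms.conf  (defines the lookup referenced above)
[campus_assets]
filename = campus_assets.csv

# lookups/campus_assets.csv  (constructed sample rows, shown here as comments)
# dest_ip,asset_owner,criticality
# 10.10.5.20,library-services,high
# 10.10.9.4,student-wifi,low

# eventtypes.conf  (groups the events so they can be tagged)
[campus_fw_traffic]
search = sourcetype=campus:fw action=*

# tags.conf  (the "network" and "communicate" tags are what the CIM
# Network Traffic data model, and therefore ES correlation searches, look for)
[eventtype=campus_fw_traffic]
network = enabled
communicate = enabled

# Example search, run after the regex or CSV was edited: already-indexed events
# are parsed with the new extraction and enriched from the lookup on the fly.
# index=firewall sourcetype=campus:fw action=blocked criticality=high
# | stats count by src_ip dest_ip asset_owner
```

A practical check after each change is to run the search over a short historical window and confirm the new fields appear on old events; if the regex silently fails to match, the `action` or `criticality` filters simply return nothing, which is the first thing to look for when a use case goes quiet.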
In Part 2 we will explore how the above was achieved using security use case planning, data availability analysis and a culture of Rationalise, Rectify and Reassess.
The clock is ticking: make that first step on the security journey today and, like the University of Exeter, you too can go from ZERO to SIEM at pace.