
Department of State Splunk Factsheet



Department of State Factsheet

What is Splunk?

Splunk software provides you with an engine that helps in monitoring, searching, correlating, analyzing, and visualizing large amounts of data. Splunk is an advanced technology which searches any machine data captured from any system, app, or other data source. The industry leader for IT Operations and IT Security, Splunk also has many mission-focused uses, and it does not suffer from the legacy shortcomings of similar technologies that use SQL or relational databases, manual connectors, or limited data import controls. Splunk can also be deployed to an existing , which makes it highly scalable and reliable.

Splunk helps the Department mature from reactive to proactive, and eventually to predictive – eliminating or avoiding issues before they occur and affording managers the opportunity to better control their time and resources to maximum effect and impact.

Which Offices and Divisions Use Splunk?

• Bureau of Administration (A Bureau)
• A/ILMS
• A/OPE/RAM
• Consular Affairs (CA)
• CA/CST
• Charleston Government Financial Services (CGFS)
• CGFS/ISSO
• CGFS/EX
• Diplomatic Security (DS)
• DS/CTS
• DS/CTO
• DS/ST
• 10+ individual embassies
• Foreign Assistance (F Bureau)
• Human Resources (HR Bureau)
• International Narcotics and Law Enforcement (INL)
• Information Resources Management (IRM)
• Legal Bureau (L)
• Overseas Building Operations Bureau (OBO)
• Office of Inspector General (OIG)
• Bureau of Population and Refugee Management (PRM)
• Secretaries Executive Secretariat (S/ES)
• Trade Bureau / Non-proliferation
• T/ISN
• T/NRRC

What kinds of questions can Splunk help answer?

IT Operations: How do I provide more transparency around IT operations to customers and better predict service-level degradation before it impacts the mission?

Application Performance and DevOps: Is my poor app performance due to code-level errors or infrastructure? Where are the integrations between my app and other centralized IT components (e.g. network, Active Directory, etc.)? Can Dev teams debug code without working with Ops?

Security and Compliance: How can I augment security investigations to be more efficient and effective and reduce the impact of insider threats?

Mission and Overseas Analytics: Can I use data to drive my mission decisions, improve business intelligence, and empower better decision-making?

Automation and Orchestration: Where can I leverage out-of-the-box (and custom) playbooks, runbooks, and other and Artificial Intelligence capabilities to enhance productivity and realize ROI?

TECH BRIEF

What Other Splunk Capabilities Are Available to DOS?

Enterprise Security App – Splunk Enterprise Security is the nerve center of the cybersecurity ecosystem, giving teams the insight to quickly detect and respond to internal and external attacks, simplify threat management, and minimize risk. ES helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, SOC operations, and providing executives a window into business risk.

IT Service Intelligence App – Leverage machine learning, adaptive thresholds, and mission- and business-oriented Key Performance Indicators to create service models that visualize an entire tech stack or provide real-time predictive insights into an entire ecosystem. Create a platform for true operational intelligence.

Splunk Phantom – A security orchestration, automation and response (SOAR) platform designed to help organizations dramatically scale their security operations. With Phantom, you can automate tasks, orchestrate workflows and support a broad range of SOC functions including event and case management, collaboration and reporting.

Splunk User Behavior Analytics (UBA) – A machine learning-driven solution that helps organizations find hidden threats and anomalous behavior across users, devices and applications. Its data science driven approach produces actionable results with risk ratings and supporting evidence, augmenting Special Agents’ and Intelligence Analysts’ existing techniques.

Splunk Lantern – A knowledge base that lights the way with comprehensive guidance for any use case, any task, and any objective. Search for help with a specific scenario or requirement you are faced with, or browse the categories for ideas on how you can benefit from your data. It serves everyone in your organization, from the CEO to a novice security responder, case agent and analyst.

AIOps/Machine Learning – The practice of applying analytics and machine learning to big data to automate and improve IT operations. AI can automatically analyze massive amounts of network and machine data to find patterns, both to identify the cause of existing problems and to predict and prevent future ones.

DOS Enterprise Splunk Factsheet 2


DOS ELA Products and Services

Products & Services (Description; Notes):

• Splunk Enterprise (Core) w/ Standard Support Entitlements: 50,000 GB / Day, Term; 5 Years
• Splunk Enterprise Security (ES): 15,000 GB / Day, Term; 5 Years
• Splunk IT Service Intelligence (ITSI): 10,000 GB / Day, Term; 5 Years
• Splunk User Behavior Analytics: 120k entities, Term; 5 Years
• Splunk Phantom Automation and Orchestration: Unlimited, Term; 5 Years
• Splunk Fundamentals Part 1 and Part 2 (through 9/30/2021): Instruction On Demand (IOD) Subscription, one year, one class per student (30 days); Free Training
  Splunk Fundamentals 1: https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html
  Splunk Fundamentals 2: https://www.splunk.com/en_us/training/courses/splunk-fundamentals-2.html

Splunk Success Program (Description):

• Splunk Dedicated Customer Success Manager: Dedicated agency advocate and business advisor, responsible for helping customers define use cases, drive adoption, realize value, and overcome obstacles with Splunk
• Splunk OnDemand Services: 39 credits / quarter. Remote consultative services to support platform or specialty IT Ops and IT Security needs.
• Splunk Adoption Services: Tailored professional services focused on Customer Success / Adoption
• .conf Event Passes: Passes for .conf Event & Splunk University

Splunk Professional Services Descriptions


Splunk EDU Services and Recommended Classes (SKU – Class Name – Duration)

1) Power User
• N/A – Fundamentals 1 – Self-paced
• EDU-FUN2* – Fundamentals 2 – Four 4.5-hour days
• EDU-CDSH – Creating Dashboards – Two 4.5-hour days
• EDU-ADSRPT-1 – Advanced Searching and Reporting – Three 4.5-hour days

2) Admin and Users
• EDU-SADM – Splunk Enterprise System Admin – Two 4.5-hour days
• EDU-DADM – Splunk Enterprise Data Admin – Three 4.5-hour days
• EDU-DEPL – Architecting Splunk Enterprise Deployments – Two 4.5-hour days
• EDU-ICESS-1 – Administering Enterprise Security Deployments – Three 4.5-hour days

Specialists and Premium App
• EDU-UESS-1 – Using Splunk Enterprise Security – Three 4.5-hour days
• EDU-ITSI – Implementing Splunk ITSI – Four 4.5-hour days
• EDU-UITSI – Using Splunk ITSI – One 4.5-hour day
• Coming soon – Administering Phantom – Two 4.5-hour days
• EDU-DPHT – Developing Phantom Playbooks – Two 4.5-hour days
• N/A – Splunk UBA – Self-paced
• EDU-CLDADM – Splunk Cloud Administration – Three 4.5-hour days

*Fundamentals II Class Subscription is available to all DOS Users

DOS Splunk FAQs

How do I start using Splunk?

Using Splunk depends on whether your program wants to stand up its own Splunk instance or take advantage of an existing or enterprise Splunk environment. For example, if your program wants to take advantage of an existing Splunk instance, IRM has developed an enterprise platform: IRM Splunk Data Analytics for IT Operations (DAFI). IRM Splunk is available to those in the Department who want to use Splunk on the enterprise unclassified SBU network – OpenNet. Classified Splunk is part of the roadmap for the future. As IRM matures its enterprise instance of Splunk, that platform will serve any customers that choose to take advantage of the service, allowing bureaus or programs to send data (e.g. application logs) and benefit from integration with enterprise datasets (e.g. network and Active Directory), while IRM would also deliver the Splunk ‘platform’ (including administering and maintaining the Splunk server and storage environment).


If a program wants to leverage the IRM Splunk, how will IRM support requests for specific program dashboards, additional Splunk apps, assistance with Splunk searches, and data ingestion issues?

In the short term, the best way to accomplish this goal would be for a given program to purchase its own Splunk professional services. IRM will have a small team working these types of requests and issues based on priority, but they will be primarily focused on enterprise data sets and dashboards (especially at the beginning). Additional details on obtaining Splunk professional services via the Splunk PS BPA can be found below.

How much does Splunk cost?

Example costs associated with operating an individual Splunk instance include the Splunk software license, infrastructure (physical or virtual machines, or cloud IaaS), and trained resources who can administer and operate the Splunk platform. In FY19 the Department signed an Enterprise License Agreement (ELA) for Splunk licenses. This ELA provides anyone in the Department a single acquisition vehicle for procuring Splunk software licenses and benefits all with discounts through the economies of scale of bulk purchasing. More details on the ELA (including a cost calculator to obtain your own Splunk license for your own Splunk instance) can be found on the IRM Splunk SharePoint. If a program wishes to use the enterprise IRM Splunk platform instance, IRM has also developed a cost model for leveraging that . More details on the IRM Splunk as a service cost model (including a cost calculator) can be found on this site.

What is the cost model based on?

The cost model for the Splunk license is based on data ingest, priced per 100 GB. For example, if the cost per GB is $300, and the program wanted to ingest 1 TB (1,000 GB of data), they would pay $300 X 1000 GB (for core and premium apps) = $300,000. Programs can buy any amount of license in 100 GB segments.

What is in the DOS Splunk ELA? What’s included? How do I access it?
The Department’s ELA includes 50 TB of average daily data ingestion (in aggregate for the entire organization), as well as entitlements to use the ELA’s Splunk Premium apps, including:

IT Service Intelligence (ITSI) – Splunk IT Service Intelligence (ITSI) is a service mapping, enterprise monitoring and analytics solution powered by artificial intelligence for IT Operations (AIOps). It provides visibility into the health of critical IT and business services and their infrastructure through key performance indicators. ITSI is used to solve a variety of IT challenges, including deriving service-level insights and analysis on events, metrics, and logs to find and fix the most important issues first and provide both executives and engineers full visibility into critical business functions, services, and applications – maturing from reactive to proactive to predictive.

Enterprise Security (ES) – Splunk ES is the nerve center of the IT security ecosystem, giving teams the insight to quickly detect and respond to internal and external attacks, simplify threat management, and minimize risk. ES helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, SOC operations, and providing executives a window into business risk.
• Continuously monitor: clearly visualize security posture with dashboards, key security indicators, static & dynamic thresholds, and trending
• Prioritize and act: optimize, centralize, and automate incident response workflows with alerts, centralized logs, and pre-defined reports and correlations
• Conduct rapid investigations: use ad-hoc search and correlations to detect malicious activities
• Handle multi-step investigations: trace activities associated with compromised systems and apply the kill-chain methodology to see the attack lifecycle

Phantom – automation, orchestration, and remediation – Phantom delivers security orchestration, automation and response (SOAR) capabilities that allow analysts to improve efficiency and shorten incident response times. Organizations are able to improve security and better manage risk by integrating teams, processes and tools. With Phantom, security teams can automate tasks, orchestrate workflows and support a broad range of SOC functions including event and case management, collaboration and reporting.

User Behavior Analytics (UBA) – UBA is Splunk’s end-to-end advanced insider threat management solution that leverages machine learning to help organizations find hidden threats and anomalous behavior across users, devices, and applications. Its data science driven approach produces actionable results with risk ratings and supporting evidence, augmenting SOC analysts’ existing techniques. In addition, it provides visual pivot points for hunters to proactively investigate anomalous behavior.
• Detects insider threats using out-of-the-box, purpose-built but extensible unsupervised machine learning (ML) algorithms
• Provides context around the threat via ML-driven anomaly correlation and visual mapping of stitched anomalies over various phases of the attack lifecycle
• Increases SOC efficiency with rank-ordered threats and supporting evidence
• Supports bi-directional integration with Splunk Enterprise for data ingestion and correlation, and with Splunk Enterprise Security for incident scoping, workflow management and automated response

Who is responsible for distributing the license? What options do DOS customers have for accessing the license? How is the license cut?

At this time IRM is managing the ELA and all license requests: [email protected] ATTN: ELA. Current POCs for the Splunk ELA: COR: Patsy Saisuwan; GTM: Charles Chen (Gene Tien); Splunk team: [email protected]. Programs that wish to obtain only the license from IRM are expected to use the cost calculator to obtain an initial cost estimate, arrange for a technical exchange to validate the use cases/requirements and assumptions in the cost estimate, and then complete an MOU. Once payment of funding has been coordinated via the IRM Splunk license management team, the program will be sent a license key for immediate use. Per Agency and Splunk corporate policy, Splunk will not and cannot honor any requests for license splits from:
i. Other Splunk instance owners
ii. Any other Department Splunk admins, management, or executives
iii. Resellers, Distributors, or other Third Parties

If I have a perpetual Splunk license from a previous purchase, do I have to convert my license to subscription?

Yes. Per the terms and conditions of the Splunk ELA, all current Department perpetual licenses must be converted to subscription/term licenses under the enterprise ELA. Splunk no longer sells or supports Splunk perpetual licenses.

What options do I have for using Splunk in the Cloud?

There are two options for Splunk in the Cloud. Option 1: Splunk (SaaS). Splunk SaaS includes the license, infrastructure and administrative resources needed to leverage Splunk for any on-prem or cloud monitoring use cases and requirements.


Splunk SaaS is hosted today in Web Services and is certified FedRAMP Moderate. Note: the program sits in a FedRAMP High Gov cloud. Any programs that wish to obtain Splunk SaaS or convert an existing Splunk license to SaaS should reach out to the Splunk sales account team. Option 2: any program may use its existing Splunk term subscription license to stand up Splunk on any cloud platform (Bring Your Own License – BYOL), leveraging the CSP of its choice for infrastructure (e.g. Azure, AWS, etc.).

How do programs purchase Splunk Professional Services or EDU/training credits?

IRM is working to develop a Splunk BPA for certified Splunk professional services and training/education credits. This BPA is expected to be available before the end of 2020. Alternatively, Splunk PS can also be purchased through a reseller or on the open market through SEWP or another GWAC. Contact your Splunk sales account team for more information.

How will IRM Splunk handle responsibility for data security, ATOs, privacy issues, PII/data spillages, etc.?

If a program leverages the IRM Splunk instance, then IRM, as the system owner, would own all of the above responsibilities. If IRM is not the service provider, each individual program that stands up its own Splunk instance would own all standard system owner obligations.

What if a program wants data retention for longer periods than the retention offered by the IRM Splunk as a service?

Additional data storage requirements beyond what IRM provides would be at the cost of the individual program, based on its requirements. IRM, as the Department’s enterprise infrastructure provider, may be able to provide other storage solutions based on specific requirements.

Where can I find introductory or general Splunk help and support?
Splunk Lantern Knowledge Base – https://lantern.splunk.com/hc/en-us

Can Splunk operate in the cloud?
Yes, Splunk has been FedRAMP certified at the Moderate impact level: https://www.splunk.com/en_us/newsroom/press-releases/2019/splunk-cloud-attains-fedramp-authorization.html

Are there release notes for the latest Splunk Version 8.x?
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/MeetSplunk

Where can I get general Splunk Answers to my questions?
https://answers.splunk.com/index.html

Where can I download Splunk Apps and Essentials?
https://splunkbase.splunk.com/

Where do I find out more about .conf events?
https://conf.splunk.com/

Will Splunk solve all my problems?
I can’t believe you are still reading this document. The answer is some. Maybe a lot. Not all.

Who do I contact at Splunk if I need help?

Learn more about Splunk by contacting Splunk at [email protected].

www.splunk.com

© 2020 Splunk Inc. All rights reserved. Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and/or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2020-Splunk-SEC-FBI Factsheet-101-TB