NET+ Splunk Community User Group We will start at 5 min. after the hour to allow others time to join

Agenda
• Introductions
• Duquesne University using NET+ Splunk

Speakers Today
• Brad Maloney, Duquesne University, Manager, Secure Integrated Infrastructure
• Nick Lewis, Internet2, Program Manager

Future NET+ Splunk User Group calls
• Monthly call on the 2nd Thursday of each month at 2 pm ET / 1 pm CT / 12 pm MT / 11 am PT
• Registration for future calls (calendar invite and call-in details):
  – https://internet2.zoom.us/webinar/register/3015669127723/WN_aNbzAxBgQOOjNzZLX4VvEQ
• Recordings posted to:
  – https://spaces.at.internet2.edu/pages/viewpage.action?pageId=154764174

Future NET+ Splunk User Group calls continued
• Future calls will have NET+ Splunk campus-submitted questions
• Future topics could include, based on community interest:
  – Research engagement
  – ML/AI toolkit
  – Higher Ed Splunk Apps: Shib, Canvas, Duo, others

Brad Maloney Manager, Secure Integrated Infrastructure

Duquesne University: The Numbers
• Private University in Pittsburgh, PA
• 9 schools, offering 189 academic programs
  – Coming 2021: College of Osteopathic Medicine
• 11,000 students
• 2,700 staff
• 60 central IT staff

Duquesne University + Splunk: A match made in regex
• Customer since 2008 with 2 GB/day
  – Central log repository for Solaris ERP systems
• Upgraded to 5 GB in 2012
• Upgraded to 50 GB in 2015
  – Central log repository for all servers, authentication services, select web traffic
  – Created initial SOC application
• Changed licensing to Internet2 NET+ in 2016
  – Central log repository and monitoring/alerts for servers, network equipment, authentication services, web traffic, 2FA, cloud services, endpoint security
• Upgraded to 100 GB in 2016, 200 GB in 2019

Machine Data Sources
• RHEL/Solaris/Windows servers
• Palo Alto Firewall L4 network logs
• Palo Alto GlobalProtect
• A10 Networks ADC/NLB audit trail and L7 HTTP
• AD/LDAP/Shibboleth/2FA authentication services
• Aruba WiFi controllers
• Oracle Database Auditing
• DNS queries
• DHCP activity

Splunk Architecture
• 100% virtualized in VMware
• NetApp Flash Storage for “hot” data
• NetApp tiered storage for “cold” data
• Splunk HA cluster configuration
  – 3 Search Heads (12 vCPU, 12 GB)
  – 4 Indexers (14 vCPU, 24 GB)
  – 1 Deployment/License server
  – 2 Heavy Forwarders

Duquesne SOC App
• Dashboards, searches and alerts with security in mind
• Monitored 24/7 by MSSP partner
• Utilizes public & private “bad” IP lists to monitor for malicious traffic
• Leverages Palo Alto threat intelligence
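The slide above says the SOC app matches traffic against public and private “bad” IP lists. The following is an added example of that matching logic, written for this page; it is not code from the Duquesne SOC app or from Splunk. The list entries, the key=value record layout (which is not the Palo Alto log format) and every address in it are constructed, using RFC 5737 documentation ranges. It also shows two checks a practitioner wants in such a rule: dropping junk entries that feeds sometimes carry (loopback, 0.0.0.0/0) so they do not alert on everything, and rating an allowed connection to a listed address higher than one the firewall already denied.

```python
"""Added example, not code from the Duquesne SOC app or from Splunk.

Matches firewall traffic records against a consolidated "bad IP" list built
from a public-feed style list and a private, locally maintained one. The
key=value log layout, the list entries and the addresses are constructed.
"""
import ipaddress

# Constructed lists. Real feeds would be loaded from files or a Splunk lookup.
BAD_LISTS = {
    "public": [
        "198.51.100.0/24",   # a feed-provided range
        "203.0.113.7",       # a feed-provided single host
        "127.0.0.1",         # junk that real feeds sometimes carry
        "# comment lines are ignored",
    ],
    "private": [
        "192.0.2.44",        # host the SOC added after a local incident
    ],
}

# Constructed key=value traffic records; this is not the Palo Alto log format.
SAMPLE_LOGS = [
    "2019-11-14T14:02:11Z src=10.1.5.23 dst=198.51.100.77 dport=443 action=allow",
    "2019-11-14T14:02:12Z src=203.0.113.7 dst=10.1.5.80 dport=22 action=deny",
    "2019-11-14T14:02:13Z src=10.1.5.23 dst=10.1.5.80 dport=445 action=allow",
    "this line is not a traffic record",
    "2019-11-14T14:02:14Z src=192.0.2.44 dst=10.1.5.81 dport=3389 action=allow",
]


def build_blocklist(labelled_lists):
    """Parse every entry into an ip_network tagged with its source list.

    Bare addresses become /32 (or /128) networks. Loopback, unspecified and
    overly broad entries are dropped: a stray 0.0.0.0/0 or 127.0.0.1 in a
    feed would otherwise alert on everything or on the collector itself.
    """
    nets = []
    for label, entries in labelled_lists.items():
        for entry in entries:
            entry = entry.strip()
            if not entry or entry.startswith("#"):
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # unparseable feed line: skip, never crash the alert
            if net.is_loopback or net.is_unspecified or net.prefixlen < 8:
                continue
            nets.append((net, label))
    return nets


def lookup(addr_str, blocklist):
    """Return (matched_network, list_label) for the first containing entry, else None."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return None
    for net, label in blocklist:
        if addr.version == net.version and addr in net:
            return str(net), label
    return None


def parse_kv(line):
    """Split 'k=v k=v' tokens into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_hits(lines, blocklist):
    """Check both endpoints of every record; return one hit per matched address.

    A src match is inbound traffic from a listed address, a dst match is
    outbound traffic to one. Allowed traffic involving a listed address is
    the case worth paging on; denied traffic is already blocked, so it is
    recorded as context only.
    """
    hits = []
    for line in lines:
        fields = parse_kv(line)
        if "src" not in fields or "dst" not in fields:
            continue  # not a traffic record
        for field, direction in (("src", "inbound"), ("dst", "outbound")):
            match = lookup(fields[field], blocklist)
            if match is None:
                continue
            hits.append({
                "direction": direction,
                "ip": fields[field],
                "matched": match[0],
                "list": match[1],
                "dport": fields.get("dport"),
                "action": fields.get("action"),
                "severity": "high" if fields.get("action") == "allow" else "info",
            })
    return hits


BLOCKLIST = build_blocklist(BAD_LISTS)

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS, BLOCKLIST):
        print(f"{hit['severity']:4} {hit['direction']:8} {hit['ip']:>15} matched "
              f"{hit['matched']} ({hit['list']} list) dport={hit['dport']} action={hit['action']}")
```

In a Splunk deployment the same shape is a lookup (CIDR-matching on the src and dst fields) joined to the firewall traffic sourcetype, with the alert keyed on action=allow; the private list is the part that deserves its own lookup file so incident responders can add entries without waiting for a feed refresh.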

Duquesne SOC App (screenshot slides)
Duquesne Help Desk App
• Dashboards for authentication from all services
• Displays 30 days of AD changes to group membership and OUs
• Reduces calls to Tier 2 & 3 staff
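The “30 days of AD changes to group membership” view on the slide above is, underneath, a filter and grouping over Windows Security events. The following is an added example of that logic, written for this page; it is not code from the Duquesne Help Desk app or from Splunk. The events are constructed, with field names following the Windows Security event schema (SubjectUserName is who made the change, MemberName is the member's DN, TargetUserName is the group); the example.edu domain, the account names and the fixed “now” are placeholders. OU moves (event 5139, which needs Directory Service Changes auditing) are not modelled. The example adds one check the help desk wants even though the slide does not mention it: changes to built-in privileged groups are flagged rather than shown as routine tickets.

```python
"""Added example, not code from the Duquesne Help Desk app or from Splunk.

Reduces raw Windows Security group-membership events to a "last 30 days of
AD group changes" view. Events are constructed; field names follow the
Windows Security event schema.
"""
from datetime import datetime, timedelta, timezone

# Security event IDs for membership changes to security-enabled groups.
GROUP_EVENTS = {
    4728: ("added", "global"),
    4729: ("removed", "global"),
    4732: ("added", "local"),
    4733: ("removed", "local"),
    4756: ("added", "universal"),
    4757: ("removed", "universal"),
}

# Built-in groups where a membership change is a security flag, not a routine ticket.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}

# Fixed "now" so the example is reproducible; a dashboard would use the current time.
NOW = datetime(2019, 11, 14, 19, 0, tzinfo=timezone.utc)

# Constructed sample events (example.edu is a placeholder domain).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2019-11-13T15:04:00Z", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=jdoe,OU=Staff,DC=example,DC=edu", "TargetUserName": "Library-Staff"},
    {"EventID": 4729, "TimeCreated": "2019-11-01T09:30:00Z", "SubjectUserName": "helpdesk2",
     "MemberName": "CN=asmith,OU=Students,DC=example,DC=edu", "TargetUserName": "Lab-Users"},
    {"EventID": 4728, "TimeCreated": "2019-10-02T11:00:00Z", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=bwong,OU=Staff,DC=example,DC=edu", "TargetUserName": "Finance-Staff"},  # 43 days old
    {"EventID": 4732, "TimeCreated": "2019-11-14T02:12:00Z", "SubjectUserName": "svc-deploy",
     "MemberName": "CN=svc-deploy,OU=Service,DC=example,DC=edu", "TargetUserName": "Administrators"},
    {"EventID": 4624, "TimeCreated": "2019-11-14T02:13:00Z", "SubjectUserName": "svc-deploy"},  # a logon
    {"EventID": 4756, "TimeCreated": "not-a-timestamp", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=x,DC=example,DC=edu", "TargetUserName": "Lab-Users"},  # malformed time
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used above into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def member_cn(dn):
    """Return the CN of a distinguished name, or the raw value if it has none."""
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            return part[3:]
    return dn


def group_changes(events, now, days=30):
    """Return membership changes within the trailing window, newest first.

    Events that are not group-membership events, or whose timestamp is
    missing or malformed, are skipped rather than allowed to break the view.
    """
    cutoff = now - timedelta(days=days)
    rows = []
    for event in events:
        meta = GROUP_EVENTS.get(event.get("EventID"))
        if meta is None:
            continue
        try:
            when = parse_time(event["TimeCreated"])
        except (KeyError, ValueError):
            continue
        if when < cutoff or when > now:
            continue
        action, scope = meta
        group = event.get("TargetUserName", "")
        rows.append({
            "time": when, "action": action, "scope": scope, "group": group,
            "member": member_cn(event.get("MemberName", "")),
            "by": event.get("SubjectUserName", ""),
            "privileged": group in PRIVILEGED_GROUPS,
        })
    rows.sort(key=lambda row: row["time"], reverse=True)
    return rows


def summarize_by_group(rows):
    """Per-group counts of adds/removes, with the privileged flag carried through."""
    summary = {}
    for row in rows:
        entry = summary.setdefault(
            row["group"], {"added": 0, "removed": 0, "privileged": row["privileged"]})
        entry[row["action"]] += 1
    return summary


if __name__ == "__main__":
    changes = group_changes(SAMPLE_EVENTS, NOW)
    for row in changes:
        flag = " [PRIVILEGED]" if row["privileged"] else ""
        print(f"{row['time']:%Y-%m-%d %H:%M} {row['action']:7} {row['member']:>10} "
              f"{'to' if row['action'] == 'added' else 'from'} {row['group']} by {row['by']}{flag}")
    print(summarize_by_group(changes))
```

The 30-day window is applied against the event timestamp, not the ingest time, so late-arriving events from a forwarder that was offline still land in the right place; the privileged-group set is deliberately small and explicit because a help-desk dashboard that flags everything flags nothing.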

Duquesne Help Desk App (screenshot slides)
Endpoint Tech App
• Provides user auditing of staff workstations and campus computer labs
• Single pane of glass for endpoint data
  – Vulnerabilities
  – Malware activity
  – Domain activity

Endpoint Tech App (screenshot slides)
Other Use Cases
• Compliance
  – PCI, HIPAA, NIST all require some level of log integrity, monitoring and archiving
• Consolidate costly logging and monitoring tools
  – Vendor-provided tools may not be the best fit
• Catch fraud before it’s successful
  – Easy ROI when you reduce risk & theft

Future Plans
• Phantom
  – Automate IP blocks with Palo Alto
  – Automate email blocks with Office 365
• Physical security systems
• Science DMZ monitoring
• Splunk Mobile App

Thank You! Q&A
Brad Maloney, Manager, Secure Integrated Infrastructure
maloneyb@duq.edu

Closing and Thank you!
• Future NET+ Splunk activities: Boss of the SOC and Splunk SIG at TechEx, Dec 9-12 in New Orleans
  – https://meetings.internet2.edu/2019-technology-exchange/
• Monthly call on the 2nd Thursday of each month at 2 pm ET / 1 pm CT / 12 pm MT / 11 am PT
  – Next call on Nov 14th
• Recordings posted to:
  – https://spaces.at.internet2.edu/pages/viewpage.action?pageId=154764174
• Submit your questions for the next call!
• If you have any questions, please contact the advisory board at splunkadvisory@internet2.edu or Nick Lewis (nlewis@internet2.edu)