NHS Trust SIEM
Background
An NHS Trust wanted to use Splunk Cloud to help minimise service outages as well as help to protect against potential cyber threats. The Trust was extremely busy due to the Covid-19 pandemic and the IT and security teams needed to adapt to a more remote workforce. This placed additional pressure IT services and security monitoring.
The Trust required a Splunk implementation that involved minimal disruption to their day to day activities, and could be used effectively used across the organisation.
Approach
A proven methodology was used which deployed Splunk rapidly and with minimal business disruption. An initial workshop allowed us to propose a solution and security use cases which met the specific requirements of the Trust. The Trust were able to achieve a clear view of what the program of work would look like. We then rapidly architected, deployed and onboarded the relevant data into Splunk. The Trust also received a full demonstration of the use cases and value that they could get from the product.
Outcome
The Trust secured a rapidly deployed Splunk infrastructure which was scalable and robust, giving the Trust a platform to build on. By achieving a deployment which understood and met their security requirements and implementing the right use cases, the Trust were left with a solution which added value from the outset.
If, like our NHS Trust customer, you want to deploy Splunk, download our Splunk Quickstart Guides.
Large Scale ES Deployment
Background
A Financial Services business was using an externally hosted SIEM solution and wanted to improve their security posture. They decided to deploy Splunk Enterprise Security into their Splunk Cloud instance.
Approach
We engaged with the customer to run a discovery workshop, understanding their security maturity and proposing an approach to move to a robust deployment of Splunk ES. During this workshop we captured the essential outcomes required and understood the key data sources needed for the security information.
The customer was able to gain experience from ‘over the shoulder’ training and collaborative working. Ensuring that the required data forwarding elements and all data were forwarded in a Common Information Model (CIM) compliant manner, Splunk ES was enabled to cross-correlate searches across different data sources. This provided the customer with powerful threat and issue hunting capabilities.
All security stakeholder groups were consulted to ensure that the use cases met all the security requirements. The customer also recieved guidance and advice on what other organisations have found of most use and value, as well as advice on where the highest impact activities were likely to be. In our work with the customer we also covered topics including:
• Indexing and retention requirements
• Role-based access control – to ensure confidentiality, integrity and availability of data to appropriate stakeholder groups only
• Authentication requirements
• Discussion and identification of assets and identities
• Requirements for threat intelligence
• Custom configuration requirements for incident review process
• Alert priorities
With the platform deployed and use cases set up, we configured the asset and identity management elements of the platform, the incident review process and configured any alerts and reporting requirements, plus threat intelligence feeds.
Outcome
The customer gained a fully operational SIEM solution that improved their security maturity. By working closely with us, the customer was left with a full understanding of their SIEM solution, how it had been architected and deployed, and how to maintain it themselves. Whilst self-suffcient, the customer was at the start of their journey with Splunk, and made use of our Splunk Expert Service to ensure they always had help close by when they needed it.
Cloud Migration
Background
A financial service business wanted to migrate to Splunk Cloud from their on premise instance.
Approach
We carried out an initial migration workshop to understand some of the key concerns for this customer. We understood whether their Splunk data needed to be migrated to the cloud, how much data they had, and how that migration would occur. We also understood what assets they had and how they could be migrated to cloud. As part of the workshop we also carried out a healthcheck of the forwarding tier, to ensure that it was following best practice for the move to Cloud.
We provided the output of the workshop, and recommended approach, to the customer in a report. We worked through the findings to help the customer decide on the approach which was best for them.
With a plan in place, we helped the customer perform the migration. We started by performing some remediation activities, ensuring that the forwarding tier was set up correctly for Cloud and would provide a robust, scalable solution for the customers future requirements. We then set about migrating both their data and assets into Splunk Cloud. Specifically, we helped prepare their apps to ensure that they migrated smoothly onto the Splunk Cloud platform.
Outcome
Using our knowledge of Splunk, and cloud migrations, we were able to run an organised, managed approach for the customer. The end results was a smooth, well planned transition to cloud which had minimal disruption of the customers day to day activities. If you’re interested in migrating to Splunk Cloud then download our Cloud migration e-book.
-
7 October 2024
SIEM vs XDR
-
25 September 2024
What a SIEM Audit Involves: A Comprehensive Guide
-
23 September 2024
All about Licence management
See how we can build your digital capability,
call us on +44(0)845 226 3351 or send us an email…