Splunk Experience

NHS Trust SIEM

Background

Our customer, an NHS Trust, wanted to use Splunk Cloud to help minimise service outages and to help protect against cyber threats. The Trust was under pressure from the additional demands placed on it by Covid-19, and its IT and security teams also had to adapt to a workforce that was working remotely more of the time, with the strain that placed on IT services and security monitoring. The Trust needed to implement Splunk with minimal disruption to its day-to-day activities and ensure that it was adopted and used widely across the organisation.

Approach

As an experienced professional services partner, Apto Solutions have a proven methodology for deploying Splunk rapidly and with minimal business disruption. Through an initial workshop we proposed a solution, and a set of security use cases, that met the Trust's specific requirements, and gave the Trust a clear view of what the programme of work would look like. Once this had been agreed we rapidly architected the platform, deployed it and onboarded the relevant data into Splunk. We then worked with the customer to set up the use cases and demonstrate the value they could get from the product.

Outcome

We were able to rapidly deploy Splunk in a scalable, robust way, giving the Trust a platform to build on. By understanding their security requirements and implementing the right use cases we left them a solution which added value from the outset.

If, like our NHS Trust customer, you want to deploy Splunk, download our Splunk Quickstart Guides.

Large Scale ES Deployment

Background

Our customer was a Financial Services business who used an externally hosted SIEM solution. In order to improve their security posture, our customer decided to deploy Splunk Enterprise Security into their Splunk Cloud instance.

Approach

We ran a discovery workshop with the customer to understand their security maturity and propose an approach for moving to a robust deployment of Splunk ES. During this workshop we captured the essential outcomes required and identified the key data sources needed to support them.

Our customer wanted to work closely with us and gain experience through 'over the shoulder' training. We facilitated this by involving the customer as we deployed the required data forwarding elements and ensured that all data was onboarded in a Common Information Model (CIM) compliant manner. This is key to Splunk ES: its correlation searches run against CIM data models (for example Authentication or Network Traffic) rather than against individual raw sourcetypes, so a data source whose fields are not mapped to the model is effectively invisible to them. With the mapping in place, ES can cross-correlate across different data sources, giving our customer powerful threat and issue hunting capabilities.
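To make the CIM point concrete, here is an added example (not Apto's or Splunk's code) that normalises constructed events from three sources onto CIM Authentication fields and then runs a cross-source correlation over those fields. The sample events, the simplified key=value Windows layout, the `custom_vpn` sourcetype with no mapping, and the Python correlation standing in for an ES correlation search are all assumptions for illustration; the `WinEventLog:Security` and `linux_secure` sourcetype names are assumed to match the usual Splunk add-on conventions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data). Field layouts are simplified:
# real Windows 4625 events are multi-line "Account Name:" style, and the third
# sourcetype stands in for a bespoke VPN appliance that has no CIM mapping.
RAW_EVENTS = [
    ("WinEventLog:Security", "EventCode=4625 Account_Name=svc_backup Source_Network_Address=10.20.30.40 ComputerName=FILESRV01"),
    ("WinEventLog:Security", "EventCode=4624 Account_Name=alice Source_Network_Address=10.1.1.5 ComputerName=FILESRV01"),
    ("linux_secure", "Jan 12 10:01:02 dbhost01 sshd[2211]: Failed password for svc_backup from 10.20.30.40 port 51234 ssh2"),
    ("linux_secure", "Jan 12 10:01:09 dbhost01 sshd[2211]: Accepted password for bob from 10.1.1.9 port 51240 ssh2"),
    ("linux_secure", "Jan 12 10:01:15 apphost02 sshd[4102]: Failed password for invalid user root from 10.20.30.40 port 51299 ssh2"),
    ("custom_vpn", "VPN-AUTH-FAIL user=svc_backup peer=10.20.30.40 gw=vpngw01"),
]

WIN_RE = re.compile(
    r"EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) "
    r"Source_Network_Address=(?P<src>\S+) ComputerName=(?P<dest>\S+)"
)
SSH_RE = re.compile(
    r"(?P<dest>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize(sourcetype, raw):
    """Map one raw event onto CIM Authentication fields (action, user, src, dest, app).
    Returns None when no mapping exists for the sourcetype, i.e. the event is not CIM compliant
    (in Splunk terms: no props/transforms field extractions or aliases tag it into the model)."""
    if sourcetype == "WinEventLog:Security":
        m = WIN_RE.search(raw)
        if not m:
            return None
        return {"action": "failure" if m["code"] == "4625" else "success",
                "user": m["user"], "src": m["src"], "dest": m["dest"],
                "app": "win:local", "sourcetype": sourcetype}
    if sourcetype == "linux_secure":
        m = SSH_RE.search(raw)
        if not m:
            return None
        return {"action": "failure" if m["outcome"] == "Failed" else "success",
                "user": m["user"], "src": m["src"], "dest": m["dest"],
                "app": "sshd", "sourcetype": sourcetype}
    return None  # unmapped sourcetype: an ES correlation search never sees it


def normalize_all(raw_events):
    """Split events into CIM-mapped dicts and the raw events that could not be mapped."""
    mapped, unmapped = [], []
    for sourcetype, raw in raw_events:
        event = normalize(sourcetype, raw)
        if event is None:
            unmapped.append((sourcetype, raw))
        else:
            mapped.append(event)
    return mapped, unmapped


def failed_auth_across_hosts(events, min_dests=2):
    """Cross-source correlation over CIM fields: one src with authentication failures
    against min_dests or more distinct dests, whichever system logged them. This is
    roughly what an ES correlation search does with
      | tstats count from datamodel=Authentication where Authentication.action=failure
        by Authentication.src Authentication.dest"""
    by_src = defaultdict(lambda: {"dests": set(), "users": set(), "sourcetypes": set(), "count": 0})
    for e in events:
        if e["action"] != "failure":
            continue
        b = by_src[e["src"]]
        b["dests"].add(e["dest"])
        b["users"].add(e["user"])
        b["sourcetypes"].add(e["sourcetype"])
        b["count"] += 1
    return {src: b for src, b in by_src.items() if len(b["dests"]) >= min_dests}


NORMALIZED, UNMAPPED = normalize_all(RAW_EVENTS)

if __name__ == "__main__":
    for src, hit in failed_auth_across_hosts(NORMALIZED).items():
        print(f"{src}: {hit['count']} failures against {sorted(hit['dests'])} "
              f"as {sorted(hit['users'])}, seen in {sorted(hit['sourcetypes'])}")
    for sourcetype, raw in UNMAPPED:
        print(f"NOT CORRELATED (no CIM mapping for {sourcetype}): {raw}")
```

Run as a script, it reports 10.20.30.40 failing against three hosts across both the Windows and Linux sources, which neither source would show on its own, and it lists the VPN failure from the same address as uncorrelated because that sourcetype was never mapped. That second line is the practical check worth running after onboarding: every security-relevant sourcetype should appear in the data model, not only in raw searches.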

With the main data sources onboarded we worked closely with our customer over a period of days, engaging all the security stakeholder groups to ensure that use cases were implemented to meet their security requirements. We drew on our experience of previous ES deployments to advise on what other organisations have found most useful and valuable, and on where the highest-impact activities are likely to be. Our work with the customer also covered:

• Indexing and retention requirements
• Role-based access control – to ensure the confidentiality and integrity of data, and its availability to the appropriate stakeholder groups only
• Authentication requirements
• Discussion and identification of assets and identities
• Requirements for threat intelligence
• Custom configuration requirements for incident review process
• Alert priorities

With the platform deployed and the use cases set up, we configured the asset and identity management elements of the platform, the incident review process, the required alerts and reports, and the threat intelligence feeds.

Outcome

Our customer was left with a fully operational SIEM solution that improved their security maturity. By working closely with us, and supplementing this with formal Splunk training, they gained a full understanding of their SIEM solution, how it had been architected and deployed, and how to maintain it themselves. Whilst self-sufficient, our customer was at the start of their journey with Splunk, and made use of our Splunk Expert Service to ensure they always had help close by when they needed it.

Cloud Migration

Background

Our customer, a financial services business, wanted to migrate from their on-premises Splunk instance to Splunk Cloud.

Approach

We carried out an initial migration workshop to understand the key concerns for this customer. We established whether their existing Splunk data needed to be migrated to the cloud, how much data there was, and how the migration would take place. We also identified the assets they had and how those could be migrated to cloud. As part of the workshop we carried out a health check of the forwarding tier to ensure that it followed best practice for the move to Cloud.

We provided the output of the workshop and our recommended approach to the customer in a report, and worked through the findings to help them decide on the approach that was best for them.

With a plan in place, we helped the customer perform the migration. We began with remediation activities, ensuring that the forwarding tier was set up correctly for Cloud and would provide a robust, scalable solution for the customer's future requirements. We then migrated both their data and their assets into Splunk Cloud; in particular, we helped prepare their apps to ensure that they migrated smoothly onto the Splunk Cloud platform.

Outcome

Using our knowledge of Splunk and of cloud migrations, we ran an organised, managed approach for the customer. The end result was a smooth, well-planned transition to cloud with minimal disruption to the customer's day-to-day activities. If you're interested in migrating to Splunk Cloud then download our Cloud migration e-book.

See how we can build your digital capability,
call us on +44(0)845 226 3351 or send us an email…