Case Study: Large-Scale Splunk ES Deployment In Financial Services

Background

A large international Financial Services business was using an externally hosted SIEM solution and wanted to improve its security posture. They decided to deploy Splunk Enterprise Security into their Splunk Cloud instance.

Approach

We engaged with the customer to run a discovery workshop, understanding their security maturity and proposing an approach to move to a robust deployment of Splunk ES. During this workshop, we captured the essential outcomes required and understood the key data sources needed for the security information.

The customer was able to gain experience from ‘over the shoulder’ training and collaborative working. Ensuring that the required data forwarding elements and all data were forwarded in a Common Information Model (CIM) compliant manner, Splunk ES was enabled to cross-correlate searches across different data sources. This provided the customer with powerful threat and issue-hunting capabilities.

All security stakeholder groups were consulted to ensure that the use cases met all the security requirements. The customer also recieved guidance and advice on what other organisations have found of most use and value, as well as advice on where the highest impact activities were likely to be. In our work with the customer, we also covered topics including:

• Indexing and retention requirements
• Role-based access control – to ensure confidentiality, integrity and availability of data to appropriate stakeholder groups only
• Authentication requirements
• Discussion and identification of assets and identities
• Requirements for threat intelligence
• Custom configuration requirements for incident review process
• Alert priorities

With the platform deployed and use cases set up, we configured the asset and identity management elements of the platform, the incident review process and any alerts and reporting requirements, plus threat intelligence feeds.

Outcome

The customer gained a fully operational SIEM solution that improved their security maturity. By working closely with us, the customer was left with a full understanding of their SIEM solution, how it had been architected and deployed, and how to maintain it themselves. Whilst self-sufficient, the customer was at the start of their journey with Splunk, and made use of our Splunk Expert Service to ensure they always had support close by when they needed it.