Embed Size (px)
Citation preview
Copyright © 2015 Splunk Inc.
Patrick Hofmann Head of IT Infrastructure, PostFinance
How Splunk Connects Business and IT at Swiss Bank PostFinance Ltd
Disclaimer
2
During the course of this presentaGon, we may make forward looking statements regarding future events or the expected performance of the company. We cauGon you that such statements reflect our current expectaGons and esGmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in the this presentaGon are being made as of the Gme and date of its live presentaGon. If reviewed aQer its live presentaGon, this presentaGon may not contain current or
accurate informaGon. We do not assume any obligaGon to update any forward looking statements we may make.
In addiGon, any informaGon about our roadmap outlines our general product direcGon and is subject to change at any Gme without noGce. It is for informaGonal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligaGon either to develop the features
or funcGonality described or to include any such feature or funcGonality in a future release.
About Me – In a Nutshell
About Me – In a Nutshell
4
Agenda
PostFinance Ltd at a glance Splunk@PostFinance Use case 1 – Fraud detecGon and report generaGon for E-‐Payment Use case 2 – Online banking security and threat detecGon Wrap up
5
PostFinance At a glance
PostFinance at a Glance
7
One of the leading retail financial ins,tutes of Switzerland Number one in Swiss payment transac,ons An ideal partner for customers who wish to independently manage their finances
Assets and TransacGons
8
Customer funds (in CHF millions)
More and more customers entrust PostFinance with their money.
Transactions processed (in millions)
PostFinance is the market leader in Swiss payment transacGons.
Customers Total and Online
9
E-Finance users (in millions)
More than 1.6 million customers manage their finances online.
Number of customers (in millions)
PostFinance is one of Switzerland's leading retail financial insGtuGons.
Splunk @ PostFinance
PostFinance’s Splunk Timeline
11
2007 2010 2013 2014 2015
Central Logging Systems (OS only)
Traceability
Splunk 3.x Splunk 4.x Splunk 5.x Splunk 6.x …
Appl. Logging Online Banking
DB & MW
Fraud DetecGon Splunk 6 Refactoring
Business Apps
Performance & Availability
800 Searches per minute
Number of applications
> 30
Splunk apps > 55
PostFinance’s Splunk Numbers
12
40 Terabytes SAN data
(per site)
Search head cluster 5 Members 1 Deployer
28 Splunk indexers
Indexing rate average 434 KB/s
Data volume per day
800GB – 1TB
Source systems
> 2360
Cores 480
Memory 2816GB
Number of
roles 68
High Level Architecture
13
Source Systems Log Data Repository
Search Heads
Custom analysis
Export to database
Alerts to ITSM Oracle, MSSQL (52) DB Connect
Messageforwarder Tomcat Java applicaGon
DB enrichment Python ApplicaGon
SNMP Traps Syslog
Custom analysis / Alarming tool Export database
Indexers
Indexers Network Devices & Appliances
Linux (700)
Solaris(1200)
Windows (500)
Deployed in Two Datacenters
14
Datacenter Bern
Datacenter Zofingen
Search Peers >150 Indexes
Solaris Linux Windows Network Devices & Appliances
Solaris Linux Windows
Search Head Cluster Captain
Deployer
Cluster Members
>500 Users
Network Devices & Appliances
14
Use Case 1: Fraud DetecGon and Report GeneraGon For E-‐Payment
Automated StaGsGcs GeneraGon for Fraud DetecGon
and Product Management
E-‐Payment -‐ IntroducGon
16
E-‐Payment Plakorm Info Automated Fraud DetecGon
General Support Info Ad Hoc Searches for Support
E-‐Payment -‐ Architecture
17
Reverse Proxy Entry Servers
Applica,on Servers
Database Servers
Transac,on Logs Business Logs Database Logs System Logs
Shoppers
Business Logs
Transac,on Logs
Transac,on History (2 Years)
Indexer Search Head
Ad Hoc Searches
Automated sta,s,cs and report genera,on
Monitoring & Aler,ng
E-‐Payment -‐ Overview of Splunk Usage
18
Two main types of Splunk searches:
Examples of global searches: – Alempted payments with wrong credenGals – Payments with same card – Number of first Gme debit card users – TransacGons close to the card limit
Examples of merchant report searches: – Percentage of new buyers – Change of revenue
E-‐Payment – Merchant Report Example
19
TransacGons
Revenue
E-‐Payment: Fraud Workflow
20
Search recognizes fraud
or assumed fraud
Escala,on, card blocking, merchant contact
Dashboards and forms for ad hoc
searches
Logfiles from various systems and applica,ons sent to Splunk
indexers Support team is no,fied by email or incident ,cket.
Further analysis and resolu,on starts
E-‐Payment – Performance challenges
21
E-‐Payment – Searching for Fraud
22
E-‐Payment – Dashboard Examples
23
Use Case 2: Online Banking Security and Threat DetecGon
PostFinance – E-‐Finance IntroducGon
25
E-‐Finance -‐ Architecture
26
Load-‐balanced Entry Servers Authen,ca,on and Security Servers
Applica,on Servers Authen,ca,on backend Session Servers Malware protec,on
Database Servers Central Storage
Datacenter Bern
Indexers
Search Head Cluster
Online Security Team Ad Hoc Searches
Monitoring & Aler,ng
Applica,on Management Systems Management Database Administrator Ad Hoc Searches
Online Banking -‐ Phishing
27
E-‐Finance -‐ Phishing Alack Workflow
28
Security team analyzes the new a^ack pa^erns
The online security team is no,fied about a new phishing a^ack by email
Opera,onalize the findings for use in daily business
All transac,ons are rated using
CEP rules
Online Banking Security – Western Union
29
Online Banking Security – Login Behavior
30
Online Banking Security – OI
31
Wrap-‐Up
Wrap-‐Up: Success Factors
33
Start small, think big Dedicated «virtual» team
Business value always in mind Show & tell Have security on priority list Regulatory Gghtening
Management support
THANK YOU
