Cisco and Splunk: Under the Hood of Cisco IT Breakout Session

Robert Novak, Cisco Big Data Partner CSE
Quinn Zuo and Ruby Chiang, Cisco IT
July 2015
Cisco and Splunk:
Under the Hood of Cisco IT

Agenda
• Cisco’s History with Splunk
• How Cisco Uses Splunk
• IT Operations
• Security Analytics
• There’s an App for that!
• Splunk + Cisco UCS = Better Together
• Learn More

Would you like
to play a game?

Top 3 Questions
5
Cisco makes servers?

Top 3 Questions
6
Cisco does big data?
2

Top 3 Questions
7
Cisco does big data?
2
What’s going on with
Cisco and Splunk?

Big Data & Analytics – Gain Insight from your Data
Data Analytics with Splunk on Cisco UCS
Splunk drives operational insights and outcomes
for our customers on Cisco UCS Infrastructure
Data is the lifeblood of any
applications and business.
While the real value is in the
analytics and the ability of a
company to use that intelligence
to gain a desired business
outcome
UCS 6200 Series
Fabric Interconnects
UCS Manager,
UCS Director
Express
UCS C220/C240
M4 Servers
LAN, SAN,
Management

Cisco’s Footprint with Splunk
70+ Monitored
Applications
7+ Year
Relationship
Across 7
Global
Data
Centers
Flexible
infrastructure
to
accommodate
new business
needs

How Cisco Uses Splunk
Data Analytics with Splunk on
Cisco UCS for Cisco’s IT Operations

Cisco IT Operations Challenges
Provide
self-service
& self-
healing
capabilities
Reduce
time
required to
detect &
resolve
issues
Monitor,
manage,
protect,
and avoid
security
incidents
Manage
Cisco UCS
Hardware
Platforms
Empower
Cisco’s
internal
Cloud users
to manage
their own
environments

Cisco’s IT Operations Results
 Proactive monitoring enables 50% reduction in high priority
issues
 80% reduction in operational costs
 90% improvement in problem resolution and root cause analysis
times
 Improvements in system stability, availability and performance
“Splunk pulls data from all the logs and gives our operations teams
a single place to look and work together to solve problems.”
— Piyush Bhargava, Distinguished Engineer, Cisco IT

IT Operations @ Cisco
 Aggregated multiple siloed systems into Splunk
 Monitoring 70+ Applications
 846% increase of search volume per day in one year
 Operational Intelligence in minutes rather than hours
Cisco IT uses Splunk to index a broad range of system logs and machine data for
networking devices, operating systems, unified communications, video events, and
applications.

Don’t take my word for it…
 Ruby Chiang, IT Program Manager for Cisco IT
 Quinn Zuo, Cisco IT Architect responsible for EventPro
Observations and experiences
from the folks at Cisco IT who make it happen

Under the hood
of Cisco EventPro

Data Center on Canvas
Service
Categories
Service Assets
Logical
Architecture
Physical
Architecture
End to
End View

Insights Across Cisco - Platform
Business
Unit
Platform SPLUNK App
Sources and Logs
SYSLOG Windows
Active
Directory
ACS Storage
• Infra Structure
• IT OPS
• Security
• Commerce
• Sales & Marketing
• Channels
• Engineering
• Webex
• CCIX (web + app)
• FTP
• RAC DB
• WSG
• PING
• OBIEE
• ACE
• Splunk on Splunk
• Deployment Monitor
• VMware App
• UCS App
• JMX App
• Unix App
• NetApp App
• Network
• Linux / Unix
• UCS
• VMWare ESXi
• Datacenter battery /
temperature logs
• Pre-Prod
Event Logs
• Production
Event Logs
• Event Logs • Event
Logs
• AAA
Logs
• ISE Logs
• Event Logs
Search Heads Indexers Storage Data Center
• 16 VMs (64 core X 32 GB) • 32 VMs (16 core X 16 GB) • 56 TB SAN – Hot & Warm
• 28 TB NAS - Cold
• Prod: RCDN – 8 SH & 10 Indexers
• Prod: ALLEN – 8 SH & 10 Indexers
• DR: RTP – 4 SH & 2 indexers

Insights Across Cisco - Dashboard
3. Security – Hits Monitoring
1. ATS Index Utilization for CCIX layer 2. IT Infrastructure – App Monitoring
4. Marketing – Campaign Activity

Splunk Searches – Daily Average
1. Interactive Searches = 55K+ 2. Scheduled Searches = 45K+
3. Total Searches = 100K+ 4. Number of Users = 180+

10 Indexers
16 Search Heads
47 Search Heads
32 Indexers
Daily Indexing
~ 2TB
2014
2014
2015
2015
2015
Cisco’s IT Operations Evolving with Splunk
Daily Indexing
300G
2010

Data Analytics
with Splunk on Cisco UCS
for Security Analytics
Using Splunk @ Cisco CSIRT

About CSIRT
• Cisco Computer Security Incident Response Team (CSIRT)
• CSIRT = Security Monitoring and Incident Response
• Architecture, Engineering, Research, and Investigations
• Enterprise global threat and 24x7 incident response

CSIRT Environments Recent Snapshot
 300 locations in 90 countries
 400 buildings
 1500+ labs
 100,000+ employees on network
 50-300 malware-related cases opened in a typical week
 650,000+ ip devices on network
 130,000 windows hosts
 50,000 Linux hosts
 40,000 routers
 2-3 million highly tuned ids events per day
 10+ billion netflow records per day

Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took
> 6 minutes
– Difficult to customize with reliance on pre-built rules which
generated false positives
Security
Information
and event
management

Replacing a SIEM @ Cisco, cont’d
• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, correlations, reporting, advanced
threat detection
– All the data + flexible searches and reporting = empowered team
– 2TB/day and searches take less than a minute. 7 global data centers with
350TB stored data
– Flashback Malware Example
– Estimate Splunk is 25% the cost of a traditional SIEM

CSIRT Logging DeploymentCSIRT Logging Deployment

33 percent reduction in the time required to conduct security
investigations
All security data is readily available in a single, centralized portal for
faster and simpler access
Ability to automate routine tasks and search log data allows CSIRT
analysts to work more effectively
Substantially easier correlation allows for more thorough investigations
Heading
Cisco Security Analytics Results

Cisco’s CSIRT engineers
applied their experiences during
the CSIRT deployment to a new
O’Reilly book now available
at most booksellers
bitly.com/infosecplaybook
“And they wrote the book …”
30

There’s an app for that…
(or a technology add-on, at least)

120+ security apps & add-onsSplunk app for
Enterprise Security
Splunk Apps for Cisco Environments
Cisco ASA
NetFlow Logic
OSSEC
Cisco WSA
Cisco ESA
Cisco ISE
Sourcefire
Active Directory
Cisco Security
Suite
MobileIron
Bit9 ETD
Norse Darklist
500+ apps/add-ons
Cisco ACI, IOS,
Nexus 9000
Cisco UCS
VMware
NetApp
Servicenow
UNIX/Linux

Splunk App for Cisco UCS
NEW AND IMPROVED as of May 28, 2015
Aggregates, monitors, trends and analyzes all
relevant data from Cisco UCS Manager
instances
Enables proactive capacity and performance
monitoring/ management, fault trending,
power and cooling, and more
Works with other Splunk add-ons and data
sources (including Enterprise Security and
PCI Compliance add-ons) to aggregate and
correlate data across your enterprise
33
Application
s
Operating Systems
Hypervisors
UCS server, storage,
network

What is
Cisco’s
Unified
Computing
System
(UCS)?
Unified Management: UCS Manager
uses policy-based configuration to
ensure consistent deployments
Unified Fabric: Integrated 10 Gigabit
Ethernet and Storage Networking
(FCoE/iSCSI)
Service Profiles: Maintain consistency
across batches of servers and multiple
applications. Deploy and expand in
record time.
Performance: Built with 10GbE at the
core, 40GbE available, repeatable
configurations and performance, and
over 100 benchmark records

Why Splunk
on Cisco
UCS?
Time to Deployment: Spin up a
mutually validated, pre-tested
environment in minutes rather than days
or weeks
Total Cost of Ownership: Integrated
networking and management reduce
customer cost and effort to migrate,
deploy, and expand
Time to Grow: Expand servers and
network capacity quickly and
consistently

Cisco UCS + Splunk = Better Together
Seamless Scalability Facilitates Rapid Growth
– Scale Splunk from a single server to distributed/clustered deployment
– Grow your clusters efficiently and consistently
– Runs on the same UCS C-Series servers as other big data platforms
Split Second Response Times
– Exceptional performance for “needle-in-a-haystack” searches
– Consistent performance as simultaneous users increase
Simplified Repeatable Deployments
– Four pre-tested UCS Integrated Infrastructures
– Capacity or performance optimization
– NEW! Cisco Validated Design (CVD) with HA and Archiving

250 GB indexed per day
4 months retention
250 GB indexed per day
1 month retention
Single Server
Cisco UCS Reference Architectures
UP to 4TB indexed per day
3 months Retention
Up to 4TB indexed per day
1 year Retention
Clustered Deployment
Retention
optimized
Performance
optimized

Cisco Validated Design (CVD) for Splunk
• Developed by Cisco and Splunk
engineers in Spring 2015
• 250+ page guide to design and
deployment, pallet to production
• Based on UCS C-Series (C220, C240,
C3160) servers and Splunk Enterprise
software
• Includes high availability & data archiving
• Download for free at
cisco.com/go/bigdata_design

Learn more about
Splunk and Cisco UCS

SplunkBase app resources: splunkbase.splunk.com
Cisco’s Big Data Design Hub: cisco.com/go/bigdata_design
features Cisco Validated Designs (CVDs) and other architectural docs
Big Data Applications Hub: cisco.com/go/bigdata
features reference architectures, solution briefs, infrastructure, automation, etc.
Learn More About Splunk on Cisco UCS!

Cisco and Splunk: Under the Hood of Cisco IT Breakout Session

Cisco and Splunk: Under the Hood of Cisco IT Breakout Session

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Cisco and Splunk: Under the Hood of Cisco IT Breakout Session (20)

More from Splunk (20)

Recently uploaded (20)

Cisco and Splunk: Under the Hood of Cisco IT Breakout Session