CAMBRIDGE, Mass.—With the help of Splunk, the University of Connecticut was able to help the FBI.
Someone had been calling in bomb threats at universities around the country in order to see the chaos they could cause. The large amounts of data being collected and utilized by the university allowed UConn system managers to look at extensive browsing histories of their students until they found the one who had been keeping closest track of the bomb scare stories in the news. It turned out that the student calling in the threats was his own biggest fan, spending more time than anyone else looking at coverage of his own criminal activities online. With the data on student browsing behavior collected and made easy to understand by Splunk, the university was able to identify the alleged culprit.
The story of UConn’s machine data detective work, related by Jason Pufahl, the chief information security officer for the University of Connecticut, was one of several customer presentations at the second annual SplunkLive Boston event held at a packed Boston Marriott Cambridge ballroom on June 12. Splunk collects, indexes, and harnesses machine data generated by applications, servers, and devices. Used by everyone from universities to hospitals and marketing firms, it is a serious contender in the world of machine data aggregation and analysis.
For example, one university network engineer spoke about using Splunk for security processes such as network registration monitoring (which lets the IT team know who is using which devices), tracking potential network threats, and performing daily overviews for network planning. The university can take all of this data and use it for predictive analysis to catch compromised accounts before they become a threat, and to map hotspots as they occur.
The event featured a panel of speakers from companies that use Splunk. Speakers included Pufahl; Ant Lefebvre, senior systems engineer for Middlesex Hospital in Middletown, Conn.; and Sam Silberman, director of standards and industry relations at Constant Contact. Two Splunk executives – Steve Sommer, chief marketing officer, and Ed Elisio, a senior sales engineer – also presented, providing an overview of Splunk and where Splunk is going.
The core concept of Splunk, according to Sommer, is “being able to take any machine data, analyze it, index it, and harness it.” It provides real-time business insight, operational visibility, proactive monitoring, and search and investigation. Splunk recently opened a lab in Seattle which is currently working on developing real-time big data applications to add on top of the company’s enterprise system. Other notable updates are a new version of Splunk for Microsoft Office Exchange and new apps for enterprise security and PCI compliance 2.0. However, the real focus of the presentation at SplunkLive Boston was the speeches from Splunk users who recounted how their business practices were deeply changed by the introduction of Splunk.
For example, Splunk allows Middlesex Hospital to reduce network incident resolution times from a matter of hours to just a snap, Lefebvre said. With more information at a doctor’s fingertips, doctors can customize patient care decisions. Even if symptoms look exactly the same between two patients, the patient history data in Splunk means that the doctor can tell if their illnesses are completely different, he said.
At the University of Connecticut, Pufahl said he has wired everything he can to send machine data to Splunk in order to collect and analyze network security data. This has given the University of Connecticut the data it needs to build a profile of everyone’s log-on patterns and of how far from the university they usually travel while still using the university network. Pufahl can use this to immediately identify compromised accounts, because they are accessed from outside the parameters of the account user’s standard behavior.
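The detection Pufahl describes, a per-user baseline of how far from campus logins normally come from and an alert when a login falls outside that user's usual range, can be sketched in a few lines. This is an added illustration, not UConn's or Splunk's own logic; the login events, the campus coordinate, and the z-score/minimum-distance thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed reference point (approximate UConn Storrs campus); an assumption for the example.
CAMPUS = (41.8077, -72.2540)

# Constructed history of past logins: (user, source_lat, source_lon). In practice these
# fields would come from indexed VPN/SSO logs enriched with geolocation.
HISTORY = [
    ("alice", 41.81, -72.25), ("alice", 41.76, -72.68), ("alice", 41.80, -72.26),
    ("alice", 41.77, -72.67), ("alice", 41.79, -72.25),
    ("bob", 41.80, -72.25), ("bob", 41.81, -72.26), ("bob", 41.79, -72.24),
    ("bob", 41.80, -72.25), ("bob", 42.36, -71.06),   # bob sometimes logs in from Boston
]
# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", 48.86, 2.35),     # alice never travels this far: should be flagged
    ("bob", 42.36, -71.06),     # Boston is within bob's own history: should not be flagged
    ("alice", 41.80, -72.25),   # alice on campus: normal
    ("carol", 42.36, -71.06),   # no history at all: falls back to the minimum-distance rule
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def build_baseline(events, reference=CAMPUS):
    """Per-user (mean, stddev) of distance from the reference point over past logins."""
    dists = defaultdict(list)
    for user, lat, lon in events:
        dists[user].append(haversine_km(reference, (lat, lon)))
    baseline = {}
    for user, d in dists.items():
        mean = sum(d) / len(d)
        var = sum((x - mean) ** 2 for x in d) / len(d)
        baseline[user] = (mean, math.sqrt(var))
    return baseline

def flag_anomalies(events, baseline, reference=CAMPUS, z=3.0, min_km=100.0):
    """Flag logins farther than the user's mean + z*stddev, never below min_km.
    Users with no history get a zero baseline, so only min_km protects them."""
    flagged = []
    for user, lat, lon in events:
        mean, sd = baseline.get(user, (0.0, 0.0))
        d = haversine_km(reference, (lat, lon))
        if d > max(min_km, mean + z * sd):
            flagged.append((user, round(d)))
    return flagged
```

The min_km floor matters for accounts with little or no history, where a thin baseline would otherwise flag every login or none of them.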
Constant Contact is a marketing company that helps small businesses keep in touch with clients and others through email campaigns and other services. Silberman explained that what his company needed from Splunk was centralization: Web services data, application data, and email data all in one place. This has helped the company maintain compliance with the US CAN-SPAM law by tracking customer behavior and looking for potential anomalies.