Customer Success Story: Design and Implementation of Splunk and Enterprise Security
The Customer
This customer is a large New Zealand technology company and the project was undertaken mid 2023 over a three-month period.
The Challenge
Our customer provides a cloud platform for government customers. This cloud platform required a SIEM solution deployed in its air-gapped management network. The existing on-prem SIEM product was end-of-life, and compliance findings against it were accumulating. The customer had experience operating Splunk Enterprise Security but not in designing or deploying Splunk Enterprise. The customer chose Splunk Enterprise and Enterprise Security as a replacement platform and engaged GKC to help design and implement the Splunk environment, with options for ongoing support.
The Solution
After understanding our customer’s requirements, GKC’s consultants ran a number of design workshops, presenting multiple options to establish what would meet their security needs and work best in their environment. A high-level design walkthrough was presented and agreed before the detailed design document was prepared.
The design delivered a solution with a strong security focus, particularly on protecting ingested data: all received data is replicated to a secondary data centre, and historical data is replicated (and offloaded) to Splunk SmartStore. The previous solution did not support replication between the two geographically diverse sites; the Splunk solution we implemented now does.
In the implemented solution, all data is encrypted with TLS 1.2 in transit, with certificate verification enabled so that data cannot be intercepted in transit. The TLS certificates give the Universal Forwarders assurance that they are talking to the right servers.
SplunkTCP tokens were chosen over client certificates to ensure the indexers accept only data from valid forwarders. This mitigates the risk of a threat actor injecting false data into the SIEM. All Splunk REST (8089/tcp) connections and index cluster replication were also protected with TLS 1.2 and certificate validation; in these cases, clients are authenticated with pass4SymmKey.
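The configuration pattern described above, written out as an added illustration rather than the customer's own files: forwarder-to-indexer TLS 1.2 with server certificate verification and a SplunkTCP token instead of a client certificate, plus pass4SymmKey for the management (8089/tcp) and cluster replication paths. Hostnames, paths and secret values are placeholders.

```ini
# --- Universal Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = siem_indexers

[tcpout:siem_indexers]
server = idx1.mgmt.example.internal:9997, idx2.mgmt.example.internal:9997
useSSL = true
sslVersions = tls1.2
# CA bundle that signed the indexer certificates; the forwarder refuses
# to send if the server certificate does not chain to it
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/internal-ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.mgmt.example.internal, idx2.mgmt.example.internal
# Shared token replaces a client certificate for authenticating forwarders
token = REPLACE_WITH_LONG_RANDOM_TOKEN

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
[splunktcp-ssl:9997]
# Only connections presenting this token are indexed
token = REPLACE_WITH_LONG_RANDOM_TOKEN

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = REPLACE_WITH_KEY_PASSWORD
sslVersions = tls1.2
# Tokens carry client authentication, so no client cert is demanded
requireClientCert = false

# --- All Splunk servers: $SPLUNK_HOME/etc/system/local/server.conf ---
[general]
# Authenticates REST (8089/tcp) peers such as the deployment server
pass4SymmKey = REPLACE_WITH_GENERAL_SECRET

[sslConfig]
enableSplunkdSSL = true
serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunkd.pem
sslPassword = REPLACE_WITH_KEY_PASSWORD
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/internal-ca.pem
sslVerifyServerCert = true
sslVersions = tls1.2

[clustering]
# Indexer cluster peers and manager authenticate replication with this key
pass4SymmKey = REPLACE_WITH_CLUSTER_SECRET
```

A quick check after deployment is that a forwarder whose sslRootCAPath does not contain the issuing CA logs a TLS handshake failure in splunkd.log and forwards nothing, which is the behaviour certificate verification is meant to produce.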
GKC delivered the agreed design on-site at the customer’s location. This involved installing and performing the base configuration of the Splunk environment, and installing and configuring the agreed ingestion components. GKC provided as-built documentation following the build.
The Outcome
GKC provided a solution that replaced the customer's existing installation and met all specified requirements. The customer now has a best-of-breed (Gartner Magic Quadrant) SIEM solution that does not compromise the strict compliance requirements of its government customers.
This has allowed the customer to close audit compliance issues related to the end-of-life SIEM product, while delivering a more modern solution.
Following the success of this project, this customer has engaged GKC for further work involving Splunk this year.