Using Splunk Data Analytics to Protect Students, Faculty, and the University


  • Chris Kurtz, System Architect, Arizona State University

About Us

  • First Google Apps for Education customer
  • Multiple campuses with a diverse IT infrastructure
  • Large # of governing reqs: FERPA, HIPAA, DARPA, DoJ, NASA, JPL
  • Splunk is an Enterprise-level product, with easy access to all departments inside the University Technology Office (ISO/InfoSec, Ops, Dev, BA/BI, Accounting, Netcom, etc.). We wanted everyone to have equal access

The Power of Splunk

  • Is ASU’s universal aggregator of all machine generated logs
  • Typical response time to incident without Splunk: multiple days.
  • With Splunk, we have direct, immediate access…minutes!

Splunk and ASU

  • Had it for 4 years now.
  • It needs a lot of power to run properly
  • Use enterprise search head clustering and security
  • Licensing 1TB/day
  • Growth slowing down because we’re learning to better filter data
  • Admissions and payroll are beginning to use it

We Didn’t Know!

“It was like the invention of the microscope: we didn’t know what we couldn’t see” – Martin Idaszak, Security Architect, ASU

Use Case: Protecting Direct Deposit

  • Changing EE info online is great, but a target for hackers
  • ASU has international students, faculty and staff, so just blocking other countries isn’t accessible
  • Before Splunk: whenever an EE was missing a direct deposit check, the investigation would take days, during which time it would sit between HR and Payroll systems. We were hand-protecting only a handful of people’s paychecks.
  • With Splunk, we check geo tag info, do an affiliate lookup, and put it into an unusual changes report which payroll checks.
  • Payroll will not run the payroll job WITHOUT this report now.
  • This is the most valuable data I have in Splunk, by far.
  • Where do you change your direct deposit from? Home and work. We take advantage of the “user’s center of gravity” to make a determination if the request is unusual.
  • False positives? YES. False responses? NO.
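The “center of gravity” check described above, written out as a runnable illustration. This is added example code, not ASU’s Splunk search: it models an employee’s usual locations as the set of geo-tagged sign-ins seen before, enriches each direct-deposit change with an affiliate lookup, and reports any change whose origin is farther than an assumed 100 km from all of those locations (or for which no history exists). The affiliate IDs, names and coordinates are constructed sample data.

```python
# Added example (not ASU's Splunk search): screen direct-deposit changes against
# each employee's usual locations, the "center of gravity" idea from the talk.
from math import radians, sin, cos, asin, sqrt
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0

# Constructed sample data; affiliate IDs, names and coordinates are made up.
# Affiliate lookup table, as a Data Warehouse export might provide it (assumed shape).
AFFILIATES = {
    "A100": {"name": "Alice Example", "type": "staff"},
    "A200": {"name": "Bob Example", "type": "faculty"},
    "A300": {"name": "Carol Example", "type": "staff"},
}

# Past geo-tagged sign-ins per affiliate: home and work for A100,
# campus plus regular remote work from New York for A200.
HISTORY = [
    ("A100", 33.42, -111.93),  # Tempe campus
    ("A100", 33.45, -112.07),  # home in Phoenix
    ("A200", 33.42, -111.93),  # Tempe campus
    ("A200", 40.71, -74.01),   # New York
]

# Direct-deposit change events to screen: (event_id, affiliate_id, lat, lon).
CHANGES = [
    ("e1", "A100", 33.44, -111.95),  # a few km from campus: expected
    ("e2", "A100", 6.52, 3.38),      # Lagos: nowhere near A100's usual places
    ("e3", "A200", 40.72, -74.00),   # New York: normal for A200
    ("e4", "A300", 33.42, -111.93),  # no sign-in history to compare against
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def usual_locations(history):
    """Group historical sign-in coordinates by affiliate ID."""
    places = defaultdict(list)
    for affiliate_id, lat, lon in history:
        places[affiliate_id].append((lat, lon))
    return places


def unusual_changes(changes, history, affiliates, radius_km=100.0):
    """Build the 'unusual changes' report: every change whose origin is more than
    radius_km from all of the employee's usual locations, plus any change for
    which no history exists. Rows are reported for human review, not blocked."""
    places = usual_locations(history)
    report = []
    for event_id, affiliate_id, lat, lon in changes:
        who = affiliates.get(affiliate_id, {})
        row = {"event": event_id, "affiliate": affiliate_id,
               "name": who.get("name", "unknown"), "type": who.get("type", "unknown")}
        known = places.get(affiliate_id)
        if not known:
            row["reason"] = "no location history"
            report.append(row)
            continue
        nearest = min(haversine_km(lat, lon, klat, klon) for klat, klon in known)
        if nearest > radius_km:
            row["reason"] = f"{nearest:.0f} km from nearest usual location"
            report.append(row)
    return report


if __name__ == "__main__":
    for row in unusual_changes(CHANGES, HISTORY, AFFILIATES):
        print(row)
```

On the sample data the report contains e2 (the Lagos request) and e4 (an affiliate with no history); e1 and e3 are within a few km of a known location. As the talk notes, this produces false positives by design: the output is a review list for payroll, not an automatic block.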

Use Case: Phishing as a Teaching Tool

  • We have 100K users. In 2015, we received 1 billion email messages, more than 750 million were spam and phishing.
  • We have students from all across the world, transient by nature, can’t assume traffic from Nigeria, China or Malaysia are hacking attempts. In fact, it’s probably legitimate!
  • Some Indian students were forced by their parents to give them their login credentials, which resulted in some interesting traffic and double-logins from completely different areas! We ended up setting up special limited accounts for these parents.
  • Do NOT store user emails in Splunk, only the headers that transit our system.
  • “This is the best tool we’ve seen in 10 years” – Jay Steed, AVP for UTO Operations, ASU

Leveraging Your Custom Data

  • It’s limited if you’re only reading logs.
  • If you don’t understand context of your data sources, you won’t get as much as you can get out of the product.
  • No schemas! No types! Eval is your friend.
  • Combine all data types in any way you want, on the fly.
  • “Think of it like a database where time is the primary key”
  • Don’t limit the power of Splunk!
  • Start using the Common Information Model now!
  • Not formatting data limits its value. Pull in secondary/ancillary data that makes sense of data in your logs. Makes the field extractions more valuable.
  • For ASU, the master datasource is the Data Warehouse. Affiliate ID is the unique ID.
  • Isolated Splunk server running Splunk DB Connect (DBXv2) runs SQL queries on several databases and writes a series of lookup tables (keyed on the Affiliate ID) every 4 hours. Linux inotify monitors the lookup tables and, on write-close, copies the data to production systems (sanity checking applies).
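The “sanity checking” step in that pipeline, as an added example rather than ASU’s own code: when the write-close event fires for a freshly generated lookup CSV, the candidate is checked against the previous good copy before anything is copied to the production search heads. The column names (`affiliate_id`, `display_name`, `department`), the 10% shrink tolerance and the sample tables are all assumptions made for this illustration.

```python
# Added example (not ASU's pipeline code): sanity-check a freshly written lookup
# CSV before it is promoted to production. Column names are our own assumption.
import csv
import io

KEY_COLUMN = "affiliate_id"
REQUIRED_COLUMNS = ("affiliate_id", "display_name", "department")

# Constructed sample tables; the IDs and names are made up.
PREVIOUS_CSV = """affiliate_id,display_name,department
A100,Alice Example,Payroll
A200,Bob Example,Engineering
A300,Carol Example,Admissions
A400,Dan Example,Library
"""

# A healthy refresh: same people plus one new hire.
NEW_GOOD_CSV = """affiliate_id,display_name,department
A100,Alice Example,Payroll
A200,Bob Example,Engineering
A300,Carol Example,Admissions
A400,Dan Example,Library
A500,Eve Example,Netcom
"""

# A broken refresh, e.g. a query that failed part-way: a duplicated key,
# an empty key, and far fewer rows than last time.
NEW_BAD_CSV = """affiliate_id,display_name,department
A100,Alice Example,Payroll
A100,Alice Example,Payroll
,Ghost Row,Unknown
"""


def parse_lookup(text):
    """Return (header, rows) for a CSV lookup held in memory."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    return list(reader.fieldnames or []), rows


def check_lookup(candidate_text, previous_text, key=KEY_COLUMN, max_shrink=0.10):
    """Return a list of problems found in the candidate table; an empty list means
    it is safe to copy into place. Compares against the previous good copy."""
    header, rows = parse_lookup(candidate_text)
    _, previous_rows = parse_lookup(previous_text)
    problems = []

    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return [f"missing columns: {', '.join(missing)}"]

    seen = set()
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        value = (row.get(key) or "").strip()
        if not value:
            problems.append(f"line {line_no}: empty {key}")
        elif value in seen:
            problems.append(f"line {line_no}: duplicate {key} {value}")
        else:
            seen.add(value)

    if not rows:
        problems.append("table has no data rows")
    elif len(rows) < len(previous_rows) * (1.0 - max_shrink):
        problems.append(f"row count fell from {len(previous_rows)} to {len(rows)}")
    return problems


def promote(candidate_text, previous_text):
    """Return the text that should be live after this refresh (the candidate if it
    passes, otherwise the previous good copy) together with the problem list."""
    problems = check_lookup(candidate_text, previous_text)
    return (candidate_text if not problems else previous_text), problems


if __name__ == "__main__":
    for name, table in (("good", NEW_GOOD_CSV), ("bad", NEW_BAD_CSV)):
        print(name, check_lookup(table, PREVIOUS_CSV))
```

The check is deliberately conservative: a refresh that fails keeps the previous table live, so a partial database extract cannot silently empty the lookups that the affiliate enrichment and the direct-deposit report depend on.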


  • Heavily invested in Splunk because it solves many of our outstanding problems.
  • 1st round of data onboarding concentrated on needs of ISO office
  • 2nd round focused on operations needs, with some interesting use cases thrown in as they appear
  • 3rd round is expanding Splunk usage and bringing it to the enterprise
  • Splunk’s savings in man hours, extreme flexibility, use to validate other systems, and goals to replace antiquated systems has very much paid off
  • Get your data into Splunk!
  • Modify it later.
  • Use the people who “get it” as evangelists
  • Don’t get caught up on “use cases.” Once you have the data in Splunk, use cases present themselves repeatedly. Think of it as use case on demand.

Accessibility Technology

Making Mobile Both Accessible and Secure


URL for slides (you’re gonna need it, the slides have thousands of bullets and I couldn’t possibly capture all of it here):

  • Costs to business of incompatible mobile security and accessibility?
  • Weak links
  • There are security gaps to be checked for


  • BYOD
  • Examples of inaccessible security
  • Risks of inaccessible security
  • Risks of non-secure accessibility
  • Items to consider when implementing a secure accessibility
  • Challenges you’ll encounter

A whole slide of disclaimers:  how IBM is approaching this topic, conclusions are based on anecdotal experiences, etc.

Risks related to inaccessible security:  biggest risk is the human element

Some interesting stats on BYOD:  most enterprises have personal devices accessing corporate resources, 89% of IT departments support them, but 46% are unmanaged.

Accessibility and Security don’t always work together; we start from a foundation of risks (508 and other intl. legislation).  Showed a slide of big corporations that had litigation against them, Target, Netflix, Google, etc.  Yes, the “risk” is real, but of course we all know that corporations should do accessibility because it’s good for business AND it’s the right thing to do.  The presenter talked about brand, what it’s worth to your company, that sort of thing.  Sadly, the presentations I’ve seen given to corporate audiences seem to be driven primarily by fear and pursuit of the bottom line.  This presentation (so far) is following that line.

PDFs recently had an issue where secured docs could be read with a screen reader.  Within IBM, Antivirus could not be used by blind employees, so they needed to use an alternate AV program.

QUOTABLE QUOTE:  “If a security test fails an individual’s capabilities, it fails as an implementation.  If a security test fails the situation, it fails as a solution.”


  1. AT do not function correctly in a secure env
  2. Unverified AT leave exposures to security
  3. Security is unusable
  4. Secure solutions may not be able to be retrofitted for accessibility

They had a complicated slide that showed “10-Steps to security”

Slide with a triangle containing:  Accessibility, Security, Enterprise

Embed standards into the enterprise (mandates, processes, guidance, metrics, education, documentation, tools)


Slide about platforms:  OS, Hardware, carrier, AT

Slide showing a pie chart of platforms, there were about 50 (completely unreadable, but did show the scale of the problem)


  • AT (SR, Zoom, preconfigure, dev tools)
  • Security (platform settings, policy, partitioning)


Siri is a problem because “we don’t know what happens to that spoken utterance, it doesn’t stay on the device, it goes to what we’re told is a secure server.”

QUESTION:  what about captioning and transcription services?  These fall into the same bucket.  Concern is the unknown about “who’s wearing the Siri face” right now.

Evaluate AT for security

  • Does it run correctly when the security is engaged?
  • Does it have artifacts that leave unprotected content (logs, buffers, off-device processing, transmission, secure processing; is encryption adequate)?
  • Does it work in public / private situations?
  • Does it require a network connection?

Accessible Authentication

  • Pwd length, complexity, time-outs, alternatives
  • Biometrics:  consider cost, environmental considerations, alternatives
  • Graphical pwds (not suitable for devices without a mouse or touch-screen access)


  • MDM, Security, Enterprise Applications
  • Bare metal vs. Hosted (type 2, like VMware)
  • Container virtualization (e.g. Enterproid Divide), similar to the UNIX chroot solution
  • Have to assess these solutions for accessibility

Paul’s sidebar regarding the “model” of IBM presentations:  they provide lots of big-sounding questions and problems, present slides that are overloaded with gobs of information, focus on compliance (often injected with fear), but not a lot of practical information.  Ya gots ta pay for that stuff, buddy.

IBM uses “Worklight,” a tool that sounds similar to PhoneGap, but it comes with a lot more under-the-hood stuff for policies, server interaction, endpoint management and management of services, etc.

Enable, monitor, and enforce compliance

System settings, software inventory, software distribution, automation, monitoring, reporting, taking action

Slide:  Rapid transformation of change (loaded with literally a hundred items and completely unreadable.  Again, shows just how complicated things are)

Mobile standards are lagging growth

New hypervisors have been announced by VMware (type 2) and Redbend vLogix Mobile (type 1)

10 new MDM solutions reported May 2012

Retrofitting is expensive and may in fact not work at all
