SplunkLive! Nashville: Texas Roadhouse


Upload: john-miller

Post on 16-Apr-2017


TRANSCRIPT

Page 1: SplunkLive! Nashville Texas Roadhouse

Copyright © 2015 Splunk Inc.

Splunk at Texas Roadhouse

Page 2: SplunkLive! Nashville Texas Roadhouse

John Miller, Information Security Manager, Texas Roadhouse IT

Page 3: SplunkLive! Nashville Texas Roadhouse

A Bit About Me …
– I’m an old school BBSer, phreaker and general mayhem generator who STILL gets excited when the new issue of 2600 magazine comes out
– 20+ years “professional” experience networking or securing just about everything
– 30+ years “non-professional” experience trying to break networks to discover the how and why when it goes boom
– Have designed or secured networks ranging from Fortune 100 corporations to mom and pop stores, banks, police departments, prisons and government installations
– Always learning, testing and finding ways to both break things and fix them…sometimes with extra parts

Page 4: SplunkLive! Nashville Texas Roadhouse

About Texas Roadhouse
– 465 locations
  – 49 U.S. States
  – 4 Foreign Countries: Saudi Arabia, Kuwait, UAE, Taiwan
– $1.6 billion in annual revenue
– 43,300 employees

Page 5: SplunkLive! Nashville Texas Roadhouse

What We’re Protecting
Always looking to improve security and visibility to protect proprietary and sensitive information across the organization

Internal Data:
– Employee information
– Corporate information
– Financials
– Proprietary recipes
External Data:
– Credit card data
– Customer information
Assets:
– Business process systems
– POS terminals
– Employee workstations
– Laptops

Page 6: SplunkLive! Nashville Texas Roadhouse

Security Challenges We Face
Variety of Threats:
– Attacks against corporate entities
– Phishing/spear phishing attacks
– Social media phishing / hashtag hijack / account takeover
– POS malware
Diverse, Dispersed Endpoints:
– 8,000 in-store endpoints – geographically dispersed! (POS devices, computers)
– 2,000 corporate endpoints (laptops / desktops / servers, infrastructure devices / security hardware and software, mobile devices)
– Small security team
SOX / PCI Compliance

Page 7: SplunkLive! Nashville Texas Roadhouse

What I Stepped Into …
Situation:
– Using Splunk for many years – but not for security
  – Event logging for PCI compliance
  – General logging
– Multiple vendor interfaces for management
Impact:
– Security felt more reactive at times
– No idea what might be lurking in the network without touching multiple tool interfaces to research anomalies

Page 8: SplunkLive! Nashville Texas Roadhouse

Time to Roll Up My Sleeves
Humble Beginnings:
– Looked through dozens of dashboards and streams from disparate apps and hardware front ends
Weaving the Story:
– Looked for anomalies
– Stitched it all together to get a complete picture

Page 9: SplunkLive! Nashville Texas Roadhouse

Inherently Flawed
– Chasing one-off anomalies
– Manual correlations
– Ineffective use of time
– Potential to miss a lot of threats/malware
– No centralized visibility
– No centralized reporting

Page 10: SplunkLive! Nashville Texas Roadhouse

Why Splunk Enterprise Security?
Looked at QRadar, ArcSight, LogRhythm:
– Limited on what data can be ingested
– Difficult to impossible to customize
– Strict rule sets
Existing investment in Splunk:
– Leverage existing data store
– One interface to manage
Needed a big data tool that could handle security and non-security use cases

Page 11: SplunkLive! Nashville Texas Roadhouse

Splunk Helped Us Learn About Ourselves!
Much better idea of what was going on with the network and systems as a whole
– More data
– More categories and blocks
New levels of visibility
– Blacklisted sites
– Inappropriate lookups
– Malware on endpoints not caught by AV
– Insights into POS communications
Identified weak points
Single pane of glass = one stop shop!

Page 12: SplunkLive! Nashville Texas Roadhouse

Additional Benefits
One tool for IT Ops and Security
– All data allowed from any group
– Flexible and customizable
Visibility across the organization

[Slide graphic: Splunk platform use cases – IT Operations; Application Delivery; Developer Platform (REST API, SDKs); Business Analytics; Industrial Data and Internet of Things; Security, Compliance, and Fraud]

Page 13: SplunkLive! Nashville Texas Roadhouse

My Advice
Look at your options and choose what fits your talent pool
– Customize dashboards
– Dig into data
– Perform complex searches
Legacy SIEMs wouldn’t let us do that!

Page 14: SplunkLive! Nashville Texas Roadhouse

Future Plans
– Work with the development team to see if Splunk can help them
  – Development process
  – Developmental testing
– More IT operations integration
– Ticketing system integration
– Active defense

Page 15: SplunkLive! Nashville Texas Roadhouse

Thank You