BSkyB bolsters customer ID and login security with Splunk

Derek du Preez, October 8, 2014
Summary:
The media giant had been using in-house tools to analyse logs for malicious activity, but these were struggling under the strain of BSkyB's growing portfolio.

British Sky Broadcasting (BSkyB), Rupert Murdoch's media empire, is about to go live with Splunk to help it bolster security and monitor suspicious activity across its customer identity login services.

The company has, up until now, been using in-house developed tools, dashboards and visualisations to keep an eye on malicious activity, but these have begun to creak under the pressure of the constant roll-out of new services that require a customer ID.

I spoke with Mark Debney, BSkyB's principal engineer of DevOps, at Splunk's annual user conference in Las Vegas this week to discuss the project. Debney explained that Sky iD, which provides a gateway to a whole host of services that include NOW TV, Sky Go and Sky Email, requires constant monitoring to ensure that customer details do not end up in the wrong hands. He said:

A few years ago our own internal security team started looking for customer behaviour attacks. So a basic example would be: a Sky customer signs in from one IP and then half an hour later signs in from another IP in another country; that would look suspicious to us. We now have to analyse, over a long period of time, lots of different types of attacks we may experience.

But Sky brings on new services all of the time and so our capacity for Sky ID was growing. We had previously been using a bunch of tools that we had developed in house - dashboards, visualisations, plus a bunch of number crunching engines that would look at log files and analyse IPs. However, these were becoming time consuming and there was a lot of development work to keep them up and running, to keep them coping with additional loads.

The actual core identity applications, those we can scale, that's our day job. We found that the security tools needed to be more powerful because they were analysing all of that data that was generated by the other apps – so we got to the point where we stopped and thought, let's think about this sensibly and let's not try to scale these things, let's get something in that can do the job for us.

Things weren't falling apart, but they were getting pretty close.
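The rule Debney describes above (one customer, two sign-ins from different countries within about half an hour) is a simple form of what is often called impossible-travel detection. As an added illustration, not code from Sky, Splunk or this article, the block below runs that rule over a few constructed sign-in log lines. The log format, the field names and the per-line country value are assumptions; in a real deployment the country would come from a GeoIP lookup, which this example deliberately does not perform.

```python
"""Impossible-travel style detection over constructed sign-in log lines.

Added example (not Sky's or Splunk's code): flags a user who signs in from one
IP and, within a short window, from another IP in a different country.
The country is supplied per line here as an assumption; in practice it would
come from a GeoIP lookup, which this example does not perform.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format:
#   <ISO timestamp> <event> user=<id> ip=<addr> country=<ISO code>
SAMPLE_LOG = """\
2014-10-08T09:00:00Z login user=alice ip=203.0.113.10 country=GB
2014-10-08T09:20:00Z login user=alice ip=198.51.100.7 country=US
2014-10-08T09:05:00Z login user=bob ip=203.0.113.22 country=GB
2014-10-08T09:30:00Z login user=bob ip=203.0.113.40 country=GB
2014-10-08T10:00:00Z login user=carol ip=192.0.2.5 country=FR
2014-10-08T12:00:00Z login user=carol ip=203.0.113.9 country=GB
2014-10-08T09:10:00Z logout user=alice ip=203.0.113.10 country=GB
"""

# Half an hour, matching the example given in the article.
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Return a dict for a login event, or None for other events or malformed lines."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "login":
        return None
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    if not all(k in event for k in ("user", "ip", "country")):
        return None
    return event


def detect_country_hops(log_text, window=WINDOW):
    """Flag consecutive logins by one user from different countries within `window`.

    Events are grouped per user and sorted by timestamp first, so lines that
    arrive out of order (as in SAMPLE_LOG) are handled correctly. Sign-ins from
    a new IP in the same country are not flagged on their own.
    Returns a list of (user, earlier_event, later_event) tuples.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            if cur["country"] != prev["country"] and cur["ts"] - prev["ts"] <= window:
                alerts.append((user, prev, cur))
    return alerts


if __name__ == "__main__":
    for user, a, b in detect_country_hops(SAMPLE_LOG):
        print(f"{user}: {a['ip']} ({a['country']}) at {a['ts']:%H:%M} -> "
              f"{b['ip']} ({b['country']}) at {b['ts']:%H:%M}")
```

On the constructed sample only alice is flagged: bob changes IP but stays in the same country, and carol's two countries are two hours apart, outside the window. Widening the window is the knob that trades missed hops against noise from legitimate travel and VPN use, which is why such rules are normally tuned against real sign-in history rather than set once.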

Debney said that the team decided against spending “huge amounts” of money on building new tools in-house to scale the monitoring capabilities, and instead ran a proof of concept with Splunk, in which they were able to quickly transpose many of the rules the old tools had been using into the test environment.

BSkyB has been testing Splunk for a few months now and has just come out of its proof of concept. As part of a capacity increase project for the Sky iD front-end, Debney's team is now building a fully featured Splunk cluster, which he expects to come online in the next couple of weeks.

Apart from the scaling capabilities, BSkyB was also impressed with Splunk's visualisation capabilities – which Debney's team often use to visually spot unusual patterns in behaviour on the fly, allowing them then to create custom rules around that activity. However, he is also hoping that Splunk will be able to improve the efficiency of BSkyB's DevOps environments. Debney said:

I also look after a DevOps team and part of one of the use cases for getting Splunk was that we could do management of our VMware clusters, to get better visibility of what we are actually using at any one point. We are very focused on the performance of our applications and it's about getting our stage environments as closely replicated to our production environments as possible, so getting that visibility is key to us.

At the moment it is very manual, we have to go on to the VMware tools and look at it that way, but with the Splunk app we are able to get much better dashboard visibility.

So, why pick Splunk? Debney said that he was impressed with other log analysis tools on the market, but he found that they all still required a certain amount of development on top.

There are other fantastic tools out there, but they don't have that user friendliness on top. It would still require a fair amount of development time, it would require a development team, to create the apps that go on top of those to create the rule based systems. We can now focus more on the security and less on the development.

Debney also provided some words of warning for others planning to embark on a similar project. He said that companies wanting to get ahead with Splunk should ensure that they know what they want to get out of their log files before dumping them into the Splunk environment (which is something that I've heard a few times at the user conference this week). He said:

I think we had an advantage because we were already very focused on our logs because we had been using the custom tools, so we were replacing something that we had already created. We already understood what our logs were like, we had already customised them a lot to provide the data that we needed.

But I definitely think understanding what is in your logs, rather than chucking it in there and hoping for the best, will help. Get a clear picture about what data you want out of them before you start.
