Travis Perkins cements its security with a Splunk foundation
- Summary:
- The UK-based building materials and home improvement retailer can now respond to IT security incidents in hours, rather than weeks, according to CISO Nick Bleech.
While Travis Perkins, the UK’s largest builders merchant and home improvement retailer, remained secure, one of its competitors did not escape. French construction materials company Saint-Gobain was forced to disconnect IT systems in order to protect its data. The company’s UK-based subsidiary Jewson, branches of which were taken offline during the attack, is one of Travis Perkins’ closest rivals.
The events of that week confirmed to Bleech the value of measures that he has taken at Travis Perkins to ensure the company stays on top of any threats to its own systems. Speaking to diginomica on 29 June, he said:
The thinking that has guided us through the last 72 hours since the news broke is that there’s been a cyber security incident and we won’t wait to be attacked. We’ve put ourselves on the alert so that we can respond in a matter of hours if it turns out we come under attack. That’s the posture we’ve been in this week.
Just a year or so ago, however, a response measured in hours would have been impossible for Bleech and his team to achieve. They might have been scrabbling around for the best part of three weeks to get a real grip on the situation, he said.
But today, Travis Perkins has an effective security information and event management (SIEM) system in place to give it insight into what’s happening across its IT environment. This is based on technologies from Splunk, including Splunk Cloud, Splunk Enterprise and Splunk Enterprise Security (Splunk ES).
A cloud-first approach
When Bleech arrived at Travis Perkins almost four years ago, he was drawn to the company by its ‘cloud-first’ IT strategy. His work in the early years of the millennium on the Jericho Forum, an international group of corporate CISOs working to define and promote ‘de-perimeterization’ as a security approach, meant he recognized early on the likely impact of cloud technologies on the threat landscape.
The CISO role at Travis Perkins thus presented a good opportunity to put to the test the thinking he’d already developed in previous jobs, including the CISO position at Rolls-Royce. Said Bleech:
Coming in to Travis Perkins, my pitch, if you will, to the CIO and to the board was: ‘Well, we are going to be putting a lot of trust in the Cloud, but as Ronald Reagan once said, “Trust, but verify” - and, for me, verify means monitoring.’
Bleech was informed that the company already had some security monitoring in place and was invited to take a look and give his opinion:
What I found was a failed strategy. There was no clear idea of what the monitoring was there to do, what the use cases or critical success factors were, and there was no clear idea either of where the implementation was going.
The process of coming up with a better alternative led Bleech very quickly to Splunk, he says, although tools from HP, IBM and LogRhythm were also considered. He also spent a great deal of time on identifying the broad use cases that Travis Perkins needed to cover - for example, compliance with the PCI-DSS standard for handling credit card payments in its retail operations.
Aside from compliance, there were two other categories into which use cases fell: incident handling and forensic investigation. As Bleech explained:
If we’ve got all this data coming in from security tools and controls, it’s not just the ‘here and now’ of responding to an incident that we need to handle, but also how we find out what happened in an incident, what led up to it and what damage may have been done.
Feeding Splunk
A twelve-month pilot of Splunk convinced Bleech that the technology was up to the job of handling the predefined use cases he threw at it, leading to a full implementation in early 2016. The log data that ‘feeds’ Splunk includes firewall logs, server logs (both Windows and Unix) and logs from security tools such as Forcepoint (previously Websense), FireEye and Cisco Cloudlock. In other words, log files are coming into Splunk from both on-premise and cloud systems, and are supplemented with threat intelligence feeds from Facebook.
This data is then presented to the IT operations team in the form of dashboards and alerts, so that they can act as ‘first responders’ to potential threats, taking immediate action and, where necessary, escalating the more difficult or complex cases to a dedicated security operations centre, or SOC.
Using Splunk ES, Travis Perkins is now able to calculate risk scores for different threat activities based on previously correlated data or alerts from the company’s existing security solutions. The relevant IT teams then react to risk scores, using a pre-defined ‘playbook’ response.
That playbook response is important, argued Bleech, because it’s fast:
If you’ve got a canned procedure, you can deal with the vast majority of security incidents very quickly. It’s like a spray can: you spray it, and the fly will drop dead.
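The workflow the article describes (alerts from several sources correlated per host, a risk score that decides whether the IT operations team handles the case with a canned playbook or escalates it to the SOC, and a timeline for the forensic ‘what led up to it’ question) is compact enough to sketch in code. The following is an added illustration written for this page, not code from Travis Perkins or Splunk; the source names, signal names, risk weights, thresholds and sample events are all constructed assumptions, and a real SIEM’s risk rules would carry their own weights and tiers.

```python
"""Risk-based alert triage in the style of the SIEM workflow described above.

Added illustration, not Travis Perkins' or Splunk's code. Every source,
signal, weight, threshold and sample event below is a constructed assumption.
"""
from dataclasses import dataclass, field

# Constructed sample alerts, already normalised to one shape, as a SIEM would
# hold them after ingesting firewall, Windows event, web proxy and threat-feed data.
SAMPLE_EVENTS = [
    {"ts": "08:01:10", "source": "firewall",     "host": "ws-1042",  "signal": "outbound_smb_blocked"},
    {"ts": "08:01:12", "source": "winlog",       "host": "ws-1042",  "signal": "remote_service_install"},
    {"ts": "08:01:30", "source": "threat_intel", "host": "ws-1042",  "signal": "ioc_hash_match"},
    {"ts": "08:05:00", "source": "proxy",        "host": "ws-0213",  "signal": "uncategorised_domain"},
    {"ts": "08:06:00", "source": "winlog",       "host": "srv-dc01", "signal": "failed_logon_burst"},
    {"ts": "08:07:00", "source": "winlog",       "host": "srv-dc01", "signal": "failed_logon_burst"},
]

# Assumed per-signal risk contributions (a SIEM's risk rules would define these).
RISK_WEIGHTS = {
    "outbound_smb_blocked": 20,
    "remote_service_install": 40,
    "ioc_hash_match": 50,
    "uncategorised_domain": 5,
    "failed_logon_burst": 15,
}

# Assumed playbook tiers: below the first threshold the case is only watched,
# between the two the IT operations first responders run their canned playbook,
# at or above the second the case is escalated to the SOC.
IT_OPS_THRESHOLD = 25
SOC_THRESHOLD = 80
CORROBORATION_BONUS = 10  # per additional independent source reporting the same host


@dataclass
class RiskObject:
    host: str
    score: int = 0
    signals: list = field(default_factory=list)  # distinct contributing signals
    sources: set = field(default_factory=set)    # distinct contributing sources


def correlate(events):
    """Aggregate alerts per host into a risk score.

    The score is the sum of the signal weights, plus a bonus when several
    independent sources corroborate activity on the same host.
    """
    by_host = {}
    for ev in events:
        ro = by_host.setdefault(ev["host"], RiskObject(ev["host"]))
        ro.score += RISK_WEIGHTS.get(ev["signal"], 0)
        if ev["signal"] not in ro.signals:
            ro.signals.append(ev["signal"])
        ro.sources.add(ev["source"])
    for ro in by_host.values():
        ro.score += CORROBORATION_BONUS * (len(ro.sources) - 1)
    return by_host


def triage(risk_objects):
    """Map each host's correlated score to a playbook tier."""
    decisions = {}
    for host, ro in risk_objects.items():
        if ro.score >= SOC_THRESHOLD:
            decisions[host] = "escalate_to_soc"
        elif ro.score >= IT_OPS_THRESHOLD:
            decisions[host] = "it_ops_playbook"
        else:
            decisions[host] = "monitor"
    return decisions


def timeline(events, host):
    """Ordered (timestamp, source, signal) view of one host for forensic review."""
    rows = [(e["ts"], e["source"], e["signal"]) for e in events if e["host"] == host]
    return sorted(rows)


if __name__ == "__main__":
    risk = correlate(SAMPLE_EVENTS)
    for host, tier in triage(risk).items():
        print(f"{host:10} score={risk[host].score:4} -> {tier}")
    for row in timeline(SAMPLE_EVENTS, "ws-1042"):
        print("  ", *row)
```

With the constructed input, the workstation reported by three independent sources scores well above the SOC threshold and is escalated, the domain controller with a repeated logon-failure signal lands in the first-responder tier, and the single proxy event stays in monitoring. The design point is that the tier decision is driven by the correlated score rather than by any single alert, so a noisy low-weight source cannot on its own trigger an escalation, while corroboration across sources raises the score faster than the sum of the individual alerts would.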