The IT Service Provider Finanz Informatik - Splunk...2015/09/14 · 6 x decentralize Intermediate Forwarder 12 x Decentral event-data transportation to the datacenters September 2015

The IT Service Provider

Finanz InformatikWho we are. What we do.

© Finanz Informatik 2015Alle Rechte vorbehalten. Jegliche Weitergabe

und Verwendung erfordert die Zustimmung der FI.

Content

.Overview of the company Finanz Informatik and Requirements

.Architecture

.Use case

.Questions

23.09.2015

The IT Service Provider Finanz Informatik – splunk.conf2015

Page 2



The company serves a large part of the German retail banking

market

September 2015


Page 3

Finanz Informatik – Company

Revenue (in mill. €) 1,624

with saving banks 976

with state banks 338

Employees (full-time equivalents) 4,825

Customers

Savings banks 414

State banks + DekaBank 8

State home loan banks 9

Accumulated balance sheet of supported

savings banks (in bill. €) (2014)

764

December 30st, 2015

1) Sources: DSGV, statista (12/31/2014)

Savings Banks Financial Group Credit Unions Private Banks, other



Significant scale can be achieved through bundling volume IT

services

September 2015


Page 4

Supported financial institutions

Branches of supported savings banks 14,676

Bank-specific employees of supported

savings banks

189,362

Processing volumes

Supported accounts (in mill.) 123

End devices

ATMs 24,693

Statement printers 14,155

Other self-service terminals 14,790

Booked entries per annum (in bill.) 11,6

December 31st, 2014



Finanz Informatik is competitively positioned with its

comprehensive portfolio

September 2015


Page 5



What was our initial situation

September 2015


Page 6

.Requirements



Our Requirements for one solution

September 2015


Page 7

High availability, efficiency

and safety

Cross-Platform correlation

Multi-Tenancy

Realtime reporting and

alerting

Mainframe UNIX Windows Network

Logfile analysis

Separated by platform

Mainframe UNIX Windows Network

splunk>

Logfile analysis

Cross-platform

Different Enterprise solutions

The Requirements The SolutionThe Problem



2014 / 1.Q.

The todays result of our logvolume growth

September 2015


Page 8

PoC Implementation run & ongoing development

Todays data

1.7 TB/d Logvolume

4,500 Searches

450 Apps

2013 / 4.Q. 2014 / 2.Q. 2014 / 3.Q. 2014 / 4.Q. 2015/ 1.Q. 2015 / 2.Q.

Am

ou

nt

Time

500 GB/d



How we implemented the Requirements

September 2015


Page 9

.Architecture



FI-Architecture-Pyramid for splunk>

September 2015


Page 10

Presentation

Data

Security and Forwarding

Sources

6 SearchHead Pools for

• Customer-Product and

• internal investigations.

38 Indexer divided in 3 Clusters

which are holding the data.

48 Forwarders - Door-Keepers

for the Security-Environment.

Linux, AIX, Solaris ,Windows,

Mainframe, Network, Databases



Transport-Layer – Syslogs and Heavy-Forwarders as

entry points for the different sources

September 2015


Page 11

Datacenter 1 Datacenter 2

Syslog-ng

and

Heavy-Forwarder

Intermediate – Forwarder

(trusted Network)



6 x decentralize Intermediate Forwarder

12 x

Decentral event-data transportation to the

datacenters

September 2015


Page 12

6 x decentralize Intermediate Forwarder

Centralized Intermediate Forwarder

12 x

Centralized Intermediate Forwarder

Dual-Datacenter A

Decentral Dual-DatacenterDecentral Dual-Datacenter

Dual-Datacenter B

secured

trusted

Volume:

600 GB

Volume:

500 GB

Volume:

400 GB

Volume:

200 GB



The Main-Core: Data delivering, replication and

searching within a dual datacenter design

September 2015


Page 13

Infrastructure-Data38 Indexer (physical)

• each 24 Cores and 128 GB

48 Forwarder

12 Search Heads (physical)

30 TB NAS

120 TB SAN

Searching

Replication and

distributed

data storing

Data delivering



Presentation and Administration: Operating with well

known apps …

September 2015


Page 14

… and self developed Apps!



FI-Operation-Monitoring-App for adminstration and

monitoring of the infrastructure

September 2015


Page 15

BucketsAssets

Performance

Storage

Status

Operating



A short story about one of our main use cases

September 2015


Page 16

.Use case



Control checks the contact with customer data and

follows on all platforms a uniform expiry

September 2015


Systemprotocols Central saving Longterm saving

noncriticalCheck by

head of

department

Check by

Securitiy

Information

ManagementWith suspicion of a security incident the standard process "Critical

Security Incident" will be started with participation of workers’s council

Control

Systems Databases Network Application

1

2

scheduled searches (automatic inspection)3

4 5 6

7

1 - creating logfiles

2 - central saving logfile

3/4 - scheduled searches on Logfiles

5/6/7 - control

Page 17



In the Finanz Informatik the demands of control

are fulfilled with the application splunk>

September 2015


Page 18

logon• unsuccessful logons

• successful logons on non-buiseness times, etc.

Access to and change of configuration• (un-)successful access to objects under control,etc.

Change of access authorization• creating and deleting/deactivating accounts, etc.

• blocking accounts

• right escalation

Services of control are offered to saving banks and to Finanz Informatik departments

• 90 savings banks (End of 2015) daily get the results of savedsearches as automatically created reports (pdf)

• each report inherits the results of (at the moment) 25 saved searches

• Head of departments (Finanz Informatik) also get daily reports and an alarm in one hour (in case of a security incident)

• depending on the requirement the amount of savedsearches is between 15 up to 30 savedsearches

• each report is equivalent to on app(UI)

when – who – what – where – from where



~190,000

technical accounts

~8,000

natural accounts

names

business units

…

Events

• security

• applications

• platforms

• …

services

hostnames

applications

configurations

...

Different sources and mechanismen are used

to create ~200 dashboards/reports

September 2015


Page 19

report/

dashboardcorrelation

technical

userlogs

data

organisationcmdb



Complex IT-architectureHigh amount of searches will be scheduled daily in a short time period

September 2015


Page 20

~200 Apps (UI)

Platforms• mainframe (zOS),

• unix (solaris, AIX, linux),

• Windows (2003, 2012)

Databases• DB/2, Oracle, MSSQL, IMS

Network• switches, routers, firewalls

Application• OSPLus (core banking)

• transaction management

• identity access management

• and many, many more …

System Control

~300 Technical Apps

• TA, CFG, LK, SA

Administrator

Business

Intelligence

1



about 2,500 searches …about 2,000 searches …

Complex IT-architectureVery great amount of searches will be scheduled daily in a short time period

September 2015


Page 21

Saving Banks

customer reports

Finanz Informatik

internal reports

daily

01:00 am to 03:00 am

Actually Finanz Informatik schedules about 4,500 searches a day

Great challenge for splunk> and infrastructure at Finanz Informatik (economic view)

daily

03:00 am to 06:00 am

2

In 2016 more then

10,000 searches

will be expected


und Verwendung erfordert die Zustimmung der FI.September 2015


Page 22

.Questions?

Thank you for

your kind attention.

Back up

Documents

The IT Service Provider Finanz Informatik - Splunk...2015/09/14 · 6 x decentralize Intermediate Forwarder 12 x Decentral event-data transportation to the datacenters September 2015