With the threat of cyberattacks mounting, and following JPMorgan Chase's breach in 2014, Orrstown Bank wanted a way to detect anomalous behavior in its performance, application and network data logs more quickly.
"If attackers can penetrate environments like JPM, we have to work under the assumption they can penetrate us as well," said Andrew Linn, senior vice president and chief information security officer at the Shippensburg, Pa., bank.
So Orrstown decided to subscribe to Splunk Cloud to better monitor, analyze and visualize its data in one place, at a time when the institution's volume of log events continues to grow.
Orrstown, which has $1.2 billion in assets, employs several former IT execs from JPMorgan Chase who had been exposed to the Splunk technology there.
The tool is designed to crunch enterprise data in a single place to monitor for specific behaviors and spotlight potential trouble within the enterprise quickly.
"You can collect all the log data you want," said Linn. "But if you are not sure what the bad behavior is, you can find yourself drowned in data."
Orrstown, which has linked 60 of its data sources to Splunk, knows that it normally sees very low traffic in and out of the bank's data center at night, for example. So if Splunk alerts the bank to a large amount of traffic flowing from its data center to the public Internet off-hours, it's an indicator that something requires investigation.
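The off-hours egress rule described above, written out as an added example (not Orrstown's or Splunk's own code) over constructed flow records, with an assumed data-center range of 10.50.0.0/16 and an assumed quiet window of midnight to 6 a.m.: it learns a typical off-hours hourly egress volume from a baseline period and flags any later hour that exceeds ten times that figure.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

DATA_CENTER = ip_network("10.50.0.0/16")  # assumed data-center range (constructed)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFF_HOURS = range(0, 6)                   # 00:00-05:59, assumed quiet window
SPIKE_FACTOR = 10                         # alert when an hour exceeds 10x the baseline

def is_offhours_egress(rec):
    """True if the flow leaves the data center for a non-RFC1918 address off-hours."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    return (src in DATA_CENTER and not any(dst in n for n in INTERNAL)
            and rec["ts"].hour in OFF_HOURS)

def hourly_egress_bytes(records):
    """Sum off-hours egress bytes into (date, hour) buckets."""
    buckets = defaultdict(int)
    for rec in records:
        if is_offhours_egress(rec):
            buckets[(rec["ts"].date(), rec["ts"].hour)] += rec["bytes"]
    return dict(buckets)

def anomalous_hours(records, baseline_records):
    """(date, hour, bytes) buckets exceeding SPIKE_FACTOR x the median baseline hour."""
    baseline = hourly_egress_bytes(baseline_records)
    typical = median(baseline.values()) if baseline else 0
    threshold = max(typical * SPIKE_FACTOR, 1)   # never alert on zero-byte hours
    current = hourly_egress_bytes(records)
    return sorted((d, h, b) for (d, h), b in current.items() if b > threshold)

def _rec(ts, src, dst, nbytes):
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "bytes": nbytes}

# Constructed baseline: three quiet nights, ~40 KB per hour of routine egress.
BASELINE = [_rec(f"2015-03-0{d}T0{h}:15:00", "10.50.1.20", "203.0.113.9", 40_000)
            for d in (1, 2, 3) for h in OFF_HOURS]
# Constructed night under review: a 2 GB transfer to a public host at 02:30, a large
# internal backup (private destination, must not count) and a daytime transfer.
TONIGHT = [
    _rec("2015-03-04T01:10:00", "10.50.1.20", "203.0.113.9", 40_000),
    _rec("2015-03-04T02:30:00", "10.50.2.7", "198.51.100.77", 2_000_000_000),
    _rec("2015-03-04T02:45:00", "10.50.2.7", "10.60.0.5", 5_000_000_000),
    _rec("2015-03-04T14:00:00", "10.50.2.7", "198.51.100.77", 3_000_000_000),
]

if __name__ == "__main__":
    for date, hour, nbytes in anomalous_hours(TONIGHT, BASELINE):
        print(f"ALERT {date} {hour:02d}:00 off-hours egress {nbytes:,} bytes")
```

Only the 02:00 hour on the reviewed night trips the threshold; the internal backup and the business-hours transfer are ignored by design.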
Luckily, no breaches have been detected so far. Instead, the tangible benefits of using Splunk include having a way to show auditors answers to questions the institution may not have anticipated. Orrstown has also found that Splunk's intuitive user interface helps its help desk answer employee questions more quickly.
"Very simple searches are possible," said Chris Thompson, Orrstown's senior vice president and chief architect, who led the Splunk project.
Orrstown is also upgrading its ATMs with Diebold and plans to use Splunk on the devices to detect more quickly when one is down.