Shell Information Technology International BV, referred to in this article as Shell, is an international energy company with expertise in the exploration, production, refining and marketing of oil and natural gas, and the manufacturing and marketing of chemicals. Headquartered in the Netherlands, the British-Dutch company operates in more than 70 countries. Like any large corporation with international exposure, Shell needs to protect itself against a constant barrage of cybersecurity threats. The oil and gas industry in particular has seen an uptick in cyberattacks in recent years, and as a result Shell took a critical look at its security information and event management (SIEM) solution and considered ways to improve it.
“We had a traditional, on-premises SIEM solution which was not scalable to future demands,” says Oskar Brink, CyberDefence manager at Shell. “Moving to a cloud-based solution would provide a scalable and cost-effective solution, allowing us to also integrate with advanced analytics.”
The company wanted to look at trends and perform detailed analyses over a longer period of time, which require a larger pool of historical data.
Shell also wanted to incorporate cyberthreat hunting—the ability to analyze data to proactively identify vulnerabilities. “For hunting, you primarily need to analyze data older than seven days,” says Stefan Hazenbroek, CyberDefence analyst. “Our SIEM solution was unable to meet these demands because it had limited ability to store historical data.”
The company’s SIEM solution had also reached the physical limits of what it could do. “We were already pushing more data through it than the architecture could handle,” says Hazenbroek. “We need a SIEM environment that we could easily scale.”
Shell decided to expand its SIEM solution by adopting Splunk Enterprise and Splunk Enterprise Security, a platform the company could use to rapidly search and analyze historical machine and log data from its various systems. It chose to host Splunk on Amazon Web Services (AWS) because AWS offered the scalability and flexibility it needed to accommodate Shell’s global footprint.
The company anticipated collecting several terabytes of log data per day from its various systems, and it wanted to store more data for historical analysis. “We quickly concluded that an on-premises solution would not be cost-effective, because we would need additional servers and storage on a weekly basis,” says Hazenbroek.
Although it initially intended to keep its real-time SIEM solution on premises—and add Splunk on AWS for historical analysis—Shell ultimately decided to integrate the two solutions (historical and real-time) with Splunk on AWS.
“We realized that running our real-time SIEM solution on AWS would give us a more reliable and scalable solution than running it on premises, where we continued to struggle with the hardware components we needed,” says Brink. “It was better to have an integrated solution that would allow us to perform real-time monitoring as well as deep-dive analysis on historical data—and to have all our data in the same system."
Shell relies on approximately 100 Amazon Elastic Compute Cloud (Amazon EC2) instances to run its Splunk infrastructure on AWS. “We use Amazon EC2 c4.2 instances for the Splunk forwarders, c4.8 instances for the Splunk indexers, and c4.4 instances for the Splunk search applications,” says Hazenbroek.
It also has several on-premises instances to move the data into the Splunk platform, and it uses SSL client authentication to help ensure a trusted connection. “We decided not to use a VPN in between because we did not want to be limited by the connection speed,” says Hazenbroek. “We knew we would be sending several terabytes a day through that connection.”
For the indexers—the Splunk components that store the data and handle search queries—Shell uses two types of Amazon Elastic Block Store (Amazon EBS) volumes for optimal performance and cost. “Splunk indexers require really fast disks and a lot of IOPS,” says Hazenbroek. Shell found that Amazon EBS gp2 volumes provided the speed needed for the most recent 30 days of data, which is searched most often. For the remaining 11 months of data—which is searched less frequently—it uses sc1 volumes, which provide the lowest cost per gigabyte of all Amazon EBS volume types.
With the scalability of AWS and functionality of Splunk Enterprise Security, Shell has a comprehensive SIEM solution and the means to analyze both real-time and historical data and to stay ahead of the ever-changing cybersecurity landscape.
“Our original on-premises SIEM solution had limited scalability and we were not able to process all the events in the needed fashion,” says Brink. “We could not maintain the data for more than a couple of days and had no ability to test or look at trends. That meant certain malicious attempts persisted for a longer time before they were noticed.”
Shell is currently ingesting several terabytes of data each day into Splunk and has a data lake of multiple petabytes to use for historical analysis, which means its CyberDefence team can engage in identifying trends and proactive cyberthreat hunting. “Using Splunk Enterprise on AWS, we have a much better way of protecting Shell and the Shell perimeter—internally as well as externally—because we have a much bigger capability than we ever had before,” says Brink.
Today, the company can prevent incidents from occurring by identifying vulnerabilities through data analysis and closing them upfront. “Our CyberDefence team is now finding more than twice as many events that could have resulted in security incidents and breaches,” says Brink. “We are really happy with the flexibility, scalability, and functionality of our Splunk SIEM solution on AWS, compared to our old on-premises solution."
Learn more about Amazon Elastic Block Store.