CYBERSECURITY AND AWS: A Case Study on Shell Information Technology International BV

“Using Splunk Enterprise on AWS, we have a much better way of protecting Shell … than we ever had before.”
Oskar Brink
CyberDefence Manager, Shell Information Technology International BV
Amazon Web Services (AWS), as we know it today, provides on-demand cloud computing platforms and APIs to individuals, companies, and governments on a metered, pay-as-you-go basis. It was the vision of Chris Pinkham and Benjamin Black.
AWS was first launched in 2002 and publicized in 2003. In November 2004, the first AWS service launched for public usage: Simple Queue Service (SQS). On March 14th, 2006, Amazon Web Services was re-launched, combining the three initial service offerings of Amazon S3 cloud storage, SQS, and EC2.

Most services are not aimed directly at end users; instead they expose features that developers consume from their own applications through APIs. The offerings are accessed over HTTP, using the REST architectural style and the SOAP protocol for older APIs and plain JSON for newer ones.
AWS includes more than 175 products and services as of 2020, including computing, storage, networking, database, analytics, application services, distribution, administration, mobile, developer software, and Internet of Things software. Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (Amazon S3) are among the most popular.

About Royal Dutch Shell
Shell Information Technology International BV, referred to as Shell, is an international energy company with expertise in the exploration, production, refining, and marketing of oil and natural gas, and the manufacturing and marketing of chemicals. Headquartered in the Netherlands, the British-Dutch company operates in more than 70 countries.

Staying Ahead on Cybersecurity
Like any large corporation with international exposure, Shell needs to protect itself against a constant barrage of cybersecurity threats. The oil and gas industry in particular has seen an uptick in cyberattacks in recent years, and as a result, Shell took a critical look at its security information and event management (SIEM) solution and considered ways to improve it.

“We had a traditional, on-premises SIEM solution which was not scalable to future demands,” says Oskar Brink, CyberDefence manager at Shell.
“Moving to a cloud-based solution would provide a scalable and cost-effective solution, allowing us to also integrate with advanced analytics.”
The company wanted to look at trends and perform detailed analyses over a longer period of time, which requires a larger pool of historical data.
Shell also wanted to incorporate cyber threat hunting: the ability to analyze data to proactively identify vulnerabilities.
“For hunting, you primarily need to analyze data older than seven days,” says Stefan Hazenbroek, CyberDefence analyst.
“Our SIEM solution was unable to meet these demands because it had limited ability to store historical data.”
The company’s SIEM solution had also reached the physical limits of what it could do.

“We were already pushing more data through it than the architecture could handle,” says Hazenbroek.
“We needed a SIEM environment that we could easily scale.”
Moving to the AWS Cloud
Shell decided to expand its SIEM solution by adopting Splunk Enterprise and Splunk Enterprise Security, a platform the company could use to rapidly search and analyze historical machine and log data from its various systems. It chose to host Splunk on Amazon Web Services (AWS) because AWS offered the scalability and flexibility it needed to accommodate Shell’s global footprint.
The company anticipated collecting several terabytes of log data per day from its various systems, and it wanted to store more data for historical analysis.
“We quickly concluded that an on-premises solution would not be cost-effective, because we would need additional servers and storage on a weekly basis,” says Hazenbroek.
Although it initially intended to keep its real-time SIEM solution on-premises and add Splunk on AWS for historical analysis, Shell ultimately decided to integrate the two solutions (historical and real-time) with Splunk on AWS.

“We realized that running our real-time SIEM solution on AWS would give us a more reliable and scalable solution than running it on premises, where we continued to struggle with the hardware components we needed,” says Brink.
“It was better to have an integrated solution that would allow us to perform real-time monitoring as well as deep-dive analysis on historical data, and to have all our data in the same system.”

Empowering Fast Analysis Using Amazon EBS
Shell relies on approximately 100 Amazon Elastic Compute Cloud (Amazon EC2) instances to run its Splunk infrastructure on AWS. “We use Amazon EC2 c4.2 instances for the Splunk forwarders, c4.8 instances for the Splunk indexers, and c4.4 instances for the Splunk search applications,” says Hazenbroek.

It also has several on-premises instances to move the data into the Splunk platform, and it uses SSL client authentication to help ensure a trusted connection.
“We decided not to use a VPN in between because we did not want to be limited by the connection speed,” says Hazenbroek.
“We knew we would be sending several terabytes a day through that connection.”
For the indexers — the Splunk components that store the data and handle search queries — Shell uses two types of Amazon Elastic Block Store (Amazon EBS) volumes for optimal performance and cost. “Splunk indexers require really fast disks and a lot of IOPS,” says Hazenbroek.

Shell found that Amazon EBS gp2 volumes provided the speed needed for the most recent 30 days of data, which is searched most often. For the remaining 11 months of data, which is searched less frequently, it uses sc1 volumes, which provide the lowest cost per gigabyte of all Amazon EBS volume types.
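The two deployment choices described above (mutually authenticated TLS between the on-premises forwarders and the indexers, and hot data on gp2 with cold data on sc1) map onto a handful of Splunk settings. The fragment below is an added illustration, not Shell's configuration: the mount points, index name, certificate paths, host names and sizing figures are all assumptions. Note that Splunk moves warm buckets to the cold path by bucket count and size, not by a fixed 30-day clock, so the hot/warm size cap has to be derived from the index's daily volume.

```ini
# --- indexes.conf on each indexer (added example; paths and sizes assumed) ---
# homePath holds hot and warm buckets: mount this directory on the gp2 volume.
# coldPath holds cold buckets: mount this directory on the sc1 volume.
# Splunk does not support comments after a value, so every comment is on its own line.
[firewall]
homePath   = /splunk/hot/firewall/db
coldPath   = /splunk/cold/firewall/colddb
thawedPath = /splunk/cold/firewall/thaweddb
# Roll warm -> cold once hot+warm reach ~30 days of data (assumed ~100 GB/day).
homePath.maxDataSizeMB = 3000000
# One day per hot bucket keeps bucket time ranges tight for time-bounded searches.
maxHotSpanSecs = 86400
# Total cap across hot, warm and cold (assumed ~1 year at the same daily volume).
maxTotalDataSizeMB = 36000000
# Buckets older than 365 days are frozen (deleted unless a coldToFrozen script archives them).
frozenTimePeriodInSecs = 31536000

# --- inputs.conf on each indexer: forwarder traffic only over TLS with client certs ---
# Forwarders connect across the public path without a VPN, so plain splunktcp stays off
# and every forwarder must present a certificate issued by the internal CA
# (the CA bundle is configured as sslRootCAPath under [sslConfig] in server.conf).
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <placeholder-key-password>
requireClientCert = true
sslVersions = tls1.2
# Only forwarder certificates carrying this CN are accepted (hypothetical name).
sslCommonNameToCheck = splunk-forwarder.corp.example

# --- outputs.conf on each on-premises forwarder: verify the indexer, present a client cert ---
[tcpout:aws-indexers]
server = idx1.splunk.corp.example:9997, idx2.splunk.corp.example:9997
clientCert = /opt/splunkforwarder/etc/auth/mycerts/forwarder.pem
sslPassword = <placeholder-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.splunk.corp.example, idx2.splunk.corp.example
```

Without requireClientCert the listener would accept any TLS client that can reach port 9997, which is the setting to check first on an indexer exposed outside a VPN.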
Creating a Scalable Cybersecurity Solution
With the scalability of AWS and functionality of Splunk Enterprise Security, Shell has a comprehensive SIEM solution and the means to analyze both real-time and historical data and to stay ahead of the ever-changing cybersecurity landscape.

“Our original on-premises SIEM solution had limited scalability and we were not able to process all the events in the needed fashion,” says Brink.
“We could not maintain the data for more than a couple of days and had no ability to test or look at trends. That meant certain malicious attempts persisted for a long time before they were noticed.”
Shell is currently ingesting several terabytes of data each day into Splunk and has a data lake of multiple petabytes to use for historical analysis, which means its CyberDefence team can engage in identifying trends and proactive cyber threat hunting.
“Using Splunk Enterprise on AWS, we have a much better way of protecting Shell and the Shell perimeter, internally as well as externally, because we have a much bigger capacity than we ever had before,” says Brink.
How Shell benefited from AWS
- Scalable infrastructure for expanding cybersecurity solution
- Ingests four terabytes of data each day into Splunk Enterprise
- Stores a two-petabyte data lake for trending analysis and cyberthreat hunting
- Utilizes AWS storage options for hot and cold data, gaining optimal performance and cost
- Increases detection and remediation of potential security breaches by 100%
Conclusion
Today, the company can prevent incidents from occurring by identifying vulnerabilities through data analysis and closing them upfront.
“Our CyberDefence team is now finding more than twice as many events that could have resulted in security incidents and breaches,” says Brink.
“We are really happy with the flexibility, scalability, and functionality of our Splunk SIEM solution on AWS, compared to our old on-premises solution.”