Making the Move: Migrating to Splunk Cloud.
Overview
A federal government agency embarked on a mission with Hyperion3 to migrate its on-premises Splunk instance to the IRAP-certified Splunk Cloud. The objectives were to bring several years' worth of searchable data into the cloud, minimise the impact on the Security Operations Center (SOC) team's core activities, and reduce on-premises infrastructure by decommissioning the aging Splunk servers and deploying a custom Universal Forwarder (UF) management solution that removes the need for an on-premises Splunk Deployment Server for endpoint configuration management.
Key Challenges
Data Migration: Ensuring the seamless transfer of several years' worth of searchable data to Splunk Cloud.
Minimising Impact: Reducing the impact on the SOC team’s daily operations during the migration.
Infrastructure Reduction: Eliminating aging on-premises infrastructure that was reaching the end of its lifecycle.
Simplified Management: Removing the effort and time spent on patching and maintaining Splunk infrastructure, including the ongoing need for a Splunk Deployment Server to manage endpoint configurations.
Policy Alignment: Aligning with the agency's cloud-first strategy and moving towards a zero trust model.
UF Outputs Migration: Quickly cutting over Universal Forwarder (UF) outputs to Splunk Cloud to minimise data being sent to the legacy indexing tier.
Solution and implementation
The agency collaborated with Splunk and the professional services team from Hyperion3 to develop and execute a comprehensive migration plan. The initial steps involved a thorough assessment of the current environment, identifying data sources and apps, and assisting with defining a migration strategy. Data preparation was crucial: it involved resolving corrupt buckets left over from an earlier migration off Windows infrastructure, and adjusting the existing retention policies so that data older than three years rolled to frozen before the move, ensuring a smooth transition to the cloud.
The migration was executed over several weeks, with most of that time spent on preparation, testing and pre-migration configuration of the cloud instance, with a focus on minimising disruption to the SOC team's operations. Using Splunk's data migration tools, the agency, with Hyperion3's expertise, transferred terabytes of data to Splunk Cloud without data loss. Once the data migration was complete, forwarder outputs were cut over so that new logs streamed directly to the cloud, ending data ingestion into the on-premises infrastructure. Notable events were migrated to the cloud-hosted Splunk Enterprise Security out of hours so that the SOC team's daily operations were minimally affected.
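Two of the preparation steps above lend themselves to an automated pre-cutover check: confirming that every index on the on-premises tier actually carries the three-year frozen retention policy, and confirming that every forwarder's outputs.conf now points only at the cloud stack rather than the legacy indexing tier. The script below is an added example written for this page, not the agency's or Hyperion3's tooling. The stack name, hostnames and the .conf contents it parses are constructed samples; the only Splunk facts it relies on are that indexes.conf controls retention via frozenTimePeriodInSecs (default 188697600 seconds, six years) and that outputs.conf selects active destinations via [tcpout] defaultGroup and [tcpout:&lt;group&gt;] server lists.

```python
"""Pre-cutover checks for an on-prem Splunk -> Splunk Cloud migration.

Added example, not the agency's or Hyperion3's code. Stack name, hostnames
and the sample .conf texts below are constructed for illustration.
"""
import configparser

SPLUNK_DEFAULT_FROZEN = 188697600          # Splunk's built-in default: 6 years
THREE_YEARS_SECS = 3 * 365 * 86400         # 94608000, the target policy
CLOUD_SUFFIX = ".splunkcloud.com"          # assumed suffix of the cloud stack's ingest hosts


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style with case-sensitive keys and '#' comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep frozenTimePeriodInSecs / defaultGroup as written
    cp.read_string(text)
    return cp


def stale_retention(indexes_conf: str, max_secs: int = THREE_YEARS_SECS) -> dict:
    """Return {index: effective frozenTimePeriodInSecs} for indexes retaining longer than max_secs.

    Honours a [default] stanza override and Splunk's built-in default when neither
    the index nor [default] sets the value. Non-index stanzas such as [volume:x] are skipped.
    """
    cp = parse_conf(indexes_conf)
    global_default = SPLUNK_DEFAULT_FROZEN
    if cp.has_section("default"):
        global_default = cp.getint("default", "frozenTimePeriodInSecs", fallback=SPLUNK_DEFAULT_FROZEN)
    stale = {}
    for name in cp.sections():
        if name == "default" or ":" in name:
            continue
        secs = cp.getint(name, "frozenTimePeriodInSecs", fallback=global_default)
        if secs > max_secs:
            stale[name] = secs
    return stale


def legacy_destinations(outputs_conf: str, cloud_suffix: str = CLOUD_SUFFIX) -> list:
    """Return the active tcpout servers that are NOT on the cloud stack.

    A forwarder with no [tcpout] stanza or no defaultGroup sends nothing at all,
    which is reported as its own marker so the host is not mistaken for 'cut over'.
    Groups named in defaultGroup but not defined contribute no servers.
    """
    cp = parse_conf(outputs_conf)
    if not cp.has_section("tcpout"):
        return ["<no tcpout stanza>"]
    active = [g.strip() for g in cp.get("tcpout", "defaultGroup", fallback="").split(",") if g.strip()]
    if not active:
        return ["<no defaultGroup>"]
    legacy = []
    for group in active:
        stanza = f"tcpout:{group}"
        servers = cp.get(stanza, "server", fallback="") if cp.has_section(stanza) else ""
        for entry in servers.split(","):
            entry = entry.strip()
            if not entry:
                continue
            host = entry.rsplit(":", 1)[0]     # strip the port (IPv4/hostname form)
            if not host.endswith(cloud_suffix):
                legacy.append(entry)
    return legacy


def forwarders_not_cut_over(fleet: dict, cloud_suffix: str = CLOUD_SUFFIX) -> dict:
    """fleet maps forwarder hostname -> outputs.conf text; returns only the hosts still at risk."""
    report = {}
    for host, conf in fleet.items():
        remaining = legacy_destinations(conf, cloud_suffix)
        if remaining:
            report[host] = remaining
    return report


# --- constructed sample inputs (not real agency configuration) ---
SAMPLE_INDEXES = """\
[default]
frozenTimePeriodInSecs = 188697600

[main]
homePath = $SPLUNK_DB/main/db

[wineventlog]
frozenTimePeriodInSecs = 94608000

[volume:hot]
path = /data/hot
"""

LEGACY_OUTPUTS = """\
[tcpout]
defaultGroup = onprem_indexers

[tcpout:onprem_indexers]
server = idx01.agency.local:9997, idx02.agency.local:9997
"""

CLOUD_OUTPUTS = """\
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.examplestack.splunkcloud.com:9997, inputs2.examplestack.splunkcloud.com:9997
sslVerifyServerCert = true
"""

# transitional host still cloning to both tiers: only the legacy servers are reported
MIXED_OUTPUTS = """\
[tcpout]
defaultGroup = onprem_indexers, splunkcloud

[tcpout:onprem_indexers]
server = idx01.agency.local:9997

[tcpout:splunkcloud]
server = inputs1.examplestack.splunkcloud.com:9997
"""

FLEET = {"web01": LEGACY_OUTPUTS, "web02": CLOUD_OUTPUTS, "db01": MIXED_OUTPUTS, "app01": "[tcpout]\n"}

if __name__ == "__main__":
    print("indexes still over 3-year retention:", stale_retention(SAMPLE_INDEXES))
    print("forwarders not fully cut over:", forwarders_not_cut_over(FLEET))
```

In practice the fleet dictionary would be populated by collecting each forwarder's effective outputs.conf (for example via `splunk btool outputs list --debug` on the endpoint), and the indexes.conf check run against the on-premises indexers before the frozen roll is allowed to proceed. Hosts that report `<no tcpout stanza>` or `<no defaultGroup>` are silent rather than cut over and deserve a closer look than those still pointing at the legacy tier.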
Key Outcomes
The migration to Splunk Cloud was delivered one week ahead of the planned schedule. The data migration was completed swiftly with no data loss and minimal impact on the SOC team's operations. Legacy apps and configurations were successfully packaged and deployed to the cloud instance. In addition to paving the way for the decommissioning of the on-premises Splunk infrastructure, the servers used for Windows Event Log Forwarding were also set for decommissioning, further reducing infrastructure.
Customer Feedback
"Migrating to Splunk Cloud was a strategic move for us. We managed to transition several years' worth of data with minimal disruption to our SOC operations. The support from Splunk was outstanding, ensuring a smooth and efficient migration."
— Tech Lead
Conclusion
The successful migration to Splunk Cloud, delivered by Hyperion3, enabled the government agency to overcome its on-premises challenges, enhance its data analytics capabilities, and align with the agency's cloud-first strategy. The agency is now well-positioned to leverage its data for improved security operations and strategic decision-making.
Looking to migrate to Splunk Cloud?
Reach out to us using the form below or shoot us an email at contact@hyperion3.com.au.