A website analytics tool, originally implemented by Internet service provider iiNet to gauge customer reaction to changes to its online applications, has delivered an unexpected bonus by allowing the company's technical staff to detect and monitor hacking attempts in real time.
iiNet’s implementation of the Splunk real-time intelligence tool was originally designed to provide “marketing metrics to determine how the user experience is going,” iiNet development manager Mark McDonald told attendees at this week’s SplunkLive! Conference in Melbourne.
In the past, Web metrics had been collated using data from Omniture, whose suite forms part of the hosted Adobe Marketing Cloud. However, limitations on the use of the data drove McDonald to look for a deeper-level tool for analytics to support the work done by his ten-strong development team in maintaining iiNet’s Toolbox customer portal.
“We wanted to know how many people were hitting the site, whether they were buying things, and whether changing the colour of a button would sell more widgets,” he explained. “The Adobe metrics is good data, but it doesn’t address the effect of what’s happening inside, and doesn’t really help you look at what the cause of the problem is.”
Splunk provided that, allowing the team to track visitors' experiences across all of its sites. Statistics on page loads, new visitors, traffic sources and more are grouped into real-time dashboards that give the team visibility into the platform and into the performance of its servers.
This allowed developers to post an updated feature, then measure its effect on overall site performance, and quickly tweak again to see the effect. It also supported iiNet’s move to introduce a measure of customer ‘happiness’ – icons of a smiley face, sad face and indifferent face added to iiNet pages and used to ask customers how they are feeling.
“We’ve gotten a heap of data out of that, and it’s great to be able to see which things about the site they’re struggling with or enjoying the most.”
Yet as Splunk became embedded in the team's development processes, it became clear that the same log data could be used for proactive monitoring of hacking attempts on iiNet's customer-facing sites.
“We were having a bit of a search around through the logs and saw what looked like a suspicious query string in one of the Web server logs,” McDonald recalled. “It looked like someone was trying to do a remote file traversal exploit, so we had a look at what they were trying to do.”
Further digging into the data revealed that the site was being hit by someone trying a variety of approaches to compromise it, including SQL injection and other attacks. The iiNet team then used Splunk's real-time search capabilities to watch the ongoing attempts to breach the site's security as they happened.
"We were able to watch this guy trying to break into our site in real time," he said, "just going through the different hack attempts. We got his IP address, sent it through to our security team and told them to check it out because this guy wasn't mucking around."
As it turned out, the intruder was not able to penetrate the site: the security team advised that iiNet had already run extensive penetration testing as part of its PCI DSS compliance work, and the attempted exploits were not successful. Having learned firsthand that its tools could be used for security as well as user-experience testing, however, the team built out additional reports that it now uses to monitor security-related statistics.
For example, “in a matter of minutes we were able to whip up a real-time map dashboard showing where all of the international logins were coming from,” McDonald said, “and people accessing Toolbox who weren’t our customers.”
“We only sell products within Australia, to Australian households – but we found over seven days that we had all of these international logins within this window, which was insane. We did not expect that to happen at all, and we had no idea there were that many people trying to get to our Toolbox internationally. That was a pretty cool insight to find.”
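The two kinds of monitoring described above, spotting injection and traversal payloads in web server logs and then flagging logins from outside the home market, both start from the same parsed access-log records. The following is an added example of that logic in Python, not code from iiNet or from Splunk: it runs over a handful of constructed, NCSA-style log lines (not real iiNet traffic), URL-decodes each request so encoded payloads are not missed, counts signature hits per source IP, and reports successful logins whose source address resolves outside Australia. The IP-to-country table is a stand-in for a real GeoIP lookup, and the `/toolbox/login` path, the signature regexes and the "302 means login succeeded" convention are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (combined-log style). These are not real
# iiNet logs; the addresses are from the documentation (TEST-NET) ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:01:02 +1100] "GET /toolbox/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:10:01:05 +1100] "GET /toolbox/view?file=../../../../etc/passwd HTTP/1.1" 404 221 "-" "curl/7.30"
198.51.100.23 - - [12/Mar/2014:10:01:09 +1100] "GET /toolbox/account?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/7.30"
198.51.100.23 - - [12/Mar/2014:10:01:12 +1100] "GET /toolbox/account?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "curl/7.30"
203.0.113.7 - - [12/Mar/2014:10:02:00 +1100] "POST /toolbox/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2014:10:03:10 +1100] "POST /toolbox/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2014:10:03:11 +1100] "GET /toolbox/view?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 221 "-" "python-requests/2.2"
"""

# Fields of a combined-log line that the checks below need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signature patterns, applied to the URL-decoded path and query string.
# Assumed for the example; a production ruleset would be far broader.
SIGNATURES = {
    "path_traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "sql_injection": re.compile(
        r"(?i)(?:'\s*or\s*'|\bunion\b\s+\bselect\b|--\s*$|;\s*drop\b)"
    ),
}

# Stand-in for a GeoIP database (assumption): source IP -> ISO country code.
GEOIP = {"203.0.113.7": "AU", "198.51.100.23": "US", "192.0.2.44": "RU"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx escapes once so "..%2F" and "%27 OR %27" are seen as
    # "../" and "' OR '". Double-encoded payloads would need a second pass.
    rec["decoded_path"] = unquote(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def detect_attacks(log_text):
    """Count signature matches per source IP: {ip: {signature_name: hits}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["decoded_path"]):
                hits[rec["ip"]][name] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


def foreign_logins(log_text, home="AU", login_path="/toolbox/login"):
    """Successful logins (assumed: POST to login_path answered with 302) whose
    source IP resolves to a country other than `home`. Unknown IPs are
    reported as '??' rather than silently treated as domestic."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == login_path
                and rec["status"] == 302):
            country = GEOIP.get(rec["ip"], "??")
            if country != home:
                found.append((rec["ip"], country))
    return found


if __name__ == "__main__":
    for ip, counts in detect_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {counts}")
    for ip, country in foreign_logins(SAMPLE_LOG):
        print(f"login from outside AU: {ip} ({country})")
```

Run over the constructed lines, the attack report singles out 198.51.100.23 (one traversal attempt and two injection attempts) and 192.0.2.44 (one traversal attempt), and the login check reports 192.0.2.44 as a successful login from outside Australia; the ordinary browser traffic from 203.0.113.7 produces nothing. Decoding before matching is the step most often skipped in quick log searches, and it is why the `%2F`-encoded traversal is still caught.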