Splunk FISMA for Continuous Monitoring


Tags: Splunk, Continuous Monitoring, FISMA Application for Splunk

Speaker notes:
  • A quick level set – elevator pitch – what is Splunk.
  • By “logs” we mean log files, generated all across IT by applications, servers and network devices. They contain data vital for diagnosing service problems, detecting sophisticated security threats, demonstrating compliance, and more. Getting the data you need when you need it is labor-intensive, complex, and in many cases not possible. Virtualization and SaaS adoption are growing, but with increased abstraction comes added management complexity. Gartner (2009) predicts enterprise data will grow by 650% over the next three years, 80% of it unstructured IT data. Traditional tools are silo-based and built on rigid schemas, so they cannot cope with increasingly dynamic data, and they are too costly because they rely on custom parsers unique to specific data sources and vendors.
  • Dashboards let you extend the power of your data to wherever it’s needed, by role and on an authenticated basis. With Splunk you can create custom dashboards in minutes with the dashboard editor and make more sense of the huge volumes of data at your disposal. Combine pre-defined searches, charts, alerts and reports into a powerful dashboard. Or create mashups with other Web-based Apps, such as Tivoli, SAP, security consoles and more. Now your management, security analysts, auditors, developers and sysadmins are all empowered to get the visibility, information and intelligence they need.
  • Splunk was built on our founders’ frustrations running some of the world’s largest data centers and e-commerce sites. Companies like Infoseek, Yahoo, Disney, all of which had issues managing large, geographically dispersed, complex, and highly dynamic infrastructures. While they were surrounded by the most state-of-the-art IT management technologies available, they found it nearly impossible to easily troubleshoot, secure and audit these IT silos in their environments. They knew there was a better way and they founded Splunk. The concept behind Splunk is simple: if Google could make it possible for users to search billions of pages of Web content, why couldn’t we do that for the datacenter? That’s what they built, an engine to search, alert, monitor and report on all “IT data”. Search and analyze all your IT data from one location in real-time. IT data such as all your logs, messages, configurations, metrics in virtual and non-virtual environments. With Splunk, silos of data are eliminated, enabling organizations to make better use of their IT data. Traditional approaches have been built using a “schema first” mindset and attempt to normalize every data source to fit it into this predetermined database schema. This approach is costly and rigid. New data sources require new schemas or custom adapters. Much of the data is simply not ‘seen’. IT data, on the other hand, is becoming more dynamic and increasingly prone to change. Splunk eats any type of IT data: no database, no schema, no DBA, no RDBMS license, no custom connector, and it scales on inexpensive commodity servers.
  • Leverage distributed search to give each locale access to their own data, while providing a combined view to central teams back at headquarters. Whether to optimize your network traffic or meet data segmentation requirements, feel free to build your Splunk infrastructure as it makes sense for your organization. Further, each distributed search head automatically creates the correct app and user context while searching across other datasets. No specific custom configuration management is required; Splunk handles it for you.
  • Splunk isn’t the only technology that can benefit from collecting machine data, so let Splunk help send the data to those systems that need it. For those systems that want a direct tap into the raw data, Splunk can forward all or a subset of data in real time via TCP as raw text or RFC-compliant syslog. This can be done on the forwarder or centrally via the indexer without incrementing your daily indexing volume. Separately, Splunk can schedule sophisticated correlation searches and configure them to open tickets or insert events into SIEMs or operation event consoles. This allows you to summarize, mash-up and transform the data with the full power of the search language and import data into these other systems in a controlled fashion, even if they don’t natively support all the data types Splunk does.
  • Your logs and other machine data are important but often cryptic. You can extend Splunk’s search with lookups to external data sources as well as automate tagging of hosts, users, sources, IP addresses and other fields that appear in your machine data. This enables you to find and summarize machine data according to business impact, logical application, user role and other logical business mappings. In the example shown, Splunk is looking up the server’s IP address to determine which domain the servicing web host is located in, and the customer account number to show which local market the customer is coming from. Using these fields, a search user could create reports pivoted on this information easily.
  • Splunk allows you to extend your existing AAA systems into the Splunk search system for both security and convenience. Splunk can connect to your LDAP based systems, like AD, and directly map your groups and users to Splunk users and roles. From there, define what users and groups can access Splunk, which apps and searches they have access to, and automatically (and transparently) filter their results by any search you can define. That allows you to not only exclude whole events that are inappropriate for a user to see, but also mask or hide specific fields in the data – such as customer names or credit card numbers – from those not authorized to see the entire event.
  • Example Splunk Apps.
  • Splunk FISMA for Continuous Monitoring
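The three integration mechanisms described in the notes above for slides 11, 12 and 13 (cloning a subset of raw data to a SIEM via syslog, enriching events with a lookup, and mapping AD groups to Splunk roles with a per-role search filter) as Splunk .conf stanzas. This is an added example written for this page, not configuration shipped with the deck or with the Splunk for FISMA app. Host names, index names, AD group and OU names, the `linux_secure` sourcetype, the `ip_to_site.csv` contents and the `oit-*` host naming are assumptions; the setting names themselves (`sendCookedData`, `_SYSLOG_ROUTING`, `EXTRACT-*`, `LOOKUP-*`, `match_type`, `roleMap_*`, `srchFilter`) are standard Splunk configuration keys.

```ini
# ---------- outputs.conf (heavy forwarder or indexer) ----------
# Normal path: cooked data to the indexing tier. This is the copy that
# counts against the daily licence volume.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.gov:9997, idx2.example.gov:9997

# Raw, uncooked TCP copy for a system that wants the original event text.
[tcpout:siem_raw]
server = siem.example.gov:5140
sendCookedData = false

# Syslog target; Splunk prepends the syslog header when it sends.
[syslog:siem_syslog]
server = siem.example.gov:514
type = tcp

# ---------- props.conf ----------
# Assumed sourcetype for /var/log/secure. EXTRACT runs at search time;
# TRANSFORMS routing runs in the parsing pipeline, so it is only honoured
# on a heavy forwarder or an indexer, never on a universal forwarder.
[linux_secure]
EXTRACT-auth = for (invalid user )?(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+)
TRANSFORMS-siem = clone_auth_failures_to_syslog
LOOKUP-site = ip_to_site src_ip AS src OUTPUTNEW site AS src_site

# ---------- transforms.conf ----------
# Only events matching REGEX are cloned to the syslog group; every event
# still flows to defaultGroup, so indexed volume is unchanged.
[clone_auth_failures_to_syslog]
REGEX = Failed password|authentication failure
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog

# CSV lookup, file assumed at <app>/lookups/ip_to_site.csv (constructed):
#   src_ip,site
#   10.20.0.0/16,Arizona
#   10.30.0.0/16,Georgia
# match_type lets a CIDR column match a single address in the event.
[ip_to_site]
filename = ip_to_site.csv
match_type = CIDR(src_ip)

# ---------- authentication.conf ----------
[authentication]
authType = LDAP
authSettings = agency_ad

# Bind over LDAPS. Set bindDNpassword through the UI so it is stored
# encrypted instead of in clear text in this file.
[agency_ad]
host = dc1.example.gov
port = 636
SSLEnabled = 1
bindDN = CN=svc-splunk,OU=Service Accounts,DC=example,DC=gov
userBaseDN = OU=Users,DC=example,DC=gov
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Splunk,OU=Groups,DC=example,DC=gov
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

# AD group -> Splunk role. Membership is read at login, so removing a
# departed user from the AD group is enough to revoke Splunk access.
[roleMap_agency_ad]
admin = Splunk-Admins
fisma_auditor = FISMA-Auditors
oit_analyst = OIT-Analysts

# ---------- authorize.conf ----------
# Auditors: all compliance indexes, no search filter.
[role_fisma_auditor]
importRoles = user
srchIndexesAllowed = os;firewall;ids
srchIndexesDefault = os

# OIT analysts: same indexes, but srchFilter is ANDed onto every search
# they run, so events from other hosts never come back. host is always an
# indexed field; the deck's org=OIT app=ERP style works the same way when
# those are indexed fields. srchFilter excludes whole events; it does not
# mask individual fields inside an event that is returned.
[role_oit_analyst]
importRoles = user
srchIndexesAllowed = os;firewall;ids
srchIndexesDefault = os
srchFilter = host=oit-*
```

Two checks worth running after deploying this: log in as a member of OIT-Analysts and confirm `index=os | stats count by host` returns only `oit-*` hosts, and watch the SIEM's syslog listener while generating a single failed SSH login to confirm exactly one cloned event arrives and the indexer still indexes it.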

    1. Splunk for Continuous Monitoring
    2. Copyright © 2011, Splunk Inc. Listen to your data. Splunk = Visibility. Splunk is the IT search engine for machine data, “Google for the Data Center”. Provides visibility, reporting and search across all your IT systems and infrastructure. Reduces IT costs with one solution to solve many challenges. Software that runs on all modern platforms.
    3. Machine Generated Data Across All IT. No real standards: formats, types and sources vary widely. IT environments becoming more dynamic and complex. Volumes of log data growing. Traditional management tools too costly and don’t scale. Logs contain data critical for running, securing and auditing IT.
    4. Dashboards and Views for Every Role: Executive Overview.
    5. Splunk is Used Across IT and the Business: Web Analytics, App Mgmt, Compliance, Security, IT Ops, Business Analytics, Developer Framework.
    6. What is CM? “The objective of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur.” (The NIST CM FAQ) “Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes” (800-37). “…to support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity” (800-37).
    7. What is CM? CM is not Continuous Patching or Continuous Patch Compliance. 800-37 TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation. Continuously enforce application of security controls. Continuously monitor the effectiveness of security controls: server logs, perimeter defenses, application logs. Tweak controls. Rinse, repeat.
    8. Bridging the Gap: Storage, Service Desk, Applications, Servers, Compliance, Development, Change Management, Virtualization, Security, Networking. Monitor & Alert. Search & Investigate. Reporting & Analytics.
    9. Splunk & Data Challenge (Human vs. Machine). Traditional approaches: decide what to look for ahead of time (human). Splunk: any data format, any volume, any pattern (machine based).
    10. Multiple Datacenters: Headquarters, Arizona, California, Georgia, New York. Distributed Search: index and store locally; distribute searches to datacenters, networks & geographies.
    11. Send Data to Other Systems: Problem Investigation, Service Desk, Event Console, SIEM. Route raw data in real time or send alerts based on searches.
    12. Integrate External Data: LDAP, AD; Vulnerability Lists / Waivers; Service Desk; CMDB. Associate IP addresses with locations, accounts with regions. Extend search with lookups to external data sources.
    13. Integrate Users and Roles. LDAP, AD Users and Groups mapped to Splunk Flexible Roles (Problem Investigation; Save Searches; Share Searches; Manage Users; Manage Indexes; Capabilities & Filters such as org=OIT, app=ERP …). Map LDAP & AD groups to flexible Splunk roles. Define any search as a filter. Integrate authentication with LDAP and Active Directory.
    14. Splunk Apps for Security and Compliance: Palo Alto Networks, Centrify, F5 Networks, FISMA Monitoring, Splunk Enterprise Security, BlueCoat, Splunk PCI Compliance, Cisco Security, Developer Framework.
    15. Splunk for FISMA
    16. Splunk for FISMA v1.1. Isn’t it about time you automated your compliance audits? Executive dashboards. Auditor details.
    17. Splunk for FISMA v1.1. Core Splunk has always provided our customers with fantastic compliance and auditing insights, among other things. The new Splunk for FISMA app takes that to a whole new level. Splunk for FISMA is a comprehensive suite of reports and searches enabling customers to easily audit agency compliance with 800-53 revision 3 controls for the entire enterprise, even custom applications and log formats.
    18. Splunk for FISMA v1.1. 11 Control Families, 40 Controls, 60 Searches.
        Control Families:
        • Access Control (AC)
        • Audit & Accountability (AU)
        • Security Assessment & Authorization (CA)
        • Configuration Management (CM)
        • Contingency Planning (CP)
        • Identification & Authentication (IA)
        • Incident Response (IR)
        • Personnel Security (PS)
        • Risk Assessment (RA)
        • System & Communications Protection (SC)
        • System & Information Integrity (SI)
        Data Sources:
        • Windows
        • Unix
        • Proxy
        • Firewall
        • IDS
        • Wireless Security
        • Vulnerability Scanners
        • Network Scanners
        • Application Installation and Patching
        • Anti-virus systems
        • and more!
    19. Splunk for FISMA v1.1. Controls covered:
        • AC-2 Account Management
        • AC-3 Access Enforcement
        • AC-4 Information Flow Enforcement
        • AC-5 Separation of Duties
        • AC-6 Least Privilege
        • AC-7 Unsuccessful Login Attempts
        • AC-10 Concurrent Session Control
        • AC-11 Session Lock
        • AC-17 Remote Access
        • AC-18 Wireless Access
        • AC-19 Access Control for Mobile Devices
        • AU-2 Auditable Events
        • AU-3 Content of Audit Records
        • AU-4 Audit Storage Capacity
        • AU-5 Response to Audit Processing Failures
        • AU-6 Audit Review, Analysis, and Reporting
        • AU-7 Audit Reduction and Report Generation
        • AU-8 Time Stamps
        • AU-9 Protection of Audit Information
        • AU-11 Audit Record Retention
        • AU-12 Audit Generation
        • CA-2 Security Assessments
        • CA-7 Continuous Monitoring
        • CM-2 Baseline Configuration
        • CM-6 Configuration Settings
        • CM-7 Least Functionality
        • CP-9 Information System Backup
        • IA-2 Identification and Authentication (Organizational Users)
        • IA-8 Identification and Authentication (Non-Organizational Users)
        • IR-4 Incident Handling
        • IR-5 Incident Monitoring
        • IR-6 Incident Reporting
        • IR-7 Incident Response Assistance
        • PS-4 Personnel Termination
        • RA-5 Vulnerability Scanning
        • SC-5 Denial of Service Protection
        • SI-3 Malicious Code Protection
        • SI-4 Information System Monitoring
    20. Splunk for FISMA v1.1. Control references are built into each dashboard, as are real event data and a real search language.
    21. Splunk for FISMA v1.1. Core Splunk features allow you to easily move from dashboards to alerts.
    22. CM Compliance Simplified.
    23. Thank You. Email: fed@splunk.com
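Slides 7 and 19 through 21 describe the app's approach: a search per 800-53 control, with control references on the dashboard and the same search promoted to a scheduled alert. The deck lists the controls but shows none of the 60 searches, so the two saved searches below are an added example written for this page, not the FISMA app's own content. The search names, the `os` index, the `linux_secure` sourcetype, the 10-failure threshold, the one-hour silence window and the `soc@example.gov` address are assumptions; the `savedsearches.conf` keys, the `rex`, `stats`, `metadata` and `convert` commands and the `$result.field$` tokens are standard Splunk.

```ini
# savedsearches.conf in the app that owns the compliance searches.

# AC-7 Unsuccessful Login Attempts: the control caps consecutive failures
# per account; this reports any source that exceeds the cap within the
# scheduling window, with the number of distinct accounts it tried (a
# single account failing 10 times and 10 accounts failing once each are
# different findings, and the second is the one that usually matters).
[FISMA AC-7 - Excessive failed logins]
search = index=os sourcetype=linux_secure "Failed password" \
  | rex "for (invalid user )?(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+)" \
  | stats count AS failures, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen by src \
  | where failures >= 10 \
  | convert ctime(first_seen) ctime(last_seen)
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
# Fire when the search returns any row; the threshold lives in the search
# itself so the dashboard and the alert cannot drift apart.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.gov
action.email.subject = AC-7: $result.failures$ failed logins from $result.src$

# AU-5 Response to Audit Processing Failures / AU-12 Audit Generation:
# a host that has stopped delivering audit records is an audit failure,
# not a clean result. metadata reads index bookkeeping rather than events,
# so this is cheap to run every hour even on large indexes. recentTime is
# the index time of the newest event per host.
[FISMA AU-5 - Hosts silent for over an hour]
search = | metadata type=hosts index=os \
  | eval minutes_silent=round((now()-recentTime)/60) \
  | where minutes_silent > 60 \
  | table host, minutes_silent
enableSched = 1
cron_schedule = 5 * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.severity = 3
alert.track = 1
action.email = 1
action.email.to = soc@example.gov
action.email.subject = AU-5: $result.host$ has sent no audit records for $result.minutes_silent$ minutes
```

Before trusting the AU-5 search, deliberately stop the forwarder on one test host and confirm the alert fires at the next run; a monitoring control that has never been seen to trip is exactly the kind of "deployed but not effective" control the NIST definition on slide 6 warns about.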