Copyright © 2011, Splunk Inc. Listen to your data.
Splunk = Visibility
Splunk is an IT search engine for machine data, a "Google for the Data Center"
Provides visibility, reporting and search across all your IT systems and infrastructure
Reduces IT costs with one solution to solve many challenges
Software that runs on all modern platforms
Machine Generated Data Across All IT
No real standards – formats, types and sources vary widely
IT environments becoming more dynamic and complex
Volumes of log data growing
Traditional management tools too costly and don’t scale
Logs contain data critical for running, securing and auditing IT
Dashboards and Views for Every Role
Executive Overview
Splunk is Used Across IT and the Business
Web Analytics
App Mgmt
Compliance
Security
IT Ops
Business Analytics
Developer Framework
What is CM?
The objective of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur. - The NIST CM FAQ
Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes; (800-37)
…to support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity; (800-37)
What is CM?
CM is not Continuous Patching or Continuous Patch Compliance
800-37 TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation
Continuously enforce application of security controls
Continuously monitor the effectiveness of security controls
– Server logs
– Perimeter defenses
– Application logs
Tweak controls
Rinse, repeat
Bridging the Gap
Diagram: data sources across Storage, Service Desk, Applications, Servers, Compliance, Development, Change Management, Virtualization, Security and Networking; functions: Monitor & Alert, Search & Investigate, Reporting & Analytics
Splunk & Data Challenge
Splunk vs. Traditional Approaches
Splunk: any data format, any volume, any pattern (machine based)
Traditional approaches: decide what to look for ahead of time (human vs. machine)
Multiple Datacenters
Headquarters
Arizona California Georgia New York
Distributed Search
Index and store locally. Distribute searches to datacenters, networks & geographies.
Send Data to Other Systems
Problem Investigation
Service Desk
Event Console
SIEM
Route raw data in real time or send alerts based on searches.
Integrate External Data
LDAP, AD
Vulnerability Lists / Waivers
Service Desk
CMDB
Associate IP addresses with locations, accounts with regions
Extend search with lookups to external data sources.
Integrate Users and Roles
Problem Investigation
Save Searches
Share Searches
LDAP, AD Users and Groups
Splunk Flexible Roles
Manage Users
Manage Indexes
Capabilities & Filters
org=OIT
app=ERP …
Map LDAP & AD groups to flexible Splunk roles. Define any search as a filter.
Integrate authentication with LDAP and Active Directory.
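As an added example, not taken from the deck, the group-to-role mapping and per-role search filter this slide describes written as Splunk configuration stanzas (authentication.conf and authorize.conf); the AD host, DNs, group names, role names and index names are constructed placeholders:

```ini
# authentication.conf: bind Splunk to Active Directory.
# Host, DNs and group names are constructed placeholders, not from the deck.
[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = ad.example.gov
port = 636
SSLEnabled = 1
bindDN = CN=splunk-svc,OU=Service Accounts,DC=example,DC=gov
bindDNpassword = PLACEHOLDER-bind-password
userBaseDN = OU=Users,DC=example,DC=gov
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Groups,DC=example,DC=gov
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

# Map AD groups (right) onto Splunk roles (left); several groups are separated by ';'.
[roleMap_corp_ad]
oit_analyst = OIT-SOC-Analysts;OIT-SOC-Leads
erp_auditor = ERP-Auditors

# authorize.conf: the roles themselves. srchFilter is ANDed onto every search the
# role runs, so an OIT analyst only ever sees events that match org=OIT.
[role_oit_analyst]
importRoles = user
srchIndexesAllowed = os;firewall;proxy
srchIndexesDefault = os
srchFilter = org=OIT

# Auditors of the ERP application are confined to that application's events.
[role_erp_auditor]
importRoles = user
srchIndexesAllowed = erp
srchIndexesDefault = erp
srchFilter = app=ERP
schedule_search = enabled

# A role carrying the capabilities behind "Manage Users" and "Manage Indexes".
[role_oit_admin]
importRoles = oit_analyst
edit_user = enabled
indexes_edit = enabled
```

A filter only narrows what a role's searches return; index access itself still comes from srchIndexesAllowed, and a user holding several roles gets their filters combined with OR, so check the effective filter for multi-role users rather than each role in isolation.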
Splunk Apps for Security and Compliance
Palo Alto Networks
Centrify
F5 Networks
FISMA Monitoring
Splunk Enterprise Security
BlueCoat
Splunk PCI Compliance
Cisco Security
Developer Framework
Splunk for FISMA v1.1
Isn’t it about time you automated your compliance audits?
Executive dashboards. Auditor details.
Splunk for FISMA v1.1
Core Splunk has always provided our customers with fantastic compliance and auditing insights, among other things. The new Splunk for FISMA app takes that to a whole new level.
Splunk for FISMA is a comprehensive suite of reports and searches that lets customers easily audit agency compliance with 800-53 revision 3 controls across the entire enterprise, including custom applications and log formats.
Splunk for FISMA v1.1
Control Families:
• Access Control (AC)
• Audit & Accountability (AU)
• Security Assessment & Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification & Authentication (IA)
• Incident Response (IR)
• Personnel Security (PS)
• Risk Assessment (RA)
• System & Communications Protection (SC)
• System & Information Integrity (SI)
11 Control Families, 40 Controls, 60 Searches
Data Sources:
• Windows
• Unix
• Proxy
• Firewall
• IDS
• Wireless Security
• Vulnerability Scanners
• Network Scanners
• Application Installation and Patching
• Anti-virus systems
• and more!
Splunk for FISMA v1.1
• AC-2 Account Management
• AC-3 Access Enforcement
• AC-4 Information Flow Enforcement
• AC-5 Separation of Duties
• AC-6 Least Privilege
• AC-7 Unsuccessful Login Attempts
• AC-10 Concurrent Session Control
• AC-11 Session Lock
• AC-17 Remote Access
• AC-18 Wireless Access
• AC-19 Access Control For Mobile Devices
• AU-2 Auditable Events
• AU-3 Content Of Audit Records
• AU-4 Audit Storage Capacity
• AU-5 Response To Audit Processing Failures
• AU-6 Audit Review, Analysis, And Reporting
• AU-7 Audit Reduction And Report Generation
• AU-8 Time Stamps
• AU-9 Protection Of Audit Information
• AU-11 Audit Record Retention
• AU-12 Audit Generation
• CA-2 Security Assessment
• CA-7 Continuous Monitoring
• CM-2 Baseline Configuration
• CM-6 Configuration Settings
• CM-7 Least Functionality
• CP-9 Information System Backup
• IA-2 Identification And Authentication (Organizational Users)
• IA-8 Identification And Authentication (Non-Organizational Users)
• IR-4 Incident Handling
• IR-5 Incident Monitoring
• IR-6 Incident Reporting
• IR-7 Incident Response Assistance
• PS-4 Personnel Termination
• RA-5 Vulnerability Scanning
• SC-5 Denial Of Service Protection
• SI-3 Malicious Code Protection
• SI-4 Information System Monitoring
Splunk for FISMA v1.1
Control references are built into each dashboard…
as are real event data and a real search language
Splunk for FISMA v1.1
Core Splunk features allow you to easily move from dashboards to alerts.