
Saviynt Security Manager V1.0  

Splunk Integration & Administration Guide  


Saviynt Security Manager v1.0: Splunk Integration & User Guide 2

Edition notice

Note: This edition applies to version 1.0 of Saviynt Security Analyzer and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright Saviynt Inc. 2016


Contents

1. Introduction to Saviynt Security Analyzer
2. Description of the Application
3. Pre-Requisites
   3.1 Supported OS Platforms
   3.2 Connectivity and Firewalls consideration
   3.3 Supported Splunk versions
   3.4 Splunk Application
4. Installation and Configuration
   4.1 Installing the Saviynt application
       4.1.1 Not Connected to the Internet
       4.1.2 Connected to the Internet
   4.2 Creating Cross Account Role ARN
   4.3 Importing Data
       4.3.1 Importing Data for the first time
5. AWS Dashboard
   5.1 AWS Controls
   5.2 Understanding the graphs
       5.2.1 Bubble Graph
       5.2.2 High Risk Summation
       5.2.3 Pie Charts
6. Analytics
   6.1 Creating New Analytics
7. AWS IAM Users
   7.1 List of AWS IAM Users
   7.2 Account Detail
   7.3 Associated AWS Object
   7.4 Search
8. AWS Objects
9. Upgrade to Saviynt Premium
10. Contact Us


1. Introduction to Saviynt Security Analyzer

Saviynt Security Analyzer provides a single pane of glass for managing security across AWS services and the cloud infrastructure ecosystem, enabling businesses to accelerate the migration of mission-critical workloads and data to the cloud. With over 250 security controls and risk signatures available out of the box, and more that can be user-defined, Saviynt Security Analyzer enables you to continuously monitor the effectiveness of your AWS security posture. This document provides detailed instructions for the installation, configuration, and use of the Saviynt Application for Splunk.

2. Description of the Application

The app connects to the organization's AWS environment, imports data from it, and monitors the effectiveness of the AWS security posture.

3. Pre-Requisites

The following components must be installed and configured on your Splunk infrastructure for the Saviynt App to function correctly.

3.1 Supported OS Platforms

The Saviynt application for Splunk is platform independent.

3.2 Connectivity and Firewalls consideration

Make sure that the Splunk environment is connected to the Internet and that the firewall is not blocking connectivity to your AWS environment.

3.3 Supported Splunk versions

This version of the Saviynt App has been tested on Splunk versions 6.2, 6.3, 6.4 and 6.5.

3.4 Splunk Application

Splunk must be configured in your enterprise before the Saviynt application can be used. If you don’t have Splunk, go to the Splunk website to download it.


4. Installation and Configuration

4.1 Installing the Saviynt application

4.1.1 Not Connected to the Internet If your Splunk Enterprise server and client do not have Internet connectivity, you must download apps from Splunkbase and copy them over to your server.

• From a computer connected to the Internet, browse Splunkbase for the “Saviynt Security Analyzer” app. Download the “Saviynt Security Analyzer” app.

• Once unzipped, copy it to your Splunk Enterprise server.

• Copy it into your $SPLUNK_HOME/etc/apps directory.

• Go to $SPLUNK_HOME/etc/apps. The file “splunk_app_saviynt_aws.tar.gz” should be present.

• Untar and ungzip the app, using a tool such as tar -xvf (on *nix) or WinZip (on Windows).


• Once you see “splunk_app_saviynt_aws” at the location $SPLUNK_HOME\etc\apps, log in to Splunk Enterprise and enter your credentials.

• Go to Settings > Server Controls and click on “Restart Splunk”.


(Note: It is necessary to restart Splunk before using it for the first time after downloading the application.)

• After Splunk has been restarted, go to the “Saviynt App for AWS”.


4.1.2 Connected to the Internet

If the Splunk Enterprise server or client machine is connected to the Internet, the app browser can be reached from the home page.

• Click the + sign below your last installed app to go directly to the app browser. Search for “Saviynt Security Analyzer”. You can also click the gear next to Apps to go to the apps manager page.

• Click on “browse more apps” to go to the app browser. Search for “Saviynt Security Analyzer”.

• Download and install the app.

• Restart Splunk.

• Once Splunk Enterprise has been restarted, the Saviynt Security Analyzer app is installed and available from Splunk Home.

Important: If Splunk Web is located behind a proxy server, you might have issues accessing Splunkbase. To solve this problem, set the HTTP_PROXY environment variable.


4.2 Creating Cross Account Role ARN

The instructions to create the Cross Account Role ARN are available here: http://saviynt.com/wp-content/uploads/2016/11/Saviynt_Splunk_Integration_Guide.pdf

You will need this Role ARN to import the data from your AWS account.

4.3 Importing Data

4.3.1 Importing Data for the first time

 • Click on the Import Data link.  


• Enter the Contact Information and AWS connection details. Please note that the Company name cannot be changed later. Enter the cross-account role ARN you created and the AWS account ID.

• Once the details have been entered, click on the Save & Test Connection button. The following dialog box appears.


• Click on the “Yes” button to confirm the data import. This imports the data and populates the AWS dashboard and the other tabs.

• For future data re-imports, you can follow the previous steps, click on the “Re-Evaluate Risks” button on the Home page, or schedule the import to run as a job at a particular time by enabling and scheduling the pre-existing search “Scheduling for importdata”, as shown below.

• Enable the search and then schedule it after checking “Schedule this search” checkbox.


5. AWS Dashboard


5.1 AWS Controls

An AWS Control is a procedure or policy that ensures that the data in an organization's AWS environment is reliable and in compliance with applicable laws and regulations. These controls help you implement common scenarios for potential conflicts on an AWS Object (such as VPC, EC2, etc.). Saviynt provides a comprehensive range of AWS controls to detect and/or prevent various access and security violations occurring in your environment. The AWS controls provided by Saviynt are divided into three different categories:

• Risk Signatures

Category | Compliance Violation | Analytics Name | Occurrence | Control-Type | Description | Risk | Recommendations
CloudFormation | AWS Best Practices | CloudFormation templates with No Output Sections | Often | Basic | Detects CloudFormation templates with No Output Sections | Medium | It is recommended to add Output sections to CF templates
CloudFormation | AWS Best Practices | CloudFormation templates with Password Violations | | Basic | Detects CloudFormation templates with Password Violations | High | It is recommended not to echo passwords and to keep encrypted passwords in CF templates
CloudFormation | AWS Best Practices | CloudFormation templates with Open RDP Port Security Groups | | Basic | Detects CloudFormation templates with Open RDP Port Security Groups | High | It is recommended not to use open RDP port security groups in CF templates

• Preventative Controls


Saviynt’s analytics also provide an administrator with the risk level (high, medium, or low) for a violation.  

As the AWS Dashboard gets populated, you will see various AWS analytics, such as EC2, VPC, S3 Buckets related to the AWS account.

5.2 Understanding the graphs

5.2.1 Bubble Graph

To see the number of security violations in the different AWS objects related to the account, scroll down to the following screen on the Home page.

On this chart, hovering over any of the bubbles gives the number of instances and violations on the object.

Category | Type | Analytics Name | Description | Actions | Risk
Preventative control - EC2 | Premium | Workloads with open Internet access via Security Groups | Detects Workloads with open Internet access via Security Groups | Notify via Email, SNS Notification, Stop EC2 instances | Medium
Preventative control - EC2 | Premium | Security Groups with open SSH Ports | Detects Security Groups with open SSH Ports | Notify via Email, SNS Notification, Stop EC2 instances | High
Preventative control - EC2 | Premium | Workloads with open SSH access via Security Groups | Detects Workloads with open SSH access via Security Groups | Notify via Email, SNS Notification, Stop EC2 instances | High
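As an added example (not Saviynt's code), the following Python walks a constructed CloudFormation template and flags the conditions the two control tables above describe: a missing Outputs section (Medium), a password parameter without NoEcho (High), and security-group ingress that opens RDP or SSH to the whole Internet (High); the preventative controls apply the same open-port test to live security groups rather than templates. The template, parameter and resource names are constructed for the demonstration.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}          # "anywhere" in IPv4 and IPv6
RISKY_PORTS = {22: "SSH", 3389: "RDP"}      # services the controls flag
SAMPLE_TEMPLATE = json.dumps({              # constructed: trips every check once
    "Parameters": {
        "DBPassword": {"Type": "String", "Description": "Database password"},
        "DBUser": {"Type": "String", "NoEcho": True},
    },
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            ]},
        },
        "SshRule": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "CidrIpv6": "::/0"},
        },
    },
})

def ingress_rules(resources):
    """Yield (resource name, ingress rule) for inline and standalone rules."""
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props

def open_ports(rule):
    """Return the risky services this rule exposes to the whole Internet."""
    if rule.get("CidrIp") not in OPEN_CIDRS and rule.get("CidrIpv6") not in OPEN_CIDRS:
        return []
    if str(rule.get("IpProtocol")) == "-1":  # all protocols and all ports
        return sorted(RISKY_PORTS.values())
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return [svc for port, svc in RISKY_PORTS.items() if lo <= port <= hi]

def evaluate_template(text):
    """Return (risk, finding) pairs using the risk levels from the control tables."""
    tpl = json.loads(text)
    findings = []
    if not tpl.get("Outputs"):
        findings.append(("Medium", "template has no Outputs section"))
    for name, param in tpl.get("Parameters", {}).items():
        blob = (name + " " + param.get("Description", "")).lower()
        if "password" in blob and str(param.get("NoEcho", "")).lower() != "true":
            findings.append(("High", f"parameter {name} echoes a password (NoEcho missing)"))
    for name, rule in ingress_rules(tpl.get("Resources", {})):
        for svc in open_ports(rule):
            findings.append(("High", f"{name} opens {svc} to the Internet"))
    return findings

if __name__ == "__main__":
    for risk, finding in evaluate_template(SAMPLE_TEMPLATE):
        print(f"{risk:6} {finding}")
```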


Click on the bubble for any of the AWS analytics listed on the right. For example, if you click on the brown colored EC2 bubble on the chart, the following screen should appear:


This page provides the following information:

• Analytics Name: This field contains the name of the control created for AWS. The application provides around 150 out-of-the-box controls.

• Description: This field gives a brief description of the control.

• Category: The AWS category under which the analytics is included.

• Conflict Count: The number of violations occurring for the specific control.

• Risk: The risk level of the violations (can be high, medium or low).

• Last Run: The last run time of the control.

• Recommendations: Provides the recommendations for administrators to remediate the violations.

Click on any row to get more information about the violations for a particular analytics.

Click on any Analytics and it will show you the details of the violations associated with that particular Analytics.


5.2.2 High Risk Summation

Click on the Home button and scroll down to the section “High Risk Summation”.

This bar graph gives the conflict count for various analytics. Hover over the bar corresponding to any of the analytics and click on it.


5.2.3 Pie Charts

Scroll down further to get various pie charts, which give an insight into the current AWS ecosystem and the actual or potential violations occurring in it.


The below example explains the pie chart titled “Open Access on EC2 Security Groups”. Hovering over any section of the pie chart gives the number of violations and the percentage it represents for the total number of violations for open access on EC2 security groups.


Click on a section of the pie chart. The following screen should appear.


6. Analytics

Click on the Analytics tab at the top.

The following screen should appear. It provides a list of analytics under different AWS categories, their descriptions and the number of conflicts occurring. Click on any one of them to see the list of violations in that particular analytics along with the details.


6.1 Creating New Analytics

Click on the Create New Analytics tab to create a customized AWS analytics that is currently not included in the controls provided by Saviynt.


Once the details are entered and the request is created, an email is sent to Saviynt’s support team. The process to include the new analytics is initiated within 24 hours.


7. AWS IAM Users

7.1 List of AWS IAM Users

Click on the AWS IAM Users tab at the top. The following screen should appear:

This shows a list of all active IAM users associated with the AWS account.


7.2 Account Detail

Click on any account name to see the details of the account for that particular user.


7.3 Associated AWS Object

Click on the Associated AWS Object tab.

7.4 Search

To search for a specific user’s account, use the application’s search functionality by entering the user name in the search field.


8. AWS Objects

Click on the AWS Objects tab at the top. The following screen should appear:

This screen provides a list of the AWS objects and their criticalities (very low, low, medium, high, very high, none).


9. Upgrade to Saviynt Premium

Upgrade to the Premium application for access to many more risk signatures and preventative controls, and to import data for more than one AWS account. More details on premium features are available at: http://saviynt.com/saviynt-security-analyzer/

Click on the “Get Premium Application” button in the top right corner of the Home page. The following payment screen appears:


Enter the number of accounts in your AWS environment and your Splunk ID. There are two modes of payment:

• Pay Now: Pay the subscription amount via PayPal or any other major credit card.

• Invoice Me: Upon clicking on the Invoice Me button, the following box appears:


Once a request is submitted, you will be contacted by a Saviynt team member to confirm and process the request.


10. Contact Us

For any issues or questions regarding the app, scroll down to the bottom of the home page.


Click on contact us to open the following window: