Splunk for Continuous Monitoring

Splunk FISMA for Continuous Monitoring


Splunk for Continuous Monitoring

Copyright © 2011, Splunk Inc. Listen to your data.

Splunk = Visibility

Splunk is an IT search engine for machine data: "Google for the Data Center"

Provides visibility, reporting and search across all your IT systems and infrastructure

2

Reduces IT costs with one solution to solve many challenges

Software that runs on all modern platforms


Machine Generated Data Across All IT

No real standards – formats, types and sources vary widely

IT environments becoming more dynamic and complex

Volumes of log data growing

Traditional management tools too costly and don’t scale

Logs contain data critical for running, securing and auditing IT

3


Dashboards and Views for Every Role

Executive Overview

4


Splunk is Used Across IT and the Business

5

Web Analytics

App Mgmt

Compliance

Security

IT Ops

Business Analytics

Developer Framework


What is CM?

The objective of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur. - The NIST CM FAQ

Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes; (800-37)

…to support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity; (800-37)

6


What is CM?

CM is not Continuous Patching or Continuous Patch Compliance

800-37 TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation

Continuously enforce application of security controls

Continuously monitor the effectiveness of security controls:

– Server logs

– Perimeter defenses

– Application logs

Tweak controls

Rinse, repeat

7


Bridging the Gap

IT domains (diagram labels): Storage, Service Desk, Applications, Servers, Compliance, Development, Change Management, Virtualization, Security, Networking

Monitor & Alert | Search & Investigate | Reporting & Analytics


Splunk & Data Challenge

9

Splunk: any data format, any volume, any pattern (machine based)

Traditional approaches: decide what to look for ahead of time (human vs. machine)


Multiple Datacenters

10

Headquarters

Arizona California Georgia New York

Distributed Search

Index and store locally. Distribute searches to datacenters, networks & geographies.


Problem Investigation

Service Desk

Event Console

SIEM

Send Data to Other Systems

Route raw data in real time or send alerts based on searches.


Integrate External Data

12

LDAP, AD Vulnerability Lists / Waivers

Service Desk

CMDB

Associate IP addresses with locations, accounts with regions

Extend search with lookups to external data sources.
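The slide's two lookup cases (IP address to location, account to region) in a stand-alone form, as an added example that is not part of the Splunk deck and not Splunk's own lookup code. In Splunk this is what a lookup table file plus the `lookup` command does for a search; here the same enrichment is written in Python so it can run offline. The two CSV tables, the address ranges, the account names and the events are all constructed sample data, and the "login from a region other than the account's home region" check is this example's own illustration of what enrichment enables, not a control from the app.

```python
"""Enrich events with external lookup tables (CMDB-style subnets, LDAP-style accounts).
Added example; all tables and events below are constructed sample data."""
import csv
import io
import ipaddress

# Constructed lookup table, in the shape of a CMDB export: site and region per address range.
SITE_LOOKUP_CSV = """subnet,site,region
10.1.0.0/16,Arizona,West
10.2.0.0/16,California,West
10.3.0.0/16,Georgia,East
10.4.0.0/16,New York,East
"""

# Constructed lookup table, in the shape of an LDAP/AD export: home region per account.
ACCOUNT_LOOKUP_CSV = """user,home_region
jdoe,West
asmith,East
"""


def load_site_table(text):
    """Parse the subnet lookup once into (network, site, region) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_network(r["subnet"]), r["site"], r["region"]) for r in rows]


def load_account_table(text):
    """Parse the account lookup into a user -> home_region dict."""
    return {r["user"]: r["home_region"] for r in csv.DictReader(io.StringIO(text))}


SITES = load_site_table(SITE_LOOKUP_CSV)
HOME_REGION = load_account_table(ACCOUNT_LOOKUP_CSV)


def lookup_site(ip):
    """Return (site, region) for an address; ("unknown", "unknown") when no range matches
    or the value is not an IP address at all (bad data must not raise in the pipeline)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("unknown", "unknown")
    for net, site, region in SITES:
        if addr in net:
            return (site, region)
    return ("unknown", "unknown")


def enrich(event):
    """Add site, site_region and home_region fields; the original event is left unmodified."""
    site, region = lookup_site(event["src_ip"])
    return {**event, "site": site, "site_region": region,
            "home_region": HOME_REGION.get(event["user"], "unknown")}


def region_mismatches(events):
    """Enriched logins whose source region differs from the account's home region.
    Events unresolved on either side are skipped rather than reported, so lookup gaps
    do not turn into false alerts."""
    out = []
    for ev in map(enrich, events):
        if "unknown" in (ev["site_region"], ev["home_region"]):
            continue
        if ev["site_region"] != ev["home_region"]:
            out.append(ev)
    return out


# Constructed sample events, as a search over login records might return them.
SAMPLE_EVENTS = [
    {"user": "jdoe", "src_ip": "10.1.4.20", "action": "login"},
    {"user": "jdoe", "src_ip": "10.4.9.7", "action": "login"},
    {"user": "asmith", "src_ip": "10.3.2.1", "action": "login"},
    {"user": "svc_backup", "src_ip": "192.168.0.5", "action": "login"},
]

if __name__ == "__main__":
    for hit in region_mismatches(SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints the single jdoe login from the New York range, the account whose home region is West. The tables are parsed once at load time, as a lookup file would be, and the enrichment never mutates the source event.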


Integrate Users and Roles

13

Problem Investigation

Save Searches

Share Searches

LDAP, AD Users and Groups

Splunk Flexible Roles

Manage Users

Manage Indexes

Capabilities & Filters

org=OIT

app=ERP …

Map LDAP & AD groups to flexible Splunk roles. Define any search as a filter.

Integrate authentication with LDAP and Active Directory.
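The group-to-role mapping and the "any search as a filter" idea from this slide, written out as an added example; it is not the Splunk deck's material and not how Splunk itself implements roles. The group DNs, role names, filter strings and events are constructed; the filter strings follow the slide's `org=OIT` and `app=ERP` shape. The deny-by-default rule for users with no mapped role, and the union of filters for users holding several roles, are this example's own choices.

```python
"""Map directory groups to roles and enforce a per-role search filter.
Added example; group DNs, roles, filters and events are constructed."""

# Constructed: directory group (as an LDAP DN) -> role. The DC values are placeholders.
ROLE_BY_GROUP = {
    "CN=OIT-Analysts,OU=Groups,DC=example,DC=test": "oit_analyst",
    "CN=ERP-Admins,OU=Groups,DC=example,DC=test": "erp_admin",
    "CN=Auditors,OU=Groups,DC=example,DC=test": "auditor",
}

# Constructed: role -> search filter. Every field=value term must match an event.
# An empty filter means the role is unrestricted.
FILTER_BY_ROLE = {
    "oit_analyst": "org=OIT",
    "erp_admin": "org=OIT app=ERP",
    "auditor": "",
}


def parse_filter(text):
    """'org=OIT app=ERP' -> {'org': 'OIT', 'app': 'ERP'}.
    A malformed term is an error, not a silently empty (and therefore wide-open) filter."""
    terms = {}
    for token in text.split():
        field, sep, value = token.partition("=")
        if not sep or not field or not value:
            raise ValueError(f"malformed filter term: {token!r}")
        terms[field] = value
    return terms


def roles_for(groups):
    """Roles granted by a user's group memberships; unmapped groups grant nothing."""
    return {ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP}


def event_matches(event, terms):
    """True when every filter term equals the corresponding event field."""
    return all(event.get(field) == value for field, value in terms.items())


def visible_events(groups, events):
    """Events a user may see given their directory groups.
    No mapped role: nothing is visible (deny by default).
    Several roles: the user sees whatever any one of them allows."""
    filters = [parse_filter(FILTER_BY_ROLE[role]) for role in roles_for(groups)]
    if not filters:
        return []
    return [ev for ev in events if any(event_matches(ev, f) for f in filters)]


# Constructed sample events with the org/app fields the filters key on.
SAMPLE_EVENTS = [
    {"org": "OIT", "app": "ERP", "msg": "ERP batch job failed"},
    {"org": "OIT", "app": "Mail", "msg": "mailbox quota exceeded"},
    {"org": "HR", "app": "Payroll", "msg": "payroll export complete"},
]

if __name__ == "__main__":
    erp_admin = ["CN=ERP-Admins,OU=Groups,DC=example,DC=test"]
    for ev in visible_events(erp_admin, SAMPLE_EVENTS):
        print(ev["msg"])
```

The filter is applied to every event on the way out rather than trusted to the caller, so a user who crafts their own search still only sees what their role's filter permits.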


Splunk Apps for Security and Compliance

Palo Alto Networks

Centrify

F5 Networks

FISMA Monitoring

Splunk Enterprise Security

BlueCoat

Splunk PCI Compliance

Cisco Security

14

Developer Framework

Splunk for FISMA


Splunk for FISMA v1.1

16

Isn’t it about time you automated your compliance audits?

Executive dashboards. Auditor details.


Splunk for FISMA v1.1

17

Core Splunk has always provided our customers with fantastic compliance and auditing insights, among other things. The new Splunk for FISMA app takes that to a whole new level.

Splunk for FISMA is a comprehensive suite of reports and searches enabling customers to easily audit agency compliance of 800-53 revision 3 controls for the entire enterprise.

Even custom applications and log formats.


Splunk for FISMA v1.1

18

Control Families:

• Access Control (AC)

• Audit & Accountability (AU)

• Security Assessment & Authorization (CA)

• Configuration Management (CM)

• Contingency Planning (CP)

• Identification & Authentication (IA)

• Incident Response (IR)

• Personnel Security (PS)

• Risk Assessment

• System & Communications Protection (SC)

• System & Information Integrity (SI)

11 Control Families, 40 Controls, 60 Searches

Data Sources:

• Windows

• Unix

• Proxy

• Firewall

• IDS

• Wireless Security

• Vulnerability Scanners

• Network Scanners

• Application Installation and Patching

• Anti-virus systems

• and more!


Splunk for FISMA v1.1

19

• AC-2 Account Management

• AC-3 Access Enforcement

• AC-4 Information Flow Enforcement

• AC-5 Separation of Duties

• AC-6 Least Privilege

• AC-7 Unsuccessful Login Attempts

• AC-10 Concurrent Session Control

• AC-11 Session Lock

• AC-17 Remote Access

• AC-18 Wireless Access

• AC-19 Access Control For Mobile Devices

• AU-2 Auditable Events

• AU-3 Content Of Audit Records

• AU-4 Audit Storage Capacity

• AU-5 Response To Audit Processing Failures

• AU-6 Audit Review, Analysis, And Reporting

• AU-7 Audit Reduction And Report Generation

• AU-8 Time Stamps

• AU-9 Protection Of Audit Information

• AU-11 Audit Record Retention

• AU-12 Audit Generation

• CA-2 Security Assessment

• CA-7 Continuous Monitoring

• CM-2 Baseline Configuration

• CM-6 Configuration Settings

• CM-7 Least Functionality

• CP-9 Information System Backup

• IA-2 Identification And Authentication (Organizational Users)

• IA-8 Identification And Authentication (Non-Organizational Users)

• IR-4 Incident Handling

• IR-5 Incident Monitoring

• IR-6 Incident Reporting

• IR-7 Incident Response Assistance

• PS-4 Personnel Termination

• RA-5 Vulnerability Scanning

• SC-5 Denial Of Service Protection

• AC-4 Information Flow Enforcement

• SI-3 Malicious Code Protection

• SI-4 Information System Monitoring


Splunk for FISMA v1.1

20

Control references are built into each dashboard, as are real event data and a real search language.


Splunk for FISMA v1.1

21

Core Splunk features allow you to easily move from dashboards to alerts.
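What "moving from dashboards to alerts" looks like for one of the listed controls, AC-7 Unsuccessful Login Attempts, as an added example; this is not the deck's material and not one of the app's 60 searches. It also covers the 800-37 TASK 2-3 step earlier in the deck, monitoring control effectiveness from server logs. In Splunk the equivalent is a saved search of roughly the form `... | stats count by user | where count >= 5` scheduled as an alert (my sketch, not the app's search); the Python below does the same aggregation over two constructed log formats, a syslog-style sshd line and a Windows-style failed-logon record, so it runs offline. Host names, account names, addresses and timestamps are all constructed; the threshold of 5 failures in 15 minutes is an assumed policy value.

```python
"""AC-7 style alerting: count failed logins per account in a sliding window and
emit one alert per burst that crosses the threshold.
Added example; the log lines, hosts, users and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: five sshd failures then a success for jdoe,
# and two Windows failed-logon records (EventCode 4625) for asmith 44 minutes apart.
LOG_LINES = """\
2011-06-01T09:00:01 host=web01 sshd: Failed password for jdoe from 10.1.4.20 port 5121 ssh2
2011-06-01T09:00:05 host=web01 sshd: Failed password for jdoe from 10.1.4.20 port 5122 ssh2
2011-06-01T09:00:09 host=web01 sshd: Failed password for jdoe from 10.1.4.20 port 5123 ssh2
2011-06-01T09:00:14 host=web01 sshd: Failed password for jdoe from 10.1.4.20 port 5124 ssh2
2011-06-01T09:00:20 host=web01 sshd: Failed password for jdoe from 10.1.4.20 port 5125 ssh2
2011-06-01T09:00:25 host=web01 sshd: Accepted password for jdoe from 10.1.4.20 port 5126 ssh2
2011-06-01T09:01:00 host=db01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.3.2.1
2011-06-01T09:45:00 host=db01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.3.2.1
"""

# Two extraction patterns for the two constructed formats; both yield the same fields.
SSH_FAIL = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)")
WIN_FAIL = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=4625 Account_Name=(?P<user>\S+) "
    r"Source_Network_Address=(?P<src>\S+)")


def parse_failures(text):
    """Normalise failed-login lines into dicts with ts, host, user, src.
    Lines that are not failures (successful logins, unrelated records) are dropped."""
    failures = []
    for line in text.splitlines():
        m = SSH_FAIL.match(line) or WIN_FAIL.match(line)
        if not m:
            continue
        f = m.groupdict()
        f["ts"] = datetime.fromisoformat(f["ts"])
        failures.append(f)
    return failures


def failed_login_alerts(failures, threshold=5, window_minutes=15):
    """One alert per account per burst of >= threshold failures within the window.
    The per-user buffer is cleared after an alert so a long burst raises one alert,
    not one per additional failure."""
    by_user = defaultdict(list)
    for f in sorted(failures, key=lambda f: f["ts"]):
        by_user[f["user"]].append(f)

    alerts = []
    for user, events in by_user.items():
        recent = []
        for ev in events:
            recent.append(ev)
            # keep only failures inside the window ending at this event
            recent = [r for r in recent if (ev["ts"] - r["ts"]).total_seconds() <= window_minutes * 60]
            if len(recent) >= threshold:
                alerts.append({
                    "control": "AC-7",
                    "user": user,
                    "count": len(recent),
                    "first_seen": recent[0]["ts"].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                    "sources": sorted({r["src"] for r in recent}),
                })
                recent = []
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(parse_failures(LOG_LINES)):
        print(alert)
```

With the defaults only jdoe trips the alert (five failures in under a minute); asmith's two failures are 44 minutes apart and stay below threshold. Lowering the threshold or widening the window, as the second test case does, is the tuning step the deck calls "tweak controls".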


CM Compliance Simplified

22

Thank You

Email: [email protected]