Secret Server Splunk Integration Guide

Transcription

1 Secret Server Splunk Integration Guide Table of Contents Meeting Information Security Compliance Mandates: Secret Server and Splunk SIEM Integration and Configuration... 1 The Secret Server Approach to Privileged Account Management... 1 Risks and Benefits:... 1 Initial Configuration and Event Log Analysis... 2 Exporting Logs from Secret Server... 2 Configuring Splunk... 2 Making use of Splunk... 2 Use Case #1: Tracking Very Frequent Use... 4 Use Case #2: Alerting for Unlimited Administration Mode... 4 Secret Server Syslog Explained... 5 Secret Server s Reported Events... 5 Secret Server Data Fields... 5 Events... 6 Conclusion... 7

2 Meeting Information Security Compliance Mandates: Secret Server and Splunk SIEM Integration and Configuration Leveraging Secret Server event data with Splunk SIEM solutions can give organizations deep insight into the use of privileged accounts (such as Windows local administrator, service or application accounts, UNIX root accounts, Cisco enable passwords and more). Used together, these tools provide secure access to privileged accounts and provide greater visibility to meet compliance mandates and detect internal network threats. The Secret Server Approach to Privileged Account Management Many environments that have strict Information Security policies also require methods to control and monitor access to privileged accounts. Enterprises often apply security policies such as physical access restrictions to hardware, network firewalls, appropriate-use guidelines, and user account restrictions. In the case of privileged accounts, access is more difficult to track and verify. Implementing privileged account management software such as Secret Server enables organizations to strictly control and track access. Enterprises that implement Secret Server gain the ability to grant or deny granular access to critical systems. When access is granted, use of that access is tracked based on a wide range of events. While alerting is core functionality within Secret Server, managing real-time events on the aggregate can be cumbersome. Leveraging Splunk to manage these real-time events allows users to build customized risk analysis into their privileged account management policies. Mitigating internal privilege account threats helps organizations meet compliance requirements like Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). Risks and Benefits: Unmanaged privileged accounts often enjoy unchecked access across a wide array of systems, networks, and databases. Unmitigated top-level access, in the wrong hands, can be devastating to an organization. The potential for liability is not limited to internal data and productivity loss, but can include criminal and civil penalties for unauthorized disclosure of private or regulated information. Implementing an enterprise-level privileged account management system (Secret Server) with a realtime event management system (Splunk) allows organizations to mitigate risk. Critical systems can only be accessed by pre-defined users. IT Security Auditors are able to track access based on the needs of the enterprise. Figure 1 depicts the general workflow around the relationship between these two technologies. Page1 Copyright 2012 Thycotic Software Ltd. Page 1 Revised: August 4, 2014

3 Initial Configuration and Event Log Analysis Use the steps below to configure Secret Server and Splunk in a matter of minutes. Exporting Logs from Secret Server To export event logs from Secret Server to Splunk, begin by logging in to Secret Server as an Administrator and click on Administration -> Configuration -> Edit -> Check the Enable Syslog/CEF Logging box -> Fill out Splunk Server IP & Port & Protocol TCP for this example (UDP works as well) -> Save. Data is immediately flowing to your Splunk instance. See Figure 1 below from the Secret Server Configuration menu. Figure 1 Configuring Splunk From the Home tab, click Add Data > Syslog > Consume syslog over TCP (UDP works as well) > select TCP Port > Source Type from list and syslog > Save. Note Your Splunk settings may differ, however the functionality remains the same. Figure 2 (on the next page) displays the first few events from Secret Server after configuration. Making use of Splunk Using Splunk s field extraction capabilities will allow easy correlation of Secret Server Syslog data. One example is to create a full_suser custom extraction field. This allows Splunk to extract fields that may have a space in the reported data, a user s full name in this case. This is due to the syslog format from Secret Server and the methods in which Splunk interprets the data. By default, Splunk is able to identify Secret Server users by their User ID as stored in the database which is represented as their user number. The Local Admin account first created during the Secret Server installation is User ID 2. To create a custom extraction field, click on the blue down arrow new to the line in any syslog entry (Figure 3). User this regex to extract the full user name (and ignore the space between first and last name): (?i) suser=(?p<full_suser>.+?)\s\s+= Page2 Copyright 2012 Thycotic Software Ltd. Page 2 Revised: August 4, 2014

4 Figure 2 Page3 Figure 3 Copyright 2012 Thycotic Software Ltd. Page 3 Revised: August 4, 2014

5 Use Case #1: Tracking Very Frequent Use One way to use this field is to create a Count-based table using the full_suser field extraction. Put the following term into the Search field in Splunk where INSTANCE is the Secret Server Syslog-specific data: source="instance" "SECRET - VIEW" stats count by suid,full_suser table suid full_suser count search count > 2 This should display a table similar to Figure 4 below: Figure 4 Use Case #2: Alerting for Unlimited Administration Mode Another important event to track is UNLIMITEDADMIN ENABLE. This event is an ideal candidate for a Real-Time Alert. Create an alert on this functionality by inputting this search in Splunk: source="instance" "UNLIMITEDADMIN - ENABLE" Next, click Create > Alert > Name your Alert > Select Trigger in real-time whenever a result matches > Next > Choose your actions ( is recommended in addition to any other actions you may wish to make) > Next > Choose a level of Sharing and finally click Finish. Splunk will now alert immediately when the event UNLIMITEDADMIN ENABLE is received from Secret Server. Your alert will be available in the Searches & Reports dropdown menu in Splunk. Additionally, this event has a field for Details that should be filled out by any Secret Server Admin who has the ability to enable Unlimited Administrator Mode. Page4 Copyright 2012 Thycotic Software Ltd. Page 4 Revised: August 4, 2014

6 Secret Server Syslog Explained Secret Server s detailed Syslog currently contains 44 different events tracking more than 20 unique data fields. Secret Server s Reported Events Table 1, on the following page, is a complete list of events in Secret Server s Syslog. Both the Event Name and Event ID are contained in the log as well as the data fields that apply to the event. Secret Server Data Fields Table 2, on the following page, is a complete list of data fields in Secret Server s Syslog. Only Data Fields relevant to the Event ID are included in the log. Some log entries may differ in terms of their field content, see examples below. Example Event #1: In this event, the Local Administrator account in Secret Server has edited the secret for a Brother Printer: Sep 06 17:15:04 THY221 CEF:0 Thycotic Software Secret Server SECRET - EDIT 2 msg=[secretserver] Event: [Secret] Action: [Edit] By User: Local Administrator Item Name: Brother HL-5370DW Container Name: Printers suid=2 suser=local Administrator src= rt=sep :15:02 fname=brother HL-5370DW filetype=secret fileid=2 cs3label=folder cs3=printers Example Event #2: In this event, the Local Administrator account in Secret Server has enabled Unlimited Administrator Mode: Sep 05 15:43:10 THY221 CEF:0 Thycotic Software Secret Server UNLIMITEDADMIN - ENABLE 4 msg=[secretserver] Event: [Unlimited Administrator] Action: [Enable] By User: Local Administrator suid=2 suser=local Administrator src= rt=sep :43:05 Page5 Copyright 2012 Thycotic Software Ltd. Page 5 Revised: August 4, 2014

7 Events Page6 Copyright 2012 Thycotic Software Ltd. Page 6 Revised: August 4, 2014

8 Conclusion Organizations that need to meet strict compliance requirements can implement privileged account management and real-time event analysis using Secret Server and Splunk. Integrating these two products allows enterprises to both manage their privileged accounts and correlate and reduce security threats within a network. About Thycotic Software: Thycotic Software, Ltd., a Washington DC-based company, is committed to providing password and AD group management solutions to IT administrators worldwide. With over 30,000 IT professionals using our IAM tools, Thycotic helps securely manage all credentials critical to an organization s operations. About Secret Server: Secret Server is an enterprise password management tool that is used to store, distribute, monitor, and update privileged / shared account passwords in a central, web-based location. For more information, visit About Splunk: Splunk is patented software with the flexibility to collect and index virtually any machine data. Splunk provides the scalability to handle massive live data streams from across the entire infrastructure and the power to provide deep drilldown, statistical analysis and real-time, custom dashboards for anyone in an organization. Splunk offers real-time security monitoring, historical analysis and visualization of massive data sets, providing security intelligence for both known and unknown threats. Splunk facilitates data exploration of incidents in real time to perform comprehensive incident investigations, maintain a proactive defense and support the creation of ad hoc reports in minutes. Taken from: Note: Terminology used in this document is based on the SANS Glossary of Security Terms available at Page7 Copyright 2012 Thycotic Software Ltd. Page 7 Revised: August 4, 2014