Copyright 2013 Splunk Inc.
Patching, Alerting, BYOD and More: Managing Security in the Enterprise with Splunk Enterprise
Marquis Montgomery, CISSP, SSCP, GSEC
Senior Security Architect, CedarCrestone
#splunkconf
Meet CedarCrestone, Inc.
- Industry-focused consulting, technical, and managed services for the deployment, management, and optimization of applications and technology
- Founded in 1981; based in Atlanta, Georgia
- ERP Consulting & Managed Services Provider
- Specialists in
  - Oracle Applications Consulting
  - Strategy and Analytics Services
  - Hosted & Remote Managed Services
  - Implementation & Technical Solutions with a focus on EBS, PeopleSoft, Business Intelligence, Workday
- By the numbers
  - Host 700 different PeopleSoft environments / multiple versions
  - Hosting over 700 Oracle database instances
  - 1500+ servers / network devices
  - 53 hosted customers
Meet Marquis
- Senior Security Architect and Interim Manager, Managed Services Security
- 8 years coding experience
- Primary responsibilities include
  - Engineering enterprise technical security controls
  - Chief Splunker
  - Automation / Web App Development (Ruby on Rails)
  - Incident Response Lead
Agenda
- Life before Splunk
- BYOD and the Patching Problem
- Integrating Splunk Enterprise with the CMDB
- Firewall and IDP IP Address Identification
- Key Takeaways
- Q&A
Life Before Splunk
Life Before Splunk
- Previously had a traditional SIEM: many bugs, lost a lot of logs
- Other issues were:
  - Getting the right data out (retrieval) was painful
  - Example: SIEM provided canned reports
    - Data points, but no context: "Last hour: 50 failed logins." Yes, but??
    - Canned reports don't answer the questions: So what? Is this bad or good? Who's doing this? Why is this happening? How does this compare to X months ago?
- No way to collect PeopleSoft log data while supporting multiple versions
- Significant product bugs and QA issues
Life Before Splunk
Splunk Enterprise solved all of these issues for us, and brought along some compelling new ways to work with our data.
BYOD and the Patching Problem
BYOD and the Patching Problem
- CedarCrestone has always been a Bring Your Own Device environment (20+ years, and counting)
- CedarCrestone is entrusted with sensitive information in many business applications and databases owned by its clients
- One major tenet of good information security is proper OS and application patching (SANS Top 20 Controls)
- How do we ensure employee-owned machines are properly patched, even when they are at home or on a client site?
BYOD and the Patching Problem
- A brief explanation of Secunia PSI (www.secunia.com)
- A brief explanation of Secunia CSI (www.secunia.com)
- Custom Development (Ruby and Rails)
- Splunk DB Connect
BYOD and the Patching Problem
- We had to get creative with Secunia PSI, some custom development, and Splunk Enterprise to solve this problem
BYOD and the Patching Problem

Metric                    Risk                 What we look for
% Employees Patched       Unpatched Machines   Secunia Score
% Employees Encrypted     Data Loss            OS Settings
% Employees With AV       Malicious Code       Installed Programs
% Employees Without DLP   Data Loss            Installed Programs

- Reported to business units and executives monthly
Let's Explore some Data: DEMO
Integrating Splunk with the CMDB
Integrating Splunk With the CMDB
- Most enterprises have a CMDB or an asset management database to help organize IT assets like servers, applications and network devices
- The CedarCrestone security team referenced this type of information regularly when investigating events in Splunk
- Wouldn't it be nice if Splunk Enterprise showed us all the relevant info from asset management and the CMDB automatically?
How to Integrate With the CMDB
- Use Splunk DB Connect to explore your CMDB/asset database and develop SQL that returns the info you care about
- Create a saved search that runs on an interval, and pipe the results of your DB Connect search to the outputlookup command to generate a constantly updated lookup table
- Create an automatic lookup that runs your lookup table against the data you are exploring, and enjoy details from the CMDB as fields in your search (where a matching record exists)
Let's Explore some Data: DEMO
Firewall and IDP IP Address Identification
Firewall and IDP IP Address Identification
- Problem: when exploring firewall and IDP data in Splunk, you have to deal with identifying a mountain of IP addresses on your own
- Solution: use Splunk DB Connect and lookup tables to generate your own up-to-date list of IP addresses and descriptions
- Enjoy having your Splunk events automatically tagged with fields from your asset database as you investigate, correlate, and explore your data
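The DB Connect, outputlookup and automatic-lookup steps from the CMDB section, and the same pattern applied to firewall/IDP IP addresses here, written out as Splunk configuration stanzas. This is an added example, not configuration from the presentation or from CedarCrestone: the DB Connect connection name cmdb, the assets table and its columns, the sourcetype names my_server_sourcetype and my_firewall_sourcetype, and the event field names src_ip and dest_ip are all assumptions, and the dbquery syntax is that of DB Connect 1.x (current in 2013), which later DB Connect releases replaced with dbxquery. It also includes a scheduled check for source IPs that never matched an asset record, which is the caveat hidden in "if they exist": an automatic lookup silently adds nothing to events the CMDB does not know about.

```ini
# --- savedsearches.conf ---
# Steps 1 and 2: query the CMDB through DB Connect on a schedule and pipe
# the rows into outputlookup. Connection name "cmdb", table "assets" and its
# columns are assumptions; adjust to your own schema. "dbquery" is the
# DB Connect 1.x search command (later releases use dbxquery).
[cmdb_assets_refresh]
search = | dbquery cmdb "SELECT hostname AS host, ip_address AS ip, owner, application, environment FROM assets WHERE status = 'active'" | outputlookup cmdb_assets.csv
cron_schedule = 0 * * * *
enableSched = 1

# Coverage check: firewall sources with no CMDB row after enrichment. A
# growing list means the asset database is incomplete or the IP plan has
# drifted. src_ip/dest_ip are assumed firewall field names.
[cmdb_unmatched_src_ips]
search = sourcetype=my_firewall_sourcetype NOT src_owner=* | stats count AS events, dc(dest_ip) AS targets BY src_ip | sort - events
cron_schedule = 0 6 * * *
enableSched = 1
dispatch.earliest_time = -24h
dispatch.latest_time = now

# --- transforms.conf ---
# Step 3a: register the generated CSV as a lookup table.
[cmdb_assets]
filename = cmdb_assets.csv
max_matches = 1

# --- props.conf ---
# Step 3b: automatic lookups. Server logs match on host; firewall/IDP events
# match the CSV "ip" column against src_ip and dest_ip. OUTPUTNEW leaves any
# existing field untouched, and events with no matching row get no new fields.
[my_server_sourcetype]
LOOKUP-cmdb_host = cmdb_assets host OUTPUTNEW owner application environment

[my_firewall_sourcetype]
LOOKUP-cmdb_src = cmdb_assets ip AS src_ip OUTPUTNEW owner AS src_owner application AS src_application environment AS src_environment
LOOKUP-cmdb_dest = cmdb_assets ip AS dest_ip OUTPUTNEW owner AS dest_owner application AS dest_application environment AS dest_environment
```

Deploy the stanzas in an app on the search head. Because the automatic lookup only decorates events whose host or IP has a row in cmdb_assets.csv, the unmatched-IP report is worth reviewing after each refresh: it is the quickest way to see which parts of the network the asset database does not describe.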
Let's Explore some Data: DEMO
Key Takeaways
Key Takeaways
- Splunk Enterprise ships with many useful and interesting ways to explore, correlate, analyze and report on your data
- Take advantage of some of the useful search knowledge tools like DB Connect and lookup tables to enhance the convenience of exploring data in Splunk
- Think outside of the box and get creative: Splunk Enterprise has the power and flexibility to allow you to do what you need to
What's Next
- Validation of PC encryption settings (custom agent reporting to Splunk)
- Merging asset, patching, and vulnerability management systems for trend analysis and outliers
- Tracking user acceptance of our custom Security Portal
Thank You!
Marquis Montgomery, CISSP, SSCP, GSEC
Senior Security Architect, CedarCrestone
marquis.montgomery@cedarcrestone.com
@trademarq