Secret Server Splunk Integration Guide




Table of Contents

Meeting Information Security Compliance Mandates: Secret Server and Splunk SIEM Integration and Configuration
The Secret Server Approach to Privileged Account Management
Risks and Benefits
Initial Configuration and Event Log Analysis
Exporting Logs from Secret Server
Configuring Splunk
Making use of Splunk
Use Case #1: Tracking Very Frequent Use
Use Case #2: Alerting for Unlimited Administration Mode
Secret Server Syslog Explained
Secret Server's Reported Events
Secret Server Data Fields
Events
Conclusion

Meeting Information Security Compliance Mandates: Secret Server and Splunk SIEM Integration and Configuration

Leveraging Secret Server event data with Splunk SIEM solutions can give organizations deep insight into the use of privileged accounts (such as Windows local administrator, service or application accounts, UNIX root accounts, Cisco enable passwords and more). Used together, these tools provide secure access to privileged accounts and greater visibility to meet compliance mandates and detect internal network threats.

The Secret Server Approach to Privileged Account Management

Many environments that have strict Information Security policies also require methods to control and monitor access to privileged accounts. Enterprises often apply security policies such as physical access restrictions to hardware, network firewalls, appropriate-use guidelines, and user account restrictions. In the case of privileged accounts, access is more difficult to track and verify. Implementing privileged account management software such as Secret Server enables organizations to strictly control and track access.

Enterprises that implement Secret Server gain the ability to grant or deny granular access to critical systems. When access is granted, use of that access is tracked based on a wide range of events. While alerting is core functionality within Secret Server, managing real-time events in the aggregate can be cumbersome. Leveraging Splunk to manage these real-time events allows users to build customized risk analysis into their privileged account management policies. Mitigating internal privileged account threats helps organizations meet compliance requirements such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA).
Risks and Benefits

Unmanaged privileged accounts often enjoy unchecked access across a wide array of systems, networks, and databases. Unmitigated top-level access, in the wrong hands, can be devastating to an organization. The potential for liability is not limited to internal data and productivity loss, but can include criminal and civil penalties for unauthorized disclosure of private or regulated information. Implementing an enterprise-level privileged account management system (Secret Server) with a real-time event management system (Splunk) allows organizations to mitigate risk. Critical systems can only be accessed by pre-defined users. IT Security Auditors are able to track access based on the needs of the enterprise. Figure 1 depicts the general workflow around the relationship between these two technologies.

Copyright 2012 Thycotic Software Ltd. Revised: August 4, 2014

Initial Configuration and Event Log Analysis

Use the steps below to configure Secret Server and Splunk in a matter of minutes.

Exporting Logs from Secret Server

To export event logs from Secret Server to Splunk, begin by logging in to Secret Server as an Administrator and click Administration -> Configuration -> Edit -> check the Enable Syslog/CEF Logging box -> fill out the Splunk Server IP, Port and Protocol (TCP for this example; UDP works as well) -> Save. Data is immediately flowing to your Splunk instance. See Figure 1 below from the Secret Server Configuration menu.

Figure 1

Configuring Splunk

From the Home tab, click Add Data > Syslog > Consume syslog over TCP (UDP works as well) > select the TCP Port > select the Source Type from the list (syslog) > Save. Note: your Splunk settings may differ; however, the functionality remains the same. Figure 2 displays the first few events from Secret Server after configuration.

Making use of Splunk

Using Splunk's field extraction capabilities will allow easy correlation of Secret Server Syslog data. One example is to create a full_suser custom extraction field. This allows Splunk to extract fields that may have a space in the reported data, a user's full name in this case. This is necessary because of the syslog format from Secret Server and the way Splunk interprets the data. By default, Splunk is able to identify Secret Server users by their User ID as stored in the database, which is represented as their user number. The Local Admin account first created during the Secret Server installation is User ID 2. To create a custom extraction field, click on the blue down arrow next to the line in any syslog entry (Figure 3). Use this regex to extract the full user name (and ignore the space between first and last name):

(?i) suser=(?P<full_suser>.+?)\s\S+=

Figure 2

Figure 3

Use Case #1: Tracking Very Frequent Use

One way to use this field is to create a count-based table using the full_suser field extraction. Put the following search into the Search field in Splunk, where INSTANCE is the source of the Secret Server Syslog-specific data:

source="INSTANCE" "SECRET - VIEW" | stats count by suid,full_suser | table suid full_suser count | search count > 2

This should display a table similar to Figure 4 below:

Figure 4

Use Case #2: Alerting for Unlimited Administration Mode

Another important event to track is UNLIMITEDADMIN - ENABLE. This event is an ideal candidate for a Real-Time Alert. Create an alert on this functionality by entering this search in Splunk:

source="INSTANCE" "UNLIMITEDADMIN - ENABLE"

Next, click Create > Alert > name your Alert > select Trigger in real-time whenever a result matches > Next > choose your actions (email is recommended in addition to any other actions you may wish to take) > Next > choose a level of Sharing and finally click Finish. Splunk will now alert immediately when the event UNLIMITEDADMIN - ENABLE is received from Secret Server. Your alert will be available in the Searches & Reports dropdown menu in Splunk. Additionally, this event has a Details field that should be filled out by any Secret Server Admin who has the ability to enable Unlimited Administrator Mode.

Secret Server Syslog Explained

Secret Server's detailed Syslog currently contains 44 different events tracking more than 20 unique data fields.

Secret Server's Reported Events

Table 1, on the following page, is a complete list of events in Secret Server's Syslog. Both the Event Name and Event ID are contained in the log, as well as the data fields that apply to the event.

Secret Server Data Fields

Table 2, on the following page, is a complete list of data fields in Secret Server's Syslog. Only data fields relevant to the Event ID are included in the log. Some log entries may differ in terms of their field content; see the examples below.

Example Event #1: In this event, the Local Administrator account in Secret Server has edited the secret for a Brother Printer:

Sep 06 17:15:04 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10005|SECRET - EDIT|2|msg=[secretserver] Event: [Secret] Action: [Edit] By User: Local Administrator Item Name: Brother HL-5370DW Container Name: Printers suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 06 2012 17:15:02 fname=Brother HL-5370DW fileType=Secret fileId=2 cs3Label=Folder cs3=Printers

Example Event #2: In this event, the Local Administrator account in Secret Server has enabled Unlimited Administrator Mode:

Sep 05 15:43:10 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10014|UNLIMITEDADMIN - ENABLE|4|msg=[secretserver] Event: [Unlimited Administrator] Action: [Enable] By User: Local Administrator suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 05 2012 15:43:05
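As an added example (not code from the guide, Thycotic or Splunk), this Python script parses syslog/CEF lines of the shape shown in the two example events, applies the guide's full_suser regex from "Making use of Splunk", generalises the same read-to-the-next-key rule to every extension field, and reproduces use case #1 (SECRET - VIEW count greater than 2 per suid/full_suser) and use case #2 (flagging every UNLIMITEDADMIN - ENABLE) over constructed sample events. The host THY221 and the Local Administrator events mirror the guide; the IP 192.168.0.22, the user Jane Doe and the signature ID 10000 for SECRET - VIEW are assumptions.

```python
import re
from collections import Counter

# Constructed sample events in the CEF shape Secret Server emits (compare the two
# example events in the guide). The host, IPs and the user "Jane Doe" are made up,
# and 10000 is a placeholder signature ID: the guide does not list SECRET - VIEW's.
SAMPLE_LOG = """\
Sep 06 17:10:01 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10000|SECRET - VIEW|2|msg=[secretserver] Event: [Secret] Action: [View] By User: Local Administrator Item Name: Brother HL-5370DW suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 06 2012 17:10:00 fname=Brother HL-5370DW fileType=Secret fileId=2
Sep 06 17:11:01 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10000|SECRET - VIEW|2|msg=[secretserver] Event: [Secret] Action: [View] By User: Local Administrator Item Name: Brother HL-5370DW suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 06 2012 17:11:00 fname=Brother HL-5370DW fileType=Secret fileId=2
Sep 06 17:12:01 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10000|SECRET - VIEW|2|msg=[secretserver] Event: [Secret] Action: [View] By User: Local Administrator Item Name: Brother HL-5370DW suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 06 2012 17:12:00 fname=Brother HL-5370DW fileType=Secret fileId=2
Sep 06 17:13:01 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10000|SECRET - VIEW|2|msg=[secretserver] Event: [Secret] Action: [View] By User: Jane Doe Item Name: Brother HL-5370DW suid=5 suser=Jane Doe src=192.168.0.22 rt=Sep 06 2012 17:13:00 fname=Brother HL-5370DW fileType=Secret fileId=2
Sep 06 17:15:04 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10005|SECRET - EDIT|2|msg=[secretserver] Event: [Secret] Action: [Edit] By User: Local Administrator Item Name: Brother HL-5370DW Container Name: Printers suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 06 2012 17:15:02 fname=Brother HL-5370DW fileType=Secret fileId=2 cs3Label=Folder cs3=Printers
Sep 05 15:43:10 THY221 CEF:0|Thycotic Software|Secret Server|7.8.000062|10014|UNLIMITEDADMIN - ENABLE|4|msg=[secretserver] Event: [Unlimited Administrator] Action: [Enable] By User: Local Administrator suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 05 2012 15:43:05
"""

# The guide's Splunk extraction for full_suser: a value such as "Local Administrator"
# contains a space, so read lazily up to the next "key=" token, not the next space.
FULL_SUSER_RE = re.compile(r"(?i) suser=(?P<full_suser>.+?)\s\S+=")
EXT_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # same rule for every field (added here)

def parse_cef(line):
    """Split one syslog/CEF line into its header fields plus extension key=values."""
    parts = line[line.index("CEF:"):].split("|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record: " + line[:60])
    event = dict(zip(("vendor", "product", "version", "signature_id", "name", "severity"), parts[1:7]))
    event.update(EXT_FIELD_RE.findall(parts[7]))  # extension pairs, values may hold spaces
    return event

def extract_full_suser(line):
    """Apply the guide's full_suser regex; None when the line carries no suser=."""
    m = FULL_SUSER_RE.search(line)
    return m.group("full_suser") if m else None

def parse_log(text):
    return [parse_cef(l) for l in text.splitlines() if "CEF:" in l]

def frequent_viewers(events, threshold=2):
    """Use case #1: SECRET - VIEW count per (suid, suser), keeping count > threshold."""
    counts = Counter((e["suid"], e["suser"]) for e in events if e["name"] == "SECRET - VIEW")
    return {who: n for who, n in counts.items() if n > threshold}

def unlimited_admin_enables(events):
    """Use case #2: the (suser, src, rt) of every UNLIMITEDADMIN - ENABLE event."""
    return [(e["suser"], e["src"], e["rt"]) for e in events if e["name"] == "UNLIMITEDADMIN - ENABLE"]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(frequent_viewers(evs), unlimited_admin_enables(evs))
```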

Events

Conclusion

Organizations that need to meet strict compliance requirements can implement privileged account management and real-time event analysis using Secret Server and Splunk. Integrating these two products allows enterprises to both manage their privileged accounts and correlate and reduce security threats within a network.

About Thycotic Software: Thycotic Software, Ltd., a Washington DC-based company, is committed to providing password and AD group management solutions to IT administrators worldwide. With over 30,000 IT professionals using our IAM tools, Thycotic helps securely manage all credentials critical to an organization's operations.

About Secret Server: Secret Server is an enterprise password management tool that is used to store, distribute, monitor, and update privileged / shared account passwords in a central, web-based location. For more information, visit http://thycotic.com/products/secret-server/.

About Splunk: Splunk is patented software with the flexibility to collect and index virtually any machine data. Splunk provides the scalability to handle massive live data streams from across the entire infrastructure and the power to provide deep drilldown, statistical analysis and real-time, custom dashboards for anyone in an organization. Splunk offers real-time security monitoring, historical analysis and visualization of massive data sets, providing security intelligence for both known and unknown threats. Splunk facilitates data exploration of incidents in real time to perform comprehensive incident investigations, maintain a proactive defense and support the creation of ad hoc reports in minutes. Taken from: http://www.splunk.com/web_assets/pdfs/secure/splunk_company_overview.pdf

Note: Terminology used in this document is based on the SANS Glossary of Security Terms available at http://www.sans.org/security-resources/glossary-of-terms/