How To Use Splunk For Automated Regulatory Compliance PDF
John Stoner
– Federal Security Strategist
– 1.5 years at Splunk
– Formerly HP Enterprise Security (ArcSight), Symantec
Questions for You—Show of Hands
• Which of these words is in your title/department?
• Audit or compliance
• Security
Technical Controls
Technology:
• Logging/SIEM
• Strong passwords
• Anti-virus
• Encryption
• Segmented network
• Backup machines
People:
• Must have Compliance officer
• Must have IT Security team
Compliance Regulations and Frameworks
Many regulations to comply with & often overlap. Ideally 1 solution for all.
Often vague & a framework is used
Compliance Regulations
Governance Frameworks: CIS CSC, NIST 800, COSO, CoBIT
Splunk for Compliance
Solution: Splunk, the Platform for Machine Data
Splunk Can Complement OR Replace an Existing SIEM
Diagram: data sources feeding Splunk (Online Services, Badging records, Data Loss Prevention, Smartphones and Devices, Web Proxy, Desktops, Storage, File servers, Firewall, Authentication, Endpoint, VPN, Packaged Applications, Email servers, Databases, Custom Applications, Call Detail Records); Splunk functions (Logging / Investigate, Compliance Reporting, Monitor / Detect); External Lookups (Assets, Employees, Networks, Applications).
Use Case 1 – Logging / Investigate
• Centralized logging to meet compliance requirements
• Combine 1-3
• Alerts; optionally can initiate automated remediation
Splunk for Compliance Offerings
• Splunk App for PCI Compliance
• Splunk Enterprise Security
• Splunk User Behavior Analytics
• Other key apps: CIS CSC App for Splunk (SE), Qmulos Enterprise Compliance (NIST/FISMA, partner)
Splunk Spanning 5+ Regulations
– Ohio State Univ: 63k+ students, 32k+ employees, 14 colleges
– FERPA, HIPAA, PCI, FISMA, GLBA
– Very diverse, heterogeneous IT infrastructure
– Centralized logging of all security events for compliance and security
– Retain 700GB/day from thousands of sources for 92 days
PCI, HIPAA and Security/IT Ops
• The old way: Slow, manual, inefficient process
– One of the world’s largest food & drug retailers with 1600+ stores and 185k+ employees
– Much of the information needed for compliance was missing
– Manual correlation of data across thousands of machines and servers
– Too many tools deployed in their environment
Case Studies in Appendix
Recorded demos of Splunk Enterprise Security and Splunk App for PCI Compliance:
Splunk.com > Videos > Apps
Critical Security Controls: Formerly SANS 20
• Formerly maintained by NSA, consortium+SANS, and now Center for Internet Security (CIS)
• Why good?
– Covers people, process, technology
– Covers overall IT Security (not just specific industry or type of sensitive data)
– Very specific/prescriptive and focuses on most critical controls
– Real-world practitioners and the private sector helped write it
– Kept up-to-date with the changing times!
• A great starting point for a customer who does not yet know what they need to do for IT security or compliance
We wrote a book…
http://www.splunk.com/goto/Top20CSC
Splunk Helps You Meet All 20 of the CIS CSC
Chart labels: priority tiers Very High, High/Med, Med/Low; Splunk capabilities Report & Analyze, Search & Investigate; legend Verification, Execution, Verification & Execution, Support.
Controls shown: 1 Hardware Inventory, 4 Vulnerability Management, 5 Control Privileges, 6 Audit Logs, 8 Malware Defense, 13 Data Protection, 14 Controlled Access, 16 Account Monitoring, 19 Incident Response, 20 Pen Testing.
Technical Best Practices
Splunk Best Practices Specific to Compliance
• Work closely with audit before starting
• Measurable in machine data? > Determine data source > Write search/alert/report
• Measure processes? (reviewing reports, closing incidents, etc)
• Data enrichment
• External lookups of asset, identity and network information
• Why? Narrow down searches and reports to in-scope, high-criticality employees/assets, etc
• Modularize components
• Saved searches, macros, event types, tags
• Why? Re-use (overlapping controls) and changes only made in one place
Other Splunk Best Practices cont.
For speed and scale use:
• Scheduled searches
Popular Compliance Search cont…
2. Add Lookup definition
Popular Compliance Search cont…
3. Search
| metadata type=hosts index=criticalsystems
| lookup critical_systems Host_name AS host OUTPUT Host_name AS host
| search host=*
| eval last60=relative_time(now(), "-60m@m")
4. Visualize
| where lastTime < last60
| sort -lastTime
| convert ctime(lastTime) AS LastTimeLogged
| table host, LastTimeLogged
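The four-step search above, expressed in Python as an added example that is not from the deck, so the logic can be checked offline: load the lookup, compute each host's newest event time, and report in-scope hosts that have been silent for more than 60 minutes. It goes one step beyond the SPL by also listing lookup hosts that have never logged at all; the lookup columns, host names and timestamps are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed lookup table standing in for the slide's critical_systems
# lookup; only Host_name appears on the slide, the Owner column is assumed.
CRITICAL_SYSTEMS_CSV = """Host_name,Owner
pci-db01,payments
pci-web01,payments
hr-fileserver,hr
"""

# Constructed (host, UTC timestamp) pairs standing in for the raw events that
# `| metadata type=hosts index=criticalsystems` summarises per host.
EVENTS = [
    ("pci-db01", "2024-03-01T11:58:00Z"),
    ("pci-web01", "2024-03-01T10:15:00Z"),
    ("dev-box07", "2024-03-01T11:59:00Z"),  # not in the lookup: ignored
    ("pci-db01", "2024-03-01T09:00:00Z"),
]

def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_critical_hosts(csv_text):
    """Step 2 of the slide, the lookup definition, as a set of host names."""
    return {row["Host_name"] for row in csv.DictReader(io.StringIO(csv_text))}

def host_last_seen(events):
    """Equivalent of `metadata type=hosts`: newest event time per host."""
    last = {}
    for host, ts in events:
        t = parse_utc(ts)
        if host not in last or t > last[host]:
            last[host] = t
    return last

def silent_critical_hosts(events, csv_text, now_iso, window=timedelta(minutes=60)):
    """Lookup hosts whose newest event is older than the window (the slide's
    `where lastTime < last60`), most recently seen first. Lookup hosts with no
    events at all are appended as "never"; metadata alone cannot list those."""
    critical = load_critical_hosts(csv_text)
    last = host_last_seen(events)
    cutoff = parse_utc(now_iso).replace(second=0) - window  # relative_time(now(), "-60m@m")
    stale = sorted(((h, last[h]) for h in critical if h in last and last[h] < cutoff),
                   key=lambda r: r[1], reverse=True)
    never = [(h, None) for h in sorted(critical) if h not in last]
    return [(h, t.isoformat() if t else "never") for h, t in stale + never]
```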
Takeaways
• Log mgmt and review is typically required (Splunk!)
What Now?
• App Showcase: “Splunk for Compliance & Anti-Fraud” booth
COBIT: Intl IT governance framework that emphasizes regulatory compliance. Written by ISACA.
ITIL: Intl set of concepts and best practices for IT service mgmt, dev, ops. Security based on ISO 27001.
CIS Critical Security Controls: Intl, independent list of top 20 security controls for effective cyber defense. Formerly SANS 20.
SSAE 16: U.S./AICPA guidance to auditors when assessing internal controls of a service/outsourcing organization. Type I and II.
COSO: Intl frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
HITRUST CSF: U.S. security framework for the healthcare industry. Leverages other regs/standards like HIPAA, NIST, ISO, PCI, COBIT.
Splunk Benefits vs Traditional SIEMs
Better, faster, cheaper compliance
Splunk Compliance/Security Use Cases
Splunk Can Complement OR Replace an Existing SIEM
Endpoint Logs (sample event): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
Callouts: User Name; Rarely seen service
Capabilities called out: Statistical Outliers, Risk Scoring, User Activity, Threat Intel, Asset & Identity Integration
Splunk App for PCI Compliance
Pre-built searches, alerts, reports, dashboards, workflow, and more
Leading Utility Complying with NERC and SOX
Dignity Health Improves HIPAA Compliance
Splunk closes HIPAA compliance gaps
– Search data to instantly assess reports of ePHI leakage
– Meet HIPAA’s explicit log collection and monitoring requirements
– Complete data visibility across systems to respond to patient complaints
– Reduce level of exposure and risk of violations
“Splunk is the CHW standard for centralized event logging for HIPAA. It is a critical tool for monitoring access to information critical to our business, and most importantly to the privacy of our patients.”
Netsmart – ISO and SSAE 16
• The old way: Slow, difficult compliance process
– Netsmart is a SaaS provider to health care organizations
– Siloed logs, no unified view, no easy way to investigate incidents or correlate
– ISO and SSAE 16 compliance reporting was difficult
– Managing appropriate log access for IT staff was tedious
• The Splunk way: Fast ISO and SSAE16 compliance
– Troubleshooting, incident detection, requirements correlation, and reporting much faster
– Use the Splunk App for Enterprise Security to automate ISO compliance
– Comply with data retention & log review requirements
“Splunk has enabled us to be more proactive in managing our IT environment”
- Dir. Security & Compliance
Splunk Maps in Four Ways to Compliance
VERIFICATION: Ingest data from 3rd party sources, prove you are meeting this control
EXECUTION: Satisfy the control entirely with Splunk
VERIFICATION/EXECUTION: Splunk cannot execute entirely, but can do some of it, still need ingest of 3rd party
SUPPORT: Usually policy or procedure, Splunk useful tool for staff.
Can they help me become more “compliant”?
• There’s meaningful overlap. PCI and NERC-CIP are good examples…
• PCI: Malware. Default passwords. Audit logs.
• CIP: Known ports and services. Patch management. Security Event Monitoring.
• Diagram: recent scan activity (Identities, Network Devices, Servers) connects to the CMDB. Is the CMDB being updated from scans?
• Correlate fields found in machine data with CMDB fields
• Put DHCP logs in Splunk, just like CSC 1 says. They have hostname, MAC, ipaddress…
• Correlate DHCP logs against CMDB by MAC, find unauthorized devices
• Stream data has ip, mac, useragent from devices seen on network
• Use useragent data + ipaddress from Stream or proxy to find devices/browsers surfing that are not approved.
• Track multiple vendors for malware defense, aggregate their information.
• Drill down into specific malware found on endpoints or servers.
• Understand when systems are not being updated with new malware signatures
• We don’t talk about the ES reports enough…check out all of these malware reports…
• Here’s all the clients that need attention. Check out the four different vendors on one report…
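The CSC 1 step above (put DHCP logs in Splunk, correlate them against the CMDB by MAC, find unauthorized devices), worked in Python as an added example that is not from the deck. The CMDB columns, the ISC dhcpd log format and every address and host name are constructed; the point is the MAC normalisation and the one-row-per-unknown-device output.

```python
import csv
import io
import re

# Constructed CMDB export standing in for the deck's CMDB; column names assumed.
CMDB_CSV = """mac,hostname,owner
00:11:22:33:44:55,pci-web01,payments
00:11:22:33:44:66,hr-fileserver,hr
"""

# Constructed dhcpd syslog lines standing in for the deck's DHCP logs; they
# carry the hostname, MAC and IP address the slide points out. Note the
# dash-separated MAC and the lease with no client hostname.
DHCP_LOG = """\
Mar  1 11:58:01 dhcp01 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (pci-web01) via eth0
Mar  1 11:59:40 dhcp01 dhcpd: DHCPACK on 10.0.5.77 to 00-11-22-33-44-66 (HR-FILESERVER) via eth0
Mar  1 12:01:12 dhcp01 dhcpd: DHCPACK on 10.0.5.91 to aa:bb:cc:dd:ee:ff via eth0
Mar  1 12:02:05 dhcp01 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Mar  1 12:03:09 dhcp01 dhcpd: DHCPACK on 10.0.5.92 to AA:BB:CC:DD:EE:FF (visitor-laptop) via eth0
"""

ACK = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
                 r"to (?P<mac>[0-9A-Fa-f:-]{17})(?: \((?P<host>[^)]*)\))?")

def norm_mac(mac):
    """Join key: lower-case, colon-separated, so CMDB and DHCP spellings match."""
    return mac.lower().replace("-", ":")

def load_cmdb(csv_text):
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}

def unauthorized_devices(log_text, csv_text):
    """DHCPACK leases whose MAC is absent from the CMDB, one entry per MAC
    (first lease wins), keyed by normalised MAC."""
    known = load_cmdb(csv_text)
    seen = {}
    for line in log_text.splitlines():
        m = ACK.match(line)
        if not m:
            continue  # DISCOVER/REQUEST lines carry no lease; skip them
        mac = norm_mac(m["mac"])
        if mac in known or mac in seen:
            continue
        seen[mac] = {"first_seen": m["ts"], "ip": m["ip"], "hostname": m["host"] or ""}
    return seen
```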
CSC 5 “Execution” Example
USB ports are a common malware threat vector. Have the forwarder watch this entry for changes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Set that to “4” to disable USB.
[WinRegMon://hklm_usb]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UsbStor\\.*
proc = .*
type = set|create|delete|rename
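A defender-side check for the CSC 5 example above, added here and not part of the deck: parse registry-monitor events in the key=value style of the endpoint-log slide and flag any write that leaves the UsbStor Start value at something other than 4, i.e. USB storage turned back on. The field names come from that slide; the event values, process names and the DWORD encoding are constructed and assumed.

```python
import re

# Constructed registry-monitor events in the key=value style of the deck's
# endpoint-log slide (field names pid, process_image, registry_type, key_path,
# data_type, data are from that slide; value encodings are assumed).
REG_EVENTS = [
    r'08/09/2013 16:23:51.0128 pid=1300 process_image="C:\Windows\regedit.exe" '
    r'registry_type="SetValue" key_path="\REGISTRY\MACHINE\SYSTEM\CurrentControlSet'
    r'\Services\UsbStor\Start" data_type="REG_DWORD" data="0x00000004"',
    r'08/09/2013 16:31:07.0010 pid=2212 process_image="C:\Windows\regedit.exe" '
    r'registry_type="SetValue" key_path="\REGISTRY\MACHINE\SYSTEM\CurrentControlSet'
    r'\Services\UsbStor\Start" data_type="REG_DWORD" data="0x00000003"',
    r'08/09/2013 16:32:00.0000 pid=900 process_image="C:\Windows\svchost.exe" '
    r'registry_type="SetValue" key_path="\REGISTRY\MACHINE\SOFTWARE\Vendor\Level" '
    r'data_type="REG_DWORD" data="0x00000003"',
]

# The deck names the UsbStor service key and the value 4 that disables USB
# storage; Start is the standard name of that DWORD value.
USBSTOR_START = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start"
DISABLED = 4
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split a key=value event into a dict; the leading two tokens are the time."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    fields["_time"] = " ".join(line.split()[:2])
    return fields

def usbstor_reenabled(lines):
    """Return (time, process_image, new value) for every SetValue on the
    UsbStor Start value whose new value is not 4."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("registry_type") != "SetValue":
            continue
        if ev.get("key_path", "").lower() != USBSTOR_START.lower():
            continue
        value = int(ev["data"], 0)  # accepts "0x00000003" as well as "3"
        if value != DISABLED:
            hits.append((ev["_time"], ev["process_image"], value))
    return hits
```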
Splunk App for PCI Compliance
• Measures effectiveness and status of PCI compliance technical controls
Splunk FISMA App