Copyright © 2016 Splunk Inc.

How to Use Splunk for Automated Regulatory Compliance
Joe Goldberg
Product Marketing, Splunk
John Stoner
Federal Security Strategist, Splunk
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make. In addition,
any information about our roadmap outlines our general product direction and is subject to change at
any time without notice. It is for informational purposes only and shall not be incorporated into any
contract or other commitment. Splunk undertakes no obligation either to develop the features or
functionality described or to include any such feature or functionality in a future release.
Personal introduction
Joe Goldberg
– Product marketing for compliance, cybersecurity, anti-fraud
– 4.5 years at Splunk
– Previously Symantec, VMware, Sun

John Stoner
– Federal Security Strategist
– 1.5 years at Splunk
– Formerly HP Enterprise Security (ArcSight), Symantec

Questions for You—Show of Hands
• Which of these words is in your title/department?
  – Audit or compliance
  – Security
• Who needs to comply with
  – PCI
  – HIPAA
  – FISMA
  – NERC
  – SOX
  – GLBA
Agenda
Compliance 101
Splunk for Compliance, use cases, case studies
Demos
Technical Best Practices
Compliance 101
Goal of Compliance: Protect Information/Systems
All Three Often Covered in A Single Regulation/Framework (the CIA Triad)

Confidentiality: Private/Not Stolen
• Credit cards (PCI)
• Personal data (GLBA, GDPR, FISMA, RMF)
• Healthcare info (HIPAA)
• Intellectual property

Availability: Accessible/Reliable
• Electric grid (NERC)
• Processing systems (GDPR)
• Critical systems (FISMA, RMF)

Integrity: Accurate/Unchanged
• Financial statements (SoX)
• Personal data (FISMA, RMF, GDPR)
• Healthcare info (HIPAA)
Controls: How to Protect
Splunk Enables Compliance; Not = Compliance

Non-technical Controls
Process
• Process to detect/respond to threats
• Incident response process
• Locks on cabinets and doors
• Paper policies
People
• Must have Compliance officer
• Must have IT Security team

Technical Controls
Technology
• Logging/SIEM
• Strong passwords
• Anti-virus
• Encryption
• Segmented network
• Backup machines
Compliance Regulations and Frameworks
Many regulations to comply with, and they often overlap. Ideally 1 solution for all.
Regulations are often vague, so a framework is used.

Compliance Regulations: PCI, HIPAA, FISMA, GLBA, NERC, SSAE16, SOX, EU Data Directive / GDPR, State Privacy
Governance Frameworks: CIS CSC, NIST 800, COSO, CoBIT
Splunk for Compliance
Solution: Splunk, the Platform for Machine Data
Splunk Can Complement OR Replace an Existing SIEM

(Slide diagram) Machine data sources feeding Splunk: Online Services, Badging records, Data Loss Prevention, Smartphones and Devices, Web Proxy, Desktops, Storage, File servers, Firewall, Authentication, Endpoint, VPN, Packaged Applications, Email servers, Databases, Call Detail Records, Custom Applications.
External Lookups: Assets, Employees, Networks, Applications.
Use cases on top of the platform: Logging / Investigate; Compliance Reporting; Monitor / Detect.
Use Case 1 – Logging / Investigate
• Centralized logging to meet compliance requirements
• Investigate security threats or data loss
• Need all the original data and a fast way to pivot through it
(Slide shows a January–April timeline of retained events and sample raw syslog events: a mail server "client=unknown[...]" line, a "truncating integer value > 32 bits" error and a DHCPACK lease message.)
Use Case 2 – Compliance and Security Reporting
• Show auditors compliance against technical controls
• Many types of visualizations
Use Case 3 - Monitoring / Detection
Many regulations require “continuous monitoring”
1. Correlations/patterns: A AND B NOT C = THREAT
2. Anomalies/outliers off baseline
3. Risk scoring

Asset Risk Scoring
Asset        IPS risk score   AV risk score   Threat Intel   Total
Server 12    0                2               0              2
Server 8     6                9               20             35
Endpoint 35  1                3               1              5

• Combine 1-3
• Alerts; optionally can initiate automated remediation
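The three techniques above, combined the way the slide suggests, as an added Python example (not Splunk's code and not from the deck). The detections reproduce the table's per-source scores; the asset lookup (criticality and audit scope) and the daily activity baselines are constructed.

```python
import statistics
from collections import defaultdict

SOURCES = ("ips", "av", "threat_intel")

# Constructed per-source detections (asset, source, score); the values
# reproduce the slide's Asset Risk Scoring table.
DETECTIONS = [
    ("Server 12", "av", 2),
    ("Server 8", "ips", 6), ("Server 8", "av", 9), ("Server 8", "threat_intel", 20),
    ("Endpoint 35", "ips", 1), ("Endpoint 35", "av", 3), ("Endpoint 35", "threat_intel", 1),
]

# Constructed asset lookup (the "external lookups of asset information" best
# practice): a criticality multiplier and whether the asset is in audit scope.
ASSET_LOOKUP = {
    "Server 8": {"criticality": 2.0, "in_scope": True},
    "Server 12": {"criticality": 1.0, "in_scope": True},
    "Endpoint 35": {"criticality": 1.0, "in_scope": False},
}

# Constructed activity baselines: (event counts on previous days, today's count).
BASELINES = {
    "Server 12": ([100, 110, 95, 105, 90], 400),  # today is far above baseline
    "Server 8": ([100, 110, 95, 105, 90], 101),
}


def score_assets(detections):
    """Technique 3: sum per-source scores into one row per asset, as in the table."""
    rows = defaultdict(lambda: {s: 0 for s in SOURCES})
    for asset, source, score in detections:
        rows[asset][source] += score
    for row in rows.values():
        row["total"] = sum(row[s] for s in SOURCES)
    return dict(rows)


def anomaly_bonus(history, today, k=2.0, bonus=10):
    """Technique 2: add risk when today's count exceeds mean + k*stdev of history."""
    if today > statistics.fmean(history) + k * statistics.pstdev(history):
        return bonus
    return 0


def prioritise(rows, lookup, baselines, threshold=10):
    """Combine 1-3: weight by criticality, drop out-of-scope assets, add the
    anomaly bonus and return (asset, score) pairs that deserve an alert."""
    alerts = []
    for asset, row in rows.items():
        info = lookup.get(asset, {"criticality": 1.0, "in_scope": True})
        if not info["in_scope"]:
            continue
        score = row["total"] * info["criticality"]
        if asset in baselines:
            score += anomaly_bonus(*baselines[asset])
        if score >= threshold:
            alerts.append((asset, score))
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    for asset, score in prioritise(score_assets(DETECTIONS), ASSET_LOOKUP, BASELINES):
        print(f"ALERT {asset}: risk {score}")
```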
Splunk for Compliance Offerings
• Splunk App for PCI Compliance
• Splunk Enterprise Security
• Splunk User Behavior Analytics
• Other key apps
  – CIS CSC App for Splunk (SE)
  – Qmulos Enterprise Compliance (NIST/FISMA, partner)
  – HIPAA Privacy & Security (partner)
Splunk Spanning 5+ Regulations
• Ohio State Univ: 63k+ students, 32k+ employees, 14 colleges
  – FERPA, HIPAA, PCI, FISMA, GLBA
  – Very diverse, heterogeneous IT infrastructure
  – Centralized logging of all security events for compliance and security
  – Retain 700GB/day from thousands of sources for 92 days

• FIS: 30k+ employees, technology provider to banking industry
  – FFIEC, GLBA, SOX, PCI, SSAE 16. All require log monitoring.
  – Prior solutions were cumbersome and not very useful
  – With Splunk: advanced investigations, many reports & dashboards, proactive monitoring & alerting
  – Splunk also used for IT Ops, App Dev, capacity planning
PCI, HIPAA and Security/IT Ops
• The old way: Slow, manual, inefficient process
  – One of the world’s largest food & drug retailers with 1600+ stores and 185k+ employees
  – Much of the information needed for compliance was missing
  – Manual correlation of data across thousands of machines and servers
  – Too many tools deployed in their environment

• The Splunk way: Better compliance, security, and operational efficiencies
  – Centralized logging of all required machine data and full visibility
  – Retain 300GB/day from 10k+ sources for 90 days
  – Fast searching, reporting, and analytics
  – Was able to retire multiple SIEMs
  – Use Splunk for security, IT ops, and business analytics
Case Studies in Appendix
Cover HIPAA, NERC, SOX, ISO, SSAE 16

Demos
• CIS Critical Security Controls mapped to:
  – Splunk Enterprise Security
  – CIS CSC App for Splunk
  – Splunk User Behavior Analytics
• Splunk App for PCI Compliance

Demo Time
(Slide contrasts Splunk with a traditional SIEM.)
Recorded demos of Splunk Enterprise Security and Splunk App for PCI Compliance:
Splunk.com > Videos > Apps
Critical Security Controls: Formerly SANS 20
• Formerly maintained by NSA, consortium+SANS, and now Center for
Internet Security (CIS)
• Why good?
– Covers people, process, technology
– Covers overall IT Security (not just specific industry or type of sensitive data)
– Very specific/prescriptive and focuses on most critical controls
– Real-world practitioners and the private sector helped write it
– Kept up-to-date with the changing times!
• A great starting point for a customer who is clueless about what they need to do for IT security or compliance
We wrote a book…
http://www.splunk.com/goto/Top20CSC
Splunk Helps You Meet All 20 of the CIS CSC
(Slide diagram: the 20 controls are arranged around the Splunk lifecycle (Index Data; Search & Investigate; Report & Analyze; Monitor, Alert, Remediate; Add Knowledge) and grouped by priority tier: VERY HIGH, HIGH, HIGH/MED, MEDIUM, MED/LOW. Each control is colour-coded by how Splunk maps to it: Verification, Execution, Verification & Execution, or Support.)
Controls shown: 1 Hardware Inv, 2 Software Inv, 3 Secure Host Config, 4 Vuln Management, 5 Control Privs, 6 Audit Logs, 7 Email & Web, 8 Malware Defense, 9 Net Limits, 10 Data Recovery, 11 Secure Net Config, 12 Boundary Defense, 13 Data Protection, 14 Controlled Access, 15 Secure Wireless, 16 Acct Monitoring, 17 Skills Assessment, 18 Secure Apps, 19 Incident Response, 20 Pen Testing.
Technical Best Practices
Splunk Best Practices Specific to Compliance
• Work closely with audit before starting
• Is the control measurable in machine data? If so: determine the data source, then write the search/alert/report
• Measure processes too (reviewing reports, closing incidents, etc)

• Data enrichment
  • External lookups of asset, identity and network information
  • Why? Narrow down searches and reports to in-scope, high-criticality employees/assets, etc

• Put a text description of the control(s) at the top of the dashboard
Splunk Best Practices Specific to Compliance cont.
• Use RBAC to control who can see/do what with machine data
• Configure data retention time per index for compliance requirements
• Consider a TSIDX retention policy to reduce storage space 33-66%
• Run searches on indexed data to ensure no PII or sensitive info
• Use the data integrity control feature if data integrity is required
Other Splunk Best Practices
• Use Tech Add-Ons on Splunkbase
• Try to use the Common Information Model
• Modularize components
  • Saved searches, macros, event types, tags
  • Why? Re-use (overlapping controls) and changes only made in one place
Other Splunk Best Practices cont.
For speed and scale use:
• Scheduled searches
• Data summarization, esp. if the search covers long time periods:
  • Report acceleration
  • Summary indexes
  • Data model acceleration (High Performance Analytics Store (HPAS) / TSIDX files)
• Key-Value (KV) Store
• See session PPT: David Veuve – How to Scale: _raw to tstats
Popular Compliance Search
• Detect when a critical system stops sending logs for > 60 min
• Detail at Splunk.com > Solutions > Security, Compliance & Fraud > Security and Fraud Use Cases

1. Create Lookup File (a CSV of critical systems with a Host_name column)

Popular Compliance Search cont…
2. Add Lookup definition (named critical_systems)
Popular Compliance Search cont…
3. Search
| metadata type=hosts index=criticalsystems
| lookup critical_systems Host_name as host OUTPUT Host_name as host
| search host=*
| eval last60=relative_time(now(),"-60m@m")

The metadata command returns the last time each host was seen in the index (the lastTime field). The lookup restricts results to hosts listed in the critical_systems lookup: rows with no match lose their host value, and search host=* then drops them. last60 is the epoch time 60 minutes ago, snapped down to the minute.

4. Visualize
| convert ctime(lastTime) as LastTimeLogged
| where lastTime < last60
| table host, LastTimeLogged
| sort -LastTimeLogged

convert ... as LastTimeLogged writes the human-readable time to a new field and leaves lastTime in place, so the where clause still compares epoch values.
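The same detection as an added Python example (not the deck's or Splunk's code); the metadata rows, the critical_systems lookup and the current time are constructed. It goes one step beyond the SPL above: a critical host that has never sent anything is invisible to the metadata command, so the lookup side is walked as well and such hosts are reported as never logged.

```python
import time

NOW = 1467360000  # constructed "now": 2016-07-01 08:00:00 UTC, a whole minute

# Constructed rows as "| metadata type=hosts index=criticalsystems" returns them.
METADATA = [
    {"host": "db01", "lastTime": NOW - 120},
    {"host": "web01", "lastTime": NOW - 3 * 3600 - 15},
    {"host": "lab99", "lastTime": NOW - 10 * 3600},  # not a critical system
]

# Constructed critical_systems lookup (the Host_name column of the CSV).
CRITICAL_HOSTS = ["db01", "web01", "hsm01"]  # hsm01 has never logged at all


def cutoff_epoch(now, minutes=60):
    """Mirror relative_time(now(), "-60m@m"): go back, then snap down to the minute."""
    return (now - minutes * 60) // 60 * 60


def silent_critical_hosts(metadata, critical, now, minutes=60):
    """Return (host, lastTime) for critical hosts silent for longer than `minutes`.
    lastTime is None for hosts that never appeared in the index at all."""
    last_seen = {row["host"]: row["lastTime"] for row in metadata}
    cutoff = cutoff_epoch(now, minutes)
    silent = []
    for host in critical:
        last = last_seen.get(host)
        if last is None or last < cutoff:
            silent.append((host, last))
    # never-seen hosts first, then the longest-silent ones
    return sorted(silent, key=lambda h: (h[1] is not None, h[1] or 0))


def report(silent):
    """Format like the slide's table: host and LastTimeLogged (ctime) or 'never'."""
    lines = []
    for host, last in silent:
        when = "never" if last is None else time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(last))
        lines.append(f"{host}\t{when}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(silent_critical_hosts(METADATA, CRITICAL_HOSTS, NOW))))
```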
Takeaways
• Log mgmt and review is typically required (Splunk!)
• Splunk enables faster, better, cheaper compliance
• Splunk is a single platform to help across multiple regulations
What Now?
• App Showcase: “Splunk for Compliance & Anti-Fraud” booth
• Session: “Avoid Fines and Save Money! Automating Regulatory Compliance with Qmulos” Thurs, 2:35-3:20 PM
• Web site: Information, Solution Guide, CIS book, demo
  – Splunk.com > Solutions > Security, Compliance and Fraud > Compliance
• Contact sales team at Splunk.com > Contact Us

Q&A
THANK YOU
Appendix
External Compliance Regulations
(Table columns: Reg | Type | Who Applies To | Protects | How | Penalties)

PCI
Type: Industry, Global
Who Applies To: Every financial services firm, retailer, or service provider who issues, accepts, captures, stores, transmits, or processes credit card data
Protects: Credit cardholder information. Ex: CCN, magnetic stripe data
How: 12 broad technical requirements, each with sub-reqs. The most IT-specific regulation
Penalties: Fines up to $500k/violation. Suspension of credit card capabilities. Varies by brand

HIPAA
Type: Govt, US
Who Applies To: Any healthcare provider, hospital, company, or government agency that stores, manages or communicates any employee health related information
Protects: Protected Health Information (PHI). Ex: medical records number, medical diagnosis of a condition, procedure codes on claim forms
How: The “Security Rule” gives guidance. Recommend NIST 800-66
Penalties: Fines up to $1.5M per year per provision. Possible criminal prosecution by DOJ

GLBA
Type: Govt, US
Who Applies To: Any company that provides a range of financial products and services to consumers (banks, brokerages, insurance, etc)
Protects: Consumer's Personally Identifiable Information (PII). Examples: Full name, SSN, date & place of birth, drivers license
How: The “Safeguards Rule” section of the Act. ISO 27002 is often the starting point
Penalties: Enforced by multiple federal agencies. DOJ fine up to $100k per violation

FISMA
Type: Govt, US
Who Applies To: Federal agencies or any external agencies or contractors working on their behalf
Protects: Federal information and information systems
How: NIST standards (esp 800 series). Also DIST and FIPS. Little of the reg is directly applicable to IT
Penalties: Censure by Congress. Negative publicity. Reduced federal funding

External Compliance Regulations cont.

Sarbanes-Oxley
Type: Govt, US
Who Applies To: Publicly-traded company on a U.S. stock exchange
Protects: The accuracy and integrity of financial statements
How: Few IT specifics. Sections 302 and 404 (internal system controls) are interpreted to apply to IT. Law does call out “timely monitoring and response” to issues and auditing access. Many orgs use COBIT, COSO, and SAS 70
Penalties: SEC fines up to $5M per person and higher per firm. Imprisonment up to 20 years. Loss of exchange listing

NERC
Type: Industry, US / Canada
Who Applies To: All electrical utilities in the U.S. and several provinces in Canada
Protects: The electrical grid
How: Critical Infrastructure Protection (CIP) section of the standards
Penalties: NERC penalties up to $1M a day. Must submit a mitigation plan and execute it

EU Data Protection Directive / GDPR
Type: Govt, EU
Who Applies To: All organizations doing business in the EU
Protects: Consumer privacy and Personally Identifiable Information (PII)
How: Few IT specifics. GDPR replaces the EU Data Directive in ~2 yrs. Articles on data security and breach notification
Penalties: GDPR: Fines up to the greater of 4% of company’s turnover or 20M EUR

Other US regs: State Data Privacy laws (over 35 states), FERPA (student education records), OCC/OTS (banking)
Frameworks / Standards
NIST 800: Written by US govt, it is guidance on security topics to comply with FISMA. 9 steps. Also HIPAA guidance.
COBIT: Intl IT governance framework that emphasizes regulatory compliance. Written by ISACA.
ISO 27000: Intl best-practice recommendations on information security management. 12 sections.
ITIL: Intl set of concepts and best practices for IT service mgmt, dev, ops. Security based on ISO 27001.
CIS Critical Security Controls: Intl, independent list of top 20 security controls for effective cyber defense. Formerly SANS 20.
SSAE 16: U.S./AICPA guidance to auditors when assessing internal controls of a service/outsourcing organization. Type I and II.
COSO: Intl frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
HITRUST CSF: U.S. security framework for the healthcare industry. Leverages other regs/standards like HIPAA, NIST, ISO, PCI, COBIT.
Splunk Benefits vs Traditional SIEMs
Better, faster, cheaper compliance

Splunk Compliance/Security Use Cases
Splunk Can Complement OR Replace an Existing SIEM
• Logging / Ad-hoc Search / Investigations
• Compliance & Security Reporting
• Monitoring / Detection / Alerting (continuous monitoring)
Use Case 4 – Find Advanced, Hidden Threats
Sources and Example Correlation - Spearphishing

Email Server (rarely seen email domain; the user name is the recipient):
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z

Web Proxy (rarely visited web site; the user name is in the User-Agent field):
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

Endpoint Logs (rarely seen service; the user name is in the process image and key paths):
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

Time Range: all three occurring within a 24-hour period
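The correlation described above, as an added Python example (not Splunk's or the deck's code). The three events are distilled from the slide's raw logs into constructed, normalized records that keep each source's own timestamp format; the 30-day baseline counts, the sender domain, the intranet site and the second user are constructed. "NOT C" is read here as an exclusion list of users that must not trigger the rule.

```python
from datetime import datetime, timedelta
from itertools import product

# Constructed, normalised records distilled from the slide's three raw events.
EVENTS = [
    {"src": "email", "user": "john.doe", "key": "payroll-hr.example",
     "time": "2013-08-09T12:40:25.475Z", "fmt": "%Y-%m-%dT%H:%M:%S.%fZ"},
    {"src": "proxy", "user": "john.doe", "key": "www.neverbeenseenbefore.com",
     "time": "2013-08-09 16:21:38", "fmt": "%Y-%m-%d %H:%M:%S"},
    {"src": "endpoint", "user": "john.doe", "key": "neverseenbefore.exe",
     "time": "08/09/2013 16:23:51.0128", "fmt": "%m/%d/%Y %H:%M:%S.%f"},
    # second user: a rare site only, no rare mail or process, so not a threat
    {"src": "proxy", "user": "jane.roe", "key": "www.neverbeenseenbefore.com",
     "time": "2013-08-09 17:05:00", "fmt": "%Y-%m-%d %H:%M:%S"},
    # common intranet traffic for john.doe must not count as "rarely seen"
    {"src": "proxy", "user": "john.doe", "key": "intranet.example",
     "time": "2013-08-09 16:30:00", "fmt": "%Y-%m-%d %H:%M:%S"},
]

# Constructed 30-day baseline: how often each domain, site or process was seen.
BASELINE = {"payroll-hr.example": 1, "www.neverbeenseenbefore.com": 0,
            "neverseenbefore.exe": 0, "intranet.example": 5000}

REQUIRED = ("email", "proxy", "endpoint")


def is_rare(key, baseline, max_seen=2):
    """'Rarely seen' means at most max_seen prior occurrences in the baseline."""
    return baseline.get(key, 0) <= max_seen


def correlate(events, baseline, window_hours=24, exclude=()):
    """A AND B AND C within the window, NOT C for excluded users: return the
    users whose rare email, rare proxy and rare endpoint events fall inside
    one window of window_hours."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for e in events:
        if e["user"] in exclude or not is_rare(e["key"], baseline):
            continue
        t = datetime.strptime(e["time"], e["fmt"])
        by_user.setdefault(e["user"], {}).setdefault(e["src"], []).append(t)
    threats = []
    for user, srcs in by_user.items():
        if not all(s in srcs for s in REQUIRED):
            continue
        # any one combination of the three events inside the window is enough
        for combo in product(*(srcs[s] for s in REQUIRED)):
            if max(combo) - min(combo) <= window:
                threats.append(user)
                break
    return threats


if __name__ == "__main__":
    print("threats:", correlate(EVENTS, BASELINE))
```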
Splunk App for Enterprise Security
Pre-built searches, alerts, reports, dashboards, workflow, and more
• Alerts & Dashboards & Reports
• Incident Investigations & Management
• Statistical Outliers & Risk Scoring & User Activity
• Threat Intel & Asset & Identity Integration

Splunk App for PCI Compliance
Pre-built searches, alerts, reports, dashboards, workflow, and more
• Compliance Overview
• Scorecards and Reports
• Incident Review and Management
• Asset and Identity Aware

Splunk Enterprise Security (ES) Helps. Big Time.
We have a free app for CIS
PCI DSS v3.1: 12 Main Requirements
Splunk directly does #10. Measures #1-8 and #10-11
Leading Utility Complying with NERC and SOX
Splunk is the unified compliance platform
– Wanted one system for Windows, Linux, Cisco and logs
– Needed holistic view into all data
– With Splunk, easy to import obscure logs, flexible, RBAC
– Replaced multiple tools and reduced contractors needed
Used compliance controls as the driver for purchasing a consolidated logging solution and charting advanced correlation
Dignity Health Improves HIPAA Compliance
Splunk closes HIPAA compliance gaps
– Search data to instantly assess reports of ePHI leakage
– Meet HIPAA’s explicit log collection and monitoring requirements
– Complete data visibility across systems to respond to patient complaints
– Reduce level of exposure and risk of violations

“Splunk is the CHW standard for centralized event logging for HIPAA. It is a critical tool for monitoring access to information critical to our business, and most importantly to the privacy of our patients.”
Netsmart – ISO and SSAE 16
• The old way: Slow, difficult compliance process
  – Netsmart is a SaaS provider to health care organizations
  – Siloed logs, no unified view, no easy way to investigate incidents or correlate
  – ISO and SSAE 16 compliance reporting was difficult
  – Managing appropriate log access for IT staff was tedious

• The Splunk way: Fast ISO and SSAE16 compliance
  – Troubleshooting, incident detection, reporting requirements correlation, and reporting much faster
  – Use the Splunk App for Enterprise Security to automate ISO compliance
  – Comply with data retention & log review requirements

“Splunk has enabled us to be more proactive in managing our IT environment”
- Dir. Security & Compliance
Splunk Maps in Four Ways to Compliance
VERIFICATION: Ingest data from 3rd party sources, prove you are meeting this control
EXECUTION: Satisfy the control entirely with Splunk
VERIFICATION/EXECUTION: Splunk cannot execute entirely, but can do some of it; still need ingest of 3rd party data
SUPPORT: Usually policy or procedure; Splunk is a useful tool for staff
Can they help me become more “compliant”?
• There’s meaningful overlap. PCI and NERC-CIP are good examples…
  • PCI: Malware. Default passwords. Audit logs.
  • CIP: Known ports and services. Patch management. Security Event Monitoring.

CSC 1 (hardware inventory) demo notes:
• Recent scan activity is data useful for inclusion in the CMDB/asset database: software, identities, network devices, servers. Export this data to the asset/CMDB via DB Connect.
• Connect to the CMDB. Is the CMDB being updated from scans? Correlate fields found in machine data with CMDB fields.
• Put DHCP logs in Splunk, just like CSC 1 says. They have hostname, MAC, IP address… Correlate DHCP logs against the CMDB by MAC to find unauthorized devices.
• Stream data has IP, MAC and user agent from devices seen on the network. Use user agent data + IP address from Stream or the proxy to find devices/browsers surfing that are not approved.
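The DHCP-against-CMDB check from the notes above, as an added Python example (not Splunk's code, which would do this with a lookup against the DHCP events); the ISC dhcpd syslog lines and the CMDB MAC list are constructed. It also canonicalizes the three common MAC spellings, because a comparison on raw strings would miss the match and report an authorized device as unknown.

```python
import re

# Constructed ISC dhcpd syslog lines (DHCPACK = lease granted; DISCOVER is ignored).
DHCP_LOGS = [
    "Jul  1 08:01:10 dhcp1 dhcpd: DHCPACK on 10.1.2.10 to 00:11:22:33:44:55 (ws-fin-01) via eth0",
    "Jul  1 08:02:31 dhcp1 dhcpd: DHCPACK on 10.1.2.11 to 00-11-22-33-44-66 (printer-2) via eth0",
    "Jul  1 08:03:05 dhcp1 dhcpd: DHCPACK on 10.1.2.12 to AA:BB:CC:DD:EE:FF via eth0",
    "Jul  1 08:03:09 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0",
]

# Constructed CMDB export: the two authorized devices, written the way two
# different tools spell MACs (colon-separated and Cisco dotted).
CMDB_MACS = ["00:11:22:33:44:55", "0011.2233.4466"]

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9A-Fa-f:.\-]{12,17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def norm_mac(mac):
    """Canonical form: 12 lowercase hex digits, no separators."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_leases(lines):
    """Extract ip, mac and hostname from DHCPACK lines; hostname is None when absent."""
    leases = []
    for line in lines:
        m = ACK_RE.search(line)
        if m:
            leases.append({"ip": m["ip"], "mac": norm_mac(m["mac"]), "host": m["host"]})
    return leases


def unauthorized_devices(lines, cmdb_macs):
    """Leases whose MAC is not in the CMDB: the CSC 1 follow-up list."""
    known = {norm_mac(m) for m in cmdb_macs}
    return [lease for lease in parse_leases(lines) if lease["mac"] not in known]


if __name__ == "__main__":
    for lease in unauthorized_devices(DHCP_LOGS, CMDB_MACS):
        print("not in CMDB:", lease)
```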
CSC 8 (malware defense) demo notes:
• Track multiple vendors for malware defense and aggregate their information.
• Drill down into specific malware found on endpoints or servers.
• Understand when systems are not being updated with new malware signatures.
• We don’t talk about the ES reports enough… check out all of these malware reports… Here are all the clients that need attention. Check out the four different vendors on one report…
CSC 5 “Execution” Example

USB ports are a common malware threat vector. The registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
controls the USB storage driver; set it (the Start value) to “4” to disable USB storage. Have the forwarder watch this entry for changes with a WinRegMon stanza in inputs.conf:

[WinRegMon://hklm_usb]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UsbStor\\.*
proc = .*
type = set|create|delete|rename

hive and proc are regular expressions matched against the registry path and the writing process; type lists the registry operations to record.

CSC 5 “Execution” Example
…look for USB activity where there shouldn’t be. (Slide shows four numbered screenshot callouts.)
Splunk App for PCI Compliance
• Measures effectiveness and status of PCI compliance technical controls
• Meets PCI requirements around log retention/review, and continuous monitoring
• Fast ability to get to the cause of non-compliance or answer auditor data requests
• Covers up to PCI DSS v3.1 standards
• Built, tested, documented, and supported by Splunk; not a free app
Splunk FISMA App