Secure Splunk


Description:

Raffael Marty, Chief Security Strategist, Splunk, provides an overview of Splunk's security features.


Date: Feb 23, 2008 

Permalink: http://www.splunk.com/view/SP-CAAACGU

Transcript

Secure Intro

Hi, I'm Raffy, I'm Splunk's Chief Security Strategist. I've worked here at Splunk for the last nine months, and I'm in the Product Management Group, developing applications for security and compliance. I've been in this space for, probably, the last seven years. I've dealt a lot with log management and log analysis. Today I'm going to show you a demo of Splunk's security features, and then I'm going to dive in and show you hands-on how to use some of those security features on a daily basis.

"Once you start indexing data, you'll need to keep it safe and secure. Splunk provides secure data handling, granular access controls and integration with your existing security solutions."

Secure Access and Transport

Animation_01a: Display a network diagram showing a Splunk index with servers in a corporate network sending data to that index.

"Here's a common set-up. You need to send data from servers and network devices in the DMZ through a firewall to your Splunk server in your corporate network."

"Splunk uses SSL over TCP to secure your data. All your data, from any source travels over a single port through the firewall, making it easy."

"Your browser-to-Splunk communication uses SSL over HTTP, securing all user sessions."

Role-based Access Control

"Of course, you also need the ability to control the actions users can take and what data they can access."

"Splunk's flexible roles system allows for many different classes of users - all with different configurable permissions."

"Use the pre-configured roles, or build your own. Notice that the admin can do anything, but a role I built for a security analyst only grants permission to look at security data. Our auditors can search anything, but can't configure the system."

"You can granularly control actions as well as access to specific types and sources of data. There are more than 60 access control points you can use to build your own roles and permissions."

Server-Based Access Control

"In some environments, like multi-tenant services, you may need to physically control access to data. With Splunk's data routing you can send select data to physically separate servers to control access."

Single Sign On

"I really like how Splunk can integrate with other authentication systems like my LDAP, Active Directory or other SSO solutions."

Audit trail

"Splunk logs all activities including searching, reporting and administrative actions. So it's easy to provide an audit trail and prove who's done what."

"This is a great way to ensure integrity of your system and be notified when any changes do occur."

"We'll save this search of Splunk's internal index for admin user activities. Now I'll create an alert once an hour notifying us of any new admin activities on our server."

Data Signing

"Splunk signs individual events and block signs streams of events with a PKI encrypted MD5 hash."

"The integrity of your data is obvious. Here there's an event that no longer matches the signature."

"And here you see a gap within a stream of events. The biggest challenge to the admissibility of IT data as evidence is missing records. Splunk ensures the integrity of your data unlike more primitive data signing approaches."

"With Splunk's ability to securely handle your data, safely provide access and integrate with your other security systems -- you finally have a way to tap into the tremendous information hidden in your IT data. Secure all your IT data with Splunk. And get a better night's sleep."

Secure Advanced Demo Intro

All right. So, now that we've seen a demo of Splunk's security features, let me show you a couple of ways to work hands-on with these features. The first one I want to show you is working with the audit trail. Right now, it's kind of in textual form and it's sort of hard to figure out what has happened on the system. Every now and then I like to use some reports to look at who used the system at what time and kind of get a feeling for what's going on.

The second thing I want to show you has to do with the data signing. Again, interactively you can verify whether the integrity of your IT data has been preserved, but I like to generate an alert that looks at the integrity and whenever something goes wrong actually sends me an email of something failing in the system.

So, let's dive in and look how we can do that.

Secure Adv PT1

I want to look at how you can work with the audit records in the system from a reporting standpoint and not just as raw events. So I'm just going to get all the original audit records back, and you see here, this looks pretty complicated. But one of the things I usually want to do is just see which users logged into the system. I can use the filter drop-down here and I can just click on "report on this field," and I'll basically get a simple report. If I change this to a column graph, it shows me who the top users on the system were.

Right now I'm looking over the last 60 minutes. I see Josh did a lot of work here, followed by Raffy, and then the Zen guest. This is one way to look at the top users. I can also switch this over to, say, count over time, and I want to change this to a line graph to make what happened a little more visible.

And I see, again, over the last 60 minutes all the activity. And if I actually go and split this by the user, you will see multiple lines now for different users executing searches or activities on the system here. And if I change this to the last seven days, for example, you will see the activity over the last seven days for all of these users and what time they were active, and you can start auditing things like: was anyone active at midnight, or at strange times during the day, or what was happening.

What you see here right now is per day you see an activity line, and you see that before June 2nd nothing happened because the system was not running. I want to get just a little more granular and I'm going to say in the search language here, "Span=1 hour."

What this does is it gets the granularity down, and what you see now is based on the hour how much activity did I have, and I see there was a lot of activity here at 1:00 on the 3rd of June, by the guest user. This might have been a little bit strange because I had three and a half thousand things that were executed. I can now go in and from this graph investigate what really happened.
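The hourly, per-user activity report from the walkthrough above, as an added example that is not code from the video or from Splunk: it parses a few constructed audit-style lines (the timestamp/user/action field names and the MM-DD-YYYY timestamp layout are assumptions), buckets search activity per hour and user the way the "count over time, split by user, span=1 hour" view does, and flags hours over a threshold, which is the kind of spike the guest user produced.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, loosely modelled on Splunk audit events; the field names
# (timestamp, user, action) and the MM-DD-YYYY timestamp layout are assumptions.
SAMPLE_AUDIT = """\
Audit:[timestamp=06-03-2008 12:58:01.000, user=josh, action=search, info=granted]
Audit:[timestamp=06-03-2008 13:02:10.000, user=guest, action=search, info=granted]
Audit:[timestamp=06-03-2008 13:02:11.000, user=guest, action=search, info=granted]
Audit:[timestamp=06-03-2008 13:03:40.000, user=guest, action=search, info=granted]
Audit:[timestamp=06-03-2008 13:10:00.000, user=raffy, action=search, info=granted]
Audit:[timestamp=06-03-2008 14:15:00.000, user=guest, action=search, info=granted]
some unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"timestamp=(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+), "
    r"user=(?P<user>\w+), action=(?P<action>\w+)"
)

def parse_events(text):
    """Yield (datetime, user, action) for each matching line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("action")

def hourly_counts(events, action="search"):
    """Count events per (hour bucket, user): the 'count over time, split by user,
    span=1 hour' view from the demo, computed outside Splunk."""
    counts = Counter()
    for ts, user, act in events:
        if act == action:
            counts[(ts.strftime("%Y-%m-%d %H:00"), user)] += 1
    return counts

def spikes(counts, threshold):
    """Return (hour, user, count) for buckets above threshold, largest first;
    these are the hours to investigate, like the guest user's 3,500-search hour."""
    hits = [(h, u, c) for (h, u), c in counts.items() if c > threshold]
    return sorted(hits, key=lambda x: -x[2])

if __name__ == "__main__":
    for hour, user, n in spikes(hourly_counts(parse_events(SAMPLE_AUDIT)), threshold=2):
        print(f"{hour}  {user:<6} {n} searches")
```

Pick the threshold from a baseline of normal hourly volume per role; a fixed number like the 2 used here is only for the sample data.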

Secure Conclusion

Now that you've seen how Splunk secures your IT data, go download it, and make sure you stay secure.