Using Splunk to Support Continuous Monitoring of Compliance Controls
The Federal Information Security Management Act of 2002 (FISMA) and the associated NIST standards are driving all federal agencies to adopt a security risk management approach. The specific IT controls in NIST SP 800-53 have become the control catalog that federal agencies are measured against, and NIST SP 800-37 drives a risk-based approach to prioritizing the work to be performed, modeled on the principles of confidentiality, integrity and availability (CIA). The Office of Management and Budget (OMB) is charged with overseeing FISMA compliance through an audit process that assigns grades to agencies indicating their level of FISMA compliance.
FISMA compliance and the underlying NIST documentation require each agency to:
- Inventory agency information systems
- Categorize information systems
- Define minimum security controls
- Establish an on-going risk assessment process
- Develop system security plans (SSP) for each information system
- Conduct regular certification and accreditation of the systems
- Provide on-going monitoring of information systems
The goal of FISMA is to verify, through annual audit, that agencies can respond to changes in the IT architecture, both foreseen and unforeseen, in an efficient, consistent, and prioritized manner based on asset information and information risk.
The FISMA Compliance Challenge and Coming Changes
Federal agencies have come a long way since the 'D' and 'F' grades given to agencies when FISMA was passed in 2002. The 2009 OMB report indicates that all agencies continue to show performance improvements, with most agency audits in the ninetieth percentile for compliance. Yet FISMA compliance is still checklist driven, and infections continue to pop up from time to time. According to Congresswoman Diane Watson, "Congress and other government agencies are now under a cyber attack an average of 1.8 billion times a month."
FISMA will shift agencies to real-time threat monitoring of the federal IT infrastructure. Continuous monitoring has already been implemented at the Department of State, which, according to a recent Government Computer News (GCN) article, has "...significantly improved its security posture while lowering the cost..."
Splunk Provides Continuous Monitoring of FISMA Risk-Based Controls
- Splunk can monitor data streams in real time and search terabytes of historical data, continuously monitoring ASCII text arriving from any data source. Splunk can also monitor changes to files, which can indicate system 'configuration drift' against a baseline.
- Splunk's search language lets you find what you're looking for across terabytes of data and includes statistical functions that let you compute averages, look for outliers, and continuously monitor and measure your state of compliance.
- Splunk's ability to accept and store user knowledge as metadata tags means that data and system classifications can be used to drive reports and dashboards supporting metrics for KPIs relating to 800-53 Revision 3 controls.
- Splunk's lookup feature lets you pull data from an asset management database that may contain contextual information about hosts, such as security classifications, system owner information, and uptime requirements. Part or all of this information can be included in the reports and dashboards presented to users.
- Splunk scales with the deployment while supporting role-based access to dashboards and reports, with direct drill-down into the supporting data. Dashboards and visualizations update in real time, making Splunk well suited to NOC or SOC operations.
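The following search ties the capabilities listed above together: it baselines failed SSH logins per host, flags hosts whose hourly failure count is a statistical outlier, enriches the hits from an asset lookup, and maps the result to a NIST SP 800-53 control so it can feed a compliance dashboard. It is an added example written for this page, not code from Splunk or from the original text. It assumes a `linux_secure` sourcetype in an `os` index with standard sshd messages, and a lookup definition named `assets` (hypothetical, keyed on `host`) whose table carries `classification` (FIPS 199 low/moderate/high), `owner` and `uptime_req` columns; AC-7 (Unsuccessful Login Attempts) is a real SP 800-53 Rev. 3 control, and the threshold values are illustrative.

```spl
index=os sourcetype=linux_secure "Failed password" earliest=-7d
| rex "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| bin _time span=1h
| stats count AS failures dc(user) AS distinct_users dc(src_ip) AS sources BY _time host
| eventstats avg(failures) AS baseline stdev(failures) AS sd BY host
| eval zscore = if(sd > 0, round((failures - baseline) / sd, 2), 0)
| where failures >= 20 AND zscore > 3
| lookup assets host OUTPUT classification owner uptime_req
| eval classification = coalesce(classification, "unknown")
| eval priority = case(classification="high", "P1", classification="moderate", "P2", true(), "P3")
| eval control = "AC-7"
| table _time host failures baseline zscore distinct_users sources classification owner uptime_req priority control
| sort priority, - zscore
```

Run over a seven-day window, `eventstats` computes each host's own mean and standard deviation, so a jump host that always sees hundreds of failures is judged against its own history rather than a fleet-wide number; the `coalesce` keeps hosts missing from the asset inventory visible (an inventory gap is itself a FISMA finding) rather than silently dropping them on a failed lookup. Saving the search as a scheduled alert and pointing a dashboard panel at its results gives the continuous, per-control measurement the bullets above describe; the same pattern applies to the file-change events Splunk produces for configuration drift, substituting that sourcetype and counting changed paths per host instead of failed logins.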
With Splunk, agencies can operationalize FISMA compliance by continuously monitoring the security-relevant data generated across the IT architecture, with situational awareness in real time.