Both Chris Mishaga, Senior Security Engineer for L-3 Communications, and Sean Wilkerson, Senior Security Engineer for Aplura, have implemented countless SIEMs, SIMs and SEMs for large federal agencies. But when they started using Splunk to meet the log centralization component of FISMA compliance, they thought maybe there was a way to bring Splunk into the security fold as well.
Why? Federal agencies typically face three challenges when dealing with traditional SIEMs or log collection tools.
1) Most rely on a database backend, which means they can only ingest a limited set of data formats out of the box and then custom parsers need to be written each time they import a new data source.
2) There’s a limit to how much data these systems can typically handle. Some can’t store more than 7 days’ worth of data at a time. That’s fine for organizations with a 24-hour SOC looking for known security issues. Not so great for uncovering what you don’t know, or for long-term trend analysis. And there’s also the compliance component, which may require you to report on events from months or years ago.
3) They are slow to search all of this data, and generating reports can take hours. Add to this the sheer cost of these approaches (the product cost, but also implementation costs, specialized personnel costs, appliance and storage costs, ongoing consulting and maintenance as data formats and environments change, not to mention the 3- to 6-month period it takes to get the systems up and running) and they become prohibitively expensive.
And then there’s Splunk. Both Chris and Sean found Splunk to be flexible, cost-effective and easy to use, and in both cases people were already using the free version of the product, so there wasn’t a steep learning curve or much of an internal selling process to get people to use Splunk.
Chris and Sean built searches and alerts in Splunk to specifically emulate SIM functionality for their respective environments. Using Splunk Alerts, they knew when problems occurred and could drill down quickly to solve them.
“Splunk is the way forward,” said Chris. “It helps you find the needle in a haystack.”
They built dashboards specifically for FISMA compliance and NIST 800-53 control monitoring, and to monitor firewall reports for top sources, top protocols and combinations of sources and destinations. Threshold-based triggers give them a full view of their security posture. Further, Chris was able to correlate firewall, IDS and host events to assess vulnerabilities and gain situational awareness.
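To make the "top sources", threshold-trigger and cross-source correlation ideas above concrete, here is an added example in plain Python. It is not code from the post or from either engineer's Splunk deployment; it emulates what a scheduled Splunk search doing `stats count by src | where count >= N` would compute, so the logic is visible without a Splunk instance. All log lines, field names and the severity ladder are constructed for the example.

```python
"""Threshold triggers and firewall/IDS/host correlation over constructed log lines.

Added example (not from the post). Counts blocked firewall connections per
source, fires when a per-source threshold is reached, and raises the priority
when the same source also shows up in IDS alerts and host authentication
failures. Log formats are simplified and constructed, not any vendor's syntax.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events (timestamps, addresses and signatures are made up).
FIREWALL_LOG = """\
2009-03-30T10:00:01 action=blocked src=10.1.1.5 dst=192.0.2.10 dport=22 proto=tcp
2009-03-30T10:00:02 action=blocked src=10.1.1.5 dst=192.0.2.10 dport=23 proto=tcp
2009-03-30T10:00:03 action=blocked src=10.1.1.5 dst=192.0.2.11 dport=445 proto=tcp
2009-03-30T10:00:04 action=allowed src=10.1.1.7 dst=192.0.2.10 dport=443 proto=tcp
2009-03-30T10:00:05 action=blocked src=10.1.1.7 dst=192.0.2.10 dport=80 proto=tcp
2009-03-30T10:00:06 action=blocked src=10.1.1.9 dst=192.0.2.12 dport=53 proto=udp
2009-03-30T10:00:07 action=blocked src=10.1.1.9 dst=192.0.2.12 dport=53 proto=udp
2009-03-30T10:00:08 action=blocked src=10.1.1.9 dst=192.0.2.13 dport=53 proto=udp
"""

IDS_LOG = """\
2009-03-30T10:00:02 sig="SCAN Potential SSH Scan" src=10.1.1.5 dst=192.0.2.10 priority=2
2009-03-30T10:00:09 sig="POLICY DNS Query" src=10.1.1.9 dst=192.0.2.12 priority=3
"""

HOST_LOG = """\
2009-03-30T10:00:03 host=web01 sshd: Failed password for invalid user admin from 10.1.1.5 port 51022 ssh2
2009-03-30T10:00:10 host=web01 sshd: Accepted password for deploy from 10.1.1.7 port 51030 ssh2
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAILED_RE = re.compile(r"Failed password for .* from (\S+) port")


def parse_kv(line):
    """Extract key=value pairs (quoted values allowed) from one log line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def blocked_events(fw_log):
    """Only the firewall events the dashboards care about: action=blocked."""
    return [e for e in map(parse_kv, fw_log.splitlines()) if e.get("action") == "blocked"]


def top_sources(fw_log, limit=10):
    """Equivalent of a 'top src' report over blocked connections."""
    return Counter(e["src"] for e in blocked_events(fw_log)).most_common(limit)


def top_protocols(fw_log, limit=10):
    return Counter(e["proto"] for e in blocked_events(fw_log)).most_common(limit)


def top_pairs(fw_log, limit=10):
    """Source/destination combinations, the 'stats count by src, dst' view."""
    return Counter((e["src"], e["dst"]) for e in blocked_events(fw_log)).most_common(limit)


def threshold_trigger(fw_log, threshold):
    """Sources whose blocked-connection count reaches the threshold (the alert condition)."""
    counts = Counter(e["src"] for e in blocked_events(fw_log))
    return sorted(src for src, n in counts.items() if n >= threshold)


def correlate(fw_log, ids_log, host_log, threshold=3):
    """Join the three sources on the source address and rank each one.

    Severity ladder (constructed for the example): all three data sources agree
    -> high, two -> medium, otherwise low.
    """
    per_src = defaultdict(lambda: {"fw_blocks": 0, "ids_alerts": 0, "host_auth_fail": 0})
    for e in blocked_events(fw_log):
        per_src[e["src"]]["fw_blocks"] += 1
    for e in map(parse_kv, ids_log.splitlines()):
        if "src" in e:
            per_src[e["src"]]["ids_alerts"] += 1
    for line in host_log.splitlines():
        m = FAILED_RE.search(line)  # only failed logins count; accepted ones do not
        if m:
            per_src[m.group(1)]["host_auth_fail"] += 1
    for c in per_src.values():
        hits = (c["fw_blocks"] >= threshold) + (c["ids_alerts"] > 0) + (c["host_auth_fail"] > 0)
        c["severity"] = {3: "high", 2: "medium"}.get(hits, "low")
    return dict(per_src)


if __name__ == "__main__":
    print("top sources:", top_sources(FIREWALL_LOG))
    print("top protocols:", top_protocols(FIREWALL_LOG))
    print("triggered (>=3 blocks):", threshold_trigger(FIREWALL_LOG, 3))
    for src, c in sorted(correlate(FIREWALL_LOG, IDS_LOG, HOST_LOG).items()):
        print(src, c)
```

The point of `correlate` is the one the post makes: a firewall threshold alone fires on 10.1.1.9 as loudly as on 10.1.1.5, but only 10.1.1.5 also appears in the IDS alerts and in a failed host login, so it is the one ranked high. In Splunk the same join is a single search across the three indexes with `stats ... by src` followed by a `where` clause on the combined counts.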
“Splunk automates much of what you would do manually with a SIEM. It does in seconds what used to take hours.”
But I’m sure you’d rather hear Sean and Chris speak about their experiences versus my interpretation—and next week you’ve got your chance.
Check them out at the SANS Log Management Summit. Chris will be speaking on Innovative Uses of Log Management for Compliance on Monday, April 6 at 3:00 pm, and Sean will be speaking Tuesday, April 7 at 11:10 am on Log Management: Beyond Compliance. Plus, Splunker John Topp will be there for a Lunch and Learn on Monday at 12:15 pm and the Vendor Shootout at 4 pm on Tuesday. Be sure to drop by to ask questions. Haven’t registered for the Summit yet? Here’s a little incentive: use the discount code Splunk10 to get 10% off the cost of registration.
Can’t make it to the Log Summit? Sean recently spoke on Log Centralization for Security at the Columbia Area Linux Users Group. You can download his presentation here, read a peer review here, or you can catch his video to learn more about his experiences implementing SIEMs and implementing Splunk.