Copyright © 2013 Splunk Inc.
Marquis Montgomery, CISSP, SSCP, GSEC Senior Security Architect, CedarCrestone #splunkconf
Patching, Alerting, BYOD and More: Managing Security in the Enterprise with Splunk Enterprise
Meet CedarCrestone, Inc.
! Founded in 1981; based in Atlanta, Georgia
! ERP Consulting & Managed Services Provider
  – Specialists in
    • Oracle Applications Consulting
    • Strategy and Analytics Services
    • Hosted & Remote Managed Services
    • Implementation & Technical Solutions with a focus on EBS, PeopleSoft, Business Intelligence, Workday
  – By the numbers
    • Host 700 different PeopleSoft environments / multiple versions
    • Hosting over 700 Oracle database instances
    • 1500+ servers / network devices
    • 53 hosted customers
Industry-focused consulting, technical, and managed services for the deployment, management, and optimization of applications and technology
Meet Marquis
! Senior Security Architect and Interim Manager, Managed Services Security
! 8 years coding experience
! Primary responsibilities include
  – Engineering enterprise technical security controls
  – Chief Splunker
  – Automation / Web App Development (Ruby on Rails)
  – Incident Response Lead
Agenda
! Life before Splunk
! BYOD and the Patching Problem
! Integrating Splunk Enterprise with the CMDB
! Firewall and IDP IP Address Identification
! Key Takeaways
! Q&A
Life Before Splunk
Life Before Splunk
! Previously had a traditional SIEM
  – Many bugs, lost a lot of logs
  – Other issues were:
    – Getting the right data out (retrieval) was painful
    – Example: SIEM provided canned reports
      • Data points, but no “context”: last hour 50 failed logins, “Yes, but??”
      • Canned reports don’t answer the questions: “So what?”, “Is this bad or good?”, “Who’s doing this?”, “Why is this happening?”, “How does this compare to ‘X’ months ago?”
! No way to collect PeopleSoft log data while supporting multiple versions
! Significant product bugs and QA issues
Life Before Splunk
Splunk Enterprise solved all of these issues for us, and brought along some compelling new ways to work with our data…
BYOD and the Patching Problem
BYOD and the Patching Problem
! CedarCrestone has always been a “Bring Your Own Device” environment (20+ years, and counting)
! CedarCrestone is entrusted with sensitive information in many business applications and databases owned by its clients
! One major tenet of good information security is proper OS and application patching (SANS Top 20 Controls)
! How do we ensure employee-owned machines are properly patched, even when they are at home or on a client site?
BYOD and the Patching Problem
! A brief explanation of Secunia PSI (www.secunia.com)
! A brief explanation of Secunia CSI (www.secunia.com)
! Custom Development (Ruby and Rails)
! Splunk DB Connect
BYOD and the Patching Problem
! We had to get creative with Secunia PSI, some custom development, and Splunk Enterprise to solve this problem
BYOD and the Patching Problem
Metric                    Risk                 What we look for
% Employees Patched       Unpatched Machines   Secunia Score
% Employees Encrypted     Data Loss            OS Settings
% Employees With AV       Malicious Code       Installed Programs
% Employees Without DLP   Data Loss            Installed Programs

! Reported to business units and executives monthly
Let’s Explore some Data
DEMO
Integrating Splunk with the CMDB
Integrating Splunk With the CMDB
! Most enterprises have a CMDB or an asset management database to help organize IT assets like servers, applications and network devices
! The CedarCrestone security team referenced this type of information regularly when investigating events in Splunk
! Wouldn’t it be nice if Splunk Enterprise showed us all the relevant info from asset management and the CMDB automatically?
How to – Integrating With the CMDB
! Use Splunk DB Connect to explore your CMDB/Asset Database and develop SQL that returns the info you care about
! Create a saved search that runs on an interval, and pipe the results of your DB Connect search to the outputlookup command to generate a constantly updated lookup table
! Create an automatic lookup that runs your lookup table against the data you are exploring, and enjoy details from the CMDB as fields in your search if they exist
Let’s Explore some Data
DEMO
Firewall and IDP IP Address Identification
Firewall and IDP IP Address Identification
! Problem: When exploring firewall and IDP data in Splunk, you have to deal with identifying a mountain of IP addresses on your own
! Solution: Use Splunk DB Connect and lookup tables to generate your own up-to-date list of IP addresses and descriptions
! Enjoy having your Splunk events automatically tagged with fields from your asset database as you investigate, correlate, and explore your data
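The three CMDB steps from the previous slide and the IP-address variant on this one are the same pattern: a scheduled search that rebuilds a lookup table from DB Connect, then an automatic lookup that joins it onto events. The configuration below is an added example, not from the talk or from CedarCrestone; it assumes a DB Connect connection named cmdb, an assets table with hostname, ip_address, owner, environment and status columns, sourcetypes syslog and fw (with src_ip and dest_ip fields), and the DB Connect 3.x dbxquery command (DB Connect 1.x, current in 2013, used dbquery).

```ini
# savedsearches.conf: steps 1 and 2. A scheduled search pulls the rows
# you care about out of the CMDB through DB Connect and rewrites the
# lookup table every hour. The connection "cmdb", the table "assets"
# and its columns are assumed for this example.
[Refresh CMDB asset lookup]
enableSched = 1
cron_schedule = 0 * * * *
search = | dbxquery connection="cmdb" \
            query="SELECT hostname, ip_address, owner, environment FROM assets WHERE status = 'active'" \
        | rename hostname AS host, ip_address AS ip \
        | table host ip owner environment \
        | outputlookup cmdb_assets.csv

# transforms.conf: one lookup definition over the generated file; it is
# reused below with different key fields.
[cmdb_assets]
filename = cmdb_assets.csv

# props.conf: step 3, automatic lookups. Server events are matched on
# host; firewall/IDP events (assumed sourcetype "fw") are matched on the
# source and destination IP. OUTPUTNEW never overwrites a field the event
# already carries, and the AS renames keep the CMDB host name separate
# from Splunk's own host field.
[syslog]
LOOKUP-cmdb_host = cmdb_assets host OUTPUTNEW owner environment

[fw]
LOOKUP-cmdb_src  = cmdb_assets ip AS src_ip  OUTPUTNEW host AS src_host  owner AS src_owner  environment AS src_env
LOOKUP-cmdb_dest = cmdb_assets ip AS dest_ip OUTPUTNEW host AS dest_host owner AS dest_owner environment AS dest_env
```

Check the table after the first scheduled run with "| inputlookup cmdb_assets.csv | head 5", then confirm the join with "sourcetype=fw src_owner=*". Firewall events whose IP never matches the lookup are worth reviewing on their own, since they come from devices the CMDB does not know about.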
Let’s Explore some Data
DEMO
Key Takeaways
Key Takeaways
! Splunk Enterprise ships with many useful and interesting ways to explore, correlate, analyze and report on your data
! Take advantage of some of the useful search knowledge tools like DB Connect and lookup tables to enhance the convenience of exploring data in Splunk
! Think outside of the box and get creative – Splunk Enterprise has the power and flexibility to allow you to do what you need to
What’s Next
! Validation of PC encryption settings (custom agent reporting to Splunk)
! Merging asset, patching, and vulnerability management systems for trend analysis and outliers
! Tracking user acceptance of our custom “Security Portal”
Marquis Montgomery, CISSP, SSCP, GSEC – Senior Security Architect, CedarCrestone – [email protected] – @trademarq
Thank You!