Deploying Splunk Securely with Ansible Config Management – Part 1

Intro

More often than not I have seen corporations struggle with config management, and it is key to a concise mitigation and remediation plan. Among the variety of Splunk customers I interface with, the corporations that do implement a config management system usually take a different approach to managing Splunk while doing it in a secure fashion. This series of blog posts will walk you through everything from a simple deployment of Ansible all the way to the most complex use cases I have seen. I will first be covering how Ansible can be leveraged to manage a simple Splunk deployment on your own hosts. In Part 2 we will cover how this can be done at a larger scale with EC2 …


Splunk Named a Leader in Gartner Magic Quadrant for SIEM…again!

This week Splunk was named a leader in Gartner’s 2014 Magic Quadrant for Security Information and Event Management (SIEM) for the second year in a row. For the MQ, Gartner evaluated Splunk® Enterprise and the Splunk App for Enterprise Security and also spoke to multiple Splunk customers as part of the process. To read the Gartner report, please register here.

We are very proud of this award, as it reflects the success that you, the security and compliance customers of Splunk, have had with our product. We now have thousands of security and compliance customers across the world using Splunk for a wide range of use cases including log management, incident investigations, forensics, real-time correlations and alerting, advanced …


Splunk and the latest OpenSSL vulnerabilities

Hi Splunk users,

Last Monday, we became aware of a new set of vulnerabilities announced in OpenSSL. We have reviewed the issues, and have determined that we must update the version of OpenSSL we currently ship to address these issues.

Note: Not all the listed issues are of concern for Splunk. For example, we do not use DTLS. However, “SSL/TLS MITM vulnerability (CVE-2014-0224)” is relevant to Splunk and should be addressed.

7/1/14: Update

We have now posted the following releases containing the fixed version of OpenSSL:

  • 5.0.9 - This release contains only the OpenSSL update.
  • 6.0.5 - This release contains a number of fixes including the OpenSSL update.
  • 6.1.2 - This release contains one fix in addition to the OpenSSL update.

Generating Elliptical Curve Certs for Splunk

Intro

Very often we get questions about generating stronger certs/keys for Splunk, specifically from users who run a vulnerability scanner against their Splunk instance. By default, Splunk ships with a 1024-bit RSA cert, and this is the same certificate authority cert across all Splunk binaries. Splunk recommends that customers use their own CA and cert/key pair in the Securing Splunk documentation. It is good practice to have your certs signed by your own CA.

I recommend an EC (Elliptic Curve) key pair. For more about EC, have a look here. Here are a few pros and cons of using EC certs:

Pros

  • Perfect Forward Secrecy (PFS) support
  • Shorter keys which are as strong as an RSA key but are easier on the

Splunk for Healthcare – Splunk attains 2014 ONC-HIT Certification


In my tenure as Healthcare Domain Expert at Splunk, I have seen many Healthcare customers using Splunk for EHR and HIPAA audit reporting. New regulations require you to use Certified technology or “field certify” your solution. So, Splunk felt that the best way to serve our Healthcare Provider customers was to get Splunk software certified.

The specific module certification is 170.314 (d)(3) Audit Reporting. This is the same certification that other industry solutions have, like FairWarning, IATRIC Security Manager, and P2Sentinel.

What does this mean to you? Healthcare providers can now use the leading technology platform for machine data, log management and operational intelligence without having to get “field certification”. Our customers have found Splunk to be a fraction of …


Cisco Security Suite 3.0.3 now includes Cisco Sourcefire

The Cisco Security Suite app continues to get updated for Splunk 6.x. The latest addition is support for Cisco Sourcefire. Information from your eStreamer server (e.g. Defense Center) is visualized, including:

  • Intrusion events
  • Sensor information
  • Policy information
  • Hosts
  • Flow summaries
  • File / Malware events
  • Correlation events

So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)
  • Cisco Sourcefire

Also, with each release, we incorporate more feedback about documentation. Documentation can be found within the Cisco Security Suite app itself and on the Documentation tab at http://apps.splunk.com/app/525/.

Be sure to check out Splunk Answers as well for community …


Announcing the Splunk Add-on for Check Point OPSEC LEA 2.1.0

Check Point administrators, rejoice: the Splunk Add-on for OPSEC LEA 2.1.0 has been released! The free update provides useful improvements to almost every aspect of the add-on.

User Interface

The old OPSEC interface has been completely overhauled and streamlined. The interface is no longer stuck in the past and should look right at home on your Splunk 6 search heads.

[Screenshot: manage connections page]

The manage connections page now offers a much more powerful overview of your Check Point connections. As you can see in the screenshot, every connection has a set of metrics available. These differ based upon the connection type. An audit connection displays the timestamp of the last event collected. A normal connection displays throughput over the last 24 hours …


Final status: Splunk and the Heartbleed vulnerability

Dear Splunk users,

We’re expecting this to be our final blog post about how we’re handling the Heartbleed OpenSSL vulnerability (CVE-2014-0160). For background, here are the previous installments from us:

http://blogs.splunk.com/2014/04/09/splunk-and-the-heartbleed-ssl-vulnerability/
http://blogs.splunk.com/2014/04/10/fix-now-available-splunk-and-the-heartbleed-vulnerability/

What’s been done, products and services

We’ve updated and secured our products and services as follows:


Cisco Security Suite 3.0.2 now includes Cisco IronPort Email Security Appliance (ESA) Data

The Cisco Security Suite app continues to get updated for Splunk 6.x. The latest addition is support for the Cisco IronPort Email Security Appliance (ESA). A new add-on has been published that provides Common Information Model-compliant field extractions and tags for data from Cisco ESA. So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)

Also, with each release, we incorporate more feedback about documentation. So, in addition to the documentation found within the Cisco Security Suite app itself, a subset of “getting started” documentation has been published under the Documentation tab at http://apps.splunk.com/app/525/.

Stay tuned, there …


Fix now available: Splunk and the Heartbleed vulnerability

Dear Splunk users,

This is an update to yesterday’s post on our handling of the OpenSSL Heartbleed vulnerability. Thank you again for your patience and understanding as we spent the necessary time to prepare and test our fix for this important issue. As I mentioned yesterday, we are working hard to balance getting the fix out to you as quickly as possible while still spending sufficient time testing it to ensure a high-quality delivery.

Take me to the fix!

As of now, Splunk Enterprise 6.0.3 is available for download. This includes universal forwarder builds.

This release contains two fixes for vulnerabilities in OpenSSL:

  • CVE-2014-0160 – OpenSSL 1.0.1 TLS Heartbeat leaks sensitive information (also known as the “Heartbleed”