Risk Analysis With Enterprise Security 3.1

    The Risk Analysis Framework was introduced as a new feature in Splunk App for Enterprise Security 3.1. It provides a risk scoring system for assigning varying levels of risk to a wide range of assets and identities.

    In the context of the Risk Analysis Framework, assets, identities, and anything else you might consider assigning a risk score to are referred to as Risk Objects. Risk Objects are categorized under different Risk Object Types. For example, if ‘brians_laptop’ were our Risk Object, it would be categorized under the ‘system’ Risk Object Type. Out of the box, Enterprise Security 3.1 comes configured with 3 different risk object types: ‘system’ for assigning risk …

Updated Keyword App

Last year I created a simple app called Keyword that consists of a series of form search dashboards that run Splunk searches in the background without requiring you to know the Splunk search language. You can read about the original app here and see how easy it is to use. This year, I added some dashboards for the Rare command, but I didn’t think it was newsworthy enough to blog about.

Then Joe Welsh wrote a blog entry about using the cluster command in Splunk, which lets you find anomalies using a log reduction approach. Joe’s example using Nagios is easy to follow and gives the novice a useful way to surface rare events. So, using this approach, I …

Deploying Splunk Securely with Ansible Config Management – Part 1

Intro

More often than not I have seen corporations struggle with config management, and it is key to a concise mitigation and remediation plan. Among the many Splunk customers I work with, the corporations that do implement a config management system usually each have a different tactic for managing Splunk in a secure fashion. This series of blog posts will hopefully walk you through everything from a simple Ansible deployment to the most complex use cases I have seen. I will first cover how Ansible can be leveraged to manage a simple Splunk deployment on your own hosts. In Part 2 we will cover how this can be done at larger scale with EC2 …

Splunk Named a Leader in Gartner Magic Quadrant for SIEM…again!

This week Splunk was named a leader in Gartner’s 2014 Magic Quadrant for Security Information and Event Management (SIEM) for the second year in a row. For the MQ, Gartner evaluated Splunk® Enterprise and the Splunk App for Enterprise Security and also spoke to multiple Splunk customers as part of the process. To read the Gartner report, please register here.

We are very proud of this award, as it reflects the success that you, the security and compliance customers of Splunk, have had with our product. We now have thousands of security and compliance customers across the world using Splunk for a wide range of use cases including log management, incident investigations, forensics, real-time correlations and alerting, advanced …

Splunk and the latest OpenSSL vulnerabilities

Hi Splunk users,

Last Monday, we became aware of a new set of vulnerabilities announced in OpenSSL. We have reviewed the issues, and have determined that we must update the version of OpenSSL we currently ship to address these issues.

Note: Not all the listed issues are of concern for Splunk. For example, we do not use DTLS. However, “SSL/TLS MITM vulnerability (CVE-2014-0224)” is relevant to Splunk and should be addressed.

7/1/14: Update

We have now posted the following releases containing the fixed version of OpenSSL:

  • 5.0.9 - This release contains only the OpenSSL update.
  • 6.0.5 - This release contains a number of fixes including the OpenSSL update.
  • 6.1.2 - This release contains one fix in addition to the OpenSSL update.

Generating Elliptical Curve Certs for Splunk

Intro

Very often we get questions about generating stronger certs/keys for Splunk, specifically from users who run a vulnerability scanner against their Splunk instance. By default, Splunk ships with a 1024-bit RSA cert, and it is the same certificate authority cert across all Splunk binaries. In the securing Splunk documentation, Splunk recommends that customers use their own CA and cert/key pair. It is good practice to have certs signed by your own CA.

I recommend an EC (Elliptic Curve) key pair. For more about EC have a look here. Here are a few pros and cons of using EC certs:

Pros

  • Perfect Forward Secrecy (PFS) support
  • Shorter keys that are as strong as an RSA key but are easier on the

Splunk for Healthcare – Splunk attains 2014 ONC-HIT Certification

In my tenure as Healthcare Domain Expert at Splunk, I have seen many Healthcare customers using Splunk for EHR and HIPAA audit reporting. New regulations require you to use Certified technology or “field certify” your solution. So, Splunk felt that the best way to serve our Healthcare Provider customers was to get Splunk software certified.

The specific module certification is 170.314 (d)(3) Audit Reporting. This is the same certification that other industry solutions have, like FairWarning, IATRIC Security Manager, and P2Sentinel.

What does this mean to you? Healthcare providers can now use the leading technology platform for machine data, log management and operational intelligence without having to get “field certification”. Our customers have found Splunk to be a fraction of …

Cisco Security Suite 3.0.3 now includes Cisco Sourcefire

The Cisco Security Suite app continues to be updated for Splunk 6.x. The latest addition is support for Cisco Sourcefire. Information from your eStreamer server (e.g. Defense Center) is visualized, including:

  • Intrusion events
  • Sensor information
  • Policy information
  • Hosts
  • Flow summaries
  • File / Malware events
  • Correlation events

So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)
  • Cisco Sourcefire

Also, with each release, we incorporate more feedback about documentation. Documentation can be found within the Cisco Security Suite app itself and on the Documentation tab on http://apps.splunk.com/app/525/.

Be sure to check out Splunk Answers as well for community …

Announcing the Splunk Add-on for Check Point OPSEC LEA 2.1.0

Check Point administrators, rejoice: the Splunk Add-on for OPSEC LEA 2.1.0 has been released! The free update provides useful improvements to almost every aspect of the add-on.

User Interface

The old OPSEC interface has been completely overhauled and streamlined. The interface is no longer stuck in the past and should look right at home on your Splunk 6 search heads.

The manage connections page now offers a much more powerful overview of your Check Point connections. As you can see on the screenshot, every connection has a set of metrics available. These differ based upon the connection type. An audit connection displays the timestamp of the last event collected. A normal connection displays throughput over the last 24 hours …

Final status: Splunk and the Heartbleed vulnerability

Dear Splunk users,

We’re expecting this to be our final blog post about how we’re handling the Heartbleed OpenSSL vulnerability (CVE-2014-0160). For background, here are the previous installments from us:

http://blogs.splunk.com/2014/04/09/splunk-and-the-heartbleed-ssl-vulnerability/
http://blogs.splunk.com/2014/04/10/fix-now-available-splunk-and-the-heartbleed-vulnerability/

What’s been done, products and services

We’ve updated and secured our products and services as follows:
