Deploying Splunk Securely with Ansible Config Management – Part 1

Intro

More often than not, I have seen corporations struggle with config management, yet it is key to a concise mitigation and remediation plan. Interfacing with a variety of Splunk customers, the corporations that do implement a config management system usually have different tactics for managing Splunk while doing it in a secure fashion. This series of blog posts will hopefully walk you through everything from a simple deployment of Ansible all the way to the most complex use cases I have seen. I will first cover how Ansible can be leveraged to manage a simple Splunk deployment on your own hosts. In Part 2 we will cover how this can be done at a larger scale with EC2 …


Generating Elliptic Curve Certs for Splunk

Intro

Very often we get questions about generating stronger certs/keys for Splunk, specifically from users who run a vulnerability scanner against their Splunk instance. By default, Splunk ships with a 1024-bit RSA cert, and the same certificate authority cert is used across all Splunk binaries. Splunk recommends that customers use their own CA and cert/key pair, as described in the securing Splunk documentation. It is good practice to sign certs with your own CA.

I recommend an EC (Elliptic Curve) key pair. For more about EC have a look here. Here are a few pros and cons of using EC certs:

Pros

  • Perfect Forward Secrecy (PFS) support
  • Shorter keys which are as strong as an RSA key but are easier on the

Sharing the Splunk Cloud Love

Exhibit A

Exhibit B

Tough to beat a reference like that!

However, I’m pleased to say that for Splunk Cloud…we just came pretty close. :-)

First, this blog post by Cesar-Lopez Nataren of Mindtouch, titled “Mindtouch’s Path to Splunk Cloud Enlightenment.” Some nuggets:

  • “The user interface for tweaking the dashboards was so phenomenally

Cisco Security Suite 3.0.3 now includes Cisco Sourcefire

The Cisco Security Suite app continues to get updated for Splunk 6.x. The latest addition is support for Cisco Sourcefire. Information from your eStreamer server (e.g. Defense Center) is visualized, including:

  • Intrusion events
  • Sensor information
  • Policy information
  • Hosts
  • Flow summaries
  • File / Malware events
  • Correlation events

So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)
  • Cisco Sourcefire

Also, with each release, we incorporate more feedback about documentation. Documentation can be found within the Cisco Security Suite app itself and on the Documentation tab at http://apps.splunk.com/app/525/.

Be sure to check out Splunk Answers as well for community …


Cisco Security Suite 3.0.2 now includes Cisco IronPort Email Security Appliance (ESA) Data

The Cisco Security Suite app continues to get updated for Splunk 6.x. The latest addition is support for the Cisco IronPort Email Security Appliance (ESA). A new add-on has been published that provides Common Information Model compliant field extractions and tags for data from Cisco ESA. So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)

Also, with each release, we incorporate more feedback about documentation. So, in addition to the documentation found within the Cisco Security Suite app itself, a subset of “getting started” documentation has been published under the Documentation tab at http://apps.splunk.com/app/525/.

Stay tuned, there …


Cisco Security Suite 3.0.1 – Now with ISE

The Cisco Security Suite was recently updated to work with Splunk 6. As mentioned in the previous release, one release is not enough to get all the Cisco security related information integrated into the suite. With version 3.0.1 of the Cisco Security Suite, Cisco Identity Services Engine (ISE) has been added. Over 20 ISE-related dashboards have been integrated into the suite.

Cisco with ISE

ISE is really powerful and adds a lot of additional data that can be correlated. For instance, say you have an IP address from somewhere in your environment. ISE can tell you which user is using that IP, what type of device the user is using, the posture of the device, and much more. Therefore, in …


Introducing the Cisco Security Suite for Splunk 6

I know. I normally blog about Microsoft stuff. Recently, however, I’ve been helping out on another project: updating the Cisco Security Suite to be compatible with Splunk 6. The Cisco Security Suite is the most downloaded app on Splunkbase behind the *Nix and Windows apps, and it exposes Cisco-specific information about your Cisco security devices.

We had many aims for this project, aside from just upgrading everything to work with Splunk 6. We wanted it to use the Technology Add-ons that you may already have from a deployment of Enterprise Security. If you were considering an upgrade to Enterprise Security in the future (and you should; it’s awesome), then we wanted the data you have already …


Splunk and The Top 10 CIO Priorities for State and Local Government

On November 5, 2013, the National Association of State Chief Information Officers (NASCIO) released a member service document representing the top 10 state CIO priorities for 2014. The list presents no surprises as state CIOs try to do more with less: extracting the most value out of every dollar, providing constituent services, protecting customer data and preventing data breaches. The list is almost a mirror image of the benefits our customers are seeing with Splunk. I won’t go through the whole list, but let’s look at the top three.

Security is the number one priority for state CIOs in 2014:

“Security: risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security


SplunkLive Experience

As a CIO in a high tech company, it’s always great to get the chance to either speak on behalf of the company or hear from customers who are excited about your products. Last week I had both experiences at SplunkLive Orlando. Best was to hear three customers: Satcom Direct, Century Link, and PSCU. Between these, we had a database architect, a security architect and a VP Technology & Development all share how much of a difference Splunk had made in solving problems they could not have addressed in the past.

Favorite quotes: David from PSCU noted that for security use cases they were able to laser focus on what interested them and eliminate background noise. Khalid from Century Link noted …


Tuning Enterprise Security correlation searches

Here’s a nifty ES tuning tip that you might enjoy. We’ll be using some handy macros that are documented at Working_with_Notable_Events_from_Search, if you’d like to read up on the background.

What’s the most expensive, valuable, and constrained resource in a security team?

Human attention.

How many security analysts are there?

| `notable_owners` | stats count | eval sec_analysts=(count-1)

How long does it take them to forensically analyse an incident? We can get some hints by looking at the amount of review activity. Audit > Incident Review Audit and Audit > Suppression Audit are of course useful, but you can also do this sort of thing:

| `incident_review` | search status_default=false | timechart span=1day count by reviewer usenull=f

“Forensically analyze” …
