Published on March 4, 2014
Best Practices for Federal Compliance - Dan O’Donnell, CISSO

About this talk
- Using Splunk to satisfy U.S. Gov’t NISPOM auditing reqs. (and maybe a little DCID/CNSS/ICD)
- Audit multiple events, across multiple platforms
- Goal 1: Show how one organization uses Splunk for auditing.
- Goal 2: Start a dialog - maybe a community.
- Non-goal: to be an expert source

About the Speaker
- Dan O’Donnell, CISSO
  - 8 yrs RAND; 5 yrs NBC
  - IANAP (Fortran 77)
- Who/what is RAND.org?
  - FFRDC; non-partisan think tank on public policy: health, education, mil, etc.
  - many PhD scientists, engineers, social scientists, economists
- Splunk users
  - Between 3-10, depending…
What Are NISPOM, DCID?
- NISPOM = National Industrial Security Program Ops Manual
  - Chapter 8: computers and networks
  - Chapter 8-602: what we care about for auditing with Splunk
  - ISFO: Industrial Security Field Operations Manual
- DCID 6/3, being replaced by ICD
  - Equivalent (sort of) for military and IC shops

Ch.8 Significant Requirements
- Ch.8-602 mandates several things, but we’ll only discuss…
  - auditing of specific logs and trails
  - PL-1: 1 of 5, with 1 being lowest
  - ISLs are more specific
- Auditing monitors computers for intrusive patterns and behavior.

Acronyms
- DSS: Defense Security Service
- NISPOM: National Industrial Security Program Ops Manual
- ISL: Industrial Security Letters
- SRO: Security Relevant Objects
- ISSO/ISSM: Information Systems Security Officer/Mgr
- ISFO: Industrial Security Field Operations
- DISA: Defense Information Systems Agency
- STIG: Security Technical Implementation Guide
- ICD (DCID): Intelligence Community Directive
Why Use a Log Aggregator
- Time efficiency!
- Audit frequency (mandated) = weekly
- Time Requirements
  - 1 machine ~ 10 minutes
  - 100 machines ~ 1,000 minutes ~ 2 days per week
- Conclusion: Auditing does not scale.
- Also: log aggregator “remembers” the search strings.

Why Use Splunk as Log Aggregator?
- Labor efficiency = $ efficiency
- System Comparison: We looked at 6 systems, including making our own.
  - Splunk did all four OS platforms – no other commercial product did this.
  - Splunk: superior to what we could do on our own, and less costly.
  - Splunk: modifiable, and on our own hardware.
- Nominally approved by DSS ODAA (v3.4), summer 2009
  - YMMV – check with your ODAA or equivalent

Recommendations
- Richard Bejtlich: network security, awareness, and APT
  - “Federal security is the most frustrating…”
  - “Splunk is really awesome…” and
  - “Splunk is remarkably cheap for an enterprise app…”
  - YouTube: BSDconferences talk, April 21, 2009
  - http://taosecurity.blogspot.com/

Intro to NISPOM (1)
- NISPOM Chapter 8, Section 602 a, b, c, d
  - ISL 2007-01, Data, metadata to capture
- 2 general categories
  - Identification and Authentication (I&A)
  - Security Relevant Objects (SRO)
    - Prohibited file or directory activity
Platforms

Intro to NISPOM (2): Info to Capture
- Date/Time stamp
- User or agent
- Resources involved
- Action involved

Intro to NISPOM (3): I&A
I&A: Identification and authentication
- Login success
- Logout success
- Login attempts that fail – bad username or password
- Login attempts to lockout – 5 attempts within 15 min
- Account lockouts
- Password changes
- User authentication changes: sudo, su, admin
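The “login attempts to lockout” threshold above (5 attempts within 15 min) is the kind of check that gets turned into a saved search; the following is an added example, not from the talk, that runs the same sliding-window check over constructed Linux sshd syslog lines (host names, user names and addresses are made up).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Linux auth.log/syslog style (not real data).
SAMPLE_LOG = """\
Jul 31 12:30:15 host1 sshd[2101]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Jul 31 12:31:02 host1 sshd[2103]: Failed password for alice from 10.0.0.5 port 51023 ssh2
Jul 31 12:33:40 host1 sshd[2107]: Failed password for alice from 10.0.0.5 port 51030 ssh2
Jul 31 12:39:11 host1 sshd[2110]: Failed password for alice from 10.0.0.5 port 51041 ssh2
Jul 31 12:44:59 host1 sshd[2112]: Failed password for alice from 10.0.0.5 port 51050 ssh2
Jul 31 12:45:30 host1 sshd[2115]: Accepted password for alice from 10.0.0.5 port 51051 ssh2
Jul 31 12:10:00 host1 sshd[2090]: Failed password for bob from 10.0.0.9 port 40010 ssh2
Jul 31 13:00:00 host1 sshd[2120]: Failed password for bob from 10.0.0.9 port 40011 ssh2
"""

# Matches the failed-login line sshd writes for bad passwords / unknown users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_failures(text, year=2010):
    """Yield (timestamp, user) for each failed-login line; other lines are skipped.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"]

def lockout_candidates(text, threshold=5, window=timedelta(minutes=15)):
    """Return {user: time the threshold was first reached} for every user with
    at least `threshold` failures inside any sliding window of length `window`
    (the 5-in-15-minutes rule from the slide). Lines may arrive out of order."""
    per_user = defaultdict(list)
    for ts, user in parse_failures(text):
        per_user[user].append(ts)
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = t
                break
    return hits
```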
Intro to NISPOM (4): SRO
SRO: Security Relevant Objects
- Windows types; *nix types
- OS executables
- OS config files
- System management and maintenance executables
- Audit system and data
- Security-related software

ISL #44

ISL #45

Windows Event IDs
- Ultimate Windows Security
- Windows: simplest and easiest
- This list isn’t all, but most.
- This is “XP family”.
- Win7 is totally different.

SROs in *nix
- In general: /bin /usr/bin /sbin /usr/sbin
- Audit systems – BSM; Snare
  - /var/audit /etc/security ; syslog
- AV-ware (required)
- Disk utilities
- “Lemme es’plain… No, it is too difficult.” “Let me sum up…”

Auditable Events & Objects: Summary
- Summary of: WinXP, Server 2003, *nix, OSX, *BSD
Streams
- Windows: System Events, Security Events, Application Events (coming)
- Solaris: Syslog, BSM (converted to text)
- Linux: Syslog, Seclog, Snare log (merged into syslog)
- OSX, TrustedBSD, FreeBSD: Syslog, Seclog, BSM (converted to text)

Streams to Capture in Splunk

Configuring Streams: Win, Linux
- Windows: easy to config, easy to interpret.
  - Configure file size for maximum.
  - Configure persistence for “long”
- Linux: moderately hard to config, fairly hard to interpret
  - Syslog
  - Snare – use the IA “one button config for NISPOM” or make your own.
  - Check with your ISSP or DSS Rep., or DSS Academy.

Configuring Streams: Unix, OSX, BSD
- Solaris: moderately hard to config; hard to interpret
  - Syslog
  - BSM (converted)
- OS X: hard to config; hard to interpret
  - Syslog
  - Seclog
  - OpenBSM (converted to text)
- *BSD: moderately hard to config; hard to interpret
  - BSM part is the same as in OS X, sort of
Case Analysis: Windows
- Windows XP to Vista, including Server
- About 14 of 114 events are audited: success and fail
- Configure Events files
  - Increase size (default 2MB -> 600MB), increase persistence
- Snare can be used
- Active Directory (AD) spews log entries. Filtering with clever Splunk search strings can improve SNR.
- Potential Problem: Active Directory and unix, linux, OSX

Case Analysis: Linux
- Syslog: raw syslog is straightforward.
- Seclog: raw seclog is straightforward.
- Snare: Freeware, from Intersect Alliance
  - NISPOM config can be 1-touch, but “roll your own” may be better.
  - Output is text, merges into syslog.
  - Output is text strings, searchable with Splunk.
- Problem: interpretation of output
  - Splunk lookup tables as a solution?

Case analysis: Snare
- Snare necessary for Linux
  - Hooks into auditd.
  - Recommended by DSS Academy.
- Snare can be used with Windows.
  - Increases detail and complexity.
  - Not yet ready for Win7.
- Snare can be used with Solaris.
  - Data and detail equivalent to BSM.
  - Complexity slightly reduced since Snare outputs to text.
  - Complexity increases, as the minimal Snare docs don’t include output interpretation.

Snare config
Case analysis: Solaris
- Syslog is easy; BSM is hard.
- About BSM:
  - Flags: lo,ad,-fr,-fw,-fc,-fd,-fm,-cl
  - Log file is binary: Splunk can’t handle it.
  - Rotate regularly, export to text.
- Documentation
  - Sun docs, man pages
  - Hal Pomeranz SysAdmin magazine article
- Sun BSM similar to BSM on OSX, FreeBSD, TrustedBSD.
- Snare works on Solaris

Case Analysis: OS X
- Syslog, seclog are easy.
- BSM (harder than Solaris):
  - Same flags: lo,ad,-fr,-fw,-fc,-fd,-fm,-cl
  - Requires script to rotate BSM binary, export to text.
  - Rotation frequency; retention period (1 yr.)
  - ParseAuditLog (PAL) script
- Diffs between OSX 10.6 and earlier
  - 10.6.x has OpenBSM v1.1, with more functionality than earlier 1.0.

Case Analysis: BSM
- Small but powerful
- Generates big binary files, but very compressible
- Very configurable, including “make your own masks”
- ~380 total events (x4); <50% are audited; (x 1/4)
- Diffs between Solaris, OSX, *BSD
- History of OpenBSM
- Interpretation of output (BSM output is Splunk input)
  - Trail file names: 20100731123015.not_terminated; 20100731123015.20100731133015

BSM Audit Classes

BSM Configs
- OpenBSM v1.1
- etc/security/audit_control
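The flags line quoted on the Solaris and OS X slides (lo,ad,-fr,-fw,-fc,-fd,-fm,-cl) follows the audit_control prefix rules: no prefix audits both outcomes of a class, “+” successes only, “-” failures only, and “^” (optionally with + or -) removes auditing an earlier entry turned on. The following is an added example, not from the talk, that expands such a line into which classes are audited for success and for failure; the audit_control fragment is constructed.

```python
# Constructed audit_control fragment using the flags line from the slides;
# not a copy of any production file.
AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ad,-fr,-fw,-fc,-fd,-fm,-cl
minfree:20
naflags:lo
"""

def parse_flags(spec):
    """Expand a BSM flags string into {class: (audit_success, audit_failure)}.
    Entries are applied left to right, so '^' can undo an earlier entry."""
    state = {}
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        remove = tok.startswith("^")
        body = tok[1:] if remove else tok
        succ = fail = True                 # bare class name: both outcomes
        if body.startswith("+"):
            fail, body = False, body[1:]   # '+': successes only
        elif body.startswith("-"):
            succ, body = False, body[1:]   # '-': failures only
        cur_s, cur_f = state.get(body, (False, False))
        if remove:                         # '^' clears the selected outcomes
            state[body] = (cur_s and not succ, cur_f and not fail)
        else:
            state[body] = (cur_s or succ, cur_f or fail)
    return state

def audit_control_flags(text, key="flags"):
    """Pull the value of `key:` out of an audit_control file and expand it."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(key + ":"):
            return parse_flags(line[len(key) + 1:])
    return {}

def classes_audited_for(state, outcome):
    """Sorted class names audited for 'success' or 'failure'."""
    idx = 0 if outcome == "success" else 1
    return sorted(c for c, v in state.items() if v[idx])
```

With the slide's flags, only lo and ad are audited on success, which is why failed file reads show up in the trail while successful ones do not.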
BSM Output
- Lookup tables candidate???

Case Analysis: network appliances
- Splunk and (most): routers, firewalls, switches, ips/ids
- Mandated to audit these too.
- NISPOM and DSS don’t tell us what or how to audit.

Splunk Inputs (redux)
- Windows: Sys.Evt, Sec.Evt
- OSX, FreeBSD: Syslog, Seclog, BSM audit log (converted)
- Linux: Syslog, Seclog, Snare audit log
- Network appliances: Logs from firewalls, ips/ids
- Solaris: Syslog, BSM audit log (converted)
- Active Directory logs (lots of kruft to filter)

Auditable Objects | Splunk inputs

Overall Audit Table
(check-mark table of auditable events per platform; the table body was not captured in the text)
Issues or Potential Problems
- Active Directory, *nix, and UID/GID conflicts
- Unique search string (saved search) for 100s of events???
- Lookup tables to convert Snare and BSM
- Active Directory and SNR (Signal to Noise Ratio)
  - AD spews a large volume of data – filtering requires knowledge and finesse
  - AD and duplicate records

Remaining Outputs
- Interpretation to actual intelligence
- Metrics
- Other Splunk capabilities
- Re-architect?

Questions?