Copyright © 2016 Splunk Inc.
Splunk User Group Edinburgh
Deployment & Security
September 2016

Introduction - Harry McLaren
● Alumnus of Edinburgh Napier
● Security Consultant at ECS
– Role: Splunk Professional Services & Enablement Lead
– Specialism: SIEM & Splunk Architecture
Global Splunk Partner Revolution Award - 2016
Agenda
• Housekeeping: Overview & House Rules
• Presentation: Deployment Best Practices
• Group Discussion: Deployment Challenges & Solutions
• Presentation: Security Best Practices
• Group Discussion: Security Challenges & Solutions
• Group Discussion: Favourite Use Cases [Optional]
[Splunk Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
● User Lead
● Technical Discussions
● Sharing Environment
● Build Trust (With Community & Splunk)
● No Sales!
What Do You Want From A User Group?
Deployment Best Practices
Complex Architecture
[Diagram: Indexer, Universal Forwarder, Search Head, Cluster Management, Forwarder Management, Heavy Forwarder]
Planning & Design
● High Level Design & Environment Diagram
● High Availability / Load Balancing
– Minimum Number of Nodes (SHC x3 / IXC x2-3)
– Forwarder Based (AutoLB), Search Heads (Persistent Sessions via Load Balancer)
● Hardware & Storage Requirements
– Availability / Retention / Archiving
● Development / Staging Environment
● Environment Orchestration & Configuration
– Version Control, Configuration Management, Access Management, Packaging
Pre-Implementation
● Raise Required Changes (Network, Identity, Architecture)
● Validate Connectivity & System Access
● Download Binaries / Licences / Apps
– Splunk Software & Splunk Licences
● Ensure DNS Records Function
– IP Addresses Should Be Avoided In Config (Use DNS Records)
● Forwarder Deployment
– Engage with Platform Teams
– Develop Automation Script (Requires deploymentclient.conf with DNS Entry)
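The two forwarder-deployment points above (point at the deployment server by DNS name, keep IP addresses out of config) as an added example. This is not code from the slides or from Splunk: the stanza and key names ([deployment-client], clientName, [target-broker:deploymentServer], targetUri, and outputs.conf 'server') are the real Splunk ones, while the host names, the sample conf and the list of keys treated as endpoints are assumptions of the example.

```python
"""Added example, not from the original slides: render a forwarder's
deploymentclient.conf that points at the deployment server by DNS name, and
scan existing .conf text for hard-coded IP addresses in endpoint settings.

The stanzas and keys used ([deployment-client], clientName,
[target-broker:deploymentServer], targetUri, and outputs.conf 'server') are
the real Splunk ones; the host names and the sample conf are constructed.
"""
import ipaddress
import re

# Settings whose value names a remote endpoint and should therefore be a DNS
# name (assumed list for this example: targetUri, server, master_uri, mgmt_uri).
ENDPOINT_KEYS = ("targetUri", "server", "master_uri", "mgmt_uri")


def is_ip_literal(endpoint: str) -> bool:
    """True if endpoint ('10.0.0.5', '10.0.0.5:8089' or '[fe80::1]:8089') is an IP."""
    host = endpoint.strip()
    if host.startswith("["):                 # bracketed IPv6 with port
        host = host[1:host.find("]")]
    elif host.count(":") == 1:               # host:port (IPv4 or DNS name)
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_deploymentclient_conf(client_name: str, deployment_server: str,
                                port: int = 8089) -> str:
    """Render deploymentclient.conf for one forwarder.

    An IP literal is refused on purpose: re-addressing the deployment server
    should only ever need a DNS change, never a redeploy to every forwarder.
    """
    if is_ip_literal(deployment_server):
        raise ValueError(f"use a DNS name, not an IP literal: {deployment_server}")
    if "." not in deployment_server:
        raise ValueError(f"use a fully qualified DNS name: {deployment_server}")
    return (
        "[deployment-client]\n"
        f"clientName = {client_name}\n"
        "\n"
        "[target-broker:deploymentServer]\n"
        f"targetUri = {deployment_server}:{port}\n"
    )


def find_ip_literals(conf_text: str) -> list:
    """Return (key, endpoint) pairs whose endpoint value is an IP literal."""
    hits = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$", line)
        if not m or m.group(1) not in ENDPOINT_KEYS:
            continue
        # outputs.conf 'server' may list several endpoints separated by commas
        for endpoint in m.group(2).split(","):
            if is_ip_literal(endpoint):
                hits.append((m.group(1), endpoint.strip()))
    return hits


# Constructed sample outputs.conf that breaks the "DNS names only" rule.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.20.30.41:9997, idx02.splunk.example.com:9997
"""

if __name__ == "__main__":
    print(build_deploymentclient_conf("web01.example.com", "ds.splunk.example.com"))
    print(find_ip_literals(SAMPLE_OUTPUTS_CONF))
```

Run find_ip_literals over the conf files in a deployment app before pushing it; the rendered deploymentclient.conf goes into the forwarder's local directory by whatever mechanism the automation script uses.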
Implementation
● Build Sequence
– Management Layer > Indexer Layer > Search Layer
● Data Source On-boarding Process
– Use Case Identification, Data Source Profiling, Develop, Test & Deliver (RTL)
● Utilise Splunk Apps & Add-ons (Free & Premium)
– Unix App, Windows Infrastructure App, VMware App, Apache App, Etc.
● Bundle Search Objects Into Custom Apps
– Breakdown by Business Unit, Grouped Use Cases, Etc.
● Use Splunk Documentation & Splunk Answers for Guidelines
Post-Implementation
● Update Designs / Diagrams (Delivered Implementation)
● Training & Knowledge Sharing
– Education Courses (Free / Paid), Community Support & Partner Training
● Identify Splunk Champions – Technical & Business
● Build Business Value
– Identify Secondary Use Cases
● Build Entitlement Framework
– Cost Centre Clawback, Shared Financial Burden, Shared Responsibility
Any Questions?
Deployment Challenges & Solutions (Group Discussion)
Deployment Challenges & Solutions
● Example Challenges / Solutions:
– Source Data Access
‣ Early SME Engagement & EventGen App?
– Hardware Challenges
‣ Develop Deployment Config in the Cloud?
● Discussion Time Limit: 15mins
Security Best Practices
Pre-Install Hardening & Validation
● Secure Operating System Pre-Installation
● Industry Standard Guidelines
– Center for Internet Security (CIS) - Security Benchmarks
● Create Splunk Specific User/Group with Relevant Permissions
– Ensure Splunk Doesn’t Run as ‘Administrator’ or ‘Root’
● Verify Integrity of Binaries (Checksum Hash / Signature)
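The binary-integrity check from the last bullet, as an added example rather than code from the slides or from Splunk. It assumes the published checksum arrives in the sha512sum "<hash>  <filename>" line format; the package contents and digest it checks are constructed, and the signature half of the check is left to the platform's package tooling and not shown.

```python
"""Added example, not from the original slides: verify a downloaded Splunk
package against its published SHA-512 line before installing it.

Assumes the vendor checksum is a sha512sum-style '<hash>  <filename>' line.
The package bytes below are a constructed stand-in, not a real release.
"""
import hashlib
import hmac
import os
import tempfile


def sha512_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so a large package never sits in RAM."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line: str) -> tuple:
    """Parse 'hexdigest  filename' (sha512sum format) into (digest, filename)."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or len(parts[0]) != 128:
        raise ValueError(f"not a SHA-512 checksum line: {line!r}")
    return parts[0].lower(), parts[1].lstrip("*")   # leading '*' = binary mode


def verify_package(path: str, checksum_line: str) -> bool:
    """True only if the filename matches and the digests agree.

    A filename mismatch is a failure too: a valid digest for a different
    package says nothing about the one you are about to install.
    """
    expected_digest, expected_name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != expected_name:
        return False
    return hmac.compare_digest(sha512_of_file(path), expected_digest)


def demo() -> tuple:
    """Write a constructed package, verify it, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "splunkforwarder-sample.tgz")   # constructed name
        with open(pkg, "wb") as fh:
            fh.write(b"constructed package bytes\n" * 1000)
        good_line = f"{sha512_of_file(pkg)}  splunkforwarder-sample.tgz"
        ok_before = verify_package(pkg, good_line)
        with open(pkg, "ab") as fh:          # simulate a corrupted or altered download
            fh.write(b"\x00")
        ok_after = verify_package(pkg, good_line)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The streaming digest matters for real packages, which run to hundreds of megabytes; hmac.compare_digest is a habit rather than a necessity here, since the digest being compared is public.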
Implementation Hardening
● User Authentication & Role-Based Access Control
● Transport Encryption & Authentication (TLS)
● Secure Password Deployment
– Shared splunk.secret / Hashed Passwords in Deployment Apps
● Access Control Lists
– Simple IP/DNS Whitelisting or Blacklisting
● Disable Unnecessary Splunk Components (Splunk Web / REST Port)
● Configuration Change Monitoring via Splunk
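The access-control-list bullet, worked as an added example (not code from the slides or from Splunk). acceptFrom is a real Splunk setting in inputs.conf, server.conf and web.conf; the evaluator below is an independent re-implementation that assumes first-match-wins ordering, '!' to deny a rule, CIDR or single-address rules and wildcard DNS names, so confirm the exact semantics in the docs for your version. It shows the permissive default beside a tightened list, evaluated over constructed connection attempts.

```python
"""Added example, not from the original slides: evaluate a Splunk-style
network ACL (the acceptFrom setting found in inputs.conf, server.conf and
web.conf) against a set of connecting hosts.

acceptFrom is a real Splunk setting; this evaluator is an independent
re-implementation that assumes first-match-wins ordering, '!' to deny a
rule, CIDR or single-IP rules, and wildcard DNS names. All addresses and
host names are constructed.
"""
import ipaddress
from fnmatch import fnmatch
from typing import Optional


def _matches(rule: str, addr: str, hostname: Optional[str]) -> bool:
    """One rule (without any leading '!') against one connection."""
    if rule == "*":
        return True
    try:
        # CIDR ('10.0.5.0/24') or a single address ('10.0.5.66')
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass
    # Otherwise treat the rule as a (possibly wildcarded) DNS name, which only
    # helps when the connecting address has a usable reverse lookup.
    return hostname is not None and fnmatch(hostname.lower(), rule.lower())


def accept_from(acl: str, addr: str, hostname: Optional[str] = None) -> bool:
    """True if the ACL admits the connection; nothing matched means deny."""
    for raw in acl.split(","):
        rule = raw.strip()
        if not rule:
            continue
        deny = rule.startswith("!")
        if _matches(rule.lstrip("!"), addr, hostname):
            return not deny
    return False


# The weak setting (accept from anywhere) beside a tightened one: deny one
# known-bad host first, then allow the forwarder subnet and forwarder DNS zone.
WEAK_ACL = "*"
HARDENED_ACL = "!10.0.5.66, 10.0.5.0/24, *.fwd.example.com"

# Constructed connection attempts: (source address, reverse-DNS name or None)
SAMPLE_CONNECTIONS = [
    ("10.0.5.10", None),
    ("10.0.5.66", None),
    ("192.0.2.44", "uf01.fwd.example.com"),
    ("198.51.100.7", "scanner.example.net"),
]


def decisions(acl: str) -> dict:
    """Map each sample source address to the ACL's accept/deny decision."""
    return {addr: accept_from(acl, addr, host) for addr, host in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    print("weak    ", decisions(WEAK_ACL))
    print("hardened", decisions(HARDENED_ACL))
```

Order matters in a first-match list: the deny for 10.0.5.66 only works because it sits before the 10.0.5.0/24 allow. Name-based rules are the weaker half of the list, as they depend on reverse DNS the connecting side can influence, so prefer address ranges where the forwarder population allows it.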
Monitoring Environment (Security & IT Ops)
● Collect Local Operating System Host Logs / Report on Anomalies
– Security, Access, Application, Configuration, Patching & Performance
● Forward All Splunk’s Internal Logs into Indexers
● Splunk Crafted Reporting for ‘Splunk’ (Previously: Splunk on Splunk)
– Indexing Performance, Search Performance, Search Activity, Missing Forwarders
● Report On Users Attempting to Search Restricted Indexes
● Use Data Integrity Checking & Monitor Exceptions
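The "users attempting to search restricted indexes" report, as an added example and not code from the slides or from Splunk. The audit line format is a constructed simplification of the search events in Splunk's _audit index (they carry user=, action=search and search='...' fields), and the role and entitlement tables are constructed stand-ins for what authorize.conf and the directory mapping would hold.

```python
"""Added example, not from the original slides: report users whose searches
name indexes their role does not cover, from audit-style log lines.

The line format is a constructed simplification of Splunk's _audit search
events; the role and entitlement tables are constructed too.
"""
import re

# Constructed entitlement data: which indexes each role may search, and who
# holds which role.
ROLE_INDEXES = {
    "soc_analyst": {"main", "firewall", "proxy"},
    "app_support": {"main", "app_logs"},
}
USER_ROLES = {"alice": "soc_analyst", "bob": "app_support"}

# key=value pairs: a value is either single-quoted (and may contain commas)
# or runs up to the next comma / closing bracket.
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]+)")
# every index=<name> or index=* term inside the search string
INDEX_RE = re.compile(r"\bindex\s*=\s*\"?([A-Za-z0-9_*-]+)", re.IGNORECASE)


def parse_audit_line(line: str) -> dict:
    """Split one audit line into its key=value fields (quotes removed)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith("'") else value.strip()
    return fields


def restricted_index_attempts(log_text: str) -> list:
    """(user, index) for every index term a user's role does not cover.

    'index=*' is reported as well: even where the platform trims the results
    to the role's indexes, a wildcard from a narrowly scoped account shows the
    account looking beyond its remit and deserves a review.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("action") != "search" or "search" not in fields:
            continue
        allowed = ROLE_INDEXES.get(USER_ROLES.get(fields.get("user"), ""), set())
        for index in INDEX_RE.findall(fields["search"]):
            if index not in allowed:
                hits.append((fields["user"], index))
    return hits


# Constructed sample audit lines (simplified _audit search-event shape).
SAMPLE_AUDIT = """\
Audit:[timestamp=09-21-2016 10:01:02.001, user=alice, action=search, info=granted, search='search index=firewall action=blocked']
Audit:[timestamp=09-21-2016 10:03:44.120, user=bob, action=search, info=granted, search='search index=hr_payroll OR index=app_logs error']
Audit:[timestamp=09-21-2016 10:05:10.870, user=bob, action=search, info=granted, search='search index=* sourcetype=syslog']
Audit:[timestamp=09-21-2016 10:06:00.000, user=alice, action=login, info=succeeded]
"""

if __name__ == "__main__":
    for user, index in restricted_index_attempts(SAMPLE_AUDIT):
        print(f"{user} searched index={index} outside their role")
```

In production the same logic is a scheduled search over the _audit index joined to the role-to-index mapping; the point of the report is a short, reviewable list rather than a blocking control, since the platform already enforces the restriction.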
Any Questions?
Security Challenges & Solutions (Group Discussion)
Security Challenges & Solutions
● Example Security Challenges:
– Easier Implementation of Transport Encryption (TLS)?
‣ Scripted Certificate Generation & Deployment via App
– How to Segment Data?
‣ According to Business Unit or Use Case (via Indexes)
● Discussion Time Limit: 15mins
Favourite Use Cases (Group Discussion)
Favourite Use Cases
● Example Use Cases:
– Self Healing with ServiceNow Integration with Ansible
– IT Operational Monitoring with IT Service Intelligence (Glass Tables)
– Malicious Behaviour Detection with Entropy Analysis on DNS Logs
● Discussion Time Limit: 15mins
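The entropy-on-DNS-logs use case, as an added example that is not code from the slides (in Splunk this would normally be an SPL search with an entropy function). The resolver log lines, client addresses and domain names are constructed, and the thresholds are starting points to tune against your own baseline rather than recommended values.

```python
"""Added example, not from the original slides: Shannon entropy over DNS
query names as a first-pass detector for DGA-style or tunnelling domains.

The log lines, client addresses and domains are constructed, and the
thresholds are starting points to tune against your own baseline.
"""
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 4.0   # bits/char; the dictionary-word names here score lower
MIN_LENGTH = 12           # short names give unstable entropy estimates
MAX_LABEL_LENGTH = 40     # very long labels suggest data encoded into queries

QUERY_RE = re.compile(r"client=(\S+)\s+query=(\S+)")


def shannon_entropy(text: str) -> float:
    """Bits per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def name_body(fqdn: str) -> str:
    """Characters to score: the name without its final label (the TLD) and
    without dots. Assumes single-label TLDs; a production version would use
    the public suffix list so that 'example.co.uk' is handled properly."""
    labels = fqdn.rstrip(".").lower().split(".")
    body = labels[:-1] if len(labels) > 1 else labels
    return "".join(body)


def score_query(fqdn: str) -> list:
    """Reasons the query looks suspicious ([] when it looks ordinary)."""
    reasons = []
    body = name_body(fqdn)
    if len(body) >= MIN_LENGTH and shannon_entropy(body) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    if any(len(label) > MAX_LABEL_LENGTH for label in fqdn.split(".")):
        reasons.append("long_label")
    return reasons


def suspicious_queries(log_text: str) -> list:
    """(client, query, reasons) for each log line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, query = m.groups()
        reasons = score_query(query)
        if reasons:
            hits.append((client, query, reasons))
    return hits


# Constructed DNS resolver log lines.
SAMPLE_DNS_LOG = """\
2016-09-21T10:00:01Z client=10.0.5.10 query=www.google.com type=A
2016-09-21T10:00:02Z client=10.0.5.10 query=cdn.images.example.com type=A
2016-09-21T10:00:03Z client=10.0.5.23 query=q8z1kx5v3mw7bpj2ud9r.net type=A
2016-09-21T10:00:04Z client=10.0.5.23 query=mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tun.example.org type=TXT
"""

if __name__ == "__main__":
    for client, query, reasons in suspicious_queries(SAMPLE_DNS_LOG):
        entropy = shannon_entropy(name_body(query))
        print(f"{client} {query} {','.join(reasons)} entropy={entropy:.2f}")
```

Entropy alone is a noisy signal (CDN and cloud hostnames score high), so in practice it is combined with query volume per client, NXDOMAIN rate and the age of the domain before it becomes an alert rather than a hunting lead.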
Updates Announced at .conf 2016
● Introducing Splunk Enterprise 6.5 - Available Now
‣ Splunk ML Toolkit – a guided workbench and SPL extensions to help you create and operationalize your own custom analytics based on your choice of algorithms.
‣ Tables, a new feature that lets you create and analyse tabular data views without using SPL.
‣ Hadoop Data Roll gives you another way to reduce historical data storage costs while keeping full search capability.
● New Releases (General Availability October 2016):
– Splunk Enterprise Security [Minor Release]
– Splunk IT Service Intelligence [Major Release]
– Splunk User Behaviour Analytics [Major Release]
Get Involved!
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
● Splunk’s Slack Group
– Register via www.splunk402.com/chat
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | [email protected] | @cyberharibu | harrymclaren.co.uk
‣ ECS | [email protected] | @ECS_IT | ecs.co.uk

Thank You