
  • http://www.cisco.com/go/govsba

  • Splunk SIEM Partner Guide

    Revision: H2CY10

  • The Purpose of this Document

    This guide describes how to deploy Splunk security information and event management with Cisco security products.

    Who Should Read This Guide

    This document is for the reader who:

    Has read the Cisco Security Information and Event Management Deployment Guide and the Internet Edge Deployment Guide.

    Wants to connect Borderless Networks to a Splunk solution

    Wants to gain a general understanding of the Splunk solution

    Has a level of understanding equivalent to a CCNA Security certification

    Wants to solve compliance and regulatory reporting problems

    Wants to enhance network security and operations

    Wants to improve IT operational efficiency

    Wants the assurance of a validated solution

    Related Documents

    [Figure: document map. Before reading this guide: Design Overview, Internet Edge Deployment Guide, Internet Edge Configuration Guide, Cisco SIEM Deployment Guide. You are here: Splunk SIEM Partner Guide. The map groups the documents into Design Guides, Deployment Guides (Foundation Deployment Guides, Network Management Guides, SIEM Deployment Guide, Internet Edge Deployment Guide) and Supplemental Guides.]

  • Table of Contents

    ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

    Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

    Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x)

    2010 Cisco Systems, Inc. All rights reserved.

    Table of Contents

    Cisco SBA for Large Agencies Borderless Networks . . . . . . . . . . 1

    Agency Benefits . . . . . . . . . . 3

    Technology Partner Solution Overview . . . . . . . . . . 4

    Deploying ArcSight Express . . . . . . . . . . 6

    Collecting Logs, Events, and Correlated Events . . . . . . . . . . 11

    Generating Reports . . . . . . . . . . 13

    Maintaining the SIEM Solution . . . . . . . . . . 15

    Common Troubleshooting Tips . . . . . . . . . . 16

    Example of a Day Zero Attack (Malware-Infected Customer Network) . . . . . . . . . . 17

    Products Verified with Cisco SBA . . . . . . . . . . 18

    Appendix A: SBA for Large Agencies Document System . . . . . . . . . . 19

  • 1 Cisco SBA Overview

    Cisco Smart Business Architecture (SBA) for Government Large Agencies Borderless Networks (BN) offers partners and customers valuable network design and deployment best practices, helping agencies deliver a superior end-user experience that includes switching, routing, security and wireless technologies combined with comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.

    Figure 1. Splunk Integrated into Cisco SBA for Large Agencies Borderless Networks

    The modular design of the architecture means that technologies can be added when the agency is ready to deploy them. The architecture also provides Cisco-tested configurations and topologies which CCNA-level engineers can use for design and installation, and to support agency needs.

    Cisco offers a number of options to provide security management capabilities. This guide is focused on our partnership with Splunk to provide an affordable, easy-to-use security management solution.

  • 2 Cisco SBA Overview

    What is Splunk?

    Splunk is software that provides a unique view across your entire IT infrastructure from one place and in real time. Splunk enables you to search, report, monitor and analyze streaming and historical data from any source, and speeds investigation of security incidents. Critical systems can be monitored to avoid service degradation or outages, and compliance is delivered at lower cost. New operational insights are gleaned from your IT data.

    Splunk can index any time-stamped ASCII text with none of the typical device support and new version restrictions seen from other products that accept log data. If new versions of Cisco data sources are released, Splunk makes the data sources available to you indexed and ready for use. You choose when and where to use the new data. Splunk also accepts multi-line application data without the need for translators or connectors.

    Figure 2. Splunk for Cisco Security Real-Time Dashboard

    Agency Benefits

    Splunk helps its customers make better operational decisions by taking machine-generated data and applying a forensics and analytics approach to security and event management as well as IT operations management.

    Any time-stamped, machine-generated ASCII text can be indexed with Splunk, including custom application logs.

    Splunk's search language includes analytical commands used to create tables, counts, charts, and other objects that help make data compelling.

    Time charts and other graphical trending elements used in dashboards can provide executives with a risk management picture customized to your data and your operational requirements.

    Splunkbase provides apps and add-ons to improve the user experience and provide out-of-the-box solutions to use cases.

    Splunk breaks down barriers between the IT operations and security teams, resulting in faster problem resolution.

    Security and application data can be viewed in context, and data trends examined, so that key performance indicators (KPIs) can be established and outliers identified.

    Security Benefits

    Splunk supports a forensics approach to security event management. Looking for patterns in log data from Cisco security devices and viewing them in the context of other log data provides a comprehensive view of what's happening in your IT architecture. Using Splunk, the security team can harness their knowledge to model attack vectors and attack patterns based on conditions that might be seen in log data.

    Examples:

    Review the series of events documented in log data that take place from the moment a piece of malware is downloaded into the environment.

    Set Splunk to report on levels of traffic between hosts or network segments that do not ordinarily communicate with each other.

    Augmentation of a data loss prevention (DLP) system by monitoring email traffic levels between individuals and the amount or size of attachments sent.

    Depending on the environment, each of these scenarios can include one or more Cisco security solutions.
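The second scenario above, as an added example that is not the guide's own code or a Splunk feature: the baseline-deviation logic a scheduled Splunk search would implement, written here in Python over constructed Cisco ASA-style "connection built" syslog lines. The interface names used as segments, the addresses and the exact message wording are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed ASA-style syslog lines (sample data, not taken from the guide).
# A trusted historical window defines which segments ordinarily talk to each other.
BASELINE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for inside:10.1.10.25/51000 (10.1.10.25/51000) to outside:203.0.113.5/443 (203.0.113.5/443)",
    "%ASA-6-302013: Built outbound TCP connection 1002 for inside:10.1.10.26/51001 (10.1.10.26/51001) to outside:203.0.113.9/80 (203.0.113.9/80)",
    "%ASA-6-302015: Built outbound UDP connection 1003 for inside:10.1.10.25/53211 (10.1.10.25/53211) to outside:198.51.100.53/53 (198.51.100.53/53)",
]
# A later window that contains a segment pair never seen in the baseline (dmz -> inside).
NEW_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 2001 for inside:10.1.10.25/51002 (10.1.10.25/51002) to outside:203.0.113.5/443 (203.0.113.5/443)",
    "%ASA-6-302013: Built inbound TCP connection 2002 for dmz:10.1.30.7/44000 (10.1.30.7/44000) to inside:10.1.20.15/445 (10.1.20.15/445)",
    "%ASA-6-302013: Built inbound TCP connection 2003 for dmz:10.1.30.7/44001 (10.1.30.7/44001) to inside:10.1.20.16/445 (10.1.20.16/445)",
    "Some unrelated line that the parser must skip",
]

# The firewall interface names (inside, dmz, outside) stand in for the network segments.
CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def segment_pairs(lines):
    """Count connections per (source segment, destination segment, destination port)."""
    counts = Counter()
    for line in lines:
        m = CONN_RE.search(line)
        if m:  # lines that are not connection-built events are ignored
            counts[(m["src_if"], m["dst_if"], int(m["dport"]))] += 1
    return counts


def learn_baseline(historical_lines):
    """Segment pairs that ordinarily communicate, learned from the historical window."""
    return {(src, dst) for (src, dst, _port) in segment_pairs(historical_lines)}


def unexpected_flows(new_lines, baseline):
    """Connections between segment pairs absent from the baseline, keyed by pair and port."""
    return {key: n for key, n in segment_pairs(new_lines).items() if (key[0], key[1]) not in baseline}


if __name__ == "__main__":
    for (src, dst, port), n in unexpected_flows(NEW_LOGS, learn_baseline(BASELINE_LOGS)).items():
        print(f"ALERT: {n} connection(s) {src} -> {dst} on port {port}, pair not in baseline")
```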

  • 3 Cisco SBA Overview

    Splunk does not force the user to make compromises on what data the security team can collect due to either schema or scalability issues. When a search across data sources is constructed, the user can save, run, and send the search results and graphical reports to others in PDF format on a scheduled basis. The search can also become a security dashboard element for display. Existing Splunk customers use this display in their security operations center.

    Figure 3. Drill Down from Graph to Report to Log Data

    To add additional context to security events, Splunk has the ability to connect to external sources of data and pull this data into reports or dashboards in Splunk. Augmenting security data with information from an asset database about the asset owner, email, phone number, location, or department can help decrease response times. Asset databases also may contain information about asset classifications, priority, or whether the host has personal information on it. This information can also be displayed in Splunk.

    Splunk breaks down silo barriers between the IT operations and the security teams, resulting in faster problem resolution.

    Direct drill-down from any part of a dashboard to the underlying logs speeds security investigations (Figure 3).

    Additional information from other data sources such as personnel databases, Active Directory, or asset management databases can be pulled into Splunk to add context to security and operations events.

    Search results from a security investigation, whether from single or multiple log sources, can immediately be turned into a condition that can be monitored in real time.

    IT Operations Benefits

    Understanding the effect of security issues on the IT ope
