Splunk Siem

  • View
    214

  • Download
    0

Embed Size (px)

Text of Splunk Siem

  • 8/22/2019 Splunk Siem

    1/20

    Splunk SIEMPartner Guide

    Revision: H1CY11

  • 8/22/2019 Splunk Siem

    2/20

    The Purpose of this Document

    The Purpose of thisDocument

    This guide describes how to deploy Splunk security information and eventmanagement with Cisco security products.

    Who Should Read This Guide

    This document is for the reader who:

    Has read the Cisco Security Information and Event ManagementDeployment Guide and the Internet Edge Deployment Guide.

    Wants to connect Borderless Networks to a Splunk solution

    Wants to gain a general understan ding of the Splunk solution

    Has a level of understan ding equivalent to a CCNA

    Security certification Wants to solve compliance and regulatory reportin g problems

    Wants to enhance network security and operations

    Wants to improve IT operational efficiency

    Wants the assurance of a validated solution

    Related Documents

    Before reading this guide

    Design Overview

    Internet Edge Deployment Guide

    Internet Edge Configuration Guide

    Cisco SIEM Deployment Guide

    You are Here

  • 8/22/2019 Splunk Siem

    3/20

    Table of Contents

    ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS

    DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

    DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITA-

    TION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH

    DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL

    OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY

    DEPENDING ON FACTORS NOT TESTED BY CISCO.

    Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and gures included in the document are shown for illustrative purposes

    only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Unied Communications SRND (Based on Cisco Unied Communications Manager 7.x)

    2010 Cisco Systems, Inc. All rights reserved.

    Table of Contents

    Cisco Smart Business Architecture Borderless Networks or Enterprise 1

    Business Benefts 3

    Technology Par tner Solution Overview 4

    Deploying ArcSight Express 6

    Collecting Logs, Events, and Correlated Events 11

    Generating Reports 13

    Maintaining the SIEM Solution 15

    Common Troubleshooting Tips 16

    Example o a Day Zero Attack (Malware-Inected Customer Network) 17

    Products Verifed with Cisco Smart Business Architecture 18

    Appendix A: SBA or Enterprise Organizations Document System 19

  • 8/22/2019 Splunk Siem

    4/20

    1Cisco SBA Overview

    Cisco SBA Overview

    Cisco Smart Business Architecture (SBA)Borderless Networks (BN) forEnterprise Organizations offers partners and customers valuable networkdesign and deployment best practices; helping organizations deliversuperior end-user experience that include switching, routing, security andwireless technologies combined with the comprehensive managementcapabilities for the entire system. Customers can use the guidance providedin the architecture and deployment guiudes to maximize the value of theirCisco network in a simple, fast, affordable, scalable and flexible manner.

    Figure 1 Splunk Integrated into Cisco SBABN for EnterpriseOrganizations

    The modular design of the architecture means that technologies can beadded when the organization is ready to deploy them. The architecture alsoprovides Cisco-tested configurations and topologies which CCNA-levelengineers can use for design and installation, and to support organizationalneeds

    Cisco offers a number of options to provide security management capabili-ties. This guide is focused on our partnership with Splunk to provide anaffordable, easy-to-use security management solution.

  • 8/22/2019 Splunk Siem

    5/20

    2Cisco SBA Overview

    What is Splunk?

    Splunk is software that provides a unique view across your entire IT infra-structure from one place and in real time. Splunk enables you to search,report, monitor and analyze streaming and historical data from any source,and speeds investigation of security incidents. Critical systems can bemonitored to avoid service degradation or outages and compliance is deliv-ered at lower cost. New business insights are gleaned from your IT data.

    Splunk can index any time-stamped ASCII text with none of the t ypicaldevice support and new version restrictions seen from other products thataccept log data. If new versions of Cisco data sources are released, Splunkmakes the data sources available to you indexed and ready for use. Youchoose when and where to use the new data. Splunk also accepts multi-lineapplication data without the need for translators or connectors.

    Figure 2 Splunk for Cisco Security Real-Time Dashboard

    Business Benefts

    Splunk helps its customers make better business decisions by takingmachine generated data and applying a forensics and analytics approach tosecurity and event management as well as IT operations management.

    Any time-stamped ASCII text machine generated data can be indexedwith Splunk, including custom application logs.

    Splunks search language includes analytical commands used to create

    tables, counts, charts, and other objects that help make data compelling.

    Time charts and other graphical trending elements used in dashboardsthat can provide executives with a risk management picture customizedto your data and your business requirements.

    Splunkbase provides apps and add-ons to improve the user experienceand provide out-of-the-box solutions to use cases.

    Splunk breaks down barriers between the IT operations and securityteams, resulting in faster problem resolution.

    Security and application data can be viewed in context, and data trendsexamined, so that key performance indicators (KPIs) can be established

    and outliers identified.

    Security Benefts

    Splunk supports a forensics approach to security event management.Looking for patterns in log data from Cisco security devices and viewingthem in context of other log data provides a comprehensive view of whatshappening in your IT architecture. Using Splunk, the security team can har-ness their knowledge to model attack vectors and attack patterns based onconditions that might be see in log data can be modeled in Splunk.

    Examples:

    Review the series of events documented in log data that take place fromthe moment a piece of malware is downloaded into the environment.

    Set Splunk to report on levels of traffic between hosts or network seg-ments that do not ordinarily communicate with each other.

    Augmentation of a data loss prevention system (DLP) by monitoring emailtraffic levels between individuals and the amount or size of attachmentssent.

    Depending on the environment, each of these scenarios can include one ormore Cisco security solutions.

  • 8/22/2019 Splunk Siem

    6/20

    3Cisco SBA Overview

    Splunk does not force the user to make compromises on what data thesecurity team can collect due to either schema or scalability issues. Whena search across data sources is constructed, the user can save, run, andsend the search results and graphical reports to others in PDF format on ascheduled basis. The search can also become a security dashboard ele-ment for display. Existing Splunk customers use this display in their securityoperations center.

    Figure 3 Drill Down from Graph to Report to Log Data

    To add additional context to security events, Splunk has the ability to con-nect to external sources of data and pull this data into reports or dashboardsin Splunk. Augmenting security data with information from an asset databaseabout the asset owner, email, phone number, location, or department canhelp decrease response times. Asset databases also may contain informa-tion about asset classifications, priority, or whether the host has personalinformation on it. This information can also be displayed in Splunk.

    Splunk breaks down silo barriers between the IT operations and the

    security teams resulting in faster problem resolution.

    Direct drill-down from any part of a dashboard to the underlying logsspeeds security investigations (Figure 3).

    Additional information from other data sources such as personnel data-bases, Active Directory, or asset management databases can be pulledinto Splunk to add context to security and operations events.

    Search results from a security investigationwhether from single ormultiple log sourcescan immediately be turned into condition that can

    be monitored in real-time.

    IT Operations Benefts

    Understanding the effect of security i

Search related