Post on 26-Apr-2018
Copyright © 2013 Splunk Inc.
Alex Eisen Chief Security Expat R&D Eng / Product Security #splunkconf
Hardening Splunk
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.
©2013 Splunk Inc. All rights reserved.
>whoami
! Academia: NSA Information Assurance Scholarship (Comp Sci Masters with InfoSec CNSS/NSTISSI 'certifications')
! Public servant with Department of Defense
  – Proactive: Red Team, Network Attacks, Strategy/Policy
  – Reactive: Incident Response, Forensics
! Private
  – Reactive: Incident Response, Cyber Investigations, Secure Wireless
! Books (technical editor)
  – 2009 Reverse Deception: Organized Cyber Threat Counter-Exploitation
  – 2012 Hacking Exposed: Malware & Rootkits Secrets
  – 2013 Greyhat Exploitation: Legal takedowns?
! Docu
Agenda
! Perspectives (What this is Not About)
! ProdSec Mission & Charter
! PSIRT: Incident Response
! Software Assurance
! Secure Deployment: Hardening Splunk During Deployments and Secure Administration for System Operators + SecDevOps
! Capture The Flag Contest & Bug Bounty Hunt
! Visions: metasplunk
General Basics
! Security is the bipolar opposite of UI/UX
! Splunk Tzu> know y0 data (sources)
! Capability Maturity Models
! Cyberwar (phone batteries :)
! Trends
  – Vulnerability and bug stats
  – Transparency/accountability/responsibility/privacy
  – Media/identity
  – Crowdsourced bug bounties
ProdSec Perspectives
! Perspectives
  – WHAT THIS IS NOT: hunting for intrusions on your network...
    · Security marketing: how to sell Splunk for security use cases, OR
    · Splunk for security use cases (e.g. SIEM for your corporate IT NetSecOpsCenter)
  – 3 angles
    · Of: Pentesting Splunk software
    · Ing: Guiding/helping customers to deploy, configure, operate Splunk with security in mind in their *very diverse and unique* environments
    · With: Risk analytics of all ProdSec vulnerability data (and 24/7 continuous behavioral monitoring of code access, aka Intellectual Property)
Splunk Basics
! Analogies:
  – Securing a distributed operating system
  – Securing a web server
! Exposure:
  – Freemium download
    · Anyone can download, rather than having to access a custom, expensive hardware appliance (1st world problem)
  – SaaS: publicly facing web vs. on-premise
ProdSec Incident Response
! Responsible vulnerability disclosure process
! Security Portal website updates
  – Vulnerability submission form
  – Security advisory announcements (i.e. maintenance releases)
  – T-shirts program
! Customers and customer reps
  – Support SFDC case # -> JIRA SPL issue #
! Severity (risk) scoring/rating
  – CVSSv2
  – Internal Splunk schema
! Bug fixing policy (Bug Council)
PSIRT
ProdSec Incident Response
Severity schema (slide graphic): Critical, High, Medium, Low, Informational
! Example: Reflective XSS (requires social engineering)
Software Assurance: Security Development Lifecycle
! SecSDLC (Secure Coding Guide, SEI CERT/CC, MSDLC)
! OpenSAMM (BSIMM based)
! DISA Application Development STIG
! Certifications:
  – Common Criteria
    · Listed as "under evaluation"
    · Target completion 4-6 months after General Availability (~Q1 2014)
    · FIPS 140-2 OpenSSL module
  – SOC 2 & ISO 27000 on roadmap
Software Assurance: "Or how do we pen test Splunk? How are security bugs found?"
! Testing categories
  – Dynamic (OWASP)
  – Static code checkers
  – Static binary analysis (Veracode score for 5.0.2 is 93/100)
  – Manual penetration testing
  – 3rd party software vulnerability management
  – Fuzzing
  – Independent (3rd party) assessments
Securing / Hardening Splunk: "How to keep people out of your Splunk systems and pass PCI audits"
! Splunk defaults vs. hardened configurations
! Drivers: compliance or security policies & standards
! Securing Splunk guides on ProdSec Portal
! Fubarn App prototype
! Administration for SysOps
  – Server hardening
  – Network hardening
  – Splunk server
  – Splunk apps
! Ideas for training and certification
! Bug Bounty / Capture the Flag contests
Securing / Hardening Splunk: Splunk Server
! Digital signature for downloads (SHA-256 and MD5 checksums are published; compare the SHA-256, since MD5 is collision-broken and proves little on its own)
! Passwords
! SSL/TLS
  – Default certificates (every install ships with the same default CA material, so replace them before exposing anything)
  – Up to 4 pairs of custom CA-signed certificates
  – Determining cipherSuites
  – Proxies and offloading for acceleration & termination
! Roles and capabilities
  – E.g. scripted inputs (whoever can create a scripted input can run arbitrary commands as the Splunk service account, so grant that capability sparingly)
! Single sign-on
  – LDAP
  – SAML
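The download-checksum and SSL/TLS bullets on this slide are the two places a deployer actually touches bytes, so here is a worked example. It is added for this page and is not code from the deck, from the speaker, or from Splunk: a POSIX shell script that (1) verifies a downloaded package against a vendor-published SHA-256 and (2) audits a server.conf-style [sslConfig] stanza for enabled SSLv2/SSLv3 and weak cipher suites. The stanza and key names (sslConfig, sslVersions, cipherSuite, serverCert, sslRootCAPath), the "*,-ssl2" version-list syntax, the colon-separated OpenSSL cipher list, and both sample stanzas are assumptions constructed for illustration; check them against the server.conf reference for the Splunk version you run.

```shell
#!/bin/sh
# Added example for the "Splunk Server" hardening slide; not code from the
# .conf2013 deck or from Splunk. Two pre/post-install checks:
#   verify_download  - compare a package's SHA-256 with the vendor-published
#                      value (fetch that value separately, over HTTPS).
#   audit_ssl_stanza - scan a server.conf-style [sslConfig] stanza for weak
#                      protocol versions and ciphers. Key names and token
#                      syntax are ASSUMPTIONS about your Splunk version.

# Portable SHA-256 of a file: sha256sum (Linux), shasum (macOS), or openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE EXPECTED_SHA256 -> 0 on match, 1 otherwise.
# Only SHA-256 is accepted: a matching MD5 is no evidence against an attacker
# who can craft collisions. Hex case is normalised before comparison.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file (got '$actual')" >&2
    return 1
}

# audit_ssl_stanza CONF_FILE -> prints one finding per line, exit 1 if any.
audit_ssl_stanza() {
    awk '
        /^\[/ { in_ssl = ($0 == "[sslConfig]"); next }       # track stanza
        !in_ssl || /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip the rest
        {
            eq = index($0, "=")
            if (!eq) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[key] = 1
            if (key == "sslVersions") {
                # "*" enables every protocol unless ssl2 and ssl3 are
                # explicitly excluded as "-ssl2,-ssl3" (assumed syntax).
                n = split(tolower(val), vs, ","); star = ex2 = ex3 = 0
                for (i = 1; i <= n; i++) {
                    t = vs[i]; gsub(/[ \t]/, "", t)
                    if (t == "ssl2" || t == "ssl3") { print "sslVersions enables " t; bad = 1 }
                    if (t == "*")     star = 1
                    if (t == "-ssl2") ex2 = 1
                    if (t == "-ssl3") ex3 = 1
                }
                if (star && !(ex2 && ex3)) { print "sslVersions wildcard without -ssl2,-ssl3: " val; bad = 1 }
            }
            if (key == "cipherSuite") {
                # Flag positively enabled NULL, export-grade, RC4, (3)DES,
                # MD5-MAC and anonymous DH/ECDH suites; "!..." entries are
                # exclusions and are left alone.
                n = split(val, cs, ":")
                for (i = 1; i <= n; i++)
                    if (cs[i] !~ /^!/ && toupper(cs[i]) ~ /NULL|EXPORT|RC4|DES|MD5|ADH|AECDH/) {
                        print "cipherSuite enables weak suite: " cs[i]; bad = 1
                    }
            }
        }
        END {
            if (!seen["sslVersions"]) { print "sslVersions not set; product default may allow old protocols"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample stanzas (not from any real deployment), written to DIR.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
[sslConfig]
sslVersions = *
cipherSuite = ALL:!aNULL:RC4-SHA:DES-CBC3-SHA
[general]
serverName = idx1
EOF
    cat > "$1/hardened.conf" <<'EOF'
[sslConfig]
sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
serverCert = /opt/splunk/etc/auth/mycerts/splunkd.pem
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem
EOF
}

# Demo when run as "sh harden-check.sh demo": writes the samples, audits both.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        echo "== $f"; audit_ssl_stanza "$f" && echo "no findings"
    done
    rm -rf "$d"
fi
```

Against the constructed weak stanza the audit reports three findings (the protocol wildcard and the two RC4/3DES suites) and exits non-zero; the hardened stanza passes silently. A matching checksum only shows the file equals what the vendor published, not that the publication itself is trustworthy, so take the expected value from the vendor's HTTPS download page rather than from a mirror or a mailing list, and treat the MD5 the page also lists as a convenience, not proof.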
Visions: metasplunk
[Slide diagram: Splunk as the target of security testing tools, with Minion (Mozilla) and ThreadFix (Denim Group) feeding a "metasplunk" orchestration layer]
Next Steps
Download the .conf2013 Mobile App. If not on iPhone, iPad or Android, use the Web App.
Take the survey & WIN A PASS FOR .CONF2014... or one of these bags!