Copyright 2013 Splunk Inc. Hardening Splunk. Alex Eisen Chief Security Expat R&D Eng / Product Security #splunkconf

Transcription

1 Copyright 2013 Splunk Inc. Hardening Splunk Alex Eisen Chief Security Expat R&D Eng / Product Security #splunkconf

2 Legal NoIces During the course of this presentaion, we may make forward- looking statements regarding future events or the expected performance of the company. We cauion you that such statements reflect our current expectaions and esimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward- looking statements, please review our filings with the SEC. The forward- looking statements made in this presentaion are being made as of the Ime and date of its live presentaion. If reviewed aver its live presentaion, this presentaion may not contain current or accurate informaion. We do not assume any obligaion to update any forward- looking statements we may make. In addiion, any informaion about our roadmap outlines our general product direcion and is subject to change at any Ime without noice. It is for informaional purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligaion either to develop the features or funcionality described or to include any such feature or funcionality in a future release. Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respecdve owners Splunk Inc. All rights reserved. 2

3 >whoami! Academia: NSA InformaIon Assurance Scholarship (Comp Sci Masters with InfoSec CNSS/NSTISSI cerificaions )! Public servant with Department of Defense ProacIve: Red Team, Network A`acks, Strategy/Policy ReacIve: Incident Response, Forensics! Private ReacIve: Incident Response, Cyber InvesIgaIons, Secure Wireless! Books (technical editor) 2009 Reverse DecepIon: Organized Cyber Threat Counter- ExploitaIon 2012 Hacking Exposed: Malware & Rootkits Secrets 2013 Greyhat ExploitaIon: Legal takedowns?! Docu 3

4 Agenda! PerspecIves (What this is Not About)! ProdSec Mission & Charter! PSIRT: Incident Response! SoVware Assurance! Secure Deployment: Harderning Splunk During Deployments and Secure AdministraIon for System Operators + SecDevOps! Capture The Flag Contest & Bug Bounty Hunt! Visions: metasplunk 4

5 General Basics! Decurity is a bipolar opposite of UI/UX! Splunk Tzu> know y0 data (sources)! Capability Maturity Models! Cyberwar (phone ba`eries :)! Trends Vulnerability and Bug stats Transparency/accountability/responsibility/privacy Media/idenIty Crowdsourced bug bounies 5

6 ProdSec PerspecIves! PerspecIves WHAT THIS IS NOT: HunIng for intrusions on your network ê Security markeing How to sell Splunk for security use cases OR ê Splunk for security use- cases (e.g SIEM for your corp IT NetSecOpsCenter) 3 angles ê Of: PentesIng Splunk sovware ê Ing: Guiding/helping customers to deploy, configure, operate Splunk with security in mind in their *very diverse and unique* environments ê With: Risk analyics of all ProdSec vulnerability data (and 24/7 coninuous behavioral monitoring of code access (aka Intellectual Property) 6

7 Splunk Basics! Analogies: Securing a distributed OperaIng System Securing a web server! Exposure: Freemium download ê Anyone can download, rather than access custom expensive hardware appliance (1 st world problem) SaaS: Publicly facing web vs. on- premise 7

8 ProdSec Incident Response Team

9 ProdSec Incident Response! Responsible vulnerability disclosure process! Security Portal website updates Vulnerability submission form Security advisory announcements (i.e. Maintenance releases) T- shirts program! Customers and customer reps Support SFDC case # - > JIRA SPL issue #! Severity (Risk) scoring/raing CVSSv2 Internal Splunk schema! Bug fixing policy (Bug Council) PSIRT 9

10 ProdSec Incident Response Severity Schema: Cri6cal High Medium Low Informa6onal! Example: ReflecIve XSS (requires Social Engineering) 10

11 ProdSec SoVware Assurance

12 SoVware Assurance Security Development Lifecycle! SecSDLC (Secure Coding Guide, SEI CERT/CC, MSDLC)! OpenSAMM (BSIMM based)! DISA ApplicaIon Development STIG! CerIficaIons: Common criteria ê Listed as under evaluaion ê Target compleion 4-6 month aver General Availability (~Q1 2014) ê FIPS OpenSSL Module SOC2 & ISO27000 on roadmap 12

13 SoVware Assurance Or how do we pen test splunk? How security bugs are found?! TesIng categories Dynamic (OWASP) StaIc code checkers StaIc binary analysis (Veracode score for is 93/100) Manual penetraion tesing 3 rd party sovware vulnerability management Fuzzing Independent (3 rd Party) assessments 13

14 ProdSec Securing Splunk

15 Securing / Hardening Splunk How to keep people out of your Splunk systems and pass PCI audits! Splunk defaults vs. hardened configuraions! Drivers: Compliance or security policies & standards! Securing Splunk guides on ProdSec Portal! Fubarn App prototype! AdministraIon for SysOps Server hardening Network hardening Splunk server Splunk apps! Ideas for training and cerificaion! Bug Bounty / Capture the Flag contests 15

16 Securing / Hardening Splunk! Digital signature for downloads (SHA- 256 and md5)! Passwords! SSL/TLS Default cerificates Up to 4 pairs of custom CA- signed CerIficates Determining ciphersuites Proxies and offloading for acceleraion & terminaion! Roles and capabiliies E.g. scripted inputs! Single sign on LDAP SAML Splunk Server 16

17 Visions: metasplunk Security testing tools Splunk target Security minion (Mozilla) metasplunk Threadfix (Denim Group) 17

18 Next Steps 1 Download the.conf2013 Mobile App If not iphone, ipad or Android, use the Web App 2 Take the survey & WIN A PASS FOR.CONF2014 Or one of these bags! 18

19 THANK YOU