The Compliance Challenge
Reporting on firewall, access control and application logs and other machine data to demonstrate compliance controls is difficult and costly. Each of these systems generates logs in a different format and location, and each auditor request involves a different, manual procedure. The requirement to limit access to production systems has an even bigger impact: system administrators and developers are denied access to production systems to analyze logs and configurations, which limits their ability to respond to operations and security incidents.
Bring powerful indexing, search, alerting and reporting to the challenges of change management. With Splunk you can search, alert and report on machine data from virtually any source. Meet compliance requirements from audit trail collection and reporting, to file integrity monitoring with a single solution. Generate any compliance report in seconds. And you’ll overcome the operational impact of demands to restrict production system access by giving developers and application support secure, read-only access to the machine data they need without touching production systems.
In 2014, the Department of Defense (DoD) introduced the Risk Management Framework (RMF) to help federal agencies better manage the many risks associated with operating an information system. It is clear that a compliance-only approach is not enough for a robust security posture, especially in the face of today’s threats. The core premise of RMF is that systems carry inherent risk based on many factors, including criticality, sensitivity and the evolving threat landscape, and that managing that risk is a continuous process rather than a one-time exercise performed for accreditation.
RMF is a paradigm shift for agencies from the traditional Certification and Accreditation (C&A). Change is not always seamless, and there are always challenges.
The NIST SP 800-37 publication offers guidance on RMF as a discrete set of six steps:
- Categorize – your systems based on an impact assessment, as detailed in FIPS Publication 199
- Select – the baseline controls that apply to the system, tailored according to the risk assessment
- Implement – apply the controls and document their deployment
- Assess – determine the controls’ effectiveness and the extent to which they have been implemented correctly
- Authorize – determine the risk and, if it is acceptable, approve operation
- Monitor – continuously observe, track changes and reassess effectiveness
Splunk is a cost-effective, flexible and integrated solution that can help meet a variety of compliance requirements and beyond. In particular, Splunk can be leveraged to assist agencies in facilitating and enabling their RMF process, specifically with Step 4 (Assess) and Step 6 (Monitor).
With Splunk, federal agencies have better access to their data and can interpret it to ensure agency transparency. Additionally, audits are made much simpler with quick generation of reports and dashboards that offer an instant, real-time view into implementations and their effectiveness.
Some of the specific ways Splunk helps agencies embrace RMF include:
- Continuous monitoring of security controls and their effectiveness
- Audit trail collection and reporting
- Help determine acceptability of security controls in terms of risk
- Enable assessment of implementation and effectiveness of controls
- Collect, retain, search, alert and report on logs from all assets and activities
In 2017, the Presidential Cybersecurity Executive Order (EO) was released, calling for assessments that require gathering data from across the agencies and correlating it to demonstrate the implementation of security controls and to assess gaps where they exist.
The most important step in complying with the requests in the EO is to automate the data gathering and correlation process. Given an agency’s environment and that transformation initiatives are here to stay, here is a list of pointers to consider in a solution:
- Flexibility: The solution must offer a framework that includes all the organization’s business process entities and be able to adapt to changes.
- Scalability: Must account for growth, including the ability to quickly incorporate new activities, users and processes.
- Central Management and Federated Access: Must provide centralized management through a single interface to ensure consistent, easy management and self-reporting, and organization-wide access to stakeholders through role-based access control.
- Data Source Agnostic: Must quickly interface with any and all data sources required to monitor, assess and meet compliance demonstration and reporting requirements.
- Extensibility: Must go beyond compliance and seamlessly enable proactive security measures that enhance information protection against any threat, internal or external. Data collected once should be usable across the organization, beyond security and IT, extending return on investment (ROI).
- Real-Time Architecture: Must aggregate log data and other relevant information from across the agency in real time to achieve accurate situational awareness and alert on deviations from desired outcomes.
- Customization: Must be able to query the data and build inquiry mechanisms and visualizations that reflect stakeholders’ needs and a changing environment, so that decisions can be made quickly.
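The compliance challenge described at the top of the page (logs from firewalls, access control and applications in different formats) and the Real-Time Architecture and Customization pointers above all come down to the same mechanics: normalize each source into one audit-trail schema, aggregate, report, and alert on deviations from the desired outcome. The following Python script is an added illustration of that pipeline and is not Splunk's code or part of the original page. The three log formats, the six log lines and the change-control policy (only accounts in APPROVED_CHANGE_ACCOUNTS may alter files under /etc/app/) are constructed assumptions for the example.

```python
"""Normalize heterogeneous logs into one audit-trail schema, report on it,
and flag deviations from two simple controls (added example, constructed data)."""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in three different formats (not from any real device).
FIREWALL_LINES = [  # key=value syslog-style lines from a hypothetical firewall
    "2024-03-01T10:00:01Z fw01 action=DENY src=10.1.2.3 dst=10.9.0.5 dport=22 user=-",
    "2024-03-01T10:00:07Z fw01 action=ALLOW src=10.1.2.4 dst=10.9.0.5 dport=443 user=-",
]
ACCESS_LINES = [  # common-log-format web access lines
    '10.1.2.4 - alice [01/Mar/2024:10:00:09 +0000] "GET /admin HTTP/1.1" 403 512',
    '10.1.2.5 - bob [01/Mar/2024:10:00:11 +0000] "GET /reports HTTP/1.1" 200 2048',
]
APP_LINES = [  # JSON application audit events
    '{"ts": "2024-03-01T10:00:15Z", "event": "config_change", "user": "carol", '
    '"file": "/etc/app/prod.conf", "result": "ok"}',
    '{"ts": "2024-03-01T10:00:20Z", "event": "login", "user": "dave", "result": "failed"}',
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

def _iso(ts):
    # "Z" suffix is only accepted by fromisoformat from Python 3.11; normalize it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_firewall(line):
    ts, host, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": _iso(ts), "source": "firewall", "host": host, "actor": f["src"],
            "action": f"connect:{f['dport']}", "target": f["dst"],
            "outcome": "success" if f["action"] == "ALLOW" else "failure"}

def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError(f"unparseable access line: {line!r}")
    status = int(m["status"])
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "source": "webaccess",
            "host": "web01", "actor": m["user"], "action": f"{m['method']} {m['path']}",
            "target": m["path"], "outcome": "success" if status < 400 else "failure"}

def parse_app(line):
    r = json.loads(line)
    return {"ts": _iso(r["ts"]), "source": "app", "host": "app01", "actor": r["user"],
            "action": r["event"], "target": r.get("file", "-"),
            "outcome": "success" if r["result"] == "ok" else "failure"}

def build_audit_trail():
    """One time-ordered list of events in a common schema, regardless of origin."""
    events = ([parse_firewall(l) for l in FIREWALL_LINES]
              + [parse_access(l) for l in ACCESS_LINES]
              + [parse_app(l) for l in APP_LINES])
    return sorted(events, key=lambda e: e["ts"])

def compliance_summary(events):
    """Counts per (source, outcome): the kind of table an auditor asks for."""
    return Counter((e["source"], e["outcome"]) for e in events)

# Constructed policy (assumption): only these accounts may change production config.
APPROVED_CHANGE_ACCOUNTS = {"alice"}
PROD_CONFIG_PREFIX = "/etc/app/"

def find_deviations(events):
    """Flag events that violate the stated controls so they can raise an alert."""
    findings = []
    for e in events:
        # Change-management / file-integrity control: unapproved production config change.
        if (e["source"] == "app" and e["action"] == "config_change"
                and e["target"].startswith(PROD_CONFIG_PREFIX)
                and e["actor"] not in APPROVED_CHANGE_ACCOUNTS):
            findings.append(("unapproved_config_change", e["actor"], e["target"]))
        # Access-control evidence: denied request to an administrative path.
        if e["source"] == "webaccess" and e["target"].startswith("/admin") and e["outcome"] == "failure":
            findings.append(("denied_admin_access", e["actor"], e["target"]))
    return findings

if __name__ == "__main__":
    trail = build_audit_trail()
    for (src, outcome), n in sorted(compliance_summary(trail).items()):
        print(f"{src:10s} {outcome:8s} {n}")
    for finding in find_deviations(trail):
        print("ALERT", *finding)
```

The point of the common schema is that reports and alert rules are written once against fields such as `actor`, `target` and `outcome` rather than once per log format; adding a new data source means adding a parser, not rewriting the reports. A real deployment would also retain the raw line alongside the normalized fields so that the audit trail remains evidence-grade.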
Splunk is a leader in compliance and security solutions. It is extensively used in government agencies and has been selected as the Data Integration Solution for the Continuous Diagnostics and Monitoring (CDM) program for 25 Federal Civilian Government Agencies. Chances are someone in your agency is already using or considering using Splunk. Let us know how we can help. With short timeframes for compliance, a proven solution would be your ticket to success.
ASSETS TO HELP LEVERAGE BEST PRACTICES
- Tech Brief: Splunk and the Cybersecurity Framework
- Video: Working Smarter: NIST with Ron Ross
- Solution Brief: Managing Compliance in Federal Agencies
- Archived Webinar: Cybersecurity Executive order: Leveraging Splunk to Support the NIST Framework