Why You Want Splunk-PAM integration
Let’s explore the generic advantages of integrating SIEM with PAM, and look at the specific integration of Splunk with the WALLIX Bastion privileged access management solution.
To sort out the acronyms quickly:
SIEM stands for “security information and event management.” SIEM solutions digest logs from multiple security systems like firewalls and network appliances to provide real-time analysis of potential threats. A good SIEM solution can see patterns and correlations in events in ways that are impossible for a human being to spot. Although Splunk is arguably more than just a standard SIEM, it is often effectively used as a “SIEM plus”…
PAM relates to “privileged access management,” also known as “privileged account management.” PAM is about ensuring that only administrators with proper access rights can log into back-end systems. PAM is also about tracking privileged account sessions when admins might be adding, deleting, or editing user accounts or other settings.
How do SIEM and PAM work together?
There are several integration scenarios, but the most compelling one has PAM functioning as a sort of magnifying glass to show the detail of a security alert that involves a privileged account.
A SIEM solution should be able to flag a security event where someone changed a system configuration in a suspicious way (e.g., at an odd time of day, by a user whose account was set up 10 minutes beforehand, from an odd IP address, and so forth). However, the SIEM report alone may not give security managers enough details on the privileged user’s true actions. A PAM/SIEM solution that’s truly integrated should be able to show the security team what actually happened.
The key word here is “should.” One of the reasons that PAM-SIEM integration is needed derives from a well-understood problem with SIEM. SIEM is hard to do right. SIEM systems can be difficult to implement and require a fair amount of upkeep. Without the right setup, SIEM can generate huge reporting volumes that are difficult to parse. False positives can obscure real threats.
The other “should” reflects PAM’s ability to provide useful detail of the security event. Not every PAM solution does it well.
What can you do? In some sectors, like finance, you have to use SIEM to be compliant. You’re obligated to log everything within the scope and review the reports of the logs. Quite often, this is not an optimal or even productive use of time. It’s unlikely that an individual or a team can look through hundreds of pages of reports daily and be able to categorically say there were no breaches to compliance. That’s where SIEM and PAM integration comes in handy.
Splunk and WALLIX Integration
Integrating the right kind of PAM solution with SIEM can make a big difference. The benefit of Splunk and PAM integration (or Splunk PAM authentication) is the ability to zero in on suspicious events and quickly get a clear understanding of whether it’s a real threat.
Splunk and the WALLIX Bastion PAM solution integrate very well.
When WALLIX is integrated with Splunk, a security manager can go from a security event that’s been flagged to a highly detailed summary of the privileged account session associated with the event. (Not all security events have associated privileged account sessions, but some of the biggest security threats come from privileged accounts.)
At a glance, the security manager will know who logged in to what system. WALLIX also provides an actual video of the session, so the manager can see exactly what the admin did during the privileged session. If something bad happened, the manager will know the specifics right away.
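As an added illustration of the SIEM-to-PAM correlation described above (example code, not WALLIX’s or Splunk’s own; the event and session records, the 22:00 to 06:00 “odd hour” window and the 10.1.1.0/24 admin network are constructed assumptions), this Python triages SIEM-style configuration-change events with the three heuristics the text names and attaches the bastion session an analyst would open next, returning None where no recorded session covers the change:

```python
import datetime as dt
import ipaddress

T = dt.datetime  # shorthand for the constructed timestamps below
# Constructed sample data (not real Splunk or WALLIX output).
SIEM_EVENTS = [
    {"id": "E1", "ts": T(2024, 3, 5, 14, 12), "user": "alice", "host": "db01",
     "src_ip": "10.1.1.20", "action": "edit sshd_config"},
    {"id": "E2", "ts": T(2024, 3, 5, 3, 41), "user": "tmp_ops", "host": "db01",
     "src_ip": "203.0.113.9", "action": "add sudo user"},
    {"id": "E3", "ts": T(2024, 3, 5, 23, 5), "user": "bob", "host": "web02",
     "src_ip": "10.1.1.7", "action": "edit crontab"},
]
ACCOUNT_CREATED = {"alice": T(2023, 1, 10, 9), "bob": T(2022, 6, 1, 8), "tmp_ops": T(2024, 3, 5, 3, 35)}
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.1.1.0/24")]
PAM_SESSIONS = [
    {"session_id": "S-099", "user": "alice", "target": "db01", "protocol": "SSH",
     "start": T(2024, 3, 5, 14, 0), "end": T(2024, 3, 5, 14, 30)},
    {"session_id": "S-100", "user": "tmp_ops", "target": "db01", "protocol": "SSH",
     "start": T(2024, 3, 5, 3, 38), "end": T(2024, 3, 5, 3, 50)},
]

def suspicious_reasons(event, created, known_nets):
    # The three heuristics from the text: odd hour, freshly created account, unknown source IP.
    reasons = []
    if event["ts"].hour < 6 or event["ts"].hour >= 22:
        reasons.append("odd hour")
    if event["ts"] - created.get(event["user"], dt.datetime.min) <= dt.timedelta(minutes=10):
        reasons.append("account created within 10 min")
    if not any(ipaddress.ip_address(event["src_ip"]) in net for net in known_nets):
        reasons.append("unknown source IP")
    return reasons

def find_session(event, sessions):
    # The bastion session covering the event, or None if the change bypassed the bastion.
    for s in sessions:
        if (s["user"] == event["user"] and s["target"] == event["host"]
                and s["start"] <= event["ts"] <= s["end"]):
            return s
    return None

def triage(events, sessions, created, known_nets):
    # Flag suspicious events and attach the session recording an analyst opens next.
    flagged = []
    for e in events:
        reasons = suspicious_reasons(e, created, known_nets)
        if reasons:
            flagged.append({"event": e["id"], "reasons": reasons, "session": find_session(e, sessions)})
    return flagged
```

A flagged event with no covering session means the change was not made through the bastion, which is itself a finding to chase.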
Integrating PAM and SIEM takes more than just software, however. You have to have policies and practices aligned as well.
Here are 10 steps to help achieve full Splunk/WALLIX Integration:
- Create a useable and understandable security policy based on compliance and business needs.
- Ensure that all employees and third parties read, understand, and agree to the security policy.
- Enforce the policy. There is no point in having a policy if it’s not enforced.
- Create a policy of least privileged access.
- Use workflows to ensure only authorized and approved access to critical data systems.
- Monitor and record all sessions related to privileged data and critical systems with WALLIX and Splunk.
- Notify all users connecting to the monitored systems that they are being recorded and possibly watched (Four Eyes principle) in real-time.
- Systematically audit the connections of critical systems using Splunk.
- In case of a breach flagged by Splunk, use the WALLIX recording to understand if the breach was accidental or malicious.
- Learn from any breach and strengthen the policy, and reduce access further if needed.
Time to Implement
These 10 steps might seem intimidating, but they don’t have to be. Yes, it will take time to plan and implement any PAM/SIEM integration, but it won’t require rebuilding everything. You can deploy WALLIX in a matter of hours. The WALLIX Bastion can be quickly and easily deployed because it is agentless. Because it is a bastion, only connections established through WALLIX are recorded and monitored. This reduces the scope for privacy and compliance issues in terms of personal email and internet usage.
Potential Impediments to Workflows
In our experience, some security managers have reacted to the idea of policy-driven PAM-SIEM integration by saying, “My Admins won’t like that.” However, if the PAM-SIEM integration is done the right way, it should not have much impact on the actual admin workflow.
In the case of a Splunk-WALLIX integration, admins report that they much prefer the improved workflow:
- Everyone can still use the tools they like, including PuTTY, WinSCP, and home-grown products.
- No one needs to remember IP addresses or passwords.
- WALLIX provides a point for single sign-on (SSO) and remote admin credentials for servers, network devices, databases, and applications.
- WALLIX can help protect admins with recordings that show exactly what work was done during change requests and emergencies.
Training & Administration
Training staff can be difficult with some SIEM-PAM integrations but with Splunk/WALLIX, it’s not an issue. WALLIX is simple to administer, with most users having just two tabs: Preferences and Authorizations.
- Preferences are for changing passwords and email, etc.
- Authorizations allow the user to simply click on the device(s) to which they want to connect. When an employee or contractor leaves, there is just one place to disable their account. Therefore, the ex-employee threat is reduced to a single point of audit.
WALLIX provides a full audit trail of the username, the remote account, the duration, and the protocol used for every privileged session. As the user is authenticated with their own account, generic accounts can be used once more on remote devices. This helps with cleaning up unused or old system accounts. WALLIX is a single source of authentication. It connects to the remote devices and provides the credentials needed to authenticate and establish the session.