In Splunk Enterprise Security, asset and identity data management is essential to fully utilize the platform. An asset is a networked system in a customer organization; an identity is a set of names that belong to or identify an individual user or user account. Having an accurate, complete list of your organization’s assets and identities is key to any security posture. Without it, you will not be able to answer basic but important questions about what normal activity looks like for your organization.
Having this list will allow you to assess the criticality and legitimacy of an entity on your network.
Ask yourself each of the following questions to identify every asset your organization needs to track.
Does that system belong to the organization?
Who owns that system?
Is the system owner different from the application and/or data owner?
What other systems, applications, and network segments should that system be able to communicate with?
Which applications are running on that system?
What applications are supposed to be running on that system?
Have any new applications been installed on that system recently, and if so, who installed them?
Has an application recently begun communicating on a new port?
Who is supposed to have access to that system?
Who is supposed to have access to the applications on that system?
Does that user’s activity correspond to the level of access they have been granted?
Is the frequency with which that user accesses that system consistent with how often that user normally accesses it?
Have a user’s privileges recently been elevated?
If so, who elevated those privileges?
Has a system recently downloaded or uploaded a large amount of data outside of the organization?
Is the amount of traffic generated by that system consistent with the amount of traffic generated by that system on previous days and with other systems running similar or the same application?
View this as a checklist. When considering the assets and identities within your organization, these questions should help you identify the right players. Documenting the answers to these questions is important.
Look at Your Logs
Once the critical systems are identified, the answers to these questions will help you to monitor your assets. You can build your reporting to identify data that differs from the normal usage and activity of the systems. When you’re looking to monitor your assets, refer to these logs:
Network traffic logs
Change management logs
Endpoint protection logs
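One way to turn the last two questions above (outbound data volume compared with that system's previous days) into a report over network traffic logs, as an added example that is not part of the original post or of Kinney Group's services. It assumes firewall events in index=netfw with src_ip, dest_ip and bytes_out fields (the index and sourcetype are placeholders) and the default Enterprise Security merged asset lookup asset_lookup_by_str; hosts missing from the asset list are flagged as unknown rather than dropped, which answers "Does that system belong to the organization?" at the same time.

```spl
index=netfw sourcetype=<your_firewall_sourcetype> earliest=-7d@d
| where NOT (cidrmatch("10.0.0.0/8", dest_ip)
          OR cidrmatch("172.16.0.0/12", dest_ip)
          OR cidrmatch("192.168.0.0/16", dest_ip))
| bin _time span=1d
| stats sum(bytes_out) AS daily_out BY src_ip _time
| eval day=if(_time >= relative_time(now(), "@d"), "today", "baseline")
| eventstats avg(eval(if(day="baseline", daily_out, null()))) AS avg_out,
             stdev(eval(if(day="baseline", daily_out, null()))) AS stdev_out
             BY src_ip
| where day="today" AND daily_out > avg_out + 3*stdev_out
| lookup asset_lookup_by_str ip AS src_ip OUTPUT nt_host owner priority
| eval owner=coalesce(owner, "UNKNOWN - not in asset list"),
       priority=coalesce(priority, "unknown")
| table _time src_ip nt_host owner priority daily_out avg_out stdev_out
| sort - daily_out
```

The three-standard-deviation threshold and the seven-day baseline are starting points; tune them per asset priority once you know what normal looks like for each system.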
A Quick Guide to Asset Management in Splunk
Those are your quick and easy steps to asset and identity management within Splunk. Sometimes you need to ask yourself a full slate of questions to fully understand the system information behind your security posture in Splunk. Kinney Group has years of experience working in Splunk and Splunk Enterprise Security. If you’re looking for help identifying or managing your assets and identities, our services can help.