Saviynt Security Manager V1.0
Splunk Integration & Administration Guide




Edition notice
Note: This edition applies to version 1.0 of Saviynt Security Analyzer and to all subsequent releases
and modifications until otherwise indicated in new editions.

Copyright Saviynt Inc. 2016















Saviynt Security Manager v1.0: Splunk Integration & User Guide


2

Contents
1. Introduction to Saviynt Security Analyzer ........................... 4
2. Description of the Application ...................................... 4
3. Pre-Requisites ...................................................... 4
   3.1 Supported OS Platforms .......................................... 4
   3.2 Connectivity and Firewalls consideration ........................ 4
   3.3 Supported Splunk versions ....................................... 4
   3.4 Splunk Application .............................................. 4
4. Installation and Configuration ...................................... 5
   4.1 Installing the Saviynt application .............................. 5
       4.1.1 Not Connected to the Internet ............................. 5
       4.1.2 Connected to the Internet ................................. 8
   4.2 Creating Cross Account Role ARN ................................. 9
   4.3 Importing Data .................................................. 9
       4.3.1 Importing Data for the first time ......................... 9
5. AWS Dashboard ...................................................... 12
   5.1 AWS Controls ................................................... 12
   5.2 Understanding the graphs ....................................... 13
       5.2.1 Bubble Graph ............................................. 13
       5.2.2 High Risk Summation ...................................... 16
       5.2.3 Pie Charts ............................................... 17
6. Analytics .......................................................... 20
   6.1 Creating New Analytics ......................................... 20
7. AWS IAM Users ...................................................... 22
   7.1 List of AWS IAM Users .......................................... 22
   7.2 Account Detail ................................................. 23
   7.3 Associated AWS Object .......................................... 24
   7.4 Search ......................................................... 24
8. AWS Objects ........................................................ 25
9. Upgrade to Saviynt Premium ......................................... 26
10. Contact Us ........................................................ 28









1. Introduction to Saviynt Security Analyzer
Saviynt Security Analyzer provides a single pane of glass for managing security across AWS services
and cloud infrastructure ecosystem, enabling businesses to accelerate the migration of mission-critical
workloads and data to cloud. With over 250 security controls and risk signatures available out of box
and more that can be user-defined, Saviynt Security Analyzer enables you to continuously monitor the
effectiveness of AWS security posture. This document aims to provide detailed instructions for
installation, configuration, and use of the Saviynt Application for Splunk.

2. Description of the Application



The app connects to the organization's AWS environment, imports data from there, and monitors the
effectiveness of AWS security posture.

3. Pre-Requisites

The following components must be installed and configured on your Splunk infrastructure for the
Saviynt App to function correctly.

3.1 Supported OS Platforms


The Saviynt application for Splunk is Platform Independent.

3.2 Connectivity and Firewalls consideration


Make sure that Splunk environment is connected to the Internet and firewall is not blocking the
connectivity to your AWS environment.

3.3 Supported Splunk versions


This version of the Saviynt App has been tested on Splunk 6.2, 6.3, 6.4 and 6.5 versions.

3.4 Splunk Application


Splunk should be configured in your enterprise before the Saviynt application can be used. If you don't
have Splunk, go to the Splunk website to download it.



4. Installation and Configuration

4.1 Installing the Saviynt application

4.1.1 Not Connected to the Internet


If your Splunk Enterprise server and client do not have Internet connectivity, you must download apps
from Splunkbase and copy them over to your server.

1. From a computer connected to the Internet, browse Splunkbase for the Saviynt Security
   Analyzer app and download it.
2. Once unzipped, copy it to your Splunk Enterprise server, into the $SPLUNK_HOME/etc/apps directory.
3. Go to $SPLUNK_HOME/etc/apps. The file splunk_app_saviynt_aws.tar.gz should be present.
4. Untar and ungzip your app, using a tool like tar -xvf (on *nix) or WinZip (on Windows).




5. Once you see splunk_app_saviynt_aws at the location $SPLUNK_HOME/etc/apps, log in
   to Splunk Enterprise with your credentials.
6. Go to Settings > Server Controls and click Restart Splunk.





(Note: It is necessary to restart Splunk before using it for the first time after downloading the
application)

After the Splunk has been restarted, go to the Saviynt App for AWS.











4.1.2 Connected to the Internet

If the Splunk Enterprise server or client machine is connected to the Internet, the app browser can be
reached from the home page.

1. Click the + sign below your last installed app to go directly to the app browser and search for
   Saviynt Security Analyzer. Alternatively, click the gear next to Apps to go to the apps
   manager page, then click Browse more apps to go to the app browser and search for Saviynt
   Security Analyzer.
2. Download and install the app.
3. Restart Splunk.
4. Once Splunk Enterprise has been restarted, the Saviynt Security Analyzer app is installed and
   available from Splunk Home.

Important: If Splunk Web is located behind a proxy server, you might have issues accessing
Splunkbase. To solve this problem, you need to set the HTTP_PROXY environment variable.






4.2 Creating Cross Account Role ARN
The instruction to create the Cross Account Role ARN is accessible here:

http://saviynt.com/wp-content/uploads/2016/11/Saviynt_Splunk_Integration_Guide.pdf

You will need this Role ARN to import the data from AWS account.

4.3 Importing Data

4.3.1 Importing Data for the first time



Click on the Import Data link.



Enter the Contact Information and AWS connection details. Please note that Company name
cannot be changed later. Enter the cross-account role ARN created and AWS account ID.

Once the details have been entered, click on the Save & Test Connection button. The following
dialog box appears.



Click on the Yes button to confirm data import. This imports the data and populates the data on
AWS dashboard and other tabs.

For future data re-imports, you can either follow the previous steps, click on the Re-Evaluate Risks
button on the Home page, or schedule the import to run as a job at a particular time by enabling and
scheduling the pre-existing search "Scheduling for importdata", as shown below.

Enable the search and then schedule it after checking the "Schedule this search" checkbox.


5. AWS Dashboard

5.1 AWS Controls

An AWS Control is a procedure or a policy that ensures that the data in the AWS environment of an
organization is reliable and in compliance with applicable laws & regulations. These controls help you
implement common scenarios for potential conflicts for an AWS Object (such as VPC, EC2, etc).
Saviynt provides a comprehensive range of AWS controls to detect and/or prevent various access and
security violations occurring in your environment.

The AWS controls provided by Saviynt are divided into three different categories:
Risk Signatures

Category | Analytics Name | Occurrence | Compliance Control - Violation Type | Description | Risk | Recommendations
---|---|---|---|---|---|---
AWS Best Practices | CloudFormation templates with No Output Sections | Often | Basic | Detects CloudFormation templates with No Output Sections | Medium | It is recommended to add Output sections to CF templates
AWS Best Practices | CloudFormation templates with Password Violations | | Basic | Detects CloudFormation templates with Password Violations | High | It is recommended not to echo passwords and to keep encrypted passwords in CF templates
AWS Best Practices | CloudFormation templates with Open RDP Port Security Groups | | Basic | Detects CloudFormation templates with Open RDP Port Security Groups | High | It is recommended not to use Open RDP Port security groups in CF templates

Preventative Controls

Category | Type | Analytics Name | Description | Actions | Risk
---|---|---|---|---|---
Preventative control - EC2 | Premium | Workloads with open Internet access via Security Groups | Detects Workloads with open Internet access via Security Groups | Notify via Email, SNS Notification, Stop EC2 instances | Medium
Preventative control - EC2 | Premium | Security Groups with open SSH Ports | Detects Security Groups with open SSH Ports | Notify via Email, SNS Notification, Stop EC2 instances | High
Preventative control - EC2 | Premium | Workloads with open SSH access via Security Groups | Detects Workloads with open SSH access via Security Groups | Notify via Email, SNS Notification, Stop EC2 instances | High

Saviynt's analytics also provide an administrator with the risk level (high, medium, or low) for a violation.

As the AWS Dashboard gets populated, you will see various AWS analytics, such as EC2, VPC, S3
Buckets related to the AWS account.
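Added here as an illustration of the conditions behind the controls in the two tables above; this is not Saviynt's own analytics code. It applies four of the listed checks (no Outputs section, a password parameter that is echoed, an open RDP port in a template security group, and a live security group with SSH open to the world) to constructed CloudFormation and security-group data; the sample inputs and function names are assumptions.

```python
# Added illustration (not Saviynt's own analytics): offline checks modelled on the
# AWS controls listed above, run over constructed CloudFormation and security-group data.
ANY_IPV4 = "0.0.0.0/0"

def _template_opens_port(template, port):
    """True if any AWS::EC2::SecurityGroup resource exposes `port` to 0.0.0.0/0."""
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
            if rule.get("CidrIp") == ANY_IPV4 and lo <= port <= hi:
                return True
    return False

def check_template(name, template):
    """Return (analytics name, risk, object) findings for one parsed CloudFormation template."""
    findings = []
    if not template.get("Outputs"):
        findings.append(("CloudFormation templates with No Output Sections", "Medium", name))
    for pname, param in template.get("Parameters", {}).items():
        # A password parameter without NoEcho is echoed back by the console and API.
        if "password" in pname.lower() and str(param.get("NoEcho", "false")).lower() != "true":
            findings.append(("CloudFormation templates with Password Violations", "High", f"{name}:{pname}"))
    if _template_opens_port(template, 3389):
        findings.append(("CloudFormation templates with Open RDP Port Security Groups", "High", name))
    return findings

def check_security_groups(groups):
    """groups: {group_id: [ingress rules]} as returned by the AWS API; flag SSH open to the world."""
    findings = []
    for sg_id, rules in groups.items():
        if any(r.get("CidrIp") == ANY_IPV4 and r.get("FromPort", -1) <= 22 <= r.get("ToPort", -1)
               for r in rules):
            findings.append(("Security Groups with open SSH Ports", "High", sg_id))
    return findings

# Constructed sample input; the template lacks Outputs, echoes a password and opens RDP.
SAMPLE_TEMPLATE = {
    "Parameters": {"DBPassword": {"Type": "String"}},
    "Resources": {"RdpSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                                  "CidrIp": ANY_IPV4}]}}},
}
SAMPLE_GROUPS = {"sg-constructed-1": [{"FromPort": 22, "ToPort": 22, "CidrIp": ANY_IPV4}],
                 "sg-constructed-2": [{"FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}
```

Running check_template on SAMPLE_TEMPLATE yields three findings (Medium, High, High) and check_security_groups flags only sg-constructed-1, matching the risk levels the tables assign.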

5.2 Understanding the graphs

5.2.1 Bubble Graph



To see the number of security violations in the different AWS objects related to the account, scroll down
to the following screen on the Home page.



On this chart, hovering over any of the bubbles gives the number of instances and violations on the
object.



Click on the bubble for any of the AWS analytics listed on the right. For example, if you click on the
brown colored EC2 bubble on the chart, the following screen should appear:




This page provides the following information:
- Analytics Name: The name of the control created for AWS. The application provides around 150
  out-of-the-box controls.
- Description: A brief description of the control.
- Category: The AWS category under which the analytics is included.
- Conflict Count: The number of violations occurring for the specific control.
- Risk: The risk level of the violations (high, medium or low).
- Last Run: The last run time of the control.
- Recommendations: The recommendations for administrators to remediate the violations.

Click on any row to get more information about the violations for a particular analytics.

Click on any Analytics and it will show you the details of the violations associated with that
particular Analytics.



5.2.2 High Risk Summation

Click on the Home button and scroll down to the section High Risk Summation.



This bar graph gives the conflict count for various analytics. Hover over the bar corresponding to any
of the analytics and click on it.


5.2.3 Pie Charts

Scroll down further to get various pie charts, which give an insight into the current AWS ecosystem
and actual or potential occurring violations.




The below example explains the pie chart titled Open Access on EC2 Security Groups. Hovering
over any section of the pie chart gives the number of violations and the percentage it represents for
the total number of violations for open access on EC2 security groups.













Click on the section of the pie chart. The following screen should appear.



6. Analytics

Click on the Analytics tab on the top.



The following screen should appear. It provides a list of analytics under different AWS categories, their
descriptions and the number of conflicts occurring. Click on any one of them to see the list of violations
in that particular analytics along with the details.

6.1 Creating New Analytics



Click on the Create New Analytics tab to create a customized AWS analytics that is currently not
included in the controls provided by Saviynt.





Once the details are entered and the request is created, an email is sent to Saviynt's support team.
The process to include the new analytics is initiated within 24 hours.



7. AWS IAM Users

7.1 List of AWS IAM Users



Click on the AWS IAM Users Tab on the top.

The following screen should appear:



This shows a list of all active IAM users associated with the AWS account.


7.2 Account Detail



Click on any account name and it gives the details of the account for the particular user.



7.3 Associated AWS Object

Click on the Associated AWS Object tab.

7.4 Search

To search for a specific user's account, use the application's search functionality by entering the user
name in the search field.



8. AWS Objects

Click on the AWS Objects tab on the top. The following screen should appear:



This screen provides a list of the AWS objects and their criticalities (very low, low, medium, high, very
high, none).



9. Upgrade to Saviynt Premium

Upgrade to the Premium application for access to many more risk signatures and preventative
controls, and to import data from more than one AWS account. More details on premium features are
available at:

http://saviynt.com/saviynt-security-analyzer/

Click on the Get Premium Application button on the top right corner of the Home page.

The following payment screen appears:



Enter the number of accounts in your AWS environment and your Splunk ID.
There are two modes of payment:
Pay Now: Pay the amount for subscription via PayPal or any other major credit card
Invoice Me: Upon clicking on the Invoice Me button, the following box appears:




Once a request is submitted, you will be contacted by a Saviynt team member to confirm and
process the request.










10. Contact Us

For any issues or questions regarding the app, scroll down to the bottom of the home page.



Click on contact us to open the following window:
