Month after month, security teams spend countless hours manually tagging individual systems to keep track of compliance, despite having a single source of truth for the system boundaries. I found myself asking why, while thinking their system data should tell its own story. While on a customer site, I implemented a way to automate monthly Federal Information Security Management Act (FISMA) reporting with a dynamic tagging approach.
Let me set the stage – though I’m sure you can picture it. An organization was putting a lot of people hours into mapping FISMA boundaries every month. For context on how much information must be mapped, think of a “boundary” as a container with every component of an information system that is tied to the regulatory framework. For FISMA, that’s a lot.
This organization, like most, was seeking some improved efficiency when tackling the long list of control mapping. The only solution to date was throwing more resources and hours at it. As far as I knew, there was no existing approach to automating this task.
While diving into Q-Compliance, one of their Splunk Administrators called me up after spending some time creating systems and tags. The request was simple, albeit desperate. “Is there some way to automate this tagging process?!” I knew where to start the search, so like any good consultant, said “let me figure it out for you.”
Many Splunk solutions are readily available in the Splunk User Group or online community, but this time I couldn’t find anything. After a thorough review among Qmulos Professional Services team members, I was further convinced a solution to this problem didn’t exist. But it should!
Creating something from scratch usually isn’t necessary, but this was the perfect opportunity to make multiple stakeholders extremely happy. The compliance team would have hundreds of systems easily mapped. The Qmulos Administrator wouldn’t have to manually do the work. And, the Splunk/Linux Administration team wouldn’t have to support the requests for extra work hours for creating the content.
Now I needed to figure out how to create something that didn’t already exist in Splunk. I did some creative thinking, and laid out a plan for dynamic system tagging. Automating FISMA control mapping, I decided and proved, is doable almost entirely within Splunk.
My solution involved the following steps, executed with a custom written script:
1. Pull updated FISMA control list using Splunk and write it to a file
2. Read that file and, using a custom python script, write out a new file with event types and tags Splunk can use
3. Tell Splunk to reload the configurations updated in step 2
4. Run the process on a monthly basis
After a couple of test rounds, we got this process rolling and made a real-world example of ‘working smarter, not harder.’ This solution created a significantly more efficient process. It also freed up quite a few of the customer’s resources. And perhaps best of all, upper management was pleased they did not have to routinely check in on the project status. Now that is a win!
The way I laid this out seems simple, but it did take some effort up front. It is important to have some data modeling wherewithal to know how you’re manipulating the information. And as noted, some python background is important too. But, the most important part of the process was stepping back and writing out those steps in plain language before diving into any coding.
The customer realized exceptional gains because the dynamic tagging took an already easy-to-use feature of Q-Compliance – system tagging defining FISMA boundaries – and empowered the customer to automate that step across hundreds of boundaries.
If you ever face a new challenge someone hasn’t already solved, I encourage a thoughtful approach. Write out the steps you need to resolve the issue in the order they must be done before writing a single line of code. Think about what can be done with Unix or Python or both together. Troubleshoot along the way, get input from teammates, and keep being creative – your discovery can save a lot of headaches for a lot of people down the road!
Unique organizations require unique solutions. If you are in need of a custom compliance solution like this one, Qmulos has your answer. Contact us today for more information and to start building your path to compliance automation.