How is the removal of IT data block signing, Audit signing, and Event hashing features in Splunk 6.2 going to affect the Splunk for PCI Compliance App?

gfuente
Motivator

Hello

Reading the Splunk 6.2 release notes:

http://docs.splunk.com/Documentation/Splunk/6.2/releasenotes/Deprecatedfeatures

I found that:

IT data block signing
Audit signing
Event hashing

Have been removed. So, as these features are required to comply with the PCI DSS rules, I would like to know how the removal of these features is going to affect the Splunk for PCI Compliance App:

https://apps.splunk.com/app/1143/

It says that it is 6.2 compliant, but the PCI DSS requires this feature...

Regards

1 Solution

jeff
Contributor

marcoscala
Builder

Jeff,

thanks for the update, but this doesn't mention Event hashing... any news about that?! Or does this also resolve single event tampering?

Marco

0 Karma

mahamed_splunk
Splunk Employee

Marco,

This new feature computes hashes at the slice level, not at the individual event level. The size of every slice is 128 KB. A slice consists of one or more events. In case of tampering, the system will identify the slice(s) that have been compromised.

0 Karma
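The slice-level detection described in the post above, sketched as an added example (not Splunk's code or on-disk format). Only the 128 KB slice size comes from the thread; SHA-256, the packing rule, the function names and the sample events are assumptions made for illustration.

```python
import hashlib

SLICE_BYTES = 128 * 1024  # slice size stated in the post above

def build_slices(events, limit=SLICE_BYTES):
    """Pack whole events into slices of at most `limit` bytes (assumed packing rule)."""
    slices, current, size = [], [], 0
    for ev in events:
        if current and size + len(ev) > limit:
            slices.append(current)
            current, size = [], 0
        current.append(ev)
        size += len(ev)
    if current:
        slices.append(current)
    return slices

def slice_digest(slice_events):
    """SHA-256 over the length-prefixed events of one slice (hash choice is an assumption)."""
    h = hashlib.sha256()
    for ev in slice_events:
        h.update(len(ev).to_bytes(4, "big"))  # prefix stops event-boundary shuffling
        h.update(ev)
    return h.hexdigest()

def seal(events):
    """Digest manifest; it must be stored where the data's writer cannot reach it."""
    return [slice_digest(s) for s in build_slices(events)]

def tampered_slices(events, manifest):
    """Indexes of slices whose digest differs from, or is absent in, the manifest."""
    current = seal(events)
    bad = [i for i, (a, b) in enumerate(zip(current, manifest)) if a != b]
    lo, hi = sorted((len(current), len(manifest)))
    return bad + list(range(lo, hi))  # slices added or removed since sealing

# Constructed sample data: 3000 events of exactly 100 bytes each.
EVENTS = [(b"ts=%04d user=alice action=login result=fail" % i).ljust(99) + b"\n"
          for i in range(3000)]

if __name__ == "__main__":
    manifest = seal(EVENTS)
    forged = list(EVENTS)
    forged[1500] = forged[1500].replace(b"fail", b"pass")  # same-length edit
    hit = tampered_slices(forged, manifest)
    print("mismatched slices:", hit)
    print("events under suspicion:", sum(len(build_slices(forged)[i]) for i in hit))
```

A single altered event flags its whole slice (1310 events in this sample), which is the granularity difference from per-event hashing raised in the question above.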

mahamed_splunk
Splunk Employee

These features have been deprecated since 5.0 and are now officially removed. The main reason we have deprecated these is because of challenges associated with running in a distributed environment.

We have an item in our roadmap to provide a robust, distributed env compatible data signing feature. We are actively working on this for now. The release vehicle / timeline for the new feature is TBD.

meadowh
New Member

Would be good to know the current status of protecting log fidelity in Splunk:

Does Event Hashing still work in Splunk 6.2??

What about -
IT data block signing
Audit signing?

0 Karma

marcoscala
Builder

Mahamed,
please note that Event Hashing still works in Splunk 6.2. I've just tested it yesterday.

Please also note that removing features that give some kind of certification about data integrity is a major problem for many big customers and installations.

As Distributors, we already received lots of really worried emails from Partners that don't know how to manage this with their Customers.

We all do hope that Splunk will come out with some solution in a very near future: TBD is not an answer we can give to our Partners and Customers.

Regards,
Marco Scala

0 Karma

gfuente
Motivator

Good to know it

Thanks for the info Marco

0 Karma

mahamed_splunk
Splunk Employee

Marco,
Yes, we have started working on the new feature and it could very well be introduced in the next version of Splunk. The reason I mentioned the timing is TBD is because we don't announce our release dates and / or the feature lists much in advance. We definitely understand the importance of data integrity features and will come out with a scalable replacement feature pretty soon.

If customers really need to use the existing feature they can do so by using pre-6.2 versions.

lmyrefelt
Builder

And does Splunk make any recommendations on how to / what to "substitute" it with while "waiting" for your solution?

marcoscala
Builder

This is a major problem for every implementation where data integrity is Mandatory! Also a lot of Security Implementations require that the Solution must guarantee that collected data is not modified.

Is Splunk going to add new features to accomplish the same goal, or is it leaving the Compliance and Security field?

Marco

0 Karma