End to End Security Auditing
April 2007
Prepared by Ted [email protected]
IBM Software Group
Monitoring your enterprise. Assessing the risks.
March 2007 IBM Corporation
AGENDA (current section: Business Issue)
• Business Issue
• Watch/Monitor vs. Assess
• Tivoli Security Operations Manager
• zAlert
• Consul InSight
• zAudit
• Summary
43% of CFOs think that improving governance, controls and risk management is their top challenge.
CFO Survey: Current state & future direction, IBM Business Consulting Services
Security and compliance challenges
• Increasing Requirements: hundreds of compliance initiatives; compliance requirements are increasing in many industries; improved monitoring and control are needed to manage risks and avoid penalties and lost business.
• Increasing Complexity: disparate technologies and infrastructures fragment and hamper compliance efforts; linking infrastructure-level to business-level compliance is desirable, but challenging.
• Increasing Cost: lack of predictability and visibility across complex infrastructures drives rapid cost inflation; failure to achieve compliance or to prevent security breaches can impose enormous costs.
Key Driver: IT Governance and Compliance
[Figure: “Components of a Logical Compliance Architecture”, Gartner, 2005. Layers shown: Classify, Analyze, Interpret (Business Intelligence Infrastructure, Tools and Applications); Document and Archive (Records Management, Document Management, Knowledge Management, Content Management and Storage); Assert Process Controls (Business Activity Monitoring and CPM; CPM Reporting and Risk); Identify, Audit, Secure and Protect (Identity and Access Management, Network Security, and Business Continuity). Source systems: Business Unit Systems, CRM and Customer-Facing Systems, Financial and ERP Systems. Regulations shown: Sarbanes-Oxley, Basel II, IAS, EU DPD, CFR Part 11, UK Companies Law, USA PATRIOT Act, GLBA.]
Acronym Key: CFR = Code of Federal Regulations; ERP = enterprise resource planning; CPM = corporate performance management; EU DPD = European Union Data Protection Directive; CRM = customer relationship management; IAS = International Accounting Standards
AGENDA (current section: Watch/Monitor vs. Assess)
IBM’s security management vision and strategy:Preemptive, comprehensive security and compliance offerings
AGENDA (current section: Tivoli Security Operations Manager)
Watch: IBM Tivoli Security Operations Manager for Security Event Monitoring
IBM Tivoli Security Operations Manager (TSOM) is a real-time security information and event management (SIEM) platform designed to improve the effectiveness and efficiency of security operations and information risk management. TSOM centralizes and stores security data from throughout the heterogeneous technology infrastructure so that security analysts can:
Key Features
• Log Management: automated aggregation of security events and audit logs
• Correlation: real-time, cross-device event correlation for incident management and investigation
• Regulatory Compliance: reporting and policy monitoring to support regulatory compliance initiatives
• Maximize and amplify security operations resources through automation
• Integrates Security Operations with other IT Operations groups via Netcool and TEC
“TSOM automates the aggregation and correlation process. It mitigates false positives and alerts my team to real threats in a timely manner. The product is more or less what I would have designed and built myself, given four years and a pool of developers.”
~ Communications User of TSOM
Tivoli Security Operations Dashboard
Tivoli Security Operations schematic
TSOM supports over 255 Event/Log Sources
• Access and Identity Management: IBM Tivoli Access Manager, IBM Tivoli Identity Manager, Microsoft Active Directory, CA eTrust Access, CA eTrust Secure Proxy Server, CA eTrust SiteMinder (Netegrity), RSA SecurID, RADIUS, Oracle Identity Management (Oblix), Sun Java System Directory Server, Cisco ACS
• Wireless Security: AirMagnet, AirDefense
• Management Systems (TSOM escalates to): IBM Netcool (Micromuse), IBM/Tivoli Enterprise Console, Cisco Information Center, Remedy ARS, HP OpenView, CA Unicenter
• Management Systems (source of events into TSOM): Check Point Provider-1, CiscoWorks, IBM Netcool (Micromuse), ISS SiteProtector, ISS Fusion Module, Juniper Global Pro (NetScreen), Juniper NSM (NetScreen), Tripwire Manager, Intrusion, Inc. SecureNet Manager, McAfee ePO, Nortel Defense Center, Sourcefire Defense Center, Q1 QRadar Mgmt Server
• Applications: Apache, Microsoft IIS, IBM WebSphere, Oracle Database Server, Lotus Domino, SAP R3, PeopleSoft
• Operating Systems Logs, Logging Platforms: Solaris (Sun)*, AIX (IBM), OS/400 (iSeries), RedHat Linux, SuSE Linux, HP/UX, Microsoft Windows Event Log (W2K3 DHCP, W2K DHCP, IIS), Microsoft SNMP Trap Sender, Nokia IPSO, Novell NetWare, OpenBSD, Tandem Non-Stop OS (HP), Tru64, Tripp Lite UPS, Monitorware SYSLOG, KiwiSyslog
• z/OS Mainframe IDS: Consul zAlert
• Antivirus: CipherTrust IronMail, McAfee VirusScan, Norton AntiVirus (Symantec), McAfee ePO, Trend Micro InterScan
• Application Security: Blue Coat Proxy, Nortel ITM (Intelligent Traffic Mgmt), Teros APS, Sentryware Hive, IBM DataPower (coming soon)
• Discovery Tools: Lumeta IPSonar, NMAP, Sourcefire RNA
• Network Intrusion Detect/Prevention: McAfee IntruShield, Sourcefire Network Sensor, Sourcefire RNA, Juniper IDP, ISS Proventia G, ISS Proventia M, ISS Proventia ADS, ISS RealSecure Network Sensor, ISS BlackICE Sentry, Cisco Secure IDS, SNORT IDS, Enterasys Dragon, Nortel Threat Protection System (TPS), Intrusion's SecureNetPro, Mirage Networks, NFR NID, Symantec ManHunt, ForeScout ActiveScout, QRadar, Top Layer Attack Mitigator, Labrea TarPit, IP Angel, Lancope StealthWatch, Tipping Point UnityOne NDS, Arbor Networks Peakflow X, Mazu Networks
• Host-based Intrusion Detect/Prevention: ISS Proventia Server & Desktop, ISS Server & OS Sensor, Type80 SMA_RT (z/OS Mainframe RACF), PowerTech (iSeries/AS/400), Cisco CSA, NFR HID, IBM Netcool SSMs, Sana, Snare, Symantec Intruder Alert (ITA), Sygate Secure Enterprise, Tripwire, McAfee Entercept
• VPN: Juniper SSL VPN, Nortel VPN Router (Contivity), Check Point, Cisco IOS VPN, Cisco VPN 3000, Juniper VPN, Nortel VPN Gateway (SSL VPN)
• Firewalls: Check Point Firewall-1, Cisco PIX, CyberGuard, Fortinet FortiGate, GNATBox, Juniper (NetScreen), Linux IP Tables, Lucent Brick, Microsoft ISA Server, Nortel Switched Firewall, Stonesoft's StoneGate, Secure Computing's Sidewinder, Symantec's Enterprise Firewall, SonicWALL, Sun SunScreen
• Vulnerability Assessment: ISS Enterprise Scanner, ISS Internet Scanner, Nessus, Vigilante, QualysGuard, Foundstone, eEye Retina, REM, SPI Dynamics WebInspect, nCircle IP360, Harris STAT, Tenable Lightning
• Routers/Switches: Cisco Routers, Cisco Catalyst Switches, Cisco RCMD, Foundry Switches, F5 Big IP, 3-DNS, Juniper JunOS, TACACS / TACACS+, Nortel Ethernet Routing Switch 5500, 8300, 8600, 400 series, Extreme Networks
• Policy Compliance: Vericept
AGENDA (current section: zAlert)
zAlert Overview
Description
zAlert is real-time threat monitoring for the mainframe that goes beyond conventional configuration notification solutions to encompass prevention, since it can take instant action to stop an attack.
Key Benefits
• Monitor sensitive data for misuse
• Fix configuration mistakes before others exploit them
• Detect and stop security breaches
• Lower operational cost associated with Incident Response activities
• Feeds events to TSOM
How it works
Alerts are generated based upon SMF events and JES log events. Actions can be tailored to suit your environment.
Platforms
OS/390 and z/OS through 1.8; RACF; Consul/zAudit
zAlert, the alerts
When your mainframe data is crucial enough that you need to know in real time: Alerting AND Action!
• Send WTO to trigger Automated Operations
• Issue commands autonomously
AGENDA (current section: Consul InSight)
Consul’s Product Family
• Differentiated: beyond perimeter to inside; people and policy focused; depth and breadth
• Hard to emulate: 20 years of expertise built-in; platform-specific know-how across 50+ platforms
What (assess) are people doing in my enterprise?
87% of insider incidents are caused by privileged and technical users.
Tracking through various logs
Next find the Expert for the log
Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris: each log format needs its own expert (Windows expert, z/OS expert, AIX expert, Oracle expert, SAP expert, ISS expert, FireWall-1 expert, Exchange expert, IIS expert, Solaris expert).
W7 Methodology
Who did What type of action on What? When did he do it, and Where, From Where and Where To?
We do the hard work, so you don’t have to!
Assessing compliance: Consul InSight Security Manager
Consul InSight Security Manager provides an enterprise security compliance dashboard with in-depth privileged user monitoring capabilities, all powered by a comprehensive log and audit trail collection capability.
Key Features
• Unique ability to monitor user behavior
• Enterprise compliance dashboard
• Compliance management modules and regulation-specific reports
• Broadest, most complete log and audit trail capture capability
• W7 log normalization translates your logs into business terms
• Easy ability to compare behavior to regulatory and company policies
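The W7 normalization (Who, What, on What, When, Where, From Where, Where To) and the comparison of user behavior against company policy described in the W7 Methodology and Key Features slides, as an added example that is not from the deck and not Consul's or IBM's code: two constructed log formats are mapped into W7 fields, then privileged-user activity is checked against a small policy. The log formats, account names, paths and address range are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class W7:
    who: str         # Who
    what: str        # What type of action
    on_what: str     # on What object
    when: str        # When
    where: str       # Where: system that recorded the event
    from_where: str  # From Where: origin of the action
    where_to: str    # Where To: destination system

# Hypothetical raw formats constructed for this example (not real product output).
UNIX_LOGIN = re.compile(
    r"^(?P<when>\S+) (?P<host>\S+) sshd: Accepted password for (?P<user>\S+) from (?P<src>[\d.]+)")
FILE_EVENT = re.compile(
    r"^(?P<when>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) action=(?P<action>\w+) object=(?P<obj>\S+)")

def normalize(line):
    """Translate one raw log line into a W7 record; None if the format is unknown."""
    m = UNIX_LOGIN.match(line)
    if m:
        return W7(m["user"], "Logon", "interactive session", m["when"],
                  m["host"], m["src"], m["host"])
    m = FILE_EVENT.match(line)
    if m:
        return W7(m["user"], m["action"].capitalize(), m["obj"], m["when"],
                  m["host"], "local", m["host"])
    return None

# Constructed policy: privileged accounts, a sensitive data tree, and the admin logon network.
PRIVILEGED = {"root", "dbadmin"}
SENSITIVE_PREFIX = "/data/payroll"
ADMIN_NET = "10.0.1."

def policy_exceptions(lines):
    """Return (W7 record, reason) pairs for events that violate the policy."""
    hits = []
    for rec in filter(None, map(normalize, lines)):
        if (rec.what == "Logon" and rec.who in PRIVILEGED
                and not rec.from_where.startswith(ADMIN_NET)):
            hits.append((rec, "privileged logon from outside the admin network"))
        if rec.who in PRIVILEGED and rec.on_what.startswith(SENSITIVE_PREFIX):
            hits.append((rec, "privileged user accessed sensitive data"))
    return hits

SAMPLE = [  # constructed sample lines
    "2007-03-01T08:15:02 db01 sshd: Accepted password for dbadmin from 10.0.1.7",
    "2007-03-01T23:41:10 db01 sshd: Accepted password for root from 192.0.2.44",
    "2007-03-01T23:42:55 db01 audit: user=root action=read object=/data/payroll/q1.dat",
    "2007-03-01T09:00:00 db01 audit: user=clerk action=read object=/data/public/readme",
    "a line in a format no expert has been written for yet",
]
```

Running `policy_exceptions(SAMPLE)` yields two exceptions (the root logon from 192.0.2.44 and root reading the payroll file); the unrecognised line is skipped rather than silently mis-normalized, which is the case a new log source always starts in.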
Compliance Dashboard
Logs after W7: billions of log files summarized on one overview graphic!
Compliance Modules
InSight Event Sources
Operating Systems (versions):
CA ACF2 through zAudit ACF2: 8.0
CA eTrust Access Control for AIX, HP-UX, Solaris: 5.0
CA eTrust Access Control for Windows: 4.10
CA Top Secret for VSE/ESA: 3.0
CA Top Secret for z/OS via z/Audit: 5.2
Hewlett-Packard HP NonStop (Tandem) SafeGuard: D42
Hewlett-Packard HP-UX audit trail: 10.2, 11i
Hewlett-Packard HP-UX syslog: 10.2, 11i
Hewlett-Packard OpenVMS: 7.3.2
Hewlett-Packard Tru64: 4.0, 5.1, 5.1B
IBM AIX audit trail: 4.x, 5.1, 5.2, 5.3
IBM AIX syslog: 4.x, 5.1, 5.2, 5.3
IBM OS/400 journals: 4.5, 5r1-r2-r3
IBM z/OS RACF (excl. DB2) through zAudit RACF Lite: R10 to 1.7
IBM z/OS RACF through (already) installed zAudit RACF: R10 to 1.7
IBM z/OS ACF2 (excl. DB2) through zAudit ACF2 Lite: R10 to 1.7
IBM z/OS RACF through (already) installed zAudit ACF2: R10 to 1.7
IBM z/OS TopSecret (excl. DB2) through zAudit Lite: R10 to 1.7
Microsoft Windows security event log: NT4, 2000, 2003, XP
Novell NetWare (via Nsure Audit): 4, 5, 6, 6.5
Novell Nsure Audit: 1.0.1, 1.0.2, 1.0.3
Novell SuSE Linux: 8.2, 9.x
Red Hat Linux syslog: 6.2, 7.2, 8.0, 9.0, ES 4, Fedora Core
Stratus VOS: 13.x, 14.x, 15.x
SUN Solaris audit trail (32 bit & 64 bit): 7, 8, 9, 10
SUN Solaris syslog: 7, 8, 9, 10
User Information Sources:
Hewlett-Packard HP-UX: 10.2, 11i
IBM AIX: 4.x, 5.1, 5.2, 5.3
IBM OS/400: 4.5, 5.1, 5.2, 5.3
IBM z/OS: R10 to 1.7
Microsoft NT Domain: Windows NT4, 2000, 2003
Microsoft Active Directory: Windows 2000, 2003
SUN Solaris: 7, 8, 9, 10
Authentication Sources:
BMC Identity Manager on AIX / Oracle via ODBC: 3.2.0.3
CA eTrust (Netegrity) SiteMinder (from Windows): 5.5
IBM Tivoli Access Manager: 4.1
RSA Authentication Server (Ace): 6.0
Mail Servers and GroupWare:
IBM Lotus Domino (Notes) on Windows (max. of 3000 users): 5.0, 6.0, 6.5
Microsoft Exchange Server (max. of 3000 users): 2000, 2003
Proxy Servers:
Blue Coat Systems ProxySG series: SGOS 3.2.5
Web Servers:
Microsoft Internet Information Server (IIS) on Windows: 4.0, 5.0, 6.0
SUN iPlanet Web Server on Solaris: 4.0, 6.0
VPN:
Cisco VPN Concentrator 3000 (via Syslog): 4.1
Vulnerability Scanners:
ISS System Scanner (from Windows): 4.2
Application Packages (versions):
Misys OPICS: 5, 6, 6.1
SAP R/3 on Windows, HP-UX, AIX, Solaris (number of applications): 4.6, 4.7
Databases:
IBM DB2 on z/OS through zAudit Lite: 7.x, 8.x
IBM UDB on Windows, Solaris, AIX: 8.2
Microsoft SQL Server application logs: 6.5, 7.0, 2000
Microsoft SQL Server trace files: 2000, 2005
Oracle database server on Windows, Solaris, AIX, HP-UX: 8i, 9i, 10g
Oracle database server FGA on Windows, Solaris, AIX, HP-UX: 9i, 10g
Sybase ASE on Windows, Solaris, AIX, HP-UX: 12.5, 15
Firewalls:
Check Point FireWall-1 (via SNMP): 4.1, NG, NGX
Cisco PIX (from AIX, from Windows, via SNMP, via Syslog): 6.0 – 6.3.3
Symantec (Raptor) Enterprise Firewall (via SNMP, via Syslog): 6.0, 6.5, 7.0
IDS, IPS:
ISS RealSecure (alerts) via SNMP: 6.0
ISS RealSecure (operational messages, Windows): 6.0
McAfee IntruShield IPS Manager (via Syslog): 1.9
Snort (Open Source) IDS (via Syslog): 2.1.3, 2.2.0, 2.3.3
Routers:
Cisco Router (from AIX, from Windows, via SNMP, via Syslog): IOS 12.x
Switches:
Hewlett-Packard ProCurve switch (via SNMP): managed units, 2500 series & up
Virus Scanners:
McAfee ePolicy Orchestrator (ePO): 3.5.2
TrendMicro ScanMail for Domino on Windows: 5.3
TrendMicro ScanMail for MS Exchange: 5.3
TrendMicro ServerProtect 5 for NT: 5.3
Symantec AntiVirus Corporate Edition for Windows: 9.0
AGENDA (current section: zAudit)
zAudit at a glance
Description
Security event audit and monitoring for the mainframe environment. Automatic detection of exposures through status auditing.
Key Benefits
• Increase transparency
• Lower cost of event collection and analysis
• Identify security weaknesses
• Decrease chance of costly security breaches
How it works
zAudit looks across your various mainframe systems, measuring and auditing status and events. The technology provides standard and customized reports, and real-time alerts on policy exceptions or violations that indicate a security breach or weakness.
Platforms
z/OS through 1.8 for any ESM
z/OS Status Audit
z/OS User Events via zAudit
AGENDA (current section: Summary)
Tivoli Security Operations Manager and Consul InSight
Tivoli Security Operations Manager (TSOM)
• User Persona: Security Operations
• Problem: network-centric attacks, misconfigs and misuse; security data overload; mitigation of security incidents
• Solution: Incident Management; Security Event Mgmt (SEM)
Consul InSight
• User Persona: IT Security; Internal Audit
• Problem: user-centric policy violations; privileged user audit and monitoring; regulatory compliance reporting
• Solution: User Activity Monitoring; Security Info Mgmt (SIM)
Next Steps:
• Manage it For Me
• Help Me Do IT
• What should I do
For more information contact:
Joanie Gines, zTivoli Sales Operation and Strategy:
Ted Anderson, Security Specialist: