
End to End Security Auditing April 2007


Presentation Transcript


  1. End to End Security Auditing, April 2007: Monitoring your enterprise, assessing the risks

  2. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  3. Security and compliance challenges
      Increasing Requirements
      • Hundreds of compliance initiatives
      • Compliance requirements are increasing in many industries
      • Improved monitoring and control are needed to manage risks and avoid penalties and lost business
      Increasing Complexity
      • Disparate technologies and infrastructures fragment and hamper compliance efforts
      • Linking infrastructure-level to business-level compliance is desirable, but challenging
      Increasing Cost
      • Lack of predictability and visibility across complex infrastructures drives rapid cost inflation
      • Failure to achieve compliance or to prevent security breaches can impose enormous costs
      "43% of CFOs think that improving governance, controls and risk management is their top challenge." CFO Survey: Current state & future direction, IBM Business Consulting Services

  4. Components of a Logical Compliance Architecture (Gartner, 2005)
      • Assert Process Controls: Business Activity Monitoring and CPM
      • Business systems: CRM and Customer-Facing Systems; Business Unit Systems; Financial and ERP Systems
      • Classify, Analyze, Interpret: Business Intelligence Infrastructure, Tools and Applications
      • Document and Archive: Records Management, Document Management, Knowledge Management, Content Management and Storage
      • Identify, Audit, Secure and Protect: Identity and Access Management, Network Security, and Business Continuity
      • Key Driver: IT Governance and Compliance (Sarbanes-Oxley, IAS, Basel II, USA PATRIOT, CFR Part 11, UK Companies Law, EU DPD, GLBA); CPM Reporting and Risk
      Acronym Key: CFR = Code of Federal Regulations; ERP = enterprise resource planning; CPM = corporate performance management; EU DPD = European Union Data Protection Directive; CRM = customer relationship management; IAS = International Accounting Standards

  5. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  6. IBM's security management vision and strategy: Preemptive, comprehensive security and compliance offerings

  7. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  8. IBM's security management vision and strategy: Preemptive, comprehensive security and compliance offerings

  9. Watch: IBM Tivoli Security Operations Manager for Security Event Monitoring
      IBM Tivoli Security Operations Manager (TSOM) is a real-time security information and event management (SIEM) platform designed to improve the effectiveness and efficiency of security operations and information risk management. TSOM centralizes and stores security data from throughout the heterogeneous technology infrastructure so that security analysts can:
      Key Features
      • Log Management: automated aggregation of security events and audit logs
      • Correlation: real-time, cross-device event correlation for incident management and investigation
      • Regulatory Compliance: reporting and policy monitoring to support regulatory compliance initiatives
      • Maximize and amplify security operations resources through automation
      • Integrates Security Operations with other IT Operations groups via Netcool and TEC
      "TSOM automates the aggregation and correlation process. It mitigates false positives and alerts my team to real threats in a timely manner. The product is more or less what I would have designed and built myself, given four years and a pool of developers." ~ Communications User of TSOM
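The two TSOM features named above, aggregation of a mixed event feed and a cross-device correlation rule that uses a time window to suppress false positives, shown as an added example written for this page (it is not TSOM code, and the event schema, the rule, the thresholds and the sample events are all this example's own constructions):

```python
"""Cross-device event correlation in the style of a SIEM rule.
Added example, not TSOM code. Events are assumed to be already
normalised into one tuple schema by per-source collectors."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (timestamp, device class, event type,
# source IP, target host, outcome). The first source hammers one host
# and then gets in; an IDS signature fires on the same source.
EVENTS = [
    ("2007-04-10T09:00:01", "firewall", "connection", "203.0.113.7", "10.0.0.5", "allow"),
    ("2007-04-10T09:00:02", "ids", "ssh_brute_force_signature", "203.0.113.7", "10.0.0.5", "alert"),
    ("2007-04-10T09:00:03", "os", "login", "203.0.113.7", "10.0.0.5", "fail"),
    ("2007-04-10T09:00:04", "os", "login", "203.0.113.7", "10.0.0.5", "fail"),
    ("2007-04-10T09:00:05", "os", "login", "203.0.113.7", "10.0.0.5", "fail"),
    ("2007-04-10T09:00:09", "os", "login", "203.0.113.7", "10.0.0.5", "success"),
    # Second source: three misses spread over minutes, a forgetful user
    # rather than a burst; the time window should keep this quiet.
    ("2007-04-10T09:05:00", "os", "login", "10.0.0.9", "10.0.0.5", "fail"),
    ("2007-04-10T09:08:00", "os", "login", "10.0.0.9", "10.0.0.5", "fail"),
    ("2007-04-10T09:12:00", "os", "login", "10.0.0.9", "10.0.0.5", "fail"),
    ("2007-04-10T09:12:30", "os", "login", "10.0.0.9", "10.0.0.5", "success"),
]


def aggregate(events):
    """Log-management step: collapse the feed into counts per
    (device class, event type, outcome) so analysts see volumes, not rows."""
    return Counter((dev, etype, outcome) for _, dev, etype, _, _, outcome in events)


def correlate(events, window_seconds=60, fail_threshold=3):
    """Raise one incident when at least fail_threshold failed logins from one
    source IP against one host are followed, inside the window, by a success
    from the same source. An IDS alert from that source inside the same
    window corroborates the sequence and raises the severity."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)      # (src, target) -> failure timestamps
    ids_hits = defaultdict(list)   # src -> IDS alert timestamps
    incidents = []
    for ts_s, device, etype, src, target, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        cutoff = ts - window
        if device == "ids":
            ids_hits[src].append(ts)
        elif etype == "login" and outcome == "fail":
            fails[(src, target)].append(ts)
        elif etype == "login" and outcome == "success":
            recent = [t for t in fails[(src, target)] if t >= cutoff]
            if len(recent) >= fail_threshold:
                corroborated = any(t >= cutoff for t in ids_hits[src])
                incidents.append({
                    "rule": "brute_force_then_success",
                    "source_ip": src,
                    "target": target,
                    "failed_attempts": len(recent),
                    "severity": "high" if corroborated else "medium",
                    "first_seen": recent[0].isoformat(),
                    "last_seen": ts.isoformat(),
                })
            fails[(src, target)].clear()   # a success closes the sequence
    return incidents


if __name__ == "__main__":
    for key, n in sorted(aggregate(EVENTS).items()):
        print(f"{n:3d}  {key}")
    for inc in correlate(EVENTS):
        print(inc)
```

Widening the window to ten minutes makes the second source fire as well, at medium severity because no IDS event backs it up; that is the trade-off the quoted user is describing when crediting the product with fewer false positives.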

  10. Tivoli Security Operations Dashboard

  11. Tivoli Security Operations schematic

  12. TSOM supports over 255 Event/Log Sources
      • Applications: Apache, Microsoft IIS, IBM WebSphere, Oracle Database Server, Lotus Domino, SAP R3, PeopleSoft
      • Operating Systems Logs, Logging Platforms: Solaris (Sun), AIX (IBM), OS/400 (iSeries), RedHat Linux, SuSE Linux, HP/UX, Microsoft Windows Event Log (W2K3 DHCP, W2K DHCP, IIS), Microsoft SNMP Trap Sender, Nokia IPSO, Novell NetWare, OpenBSD, Tandem Non-Stop OS (HP), Tru64, Tripplight UPS, Monitorware, SYSLOG, KiwiSyslog
      • z/OS Mainframe IDS: Consul zAlert
      • Antivirus: CipherTrust IronMail, McAfee Virus Scan, Norton AntiVirus (Symantec), McAfee ePO, Trend Micro InterScan
      • Application Security: Blue Coat Proxy, Nortel ITM (Intelligent Traffic Mgmt), Teros APS, Sentryware Hive, IBM DataPower (coming soon)
      • Discovery Tools: Lumeta IPSonar, NMAP, Sourcefire RNA
      • Access and Identity Management: IBM Tivoli Access Manager, IBM Tivoli Identity Manager, Microsoft Active Directory, CA eTrust Access, CA eTrust Secure Proxy Server, CA eTrust Siteminder (Netegrity), RSA SecureID, RADIUS, Oracle Identity Management (Oblix), Sun Java System Directory Server, Cisco ACS
      • Wireless Security: AirMagnet, AirDefense
      • Management Systems TSOM escalates to: IBM Netcool (Micromuse), IBM/Tivoli Enterprise Console, Cisco Information Center, Remedy ARS, HP OpenView, CA Unicenter
      • Management Systems that are a source of events into TSOM: Check Point Provider-1, CiscoWorks, IBM Netcool (Micromuse), ISS SiteProtector, ISS Fusion Module, Juniper Global Pro (Netscreen), Juniper NSM (Netscreen), Tripwire Manager, Intrusion, Inc. SecureNet Manager, McAfee ePO, Nortel Defense Center, Sourcefire Defense Center, Q1 QRadar Mgmt Server
      • Firewalls: Check Point Firewall-1, Cisco PIX, CyberGuard, Fortinet FortiGate, GNATBox, Juniper (Netscreen), Linux IP Tables, Lucent Brick, Microsoft ISA Server, Nortel Switched Firewall, Stonesoft's StoneGate, Secure Computing's Sidewinder, Symantec's Enterprise Firewall, SonicWALL, Sun SunScreen
      • Vulnerability Assessment: ISS Enterprise Scanner, ISS Internet Scanner, Nessus, Vigilante, QualysGuard, Foundstone, eEye Retina, REM, SPI Dynamics WebInspect, nCircle IP360, Harris STAT, Tenable Lightning
      • Routers/Switches: Cisco Routers, Cisco Catalyst Switches, Cisco RCMD, Foundry Switches, F5 Big IP, 3-DNS, Juniper JunOS, TACACS / TACACS+, Nortel Ethernet Routing Switch 5500, 8300, 8600, 400 series, Extreme Networks
      • Policy Compliance: Vericept
      • Network Intrusion Detect/Prevention: McAfee Intrushield, Sourcefire Network Sensor, Sourcefire RNA, Juniper IDP, ISS Proventia G, ISS Proventia M, ISS Proventia ADS, ISS RealSecure Network Sensor, ISS BlackICE Sentry, Cisco Secure IDS, SNORT IDS, Enterasys Dragon, Nortel Threat Protection System (TPS), Intrusion's SecureNetPro, Mirage Networks, NFR NID, Symantec ManHunt, ForeScout ActiveScout, QRadar, Top Layer Attack Mitigator, Labrea TarPit, IP Angel, Lancope StealthWatch, Tipping Point UnityOne, NDS, Arbor Networks PeakflowX, Mazu Networks
      • Host-based Intrusion Detect/Prevention: ISS Proventia Server & Desktop, ISS Server & OS Sensor, Type80 SMA_RT (z/OS Mainframe RACF), PowerTech (iSeries-AS/400), Cisco CSA, NFR HID, IBM Netcool SSMs, Sana, Snare, Symantec Intruder Alert (ITA), Sygate Secure Enterprise, Tripwire, McAfee Entercept
      • VPN: Juniper SSL VPN, Nortel VPN Router (Contivity), Check Point, Cisco IOS VPN, Cisco VPN 3000, Juniper VPN, Nortel VPN Gateway (SSL VPN)

  13. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  14. IBM's security management vision and strategy: Preemptive, comprehensive security and compliance offerings

  15. zAlert Overview
      Description: zAlert is real-time threat monitoring for the mainframe which goes beyond conventional configuration notification solutions to encompass prevention, as it can take instant action to stop an attack.
      Key Benefits
      • Monitor sensitive data for misuse
      • Fix configuration mistakes before others exploit them
      • Detect and stop security breaches
      • Lower operational cost associated with Incident Response activities
      • Feeds events to TSOM
      How it works: Alerts are generated based upon SMF events and JES log events. Actions can be tailored to suit your environment.
      Platforms: OS/390 and z/OS through 1.8; RACF; Consul/zAudit

  16. zAlert, the alerts: When your mainframe data is crucial enough that you need to know in real time. Alerting AND Action: send a WTO to trigger Automated Operations; issue commands autonomously.

  17. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  18. IBM's security management vision and strategy: Preemptive, comprehensive security and compliance offerings

  19. Consul's Product Family
      Differentiated:
      • Beyond perimeter to inside
      • People and policy focused
      • Depth and breadth
      Hard to emulate:
      • 20 years of expertise built-in
      • Platform specific know-how across 50+ platforms

  20. Assess: what are people doing in my enterprise? 87% of insider incidents are caused by privileged and technical users.

  21. Tracking through various logs

  22. Next find the Expert for the log: Windows (Windows expert), z/OS (z/OS expert), AIX (AIX expert), Oracle (Oracle expert), SAP (SAP expert), ISS (ISS expert), FireWall-1 (FireWall-1 expert), Exchange (Exchange expert), IIS (IIS expert), Solaris (Solaris expert)

  23. W7 Methodology: Who did What type of action on What? When did he do it, and Where, From Where and Where To? We do the hard work, so you don't have to!!

  24. Assessing compliance: Consul InSight Security Manager
      Consul InSight Security Manager provides an enterprise security compliance dashboard with in-depth privileged user monitoring capabilities, all powered by a comprehensive log and audit trail collection capability.
      Key Features
      • Unique ability to monitor user behavior
      • Enterprise compliance dashboard
      • Compliance management modules and regulation-specific reports
      • Broadest, most complete log and audit trail capture capability
      • W7 log normalization translates your logs into business terms
      • Easy ability to compare behavior to regulatory and company policies
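The W7 idea from slides 22 to 24 (hand each raw line to the parser that knows its format, normalise it into Who / What / on What / When / Where / From Where / Where To, then compare privileged-user behaviour against a policy), as an added example written for this page. It is not Consul InSight code: the W7 field mapping, the `W7` dataclass, the constructed application audit CSV format, the policy (business hours, internal address range, privileged account list) and all sample lines are this example's own assumptions; only the sshd syslog line format is a real one.

```python
"""W7-style log normalisation with a per-source parser ("the expert for the
log") and a policy comparison over the normalised records.
Added example, not Consul InSight code; field mapping is an assumption."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class W7:
    who: str          # Who
    what: str         # What type of action
    on_what: str      # on What
    when: datetime    # When
    where: str        # Where (system on which it happened)
    where_from: str   # From Where (origin of the actor)
    where_to: str     # Where To (destination of the action)


# Expert 1: OpenSSH sshd syslog lines (real format; sample lines constructed).
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_sshd(line: str, year: int = 2007) -> Optional[W7]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; the collector supplies it
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return W7(who=m["user"], what=f"logon {outcome}", on_what=f"sshd/{m['method']}",
              when=when, where=m["host"], where_from=m["src"], where_to=m["host"])


# Expert 2: a constructed application audit CSV:
# timestamp,host,user,action,object,client_ip
def parse_app_csv(line: str) -> Optional[W7]:
    parts = line.split(",")
    if len(parts) != 6:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    host, user, action, obj, client = parts[1:]
    return W7(who=user, what=action, on_what=obj, when=when,
              where=host, where_from=client, where_to=host)


PARSERS = (parse_sshd, parse_app_csv)


def normalise(line: str) -> Optional[W7]:
    """Find the expert for the log: the first parser that recognises the line wins."""
    for parser in PARSERS:
        rec = parser(line.strip())
        if rec is not None:
            return rec
    return None


def normalise_all(lines):
    return [rec for rec in map(normalise, lines) if rec is not None]


# Policy (constructed for the example): privileged accounts act only during
# business hours and only from the internal address range.
PRIVILEGED = {"root", "Administrator", "ACME\\dbadmin"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(7, 19)


def check_policy(records):
    """Compare W7 records against the policy; returns (record, [reasons]) pairs."""
    findings = []
    for rec in records:
        if rec.who not in PRIVILEGED:
            continue
        reasons = []
        if rec.when.hour not in BUSINESS_HOURS:
            reasons.append("privileged activity outside business hours")
        try:
            if ipaddress.ip_address(rec.where_from) not in INTERNAL:
                reasons.append("privileged activity from outside the internal network")
        except ValueError:
            reasons.append("privileged activity from an origin that is not an IP address")
        if reasons:
            findings.append((rec, reasons))
    return findings


# Constructed sample lines from two different experts.
SAMPLE_LINES = [
    "Apr 10 02:14:07 dbhost01 sshd[4711]: Accepted password for root from 192.0.2.44 port 51234 ssh2",
    "Apr 10 11:03:55 dbhost01 sshd[4790]: Failed password for invalid user oracle from 198.51.100.9 port 40022 ssh2",
    "2007-04-10T09:12:33,fileserv01,ACME\\jsmith,file_write,finance/q1.xls,10.0.0.31",
]

if __name__ == "__main__":
    recs = normalise_all(SAMPLE_LINES)
    for r in recs:
        print(r)
    for rec, reasons in check_policy(recs):
        print(f"POLICY: {rec.who}@{rec.where} {rec.when:%Y-%m-%d %H:%M}: {'; '.join(reasons)}")
```

Once every source lands in the same seven fields, the dashboard and policy checks on the following slides only ever deal with `W7` records; adding a new platform means writing one more parser, not one more set of reports.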

  25. Compliance Dashboard: Logs after W7. Billions of log files summarized on one overview graphic!

  26. Compliance Modules

  27. InSight Event Sources (source: supported versions)
      Operating Systems
      • CA ACF2 through zAudit ACF2: 8.0
      • CA eTrust Access Control for AIX: 5.0
      • CA eTrust Access Control for HP-UX: 5.0
      • CA eTrust Access Control for Solaris: 5.0
      • CA eTrust Access Control for Windows: 4.10
      • CA Top Secret for VSE/ESA: 3.0
      • CA Top Secret for z/OS via z/Audit: 5.2
      • Hewlett-Packard HP NonStop (Tandem) SafeGuard: D42
      • Hewlett-Packard HP-UX audit trail: 10.2, 11i
      • Hewlett-Packard HP-UX syslog: 10.2, 11i
      • Hewlett-Packard OpenVMS: 7.3.2
      • Hewlett-Packard Tru64: 4.0, 5.1, 5.1B
      • IBM AIX audit trail: 4.x, 5.1, 5.2, 5.3
      • IBM AIX syslog: 4.x, 5.1, 5.2, 5.3
      • IBM OS/400 journals: 4.5, 5r1-r2-r3
      • IBM z/OS RACF (excl. DB2) through zAudit RACF Lite: R10 to 1.7
      • IBM z/OS RACF through (already) installed zAudit RACF: R10 to 1.7
      • IBM z/OS ACF2 (excl. DB2) through zAudit ACF2 Lite: R10 to 1.7
      • IBM z/OS RACF through (already) installed zAudit ACF2: R10 to 1.7
      • IBM z/OS TopSecret (excl. DB2) through zAudit Lite: R10 to 1.7
      • Microsoft Windows security event log: NT4, 2000, 2003, XP
      • Novell Netware (via Nsure Audit): 4, 5, 6, 6.5
      • Novell Nsure Audit: 1.0.1, 1.0.2, 1.0.3
      • Novell Suse Linux: 8.2, 9.x
      • Red Hat Linux syslog: 6.2, 7.2, 8.0, 9.0, ES 4, Fedora Core
      • Stratus VOS: 13.x, 14.x, 15.x
      • SUN Solaris audit trail (32 bit & 64 bit): 7, 8, 9, 10
      • SUN Solaris syslog: 7, 8, 9, 10
      User Information Sources
      • Hewlett-Packard HP-UX: 10.2, 11i
      • IBM AIX: 4.x, 5.1, 5.2, 5.3
      • IBM OS/400: 4.5, 5.1, 5.2, 5.3
      • IBM z/OS: R10 to 1.7
      • Microsoft NT Domain: Windows NT4, 2000, 2003
      • Microsoft Active Directory: Windows 2000, 2003
      • SUN Solaris: 7, 8, 9, 10
      Authentication Sources
      • BMC Identity Manager on AIX / Oracle via ODBC: 3.2.0.3
      • CA eTrust (Netegrity) SiteMinder (from Windows): 5.5
      • IBM Tivoli Access Manager: 4.1
      • RSA Authentication Server (Ace): 6.0
      Mail servers and GroupWare
      • IBM Lotus Domino (Notes) on Windows, max. of 3000 users: 5.0, 6.0, 6.5
      • Microsoft Exchange Server, max. of 3000 users: 2000, 2003
      Proxy Servers
      • Blue Coat Systems ProxySG series: SGOS 3.2.5
      Web Servers
      • Microsoft Internet Information Server (IIS) on Windows: 4.0, 5.0, 6.0
      • SUN iPlanet Web Server on Solaris: 4.0, 6.0
      VPN
      • Cisco VPN Concentrator 3000 (via Syslog): 4.1
      Vulnerability Scanners
      • ISS System Scanner (from Windows): 4.2
      Application Packages
      • Misys OPICS: 5, 6, 6.1
      • SAP R/3 on Windows, HP-UX, AIX and Solaris (licensed per number of applications): 4.6, 4.7
      Databases
      • IBM DB2 on z/OS through zAudit Lite: 7.x, 8.x
      • IBM UDB on Windows, Solaris and AIX: 8.2
      • Microsoft SQL Server application logs: 6.5, 7.0, 2000
      • Microsoft SQL Server trace files: 2000, 2005
      • Oracle database server on Windows, Solaris, AIX and HP-UX: 8i, 9i, 10g
      • Oracle database server FGA on Windows, Solaris, AIX and HP-UX: 9i, 10g
      • Sybase ASE on Windows, Solaris, AIX and HP-UX: 12.5, 15
      Firewalls
      • Check Point FireWall-1 (via SNMP): 4.1, NG, NGX
      • Cisco PIX (from AIX, from Windows, via SNMP, via Syslog): 6.0 – 6.3.3
      • Symantec (Raptor) Enterprise Firewall (via SNMP, via Syslog): 6.0, 6.5, 7.0
      IDS, IPS
      • ISS RealSecure (alerts) via SNMP: 6.0
      • ISS RealSecure (operational messages, Windows): 6.0
      • McAfee IntruShield IPS Manager (via Syslog): 1.9
      • Snort (Open Source) IDS (via Syslog): 2.1.3, 2.2.0, 2.3.3
      Routers
      • Cisco Router (from AIX, from Windows, via SNMP, via Syslog): IOS 12.x
      Switches
      • Hewlett-Packard ProCurve switch (via SNMP): managed units, 2500 series & up
      Virus Scanners
      • McAfee ePolicy Orchestrator (ePO): 3.5.2
      • TrendMicro ScanMail for Domino on Windows: 5.3
      • TrendMicro ScanMail for MS Exchange: 5.3
      • TrendMicro ServerProtect 5 for NT: 5.3
      • Symantec AntiVirus Corporate Edition for Windows: 9.0

  28. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  29. IBM's security management vision and strategy: Preemptive, comprehensive security and compliance offerings

  30. zAudit at a glance
      Description: Security event audit and monitoring for the mainframe environment. Automatic detection of exposures through status auditing.
      Key Benefits
      • Increase transparency
      • Lower cost of event collection and analysis
      • Identify security weaknesses
      • Decrease chance of costly security breaches
      How it works: zAudit looks across your various mainframe systems, measuring and auditing status and events. The technology provides standard and customized reports, and real-time alerts on policy exceptions or violations that indicate a security breach or weakness.
      Platforms: z/OS through 1.8 for any ESM

  31. z/OS Status Audit

  32. z/OS User Events via zAudit

  33. AGENDA: Business Issue | Watch/Monitor vs. Assess | Tivoli Security Operations Manager | zAlert | Consul InSight | zAudit | Summary

  34. Tivoli Security Operations Manager and Consul InSight
      • User Persona: Security Operations; IT Security; Internal Audit
      • Problem (TSOM): Network-centric attacks, misconfigs and misuse; Security data overload; Mitigation of security incidents
      • Problem (Consul InSight): User-centric policy violations; Privileged user audit and monitoring; Regulatory compliance reporting
      • Solution (TSOM): Incident Management, Security Event Mgmt (SEM)
      • Solution (Consul InSight): User Activity Monitoring, Security Info Mgmt (SIM)
      • Product: Tivoli Security Operations Manager (TSOM); Consul InSight

  35. Next Steps: For more information contact:
      • Joanie Gines, zTivoli Sales Operation and Strategy: Jgines@us.ibm.com, 212.745.2044
      • Ted Anderson, Security Specialist: Ted.anderson@us.ibm.com, 651.204.7036
