
Tivoli SecureWay Risk Manager Enterprise Console 3.7


Presentation Transcript


  1. Tivoli SecureWay Risk Manager Enterprise Console 3.7. Joe Hamblin, Principal Systems Engineer

  2. Types of Threats
     • #1 Threat: Viruses
     • #1 Threat: Unauthorized Access

  3. Threats
     • External Threats
       • Hacking Web Servers and Databases with sensitive information
       • Virus Threats
       • Denial of Service on Applications (Inventory, Spare-parts, Pricing)
     • Internal Threats
       • Accessing Human-Resource information
       • Accessing confidential files/documents
       • Perpetrating Fraud

  4. Worldwide Lost Revenue from Threats > 2.5% of U.S. GDP*
     • Lost revenue spurred by viruses and computer threats will amount to $266 billion
     • Denial of Service attacks and computer viruses, from Melissa to the Love Bug this spring, will cost businesses around the globe more than $1.5 trillion this year
     • Denial of Service attacks on Yahoo and eBay resulted in several million dollars of revenue loss every day
     *The 2000 InformationWeek Global Information Security Survey was completed by 4,900 security professionals spanning 42 countries and six languages.

  5. Enterprise Security - Islands of Management (diagram labels: Intrusion Detection Console, Web Server, Remote Consoles, Firewall Console, UNIX/NT Console, Server, Intranet, Router Console, Server, Anti-Virus Console, Corporate Network)

  6. What is Enterprise Risk Management?
     A fundamental approach to managing enterprise risks by leveraging the collective intelligence and capability of diverse security systems deployed in the Enterprise. It is not about a specific technology or product; it is about managing the business risks as an overall security management solution.
     (diagram labels: Servers, Desktops, IDS Appliance, Database Manager, Tivoli SecureWay Risk Manager, Mainframe, Router, Web Farm, Firewall, Directory)

  7. Tivoli SecureWay Risk Manager - Enterprise Solution (diagram labels: Firewall Management, Intrusion Management, Web Server Management, Vulnerability Management, Virus Management; AUTOMATION; User Interface; Proven Infrastructure; Enterprise Scalable; Distributed Correlation; ENTERPRISE RISK MANAGEMENT; TEC 3.7 EVENT MANAGEMENT)

  8. Common Alert Format (diagram: Firewall Alerts pass through the Firewall Adapter, Network/Host Alerts through the Intrusion Detection Adapter, and Application Alerts through the Application Adapter; each adapter emits IDEF alerts into Event Management)

  9. Architecture (diagram labels: Files, Processes etc.; Native Alerts, Native Format; Risk Manager Adapter; IDEF Alert; TMA Managed Node; Secure Framework Communications; TEC Server; Event Management; TEC Rules (Correlation) for Risk Manager; Event Database)

  10. Enterprise Risk Management - Features
     • CENTRAL CONSOLE for managing alerts across Firewalls, Networks, IDS, Hosts, Desktops, Anti-Virus
     • CENTRAL CORRELATION
       • Reduce/Eliminate False Positives
       • Identify Threat & Distributed Attack Patterns
     • EASY & CONCISE Alert Reporting

  11. Scalability (diagram: several TEC Managers, each with a Filter Engine and a Rule Engine fed from event sources; TEC events are forwarded to a parent TEC or AIM, to a Local program, or to the Alert Database)

  12. Tivoli SecureWay Risk Manager R 3.7 (diagram: Tivoli SecureWay Risk Manager 3.7 on AIX, Solaris and Win NT/2000 servers, with event sources Tivoli Web IDS; ISS RealSecure; Cisco Secure IDS; Tivoli Network IDS; WebSphere, Microsoft IIS, Domino, Apache and Netscape Web Servers; CheckPoint FW-1; Cisco PIX Firewall; Tivoli Scanner; SNMP Adapter for NetView/HP OpenView; Symantec Norton AntiVirus; ISS Host IDS; Cisco Routers; Tivoli IDEF Toolkit)

  13. Realtime Web Intrusion Detection System
     • WebIDS (Web Intrusion Detection System) that detects and monitors attacks on Web Servers
     • Supports Netscape/iPlanet, Microsoft IIS, Domino, Apache
     • Bi-monthly update of Signatures

  14. Network Intrusion Detection Feature
     • Intelligent Packet Filter that makes determinations at both the low (TCP/IP) and high (SMB/WWW, etc.) protocol levels
     • Small footprint and fast engine, including support of 100Mbps networks
     • Over 200 signatures with bimonthly update service
     • Signature Updates require NO binary changes
     • Supports a number of Network Interfaces & Protocols

  15. Network Vulnerability Scanner
     • Locate and Identify Network Servers
     • Determine Potential Vulnerabilities
       • TCP: HTTP, FTP, SMTP, POP, IMAP, NNTP, telnet, r*commands, SSH, DNS, tcpmux, netstat, and more
       • UDP: NTP, DNS, echo, RPC, SNMP, RIP, TFTP, bootp, and more
     • Site Policy Definition
       • what ports should be visible or active
     • Vulnerability Checks
     • Scans monitored on TEC Console
     • TDS Guide for Risk Assessment Management

  16. Release 3.7: Management Features
     • Centralized Monitoring and Reporting of Intrusion Detection, Firewall, Anti-Virus and OS Alerts
     • Centralized correlation of Intrusion Detection and Firewall Alerts
     • Distributed Event correlation over a hierarchical TEC environment
     • Historical Reporting
     • Tasks for Incident management and Response to diagnose and respond to Attacks

  17. Enterprise Risk Management Decision Support Guide
     • Continuous security improvement by easily identifying security "hot spots" in an enterprise network
     • Integrated analysis of data retrieved from Tivoli SecureWay Risk Manager and other Tivoli enterprise products (Inventory database, Network management database)
     • TDS Guides for Enterprise Intrusion Detection, Risk Assessment, Firewall and Virus Management

  18. Enterprise Risk Management Guide
     • Multi-dimensional, interactive analysis: slice, dice, filter, drill through to detail
     • Change Scope, Save History, Add Bookmarks
     • Scheduled publishing to WEB

  19. Single Console View of Alerts (screenshot: 763 Events; a very cryptic event with specific CGI test info)

  20. Correlation Goal: Present 1 Event per attack (screenshot: 1 Event per attack, showing attack type, location of attacker and web server)

  21. Correlation Demo (screenshot: CRITICAL ALERT; association with individual events (attack history) is preserved)
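The correlation goal of slides 19 to 21 (hundreds of cryptic per-request events collapsed into one event per attack, keyed on attack type, attacker location and target web server, with the individual event ids kept as attack history) as an added Python example. This is not Risk Manager code or its TEC rule language; the event fields, the severity threshold and the sample alerts are constructed for illustration.

```python
"""Alert correlation: many raw IDS events -> one correlated event per attack.
Added example, not Tivoli code. Field names and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts: a CGI probe sweep against one web server plus
# two unrelated events. Not a real Risk Manager schema.
RAW_EVENTS = [
    {"id": 1, "attack": "cgi_probe", "src": "198.51.100.7", "dst": "www1", "detail": "GET /cgi-bin/phf"},
    {"id": 2, "attack": "cgi_probe", "src": "198.51.100.7", "dst": "www1", "detail": "GET /cgi-bin/test-cgi"},
    {"id": 3, "attack": "cgi_probe", "src": "198.51.100.7", "dst": "www1", "detail": "GET /cgi-bin/handler"},
    {"id": 4, "attack": "port_scan", "src": "203.0.113.9", "dst": "www2", "detail": "SYN 21,23,25"},
    {"id": 5, "attack": "cgi_probe", "src": "198.51.100.7", "dst": "www2", "detail": "GET /cgi-bin/phf"},
]

CRITICAL_THRESHOLD = 3  # assumed: escalate once this many raw events back one attack


@dataclass
class CorrelatedEvent:
    attack: str
    src: str
    dst: str
    count: int
    severity: str
    history: list = field(default_factory=list)  # ids of the raw events behind this one


def correlate(events, threshold=CRITICAL_THRESHOLD):
    """Group raw events by (attack type, attacker, target) and emit one
    CorrelatedEvent per group, in first-seen order. The raw event ids are
    kept in `history` so an analyst can drill back to the per-request detail."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["attack"], ev["src"], ev["dst"])].append(ev)
    correlated = []
    for (attack, src, dst), members in groups.items():
        correlated.append(CorrelatedEvent(
            attack=attack, src=src, dst=dst, count=len(members),
            severity="CRITICAL" if len(members) >= threshold else "WARNING",
            history=[m["id"] for m in members],
        ))
    return correlated


def console_line(ev):
    """The one-line summary a console would show instead of the raw events."""
    return f"{ev.severity}: {ev.attack} from {ev.src} against {ev.dst} ({ev.count} events)"


if __name__ == "__main__":
    for ev in correlate(RAW_EVENTS):
        print(console_line(ev), "history:", ev.history)
```

Five raw events become three console lines; the CGI sweep against www1 is reported once at CRITICAL, and the history list is what lets the console drill back to the cryptic individual requests the slide mentions.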

  22. An Open Platform
     • Open Standards
       • The Common Intrusion Detection Framework (CIDF)
       • The Common Vulnerabilities and Exposures (CVE)
       • The Intrusion Detection Exchange Format (IDEF)
     • Tivoli Ready Products
       • Checkpoint (Firewall-1 and VPN-1)
       • Symantec Norton AntiVirus
       • Axent (ESM, ITA)
       • ISS RealSecure

  23. Conclusion
     • To defend against attacks and intrusions of any kind requires the “Big Picture” Enterprise View
     • Enterprise Risk Management is a unique way to defend against threats
     • An approach that enables customers to proactively identify and defend against threats by upgrading their security policies

  24. TMA Enterprise Architecture

  25. TEC server processes (diagram labels: Console; tec_task; EVENT; Master (tec_server); tec_reception; tec_rule; tec_dispatch; Event Cache; Reception Buffer; RIM; RDBMS tables tec_t_evt_rec_log and tec_t_evt_rep; Status = QUEUED; Status = PROCESSED)
     Speaker notes:
     • The TEC server is comprised of 5 main processes.
     • When an event is received, tec_reception puts a copy in the reception buffer and places a copy in the RDBMS via the RIM. It is important to note that the event is stored in a QUEUED state initially.
     • The event is then pulled in to tec_rule. TEC is primarily a pull process: each process pulls the event from the previous one.
     • tec_rule then processes the event through the rule base. It is important to note that ALL correlation is done with events in the Event Cache. If the event is not dropped, a copy is placed in the Event Cache and it is made available to tec_dispatch.
     • tec_dispatch pulls the event from tec_rule and sends a control signal via tec_master to tec_reception to update the status to PROCESSED. This allows you to determine if an event has made it through the rules simply by checking the reception log.
     • tec_dispatch places a copy of the event, with any changes made by rules, into the event repository via the RIM process, sends a control signal to tec_task to execute any task or programs called for, and sends an abbreviated version of the event to the Console for display.
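The pull-based flow in the speaker notes above (reception logs the event as QUEUED, tec_rule may drop or modify it, tec_dispatch stores the rule-modified copy, triggers tasks, sends an abbreviated copy to the console and flips the reception status to PROCESSED) as an added Python simulation. It is not Tivoli code: the process and table names follow the slide, but the rule bodies, the event fields and the sample events are assumed, and the treatment of dropped events is this simulation's choice.

```python
"""Simulation of the TEC server event flow from slide 25.
Added example, not Tivoli code. Rules, event fields and samples are assumed."""
from collections import deque

# Constructed sample events, as they might arrive from Risk Manager adapters.
SAMPLE_EVENTS = [
    {"id": 101, "class": "WebIDS_Attack", "severity": "WARNING", "count": 5,
     "src": "198.51.100.7", "dst": "www1", "detail": "repeated CGI probes"},
    {"id": 102, "class": "Firewall_Accept", "severity": "INFO",
     "src": "10.0.0.5", "dst": "www1", "detail": "allowed HTTP"},
    {"id": 103, "class": "Firewall_Deny", "severity": "WARNING",
     "src": "203.0.113.9", "dst": "fw1", "detail": "blocked telnet"},
]


class TECServer:
    def __init__(self):
        self.reception_buffer = deque()   # events waiting to be pulled by tec_rule
        self.event_cache = []             # rule-processed events held for correlation
        self.tec_t_evt_rec_log = {}       # reception log: id -> QUEUED / PROCESSED
        self.tec_t_evt_rep = {}           # event repository: id -> event after rules
        self.console = []                 # abbreviated events sent for display
        self.task_log = []                # (task name, event id) handed to tec_task

    def tec_reception(self, event):
        """Copy into the reception buffer and log it as QUEUED (via the RIM)."""
        self.reception_buffer.append(dict(event))
        self.tec_t_evt_rec_log[event["id"]] = "QUEUED"

    def tec_rule(self, event):
        """Toy rule base (assumed): drop informational noise, escalate repeated
        web attacks. Returns None when the rule base drops the event."""
        if event["severity"] == "INFO":
            return None                    # dropped: never reaches the cache or dispatch
        if event["class"] == "WebIDS_Attack" and event.get("count", 1) >= 3:
            event["severity"] = "CRITICAL"
            event["task"] = "notify_oncall"
        self.event_cache.append(event)     # only surviving events enter the Event Cache
        return event

    def tec_dispatch(self, event):
        """Store the rule-modified copy, trigger any task, send an abbreviated
        copy to the console, then mark the event PROCESSED in the reception log."""
        self.tec_t_evt_rep[event["id"]] = dict(event)
        if "task" in event:
            self.task_log.append((event["task"], event["id"]))
        self.console.append({k: event[k] for k in ("id", "class", "severity")})
        self.tec_t_evt_rec_log[event["id"]] = "PROCESSED"   # via tec_master in real TEC

    def run(self, events):
        for ev in events:
            self.tec_reception(ev)
        # Each stage pulls from the previous one rather than being pushed to.
        while self.reception_buffer:
            ev = self.tec_rule(self.reception_buffer.popleft())
            if ev is not None:
                self.tec_dispatch(ev)
        return dict(self.tec_t_evt_rec_log)

    def made_it_through_rules(self, event_id):
        """The check the slide describes: consult only the reception log.
        In this simulation a dropped event simply stays QUEUED."""
        return self.tec_t_evt_rec_log.get(event_id) == "PROCESSED"


if __name__ == "__main__":
    srv = TECServer()
    print(srv.run(SAMPLE_EVENTS))
    print(srv.console, srv.task_log)
```

Running it shows the property the notes emphasise: event 102 is dropped by the rule base and is visible as still QUEUED in the reception log, while 101 and 103 reach the repository and the console, and 101 additionally causes a task to be handed to tec_task with its severity raised by the rule.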

  26. AIM Architecture (diagram: Availability Intermediate Manager with a Filter Engine and a TEC Rule Engine, fed from AIM and from other event sources; TEC events are forwarded to TEC or AIM, or to a Local program)
     • Full logic capabilities…
     • Leverage current investment and skills in TEC rules

  27. Tivoli Risk Manager Console GUI

  28. Single Console View of Alerts (screenshot: 763 Events; a very cryptic event with specific CGI test info)

  29. Questions & (Hopefully :-) Answers?
