Slide 1: Tivoli Compliance Insight Manager – The Nightmare of Audit Trail Auditing and Forensics

Titus Tischer, Consul Compliance specialist
IBM Software Group, IBM Slovenia Security Day, June 6th
IBM Confidential © IBM Corporation

Slide 2: About Consul

Experts in security audit and compliance
Recognized by the press and analysts
Chosen by 350+ customers worldwide

• Established in 1986 (20 years old in 2006)
• US headquarters in Washington
• EMEA headquarters in Delft, The Netherlands
• Most comprehensive solution for monitoring, auditing and reporting on trusted user behavior
• Log management
• Database and Application auditing
• Mainframe audit and Admin

Slide 3: Consul’s Portfolio: Two Integrated Suites

• Comprehensive, distributed log management, access monitoring and compliance reporting
• Integrated mainframe audit, monitoring, compliance and administration

Slide 4: Massive Insider Breach at DuPont

February 15, 2007 – A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more …

“The best way to guard against insider breaches is for companies to monitor database and network access for unusual activity and set thresholds that represent acceptable use for different users.” (Source: InformationWeek, Feb. 15, 2007)

What occurred:
• Employee leaving for competitor
• Accessed database
• Transferred 180 documents to new laptop

Carnegie Mellon CERT Comments:
• “75% of … confidential information thefts studied … were committed by current employees”
• “45% had already accepted a job offer with another company”

CIA Comments:
• “…designers and scientists tend to view their company's intellectual property as their own… and something they want to take with them”

Slide 5: Security and compliance challenges

43% of CFOs think that improving governance, controls and risk management is their top challenge. (CFO Survey: Current state & future direction, IBM Business Consulting Services)

• Increasing Requirements
  • Hundreds of compliance initiatives
  • Compliance requirements are increasing in many industries
  • Improved monitoring and control are needed to manage risks and avoid penalties and lost business
• Increasing Complexity
  • Disparate technologies and infrastructures fragment and hamper compliance efforts
  • Linking infrastructure-level to business-level compliance is desirable, but challenging
• Increasing Cost
  • Lack of predictability and visibility across complex infrastructures drives rapid cost inflation
  • Failure to achieve compliance or to prevent security breaches can impose enormous costs

Slide 6: Known People (Un)Intentionally Do Great Harm

• 87% of insider incidents are caused by privileged or technical users
• Many are inadvertent violations of:
  • Change management process
  • Acceptable use policy
• Others are deliberate, due to:
  • Revenge (84%)
  • “Negative events” (92%)
• Regardless, too costly to ignore:
  • Internal attacks cost 6% of gross annual revenue
  • Costing $400 billion in the US alone

Sources: Forrester Research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents.

Chart: Who Causes Internal Incidents? Privileged or technical users (87%); Other (13%)

Slide 7: The Security Audit and Compliance Questionnaire: Golden Bullets

IT and Business management’s questions:
• Can you monitor if anyone touched or modified sensitive data inappropriately?
• Can you verify if outsourcers are managing systems and data responsibly?
• Can you report on any unauthorized changes to the operating environment?
• Are you alerted when rogue administrative accounts are created?
• Can you investigate incidents on a timely basis?

Your auditors’ questions:
• Are application, database, OS and device logs maintained and reviewed?
• Are system administrator and system operator activities logged and reviewed on a regular basis?
• Is all access to sensitive data – including root/administration and DBA access – logged?
• Are automated tools used to review audit records?
• Are security incidents and suspicious activity analyzed and investigated, and are remedial actions taken?

Slide 8: Other questions the auditor will ask

• Breach of privacy:
  • Are DBAs accessing confidential information?
  • Are trusted users abusing HR data?
  • Did a disgruntled administrator engage in identity theft?
• Violation of system policies:
  • Were unauthorized system changes made?
  • Did any root users turn off auditing?
  • When did OS administrators clear the audit logs?
  • Who stopped key system processes without permission?
• Administrators violating segregation of duties:
  • Did anyone initiate and approve transactions on applications?
  • Did an admin create and approve identity/privileges in system?

Slide 9: Database Auditing questions

• “I need to see all DBA activity, and check against change requests” (CISO, Global banking firm)
• “We don’t want another product, we need an integrated solution to address the databases within our existing compliance framework” (CISO, Fortune 100 retailer)
• “We are not interested in regular user behavior, we need to see what the DBA did” (CISO, Fortune 100 retailer)
• “We need to see not only end-user logon but detailed DBA activity” (IT Security, International Bank)
• “We want to be able to track DBA activity versus change requests” (IT Security, Pension Management and Employee Services Firm)
• “I want to integrate all security relevant events in one audit application” (VP/CTO, Electricity and Gas Distributor)
• “My DBAs don’t know how the data is organized, yet they have full administrative access. I need to see what they did” (VP/CTO, Electricity and Gas Distributor)

Slide 10: I Need to Collect Logs but it’s Too Hard

• Thousands of points across the enterprise generating event logs
• Regulators and auditors require you to capture and retain these log files
• Internal and external threats mean you need to investigate activities
• Time and cost constraints mean it must be fast and affordable

Diagram: Your enterprise. How to collect the logs? (Capture)

Slide 11: Comprehensive Log Management (Capture)

Capabilities:
• Secure, reliable log capture from any platform
• Full support for native log collection (Syslogs, audit trails, SNMP, LDAP, Active Directory, etc.)
• Store in an efficient, compressed depot
• Access data when needed
• Search across all logs
• Reports to prove complete collection

Implementation time: plug and play.

Benefits:
• Reduce costs by automating and centralizing collection
• Save time by decreasing the length of audits

Slide 12: Log Continuity Report

Instant proof to auditors and regulators that your log management program is complete and continuous.
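The check behind such a report, as an added example in Python (not code from the deck or from the Consul/IBM product): a ledger of retrieved log chunks per source is scanned for holes between chunks and for coverage that stops before the reporting window ends. The ledger, the source names and the five-minute tolerance are constructed for the example.

```python
"""Log continuity check over a constructed collection ledger.

Each ledger record says the collector retrieved one chunk of a source's log covering
[start, end).  A hole between consecutive chunks, or coverage that ends before the
reporting window closes, means the audit trail cannot be shown to be complete."""
from datetime import datetime, timedelta

# Constructed sample ledger: (source, chunk_start, chunk_end) as ISO-8601 timestamps.
COLLECTION_LEDGER = [
    ("finsrv01/Windows-Security", "2007-06-01T00:00:00", "2007-06-01T06:00:00"),
    ("finsrv01/Windows-Security", "2007-06-01T06:00:00", "2007-06-01T12:00:00"),
    # 12:00 to 14:30 was never retrieved (agent down, or logs cleared on the host).
    ("finsrv01/Windows-Security", "2007-06-01T14:30:00", "2007-06-01T18:00:00"),
    ("finsrv01/Windows-Security", "2007-06-01T18:00:00", "2007-06-02T00:00:00"),
    ("payrolldb/Oracle-Audit", "2007-06-01T00:00:00", "2007-06-01T08:00:00"),
    ("payrolldb/Oracle-Audit", "2007-06-01T08:00:00", "2007-06-01T16:00:00"),
    # Oracle auditing delivered nothing after 16:00: a trailing gap.
]

def parse_ts(text):
    """Parse the ledger's ISO-8601 timestamps."""
    return datetime.fromisoformat(text)

def find_gaps(ledger, window_end, tolerance=timedelta(minutes=5)):
    """Return [(source, gap_start, gap_end), ...] for every uncovered interval.

    Chunks are grouped per source and sorted by start time.  Overlapping chunks are
    fine; holes no longer than `tolerance` are ignored (clock skew, retrieval jitter);
    a source whose coverage stops before `window_end` gets a trailing gap."""
    by_source = {}
    for source, start, end in ledger:
        by_source.setdefault(source, []).append((parse_ts(start), parse_ts(end)))
    gaps = []
    for source in sorted(by_source):
        chunks = sorted(by_source[source])
        covered_to = chunks[0][1]
        for start, end in chunks[1:]:
            if start - covered_to > tolerance:
                gaps.append((source, covered_to, start))
            covered_to = max(covered_to, end)
        if window_end - covered_to > tolerance:
            gaps.append((source, covered_to, window_end))
    return gaps

def continuity_report(ledger, window_end):
    """One line per gap, the way a continuity report would list it for an auditor."""
    return ["%s: no log coverage from %s to %s (%.1f h)"
            % (src, a.isoformat(), b.isoformat(), (b - a).total_seconds() / 3600)
            for src, a, b in find_gaps(ledger, window_end)]

if __name__ == "__main__":
    for line in continuity_report(COLLECTION_LEDGER, parse_ts("2007-06-02T00:00:00")):
        print(line)
```

A gap on a host whose own audit log shows no outage is exactly the case an auditor will ask about, since it is what clearing the audit log looks like from the collector's side.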

Slide 13: Investigate (Depot Investigation Tool)

Information at your fingertips, with easy to use search.

Slide 14: Today’s Audit and Compliance Challenge (Comprehend)

People:
• Privileged users
• Outsourcers
• Consultants

Behavior:
• Mistakes, human error
• Sabotage of data or systems
• Theft/release of information assets
• Introduction of bad code
• Installation of unauthorized software

Systems and Information:
• Applications
• Databases
• OS’s
• Mainframes
• Devices
• Customer data
• Patient files
• Financial info
• HR records

These actions may result in lengthy outages, lost business, lost customers, legal liability or audit deficiencies – at a cost of 6% of annual revenue.

Slide 15: Consul InSight Monitors User Behavior for Compliance (Comprehend)

Consul InSight compares what should occur (policy) versus what does occur (behavior), providing a continuous compliance gap analysis.

Compare “Desired” versus “Actual” behavior. What are people doing on my network?

Slide 16: How do I make sense of all this? (Correlate, Comprehend)

Slide 17: After Log Capture, Translation is Next (Correlate)

Diagram: logs from Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS and Solaris, each readable only by its own platform expert (a Windows expert, a z/OS expert, an AIX expert, and so on).

Slide 21: Now All Logs in Your Enterprise in a Single Language (Correlate)

Consul InSight saves your information security and compliance staff time and money by automating monitoring across the enterprise.

Diagram: Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS and Solaris logs flow into the Consul InSight™ Suite, which translates the logs to “English”.

Slide 22: Translate Logs into English – Consul’s W7 Methodology

1. Who did
2. What type of action
3. on What file/data
4. When did he do it and
5. Where
6. from Where
7. Where to

We do the hard translation work, so you don’t have to!!
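W7 translation plus the policy-versus-behavior comparison of slide 15, as an added example in Python (not code from the deck or from the InSight product): two constructed log layouts are normalized into the seven W7 fields and then compared with a small policy table, so every event no rule permits surfaces as a compliance gap. The sample lines (including a DBA reading payroll, the scenario the deck's W7 event list shows), the event-ID mapping and the policy rules are all constructed for the example.

```python
"""W7 normalization of heterogeneous raw logs, then policy-versus-behavior comparison.

Two constructed record layouts (an Oracle-style audit line and a Windows-style security
event) are translated into the same seven W7 fields and checked against a policy table."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class W7Event:
    who: str         # 1. Who did it
    what: str        # 2. What type of action
    on_what: str     # 3. on What file/data
    when: str        # 4. When
    where: str       # 5. Where (system the action happened on)
    where_from: str  # 6. from Where (origin host of the actor)
    where_to: str    # 7. Where to (where the data or effect ended up)

# Constructed sample lines; the field layouts are invented for this example.
SAMPLE_LOGS = [
    "2007-06-01T09:12:03Z ORA-AUDIT user=svc_payroll action=SELECT object=HR.PAYROLL client=apps01 db=payrolldb",
    "2007-06-01T09:40:17Z ORA-AUDIT user=dba_mbonfire action=SELECT object=HR.PAYROLL client=mbonfire-pc db=payrolldb",
    "2007-06-01T10:02:55Z host=finsrv01 EventID=624 Subject=ADMIN\\jsmith Target=Chin055 Workstation=jsmith-pc",
    "2007-06-01T10:03:10Z host=finsrv01 EventID=624 Subject=ADMIN\\idm_svc Target=Chin056 Workstation=idm01",
]
ORACLE_RE = re.compile(r"(?P<ts>\S+) ORA-AUDIT user=(?P<user>\S+) action=(?P<act>\S+) "
                       r"object=(?P<obj>\S+) client=(?P<client>\S+) db=(?P<db>\S+)$")
WIN_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<id>\d+) "
                    r"Subject=(?P<subj>\S+) Target=(?P<target>\S+) Workstation=(?P<ws>\S+)$")
WIN_ACTIONS = {"624": "create user account", "630": "delete user account"}  # example mapping

def normalize(raw):
    """Translate one raw line into a W7Event, or None if no parser recognizes it."""
    m = ORACLE_RE.match(raw)
    if m:  # a query's result flows back to the client, so "Where to" is the client host
        return W7Event(m["user"], m["act"].lower(), m["obj"], m["ts"],
                       m["db"], m["client"], m["client"])
    m = WIN_RE.match(raw)
    if m:  # an account change stays on the host, so "Where to" is the host itself
        return W7Event(m["subj"], WIN_ACTIONS.get(m["id"], "event " + m["id"]),
                       m["target"], m["ts"], m["host"], m["ws"], m["host"])
    return None

# Policy (what should occur): regex on Who, exact What, regex on On-What.  Anything else
# is a deviation of actual behaviour from desired behaviour.
POLICY = [
    (r"^svc_payroll$", "select", r"^HR\.PAYROLL$"),       # only the payroll app reads payroll
    (r"^dba_", "alter", r"^HR\."),                        # DBAs may change the HR schema
    (r"^ADMIN\\idm_svc$", "create user account", r".*"),  # only the IdM service creates users
]

def gap_analysis(raw_lines, policy=POLICY):
    """Return (events, violations): every normalized event, and those no rule permits."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    violations = [e for e in events
                  if not any(re.match(who, e.who) and what == e.what and re.match(obj, e.on_what)
                             for who, what, obj in policy)]
    return events, violations
```

Once every source speaks W7, the policy is written once against Who/What/On-What rather than once per platform, which is what lets a DBA's SELECT on payroll and an administrator's account creation be judged by the same table.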

Slide 23: Sophisticated Log Interpretation and Correlation (Comprehend)

Capabilities:
• W7 normalization
• Interpret EVERY log (Syslog and native logs) into English
• Compare billions of log entries to baseline policy

Out of the box log normalization!

Benefits:
• Interpret and monitor all logs with fewer and less expensive resources
• More quickly detect and solve security problems

Slide 24: Comply with rigorous regulatory requirements

Compliance Dashboard: logs after W7 – billions of log files summarized on one overview graphic!

Slide 25: W7 Eventlist

Note: Mike Bonfire, a DBA, is reading the payroll.

Slide 26: Full Audit and Compliance Reporting (Communicate)

Capabilities:
• Hundreds of reports
• Compliance modules
• Real-time alerts
• Custom reports

Benefits:
• Reduce length and effort required for audits
• Reports in an instant, saving time
• Reduce risk of insider threat:
  • Info protection
  • Change control
  • User management

Slide 27: Compliance Modules

Slide 28

Regulation specific modules with tailored reports to jumpstart your compliance efforts – saving you staff time and reducing audit costs.

Slide 29: Operational Change Control Report

See a summary of all the operational changes made by different groups.

Slide 30: Event List

Zoom in to all the actions the IT admin performed on the financial server and see the creation of the user account Chin055.

Slide 31: Event Detail Report

Drill down into that specific event and see all the event details; we can even go to the raw log file.

Slide 32: IBM z/OS Support

• Include z/OS events into InSight reports
  • z/OS, RACF, CA-ACF2, CA-Top Secret, DB2
• Translate MVS jargon into InSight’s compliance language
• Auditors no longer need z/OS expertise to monitor activities

Slide 33: Solution: The Consul InSight Suite – The 3 C’s

1. Capture – Comprehensive Log Management
2. Correlate – Sophisticated Log Interpretation
3. Communicate – Full Audit and Compliance Reporting

Slide 34: The Consul Difference

• Collect all native logs
  • Syslogs, audit trails, SNMP, LDAP, Active Directory, etc.
  • OS depth, including zSeries, AIX, Solaris, Windows, Linux, etc.
  • Oracle, DB2, MSSQL, Sybase and UDB
• Secure, reliable and compressed log storage
• Verify that all logs are collected via log continuity reporting
• Drill down reporting capability for root cause analysis
• Self auditing
• W7 log normalization translates your logs into English
• Correlation of logs allows for sophisticated policy enforcement and notification of business violations
• Regulation specific compliance reporting

Comprehensive log collection, user monitoring and compliance reporting solution


Slide 36: How can Tivoli’s SIEM Solution Help?

You need to run the business, but you…
• … must demonstrate compliance with regulations
• … must protect intellectual property and ensure privacy properly
• … must manage security operations and threats effectively and efficiently

Personas: CISO/Audit, Security Technical, CFI/CIO

Slide 37: IBM Tivoli SIEM Meets Your Business Needs

Market Problem: Tivoli SIEM Solution Capabilities

• Can’t demonstrate compliance with regulations
  • Security compliance dashboard and reporting: Compliance dashboard; Regulatory reporting
• Can’t protect intellectual property and ensure privacy properly
  • User behavior auditing: Privileged user monitoring and audit (PUMA); Database and application auditing; Operating system and mainframe auditing
• Can’t manage security operations effectively and efficiently
  • Security Operations Management: Security operations dashboard and incident mgt; Log management and reporting; Real time event correlation; Integration with IT Operations

Slide 38: Tivoli Security Operations Manager and Consul InSight

User Personas (left to right): Security Operations, IT Security, Internal Audit

Tivoli Security Operations Manager (TSOM)
• Problem: Network-centric Attacks, Misconfigs and Misuse; Security Data Overload; Mitigation of Security Incidents
• Solution: Incident Management; Security Event Mgmt (SEM)

Consul InSight
• Problem: User-centric policy violations (WHO?); Privileged user audit and monitoring; Regulatory Compliance reporting
• Solution: User Activity Monitoring; Security Info Mgmt (SIM)

Slide 39: IBM Tivoli TSOM – Manage Security Operations

(Screenshot; chart axis: Frequency)

Slide 40: IBM Tivoli TCIM – Demonstrate Compliance

Slide 41: You Need Reports to Communicate (Communicate)

(Screenshot; chart axes: time, activity)

Slide 42: IBM’s SIEM Roadmap

2007
• Event Sources: Oracle financials; mySAP business suite; DB2 Viper; Informix
• Event Sources: Tivoli Identity Manager (event source); Tivoli Access Manager for e-business; Tivoli Access Manager for Operating Systems; IBM SIEM Realtime correlated Events
• Event Sources: Tivoli Federated Identity Manager; Tivoli Directory Server; Tivoli Configuration Manager
• Compliance Module: ISO 27001 update
• Next release of IBM SIEM Compliance Dashboard: Enhanced reporting; Automated Report Distribution; Toolkits for building indexers; Agentless i-Series Collect; Tivoli Integration (*integration broader than event source)
• Next releases of IBM SIEM Security Ops Dashboard: Improved event processing, filtering, and correlation architecture; Simplified, centralized device configuration; Dashboard: customizable, higher performance; Localized Language versions & Internationalization support; Improved Incident investigation, case management; IBM CCMDB integration for incident investigations

2008
• Event Source focus: Storage management; DB2, AME, CICS, IMS; Change and configuration management (CCMDB*); Content management; Security policy compliance integration (status audit)*

Further roadmap items
• Realtime Event Sources: ISS Proventia Product Line; ISS SiteProtector; IBM zSecure Alert
• PCI Report Pack
• Realtime Event Sources: IBM SIEM Policy Violations
• Next releases of IBM SIEM Security Ops Dashboard: Tivoli Common UI; Device Support Wizard; MRO Service Desk integration & ticketing gateway; Addl Dashboard displays; Security Baseline Triggers; Expanded CMDB support
• Next releases of IBM SIEM Compliance Dashboard: Enhanced User Management; On-going Tivoli Integration; Addl. compliance modules; Improved Scalability and platform support; NLS support
• Compliance Module: COBIT
• Compliance Module: PCI; ITIL

Ongoing
• Continued Realtime Event Source integration with IBM and 3rd party products
• Extended correlation rules & security content
• Additional Reports

Slide 43: The IBM Tivoli SIEM Solution

Diagram, left to right:
• Event Sources: Applications; Databases; Operating Systems; IDS & IPS; Firewalls; Mainframe
• Points of Presence: Collectors; TSOM EAMs
• IBM Tivoli SIEM Install: TSOM CMS Server; TCIM Enterprise Server (optional); TCIM Standard Servers (optional)
• Output: Compliance Dashboard; Operational Dashboard; Reports; Retrieve Log-files; Third party integration; alerts

Slide 44: The next generation IBM Tivoli SIEM Solution