Tivoli Compliance Insight Manager – The Nightmare of Audit Trail Auditing and Forensics
Titus Tischer, Consul Compliance Specialist
IBM Software Group, © IBM Corporation – IBM Confidential
IBM Slovenia Security Day, June 6th
About Consul: Experts in security audit and compliance
Recognized by the press and analysts
Chosen by 350+ customers worldwide
• Established in 1986 (20 years old in 2006)
• US headquarters in Washington
• EMEA headquarters in Delft, The Netherlands
• Most comprehensive solution for monitoring, auditing and reporting on trusted user behavior
• Log management
• Database and application auditing
• Mainframe audit and administration
Consul’s Portfolio: Two Integrated Suites
• Comprehensive, distributed log management, access monitoring and compliance reporting
• Integrated mainframe audit, monitoring, compliance and administration
Massive Insider Breach at DuPont
February 15, 2007 – A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more …
“The best way to guard against insider breaches is for companies to monitor database and network access for unusual activity and set thresholds that represent acceptable use for different users.”
Source: InformationWeek, Feb. 15, 2007
What occurred:
• Employee leaving for competitor
• Accessed database
• Transferred 180 documents to new laptop
Carnegie Mellon CERT comments:
• “75% of … confidential information thefts studied … were committed by current employees”
• “45% had already accepted a job offer with another company”
CIA comments:
• “…designers and scientists tend to view their company's intellectual property as their own… and something they want to take with them”
Security and Compliance Challenges
43% of CFOs think that improving governance, controls and risk management is their top challenge.
(Source: CFO Survey: Current state & future direction, IBM Business Consulting Services)
• Increasing requirements
  – Hundreds of compliance initiatives
  – Compliance requirements are increasing in many industries
  – Improved monitoring and control are needed to manage risks and avoid penalties and lost business
• Increasing complexity
  – Disparate technologies and infrastructures fragment and hamper compliance efforts
  – Linking infrastructure-level to business-level compliance is desirable, but challenging
• Increasing cost
  – Lack of predictability and visibility across complex infrastructures drives rapid cost inflation
  – Failure to achieve compliance or to prevent security breaches can impose enormous costs
Known People (Un)Intentionally Do Great Harm
• 87% of insider incidents are caused by privileged or technical users
• Many are inadvertent violations of:
  – Change management process
  – Acceptable use policy
• Others are deliberate, due to:
  – Revenge (84%)
  – “Negative events” (92%)
• Regardless, too costly to ignore:
  – Internal attacks cost 6% of gross annual revenue
  – Costing $400 billion in the US alone
Sources: Forrester Research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents.
Who causes internal incidents? Privileged or technical users (87%); other (13%).
The Security Audit and Compliance Questionnaire – Golden Bullets
IT and business management’s questions:
• Can you monitor if anyone touched or modified sensitive data inappropriately?
• Can you verify if outsourcers are managing systems and data responsibly?
• Can you report on any unauthorized changes to the operating environment?
• Are you alerted when rogue administrative accounts are created?
• Can you investigate incidents on a timely basis?
Your auditors’ questions:
• Are application, database, OS and device logs maintained and reviewed?
• Are system administrator and system operator activities logged and reviewed on a regular basis?
• Is all access to sensitive data – including root/administration and DBA access – logged?
• Are automated tools used to review audit records?
• Are security incidents and suspicious activity analyzed, investigated and remedial actions taken?
Other Questions the Auditor Will Ask
• Breach of privacy:
  – Are DBAs accessing confidential information?
  – Are trusted users abusing HR data?
  – Did a disgruntled administrator engage in identity theft?
• Violation of system policies:
  – Were unauthorized system changes made?
  – Did any root users turn off auditing?
  – When did OS administrators clear the audit logs?
  – Who stopped key system processes without permission?
• Administrators violating segregation of duties:
  – Did anyone initiate and approve transactions on applications?
  – Did an admin create and approve identity/privileges in the system?
Database Auditing Questions
• “I need to see all DBA activity, and check against change requests” (CISO, global banking firm)
• “We don’t want another product, we need an integrated solution to address the databases within our existing compliance framework” (CISO, Fortune 100 retailer)
• “We are not interested in regular user behavior, we need to see what the DBA did” (CISO, Fortune 100 retailer)
• “We need to see not only end-user logon but detailed DBA activity” (IT Security, international bank)
• “We want to be able to track DBA activity versus change requests” (IT Security, pension management and employee services firm)
• “I want to integrate all security relevant events in one audit application” (VP/CTO, electricity and gas distributor)
• “My DBAs don’t know how the data is organized, yet they have full administrative access. I need to see what they did” (VP/CTO, electricity and gas distributor)
I Need to Collect Logs but It’s Too Hard (Phase: Capture)
• Thousands of points across the enterprise generating event logs
• Regulators and auditors require you to capture and retain these log files
• Internal and external threats mean you need to investigate activities
• Time and cost constraints mean it must be fast and affordable
Your enterprise: how do you collect the logs?
Comprehensive Log Management (Phase: Capture)
Capabilities:
• Secure, reliable log capture from any platform
• Full support for native log collection (syslogs, audit trails, SNMP, LDAP, Active Directory, etc.)
• Store in an efficient, compressed depot
• Access data when needed
• Search across all logs
• Reports to prove complete collection
Implementation time: plug and play.
Benefits:
• Reduce costs by automating and centralizing collection
• Save time by decreasing the length of audits
Log Continuity Report
Instant proof to auditors and regulators that your log management program is complete and continuous.
Investigate: Depot Investigation Tool
Information at your fingertips, with easy-to-use search.
Today’s Audit and Compliance Challenge (Phase: Comprehend)
People: privileged users, outsourcers, consultants
Behavior: mistakes and human error; sabotage of data or systems; theft/release of information assets; introduction of bad code; installation of unauthorized software
Systems: applications, databases, OSs, mainframes, devices
Information: customer data, patient files, financial info, HR records
These actions may result in lengthy outages, lost business, lost customers, legal liability or audit deficiencies – at a cost of 6% of annual revenue.
Consul InSight Monitors User Behavior for Compliance (Phase: Comprehend)
What are people doing on my network? Compare “desired” versus “actual” behavior.
Consul InSight compares what should occur (policy) versus what does occur (behavior), providing a continuous compliance gap analysis.
How Do I Make Sense of All This? (Phases: Correlate, Comprehend)
After Log Capture, Translation Is Next (Phases: Correlate, Comprehend)
Platforms: Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris
Each native log format needs its own expert to read it: a Windows expert, a z/OS expert, an AIX expert, an Oracle expert, a SAP expert, an ISS expert, a FireWall-1 expert, an Exchange expert, an IIS expert and a Solaris expert.
Now All Logs in Your Enterprise in a Single Language (Phases: Correlate, Comprehend)
The Consul InSight™ Suite translates logs to “English” across Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS and Solaris.
Consul InSight saves your information security and compliance staff time and money by automating monitoring across the enterprise.
Translate Logs into English – Consul’s W7 Methodology (Phase: Comprehend)
1. Who did
2. What type of action
3. on What file/data
4. When did he do it and
5. Where
6. from Where
7. Where to
We do the hard translation work, so you don’t have to!
Sophisticated Log Interpretation and Correlation (Phase: Comprehend)
Capabilities:
• W7 normalization
• Interpret EVERY log (syslog and native logs) into English
• Compare billions of log entries to baseline policy
Out of the box log normalization!
Benefits:
• Interpret and monitor all logs with fewer and less expensive resources
• More quickly detect and solve security problems
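The W7 translation and the policy-versus-behavior comparison, as an added example that is not Consul's or IBM's code: two constructed native log lines (an Oracle-style audit record and a Linux sshd syslog line) are normalized into the seven W7 fields, then compared against a constructed group policy so that the unexpected event (a DBA reading payroll data, the case the deck shows) surfaces as an English finding. The record layout, regexes, group names and policy table are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Hypothetical W7 record; field names follow the seven questions, not the product's schema.
@dataclass(frozen=True)
class W7Event:
    who: str         # 1. Who did it
    what: str        # 2. What type of action (normalized verb)
    on_what: str     # 3. on What file/data
    when: datetime   # 4. When
    where: str       # 5. Where it was logged
    where_from: str  # 6. from Where (origin)
    where_to: str    # 7. Where to (destination)

# Constructed sample log lines in two native formats (not real product or vendor output).
ORACLE_AUDIT = ("2007-06-06 09:14:02 DBSRV01 AUDIT user=MBONFIRE action=SELECT "
                "object=HR.PAYROLL client=10.0.5.17")
SYSLOG_SSH = "Jun  6 09:20:11 finsrv02 sshd[4121]: Accepted password for jsmith from 10.0.9.4 port 50112 ssh2"

ORACLE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) AUDIT user=(?P<user>\S+) "
                       r"action=(?P<act>\S+) object=(?P<obj>\S+) client=(?P<src>\S+)$")
SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
# The per-platform "expert" knowledge lives in small translation tables like this one.
ORACLE_VERBS = {"SELECT": "Read", "UPDATE": "Modify", "DELETE": "Delete", "GRANT": "Grant privilege"}

def normalize(line: str, year: int = 2007) -> W7Event:
    """Translate one native log line into a W7 event; syslog lines carry no year, so it is supplied."""
    m = ORACLE_RE.match(line)
    if m:
        return W7Event(m["user"].lower(), ORACLE_VERBS.get(m["act"], m["act"].title()), m["obj"],
                       datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["src"], m["host"])
    m = SSH_RE.match(line)
    if m:
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return W7Event(m["user"], "Logon", "ssh session", when, m["host"], m["src"], m["host"])
    raise ValueError(f"no translation available for: {line!r}")

# Constructed policy (the "desired" side): group membership, which data is sensitive, and the
# (action, data class) pairs each group is expected to perform. Anything else is a compliance gap.
GROUPS = {"mbonfire": "DBA", "jsmith": "Finance"}
SENSITIVE = {"HR.PAYROLL": "payroll"}
POLICY = {
    "DBA": {("Modify", "schema"), ("Grant privilege", "schema"), ("Logon", "session")},
    "Finance": {("Read", "payroll"), ("Logon", "session")},
}

def data_class(on_what: str) -> str:
    return SENSITIVE.get(on_what, "session" if on_what == "ssh session" else "other")

def gap_analysis(events) -> list:
    """Compare actual behavior against policy; return one English finding per unexpected event."""
    findings = []
    for e in events:
        group = GROUPS.get(e.who, "Unknown")
        if (e.what, data_class(e.on_what)) not in POLICY.get(group, set()):
            findings.append(f"{e.who}, a {group}, did '{e.what}' on {e.on_what} at "
                            f"{e.when:%Y-%m-%d %H:%M} on {e.where} from {e.where_from}")
    return findings
```

Because the comparison runs on normalized fields rather than raw text, one policy table covers every platform that has a translator, which is the point of normalizing before correlating.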
Comply with Rigorous Regulatory Requirements
Compliance Dashboard: logs after W7 – billions of log files summarized on one overview graphic!
W7 Event List
Note: Mike Bonfire, a DBA, is reading the payroll.
Full Audit and Compliance Reporting (Phase: Communicate)
Capabilities:
• Hundreds of reports
• Compliance modules
• Real-time alerts
• Custom reports
Benefits:
• Reduce length and effort required for audits
• Reports in an instant, saving time
• Reduce risk of insider threat:
  – Info protection
  – Change control
  – User management
Regulation-specific modules with tailored reports to jumpstart your compliance efforts – saving you staff time and reducing audit costs.
Operational Change Control Report
See a summary of all the operational changes made by different groups.
Event List
Zoom in on all the actions the IT admin performed on the financial server and see the creation of the user account Chin055.
Event Detail Report
Drill down into that specific event to see all the event details; we can even go to the raw log file.
IBM z/OS Support
• Include z/OS events in InSight reports
  – z/OS, RACF, CA-ACF2, CA-Top Secret, DB2
• Translate MVS jargon into InSight’s compliance language
• Auditors no longer need z/OS expertise to monitor activities
Solution: The Consul InSight Suite – The 3 C’s
1. Capture – Comprehensive Log Management
2. Correlate – Sophisticated Log Interpretation
3. Communicate – Full Audit and Compliance Reporting
Technology
The Consul Difference
Comprehensive log collection, user monitoring and compliance reporting solution
• Collect all native logs
  – Syslogs, audit trails, SNMP, LDAP, Active Directory, etc.
  – OS depth, including zSeries, AIX, Solaris, Windows, Linux, etc.
  – Oracle, DB2, MSSQL, Sybase and UDB
• Secure, reliable and compressed log storage
• Verify that all logs are collected via log continuity reporting
• Drill-down reporting capability for root cause analysis
• Self auditing
• W7 log normalization translates your logs into English
• Correlation of logs allows for sophisticated policy enforcement and notification of business violations
• Regulation-specific compliance reporting
How Can Tivoli’s SIEM Solution Help?
You need to run the business, but you…
• … must demonstrate compliance with regulations
• … must protect intellectual property and ensure privacy properly
• … must manage security operations and threats effectively and efficiently
Personas: CISO/Audit; Security Technical; CFI/CIO
IBM Tivoli SIEM Meets Your Business Needs
Market problem → Tivoli SIEM solution capabilities:
• Can’t demonstrate compliance with regulations → Security compliance dashboard and reporting: compliance dashboard; regulatory reporting
• Can’t protect intellectual property and ensure privacy properly → User behavior auditing: privileged user monitoring and audit (PUMA); database and application auditing; operating system and mainframe auditing
• Can’t manage security operations effectively and efficiently → Security operations management: security operations dashboard and incident management; log management and reporting; real-time event correlation; integration with IT operations
Tivoli Security Operations Manager and Consul InSight
• User persona: Security Operations – Problem: network-centric attacks, misconfigs and misuse; security data overload; mitigation of security incidents – Product: Tivoli Security Operations Manager (TSOM) – Solution: incident management, Security Event Management (SEM)
• User persona: IT Security / Internal Audit – Problem: user-centric policy violations (WHO?); privileged user audit and monitoring; regulatory compliance reporting – Product: Consul InSight – Solution: user activity monitoring, Security Information Management (SIM)
You Need Reports to Communicate (Phase: Communicate)
(Chart: activity over time)
IBM’s SIEM Roadmap
2007
• Next release of IBM SIEM Compliance Dashboard: enhanced reporting; automated report distribution; toolkits for building indexers; agentless i-Series collect; Tivoli integration (*integration broader than event source)
  – Event sources: Oracle Financials, mySAP Business Suite, DB2 Viper, Informix
  – Event sources: Tivoli Identity Manager (event source), Tivoli Access Manager for e-business, Tivoli Access Manager for Operating Systems, IBM SIEM realtime correlated events
  – Event sources: Tivoli Federated Identity Manager, Tivoli Directory Server, Tivoli Configuration Manager
  – Compliance module: ISO 27001 update
• Next releases of IBM SIEM Security Ops Dashboard: improved event processing, filtering and correlation architecture; simplified, centralized device configuration; dashboard – customizable, higher performance; localized language versions & internationalization support; improved incident investigation and case management; IBM CCMDB integration for incident investigations
  – Realtime event sources: ISS Proventia product line, ISS SiteProtector, IBM zSecure Alert
  – PCI Report Pack
  – Realtime event sources: IBM SIEM Policy Violations
2008
• Event source focus: storage management; DB2, AME, CICS, IMS; change and configuration management (CCMDB*); content management; security policy compliance integration (status audit)*
• Next releases of IBM SIEM Security Ops Dashboard: Tivoli Common UI; Device Support Wizard; MRO Service Desk integration & ticketing gateway; additional dashboard displays; security baseline triggers; expanded CMDB support
• Next releases of IBM SIEM Compliance Dashboard: enhanced user management; on-going Tivoli integration; additional compliance modules; improved scalability and platform support; NLS support
Ongoing
• Continued realtime event source integration with IBM and 3rd party products
• Extended correlation rules & security content
• Additional reports
Compliance modules: COBIT; PCI; ITIL
The IBM Tivoli SIEM Solution
Event Sources → Points of Presence → IBM Tivoli SIEM Install → Output
• Event sources: applications, databases, operating systems, IDS & IPS, firewalls, mainframe
• Points of presence: collectors, TSOM EAMs, TCIM Standard Servers (optional)
• IBM Tivoli SIEM install: TSOM CMS Server, TCIM Enterprise Server (optional), TCIM Standard Servers
• Output: Compliance Dashboard, Operational Dashboard, reports, retrieve log files, third-party integration, alerts