utilizing novell compliance management platform for continuous controls testing and monitoring
DESCRIPTION
Compliance used to be a periodic and mostly manual project driven by audit dates and deadlines. But those days are gone. Security threats to IT systems are real and constant. In this session, you will be guided through the architecture of Novell Compliance Management Platform and will learn how to set up continuous compliance for a particular set of IT controls.

Highlights of the session include instructions on how to:
1. Select controls for continuous compliance
2. Set up data collection from IT systems under scrutiny
3. Integrate identity information into collected security data
4. Set up detection mechanisms (correlation rules)
5. Define actions (remediation rules) and reports

TRANSCRIPT
Utilizing Novell® Compliance Management Platform for Continuous Controls Testing and Monitoring
Mark van Reijn, Technology Specialist, idfocus / [email protected]
© Novell, Inc. All rights reserved.2
Agenda
Organizational risk management
– It's all about balance
Information security controls and standards
– COSO, CobiT, ISO/IEC 2700x
Novell® Compliance Management Platform (CMP) components and architecture
Bringing it together in 4 steps
– Select controls
– Collect data
– Setup detection mechanisms
– Define actions and reports
About the Session Level
Getting from business babble to tech talk
• Some affinity with regulations and governance frameworks assumed
• Familiarity with Novell® Compliance Management Platform Products assumed
– Especially Novell Sentinel™
• Technical content (solution pack) is available online
Organizational Risk Management
Risk Management: What Is It?
How much risk are you willing (or allowed) to take?
• Some risk is necessary in order to make a profit
– Eliminating all risk is too costly in terms of time and resources
• Balance between probability and impact
• Identify acceptable risks versus risks that need to be mitigated
• Only some critical environments might try to evade all risks
– For example, where human life is at stake
Risk Management: What Is It? (cont.)
How can organizations prioritize their risks?
• Assess the risks and determine their dimensions
– Probability between 1-99%
– Impact on critical factors such as cost or time (or health)
• Plot risk dimensions on a chart
– The line indicates the boundary of acceptable risks
– Develop a response for all others
[Chart: Probability of Occurrence (Low to High) plotted against Impact of Risk (Low to High), with regions labelled Low-level Risk, Medium-level Risk and Critical Risk]
Risk Management: When?
Most organizations have some sort of Risk Management in place
• This may be internally or externally imposed
– Regulations
– Standards framework
• Often for high financial risks or key projects
Information Security Controls and Standards
Control Frameworks and Standards
Many regulations and governance frameworks deal with risk management
• COSO
– Organizational governance
– Business ethics
– Risk control model
– Financial reporting
Control Frameworks and Standards
Only a subset of most frameworks and regulations relates to IT
• CobiT
– Control framework for IT governance
– Link business goals to IT goals
– Define KPI from targets
• ISO/IEC 27002
– Code of practice for information security management
Risk Management is often linked to IT Security
Obligatory Quote:
“All Security Involves Trade-offs”
– Bruce Schneier
Steps Towards Control Monitoring
• Get organized
– Understand control objectives
– Classify and prioritize systems and applications
– Implement an Identity and Access Management program
• Determine appropriate control levels
– Reasonable
– Enforceable
– Auditable
• Determine control types
– Protective
– Detective
– Corrective
• Envision Integration
Novell® Compliance Management Platform (NCMP) Components and Architecture
Automation and Validation
Supporting Governance, Risk Management, and Compliance
Identity and Access Management
• Roles, rules, work-flows, and approval processes
• Identity integration and life-cycle management
• Authorization and access
• ESSO
Security Information and Event Management
• Audit and reporting
• Activity monitoring
• Event correlation
• Validation and remediation
Compliance Management Platform
Security, Access and Provisioning Challenges
[Diagram: the challenges Secure Web Access, User Provisioning and Security Information Management mapped to the platform's solutions]
Compliance Management Platform
Modular Product Set
Tightly integrated compliance and governance solutions
• Novell® Access Manager
• Novell® Identity Manager
• Novell® Sentinel™
[Diagram: Workstations and Servers, Security Devices, Applications, Network Infrastructure and Databases send logs to Novell® Sentinel™; Novell Identity Manager supplies identity data; Sentinel monitors, reports and remediates]
Replace manual processes with automated IT controls, monitoring and reporting
What is Novell® Sentinel™ Anyway?
Sentinel is a system for:
Security Information and Event Management
• Sentinel gathers security events, and then normalizes, displays, correlates, stores and reports on them to support both manual and automated security and business process management.
• Sentinel attempts to turn data into actionable information via normalization, graphical displays, addition of business relevance information, and correlation.
Sentinel™ Process Summary
Collect ➔ Normalize ➔ Monitor ➔ Respond ➔ Report
Novell® Sentinel™ Components
Collector managers and collectors
Correlation engine
Sentinel control center
Active views dashboards
iTRAC incident remediation system
Data repository
iSCALE message bus
Novell® Sentinel™ Architecture
[Diagram, built up over five slides. External event sources: security perimeter (VPN, Host IDS, Network IDS, Antivirus, Firewall, Custom Events), referential IT sources (Vulnerability Mgmt, Patch Mgmt, Asset Mgmt, Identity Mgmt), operating systems (Domain Controller, Mainframe, Laptops, Workstations, Server) and application events (RDBMS, Business Apps). These feed Collectors under Collector Managers, which parse and normalize events and apply taxonomy, business relevance and exploit detection. Events are published to channels on the message bus and subscribed to by the Correlation engine, Sentinel Control Center, Remediation workflow and Repository. Layers: Event Sources, Data Collection, Communication Channel, Data Processing.]
Bringing It Together
Four Steps Towards Control Automation
1. Select the desired controls to monitor
– Largely dependent on regulations and risk management
2. Identify and collect the needed information
– Security logs, identity information
3. Identify and implement detection mechanisms
– Typically, correlation rules in Sentinel
4. Define actions and reports
– Without some form of incident management or mitigation the previous steps are useless
1. Select Controls
Common Threats
• Non-person accounts (typically un-managed)
– Standard accounts
– Privileged users*
– Service accounts
• Contingency workers, temp workers
• Misconfiguration
• Data exposure
2. Identify and Collect Information
• Depending on the control or regulation, systems may or may not be in scope
– Epic example: financial systems are in scope for SOX
– The list of systems will follow from the selected controls
• Collecting event data is not enough
– Need business relevance and context
• Sentinel will enrich events with external information
– Asset data
– Identity data
– Other business information
Normalization and Context
Dragon IDS - data items separated by pipes:
2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|10.10.10.241|1031|I|---AP---|6| tcp,sp=11711,dp=1031,flags=---AP---|
PIX Firewall – standard syslog format:
9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) from20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK on interface outside
[Figure: both raw events are mapped into the common schema Dept, Location, DP, DIP, SP, SIP, Event Name, Product Name, and enriched with asset context (locations Atlanta and Chicago; departments Finance and IS)]
Taxonomy
3. Detection Mechanisms
• Violation of policy and / or suspicious activity should be detected
• Correlate normalized events
• For example, check account names for authentication events against a blacklist
• These rules are the true implementation of corporate policy (business rules)
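As an added illustration of steps 2 and 3 (this is not Novell's code and not Sentinel's collector or correlation-rule syntax), the Python below parses the slide's two raw records (PIX syslog and Dragon pipe-delimited) into one schema, enriches them from a hypothetical asset table for location and department, and applies the blacklist correlation rule to constructed authentication events. Field positions for the Dragon record and all asset values are assumptions.

```python
import re

# Constructed sample events (the two raw records shown on the slide).
PIX_LINE = ("9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) "
            "from 20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK on interface outside")
DRAGON_LINE = ("2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|10.10.10.241"
               "|1031|I|---AP---|6| tcp,sp=11711,dp=1031,flags=---AP---|")

# Hypothetical referential data (asset IP -> location, department) standing in for the
# business-relevance lookup the slide describes; values are constructed.
ASSETS = {"10.10.10.10": ("Atlanta", "Finance"), "10.10.10.241": ("Chicago", "IS")}

PIX_RE = re.compile(r"%PIX-\d-(\d+): (\w+) (\w+) .*?from\s*([\d.]+)/(\d+) to ([\d.]+)/(\d+)")

def enrich(event):
    """Add Location and Dept context, keyed on the destination IP (DIP)."""
    event["location"], event["dept"] = ASSETS.get(event["dip"], ("unknown", "unknown"))
    return event

def normalize_pix(line):
    """Parse a PIX syslog line into the common schema; None if it does not match."""
    m = PIX_RE.search(line)
    if not m:
        return None
    msg_id, action, proto, sip, sp, dip, dp = m.groups()
    return enrich({"product": "PIX Firewall", "event_name": f"{action} {proto} {msg_id}",
                   "sip": sip, "sp": int(sp), "dip": dip, "dp": int(dp)})

def normalize_dragon(line):
    """Parse a pipe-separated Dragon record; field positions are assumed from the sample."""
    f = line.split("|")           # assumed: 1=signature 3=SIP 4=SP 5=DIP 6=DP
    if len(f) < 7 or not f[4].isdigit() or not f[6].isdigit():
        return None
    return enrich({"product": "Dragon IDS", "event_name": f[1],
                   "sip": f[3], "sp": int(f[4]), "dip": f[5], "dp": int(f[6])})

# Constructed normalized authentication events, as a domain-controller collector might emit.
AUTH_EVENTS = [
    {"product": "Domain Controller", "event_name": "Authentication", "account": "svc_backup", "dip": "10.10.10.10"},
    {"product": "Domain Controller", "event_name": "Authentication", "account": "jdoe", "dip": "10.10.10.241"},
]
BLACKLIST = {"svc_backup", "temp_admin"}  # constructed: accounts that must never authenticate interactively

def blacklisted_logins(events, blacklist=BLACKLIST):
    """Correlation rule from step 3: authentication events whose account is blacklisted."""
    return [enrich(dict(e)) for e in events
            if e["event_name"] == "Authentication" and e["account"] in blacklist]

if __name__ == "__main__":
    for ev in (normalize_pix(PIX_LINE), normalize_dragon(DRAGON_LINE), *blacklisted_logins(AUTH_EVENTS)):
        print(ev)
```

The enrichment step is what turns a bare "Deny TCP" into a record about a Finance asset in Atlanta, which is the context the later correlation rules and reports depend on.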
4. Define Actions and Reports
• When violations are detected, actions or incidents may be triggered
• Actions can be fully automated
– Novell® Sentinel™ triggers account disable in Identity Manager
• Actions may require manual intervention
– Sentinel triggers workflow in Identity Manager which asks for a human decision
• Incidents ensure registration of the event and the subsequent handling process
• Reports can include violations, incident management data or overviews of regular critical events
Novell® Sentinel™
Compliance Management Platform Actions
• LDAP Remediation
– Provides a method to update the Identity Vault through correlation/remediation
> Not limited to Novell® Identity Vault – can update any LDAP directory
• SOAP Remediation
– Provides a method to update the Identity Vault through correlation/remediation
> Not limited to Novell Identity Vault, can update any SOAP end-point
iTRAC Incident Management
[Workflow diagram, distinguishing manual from automatic activities. Stage 1, assign a user or role to the activity: Start, Check User Assignments, Assign User, Accept Incident, Verify Incident Assignment. Stage 2, perform data collection: Confirm Start Data Collection, Data Collection, Confirm End Data Collection.]
Report Types
High Level
Trends
Detailed
Reporting - Data Categories
Data access
Network access
Authentication
Authorization
User/group management
Password management
Patch management
Scanning activity (AV / VA)
Data integrity (transport) – VPN, etc...
Summary
Getting to Compliance Automation
• Get organized on compliance
• Determine appropriate control levels
• Determine control types
• Envision Integration
• Follow four-step implementation of monitoring
1. Select the desired controls to monitor
2. Identify and collect the needed information
3. Identify and implement detection mechanisms
4. Define actions and reports