Tivoli Security Operations Manager: From Unknown Events to Actionable Intelligence
Boudhayan Chakrabarty, TSOM Support, IBM
IBM Service Management (ISM): An Integrated Approach to Getting Business Results
• Visibility – See your business. Only IBM delivers integrated visibility across Business & IT audiences, e.g. contextual LoB, compliance, security, service and domain dashboards.
• Control – Govern your assets. Only IBM delivers integrated control across Business & IT assets, e.g. EAM, IT Asset Mgmt, Change & Config, Access & Identity Mgmt, Data Mgmt.
• Automation – Build agility into operations. Only IBM delivers integrated automation across Business & IT operations, e.g. Enterprise Ops, Service Provider Ops, IT Ops, Security Ops, Storage Ops.
IBM Tivoli Security Operations Manager, TUG Conference, Pune 2009
The IBM Security Framework: on-demand protection to stay ahead of outsider and insider threats (IBM Security Solutions)
Why do people buy SIEM solutions?
"What is your primary reason for adopting a security information/event management solution?"
Base: 41 technology decision makers at North American SMBs and enterprises. Source: March 24, 2006, Trends, "Security Information Management Is Much More Than Just A Fancy IDS".
Security Operations Challenges
• Operational efficiency – too much data, too many formats, complex processes
• Resource constraints – making the most of fixed resources: people, hardware, software
• Business risk – managing the ripple effect of security breaches on the business
• Regulatory compliance – support for regulatory and policy initiatives
• IT process optimization – cross-silo information sharing (NOC, SOC, Help Desk)
Typical Security Operation
• Siloed management
• Multiple consoles
• Manual correlation
• Vendor-specific point solutions
Multi-vendor, multiple-domain environment (diagram): identity & access, network IDS, antivirus, firewall, routers, servers, apps, with a virus shown as the example threat.
Tivoli Security Operations Manager (TSOM)
Risk reduction, operational efficiency, support for regulatory compliance.
• TSOM is an advanced Security Information & Event Management (SIEM) software platform designed to improve the effectiveness, efficiency and visibility of enterprise security operations
• Maximize and amplify security resources through automation
• Event management – automated aggregation of security events
• Correlation – real-time, cross-device event correlation for incident recognition and policy monitoring
• Support regulatory compliance – reporting and policy monitoring to support regulatory compliance initiatives
• Integrates security operations with other IT operations groups via Netcool and TEC
TSOM Business Benefits
• Accelerate identification and remediation of disruptions
• Improve security to reduce business disruption
• Align security activities with business priorities
• Increase customer trust and satisfaction
• Redirect analyst resources to complex problem-solving instead of routine monitoring
• Reduce labor costs by offering a high degree of operational automation
• Optimize time-to-value, with speedy implementation and immediate, out-of-the-box operability
• Improve service levels
How Is It Done
• Consolidates network security breach data
• Displays it in real time
• Suggests solutions
• Takes action on its own
• Archives it for future reference
• Generates reports on schedule or on demand
TSOM Components
• CMS – Central Management System
• EAM – Event Aggregation Module
• UCM – Universal Collection Module
• Database (Oracle or DB2)
Typical Environment (diagram slide)
TSOM Architecture (diagram slide)
Architecture walk-through (diagram slides): Input and the CMS; Processing and the EAM; Outputs
Security Operations and Compliance Reporting – on demand or scheduled!
Finding the Needle…
Four-Stage Correlation Process
Complementary techniques for scalable incident recognition and precise policy enforcement:
• Statistical threat analysis – detecting unknown attacks; detecting anomalous behavior; out-of-the-box benefit!
• Rules-based correlation – detecting misuse; enforcing security policies; simple rules to complex, multi-phase stateful rules
• Susceptibility correlation – raises visibility of threats against susceptible hosts; reduces noise of threats against non-susceptible hosts
• Vulnerability correlation – mapping of specific detected threats to specific known vulnerabilities
Atomic Scoring
• Calculates a source threat score and a destination threat score for each event using six weights.
Compound Scoring
• Measures an attacker's real-time threat level to the company.
• Measures an asset's real-time attack level.
• Calculated from the atomic scores and the event frequency during a sliding time window.
Stage 1 – Impact Correlation
First attack – port scan against a DMZ host. TSOM analyses the event and carries out an impact correlation, asking:
• How important is the source address and network?
• How important is the business asset which has been targeted?
• Do we believe that the attack is real?
• How serious an attack is it?
This analysis produces a weighted threat value, which TSOM records and remembers. Threat value for event 24342652 = 25 (low impact).
Stage 2 – Statistical Correlation
Second attack – CGI-bin scan. The hacker sees that port 80 is open and running a web server, so launches a second set of probes to look for vulnerabilities within the web server (a CGI-bin scan). Again an impact correlation is carried out (threat value = 50), but this is the second event from this host, so now it starts getting noticed by statistical correlation: two events totalling 75 in the last 2 minutes, so the IP address is promoted to Level 2.
Stage 2 continued – sustained attack
Now the hacker has found vulnerabilities and is launching attacks: a web attack (threat value = 75) followed by a serious web attack (threat value = 100). Impact correlation is carried out on each event, and statistical correlation sees that this is a sustained attack: four attacks in the last 5 minutes with a cumulative threat value of 250, so the address is promoted to Level 3 within the GUI, instantly notifying the user that there is an attack in progress.
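The scoring walk-through above can be made concrete. The Python below is an added example, not TSOM's own code (the product's scoring internals are not on the slides): it replays the four-event DMZ scenario through a sliding-window compound scorer that tracks both the attacker (source threat level) and the asset (destination attack level). The atomic threat values 25, 50, 75 and 100 are the ones the slides show; the promotion thresholds (75 points within 2 minutes for Level 2, 250 points within 5 minutes for Level 3), the event class names, timestamps and addresses are assumptions chosen to match the narrative, and the example also shows what the deck does not: old events expiring out of the window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Atomic threat values per event class. The numbers are the ones the slides give
# for the worked example; in TSOM the atomic score comes from the weighted impact
# correlation, which is not specified on the slides, so this lookup is a stand-in.
ATOMIC_SCORE = {
    "recon.portscan": 25,
    "recon.cgi_scan": 50,
    "attack.web": 75,
    "attack.web.serious": 100,
}

# (window_seconds, minimum compound score, level). Thresholds are assumptions
# reverse-engineered from the deck: 75 in 2 min -> Level 2, 250 in 5 min -> Level 3.
PROMOTION_RULES = [
    (120, 75, 2),
    (300, 250, 3),
]


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the capture (constructed)
    src: str
    dst: str
    cls: str       # event class, key into ATOMIC_SCORE


class StatisticalCorrelator:
    """Sliding-window compound scoring for sources (attacker threat level)
    and destinations (asset attack level)."""

    def __init__(self, rules=PROMOTION_RULES):
        self.rules = rules
        self.widest = max(w for w, _, _ in rules)
        self.history = {"src": defaultdict(deque), "dst": defaultdict(deque)}
        self.level = {"src": defaultdict(lambda: 1), "dst": defaultdict(lambda: 1)}

    def _update(self, side, key, ts, score):
        hist = self.history[side][key]
        hist.append((ts, score))
        # Expire entries that have fallen outside the widest window.
        while hist and hist[0][0] < ts - self.widest:
            hist.popleft()
        level = self.level[side][key]
        for window, threshold, lvl in self.rules:
            compound = sum(s for t, s in hist if t >= ts - window)
            if compound >= threshold and lvl > level:
                level = lvl
        self.level[side][key] = level   # simplification: levels only ratchet upward
        return sum(s for _, s in hist), level

    def observe(self, ev):
        """Score one event; returns atomic score plus compound score and level
        for the source and for the destination over the widest window."""
        atomic = ATOMIC_SCORE[ev.cls]
        src_compound, src_level = self._update("src", ev.src, ev.ts, atomic)
        dst_compound, dst_level = self._update("dst", ev.dst, ev.ts, atomic)
        return {
            "atomic": atomic,
            "src_compound": src_compound, "src_level": src_level,
            "dst_compound": dst_compound, "dst_level": dst_level,
        }


def replay_deck_scenario():
    """The four-event DMZ scenario from the slides (constructed timestamps/addresses)."""
    attacker, web = "198.51.100.7", "dmz-web-01"
    events = [
        Event(0,   attacker, web, "recon.portscan"),
        Event(60,  attacker, web, "recon.cgi_scan"),
        Event(120, attacker, web, "attack.web"),
        Event(180, attacker, web, "attack.web.serious"),
    ]
    corr = StatisticalCorrelator()
    return [corr.observe(e) for e in events]


if __name__ == "__main__":
    for row in replay_deck_scenario():
        print(row)
```

Because the expiry is tied to the widest window, a single probe seen long after an earlier burst starts from a clean slate, which is the behaviour that keeps statistical correlation from flagging every slow scanner on the Internet. Holding a promoted level indefinitely is a simplification here; a real deployment would decay it once the window empties.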
TSOM Rules: Policy – Dangerous Perimeter Service
Scenario: Oracle DB access from the Internet to a finance server in the DMZ; watchlist = External Networks.
Certain services should not be accessible from the Internet, for example Oracle database access (TCP port 1521):
If Source Watchlist = External Networks AND Event Class = traffic.accept AND Dst Port = 1521 THEN Policy Violation AND Exposure
TSOM Rules: Susceptibility – Possible Worm Infection
Scenario: worm traffic towards a finance server in the DMZ. Is the worm propagation destined for a system which has vulnerabilities?
If Event Class = attack.worm AND Dst Port has Vulnerability THEN Possible Worm Infection AND Exposure
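The two rules above, written out as an added example in Python (this is not TSOM's rule language or code; it illustrates the evaluation logic only). The "External Networks" watchlist is modelled as anything outside the RFC 1918 ranges, the per-host vulnerability data stands in for a scanner import, and the sample events are constructed; the dangerous-service list generalises the slide's single port (1521) to a small table, with the two extra ports being added assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Watchlists: named address sets. "External Networks" is modelled as anything
# outside the RFC 1918 ranges (assumption; TSOM watchlists are operator-defined).
_INTERNAL_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_watchlist(name, ip):
    addr = ipaddress.ip_address(ip)
    if name == "External Networks":
        return not any(addr in net for net in _INTERNAL_NETS)
    raise KeyError(f"unknown watchlist {name!r}")


# Services that must never be reachable from the Internet. The slide names Oracle
# database access (TCP 1521); the other two entries are constructed extras.
DANGEROUS_PERIMETER_PORTS = {1521: "Oracle listener", 1433: "MS SQL Server", 3306: "MySQL"}

# Per-host vulnerable ports, as a vulnerability-scanner import would provide
# (constructed data; TSOM takes this from scanners such as Nessus or QualysGuard).
VULNERABLE_PORTS = {"10.1.2.20": {445, 1521}}


@dataclass(frozen=True)
class Event:
    event_class: str   # e.g. "traffic.accept", "attack.worm"
    src_ip: str
    dst_ip: str
    dst_port: int


def rule_dangerous_perimeter_service(ev):
    """Policy: If Source Watchlist = External Networks AND Event Class = traffic.accept
    AND Dst Port is a dangerous perimeter service THEN Policy Violation AND Exposure."""
    if (ev.event_class == "traffic.accept"
            and in_watchlist("External Networks", ev.src_ip)
            and ev.dst_port in DANGEROUS_PERIMETER_PORTS):
        return ["Policy Violation", "Exposure"]
    return []


def rule_possible_worm_infection(ev):
    """Susceptibility: If Event Class = attack.worm AND Dst Port has Vulnerability
    THEN Possible Worm Infection AND Exposure. A worm aimed at a port with no known
    vulnerability on that host is deliberately left unflagged (noise reduction)."""
    if ev.event_class == "attack.worm" and ev.dst_port in VULNERABLE_PORTS.get(ev.dst_ip, set()):
        return ["Possible Worm Infection", "Exposure"]
    return []


RULES = [rule_dangerous_perimeter_service, rule_possible_worm_infection]


def evaluate(events):
    """Run every rule over every event; returns (event index, finding) pairs."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            findings.extend((idx, tag) for tag in rule(ev))
    return findings


# Constructed sample events (documentation-range and RFC 1918 addresses).
SAMPLE_EVENTS = [
    Event("traffic.accept", "203.0.113.5", "10.1.2.20", 1521),  # Internet -> Oracle: violation
    Event("traffic.accept", "10.0.5.9",    "10.1.2.20", 1521),  # internal client: allowed
    Event("attack.worm",    "203.0.113.9", "10.1.2.20", 445),   # worm at a vulnerable port
    Event("attack.worm",    "203.0.113.9", "10.1.2.21", 445),   # same worm, host not vulnerable
]

if __name__ == "__main__":
    for idx, tag in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{tag:24s} {ev.event_class} {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port}")
```

The fourth sample event is the point of susceptibility correlation: the same worm hitting a host with no vulnerability on that port produces nothing, so the analyst only sees the exposure that matters.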
TSOM Dashboard (screenshot slide; event frequency view)
TSOM Technical Benefits
• Correlate security data
• Enforce security policies and detect violations in real time
• Recognize and handle business-relevant incidents
• Security and compliance reporting
• Software platform for the SOC
• Support audit and regulated compliance initiatives
• Manage data within a complex multi-vendor infrastructure
• Optimize limited security resources
Device Support (over 300 and growing!)
• Applications: Apache; Microsoft IIS; IBM WebSphere; Oracle; Lotus Domino; SAP R3; IBM DB2 (coming soon)
• Operating system logs and logging platforms: Solaris (Sun); AIX (IBM); Red Hat Linux; SuSE Linux; HP-UX; Microsoft Windows Event Log (W2K3 DHCP, W2K DHCP, IIS); Microsoft SNMP Trap Sender; Nokia IPSO; Novell NetWare; OpenBSD; Tru64; Tripp Lite UPS; MonitorWare Syslog; Kiwi Syslog; z/OS mainframe IDS
• Antivirus: CipherTrust IronMail; McAfee VirusScan; Norton AntiVirus (Symantec); McAfee ePO; Trend Micro InterScan
• Application security: Blue Coat Proxy; Nortel ITM (Intelligent Traffic Management); Teros APS; Sentryware Hive; IBM DataPower (coming soon)
• Discovery tools: Lumeta IPsonar; Nmap; Sourcefire RNA
• Access and identity management: IBM Tivoli Access Manager; IBM Tivoli Identity Manager; CA eTrust Access; CA eTrust Secure Proxy Server; CA eTrust SiteMinder (Netegrity); RSA SecurID; RADIUS; Oracle Identity Management (Oblix); Sun Java System Directory Server; Cisco ACS
• Wireless security: AirMagnet; AirDefense
• Management systems TSOM escalates to: IBM Netcool (Micromuse); IBM Tivoli Enterprise Console; Cisco Information Center; Remedy ARS; HP OpenView; CA Unicenter
• Management systems that are a source of events into TSOM: Check Point Provider-1; CiscoWorks; IBM Netcool (Micromuse); ISS SiteProtector; Juniper Global Pro (NetScreen); Juniper NSM (NetScreen); Tripwire Manager; Intrusion, Inc. SecureNet Manager; McAfee ePO; Nortel Defense Center; Sourcefire Defense Center; Q1 QRadar Management Server
• Firewalls: Check Point Firewall-1; Cisco PIX; CyberGuard; Fortinet FortiGate; GNAT Box; Juniper (NetScreen); Linux iptables; Lucent Brick; Microsoft ISA Server; Nortel Switched Firewall; Stonesoft StoneGate; Secure Computing Sidewinder; Symantec Enterprise Firewall; SonicWALL; Sun SunScreen
• Vulnerability assessment: Nessus; Vigilante; ISS Internet Scanner; QualysGuard; Foundstone; eEye Retina, REM; SPI Dynamics WebInspect; nCircle IP360; Harris STAT; Tenable Lightning
• Routers/switches: Cisco routers; Cisco Catalyst switches; Cisco RCMD; Foundry switches; F5 BIG-IP, 3-DNS; Juniper JunOS; TACACS/TACACS+; Nortel Ethernet Routing Switch 5500, 8300, 8600, 400 series; Extreme Networks
• Policy compliance: Vericept
• Network intrusion detection/prevention: McAfee IntruShield; Sourcefire Network Sensor; Sourcefire RNA; Juniper IDP; ISS RealSecure; ISS Proventia G, M; ISS BlackICE Sentry; Cisco Secure IDS; Snort IDS; Enterasys Dragon; Nortel Threat Protection System (TPS); Intrusion SecureNetPro; Mirage Networks; NFR NID; Symantec ManHunt; ForeScout ActiveScout; QRadar; Top Layer Attack Mitigator; LaBrea Tarpit; IP Angel; Lancope StealthWatch; TippingPoint UnityOne; NDS; Arbor Networks Peakflow X; Mazu Networks
• Host-based intrusion detection/prevention: Type80 SMA_RT (z/OS mainframe RACF); PowerTech (iSeries/AS/400); Cisco CSA; NFR HID; IBM Netcool SSMs; Sana; Snare; Symantec Intruder Alert (ITA); Sygate Secure Enterprise; Tripwire; ISS Server Sensor; McAfee Entercept
• VPN: Juniper SSL VPN; Nortel VPN Router (Contivity); Check Point; Cisco IOS VPN; Cisco VPN 3000; Juniper VPN; Nortel VPN Gateway (SSL VPN)
TSOM Product Differentiators
• Security operations enterprise features
  • Security domains – security data segmentation
  • Roles and granular permissions for different classes and abilities of users
  • Multiple, overlapping IP address ranges on a single system
  • High-availability capabilities
• Best out-of-the-box experience
  • Statistical correlation – does not require extensive rule writing or customization to get immediate value from the system
  • Rules-based, vulnerability and susceptibility correlation capabilities
• Unique, powerful visualization and investigation capabilities
  • PowerGrid – innovative data manipulation capability for powerful and immediate visualisation; could be used in RAD/Webtop data manipulations
  • GeoServer – innovative geographical capability which could have application in many network management functions
  • Diagnostic tools – a customizable tool kit that allows the operator to investigate incidents quickly from a single screen
TSOM Product Differentiators (continued)
• Scalability – a greater number of events per second on the same hardware; statistical correlation requires less processing
• Real-time dashboard – works the way a SOC operator thinks
• Investigation – helps the operator quickly determine what is going on
• Incident management – tightly integrated with security, not just a gateway to Remedy
• Breadth and depth of supported devices – device support exists for most devices and is easy to configure for others
• Agentless-focused architecture – get the most out of standards-based, agentless protocols for fast and easy deployment; use agents where required, or for critical management system connections
TCIM and TSOM = TSIEM
• Tivoli Compliance Insight Manager (TCIM) – audit management, compliance audit and reporting: user activity monitoring, policy evaluation and enforcement, compliance dashboard, historical analysis, audit reports and exception alerts
• Tivoli Security Operations Manager (TSOM) – SOC incident handling and response (ISS IT threat management): aggregation, correlation, real-time threat and incident handling, SOC dashboard, operational reports
Complementary, first-class IT security management for improving operational resiliency and reliability for heterogeneous IT environments and processes.