WHITE PAPER. Ensuring Business Continuity Through the Proactive Response to Security Threat Intelligence

Transcription

1 WHITE PAPER Ensuring Business Continuity Through the Proactive Response to Security Threat Intelligence A Joint White Paper Written By: BMC Software and Symantec Corporation June 2004

2 WHITE PAPER Ensuring Business Continuity Through the Proactive Response to Security Threat Intelligence EXECUTIVE SUMMARY As enterprises seek to create a greater degree of business and IT alignment, they must contend with an increasing number of disruptions to their business from security threats. With additional pressure to achieve regulatory compliance with legislation such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA), security management has become not only critical to managing IT infrastructure, but a requirement to run a business. Adding to this the ever-increasing speed of threat propagation around the globe, there is now a strategic imperative for organizations to improve the effectiveness with which they respond to security threats. While security management has significantly matured as an IT discipline, it often remains separate from the mainstream business processes supported by the IT organization. The closer alignment of security and IT operations personnel enables a proactive response to security threat intelligence and makes it possible to achieve a greater level of business continuity. Symantec and Remedy, a BMC Software company, have integrated Symantec DeepSight Alert Services with Remedy Help Desk and Remedy s Action Request System. The solution enables the automated creation of help desk tickets containing the rich security content from DeepSight Alert Services personalized security vulnerability and malicious code alerts. The integration may be extended by Remedy Change Management to ensure efficient routing and workflow management for the resolution of help desk tickets created by DeepSight Alert Services, and to ensure such workflow follows the established change management procedures in your organization. The integration may also be extended by Remedy Asset Management, which assigns specific assets to each ticket. Skills-based routing assigns tickets to the personnel authorized to make the necessary changes on the affected systems. By bringing together the information provided by security early warning systems with the workflow enabled by Remedy IT Service Management Solutions for the Enterprise, you will be able to affect change in your IT infrastructure to more efficiently and more quickly respond to a new security threat. This enables you to minimize the impact of security vulnerabilities and malicious code to your business, preserving the value of your organization. 1

3 CONTENTS The Business Need for Integrating Security and IT Service Management Business Services Management Bridging Security and IT Service Management Symantec DeepSight Alert Services Customized for any environment Actionable mitigation strategics and analysis Timely identification of new vulnerabilities Remedy IT Service Management Solutions for the Enterprise Remedy Help Desk Remedy Asset Management Remedy Change Management Remedy Service Level Agreements Integration of Symantec DeepSight Alert Services, Remedy Help Desk, and Remedy Action Request System Integration of Symantec DeepSight Alert Services and Remedy Help Desk Technical Details Correct assignment of Remedy Tickets Additional form details Extending the Integration with Remedy Asset Management and Remedy Change Management Adding Remedy Asset Management Adding Remedy Change Management Additional Extension Solutions Automated inventory of hardware and software Automated distribution of patches and upgrades Remote control from the service desk Summary Partnering to Enable Effective Business Service Management 2

4 THE BUSINESS NEED FOR INTEGRATING SECURITY AND IT SERVICE MANAGEMENT. One of the primary topics on the minds of corporate executives today is compliance with new regulations created by legislation such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA). For companies to comply with these new regulations, they need more structured systems and processes to ensure the accuracy and integrity of financial and personal information. For example, stronger internal controls and reporting capabilities are required for IT systems that process financial and personal data, and policies, procedures, and systems must be continually assessed to minimize out-ofcompliance risk to the organization. As a result, security management has become not only critical to managing IT infrastructure, but a requirement to run a business. you to improve business performance, while actually simplifying the complexity of managing your IT infrastructure and reducing operational costs. Security Management Business Services Service Impact Management IT Service and Applications Management IT Operations and Infrastructure Management By responding to security threats more effectively, real, tangible business value is created by minimizing business disruption and reducing risk to your company s reputation. While security management has significantly matured as an IT discipline, it often remains separate from the mainstream business processes used by the IT organization to manage end user experience, service level agreements, and change management. The impact of security events on the business can be profound as any organization that has fallen prey to an outside intruder or even a major outbreak of a virus can attest. This impact is magnified when individuals other than security team specialists spend time and resources on security management activities, resulting in loss of productivity. The closer alignment of security and IT operations personnel enables a proactive response to security intelligence and makes it possible to achieve a greater level of business continuity. Business Service Management. Creating this type of business and IT alignment is called Business Service Management or BSM. BSM enables you to align your IT resources with the goals of your business (i.e., ensuring business continuity), and makes certain that IT is able to support those goals. Ultimately, BSM enables Bridging Security and IT Service Management. Traditional systems management solutions tell you about the performance, health, and availability of your critical IT infrastructure. IT service management solutions allow you to respond to requests, track and resolve problems, manage changes and assets, and monitor delivery of IT service levels. By adding the security information context, it is now possible to take action more quickly and efficiently to protect your systems from security vulnerabilities and malicious code before they affect the performance, health, and availability of the critical business services provided by the IT infrastructure. For example, a new vulnerability may appear for a database that you have in your environment. What impact will that have on your business? How quickly do you need to act? Does this take precedence over other high-priority tasks already underway? By combining the workflow enabled by the IT change management processes you have already defined with the information provided by security management, you can affect change in your IT infrastructure more efficiently. You will be able to react more quickly to a new security situation by automating the creation of help desk tickets and assigning them to the responsible system administration personnel. This will enable you to minimize 3

5 the impact of vulnerabilities and malicious code to your business and preserve the value of your organization, while providing a record of applied due diligence with regard to securing your information assets. SYMANTEC DEEPSIGHT ALERT SERVICES. Security threats are becoming more sophisticated, severe, and frequent. Recent threats include worms like Blaster and Sasser, which achieved their disastrous goals by exploiting software vulnerabilities. Vulnerability management is therefore a key element in proactively protecting corporate IT systems. Last year 2,636 new vulnerabilities were discovered. 70% of those new vulnerabilities could be exploited easily without sophisticated skills using publicly available tools. This feature of today s security environment has shortened the time between vulnerability disclosure and the development of exploits. While enterprises had as much as six months to analyze the impact of new vulnerabilities and deploy remediation plans in the past, this window of action is now becoming shorter and shorter. For Blaster, it was only 26 days, and with Sasser it was only 18 days. With the increasing incidence of serious vulnerability discoveries and diversity of attack methods today, early warning is becoming a mandatory tool for network and organization security. Having up-to-date, reliable security intelligence and then taking proactive action on it is the key to maintaining normal, secure business operations. Customized for any environment. Symantec DeepSight Alert Services provides thorough, environment-specific vulnerability and malicious code alerts based on the exact system and network configuration of a given enterprise environment. For example, alert sets can be tailored by technology skillset, geographical location, management hierarchy, and line-ofbusiness responsibility. Symantec analysts currently watch 18,000 distinct technology, operating system, and application software product versions of 4,600 products from 2,200 vendors, by tracking information from over 150 authoritative sources. By providing only relevant, actionable information and eliminating the hours spent searching through Web sites and s to gather information, the service enables companies to maximize information technology and security resources, saving time and money. Actionable mitigation strategies and analysis. Symantec DeepSight Alert Services provides not only information regarding the potential threat, but also best practices steps to keep systems protected. An analysis of every vulnerability and malicious code (including worms, viruses, and Trojan horses) is provided along with: The severity of the vulnerability or malicious code, as well as its technical description. The systems and versions that might be affected Impact and symptoms of the attack. Mitigation strategies, including workarounds and available patches. Timely identification of new vulnerabilities. Symantec DeepSight Alert Services sends alerts directly to those with the skill and ability to recognize and fix security problems before they can be exploited. With an average of over 50 new and 65 updated vulnerabilities per week, security professionals can spend hours every day searching through all of the mailing lists and Web sites looking for credible information. DeepSight Alert Services saves time and money by eliminating the need to dedicate valuable staff resources to search for and evaluate the latest vulnerability and malicious code information. Advanced personalization capabilities allow administrators to receive only those alerts that are relevant to their specific environment and choose to receive alerts via Web service, , fax, SMS, or voice. By delivering comprehensive and personalized alerts, Symantec DeepSight Alert Services provides organizations with the timely and actionable information they need to protect enterprise assets. REMEDY IT SERVICE MANAGEMENT SOLUTIONS FOR THE ENTERPRISE. The ability of the IT organization to deliver expected levels of service directly impacts business performance. Systematically maintaining IT asset information, while simultaneously identifying and managing changes to those assets, is critical to optimizing the service levels that 4

6 support your business goals. By effectively managing IT changes, assets, and service levels and going beyond consolidated service desk capabilities to deliver proactive IT support you can reduce the occurrence of IT failures, improve service levels and customer satisfaction, and reduce fixed and variable costs. Remedy Service Level Agreements. Automates the entire range of service level agreement (SLA) processes from defining SLAs and monitoring compliance to collecting and analyzing performance data, addressing problem areas, and continually refining the services offered. With Remedy IT Service Management solutions you can: Deliver IT service levels that exceed expectations by appropriately identifying priorities and effectively responding to events. Respond quickly to changes in your business environment and execute IT changes successfully. Maximize the effectiveness of your support organization and provide your users efficient service. Manage the cost of IT services including enterprise assets, change requests, and service level agreements. Remedy Help Desk. Provides geographically distributed help desks even those in different countries the ability to submit, monitor, and manage help desk cases, change requests, and asset records for maximum effectiveness and efficiency. Remedy Asset Management. Provides the ability to track and manage enterprise assets and their changing relationships throughout the entire asset life cycle. Remedy Change Management. Provides a system of scoping, planning, scheduling, implementing, and tracking changes that need to be completed within an organization. Furthermore, all Remedy applications are built on the highly adaptable Action Request System (AR System ) platform, a comprehensive development environment that enables you to easily adapt to meet those unique business needs that may not be directly covered by the standard functionality. INTEGRATION OF SYMANTEC DEEPSIGHT ALERT SERVICES, REMEDY HELP DESK, AND REMEDY ACTION REQUEST SYSTEM. With the time from vulnerability disclosure to exploit continuing to shrink, enterprises have even less time to patch or mitigate these system flaws. In January 2003, the Slammer worm targeted a vulnerability that was 6 months old. More recent threats like the Blaster worm in August 2003 and the Sasser worm in May 2004 targeted vulnerabilities only 26 and 18 days old respectively. The speed of exploit has changed the model for vulnerability management. It is more critical than ever to have a streamlined process for becoming informed and mitigating these potential threats. Combining an early warning service like Symantec DeepSight Alert Services with a trouble ticket system like Remedy facilitates that streamlined response, closing the gap between awareness and action. 1. New vulnerability is found. 2. Personalized alert integrates via Web services. 3. Security specialist (Alerts Manager) reviews alert. 4. Remedy Help Desk ticket created. 5

7 The starting point for the integration between Symantec DeepSight Alert Services and Remedy IT Service Management solutions for the Enterprise is consistent with Symantec DeepSight Alert Services as a standalone solution. The process begins with the identification of a new vulnerability that is personalized for your environment. In the second step, however, instead of sending the alert to an employee s address, the alert is delivered directly into the Remedy Action Request System via a direct Web services communication. This is accomplished by importing the DeepSight Alert Services Web services client into the Remedy Action Request System. This integrated Web services client then pulls vulnerability and malicious code alerts directly from the DeepSight Web services server into the Remedy Action Request System. The detailed alert information provided by Symantec DeepSight Alert Services can now be used to populate a Remedy Help Desk ticket, either automatically or manually in accordance with how you choose to configure the integration. Through AR System workflow, the ticket can then be dispatched to the responsible parties (as you determine the appropriate escalation path) and the DeepSight vulnerability or malicious code alert content can then be tracked as a normal business IT task until completion. For example, you could choose to first dispatch tickets created by DeepSight Alert Services to security personnel for further review or directly to level 2 support personnel who are on call 24x7. Remedy Help Desk allows you to eliminate unnecessary costs by synchronizing and automating problem resolution of duplicate ticket submissions. For example, if six different tickets are created for six different groups of IT assets that are affected by the same Symantec DeepSight Alert Services alert, you can indicate which tickets are duplicates and link them to an original incident so that the security specialist only needs to review, ensure validity, set priority, and add comments once the other tickets are processed and resolved automatically in the same fashion. Why is it important that the integration supports your established IT escalation procedures? Integrating timely security guidance into an existing, well-understood, and well-documented IT service management hierarchy reduces the cost of security, security breaches, and organizational fatigue. It automatically extends the impact of security information contained in the help desk ticket to any authorized entity, line of business, or geography that the organization deems necessary. Furthermore, because the information provided in each notification is a standalone resource for use in identification, mitigation, and remediation, the assigned IT resource is equipped to go to work quickly. He/she does not require further research of the problem in order to begin taking action on the security information contained in the ticket. The task is tracked, as a matter of course, by the organization s own Remedy Help Desk implementation. Because the organization is receiving the information about a vulnerability or the first indications of malicious code, IT organizations are able to act proactively to remove the threat of compromise. INTEGRATION OF SYMANTEC DEEPSIGHT ALERT SERVICES AND REMEDY HELP DESK TECHNICAL DETAILS. As previously mentioned, Symantec DeepSight Alert Services integrates directly to the subscriber s Action Request System via a secure Web services connection. A record is created in the AR System forms delivered with the DeepSight Alert Services integration. Two Remedy Forms are installed, one for Vulnerability alerts and the other for Malicious Code alerts. DeepSight Web Services Remedy Web Service Client Vulnerability and Malicious Code Alert Forms DeepSight Console Queue Manual push to create Automated create Help Desk Ticket Help Desk Ticket 6

8 The first step is to configure DeepSight Alert Services to send alerts directly into the Remedy Action Request System. This is accomplished by creating Vulnerability and Malicious Code Monitors. These Monitors can be personalized so that only alerts relevant to your network technologies, that have reached a predefined criticality threshold are sent to Remedy for follow-up. A console view for Security Alert Management displays both ticket queues. A push capability exists to create Remedy Help Desk (or Remedy Change Management) tickets. AR System workflow provides notification to the correct group or individual when the help desk ticket is created. The option to use the console queue permits an organization to define a role for an Alerts Manager whose task it is to monitor the Symantec DeepSight Alert Services queue. Based on your organization s preference, the Alerts Manager can manually push the record in the queue to the Remedy Help Desk application to create a ticket. Next, the DeepSight Alert Services/Remedy Action Request System integration must be configured. Once the DeepSight Alert Services Forms have been imported into Remedy, the Remedy Web services component must be configured to retrieve the alerts from the DeepSight Web services server. This communication is accomplished over a secure https connection. The integrated Web services client is then configured to retrieve the alerts, as defined in the DeepSight Alert Services Monitors, automatically at regularly scheduled intervals. The console view provides information in a compact format that permits the Alerts Manager to monitor and react to alerts as they are received. This is the default view when the Alerts Manager logs into the AR System application installed by the Symantec DeepSight Alert Services integration. When a row in the table listing is highlighted in red, it signifies that the record has been previously used to create a help desk or change request ticket in the Remedy application. This saves the Alerts Manager the effort of having to open all the table entries to determine if they have been acted upon. The Alert record itself contains either the related help desk or change request Ticket ID with a button to view that record in a read-only mode. The automated option permits your organization to automatically create a Remedy Help Desk ticket when a 7

9 Malicious Code or Vulnerability alert is received. The Alerts Manager designates the criteria for automatic ticket creation. For example, you can elect to automatically create a ticket for Malicious Code alerts based on Risk Level (1-5) and Severity (0-10). For Vulnerability alerts, the urgency setting (0-10) determines the level at which tickets will be automatically created. potential problems. These forms show the summary, technical details, mitigation, and URL links that can point the Alerts Manager to additional information. From here, the Alerts Manager can create a help desk or change request ticket manually. The Alerts Manager is also able to re-categorize the Item field, should he want to revise the default categorization as it was received from the integration. Correct assignment of Remedy tickets. The integration with Symantec DeepSight Alert Services can be configured to automatically assign a help desk ticket to the correct group or individual. This requires you to define CTI (Category/Type/Item) entries in the Remedy Help Desk and/or Remedy Change Management configurations that match the CTI values used in the Vulnerability and Malicious Code alert forms. This CTI designation must then have workflow that assigns the tickets to a group or individual. EXTENDING THE INTEGRATION WITH REMEDY ASSET MANAGEMENT AND REMEDY CHANGE MANAGEMENT. Building on the integration described in the previous two sections, significant additional business benefits can be created by also deploying Remedy Asset Management and Remedy Change Management in conjunction with the Symantec DeepSight Alert Services and Remedy Help Desk integration. Adding Remedy Asset Management. Remedy Asset Management provides organizations the ability to track and manage enterprise assets and their changing relationships throughout the entire asset life cycle. Combined with Remedy Help Desk, Change Management, and Service Level Agreements, the asset data repository enables service desks to improve problem resolution rates and manage change requests. It manages contract and company information, integration among assets, and provides information on the total cost of asset ownership. The linkage between these elements provides an accurate view of an organization s infrastructure for complete risk assessment/abatement and service-level management. After the Remedy Help Desk ticket has been created with the DeepSight Alert Services alert content, it can then be linked to asset records maintained in Remedy Asset Management so that the relevant IT assets may be assigned to the ticket. Additional form details. The Malicious Code and Vulnerability forms provide further details to assist the Alerts Manager in the review of For example, assume that the alert pertains to a particular release level of a particular operating system. The DeepSight Alert Services-generated ticket may then be linked to the specific IT assets that are running the operating system at the specified release level. Since the IT asset record will contain additional information such as the name and contact information for the administrator(s) 8

10 responsible for the affected systems, this information can be added to the ticket and the ticket dispatched to only those individuals who have the appropriate access authority to the systems and are best positioned to carry out the remediation activities as quickly as possible. Furthermore, the ticket may be broken up into multiple tickets, and each assigned to one administrator or group of administrators so that the tickets for each asset or set of assets can be tracked and monitored to completion on an individual basis to their completion. Adding Remedy Change Management. Remedy Change Management addresses the need for constant and rapid change in the IT environment. It enables you to assess the impact, risk, and resource requirements associated with changes, and then use your assessment to create plans and automate approval functions to implement those changes. It not only handles scheduling and task assignments, but also enables change plan performance review and process improvements. For example, before a Remedy Help Desk ticket generated by Symantec DeepSight Alert Services is routed to assigned administrators for remediation, you may decide that it is necessary for a security specialist to review the ticket, ensure that it is a valid concern for the organization, check and reset the priority if necessary, and add additional comments that would be of benefit to the administrator responsible for resolving the problem. Remedy Change Management provides an automated change process framework that allows unique security management change request templates to be created and stored. When a security breach occurs, pre-defined steps and task dependencies established for security specialists to follow ensure the response to security threats is accurate and timely. Remedy Change Management prevents security-related IT events from disrupting business operations. ADDITIONAL EXTENSION SOLUTIONS. Additional solutions from Remedy, Symantec, and our partners may be added to further extend the value of the Symantec DeepSight Alert Services and Remedy Help Desk integration. Automated inventory of hardware and software. As has been previously discussed, the use of an IT asset store provides significant benefit to creating targeted help 1. New vulnerability is found. 2. Personalized alert integrates via Web services. 3. Security specialist (Alerts Manager) reviews alert. 4. Remedy Help Desk ticket created. 8. Patch applied or fix enabled; ticket closed. 7. IT personnel notified and reviews task. 6. Remediation task assigned. 5. Asset assigned through Remedy Asset Management. Enabled by Remedy Change Management 9

11 desk tickets generated by Symantec DeepSight Alert Service alerts; however, ensuring that your IT asset store is complete, current, and accurate represents a substantial challenge to your IT staff. Solutions that enable the autodiscovery of hardware and software assets simplify such tasks and increase the value of Remedy Asset Management when used with Symantec DeepSight Alert Services. Automated distribution of patches and upgrades. Patch management solutions allow for the further streamlining of IT workflow processes when you need to take action on a Remedy Help Desk ticket that has been generated by Symantec DeepSight Alert Services. These types of solutions enable you to shorten the time to action on the ticket through automation, thus minimizing the manual intervention necessary to resolve the ticket, and reducing the potential for human error and accidentally overlooked systems. Remote control from the service desk. Even though you may have linked the help desk ticket to a specific asset, the location of that asset may be difficult to reach on short notice, such as a server in a remote office with no local IT support personnel. If a Symantec DeepSight Alert Services alert generates a ticket for such an asset, remote control solutions can be employed so that immediate action can be taken rather than waiting on someone to be dispatched to the remote office. SUMMARY. As enterprises seek to create a greater degree of business and IT alignment, one key area of focus is to improve the effectiveness with which they respond to potential security threats. While security management has significantly matured as an IT discipline, it often remains separate from the mainstream business processes used by the IT organization. The closer alignment of security and IT operations personnel enables the proactive response to security information and makes it possible to achieve a greater level of business continuity. in your IT infrastructure more efficiently and you will be able to respond to a new security situation more quickly. This will enable you to minimize the impact of security vulnerabilities and malicious code on your business and preserve the value of your organization. PARTNERING TO ENABLE EFFECTIVE BUSINESS SERVICE MANAGEMENT. In October 2003, BMC Software, Remedy, and Symantec Corporation formed a strategic alliance that brings together industry-leading security and enterprise management solutions to extend the delivery capabilities of Business Service Management (BSM). The combined solution benefits customers through faster response and resolution to new security vulnerabilities and exploits by leveraging existing business best practices, improved alignment of security and IT support personnel, and enhanced prioritization of security and IT resources, leading to a reduction in security-related business interruptions. Symantec is a BMC Software Global Alliance Partner and BMC Software s BSM Foundation Partner for Security. Symantec is also a Remedy Technology Alliance Partner. BMC Software is a Symantec Global Strategic Alliance Partner. These are the highest software alliance levels for all three companies. Together, BMC Software, Remedy, and Symantec collaborate through joint product integration, marketing, endorsement, and recommendation of each other s products and field engagement to ensure the highest levels of customer satisfaction at all times. By bringing together the information provided by security management with the workflow and processes enabled by IT service management, you will be able to affect change 10

12 ABOUT BMC SOFTWARE. BMC Software, Inc. [NYSE:BMC], is a leading provider of enterprise management solutions that empower companies to manage IT from a business perspective. Delivering Business Service Management, BMC Software solutions span enterprise systems, applications, databases, and service management. Founded in 1980, BMC Software has offices worldwide and fiscal 2003 revenues of more than $1.3 billion. For more information about BMC Software, visit ABOUT SYMANTEC. Symantec is the global leader in information security providing a broad range of software, appliances, and services designed to help individuals, small and midsized businesses, and large enterprises secure and manage their IT infrastructure. Symantec's Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in more than 35 countries. More information is available at BMC Software, the BMC Software logos, and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation Symantec Corporation. All other registered trademarks or trademarks belong to their respective companies BMC Software, Inc. All rights reserved. 6/04