SERVICE ORIENTED EVENT ASSESSMENT CLOSING THE GAP OF COMPLIANCE MANAGEMENT

Transcription

1 IBM Software Group SERVICE ORIENTED EVENT ASSESSMENT CLOSING THE GAP OF COMPLIANCE MANAGEMENT Dieter Riexinger IT Architect IBM Corporation

2 Agenda Introduction Legal obligations and regulations Who causes internal incidents? Security Event Collection Filtering and correlating events The pain of selecting the right events Service Oriented Event Assessment Event context creation How to catch the barbarian? 2 Event Assessment

3 Legal obligations and regulations request protection of assets Gramm-Leach-Bliley Act Health Insurance Portability and Accountability Act (HIPAA) Sarbanes Oxley Act 3 Event Assessment

4 We want to protect our assets from internal and external misuse Internal Users Privileged Users External Users - Firewall - Authentication - Authorization 4 Event Assessment

5 Who Causes Internal Incidents? The Barbarian is Inside the Gate : 90% of insider incidents are caused by privileged or technical users Most are inadvertant violations of: Change Management Process Acceptable use policy Account management process Others are deliberate, due to: Revenge Negative Events Regardless, too costly to ignore: Internal attacks cost 6% of gross annual revenue or 9 dollars per employee per day. Privileged or technical users (90%) Other (10%) Sources: Forrester research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005/6/7/8; CSI/FBI Survey, 2005/6/7; National Fraud Survey; CERT, various documents. 5 Event Assessment

6 Security Administrators are faced with a huge number of security events in different formats Security Administrator Intrusion Reports Firewall Events Syslog Files Database Logs Network 6 Event Assessment

7 Event Management Systems collect, format and correlate security events Deactivate infected or attacked systems Block attacking systems Investigate user activity Security Administrator Correlate alarms Format Events Network 7 Event Assessment

8 Filter Rules and Correlation Rules show events which require further investigation. Which one to pick? Mid-size production environment Offline-Analysis Statistics Reporting > 100 million events per day > 5 million Events stored in central security database ~250 Events Online-Analysis 8 Event Assessment

9 Processing and forwarding unknown events keeps the include and exclude pattterns up-to-date. Event Monitoring Client Sensor (Syslog, Event Log, ) Include Pattern Exclude Patterns Processing Unknown Events Event Correlation and Analysis 9 Event Assessment

10 The security operator s success depends on selecting the right event Success Rate Random Sample Simple Rules Behavioural Checks Context Creation Approach 10 Event Assessment

11 Immediate reaction on critical events is key to prevent misuse of access rights. 17:54:03.00: User us0815 logged in with privileged access on host obaserver1.company.com 1. Identify user 2. Determine user status and role 3. Security classification of host 4. Access assessment 5. Contact 6. History analysis Disaster revealed the next day Event Assessment

12 Access to multiple data source is required for a comprehensive assessment. Change Data Data Access Change-ID Hostname Description Person 5 x HR Data Change-45 messaging.company.com Install patch Oliver James 2 x Event Data Change-47 obaserver1.company.com Delete db instance #23 John Admin 1 x Change Data Asset Data User ID Management 1 x Problem Ticket System Asset-id;hostname;owner;os;sla System login real_name 1 x Brokering System Asset-86; obaserver1.company.com; J. Admin;Unix;8x13 Asset-87; online.banking.com;jason;unix;24x7 Asset-88; messaging.banking.com;windows;8x5 Windows Unix delivery7 stephansec Oliver James Stephan Verne 1 x Asset Data 1 x SOX Liste Unix us0815 John Admin 1 x User ID Management System HR Data Event Data Person-ID Name Telefon Event-ID Hostname Event description Person-17 Oliver James 2457 Event-123 obaserver1.company.com us0815 logged in on obaserver1.company.com Person-18 John Admin 3526 Event-124 Messaging.company.com 3 x false password by george27 Person-19 Michael Jones 3334 Event-125 obaserver1.company.com us0815 performed a 'sudo on host obaserver1.company.com. 12 Event Assessment

13 Manual context establishment can be a time consuming and error prone task Database Problem Management Manual context establishement and assessment Database Change Management Event Investigator Asset Management Security Event System HR Application CSV File Database Database 13 Event Assessment

14 Solution architecture Stakeholder Application Layer Business Process Layer Security Cockpit IT Compliance Management Processes Service Layer Data Layer 14 Event Assessment

15 The Component Model Expert system Security Cockpit Configuration and personalization XML Configuration GUI (SWT) Web service Proxy client Event based relationship evaluation Application Server CRUDS CRUDS CRUDS CRUDS CRUDS CRUDS Event archive MySQL Problem (*) IBM TRM (DB2) IBM TSCM (DB 2) MySQL Changes (*) Slaphapi * import 15 Event Assessment

16 Our solution supports users in all incident processing phases Security Cockpit Data pre-analysis Context creation Contextevaluation Solution Suspicious Security event Event based Relationship assessment Expert system Filter CRUDS CRUDS Security Events Change HR Asset Problem Event data history Security Event Management System Enterprise data sources Incident archive 16 Event Assessment

17 First prototype promises improved reaction on security events with regards to time and contents. Security event assessment is mandatory part of compliance management Helps to reduce risk of unauthorized access Event context creation is an essential part of the process Our prototype improved the event reaction time and quality of investigations during the pilot phase Next steps include further automation of event assessment, for example by integrating patterns of behaviour in the context of change management 17 Event Assessment