Security Information and Event Management

Transcription

1 Security Information and Event Management sponsored by: ISSA Web Conference April 26, 2011 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London

2 Welcome Conference Moderator Phillip H. Griffin ISSA Web Conference Committee 2

3 Agenda The Truth & Reality of a SIEM Implementation Candy Frances Alexander, CISSP CISM - Chief Information Security Officer, Long Term Care Partners Data Governance in Today s World Peter Kohler - Optim, Guardium, and Discovery Business Unit Executive - IBM Cloud Automation Protocols for SIEM Erin Connor - Director, EWA-Canada Open Panel with Audience Q&A Closing Remarks 3

4 The Truth & Reality of a SIEM Implementation Candy Alexander, CISSP CISM 4

5 Topics Background Requirements Typical challenges Doing it the right way If I were to do it all over again 5

6 Background Jumped into the SIEM game 3 years ago Requirements were defined as Compliance monitoring (HIPAA, FISMA) Identify security posture Central security management console (central view) Audit evidence/artifacts Incident response/investigations IT optimalization Security Maturity Level: Evolving Common challenges Multiple Stakeholders without clear expectations Getting IT involved (i.e. care and feed) Where does it really fit? Has it hurt or helped? 6

7 Requirements Understand what YOU need the tool to do Regulatory Scalability Learn what you don t know Factor in vendor support/training Understand what the TOOL needs you to do Skills FTE/PTE? Budget to grow on? 7

8 Challenges Who needs a Project manager? Security maturity of Program Evolving Program = people/culture challenges Implementation Program = technology challenges Well Established Program = skill levels, resources Business Value 8

9 Doing it the right way No matter what, before you begin Get common agreement Use sound project management methodologies 9

10 If I were to do it all over again NO matter what, this is one of the biggest investments and implementations that you will undertake Look at your options In-house (mature security programs with a huge scope) Out-source (any level of maturity with a smaller scope or resources) * Hybrid (any level of maturity with smaller resources but want/need to keep in house) 10

11 Question and Answer Candy Alexander, CISSP CISM Chief Information Security Officer Long Term Care Partners 11

12 Data Governance in Today s World Peter Kohler Data Governance Business Unit Executive 12

13 The Challenges Around Data Governance Application Redundancies Application Portfolio Rationalization Sunset legacy applications Reduce operational IT spend Rampant Data Growth Cost effectively support your information retention policies while controlling data growth. Meet SLA s Reduce operational IT spend Information Security Protect and enable secure sharing of information 84% of security breaches come from internal sources, from non-production. Average Costs and Fines for a Data Breach $6.6M Information Compliance Reduce brand reputation risks and audit deficiencies 63% IT executives rate compliance with regulations a top challenge. Sources: CIO Magazine survey 2007;

14 Protecting Information Security & Privacy Across the Enterprise Define policies Classify & define data types Discover where sensitive data resides Discover & Define De-identify confidential data in non-production environments Safeguard sensitive data in documents Protect enterprise data from both authorized & unauthorized access Secure & Protect Assess database vulnerabilities Monitor and enforce database access Audit and report for compliance Monitor & Audit Information Governance Core Disciplines Quality Management Lifecycle Security & Privacy

15 Securing and Protecting Your Information Supply Chain Protecting the data across the enterprise, both internal and external threats Knowing who s accessing your data when, how and why Monitoring and reporting on database access for audit purposes Test/Dev Discover & Define Monitor & Audit Secure & Protect

16 Complete Business Object Challenge for Retention and Masking Referentially-intact subset of data across related tables and applications; includes metadata Provides historical reference snapshot of business activity Federated object support across enterprise data stores Payments

17 De-identify Data in Non-Production Environments without Impacting Test & Development Mask or de-identify sensitive data elements that could be used to identify an individual Ensure masked data is contextually appropriate to the data it replaced, so as not to impede testing Data is realistic but fictional Masked data is within permissible range of values Support referential integrity of the masked data elements to prevent errors in testing JASON MICHAELS ROBERT SMITH Personal identifiable information is masked with realistic but fictional data for testing & development purposes.

18 Real-Time Database Monitoring DB2 Non-invasive architecture Outside database Minimal performance impact (2-3%) No DBMS or application changes Cross-DBMS solution 100% visibility including local DBA access Enforces separation of duties (SoD) Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders Granular, real-time policies & auditing Who, what, when, how Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.) 18

19 Protect Sensitive Data Values within Documents Redact (or remove) sensitive unstructured data found in documents and forms, protecting confidential information while supporting the need to share critical business information Support compliance with industry-specific and global data privacy requirements or mandates Leverage an automated redaction process for speed, accuracy and efficiency Ensure hidden source data (or metadata) within documents is redacted as well Prevent unintentional disclosure by using role-based masking to confidently share data Ensure multiple file formats are support, including PDF, text, TIFF and Microsoft Word documents Redact Full Name & Street Address

20 Question and Answer Peter Kohler - Optim, Guardium, and Discovery Business Unit Executive - IBM pkohler@us.ibm.com 20

21 SIEM and Automation Protocols Erin Connor Director EWA-Canada

22 Overview Issues & Answers for Security Automation Security Content Automation Protocol Common Language Elements Operational Elements SCAP Content & Scanning On the Automation Horizon Why Automation Protocols Over the Automation Horizon

23 Issues for Security Automation Proprietary information and formats across products Incompatible information across technologies Information collection is costly and error prone Inefficient use of resources managing configurations, vulnerabilities and patches Same or similar problems when systems connected into networks and events start happening Doesn t scale well as networks grow and the number of desirable and undesirable events multiply

24 Answers for Security Automation Standard Language Using the same name for the same object in all instances Lends itself to the use of automated tools, reducing manual requirements increases accuracy in reporting and subsequent response Valuable human resources can be tasked to more difficult problems

25 Security Content Automation Protocol (SCAP) Initial foray into automation protocols to deal with configuration and patch issues Seven Underlying Standards Validation Program to test and verify that scanning tools properly implement and understand the language defined by the six standards, and can properly execute SCAP content

26 SCAP Common Language Elements Common Platform Enumeration (CPE ) defines a structured naming scheme for information technology systems, platforms, and packages Common Configuration Enumeration (CCE ) defines unique identifiers for system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools Common Vulnerabilities and Exposures (CVE ) comprises a dictionary of publicly known information security vulnerabilities and exposures (configuration issue)

27 SCAP Operational Elements extensible Configuration Checklist Description Format (XCCDF) defines a specification language for writing security checklists, benchmarks, and related kinds of documents representing a structured collection of security configuration rules for some set of target systems Open Vulnerability Assessment Language (OVAL) an information security community effort to standardize how to assess and report upon the machine state of computer systems, i.e., how to query configuration, vulnerability, etc., status of a target Common Vulnerability Scoring System (CVSS) provides an industry standard for assessing the severity of computer system security vulnerabilities thereby allowing comparison and prioritization of response Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions, i.e., non-automated manual checks

28 SCAP Content Four Tiers identifying the form of the content: I Prose checklist II Non-standard (non-scap) machine readable III SCAP expressed but not validated (should work in validated tool) IV validated SCAP content (will work in validated tool) Tier IV content (OMB & NIST) for: WinXP, WinVista (and associated WinFWs), IE 7 - FDCC Win7, Win7 FW & IE8 - USGCB RHEL 5 Desktop (Beta USGCB) National Vulnerability Database U.S. government repository of standards based vulnerability management data represented using SCAP Validated SCAP Tools -

29 SCAP Scanning Internet Router DMZ Firewall Web Servers Application Servers Database Systems Intranet DNS Server Mail Server Web Servers Desktop Systems Desktop Systems Desktop Systems SCAP Scanner SCAP Scanner

30 Validated SCAP Tool Vendors

31 On the Automation Horizon Event Management Automation Protocol Being developed to do for event management what SCAP has been able to do for configuration and vulnerability management Builds on another set of standards, including: Common Event Expression (CEE ) provide a standardized way for computer events to be described, logged, and exchanged allowing for more efficient enterprise-wide log management, correlation, aggregation, auditing, and incident handling Common Attack Pattern Enumeration and Classification (CAPEC) - objective to provide a publicly available catalogue of attack patterns along with a comprehensive schema and classification taxonomy Malware Attribute Enumeration and Characterization (MAEC) - a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artefacts, and attack patterns

32 Why Automation Protocols? SCAP provides the ability to use standardized tools to determine and report baseline configurations in the network in real time, i.e., not only discover what is there but individual hardened status on an ongoing basis EMAP will provide a standardized language for network attached systems to report what is happening As more and more system vendors implement SCAP and EMAP compatible interfaces and information reporting: SIEM vendors will be able to concentrate on enhancing analysis and correlation capabilities rather than keeping up-to-date with changes system vendors may make to proprietary event information reporting formats End users will be able to decide among SIEM tools based on comparison of analysis and reporting capabilities, and not whether the tools speak the same language as the devices on their networks Up-to-date configuration status can affect the importance of a network event, e.g., probes against systems known to have up-to-date mitigations may be in the category Of Interest rather than Panic!

33 Over the Automation Horizon From Public/Private Collaboration Efforts for Enterprise Security Automation presented at Software Assurance Forum 27 September 2010

34 Over the Automation Horizon Automation Protocol initiatives underway or proposed, including: Enterprise Remediation Automation Protocol Enterprise System Information Protocol Enterprise Compliance Automation Protocol Threat Analysis Automation Protocol Software Assurance Automation Protocol Incident Management Automation Protocol Longer term goal to get to the point where network managers can respond to events in real time by changing policies and configurations from a central management point

35 Questions Erin Connor EWA-Canada, Director x1214

36 References/Resources Selected Standards: Security Content Automation Protocol (SCAP) Common Platform Enumeration (CPE) Common Configuration Enumeration (CCE) Common Vulnerabilities & Exposures (CVE) extensible Configuration Checklist Description Format (XCCDF) Open Vulnerability Assessment Language (OVAL) Common Vulnerability Scoring System (CVSS) Open Checklist Interactive Language (OCIL) CWE Common Event Expression (CEE) Common Attack Pattern Enumeration and Classification (CAPEC) Malware Attribute Enumeration and Characterization (MAEC) Asset Reporting Format (ARF)

37 References / Resources Automation Content Federal Desktop Core Configuration United States Government Configuration Baseline (USGCB) Conferences NIST Annual Security Automation Conference Autumn time frame, 2011 not yet formally announced, Software Assurance Forum semi-annual Spring and Autumn forums National Vulnerability Database (NVD)

38 Question and Answer Erin Connor - Director, EWA-Canada econnor@ewa-canada.com 38

39 Panel Discussion Phillip H. Griffin - ISSA Web Conference Committee Candy Frances Alexander, CISSP CISM - Chief Information Security Officer, Long Term Care Partners Peter Kohler - Optim, Guardium, and Discovery Business Unit Executive - IBM Erin Connor - Director, EWA-Canada

40 Closing Remarks Thank you to our Sponsor Thank you to Citrix for donating this Webcast service Online Meetings Made Easy 40

41 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. 41