Getting the Most out of XMA and XUA from the new Security Bundle




HP-36, Chynoweth, November 19, 2014, 9:00 AM
Customer Experience, TELUS and TELUS Health
Speaker: Scott Uroff, XYPRO
Content: Mark Wilson, TELUS Health

Overview
- Introduction
- About TELUS Health
- The Security Bundle: XYGATE Merged Audit (XMA) and XYGATE User Authentication (XUA)
- Installing the HP-provided XMA software
- Using Scout and DSMSCM
- Useful tricks
- Generating alerts with XMA
- Customizing daily reporting with XMA
- Using XUA for RADIUS authentication

Getting the Most out of XMA and XUA: About TELUS Health

About TELUS and TELUS Health
TELUS is Canada's fastest-growing national telecommunications company:
- $11.8 billion of annual revenue
- 13.5 million customer connections
- 8.0 million wireless subscribers
- 3.2 million wireline network access lines
- 1.45 million Internet subscribers
- 888,000 TELUS TV customers
TELUS provides a wide range of communications products and services, including wireless, data, Internet protocol (IP), voice, television, entertainment and video, and is Canada's largest healthcare IT provider.

Getting the Most out of XMA and XUA: XYGATE Merged Audit and XYGATE User Authentication

XMA Architecture Overview
- Audit sources (data movers): Safeguard, EMS, XYGATE, iTP WebServer, plus plug-ins for other applications
- XYGATE filter processing, feeding the XMA database (NonStop SQL/MP)
- Log adapters for enterprise audit logging (HP ArcSight SIEM)
- Alerts: email, EMS, syslog, SNMP, custom
- GUI clients for XMA: XYGATE Report Manager, XYGATE Event Monitor

XUA Architecture Overview
- 100% of NonStop authentication requests are handled through the authentication layer.
- Configuration settings and authentication rules.
- Safeguard users can now access servers through an industry SSO solution.
- NonStop programs covered: TACL, OSS, FTP, ODBC, DSM/SCM, SSH, OSM and all others.
- User authentication audit data and user ID information are recorded.
- The authentication layer maps the authenticated user to the associated NonStop user ID.

Getting the Most out of XMA and XUA: Installing the HP-provided XMA software, Useful Tricks, Generating Alerts with XMA

Using Scout and DSMSCM
Be thankful for what you have and figure out how to use it in your environment. I hope we can provide you the keys to a successful installation and the ability to unlock the wonderful benefits of Merged Audit. This is what you need to know:
- Merged Audit is HP product T0928; your first point of contact for support is the GCSC.
- It comes with marketing product QSN051, free with systems sold after September 2010.
- The product installed easily, but you do have to do it with some thought:
  - Find the space for the audit data to grow.
  - Find the additional support tools to make it a gold standard (email servers and enterprise security event monitoring tools).
  - Build some custom reports. Run some interactive reports.
  - Have your security teams build some use cases from their enterprise security tools, HP ArcSight for example.
- Nothing is ever easy, so where possible arrange for HP installation and support services.

Using Scout and DSMSCM: the things you have to do
- Download the latest version from HP Scout.
- Load it into DSM/SCM so that you can keep track of the RVU you are running.
- I like to run the install manually, under my control, so run the obey file from where you placed it. I use $DSMSCM.
- Stop after the install macro and size your SQL database BEFORE running XMA_MANAGER the first time (this requires deciding on and editing one or two of the install files).
- Start your Merged Audit movers pathway via the XMA_MANAGER macro.


Using Scout and DSMSCM: running the install
Run the install from the subvolume where you placed the distribution (here node \DNB1, subvolume $DSMSCM.E0928AAR), and stop after the install macro to size the SQL database before XMA_MANAGER is run for the first time:

  \DNB1 $DSMSCM E0928AAR 53> run insrun

  You will be asked a series of questions about the installation of XYGATEMA.
  You may abort the install process at any prompt by hitting the BREAK key.
  Prompts that end with a string within angle brackets mean that just hitting
  the return key will use that default value.
  =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  PLEASE READ THE SOFTDOC AS PART OF THE INSTALLATION PROCESS.
  =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

Using Scout and DSMSCM: starting the movers
Start your Merged Audit movers pathway via the XMA_MANAGER macro:

  XYGATEMA Management Main Menu v2.25
  * * * * * * * * * * * * * * * * * * *
  1: Pathway
  2: Movers
  3: Database
  4: Uninstall
  X: Exit
  Selection? 2

Useful Tricks
- The BIN file from HP is large, and a standard WS_FTP transfer creates small file extents. Use a DOS or other command-line FTP client and supply the file code and extent sizes on the put, e.g.:
    put E0928AAR E0928AAR,991,1000,1000,900
- Don't forget file code 991, and use SWARCSET to unpack the archive:
    swarcset $dsmscm.rvu.e0928aar,,volume $dsmscm,myid
- Decide on your database cleanup time.
- Watch for performance issues.
- Plan for database maintenance; enlist help from your DBA.
- Protect your XMA FILTERS file once built. I accidentally purged one but recovered it from another system.

Generating Alerts with XMA: EMS alerts
- Get the easy FILTERS created.
- Generate ViewPoint alerts from SUPER.SUPER logons.

Generating Alerts with XMA: email alerts
- Get the easy FILTERS created.
- Where possible, email other critical alerts to staff.
- Yes, the IP address in the sample is bogus. MAIL_FROM does not need to be a valid mailbox; the (TABLE.FIELD) tokens in MAIL_TEXT are replaced with the values from the audit record that triggered the action.

  ACTION_BEGIN
    ACTIONTYPE MAIL
    MAIL_SRV 10.18.475.985
    MAIL_IPPROCESS $ztc0
    MAIL_PORT 25
    MAIL_FROM MergedAuditEvent@TELUS.COM
    MAIL_TO mark.wilson2@telus.com
    MAIL_SUBJECT ALERT - Security logon event
    MAIL_TEXT
      "NODE: (INSTALL.SYSTEMNAME) "
      "Time: (AUDIT.RECORDLCT) "
      "Event: (AUDIT.SUBJECTLOGIN) altered (AUDIT.OBJECTNAME) "
      " (AUDIT.RESULT) "
      "Outcome: (AUDIT.OUTCOME) (Success = 1; Fail = 3)"
    MAIL_TEXT_END
  ACTION_END

Generating Alerts with XMA: syslog alerts to a SIEM (HP ArcSight)
- Get the easy FILTERS created.
- Where possible, get the security data off-platform to your enterprise security event monitoring system. It makes the audit teams happy.
- The IPALERT address below is a placeholder as well (octets above 255 are not valid). The slide shows only the beginning of the FILTER definition.

  FILTERDEFBEGIN $CLW-ALL-EVENTS-EXCEPT-EMS
  != This FILTER selects All Audits except EMS
  STATUS ACTIVE
  ! $CLW-ALL-EVENTS-EXCEPT-EMS
  ACTIONCOLL_BEGIN
    ACTION_BEGIN
      ACTIONTYPE IPALERT
      IPALERT_IPPROCESS $ZTC0
      IPALERT_ADDRESS 10.14.295.355
      IPALERT_PORT 515
      IPALERT_PREFIX local0 <130> XYGATEMA NonStop
      ALERTSTRING @0
      ALERTSTRING @ (SESSION.RECORDSESSIONKEY)
      ALERTSTRING @ (SESSION.RECORDINSTALLKEY)
      ALERTSTRING @ (SESSION.SESSIONID).
    ACTION_END
    ACTION_BEGIN
      ACTIONTYPE SETDATA AUDIT.USER_DATA syslog ALERT
    ACTION_END
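Both alert actions above work the same way: XMA resolves (TABLE.FIELD) tokens into text, and the IPALERT action then ships that text to a syslog listener behind a fixed PRI of <130>. The Python below is an added example, not XYPRO or TELUS code, covering both ends of that path: it checks that <130> really encodes local0/critical per RFC 3164 (a wrong PRI is the usual reason a SIEM files alerts under the wrong facility), renders constructed audit records through a hypothetical key=value ALERTSTRING layout (the real layout is whatever your FILTERS file emits), and parses the resulting lines the way a SIEM rule would to flag SUPER.SUPER failures using the outcome codes the email template documents (1 = success, 3 = fail). The record field values, the key=value layout and the token substitution semantics are assumptions.

```python
import re

# RFC 3164 facility and severity numbers; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility, severity):
    """PRI value a sender must put in IPALERT_PREFIX for this facility/severity pair."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(value):
    """Split a PRI back into (facility, severity); unknown facility numbers come back as facilityN."""
    names = {num: name for name, num in FACILITIES.items()}
    return names.get(value >> 3, "facility%d" % (value >> 3)), SEVERITIES[value & 7]


# (TABLE.FIELD) tokens as written in XMA MAIL_TEXT / ALERTSTRING lines.
TOKEN = re.compile(r"\((\w+)\.(\w+)\)")


def render(template, record):
    """Resolve (TABLE.FIELD) tokens from a record shaped {table: {field: value}} (assumed semantics)."""
    return TOKEN.sub(lambda m: str(record[m.group(1)][m.group(2)]), template)


# Hypothetical message layout: PRI and the IPALERT_PREFIX text, then key=value pairs.
ALERT_TEMPLATE = ("<130> XYGATEMA NonStop NODE=(INSTALL.SYSTEMNAME) TIME=(AUDIT.RECORDLCT) "
                  "USER=(AUDIT.SUBJECTLOGIN) OBJECT=(AUDIT.OBJECTNAME) OUTCOME=(AUDIT.OUTCOME)")

LINE = re.compile(r"^<(\d{1,3})>\s*XYGATEMA\s+NonStop\s+(.*)$")


def parse_alert(line):
    """Parse one XMA syslog line into a dict, or return None if it is not a well-formed XMA alert."""
    m = LINE.match(line)
    if not m:
        return None
    pri_value = int(m.group(1))
    if pri_value > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = decode_pri(pri_value)
    fields = dict(item.split("=", 1) for item in m.group(2).split() if "=" in item)
    return {"facility": facility, "severity": severity, **fields}


def is_super_super_failure(alert):
    """Detection rule: SUPER.SUPER with XMA outcome 3 (fail); outcome 1 would be success."""
    return (alert is not None
            and alert.get("USER") == "SUPER.SUPER"
            and alert.get("OUTCOME") == "3")


# Constructed sample audit records; field names follow the tokens used in the FILTERS samples.
SAMPLE_RECORDS = [
    {"INSTALL": {"SYSTEMNAME": "\\DNB1"},
     "AUDIT": {"RECORDLCT": "2014-11-19T09:00:01", "SUBJECTLOGIN": "SUPER.SUPER",
               "OBJECTNAME": "$SYSTEM.SYSTEM.USERID", "OUTCOME": 3}},
    {"INSTALL": {"SYSTEMNAME": "\\DNB1"},
     "AUDIT": {"RECORDLCT": "2014-11-19T09:00:07", "SUBJECTLOGIN": "SUPER.SUPER",
               "OBJECTNAME": "$SYSTEM.SYSTEM.USERID", "OUTCOME": 1}},
    {"INSTALL": {"SYSTEMNAME": "\\DNB1"},
     "AUDIT": {"RECORDLCT": "2014-11-19T09:01:12", "SUBJECTLOGIN": "OPS.MWILSON",
               "OBJECTNAME": "$DATA01.XYGATEMA.FILTERS", "OUTCOME": 3}},
]


def flagged_events(records, template=ALERT_TEMPLATE):
    """Render each record as the mover would, parse it as the SIEM would, and keep the hits."""
    hits = []
    for rec in records:
        alert = parse_alert(render(template, rec))
        if is_super_super_failure(alert):
            hits.append(alert)
    return hits


if __name__ == "__main__":
    for hit in flagged_events(SAMPLE_RECORDS):
        print(hit)
```

Running it flags only the first constructed record (a SUPER.SUPER failure) and leaves the successful SUPER.SUPER logon and the non-privileged failure alone. If you change IPALERT_PREFIX to another facility or severity, recompute the PRI with pri() rather than editing the number by hand.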

Generating Alerts with XMA: custom alerts
- Use the FILTSAMP file for examples.
- Build some custom TACL macros that are triggered by MA to do some fancy work.
- Share what you've learned with your peers and with us.
- Like the FILTERS file, the macro a RUNCMD action names should be write-protected: the mover will run whatever that file contains.

  ACTION_BEGIN
    ACTIONTYPE RUNCMD
    MAXCOMPLETIONTIME 120
    RUNCMDDEFBEGIN
      RUN $SYSTEM.TACLMAC.GOXMAMSG
    RUNCMDDEFEND
  ACTION_END

Getting the Most out of XMA and XUA: Partitioning the XMA Database

Partitioning the XMA Database
The procedure is in the header of the PARSAMP file shipped with the product:

  ---------------------> $SYSTEM.XYGATEMA.PARSAMP (14/10/30 16:42) <-------------
  -- File: PARSAMP
  -- This file contains samples of the commands used to partition an SQL table.
  -- Procedure:
  -- 1) Modify the statements below, adding the volume name. You may optionally
  --    enter values for EXTENTS and MAXEXTENTS. The default for EXTENTS is
  --    (16,64); the default unit type is page. The default for MAXEXTENTS is 160.
  --    You may add additional ALTER statements if more partitions are desired.
  --    NOTE: During XYGATE/MA processing the partition key values assigned are
  --    2-255. The value zero is omitted so that an empty partition can be
  --    created. The value 1 is reserved for conversion purposes.
  -- 2) Stop your XYGATE/MA pathway via XMA_MANAGER.
  -- 3) Run the macro XMA_LOAD_DEFINES.
  -- 4) Execute the following command:
  --    SQLCI/in PARSAMP,out $S.#XMA.PART/
  -- 5) Adding partitions will invalidate the SQL programs. To remedy the
  --    situation, run $<vol>.<subvol>.xma install and then run XMA_SQLCOMPALL.
  -- 6) Restart your XYGATE/MA pathway via XMA_MANAGER.
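The ALTER statements themselves are not reproduced on the slide. As an added illustration (not XYPRO's PARSAMP), here is what two partitioning statements look like in NonStop SQL/MP syntax, applying the note in the header: XMA writes partition key values 2-255, never 0, and reserves 1, so when the first added partition begins at key 2 the primary partition keeps only keys 0 and 1 and stays empty. The table name $DATA01.XYGATEMA.AUDIT, the volumes $DATA02 and $DATA03 and the split at key 128 are assumptions; take the real table and key column from PARSAMP.

```sql
-- Added example, not from PARSAMP. Hypothetical table $DATA01.XYGATEMA.AUDIT
-- whose leading key column carries the XMA partition key (values 2-255).
-- The primary partition on $DATA01 covers keys below 2, which XMA never writes,
-- so it remains the empty partition the PARSAMP note describes.

-- Second partition: keys 2 through 127, product defaults for extents.
ALTER TABLE $DATA01.XYGATEMA.AUDIT
  ADD PARTITION $DATA02.XYGATEMA.AUDIT
  FIRST KEY (2)
  EXTENT (16, 64)
  MAXEXTENTS 160;

-- Third partition: keys 128 through 255, sized larger for growth.
ALTER TABLE $DATA01.XYGATEMA.AUDIT
  ADD PARTITION $DATA03.XYGATEMA.AUDIT
  FIRST KEY (128)
  EXTENT (32, 128)
  MAXEXTENTS 320;
```

Run the file through SQLCI exactly as step 4 shows, with the pathway stopped (step 2) and the defines loaded (step 3). Put each partition on a different volume so audit inserts are spread across disks, and remember step 5: the dependent SQL programs are invalid until XMA_SQLCOMPALL has recompiled them.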

Getting the Most out of XMA and XUA: Using XUA for RADIUS Authentication

Using XUA for RADIUS Authentication
Objective: TELUS wished to move all IDs to AD-based user IDs in order to keep all user provisioning centralized.
Challenge: an existing Pathway application used application-based user IDs, and there was no source code.
Solution: Professional Services developed a simple server to accept the application's authentication requests and map them to AD user IDs. XYGATE User Authentication routes the application authentication requests to that RADIUS server.
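What XUA hands to such a server is an ordinary RADIUS Access-Request, so the server only has to speak RFC 2865. The Python below is an added example (not TELUS, XYPRO or HP code) of the complete exchange, assuming a PAP-style User-Password request (the slide does not say which RADIUS method XUA uses): the client builds an Access-Request with a fresh 16-octet Request Authenticator and a User-Password hidden with the MD5 keystream of RFC 2865 section 5.2; the server unhides it, checks it against a directory (a constructed dict standing in for the AD-mapped account lookup) and answers Access-Accept or Access-Reject; the client verifies the Response Authenticator before trusting the reply code. The user name, password and shared secret are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-octet Authenticator follows


def _attr(atype, value):
    """Encode one Type/Length/Value attribute; Length counts its own two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Walk the attribute list, rejecting truncated or zero-length attributes instead of looping."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; trailing NULs are padding (the RFC gives no way to carry them)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, req_auth=None):
    """Client (XUA) side: Access-Request carrying User-Name and the hidden User-Password."""
    req_auth = req_auth or os.urandom(16)  # must be fresh and unpredictable for every request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _reply(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def serve_access_request(packet, secret, directory):
    """Server side: unhide the password, compare it against the directory, answer Accept or Reject."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    if user is None or hidden is None or len(hidden) % 16:
        return _reply(ACCESS_REJECT, ident, req_auth, b"", secret)
    expected = directory.get(user)
    presented = unhide_password(hidden, secret, req_auth)
    ok = expected is not None and hmac.compare_digest(presented, expected)
    return _reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


def verify_reply(reply, request, secret):
    """Client side: return the reply Code only if its Response Authenticator binds it to our request, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply) or ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


# Constructed data: one Pathway application account and the shared secret both ends hold.
SECRET = b"constructed-shared-secret-for-this-example"
DIRECTORY = {b"pwyapp01": b"Winter2014!"}  # stands in for the lookup against AD-mapped accounts


def exchange(user, password, secret=SECRET, directory=DIRECTORY):
    """One full round trip; returns the reply Code as the client sees it (2 accept, 3 reject), or None."""
    request = build_access_request(0x2A, user, password, secret)
    reply = serve_access_request(request, secret, directory)
    return verify_reply(reply, request, secret)
```

exchange(b"pwyapp01", b"Winter2014!") returns 2 (Access-Accept) and a wrong password returns 3 (Access-Reject). Note what the protocol does and does not protect: User-Password hiding is an MD5 keystream keyed by the shared secret, not modern encryption, and the Access-Request itself carries no integrity check unless a Message-Authenticator attribute (RFC 2869) is added, so the XUA-to-RADIUS leg belongs on a management network or inside RadSec or IPsec, with a long random shared secret.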

The XYGATE Report Manager (XRM)
XRM is a comprehensive and easy-to-use report writer for XMA data:
- Pre-configured reports for out-of-the-box use
- Modify existing report definitions for custom requirements
- Design new reports
- Perform ad-hoc queries
- View saved report output
- Schedule recurring reports
- Auto-deliver to multiple locations and in multiple formats

The XYGATE Report Manager (XRM): main window
- Tabbed pages allow easy access to common functions
- Environment information is displayed
- Links to frequent tasks make for easy navigation

The XYGATE Report Manager (XRM): report designer
XRM provides a full-function report designer:
- Attributes and criteria are menu driven, with the option for direct input
- Query columns allow efficient retrieval of only the desired data
- Query nodes allow the selection of one, more, or all configured nodes as a single source for audit reporting
- Retrieved data returns a grid of all audit records for ease of analysis and report design
- Report columns provide custom naming, sizing, and wrapping properties for fields
- Grouping, sorting, and layout are all customizable

The XYGATE Report Manager (XRM): report scheduler
XRM provides a full-function report scheduler:
- Frequency, start date, and run time allow any needed schedule
- Multiple delivery methods are supported: notification, email, FTP and file
- Multiple output formats are supported: PDF, RTF, HTML, TXT and TSV

The XYGATE Report Manager (XRM) Sample Report Output in PDF format

The XYGATE Event Monitor (XEM)
Similar in design to XRM:
- Event monitors are like reports
- Pre-populated with many useful monitors
- Edit existing monitors or design new ones
- Can run in real time or historically
- Links to common tasks

The XYGATE Event Monitor (XEM): monitor definition
- Monitors may contain any audit data from XMA: all products, some products or one product
- Selection criteria allow narrow subject matter
- Installation selection allows one, more, or all configured nodes as a single source for audit monitoring
- Define window layouts to suit desktop or command room needs

The XYGATE Event Monitor (XEM): appearance and actions
Fully customizable looks and actions:
- Select a subset of the data to differentiate it from expected data using criteria
- Choose text fonts and colors as well as backgrounds for contrast
- Select from 5 action types: sound, email, pop-up, SNMP, syslog
- Include configurable actions

The XYGATE Event Monitor (XEM): sample filter monitor window
SUPER.SUPER failed access attempts are displayed in red with bold yellow text.

XMA Log Adapters
- HP ArcSight SIEM
- RSA enVision and RSA Security Analytics
- Others such as QRadar, LogLogic, Splunk

XMA Log Adapters: additional add-on products and services for XMA
- XMA is delivered with one log adapter: HP ArcSight SIEM
- SIEM-specific log adapters can be added as products: RSA enVision, RSA Security Analytics
- SIEM-specific log adapters can be added through professional services: QRadar, LogLogic, others

XMA Log Adapters: how a log adapter is applied
The XYPRO pre-defined filter definitions have been designed to select, categorize and format the Merged Audit data so that it is compatible with the configuration of the SIEM that is receiving the data.
- Step 1. Configure XMA to collect the desired data.
- Step 2. Determine the transport method.
- Step 3. Apply the log adapter to your FILTERS file.
- Step 4. Start and monitor your MOVERs.

XMA Plug-Ins
- BASE24 and BASE24-eps
- HLR
- AJB

XMA Plug-Ins: additional add-on products for XMA
- XMA is delivered with 4 data mover types: Safeguard, EMS, XYGATE, iTP WebServer
- Application-specific data mover types can be added as XMA plug-ins: BASE24, BASE24-eps, HLR, AJB

XMA Plug-Ins: BASE24 and BASE24-eps
- BASE24: OMF (type E); logins/logoffs, file operations (inserts, updates, deletes, etc.), security file updates
- BASE24-eps: AULOGD (type K); logins/logoffs, security configuration changes (deletes, inserts, updates); XML-based audit configuration

XMA Plug-Ins: HLR and AJB
- HLR: dpa_audit_<start date/time>_<close date/time>.log (OSS); tokens such as ResultCode, Domain, Text, Command, CLIP-ACT, ALT-IMSI-DIGITS, GSM-O-CSI-ACTIVE, ECMN-SMS-CSI-ACTIVE, CLIR-AUTH, etc.
- AJB: audit file (OSS); connects, disconnects, etc.