Getting the Most out of XMA and XUA from the new Security Bundle
HP-36, Chynoweth, November 19, 2014, 9:00 AM
Customer Experience, TELUS and TELUS Health
Speaker: Scott Uroff, XYPRO
Content: Mark Wilson, TELUS Health

Overview
Introduction
About TELUS Health
The Security Bundle: XYGATE Merged Audit, XYGATE User Authentication
Installing the HP provided XMA software: Using Scout and DSMSCM
Useful Tricks
Generating Alerts with XMA
Customizing Daily Reporting with XMA
Using XUA for RADIUS Authentication
Getting the Most out of XMA and XUA
o About TELUS Health

About TELUS and TELUS Health
TELUS is Canada's fastest-growing national telecommunications company:
$11.8 billion of annual revenue
13.5 million customer connections
8.0 million wireless subscribers
3.2 million wireline network access lines
1.45 million Internet subscribers
888,000 TELUS TV customers
TELUS provides a wide range of communications products and services, including wireless, data, Internet protocol (IP), voice, television, entertainment and video, and is Canada's largest healthcare IT provider.
Getting the Most out of XMA and XUA
o XYGATE Merged Audit
o XYGATE User Authentication

XMA Architecture Overview (architecture diagram; labels recovered from the slide)
Audit sources: Safeguard, EMS, XYGATE, itp WebServer, Plug-Ins
Filter Processing
XMA Database (NonStop SQL/MP)
Log Adapters for Enterprise Audit Logging: HP ArcSight SIEM
Alerts: Email, EMS, Syslog, SNMP, Custom
GUI Clients for XMA: XYGATE Report Manager, XYGATE Event Monitor

XUA Architecture Overview (architecture diagram; labels recovered from the slide)
100% of NonStop authentication requests are handled through the Authentication layer (Configuration Settings and Authentication Rules).
NonStop programs covered: TACL, OSS, FTP, ODBC, DSM/SCM, SSH, OSM and all others.
Safeguard users can now access servers through an industry SSO solution.
The Authentication layer will trace the user to the associated NonStop user ID for authentication.
Diagram labels: User Authentication Audit Data, UserID Info.
Getting the Most out of XMA and XUA
o Installing the HP provided XMA software
o Useful Tricks
o Generating Alerts with XMA

Using Scout and DSMSCM
Be thankful for what you have and figure out how to use it in your environments. I hope we can provide you the keys to a successful installation and the ability to unlock the wonderful benefits of Merged Audit.
This is what you need to know:
Merged Audit is HP product T0928; your first point for support is GCSC.
It comes with marketing product QSN051, free with systems sold after September 2010.
The product installed easily, but you do have to do it with some thought:
Find the space for the audit data to grow.
Find the additional support tools to make it a gold standard (email servers and enterprise security event monitoring tools).
Build some custom reports. Run some interactive reports.
Have your security teams build some use cases from their enterprise security tools, HP ArcSight for example.
Nothing is ever easy, so where possible arrange for HP installation and support services.

Using Scout and DSMSCM
The things you have to do:
Download the latest version from HP Scout.
Load it into DSMSCM so that you can keep track of the RVU you are running.
I like to run the install manually, under my control, so run the obey file from where you placed it. I use $DSMSCM.
Stop after the install macro and size your SQL database BEFORE running XMA_MANAGER the first time (this requires deciding on and editing one or two of the install files).
Start your Merged Audit movers pathway via the XMA_MANAGER macro.
Using Scout and DSMSCM
The things you have to do: I like to run the install manually, under my control, so run the obey file from where you placed it. I use $DSMSCM. Stop after the install macro and size your SQL database BEFORE running XMA_MANAGER the first time (this requires deciding on and editing one or two of the install files).
\DNB1 $DSMSCM E0928AAR 53> run insrun
You will be asked a series of questions about the installation of XYGATEMA.
You may abort the install process at any prompt by hitting the BREAK key.
Prompts that end with a string within angle brackets mean that just hitting the return key will use that default value.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
PLEASE READ THE SOFTDOC AS PART OF THE INSTALLATION PROCESS.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

Using Scout and DSMSCM
The things you have to do: Start your Merged Audit movers pathway via the XMA_MANAGER macro.
XYGATEMA Management Main Menu v2.25
* * * * * * * * * * * * * * * * * * *
1: Pathway
2: Movers
3: Database
4: Uninstall
X: Exit
Selection?2
Useful Tricks
The BIN file from HP is large and a standard WS-FTP creates small file extents. Use a DOS or other FTP client and provide the file sizes (i.e. put E0928AAR E0928AAR,991,1000,1000,900).
Don't forget file code 991, and use SWARCSET (swarcset $dsmscm.rvu.e0928aar,,volume $dsmscm,myid).
Decide on your database cleanup time. Watch for performance issues.
Plan for database maintenance; enlist help from your DBA.
Protect your XMA FILTERS file once built. I accidentally purged one but recovered it from another system.

Generating Alerts with XMA
Generating EMS Alerts
Get the easy FILTERS created. Generate ViewPoint alerts from SUPER.SUPER logon.

Generating Alerts with XMA
Generating Email Alerts
Get the easy FILTERS created. Where possible, email other critical alerts to staff. Yes, the IP address is bogus, and the MAIL_FROM address doesn't need to be valid.
ACTION_BEGIN
ACTIONTYPE MAIL
MAIL_SRV 10.18.475.985
MAIL_IPPROCESS $ztc0
MAIL_PORT 25
MAIL_FROM MergedAuditEvent@TELUS.COM
MAIL_TO mark.wilson2@telus.com
MAIL_SUBJECT ALERT - Security logon event
MAIL_TEXT
"NODE: (INSTALL.SYSTEMNAME) "
"Time: (AUDIT.RECORDLCT) "
"Event: (AUDIT.SUBJECTLOGIN) altered (AUDIT.OBJECTNAME) "
" (AUDIT.RESULT) "
"Outcome: (AUDIT.OUTCOME) (Success = 1; Fail = 3)"
MAIL_TEXT_END
ACTION_END
Generating Alerts with XMA
Generating Syslog Alerts to a SIEM (HP ArcSight)
Get the easy FILTERS created. Where possible, get the security data off platform to your enterprise security event monitoring system. It makes the audit teams happy.
FILTERDEFBEGIN $CLW-ALL-EVENTS-EXCEPT-EMS
!= This FILTER selects All Audits except EMS
STATUS ACTIVE
! $CLW-ALL-EVENTS-EXCEPT-EMS
ACTIONCOLL_BEGIN
ACTION_BEGIN
ACTIONTYPE IPALERT
IPALERT_IPPROCESS $ZTC0
IPALERT_ADDRESS 10.14.295.355
IPALERT_PORT 515
IPALERT_PREFIX local0 <130> XYGATEMA NonStop
ALERTSTRING @0
ALERTSTRING @ (SESSION.RECORDSESSIONKEY)
ALERTSTRING @ (SESSION.RECORDINSTALLKEY)
ALERTSTRING @ (SESSION.SESSIONID).
ACTION_BEGIN
ACTIONTYPE SETDATA AUDIT.USER_DATA syslog ALERT
ACTION_END

Generating Alerts with XMA
Generating Custom Alerts
Use the FILTSAMP file for examples. Build some custom TACL macros that are triggered by MA to do some fancy work. Share what you've learned with your peers and us.
ACTION_BEGIN
ACTIONTYPE RUNCMD
MAXCOMPLETIONTIME 120
RUNCMDDEFBEGIN
RUN $SYSTEM.TACLMAC.GOXMAMSG
RUNCMDDEFEND
ACTION_END
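The IPALERT action above sends one syslog datagram per audit record, and the receiving side (a SIEM collector or a small pre-processor in front of it) has to decode the RFC 3164 priority and pull the ALERTSTRING fields apart before it can route the event. The following parser is an added example, not XYPRO, TELUS or HP code. It assumes each datagram looks like `<PRI>XYGATEMA NonStop @field0@field1@...` with the fields joined by `@` as in the ALERTSTRING lines shown on the slide; the sample datagrams are constructed, not captured from a real system. The `<130>` in the slide's IPALERT_PREFIX decodes to facility 16 (local0) and severity 2 (critical), which the parser checks.

```python
"""Decode XMA IPALERT syslog datagrams on the collector side.

Added example (not XYPRO/TELUS/HP code).  Assumes the IPALERT action
emits:  <PRI>XYGATEMA NonStop @<field0>@<field1>@...
where PRI = facility*8 + severity (RFC 3164) and the '@'-joined fields
come from the ALERTSTRING lines of the FILTERS file.
"""
import re
from dataclasses import dataclass, field
from typing import List

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 16-23 are local0-local7; the slide's prefix uses local0 (<130> = 16*8 + 2).
FACILITY_NAMES = {0: "kern", 1: "user", 4: "auth", 10: "authpriv",
                  **{16 + i: f"local{i}" for i in range(8)}}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class XmaAlert:
    facility: str
    severity: str
    source: str                      # the fixed IPALERT_PREFIX text after <PRI>
    fields: List[str] = field(default_factory=list)   # ALERTSTRING values


def decode_pri(pri: int):
    """Split an RFC 3164 PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]


def parse_xma_alert(line: str) -> XmaAlert:
    """Parse one datagram; raise ValueError on anything malformed."""
    m = PRI_RE.match(line.strip())
    if m is None:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    source, sep, rest = m.group(2).partition("@")
    if not sep:
        raise ValueError("no '@'-delimited ALERTSTRING fields")
    # The slide's last ALERTSTRING ends in '.', so strip a trailing period.
    fields = rest.rstrip(".").split("@")
    return XmaAlert(facility, severity, source.strip(), fields)


# Constructed sample datagrams (not captured from a real system).
SAMPLE_LINES = [
    "<130>XYGATEMA NonStop @0@SESSKEY0001@INSTKEY01@SESSID0042.",   # local0 / crit
    "<134>XYGATEMA NonStop @0@SESSKEY0002@INSTKEY01@SESSID0043.",   # local0 / info
    "garbage without a priority header",                            # malformed
]


def triage(lines):
    """Return alerts of severity crit or worse; skip malformed lines instead of crashing."""
    urgent = []
    for line in lines:
        try:
            alert = parse_xma_alert(line)
        except ValueError:
            continue
        if SEVERITY_NAMES.index(alert.severity) <= SEVERITY_NAMES.index("crit"):
            urgent.append(alert)
    return urgent


if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(alert)
```

Malformed datagrams are skipped rather than allowed to stop the collector, since a single bad line should not silence the feed; the exact field order still has to be read off the ALERTSTRING lines of the FILTERS file in use.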
Getting the Most out of XMA and XUA
o Partitioning the XMA Database

Partitioning the XMA Database
---------------------> $SYSTEM.XYGATEMA.PARSAMP (14/10/30 16:42) <-------------
-- ***********************************************************************
-- ** File: PARSAMP                                                     **
-- ** This file contains samples of the commands used to partition an   **
-- ** SQL Table                                                         **
-- ** Procedure:                                                        **
-- ** ==========                                                        **
-- ** 1) Modify the statements below adding the volume name. You may    **
-- **    optionally enter values for EXTENTS & MAXEXTENTS.              **
-- **    The default for EXTENTS is (16,64). The default unit type is   **
-- **    page. The default for MAXEXTENTS is 160.                       **
-- **    You may add additional ALTER statements if more partitions     **
-- **    are desired.                                                   **
-- **    NOTE: During XYGATE/MA processing the partition key values     **
-- **    assigned are 2-255. The value zero is omitted so that          **
-- **    an empty partition can be created. The value 1 is              **
-- **    reserved for conversion purposes.                              **
-- ** 2) Stop your XYGATE/MA pathway via XMA_MANAGER                    **
-- ** 3) run the macro XMA_LOAD_DEFINES                                 **
-- ** 4) Execute the following command:                                 **
-- **    SQLCI/in PARSAMP,out $S.#XMA.PART/                             **
-- ** 5) Adding partitions will invalidate the SQL programs.            **
-- **    To remedy the situation do the following:                      **
-- **    run $<vol>.<subvol>.xma install                                **
-- **    run XMA_SQLCOMPALL                                             **
-- ** 6) Restart your XYGATE/MA pathway via the XMA_MANAGER             **
-- ***********************************************************************
Getting the Most out of XMA and XUA
o Using XUA for RADIUS Authentication

Using XUA for RADIUS Authentication
Objective: TELUS wished to move all IDs to AD-based user IDs in order to keep all user provisioning centralized.
Challenge: An existing Pathway application using application-based user IDs, with no source code.
Solution: Professional Services developed a simple server to accept application authentication requests and map them to AD user IDs. XYGATE User Authentication: application authentication requests are routed by XUA to the RADIUS server.
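The design above puts a RADIUS server between XUA and the directory: XUA forwards the application's user ID and password as a RADIUS Access-Request, the custom server maps the application ID to an AD user ID, and answers Access-Accept or Access-Reject. The following model of that exchange is an added example, not the TELUS Professional Services server, XYPRO or HP code. It implements the RFC 2865 wire format (header, attributes, User-Password hiding and the Response Authenticator) for both sides in one process; the AD lookup is stood in for by the constructed tables APP_TO_AD and AD_PASSWORDS, and the shared secret is a constructed value. Whatever the real server does for the directory check, the client-side verification of the Response Authenticator is what stops a forged Access-Accept from being trusted.

```python
"""RFC 2865 Access-Request / Access-Accept round trip, both sides in one process.

Added example (not TELUS/XYPRO/HP code).  APP_TO_AD and AD_PASSWORDS are
constructed stand-ins for the server's AD-backed mapping and check.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

APP_TO_AD = {"APPUSER01": "jdoe", "APPUSER02": "asmith"}          # constructed
AD_PASSWORDS = {"jdoe": "correct horse", "asmith": "battery staple"}  # constructed


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte chunks with an MD5 chain keyed by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + chunk, chunk
    return out


def _unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(app_user: str, password: str, secret: bytes, ident: int = 1):
    """Client side (what XUA sends). Returns (packet, request authenticator)."""
    ra = os.urandom(16)                      # fresh per request: never reuse
    attrs = _attr(ATTR_USER_NAME, app_user.encode()) + \
        _attr(ATTR_USER_PASSWORD, _hide_password(password.encode(), secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def serve_access_request(packet: bytes, secret: bytes) -> bytes:
    """Server side: map the application ID to an AD ID, check the password, reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    app_user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = _unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ad_user = APP_TO_AD.get(app_user)
    ok = ad_user is not None and hmac.compare_digest(password, AD_PASSWORDS[ad_user].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = _attr(ATTR_USER_NAME, ad_user.encode()) if ok else b""
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + ra + reply_attrs + secret).digest() + reply_attrs


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes):
    """Client side: check the Response Authenticator before trusting the reply code."""
    hdr, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(hdr + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    return hdr[0], _parse_attrs(attrs)


def authenticate(app_user: str, password: str, secret: bytes = b"constructed-shared-secret"):
    """Full round trip; returns (accepted, mapped AD user or None)."""
    req, ra = build_access_request(app_user, password, secret)
    code, attrs = verify_reply(serve_access_request(req, secret), ra, secret)
    ad_user = attrs[ATTR_USER_NAME].decode() if ATTR_USER_NAME in attrs else None
    return code == ACCESS_ACCEPT, ad_user


if __name__ == "__main__":
    print(authenticate("APPUSER01", "correct horse"))   # accepted, mapped to jdoe
    print(authenticate("APPUSER01", "wrong"))           # rejected
```

Two points carry over to any real deployment: the Request Authenticator must be fresh random bytes per request, since the password hiding is only as strong as its unpredictability, and the shared secret is the sole thing binding the reply to the server, so it should be long, per-client and delivered over a network path that is itself protected.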
The XYGATE Report Manager (XRM)
XRM is a comprehensive and easy-to-use report writer for XMA data.
Pre-configured reports for out-of-the-box use
Modify existing report definitions for custom requirements
Design new reports
Perform ad-hoc queries
View saved report output
Schedule recurring reports
Auto-deliver to multiple location options and in multiple format options

The XYGATE Report Manager (XRM)
Tabbed pages allow for easy access to common functions
Environment information displayed
Links to frequent tasks make for easy navigation

The XYGATE Report Manager (XRM)
XRM provides a full-function report designer.
Attributes and criteria are menu driven with the option for direct input
Query columns allow for efficient retrieval of only the desired data
Query nodes allow for the selection of one, more, or all configured nodes as a single source for audit reporting
Retrieved data returns a grid of all audit records for ease of analysis and report design
Report columns provide for custom naming, sizing, and wrapping properties of fields
Grouping, sorting, and layout are all customizable

The XYGATE Report Manager (XRM)
XRM provides a full-function report scheduler.
Frequency, start date, and run time allow for any needed schedule
Multiple delivery methods and formats are supported
Delivery: Notification, Email, FTP and File
Formats: PDF, RTF, HTML, TXT, TSV

The XYGATE Report Manager (XRM)
Sample report output in PDF format
The XYGATE Event Monitor (XEM)
Similar in design to XRM; event monitors are like reports
Pre-populated with many useful monitors
Edit existing or design new
Can run in real time or historically
Links to common tasks

The XYGATE Event Monitor (XEM)
Monitors may contain any audit data from XMA: all products, some products or one product
Selection criteria allow for narrow subject matter
Installation selection allows for the selection of one, more, or all configured nodes as a single source for audit monitoring
Define window layouts to suit and fit desktop or command room needs

The XYGATE Event Monitor (XEM)
Fully customizable looks and actions
Select subset data to differentiate from expected data using criteria
Choose text fonts and colors as well as backgrounds for contrast
Select from 5 action types: Sound, Email, Pop-Up, SNMP, Syslog
Include configurable actions

The XYGATE Event Monitor (XEM)
Sample XEM filter monitor window: SUPER.SUPER failed access attempts are displayed in red with bold yellow text
XMA Log Adapters
o HP ArcSight SIEM
o RSA enVision and RSA Security Analytics
o Others such as QRadar, LogLogic, Splunk

XMA Log Adapters
Additional Add-On Products and Services for XMA
XMA is delivered with 1 log adapter: HP ArcSight SIEM
SIEM-specific log adapters can be added as products: RSA enVision, RSA Security Analytics
SIEM-specific log adapters can be added through professional services: QRadar, LogLogic, others

XMA Log Adapters
Additional Add-On Products and Services for XMA
Log Adapters: The XYPRO pre-defined filter definitions have been designed to select, categorize and format the Merged Audit data so that it is compatible with the configuration of the SIEM that is receiving the data.
Step 1. Configure XMA to collect the desired data.
Step 2. Determine the transport method.
Step 3. Apply the log adapter to your FILTERS file.
Step 4. Start and monitor your MOVERs.
XMA Plug-Ins
o BASE24 and BASE24 eps
o HLR
o AJB

XMA Plug-Ins
Additional Add-On Products for XMA
XMA is delivered with 4 data mover types: Safeguard, EMS, XYGATE, itp WebServer
Application-specific data mover types can be added as XMA Plug-Ins: BASE24, BASE24 eps, HLR, AJB

XMA Plug-Ins
Additional Add-On Products for XMA
BASE24: OMF (type E); logins/logoffs/file operations (inserts, updates, deletes, etc.); Sec file updates
BASE24 eps: AULOGD (type K); logins/logoffs, security config changes (deletes, inserts, updates); XML-based audit configuration

XMA Plug-Ins
Additional Add-On Products for XMA
HLR: dpa_audit_<start date/time>_<close date/time>.log (OSS); tokens (ResultCode, Domain, Text, Command, CLIP-ACT, ALT-IMSI-DIGITS, GSM-O-CSI-ACTIVE, ECMN-SMS-CSI-ACTIVE, CLIR-AUTH, etc.)
AJB: Audit File (OSS); connects, disconnects, etc.