SERVICE ORIENTED EVENT ASSESSMENT CLOSING THE GAP OF COMPLIANCE MANAGEMENT




IBM Software Group
SERVICE ORIENTED EVENT ASSESSMENT: CLOSING THE GAP OF COMPLIANCE MANAGEMENT
Dieter Riexinger, IT Architect
09.10.2009
2009 IBM Corporation

Slide 2: Agenda
- Introduction
- Legal obligations and regulations
- Who causes internal incidents?
- Security Event Collection
- Filtering and correlating events
- The pain of selecting the right events
- Service Oriented Event Assessment
- Event context creation
- How to catch the barbarian?
Event Assessment 09.10.2009

Slide 3: Legal obligations and regulations require protection of assets
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act

Slide 4: We want to protect our assets from internal and external misuse
User groups: Internal Users, Privileged Users, External Users
Controls:
- Firewall
- Authentication
- Authorization

Slide 5: Who Causes Internal Incidents? The Barbarian is Inside the Gate
- 90% of insider incidents are caused by privileged or technical users
- Most are inadvertent violations of:
  - Change management process
  - Acceptable use policy
  - Account management process
- Others are deliberate, due to:
  - Revenge
  - Negative events
- Regardless, too costly to ignore: internal attacks cost 6% of gross annual revenue, or 9 dollars per employee per day.
[Chart: Privileged or technical users (90%), Other (10%)]
Sources: Forrester Research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005/6/7/8; CSI/FBI Survey 2005/6/7; National Fraud Survey; CERT, various documents.

Slide 6: Security Administrators are faced with a huge number of security events in different formats
The Security Administrator receives, from across the network:
- Intrusion Reports
- Firewall Events
- Syslog Files
- Database Logs

Slide 7: Event Management Systems collect, format and correlate security events
The system, fed from the network:
- Formats events
- Correlates alarms
The Security Administrator then acts on the result:
- Deactivate infected or attacked systems
- Block attacking systems
- Investigate user activity

Slide 8: Filter rules and correlation rules show events which require further investigation. Which one to pick?
Mid-size production environment:
- > 100 million events per day
- > 5 million events stored in the central security database (offline analysis, statistics, reporting)
- ~250 events selected for online analysis

Slide 9: Processing and forwarding unknown events keeps the include and exclude patterns up to date
- Sensor (Syslog, Event Log, ...)
- Event Monitoring Client: include pattern, exclude patterns
- Unknown events (matching neither pattern) are forwarded for processing; the outcome feeds back into the patterns
- Event Correlation and Analysis
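The include/exclude routing of this slide, written out as an added Python example (not the product's code): lines matching an include pattern are forwarded, lines matching an exclude pattern are dropped, and anything else is queued as unknown so that an analyst decision can be turned into a new pattern. The log lines, patterns and decisions are constructed.

```python
import re

# Constructed sample sensor output (syslog-style lines); not taken from the slides.
SAMPLE_LINES = [
    "sshd[201]: Accepted publickey for us0815 from 10.1.2.3 port 5022",
    "sudo: us0815 : TTY=pts/0 ; COMMAND=/bin/bash",
    "cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "kernel: eth0: link is up",
    "custom-app: ledger export finished in 12s",
]

# Include patterns select events for correlation; exclude patterns drop known noise.
INCLUDE = [re.compile(p) for p in (r"^sshd\[\d+\]: Accepted \w+ for \S+ from", r"^sudo: \S+ : TTY=")]
EXCLUDE = [re.compile(p) for p in (r"^cron\[\d+\]: \(root\) CMD", r"^kernel: \S+: link is (up|down)")]

def route(lines, include=INCLUDE, exclude=EXCLUDE):
    """Split sensor lines into (forwarded, dropped, unknown).

    Include is checked first so a security-relevant line is never lost to a
    too-broad exclude. Unknown lines match neither list and go to review."""
    forwarded, dropped, unknown = [], [], []
    for line in lines:
        if any(p.search(line) for p in include):
            forwarded.append(line)
        elif any(p.search(line) for p in exclude):
            dropped.append(line)
        else:
            unknown.append(line)
    return forwarded, dropped, unknown

def learn(unknown, decisions):
    """Turn analyst decisions on unknown lines into new patterns.

    decisions maps a literal unknown line to "include" or "exclude". Runs of
    digits are generalised to \\d+ so the pattern also matches the next
    occurrence with a different pid, count or duration."""
    new_include, new_exclude = [], []
    for line in unknown:
        verdict = decisions.get(line)
        if verdict is None:
            continue                       # still undecided: stays unknown
        pattern = re.compile("^" + re.sub(r"\d+", r"\\d+", re.escape(line)))
        (new_include if verdict == "include" else new_exclude).append(pattern)
    return new_include, new_exclude
```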

Slide 10: The security operator's success depends on selecting the right event
[Chart: success rate per approach, for Random Sample, Simple Rules, Behavioural Checks and Context Creation]

Slide 11: Immediate reaction on critical events is key to prevent misuse of access rights
Example event:
17:54:03.00: User us0815 logged in with privileged access on host obaserver1.company.com
Assessment steps:
1. Identify user
2. Determine user status and role
3. Security classification of host
4. Access assessment
5. Contact
6. History analysis
Disaster revealed the next day...

Slide 12: Access to multiple data sources is required for a comprehensive assessment
Data sources consulted (count): 5 x HR Data, 2 x Event Data, 1 x Change Data, 1 x Problem Ticket System, 1 x Brokering System, 1 x Asset Data, 1 x SOX list, 1 x User ID Management System

Change Data
Change-ID;Hostname;Description;Person
Change-45;messaging.company.com;Install patch;Oliver James
Change-47;obaserver1.company.com;Delete db instance #23;John Admin

Asset Data
Asset-id;hostname;owner;os;sla
Asset-86;obaserver1.company.com;J. Admin;Unix;8x13
Asset-87;online.banking.com;jason;unix;24x7
Asset-88;messaging.banking.com;windows;8x5

User ID Management
System;login;real_name
Windows;delivery7;Oliver James
Unix;stephansec;Stephan Verne
Unix;us0815;John Admin

HR Data
Person-ID;Name;Telephone
Person-17;Oliver James;2457
Person-18;John Admin;3526
Person-19;Michael Jones;3334

Event Data
Event-ID;Hostname;Event description
Event-123;obaserver1.company.com;us0815 logged in on obaserver1.company.com
Event-124;Messaging.company.com;3 x false password by george27
Event-125;obaserver1.company.com;us0815 performed a 'sudo' on host obaserver1.company.com
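The six assessment steps of slide 11, run against the slide 12 records, as an added Python example (not the prototype's code): the lookup tables are constructed from the slide data, the event regex is assumed from the single example line, and the verdict rule (an HR record plus a matching change record means authorised, anything else escalates) is this example's own.

```python
import re

# Sample records copied from slide 12 into constructed lookup tables (Asset-88 has no owner on the slide).
USER_IDS = {("Unix", "us0815"): "John Admin", ("Unix", "stephansec"): "Stephan Verne",
            ("Windows", "delivery7"): "Oliver James"}            # user ID management: (system, login) -> name
HR = {"Oliver James": ("Person-17", "2457"), "John Admin": ("Person-18", "3526"),
      "Michael Jones": ("Person-19", "3334")}                     # HR data: name -> (person id, telephone)
ASSETS = {"obaserver1.company.com": ("Asset-86", "J. Admin", "Unix", "8x13"),
          "online.banking.com": ("Asset-87", "jason", "unix", "24x7"),
          "messaging.banking.com": ("Asset-88", None, "windows", "8x5")}  # host -> (id, owner, os, sla)
CHANGES = [("Change-45", "messaging.company.com", "Install patch", "Oliver James"),
           ("Change-47", "obaserver1.company.com", "Delete db instance #23", "John Admin")]
EVENTS = [("Event-123", "obaserver1.company.com", "us0815 logged in on obaserver1.company.com"),
          ("Event-124", "Messaging.company.com", "3 x false password by george27"),
          ("Event-125", "obaserver1.company.com", "us0815 performed a 'sudo' on host obaserver1.company.com")]

# Shape of the event on slide 11; the timestamp format is assumed from that single line.
EVENT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?): User (?P<login>\S+) "
                      r"logged in with privileged access on host (?P<host>\S+)$")

def assess(line):
    """Run the six steps of slide 11 for one privileged-login event and return the assembled context."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("not a privileged-login event: " + line)
    login, host = m["login"], m["host"]
    asset = ASSETS.get(host)                                         # step 3: classification of host
    system = asset[2].capitalize() if asset else None                # the asset's OS selects the login namespace
    person = USER_IDS.get((system, login))                           # step 1: identify user
    hr = HR.get(person) if person else None                          # step 2: status (HR record) and step 5: contact
    approved = [c[0] for c in CHANGES if c[1] == host and c[3] == person]   # step 4: access assessment
    history = [e[0] for e in EVENTS if e[1] == host and login in e[2]]      # step 6: earlier activity
    if person is None or hr is None:
        verdict = "escalate: login cannot be tied to an active person"
    elif not approved:
        verdict = "escalate: no change record authorises this access"
    else:
        verdict = "authorised by " + ", ".join(approved)
    return {"login": login, "host": host, "person": person, "contact": hr[1] if hr else None,
            "asset": asset[0] if asset else None, "sla": asset[3] if asset else None,
            "changes": approved, "history": history, "verdict": verdict}

if __name__ == "__main__":
    print(assess("17:54:03.00: User us0815 logged in with privileged access on host obaserver1.company.com"))
```

Note that the slide's own data contains a host mismatch (Change-45 names messaging.company.com while the asset list has messaging.banking.com), so a login by delivery7 on the asset host escalates for lack of a change record; inconsistent source data is exactly what manual context creation tends to miss.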

Slide 13: Manual context establishment can be a time-consuming and error-prone task
The Event Investigator establishes and assesses the context manually, querying each source separately:
- Problem Management (database)
- Change Management (database)
- Asset Management (database)
- Security Event System (database)
- HR Application (CSV file)

Slide 14: Solution architecture
- Stakeholder
- Application Layer: Security Cockpit
- Business Process Layer: IT Compliance Management Processes
- Service Layer
- Data Layer

Slide 15: The Component Model
Security Cockpit:
- Configuration and personalization (XML configuration)
- GUI (SWT)
- Web service proxy client
Application Server:
- Expert system
- Event based relationship evaluation
- CRUDS services, one per data source
Data sources:
- Event archive (MySQL)
- Problem (*)
- IBM TRM (DB2)
- IBM TSCM (DB2)
- Changes (MySQL) (*)
- Slaphapi
(*) import

Slide 16: Our solution supports users in all incident processing phases
Phases in the Security Cockpit:
- Suspicious security event (from the Security Event Management System)
- Data pre-analysis: filter
- Context creation: event based relationship assessment through CRUDS services over the enterprise data sources (Security Events, Change, HR, Asset, Problem, Event data history)
- Context evaluation: expert system
- Solution: incident archive

Slide 17: First prototype promises improved reaction on security events with regard to time and content
- Security event assessment is a mandatory part of compliance management
- It helps to reduce the risk of unauthorized access
- Event context creation is an essential part of the process
- Our prototype improved the event reaction time and the quality of investigations during the pilot phase
- Next steps include further automation of event assessment, for example by integrating patterns of behaviour in the context of change management