Managed Security Services




IBM Global Technology Services
Service Profile

Managed Security Services
Helping to strengthen your defenses through service delivery best practices

1. Overview: A brief summary of IBM Managed Security Services and the business challenges addressed
2. Deployment: A look at the IBM solution, including its capabilities, technical components, and cost
3. Service Delivery: How IBM will manage your security assets, monitor your environment, analyze event data and handle security incidents
4. Support and Reporting: Our customer portal, problem management and the query and reporting tools that can help you manage your security environment
5. Next Steps: Steps you can take and resources you can explore to learn more about IBM Managed Security Services

1. Overview

The need for protection

Enterprises of all sizes struggle in an ongoing battle to defend against online attackers that can strike at any moment. Whether it's a virus or denial-of-service attack or unauthorized database access, successful security attacks wreak havoc by disrupting business operations, reducing workforce productivity, damaging the infrastructure and harming reputation and brand value. Liabilities associated with inadequate security management are becoming more severe, ranging from resources required to remedy the breach, costly downtime and potential loss of business to penalties for regulatory noncompliance.

While IT security threats continue to evolve, organizations face shrinking budgets, competing priorities and more complex environments. Today's IT security departments need to deliver a higher level of protection at a significantly reduced cost. However, organizations managing their own information security often lack the in-house resources required to protect online systems on a 24x7x365 basis. Advanced security practices require highly skilled personnel who can be expensive to recruit, hire and retain. In addition, implementing and managing security solutions can divert IT resources from other critical initiatives, including preventing the next attack.

IBM Managed Security Services

IBM Managed Security Services for customer premises equipment (see Table 1) are designed to provide around-the-clock, near-real-time monitoring and management of security technology from a variety of vendors, helping you protect the value of your existing security investments while reducing the complexity and cost of your security operations. These managed services can be employed individually or in combination to help organizations:

- Improve security posture and mitigate risks to business operations
- Reduce the cost of security management
- Simplify management and reduce complexity
- Address critical skill shortages
- Support compliance management.

IBM also offers a comprehensive range of hosted managed security services as well as a Managed Distributed Denial of Service (DDoS) Protection solution. By combining offerings from IBM's full portfolio of complementary managed services, you can increase both your cost savings and your security intelligence. That's because IBM's global security operations infrastructure is designed to integrate data from multiple managed security services, helping you to bridge IT silos and technologies and gain an end-to-end view of your security landscape (see Figure 1). The end result is more information, correlated by IBM in near real time for deep analysis and faster response to threats.

Table 1. IBM Managed Security Services (customer premises equipment) and device support

Firewall Management: 24x7 firewall monitoring, escalation, incident reporting, and remediation assistance.
Supported devices: Check Point NGX / R71 and later; Cisco; Juniper Netscreen.

Managed Security Information and Event Management (SIEM): Provides 24x7 expert monitoring and response for customer SIEM tools.
Supported devices: IBM Q1 Labs QRadar; HP ArcSight.

Unified Threat Management: 24x7 management with support for comprehensive UTM product features (firewall, IPS/IDS, anti-virus, anti-spam, web filtering, SSL VPN).
Supported devices: IBM Proventia Network Multi-Function Security; Check Point UTM-1, Edge and IP Appliance; Cisco ASA, ISR; Juniper SSG, ISG + IDP, SRX; Palo Alto Networks; Fortinet FortiGate.

Managed Secure Web Gateway: Ongoing protection of critical web-based transactions.
Supported devices: BlueCoat SG (Proxy); BlueCoat AV (w/ SG).

Managed Protection Services: 24x7 protection and live, expert management, monitoring and escalation for enterprise networks and endpoints.
Supported devices: IBM Network Intrusion Prevention System; IBM Security Server Protection.

Vulnerability Management Services: Ongoing security scans that help identify and prioritize vulnerabilities found on network devices, operating systems, web applications and databases.

Intrusion Detection and Prevention Management: 24x7 threat monitoring, escalation, incident reporting, and remediation assistance.
Supported devices: Cisco IDS, IPS, IDP; McAfee Intrushield, M Series IPS; SourceFire; Check Point IPS-1; Juniper IDP.

Figure 1. Combining IBM Managed Security Services offerings can help increase your analytic capabilities. (Add / Gain: Firewall logs / Near-real-time identification of connections with known attackers: Good. Intrusion detection and prevention services / Knowledge of the attacks levied against you: Better. Vulnerability scan results / Knowledge of whether the attacks are successful: Enhanced. Operating system and application logs / Ability to monitor suspicious internal activities: Superior.)

Service features

IBM Managed Security Services offer industry-leading tools, technology and expertise combined with flexible, scalable packaging to meet a broad range of requirements. Whether you purchase managed services for one or for multiple device types, your security solution will include:

- The Virtual Security Operations Center (Virtual SOC) web-based customer portal that provides a single pane of glass through which you can manage your security environment and your IBM services
- Access to security experts
- Continuous upgrades and updates
- Standardized and customizable reporting
- SSAE 16-certified operations at all of our state-of-the-art Security Operations Centers (SOCs), which are designed for high availability
- Simplified flat-rate pricing standardized across our core set of services, with pricing tiers that offer the flexibility to select the service levels that best fit your security environment
- Security intelligence and reports from the global IBM X-Force security research organization.

Flexible configuration of service levels

With IBM, you gain the flexibility to configure your managed security services to meet your requirements for response time, device availability and cost. You can choose from preconfigured service packages that simplify the buying process, or you can start with the base service and then specify service level options per device, by location or even with device-by-device granularity. For example, per device, your configuration options can include:

- Retention of log data (one, three, five or seven years)
- One-time charge or monthly charge for service initiation and device configuration fees
- Automated analysis and alerting, or "eyes on" monitoring and alerting by an IBM Threat Analyst
- Alert response times (15-, 30- or 60-minute service levels)
- Policy Change Request response times (2-, 4-, 8-, 12- or 24-hour service levels)
- Device health event notification (15-, 30- or 60-minute service levels)
- Device update application (24-, 48- or 72-hour service levels)
- Device availability, including options for management of a warm stand-by redundant device and high availability configurations of clustered devices.

IBM X-Force Threat Analysis Service

Included with all IBM Managed Security Services offerings, and integrated into the customer portal, is the IBM X-Force Threat Analysis Service. This industry-leading security intelligence service helps you proactively manage daily security threats by providing an evaluation of global online threat conditions and detailed analysis tailored for your needs. The X-Force Threat Analysis Service consists of a blend of trusted security intelligence from the IBM Security X-Force research and development organization, threat data collected from IBM's international network of security operations centers and over 30,000 managed or monitored network sensors, agents and devices, and global Internet threats monitored 24x7x365 by IBM's global threat operations center.

The global Internet threat level is updated in real time by X-Force personnel and reported using the AlertCon rating system, an indicator designed to measure the level of threat to online assets at a certain point in time. In addition to current AlertCon status, the X-Force Threat Analysis Service provides customized threat information and security news relevant to your platforms, products and business. Detailed information about X-Force Threat Analysis Service reports and the X-Force section of the Virtual SOC portal can be found in Section 4 of this guide.

2. Deployment

Activating services

IBM employs a structured five-phase process to help ensure a smooth implementation of your managed security services (see Figure 2). As a general rule, implementations are completed in 30 to 60 days, although small projects may take only a few days while very large projects may be implemented in stages over several months.

Initiation. Your assigned Deployment Engineer (DE), who will be your single point of contact during implementation, will review your order with you and establish contact with the various members of your team. Your DE will work with your team to determine a timeline and assess the status of your sites.

Planning. During this phase, your DE will work with your team to plan how any new security devices will be placed into your network; how IBM will manage and monitor your security devices and data via various encrypted communication channels; and schedule more definitive installation and service activation dates.

Staging. If applicable, your DE will arrange for any new security devices that you have purchased through or provided to IBM to be configured, either remotely or at one of our deployment centers. Your DE will also prepare the management architecture at IBM for your security devices.

Integration. In this phase, new security devices are installed and tested for correct functionality, and connectivity is established between your existing devices and the Security Operations Center (SOC). After testing shows that the SOC is able to monitor and manage your security devices, your DE will transition device management to the SOC and demonstrate the Virtual SOC customer portal to your team.

Closeout. Your DE will wrap up any final deployment items and host or arrange an introductory call with the SOC team that will provide your 24x7x365 security services. From this point, your primary contact will be with the SOC, with your DE available to you for final outstanding issues and transition questions.

Figure 2. IBM's established process for deploying and integrating your devices into our management infrastructure is designed to ensure a smooth implementation of your managed security services. (Managed Security Services deployment and integration process: Initiate, Plan, Stage, Close; Design Outputs; SOC Inputs.)

Establishing baseline policies

Unless otherwise requested, IBM deploys new devices and agents with a standard baseline policy developed by the IBM Security Operations Center. IBM baseline policies generally reflect the default policy recommendations of the respective product vendors. This includes which signatures are enabled and which responses are configured for each signature. However, based on trends and emerging threats detected by IBM security analysts, baseline policies may also include deviations from vendor recommendations.

For existing devices and agents, IBM recommends that you replace existing policies with IBM baseline policies when you migrate to the SOC for management. This can help eliminate past misconfigurations that created security holes and replace outdated or ineffective tuning with a consistent baseline across all managed devices. For clients who have multiple devices and agents of the same model, version or operating system, IBM shares policies wherever possible. Shared policies provide consistency in security coverage, allow for faster deployment of new signatures and other policy changes and help facilitate efficient auditing.

Roles and responsibilities: IBM security operations

To effectively and efficiently manage each client's security infrastructure and ensure the proper skills are leveraged across operations, IBM has divided the SOC team into three primary groups:

- Threat Analysts operate 24x7x365 and focus directly on actionable events that are filtered through to the Virtual SOC operations console. These analysts monitor multiple data sources, respond to alerts, and investigate and escalate security incidents.
- The Device Management Team operates 24x7x365, with responsibility for managing device health and availability. These security experts work with clients to resolve device issues, perform maintenance and upgrades, implement policy changes and provide technical support.
- The Service Assurance and Standards Team monitors processes for quality control, conducts training and performs planning and operational project management.

Responding to a security incident: who is in charge?

While it is IBM's responsibility to monitor your supported security environment, manage the health of your devices and analyze events and alerts, your Computer Security Incident Response Team (CSIRT) is responsible for verifying and acting on actual incidents, whether escalated by the SOC or your own IT staff. Your Incident Response Team should be guided by your organization's Computer Security Incident Response Plan (CSIRP), which provides a map for dealing with a security attack. It should define the roles and responsibilities of all respondents, establish authority for making major decisions and define communications flows and notification procedures. During your response, it is critical that your team and the SOC staff remain in close communication. For its part, the SOC will continue to provide assistance and offer recommendations where appropriate until the incident is resolved and closed.

Roles and responsibilities: client IT security team

To help ensure your success in using IBM Managed Security Services, it is critical that you assign staff to effectively execute on the following security responsibilities. How an organization staffs these roles depends on its size. For small organizations, a single person could potentially perform all of these responsibilities. In large organizations, multiple individuals may be needed to fulfill these responsibilities:

- Interacting with the managed security service through the customer portal to review device status, open tickets, security incidents and X-Force threat information
- Documenting customer networks, devices, servers and other assets
- Reviewing device policies and initiating change requests
- Determining when escalations, both within the client organization and to the SOC, are necessary
- Responding to SOC-initiated escalations and coordinating appropriate internal resources.

3. Service Delivery

Security Operations Center

IBM's global network of interconnected Security Operation Centers (SOCs) serves as the principal delivery arm for all Managed Security Services. Each of the SOCs is located within a hardened IBM facility that provides industry-standard security protocols for both physical and logical security. IBM SOCs carry SSAE16 (Statement on Standards for Attestation Engagements, number 16) certifications and are operated according to governance standards from organizations such as ISO and the Federal Financial Institutions Examination Council (FFIEC) as well as IBM's own stringent IT security standards.

A common technology architecture and an integrated managed security services network enable all SOCs to function as a single cohesive operation known as a Virtual Security Operations Center (Virtual SOC), with any SOC able to see all managed and monitored devices. Standardized hardware and software plus common policies and procedures enforce uniform management and monitoring of client devices as well as globally managed SLAs and change control. With the Virtual SOC structure, a full staff of security specialists is available 24 hours a day during the business week, with a more limited staff on weekends and holidays (see Figure 3). Additionally, each SOC has visibility into every other. Through the use of web cams, voice over IP, and a digital SOC engineer dashboard, SOC engineers may act and feel as if each SOC is right next door regardless of how many thousands of miles away they actually may be located.

Global SOC activity is orchestrated from a centralized command and control center located in Atlanta, Georgia. Here, workload balancing, managed device failover and event correlation and analysis occur. The Atlanta facility also serves as IBM's Global Threat Operations Center (GTOC). Here, threat information is correlated, global trends identified, and daily briefings for the various government agencies IBM supports, including the U.S. Department of Homeland Security, the Information Technology Information Sharing and Analysis Center (IT-ISAC) and the U.S. Federal Bureau of Investigation (FBI), are conducted via conference call every morning.

Figure 3. Globally integrated security operation centers (SOCs) and around-the-clock staffing enable 24x7x365 security management and monitoring. (Security Operations Center staffing across 1st, 2nd and 3rd shifts at: Atlanta, GA, United States; Boulder, CO, United States; Southfield, MI, United States; Brisbane, Australia; Brussels, Belgium; Hortolandia, Brazil; Bangalore, India; Tokyo, Japan; Wroclaw, Poland; Heredia, Costa Rica.)

Device management

A key component of IBM Managed Security Services is the remote device management capability, which enables SOC personnel to conduct essential daily activities such as troubleshooting, configuration management, log management, installation of upgrades and overall device monitoring (see Figure 4). Through remote monitoring, the SOC is able to detect connectivity failures or other abnormal issues that could adversely affect your security and business operations.

Figure 4. This high-level view of the Managed Security Services architecture shows the data flow between the managed devices at the customer location and the SOC. (Customer location: security devices. Over the Internet or VPN: command & control, device management, health monitoring, event stream. Security Operations Center (SOC): device monitors, X-Force Protection System, SOC analysts.)

If an event makes it impossible to manage a device via an in-band connection, IBM works with your designated personnel to identify the causes of the outage and determine whether the loss of connectivity represents a larger incident that could affect security or operations. IBM issues a trouble ticket and tracks the problem through resolution.

Policy tuning and policy changes

Typically after two to four weeks of steady state operations, your managed devices will have produced enough event data for policy tuning. Your analysts can evaluate this data to identify opportunities to better align the standard baseline policies established by IBM at service initiation with your network traffic. This effort can help reduce false positives and the amount of data analysis required to monitor your network, helping focus incident response on real events.

Whether requested as the result of initial tuning decisions, because of changes in the threat landscape or in response to actual events, policy changes for devices managed by IBM are considered to be standard requests, with implementation time frames determined by contracted service levels. Policy change requests, for example a firewall policy change or an intrusion detection signature change, are submitted via the Virtual SOC portal as tickets and executed by a SOC engineer. The ticketing system helps to track your policy changes over time and helps ensure that they are implemented correctly.

Updates and patches

New security content and signatures, as well as product enhancements, firmware updates and bug fixes, release on a monthly basis at a minimum and more frequently as necessary, based on the current Internet threat environment. Emergency updates may be made available within 24 hours of a new vulnerability being discovered. All updates and associated communications are coordinated with the client through the ticketing system in the Virtual SOC.

Security content updates typically contain new signature information and minor updates to the device. They do not include changes to the device operating system or to hardware drivers, and as such they generally do not impact the monitored networks or require a maintenance window. The SOC applies these content updates automatically unless customers specify otherwise. The update process starts within a specific number of hours from the timestamp of the official release from the device vendor, as outlined by your service level agreement. For IBM security products, there is a regular monthly X-Press Update (XPU) release immediately following the Microsoft monthly patch release. IBM also releases emergency XPUs as needed to address zero-day exploits and other urgent security issues.

For firmware updates, the SOC reviews each release as it is announced by the respective vendor to determine the criticality of the update. If the firmware release addresses a significant security vulnerability in the product, the SOC creates a ticket with specific details and works with you to schedule a maintenance window to perform the update. If, upon investigation, the SOC judges a firmware update to be non-critical, the update will be treated as optional.

Event monitoring and analysis

IBM Security Services are dedicated to providing customers with the highest level of protection services to help address vulnerabilities and guard against Internet-based threats. The first line of defense is the X-Force Protection System (XPS), a proprietary IBM tool that handles the collection, archiving and analysis of all logs and events monitored by the SOC (see Figure 4). A security event is defined as the output of a security device or application. Examples of security events include alerts from intrusion detection/prevention sensors (IDPS) or logs from firewalls. The XPS correlation engine employs sophisticated statistical analysis and rules-based correlation to separate real events from noise in the data coming from these devices (see Figure 5). IBM's highly skilled SOC analysts continuously monitor and evaluate the filtered event data in near real time to identify security incidents. These analysts correlate across multiple data sources and types, including X-Force security intelligence and a customer's security posture. As part of initial event triage, SOC analysts draw on their in-depth knowledge of vulnerabilities and attack vectors to quickly eliminate false alarms. SOC analysts are also trained to uncover events that are more difficult to identify, such as "low and slow" security incidents as well as advanced persistent threats.

Figure 5. IBM employs multiple tiers of analysis by both expert systems and skilled analysts to filter out noise and prioritize events based on your environment. (Funnel shown: potential alerts from IBM-monitored and IBM-managed client devices; IBM X-Force Protection Service (XPS) databases and logic engines are referenced and the data analyzed by our industry-leading expert system; alerts generated by XPS; filtered by your customized IT profile; events eliminated and validated by analysts; prioritized events with solutions requiring client action; Virtual SOC portal updated. Volumes shown: 1 billion, 150,000, 300, 6.)

Incident management

Events that cannot be immediately dismissed trigger a comprehensive review of vulnerability data, past security incidents, customer network diagrams, and real-time cross-correlation of global attack trends. SOC analysts employ a six-phase methodology to thoroughly investigate anomalous or suspicious activity.

Phase 1: Intelligence and attack analysis
IBM X-Force intelligence provides the basis for the initial triage of events. Using information about how the exploits work, SOC analysts correlate activity patterns with signature severity to associate the behavior with known attacks. This allows the SOC analyst to determine the potential risks associated with the events.

Phase 2: Source and target investigations
This investigation varies based on whether the source and target machines are internal or external to a customer's network. For internal machines, the SOC cross-references against monitored network diagrams, critical server information and, when available, vulnerability scan data. For external machines, analysts cross-reference against the X-Force black list IP blocks, known attackers and past investigations and escalations.

Phase 3: Incident classification and prioritization
Not all investigations of suspicious activity result in the declaration of a security incident: the majority of events are classified as non-actionable. These events are triggered by malicious traffic in the customer environment, for example the presence of mass worm traffic on a network, but the targeted networks and servers are not vulnerable to the exploits. Unless a customer server is infected and actively propagating a worm, there is no need for action, and the event is not escalated.

Only after careful examination and analysis of the data is an event classified as a security incident requiring action and prioritized according to the severity of the threat. IBM employs the following incident categories to help guide subsequent actions:

- Malicious code: A virus, worm, Trojan or other code-based entity that has successfully infected or compromised an internal system, and has begun propagating within internal networks or systems
- Probes and scans: Reconnaissance activities on a network intended to discover systems and facilitate network mapping
- Denial of service: An attack that impairs the use of networks, systems, or applications by exhausting connection and bandwidth resources; both denial of service (DoS) and distributed denial of service (DDoS) attacks fall into this category
- Unauthorized access: Unauthorized logical access to a network, system, application, data, or other resource, including root compromises, unauthorized data alterations and website defacements
- Inappropriate use: Violations of acceptable use policies, such as peer-to-peer file sharing applications and other misuses or abuses of resources
- Trend analysis: Anomalous activity within a standard event stream for a given device that requires a historical review of an event stream, which is not typically performed in real time.

After classification, the SOC analyst prioritizes the incident by correlating three factors (see Figure 6). Security incidents are assigned to one of three priority levels:

Priority 1: Incidents at this level are actionable, high-risk events that have the potential to cause severe damage to customer environments. Priority 1 events require customers to take immediate defensive actions. System or data compromises, worm infections and propagation, massive denial of service (DoS) attacks, and similar incidents are assigned this priority level.

Priority 2: This is the lowest level of actionable incidents. Priority 2 incidents require customers to take actions within 12 to 24 hours of notification by the SOC. Incidents such as unauthorized local scanning activity and attacks targeted at specific servers or workstations are assigned this priority level.

[Figure 6 (diagram): attack severity, security intelligence category, and analyst investigation and correlation combine to determine incident priority.]
Figure 6. SOC analysts prioritize incidents based on three criteria.

Priority 3: Incidents in this category involve activity on a network or server that is not directly actionable. Discovery and vulnerability scanning, information-gathering scripts and other reconnaissance probes are assigned this priority level.

Phase 4: Incident escalation
Once an incident has been identified, classified and prioritized, IBM escalates it to your authorized security staff for handling. Contracted service levels determine how quickly security incidents will be escalated, with service level options for 15-, 30- or 60-minute response times. Customers can set preferences for preferred methods of notification (for example, telephone, mobile phone, email or via the portal). During a Priority 1 security incident escalation, IBM will attempt to reach the designated customer contact until successfully notified or all escalation contacts have been exhausted.

Phase 5: Countermeasure recommendations
After reaching an authorized contact during a Priority 1 security incident escalation, the SOC analyst will recommend appropriate actions to thwart or contain the attack. The countermeasures available to the SOC and clients vary based on the services and platforms managed by IBM at the affected site. A list of countermeasures and their associated properties is detailed in Table 2.

Countermeasure                  Type      IBM Default Action  Requires Authorization  Platforms
Block                           Reactive  No                  Yes                     IBM IDS/IPS
Kill                                      No                  Yes                     All network and host IDS/IPS
ISP notification                          Yes                 No                      All
Firewall policy or ACL change             No                  Yes                     IBM IDS/IPS or managed firewall

Table 2. SOC analysts will work with you to determine actions you can take to thwart or contain an attack.

Important note: The client Incident Response Team is responsible for verifying and acting on SOC-escalated incidents, in accordance with the organization's Computer Security Incident Response Plan (CSIRP). As your team executes your CSIRP, it is critical that you and the IBM SOC staff remain in close communication. For its part, the SOC will continue to provide assistance and offer recommendations where appropriate. If your organization lacks a robust CSIRP or an emergency response capability, IBM offers security consulting services that can address your particular needs.

Phase 6: Documentation
The final stage of any security incident escalation is documentation. All aspects of the activity and attack are documented within a security incident ticket and report. Ticketing and reporting information is available to customers in real time via the Virtual SOC customer portal.

4. Support and Reporting

Virtual SOC customer portal
The Virtual SOC customer portal is a web-based portal that serves as a centralized command center for monitoring and controlling security devices under IBM management. It is available online 24x7x365 from a desktop or handheld device. The portal may be used to submit policy change requests, create tickets, generate reports and view security events and logs from managed devices at a single location. With the Virtual SOC portal (see Figure 7):

- Consolidated security views enable monitoring and control of all managed security services via a centralized command center and the viewing of all security events and logs through a single tabbed interface.
- Powerful query and reporting options allow ad hoc queries and reports for security devices, security events, service level agreement activity and other parameters, as well as customized standard reports.
- Event/log archives provide online event/log storage accessible via the Virtual SOC portal and offline archiving in the forensically sound IBM Managed Security Services archive system.
- A granular permissions system allows you to determine who can access the portal, what each user sees, what each user can change, and who is authorized to contact the SOC.
- Integrated trouble ticketing and workflow provides a trouble ticket workflow system for the creation, assignment and tracking of ticket status.
- Integrated X-Force security intelligence includes real-time integrated X-Force security intelligence feeds and research tools.

Problem management and resolution
The process for managing security incidents is detailed in Section 3 of this guide. Service incidents (problems outside of standard service operations that cause, or may cause, a reduction in service quality or a security compromise) are addressed by a separate team of SOC specialists. Both types of incidents are tracked end-to-end via the integrated ticketing system. Service incidents classified by customers as major (Severity 1) pose a risk to critical business processes, such as revenue generation, or result in an outage to a system, network or key application that impacts IT service delivery. Major incidents are handled with an expedited process designed to restore normal operations as quickly as possible. SOC incident management specialists work with the customer through resolution of the problem, and at any time customers can escalate problem handling to the SOC team lead or shift manager. Trouble tickets can be opened for lower priority incidents either by automated systems and monitoring functions, by SOC personnel or by customer security contacts. These problems are routed to the appropriate SOC operations support teams for resolution.

Figure 7. The Virtual SOC portal provides a single point of access to all aspects of Managed Security Services delivery.

X-Force security intelligence
Included with all IBM Managed Security Services, and integrated into the Virtual SOC portal, is the IBM X-Force Threat Analysis Service. This industry-leading security intelligence service helps you proactively manage daily security threats by providing an evaluation of global online threat conditions and detailed analysis tailored for your needs. Figure 8 shows a typical client view of the X-Force Threat Analysis home page on the Virtual SOC portal, which provides at-a-glance access to:

- Current Security Assessment: a summary of the important events and product releases that could impact your network security
- Vulnerabilities: a customized matrix that shows the number of vulnerabilities, by category, over the last 90 days and since your last portal login, as well as trends across all available vulnerability data

- AlertCon 5-Day Forecast: an assessment of the current and anticipated threat level of online attacks, ranging from AlertCon 1 (regular vigilance required) to AlertCon 4 (catastrophic threat imminent or ongoing)
- Alerts/Advisories: a timely compilation of breaking information on new threats from both IBM and US-CERT
- Worms & Viruses: the top three worms and viruses active on the Internet
- Security News: an aggregated view of the top security news stories compiled by XFTAS, with links to a news archive.

Figure 8. The X-Force Threat Analysis Service home page provides an at-a-glance view of vulnerability trends, Internet security status and your customized security assessment.

Email notification of threat assessments and alerts
As an XFTAS customer, you can subscribe to daily newsletters that provide insightful information about the day's issues, emerging threat trends and their impact, and a tailored list of vulnerabilities, threats, and news articles that pertain to your business. You can also subscribe to a customizable daily threat assessment e-mail that includes IBM protection advisories and daily AlertCon status, which indicates the current threat state of the Internet.

Standard and customized reports
IBM provides a robust reporting and query engine that you can use to help facilitate day-to-day security operations, including research, vulnerability assessment, threat mitigation, and workload prioritization. There are also reports that can help you manage your IBM services and address audit compliance requirements. IBM provides normalized data from your IBM services and devices managed and monitored by IBM. Reports are available 24x7x365 through the Virtual SOC portal Report Dashboard (see Figure 9). IBM provides several industry-standard report templates that you can customize by device, device group or time frame to match your requirements. In addition, you can save your report criteria and schedule reports to automatically run hourly, daily, weekly, monthly or yearly. You can view report data directly in the portal or export reports and email them to your security community in HTML, CSV, PDF or other commonly supported formats.

To help you work more efficiently, the report templates are organized into the following groups:

- General Service Related: Overview of events and incidents and overall service performance
- IDS/IPS Sensors: Detailed event metrics and overall attack trends detected by sensors
- Vulnerability Management: Enterprise and PCI vulnerability data for clients using the Hosted Vulnerability Management Service
- Firewall: Detailed data related to network traffic, protocol usage, connections, target IPs, rule utilization, and suspicious host correlation
- Log Management: System activity data for clients using the Hosted Security Event and Log Management Service
- Alerts: Summaries of potential security issues and corresponding counts
- Content Management: URL filtering (what was blocked by category, by client and source IP) and anti-virus reports
- Compliance Reports: Documentation of performance in meeting regulatory, industry and legal standards.

Figure 9. The Report Dashboard section of the Virtual SOC portal gives you ready access to all standard and customized reports on your security environment and security services.

As a best practice, IBM recommends that clients regularly run and review event count reports, in particular event counts by IP source address, by event name and by sensor. Together these reports can help you quickly determine whether attacks are coming from within or outside of your organization, what systems may be compromised, which types of attacks are most prevalent, and which devices may need additional policy tuning.
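The source/target cross-referencing of Phases 2 and 3 under Incident management, and the event-count reports recommended just above, as an added Python example. This is illustrative code written for this page, not IBM's tooling or the Virtual SOC portal's logic; the address ranges, sensor names, signature names, vulnerability scan data and the simplified priority rules in classify() are all constructed assumptions standing in for the network diagrams, scan results and analyst judgement the guide describes.

```python
"""Added example (not IBM code): cross-reference IDS events against asset data
the way the guide's Phase 2/3 describes, then build the event-count views it
recommends reviewing. All addresses, sensors, signatures and scan data are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the monitored network diagrams: which address space is internal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed stand-in for vulnerability scan data: host -> signatures it is exposed to.
VULN_SCAN = {
    "10.0.5.20": {"SMB_Worm_Propagation", "HTTP_Dir_Traversal"},
    "10.0.5.21": set(),                      # patched: exposed to nothing we track
    "10.0.5.22": {"HTTP_Dir_Traversal"},
}

# Constructed signature -> incident category, using the guide's category names.
SIGNATURE_CATEGORY = {
    "SMB_Worm_Propagation": "Malicious code",
    "HTTP_Dir_Traversal": "Unauthorized access",
    "TCP_Port_Sweep": "Probes and scans",
    "SYN_Flood": "Denial of service",
}


@dataclass(frozen=True)
class Event:
    sensor: str     # reporting IDS/IPS sensor
    src: str        # source IP
    dst: str        # target IP
    signature: str  # event name as reported by the sensor


def is_internal(ip: str) -> bool:
    """Phase 2: decide whether a machine is inside the customer's network."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev: Event):
    """Return (category, priority); priority None means non-actionable.

    Hypothetical simplification of the guide's rules: an exploit against a host
    that scan data shows is not vulnerable is noise and is not escalated
    (Phase 3); worm propagation against a vulnerable host and DoS are Priority 1;
    other exploits against a vulnerable host and scanning from an internal source
    are Priority 2; external reconnaissance is Priority 3.
    """
    category = SIGNATURE_CATEGORY.get(ev.signature, "Trend analysis")
    if category == "Probes and scans":
        return category, 2 if is_internal(ev.src) else 3
    if category == "Denial of service":
        return category, 1
    # Exploit-style signature: cross-reference the target against scan data.
    if ev.signature not in VULN_SCAN.get(ev.dst, set()):
        return category, None
    return category, 1 if category == "Malicious code" else 2


def triage(events):
    """Classify a batch and summarise what would be escalated, Priority 1 first."""
    counts = Counter()
    escalated = []
    for ev in events:
        category, priority = classify(ev)
        counts[priority] += 1
        if priority is not None:
            escalated.append((ev, category, priority))
    escalated.sort(key=lambda item: item[2])
    return {"priority_counts": dict(counts), "escalated": escalated}


def event_count_reports(events):
    """The event-count views the guide recommends (by source IP, event name and
    sensor) plus the internal/external split they are meant to answer."""
    return {
        "by_source_ip": Counter(e.src for e in events),
        "by_event_name": Counter(e.signature for e in events),
        "by_sensor": Counter(e.sensor for e in events),
        "by_origin": Counter("internal" if is_internal(e.src) else "external"
                             for e in events),
    }


# Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    Event("ids-dmz-01", "203.0.113.7", "10.0.5.21", "HTTP_Dir_Traversal"),   # patched target
    Event("ids-dmz-01", "203.0.113.7", "10.0.5.22", "HTTP_Dir_Traversal"),   # exposed target
    Event("ids-core-02", "10.0.5.30", "10.0.5.20", "SMB_Worm_Propagation"),  # exposed target
    Event("ids-core-02", "10.0.5.30", "10.0.5.21", "SMB_Worm_Propagation"),  # patched target
    Event("ids-dmz-01", "198.51.100.9", "10.0.5.20", "TCP_Port_Sweep"),      # external recon
    Event("ids-core-02", "192.168.1.15", "10.0.5.20", "TCP_Port_Sweep"),     # internal recon
    Event("ids-dmz-01", "198.51.100.9", "10.0.5.20", "SYN_Flood"),
]

if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for ev, category, priority in summary["escalated"]:
        print(f"P{priority} {category}: {ev.src} -> {ev.dst} {ev.signature} ({ev.sensor})")
    for name, table in event_count_reports(SAMPLE_EVENTS).items():
        print(name, dict(table))
```

Two of the seven sample events are dropped as non-actionable because the scan data shows the targeted host is not exposed to the signature, which is the Phase 3 outcome the guide says covers the majority of events; the by_origin count answers the "inside or outside" question the recommended reports are for. In practice the scan data and internal ranges would come from the customer's own asset inventory rather than the constants used here.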

5. Next steps

IBM specialists can work with you to create a business case that demonstrates how IBM Managed Security Services can help you improve your security posture and mitigate risks to business operations while reducing the cost and complexity of security management.

Contact us
If you would like to speak with an IBM Security Services representative to discuss your security management requirements and objectives, contact us directly by calling 1-877-426-3287. Mention code 609CG98W (U.S. and Canada only). Or you can email us to request a response from an IBM specialist.

Learn more
Read about the issues facing IT security executives today and how IBM can help you address your most significant challenges.
- Download the IBM Security Services Cyber Security Intelligence Index to learn more about the threats facing your organization today.
- Read the Forrester report Surviving the Technical Security Skills Crisis for an analyst view on the role of managed security services in helping to close the skills gap.
- Share the Chief Information Security Officer (CISO) report A new standard for security leaders from the IBM Center for Applied Insights.

Financing from IBM
IBM Global Financing can help you acquire the IT solutions that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize an IT financing solution to suit your business goals, enable effective cash management, and improve your total cost of ownership. IBM Global Financing is your smartest choice to fund critical IT investments and propel your business forward. For more information, visit: ibm.com/financing

For more information
For more information about IBM Security Services, visit our web page: ibm.com/services/security

Copyright IBM Corporation 2014
IBM Global Services, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, January 2014

IBM, the IBM logo, ibm.com, AlertCon, Proventia, Q1 Labs, QRadar and X-Force are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates and availability are based on a client's credit rating, financing terms, offering type, equipment and product type and options, and may vary by country. Non-hardware items must be one-time, non-recurring charges and are financed by means of loans. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice and may not be available in all countries.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

SEO03083-USEN-01