Secure Your Operations through NOC/SOC Integration
David Jenkins, Security Consultant, IBM Software Group (davidjen@de.ibm.com)
IBM Corporation
IBM Business/Service Assurance Offering: only Tivoli's suite offers fault, performance and security management.

Agenda for this presentation:
- Security Management Challenges
- Operational Integration Best Practices
- Tivoli Security Operations Manager (TSOM) Integration
- Further Resources
The problem we solve: 1,200 events per second is 72,000 events per minute, 4,320,000 events per hour and 103,680,000 events per day.
Consider this typical security operation: siloed management, multiple consoles, manual correlation and vendor-specific point solutions. Event sources include virus scanners, host IDS, network IDS, firewalls, antivirus, applications, routers and servers: a best-of-breed, multi-vendor, multiple-domain environment.
Issues
- Day to day: manual analysis of log data wherever it exists, typically using multiple command-and-control dashboards; the cost of expensive security experts.
- Operational: time to resolution; difficult to assign a problem owner for resolution; expensive.
- Strategic: siloed security management does not encourage operational convergence across discrete business units.
Breadth of Supported Devices
- Firewalls: Juniper Networks NetScreen; Check Point Firewall-1; Cisco PIX; CyberGuard; Fortinet FortiGate; GNATBox; Linux IP Tables; Lucent Brick; Stonesoft StoneGate; Secure Computing Sidewinder; Symantec Enterprise Firewall; SonicWALL; Sun SunScreen
- Vulnerability Assessment: Nessus; Vigilante; ISS Internet Scanner; QualysGuard; Foundstone; eEye Retina; SPI Dynamics WebInspect; Harris STAT
- Routers/Switches: Cisco Routers; Cisco Catalyst Switches; Nortel Routers; TACACS / TACACS+
- Policy Compliance: Vericept
- Network-based Intrusion Detection/Prevention: Intruvert (NAI) IntruShield; Sourcefire Network Sensor; Juniper Networks NetScreen IDP; AirMagnet; ISS RealSecure; ISS Proventia; ISS BlackICE Sentry; Cisco Secure IDS; SNORT IDS; Enterasys Dragon; Intrusion SecureNetPro; NFR NID; Symantec ManHunt; ForeScout ActiveScout; Top Layer Attack Mitigator; Labrea TarPit; IP Angel; AirDefense; Lancope StealthWatch; Tipping Point UnityOne; NDS
- Host-based Intrusion Detection/Prevention: Cisco CSA (Okena); NFR HID; Sana Security Primary Response; Snare; Symantec Intruder Alert (ITA); Sygate Secure Enterprise; Tripwire; ISS RealSecure; Entercept HIDS (NAI)
- Web Servers: Apache; Microsoft IIS; BEA WebLogic Server Logs
- Operating System Logs: Solaris (Sun); AIX (IBM); RedHat Linux; SuSE Linux; HP/UX; Microsoft Windows Event Log; Nokia IPSO; OpenBSD; Tripplight UPS
- Antivirus: CipherTrust IronMail; McAfee VirusScan; Norton AntiVirus (Symantec); McAfee ePO; Trend Micro InterScan
- Application Security: Blue Coat Proxy; Teros APS
- VPN: Neoteris IVE (NetScreen); Check Point; Cisco IOS; Nortel Contivity
- Management Systems (NS escalates to): Remedy ARS; HP OpenView; IBM/Tivoli; CA Unicenter; Micromuse Netcool
- Management Systems (source of events into NS): NetScreen Global Pro; ISS RealSecure SiteProtector; Tripwire Manager; Intrusion, Inc. SecureNet Manager; McAfee ePO; Symantec ESM
- Integrated Investigative Tools: NS GeoLocator Service; Hostname and WHOIS Lookup; Finger; NMAP; HTTP Probe; OS Fingerprint; SNMP Probe; SMTP Probe; RPC Probe; NFS Probe; CGI Vulnerability Probe; Trace Route; UDP/TCP Port Scan; QualysGuard
Security Information and Event Management (SIEM)
Gartner's 2006 SIEM Magic Quadrant (figure not reproduced; axes: Ability to Execute vs. Completeness of Vision).
Best Practices in Operational Integration: Network Operations and Security Operations
IBM Global CEO Study 2006: one-on-one, one-hour interviews with 765 CEOs across 20+ industries (2004: 456 survey respondents, 380 interviews). Charts not reproduced: respondents by geography (European Union, U.S./Canada, Japan, China, Australia/NZ, India, Hong Kong/Taiwan, Latin America, ASEAN, Europe/Non-EU, Korea), by annual sales/turnover in US$ (<$500M, $500M-$1B, $1B-$10B, >$10B) and by number of employees (<5,000, 5,000-25,000, >25,000).
Enterprise pressures and opportunities. In IBM's interviews with hundreds of CEOs, they said they must achieve revenue growth, cost reduction, asset utilization and risk management (IBM Global CEO Study 2004, multiple answers permitted), and that they want to innovate their products/services/markets, their operations (processes and functions) and their business model (IBM Global CEO Study 2006, point allocations). Chart percentages not reproduced.
IT Efficiency and Effectiveness are Waning: efficiency decreases as IT spending shifts to operations labor. 70% of the 2005 CIO budget is labor, with hardware, services and software making up the remainder (source: Tivoli-commissioned IDC study, 1Q05). Operations labor will be 73% of CIO labor budgets by 2008; application development will decline at a -10% CGR to 2008; operations labor will reach $325B by 2008. Application development and support labor has dropped from 48% to 34% of IT labor spend over the previous four years (source: Gartner Group, IT Spending & Staffing surveys; chart of application development, application support/maintenance and IT operations labor for 2001-2008 not reproduced).
IT Silos: architectural complexity exposes organizational complexity. Each silo has its own experts and tools: security, network, application, database, mainframe, storage and Unix. Cross-cutting processes (availability management, security and compliance management, release management, change management, information management) run across all of them, and each step of the response cycle (sense, isolate, diagnose, take action, evaluate) costs labor and time in every silo.
NOC and SOC Differences
- Perspective: it used to be lock-down (SOC) vs. availability (NOC); the new focus on business impact rather than system impact has changed that.
- Problem-solving techniques: the NOC deals in objective, black-and-white situations (up or down); the SOC is subjective and needs context (why is it up or down?), so it works in shades of grey.
- Tools: each side requires tools that process, analyze and handle event data differently.
The Solution: Focus on the end goal
- The end goal for both IT and security operations is business and service assurance
- Transcends IT silos (NOC/SOC/Help Desk)
- Requires convergence at:
  - Organizational level (i.e. common first-level response)
  - System level (i.e. integrated ticketing and workflow)
  - Asset level (i.e. shared sensors and criticality information)
- Requires responses based on the business impact, not the cause
- Improves problem resolution and time to mitigation
Typical operations model (diagram not reproduced): the NOC and the SOC each run their own Level 1 operations, Level 2 and Level 3 tiers, each with separate workflow and ticketing, reporting to separate NOC management and SOC management.
Organizational convergence (diagram not reproduced): converged operations with a single Level 1 serving both network operations and security operations; Level 2 and Level 3 remain per domain but use shared workflow and shared ticketing, with joint incident analysis and a joint SLA to the business.
Converged Systems
- As an event unfolds it may need to be re-classified from network-related to security-related and vice versa
- This requires system integration as well as integrated procedures
- There should be a single ticketing and workflow system that allows the teams to collaborate, review, annotate and take action on events
- Historical views of prior events or problems should also be consolidated: a past configuration error could be related to a current security error
- A common knowledge base will assist Level 1 in making a correct diagnosis
- Converged reporting can reduce compliance costs and increase operational excellence across the board
- Include a periodic (monthly or quarterly) results reporting process under the Service Level Agreement
Converged Sensors and Asset Inventories
- Companies build the NOC before they build a SOC: leverage all those deployed sensors!
- Build on top of existing network monitoring and leverage existing ticketing systems; do not build a security island
- Both NOC and SOC need asset inventories, which provide perspective into the importance, location and status of the asset
- Assets have an associated business criticality and risk regardless of whether they suffer a network problem or a security problem
- Converged asset inventories provide a business-level perspective and ensure the appropriate level of response
- Respond based on the business impact, not the cause
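To make the converged-sensor and asset-criticality points concrete, here is an added example in Python; it is not code from the presentation, from TSOM or from Netcool. NOC-style SNMP and syslog events and SOC-style IDS and firewall events are normalised into one record, enriched from a shared asset inventory, correlated per asset, re-classified from network-related to security-related when attack indicators coincide with an availability symptom, and ranked by business criticality rather than by which sensor fired. The asset inventory, the normalisation rules, the "source|host|message" line format and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Shared asset inventory (constructed). Criticality 1..5 expresses business
# impact if the asset is lost, independent of whether the problem is
# network-related or security-related.
ASSETS = {
    "10.0.1.10": {"name": "payment-db-01", "criticality": 5, "owner": "Payments"},
    "10.0.2.20": {"name": "intranet-wiki", "criticality": 2, "owner": "Intranet"},
    "10.0.3.30": {"name": "core-switch-a", "criticality": 4, "owner": "Network"},
}


@dataclass
class Event:
    source: str    # sensor family: ids, firewall, snmp, syslog
    host: str      # asset address the event is about
    kind: str      # normalised event class
    severity: int  # 1 (info) .. 5 (critical), as reported by the sensor
    raw: str


# Normalisation rules (constructed): (source, regex on message) -> (kind, severity)
RULES = [
    ("snmp",     re.compile(r"linkDown"),        ("link_down", 3)),
    ("snmp",     re.compile(r"hostUnreachable"), ("host_unreachable", 4)),
    ("ids",      re.compile(r"SQL injection"),   ("sqli_attempt", 4)),
    ("firewall", re.compile(r"DENY .*:1433$"),   ("db_port_probe", 2)),
    ("syslog",   re.compile(r"Failed password"), ("auth_failure", 2)),
]

SECURITY_KINDS = {"sqli_attempt", "db_port_probe", "auth_failure"}
NETWORK_KINDS = {"link_down", "host_unreachable"}


def normalise(line: str) -> Optional[Event]:
    """Parse one 'source|host|message' line (constructed format) into an Event."""
    source, host, msg = line.split("|", 2)
    for rule_source, pattern, (kind, severity) in RULES:
        if source == rule_source and pattern.search(msg):
            return Event(source, host, kind, severity, line)
    return None  # unknown classes are dropped here; a real pipeline would retain them


def correlate(events: List[Event]) -> List[dict]:
    """Group events per asset, pick the owning domain, and rank by business impact."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    tickets = []
    for host, evs in by_host.items():
        asset = ASSETS.get(host, {"name": host, "criticality": 1, "owner": "unassigned"})
        kinds = {e.kind for e in evs}
        sec, net = kinds & SECURITY_KINDS, kinds & NETWORK_KINDS
        # An availability symptom on a host that also shows attack indicators is
        # re-classified from a network problem into a security incident.
        if sec and net:
            domain, summary = "security", "network symptom with concurrent attack indicators"
        elif sec:
            domain, summary = "security", "attack indicators"
        else:
            domain, summary = "network", "availability problem"
        worst = max(e.severity for e in evs)
        # Priority is driven by the asset's business criticality, not by the sensor.
        tickets.append({
            "asset": asset["name"], "owner": asset["owner"], "domain": domain,
            "priority": worst * asset["criticality"], "summary": summary,
            "evidence": sorted(kinds), "count": len(evs),
        })
    tickets.sort(key=lambda t: t["priority"], reverse=True)
    return tickets


# Constructed sample feed mixing NOC and SOC sensors.
SAMPLE = [
    "snmp|10.0.3.30|linkDown ifIndex=3",
    "firewall|10.0.1.10|DENY tcp 203.0.113.5:4455 -> 10.0.1.10:1433",
    "firewall|10.0.1.10|DENY tcp 203.0.113.5:4456 -> 10.0.1.10:1433",
    "ids|10.0.1.10|SQL injection attempt from 203.0.113.5",
    "snmp|10.0.1.10|hostUnreachable",
    "syslog|10.0.2.20|sshd: Failed password for root from 198.51.100.7",
    "syslog|10.0.2.20|sshd: Failed password for root from 198.51.100.7",
]


def run(lines: List[str] = SAMPLE) -> List[dict]:
    """Normalise, correlate and return the prioritised ticket queue."""
    events = [e for e in (normalise(line) for line in lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for t in run():
        print(f"P{t['priority']:>2} {t['domain']:<8} {t['asset']:<14} "
              f"owner={t['owner']:<9} {t['summary']} {t['evidence']}")
```

With the sample feed, the payment database lands at the top of the queue as a security ticket: on its own the SNMP hostUnreachable would be a network ticket, but alongside the IDS hit and the two denied probes against port 1433 it is re-classified, and its criticality of 5 outranks the core switch link-down even though the switch is a higher-volume network asset. The repeated SSH failures on the low-criticality wiki rank last.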
Conclusions and Bottom Lines
- The driving force for both IT and security operations is business process availability
- This driver transcends silos and requires convergence
- Converged NOC/SOC operations means convergence at:
  - The organizational level: common Level 1 response
  - The system level: integrated ticketing and workflow
  - The asset level: shared history and criticality information
- Operational models must be flexible enough to adapt to a changing market
Points for discussion
- How big is each NOC / SOC before integration, and what is the natural limit for outsourcing?
- Are there other formal ways to classify the structure of different growth models than a joint SLA to the business?
- How do we assess the physical properties of the whole, such as its robustness, damage or vulnerability to malicious attack?
- How do we quantify the interaction between network operations of different character, and how do we model network evolution?
- How much difficulty do you see in this model?
- Why is convergence important to you?
About Tivoli Security Operations Manager (TSOM)
The TSOM Solution
Themes: risk reduction, operational efficiency, audit and compliance.
- Intelligent dashboard to manage complex security environments
- Communicates critical security information throughout the IT organization
- Real-time, cross-device event correlation to improve incident recognition
- Integrated asset weighting to assist with prioritization of investigations
- Integrated incident investigation and automated remediation
- Customizable reporting for audit, trending and compliance
Consolidated view via the main dashboard (screenshot not reproduced; panels show event domain, event class and frequency).
Centralized Reporting: on demand or scheduled.
New Integration Capabilities between Netcool and TSOM
1. Escalate raw or correlated security events to Netcool OMNIbus
2. View security metrics via Netcool dashboards
3. Leverage a universal collection layer
4. TSOM device support for Netcool SSMs
5. TSOM support for the Micromuse Portal for integrated solutions
6. Security knowledge base (for common first-line support)
These link network operations and security operations.
Conclusions and Further Resources
Tivoli's Business/Service Assurance Offering: only Tivoli's suite offers fault, performance and security management.
- Operational integration: converge security operations with IT operations to ensure business and service uptime
- Invest in one vendor who understands your infrastructure holistically
The Right Strategy
- Security as an option: security is an add-on; challenging integration; not cost-effective; cannot focus on the core priority.
- Security as part of a system: security is built in; intelligent collaboration; appropriate security; direct focus on the core priority.
Further Resources
- Tivoli Webinar: NOC/SOC Integration, an Overview. Johna Till Johnson, Nemertes Research, and Jim Alderson, IBM. http://www.micromuse.com/events/webinars/sm_30-nov-2005.html
- Tivoli Webinar: NOC/SOC Integration for Service Providers. Andreas Antonopoulos, Nemertes Research, and Jim Alderson, IBM. http://www.micromuse.com/events/webinars/secure_operations_23mar2006.html
- Issue Paper: Integrating Event Response. Andreas Antonopoulos, Nemertes Research. http://www.micromuse.com/downloads/pdf_lit/wps/nemertes_issue_paper_integrating_event_response.pdf
Thank You. David Jenkins, davidjen@de.ibm.com
Innovation That Matters: IBM Software Group, Tivoli software