CA Enterprise Log Manager 12.5
Peter Dulay, CISSP, Senior Architect, Security BU

Agenda
- ELM Overview
- ELM 12.5: What's new?
- ELM to CA Access Control/PUPM Integration
CA CONFIDENTIAL - Internal Use Only
Overview
User Activity and Compliance Reporting: The Business Case
- The Problem: Are my controls working as expected?
- The Solution: User Activity & Compliance Reporting
  - Collect & normalize IT activity logs
  - Generate compliance reports
  - Verify controls!
  - Investigate incidents
  - Automate proactive alerting
User Activity Log Management is a must! PCI, SOX, HIPAA, FISMA, NERC and SAS-70 mandate that organizations audit and report on IT and user activity.

CA Enterprise Log Manager Product Overview
- Consolidate view across all log types and sources
- Normalize and classify logs to a common model
- Enrich queries & reports to show business relevance
- Collect logs from any source securely & reliably
- Provide role-based access to each type of log record
- Archive logs securely for forensic investigations
Value-added CA IAM Integrations: CA Enterprise Log Manager Solution Architecture
[Architecture diagram. Centre: CA Enterprise Log Manager with 120+ supported 3rd-party log sources, collecting from systems & applications (operating systems, hypervisors, databases, web/app servers, applications, network devices) in physical or virtual environments. Integrations shown: Enterprise Ticketing System (e.g. CA Service Desk), CA Role & Compliance Manager, CA Identity Manager, CA DLP, CA SiteMinder, CA Process Automation Manager, CA Access Control, Network Operations Centre (e.g. CA Spectrum IM). Labelled flows: Ticket ID, Incidents, User Activity Metrics for Access Certification, Automated Response to Incidents, Context, Alerts, Logs/Query Drill Down.]

Distributed, Scalable Architecture ... with centralized querying and reporting
- Distributed collection, centralized view
- Federated search allows enterprise-wide reporting across many distributed Log Managers
- Scalability needs are met by stacking or distributing Log Managers
[Diagram: Log Managers in New York, Chicago, San Francisco and London answering one federated search, "Privileged User Logins Across Enterprise".]

Soft Appliance Model ... with automatic product update
- Customer-provided hardware from the customer's preferred vendor: the lowest-cost and best-supported hardware model
- The install configures a minimal, hardened OS plus the ELM application and embedded log store: the most reliable and most secure installation possible
- From inserting the disk to generating reports takes less than one hour. Fast!
- CA manages updates to the application, OS, agents and reporting packages via the automatic update service: the lowest-cost maintenance model
[Diagram: CA Update Server delivering application updates, operating system updates and reporting packages through the Automatic Update Service to Log Managers in New York, Chicago, San Francisco and London.]
Out-of-Box Compliance Reporting ... on enterprise IT activity
Compliance Packs
- PCI, SOX, HIPAA, GLBA reports available out-of-box
- FISMA, NIST, ISO, BASEL II reports via update service
Report Categories
- Identity Mgmt
- Resource Access
- System Access
- Configuration Mgmt
- Host Security
- Network Security
- Operational Security
- System Operations

Multi-dimensional Analysis ... with interactive drill-down & filtering
- Ad-hoc, multi-dimensional investigations
- Interactive reporting provides quick answers to pressing questions
- Categorized views enable a high level of interaction with the data
- Asset and identity groupings bring business relevance
- Drag-and-drop building of custom views/dashboards

Control Violation Alerting ... for quick identification & remediation
Violation Alerting: active notification when a potential control violation is discovered in IT logs
Examples:
- Use of vendor default accounts
- Audit policy changes
- Reset of security logs
- Multiple failed resource accesses
- Membership additions to privileged groups

Agent-less Log Collection simplifies & expedites deployment
- Agent-less collection from virtually all log sources
- No need to install remote agents for most log sources
[Diagram: collection methods feeding CA Enterprise Log Manager: Syslog, Tibco, Remote File, OPSEC LEA, ODBC, WinRM, WMI; a Windows Server hosting the ELM Agent (Windows).]

Optional Agent-based Log Collection ... with centralized management & update
- Tiered collection for enhanced scalability
  - A mid-tier agent can collect and filter prior to the Log Manager
  - A high-volume node can filter locally, saving bandwidth
- Secure, reliable log collection
  - Authenticated event sources
  - Guaranteed log delivery
  - Encrypted log transport
- Central management
  - Configurations
  - New integrations
  - Code updates
[Diagram: remote agents on servers feeding the Log Manager; agent collection methods: ODBC, SNMP, Syslog, OPSEC, WMI, Remote File.]

Distributed Log Collection ... with filtering at remote sites
[Diagram: Primary Data Center Log Managers exchanging log transfers and distributed queries with Log Managers and ELM Agent servers at remote sites; rates shown: 5000 EPS, 25 EPS and 100 EPS (ELM Agent Server).]

Any-Log Capability ... for complete log collection and search
Unstructured and custom log capture
- Logs from undefined and custom sources can now be collected without pre-processing or parsing
- The Match feature finds the answer through volumes of raw events
- The parsing wizard enables key custom logs to be normalized and classified quickly
- Critical logs can now flow directly into out-of-box reports
A Sampling of the 400+ Out-of-the-Box Reports
- Identity Management Reports: Account Management by Account, by Host, by Log Name, by Action; Account Creations by Account, by Host, by Business Critical Hosts, by Log Name; Account Deletions by Account, by Host, by Log Name; Password Changes by Account, by Host, by Log Name; Group Management by Performer, by Host, by Log Name, by Action; Group Creation by Performer, by Host, by Log Name; Group Deletion by Performer, by Host, by Log Name; Group Membership Changes by Account, by Group, by Host, by Log Name
- Resource Access Reports: Resource Access by Account, by Host, by Log Name, by Action, by Resource Name, by Business Critical Hosts
- System Access Reports: System Access by Account, by Host, by Log Name, by Action; SU Access by Account; System Access at Night by Account; System Access on Weekends by Account; System Access by Default Account; System Access by Disabled Accounts; System Access by Business Critical Hosts
- Network Security Reports: Firewall Activity by Source Address, by Destination Address, by Source Port, by Destination Port, by Firewall, by Log Name, by Result
- Host Security Reports: Virus Activity by Host, by Virus Name; Vulnerabilities by Host, by Vulnerability Name
- Configuration Management Reports: Configuration Audit Failures by Host, by Audit Name; Configuration Change by Host, by Log Name
- Investigation Reports: Investigate User by Category, Investigate Host by Category
- Operational Security Reports: System Startup/Shutdown by Host, Security Log Cleared by Host
- SIM Operations Reports: Collection Monitor by Log Manager, Alert Monitor by Alert Name, Alert Monitor by Host
Check the ELM Support page for the most current list: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentid=3da7cecb-4f05-4a45-91a4-22db8c294972&productid=8238

A Sampling of the 100+ Supported Log Sources Out-of-the-Box
Source categories: Access Management; Anti-X/Endpoint Protection; Business Management/Enablement; Certificate Management; Compliance Management; Content Management; Databases; Data Center Management; Data Loss Prevention; Data Transport Service; Directory; Firewall; Identity Management; Intrusion Detection and Prevention Systems; Log Management; Mail Server; Network Device; Network Management; Network Services and Utilities; Operating Systems; Proxy Server; Secure Application Gateway; Security Management Systems; Security Content Management; Security Management Systems/Antivirus; Service Assurance Manager; Storage Management; Unified Communications; Unified Computing; Virtualization; Web Server/Application Server; Wireless Access Point
Examples by category:
- Web Server/Application Server: Apache Web Server, Microsoft IIS, SunONE Web Server, RedHat JBoss Application Server, Oracle WebLogic Server
- Security Management Systems/Antivirus: McAfee Vulnerability Manager, ISS Internet Scanner, McAfee ePolicy Orchestrator, Microsoft Forefront Security for Office Communications Server, Microsoft Forefront for SharePoint Server, Microsoft Office SharePoint Server, Trend Micro Control Manager, IBM Proventia Management SiteProtector, Microsoft Operations Manager, Cisco Security Agent
- Virtualization: VMware ESX Server, VMware ESXi, MS Hyper-V, Microsoft System Center Virtual Machine Manager, VMware vCenter Server, Citrix XenApp, Citrix XenServer
Check the ELM Certification Matrix for the most current list: https://support.ca.com/irj/portal/anonymous/phpdocs?filepath=0/8238/8238_certmatrix.html
ELM 12.5: What's New?
Note: ELM 12.5 went GA in Dec 10

CA ELM 12.5 Key Features
Marquee use cases: Log Correlation, Incident Tracking
- Customer need: detect risky behavior and suspicious actions through complex patterns of IT activity logs in near real time.
- Features:
  - Advanced pattern-matching log correlation engine
  - 200+ unique, out-of-box correlation rules
  - Intuitive log correlation rule interface to customize existing rules or define new rules
  - Enhanced incident management interface with help desk and event management integration
Minor features:
- Data Integrity & Tamper Detection (new feature): digitally sign event logs for tamper-proofing; tamper detection finds changes made to logs
- Hierarchical Tagging of Reports & Queries (enhancement): arrange reports hierarchically so that control objectives are grouped within their respective regulation, with reports mapped to those objectives

Log Correlation Overview
- Supported rule templates: Simple Rule, Counting Rule, State Transition Rule
- Correlation content: 200+ correlation rules supporting needs around Compliance, Threat Management and Infrastructure Management
- Easy to create new rules or modify existing ones
- Rule test
- Out-of-the-box correlation content

Log Correlation: Sample Correlation Use Cases
- Failed Logins: multiple failed logins from the same user account (or identity) to any host or application, followed by a successful login to that host or application within a specified time period
- Failed Resource Access: multiple failed resource access attempts from the same user account (or identity) on any set of resources within a specified time period
- Privilege Escalation & Misuse: a user account (or identity) was first added to a privileged group, and then that same user account (or identity) experienced a failed login attempt within a specified time period
- SoD (segregation of duties): the user account (or identity) that submitted a certain purchase order was also the one that approved that same purchase order
- Rogue Users: a user account was created on an identity-managed system but outside of the IAM (user provisioning) framework. This is detected by failing to correlate the account creation log generated by the managed system with the account creation log on the user provisioning system.
- Network Security: multiple dropped firewall events from the same source IP address to any destination IP address occurred within a specified time period, followed by an accept by the firewall
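Added example, not CA ELM's correlation engine: one generic state-transition rule in Python that covers two of the patterns above, "failed logins followed by a success" and "privileged group addition followed by a failed login", run over constructed, already-normalized events. Field names, thresholds and windows are assumptions.

```python
# Added example (not CA ELM's engine): one generic state-transition rule that
# covers the "failed logins then success" and "privileged group add then
# failed login" use cases. Events are constructed and already normalized.
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample events; field names are assumptions
    {"ts": "2010-12-01T09:00:05", "user": "jdoe", "host": "db01", "action": "login", "result": "failure"},
    {"ts": "2010-12-01T09:00:12", "user": "jdoe", "host": "db01", "action": "login", "result": "failure"},
    {"ts": "2010-12-01T09:00:20", "user": "jdoe", "host": "db01", "action": "login", "result": "failure"},
    {"ts": "2010-12-01T09:01:02", "user": "jdoe", "host": "db01", "action": "login", "result": "success"},
    {"ts": "2010-12-01T09:05:00", "user": "asmith", "host": "web01", "action": "login", "result": "failure"},
    {"ts": "2010-12-01T11:00:00", "user": "asmith", "host": "web01", "action": "login", "result": "success"},
    {"ts": "2010-12-01T12:00:00", "user": "bob", "host": "dc01", "action": "group_add", "result": "success"},
    {"ts": "2010-12-01T12:03:00", "user": "bob", "host": "fs01", "action": "login", "result": "failure"},
]

def ts(event):
    return datetime.fromisoformat(event["ts"])

def sequence_rule(events, key, stage1, min_count, stage2, window):
    """Alert when >= min_count stage1 events for one key are followed by a stage2
    event for the same key inside `window`. Returns (key, stage2 time, stage1 count)."""
    pending = defaultdict(list)   # key -> timestamps of unexpired stage1 events
    alerts = []
    for e in sorted(events, key=ts):
        k, now = key(e), ts(e)
        pending[k] = [t for t in pending[k] if now - t <= window]  # expire old ones
        if stage1(e):
            pending[k].append(now)
        elif stage2(e) and len(pending[k]) >= min_count:
            alerts.append((k, now.isoformat(), len(pending[k])))
            pending[k].clear()    # one alert per completed sequence
    return alerts

def failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    # Same account on the same host: N failed logins, then a successful one.
    return sequence_rule(events, key=lambda e: (e["user"], e["host"]),
                         stage1=lambda e: e["action"] == "login" and e["result"] == "failure",
                         min_count=min_failures,
                         stage2=lambda e: e["action"] == "login" and e["result"] == "success",
                         window=window)

def priv_add_then_failed_login(events, window=timedelta(minutes=10)):
    # Same account on any host: added to a privileged group, then a failed login.
    return sequence_rule(events, key=lambda e: e["user"],
                         stage1=lambda e: e["action"] == "group_add" and e["result"] == "success",
                         min_count=1,
                         stage2=lambda e: e["action"] == "login" and e["result"] == "failure",
                         window=window)
```

Only jdoe and bob trigger: asmith's single failure both falls below the count threshold and expires before the later success.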
Incident Tracking Overview
Incident Management:
- Incident notification templates
- Easy to update & merge incidents
Incident Notification Methods:
- Create help desk tickets
- Send email
- Generate SNMP traps (v2 & v3)
- Execute business process
Incident Dashboard:
- Out-of-the-box dashboards
- Easy to customize
- See incident history
- Priority, status, description and remediation can be changed and saved

Incident Tracking
- Standard controls to view/edit incident details
- View a list of all incidents; update/merge/close incidents
- View a list of events related to a given incident

Data Integrity Overview
Digital Signature: digitally sign log data using the industry-standard SHA-256 hash algorithm.
Tamper Detection: detect tampering with log data by validating event log databases to prove that no tampering has occurred. ELM 12.5 supports the following methods to validate archives:
- Validate Now: an on-demand method that lets a user run a validation test on log data on a given ELM server node in the federation
- Scheduled job: a job that runs periodically to check for tampering of log data and notifies the user if tampering is detected
- Log Archive Import: validate log data integrity when log archives are imported onto an ELM Server from an external storage system or another ELM Server
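Added example, not the product's implementation: sealing a batch of event records with a SHA-256 hash chain and re-validating it in Python, which is the kind of check the Validate Now, scheduled and archive-import methods above perform. An HMAC-SHA256 tag over the chain head stands in for a real digital signature; the key and the records are constructed.

```python
# Added example (not ELM's implementation): seal a batch of event records with a
# SHA-256 hash chain and an HMAC-SHA256 tag over the chain head, then validate.
import hashlib
import hmac
import json

EVENTS = [  # constructed sample records; any JSON-serialisable dict works
    {"ts": "2010-12-01T09:00:05", "user": "jdoe", "host": "db01", "action": "login", "result": "failure"},
    {"ts": "2010-12-01T09:01:02", "user": "jdoe", "host": "db01", "action": "login", "result": "success"},
    {"ts": "2010-12-01T12:00:00", "user": "bob", "host": "dc01", "action": "group_add", "result": "success"},
]
# Assumption: a key held by the log manager, never by whoever stores the archive.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = b"\x00" * 32                 # chain value before the first record

def canonical(event):
    # Stable serialisation so an unchanged record always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def seal(events, key=SIGNING_KEY):
    """Return the per-record chained digests and a keyed tag over the last one."""
    prev, chain = GENESIS, []
    for ev in events:
        prev = hashlib.sha256(prev + canonical(ev)).digest()
        chain.append(prev.hex())
    return {"chain": chain, "tag": hmac.new(key, prev, hashlib.sha256).hexdigest()}

def validate(events, seal_record, key=SIGNING_KEY):
    """Recompute the chain. Returns (ok, index of the first record that fails).
    A bad tag with a consistent chain (index None) means the chain itself was
    rewritten, which only the keyed tag can reveal."""
    prev, chain = GENESIS, seal_record["chain"]
    for i, ev in enumerate(events):
        prev = hashlib.sha256(prev + canonical(ev)).digest()
        if i >= len(chain) or prev.hex() != chain[i]:
            return False, i            # record i (or one before it) was altered
    if len(events) != len(chain):
        return False, len(events)      # trailing records were removed
    expected = hmac.new(key, prev, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal_record["tag"]), None
```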
Compliance Dashboards
ELM provides a high-level activity compliance summary dashboard for PCI, SOX, HIPAA, etc.

Miscellaneous Enhancements
- Hierarchical report tags
- ELM 12.5 provides color-coded dials that can be used in dashboards & reports

Upgrade Strategy
ELM customers can seamlessly upgrade to CA ELM r12.5. The following upgrade paths are supported:
- ELM 12.0 SP3 -> ELM 12.5
- ELM 12.1 -> ELM 12.5
The product upgrade via the subscription service is done directly from the product Web UI, and NO professional service engagement is required. A progress bar shows upgrade progress in real time for each component.

CA Access Control/PUPM Integration
- Overview
- Use case
- Screenshots

Integration Overview
Integration highlights:
- Out-of-the-box content for CA Access Control (62 reports, 211 queries)
- View ELM reports from the AC UI (available in AC r12.5+)
- User session tracking
- Effective user ID monitoring
- High-volume, scalable log collection (5000 events/sec sustained per ELM Server)
Primary method of collection:
- CA Access Control r12 SP1+, via the Tibco log sensor: scalable agentless collection that is easy to configure (it takes 10 min to configure ELM log collection for 100 AC end points)
Backward compatibility to enable AC r8 migration to new AC releases (r12 SP1+):
- CA Access Control r8.0 SP1, r12, via the selogrd log sensor: migrate AC UNIX customers using selogrd/selogrcd for collecting AC logs over to ELM agentlessly
- CA Access Control r8.0 SP1, r12, via the Audit iRecorder: backward compatibility to enable Windows AC end points to send logs to the ELM Server directly

AC-ELM Integration Architecture
[Architecture diagram. Actors: Security Administrator (manage policies, policy reports), IT User (audit reports). Components: CA Access Control Enterprise Manager (privileged account management, access policy deployment, access request, policy reports) and CA Enterprise Log Manager (agent-based and agent-less log collection with an access filtering policy). Log sources: Active Directory, Enterprise LDAP, databases, web servers, routers, switches, storage, app servers, custom applications, virtualization, Linux, Unix, Windows.]

Key Use Cases
Access Control:
- Generate user activity reports mapped to specific compliance requirements
- Report on shared account activity by mapping shared account activity to a specific user
- Report on end-to-end user sessions
- Report on keyboard logs
- Report on and investigate user activity from the AC UI
PUPM (specific):
- Report on user activity performed on a target system between password checkout and check-in
Access Control Reports
Thank you