Tivoli Security Information and Event Manager V1.0

Summary

Security information and event management (SIEM) is a primary concern of the CIOs and CISOs in many enterprises. They need to centralize security-relevant events and analyze the consolidated data to obtain valuable security insights for their organizations. IBM offers two complementary SIEM perspectives on the security information in the network:

o A real-time, network event-oriented management dashboard that facilitates attack recognition and incident management
o An information analysis dashboard to assess how well an organization adheres to its security and governance policies

IBM Tivoli Security Information and Event Manager V1.0 is comprised of two products: IBM Tivoli Security Operations Manager V4.1 and IBM Tivoli Compliance Insight Manager V8.5. These products work closely together to help you realize the full promise of enterprise SIEM. You can now centralize log collection and event correlation across your enterprise, and use an advanced compliance dashboard to link security events and user behavior to your corporate policies.

Tivoli Security Information and Event Manager delivers a comprehensive foundation for addressing your SIEM requirements. As a result, IT organizations can lower their exposure to security breaches; collect, analyze, and report on compliance events; and manage the complexity of heterogeneous technologies and infrastructures. This includes support for several hundred applications, host operating systems, security products, network infrastructure components, desktops, and mainframe systems.

Introduction

The Tivoli Security Information and Event Manager (TSIEM) bundle consists of specialized, mature components that handle both security information management (SIM) and security event management (SEM) operations. The package contains two products: Tivoli Security Operations Manager, which handles SEM, and Tivoli Compliance Insight Manager, which handles SIM.
We have packaged these two products into a single offering for convenience and affordability. Customers seek SIEM solutions to address the compliance and operational needs of the enterprise, and they seek a solution that does not compromise their ability to attain these goals.

The SIM component validates access policy, audits access, and reports on compliance status, based mostly on historical data about internal user operations. The SIM component also provides the capability to collect and manage the audit and security logs needed as compliance proof. The SEM components are intended for use in the Security Operations Center (SOC) to continuously track and analyze real-time external threats against IT resources. Reports and dashboards from both of these component solutions are presented to administrators to track the overall SIEM status and health of the IT deployment.

Product Overview

TSIEM technologies allow customers to start with simple deployments focused on log aggregation and basic reporting, and to expand into fully policy-focused user reporting for compliance initiatives with auditor-ready reports, and real-time correlation for incident management and network policy monitoring.

Tivoli Security Information and Event Manager also provides interoperability with other critical IT operations products and Tivoli and IBM platforms, including Netcool Omnibus, IBM ISS Proventia solutions, z/OS, AIX, WebSphere, DB2, iSeries, Lotus Domino, Tivoli Access Manager, Tivoli Identity Manager, and Tivoli Enterprise Console, among others.

Why you bought TSIEM

o Better overall pricing: TSIEM offers you a better-priced way of obtaining both Tivoli Compliance Insight Manager and Tivoli Security Operations Manager, or of upgrading from one product to both products.
o Upgrade path to the IBM SIEM solution: As we develop our product range, the TSIEM offering enables customers to upgrade to other product offerings and options in this range.

What you can do with TSIEM

Security Information Management

Who uses it?

Audit and compliance officers benefit from using Tivoli Compliance Insight Manager because it offers them a reliable, verifiable, and automated approach to monitoring their organization's compliance posture.

What can they do?

They can automate log management and compliance reporting. Tivoli Compliance Insight Manager provides tools to control and monitor the collection of audit logs and audit events from the IT infrastructure in a reliable and verifiable way.

Compliance modules and reporting

Tivoli Compliance Insight Manager provides specific and targeted compliance reporting, enabling the CISO, security officers, and audit officers to easily monitor the organization's compliance.
The compliance modules provide:

o A template set of classifications (a grouping, in Tivoli Compliance Insight Manager terminology) that use the vocabulary of the regulation or standard.
o A template policy that defines the controls to be monitored in terms of the classifications defined in the template.
o A set of reports, defined to show the monitoring of the controls defined in the regulation.

Documentation

Key to compliance and audit reporting is the definition of policy. Tivoli Compliance Insight Manager provides template policies in the compliance modules, and also gives the customer the capability to define policies using the built-in policy definition tools.

Device support

By providing wide support for major pieces of IT infrastructure such as network nodes, operating systems, applications and databases, and z/OS, we can monitor the compliance of these platforms and the overall compliance of the organizations using these infrastructure components.

Security Event Management

Who uses it?

The Security Operations Center is the main consumer and user of SEM capabilities. However, the reports on security risk status and threat health of the IT resources are also essential for Security Officers and CIOs.

What can they do?

The SEM components allow operators to collect, parse, aggregate, filter, categorize, correlate, and analyze real-time security threat data from a wide set of different sources throughout the enterprise. SEM helps operators understand and distill disparate security event data into business-relevant alerts, which can be analyzed from a single location and quickly tracked through to resolution. SEM helps identify weak areas in the security of the IT deployment, and quickly reports on the status of the systems for further use in compliance audits.

Correlation

One main advantage of the SEM solution is the capability to create rules that reflect how the company wants to handle particular security events, depending on geographic location, resource importance, source of the event, network topology, relationship with other events, frequency, and a myriad of other policy combinations. Notifications, alerts, and forwarding of events can also be configured according to these rules.
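The SEM description above (collect, parse, categorize, correlate) and the Correlation section describe a pipeline in general terms. The following is an added illustration written for this page; it is not Tivoli Security Operations Manager code and does not reflect its rule language. It normalizes two constructed log formats (a firewall-style syslog line and a key=value authentication record, both invented here) into one event schema with a small category vocabulary, then applies a frequency rule of the kind the text mentions: raise one alert when a threshold number of events of a given category from the same source fall inside a sliding time window. The category names, field names, thresholds and sample lines are all assumptions.

```python
"""Normalize heterogeneous security logs and run a frequency-based correlation rule.

Added example for the SIEM pipeline described in the text: collect -> parse ->
normalize/categorize -> correlate. Not TSIEM/TSOM code; formats, field names and
thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: two unrelated formats a SEM would have to converge.
# (1) firewall-style syslog lines, (2) key=value authentication records.
SAMPLE_LOGS = [
    "2008-05-01T10:00:01 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22",
    "2008-05-01T10:00:02 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22",
    "2008-05-01T10:00:03 fw01 DENY src=10.0.0.5 dst=192.168.1.11 dport=22",
    "2008-05-01T10:00:04 fw01 ALLOW src=10.0.0.7 dst=192.168.1.10 dport=443",
    "ts=2008-05-01T10:05:00 host=srv02 event=LOGIN_FAILED user=alice src=10.0.0.9",
    "ts=2008-05-01T10:05:10 host=srv02 event=LOGIN_FAILED user=alice src=10.0.0.9",
    "ts=2008-05-01T10:05:20 host=srv02 event=LOGIN_FAILED user=alice src=10.0.0.9",
    "ts=2008-05-01T10:09:00 host=srv02 event=LOGIN_OK user=alice src=10.0.0.9",
    "ts=2008-05-01T10:30:00 host=srv02 event=LOGIN_FAILED user=bob src=10.0.0.9",
]

FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# The normalized category vocabulary every rule is written against (assumed names).
CATEGORY = {
    "DENY": "network.denied",
    "ALLOW": "network.allowed",
    "LOGIN_FAILED": "auth.failure",
    "LOGIN_OK": "auth.success",
}


def normalize(line):
    """Parse one raw line into the common event schema; None if unrecognised."""
    m = FIREWALL_RE.match(line)
    if m:
        d = m.groupdict()
        return {"time": datetime.fromisoformat(d["ts"]), "host": d["host"],
                "category": CATEGORY[d["action"]], "src": d["src"], "user": None}
    kv = dict(KV_RE.findall(line))
    if {"ts", "host", "event", "src"} <= kv.keys() and kv["event"] in CATEGORY:
        return {"time": datetime.fromisoformat(kv["ts"]), "host": kv["host"],
                "category": CATEGORY[kv["event"]], "src": kv["src"],
                "user": kv.get("user")}
    return None


def correlate(events, category, threshold, window):
    """Frequency rule: one alert when `threshold` events of `category` from the
    same source fall inside a sliding `window`; the counter resets per alert."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["category"] != category:
            continue
        times = by_src[ev["src"]]
        times.append(ev["time"])
        # Drop timestamps that have fallen outside the window.
        while times and ev["time"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            alerts.append({"rule": f"{category} x{threshold}", "src": ev["src"],
                           "first": times[0], "last": ev["time"]})
            times.clear()  # one alert per burst, then start counting again
    return alerts


def run_pipeline(lines):
    """Normalize every line, then apply two constructed rules."""
    events = [e for e in (normalize(l) for l in lines) if e]
    alerts = correlate(events, "network.denied", 3, timedelta(seconds=10))
    alerts += correlate(events, "auth.failure", 3, timedelta(minutes=1))
    return events, alerts


if __name__ == "__main__":
    evs, found = run_pipeline(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {len(found)} alerts")
    for a in found:
        print(a)
```

On the constructed input, the three denied connections from 10.0.0.5 within ten seconds produce one network alert, and alice's three failures within a minute produce one authentication alert; bob's single later failure stays below the threshold. Real rule engines add the other dimensions the text lists (resource importance, topology, relationships between events), but the normalization step is what makes any of them writable against a single vocabulary.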
Analysis

After the data is correlated, the operator can get different views of how the security events are affecting the IT resources; for example, by network, by functional group, by detail, and by many other groupings. When interesting vulnerabilities are found, the operator can drill down into the affected resources to troubleshoot the source of the problem using a set of common tools available from a convenient central location. All these operations can be tracked with an internal ticketing system.

Reporting

The end goal is to assess and report on the security health of these IT implementations. The SEM solution offers a customizable set of views and dashboards that give operators an at-a-glance view of the vulnerability status of the resources most relevant to them. Additionally, a large set of preconfigured reports provides executives and administrators with security threat snapshots of the systems, for further use in compliance reporting.

Device support

The main cost reduction achieved by a SEM solution comes from its ability to converge data from disparate resources with different formats and syntax. Manual collection and analysis of this data would quickly prove ineffective and costly. Therefore, being able to collect, parse, normalize, and categorize security event data from over 200 different devices is of great benefit to large organizations.

How to install TSIEM Servers

Because TSIEM bundles two existing products together, the TSIEM package consists of two sets of installation CDs: one set for Tivoli Compliance Insight Manager and another set for Tivoli Security Operations Manager. The products can be installed in any order. Each product requires its own server, and each server must be installed on its own dedicated system. For information on installing each product, see:

o Tivoli Compliance Insight Manager V8.5 Quick Start Guide, located on the Tivoli Compliance Insight Manager V8.5 Quick Start CD
o Tivoli Security Operations Manager V4.1 Quick Start Guide, located on the Tivoli Security Operations Manager V4.1 Quick Start CD

Typical Configuration

[Figure: Typical Configuration. Columns: Event Sources (Applications, Databases, Mainframe, Operating Systems, IDS & IPS, Firewalls); Points of Presence (Collectors, Retrieve Log-files); IBM Tivoli SIEM Install (TCIM, TSOM); Output (Compliance Dashboard, Reports, Operational Dashboard, Third party integration, alerts).]
Integration potential

The integration between event management and information management is attractive. Being able to react in real time, offer an operational dashboard, and ultimately filter information upwards to the compliance dashboard, presenting correlated events from a compliance perspective, gives customers the all-round view they need of their compliance posture.

Integration options

o Sending auditable, correlated events from Tivoli Security Operations Manager to Tivoli Compliance Insight Manager: In this case, Tivoli Security Operations Manager is configured to correlate certain auditable events (such as changes to firewall policy) or denial of service attacks, and to send those events to Tivoli Compliance Insight Manager. Tivoli Compliance Insight Manager then reports on those events in the compliance and audit reports and also keeps the events in the depot for future reporting, investigation, or audit purposes.
o Sending alerts from Tivoli Compliance Insight Manager to Tivoli Security Operations Manager for further action: In this case, Tivoli Compliance Insight Manager is configured to send an alert to Tivoli Security Operations Manager. The contents of the alert are the 7Ws of the event that triggered the alert. Tivoli Security Operations Manager is then configured to raise a ticket so that the alert is recorded and resolved.

For more detailed integration information, see the TSIEM documentation available in the information center for each product:

o Tivoli Security Operations Manager: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.netcool_som.doc/welcome.htm
o Tivoli Compliance Insight Manager: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itcim.doc/welcome.htm

(C) Copyright IBM Corp. 2008. All Rights Reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, AIX, DB2, Domino, iSeries, Lotus, Netcool, Proventia, Tivoli, Tivoli Enterprise Console, WebSphere, and z/OS are trademarks or registered trademarks of International Business Machines in the US and/or other countries. Other company, product, or service names may be trademarks or service marks of others.