Utilizing Novell Compliance Management Platform for Continuous Controls Testing and Monitoring

Compliance used to be a periodic and mostly manual project driven by audit dates and deadlines. But those days are gone. Security threats to IT systems are real and constant. In this session, you will be guided through the architecture of Novell Compliance Management Platform and will learn how to set up continuous compliance for a particular set of IT controls.

Highlights of the session include instructions on how to:
1. Select controls for continuous compliance
2. Set up data collection from IT systems under scrutiny
3. Integrate identity information into collected security data
4. Set up detection mechanisms (correlation rules)
5. Define actions (remediation rules) and reports

Transcript

  • 1. Utilizing Novell® Compliance Management Platform for Continuous Controls Testing and Monitoring
    Mark van Reijn, Technology Specialist, idfocus (mvreijn@idfocus.nl)
  • 2. Agenda
    • Organizational risk management – It's all about balance
    • Information security controls and standards – COSO, CobiT, ISO/IEC 2700x
    • Novell® Compliance Management Platform (CMP) components and architecture
    • Bringing it together in 4 steps – Select controls – Collect data – Set up detection mechanisms – Define actions and reports
    © Novell, Inc. All rights reserved.
  • 3. About the Session
    Level: getting from business babble to tech talk
    • Some affinity with regulations and governance frameworks assumed
    • Familiarity with Novell® Compliance Management Platform products assumed – Especially Novell Sentinel™
    • Technical content (solution pack) is available online
  • 4. Organizational Risk Management
  • 5. Risk Management: What Is It?
    How much risk are you willing (or allowed) to take?
    • Some risk is necessary in order to make a profit – Eliminating all risk is too costly in terms of time and resources
    • Balance between probability and impact
    • Identify acceptable risks versus risks that need to be mitigated
    • Only some critical environments might try to evade all risks – For example, where human life is at stake
  • 6. Risk Management: What Is It? (cont.)
    How can organizations prioritize their risks?
    • Assess the risks and determine their dimensions – Probability between 1-99% – Impact on critical factors such as cost or time (or health)
    • Plot risk dimensions on a chart – The line indicates the boundary of acceptable risks – Develop a response for all others
    [Chart: Probability of Occurrence (Low to High) against Impact of Risk (Low to High); regions labelled Low-level Risk, Medium-level Risk and Critical Risk, with a boundary line separating acceptable risks from those that need a response]
  • 7. Risk Management: When?
    Most organizations have some sort of risk management in place
    • This may be internally or externally imposed – Regulations – Standards framework
    • Often for high financial risks or key projects
  • 8. Information Security Controls and Standards
  • 9. Control Frameworks and Standards
    Many regulations and governance frameworks deal with risk management
    • COSO – Organizational governance – Business ethics – Risk control model – Financial reporting
  • 10. Control Frameworks and Standards
    Only a subset of most frameworks and regulations relate to IT
    • CobiT – Control framework for IT governance – Link business goals to IT goals – Define KPIs from targets
    • ISO/IEC 27002 – Code of practice for information security management
  • 11. Risk Management is often linked to IT Security
    Obligatory quote: "All Security Involves Trade-offs" – Bruce Schneier
  • 12. Steps Towards Control Monitoring
    • Get organized – Understand control objectives – Classify and prioritize systems and applications – Implement an Identity and Access Management program
    • Determine appropriate control levels – Reasonable – Enforceable – Auditable
    • Determine control types – Protective – Detective – Corrective
    • Envision integration
  • 13. Novell® Compliance Management Platform (NCMP) Components and Architecture
  • 14. Automation and Validation Supporting Governance, Risk Management, and Compliance
    Identity and Access Management:
    • Roles, rules, workflows, and approval processes
    • Identity integration and life-cycle management
    • Authorization and access
    • ESSO
    Security Information and Event Management:
    • Audit and reporting
    • Activity monitoring
    • Event correlation
    • Validation and remediation
  • 15. Compliance Management Platform
    Security, Access and Provisioning Challenges: Secure Web Access – User Provisioning Challenges – Security Information Management
  • 16. Compliance Management Platform – Modular Product Set
    Tightly integrated compliance and governance solutions: Novell® Access Manager – Novell® Identity Manager Solutions – Novell Sentinel™
  • 17. Novell Sentinel™
    Replace manual processes with automated IT controls, monitoring and reporting
    [Diagram: logs from network infrastructure, databases, security devices, applications, workstations and servers flow into Sentinel, together with identity data from Novell Identity Manager; Sentinel then reports, monitors and remediates]
  • 18. What is Novell Sentinel™ Anyway?
    Sentinel is a system for Security Information and Event Management
    • Sentinel gathers security events, and then normalizes, displays, correlates, stores and reports on them to support both manual and automated security and business process management.
    • Sentinel attempts to turn data into actionable information via normalization, graphical displays, addition of business relevance information, and correlation.
  • 19. Sentinel™ Process Summary: Collect ➔ Normalize ➔ Monitor ➔ Respond ➔ Report
  • 20. Novell Sentinel™ Components
    • Collector managers and collectors
    • Correlation engine
    • Sentinel control center
    • Active views dashboards
    • iTRAC incident remediation system
    • Data repository
    • iSCALE message bus
  • 21.–25. Novell Sentinel™ Architecture (one diagram, built up over five slides)
    Data processing: Sentinel Control Center – Correlation – Remediation workflow – Repository
    Communication channel: publish/subscribe channels (the message bus listed on slide 20)
    Data collection: Collector Managers running Collectors, which parse and normalize events, add taxonomy and business relevance, and perform exploit detection
    Event sources – Security perimeter: VPN, Firewall, Antivirus, Host IDS, Network IDS
    Event sources – Referential IT sources: Asset Mgmt, Patch Mgmt, Vulnerability Mgmt, Identity Mgmt
    Event sources – Operating systems: Workstations, Laptops, Servers, Mainframe, Domain Controller
    Event sources – Application events: Business Apps, RDBMS, Custom Events
  • 26. Bringing It Together
  • 27. Four Steps Towards Control Automation
    1. Select the desired controls to monitor – Largely dependent on regulations and risk management
    2. Identify and collect the needed information – Security logs, identity information
    3. Identify and implement detection mechanisms – Typically, correlation rules in Sentinel
    4. Define actions and reports – Without some form of incident management or mitigation the previous steps are useless
  • 28. 1. Select Controls
    Common threats
    • Non-person accounts (typically unmanaged) – Standard accounts – Privileged users* – Service accounts
    • Contingency workers, temp workers
    • Misconfiguration
    • Data exposure
  • 29. 2. Identify and Collect Information
    • Depending on the control or regulation, systems may or may not be in scope – Classic example: financial systems are in scope for SOX – The list of systems will follow from the selected controls
    • Collecting event data is not enough – Need business relevance and context
    • Sentinel will enrich events with external information – Asset data – Identity data – Other business information
  • 30. Normalization and Context
    PIX Firewall – standard syslog format:
    9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) from 20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK on interface outside
    Dragon IDS – data items separated by pipes:
    2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|10.10.10.241|1031|I|---AP---|6| tcp,sp=11711,dp=1031,flags=---AP---|
    Both lines are mapped onto one normalized record with the columns Product Name, Event Name, SIP, SP, DIP, DP, plus the context columns Location and Dept filled from asset data (the slide's table shows Atlanta / Finance for one row and Chicago / IS for the other).
  • 31. Taxonomy
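The two raw lines on slide 30 come in unrelated formats, and the point of a collector is to turn both into the same schema before any rule sees them. The following is an added example, not Novell's collector code and not from the solution pack the speaker mentions: it parses the PIX syslog line and the Dragon pipe-delimited line from the slide into one record shape, attaches an assumed taxonomy label, and enriches the record with location and department from a constructed asset table. The Dragon field layout, the taxonomy names and the asset table are assumptions; the two input lines are copied from the slide.

```python
import re

# Sample events copied from the two formats shown on slide 30.
PIX_LINE = ("9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) "
            "from 20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK on interface outside")
DRAGON_LINE = ("2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|10.10.10.241|1031"
               "|I|---AP---|6| tcp,sp=11711,dp=1031,flags=---AP---|")

# Constructed asset table standing in for Sentinel's asset/business-relevance data;
# the Location/Dept values match the example rows on the slide.
ASSETS = {
    "10.10.10.10": {"location": "Atlanta", "dept": "Finance"},
    "10.10.10.241": {"location": "Chicago", "dept": "IS"},
}

# Assumed taxonomy labels (the deck's taxonomy slide is image-only).
TAXONOMY = {"Deny": "Firewall.Deny", "dragonserver": "IDS.Alert"}

PIX_RE = re.compile(
    r"^(?P<ts>.+?), (?P<reporter>\S+) %PIX-(?P<sev>\d)-(?P<msgid>\d+): "
    r"(?P<action>\w+) (?P<proto>\w+) .*?from (?P<sip>[\d.]+)/(?P<sp>\d+) "
    r"to (?P<dip>[\d.]+)/(?P<dp>\d+)"
)

def parse_pix(line):
    """Parse a PIX syslog line into the common schema; None if it does not match."""
    m = PIX_RE.match(line)
    if not m:
        return None
    return {
        "product": "Cisco PIX",
        "event_name": f"{m['action']} {m['proto']}",
        "sip": m["sip"], "sp": int(m["sp"]),
        "dip": m["dip"], "dp": int(m["dp"]),
        "proto": m["proto"].lower(),
        "reporter": m["reporter"],
        "taxonomy": TAXONOMY.get(m["action"], "Firewall.Unknown"),
    }

def parse_dragon(line):
    """Parse a pipe-delimited Dragon IDS line; field layout is assumed from the sample."""
    f = line.split("|")
    if len(f) < 11:
        return None
    # Assumed positions: ts|sensor|event|sip|sp|dip|dp|direction|flags|ipproto|details
    proto = "tcp" if f[9] == "6" else ("udp" if f[9] == "17" else f[9])
    return {
        "product": "Dragon IDS",
        "event_name": f[2],
        "sip": f[3], "sp": int(f[4]),
        "dip": f[5], "dp": int(f[6]),
        "proto": proto,
        "reporter": f[1],
        "taxonomy": TAXONOMY.get(f[2], "IDS.Unknown"),
    }

def enrich(event, assets=ASSETS):
    """Add business context (location, department) looked up by destination IP."""
    ctx = assets.get(event["dip"], {"location": "unknown", "dept": "unknown"})
    return {**event, **ctx}

def normalize(line):
    """Dispatch on format, then enrich; None for lines no collector understands."""
    parsed = parse_pix(line) if "%PIX-" in line else parse_dragon(line) if "|" in line else None
    return enrich(parsed) if parsed else None

if __name__ == "__main__":
    for raw in (PIX_LINE, DRAGON_LINE, "garbage that no collector understands"):
        print(normalize(raw))
```

Ports are converted to integers and the protocol is lower-cased during parsing rather than in the rules, so a rule written against `dp == 1031` works whichever product produced the event; that is the whole value of normalizing before correlating.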
  • 32. 3. Detection Mechanisms
    • Violation of policy and/or suspicious activity should be detected
    • Correlate normalized events
    • For example, check account names for authentication events against a blacklist
    • These rules are the true implementation of corporate policy (business rules)
  • 33. 4. Define Actions and Reports
    • When violations are detected, actions or incidents may be triggered
    • Actions can be fully automated – Novell Sentinel™ triggers account disable in Identity Manager®
    • Actions may require manual intervention – Sentinel triggers workflow in Identity Manager which asks for a human decision
    • Incidents ensure registration of the event and the subsequent handling process
    • Reports can include violations, incident management data or overviews of regular critical events
  • 34. Novell Sentinel™ Compliance Management Platform Actions
    • LDAP Remediation – Provides a method to update the Identity Vault through correlation/remediation > Not limited to the Novell® Identity Vault – can update any LDAP directory
    • SOAP Remediation – Provides a method to update the Identity Vault through correlation/remediation > Not limited to the Novell Identity Vault – can update any SOAP end-point
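Slides 32 to 34 describe the detection and action side: correlation rules over normalized events (the blacklist check is the example given), an automated account disable pushed out over LDAP, and a workflow or incident where a human has to decide. The block below is an added example, written for this page and not Sentinel's correlation engine or its LDAP remediation action. It runs three rules over a constructed stream of already-normalized authentication events: a blacklist match that produces the LDIF an LDAP remediation would send, an interactive logon by a service account (the unmanaged non-person accounts of slide 28) that is routed to a workflow, and a sliding-window count of failed logons that opens an incident. The blacklist, the service-account list, the base DN and the `loginDisabled` attribute (the eDirectory name; other directories differ) are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy data standing in for the blacklist on slide 32 and for an
# inventory of non-person accounts (slide 28 lists them as a common threat).
BLACKLIST = {"guest", "oldadmin"}
SERVICE_ACCOUNTS = {"backup_svc"}
BASE_DN = "ou=users,o=example"        # assumed directory layout

@dataclass
class Action:
    kind: str      # "disable" (automated), "workflow" (human decision) or "incident"
    target: str    # account name
    detail: str    # LDIF for automated actions, free text otherwise

def ldif_disable(account):
    """LDIF modify an LDAP remediation would send to disable the account.
    loginDisabled is the eDirectory attribute name (assumed here); adjust for
    other directories."""
    return (f"dn: cn={account},{BASE_DN}\n"
            "changetype: modify\n"
            "replace: loginDisabled\n"
            "loginDisabled: TRUE\n")

def rule_blacklisted(ev, state):
    """Any authentication event for a blacklisted account: automated disable."""
    if ev["account"] in BLACKLIST:
        return Action("disable", ev["account"], ldif_disable(ev["account"]))

def rule_service_interactive(ev, state):
    """Service account used for an interactive logon: needs a human decision."""
    if (ev["account"] in SERVICE_ACCOUNTS and ev["session"] == "interactive"
            and ev["taxonomy"].endswith("Success")):
        return Action("workflow", ev["account"],
                      f"interactive logon by service account from {ev['src']}")

def rule_failed_logins(ev, state, threshold=5, window=60):
    """Sliding window: `threshold` failures for one account within `window` seconds."""
    if not ev["taxonomy"].endswith("Failure"):
        return None
    q = state[ev["account"]]
    q.append(ev["ts"])
    while q and ev["ts"] - q[0] > window:
        q.popleft()
    if len(q) >= threshold:
        q.clear()                      # fire once per burst, not once per extra failure
        return Action("incident", ev["account"],
                      f"{threshold} failed logons within {window}s")

RULES = (rule_blacklisted, rule_service_interactive, rule_failed_logins)

def run_rules(events):
    """Evaluate every rule over the event stream in order; returns the fired actions."""
    state = defaultdict(deque)
    actions = []
    for ev in events:
        for rule in RULES:
            act = rule(ev, state)
            if act:
                actions.append(act)
    return actions

# Constructed, already-normalized authentication events (ts in seconds).
SAMPLE_EVENTS = [
    {"ts": 1000, "taxonomy": "Authentication.Login.Failure", "account": "guest",
     "src": "10.1.1.5", "session": "interactive"},
    {"ts": 1001, "taxonomy": "Authentication.Login.Success", "account": "backup_svc",
     "src": "10.1.1.7", "session": "interactive"},
] + [
    {"ts": 1010 + i, "taxonomy": "Authentication.Login.Failure", "account": "jdoe",
     "src": "10.1.1.9", "session": "interactive"} for i in range(5)
] + [
    {"ts": 1200, "taxonomy": "Authentication.Login.Success", "account": "jdoe",
     "src": "10.1.1.9", "session": "interactive"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a.kind, a.target, "->", a.detail.strip().replace("\n", "; "))
```

Each rule returns an Action rather than performing it, which is the separation the deck draws between detection (slide 32) and actions (slides 33 and 34): the same rule output can be bound to a fully automated LDAP write, to a workflow that waits for a person, or just to an incident record, without touching the detection logic.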
  • 35. iTRAC Incident Management
    [Workflow diagram] Stage 1: Assign a user or role to the activity (nodes: Start, Assign User, Check User Assignments, Confirm Assignment, Accept). Stage 2: Perform data collection (nodes: Start Incident Data Collection, Confirm Start, Data Collection, Confirm Data Collection, Verify Incident Data, End). Legend: manual activity / automatic activity.
  • 36. Report Types: High Level – Detailed – Trends
  • 37. Reporting – Data Categories
    Data access – Network access – Authentication – Authorization – User/group management – Password management – Patch management – Scanning activity (AV / VA) – Data integrity (transport) – VPN, etc.
  • 38. Summary
  • 39. Getting to Compliance Automation
    • Get organized on compliance
    • Determine appropriate control levels
    • Determine control types
    • Envision integration
    • Follow the four-step implementation of monitoring: 1. Select the desired controls to monitor 2. Identify and collect the needed information 3. Identify and implement detection mechanisms 4. Define actions and reports
  • 40. Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.