The objective of this chart is to highlight the two types of security event and information management functions, and to differentiate between them. The function on the left serves the IT Security Operations Center by reporting correlated threats, events and incidents in real time. In large enterprises, a major challenge is finding and focusing on the critical threats and attacks against the infrastructure. Without a robust event reporting engine, managing operational risk is difficult for the following reasons:

- Disparate point products that are widely distributed
- Multi-vendor point products without common formats or communications
- Inadequate time to manually examine critical logs
- No business-relevant context to the data
- No inherent link between attack data and host susceptibility
- Lack of automation

The Security Operations Management product, Tivoli Security Operations Manager (TSOM), offers:

IT Threat Management: Ability to manage security attacks on your networks and server infrastructure by alerting on operational incidents.
Aggregation and Correlation: Ability to establish relationships between abnormal events and report them collectively, with causality.
Real-time Threat and Incident Handling / SOC dashboard: Offers a dashboard that automatically determines an event's source location and plots it geographically with an enhanced set of 3D views and projections. These maps offer detailed coordinate data, and a security analyst can drill down for details.
Operational reports: Provides meaningful reports of historic violations or attacks within the infrastructure.

=====================

The management function on the right serves the audit and management community, managing compliance reporting for periodic audit purposes. The solution serves to answer the typical questions that an auditor may ask, such as:

Breach of privacy: Are DBAs accessing confidential information? Are trusted users abusing HR data? Did a disgruntled administrator engage in identity theft?
Violation of system policies: Were unauthorized system changes made? Did any root users turn off auditing? When did OS administrators clear the audit logs? Who stopped key system processes without permission?
Administrators violating segregation of duties: Did anyone both initiate and approve transactions on applications? Did an admin both create and approve identities or privileges in a system?

The Security Internal Audit management solution offered by Tivoli Compliance Insight Manager (TCIM) provides the following functions:

Log Continuity: All user information and security events (and all logs of any kind) come into the Log Management layer of Consul InSight, where they are collected and stored. You can perform a Google-like search on the depot and retrieve any of the logs. Finally, rich reports on log collection, such as Consul's Log Continuity Report, are available to prove to auditors that you are collecting.
Privileged User Activity Monitoring: Monitors the behavior of people such as privileged and trusted users, outsourcers and consultants.
Policy Evaluation and Enforcement: Translates user logs from multiple sources into a common, normalized format for analysis, and checks the normalized activity for compliance violations against policy modules.
Compliance Dashboard: Answers the questions "what are users doing on my network?" and "are they violating any of my policies?" One Enterprise Audit Dashboard can display all activities on the system.
Historical Analysis: Allows you to look back over past user activities, analyze violations, and provide non-repudiable evidence.
Audit reports and exception alerts: Allows audit activity to be conducted from one tool across the enterprise's servers, networks and databases.
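The normalize-then-evaluate pattern described for both halves of the chart (correlating multi-vendor events on the left, checking normalized user logs against policy modules on the right) can be shown with a small example. This is an added illustration, not TSOM or TCIM code; the two log formats, the host and user names, and the transaction identifiers are constructed, and the two policies implement the audit questions from the text ("did any root users turn off auditing?", "who cleared the audit logs?", "did anyone initiate and approve the same transaction?").

```python
import re
from collections import defaultdict

# Constructed sample lines in two vendor-specific formats (not from any real product):
# a syslog-style OS audit record and a pipe-delimited application transaction record.
SAMPLE_LOGS = [
    "Mar 03 10:01:02 db01 auditd[412]: user=root action=service_stop target=auditd",
    "Mar 03 10:05:10 db01 logger[77]: user=opsadmin action=clear_log target=/var/log/audit/audit.log",
    "2012-03-03T10:07:00Z|APPSRV|txn=PO-4471|user=jdoe|event=INITIATE",
    "2012-03-03T10:09:30Z|APPSRV|txn=PO-4471|user=jdoe|event=APPROVE",
    "2012-03-03T10:12:00Z|APPSRV|txn=PO-4472|user=asmith|event=INITIATE",
    "2012-03-03T10:15:00Z|APPSRV|txn=PO-4472|user=mlee|event=APPROVE",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<kv>.*)$")

def normalize(line):
    """Map either vendor format onto one common event record (ts, source, user, action, object)."""
    m = SYSLOG_RE.match(line)
    if m:
        kv = dict(p.split("=", 1) for p in m.group("kv").split())
        return {"ts": m.group("ts"), "source": m.group("host"), "user": kv["user"],
                "action": kv["action"], "object": kv["target"]}
    ts, host, txn, user, event = line.split("|")
    return {"ts": ts, "source": host, "user": user.split("=", 1)[1],
            "action": event.split("=", 1)[1].lower(), "object": txn.split("=", 1)[1]}

def evaluate(lines):
    """Check normalized events against the two audit policies; return (policy, user, object) tuples."""
    violations = []
    roles = defaultdict(dict)  # transaction id -> {"initiate": user, "approve": user}
    for e in (normalize(l) for l in lines):
        # Policy 1: auditing turned off or audit logs cleared, regardless of who did it.
        if (e["action"] == "service_stop" and e["object"] == "auditd") or \
           (e["action"] == "clear_log" and "audit" in e["object"]):
            violations.append(("audit_tampering", e["user"], e["object"]))
        # Policy 2: segregation of duties, correlated across events of one transaction.
        if e["action"] in ("initiate", "approve"):
            roles[e["object"]][e["action"]] = e["user"]
    for txn, r in roles.items():
        if r.get("initiate") is not None and r["initiate"] == r.get("approve"):
            violations.append(("sod_violation", r["initiate"], txn))
    return violations

if __name__ == "__main__":
    for v in evaluate(SAMPLE_LOGS):
        print(v)
```

On the sample lines this reports the auditd stop by root, the audit log clearing by opsadmin, and jdoe both initiating and approving PO-4471, while PO-4472 (initiated and approved by different users) passes.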
Transcript of "2012 ReEnergize the Americas 3B: Gene Rodriguez"