SIEM an integrated approach to Security and Compliance Management


    SIEM an integrated approach to Security and Compliance Management - Presentation Transcript

    1. SIEM, an integrated approach to Security and Compliance Management (Debashish Jyotiprakash, Systems Engineer - APAC)
      • COBIT
        • DS5.5 Security Testing, Surveillance and Monitoring
      • PCI DSS
        • Requirement 10 Track and monitor all access to network resources and cardholder data
      • ISO 17799:2005
        • 10.10.2 Monitoring system use
      • AS/ANZ ISO/IEC 17799:2001
        • 9.7 Monitoring system access and use
      • HIPAA Security Rule
        • 164.308(a)(1) Information System Activity Review
      • CMS Acceptable Risk Safeguards
        • AU-6 Audit Monitoring, Analysis, and Reporting
      • FISMA / NIST SP800-53
        • AU-6 Audit Monitoring, Analysis, and Reporting
      • ACSI 33 (Australian Government)
        • 3.7 Audit Analysis
      Compliance Is King: the common requirement across these mandates is user and access monitoring.
    2. Corporate Data Must Be Protected: New Threat Vectors Expose Blind Spots in Network SIEM
      • (Diagram: SAN, internal web server, application servers, database servers, software load balancing, DMZ web servers, FTP drop, public DNS server, trusted network, wireless; actors shown are internet users, trusted business partners, employees (inside) and organized crime; the "traditional vector" is the network perimeter.)
      • New threat vectors create a porous perimeter, inhibiting traditional SIEM approaches focused on network devices.
      • Network-focused SIEM provides limited visibility of host platforms and applications.
    3. Security and Compliance Management Solution Overview
      • (Diagram: a maturity path from Security Point Products through Security Management (SIEM) to Governance & Business Alignment; capabilities shown are Configuration Assessment, Delegated Administration, Exception Management, Delta Reporting, Entitlement Reporting, Log Management, Privileged User Monitoring and Change Detection, grouped under Control and Audit System Configurations, Monitor and Manage User Activity, and Manage and Enforce Change Controls. Axes: Organizational Focus (Secure / Comply / Operationalize) and Process Maturity (Reactive / Managed / Automated).)
      • Security Point Products (Secure | Reactive)
        • Provide the foundation for security and compliance
        • Increase in complexity and management needs
      • Security Management Tools (Comply | Managed)
        • Help prove compliance through reporting
        • Improve decision-making with metrics
        • Reduce point product complexity through event data integration (real-time and historical)
      • Security Process Automation (Operationalize | Automated)
        • Integrates management tools / operational silos
        • Streamlines security and compliance processes
        • Allows security to leverage IT operations
      • Governance & Business Alignment
        • Security delivered as a service
        • Leverages IT service management
        • Most cost effective model / approach
    4. Security and Compliance Management Customer Analysis (Goals, Challenges and Our Approach for each of Audit, Monitor and Control)
      • Audit: Control and Audit System Configuration
        • Goals: Harden systems through secure configuration; Understand the security and risk posture; Satisfy compliance mandates
        • Challenges: Distributed, multi-vendor environments; Business alignment and policy exceptions; Configuration drift; Evolving best practices and vulnerabilities
        • Our Approach: NetIQ Solution
      • Monitor: Monitor and Manage User Activity
        • Goals: Reduce risks of privileged user access; Protect sensitive corporate data; Quickly resolve threats; Satisfy compliance mandates
        • Challenges: Invisibility of privileged user activity; Large volume of user-generated events; Excessive privileged access rights; Lack of integration
        • Our Approach: NetIQ Solution
      • Control: Manage and Enforce Change Control
        • Goals: Manage planned and unplanned changes to production systems; Proactively apply security when making changes; Satisfy compliance mandates
        • Challenges: Impractical or ineffective change auditing; Restricting permissions without impeding service delivery; Inability to relate changes to change authorizations
        • Our Approach: NetIQ Solution
    5. Control and Audit System Configuration: at-a-glance view of your compliance posture, with critical information organized by relevance
      • Risk by Platform: Quickly identify risk by platform and platform type.
      • Risk by Group: Quickly identify risk by business-defined functional groups. Focus on the most business-critical servers first during remediation.
      • Ranked risk by System: Quickly identify the least compliant systems.
      • Ranked risk by Issue: Quickly identify the most common compliance issues.
    6. Monitor and Manage User Activity: at-a-glance view of real-time events and incidents
      • Dashboard view: Instantly identify areas of concern and focus on possible attacks.
    7. Monitor and Manage User Activity: real-time monitoring of critical systems for suspicious activity
      • Trending: Identify trends by viewing activity over time to help identify emerging attacks or risks.
    8. Monitor and Manage User Activity: real-time monitoring of changes to critical information and privileged accounts
      • Consolidated logging of events: Ability to consolidate logs from operating systems, applications and network devices.
      • Detailed change logging: Quickly see the "what, when and by whom" for critical changes. Dramatically reduce the risk of insider attack, a key area of concern for enterprises.
    9. Cost of Quality Service
    10. Introducing NetIQ® Aegis™, the Control & Automation Platform for IT Processes
      • NetIQ Aegis is a software platform that models, automates, measures and improves run books and ITIL-based processes, bringing control and automation to IT Operations.
      • (Diagram: ITIL Process (macro) and Run Books (micro) in a Model / Automate / Measure / Improve cycle.)
    11. Respond to attacks and integrate remediation and analysis (actors: Security Manager, Secure Configuration Manager, Ticketing System, Stakeholder, Security Team)
      • Step 1: NetIQ Security Manager detects an attack on a host system.
      • Step 2: The alert triggers a NetIQ Aegis workflow to alert the necessary security and business stakeholders.
      • Step 3: NetIQ Aegis gathers configuration information via Secure Configuration Manager and correlated events, and opens a ticket for the event.
      • Step 4: NetIQ Secure Configuration Manager runs an analysis on the system for known vulnerabilities.
      • Step 5: NetIQ Aegis documents the event and vulnerability analysis as part of the Security Manager event record.
      • Step 6: If no response is received from the security team within a defined time, NetIQ Aegis escalates to a higher level of management.
      • Step 7: NetIQ Aegis checks that the remediation ticket is closed within a defined period of time; if not, it escalates.
      • Per-step savings shown on the diagram: 20, 45, 10, 5, 5 and 10 minutes. Total Time Saved: 95 Minutes.
    12. Respond to configuration changes and ensure protection of critical hosts (actors: Administration, Stakeholder, Secure Configuration Manager, Security Manager, Ticketing System)
      • Step 1: Configuration Assessment detects a change.
      • Step 2: NetIQ Aegis queries the ticketing system to see if the change was planned and authorized.
      • Step 3: NetIQ Aegis queries NetIQ Secure Configuration Manager for a list of user entitlements.
      • Step 4: Business stakeholders and the admin team are notified.
      • Step 5: Stakeholders choose a remediation and NetIQ Aegis creates a change ticket.
      • Step 6: NetIQ Aegis elevates the priority of the system in both NetIQ Secure Configuration Manager and NetIQ Security Manager.
      • Step 7: NetIQ Aegis has NetIQ Secure Configuration Manager perform a vulnerability scan.
      • Step 8: The Remedy ticket is closed and NetIQ Aegis has NetIQ Secure Configuration Manager conduct a final scan to confirm remediation.
      • Step 9: Optionally increase the frequency of scans on that system in the future.
      • Per-step savings shown on the diagram: 15, 15, 15, 20, 25, 15, 5 and 15 minutes. Total Time Saved (as stated on the slide): 120 Minutes.
    13. Monitor privileged-user activity and identify suspicious behavior (actors: Privileged User, Security Manager, Ticketing System, Administrator, Secure Configuration Manager)
      • Step 1: A privileged user makes a change to a critical component, such as adding a share to a sensitive file server.
      • Step 2: NetIQ Security Manager detects the change and initiates a workflow through NetIQ Aegis to check the ticketing system for authorization of the change.
      • Step 3: NetIQ Aegis sends an email to the administrator to alert them of the change, with supporting details.
      • Step 4: The administrator and, optionally, the business asset owner review the change and decide whether to allow or remediate it.
      • Step 5: The change is rejected and a ticket is raised to remediate it.
      • Step 6: NetIQ Aegis runs an optional configuration check from NetIQ Secure Configuration Manager on every system that the user has access to.
      • Per-step savings shown on the diagram: 45, 15, 15 and 10 minutes. Total Time Saved: 85 Minutes.
    14. Repetitive Process Automation Driving Security IT Efficiencies
      • (Diagram: IT Process Automation at the centre, connected over an Enterprise Bus to Helpdesk Systems, Monitoring Systems, Messaging, Provisioning, People, Business Processes, SLAs, Reports and IT Events. Managed Technologies: VoIP and IP Telephony, Network Infrastructure, Security Systems, Active Directory, Databases & Applications, Services & Hardware, Custom Applications, Servers & Desktops, Virtualization Technology. Domains served: Compliance, Security, Administration, Operations.)
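The change-authorization and escalation workflows of slides 11 to 13 can be expressed as a small correlation routine: take the "what, when and by whom" of a consolidated change log (slide 8), look the change up against the ticketing system to see whether it fell inside an approved change window, reject and raise a remediation ticket when it did not, and escalate remediation tickets that stay open past the defined period. The code below is an added illustration written for this transcript, not NetIQ Aegis, Security Manager or Secure Configuration Manager code; the log line layout, the `TicketingSystem` stand-in, the ticket fields and the sample data are all constructed assumptions.

```python
"""Change-authorization correlation and SLA escalation (illustrative, not product code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed consolidated-log layout: "<ISO time> host=<h> user=<u> change=\"<what>\""
LINE_RE = re.compile(r'^(?P<when>\S+) host=(?P<host>\S+) user=(?P<who>\S+) change="(?P<what>[^"]*)"$')

@dataclass
class ChangeEvent:
    when: datetime   # when the change happened
    who: str         # privileged user who made it
    host: str        # system it was made on
    what: str        # what was changed

@dataclass
class Ticket:
    ticket_id: str
    host: str
    kind: str        # "change" = authorization record, "remediation" = raised on rejection
    opened: datetime
    window_start: Optional[datetime] = None   # approved change window (change tickets only)
    window_end: Optional[datetime] = None
    closed: Optional[datetime] = None

class TicketingSystem:
    """Constructed stand-in for the slide's ticketing system (no real product API)."""
    def __init__(self):
        self.tickets: list = []
        self._next = 1

    def find_authorization(self, ev: ChangeEvent) -> Optional[Ticket]:
        """Slide 12 step 2 / slide 13 step 2: was this change planned and authorized?"""
        for t in self.tickets:
            if t.kind == "change" and t.host == ev.host and t.window_start <= ev.when <= t.window_end:
                return t
        return None

    def open_remediation(self, ev: ChangeEvent) -> Ticket:
        """Slide 13 step 5: raise a ticket to remediate a rejected change."""
        t = Ticket(f"REM-{self._next}", ev.host, "remediation", ev.when)
        self._next += 1
        self.tickets.append(t)
        return t

def parse_change_line(line: str) -> ChangeEvent:
    """Normalise one consolidated log line into the what/when/who record."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised change line: {line!r}")
    return ChangeEvent(datetime.fromisoformat(m["when"]), m["who"], m["host"], m["what"])

def review_change(ev: ChangeEvent, tickets: TicketingSystem) -> dict:
    """Allow a change covered by an approved window; otherwise reject it and open remediation."""
    auth = tickets.find_authorization(ev)
    if auth is not None:
        return {"decision": "allowed", "host": ev.host, "who": ev.who, "authorized_by": auth.ticket_id}
    rem = tickets.open_remediation(ev)
    return {"decision": "rejected", "host": ev.host, "who": ev.who, "remediation": rem.ticket_id}

def escalations_due(tickets: TicketingSystem, now: datetime, sla: timedelta) -> list:
    """Slide 11 step 7: remediation tickets still open past the defined period are escalated."""
    return [t.ticket_id for t in tickets.tickets
            if t.kind == "remediation" and t.closed is None and now - t.opened > sla]

def demo():
    """Run the workflow over constructed sample data; returns (decisions, tickets to escalate)."""
    ts = TicketingSystem()
    base = datetime(2009, 6, 1, 9, 0)
    # Approved two-hour change window on fileserver01 starting at 09:00 (constructed)
    ts.tickets.append(Ticket("CHG-100", "fileserver01", "change", base - timedelta(days=1),
                             window_start=base, window_end=base + timedelta(hours=2)))
    sample_log = [  # constructed log lines, not real data
        '2009-06-01T09:30:00 host=fileserver01 user=svc_admin change="share added: finance"',
        '2009-06-01T12:00:00 host=fileserver01 user=jdoe change="share added: hr"',
    ]
    decisions = [review_change(parse_change_line(l), ts) for l in sample_log]
    overdue = escalations_due(ts, now=base + timedelta(hours=5), sla=timedelta(hours=1))
    return decisions, overdue

if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
    print("escalate:", demo()[1])
```

The first sample change falls inside the approved window and is allowed with a reference to CHG-100; the second lands an hour after the window closed, so it is rejected, REM-1 is opened, and because it is still open two hours later against a one-hour SLA it appears in the escalation list. Each decision carries the host and the user, which is the "what, when and by whom" detail the slides say reviewers need.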

    Debashish Jyotiprakash, 10 months ago

    © All Rights Reserved

    Go to text version

    • Total Views 492
      • 492 on SlideShare
      • 0 from embeds
    • Comments 0
    • Favorites 0
    • Downloads 0
    Most viewed embeds

    more

    All embeds

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?

    Categories