This presentation covers the integration of SIEM (Security Information and Event Management) and IAM (Identity and Access Management). SIEM provides insight into user activity, but lacks knowledge of access and entitlement policies, so it cannot place security incidents in their context. IAM, by contrast, holds detailed knowledge of access and entitlement policies but offers little insight into what users actually do. A good integration of the two lets SIEM perform proper exception monitoring and lets IAM use observed user behaviour to tighten and enforce access and entitlement policies.
SIEM & IAM
1. Identity & Access Management Congres, Heliview
André van Winssen, 28 May 2013
SIEM & IAM
2. Who am I
• André van Winssen
• 20+ years in IT
• Oracle and Security consultant
• Sometimes too involved in application projects
– but then I don’t mind
3. Company profile
• Active since 1991
• Financially healthy
• 95 employees
• 100+ successful projects
• 1000+ years of combined Oracle and Java experience
• 3 ACE Directors and 2 ACEs on board
• 2 Agile Masters
• Oracle Platinum partner
– Database, BPM
– SOA, OEM
– ADF, WebCenter
4.
• The Changing Enterprise Security Model
• Current IT initiatives
5. SIEM
• SIM - Security Information Management
– Analysis & compliance reporting of log data
– Long term storage of this information
• SEM - Security Event Management
– Real-time analysis, monitoring & notification
– Networks, security-devices, systems, applications, databases
• SIEM - Security Information & Event Management
– Compliance
– Threat Management
– Incident Response
6. SIEM strength
• User activity
• Access monitoring
• Collection of critical log data
• Identification of IS threats & responses
• Broad based monitoring of security events
7. IAM
• Identity & Access Management
• Initiate, capture, record, manage
– User identities
– Access permissions
• IAM Policy describes
– How to Authenticate
– Authorizations
– What to Audit
8. IAM strength
• Access control
– Applications & Data
• Entitlement management
– Fine-grained access to
• Structured/unstructured data, devices & services
• User and role provisioning
– Provision & deprovision
– Role engineering/role mining
• Context based
– Circumstantial factors (time, IP, application)
9. Technology integration
• SIEM consumes IAM data
– For exception monitoring it needs some IAM policy context
• IAM consumes SIEM data
– Adjust access when SIEM detects abuse of privileges
• Security intelligence
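The two integration directions above, as an added example that is not part of the presentation: a SIEM-side exception monitor that evaluates constructed access events against a constructed IAM entitlement policy (application entitlements plus the contextual factors named earlier: time and source IP), and an IAM-side feedback step that flags identities with repeated exceptions for access review. Policy, events and the threshold are all illustrative assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed IAM entitlement policy (assumption, not from the deck):
# per user, the entitled applications plus context constraints.
IAM_POLICY = {
    "alice": {"apps": {"hr-portal", "payroll"}, "hours": (7, 19),
              "networks": ["10.0.0.0/8"]},
    "bob":   {"apps": {"crm"}, "hours": (8, 18),
              "networks": ["10.0.0.0/8", "192.168.1.0/24"]},
}

# Constructed SIEM-style access events: (timestamp, user, source IP, app, action)
EVENTS = [
    ("2013-05-28T09:15:00", "alice", "10.1.2.3", "hr-portal", "read"),
    ("2013-05-28T23:40:00", "alice", "10.1.2.3", "payroll", "export"),  # outside hours
    ("2013-05-28T10:02:00", "bob", "203.0.113.7", "crm", "read"),        # outside network
    ("2013-05-28T10:05:00", "bob", "10.9.9.9", "payroll", "read"),       # not entitled
    ("2013-05-28T10:06:00", "mallory", "10.9.9.9", "crm", "read"),       # unknown identity
]

def check_event(event, policy=IAM_POLICY):
    """Return the list of policy exceptions for one event; empty means compliant."""
    ts, user, src, app, _action = event
    entry = policy.get(user)
    if entry is None:
        return ["unknown-identity"]
    reasons = []
    if app not in entry["apps"]:
        reasons.append("not-entitled")
    start, end = entry["hours"]
    if not start <= datetime.fromisoformat(ts).hour < end:
        reasons.append("outside-hours")
    if not any(ip_address(src) in ip_network(n) for n in entry["networks"]):
        reasons.append("outside-network")
    return reasons

def monitor(events, policy=IAM_POLICY):
    """SIEM side: keep only events that violate the IAM policy context."""
    exceptions = []
    for e in events:
        reasons = check_event(e, policy)
        if reasons:
            exceptions.append((e[1], e[3], reasons))
    return exceptions

def feedback(exceptions, threshold=2):
    """IAM side: identities with repeated exceptions are flagged for access review."""
    counts = {}
    for user, _app, _reasons in exceptions:
        counts[user] = counts.get(user, 0) + 1
    return {u: "review-and-restrict" for u, c in counts.items() if c >= threshold}
```

Running `monitor(EVENTS)` yields four exceptions; `feedback` on that result flags only `bob`, whose two exceptions reach the assumed threshold.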
10. Technology integration
• Self-integrated
– Enterprise Integrated
– Combine best of breed
– a point solution
• Vendor integrated
– Platform approach
– Burden of integration to vendor
– More value for money
11. Oracle
• Where is Oracle in SIEM-IAM integration?
– Ad hoc interfacing IAM audit data with SIEM
• FMW audit framework
• Database auditing
• Oracle API gateway
• Oracle Platform Security Services
• Oracle Database Firewall integration with ArcSight SIEM
• Adaptive Access Management
• Real-time (online) and batch (offline) risk analytics
• Automated behavioral profiler
• Configurable decision engine (usable by non-IT personnel)
• Device fingerprinting