Utilizing Novell Compliance Management Platform for Continuous Controls Testing and Monitoring

Utilizing Novell Compliance ®

Management Platform for
Continuous Controls Testing and Monitoring

Mark van Reijn
Technology Specialist
idfocus/mvreijn@idfocus.nl

Agenda

Organizational risk management
– It's all about balance
Information security controls and standards
– COSO, CobiT, ISO/IEC 2700x
Novell Compliance Management Platform (CMP)
®

components and architecture
Bringing it together in 4 steps
– Select controls
– Collect data
– Setup detection mechanisms
– Define actions and reports
2 © Novell, Inc. All rights reserved.

About the Session Level

Getting from business babble to tech talk
• Some affinity with regulations and governance
frameworks assumed
• Familiarity with Novell Compliance Management
®

Platform Products assumed
– Especially Novell Sentinel ™

• Technical Content (solution pack)
is available online


Organizational Risk Management

Risk Management:
What Is It?

How much risk are you willing (or allowed) to take?
• Some risk is necessary in order to make a profit
– Eliminating all risk is too costly in terms of time and resources

• Balance between probability and impact
• Identify acceptable risks versus risks that need to
be mitigated
• Only some critical environments might try to evade
all risks
– For example, where human life is at stake

Risk Management:
What Is It? (cont.)

How can Organizations prioritize their risks?
• Assess the risks and determine their dimensions
– Probability between 1-99%
– Impact on critical factors such as cost or time (or health)
• Plot risk dimensions on a chart
– The line indicates the boundary High C
rit
i ca

Probability of Occurrence
lR
of acceptable risks M
is
k
ed
– Develop a response for iu
m
-le
vHigh
all others el
R
Lo is
w k
-le
ve
l R
is
k
Low
Low Impact of Risk

Risk Management:
When?

Most Organizations have some sort of Risk
Management in place

• This may be internally or externally imposed

– Regulations

– Standards framework

• Often for high financial risks or key projects


Information Security Controls and Standards

Control Frameworks and Standards

Many regulations and governance frameworks deal
with risk management

• COSO

– Organizational governance

– Business ethics

– Risk control model

– Financial reporting

Control Frameworks and Standards

Only a subset of most frameworks and regulations
relate to IT
• CobiT
– Control framework for IT governance

– Link business goals to IT goals

– Define KPI from targets

• ISO/IEC 27002
– Code of practice for information security management


Risk Management
is often linked to IT Security

Obligatory Quote:

“All Security Involves Trade-offs”
Bruce Schneier


Steps Towards Control Monitoring
• Get organized
– Understand control objectives
– Classify and prioritize systems and applications
– Implement an Identity and Access Management program
• Determine appropriate control levels
– Reasonable
– Enforceable
– Auditable
• Determine control types
– Protective
– Detective
– Corrective
• Envision Integration


Novell Compliance Management Platform (NCMP)
®

Components and Architecture

Automation and Validation
Supporting Governance, Risk Management, and Compliance

Identity and Access Security
Management Information and
Event Management
• Roles, rules, work-
flows, and approval • Audit and reporting
processes
• Activity monitoring
• Identity integration
and life-cycle • Event correlation
management
• Validation and
• Authorization remediation
and access

• ESSO


Compliance Management Platform
Security, Access and Provisioning Challenges

Secure
Web Access

User Provisioning
Challenges

Security Information
Management


Compliance Management Platform
Modular Product Set

Tightly integrated compliance and governance solutions

Novell ®

Access Manager

Novell ®

Identity Manager Solutions

Novell Sentinel
®
™


Novell Sentinel ®
™

Network Infrastructure Logs Logs Databases
Report

Replace manual processes
Logs with automated IT controls, Logs
Security Applications
Devices monitoring and reporting

Monitor Remediate

Workstations Logs Identity
and Servers Data Novell Identity Manager


What is Novell Sentinel Anyway? ®
™

Sentinel is a system for:
Security Information and event management
• Sentinel gathers security events, and then normalizes,
displays, correlates, stores and reports on them to
support both manual and automated security and
business process management.
• Sentinel attempts to turn data into actionable
information via normalization, graphical displays,
addition of business relevance information,
and correlation.


Sentinel Process Summary ™

Collect ➔ Normalize ➔ Monitor ➔ Respond ➔ Report

Novell Sentinel Components
®
™

Collector managers and collectors

Correlation engine

Sentinel control center

Active views dashboards

iTRAC incident remediation system

Data repository

iSCALE message bus


Novell Sentinel Architecture ®
™

Sentinel Remediation
Correlation Control Center Workf-low Repository

Subscribe Channels

Publish
Parse-normalize
Collector Manager Collector Manager taxonomy business
relevance
exploit detection
Collectors Collectors Collectors Collectors
External
Event Sources

VPN
Firewall Asset Mgmt Patch Mgmt Workstations Laptops Business Apps RDBMS

Host IDS

Identity Vulnerability Domain Custom
Antivirus Server Mainframe
Network IDS Mgmt Mgmt Controller Events
Security Perimeter Referential IT Sources Operating Systems Application Events

™


Subscribe Channels

Publish
Parse-normalize
relevance
exploit detection
External
Event Sources

VPN

Host IDS


™


Data Processing
Subscribe Channels

Communication Channel
Publish
Parse-normalize

Data Collection
relevance
exploit detection

External
Event Sources

VPN

Host IDS
Firewall
Event Sources
Asset Mgmt Patch Mgmt Workstations Laptops Business Apps RDBMS


Four Steps Towards Control Automation

1 Select the desired controls to monitor
– Largely dependent on regulations and risk management
2 Identify and collect the needed information
– Security logs, Identity information
3 Identify and implement detection mechanisms
– Typically, correlation rules in Sentinel
4 Define actions and reports
– Without some form of incident management or mitigation the
previous steps are useless


1. Select Controls

Common Threats
• Non-person accounts (typically un-managed)
– Standard accounts

– Privileged users*

– Service accounts

• Contingency workers, temp workers
• Misconfiguration
• Data exposure


2. Identify and Collect Information

• Depending on the control or regulation, systems may or
may not be in scope
– Epic example: financial systems are in scope for Sox
– The list of systems will follow from the selected controls
• Collecting event data is not enough
– Need business relevance and context
• Sentinel will enrich events with external information
– Asset data
– Identity data
– Other business information


Normalization and Context

PIX Firewall – standard syslog format

9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) from
20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK on interface outside

Dragon IDS - Data Items separated by pipes

2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|10.10.10.241|1031|I|---AP---|6|
tcp,sp=11711,dp=1031,flags=---AP---|

Product Event SIP SP DIP DP Location Dept
Name Name

Atlanta Finance

Chicago IS


Taxonomy


3. Detection Mechanisms

• Violation of policy and / or suspicious activity should be
detected

• Correlate normalized events

• For example, check account names for authentication
events against a blacklist

• These rules are the true implementation of corporate
policy (business rules)


4. Define Actions and Reports

• When violations are detected, actions or incidents may
be triggered
• Actions can be fully automated
– Novell Sentinel triggers account disable in Identity Manager
®
™

• Actions may require manual intervention
– Sentinel triggers workflow in Identity Manager which asks for a
human decision
• Incidents ensure registration of the event and the
subsequent handling process
• Reports can include violations, incident management
data or overviews of regular critical events


Novell Sentinel ®
™

Compliance Management Platform Actions

• LDAP Remediation
– Provides a method to update the Identity Vault through
correlation/remediation
> Not limited to Novell Identity Vault – can update any LDAP directory
®

• SOAP Remediation
– Provides a method to update the Identity Vault through
correlation/remediation
> Not limited to Novell Identity Vault, can update any SOAP end-point


ITRAC Incident Management

Stage 1: Assign a user or Stage 2: Perform data
role to the activity collection

Check User Confirm End
Verify Incident Data Collection
Assignments Assignment

Start
Accept Confirm Start
Incident Data Collection
Confirm
Start Com

Assign User Data Collection

Manual activity Automatic activity


Report Types

High Level
Detailed

Trends


Reporting - Data Categories

Data access
Network access
Authentication
Authorization
User/group management
Password management
Patch management
Scanning activity (AV / VA)
Data integrity (transport) – VPN, etc...

Getting to Compliance Automation

• Get organized on compliance
• Determine appropriate control levels
• Determine control types
• Envision Integration
• Follow four-step implementation of monitoring
1. Select the desired controls to monitor
2. Identify and collect the needed information
3. Identify and implement detection mechanisms
4. Define actions and reports


Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Utilizing Novell Compliance Management Platform for Continuous Controls Testing and Monitoring

More Related Content

Similar to Utilizing Novell Compliance Management Platform for Continuous Controls Testing and Monitoring

More from Novell

Utilizing Novell Compliance Management Platform for Continuous Controls Testing and Monitoring