End to End Security Auditing

Monitoring your enterprise
Assessing the risks

Prepared by Ted Anderson (ted.anderson@us.ibm.com)
IBM Software Group

April 2007

March 2007 IBM Corporation

AGENDA

• Business Issue (current section)
• Watch/Monitor vs. Assess
• Tivoli Security Operations Manager
• zAlert
• Consul InSight
• zAudit
• Summary

Security and compliance challenges

43% of CFOs think that improving governance, controls and risk management is their top challenge.

CFO Survey: Current state & future direction, IBM Business Consulting Services

Increasing Requirements
• Hundreds of compliance initiatives
• Compliance requirements are increasing in many industries
• Improved monitoring and control are needed to manage risks and avoid penalties and lost business

Increasing Complexity
• Disparate technologies and infrastructures fragment and hamper compliance efforts
• Linking infrastructure-level to business-level compliance is desirable, but challenging

Increasing Cost
• Lack of predictability and visibility across complex infrastructures drives rapid cost inflation
• Failure to achieve compliance or to prevent security breaches can impose enormous costs

Key Driver: IT Governance and Compliance

[Figure: “Components of a Logical Compliance Architecture”, Gartner, 2005]

Regulations shown: EU DPD, CFR Part 11, Sarbanes-Oxley, Basel II, IAS, UK Companies Law, USA PATRIOT, GLBA

Components shown:
• Classify, Analyze, Interpret: Business Intelligence Infrastructure, Tools and Applications
• Document and Archive: Records Management, Document Management, Knowledge Management, Content Management and Storage
• Business Unit Systems
• CRM and Customer-Facing Systems
• Financial and ERP Systems
• Business Activity Monitoring and CPM
• Assert Process Controls
• Identify, Audit, Secure and Protect: Identity and Access Management, Network Security, and Business Continuity
• CPM Reporting and Risk

Acronym Key
CFR = Code of Federal Regulations
CPM = corporate performance management
CRM = customer relationship management
ERP = enterprise resource planning
EU DPD = European Union Data Protection Directive
IAS = International Accounting Standards

AGENDA

Current section: Watch/Monitor vs. Assess

IBM’s security management vision and strategy: Preemptive, comprehensive security and compliance offerings

AGENDA

Current section: Tivoli Security Operations Manager

Watch: IBM Tivoli Security Operations Manager for Security Event Monitoring

IBM Tivoli Security Operations Manager (TSOM) is a real-time security information and event management (SIEM) platform designed to improve the effectiveness and efficiency of security operations and information risk management. TSOM centralizes and stores security data from throughout the heterogeneous technology infrastructure so that security analysts can:

Key Features
• Log Management - automated aggregation of security events and audit logs
• Correlation - real-time, cross-device event correlation for incident management and investigation
• Regulatory Compliance - reporting and policy monitoring to support regulatory compliance initiatives
• Maximize and amplify security operations resources through automation
• Integrates Security Operations with other IT Operations groups via Netcool and TEC

“TSOM automates the aggregation and correlation process. It mitigates false positives and alerts my team to real threats in a timely manner. The product is more or less what I would have designed and built myself, given four years and a pool of developers.”

~ Communications User of TSOM

Tivoli Security Operations Dashboard

Tivoli Security Operations schematic

TSOM supports over 255 Event/Log Sources

Access and Identity Management: IBM Tivoli Access Manager; IBM Tivoli Identity Manager; Microsoft Active Directory; CA eTrust Access; CA eTrust Secure Proxy Server; CA eTrust Siteminder (Netegrity); RSA SecureID RADIUS; Oracle Identity Management (Oblix); Sun Java System Directory Server; Cisco ACS

Wireless Security: AirMagnet; AirDefense

Management Systems (TSOM escalates to): IBM Netcool (Micromuse); IBM/Tivoli Enterprise Console; Cisco Information Center; Remedy ARS; HP OpenView; CA Unicenter

Management Systems (source of events into TSOM): Check Point Provider-1; CiscoWorks; IBM Netcool (Micromuse); ISS SiteProtector; ISS Fusion Module; Juniper Global Pro (Netscreen); Juniper NSM (Netscreen); Tripwire Manager; Intrusion, Inc. SecureNet Manager; McAfee ePO; Nortel Defense Center; Sourcefire Defense Center; Q1 QRadar Mgmt Server

Applications: Apache; Microsoft IIS; IBM WebSphere; Oracle Database Server; Lotus Domino; SAP R3; Peoplesoft

Operating Systems Logs, Logging Platforms: Solaris (Sun) *; AIX (IBM); OS/400 (I Series); RedHat Linux; SuSE Linux; HP/UX; Microsoft Windows Event Log (W2K3 DHCP, W2K DHCP, IIS); Microsoft SNMP Trap Sender; Nokia IPSO; Novell NetWare; OpenBSD; Tandem Non-Stop OS (HP); Tru64; Tripplight UPS; Monitorware SYSLOG; KiwiSyslog

zOS-Mainframe IDS: Consul zAlert

Antivirus: CipherTrust IronMail; McAfee Virus Scan; Norton AntiVirus (Symantec); McAfee ePO; Trend Micro InterScan

Application Security: Blue Coat Proxy; Nortel ITM (Intelligent Traffic Mgmt); Teros APS; Sentryware Hive; IBM DataPower (coming soon)

Discovery Tools: Lumeta IPSonar; NMAP; Sourcefire RNA

Network Intrusion Detect/Prevention: McAfee Intrushield; Sourcefire Network Sensor; Sourcefire RNA; Juniper IDP; ISS Proventia G; ISS Proventia M; ISS Proventia ADS; ISS RealSecure Network Sensor; ISS BlackICE Sentry; Cisco Secure IDS; SNORT IDS; Enterasys Dragon; Nortel Threat Protection System (TPS); Intrusion's SecureNetPro; Mirage Networks; NFR NID; Symantec ManHunt; ForeScout ActiveScout; QRadar; Top Layer Attack Mitigator; Labrea TarPit; IP Angel; Lancope StealthWatch; Tipping Point UnityOne NDS; Arbor Networks PeakflowX; Mazu Networks

Host-based Intrusion Detect/Prevention: ISS Proventia Server & Desktop; ISS Server & OS Sensor; Type80 SMA_RT (zOS-Mainframe RACF); PowerTech (iSeries-AS/400); Cisco CSA; NFR HID; IBM Netcool SSMs; Sana; Snare; Symantec Intruder Alert (ITA); Sygate Secure Enterprise; Tripwire; McAfee Entercept

VPN: Juniper SSL VPN; Nortel VPN Router (Contivity); Check Point; Cisco IOS VPN; Cisco VPN 3000; Juniper VPN; Nortel VPN Gateway (SSL VPN)

Firewalls: Check Point Firewall-1; Cisco PIX; CyberGuard; Fortinet FortiGate; GNATBox; Juniper (Netscreen); Linux IP Tables; Lucent Brick; Microsoft ISA Server; Nortel Switched Firewall; Stonesoft's StoneGate; Secure Computing's Sidewinder; Symantec's Enterprise Firewall; SonicWALL; Sun SunScreen

Vulnerability Assessment: ISS Enterprise Scanner; ISS Internet Scanner; Nessus; Vigilante; QualysGuard; Foundstone; eEye Retina, REM; SPI Dynamics WebInspect; nCircle IP360; Harris STAT; Tenable Lightning

Routers/Switches: Cisco Routers; Cisco Catalyst Switches; Cisco RCMD; Foundry Switches; F5 Big IP, 3-DNS; Juniper JunOS; TACACS / TACACS+; Nortel Ethernet Routing Switch 5500, 8300, 8600, 400 series; Extreme Networks

Policy Compliance: Vericept

AGENDA

Current section: zAlert

zAlert Overview

Description
zAlert is real-time threat monitoring for the mainframe that goes beyond conventional configuration notification solutions to encompass prevention, as it can take instant action to stop an attack.

Key Benefits
• Monitor sensitive data for misuse
• Fix configuration mistakes before others exploit them
• Detect and stop security breaches
• Lower operational cost associated with Incident Response activities
• Feeds events to TSOM

How it works
Alerts are generated based upon SMF events and JES log events. Actions can be tailored to suit your environment.

Platforms
• OS/390 and z/OS through 1.8
• RACF
• Consul/zAudit

zAlert, the alerts

When your mainframe data is crucial enough that you need to know real-time

Alerting AND Action!
• Send WTO to trigger Automated Operations
• Issue commands autonomously

AGENDA

Current section: Consul InSight

Consul’s Product Family

• Differentiated:
  – Beyond perimeter to inside
  – People and policy focused
  – Depth and breadth

• Hard to emulate:
  – 20 years of expertise built-in
  – Platform specific know-how across 50+ platforms

What (assess) are people doing in my enterprise?

87% of insider incidents are caused by privileged and technical users.

Tracking through various logs

Next find the Expert for the log

Log sources: Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris

Experts: Windows expert, z/OS expert, AIX expert, Oracle expert, SAP expert, ISS expert, FireWall-1 expert, Exchange expert, IIS expert, Solaris expert

W7 Methodology

Who did What type of action on What? When did he do it and Where, From Where and Where To?

We do the hard work, so you don’t have to!!

Assessing compliance: Consul InSight Security Manager

Consul InSight Security Manager provides an enterprise security compliance dashboard with in-depth privileged user monitoring capabilities, all powered by a comprehensive log and audit trail collection capability.

Key Features
• Unique ability to monitor user behavior
• Enterprise compliance dashboard
• Compliance management modules and regulation-specific reports
• Broadest, most complete log and audit trail capture capability
• W7 log normalization translates your logs into business terms
• Easy ability to compare behavior to regulatory and company policies

Compliance Dashboard

Logs after W7 – Billions of log files summarized on one overview graphic!

Compliance Modules

Insight Event Sources

Each entry below is listed as: vendor and product | version

Operating Systems
CA ACF2 through zAudit ACF2 | 8.0
CA eTrust Access Control for AIX | 5.0
CA eTrust Access Control for HP-UX | 5.0
CA eTrust Access Control for Solaris | 5.0
CA eTrust Access Control for Windows | 4.10
CA Top Secret for VSE/ESA | 3.0
CA Top Secret for z/OS via z/Audit | 5.2
Hewlett-Packard HP NonStop (Tandem) SafeGuard | D42
Hewlett-Packard HP-UX audit trail | 10.2, 11i
Hewlett-Packard HP-UX syslog | 10.2, 11i
Hewlett-Packard OpenVMS | 7.3.2
Hewlett-Packard Tru64 | 4.0, 5.1, 5.1B
IBM AIX audit trail | 4.x, 5.1, 5.2, 5.3
IBM AIX syslog | 4.x, 5.1, 5.2, 5.3
IBM OS/400 journals | 4.5, 5r1-r2-r3
IBM z/OS RACF - excl. DB2 through zAudit RACF Lite | R10 to 1.7
IBM z/OS RACF through (already) installed zAudit RACF | R10 to 1.7
IBM z/OS ACF2 - excl. DB2 through zAudit ACF2 Lite | R10 to 1.7
IBM z/OS RACF through (already) installed zAudit ACF2 | R10 to 1.7
IBM z/OS TopSecret - excl. DB2 through zAudit Lite | R10 to 1.7
Microsoft Windows security event log | NT4, 2000, 2003, XP
Novell Novell Netware | 4, 5, 6, 6.5 (via Nsure Audit)
Novell Novell Nsure Audit | 1.0.1, 1.0.2, 1.0.3
Novell Novell Suse Linux | 8.2, 9.x
Red Hat Linux syslog | 6.2, 7.2, 8.0, 9.0, ES 4, Fedora Core
Stratus VOS | 13.x, 14.x, 15.x
SUN Solaris audit trail (32 bit & 64 bit) | 7, 8, 9, 10
SUN Solaris syslog | 7, 8, 9, 10

User Information Sources
Hewlett-Packard HP HP-UX | 10.2, 11i
IBM IBM AIX | 4.x, 5.1, 5.2, 5.3
IBM IBM OS/400 | 4.5, 5.1, 5.2, 5.3
IBM IBM z/OS | R10 to 1.7
Microsoft Microsoft NT Domain | Windows NT4, 2000, 2003
Microsoft Microsoft Active Directory | Windows 2000, 2003
SUN Solaris | 7, 8, 9, 10

Authentication Sources
BMC Identity Manager on AIX / Oracle via ODBC | 3.2.0.3
CA eTrust (Netegrity) SiteMinder (from Windows) | 5.5
IBM Tivoli Access Manager | 4.1
RSA Authentication Server (Ace) | 6.0

Mail servers and GroupWare
IBM Lotus Domino (Notes) on Windows (Max. of 3000 users) | 5.0, 6.0, 6.5
Microsoft Exchange Server (Max. of 3000 users) | 2000, 2003

Proxy Servers
Blue Coat Systems ProxySG series | SGOS 3.2.5

Web Servers
Microsoft Internet Information Server (IIS) on Windows | 4.0, 5.0, 6.0
SUN iPlanet Web Server on Solaris | 4.0, 6.0

VPN
Cisco VPN Concentrator 3000 (via Syslog) | 4.1

Vulnerability Scanners
ISS System Scanner (from Windows) | 4.2

Application Packages
Misys OPICS | 5, 6, 6.1
SAP R/3 on Windows (Number of applications) | 4.6, 4.7
SAP R/3 on HP-UX (Number of applications) | 4.6, 4.7
SAP R/3 on AIX (Number of applications) | 4.6, 4.7
SAP R/3 on Solaris (Number of applications) | 4.6, 4.7

Databases
IBM DB2 on z/OS through zAudit Lite | 7.x, 8.x
IBM UDB on Windows | 8.2
IBM UDB on Solaris | 8.2
IBM UDB on AIX | 8.2
Microsoft SQL Server application logs | 6.5, 7.0, 2000
Microsoft SQL Server trace files | 2000, 2005
Oracle database server on Windows | 8i, 9i, 10g
Oracle database server on Solaris | 8i, 9i, 10g
Oracle database server on AIX | 8i, 9i, 10g
Oracle database server on HP-UX | 8i, 9i, 10g
Oracle database server FGA on Windows | 9i, 10g
Oracle database server FGA on Solaris | 9i, 10g
Oracle database server FGA on AIX | 9i, 10g
Oracle database server FGA on HP-UX | 9i, 10g
Sybase ASE on Windows | 12.5, 15
Sybase ASE on Solaris | 12.5, 15
Sybase ASE on AIX | 12.5, 15
Sybase ASE on HP-UX | 12.5, 15

Firewalls
Check Point FireWall-1 (via SNMP) | 4.1, NG, NGX
Cisco PIX (from AIX) | 6.0 – 6.3.3
Cisco PIX (from Windows) | 6.0 – 6.3.3
Cisco PIX (via SNMP) | 6.0 – 6.3.3
Cisco PIX (via Syslog) | 6.0 – 6.3.3
Symantec (Raptor) Enterprise Firewall (via SNMP) | 6.0, 6.5, 7.0
Symantec (Raptor) Enterprise Firewall (via Syslog) | 6.0, 6.5, 7.0

IDS, IPS
ISS RealSecure (alerts) via SNMP | 6.0
ISS RealSecure (operational messages, Windows) | 6.0
McAfee IntruShield IPS Manager (via Syslog) | 1.9
Snort (Open Source) IDS (via Syslog) | 2.1.3, 2.2.0, 2.3.3

Routers
Cisco Router (from AIX) | IOS 12.x
Cisco Router (from Windows) | IOS 12.x
Cisco Router (via SNMP) | IOS 12.x
Cisco Router (via Syslog) | IOS 12.x

Switches
Hewlett-Packard ProCurve switch (via SNMP) | Managed units, 2500 series & up

Virus Scanners
McAfee ePolicy Orchestrator (ePO) | 3.5.2
TrendMicro ScanMail for Domino on Windows | 5.3
TrendMicro Scanmail for MS Exchange | 5.3
TrendMicro ServerProtect 5 for NT | 5.3
Symantec AntiVirus Corporate Edition for Windows | 9.0

AGENDA

Current section: zAudit

zAudit at a glance

Description
Security event audit and monitoring for the mainframe environment. Automatic detection of exposures through status auditing.

Key Benefits
• Increase transparency
• Lower cost of event collection and analysis
• Identify security weaknesses
• Decrease chance of costly security breaches

How it works
zAudit looks across your various mainframe systems, measuring and auditing status and events. The technology provides standard and customized reports, and real-time alerts on policy exceptions or violations that indicate a security breach or weakness.

Platforms
z/OS through 1.8 for any ESM

z/OS Status Audit

z/OS User Events via zAudit

AGENDA

Current section: Summary

Tivoli Security Operations Manager and Consul InSight

User Persona: Security Operations; IT Security; Internal Audit

Product: Tivoli Security Operations Manager (TSOM)
Problem:
• Network-centric Attacks, Misconfigs and Misuse
• Security Data Overload
• Mitigation of Security Incidents
Solution:
• Incident Management
• Security Event Mgmt (SEM)

Product: Consul InSight
Problem:
• User-centric policy violations
• Privileged user audit and monitoring
• Regulatory Compliance reporting
Solution:
• User Activity Monitoring
• Security Info Mgmt (SIM)

Next Steps:
• Manage it For Me
• Help Me Do IT
• What should I do

For more information contact:
Joanie Gines, zTivoli Sales Operation and Strategy: [email protected]
Ted Anderson, Security Specialist: ted.anderson@us.ibm.com