TIVOLI SECURITY INFORMATION AND EVENT MANAGER (TSIEM): Introduction | Event sources | Configuring Policies | Reporting in TSIEM | Best Practices in TSIEM

TSIEM Presentation.pptx



WHY SIEM?

Security Information/Events = Logs. Logs are audit records generated by any software component running on the IT infrastructure. Log records cover:
- Normal activity
- Incident alerts
- Error conditions
- Non-privileged access to files
- Configuration changes
- User access to assets
- Policy changes
- Unauthorized use of resources
- User behavior patterns
- Clearing of sensitive data
Logs provide feedback on the status of IT resources and all activity going through them.

Event Log Data Creators

What is the Problem? Complexity of the Security Infrastructure


Issues
Day to day: manual analysis of log data wherever it exists; the cost of expensive security experts.
Operational: time to resolution; difficulty in assigning a problem owner for resolution; expense.
Strategic: siloed security management does not encourage operational convergence across discrete business units.

The Solution Security Information and Event Management (SIEM)


Use Case: Vulnerable Server Attacked


TIVOLI SIEM INTRODUCTION

Introduction to TSIEM
Tivoli Security Information and Event Manager (TSIEM) is an enterprise-wide auditing program for monitoring internal computer activity. TSIEM provides continuous, non-intrusive assurance and documentary evidence that data and systems are being managed in accordance with, and comply with, company policies.

Components of TSIEM
Log Management: the Log Management module collects log data that is relevant to security auditing and compliance monitoring. It stores the data on a central server, the Log Management Server.
Security Information Management (SIM): the SIM module evaluates and reports on user-oriented events and evaluates them against predetermined policy.

Server types and their functions
1. Log Management Server: provides all Log Management functions, including log collection, log storage, log retrieval, forensic search, and log management reports. This server type is deployed to manage log data for which SIM functions, such as W7 normalization and compliance reporting, are not required. If you did not purchase the Security Information Module, you can deploy only Log Management Servers.
2. SIM Standard Server: provides log collection, log storage, log retrieval, W7 normalization, and compliance reporting, but no forensic search or log management reports.
3. SIM Enterprise Server: provides all Log Management Server functions as well as all SIM functions such as W7 normalization and compliance reporting. It also provides a consolidated view of the normalized W7 data on the attached Standard Servers, forensic search, and log management reporting.


EVENT SOURCES

Event sources
Audit data is collected from various devices and applications using event sources. To establish event monitoring in Tivoli Security Information and Event Manager, you must deploy one or more event sources. An event source can be a database, an application, an operating system, a network device, or any other platform that records its events in logs and to which Tivoli Security Information and Event Manager has access, so that it can collect a selection of security-relevant logs for event monitoring and reporting.

Data Collection scenarios


W7 Format
First collect the raw events generated by the event sources. These events are placed as chunks in the depot directory of the TSIEM server, from which they can be loaded according to a schedule. A customized script runs periodically to convert the raw audit data into a W7 CSV or XML file and place it at the location specified when the W7 event source was created in the TSIEM GUI. The seven W7 dimensions are: when, who, what, where, wherefrom, whereto, onwhat.
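The conversion step described above, as an added example written for this page rather than code shipped with TSIEM or taken from the presentation: a small Python script that reads a raw Linux audit trail (constructed syslog lines for sshd, sudo and cron, not real data) and emits one W7 record per line as CSV. The column layout, the "what" labels such as Logon/Failure, and the fixed year are assumptions for illustration; the exact columns and values the TSIEM W7 event source expects are defined in the product documentation. Unrecognised and unparseable lines are still emitted rather than dropped, in line with the best practice later on the page of not filtering at the source.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# The seven W7 dimensions, in the column order used for the CSV output.
# Assumption: a simplified layout for illustration; the exact columns the
# TSIEM W7 event source expects are defined in the product documentation.
W7_FIELDS = ("when", "who", "what", "where", "wherefrom", "whereto", "onwhat")


@dataclass
class W7Event:
    when: str       # ISO 8601 timestamp in UTC
    who: str        # account that performed the action ("" if unknown)
    what: str       # action and outcome, e.g. "Logon/Failure" (assumed labels)
    where: str      # system on which the event was recorded
    wherefrom: str  # origin of the action (source IP), "" if local
    whereto: str    # target of the action (host or target account), "" if n/a
    onwhat: str     # object acted upon (service, command, file)

    def row(self):
        return [getattr(self, f) for f in W7_FIELDS]


# Constructed sample audit trail in BSD syslog format (not real data).
RAW_LOG = """\
Mar  3 10:15:02 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:15:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:16:11 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 10:17:00 web01 cron[2301]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
this line is not syslog at all
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_syslog(line, year):
    """Split one syslog line into header fields; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    # Assumption: syslog lines carry no year, so the caller supplies it.
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s, tzinfo=timezone.utc)
    return {"when": ts.isoformat(), "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def to_w7(rec):
    """Map a parsed syslog record onto the seven W7 dimensions."""
    when, host, msg = rec["when"], rec["host"], rec["msg"]
    if rec["prog"] == "sshd":
        m = ACCEPTED_RE.match(msg)
        if m:
            return W7Event(when, m["user"], "Logon/Success", host, m["ip"], host, "sshd")
        m = FAILED_RE.match(msg)
        if m:
            return W7Event(when, m["user"], "Logon/Failure", host, m["ip"], host, "sshd")
    elif rec["prog"] == "sudo":
        m = SUDO_RE.match(msg)
        if m:
            return W7Event(when, m["user"], "PrivilegeEscalation/Success",
                           host, "", m["target"], m["cmd"])
    # Unrecognised messages are kept, not dropped: the collector should pass
    # the whole trail and leave filtering to the reporting stage.
    return W7Event(when, "", "Unclassified", host, "", "", f"{rec['prog']}: {msg}")


def normalize(text, year=2024):
    """Convert a raw audit trail into a list of W7Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_syslog(line, year)
        if rec is None:
            # Unparseable lines also become a record so the gap is visible in reports.
            events.append(W7Event("", "", "Unparsed", "", "", "", line))
        else:
            events.append(to_w7(rec))
    return events


def to_w7_csv(events):
    """Serialise W7 events as the CSV that a W7 event source would load."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(W7_FIELDS)
    for event in events:
        writer.writerow(event.row())
    return buf.getvalue()


if __name__ == "__main__":
    print(to_w7_csv(normalize(RAW_LOG)))
```

In a real deployment the script would run from the scheduler, read the newly collected chunk, and write the CSV to the directory configured for the W7 event source; the parsing and mapping logic is the part that has to be written per platform.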


Description of the W7 fields


W7 Fields


Configuring Policies and Alert Rules

Configuring policies
A security policy consists of group definition sets, policy rules, and attention rules defined for one or more platforms. When systems whose activity is audited are registered, IBM Tivoli Security Information and Event Manager applies the policy and attention rules in your security policy to load audit data from each system into a SIM Reporting Database, organizing the data using the groups you defined and displaying the results in the Compliance Dashboard.


Committing policies
A committed policy is used to run automated compliance checks. Only Work policies can be committed. After a policy is committed, it cannot be modified or deleted.


Elements of a security policy
When you create a security policy, you must define the following elements:
- Platforms
- Group definition sets
- Groups
- Conditions
- Requirements
- Policy rules
- Attention rules

Testing policies
Before you commit a Work policy, it can be helpful to test it and see how it analyzes the audit data. When you test a policy, you load audit data and map the W7 data against the policy definitions. Only Work policies can be tested; the testing functionality is not available for Committed policies.
To test a policy: open the Policy Editor and click Test Policy. The Load Database Wizard opens. Manually map and load audit data into a Reporting Database and run the dataset against the Work policy.

Managing attention rules
Attention rules determine which events trigger an alert. The trigger criteria are based on a rule or a combination of rules. Use the Policy Editor to view, create, delete, edit, copy, paste, and import attention rules. Attention rules are also referred to as blacklist policies or alert rules.

Managing alerts
All defined alerts are displayed in the Alerts page. You can create, edit, and delete alerts, and you can also configure the protocol settings used to send the alerts. The purpose of an alert is to raise attention for events that require a follow-up, that is, special attention events or events that are above a defined severity level, such as security policy exceptions. Alerts notify specified recipients, such as a system administrator, when a serious or potentially harmful security event has occurred. The relevance (severity) of an event is defined in the security policy.
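To make the policy elements (groups, conditions, requirements, policy rules, attention rules) and the test-before-commit workflow concrete, here is an added example, written for this page and not code from TSIEM or the presentation, that evaluates a handful of constructed, already-normalized W7 records against a toy security policy. The group names, the glob-pattern conditions, the rule that the first matching group wins with unmatched values falling into "Other", the rule names and the severity numbers are all assumptions of this model, not TSIEM's own. The point it shows: attention (blacklist) rules are checked first and always flag the event with their severity; an event that then matches a policy rule is compliant; anything else is a policy exception.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Group definition set: per W7 dimension, named groups and the conditions
# (glob patterns) a field value must meet. Assumption of this model: groups
# are tried in order, the first match wins, and unmatched values are "Other".
GROUPS = {
    "who": {"Admins": ["alice", "bob"], "ServiceAccounts": ["svc_*"]},
    "what": {"FailedLogon": ["Logon/Failure"], "Logon": ["Logon/*"],
             "PrivilegeEscalation": ["PrivilegeEscalation/*"]},
    "onwhat": {"SensitiveFiles": ["*/etc/shadow*", "*/etc/sudoers*"],
               "SystemCommands": ["/bin/*", "/usr/bin/*"], "SSH": ["sshd"]},
    "wherefrom": {"Internal": ["10.*", "192.168.*", ""],  # "" = local, no origin
                  "External": ["*"]},
}

# Policy rules: combinations of groups that are permitted behaviour.
# An event that matches no policy rule is a policy exception.
POLICY_RULES = [
    {"name": "Admins log on over SSH",
     "requirements": {"who": "Admins", "what": "Logon", "onwhat": "SSH"}},
    {"name": "Admins run system commands as root",
     "requirements": {"who": "Admins", "what": "PrivilegeEscalation", "onwhat": "SystemCommands"}},
    {"name": "Service accounts log on from inside",
     "requirements": {"who": "ServiceAccounts", "what": "Logon", "onwhat": "SSH", "wherefrom": "Internal"}},
]

# Attention rules (blacklist / alert rules): always flagged, with a severity,
# even if a policy rule would otherwise permit the event.
ATTENTION_RULES = [
    {"name": "Access to sensitive file", "severity": 9,
     "requirements": {"onwhat": "SensitiveFiles"}},
    {"name": "Logon failure from outside", "severity": 6,
     "requirements": {"what": "FailedLogon", "wherefrom": "External"}},
]

POLICY = {"groups": GROUPS, "policy_rules": POLICY_RULES,
          "attention_rules": ATTENTION_RULES, "exception_severity": 4}

# Constructed W7 records (already normalized); not real audit data.
SAMPLE_EVENTS = [
    {"when": "2024-03-03T10:15:02+00:00", "who": "alice", "what": "Logon/Success",
     "where": "web01", "wherefrom": "10.0.0.5", "whereto": "web01", "onwhat": "sshd"},
    {"when": "2024-03-03T10:15:40+00:00", "who": "alice", "what": "PrivilegeEscalation/Success",
     "where": "web01", "wherefrom": "", "whereto": "root", "onwhat": "/bin/cat /etc/shadow"},
    {"when": "2024-03-03T10:16:11+00:00", "who": "admin", "what": "Logon/Failure",
     "where": "web01", "wherefrom": "203.0.113.9", "whereto": "web01", "onwhat": "sshd"},
    {"when": "2024-03-03T10:20:00+00:00", "who": "svc_backup", "what": "Logon/Success",
     "where": "web01", "wherefrom": "10.0.0.7", "whereto": "web01", "onwhat": "sshd"},
    {"when": "2024-03-03T10:21:00+00:00", "who": "svc_backup", "what": "PrivilegeEscalation/Success",
     "where": "web01", "wherefrom": "", "whereto": "root", "onwhat": "/usr/bin/rsync -a /srv /backup"},
]


def map_to_groups(event, groups):
    """Resolve each W7 field of an event to its group name ("Other" if none)."""
    mapped = {}
    for dim, defs in groups.items():
        value = event.get(dim, "")
        mapped[dim] = next((name for name, patterns in defs.items()
                            if any(fnmatchcase(value, p) for p in patterns)), "Other")
    return mapped


def requirements_met(requirements, mapped):
    """A rule applies when every dimension it names is in the required group."""
    return all(mapped.get(dim) == group for dim, group in requirements.items())


def classify(event, policy):
    """Attention rules first, then policy rules; whatever remains is an exception."""
    mapped = map_to_groups(event, policy["groups"])
    for rule in policy["attention_rules"]:
        if requirements_met(rule["requirements"], mapped):
            return {"status": "attention", "rule": rule["name"],
                    "severity": rule["severity"], "groups": mapped}
    for rule in policy["policy_rules"]:
        if requirements_met(rule["requirements"], mapped):
            return {"status": "compliant", "rule": rule["name"], "severity": 0, "groups": mapped}
    return {"status": "exception", "rule": None,
            "severity": policy["exception_severity"], "groups": mapped}


def evaluate(events, policy):
    return [classify(e, policy) for e in events]


def dashboard(results):
    """Counts per status: the figure a compliance overview would chart."""
    return dict(Counter(r["status"] for r in results))


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS, POLICY)):
        print(f'{event["when"]} {event["who"]:<11} {event["what"]:<28} '
              f'-> {result["status"]:<10} sev={result["severity"]} ({result["rule"]})')
    print(dashboard(evaluate(SAMPLE_EVENTS, POLICY)))
```

Running this over a loaded dataset is the equivalent of Test Policy on a Work policy: the exception count tells you whether the policy rules cover the normal, authorised activity, and the attention hits tell you whether the alert rules fire only on what you want to be paged for. The second event shows why attention rules are evaluated before policy rules: an admin reading /etc/shadow via sudo would otherwise be judged only against the permit rules.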

Reporting in TSIEM

Introduction to Reports
Tivoli Security Information and Event Manager provides dozens of security compliance reports that enable you to check compliance with security policy, to verify the log collection events, and to analyze data in the Log Management Depot. The log management reports are accessed through the Log Management Dashboard. The Tivoli Common Reporting report set can be accessed through the navigation panel in the Tivoli Integrated Portal as well as through the Log Management reports.

Compliance Reports
TSIEM provides many security compliance reports, including:
- Graphic reports
- Event summary reports
- Event detail reports
- Trend reports
- Standard reports
- Custom reports
- Log management reports
- Compliance management module reports

Graphic Reports
Graphic reports provide visual analyses of security policy compliance activities. The purpose of graphic reports is to show you, at a glance, the status of security compliance in your organization. Examples of graphic reports include the Enterprise Overview graph, the Trend graphic, the Database Overview graphic, some of the Log Manager reports, and others.

Example: Enterprise overview graph


Event summary reports
Event summary reports, or event lists, provide lists of all events that match the specified criteria. For example, you can see a list of all events that occurred during a particular time period. Event summary reports are useful for seeing what other events occurred at the same time, affected the same technological assets, or otherwise share a W7 attribute. From the event list, you can drill down to see event detail reports.

Example: Event summary reports


Trend reports
Trend reports show security events over specific time periods. They are useful for identifying general trends in security compliance. You can drill down into the trend reports to see information about specific events.

Example: Trend reports


Report Centers
- Configuration tools
- Daily verification reports
- Detailed investigation reports
- Firewall reports

Configuration tools


Daily verification


Detailed Investigation


Troubleshooting and Best Practices

General Troubleshooting & Best Practice
Agent/Agent-less Collect Troubleshooting:
- Overview of the collect process
- Logs involved
- Stages where collect may fail
- Troubleshooting

Collect Process Overview


Stages where collect may fail
- Connection fails.
- Collect user has inadequate permission (audit trail / TEMP).
- Collect script fails.
- No events to collect.

Connection Failures
Verify that the agent and the TSIEM server are communicating, and verify that the SSH connections are good. Some common connection errors (this is not an exhaustive list):
1. Agent not running
2. Agent and/or target is not reachable
3. SSH keys bad
4. Agent certificate bad

User Permissions to the Audit Trail:
The user the agent runs as must have access to the audit trail directory/files and any other directories defined in the Event Source properties. Recommended user for the agent to run as: Windows - Administrator; Linux/AIX - root.

Reporting Database Load Problems


Best Practices
- Don't try to filter the logs at the source. Good event logging systems capture 100% and let you purge later.
- Determine reporting time periods: 1 week, 1 month, 90 days, or more? Reporting periods drive event data retention policies. Plan to store data for at least 2 complete reporting intervals. If you purge old data, be sure you have proper archives.
- Use a centralized, standard time source. When event logs are time-aligned, life is much easier.

Best Practices
- Don't alert on everything. Take it slow; prioritize what you REALLY want to be alerted on.
- Leverage correlation to weed out false positives. Rules-based correlation techniques can reduce the chatter, and correlated reporting gives a more holistic view of the network.
- Be cautious of sensitive event log content. Be sure that the centralized logging facility is secure.
- Encourage your teams to analyze the data: determine your standard reports, develop baselines, and look for exceptions.
- If you didn't log it, then it never happened.

Demo

Questions/Comments


Best Practices


Agent-based data flow log collection
