Symantec™ Security
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version: 4.7.4
Legal Notice
Copyright © 2011 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation 350 Ellis Street
Mountain View, CA 94043 http://www.symantec.com
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
Technical Support ... 4
Section 1 Introducing the Information Manager ... 17
Chapter 1 Overview ... 19
About Symantec Security Information Manager ... 19
What's new in this release ... 20
New features ... 21
Features of Information Manager ... 22
About estimating system performance ... 27
Chapter 2 Understanding the Information Manager components ... 29
About workflow in Information Manager ... 29
About Information Manager components ... 30
About security products and devices ... 31
About event collectors ... 31
About the Symantec Global Intelligence Network ... 32
About the Information Manager Web service ... 32
About Information Manager servers ... 32
Section 2 Managing roles, permissions, users, and organizational units ... 35
Chapter 3 Managing roles and permissions ... 37
About managing roles ... 37
About planning for role creation ... 38
About the administrator roles ... 39
Creating a role ... 40
Editing role properties ... 48
Deleting a role ... 55
About working with permissions ... 55
About permissions ... 56
About the propagation of permissions ... 57
Modifying permissions from the Permissions dialog box ... 58
Chapter 4 Managing users and user groups ... 61
About users and passwords ... 61
Creating a new user ... 63
Creating a user group ... 65
About editing user properties ... 66
Changing a user’s password ... 66
Specifying user business and contact information ... 67
Managing role assignments and properties ... 68
Managing user group assignments ... 69
Specifying notification information ... 70
About modifying user permissions ... 72
Modifying a user group ... 73
Deleting a user or a user group ... 74
Customizing the password policy ... 74
Chapter 5 Managing organizational units and computers ... 77
About organizational units ... 77
About managing organizational units ... 77
Creating a new organizational unit ... 78
About determining the length of the organizational unit name ... 79
Editing organizational unit properties ... 80
Deleting an organizational unit ... 80
About managing computers within organizational units ... 81
Creating computers within organizational units ... 82
About editing computer properties ... 83
Distributing configurations to computers in an organizational unit ... 92
Moving a computer to a different organizational unit ... 93
About modifying computer permissions ... 94
Deleting a computer from an organizational unit ... 94
About the Visualizer ... 95
Chapter 6 Configuring a service provider ... 101
About using Information Manager in a service provider context ... 101
About the service provider environment from the provider perspective ... 104
About customizing the Incidents view in a Service Provider Master console ... 104
About responding to a client incident ... 105
Creating Information Manager tickets in a Service Provider Master context ... 105
Exporting incident information from the Client Incident viewer ... 107
About setting up a Service Provider environment ... 107
Configuring an instance of Information Manager as a Service Provider client ... 107
Configuring an Information Manager server as a Service Provider Master ... 108
Configuring service provider client management accounts ... 109
Synchronizing the Service Provider Master with client incidents ... 110
Disconnecting a client from a Service Provider Master ... 110
Section 3 Planning for security management ... 113
Chapter 7 Managing the correlation environment ... 115
About the Correlation Manager ... 115
About the Correlation Manager knowledge base ... 116
About the default rules set ... 116
Chapter 8 Defining rules strategy ... 121
About creating the right rule set for your business ... 121
About defining a rules strategy ... 123
About correlation rules ... 123
About rule conditions ... 124
About rule types ... 125
About event criteria ... 129
About the Event Count, Span, and Table Size rule settings ... 132
About the Tracking Key and Conclusion Creation fields ... 132
About the Correlate By and Resource fields ... 134
Importing existing rules ... 135
Creating custom correlation rules ... 136
About automatically assigning incidents ... 140
Assigning incidents automatically to the least busy member in a user group ... 141
Creating a multicondition rule ... 141
Creating a correlation rule based on the X not followed by Y rule type ... 145
Creating a correlation rule based on the X not followed by X rule type ... 147
Creating a correlation rule for the Y not preceded by X rule type ... 149
Creating a correlation rule for the Lookup Table Update ... 150
Enabling and disabling rules ... 152
Working with the Lookup Tables window ... 152
Creating a user-defined Lookup Table ... 157
Importing Lookup Tables and records ... 159
Section 4 Understanding event collectors ... 161
Chapter 9 Introducing event collectors ... 163
About Event Collectors and Information Manager ... 163
Components of collectors ... 164
Chapter 10 Installing event collectors ... 165
Before you install collectors ... 165
Requirements for point products and the collectors ... 165
Updating the hosts file ... 166
About installation and configuration tasks for collectors ... 167
Registering Collectors ... 170
Installing the Symantec Event Agent ... 170
Preinstallation requirements ... 171
About installing the Event Agent ... 171
Installing the Event Agent on Windows ... 172
Installing the Event Agent on Solaris ... 173
Installing the Event Agent on Linux ... 175
About uninstalling the Event Agent ... 176
About uninstalling the Event Agent on Windows ... 176
About uninstalling the Event Agent on Linux and Solaris ... 176
Event Agent Management with agentmgmt.bat utility ... 176
Verifying Symantec Event Agent installation ... 178
Verifying Symantec Event Agent operation ... 179
Installing the collector on a remote computer ... 181
Installing collectors on an Information Manager server ... 182
Verifying collector installation ... 182
About Symantec Universal Collectors ... 186
Downloading and installing the Symantec Universal Collectors ... 186
Chapter 11 Configuring point products and collectors ... 189
About configuring a point product to work with a collector ... 189
Creating and configuring sensors ... 190
Creating a new sensor configuration ... 191
Configuring the collector sensor to receive security events ... 192
Adding, renaming, deleting, and disabling sensors ... 193
Importing and exporting sensor properties ... 193
Updating sensor properties globally ... 194
Configuring collector raw event logging ... 195
Chapter 12 Configuring collectors for event filtering and aggregation ... 197
Configuring event filtering ... 197
Configuring event aggregation ... 200
Section 5 Working with events and event archives ... 205
Chapter 13 Managing event archives ... 207
About events, conclusions, and incidents ... 207
About the Events view ... 208
About the event lifecycle ... 208
About event archives ... 210
About multiple event archives ... 210
Creating new event archives ... 211
Restoring event archives ... 212
Specifying event archive settings ... 213
Creating a local copy of event archives on a network computer ... 215
Viewing event data in the archives ... 216
About the event archive viewer right pane ... 217
Manipulating the event data histogram ... 217
Setting a custom date and time range ... 218
About viewing event details ... 218
Modifying the format of the event details table ... 219
Searching within event query results ... 221
Filtering event data ... 221
About working with event queries ... 225
Using the Source View query and Target View query ... 226
Creating query groups ... 227
Creating custom queries ... 227
Querying across multiple archives ... 233
Managing the color scheme that is used in query results ... 234
Editing queries ... 234
Importing queries ... 236
Exporting queries ... 236
Publishing queries ... 237
About querying for IP addresses ... 237
Deleting queries ... 238
Scheduling queries that can be distributed as reports ... 238
Chapter 14 Forwarding events to an Information Manager server ... 241
About forwarding events to an Information Manager server ... 241
About registering a security directory ... 243
Registering the Information Manager with a security domain ... 244
Activating event forwarding ... 245
Stopping event forwarding ... 248
Chapter 15 Understanding event normalization ... 249
About event normalization ... 249
About normalization (.norm) files ... 251
Chapter 16 About Effects, Mechanisms, and Resources ... 253
About Effects, Mechanisms, and Resources (EMR) ... 253
About Effects values ... 254
About Mechanisms values ... 255
About Resources values ... 258
EMR examples ... 261
Chapter 17 Collector-based event filtering and aggregation ... 263
About collector-based event filtering and aggregation ... 263
About identifying common events for collector-based filtering or aggregation ... 265
About preparing to create collector-based rules ... 266
Creating collector-based filtering and aggregation specifications ... 269
Examples of collector-based filtering and aggregation rules ... 271
Filtering events generated by specific internal networks ... 271
Filtering common firewall events ... 272
Filtering common Symantec AntiVirus events ... 275
Filtering or aggregating vulnerability assessment events ... 276
Filtering Windows Event Log events ... 277
Chapter 18 Working with the Assets table ... 281
About the Assets table ... 281
About how event correlation uses Assets table entries ... 282
About CIA values in the Assets table ... 283
Importing assets into the Assets table ... 284
Searching, filtering, and sorting assets ... 284
Visual identification of the IP addresses also on the IP Watchlist ... 286
About vulnerability information in the Assets table ... 286
About using a vulnerability scanner to populate Assets table ... 287
About locked and unlocked assets in the Assets table ... 288
Using the Assets table to help reduce false positives ... 288
About filtering events based on the operating system ... 289
About using CIA values to identify critical events ... 289
About using Severity to identify events related to critical assets ... 290
About using the Services tab ... 290
About associating policies with assets to reduce false positives or escalate events to incidents ... 291
Section 6 Configuring the Information Manager ... 293
Chapter 19 Configuring the Console ... 295
About configuring Information Manager ... 295
Identifying critical systems ... 296
Adding a policy ... 297
Specifying networks ... 298
Chapter 20 Configuring general settings in the Web configuration interface ... 301
About the Settings view ... 302
Editing the Hosts file ... 304
Changing the network settings ... 305
Changing date and time settings ... 307
Changing a Network Time Protocol Server ... 308
About the Password view ... 309
Changing the password for Linux accounts ... 309
Changing the password for symcmgmt Linux account ... 310
About the Global Intelligence Network configuration view ... 311
About running LiveUpdate ... 312
Running LiveUpdate from the Information Manager Web configuration interface ... 313
About integrating Active Directory with the Information Manager server ... 313
Managing Active Directory configurations ... 314
Adding the CA root certificate ... 316
Shutting down the Information Manager server ... 317
Restarting the Information Manager server ... 317
About using the multipath feature for storage options ... 318
About External Storage ... 318
Creating NAS Configuration ... 319
Deleting NAS configuration ... 320
Connecting Information Manager to a SAN ... 320
Connecting Information Manager to a DAS ... 322
Configuring Information Manager with DAS/SAN Storage ... 322
Extending the storage capacity of an existing DAS/SAN configuration ... 323
Unmounting the DAS/SAN configuration ... 324
Restoring a DAS/SAN configuration ... 324
Deleting a DAS/SAN configuration ... 325
Chapter 21 Managing Global Intelligence Network content ... 327
About managing Global Intelligence Network content ... 327
Registering a Global Intelligence Network license ... 328
Viewing the status of Global Intelligence Network content ... 328
Chapter 22 Working with Information Manager configurations ... 333
About agent configurations ... 333
About Agent Connection Configurations ... 339
Configuring Agent to Manager failover ... 340
About the Information Manager configurations ... 342
About the Manager components configurations ... 342
Setting up blacklisting for logon failures ... 344
Modifying administrative settings ... 344
About Manager configurations ... 345
Increasing the minimum free disk space requirement in high logging volume situations ... 347
About Manager connection configurations ... 347
About configuring Information Manager directories ... 348
About configuring LiveUpdate ... 348
About Java LiveUpdate ... 348
Creating Java LiveUpdate configurations ... 349
Scheduling LiveUpdate requests ... 350
Modifying Java LiveUpdate configurations ... 351
Editing Java LiveUpdate configuration properties ... 357
Distributing a Java LiveUpdate configuration ... 358
Section 7 Managing application data ... 359
Chapter 23 Maintaining the Information Manager database ... 361
About database maintenance ... 361
Checking database status ... 361
About the database health monitor service ... 362
About purging event summary, alerts, and incident data ... 363
Adjusting parameters for automated purges ... 364
Setting the safe level and the alarm level for automated purges ... 365
Chapter 24 Managing data backup, restore, and purge ... 367
About backup, restore, and purge ... 367
Performing a complete LDAP directory server backup ... 368
Performing a complete LDAP directory server restore ... 369
Performing a complete database backup ... 370
Performing a complete database restore ... 370
Performing a selective backup ... 371
Performing a selective restore ... 373
Scheduling a backup ... 374
Editing a scheduled backup ... 376
Deleting a scheduled backup ... 376
Purging incident or event summary data ... 376
Purging selective backup files ... 378
Section 8 Appendix ... 379
Appendix A Firewall Settings for the Information Manager ... 381
Firewall settings ... 381
Introducing the Information Manager
■ Chapter 1. Overview
■ Chapter 2. Understanding the Information Manager components
Chapter 1
Overview
This chapter includes the following topics:
■ About Symantec Security Information Manager
■ What's new in this release
■ Features of Information Manager
■ About estimating system performance
About Symantec Security Information Manager
Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.
Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
■ Firewalls
■ Routers, switches, and VPNs
■ Enterprise antivirus
■ Intrusion detection systems and Intrusion Prevention Systems
■ Vulnerability scanners
■ Authentication servers
■ Windows and UNIX system logs
Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
■ Normalization and correlation of events from multiple vendors.
■ Event archives to retain events in both their original (raw) and normalized formats.
■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
■ Real-time security intelligence updates from Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.
■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.
■ An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.
■ A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.
■ Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.
■ A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.
See “Features of Information Manager” on page 22.
What's new in this release
Information Manager 4.7.4 contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.
New features
Information Manager 4.7.4 includes the following new features in addition to known issues and fixes:
■ Symantec SIEM 9700 Series appliances
■ SSIM Web Start Client
■ Role-based access to the Event Query Templates
■ Navigation option for Event Storage Rules list
Symantec SIEM 9700 Series appliances
Symantec SIEM 9700 Series appliances are scalable security information and event management appliances. These appliances provide reliable performance with Information Manager software. The SIEM 9700 Series is comprised of three models; the 9750, the 9751, and the 9752. Each model provides 3.9TB of redundant event storage and dedicated Remote Management Module features to allow remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.
For more information, see the following guides:
■ Symantec SIEM 9700 Series Appliances Maintenance Guide
■ Symantec SIEM 9700 Series Appliances Installation Guide
■ Symantec SIEM 9700 Series Appliances Product Description Guide
■ Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide
■ Symantec SIEM 9700 Series Appliances Safety Guide
See “New features” on page 21.
SSIM Web Start Client
By using SSIM Web Start Client, you can now reach the Information Manager console directly without downloading and installing the Information Manager console.
The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.
See “New features” on page 21.
Role-based access to the Event Query Templates
In Information Manager, an administrator can restrict the access of a user to Event Query Templates. Access to Event Query Templates can be controlled based on the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles.
If the View Event Query Templates permission is disabled for a role, the user who is assigned this role cannot access the Templates folder on the Events view. If the View Event Query Templates permission is enabled for a role, the user who is assigned this role can access and run the Event Query Templates.
See “Enabling access to the Event Query Templates” on page 46.
See “New features” on page 21.
Navigation option for Event Storage Rules list
A Move to top option and a Move to bottom option are now available in the Event Storage rules list. These options can be used to move a rule directly to the top or to the bottom of the list.
See “New features” on page 21.
Features of Information Manager
Symantec Security Information Manager 4.7 offers several new features over previous versions of Information Manager.
You can find the following new features in the 4.7 release of the Information Manager:
■ Information Manager is now hardware independent.
You can now install the Information Manager software on the hardware of your choice subject to the minimum requirements.
■ To identify the critical incidents and threats in your environment, the Information Manager lets you drill down into the reports and dashboards. Using the drill-down feature (available only on the console of the client), you can view the resources that are associated with an incident. This feature provides insights into the parts of the organization that the incident affects and the background information regarding the resources that are implicated. The drill-down feature helps simplify organizing, searching, and prioritizing specific assets or sets of assets, to assist in monitoring identity and access activities.
■ Top N by field
■ Trending for Top N by field
■ Summary data queries
■ The Information Manager now ships with version 4.7.1 of the Symantec Event Agent.
■ Active Directory Integration
This feature allows Active Directory users to access Information Manager. It lets you configure the Information Manager server to use Active Directory to perform user authentication.
■ Report Templates
The Information Manager has report content ready for regulatory compliance standards. These reports can automate the collection and analysis of log data. Therefore, businesses can provide the accountability and the transparency that is required to comply with stringent mandates and regulations. Report Templates are available for the following categories:
■ HIPAA
■ NERC
■ SOX
■ FISMA
■ UK-DPA
■ PCI-DSS
■ ISO 27001
■ GLBA
■ MISC
■ Custom Log Management
Using the Custom Log Management feature, you can now gather and correlate log data from applications for which no collector is available, that is, applications that Information Manager does not otherwise support. You can analyze the received log data and adjust the fields where necessary so that Information Manager can interpret the data. Information Manager provides Universal Collectors that you can use to collect the logs of such applications. You can install the Universal Collectors on the computers on which the Symantec Event Agent is installed. From the Custom Logs view on the Web configuration interface, you map the application log data that the Universal Collectors collect to the fields that are defined in the Events view in Information Manager.
■ Advanced Event Correlation
The Advanced Event Correlation feature now lets you define and use a combination of multiple rules to correlate events.
The Advanced Event Correlation feature enables you to define multiple conditions in a rule. Multi-conditioning lets you define the rules that support up to five user activities in a sequence. You can create a conclusion when a sequence of a specified pattern is detected for one combination of one-to-many fields within a specified time period.
Multi-conditioning provides flexibility and extensibility of the correlation rules. This flexibility significantly extends the ability of Information Manager to detect attacks and to identify the threats.
■ Event definition with negatives is possible in the Information Manager server. You now have the ability to generate incidents based on negative occurrences. This means that Information Manager can generate incidents when an expected event does not occur.
Information Manager supports the definition of a rule that creates a conclusion when two user activities that can be harmful occur one after another. In addition to this type of rule, Information Manager also supports rules that fire when a certain user activity does not occur after a valid user activity. The ability of Information Manager to generate events based on negative occurrences extends the possibilities of threat detection.
The Information Manager server supports the following rule types:
■ Lookup Table Update
■ Many Sources, One Target
■ Many Symantec Signatures, One Source
■ Many Symantec Signatures, One Target
■ Many Targets, One Event
■ Many Targets, One Source
■ Many to One
■ Multi-condition
■ Single Event
■ Symmetric Traffic
■ X not followed by X
■ X not followed by Y
■ Y not preceded by X
■ Trending Queries
The Information Manager lets you create a new query based on trends. The Trending Queries feature gives you a breakup of trend data for the Top N Events by Category (such as Product or Organizational Units) over a selected time frame. For example, you can view the Top Five Events Counts by Product over the last week. The results of the trending query can be displayed in a table, line bar, stacked, or multiple pie graphs.
The user can query the trends over the following time slice parameters:
Last 5 minutes: Trend for the last five minutes, plotted for each minute of the last five minutes.
Last 10 minutes: Trend for the last 10 minutes, plotted for each minute of the last 10 minutes.
Last 15 minutes: Trend for the last 15 minutes, plotted for each minute of the last 15 minutes.
Last 30 minutes: Trend for the last 30 minutes, plotted for each minute of the last 30 minutes.
Last 45 minutes: Trend for the last 45 minutes, plotted for each minute of the last 45 minutes.
Last hour: Trend for the last hour, plotted for each minute of the last hour.
Last 8 hours: Trend for the last eight hours, plotted for each hour of the last eight hours.
Last 12 hours: Trend for the last 12 hours, plotted for each hour of the last 12 hours.
Last 24 hours: Trend for the last 24 hours, plotted for each hour of the last 24 hours.
Last 48 hours: Trend for the last 48 hours, plotted for each hour of the last 48 hours.
Last 7 days: Trend for the last seven days, plotted for each day of the last seven days.
Last 14 days: Trend for the last 14 days, plotted for each day of the last 14 days.
Last 30 days: Trend for the last 30 days, plotted for each day of the last 30 days.
Today: Trend for the present day, plotted for every hour.
Yesterday: Trend for the day before today, plotted for every hour.
This week: Trend for this week, plotted for each day of the week.
Last Week: Trend for the last week, plotted for each day of the week.
This Month: Trend for this month, plotted for each week of the month.
This Month (Daily Trend): Trend for this month, plotted for each day of the month.
Last Month: Trend for the last month, plotted for each week of the month.
Last Month (Daily Trend): Trend for the last month, plotted for each day of the month.
This Quarter: Trend for this quarter, plotted for each month of the quarter.
This Quarter (Weekly trend): Trend for this quarter, plotted for each week of the quarter.
Last Quarter: Trend for the last quarter, plotted for each month of the quarter.
Last Quarter (Weekly Trend): Trend for the last quarter, plotted for each week of the quarter.
This Year: Trend for this year, plotted for each month of the year.
Last Year: Trend for the last year, plotted for each month of the year.
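The aggregation behind a trending query (Top N counts by a category, plotted once per minute, hour, or day over a slice) can be reproduced in a few lines. The following is an added example and not Information Manager code; it generalizes the relative "Last N ..." slices above to any span and bucket width. The sample events, the fixed reference time NOW, and the SLICES mapping from slice name to bucket width are this example's own assumptions.

```python
"""Added example (not SSIM code): bucketing events like a trending query.

Top N category counts per plotting interval over a relative time slice,
returning one entry per interval (empty intervals included) so a plot
has a point for every minute, hour, or day of the slice.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed mapping, following the guide's table: minute buckets for slices
# up to an hour, hour buckets up to 48 hours, day buckets for 7 to 30 days.
SLICES: Dict[str, Tuple[timedelta, timedelta]] = {
    "Last 5 minutes": (timedelta(minutes=5), timedelta(minutes=1)),
    "Last 15 minutes": (timedelta(minutes=15), timedelta(minutes=1)),
    "Last hour": (timedelta(hours=1), timedelta(minutes=1)),
    "Last 8 hours": (timedelta(hours=8), timedelta(hours=1)),
    "Last 24 hours": (timedelta(hours=24), timedelta(hours=1)),
    "Last 7 days": (timedelta(days=7), timedelta(days=1)),
}


def trend(events: List[dict], slice_name: str, now: datetime,
          category: str = "product", top_n: int = 5):
    """Top-N counts of `category` per bucket for the slice ending at `now`.

    Returns [(bucket_start, [(value, count), ...]), ...], oldest bucket first.
    """
    span, width = SLICES[slice_name]
    start = now - span
    buckets = [Counter() for _ in range(span // width)]
    for ev in events:
        # Half-open window [start, now): an event stamped exactly `now`
        # belongs to the next query, one before `start` is outside the slice.
        if not start <= ev["time"] < now:
            continue
        buckets[(ev["time"] - start) // width][ev[category]] += 1
    return [
        (start + i * width, counts.most_common(top_n))
        for i, counts in enumerate(buckets)
    ]


# Constructed sample data: a fixed "now" and a handful of normalized events.
NOW = datetime(2011, 6, 1, 12, 0)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(hours=8, minutes=1), "product": "Firewall-A"},  # 03:59, outside
    {"time": NOW - timedelta(hours=8), "product": "Firewall-A"},             # 04:00, bucket 0
    {"time": NOW - timedelta(hours=6, minutes=55), "product": "IDS-B"},      # 05:05, bucket 1
    {"time": NOW - timedelta(minutes=50), "product": "Firewall-A"},          # 11:10, bucket 7
    {"time": NOW - timedelta(minutes=40), "product": "Firewall-A"},          # 11:20, bucket 7
    {"time": NOW - timedelta(minutes=30), "product": "IDS-B"},               # 11:30, bucket 7
    {"time": NOW, "product": "IDS-B"},                                       # at "now", excluded
]

if __name__ == "__main__":
    for bucket_start, top in trend(SAMPLE_EVENTS, "Last 8 hours", NOW):
        print(bucket_start.strftime("%H:%M"), top)
```

The same function answers "Top Five Event Counts by Product over the last week" with slice_name="Last 7 days" and category="product"; swapping category for an organizational-unit field gives the per-OU breakdown the guide mentions.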
instead of restoring all the data to an earlier state. Further you can also select and purge the backup files. Only those backup files that were selectively backed up can be purged.
About estimating system performance
To determine the performance of an Information Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors and by nature requires the customization of settings to match each environment. Hence, the physical performance depends greatly on the collectors and settings that you choose.
The events per second (EPS) rates observed under optimal circumstances are provided here for general planning purposes. You can create a rough estimate of system performance from the information in these tables. However, system performance may vary widely from these figures depending on your specific environment, and your estimates need to be adjusted over time as your policies, settings, and storage requirements are refined.
Note: The performance figures are currently being updated. An addendum to the Symantec Security Information Manager 4.7.4 Administrator Guide will be available soon with the new performance figures.
See “About Symantec Security Information Manager” on page 19.
Understanding the Information Manager components
This chapter includes the following topics:
■ About workflow in Information Manager
■ About Information Manager components
About workflow in Information Manager
The Symantec Security Information Manager workflow includes the following steps:
■ Event collectors gather events from Symantec and third-party point products. See “About Event Collectors and Information Manager” on page 163.
■ Events are filtered and aggregated.
See “Configuring event filtering” on page 197. See “Configuring event aggregation” on page 200.
■ Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.
See “About forwarding events to an Information Manager server” on page 241. See “Activating event forwarding” on page 245.
■ The Information Manager server stores the event data in event archives. See “About event archives” on page 210.
■ The Information Manager server correlates the events with threat and asset information based on the various correlation rules.
See “About the Correlation Manager” on page 115.
■ Information Manager security events trigger a correlation rule and create a security incident.
About Information Manager components
Symantec Security Information Manager has the following components:
■ Security products and devices
See “About security products and devices” on page 31.
■ Event collectors
See “About event collectors” on page 31.
■ Information Manager servers
See “About Information Manager servers” on page 32.
■ Global Intelligence Network
See “About the Symantec Global Intelligence Network” on page 32.
■ Web service
See “About the Information Manager Web service” on page 32.
About security products and devices
The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.
See “About Information Manager components” on page 30.
About event collectors
Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format. You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you can configure event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.
Symantec provides event collectors for the following types of products:
■ Firewalls
■ Routers, switches, and VPNs
■ Intrusion detection and prevention systems
■ Vulnerability scanners
■ Web servers, filters, and proxies
■ Databases
■ Mail and groupware
■ Enterprise antivirus
■ Microsoft authentication services
■ Windows and UNIX system logs
For access to the extensive library of event collectors, visit Symantec support at the following Web site:
http://www.symantec.com/enterprise/support/
See “About Information Manager components” on page 30.
About the Symantec Global Intelligence Network
Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.
See “About Information Manager components” on page 30.
About the Information Manager Web service
The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.
See “About Information Manager components” on page 30.
For more information on interfacing your application to use the Web service, see the application documentation or your application vendor.
About Information Manager servers
Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements.
correlation. In most cases, a combination of multiple servers that share the event and the incident processing load is preferred.
See “About Information Manager components” on page 30.
Managing roles, permissions, users, and organizational units
■ Chapter 3. Managing roles and permissions
■ Chapter 4. Managing users and user groups
■ Chapter 5. Managing organizational units and computers
■ Chapter 6. Configuring a service provider
Managing roles and permissions
This chapter includes the following topics:
■ About managing roles
■ About working with permissions
About managing roles
A role is a group of access rights for a product. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.
See “About planning for role creation” on page 38.
You create new roles in the Symantec Security Information Manager console. When you click Roles on the System view of the console, you can perform the following tasks:
■ Create a role.
See “Creating a role” on page 40.
■ Edit role properties.
See “Editing role properties” on page 48.
■ Delete a role.
See “Deleting a role” on page 55.
Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles.
See “About the administrator roles” on page 39.
About planning for role creation
Roles control user access; therefore, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the type of roles that you must create. The users who perform these tasks determine which users should be members of each role.
See “About managing roles” on page 37.
Consider the following issues:
■ Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role.
■ Who administers your security network by creating management objects such as users and organizational units?
These users must be members of the roles that provide management access and the ability to access the System view.
■ Which products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System view only.
■ Who is responsible for monitoring events and incidents?
These users must be members of event viewing roles for the products for which they are responsible. Users who monitor events must have access to the Events view. Users who monitor incidents must have access to the Events view and the Incidents view.
■ Who responds to problems and threats?
These users must have access to the Events view and the Incidents view. Users who create and manage help desk tickets must also have access to the Tickets view.
Table 3-1 lists the common roles in a security environment and the responsibilities that belong to each role.
Table 3-1 Typical roles and responsibilities
Domain Administrator
■ Defines the user roles and role authority.
User Administrator
■ Creates the correlation rules and collection filters.
■ Performs the user and the device administration.
Information Manager
■ Views all incidents, events, reports, and actions.
Report Writer
■ Views the incidents, events, and reports for assigned devices.
■ Reviews and validates incident response.
■ Provides the affirmation of incident review and response by administrators to GAO and others.
Report User
■ Views the events and reports for assigned devices.
Rule Editor
■ Creates, edits, and deploys rules.
About the administrator roles
When you install the Information Manager, the following default administrator roles are created:
SES Administrator: This role has full authority over all of the domains in the environment.
Domain Administrator: This role has full authority over one specific domain in the environment.
If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains (for example one for each geographic region of your company), each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.
The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. The password for the administrator user account is specified at the time of installation.
You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user should not be assigned to any other roles.
See “Editing role properties” on page 48.
Creating a role
You can create roles using the Role Wizard in the Information Manager console. Only a user who has either the Domain Administrator role or the SES Administrator role can create roles.
See “About planning for role creation” on page 38.
Note: If the Role members will have access to all archives option is selected, role members can access new archives automatically. If the Role members will have access to only the selected archives option is selected, role members cannot access new archives automatically.
To create a role
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Role Wizard, click Next.
5 In the General panel, do the following, and click Next:
■ In the Role name text box, type a name for the role.
■ In the Description text box, type a description of the role (optional).
6 In the Products panel, do one of the following:
■ To give the role members access to all of the listed products, click Role members will have access to all products, and click Next.
■ To limit the role members' access to certain products, click Role members will have access to only the selected products and select the appropriate products. Then click Next. Symantec Security Information Manager is checked by default in the Product List.
7 In the SSIM Permissions panel, do one of the following:
■ To give role members all permissions that apply to Information Manager, click Enable all Permissions, and click Next.
■ To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, uncheck the permissions that
8 In the Console Access Rights panel, do one of the following:
■ To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and click Next.
■ To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one of the console access rights, and click Next.
See “Modifying Information Manager console access rights” on page 47.
9 In the Organizational Units panel, do one of the following:
■ To give role members access to all organizational units, click Role members will have access to all organizational units, and click Next.
■ To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational unit tree, select at least one organizational unit to associate with this role, and click Next.
When you select an organizational unit that has additional organizational units, users of the role are given access to those additional organizational units also.
If you add an organizational unit to a role, the following users can see the events that are generated by the security products:
■ Users who are role members
■ Users who have event viewing access
These users can view only those events that are generated by the security products that are installed on the computers of that organizational unit. Role members can see events only from computers in the organizational units that have been added to their roles.
10 In the Servers panel, do one of the following:
■ To give role members access to all of the Information Manager servers in your security environment, click Role members will have access to all servers, and click Next.
■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click Next.
Members of the role can modify configurations on the selected servers. The role members can also view event archives that reside on the selected servers.
11 In the Members panel, do one of the following:
■ To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users from the Available Users list to the Selected Users list, and click OK. In the Members panel, click Next.
■ To add the users who are members of a specific user group, click Add Members From Groups. In the Find User Groups dialog box, add one or more user groups, and click OK. The users that are associated with the groups you selected are added to the Selected Users list. When you are finished, click Next.
■ To continue without adding users to the role, click Next.
You can add users to the role later by editing the role’s properties. See “Adding a user to a role” on page 43.
You can also associate a role with a user by editing the user’s properties. You can assign users to a role only if you have already created those users. See “Creating a new user” on page 63.
12 In the Role Summary panel, review the information that you have specified, and click Finish. The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
13 Click Close.
Editing role properties
After you create a role in Information Manager, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles.
You can edit the properties of a role by selecting the role in the right pane. You can also edit the role properties from any dialog box that displays the role’s properties.
To edit role properties
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 Use the Editing Role Properties dialog box to make changes to the role.
See “Modifying Information Manager console access rights” on page 47. See “Modifying product access rights” on page 44.
See “Modifying server access rights” on page 48. See “Modifying access permissions in roles” on page 49.
Adding a user to a role
When a user logs on to Information Manager, the user’s role membership determines the user's access to the various products and event data. You can assign a user to a role in the following ways:
■ Assign each user individually to one or more roles.
■ Assign users to groups, and assign user groups to roles.
When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.
Note: Before you assign users and user groups to roles, you must create users and user groups in the Directory.
See “Creating a new user” on page 63. See “Creating a user group” on page 65.
To add a user to a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane, click Members.
4 Click Add Members.
5 In the Find Users dialog box, in the list of available users, search for a user within a domain or a user group. You can also search for a user by entering the logon name, last name, or first name and then clicking Start Search. All of the users who meet the criteria you entered appear in the available users list. Select a user name (or Ctrl + click multiple user names), and click Add. The user name appears in the Selected users list.
6 To view or edit the properties of a user, click the user name, and click Properties.
7 In the User Properties dialog box, view or make changes to the properties, and click OK.
8 In the Find Users dialog box, click OK.
9 In the Editing Role Properties dialog box, click OK.
To add a user group to a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane, click Members.
4 Click Add Members From Groups.
5 In the Find User Groups dialog box, select the domain of the group from the drop-down list.
6 In the list of available user groups, click a user group name (or Ctrl + click multiple user group names), and click Add. The user group name appears in the Selected user groups list.
7 To view or edit the properties of a user group, click the user group name, and click Properties.
8 In the User Group Properties dialog box, view or make changes to the properties, and click OK.
9 In the Find User Groups dialog box, click OK.
10 In the Editing Role Properties dialog box, click OK.
See “Editing role properties” on page 48.
Modifying product access rights
The Products property lets you select and modify the products to which role members have access.
To modify product access rights
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click Products.
4 Do one of the following:
■ To give the role members access to all of the listed products, click Role members will have access to all products.
■ To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list.
Consider the tasks that role members perform as you select products from the list.
The section “Modifying access permissions in roles” describes the access requirements of typical enterprise security roles.
5 Click OK.
See “Editing role properties” on page 48.
Modifying SIM permissions
Use the SIM Permissions property to enable or disable several types of Information Manager permissions that are assigned to a role.
See “About managing roles” on page 37.
To modify SIM permissions
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click SIM Permissions.
4 Do one of the following:
■ To assign all Information Manager permissions to the role, click Enable all Permissions.
■ To limit the permissions that are assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role.
Table 3-2 lists the permissions that the users who perform specific functions need.
5 Click OK.
About the Bypass Event RBAC option
When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives unrestricted access to all of the event archives to which the user's role has been granted access.
When a user with this role performs an event query, the query bypasses any additional permission settings based on Organizational Unit, Domain, or Product settings. The query returns a complete data set from the archives for which the user has been given access. Enabling Bypass Event RBAC enhances query performance by reducing the set of permission criteria against which the query must be processed.
See “About managing roles” on page 37.
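What the option changes is easier to see in a small model of the filtering the section describes: archive access always bounds a query, and the Organizational Unit, Domain, and Product checks apply only when the bypass is off. The following is an added example and not Information Manager code; the Event and Role fields, the sample events, and the role are constructed assumptions. The bypass_exposure helper is the check an administrator would want before enabling the option, because it lists exactly which events a role gains sight of.

```python
"""Added example (not SSIM code): modelling what Bypass Event RBAC changes.

Reproduces the described query filtering and reports the scope that
enabling the option would widen for a given role.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List


@dataclass(frozen=True)
class Event:
    archive: str      # event archive (server) the event is stored in
    domain: str
    org_unit: str
    product: str
    message: str


@dataclass(frozen=True)
class Role:
    name: str
    archives: FrozenSet[str]    # archives the role has been granted access to
    domains: FrozenSet[str]
    org_units: FrozenSet[str]
    products: FrozenSet[str]
    bypass_event_rbac: bool = False


def visible_events(events: List[Event], role: Role) -> List[Event]:
    """Events a member of `role` gets back from an event query."""
    # Archive access is the outer boundary and always applies: the bypass
    # never reaches archives that were not assigned to the role.
    in_scope = [e for e in events if e.archive in role.archives]
    if role.bypass_event_rbac:
        return in_scope
    # Without the bypass, each in-scope event is also checked against the
    # role's Domain, Organizational Unit, and Product permissions.
    return [
        e for e in in_scope
        if e.domain in role.domains
        and e.org_unit in role.org_units
        and e.product in role.products
    ]


def with_bypass(role: Role) -> Role:
    """Copy of `role` with Bypass Event RBAC enabled."""
    return replace(role, bypass_event_rbac=True)


def bypass_exposure(events: List[Event], role: Role) -> List[Event]:
    """Events the role would newly see if Bypass Event RBAC were enabled.

    An empty result means the option is a pure performance gain for this
    role; a non-empty result is the scope that widens.
    """
    restricted = set(visible_events(events, role))
    return [e for e in visible_events(events, with_bypass(role))
            if e not in restricted]


def messages(events: List[Event]) -> List[str]:
    return [e.message for e in events]


# Constructed sample data (assumed archive, domain, OU, and product names).
SAMPLE_EVENTS = [
    Event("archive-east", "corp", "hq", "Firewall", "hq firewall deny"),
    Event("archive-east", "corp", "branch", "Firewall", "branch firewall deny"),
    Event("archive-east", "lab", "hq", "Firewall", "lab domain firewall deny"),
    Event("archive-east", "corp", "hq", "IDS", "hq IDS alert"),
    Event("archive-west", "corp", "hq", "Firewall", "west archive firewall deny"),
]

HQ_FIREWALL_ANALYST = Role(
    name="HQ Firewall Analyst",
    archives=frozenset({"archive-east"}),
    domains=frozenset({"corp"}),
    org_units=frozenset({"hq"}),
    products=frozenset({"Firewall"}),
)

if __name__ == "__main__":
    print("restricted:", messages(visible_events(SAMPLE_EVENTS, HQ_FIREWALL_ANALYST)))
    print("bypass adds:", messages(bypass_exposure(SAMPLE_EVENTS, HQ_FIREWALL_ANALYST)))
```

Note that the west archive event never appears in either list: the bypass removes the OU, Domain, and Product checks but leaves the archive assignment intact, which is why limiting a role's servers and archives remains the effective control when the option is on.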
Enabling access to the Event Query Templates
The View Event Query Templates permission in a role controls the access to the Templates folder in the Events view. If this permission is enabled for a role, the user who is assigned the role can access the Event Query Templates.
For example, the Information Manager administrator creates two roles, IncidentAnalyst and EventAnalyst. The View Event Query Templates permission is disabled for the IncidentAnalyst role, and enabled for the EventAnalyst role. The IncidentAnalyst role is assigned to user A and the EventAnalyst role is assigned to user B. From the Events view, user A, who is assigned the IncidentAnalyst role, cannot view the Event Query Templates. User B, who is assigned the EventAnalyst role, can view the Event Query Templates and run the corresponding queries.
You can edit the existing roles to enable the View Event Query Templates permission.
To enable the View Event Query Templates permission for existing roles
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.
3 On the right panel, right-click the role that you want to edit and select Properties.
4 In the Editing Role Properties dialog box, select SIM Permissions.
6 From the permissions list, check View Event Query Templates.
7 Click Save and then click OK.
By default, this permission is enabled for new roles. While creating a role, you can disable the View Event Query Templates permission for a new role. Select the Enable specific permissions option from the SIM Permissions panel and then uncheck View Event Query Templates.
See “Creating a role” on page 40.
See “Role-based access to the Event Query Templates” on page 22.
Modifying Information Manager console access rights
Console access rights control the views that a role member can access when they log on to the Information Manager console.
You can modify the Console access rights that you assigned when you created the role. Based on the Console access rights, various views of the console are visible to the role members whenever they log on to Information Manager.
To modify console access rights
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click Console Access Rights.
4 Do one of the following:
■ To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.
■ To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as you want.
The following table describes the tiles (views in the Information Manager console) that are available to members:
Show Assets Tile: Displays the Assets view in the console.
Show Dashboard Tile: Displays the Dashboard view in the console.
Show Events Tile: Displays the Events view in the console.
Show Incidents Tile: Displays the Incidents view in the console.
Show Intelligence Tile: Displays the Intelligence view in the console.
Show Reports Tile: Displays the Reports view in the console.
Show Rules Tile: Displays the Rules view in the console.
Show Statistics Tile: Displays the Statistics view in the console.
Show System Tile: Displays the System view in the console.
Show Tickets Tile: Displays the Tickets view in the console.
The section “Modifying access permissions in roles” lists the console access rights that the users who perform specific functions need.
5 Click OK.
See “Editing role properties” on page 48.
Modifying server access rights
Use the Servers property to select the servers to which role members have access. The selections for this property determine the servers that the role members can see on the following console locations:
■ The Testing tab on the Rules view that can be used for testing a specific rule.
■ The servers and archives that are available for each query on the Events view.
■ The Server Configurations tab on the System view.
To modify server access rights
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click Servers.
4 Do one of the following:
■ To give role members access to all Information Manager servers in the network configuration, click Role members will have access to all servers.
■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click OK.
See “Editing role properties” on page 48.
Modifying access permissions in roles
Roles include the permissions that determine the types of access (for example, Read and Delete) for a role member. Based on these permissions a role member can access various functions on the Information Manager console. Permissions are assigned to roles on various functions and the users belonging to those roles can perform tasks accordingly.
You can change the access permissions for the following types of objects:
■ Container objects that were created when you installed Information Manager, such as organizational units.
■ The new objects that you create within the container objects.
When you view the properties of a role, you can view and modify the permissions by selecting tabs in the Editing Role Properties dialog box.
Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works. See “About working with permissions” on page 55.
Table 3-2 describes the access requirements of typical enterprise security roles.
Table 3-2 Access requirements for roles
Role: SES Administrator and Domain Administrator
Products: All
Symantec Security Information Manager permissions: All
Console access: All
Access permissions: All
Note: You cannot modify access permissions of the SES Administrator and Domain Administrator roles.
Role: Information Manager System Administrator
Symantec Security Information Manager permissions:
■ Allow Asset Edits
■ Move Computers
Console access:
■ Show Dashboard Tile
■ Show Intelligence Tile
■ Show Statistics Tile
■ Show System Tile
Access permissions:
■ Read and Search on Published / System Query groups
Role: (name not shown in this excerpt)
Symantec Security Information Manager permissions:
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
Console access:
■ Show Assets Tile
■ Show Dashboard Tile
■ Show Intelligence Tile
■ Show Rules Tile
■ Show System Tile
Access permissions:
■ Read and Search on Published / System Query groups
■ Read and Write on users and user groups
■ Read and Write on rules and roles