
Tivoli Security Information and Event Manager V1.0

Summary

Security information and event management (SIEM) is a primary concern of the CIOs and CISOs in many enterprises. They need to centralize security-relevant events and analyze the consolidated data to obtain valuable security insights for their organizations.

IBM offers two complementary SIEM perspectives on the security information in the network:

o A real-time, network event-oriented management dashboard that facilitates attack recognition and incident management

o An information analysis dashboard to assess how well an organization adheres to its security and governance policies

IBM Tivoli Security Information and Event Manager V1.0 consists of two products: IBM Tivoli Security Operations Manager V4.1 and IBM Tivoli Compliance Insight Manager V8.5. These products work closely together to help you realize the full promise of enterprise SIEM. You can centralize log collection and event correlation across your enterprise, and use an advanced compliance dashboard to link security events and user behavior to your corporate policies.

Tivoli Security Information and Event Manager delivers a comprehensive foundation for addressing your SIEM requirements. As a result, IT organizations can lower their exposure to security breaches; collect, analyze, and report on compliance events; and manage the complexity of heterogeneous technologies and infrastructures. This includes support for several hundred applications, host operating systems, security products, network infrastructure, desktops, and mainframe systems.

Introduction

The Tivoli Security Information and Event Manager (TSIEM) bundle consists of specialized mature components that handle both the security information management (SIM) and the security event management (SEM) operations. In this package, you will find two products: Tivoli Security Operations Manager, which handles SEM; and Tivoli Compliance Insight Manager, which handles SIM. We have packaged these two products into a single offering for convenience and affordability.


both of these component solutions are presented to the administration to track the overall SIEM status and health of the IT deployment.

Product Overview

TSIEM lets customers start with simple deployments focused on log aggregation and basic reporting, then expand into policy-focused user activity reporting for compliance initiatives (with auditor-ready reports) and real-time correlation for incident management and network policy monitoring.

Tivoli Security Information and Event Manager also provides interoperability with other critical IT operations and Tivoli and IBM platforms, including Netcool/OMNIbus, IBM ISS Proventia solutions, z/OS, AIX, WebSphere, DB2, iSeries, Lotus Domino, Tivoli Access Manager, Tivoli Identity Manager, and Tivoli Enterprise Console, among others.

Why you bought TSIEM

• Better overall pricing: TSIEM offers you a better-priced way of obtaining both Tivoli Compliance Insight Manager and Tivoli Security Operations Manager or for upgrading from one product to both products.

• Upgrade path to IBM SIEM solution: As we develop our product range, the TSIEM offering enables customers to upgrade to other product offerings and options in this product range.

What you can do with TSIEM

Security Information Management

Who uses it?

Audit and Compliance officers benefit from using Tivoli Compliance Insight Manager because it offers them a reliable, verifiable, and automated approach to monitoring their organization’s compliance posture.

What can they do?

They can automate log management and compliance reporting. Tivoli Compliance Insight Manager provides tools to control and monitor the collection of audit logs and audit events from IT infrastructure in a reliable and verifiable way.

Compliance modules and reporting

Tivoli Compliance Insight Manager provides specific and targeted compliance reporting, enabling the CISO, security officers, and audit officers to easily monitor the organization's compliance.

The compliance modules provide:

• A template set of classifications (a grouping in Tivoli Compliance Insight Manager terminology) that are in the vocabulary of the regulation or standard.

• A template policy that defines the controls that need to be monitored in terms of the classifications defined in the template.

• A set of reports, defined to show the monitoring of the controls defined in the regulation.


Key to the compliance and audit reporting is the definition of policy. Tivoli Compliance Insight Manager provides template policies in the compliance modules and also the capability for the customer to define policies by using the built-in policy definition tools.

Device support

By providing wide support for major pieces of IT infrastructure such as network devices, operating systems, applications, databases, and z/OS, Tivoli Compliance Insight Manager can monitor the compliance of these platforms and the overall compliance of the organizations that use them.

Security Event Management

Who uses it?

The Security Operations Center is the main consumer and user of SEM capabilities. However, the reports on security risk status and threat health of the IT resources are also essential for Security Officers and CIOs.

What can they do?

The SEM components allow operators to collect, parse, aggregate, filter, categorize, correlate, and analyze real-time security threat data from a wide set of different sources throughout the enterprise. They help operators understand and distill the disparate security event data into business-relevant alerts, which can be analyzed from a single location and quickly tracked through to resolution. SEM helps in identifying weak areas in the security of the IT deployment, and quickly reports on the status of the systems, for further use in compliance audits.

Correlation

One main advantage of the SEM solution is the capability to create rules that reflect how the company wants to handle particular security events, depending on geographic location, resource importance, source of the event, network topology, relationship with other events, frequency, and a myriad of other policy combinations.

Notifications, alerts, and forwarding of events can also be configured according to these rules.

Analysis

After the data is correlated, the operator can get different views of how the security events are affecting the IT resources; for example, by network, by functional group, by detail, and by many other groupings. When interesting vulnerabilities are found, the operator can drill down into the affected resources to troubleshoot the source of the problem using a set of common tools available from a convenient central location. All these operations can be tracked with an internal ticketing system.

Reporting

The end goal is to assess and report on the security health of these IT implementations. The SEM solution offers a customizable set of views and dashboards that provide operators an at-a-glance view of the vulnerability status for the resources that are most relevant to them. Additionally, there is a large set of pre-configured reports to provide executives and administrators with security threat snapshots of the systems, for further use in compliance reporting.

Device support


costly. Therefore, being able to collect, parse, normalize, and categorize security event data from over 200 different devices is of great benefit for large organizations.

How to install TSIEM Servers

Because TSIEM bundles two existing products together, the TSIEM package consists of two sets of installation CDs: one set for Tivoli Compliance Insight Manager and another set for Tivoli Security Operations Manager.

The products can be installed in any order. Each product requires its own server, and each server must be installed on its own dedicated system. For information on installing each product, see:

• Tivoli Compliance Insight Manager V8.5 Quick Start Guide, located on the Tivoli Compliance Insight Manager V8.5 Quick Start CD

• Tivoli Security Operations Manager V4.1 Quick Start Guide, located on the Tivoli Security Operations Manager V4.1 Quick Start CD

Typical Configuration

[Figure: typical TSIEM configuration. Event sources (applications, databases, operating systems, IDS & IPS, firewalls, mainframe) feed points of presence (collectors that retrieve log files). These feed the IBM Tivoli SIEM install (TSOM and TCIM), whose output is the operational dashboard, the compliance dashboard, reports, alerts, and third-party integration.]


Integration potential

The integration between event management and information management is compelling. Being able to react in real time through an operational dashboard, and then filter information upwards to the compliance dashboard so that correlated events are presented from a compliance perspective, gives customers the all-round view they need of their compliance posture.

Integration options

Sending auditable, correlated events from Tivoli Security Operations Manager to Tivoli Compliance Insight Manager:

In this instance, Tivoli Security Operations Manager is configured to correlate certain auditable events (such as firewall policy changes or denial-of-service attacks) and to send those events to Tivoli Compliance Insight Manager. Tivoli Compliance Insight Manager then reports on those events in the compliance and audit reports and also keeps the events in the depot for future reporting, investigation, or audit purposes.

Sending alerts from Tivoli Compliance Insight Manager to Tivoli Security Operations Manager for further action:

In this instance, Tivoli Compliance Insight Manager is configured to send an alert to Tivoli Security Operations Manager. The contents of the alert are the 7Ws (who, what, when, where, where from, where to, and on what) of the event that triggered the alert.

Tivoli Security Operations Manager is then configured to raise a ticket to have this alert recorded and resolved.
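The following is an added example, not TSOM or TCIM code and not their rule syntax, showing the two ideas the Correlation section and the integration options above describe: raw events from different sources are normalized into a common 7W-style record, correlation rules then weigh frequency and resource importance, and auditable events (here a firewall policy change) are marked for forwarding to the compliance depot. The two log formats, the host names, the asset importance table, and the rule thresholds are all constructed for illustration.

```python
"""Added example: normalize heterogeneous events into 7W-style records and
correlate them. Log formats, hosts and thresholds are constructed, not real
device output or product rule syntax."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two made-up syslog-like formats.
SAMPLE_LOGS = [
    "2021-03-01T10:00:01 fw01 fw: action=policy-change admin=jsmith rule=allow-dmz-ssh",
    "2021-03-01T10:00:05 dc01 auth: logon-failure user=svc_backup src=10.1.2.3",
    "2021-03-01T10:00:08 dc01 auth: logon-failure user=svc_backup src=10.1.2.3",
    "2021-03-01T10:00:12 dc01 auth: logon-failure user=svc_backup src=10.1.2.3",
    "2021-03-01T10:00:15 dc01 auth: logon-failure user=svc_backup src=10.1.2.3",
    "2021-03-01T10:00:20 dc01 auth: logon-failure user=svc_backup src=10.1.2.3",
    "2021-03-01T10:30:00 web02 auth: logon-failure user=alice src=10.9.9.9",
    "this line matches no parser and is dropped",
]

# Hypothetical asset inventory: importance 1 (low) to 3 (critical).
ASSET_IMPORTANCE = {"fw01": 3, "dc01": 3, "web02": 1}

FW_RE = re.compile(r"^(?P<when>\S+) (?P<host>\S+) fw: action=(?P<action>\S+) "
                   r"admin=(?P<admin>\S+) rule=(?P<rule>\S+)$")
AUTH_RE = re.compile(r"^(?P<when>\S+) (?P<host>\S+) auth: (?P<outcome>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def normalize(line):
    """Parse one raw line into a 7W-style record (who, what, when, where,
    where from, where to, on what). Returns None if no parser accepts it."""
    m = FW_RE.match(line)
    if m:
        return {"who": m["admin"], "what": m["action"],
                "when": datetime.fromisoformat(m["when"]), "where": m["host"],
                "wherefrom": None, "whereto": m["host"], "onwhat": m["rule"],
                "source_type": "firewall"}
    m = AUTH_RE.match(line)
    if m:
        return {"who": m["user"], "what": m["outcome"],
                "when": datetime.fromisoformat(m["when"]), "where": m["host"],
                "wherefrom": m["src"], "whereto": m["host"],
                "onwhat": "account:" + m["user"], "source_type": "auth"}
    return None


def rule_failed_logon_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Fire once per (source, target) pair when at least `threshold` logon
    failures land inside a sliding time window. Severity is scaled by the
    target's importance, the 'resource importance' input the text mentions."""
    alerts = []
    by_pair = defaultdict(list)
    for e in events:
        if e["what"] == "logon-failure":
            by_pair[(e["wherefrom"], e["whereto"])].append(e)
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["when"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed-logon-burst",
                               "severity": 2 * ASSET_IMPORTANCE.get(dst, 1),
                               "source": src, "target": dst,
                               "count": end - start + 1,
                               "forward_to_compliance": False})
                break  # one alert per pair; later hits would only repeat it
    return alerts


def rule_auditable_change(events):
    """Firewall policy changes are auditable: low urgency for the operator,
    but flagged for forwarding to the compliance depot."""
    return [{"rule": "firewall-policy-change", "severity": 1, "who": e["who"],
             "target": e["where"], "onwhat": e["onwhat"],
             "forward_to_compliance": True}
            for e in events
            if e["source_type"] == "firewall" and e["what"] == "policy-change"]


def correlate(lines):
    """Normalize raw lines, drop unparseable ones, run all rules."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return rule_failed_logon_burst(events) + rule_auditable_change(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed sample yields two alerts: a severity-6 burst (five failures from 10.1.2.3 against the critical host dc01 within 15 seconds) and a severity-1 firewall policy change by jsmith marked for forwarding; the single failure against web02 stays below the threshold and the unparseable line is dropped rather than guessed at.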

For more detailed integration information, see the TSIEM documentation available on the information center for each product:

• Tivoli Security Operations Manager

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.netcool_som.doc/welcome.htm

• Tivoli Compliance Insight Manager

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itcim.doc/welcome.htm
