Security Information and Event
Management
sponsored by:ISSA Web Conference
April 26, 2011
Agenda
•
The Truth & Reality of a SIEM Implementation
“Candy” Frances Alexander, CISSP CISM - Chief Information Security Officer, Long Term Care Partners
•
Data Governance in Today’s World
Peter Kohler - Optim, Guardium, and Discovery Business Unit Executive - IBM
•
Cloud Automation Protocols for SIEM
Erin Connor - Director, EWA-Canada
•
Open Panel with Audience Q&A
•
Closing Remarks
The Truth & Reality of a
SIEM Implementation
Candy Alexander, CISSP CISM
Topics
•
Background
•
Requirements
•
Typical challenges
•
Doing it the “right” way…
•
If I were to do it all over again…
Background
•
Jumped into the SIEM game 3 years ago
•
Requirements were defined as
– Compliance monitoring (HIPAA, FISMA)
– Identify security posture
– Central security management console (central view)
– Audit evidence/artifacts
– Incident response/investigations
– IT optimalization
•
Security Maturity Level: “Evolving”
•
Common challenges
– Multiple Stakeholders without clear expectations
– Getting IT involved (i.e. care and feed)
– Where does “it” really fit?
– Has it hurt or helped?
Requirements
•
Understand what YOU need the tool to do
–
Regulatory
–
Scalability
–
Learn what you “don’t know”
–
Factor in vendor support/training
•
Understand what the TOOL needs you to do
–
Skills
–
FTE/PTE?
–
Budget to grow on?
Challenges
•
Who needs a Project manager?
•
Security maturity of Program
–
Evolving Program = people/culture challenges
–
Implementation Program = technology challenges
–
Well Established Program = skill levels, resources
•
Business Value
Doing it the “right way”
•
No matter what, before you begin
–
Get common agreement
–
Use sound project management methodologies
If I were to do it all over again…
•
NO matter what, this is one of the biggest investments
and implementations that you will undertake
•
Look at your options
–
In-house (mature security programs with a huge scope)
–
Out-source (any level of maturity with a smaller scope or
resources)
–
* Hybrid (any level of maturity with smaller resources but
want/need to keep in house)
11
Question and Answer
Candy Alexander, CISSP CISM
Chief Information Security Officer Long Term Care
Partners
Data Governance in Today’s
World
Peter Kohler
Data Governance Business Unit Executive
Rampant Data Growth
Application Redundancies
Reduce brand reputation risks and audit deficiencies Cost effectively support your
information retention policies while controlling data growth.
Application Portfolio Rationalization
•Sunset legacy applications •Reduce operational IT spend
Information Compliance
The Challenges Around Data Governance
Protect and enable secure sharing of information
Information Security
Meet SLA’s
Reduce operational IT spend
63% IT executives rate
compliance with regulations a top challenge.
84% of security breaches come from internal sources, from non-production.
Average Costs and Fines for a Data Breach $6.6M
Information Governance Core Disciplines
Quality Management – Lifecycle – Security & Privacy
Protecting Information Security & Privacy Across the
Enterprise
Discover & Define Secure & Protect Monitor & Audit Discover where sensitive data resides Classify & define datatypes Define policies
Protect enterprise data from both authorized &
unauthorized access Safeguard sensitive data in documents De-identify confidential data in non-production environments
Audit and report for compliance Monitor and enforce
database access Assess database
Securing and Protecting Your Information Supply Chain
• Protecting the data across the enterprise, both internal and external threats
• Knowing who’s accessing your data when, how and why
• Monitoring and reporting on database access for audit purposes
Discover & Define
Monitor & Audit
Secure & Protect
Complete Business Object Challenge for Retention
and Masking
•
Referentially-intact subset of data across related tables and
applications; includes metadata
•
Provides “historical reference snapshot” of business activity
•
Federated object support across enterprise data stores
De-identify Data in Non-Production Environments
without Impacting Test & Development
• Mask or de-identify sensitive data elements that could be used to identify an individual
• Ensure masked data is contextually appropriate to the data it replaced, so as not to impede testing
• Data is realistic but fictional
• Masked data is within permissible range of values
•
Support referential integrity of the masked data elements to
prevent errors in testing
Personal identifiable information is masked with realistic but fictional data for testing &
development purposes.
18
Real-Time Database Monitoring
• Non-invasive architecture
• Outside database
• Minimal performance impact (2-3%)
• No DBMS or application changes
• Cross-DBMS solution
• 100% visibility including local DBA access
• Enforces separation of duties (SoD)
• Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders
• Granular, real-time policies & auditing
• Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
Protect Sensitive Data Values within Documents
• Redact (or remove) sensitive unstructured data found in documents and forms, protecting confidential information while supporting the need to share critical business information
– Support compliance with industry-specific and global data privacy requirements or mandates
• Leverage an automated redaction process for speed, accuracy and efficiency
– Ensure hidden source data (or metadata) within documents is redacted as well
• Prevent unintentional disclosure by using role-based masking to confidently share data
• Ensure multiple file formats are support, including PDF, text, TIFF and Microsoft Word documents
Redact Full Name & Street Address
20
Question and Answer
Peter Kohler - Optim, Guardium, and Discovery Business
Unit Executive - IBM
SIEM and Automation
Protocols
Erin Connor – Director
EWA-Canada
Overview
•
Issues & Answers for Security Automation
•
Security Content Automation Protocol
–
Common Language Elements
–
Operational Elements
–
SCAP Content & Scanning
•
On the Automation Horizon
•
Why Automation Protocols
•
Over the Automation Horizon
Issues for Security Automation
•
Proprietary information and formats across products
•
Incompatible information across technologies
•
Information collection is costly and error prone
•
Inefficient use of resources managing configurations,
vulnerabilities and patches
•
Same or similar problems when systems connected into
networks and events start happening
•
Doesn’t scale well as networks grow and the number of
Answers for Security Automation
•
Standard Language
–
Using the same name for the same object in all instances
–
Lends itself to the use of automated tools, reducing manual
requirements
–
increases accuracy in reporting and subsequent response
•
Valuable human resources can be tasked to more
Security Content Automation
Protocol (SCAP)
•
Initial foray into automation protocols to deal with
configuration and patch issues
•
Seven Underlying Standards
•
Validation Program to test and verify that scanning
tools properly implement and understand the
language defined by the six standards, and can
properly execute SCAP content
SCAP “Common” Language
Elements
• Common Platform Enumeration (CPE™)
– defines a structured naming scheme for information technology systems, platforms, and packages
• Common Configuration Enumeration (CCE™)
– defines unique identifiers for system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools
• Common Vulnerabilities and Exposures (CVE®)
– comprises a dictionary of publicly known information security vulnerabilities and exposures (configuration issue)
SCAP “Operational” Elements
• eXtensible Configuration Checklist Description Format (XCCDF)
– defines a specification language for writing security checklists,
benchmarks, and related kinds of documents representing a structured collection of security configuration rules for some set of target systems
• Open Vulnerability Assessment Language (OVAL)
– an information security community effort to standardize how to assess and report upon the machine state of computer systems, i.e., how to query
configuration, vulnerability, etc., status of a target
• Common Vulnerability Scoring System (CVSS)
– provides an industry standard for assessing the severity of computer system security vulnerabilities thereby allowing comparison and
prioritization of response
• Open Checklist Interactive Language (OCIL)
– defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these
SCAP Content
•
Four “Tiers” identifying the form of the content:
– I – Prose checklist
– II – Non-standard (non-SCAP) machine readable
– III – SCAP “expressed” but not validated (should work in validated tool)
– IV – validated SCAP content (will work in validated tool)
•
Tier IV content (OMB & NIST) for:
– WinXP, WinVista (and associated WinFWs), IE 7 - FDCC
– Win7, Win7 FW & IE8 - USGCB
– RHEL 5 Desktop (Beta USGCB)
•
National Vulnerability Database
– U.S. government repository of standards based vulnerability management data represented using SCAP
– http://nvd.nist.gov/
SCAP Scanning
Web Servers Web Servers Application Servers Database Systems SCAP Scanner Firewall Desktop Systems DNS Server Mail Server Desktop Systems Desktop Systems Router Internet DMZ Intranet SCAP ScannerOn the Automation Horizon
•
Event Management Automation Protocol
– Being developed to do for event management what SCAP has been able to do for configuration and vulnerability management
– Builds on another set of standards, including:
• Common Event Expression (CEE™) – provide a standardized way for
computer events to be described, logged, and exchanged allowing for more efficient enterprise-wide log management, correlation,
aggregation, auditing, and incident handling
• Common Attack Pattern Enumeration and Classification (CAPEC) -
objective to provide a publicly available catalogue of attack patterns along with a comprehensive schema and classification taxonomy
• Malware Attribute Enumeration and Characterization (MAEC) - a
standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artefacts, and attack patterns
Why Automation Protocols?
• SCAP provides the ability to use standardized tools to determine and report baseline configurations in the network in real time, i.e., not only discover what is there but individual “hardened” status on an ongoing basis
• EMAP will provide a standardized language for network attached systems to report what is happening
• As more and more system vendors implement SCAP and EMAP compatible interfaces and information reporting:
– SIEM vendors will be able to concentrate on enhancing analysis and
correlation capabilities rather than keeping up-to-date with changes system vendors may make to proprietary event information reporting formats
– End users will be able to decide among SIEM tools based on comparison of analysis and reporting capabilities, and not whether the tools “speak the same language” as the devices on their networks
– Up-to-date configuration status can affect the “importance” of a network event, e.g., probes against systems known to have up-to-date mitigations may be in the category “Of Interest” rather than “Panic!”
From “Public/Private Collaboration Efforts for Enterprise Security Automation” presented at Software Assurance Forum 27 September 2010
Over the Automation Horizon
Automation Protocol initiatives underway or
proposed, including:
• Enterprise Remediation Automation Protocol
• Enterprise System Information Protocol
• Enterprise Compliance Automation Protocol
• Threat Analysis Automation Protocol
• Software Assurance Automation Protocol
• Incident Management Automation Protocol
Longer term goal to get to the point where network managers can
respond to events in real time by changing policies and configurations from a central management point
Questions
Erin Connor
EWA-Canada, Director 613-230-6067 x1214
References/Resources
Selected Standards:
• Security Content Automation Protocol (SCAP) http://scap.nist.gov/
• Common Platform Enumeration (CPE) http://cpe.mitre.org/
• Common Configuration Enumeration (CCE) http://cce.mitre.org/
• Common Vulnerabilities & Exposures (CVE) http://cve.mitre.org/
• eXtensible Configuration Checklist Description Format (XCCDF) http://scap.nist.gov/specifications/xccdf/
• Open Vulnerability Assessment Language (OVAL) http://oval.mitre.org/
• Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/
• Open Checklist Interactive Language (OCIL) http://scap.nist.gov/specifications/ocil/
• CWE http://cwe.mitre.org/
• Common Event Expression (CEE) http://cee.mitre.org/
• Common Attack Pattern Enumeration and Classification (CAPEC) http://capec.mitre.org/
• Malware Attribute Enumeration and Characterization (MAEC) http://maec.mitre.org/
References / Resources
Automation Content
• Federal Desktop Core Configuration http://nvd.nist.gov/fdcc/index.cfm
• United States Government Configuration Baseline (USGCB) http://usgcb.nist.gov/
Conferences
• NIST Annual Security Automation Conference – Autumn time frame, 2011 not yet formally announced, 2010 – http://www.nist.gov/itl/csd/2010-scap-conference.cfm
• Software Assurance Forum – semi-annual Spring and Autumn forums https://buildsecurityin.us-cert.gov/swa/forums.html
Panel Discussion
•
Phillip H. Griffin - ISSA Web Conference Committee
•
“Candy” Frances Alexander, CISSP CISM - Chief
Information Security Officer, Long Term Care Partners
•
Peter Kohler - Optim, Guardium, and Discovery
Business Unit Executive - IBM
40
Closing Remarks
Online Meetings Made Easy
