IBM Software Group
© IBM Corporation
Secure Your Operations through NOC/SOC
Integration
David Jenkins
Security Consultant
Only Tivoli’s suite offers fault, performance and security management
Agenda for this presentation:
• Security Management Challenges
• Operational Integration Best Practices
• Tivoli Security Operations Manager (TSOM) Integration
• Further Resources
IBM Software Group | Tivoli software
The problem we solve:
• 1,200 events per second, 72,000 events per hour
• Vendor-specific point solutions: host IDS, network IDS, firewall, antivirus, servers, apps, routers, virus
• Siloed management consoles, multiple correlation, manual analysis
• Best-of-breed multi-vendor, multiple-domain environment
Issues
• Day to day: manual analysis of log data wherever it exists, typically using multiple command and control dashboards; the cost of expensive security experts
• Operational: time to resolution; difficult to create a problem owner for resolution; expensive
• Strategic: siloed security management does not encourage
Management Systems (NS escalates to): Remedy ARS, HP OpenView, IBM/Tivoli, CA Unicenter, Micromuse Netcool
Sources of events into NS: NetScreen Global Pro, ISS RealSecure SiteProtector, Tripwire Manager, Intrusion, Inc. SecureNet Manager, McAfee ePO, Symantec ESM
Integrated Investigative Tools: NS GeoLocator Service, Hostname and WHOIS Lookup, Finger, NMAP, HTTP Probe, OS Fingerprint, SNMP Probe, SMTP Probe, RPC Probe, NFS Probe, CGI Vulnerability Probe, Trace Route, UDP/TCP Port Scan, QualysGuard
Web Servers: Apache, Microsoft IIS, BEA WebLogic Server Logs
Operating System Logs: Solaris (Sun), AIX (IBM), RedHat Linux, SuSE Linux, HP/UX, Microsoft Windows Event Log, Nokia IPSO, OpenBSD, Tripp Lite UPS
Antivirus: CipherTrust IronMail, McAfee VirusScan, Norton AntiVirus (Symantec), McAfee ePO, Trend Micro InterScan
Application Security: Blue Coat Proxy, Teros APS
VPN: Neoteris IVE (NetScreen), Check Point, Cisco IOS, Nortel Contivity
Network-based Intrusion Detection/Prevention: Intruvert (NAI) IntruShield, Sourcefire Network Sensor, Juniper Networks NetScreen IDP, AirMagnet, ISS RealSecure, ISS Proventia, ISS BlackICE Sentry, Cisco Secure IDS, SNORT IDS, Enterasys Dragon, Intrusion's SecureNetPro, NFR NID, Symantec ManHunt, ForeScout ActiveScout, Top Layer Attack Mitigator, LaBrea TarPit, IP Angel, AirDefense, Lancope StealthWatch, TippingPoint UnityOne NDS
Host-based Intrusion Detection/Prevention: Cisco CSA (Okena), NFR HID, Sana Security Primary Response, Snare, Symantec Intruder Alert (ITA), Sygate Secure Enterprise, Tripwire, ISS RealSecure, Entercept HIDS (NAI)
Firewalls: Juniper Networks NetScreen, Check Point Firewall-1, Cisco PIX, CyberGuard, Fortinet FortiGate, GNATBox, Linux IP Tables, Lucent Brick, Stonesoft's StoneGate, Secure Computing's Sidewinder, Symantec's Enterprise Firewall, SonicWALL, Sun SunScreen
Vulnerability Assessment: Nessus, Vigilante, ISS Internet Scanner, QualysGuard, Foundstone, eEye Retina, SPI Dynamics WebInspect, Harris STAT
Routers/Switches: Cisco Routers, Cisco Catalyst Switches, Nortel Routers, TACACS / TACACS+
Policy Compliance: Vericept
Gartner’s 2006 SIEM Magic Quadrant (figure; axis: Ability to Execute)
Best Practices in Operational Integration
IBM Global CEO Study 2006
• One-on-one, one-hour interviews with 765 CEOs across 20+ industries (2004: 456 survey respondents, 380 interviews)
(Charts: respondents by geography, percent of respondents; respondents by annual sales/turnover in US$, percent of respondents; respondents by number of employees, number of respondents)
Enterprise pressures and opportunities
(Chart, 2004 and 2006; sources: IBM Global CEO Study 2004, multiple answers permitted; IBM Global CEO Study 2006, point allocations.) CEOs say they must achieve revenue growth, cost reduction, asset utilization and risk management, and want to innovate their products/services/markets, operations (processes & functions) and business model.
70% of CIO budget is labor (chart: 2005 CIO budget split across hardware, services, labor and software)
Operations labor will be 73% of CIO labor budgets by 2008 (chart: administration, development and operations labor, 2005 to 2008)
Application development will decline at -10% CGR to 2008
Application development & support labor has dropped from 48% to 34% of IT labor spend over the previous 4 years (chart: app development, app support/maintenance and IT operations, 2001 to 2004)
Source: Tivoli Commissioned IDC Study 1Q05
Source: Gartner Group, IT Spending & Staffing surveys
Decrease in Efficiency as IT Spending Shifts to Operations Labor
IT Efficiency and Effectiveness are Waning
70% of CIO budget is labor
$325B in operations labor by
IT Silos: Architectural Complexity Exposes Organizational Complexity
(Figure: labor cost over time across the Sense, Isolate, Diagnose, Take Action and Evaluate phases; separate silos of storage, application, database, security, network, mainframe and Unix experts and tools; Availability Management, Security and Compliance Management, Change Management, Release Management, Information Mgmt.)
Perspective:
• Used to be: Lock Down vs. Availability
• The new focus on Business Impact vs. System Impact has changed all that.
Problem-solving Techniques:
• NOC: objective, black and white situations, up or down.
• SOC: subjective, context, why is it up or down, shades of grey.
Tools:
• Requires tools that process, analyze and handle event data differently
The Solution: Focus on the end goal
• Transcends IT silos (NOC/SOC/Help Desk)
• Requires convergence at:
- Organizational level (i.e. common first level response)
- System level (i.e. integrated ticketing and workflow)
- Asset level (i.e. shared sensors and criticality information)
• Requires responses based on the business impact, not the cause
• Improves problem resolution and time to mitigation
• The end goal for both IT and security operations is business and service assurance
Typical Operations model (figure: a NOC and a SOC under a common Management layer, each with its own Level 1, Level 2 and Level 3 and its own workflow and ticketing)
Converged Operations (figure: Security Operations and Network Operations sharing Level 1, with separate Level 2 and Level 3, shared workflow, shared ticketing, incident analysis and a joint SLA to the business)
Organizational Convergence
Converged Systems
• As an event unfolds it may need to be re-classified, from network-related to security-network-related and vice versa
• This requires system integration as well as integrated procedures
• There should be a single ticketing and workflow system that allows the teams to collaborate, review, annotate and take action on events
• Historical views of prior events or problems should also be consolidated: a past configuration error could be related to a current security error
• A common knowledge base will assist Level 1 in making a correct diagnosis
• Converged reporting can reduce compliance costs and increase operational excellence across the board
• Include periodic (monthly/quarterly?) results reporting process under
Converged Sensors and Asset Inventories
• Companies build the NOC before they build a SOC: leverage all those deployed sensors!
• Build on top of existing network monitoring and leverage existing ticketing systems; do not build a security “island”
• Both NOC and SOC need asset inventories, which provide perspective into the importance, location and status of the asset
• Assets have an associated business “criticality” and “risk”, regardless of whether they suffer a network problem or a security problem
• Converged asset inventories provide a business-level perspective and ensure the appropriate level of response
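The two slides above (re-classifying events as they unfold and routing them through one shared ticket queue, and weighting every event by the business criticality of the asset it concerns) can be shown in a few lines of code. The block below is an added illustration, not IBM or Tivoli code: the asset inventory, the re-classification rules and the sample sensor events are all constructed here, and the `priority = severity x criticality` formula is an assumption chosen to make the asset weighting visible.

```python
"""Asset-weighted triage of NOC and SOC events against one shared inventory.

Added example, not TSOM/Netcool code. Everything below is constructed:
the inventory, the sensors, the re-classification rules and the scoring.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed asset inventory shared by NOC and SOC. 'criticality' is the
# business weighting (1 = low .. 5 = critical); 'location' is the data centre.
ASSETS: Dict[str, dict] = {
    "10.0.1.10": {"name": "erp-db-01", "criticality": 5, "location": "DC1"},
    "10.0.2.20": {"name": "wiki-01", "criticality": 2, "location": "DC2"},
    "10.0.3.30": {"name": "core-rtr-01", "criticality": 4, "location": "DC1"},
}
UNKNOWN_ASSET = {"name": "unknown", "criticality": 3, "location": "?"}


@dataclass
class Event:
    source: str        # sensor that raised it, e.g. a firewall or an SNMP poller
    domain: str        # initial classification: "network" or "security"
    asset_ip: str
    severity: int      # 1 (informational) .. 5 (critical), as reported by the sensor
    message: str
    tags: List[str] = field(default_factory=list)


def reclassify(ev: Event) -> str:
    """Re-classify an event as it unfolds: a network event that looks like
    policy or authentication trouble, or a security event that turns out to be
    a link problem, becomes 'security-network' so both teams see it.
    The keyword rules are constructed stand-ins for a shared Level 1 runbook."""
    text = ev.message.lower()
    if ev.domain == "network" and ("denied" in text or "auth fail" in text):
        return "security-network"
    if ev.domain == "security" and ("link down" in text or "interface" in text):
        return "security-network"
    return ev.domain


def priority(ev: Event) -> int:
    """Assumed scoring: sensor severity weighted by asset criticality (1..25).
    An asset missing from the inventory gets the middle weight so the event is
    not silently dropped; a gap in the inventory is itself worth a ticket."""
    crit = ASSETS.get(ev.asset_ip, UNKNOWN_ASSET)["criticality"]
    return ev.severity * crit


def triage(events: List[Event]) -> List[dict]:
    """Build one shared work queue, highest priority first, carrying the asset
    context a Level 1 analyst needs whichever silo the sensor belongs to."""
    queue = []
    for ev in events:
        asset = ASSETS.get(ev.asset_ip, UNKNOWN_ASSET)
        queue.append({
            "priority": priority(ev),
            "domain": reclassify(ev),
            "asset": asset["name"],
            "location": asset["location"],
            "source": ev.source,
            "message": ev.message,
        })
    return sorted(queue, key=lambda t: t["priority"], reverse=True)


# Constructed sample events from NOC (poller, firewall) and SOC (HIDS, NIDS) sensors.
SAMPLE_EVENTS = [
    Event("snmp-poller", "network", "10.0.3.30", 4, "Interface Gi0/1 link down"),
    Event("firewall", "network", "10.0.1.10", 3, "Policy denied: 203.0.113.5 -> tcp/1433 x 500"),
    Event("host-ids", "security", "10.0.2.20", 5, "File integrity: /etc/passwd modified"),
    Event("network-ids", "security", "198.51.100.9", 2, "Port sweep observed"),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item)
```

Note what the ordering shows: the severity-5 host IDS event on the low-criticality wiki lands below the severity-3 firewall event on the ERP database, which is exactly the business-level perspective the slides argue for, and that firewall event is re-classified as security-network so it reaches the shared queue rather than staying in the NOC's view.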
Conclusions and Bottom Lines
• The driving force for both IT and Security operations is business process availability
• This driver transcends silos and requires convergence
• Converged NOC/SOC operations means convergence at:
- The organizational level: common Level 1 response
- The system level: integrated ticketing and workflow
- The asset level: shared history and criticality information
• Operational models must be flexible enough to adapt to a changing
Points for discussion
• How big is each NOC / SOC before integration, and what is the natural limit for outsourcing?
• Are there other formal ways to classify the structure of different growing models than a joint SLA to the business?
• How do we assess the physical properties as a whole, such as its robustness, damage tolerance or vulnerability to malicious attack?
• How do we quantify the interaction between network operations of different character, and how do we model network evolution?
• How much difficulty do you see in this model?
• Intelligent dashboard to manage complex security environments
• Communicates critical security information throughout the IT organization
• Real-time, cross-device event correlation to improve incident recognition
• Integrated asset weighting to assist with prioritization of investigations
• Integrated incident investigation and automated remediation
• Customizable reporting for audit, trending and compliance
(Figure: Operational Efficiency, Risk Reduction, Audit and Compliance; charts of event class by frequency and domain by frequency)
New Integration Capabilities between Netcool and TSOM
1. Escalate raw or correlated security events to Netcool Omnibus
2. View security metrics via Netcool dashboards
3. Leverage of a Universal Collection Layer
4. TSOM device support for Netcool SSMs
5. TSOM support for Micromuse Portal for integrated solutions
6. Security Knowledgebase (for common first line support)
Conclusions and Further Resources
Operational Integration
• Converge security operations with IT operations to ensure business and service uptime
• Invest in one vendor who understands your infrastructure holistically
• Only Tivoli’s suite offers fault, performance and security management
Security as an Option
• Security is an add-on
• Challenging integration
• Not cost effective
• Cannot focus on core priority
Security as part of a System
• Security is built-in
• Intelligent collaboration
• Appropriate security
• Direct focus on core priority
Further Resources
• Tivoli Webinar: NOC/SOC Integration – an Overview. Johna Till Johnson, Nemertes Research and Jim Alderson, IBM. http://www.micromuse.com/events/webinars/SM_30-Nov-2005.html
• Tivoli Webinar: NOC/SOC integration for Service Providers. Andreas Antonopoulos, Nemertes Research and Jim Alderson, IBM. http://www.micromuse.com/events/webinars/secure_operations_23Mar2006.html
• Issue Paper: Integrating Event Response. Andreas Antonopoulos, Nemertes Research. http://www.micromuse.com/downloads/pdf_lit/wps/Nemertes_Issue_Paper_Integrating_Event_Response.pdf