Agile Security Management
Horia Constantinescu - Security Solutions Expert, SCOP Computers
Bucharest, 21 September 2004
The IT Management Challenge
- To optimally deliver on the business application needs of a secure, available and performing infrastructure
  - Responding to rapid business change and deployment
  - Aligning IT and business objectives
  - Aligning IT service delivery with user expectations
- While managing increasing complexity
  - Growing number of distributed moving parts to manage
  - Advancing sophistication of applications and threats
  - Skyrocketing costs of downtime and incidents
- With decreasing resources
  - Budgets
  - Availability of skills

Notes: The IT management challenge is really something that’s been going on for many, many years now. We’ve been trying to align business and IT since the beginning of IT. Your specific challenge is to optimally deliver on the business application needs of a secure, available and performing infrastructure. Daily you have to think about responding to rapid business change and deployment. You have to align IT and the business objectives. And specifically, you must align IT service delivery with user expectations. After all, you get measured by what your users think of the performance, availability and security of your infrastructure. You have to do this while managing increasing complexity. The number of moving parts is going up every day, right? The heterogeneous nature of your environment, the number of disparate platforms you have to manage, the advancing sophistication of applications and their threats, and the skyrocketing cost of downtime and incidents. You don’t want to be a headline. Or maybe you do. If you want to be the headline, you want to be using IT as a competitive differentiator. You don’t want to be: “We were down and we lost money, and now the bank’s in trouble.” Right? It’s a tough challenge to deliver optimally on the business application needs of a secure, reliable, available and performing infrastructure, while managing increasing complexity and while you’re driving costs out of the business.
Delivering on this challenge requires “agility”

Notes: And at NetIQ, we call delivering on that challenge IT agility.
Why Does IT Need to Become Agile?
- IT is a business enabler
  - Capitalize on business opportunities with dynamic responsiveness and insight
  - Maximize return on IT assets and achieve targeted service level management
  - Achieve increased levels of manageability through diagnostics and analysis
- IT is in disaster avoidance mode
  - Avoid major service disruptions and disasters through element management and basic reporting
- Chaotic & Vulnerable

Notes: You want to become agile because you want to avoid major service disruptions. You don’t want to become that headline that we talked about. Secondly, you want to increase your levels of manageability. Why? Because you’re being held accountable — right? — for delivering service to your corporation. You want to be able to maximize your return on IT assets. And ultimately, you really want to be in the boardroom saying, “Yes, we can enable the business to be a competitive differentiator through IT.” Now there’s an interesting cutoff here that’s just above the “manage” line. If you’re below that line, chances are you’re in IT disaster avoidance mode. Now what happens when you’re above the line? What do you think? Well, you’re a business enabler. And that’s the primary reason why you want to become agile.
Goals of Security Incident Management
- IDENTIFY threats more quickly and easily
- REDUCE the deluge of security events
- RESPOND to threats by turning data into actionable knowledge
Value of Incident Management
- Decrease exposure time
- Improve security knowledge
- Increase protection levels
- Boost operational performance
Decrease Incident Exposure Time
Timeline: Incident Occurs -> Exploit Detected -> Research -> Initial Response -> Final Resolution
- Detection Time: from Incident Occurs to Exploit Detected
- Reaction Time: from Exploit Detected to Final Resolution
- Exposure Time = Detection Time + Reaction Time
Source: Winn Schwartau, Time Based Security
NetIQ’s Solution: Agile Security Management Suite
- Incident Management
  - RECOGNIZE threats more quickly
  - REDUCE the deluge of security events
  - RESPOND to threats by turning data into actionable knowledge
- Vulnerability Management
  - RECOGNIZE policy violations
  - REDUCE vulnerabilities
  - RESPOND with automated remediation
NetIQ Security Manager: Incident Management
- Functions: Intrusion Protection, Event Management, Correlation & Visualization, Forensics & Trending
- Sources: Firewalls, OS/DB, Antivirus, IDS, Networking
NetIQ Security Manager: Enterprise Security Incident Management
- Intrusion Protection
  - Proactively discover, detect & prevent intrusive activities
  - Multi-layered approach to intrusion defense (Host/Network/Prevention)
- Security Event Management
  - Collect, consolidate and normalize security events across the enterprise
  - Filter events, alert and notify personnel, execute countermeasures
- Correlation & Visualization
  - Correlate events from various security sensors to accurately identify critical security incidents
  - “Dashboard” for visual management
- Forensics & Trending
  - Obtain information for incident response
  - Identify and analyze important security trends
  - Easily generate reports of log information to evaluate summary log information and statistics

Notes: Mention the SLM stuff: this is the SLM for security; it improves as you circle the loop. Hacker clearing logs: we have the data stored in a central location. Trending on the whole infrastructure, not just one vendor.
NetIQ Security Manager
- Provides a single solution for protecting against intrusions, managing & correlating security events, and performing advanced forensics & trending
- Allows the deployment of a single infrastructure to solve both real-time alerting and log management needs
- Functions:
  - Intrusion protection
  - Event management
  - Correlation & visualization
  - Forensics & trending
Security Manager – Intrusion Manager
- Real-time detection and prevention of security breaches and policy violations to reduce downtime, loss of confidential data or potential data integrity compromises
- Out-of-box rules and signatures for HIDS for Microsoft Windows & major Unix operating systems
- Automatically stops security breaches and policy violations
- Extended workflow and incident management capacity within the product
- Rules-based notification and alerting capabilities
SM – Intrusion Protection: Demo
- Detect logon using service account; send alert & log user off
- Second demo: detect LophtCrack start-up and shut it down
Security Manager – Event Manager
- Centralizes monitoring and response to security alerts generated by security sensors across the enterprise
- Manage events and alerts from a central console
- Built-in support for major security sensors and applications
- XML-based integration with new security data sources
- Built-in & customizable security knowledge base

Notes: Automatically updated from the NetIQ site.
Security Manager – Sensor Support
- Firewalls
- OS/DB
- Antivirus
- Networking
- IDS
Security Manager – Correlation
- Reduces noise and false positives by correlating events from various security sensors to accurately identify critical security incidents
- Rules-based correlation engine
  - Set – describes a collection of events, occurring in any order, that match a certain description and relate to each other in particular ways
  - Sequence – arranges sets of events in a particular order
  - Threshold – assigns a weighted value to events matching a certain description
- Out-of-the-box pre-built correlation signatures
- Correlation wizard for creating rules
Correlation – Real-time
Diagram: the “bad guy” (IP address 10.10.1.46) touches three sensors in turn:
- Border router: nmap -> Port Scan Detected
- Perimeter firewall: firewall login attempt -> Failed Logon Attempt
- NIDS sensor: RSHELL attempt -> Failed RSHELL Attempt
Correlated result: coordinated attack from the same source IP address
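The three rule types on the Correlation slide (set, sequence, threshold) and the real-time scenario on this slide, worked through as an added example. This is not NetIQ Security Manager code or its rule syntax; it is a small, self-contained engine written for this page, run over constructed events (the timestamps, sensor names and the 192.168.5.20 noise address are invented; 10.10.1.46 is the address from the slide). It shows why the same three events can be matched as an unordered set, as an ordered sequence, or as a weighted score crossing a threshold, and why the events from the second address do not raise an alert under any of them.

```python
"""Added example: a toy rules-based correlation engine with the three rule
types the slide names (set, sequence, threshold), run over constructed events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # time reported by the sensor
    sensor: str       # which sensor produced the event
    kind: str         # normalized event class
    src_ip: str       # attribute that relates events to each other


def _by_key(events, key):
    """Group events by one attribute and sort each group by time."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, key)].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e.ts)
    return groups


def set_rule(events, kinds, window, key="src_ip"):
    """SET: every kind in `kinds` seen for one key value, in any order, within
    `window`. Returns (key_value, first_ts, last_ts) per matching key value."""
    wanted, matches = set(kinds), []
    for k, evs in _by_key(events, key).items():
        for i, first in enumerate(evs):
            seen = {}
            for e in evs[i:]:
                if e.ts - first.ts > window:
                    break
                seen.setdefault(e.kind, e.ts)        # earliest time of each kind
            if wanted <= set(seen):
                matches.append((k, first.ts, max(seen[x] for x in wanted)))
                break                                 # one alert per key value
    return matches


def sequence_rule(events, kinds, window, key="src_ip"):
    """SEQUENCE: the kinds must occur in the listed order (other events may be
    interleaved) within `window`. Returns (key_value, first_ts, last_ts)."""
    matches = []
    for k, evs in _by_key(events, key).items():
        for i, first in enumerate(evs):
            if first.kind != kinds[0]:
                continue
            pos, last = 1, first.ts
            for e in evs[i + 1:]:
                if e.ts - first.ts > window:
                    break
                if pos < len(kinds) and e.kind == kinds[pos]:
                    pos, last = pos + 1, e.ts
            if pos == len(kinds):
                matches.append((k, first.ts, last))
                break
    return matches


def threshold_rule(events, weights, threshold, window, key="src_ip"):
    """THRESHOLD: each matching event adds its weight; alert when the weighted
    sum for one key value reaches `threshold` within `window`.
    Returns (key_value, first_ts, trigger_ts, score)."""
    matches = []
    for k, evs in _by_key(events, key).items():
        scored = [e for e in evs if e.kind in weights]
        for i, first in enumerate(scored):
            total, hit = 0, None
            for e in scored[i:]:
                if e.ts - first.ts > window:
                    break
                total += weights[e.kind]
                if total >= threshold:
                    hit = (k, first.ts, e.ts, total)
                    break
            if hit:
                matches.append(hit)
                break
    return matches


# Constructed sample events (hypothetical timestamps and sensors); 10.10.1.46 is
# the slide's "bad guy" address, 192.168.5.20 is noise that must not alert.
T0 = datetime(2004, 9, 21, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "border-router", "port_scan", "10.10.1.46"),
    Event(T0 + timedelta(seconds=40), "perimeter-firewall", "failed_logon", "10.10.1.46"),
    Event(T0 + timedelta(seconds=55), "perimeter-firewall", "failed_logon", "10.10.1.46"),
    Event(T0 + timedelta(seconds=90), "nids", "rshell_attempt", "10.10.1.46"),
    Event(T0 + timedelta(minutes=3), "perimeter-firewall", "failed_logon", "192.168.5.20"),
    Event(T0 + timedelta(minutes=30), "nids", "rshell_attempt", "192.168.5.20"),
]


def coordinated_attack(events=SAMPLE_EVENTS, window=timedelta(minutes=5)):
    """The slide's scenario: port scan, failed logon and RSHELL attempt from the
    same source IP, evaluated under each rule type."""
    chain = ["port_scan", "failed_logon", "rshell_attempt"]
    weights = {"port_scan": 1, "failed_logon": 1, "rshell_attempt": 3}
    return {
        "set": set_rule(events, chain, window),
        "sequence": sequence_rule(events, chain, window),
        "threshold": threshold_rule(events, weights, 5, window),
    }


if __name__ == "__main__":
    for rule, hits in coordinated_attack().items():
        print(rule, hits)
```

The window and weights are the tuning knobs: widening the window makes the second address match the set rule too, and lowering the threshold lets two failed logons alone score as an incident, which is exactly the noise the slide says correlation is meant to remove.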
Security Manager – Log Manager
- Enables scalable, automated log collection and centralization with the ability to query, trend and report on the collected audit trail
- Forensic analysis: obtain information for incident response and remedy (e.g., prosecution)
- Trend analysis: identify and analyze important security trends and security resource planning (prioritizing security)
- Standard log reports: quickly and easily generate reports of log information to evaluate summary log information and statistics
Log Analysis Made Easy
Go from this (raw logs) to this (reports).

Notes: Demo trending reports, summary reports and forensic reports.
Security Manager – Log Manager: Forensic Reporting
- Dig in and expose the raw log data from many security sources
Security Manager – Log Manager: Trend Reporting
- Identify security trends based on historical activities
Security Manager – Log Manager: Log Reports
- Out-of-the-box knowledge reports on “best practice” reviews, e.g. unsuccessful logons, group changes, etc.
Visualization
Diagram: Internet -> perimeter firewall -> DMZ (web servers, DNS server, FTP drop, hardware or software load balancing) -> internal DMZ firewall -> trusted eCommerce segment (app servers, DB servers, SAN) -> Level IV data firewall (credit card database). Also shown: corporate LAN (employees & other internal users) and an extranet firewall for trusted business partners.

Notes: So let’s look at a real-world example. An attack occurs and the attacker passes through the perimeter firewall. They then move to the external web server, which is compromised. Next the attacker identifies a vulnerability on the internal DMZ firewall. So just in the outer DMZ we have a minimum of three systems that all have pieces of the story to tell in their respective logs. The attacker then passes through the internal DMZ firewall to the various DB and app servers, where they find a vulnerability to exploit. Now they pass through the layer 4 firewall where the credit card database resides, compromise the eCommerce credit card data and steal hundreds of credit card numbers. Again we now have at least three more systems with another portion of the story. So in order to put the whole attack together there are a minimum of six logs that will need to be collected and, right now, manually correlated. There may also be devices like IDS sensors that will have relevant log data as well. So the NetIQ SEM solution would allow you to perform real-time monitoring of all these devices and receive alerts on suspicious activity. Further, the log consolidation and archive component allows the automated collection of all the log data and stores it for further analysis. Therefore, at the time of an attack, the likelihood is greater that the raw data will be preserved for analysis while the critical business systems are restored.
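The Log Manager slides describe three report types (forensic, trend and standard “best practice” reports such as unsuccessful logons) and this slide describes stitching one attack together from the logs of several systems. The added example below does both on a small scale; it is not NetIQ product code or its report format. It normalizes three constructed log sources with different native formats (a firewall log, a web server access log and a syslog sshd log; hosts, addresses and timestamps are invented, with 10.10.1.46 reused from the earlier correlation slide) into one audit trail, then pivots from the attacker’s address through each host it reached to pull the whole story out of every source in time order, and produces the unsuccessful-logon summary and a per-day trend from the same records. The syslog year is assumed because syslog lines carry none.

```python
"""Added example: normalize logs from several sources into one audit trail, then
run the three report types the slides describe (forensic, trend, summary)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in three native formats. Hosts, addresses and
# timestamps are hypothetical; 10.10.1.46 is the slide's "bad guy" address.
RAW_LOGS = {
    "perimeter-fw": [
        "2004-09-21 10:00:05 fw1 DENY tcp 10.10.1.46:4401 -> 192.0.2.10:22",
        "2004-09-21 10:00:07 fw1 ALLOW tcp 10.10.1.46:4402 -> 192.0.2.10:80",
    ],
    "web-server": [
        '10.10.1.46 - - [21/Sep/2004:10:00:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.0" 200 512',
        '10.10.1.46 - - [21/Sep/2004:10:00:12 +0000] "POST /cgi-bin/status.cgi HTTP/1.0" 500 0',
    ],
    "db-server": [
        "Sep 21 10:01:30 db1 sshd[2201]: Failed password for dbadmin from 192.0.2.10 port 3312",
        "Sep 21 10:01:34 db1 sshd[2201]: Failed password for dbadmin from 192.0.2.10 port 3312",
        "Sep 21 10:01:40 db1 sshd[2205]: Accepted password for dbadmin from 192.0.2.10 port 3314",
        "Sep 22 08:15:00 db1 sshd[2310]: Failed password for root from 192.0.2.55 port 4100",
    ],
}

FW_RE = re.compile(r"^(\S+ \S+) \S+ (ALLOW|DENY) \S+ (\S+?):\d+ -> (\S+?):\d+$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "([^"]+)" (\d{3})')
SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
SYSLOG_YEAR = 2004   # assumption: syslog lines carry no year


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dst = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src_ip": src, "dst_ip": dst,
            "action": action.lower(), "user": None, "detail": f"{action.lower()} {src} -> {dst}"}


def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    src, ts, request, status = m.groups()
    return {"ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), "src_ip": src, "dst_ip": None,
            "action": "http_request", "user": None, "detail": f"{request} -> {status}"}


def parse_sshd(line):
    m = SSH_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    action = "failed_logon" if outcome == "Failed" else "logon"
    return {"ts": datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S"), "src_ip": src,
            "dst_ip": None, "action": action, "user": user, "detail": f"{action} {user} from {src}"}


PARSERS = {"perimeter-fw": parse_firewall, "web-server": parse_web, "db-server": parse_sshd}


def normalize(raw_logs=RAW_LOGS):
    """Collect every source into one list of normalized records, oldest first."""
    records = []
    for source, lines in raw_logs.items():
        for line in lines:
            rec = PARSERS[source](line)
            if rec:                        # unparseable lines are skipped, not guessed
                rec["source"] = source
                records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def forensic_timeline(records, start_ip):
    """Forensic report: follow the attacker from `start_ip` through each host it
    reached and return every record of that chain, across all sources, in order."""
    ips = {start_ip}
    while True:                            # pivot: hosts contacted become new sources
        reached = {r["dst_ip"] for r in records if r["src_ip"] in ips and r["dst_ip"]}
        if reached <= ips:
            break
        ips |= reached
    return [(r["ts"].isoformat(), r["source"], r["detail"]) for r in records if r["src_ip"] in ips]


def unsuccessful_logons(records):
    """Summary report: failed logons per account (a slide "best practice" review)."""
    return Counter(r["user"] for r in records if r["action"] == "failed_logon")


def daily_trend(records, action="failed_logon"):
    """Trend report: count of one action class per calendar day."""
    return Counter(r["ts"].date().isoformat() for r in records if r["action"] == action)


if __name__ == "__main__":
    recs = normalize()
    for row in forensic_timeline(recs, "10.10.1.46"):
        print(*row)
    print(unsuccessful_logons(recs), daily_trend(recs))
```

The pivot loop is the part that matters for the six-log story on this slide: the firewall log is the only source that records a destination, so it is what links the attacker’s external address to the web server, and the web server’s address is then what ties the sshd failures on the database host to the same incident. Records that cannot be parsed are dropped rather than guessed, so a source with a format the collector does not yet understand shows up as a gap in the timeline instead of as wrong data.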
A Bottom Line Requirement
- Security Incident Management is critical to:
  - Recognizing threats quickly
  - Reducing the huge volume of sensor data
  - Responding to threats
- NetIQ Security Manager provides the broadest Incident Management capabilities available:
  - Intrusion protection
  - Event management
  - Correlation & visualization
  - Forensics & trending
Questions?
SCOP Computers
horia.constantinescu@scop.ro