                          Tivoli Risk Manager Overview

                   FSP Fall Session, 2001, Toronto
                    Focus on Intrusion Detection

                           Bruce Wishart
                           Certified Consulting I/T Specialist
                           IBM Canada – Tivoli Software
                           Oct. 19, 2001

    • Rationale for Intrusion Detection
    • Risk Manager Technical Overview
       –   Practical Realities of Intrusion Detection in Enterprise Environments
       –   What is Risk Manager
       –   How does Risk Manager Work
       –   How is Risk Manager Deployed
    • Introducing Intrusion Manager
    • Factors in the Cost / Benefit Analysis
    • Summary

Rationale for Intrusion Detection
                      Spring 2001 CSI/FBI Survey Highlights

    • 91% detected computer breaches in last 12 months
    • 64% acknowledged financial losses
          – Most serious causes were theft of proprietary information and financial fraud
    • 35% (186) were able and willing to quantify their losses
          – $377M (avg: ~$2M), vs. 2000 totals 249 and $265M (avg: ~$1M)
          – Respondents with Intrusion Detection mechanism: 61% in 2001 vs. 35% in 1998
    • Outsider threats greater than Insider (last four years)
          – Internet connection largest source of attack (70%) vs. inside (31%)
          – 23% of quantified respondents experienced system penetration from the outside,
            with an average loss of $453,967
          – Outsider growing penetrations: 40% in 2001 vs. 25% in 2000 survey
    • Technology alone not the answer
          – 95% have firewalls, 61% have IDS’s, 98% have anti-virus, 42% have digital IDs,
            90% have access control…
          – “Security is a process, not a product” – Bruce Schneier, author of “Secrets and
            Lies – Digital Security in a Networked World”

2001 survey of 538 computer security practitioners from US
corporations, government agencies, financial institutions, medical
institutions, and universities (27% with >10,000 employees)

                                  Is Improving Security Justified?

     • Hacking Exposed1: classic hacker methodology:
            – Footprinting – determining network addresses, DNS, mail servers,
            – Scanning – discovery of hosts, determining ports open, services and
              version levels, etc.
            – Enumeration – targeted queries to gain additional information or
              attempt known vulnerabilities (i.e. Bugtraq)
            – Hacking the System/Application: gaining superuser privileges
            – Consolidation of Power: establishing backdoors, spring-board or
              attack launch-point to other systems
            – Covering Tracks: removing audit trail

            “the fighting is fierce, but the war appears winnable”

1. Hacking Exposed: Joel Scambray, Stuart McClure, George Kurtz, 2001

            Callout on the repeated “Is Improving Security Justified?” slide: “Post exploit to
            fame in the underworld, and watch your fellow script-kitties unleash on your victim!”

                     What about Security Alarm Systems (IDS’s)?
          •    What are you hoping to detect?
                 –    Am I being attacked? By whom? How? When? Why?
                 –    Detection of vulnerability attempt prior to a patch being available/applied?
                 –    Provide valuable data/reports whether penetrated or not (exert control and awareness
                      over the environment)
          •    How will you respond?
                 –    Separating real attacks from False Positives: Operations won’t respond to a pager
                      always ringing
                 –    What plans exist for responding to limit exposure? Recovery plans?
          •    Who will respond?
                 –    Balance use of resources and risk across operations, security analysts, administrators,
          •    What technologies and processes will you need to support this
                 –    Understand YOUR requirements, YOUR technology, YOUR risks, positioning of vendor
                      products and solutions
                 –    Intrusion Detection is risk mitigation, NOT an enforcement mechanism
                 –    Inhouse vs. outsource (e.g. IGS Internet Emergency Response Service)
          •    In short, first steps to improving security begin with answering1:
                 –    What are you trying to protect?
                 –    What are you trying to protect against?
                 –    How much time, effort and money are you willing to expend to obtain adequate
 1.  Simson Garfinkel and Gene Spafford in Practical Unix Security, O’Reilly & Associates 1996
Tivoli Risk Manager Technical Overview
                 Current State of Security Monitoring

       [Diagram: RPC Attacks, DOS Attacks, Illegal root access and CGI vulnerabilities are
        each reported to a separate console: Intrusion Detection, Systems Administration
        and WEB Servers Administration]

       Each component sees only a piece of the overall environment
             Network IDS can’t see inside SSL pipe
       Multiple consoles:
             multiple sources of information require specialized knowledge and
             operational workload
       No real interaction between security systems
             Mix of independent vendors, lack of standards
       Volumes of data
             How to detect significant alarms?
                               Large Scale IDS Architecture

       [Figure not reproduced]
       Source: Chris Jordan, Computer Sciences Corporation, Analyzing IDS Data, May 2000
                                     Tivoli Risk Manager

       Event sources integrated with Risk Manager (slide diagram, rendered as a list):
       • Network IDSs: ISS RealSecure, Cisco Secure IDS, Tivoli Network IDS
       • Host IDS (AIX, Solaris, Win2K, NT, Linux): Tivoli Host IDS, ISS System Agent
       • AntiVirus: Symantec Norton AntiVirus, McAfee VirusScan
       • Firewalls: CheckPoint FW-1, Cisco PIX Firewall
       • Web servers: WebSphere, Microsoft IIS, Domino, Apache, Netscape Web Servers,
         Policy Director Webseal
       • Cisco Routers
       • Tivoli NSA Network Scanner1
       • Addt’l ISV Partners: Zone Labs ZoneAlarm; Trend Micro “InterScan VirusWall” AV;
         Content Technologies’ content filtering; Argus Pitbull secure OS; ClickNet entercept
         Intrusion Prevention; Counterpane; Apache SW Foundation; iPlanet; Lockstep’s WebAgain

     1   Technology Preview
                      Leveraging IBM/Tivoli Capability
• Correlation Requirements
     • correlation requires information from sources be normalized to a common format,
           sent to a common engine, events stored for re-evaluation and historical
     • this is exactly what TEC has been doing for years
• IBM and Tivoli Leverage
     • Correlation model developed by IBM Zurich Lab, IBM contribution to
           IEDF/IEMDF/CVE, IBM Sydney Olympics, Tivoli’s mature TEC, Tivoli Partner
• Leveraging TEC’s established correlation and scalability
     • New events in light of existing facts
     • Event cache handling non-deterministic
           event arrival
     • Leverages scalability, existing skills, and
           adapter/platform support
     • Events classified according to a class
           hierarchy with rules applied to event
           arrival to determine new states, actions
     • Large customer install base, robust
           integration tools, and existing Partner
                  A simple attack against a WEB server

       [Diagram: FireWall, Intrusion Detection, WEB Server and a second FireWall in line,
        with Risk Manager alongside]

                  The Attack is actually more complicated

       [Diagram: the same path, now with Risk Manager receiving events from every
        component along it]

                                  Risk Manager

       [Diagram, rendered as layers:]
       • Detection: Unix, NT, Norton Antivirus, Webids, Network IDS, NSA (Direct
         Integration); Others (EIF Toolkit)
       • Correlation: Risk Manager Servers, comprising Events Repository, Correlation
         Engine and IDS Rules
       • Visualization / Analysis: Data-Mining Analysis and Decision Support Console;
         Real Time Visualization of Alarms on the Risk Manager Console

                      Correlation Process

     • Normalize raw information into RM Event Classes
       (including aggregating duplicates, filtering)
     • Correlate based on related events in Event Class
       Hierarchy and Situation Analysis (see Situation 1,2,3)
     • Aggregate based on weighting of individual events,
       number of events, tuning values, linked events,
       category of event, timing of arrival / decay function,
       “trusted” hosts, storm/duplicate event factors, …
     • Situation Alarms based on configurable threshold
       settings, adjustments for decay


     • During correlation, three keys are used in searching for
      patterns of suspicious activity
        • Category of the event class
        • Destination host
        • Source host
     • Three general types of situations are defined (specific to
      general order):
        • Class RM_Situation1: All three keys specified
        • Class RM_Situation2: Two keys specified
        • Class RM_Situation3: One key specified

                            Situations (continued)

     • Situation 1 Category/Destination/Source
         • Detect very serious single incidents
     • Situation 2-1 Destination/Source
         • Monitor for patterns of attack between two hosts.
     • Situation 2-2 Category/Destination
         • Monitor for patterns of attack against a specific host.
     • Situation 2-3 Category/Source
         • Monitor for patterns of attack originating from a specific host and
           targeting multiple hosts.
     • Situation 3-1 Source
         • Monitor for widespread attacks.
     • Situation 3-2 Destination
         • Monitor for attacks against a specific host.
     • Situation 3-3 Category
         • Monitor for a particular type of attack coming from diverse sources
           and targeting multiple hosts.
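The three-key, seven-situation scheme above is easier to see with a small correlator that applies it to a stream of normalized events. The following is an added example written for this page, not Tivoli's rule base or any Risk Manager code: the event field names, category names, per-event weights, the 60-second half-life decay, the duplicate window and the alarm thresholds are all assumptions, and the sample events are constructed. It folds in several of the aggregation factors from the Correlation Process slide (weighting, decay, “trusted” hosts, duplicate suppression, configurable thresholds) and shows which situations a serious single incident and a one-to-many scan trigger.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A normalized event (field names are assumptions for this example)."""
    category: str   # category of the event class, e.g. "PortScan"
    src: str        # source host
    dst: str        # destination host
    t: float        # arrival time in seconds (this toy assumes in-order arrival)
    weight: float   # per-event severity weighting


# The seven situation types, specific-to-general, keyed on the three search keys.
SITUATIONS = [
    ("Situation1",   ("category", "dst", "src")),
    ("Situation2-1", ("dst", "src")),
    ("Situation2-2", ("category", "dst")),
    ("Situation2-3", ("category", "src")),
    ("Situation3-1", ("src",)),
    ("Situation3-2", ("dst",)),
    ("Situation3-3", ("category",)),
]


class Correlator:
    def __init__(self, thresholds, half_life=60.0, trusted_hosts=(), dup_window=1.0):
        self.thresholds = thresholds            # per-situation alarm thresholds (tuning values)
        self.decay = math.log(2) / half_life    # exponential decay rate of accumulated scores
        self.trusted = set(trusted_hosts)       # "trusted" hosts whose events are filtered out
        self.dup_window = dup_window            # seconds within which identical events count once
        self.state = {name: {} for name, _ in SITUATIONS}  # situation -> key -> (score, last t)
        self.last_seen = {}
        self.alarms = []

    def score(self, name, key, now):
        """Accumulated score for a key after decaying it from its last update to `now`."""
        s, t = self.state[name].get(key, (0.0, now))
        return s * math.exp(-self.decay * (now - t))

    def ingest(self, ev):
        """Correlate one event; return the (situation, key, score) alarms it raised."""
        if ev.src in self.trusted:
            return []
        dup_key = (ev.category, ev.src, ev.dst)
        last = self.last_seen.get(dup_key)
        self.last_seen[dup_key] = ev.t
        if last is not None and ev.t - last < self.dup_window:
            return []   # duplicate / storm suppression: identical events count once per window
        fired = []
        for name, keys in SITUATIONS:
            key = tuple(getattr(ev, k) for k in keys)
            new = self.score(name, key, ev.t) + ev.weight
            if new >= self.thresholds[name]:
                fired.append((name, key, round(new, 2)))
                new = 0.0   # reset the situation once it has alarmed
            self.state[name][key] = (new, ev.t)
        self.alarms.extend(fired)
        return fired


# Assumed tuning: a single key needs more accumulated weight than a fully specified one.
THRESHOLDS = {"Situation1": 10, "Situation2-1": 15, "Situation2-2": 15,
              "Situation2-3": 15, "Situation3-1": 20, "Situation3-2": 20,
              "Situation3-3": 20}


def run_demo():
    """Constructed sample traffic: a critical event, its duplicate, a trusted scanner, a scan."""
    c = Correlator(THRESHOLDS, half_life=60.0, trusted_hosts=["10.0.0.250"])
    events = [
        Event("RootCompromise", "10.0.0.5", "web1", 0.0, 10.0),   # serious single incident
        Event("RootCompromise", "10.0.0.5", "web1", 0.5, 10.0),   # duplicate, suppressed
        Event("PortScan", "10.0.0.250", "web1", 2.0, 3.0),         # trusted scanner, filtered
    ]
    # one source probing seven hosts, one second apart
    events += [Event("PortScan", "192.0.2.7", f"h{i}", 10.0 + i, 3.0) for i in range(7)]
    for ev in events:
        c.ingest(ev)
    return c.alarms


if __name__ == "__main__":
    for name, key, score in run_demo():
        print(f"{name:13s} key={key} score={score}")
```

Running it shows the critical event raising Situation 1 on its own, the scan raising Situation 2-3 (category/source) on the sixth probe, and Situations 3-1 (source) and 3-3 (category) on the seventh once the decayed sum passes 20; the per-destination situations never fire because each host is hit only once. TEC's event cache handling of non-deterministic arrival order is not modelled; the toy assumes events arrive in time order.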

            Risk Manager Configurations: n-Tiered Physical Architecture

       [Diagram, rendered as tiers from the monitored sources upward; DMZ A, DMZ B and the
        XYZ Intranet are separated by Firewalls]
       1.   Network IDS, Host IDS, Firewalls, AntiVirus, etc.
       2.   RM Event Adapters (framework or non-framework based)
       3.   RM Summation Adapter (Local or Remote) (optional)
       4.   TEC Gateway (framework based agents) / Distributed Intermediate Server (optional)
       4-n. Distributed Intermediate Server (AIM) (optional)
       5.   Regional Risk Manager
       6-n. Top Level Risk Manager
       RM Console; Tivoli Decision Support RM Guides

              Automated Responses / Extensibility

     • Tasks supplied to run on monitored endpoints –
       manually or in response to an alarm.
        – Examples:
            • Log, Block, Unblock connections from/to source/destination connections
              on a firewall
            • Disable user on a UNIX/Windows server
            • Run a command on a remote node (e.g. page, email)
            • Stop/Start an event adapter
     • Risk Manager Event Integration Facility
        – Incorporate additional sources of suspicious activity into Risk Manager
        – Included with the product with documentation and sample adapter,
          using existing event classes
     • Extensive Tuning/Configurability
        – Extensive configuration parameters to tune weightings, thresholds,
          decay, etc.

     Tivoli Decision Support: Risk Management Guide

     • Cognos and Crystal Report based, applied to alert data
     • Interactive analysis: slice, dice, filter, drill through to detail
     • Ad-hoc analysis and historical trends on collected alerts
     • Publishing to WEB

     Firewall Statistics

     Intrusion Detection Analysis

Introducing Intrusion Manager
                       Tivoli Intrusion Manager

     • What it is:
        – Existing Risk Manager Rulebase and Event Adapters, Availability
          Intermediate Manager (AIM), Crystal Reports
        – Removes TEC (framework), TDS (Cognos) to simplify and reduce OEM
        – Wintel based only (see next slide for RM/IM comparison)
     • Targeted for mid-market, sold through Tivoli Business
     • Simplified installation and deployment

     Intrusion Manager and Risk Manager Feature Comparison

     • Risk Manager Features:
        – Provides an Enterprise security solution to monitor, view, and MANAGE
        – Provides secure communication between server and adapter
        – Leverages scalability of TEC/AIM
        – Provides a variety of predefined reaction tasks
        – Allows the ability to build and edit rule bases using the TEC
        – TDS gives ability to perform three dimensional reporting
        – Provides cross-platform support

     • Intrusion Manager Features:
        – Provides the mid-market a solution to monitor and throttle events
        – Limited scalability; one server with fixed number of adapters
        – Static, best practice, generic rule base
        – Crystal Reports (flat two-dimensional reporting) gives the customer a
          subset of the reports in the TDS guide
        – Only a Win32 solution for the server, console, and Crystal Reports
        – Shipped with DB2 UDB; compatible with Oracle and SQL Server

                         Intrusion Manager Events

     • Oct. 24 Webcast: Defending eBusiness Applications
       Against Cyber-Attacks with Tivoli Intrusion Manager

     • Tivoli Intrusion Manager Seminar Series
        –   Nov. 1: Toronto, Ont.
        –   Nov. 13: Vancouver, B.C.
        –   Nov. 15: Winnipeg, Man.

                   Security Business Partners

     • Full Range Security Services Providers (including
       product deployment)
        – IBM Global Services
        – Deloitte & Touche
        – SRA International
     • Product Deployment Service Providers (Canada)
        –   SpectrumWay
        –   Enhance Systems
        –   Blue World
        –   Others…

                               Additional Resources

     • Documentation on Tivoli SecureWay Risk Manager
        – White-Papers “Tivoli SecureWay Risk Manager Product Overview”, “The
          Value of an Enterprise Risk Management Service”
        – Redbook “Correlating Enterprise Risk Management”

     • Intrusion Detection
        – Intrusion Detection Working Group (IDMEF, IDXP)
        – Common Vulnerabilities and Exposures
        – Analyzing IDS Data by Chris Jordan
        – The software that cried wolf - False alarms frustrate IT efforts
        – Network managers are getting swamped by a flood of data from security

                          Business Case Model Considerations

          •    Risk Avoidance
                 –   Risk = Asset ($) * Vulnerability (exposures and time) * Threat (% probability)
                 –   Money = Risk
                 –   CSI Survey: Average loss from Outsider System Penetration: $453,967 USD
                 –   CSI Survey: Probability of at least 1 incident: 55%
                 –   Average annual number of Bugtraq postings: 1400 [1]
                 –   Estimated Percentage affecting company: 5% [1]
                 –   Therefore, expect 1400 * .05 = 70 potential incidents (more than 1/week)
                 –   Do you have a Security Intelligence Service subscription?
                 –   What is the impact of a small penetration? medium? large?
                 –   What is the anticipated % of avoided penetrations as a result of earlier warnings of suspicious
                     activity, quicker response (manual or automated), more attention to incidents, better information to a
                     security analyst
                 –   How valuable in justification of security department funding would a report showing # of attempts
                     per host, what type and where they came from, etc.
          •    Productivity Gains
                 –   How many security audits/assessments performed yearly? How much time is spent on each server
                     manually analyzing tool output?
                 –   What is the time to perform security analysis per incident/month? How many are false positives?
                 –   What is the lost user productivity/revenue due to successful attack that requires downtime to
                     investigate or recover?
                 –   How much time per server devoted to patch installation, signature updates?
                 –   How much time is devoted to daily system monitoring per server? How much is NOT being
                 –   How much time is devoted to collecting security information for each server?

           Tivoli Security Management Solutions

                   Tivoli Strategic Security Areas

     Traditional                                    e-business
         Enterprise Risk Management

         Risk Manager, Intrusion Manager

         Access Management
         Policy Director, PD MQ Series, PD OS (UNIX), Privacy Mgr

         Identity Management
         Identity Director (User Administration, Security Manager)

                Tivoli Security Management Leadership

     Tivoli® Software Portfolio Wins Information
       Security Excellence Award
     Reader's Choice Award for Enterprise Security, Authorization &
       Centralized Administration Presented to Tivoli at InfoSec World

     ORLANDO--February 26, 2001--Information Security Magazine
       presented Tivoli Systems Inc., an IBM company [NYSE: IBM],
       with an Information Security Excellence Award for the Tivoli
       (Security Management) software portfolio. Tivoli won in the
       Enterprise Security Suites, Authorization and Centralized
       Administration category, beating security software from
       Axent, Computer Associates, Netegrity, Network
       Associates, PentaSafe Security Technologies and Securant.


                                   Summary

     • Understand:
        – What you are protecting, what the vulnerabilities are, what the
          threats are to assess the risk
        – What are you attempting to detect and why
        – What detection capabilities exist with existing platforms and
        – How you will respond
        – Practical “human factor” limitations to processing and managing the
     • Review/Evaluate/Modify:
        – Processes, Policies, Procedures, Best Practices
        – Technology
        – Organization
     • Implement
        – Technology and organization to support processes and policies
        – Analyze, act, react and tune


     Risk Manager Enables:
     • Enhanced customer trust and confidence through proactive
       management of e-business threats
     • Empowering the security analyst with tools from which to
       consolidate data from multiple sources into meaningful
       information, from which to intelligently respond to attacks in real
       time and use decision support tools to analyse long term trends
       from historically collected incidents
     • A single control point while providing a scalable
       infrastructure to monitor, alert, analyze, and respond to attacks
       & intrusion attempts across diverse intrusion information sources
     • Improved productivity of operations and security analysts
       by reduction and elimination of false positives and exploitation of
       automated responses

                              Final Point

     Intrusion Detection is about what we
     don’t know!!!!!

     Tivoli Risk Manager provides you with the capability to turn
       security data into knowledge, to understand what is going
       on in your business, to enable practical intrusion detection,
       and protect the assets so that you can continue doing

     Tivoli Security Management Solutions
