identity access management solution

February 2, 2007. Leveraging Information Overload for Effective Security Management. Shivaprakash, A.S, Pre Sales Head, India, Novell, ashivaprakash@novell.com

Upload: sandra4211

Post on 07-Nov-2014

Page 1: Identity Access Management solution

February 2, 2007

Leveraging Information Overload for Effective Security Management

Shivaprakash, A.S, Pre Sales Head, India, Novell, ashivaprakash@novell.com

Page 2: Identity Access Management solution

© Novell Inc. All rights reserved


Agenda

• About Novell

• Challenges Created by the Evolving Information Security Landscape

• Solutions to address these challenges

• Summary

• Demo

• Q & A

Page 3: Identity Access Management solution


Five Key Solution Areas

• 1 Security and Identity Solutions

• 2 Data Center Solutions

• 3 Resource Management Solutions

• 4 Workgroup Solutions

• 5 Desktop Solutions

Page 4: Identity Access Management solution


Novell Open Workgroup Suite

Up to 70% less than an equivalent competing solution.

Best of both worlds: open source and proprietary platforms

Backed by world-class support from Novell

Page 5: Identity Access Management solution

Evolution of Information Security Landscape

Page 6: Identity Access Management solution


IT security versus information security

Business problem

Technology problem

IT security
• Firewalls
• Intrusion detection
• Viruses, worms
• System hardening
• Encryption

Information security
• Intellectual property
• Business/financial integrity
• Regulatory compliance
• Insider abuse
• Industrial espionage
• Privacy

Source: Forrester

Page 7: Identity Access Management solution


Challenges..

Page 8: Identity Access Management solution


InfoSecurity… The Tale of Sisyphus

Wireless

Remote Access

Identity

Application

Perimeter

Page 9: Identity Access Management solution


Investments in multiple point solutions have led to lower RoI

[Diagram: enterprise network with point security products at every layer. Zones: Internet, WAN, Extranet, App Server DMZ, Public Server DMZ, VLAN 1, VLAN 2, Subnet A, Subnet B, WLAN, LAN, Perimeter, Applications. Devices and controls: WLAN VPN gateway, L2 switches, L3 switches, application switches, NIDS, HIDS, Firewall & VPN, HTTPS, SSL VPN, SSL portal, 802.1q, 802.1x. Endpoints: WLAN handset, PDA, Java smart phone. Management functions: ingress/egress bandwidth management; firewall, VPN, anti-virus, IDS; 2- and 3-factor authentication; PnP device management; removable media management.]

Page 10: Identity Access Management solution


Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128

What would you rather look at .. This ??

Page 11: Identity Access Management solution


Or This !

Page 12: Identity Access Management solution


Or This !

Page 13: Identity Access Management solution


And this !

Page 14: Identity Access Management solution


Regulations, Standards & Compliance

Page 15: Identity Access Management solution


Gazing at the Crystal Ball ..

Page 16: Identity Access Management solution


Creating Opportunity from the Chaos : SIEM

[Diagram labels: Asset, Exposures, Incidents, Intelligence]

Page 17: Identity Access Management solution


How the Solutions Work

• Transport & Aggregate
• Reduce & Normalize
• Correlate
• Report
• Archive

Security Information and Event Management
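
The Reduce & Normalize and Correlate stages named on this slide, applied to a few of the syslog lines from slide 10. This is an added example, not code from the deck or from Sentinel; the function names, the event fields and the threshold of 3 alerts are assumptions chosen for illustration.

```python
import re

# A few of the syslog lines from slide 10, embedded so this runs offline.
SAMPLE = """\
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
""".splitlines()

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?:(?P<proc>[^\s:\[]+)(?:\[\d+\])?: )?(?P<text>.*)$")
SCAN = re.compile(r"(\w+) scan from host: ([\d.]+)/\S+ to \w+ port: (\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times$")

def normalize(line):
    """Normalize: one syslog line -> flat event dict, or None if unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = dict(m.groupdict(), type="other", count=1)
    if (r := REPEAT.match(ev["text"])):
        ev.update(type="repeat", count=int(r[1]))
    elif (s := SCAN.search(ev["text"])):
        ev.update(type="port_scan", proto=s[1], src=s[2], port=int(s[3]))
    return ev

def reduce_events(events):
    """Reduce: fold duplicates and 'last message repeated N times' into counted records."""
    out, prev = {}, None
    for ev in events:
        repeat = ev["type"] == "repeat"
        key = prev if repeat else (ev["host"], ev["proc"], ev["text"])
        if key is None:                       # repeat marker with no preceding message
            continue
        rec = out.setdefault(key, dict(ev, count=0, first=ev["ts"]))
        rec["count"] += ev["count"]
        rec["last"], prev = ev["ts"], key
    return list(out.values())

def correlate(records, threshold=3):
    """Correlate: scan alerts per source, keeping sources at or above the threshold."""
    hits = {}
    for r in records:
        if r["type"] == "port_scan":
            hits[r["src"]] = hits.get(r["src"], 0) + r["count"]
    return {src: n for src, n in hits.items() if n >= threshold}
```

On the embedded lines, seven raw messages reduce to four counted records, and only 192.168.80.8 reaches the alert threshold.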

Page 18: Identity Access Management solution


Business Benefits of SIEM

• Operational Efficiency
– Monitor More Security and Compliance Controls with Limited Resources
– Measure the Effectiveness of preventative, detective, and corrective controls
• Automation of Manual Processes
– Automating Auditing Preparation and Review of systems against regulatory and internal policy
– Automate data Collection, Correlation, Reporting and Incident Response
• Demonstrate Compliance to Policy/Regulation
– Regulations require organizations to establish, document, and monitor a robust internal IT control environment
– Continuously monitoring Controls and providing notification of Policy Violations in real-time

Page 19: Identity Access Management solution


To help you focus on innovation and growth

Page 20: Identity Access Management solution


Our Solutions Have Evolved Too ..

[Diagram labels: Security Information & Event Management; Systems Management; Identity & Access Management; Comprehensive Security & Compliance]

Leveraging integration and automation to drive down cost and reduce risk

Page 21: Identity Access Management solution


[Diagram labels: Incident Response; Threat Management; Event Management; Identity Management; Policy Monitoring; Compliance; Access Control]

Page 22: Identity Access Management solution


IDC on the e-Security acquisition

In the compliance area, customers want converged solutions that encompass system, identity, access and security event management. With the acquisition of e-Security, Novell is the only vendor with the potential to proactively address business needs for a real-time, comprehensive compliance solution that integrates people, systems and processes.

-Chris Christiansen, IDC Vice President of Security Products and Services

Page 23: Identity Access Management solution


Leader with Highest Rating for “Completeness of Vision” in SIEM Magic Quadrant, 2005

“e-Security’s product architecture is supremely scalable and flexible...”

“If we had it to do over, we'd build a message bus architecture like this one [iSCALE] for scalability.”

Other SIM solutions reporting to the 451 Group Impact Report (11/10/05)

2nd Consecutive Year!

e-Security Receives Highest Rating In InfoWorld’s SEM Test

e-Security Wins 2005 Technology Innovation Award

Analyst and Industry Recognition

Page 24: Identity Access Management solution


Sentinel Product Information and Architecture

Page 25: Identity Access Management solution


• View up-to-date reports on security posture

• Eliminate manual log review and consolidation

• Identify threats in real-time

• Contain/remediate attacks quickly

• Manage risk more effectively

• Improve proof-of-compliance reporting, security metrics

• Cut compliance and security costs

• View up-to-date compliance reports on Critical IT Assets

• Eliminate manual log review and consolidation

• Support “tone at the top”

Solution Benefits

Page 26: Identity Access Management solution


Pre-defined Collectors

Firewalls: Symantec Enterprise Firewall; Check Point Firewall-1; CyberGuard; ISS BlackICE; CISCO PIX; SunScreen; Sonic Wall Sonicwall; Symantec Enterprise Firewall; WatchGuard Firebox; Juniper Netscreen

Intrusion Prevention: Symantec ManHunt; McAfee IntruShield; McAfee Entercept

Intrusion Detection (network-based): Symantec Decoy Server; CISCO IDS; NFR Sentivist IDS; Enterasys Dragon; Open Source Software Snort; Intrusion.com SecureNet; ISS RealSecure; ISS SiteProtector; Juniper Netscreen; Sourcefire Sourcefire

Intrusion Detection (host-based): Open Source Software COPS; ISS RealSecure; Tripwire; Symantec Intruder Alert Manager

Routers & Switches: Nortel all; Cisco all

Incident Management: BMC Remedy; Hewlett-Packard Service Desk

Authentication: RSA ACE; CISCO Secure Access Control Server (ACS)

Policy Monitoring: Symantec Enterprise Security Manager (ESM)

Patch Management: BMC Marimba; PatchLink

Network Management: IBM Tivoli Enterprise Console; Hewlett-Packard OpenView; BMC Patrol; Micromuse Netcool

Operating Systems: Microsoft Windows NT; Microsoft Windows 2000/3; Sun Solaris; Sun SunOS; Hewlett-Packard HP-UX; IBM AIX; Red Hat Enterprise; SuSE Enterprise; AS/400

Anti-Virus: Symantec AntiVirus; McAfee VirusScan; McAfee ePolicy Orchestrator; Trend Micro ServerProtect; Trend Micro ScanMail; Trend Micro InterScan VirusWall

ERP: PeopleSoft; SAP

Web Servers: Apache Apache; Microsoft IIS; Microsoft Proxy; Netscape Proxy

Directory Services: LDAP (standard); Active Directory

Mainframe: ACF2, RACF, Top Secret; OS/390; Z/OS; HP NonStop

Databases: Oracle; Sybase; Microsoft SQL Server; MYSQL AB; Informix; Sybase; DB/2

VPN: CISCO VPN 3030; CISCO PIX Device Manager; Nortel VPN; Check Point VPN-1

Vulnerability Assessment: ISS Internet Scanner; ISS Database Scanner; McAfee CyberCop ASaP; McAfee Foundstone; Qualys QualysGuard; Open Source Software Nessus; eEye Retina Network Security Scanner

Page 27: Identity Access Management solution


• Lower TCO

• Unmatched Performance

Page 28: Identity Access Management solution


• Build your own Collectors on the fly and collect data from ANY source

• Collect, parse, normalize and enrich events.

• Available for many sources
– Windows, Unix, AS400, Tandems
– Firewalls, VPN, Routers, Switches
– Vulnerability Scanners
– IDS/IPS/Access Control Systems
– Databases, Mainframes
– Etc

• Collect data remotely via
– Logfile, Socket, Syslog, SSL, SSH, OPSEC, SNMP, ODBC, JDBC, HTTP, WMI and more

Wizard Collection Technology

Page 29: Identity Access Management solution


• Real-time Dashboard that delivers under high event loads

• Detect and Analyze Trends, Threats, Violations

• Monitor Compliance Controls across the Enterprise

Security and Compliance Dashboard

Detect Violations Faster

Page 30: Identity Access Management solution


Automatically Retrieve Data About Event
• Vulnerability state of target
• Patch status
• Asset details
• Intelligence data on attack
• Initiate data-gathering scripts
– System details
– Full-content monitoring

Assign Incident
• Individual or Team

Accept & Verify Incident Assignment
• Continue to manage incident locally or send to external system
– Remedy or HP Service Desk

Run Eradication Scripts
• Perform active actions
– Shut down port
– Perform vulnerability analysis
– Remove foreign programs

Run Containment Scripts
• Gather host & network-based evidence
• Perform active actions

• Enable consistent, repeatable, documented response to violations
• Creates audit trail, system-of-record
• Drive metrics (e.g. “mean time to resolution”)

Resolve and Document Policy Violations Faster

Page 31: Identity Access Management solution


• Gain Needed Insight Into IT Controls
– Discover trends, anomalies
– Track and report security-related activity on assets impacted by Sarbanes-Oxley, other regulations

• Improve Proof-of-Compliance Reporting
– Demonstrate Your Organization
> Monitors activity on critical IT assets
> Identifies and analyzes security and compliance incidents
> Tracks and resolves incidents and policy violations

• Out-of-Box Reports, Configure Existing Reports, Create Your Own

Sentinel Reports: Security Metrics, Compliance Reporting

Page 32: Identity Access Management solution


Summary

“Success is a moving target and evolution is the only way forward”

Page 33: Identity Access Management solution


Demo

Page 34: Identity Access Management solution


Q & A