Utilizing Novell® Compliance Management Platform for Continuous Controls Testing and Monitoring

Mark van Reijn, Technology Specialist, idfocus/[email protected]

DESCRIPTION

Compliance used to be a periodic and mostly manual project driven by audit dates and deadlines. But those days are gone. Security threats to IT systems are real and constant. In this session, you will be guided through the architecture of Novell Compliance Management Platform and will learn how to set up continuous compliance for a particular set of IT controls. Highlights of the session include instructions on how to:

1. Select controls for continuous compliance
2. Set up data collection from IT systems under scrutiny
3. Integrate identity information into collected security data
4. Set up detection mechanisms (correlation rules)
5. Define actions (remediation rules) and reports

TRANSCRIPT

Page 1: Utilizing Novell® Compliance Management Platform for Continuous Controls Testing and Monitoring

Mark van Reijn, Technology Specialist, idfocus/[email protected]

Page 2: Agenda

© Novell, Inc. All rights reserved.

• Organizational risk management
– It's all about balance

• Information security controls and standards
– COSO, CobiT, ISO/IEC 2700x

• Novell® Compliance Management Platform (CMP) components and architecture

• Bringing it together in 4 steps
– Select controls
– Collect data
– Set up detection mechanisms
– Define actions and reports

Page 3: About the Session Level

Getting from business babble to tech talk

• Some affinity with regulations and governance frameworks assumed

• Familiarity with Novell® Compliance Management Platform Products assumed

– Especially Novell Sentinel™

• Technical content (solution pack) is available online

Page 4: Organizational Risk Management

Page 5: Risk Management: What Is It?

How much risk are you willing (or allowed) to take?

• Some risk is necessary in order to make a profit

– Eliminating all risk is too costly in terms of time and resources

• Balance between probability and impact

• Identify acceptable risks versus risks that need to be mitigated

• Only some critical environments might try to evade all risks

– For example, where human life is at stake

Page 6: Risk Management: What Is It? (cont.)

How can organizations prioritize their risks?

• Assess the risks and determine their dimensions

– Probability between 1-99%

– Impact on critical factors such as cost or time (or health)

• Plot risk dimensions on a chart

– The line indicates the boundary of acceptable risks

– Develop a response for all others

[Chart: Probability of Occurrence (Low to High) plotted against Impact of Risk (Low to High), with regions labelled Low-level Risk, Medium-level Risk and Critical Risk]
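As an added illustration (not from the presentation), the following Python models the chart above: each risk is placed by probability and impact, the acceptance boundary is modelled as an iso-exposure line (probability times impact, which is an assumption, since the slide does not define the line's shape), and every risk above the line comes out ranked for a response. The risk register values are constructed.

```python
# Constructed risk register: probability in percent (1-99, as on the slide),
# impact scored 1-10 on the critical factor (cost, time or health).
RISKS = [
    {"name": "Shared admin password on file server", "probability": 60, "impact": 7},
    {"name": "Unpatched VPN concentrator", "probability": 30, "impact": 9},
    {"name": "Backup tape left in unlocked cabinet", "probability": 10, "impact": 4},
    {"name": "Visitor tailgating into lobby", "probability": 80, "impact": 1},
]


def exposure(risk):
    """Probability (as a fraction) times impact: the risk's position on the chart."""
    return risk["probability"] / 100.0 * risk["impact"]


def classify(risk, accept=1.0, critical=3.5):
    """Place a risk relative to the acceptance line.

    Assumption: the boundary line on the slide is modelled as an iso-exposure
    curve p*i = accept. Everything below it is acceptable (low); everything
    above the critical curve must be answered first.
    """
    e = exposure(risk)
    if e < accept:
        return "low"
    if e < critical:
        return "medium"
    return "critical"


def response_plan(risks, **thresholds):
    """Return the risks that need a response, highest exposure first."""
    needing = [r for r in risks if classify(r, **thresholds) != "low"]
    return sorted(needing, key=exposure, reverse=True)


if __name__ == "__main__":
    for r in RISKS:
        print("%-40s exposure=%.2f -> %s" % (r["name"], exposure(r), classify(r)))
    print("Respond to:", [r["name"] for r in response_plan(RISKS)])
```

Moving the `accept` threshold is the management decision the slide describes: raising it widens the acceptable region and shortens the response list, which is exactly the trade-off between risk appetite and mitigation cost.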

Page 7: Risk Management: When?

Most organizations have some sort of Risk Management in place

• This may be internally or externally imposed

– Regulations

– Standards framework

• Often for high financial risks or key projects

Page 8: Information Security Controls and Standards

Page 9: Control Frameworks and Standards

Many regulations and governance frameworks deal with risk management

• COSO

– Organizational governance

– Business ethics

– Risk control model

– Financial reporting

Page 10: Control Frameworks and Standards

Only a subset of most frameworks and regulations relate to IT

• CobiT

– Control framework for IT governance

– Link business goals to IT goals

– Define KPI from targets

• ISO/IEC 27002

– Code of practice for information security management

Page 11: Risk Management is often linked to IT Security

Obligatory quote:

“All Security Involves Trade-offs” (Bruce Schneier)

Page 12: Steps Towards Control Monitoring

• Get organized
– Understand control objectives
– Classify and prioritize systems and applications
– Implement an Identity and Access Management program

• Determine appropriate control levels
– Reasonable
– Enforceable
– Auditable

• Determine control types
– Protective
– Detective
– Corrective

• Envision integration

Page 13: Novell® Compliance Management Platform (NCMP) Components and Architecture

Page 14: Automation and Validation: Supporting Governance, Risk Management, and Compliance

Identity and Access Management

• Roles, rules, work-flows, and approval processes

• Identity integration and life-cycle management

• Authorization and access

• ESSO

Security Information and Event Management

• Audit and reporting

• Activity monitoring

• Event correlation

• Validation and remediation

Page 15: Compliance Management Platform: Security, Access and Provisioning Challenges

[Diagram of the challenges: Secure Web Access, User Provisioning, Security Information Management]

Page 16: Compliance Management Platform: Modular Product Set

Solutions: tightly integrated compliance and governance solutions

• Novell® Access Manager

• Novell® Identity Manager

• Novell® Sentinel™

Page 17: Replace manual processes with automated IT controls, monitoring and reporting

[Diagram: logs from workstations and servers, security devices, applications, network infrastructure and databases, plus identity data from Novell Identity Manager, feed Novell® Sentinel™, which monitors, remediates and reports]

Page 18: What is Novell® Sentinel™ Anyway?

Sentinel is a system for security information and event management:

• Sentinel gathers security events, and then normalizes, displays, correlates, stores and reports on them to support both manual and automated security and business process management.

• Sentinel attempts to turn data into actionable information via normalization, graphical displays, addition of business relevance information, and correlation.

Page 19: Sentinel™ Process Summary

Collect ➔ Normalize ➔ Monitor ➔ Respond ➔ Report

Page 20: Novell® Sentinel™ Components

Collector managers and collectors

Correlation engine

Sentinel control center

Active views dashboards

iTRAC incident remediation system

Data repository

iSCALE message bus

Pages 21-25: Novell® Sentinel™ Architecture

[Architecture diagram, built up over five slides, showing four layers from the event sources at the bottom to data processing at the top]

Event Sources (external event sources, grouped as on the diagram)
– Security perimeter: VPN, firewall, network IDS, host IDS, antivirus
– Referential IT sources: vulnerability management, patch management, asset management, identity management
– Operating systems: domain controller, mainframe, laptops, workstations, servers
– Application events: RDBMS, business apps, custom events

Data Collection
– Collector Managers, each running several Collectors that parse and normalize events, assign taxonomy, add business relevance and perform exploit detection

Communication Channel
– Publish/subscribe channels between the collection layer and the processing layer

Data Processing
– Correlation, Sentinel Control Center, Remediation Workflow, Repository

Page 26: Bringing It Together

Page 27: Four Steps Towards Control Automation

1. Select the desired controls to monitor
– Largely dependent on regulations and risk management

2. Identify and collect the needed information
– Security logs, identity information

3. Identify and implement detection mechanisms
– Typically, correlation rules in Sentinel

4. Define actions and reports
– Without some form of incident management or mitigation the previous steps are useless

Page 28: 1. Select Controls

Common Threats

• Non-person accounts (typically un-managed)

– Standard accounts

– Privileged users*

– Service accounts

• Contingency workers, temp workers

• Misconfiguration

• Data exposure

Page 29: 2. Identify and Collect Information

• Depending on the control or regulation, systems may or may not be in scope
– Epic example: financial systems are in scope for SOX
– The list of systems will follow from the selected controls

• Collecting event data is not enough
– Need business relevance and context

• Sentinel will enrich events with external information
– Asset data
– Identity data
– Other business information

Page 30: Normalization and Context

Two raw events arrive in different formats:

Dragon IDS (data items separated by pipes):

2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|10.10.10.241|1031|I|---AP---|6| tcp,sp=11711,dp=1031,flags=---AP---|

PIX Firewall (standard syslog format):

9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) from 20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK on interface outside

After normalization both appear in one table with common columns (Product Name, Event Name, SIP, SP, DIP, DP, i.e. source/destination IP and port) and are enriched with context columns (Location: Atlanta, Chicago; Dept: Finance, IS).
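Added example, not code from the presentation or from Sentinel: a small Python normalizer for the two raw formats shown above, followed by the enrichment step that attaches department and location from an asset table. The Dragon column layout is inferred from the sample line rather than taken from a Dragon specification, the event-name mapping is my own, and the asset table is constructed.

```python
import re

# Constructed samples: the two raw events shown on the slide (PIX line with the
# space after "from" restored).
DRAGON_LINE = ("2004-08-20 16:12:56|doldrgn1|dragonserver|10.10.10.240|11711|"
               "10.10.10.241|1031|I|---AP---|6| tcp,sp=11711,dp=1031,flags=---AP---|")
PIX_LINE = ("9/10/04 5:05:29 PM, 10.10.10.1 %PIX-6-106015: Deny TCP (no connection) "
            "from 20.97.173.18/2182 to 10.10.10.10/63228 flags SYN RST PSH ACK "
            "on interface outside")

# Constructed asset/identity context keyed by destination IP (assumption: in a
# real deployment this comes from the asset and identity management sources).
ASSETS = {
    "10.10.10.10": {"dept": "Finance", "location": "Atlanta"},
    "10.10.10.241": {"dept": "IS", "location": "Chicago"},
}

# "from\s*" tolerates the missing space seen in the extracted slide text.
PIX_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<action>Deny|Permit) (?P<proto>\w+)"
    r".*?from\s*(?P<sip>[\d.]+)/(?P<sp>\d+) to (?P<dip>[\d.]+)/(?P<dp>\d+)"
)


def parse_pix(line):
    """Normalize a PIX syslog access message into the common field set."""
    m = PIX_RE.search(line)
    if not m:
        raise ValueError("not a PIX access message: %r" % line)
    return {
        "product_name": "PIX Firewall",
        "event_name": "%s %s (PIX-%s)" % (m["action"], m["proto"], m["msgid"]),
        "sip": m["sip"], "sp": int(m["sp"]),
        "dip": m["dip"], "dp": int(m["dp"]),
    }


def parse_dragon(line):
    """Normalize a pipe-delimited Dragon IDS line into the common field set.

    Assumed column layout (inferred from the sample, not from a Dragon spec):
    timestamp|sensor|host|sip|sp|dip|dp|direction|flags|ip_proto|detail
    """
    f = [x.strip() for x in line.split("|")]
    if len(f) < 11:
        raise ValueError("unexpected Dragon field count: %d" % len(f))
    proto = f[10].split(",")[0].upper()  # "tcp" -> "TCP"
    return {
        "product_name": "Dragon IDS",
        "event_name": "%s flags %s" % (proto, f[8]),
        "sip": f[3], "sp": int(f[4]),
        "dip": f[5], "dp": int(f[6]),
    }


def enrich(event):
    """Attach department and location looked up by the destination asset.

    Unknown assets are flagged rather than dropped, so a gap in the asset
    inventory shows up in reports instead of hiding the event.
    """
    ctx = ASSETS.get(event["dip"], {"dept": "UNKNOWN", "location": "UNKNOWN"})
    return dict(event, **ctx)


def normalize(line):
    """Pick the parser from the raw format, then add business context."""
    if "%PIX-" in line:
        event = parse_pix(line)
    elif line.count("|") >= 10:
        event = parse_dragon(line)
    else:
        raise ValueError("unknown event format: %r" % line)
    return enrich(event)


if __name__ == "__main__":
    for raw in (DRAGON_LINE, PIX_LINE):
        print(normalize(raw))
```

The two parsers are deliberately independent of each other; what makes the output usable for correlation is that both emit the same six field names, so a rule written against `sip` or `dp` works whichever product produced the event.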

Page 31: Taxonomy

Page 32: 3. Detection Mechanisms

• Violation of policy and / or suspicious activity should be detected

• Correlate normalized events

• For example, check account names for authentication events against a blacklist

• These rules are the true implementation of corporate policy (business rules)

Page 33: 4. Define Actions and Reports

• When violations are detected, actions or incidents may be triggered

• Actions can be fully automated
– Novell® Sentinel™ triggers account disable in Identity Manager

• Actions may require manual intervention
– Sentinel triggers workflow in Identity Manager which asks for a human decision

• Incidents ensure registration of the event and the subsequent handling process

• Reports can include violations, incident management data or overviews of regular critical events

Page 34: Compliance Management Platform Actions (Novell® Sentinel™)

• LDAP Remediation

– Provides a method to update the Identity Vault through correlation/remediation

> Not limited to Novell® Identity Vault – can update any LDAP directory

• SOAP Remediation

– Provides a method to update the Identity Vault through correlation/remediation

> Not limited to Novell Identity Vault, can update any SOAP end-point

Page 35: iTRAC Incident Management

[Workflow diagram; the legend distinguishes manual activities from automatic activities]

Stage 1: Assign a user or role to the activity
– Start → Check User Assignments → Assign User → Accept Incident → Verify Incident Assignment

Stage 2: Perform data collection
– Confirm Start Data Collection → Data Collection → Confirm End Data Collection

Page 36: Report Types

High Level

Trends

Detailed

Page 37: Reporting - Data Categories

Data access

Network access

Authentication

Authorization

User/group management

Password management

Patch management

Scanning activity (AV / VA)

Data integrity (transport) – VPN, etc...

Page 38: Summary

Page 39: Getting to Compliance Automation

• Get organized on compliance
• Determine appropriate control levels
• Determine control types
• Envision integration
• Follow the four-step implementation of monitoring

1. Select the desired controls to monitor
2. Identify and collect the needed information
3. Identify and implement detection mechanisms
4. Define actions and reports

Page 41: Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.