<?xml version="1.0" encoding="UTF-8" ?>

<rss version="2.0"
  xmlns:ent="http://www.purl.org/NET/ENT/1.0/"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
  <title>The Lazy Genius</title>
  <link>http://blog.xavier.ashe.com/blog</link>
  <description>The Lazy Genius is an information security blog from the independent information security consultant, Xavier Ashe. Here you will find an abundance of information security, network security, and privacy information, much of which cannot be found through normal news outlets.</description>
  <language>en-us</language>
  <lastBuildDate>Sat, 17 May 2008 02:31:07 -0400</lastBuildDate>
  <category domain="http://blog.xavier.ashe.com/blog/IBM">IBM</category>
  <generator>Blogware</generator>
  
  <item>
    <dc:creator>Xavier Ashe</dc:creator>
    <title>Best practices for IT security management</title>
    <link>http://blog.xavier.ashe.com/blog/_archives/2008/2/26/3546632.html</link>
    <guid>http://blog.xavier.ashe.com/blog/_archives/2008/2/26/3546632.html</guid>
    <pubDate>Tue, 26 Feb 2008 12:11:03 -0500</pubDate>
    <description>&lt;p&gt; The nuts and bolts of an information risk management (IRM)
framework are best put in place long before you install the technology.
But it&#39;s never too late to mitigate business risk by working out the
mechanics of functions, requirements and controls. Discover and report
on the right priorities, and you can construct a framework for making
well-informed decisions. &lt;/p&gt;
		&lt;p&gt;
			Read &lt;a href=&quot;https://www14.software.ibm.com/webapp/iwm/web/pick.do?source=swg-itsec2&amp;amp;S_PKG=GISME20208ECSO&amp;amp;tcode=107BU0CE&quot;&gt;&lt;strong&gt;Five steps to building information risk management frameworks&lt;/strong&gt;&lt;/a&gt; and &lt;a href=&quot;https://www14.software.ibm.com/webapp/iwm/web/pick.do?source=swg-itsec2&amp;amp;S_PKG=GISME20208ECSO&amp;amp;tcode=107BU0CE&quot;&gt;&lt;strong&gt;Developing Controls for People, Processes and Technology&lt;/strong&gt;&lt;/a&gt; by Forrester analyst Khalid Kark, who details how to build a sound IRM solution in your organization, including:
			&lt;br&gt;&lt;br&gt;
			&lt;table border=&quot;0&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; width=&quot;420&quot;&gt;
			&lt;tbody&gt;&lt;tr&gt;
				&lt;td rowspan=&quot;4&quot;&gt;&lt;img src=&quot;http://www.ibm.com/i/c.gif&quot; alt=&quot;&quot; height=&quot;1&quot; width=&quot;20&quot;&gt;&lt;/td&gt;
				&lt;td valign=&quot;top&quot;&gt;&lt;img src=&quot;http://www.ibm.com/vrm/images/vrmhost/systemz/red_bullet.gif&quot; alt=&quot;&quot; height=&quot;11&quot; width=&quot;10&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;img src=&quot;http://www.ibm.com/i/c.gif&quot; alt=&quot;&quot; height=&quot;1&quot; width=&quot;4&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;strong&gt;Defining domains for your IRM framework&lt;/strong&gt;&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
				&lt;td valign=&quot;top&quot;&gt;&lt;img src=&quot;http://www.ibm.com/vrm/images/vrmhost/systemz/red_bullet.gif&quot; alt=&quot;&quot; height=&quot;11&quot; width=&quot;10&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;img src=&quot;http://www.ibm.com/i/c.gif&quot; alt=&quot;&quot; height=&quot;1&quot; width=&quot;4&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;strong&gt;Three questions to ask when assessing the criticality of IRM requirements&lt;/strong&gt;&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
				&lt;td valign=&quot;top&quot;&gt;&lt;img src=&quot;http://www.ibm.com/vrm/images/vrmhost/systemz/red_bullet.gif&quot; alt=&quot;&quot; height=&quot;11&quot; width=&quot;10&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;img src=&quot;http://www.ibm.com/i/c.gif&quot; alt=&quot;&quot; height=&quot;1&quot; width=&quot;4&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;strong&gt;Overcoming two significant challenges in defining security metrics programs&lt;/strong&gt;&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
				&lt;td valign=&quot;top&quot;&gt;&lt;img src=&quot;http://www.ibm.com/vrm/images/vrmhost/systemz/red_bullet.gif&quot; alt=&quot;&quot; height=&quot;11&quot; width=&quot;10&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;img src=&quot;http://www.ibm.com/i/c.gif&quot; alt=&quot;&quot; height=&quot;1&quot; width=&quot;4&quot;&gt;&lt;/td&gt;
				&lt;td&gt;&lt;strong&gt;Converging physical and logical security through process collaboration&lt;/strong&gt;&lt;/td&gt;
			&lt;/tr&gt;
			&lt;/tbody&gt;&lt;/table&gt;
			&lt;/p&gt;&lt;p&gt;
Kark is a principal analyst at Forrester Research. His research focuses
on information risk management strategy, governance, best practices,
measurement and reporting. &lt;/p&gt;
		 This expert advice is part of a continuing series on
IBM best practices for IT security management. IBM security services
and solutions such as Tivoli®, Internet Security Systems™, and
Rational® enable customers to better manage their infrastructure,
operations and IT processes.</description>
    
    <category domain="http://blog.xavier.ashe.com/blog/Security">Security</category>
    
    <category domain="http://blog.xavier.ashe.com/blog/IBM">IBM</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>Xavier Ashe</dc:creator>
    <title>PCI compliance drives identity management spending, says IBM&#39;s GRC chief</title>
    <link>http://blog.xavier.ashe.com/blog/_archives/2008/2/19/3533513.html</link>
    <guid>http://blog.xavier.ashe.com/blog/_archives/2008/2/19/3533513.html</guid>
    <pubDate>Tue, 19 Feb 2008 15:58:18 -0500</pubDate>
    <description>Great interview with Kristin Lovejoy, the director of IBM Governance and Risk Management Strategy over &lt;a href=&quot;http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1301366,00.html&quot;&gt;at Information Security Magazine&lt;/a&gt;.&lt;br&gt;&lt;br&gt;&lt;div style=&quot;margin-left: 40px;&quot;&gt;&lt;b&gt;When Consul was acquired, how difficult was the technology integration?&lt;/b&gt;&lt;br&gt;Kristin
Lovejoy: There was a good bit of integration work that had to occur.
Most of it was around assuring that the product offering met the
scalability requirements that had to be defined by IBM. IBM&#39;s
acquisition of the technology undergoes a blue-washing process. The
blue-washing process assures that the technology sold to IBM customers
is not packaged with any kind of code that is not documented—no open
source components. Also the database infrastructure had to be reworked
and released for DB2.&lt;br&gt;&lt;br&gt;&lt;b&gt;You&#39;ve been viewed as a leader in driving the implementation of
auditing as a required step in identity and access management. Talk
about the importance of auditing.&lt;/b&gt;&lt;br&gt;Lovejoy: Of course it was
Sarbanes Oxley where the concept was initiated. Section 404 required
organizations to not only look at their business controls but also
their IT controls. It points to a requirement that organizations adopt
a control framework within the finance, accounting organization, making
sure there&#39;s no conflict of interest. Sarbanes Oxley made people say
trust is ok but now I have to verify. We saw a lot of companies want to
be able to monitor privileged users such as database administrators and
developers. They wanted to ensure that those that were working in the
preproduction environment were only working in the preproduction
environment.
&lt;p&gt;In addition to Sarbanes Oxley, there have been over time lots
of requirements like PCI DSS and HIPAA that require you to do audit
logging. These requirements, which always said you need to maintain the
logs, are now beginning to indicate that it&#39;s not simply collecting
logs, but you also have to be able to review the activity in logs and
identify areas of potentially anomalous activity.&lt;/p&gt;&lt;br&gt;&lt;br&gt;&lt;/div&gt;&lt;a href=&quot;http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1301366,00.html&quot;&gt;Read More&lt;/a&gt;.&lt;br&gt;</description>
    
    <category domain="http://blog.xavier.ashe.com/blog/Security">Security</category>
    
    <category domain="http://blog.xavier.ashe.com/blog/IBM">IBM</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>Xavier Ashe</dc:creator>
    <title>New IBM Redbook - Deployment Guide Series: IBM Tivoli Compliance Insight Manager</title>
    <link>http://blog.xavier.ashe.com/blog/_archives/2008/2/19/3532902.html</link>
    <guid>http://blog.xavier.ashe.com/blog/_archives/2008/2/19/3532902.html</guid>
    <pubDate>Tue, 19 Feb 2008 11:03:36 -0500</pubDate>
    <description>In order to comply with government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises have to constantly detect, validate, and report unauthorized change and out-of-compliance actions on their IT infrastructure.&lt;br&gt;&lt;br&gt;The Tivoli Compliance Insight Manager v8.0 solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and a full set of audit and compliance reporting.&lt;br&gt;&lt;br&gt;We discuss the business context of security audit and compliance software for organizations, and we show a typical deployment within a business scenario.&lt;br&gt;&lt;br&gt;This is the second IBM Redbook covering IBM Tivoli Compliance Insight Manager - the first book being the &lt;a href=&quot;http://www.redbooks.ibm.com/abstracts/sg247530.html?Open&quot;&gt;Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager&lt;/a&gt;, SG24-7530.&lt;br&gt;&lt;br&gt;This IBM Redbooks publication is a valuable resource for security officers, administrators, and architects who wish to understand and deploy a centralized security audit and compliance solution.&lt;br&gt;&lt;br&gt;Download the &lt;a href=&quot;http://www.redbooks.ibm.com/abstracts/sg247531.html&quot;&gt;Deployment Guide Series: IBM Tivoli Compliance Insight Manager&lt;/a&gt;&lt;br&gt;Publish Date:&amp;nbsp;&amp;nbsp; February 15, 2008&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ISBN Number:&amp;nbsp;&amp;nbsp; 0738485705&lt;br&gt;</description>
    
    <category domain="http://blog.xavier.ashe.com/blog/Security">Security</category>
    
    <category domain="http://blog.xavier.ashe.com/blog/PersonalNote">Personal Note</category>
    
    <category domain="http://blog.xavier.ashe.com/blog/IBM">IBM</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>Xavier Ashe</dc:creator>
    <title>TSOM and TCIM Integration!  (TSIEM)</title>
    <link>http://blog.xavier.ashe.com/blog/_archives/2008/2/5/3506826.html</link>
    <guid>http://blog.xavier.ashe.com/blog/_archives/2008/2/5/3506826.html</guid>
    <pubDate>Tue, 05 Feb 2008 12:01:02 -0500</pubDate>
    <description>&lt;p&gt;Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) today are focused on prioritizing security initiatives to support their business goals, and on managing technical risk and governance.&amp;nbsp; Their organizations are challenged to both minimize security-based business disruptions and ensure and demonstrate compliance with privacy regulatory requirements, with a limited set of resources.&amp;nbsp;&amp;nbsp; Security information and event management (SIEM) technology can provide a solution to these challenges, and provide greater leverage of people and greater visibility of their existing security infrastructure.&lt;/p&gt;&lt;p&gt;IBM offers two complementary SIEM capabilities for security information and events:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;A real-time, network event-oriented management dashboard that facilitates attack recognition and incident management&lt;/li&gt;&lt;li&gt;An information analysis dashboard to assess how well an organization adheres to its security and governance policies &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;IBM Tivoli Security Information and Event Manager V1.0 (TSIEM) is comprised of two products:&amp;nbsp; IBM Tivoli Security Operations Manager V4.1 (TSOM) and IBM Tivoli Compliance Insight Manager V8.5 (TCIM). These products, working together, help you realize the full promise of enterprise SIEM. 
By centralizing log collection and event correlation across your enterprise, you can leverage an advanced compliance dashboard to link security events and user behavior to your corporate policies.&lt;/p&gt;&lt;p&gt;Tivoli Security Information and Event Manager delivers a comprehensive foundation to help address your SIEM requirements.&amp;nbsp; As a result, IT organizations can reduce their exposure to security breaches; collect, analyze, and report on compliance events; and manage the complexity of heterogeneous technologies and infrastructures.&amp;nbsp; TSIEM provides support for numerous applications, operating systems, security products, and network infrastructures, as well as desktop and mainframe systems. &lt;/p&gt;&lt;p&gt;Using TCIM and TSOM together provides the benefits of both products, through their complementary user-centric and network-centric perspectives.&amp;nbsp; Integration between TSOM and TCIM can provide additional unique capabilities:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Identify important audit and administrative events from the network/security infrastructure for privileged user monitoring and compliance reporting.&amp;nbsp;&amp;nbsp; This leverages the broad network and security product support of TSOM and its correlation capabilities to provide added value auditable events for use in the TCIM privileged user monitoring and audit and compliance reports.&lt;/li&gt;&lt;li&gt;Identify network-centric policy violations with TSOM, and forward these high level correlated events to TCIM for consolidated compliance dashboard and reporting and views. 
&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The integration described in this document provides the foundation to accomplish these two general use cases.&amp;nbsp; It describes the specifics of configuring TSOM to send events to TCIM.&lt;/p&gt;&lt;p&gt;&lt;a href=&quot;http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tsiem.doc/tsiem10_integration_guide.pdf&quot;&gt;Download the Tivoli Security Information and Event Manager: Tivoli Security Operations Manager and Tivoli Compliance Insight Manager Integration Guide&lt;/a&gt;&lt;/p&gt;</description>
    
    <category domain="http://blog.xavier.ashe.com/blog/Security">Security</category>
    
    <category domain="http://blog.xavier.ashe.com/blog/IBM">IBM</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>Xavier Ashe</dc:creator>
    <title>Tivoli Security Information and Event Manager</title>
    <link>http://blog.xavier.ashe.com/blog/_archives/2008/1/29/3493657.html</link>
    <guid>http://blog.xavier.ashe.com/blog/_archives/2008/1/29/3493657.html</guid>
    <pubDate>Tue, 29 Jan 2008 11:22:48 -0500</pubDate>
    <description>This product offering is the next evolution of what I&#39;ve been doing at IBM.&amp;nbsp; Finally, &lt;a href=&quot;http://www-142.ibm.com/software/dre/ecatalog/detail.wss?locale=en_US&amp;amp;synkey=X192014E92886G77&quot;&gt;a public announcement&lt;/a&gt;!!&lt;br&gt;&lt;br&gt;&lt;div style=&quot;margin-left: 40px;&quot;&gt;IBM Tivoli Security Information and Event Manager V1.0 helps IT security organizations obtain valuable security insights that your organization can act on, by:&lt;br&gt;&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Facilitating compliance by using centralized dashboard and reporting capabilities.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Helping to protect intellectual property and privacy by auditing the behavior of all users — privileged and nonprivileged.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Managing security operations effectively and efficiently with centralized security event correlation, prioritization, investigation, and response.&lt;br&gt;&lt;br&gt;IBM Tivoli Security Information and Event Manager V1.0 offers:&lt;br&gt;&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Integration and exchange of events between IBM Tivoli Security Operations Manager and IBM Tivoli Compliance Insight Manager correlation engines.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * New endpoint pricing for both security incident and audit log collection.&lt;br&gt;&lt;br&gt;Security information and event management (SIEM) is a primary concern of CIOs and CSOs in many enterprises and organizations. 
There is a need to centralize security-relevant events and analyze the consolidated data to obtain valuable security and compliance insights.&lt;br&gt;&lt;br&gt;IBM offers two complementary perspectives on SIEM:&lt;br&gt;&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * A real-time, network event-oriented management dashboard that facilitates attack recognition and security incident management.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * An information analysis dashboard to monitor how well an organization adheres to its security and governance policies.&lt;br&gt;&lt;br&gt;IBM Tivoli® Security Information and Event Manager V1.0 is comprised of two products that work closely together to help realize the full promise of enterprise SIEM: IBM Tivoli Security Operations Manager V4.1 and IBM Tivoli Compliance Insight Manager V8.5. Now you can centralize log collection and event correlation across the enterprise, and can leverage an advanced compliance dashboard and regulatory compliant reports to link security events and user behavior to corporate policies.&lt;br&gt;&lt;br&gt;Tivoli Security Information and Event Manager V1.0 delivers a foundation from which to address your SIEM requirements — now and into the future. As a result, IT organizations can lower their exposure to security breaches; control the costs of collecting, analyzing, and reporting on compliance related events; and manage the complexity of heterogeneous technologies and infrastructures. 
IBM Tivoli Security Information and Event Manager offers end-to-end capabilities including:&lt;br&gt;&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Security compliance dashboard.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Security operations dashboard for security incident management.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Real-time log aggregation, correlation, and analysis of security incidents.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * IT operations integration.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; o Recognize, investigate, and respond to security incidents automatically.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; o Streamline incident tracking, handling, and resolution.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Mainframe, operating system, application, and database audit analysis.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Privileged user monitoring and auditing (PUMA).&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; * Log management reporting.&lt;br&gt;&lt;/div&gt;&lt;br&gt;</description>
    
    <category domain="http://blog.xavier.ashe.com/blog/Security">Security</category>
    
    <category domain="http://blog.xavier.ashe.com/blog/IBM">IBM</category>
    
    
    
    
  </item>
  
</channel>
</rss>
