IBM Global Technology Services May IBM Internet Security Systems Proventia Management SiteProtector system version 2.0, SP 7.

Transcription

1 IBM Global Technology Services May 2008 IBM Internet Security Systems Proventia Management SiteProtector system version 2.0, SP 7.0 Preview Guide

2 Page 1 Executive Summary IBM Internet Security Systems (ISS) Proventia Management SiteProtector system version 2.0, SP 7.0, the new SiteProtector system release, provides significant advancements in the management of security products from IBM ISS. The new SiteProtector system SP 7.0 release helps enterprises manage, measure, and integrate security devices into the IT fabric, while heightening awareness regarding the network s overall security risk. SiteProtector system SP 7.0 supports internal and external security compliance through a more audit focused policy management workflow, offline event archival to facilitate compliance around event storage requirements, and the addition of two-factor authentication for a more secure user environment. In addition to these features, IBM has also incorporated several of the most requested enhancements as indicated by our customers. These additional enhancements include new reporting capabilities, and improvements in the area of work practice to make everyday tasks simpler and more intuitive.

3 Page 2 The SiteProtector system SP 7.0 release offers enhancements in many areas of Security Management. These enhancements affect a number of functional areas within the SiteProtector system, including the following: Upgrade Process Policy Management Audit trail and versioning Robust policy repository Locally configured agents Support for compliance oriented change control processes Event driven policy change System Health Enhanced awareness of critical systems status Identify system performance trends Highly configurable notification systems Risk Analysis and Identification Public exploit Asset risk score Common Vulnerability Scoring System (CVSS) analysis Work practice Summary portlets User interface (UI) upgrades Product update streams Vulnerability Management Automated vulnerability ticketing Scanning workflow Platform integrations and enhancements On-demand MSS IBM Security Event and Log Management Service integration Reporting Two-factor authentication support SecureSync Agent communications One-Trust licensing Event and Asset application programming interface (API) Platform support

4 Page 3 1. Upgrade Process The upgrade to version 2.0 SP 7.0 is only available for systems currently running version 2.0 SP 6.1. Once the upgrade is complete, the new enhancements will be immediately apparent. In the past, migrating from one version to the next was performed completely through the client interface. With the version 2.0 SP 7.0 release, the initial download is accomplished in the same manner as before; however, once the upgrade package is downloaded to the application server, users will log in to the Application Server operation system (OS) and then run the upgrade directly from the Application Server OS. The benefit of running the upgrade directly from the Application Server is that it provides for greater visibility and interaction during the upgrade process.

5 SiteProtector SP 7.0 Page 4 2. Policy Management In the SiteProtector system SP 7.0 release, IBM ISS made several changes to the policy management feature based on user feedback from the previous versions. This feedback provided the framework for implementing audit based change control grounded in common practices found in many of today s most secure IT environments. The goal of these changes, is to provide a staged approach to policy change, and also to provide an audit trail for simplified compliance management Figure 1: Policy Management - Policy Repository

6 Page 5 Audit trail and versioning In the previous release of SiteProtector (SiteProtector system version 6.1), policies were structurally organized in groups and could be deployed or modified offline. While this allowed for simplified modification, it also created problems with audit trails as required by most of today s security regulations. In the SiteProtector system SP 7.0 release, the policy repository is independent of the group tree, and each policy can be given a meaningful name to help identify its purpose and use. As policies are modified, a version history is created and stored. This means that at any time, a previous version of a policy can be easily redeployed, and an audit trail of all policy changes is enforced. Version Comments easily viewed to reveal analysts notes regarding policy change. Actions can be performed against all previous versions of a policy Figure 2: Policy Management Audit Trail and Versioning

7 Page 6 Robust policy repositories New to the SiteProtector system SP 7.0 release, is the introduction of a policy repository along with agent policies that contain shared objects. These shared objects are used by multiple agent policies rather than each policy having objects designed specifically for that one agent. Example: The Response Objects policy contains , simple network management protocol (SNMP) and other objects that are used in multiple policies. To simplify policy management, shared objects policies are not versioned, nor can multiple copies of them exist in the same policy repository. For environments where multiple copies of these policies are desired, due to segregation of policy management or because of another dynamic at work, then creating multiple policy repositories for segmented policy management is a useful solution. At any point in the group tree, a new policy repository can be created and used by the child group structure. Drag and drop policies from one repository to the other Independent policy repositories for different areas of the organization or customers Figure 3: Policy Management - Multiple Repositories

8 Page 7 Locally configured agents At the bottom of the policy tree is a section defined as locally configured agents. This section of the screen denotes network devices whose policies differ from the group(s) where they reside. Modifying the group policy for a particular device is performed by selecting a particular device and then selecting the Local Settings Override SiteProtector Group Settings during the agent registration process as the network appliance registers itself with the SiteProtector system. Figure 4: Policy Management - Locally Configured Agents

9 Page 8 Event driven policy change The SiteProtector system collects security events from the following protection devices and software: IBM Proventia Network Intrusion Detection System (IDS) IBM Proventia Network Mail Security System IBM Proventia Server Intrusion Prevention System (IPS) IBM RealSecure Server Sensor IBM Proventia Network Intrusion Prevention System (IPS) IBM Proventia Desktop Endpoint Security IBM Proventia Network Enterprise Scanner IBM Internet Scanner software IBM Proventia Network Anomaly Detection System (ADS) Thanks to the broad detection and intelligence capabilities of the SiteProtector system, SP 7.0 allows users to create a Central Response rule for use when certain event triggers are detected on the network. When a particular trigger is detected, the system can intelligently deploy and enforce a policy specified for any particular device or group of devices it manages.

10 Page 9 An example of such an implementation could include a Central Response rule that modifies a host or network firewall policy when a port-level event has been detected that violates established policy. A Central Response rule can be triggered on any SiteProtector event, providing administrators with the ability to customize policy responses based on their particular needs and environmental situation. Policy change is carefully articulated to only affect specified agents and policies Figure 5: Policy Management - Event Driven Policy Change

11 Page System Health SP 7.0 includes a new System Health feature for the SiteProtector system. Now all SiteProtector system components can report and display their System Health Status in the Console. In future releases IBM intends to offer additional Agent types, and each Agent type will also incorporate the System Health feature. The Health Status feature is dynamic not static meaning that if a particular device s health status changes, the SiteProtector system can be configured to generate an alert or a notification (either via a console icon message to logged in users, or via an ) in response to the change. Some health checks also include utilization measurements. For these, thresholds can be tied to a health level based on the utilization percentage or based on a hard number. Example: A database health status indicator can be set to generate a failure alert when the database grows to 80 percent of its total capacity. or Similarly, if a database is only allowed 100GB of disk space, a failure alert can be generated when the total utilization exceeds a hard number, such as 75GB.

12 Page 11 This feature allows the user to drill down and see exactly why a particular component appears as Unhealthy, Offline, or Stopped in the SiteProtector system Console. In many instances, the alert will be accompanied by a suggested corrective action, allowing the user to correct the problem themselves, or it can be used as a diagnostic aid when a technician is required either onsite or via remote access. Figure 6: System Health

13 Page Identifying Risk Public exploit With the release of SP 7.0, prioritizing assets based on risk, is a much simpler proposition. In the Asset tab, the Risk Index column has been modified to provide a different piece of information, described as a Public Exploit. When an exploit is developed and made available to the public, it is identified and tracked by the IBM ISS X-Force research and development team. The new exploit information is shared with the SiteProtector system and if the asset is one that the SiteProtector system has identified as having a a vulnerability that can be exploited via the Public Exploit, then a risk severity level is shown for that particular asset. Understanding which assets are vulnerable to a particular exploit is critical to understanding the overall risk of network assets and the network as a whole. Risk score The risk score, which was previously only available in the robust set of graphical reports in the reporting module, is now available in the Asset tab as well. The Risk Score is a calculation of an individual asset s potential for compromise based on several factors known by the SiteProtector system. These factors include the following: What is the criticality of the asset? How many High, Medium, and Low non-blocked attacks have targeted this asset? How many High, Medium, and Low vulnerabilities are present on this asset? Does this asset have a vulnerability that currently has a public exploit available for it? Is this host protected with a host based IPS? Has this host been scanned by Enterprise Scanner or Internet Scanner software?

14 Page 13 These risk-related factors will assist in determining the prioritization of the asset. Quickly assess the security disposition of your risk prioritized assets. Provides automated intelligence and speeds response. Figure 7: Risk Posture - Public Exploits and Risk Scores CVSS score analysis CVSS scoring is an industry standard for assessing the vulnerability of computer systems security vulnerabilities. 1 The CVSS score includes a number of factors within the scoring methodology. The amount of activity generated by an exploit in response to the vulnerability in the wild is captured in the CVSS analysis and factored into the CVSS score detailed in the vulnerability management analysis. The score provides not only the impact that the vulnerability represents, but also a relative risk posture given the activity surrounding the vulnerability. 1 CVSS,

15 Page Work Practice Summary portlets This release of the SiteProtector system includes several enhancements in the Console s Summary tab. The Available Updates portlet now dissects updates into categories by update type: Security Content, Product Maintenance and Product Features. Each category is further expanded to distinguish whether the update is for a SiteProtector system component or an Agent that is reporting to the SiteProtector system. In SP 5.2 and older versions, each group of assets within the network group tree was accompanied by a number indicating the total number of Agents active and online in the group as compared to the number of agents in total. This provided a quick glance into a group s overall Agent status. This feature was removed in SP 6.x, but it has now been included again with the release of SP 7.0. In this release, an Offline/Stopped Agents portlet has been added to the Summary tab that displays the number of offline or stopped Agents in each group. If a group has zero Agents in this state, no information will be displayed for that group in the portlet. For each portlet that displays data for a set period of time (e.g., days, weeks, etc.) the time value can now be adjusted on a per-portlet basis.

16 Page 15 The final enhancement to the Summary Portlet is the ability to view data from different modules within the SiteProtector system by simply selecting the requisite hyperlink from the Summary tab. This differs from previous versions that required users to navigate from tab to tab looking for the desired information. This feature enhancement simplifies Console navigation for the novice and expert user alike. Figure 8: Work Practice - Summary view

17 Page 16 User interface upgrades SiteProtector system SP 7.0 includes many enhancements to the Console based on feedback and requests made by SiteProtector system users. The first feature includes the ability to save the current Console layout so that it is automatically restored to the same layout the next time the Console is opened. This usability feature allows users to customize and save the look and feel of the Console to their liking. This feature can be enabled or disabled via the Tools Options menu. In the Analysis tab, cell selection and manipulation now conforms to the standards of cell selection commonly found in today s popular spreadsheet applications. This feature can also be enabled or disabled via the Tools Options menu. Restore tabs Cell selection on / off selections Figure 9: Work Practice - UI Enhancements

18 Page 17 Further changes to the Analysis tab include changes to the IP Address field. It has now been combined so that there is only one Source and one Target field instead of two fields for each as in previous versions of the SiteProtector system. You can now enter a classless inter-domain routing (CIDR) address in this field that will be translated into the appropriate IP range. To enter an IP range without using CIDR notation, users can still do so from the Filters option. There is also a hyperlink available directly from the Analysis tab that displays the filters that have been applied to the current Analysis view. Filters icon Source and Target IP field Hyperlink to display filters Figure 10: UI Enhancements IPv6 Support is also included in the Analysis tab in the SP 7.0 release. An IPv6 address can be entered in either the Source or Target IP field. IPv6 address information is also available as a data column in the Analysis field.

19 Page 18 Other changes within the Analysis tab include changes to default views and configuration. Prior to the SP 7.0 release, when the Analysis tab was selected, the Event Analysis Event Name view loaded by default. Now users can designate which view loads by default when the Analysis tab is selected and users can also configure the system to open the Analysis tab without loading any data, to facilitate faster loading of the Analysis tab view. Figure 11: UI Enhancements

20 Page Vulnerability Management Several of the day to day management features found in the Vulnerability management module have been enhanced with the SP 7.0 release. Auto ticketing Automated ticketing has been included at the group level. This allows administrators to set auto grouping rules hierarchically, or simply have one set of rules that apply to the entire organization. Grouping rules can be defined based on the vulnerability severity, CVSS score, the Asset s Criticality, OS or the function it serves within the enterprise. These rule options provide a robust ticketing result that can be tailored to individual organizational needs. In addition to configuring ticketing triggers, the system also provides a method for determining how many vulnerabilities each ticket represents and also, who receives the ticket. Figure 12: Vulnerability Management - Automated Ticketing

21 Page 20 Scanning workflow Direct access to the three key areas of scanning Scan Policy, Scan and Scan Status has been added to the action toolbar at the top of the SiteProtector system Console. These three areas provide fast access to scan policy modification, initiating a scheduled or ad-hoc scan, and monitoring the scan activity while it is in process. Additionally, selecting a single asset from the Asset tab and initiating a scan has been enhanced for simplification and ease of use. 7. Platform Integrations and Enhancements On-demand services integration All of the security products and services within IBM Security Solutions work together to simplify and tighten security operations and integration. One example of this is illustrated in the way the SiteProtector system and the IBM Security Event and Log Management Service unify agent intelligence gathering and event processing for streamlined detection and alerting processing using the new On-demand feature of the SiteProtector system. The On-demand feature lets administrators direct event information gathered by agents to the Virtual-SOC. This information is still available for viewing within the SiteProtector system console in real time and event history is stored online and available for viewing though the IBM Managed Security Services (MSS) portal.

22 Page 21 This feature is ideally suited for SiteProtector system customers that do not currently have a 24x7 network or security operations center monitoring the activity within their infrastructure. With the On-demand feature, customers can take advantage of IBM MSS during out-of-hours or during those times when staffing is not readily available, such as during holidays or during extreme weather events. Another excellent use for this service is to provide a follow-the-sun level of event monitoring even if your organization does not have staff throughout the world. Reporting enhancements Report generation and customization also received an upgrade in the SP 7.0 release. First, organizations can now replace the default IBM logo that appears on the graphical reports with their own company logo. The logo can consist of the following file types: jpeg jpg png bmp

23 Page 22 Users can now also export all or part of their data in.xls format from the Analysis, Asset, Agent and Ticket views. Many customers have a process that entails exporting data from one of the above mentioned views into a.csv format file and then into a spreadsheet. The ability to export directly to a common format such as.xls removes at least one time consuming step in the export process. Additionally, the new, enhanced cell selection feature makes it easier to select and export only the columns and rows desired within the report. This is a significant improvement from SP 6.x, where the entire Analysis view had to be exported. Figure 13: Platform integrations and enhancements - Reporting

24 Page 23 Two-factor authentication SP 7.0 now includes an interface that supports most two-factor authentication methods. This complements Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) certification authentication plug-ins that already exist within the SiteProtector system. SecureSync enhancements There have been several improvements to the SecureSync process in SP 7.0. SecureSync allows customers to transfer centralized management functionality to a secondary site in the event of catastrophic failure, network outage or disaster affecting the primary site. With these improvements, SecureSync will now create a distinct, detailed log for each activity performed during the SecureSync transfer process (e.g., import, export, release agents and manage agents). This provides users with better feedback and insight into what happens during the SecureSync process. Another change is that Primary and Secondary sites are now considered dynamic roles instead of being statically assigned to specific instances either primary or secondary of the SiteProtector system. This means administrators can now promote what was traditionally a secondary site, to primary site status in the event that the original primary site becomes unrecoverable.

25 Page 24 Agent Manager s persistent connection capabilities With the SP 7.0 release, the Agent Manager will now be able to maintain a persistent connection to some of the Agent types. Similar to setting a priority level on a device, this feature is particularly important for devices that require a high level of notification regarding device status. This feature decreases the response time of the device to accept changes and/or provide results from an initiated command. Currently, the persistent connection will work with most non-host based Agents. This feature is controlled from the Actions menu in the SiteProtector system Console. Figure 14: Platform integrations and enhancements - Persistent Connection

26 Page 25 OneTrust updates Enhancements have also been made to the Proventia OneTrust Licensing module for the SiteProtector system. With the release of SP 7.0, all SiteProtector system components can be updated using OneTrust. OneTrust is the preferred licensing mechanism for all SiteProtector system components; however, if a OneTrust license does not exist in the SiteProtector system, the traditional keys used previously will still work, provided the license is still in good standing. Event and asset API To assist third party vendors in their efforts to extract data from the SiteProtector system, SP 7.0 includes an Event and Asset API that can be used instead of the traditional model of connecting directly to the database. The advantage here is that a vendor need only write to the API once rather than having to revisit the code each time the SiteProtector system database schema changes. This feature is also helpful for those customers that have written custom applications leveraging the data within the SiteProtector system and that would like to access the information in a way that will not be susceptible to changes made by SiteProtector system product updates. Platform support SiteProtector system SP 7.0 now supports running the database on a 64-bit Windows Server 2003 operating system with a 64-bit version of SQL Server SP 7.0 also includes support for VMware ESX 3.5 in addition to the 3.0.x versions previously supported. Platform Support Notes: Both Windows Server 2000 and SQL Server 2000 will only be supported for upgrades of SiteProtector system to SP 7.0. If installing SP 7.0 on a new system, Windows Server and SQL 2000 will not be supported. The next major release of the SiteProtector system after SP 7.0 will not support Server 2000 or SQL 2000 at all. At that time, IBM will offer support for Server 2008 and SQL 2008.

27 Copyright IBM Corporation 2008 IBM Global Services Route 100 Somers, NY U.S.A. Produced in the United States of America All Rights Reserved IBM, the IBM logo, Internet Security Systems and Proventia are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Microsoft, Windows, Server and SQL are all trademarks or registered trademarks of the Microsoft Corporation in the United States and/or other countries. VMware is a registered trademark of VMware Inc. in the U.S, and other countries. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The information provided in this executive summary is for information purposes only and subject to change without notice as to the availability of specific features and functions, until such time as the product is announced.