GuardTower™ White Paper: Enterprise Security Management Systems

1 Table of Contents

1 Table of Contents
2 Introduction
3 Enterprise Security Management Systems
  3.1 ESMS Architectures
  3.2 ESMS Benefits
  3.3 Regulatory Compliance
4 GUARDTOWER
  4.1 Product Features
  4.2 Supported Devices
5 Conclusion
2 Introduction

In the early days of computing, all processing was centralized on the mainframe computer, and users connected to the mainframe from terminals, which were little more than display devices. Mainframe computer companies built information security processes and programs into their products, and RACF survives today as an example of a mainframe security tool. With the advent of client-server computing, more processing moved to the desktop, and today many corporations have a distributed, heterogeneous computing environment. Information security product vendors developed new tools to replace the security function that was well established on the mainframe, but they had to contend with different hardware platforms, operating systems, applications, and other variables. Add the Internet and the World Wide Web, along with an ever-growing number of protocols, and the information security product market space became very disparate. System and network managers once again need to control the various processes and programs (products) installed, such as firewalls, anti-virus, intrusion detection, and other functions. This was the genesis of the Enterprise Security Management Systems product market space.

3 Enterprise Security Management Systems

The end of the 1990s and the beginning of the 2000s saw a consolidation of information security product companies. These companies have the ability to create Enterprise Security Management Systems (ESMS) to control their own product set, as well as to create interfaces for third-party vendors to plug into their ESMS products, similar to the Network Management Systems available, such as Tivoli and CA Unicenter. [Note: Other terms for Enterprise Security Management Systems (ESMS) include Security Management Systems, Active Security Management, Security Information Management, and more.]

An IDC 2001 report stated that the ESMS market should be approximately $500 million in 2002, with projected growth of 20% through 2005. This is clearly a growth market given the economic reality of Q4 2002, and it shows the pent-up demand for solutions in this area.

3.1 ESMS Architectures

Enterprise Security Management Systems architectures share many of the same attributes. The following are common to the ESMS products currently available:

- Interfaces to security tools including firewalls, IDS, and anti-virus systems
- Agents to collect data from the security tools
- Databases to store the information
- Processes to perform normalization, correlation, consolidation, and analysis
- Processes to respond to threats or otherwise act
- Control consoles to view and report
- Toolkits to build interfaces to the ESMS
- Interfaces to Network Management Systems

The GUARDTOWER™ solution architecture is presented below as our example of choice for this paper.
Figure: GUARDTOWER Architecture. Input data and processing: events, vulnerability data, OS and application logs, firewalls and routers, IDS and content monitoring, anti-virus systems, and custom tools feed event correlation, normalization, consolidation, response suppression, escalation, statistical monitoring, and security posturing. Control and output data: database, display console, printed reports, graphical user interface, command line interface, and web interface.

3.2 ESMS Benefits

ESMS products can offer the following benefits:

- Improved Risk Management: integrated incident management, secure command and control, recurring vulnerability assessments, and enhanced uptime for improved business continuity.
- Security Best Practices: policy enforcement and automated escalation of security events.
- Regulatory Compliance: addresses HIPAA, GLBA, and other regulations.
- Reduced Costs: leverages current technology investments to eliminate recurring managed-services costs and to provide for more efficient operations.
- Ease of Use: GUI command and control, as well as enterprise-wide automated response.
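The normalization and correlation stages shown in the architecture above, as an added worked example (illustration only, not GUARDTOWER code): raw lines from two dissimilar sources are parsed into one common event record, vendor signature names are mapped onto one neutral name, and each alert is contrasted with vulnerability-scanner data for the targeted host. The two log formats, the signature map, the scanner results and the sample lines are constructed for this example.

```python
"""Normalization and correlation stages of an ESMS: added illustration,
not GUARDTOWER code. Log formats, signature map and scanner results are constructed."""
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Common event record that every source is normalized into.
Event = namedtuple("Event", "source src_ip dst_ip dst_port signature")
# Constructed IDS alert format (not any real vendor's syntax).
IDS_RE = re.compile(r"ALERT (?P<sig>[\w-]+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)")
# Constructed firewall key=value format.
FW_RE = re.compile(r"action=(?P<act>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)")
# Dissimilar vendor signature names mapped onto one neutral name.
SIGNATURE_MAP = {"WEB-IIS-UNICODE": "iis_traversal", "HTTP_IIS_Unicode": "iis_traversal"}
# Constructed vulnerability-scanner output: host -> weaknesses the scanner found.
VULNS = {"10.0.0.5": {"iis_traversal"}, "10.0.0.9": set()}

def normalize(line: str) -> Optional[Event]:
    """Parse one raw line from either source into a common Event, or None."""
    m = IDS_RE.search(line)
    if m:
        sig = SIGNATURE_MAP.get(m["sig"], m["sig"].lower())
        return Event("ids", m["src"], m["dst"], int(m["port"]), sig)
    m = FW_RE.search(line)
    if m:
        return Event("firewall", m["src"], m["dst"], int(m["port"]), "fw_" + m["act"])
    return None  # lines no parser understands are discarded

def priority(ev: Event) -> str:
    """Contrast an IDS alert with scanner data: high if the target is known to
    have the weakness, low if the scanner found it clean, medium if never scanned."""
    if ev.source != "ids":
        return "info"  # firewall events are context, not alerts
    known = VULNS.get(ev.dst_ip)
    if known is None:
        return "medium"
    return "high" if ev.signature in known else "low"

def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Normalize every line and attach the correlated priority."""
    events = [e for e in map(normalize, lines) if e is not None]
    return [(e.dst_ip, e.signature, priority(e)) for e in events]

# Constructed sample input: two IDS vendors' alerts, one firewall line, one junk line.
SAMPLE = [
    "ALERT WEB-IIS-UNICODE 192.0.2.10 -> 10.0.0.5:80", "ALERT HTTP_IIS_Unicode 192.0.2.10 -> 10.0.0.9:80",
    "ALERT HTTP_IIS_Unicode 192.0.2.10 -> 10.0.0.7:80", "action=drop src=192.0.2.10 dst=10.0.0.5 dport=80",
    "not a log line"]
```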
3.3 Regulatory Compliance

ESMS solution vendors often describe how these technologies help with regulatory compliance, usually detailing how they address the Health Insurance Portability and Accountability Act (HIPAA) for health care concerns and the Gramm-Leach-Bliley Act (GLBA) for financial institutions. In addition, there are other regulations such as the Children's Information Protection Act (CIPA) for K-12 educational organizations and pending legislation on cyber-crime. In all of these cases, tools that provide Information Protection capabilities can claim to help with compliance for those regulations that have requirements in this area. The regulations mentioned above each have Information Protection requirements, some with severe penalties for non-compliance, including jail time and fines. The following are brief discussions of how ESMS solutions address HIPAA and GLBA compliance.

HIPAA

The main intent of HIPAA that concerns most of us as citizens is, simply stated, to ensure that our personal medical information is kept confidential. This means that whoever has our data, whether doctors, hospitals, insurance companies, banks, pharmacies, religious groups, or any other organization, is required to keep that data confidential. Since much of this data is now electronic, Information Protection is key to compliance. Therefore, organizations that have this data (covered entities) must assess their risks, and develop, implement, and maintain a strategy to ensure compliance. These efforts and plans are basic Information Security best practices with a HIPAA-specific spin.

GLBA

This act enables financial institutions to do business in new ways, encouraging collaboration and other wide-ranging changes. Along with these changes came rules governing the security and privacy of certain data. Various U.S. government agencies are responsible for enforcement, including the Securities and Exchange Commission (SEC), the Board of Governors of the Federal Reserve System, the Federal Trade Commission (FTC), and the Treasury Department's Office of the Comptroller of the Currency (OCC). Two areas are key for data security: the use of non-public personal information and the options customers have regarding it, and IT Security Safeguards. Specifically, GLBA provides for administrative, technical, and physical safeguards for customer records and information. Again, we see basic Information Security best practices being applied to the financial sector.

Regulations do not (in most cases) define specific technologies, and they never mandate a specific vendor. Rather, rules governing data and responsibilities are defined, with enforcement to back them up. Risk assessments, auditing, reporting, due diligence, the application of technology, and other Information Protection practices are required for compliance. ESMS solutions help prove that the organization is compliant by correlating data from all of the information security technologies and processes, and by providing real-time threat management, audit trails, and reporting.
4 GUARDTOWER

In the fall of 1998, the GUARDTOWER™ Security Management System was developed for a large Secure Commerce Systems wireless telecommunications client. It had the ability to analyze vulnerability data correlated and contrasted against log data from firewalls, routers, intrusion detection engines, and anti-virus logs. By providing near-real-time alerts via cell phone and e-mail, it gave the Computer Emergency Response Teams the data they needed to defend the enterprise against malicious and unwanted attacks.

GUARDTOWER Security Correlation Appliance

The GUARDTOWER Security Correlation Appliance (SCA) has been enhanced since 1998 to support more devices and leading-edge products. The SCA is the first in a series of products providing a higher level of security assurance, defined within the GUARDTOWER Cyber Security Defense System (CSDS) and the GUARDTOWER life-cycle methodology.

4.1 Product Features

GUARDTOWER embodies the features and benefits of Enterprise Security Management Systems described in this paper. GUARDTOWER also includes features that set it apart from other ESMS solutions, including Suppression, Escalation, and Security Posturing. Brief definitions of these technologies are listed below. The feature descriptions expand in more detail on the architecture presented earlier in the ESMS Architectures section.

- Module Based Architecture: Modules are the building blocks for event unification and processing. Module types include an inbound module (syslog server), an outbound module, and a processing module (correlation engine and response engine).
- Connection Matrix: Provides internal and external connectivity of modules.
- Integrated Event Firewalling: Enforces the interconnectivity rules for event processing between modules.
- Inbound Processing: Receives events and alerts via syslog and GUARDTOWER agents.
- Multi-Tier Correlation Engine: Integrates events and alerts, maps signatures from dissimilar vendors, incorporates vulnerability data from security scanners, and utilizes threat management statistics. Special modules are added to enhance functionality, including predictive analysis and response, threat management service statistics, and vulnerability assessment data.
- Escalation: Defines how incidents are managed from the initial event through action, according to a predefined rule set.
- Response Suppression and Management: Incorporates specialized correlation processes to effectively manage the outbound processing of common and duplicate responses. Responses include common alerting options and immediate electronic containment. By defining recipients and setting suppression and escalation thresholds, administrators control the amount of user interaction required.
- Statistical Monitoring: The statistics engine monitors the activity of devices, modules, and events to identify abusive behavior by analyzing audit data that deviates from a predicted norm. As events are captured, their event IDs are determined and posted. StatMonitors are created to record event statistics, to track changes in occurrences over time, and to provide responses to those activities reaching or exceeding thresholds. Start and End times determine the duration of each monitor, and that duration is called a cycle. Once a monitor has expired it is stored and all counters are reset for the next cycle. The stored data is then used for trend analysis. A series of monitors grouped by technology can define criteria used for understanding the Security Posture of computer networks. Statistical monitoring complements rules-based intrusion detection.
- Security Posturing: Graphical and text-based output display of event and response analysis, including trending. This process helps with compliance.
- Outbound Processing: Validated security events are reformatted and sent to the User Interface and 3D Graphical Monitor for clear understanding. Incidents can be reformatted to coexist with existing legacy or custom systems, such as TIVOLI and HP OpenView.
- Appliance Chaining: Interconnects multiple SCAs for enterprise environments.
- Web-based Interface: Used for initial appliance setup.
- Command Line Interface: Uses SSH to securely connect to the SCA.
- Graphical User Interface: Used to customize correlation mapping, response suppression, inbound and outbound processing, and module configuration.

4.2 Supported Devices

The following table lists the devices supported by GUARDTOWER™.

Firewall: Check Point FW-1; Cisco PIX; Nokia IP Security Appliances
Network Intrusion Detection: Network Flight Recorder (NFR); ISS RealSecure; Cisco NetRanger; Dragon IDS; Snort IDS
Operating Systems & Host Intrusion Detection: BSDI; FreeBSD, NetBSD, OpenBSD; Linux; OpenBSD; Solaris; SunOS; Windows 2000; Windows NT
General Server Applications: Apache Web Server; Microsoft IIS*; SendMail*; SSH*; DNS*
Routers: Cisco Routers
Content Filtering: Aladdin eSafe; Trend Micro ScanMail

GUARDTOWER can support any Information Security technology via the import of log data and by building custom agents. These agents are quickly created due to the open nature of the GUARDTOWER architecture.
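The Statistical Monitoring, Escalation and Response Suppression features described in section 4.1, as an added worked example (illustration only, not GUARDTOWER code): a monitor counts one normalized event ID per fixed-length cycle, stores the count and resets its counters when the cycle expires, responds once per escalation tier reached within a cycle, and suppresses the duplicate responses in between. The cycle length, the escalation rule set and the event stream are constructed for this example.

```python
"""StatMonitor-style cycle counting with escalation tiers and response suppression.
Added illustration, not GUARDTOWER code; cycle length, tiers and events are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed escalation rule set: (count reached within one cycle, recipient), ascending.
ESCALATION: List[Tuple[int, str]] = [(3, "soc-email"), (6, "oncall-pager")]

@dataclass
class StatMonitor:
    event_id: str                 # normalized event ID this monitor counts
    cycle_secs: int               # Start..End span of one cycle, in seconds
    cycle: int = 0                # index of the cycle currently being counted
    count: int = 0                # occurrences seen in the current cycle
    tier: int = 0                 # escalation tiers already responded to this cycle
    history: List[int] = field(default_factory=list)  # stored per-cycle counts for trending

    def _roll(self, ts: int) -> None:
        """Expire the cycle when ts has moved past it: store the count, reset counters."""
        cycle = ts // self.cycle_secs
        if cycle != self.cycle:
            self.history.append(self.count)  # cycles with no events at all are not recorded
            self.cycle, self.count, self.tier = cycle, 0, 0

    def feed(self, ts: int, event_id: str) -> Optional[str]:
        """Return a response string when a new escalation tier is reached, else None."""
        self._roll(ts)
        if event_id != self.event_id:
            return None
        self.count += 1
        # Suppression: each tier fires once per cycle; repeats below the next tier are dropped.
        if self.tier < len(ESCALATION) and self.count >= ESCALATION[self.tier][0]:
            recipient = ESCALATION[self.tier][1]
            self.tier += 1
            return f"{recipient}: {self.event_id} x{self.count} in cycle {self.cycle}"
        return None

    def baseline(self) -> float:
        """Predicted norm for trend analysis: mean count over stored cycles."""
        return sum(self.history) / len(self.history) if self.history else 0.0

def run(events: List[Tuple[int, str]]) -> Tuple[List[str], StatMonitor]:
    """Feed (timestamp, event_id) pairs through one monitor; return responses and the monitor."""
    mon = StatMonitor("iis_traversal", cycle_secs=60)
    responses = [r for ts, eid in events if (r := mon.feed(ts, eid)) is not None]
    return responses, mon

# Constructed stream: seven alerts in cycle 0, an unrelated event, then one alert in each later cycle.
EVENTS = [(t, "iis_traversal") for t in range(1, 8)] + [(10, "fw_drop"), (65, "iis_traversal"), (130, "iis_traversal")]
```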
5 Conclusion

Enterprise Security Management Systems are a natural progression in the maturity of the Information Security product marketplace. ESMS can provide the command and control required by organizations to improve Information Risk Management and to comply with regulations. The GUARDTOWER™ Security Management System provides the features and benefits of ESMS solutions as well as unique technology that positions it as a market leader. This proven technology should be considered when evaluating ESMS products.