The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for the ‘IBM’ Category

Highlights from the IBM X-Force 2012 Trend and Risk Report

Posted by Xavier Ashe on March 28, 2013

Even though I am no longer an IBMer, this is still a great report to review trends.  The X-Force Blog has posted their highlights, with a link at the bottom to get the full report.  I’ve read through the report and here’s some bits I find interesting.

  • The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose. Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
  • The 2012 bank DDoS attacks appear to be coming in part not from infected PCs, but from compromised web servers that reside in high bandwidth data centers. By using security vulnerabilities in CMS systems and other popular web frameworks, the attackers were able to create a botnet of web servers that have a much longer connected uptime, as well as having more bandwidth in general, than home PCs. Because of this, they were able to use fewer bots to more effectively generate larger amounts of traffic.
  • In addition to new toolkits and botnets of infected web servers, old reliable methods such as amplification attacks are being effectively used to generate high traffic. While amplification attacks such as an Internet Control Message Protocol (ICMP) based “Smurf Attack” have been used for a decade or more, attackers continue to use the same underlying principles to generate much more traffic today. In particular, DNS Amplification has been successful due to the many open or misconfigured DNS resolver servers on the Internet.
  • Malicious code activity overall continues to grow, helped along by the combined efforts of casual attackers, insider threats, cybercrime and Advanced Persistent Threats. Figure 7 demonstrates the “arms race” that exists in computer security today, with the number of techniques to compromise systems constantly growing, being countered, and growing again.
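The DNS amplification bullet above describes the mechanism but not what it looks like from the victim's side. The following is an added example (not from the X-Force report or any IBM product) of the detection logic a SIEM rule would encode: in flow records, a host that receives large UDP source-port-53 responses from many distinct resolvers while sending almost no port-53 queries of its own is on the receiving end of reflected, amplified answers. The flow line format and all sample records are constructed for this example.

```python
"""Spot DNS amplification victims in flow records (added example, not from the report).

Assumed flow line format (constructed for this example):
    src_ip,src_port,dst_ip,dst_port,proto,bytes
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one comma-separated flow record in the assumed format."""
    src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(src, int(sport), dst, int(dport), proto.lower(), int(nbytes))


def dns_amplification_report(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Per host: DNS response bytes received, DNS query bytes sent, their ratio, distinct resolvers."""
    resp_bytes: Dict[str, int] = defaultdict(int)
    query_bytes: Dict[str, int] = defaultdict(int)
    resolvers: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:            # a resolver answering toward f.dst
            resp_bytes[f.dst] += f.nbytes
            resolvers[f.dst].add(f.src)
        elif f.dport == 53:          # f.src asking a resolver
            query_bytes[f.src] += f.nbytes
    report = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        report[host] = {
            "response_bytes": rb,
            "query_bytes": qb,
            # no queries at all is the strongest signal: every answer was unsolicited
            "ratio": (rb / qb) if qb else float("inf"),
            "resolvers": len(resolvers[host]),
        }
    return report


def suspected_victims(flows: Iterable[Flow], min_ratio: float = 10.0, min_resolvers: int = 3) -> List[str]:
    """Hosts whose inbound-answer to outbound-query byte ratio and resolver fan-in both exceed thresholds."""
    rep = dns_amplification_report(flows)
    return sorted(h for h, s in rep.items() if s["ratio"] >= min_ratio and s["resolvers"] >= min_resolvers)


# Constructed sample: one normal client talking to its local resolver, and one
# host being hit by large answers from four open resolvers it never queried.
SAMPLE_FLOW_LINES = [
    "10.0.0.5,50231,10.0.0.2,53,udp,70",
    "10.0.0.2,53,10.0.0.5,50231,udp,210",
    "10.0.0.5,50232,10.0.0.2,53,udp,68",
    "10.0.0.2,53,10.0.0.5,50232,udp,190",
    "192.0.2.11,53,203.0.113.10,80,udp,3100",
    "192.0.2.12,53,203.0.113.10,80,udp,3300",
    "192.0.2.13,53,203.0.113.10,80,udp,2900",
    "192.0.2.14,53,203.0.113.10,80,udp,3050",
    "203.0.113.10,44123,192.0.2.30,443,tcp,1200",   # unrelated TCP traffic is ignored
]

SAMPLE_FLOWS = [parse_flow(l) for l in SAMPLE_FLOW_LINES]

if __name__ == "__main__":
    for host, stats in dns_amplification_report(SAMPLE_FLOWS).items():
        print(host, stats)
    print("suspected amplification victims:", suspected_victims(SAMPLE_FLOWS))
```

The thresholds are deliberately two-dimensional: a single misbehaving resolver or a host that simply does a lot of lookups will not trip the rule, whereas unsolicited answers from several resolvers will, which is exactly the open-resolver pattern the report calls out.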

Posted in IBM, Security | Leave a Comment »

Harvard-ITSecurity / qradar-seculert-push

Posted by Xavier Ashe on December 14, 2012

What is it?

A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, upon which you can then build Rules. The beauty of this is that it shows you how to more generally push custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks. If it’s CSV, it should be an absolute breeze to import.

How does it work?

You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” API key, which you can get from your Seculert account (fantastic service, http://seculert.com), but again, this can easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands, with the “Network” ID (in this case ‘SECULERT’) and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, prune out the old SECULERT list, and merge in the new one that you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real QRadar magic).
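The convert / prune / merge chain described above is the part worth getting right, because it runs on every refresh and a bad feed line must not break the deploy. This is an added Python example of that logic; it is not the seculert_qradar.pl script from the repository, and the file layout it assumes (one entry per line, tab-separated GROUP, NAME, CIDR, with ‘#’ comment lines) is an assumption for the example, not a verified QRadar format. The two feeds, the existing file, and the OWN_NETWORKS exclusion list are all constructed here; the upload and deploy step is left to the real script.

```python
"""Prune-and-merge a threat-intel feed into a remotenet.conf-style file.

Added example re-implementing the convert / prune / merge steps in Python.
Assumed file layout (not a verified QRadar format):
    GROUP<TAB>NAME<TAB>CIDR      one entry per line, '#' lines are comments
"""
import csv
import io
import ipaddress
from typing import Iterable, List, Sequence

FIELD_SEP = "\t"

# Address space we manage ourselves (assumed for the example). A feed entry inside
# it would turn every internal flow into a "BAD network" hit, so such entries are dropped.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def feed_to_entries(feed_csv: str, group: str, name: str, ip_column: str = "ip",
                    exclude: Sequence = OWN_NETWORKS) -> List[str]:
    """Convert a CSV feed with an IP/CIDR column into GROUP/NAME/CIDR entries.

    Invalid addresses are skipped rather than aborting the run, duplicates are
    collapsed, and bare hosts become /32 (or /128) so every line carries a prefix.
    """
    entries: List[str] = []
    seen = set()
    for row in csv.DictReader(io.StringIO(feed_csv)):
        raw = (row.get(ip_column) or "").strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue                      # junk in the feed must not break the deploy
        if any(net.overlaps(own) for own in exclude):
            continue                      # never import our own address space
        cidr = net.with_prefixlen
        if cidr in seen:
            continue
        seen.add(cidr)
        entries.append(FIELD_SEP.join((group, name, cidr)))
    return entries


def merge_remotenet(existing: str, new_entries: Iterable[str], group: str) -> str:
    """Drop every existing entry whose GROUP field equals `group`, keep the rest, append the new ones."""
    kept: List[str] = []
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            if line.split(FIELD_SEP)[0] == group:
                continue                  # old SECULERT entry: pruned, will be re-added fresh
        kept.append(line)
    return "\n".join(kept + list(new_entries)) + "\n"


# Constructed feeds standing in for the two Seculert exports (CS and TIR).
CRIME_SERVERS_CSV = """ip,category,first_seen
203.0.113.7,crime_server,2012-12-01
203.0.113.7,crime_server,2012-12-02
198.51.100.0/24,crime_server,2012-12-03
10.20.30.40,crime_server,2012-12-03
not-an-ip,crime_server,2012-12-04
"""

THREAT_INTEL_CSV = """ip,description
203.0.113.200,botnet controller
"""

# Constructed stand-in for the file pulled from the console.
EXISTING_REMOTENET = """# remotenet.conf (constructed sample)
BOT\tWatchList\t192.0.2.0/24
SECULERT\tCS\t203.0.113.99/32
SECULERT\tTIR\t203.0.113.100/32
Geographic\tEurope\t198.51.100.0/24
"""


def build_merged_config(existing: str = EXISTING_REMOTENET) -> str:
    """Run the whole convert / prune / merge chain on the sample data."""
    entries = (feed_to_entries(CRIME_SERVERS_CSV, "SECULERT", "CS")
               + feed_to_entries(THREAT_INTEL_CSV, "SECULERT", "TIR"))
    return merge_remotenet(existing, entries, "SECULERT")


if __name__ == "__main__":
    print(build_merged_config(), end="")
```

Pruning by the GROUP field rather than by matching individual addresses is what makes the refresh idempotent: running the merge twice on its own output yields the same file, and an address that dropped out of the feed disappears from QRadar on the next run instead of lingering.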

Read more and get the script on GitHub.

Posted in IBM, QRadar, Security Intelligence | Leave a Comment »

IBM Tivoli Endpoint Manager Mobile Device Manager 1.3

Posted by Xavier Ashe on November 6, 2012

IBM Tivoli Endpoint Manager (TEM), built on BigFix technology, is one of my favorite IBM products to work with.  It has an elegant architecture that makes things work so well.  I usually only deal with the security functions of the tool, but it can do so much more.  The Mobile Device Manager (MDM) is one of those features that I don’t get to deploy often, but I try to stay abreast of its capabilities.

Mobile Device Management Release Notes

Site Version 47 – Nov 1 2012

MDM Feature Release 1.3
New Features:
  1. Integrated SAFE support – Integrated Samsung Approved For Enterprise (SAFE) Phase One APIs to enable additional management capabilities (such as selective app wipe, application blacklisting, and device encryption) on SAFE-enabled Android devices.
  2. Self Service Portal Redesign – Reworked the Self Service Portal (SSP) to be easier to use and much more end user friendly.
  3. Mobile Security Configuration Management Sites – MDM now includes a new batch of Center for Internet Security (CIS) Checklist sites for iOS 5.0.1, and Android 2.3 and 4. These can be enabled through the normal License Overview dashboard in BES Support.
  4. Expanded Proxy Agent Capabilities – The Proxy Agent for iOS, Lotus, and MS Exchange managed devices now supports Multiple Action Groups, Baselines, and “createfile” commands.
  5. Change Notification Dashboard – New notification dashboard to help users stay on top of the changes and improvements made to the MDM site.

Posted in IBM | Leave a Comment »

IBM Security Access Manager for Cloud and Mobile

Posted by Xavier Ashe on October 30, 2012

The new IBM Security Access Manager for Cloud and Mobile bundle brings together market leading capabilities of IBM Tivoli Federated Identity Manager Business Gateway (TFIM-BG) and IBM Tivoli Security Policy Manager (TSPM).

IBM Security Access Manager for Cloud and Mobile provides the following key capabilities:


  • Helps detect and prevent user access fraud by enforcing risk-based access control
  • Reduces costs and complexity by enabling single sign-on and federation for cloud and on-premise applications
  • Improves security posture and helps demonstrate compliance through centralized policy management

IBM Security Access Manager for Cloud and Mobile extends user access protection to mobile and cloud environments using federated single sign-on, user authentication, and risk scoring based on location, device, access pattern, etc.  IBM Security Access Manager for Cloud and Mobile provides risk-based access control from mobile end points such as smartphones and tablets so that users don’t inadvertently expose your sensitive IT assets in an unsafe environment.

IBM Security Access Manager for Cloud and Mobile helps enterprises adopting cloud-based services leverage single sign-on for secure information sharing across private, public and hybrid cloud environments.  Using IBM Security Access Manager for Cloud and Mobile, enterprises can implement a powerful mediation service for Cloud, SaaS and web services, while reducing administrative costs, establishing trust and facilitating compliance.
IBM Security Access Manager for Cloud and Mobile highlights:

  • Risk-based access control for anytime/anywhere access from mobile devices
  • Cloud Single Sign-On and Federation with easy onboarding of applications
  • Centralized Policy Management and Fine-grained Access Control

Posted in IBM, Security | Leave a Comment »

New features in QRadar 7.1

Posted by Xavier Ashe on October 29, 2012

Stolen from the QRadar 7.1 Release notes:


  • Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
    • For systems that previously used the CentOS operating system, the operating system is replaced with the Red Hat Linux 6.2 operating system.
    • For systems that previously used the Red Hat Linux 5.7 operating system, the operating system is upgraded to the Red Hat Linux 6.2 operating system.

      If your system is configured with off-board storage solutions, you are required to remount your storage solutions during the upgrade process. We recommend that you carefully read the Upgrading to QRadar Release 7.1 Guide and the Reconfiguring Offboard Storage After Upgrading to QRadar 7.1 Technical Note.

  • New WinCollect Agent – QRadar 7.1 introduces WinCollect and the WinCollect agent for collecting and managing Windows-based events using the Admin tab in QRadar. For more information on WinCollect, see the WinCollect User Guide.
  • New Vulnerability Details Page on the Assets Tab – QRadar 7.1 introduces the Research Vulnerability Details window, which you can access from the Assets tab. The Research Vulnerability Details window provides information about known vulnerabilities detected by third-party scanners. Vulnerability information and identifiers are sourced from external references, such as the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB). QRadar 7.1 also includes the ability to import vulnerability data from scanners that do not store data with OSVDB or NVDB references, such as IBM Appscan Enterprise.
  • New Index Management – The Index Management feature is accessed from the Admin tab. Index Management allows you to control database indexing event properties. By enabling indexing on event properties, you can optimize the speed of your searches.
  • New Dedicated Event Collector Appliance and Supporting Store and Forward – QRadar 7.1 introduces the QRadar 1501 appliance, which is a dedicated Event Collector. This appliance is also available as the QRadar 1590 virtual appliance. Using Store and Forward, accessed from the Admin tab, you can now store events on your dedicated Event Collector during your business hours. These events can be forwarded to an Event Processor during periods of time when the transmission does not negatively affect your network bandwidth. For example, you can configure a dedicated Event Collector to only forward events to an Event Processor during non-business hours, such as midnight until 6 AM.
  • Updated VFlow Collector Installation Procedure – The VFlow Collector installation procedure is updated to make the process consistent with the virtual appliance installation process. For more information, see the QRadar Installation Guide.

Posted in IBM, QRadar, Security, Security Intelligence | Leave a Comment »

Videos about IBM XGS 5000, NextGen IPS

Posted by Xavier Ashe on October 8, 2012

It’s been interesting to watch the firewall and IPS space over the years.  First we had firewall vendors adding IPS features.  Then we had IPS vendors adding firewall features.  Personally, I’ve always thought it made sense to use an IPS with firewall features because I’ve never seen a firewall with an IPS worth using.  Now that application-aware firewalls have proven useful, it’s time for IPS vendors to add more application awareness.  Hey look, I work for an IPS vendor 😉

IBM’s Security Network Protection XGS 5000 is a next generation intrusion prevention system, adding tons of features to IPS like web content, application and application action control, protocol analysis based intrusion prevention, URL filtering, Injection Logic Protection, Shell Code Heuristics, and virtual patch.

Marketing bullet points:

  • Help stop threats from compromising unpatched vulnerabilities without sacrificing high-speed network performance.
  • Help protect networks, servers, desktops, and business critical applications from malicious threats.
  • Conserve network bandwidth and provide insight into what users are doing on the corporate network. It helps control user bandwidth consumption by limiting or eliminating access to nonbusiness critical applications.
  • Help enforce compliance and internal corporate usage of nonbusiness critical applications such as social networking, peer to peer file transfers, instant messaging traffic, and streaming media.
  • Provide an extensible security platform that can grow as threats evolve, help consolidate network protection technologies, and help reduce the cost of deploying and managing point solutions.

You can get lots of print literature here, but who wants to read when you can watch videos on YouTube.

IBM Security NextGen IPS Use Case Videos

IBM Security NextGen IPS How to Videos

Posted in IBM, ISS, Security | Leave a Comment »

QRadar and QRM 7.1 are Generally Available!

Posted by Xavier Ashe on October 5, 2012

The QRadar Product Management team is very glad to announce the General Availability (GA) of QRadar SIEM and Risk Manager Version 7.1.  Another major milestone of the QRadar product, QRadar 7.1 delivers several new key features to meet the needs of our current and future customers, a new appliance and new tools to provide more flexibility in deploying the QRadar solution, and great usability features to increase the visibility to more security intelligence data, as well as the ability to better optimize and tune QRadar.

The new features of QRadar SIEM 7.1 consist of:

  • Index Management:  More refined control over the creation of indexes used for searches and exposure of field and index usage statistics, enabling more efficient storage utilization and performance optimization.
  • Store and Forward: Capability of collecting and storing events by a new appliance, Event Collector (EC), in a remote location and forwarding events to an upstream Event Processor for analysis based on a pre-determined policy,  allowing effective log collection at remote network locations with unreliable network connections or bandwidth constraints.
  • Import/Export of Security Contents: Ability to export security and configuration content on a QRadar system to an external, portable format which then can be imported into another QRadar system, with a command line interface, enabling quick deployment of a new QRadar system or sharing of security contents across systems.
  • Vulnerability Details Screen – Enhanced GUI screens to display detailed vulnerability data imported from third party vulnerability scanner products, allowing customers to fully explore the nature and relevance of vulnerabilities on the hosts involved in QRadar detected incidents and offenses.
  • WinCollect: Complete centralized control of local and remote Windows event collection, with bulk adding of servers, per server troubleshooting, automated deployment and update of policy and agent itself.  Also includes tuning for different environments and support for latest capabilities like XPath queries.

The new features of QRM 7.1 consist of:

  • P2P Networks: Support for point-to-point networks, such as VPNs and serial links. This allows customers to add these links to their QRM network topology.
  • Firewall Rule Reporting: Perform comprehensive reporting on firewall rules, including shadowed, most and least used rule reports. Reports can be generated across multiple firewalls and are fully integrated into the QRadar reporting engine.
  • Enhanced Policy Monitoring:  Monitor policy question passes and failures, typically required for compliance reporting. Customers can now generate reports that show that network policies have been in compliance over a given period of time, in addition to those which were not compliant.

Posted in IBM, QRadar | 2 Comments »

TSIEM to QRadar Transition Guide, finally published!

Posted by Xavier Ashe on July 24, 2012

This publication took longer to get through the gears of IBM, but it’s now publicly available. Don’t forget, this guide covers transitioning from IBM Tivoli Compliance Insight Manager (TCIM) as well.

Click here to download the IBM Tivoli Security Information and Event Manager to IBM QRadar Transition Guide.

Abstract:

IBM Tivoli Security Information and Event Manager (TSIEM) was developed as a compliance management monitoring and reporting product for various operating systems, applications and devices. IBM acquired Q1 Labs in 2011 with its industry-leading security intelligence platform QRadar, providing a security solution that can be used across the entire network.

Anyone who is planning a transition of TSIEM to QRadar should read this document first to determine what steps should be considered to create a transition plan. This document provides a high level description of the steps rather than the detailed technical description of how to perform the actual transition. Tooling is not part of this document although the description may help in designing such tooling. IBM Services or any other IBM Business Partner can help produce the appropriate toolbox to automate the transition. The customer should be prepared to keep their TSIEM installation to support historical reporting or log archive management to meet their compliance or audit requirements. This transition document therefore should only address the replacement of TSIEM by QRadar within the context of regulatory compliance.

This document will provide a basic overview of TSIEM to QRadar data migration capabilities and options, as well as data storage principles.

Posted in IBM, QRadar, Security Intelligence, TCIM, TSIEM | Leave a Comment »

Transitioning from TSIEM to QRadar – Terminology

Posted by Xavier Ashe on May 21, 2012

The transition guide from IBM Tivoli Security Information and Event Manager (TSIEM) to IBM QRadar is essentially complete. I still have to get it formatted to the standard template, though. We are also figuring out internally where to post it officially, but once I fix the formatting, it will be available here.

Until then, you can whet your appetite with this terminology chart.

TSIEM | QRadar
Agent | Adaptive Log Exporter, Event Processor
Agent group | Log Source Group
Alerts | Rule Response
Archiving | Data Backup & Restore
Audited machine | Asset and/or Log Source
Backup & Restore | Backup & Restore
Chunk | No equivalent – data is stored together in Ariel
Compliance Dashboard | Dashboard
Compliance Management Module | No equivalent – all reports are included in QRadar
Consolidation component | Magistrate
Credential Store | Credentials are stored in Postgres
Depot | Ariel
Distribution | Email distribution is configured within the report definition
Enterprise Server | 31xx console in a distributed deployment
Event Source | Log Source
Forensics component | Payload search (with optional indexing)
Group Definitions | Building Block
GSL Parser | Universal Device Support Module (uDSM) XML file
GML Mapper | Map Event – available in the GUI
Launchpad (Tivoli Integrated Portal) | Console GUI
Log Continuity Report | No equivalent due to use of syslog for most log sources
Log History Report | QRadar report called “Errors and Failures”
Log Manager Dashboard | Log Sources in the Admin tab
Log Management Activity Report | QRadar report: (Daily, Weekly, or Monthly) Log/Event Distribution by Category
Log Management component | QRadar Log Manager
Log Management Depot Investigation Tool | Payload search (with optional indexing)
Log Management Retrieval Tool | “Raw Log” view in Log Activity
Normalization component | Built-in to QRadar, required part of the event processor
Policy | Building Block
Policy Explorer/Editor | Rules/Building Blocks Editor
Policy Generator | QRadar Tuning Guide
Regulations | Contained within QRadar reports
Reporting Database | No equivalent – QRadar is real-time, with all data going into the same Ariel datastore
Security Information Management (SIM) component | Security Information and Event Management (SIEM) component
Security Group | All QRadar deployments use one User store, the console appliance, unless external authentication is configured
Scoping | User Role (scope by network hierarchy) and User Account (scope by Log Sources)
Significance | Magnitude
Special Attention Rule | Building Block or Rule
Standard Server | All-in-one Console
Trending | Time Series
User Information Source | Reference Set
User Roles | User Roles
W7 | No equivalent term, but QRadar has a standard normalization scheme as well

Posted in IBM, QRadar, Security, TSIEM | Tagged: | Leave a Comment »

TSOM, TSIEM, and QRadar at IBM Pulse

Posted by Xavier Ashe on March 5, 2012

IBM Pulse has begun in Las Vegas!  Monday morning I will be presenting at the “Proven Practices Workshop: Security” from 10-11am in the Expo Theater 1.  I will have copies of the pre-release version of “Transitioning from Tivoli Security Operations Manager to QRadar” Redpaper, but all you blog followers out there can get it here.

Transitioning from TSOM to QRadar v1.0

I will be getting this submitted as an official IBM Redpaper.  I’m still working on the TSIEM to QRadar paper, but I’ll be talking about it tomorrow.

Posted in IBM, QRadar, TSIEM, TSOM | 2 Comments »

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Posted by Xavier Ashe on February 7, 2012

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come a long way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I’ve decided to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. Its real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enabled security personnel to quickly drive to the source of a problem or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting for user based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports were meaningful and concise, allowing for reports to be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two to get a powerful, flexible architecture. The two products work very well together, getting the best out of both worlds, security and user compliance. I’ve deployed this dual architecture all over the world (and still have more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. Its distributed architecture allows for 10-20 times (at least) the events per second that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the NetFlow and QFlow analyzers. I’ll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

Posted in IBM, QRadar, Security, Security Intelligence, TSIEM, TSOM | Leave a Comment »

Introducing the updated IBM Security Framework.

Posted by Xavier Ashe on January 16, 2012

The Updated IBM Security Framework

How does an IBMer describe how IBM covers security?  How can you map the product offerings we have to the various security domains in frameworks like COBIT, ISO, etc.?  What’s a good way to learn all the products in our portfolio?  The answer is the IBM Security Framework.  First used in 2008, it’s been modified to evolve with IBM’s broadening capabilities.  It’s the high-level overview that’s perfect for opening discussions with customers, business partners, and other IBMers.  The deep-dive version is the IBM Security Blueprint – a must read for security practitioners.  From Marc van Zadelhoff:

Today, we launch the updated version of the IBM Security Framework, depicted here.  The Framework represents a comprehensive way to view security risks and in turn the areas where IBM has invested in solutions.  As you can see, it identifies the four foundational aspects we continue to be focused on: People, Data, Applications and Infrastructure. You need best-in-class capabilities in each area in order to be secure and compliant today.  We’ve found that these dimensions extend equally well to solving problems that have become more prominent in the last few years: cloud security and mobile security.  The same dimensions apply and customers are using the Framework and IBM’s capabilities in each area to solve these newer issues like they do with traditional data center security.

That box at the top, Security Intelligence, Analytics and GRC, is my main playground. Traditionally this was just “SIEM”, but now we are looking to fill lots of roles.  We need advanced intelligence to provide to the SOC teams.  We need in-depth analysis for compliance and CERT teams.  We need dashboarding and business relative data for GRC.  So just throwing around the term SIEM isn’t effective.

Go read Marc’s overview of the change to the framework and start using the new graphic with the new ISS division.

READ MORE:  Introducing the Updated IBM Security Framework

Posted in IBM, ISS | Leave a Comment »

Rise, ancient unused blog! Be Reborn!

Posted by Xavier Ashe on January 16, 2012

Hello World. This poor under-used blog needs some love. There is much to talk about. Starting at the beginning of this year IBM created a new software division for most of its security software. So I no longer work for Tivoli, but am a proud member of IBM Security Systems. Yes, unfortunately we are using the same ISS acronym. That will make things confusing, so I will do my best to clear things up. ISS is now a full fledged software brand, just like Tivoli, WebSphere, Rational and Lotus.

What will I be doing in the new org? I am still in services, meaning that I am still focused on making our products work for our customers. I’m not in sales, but occasionally help our sales teams. I’m not in development, but give lots of feedback to our product managers. I build solutions for our customers, and look to build tools and documentation to make it easier and more productive to implement IBM Security Systems.

We have a broad portfolio in the ISS division now, but I will be focusing on Security Intelligence and Data Protection. In particular I am focusing on the recent Q1 Labs acquisition and ensuring their success under big blue. I will be writing future posts about TSOM, TSIEM and QRadar, so stay tuned. I just needed to get this “first post” out the way.

Posted in IBM, ISS, Security Intelligence | 1 Comment »

New Web based Training for TSOM 4.1

Posted by Xavier Ashe on October 7, 2008

IBM Tivoli Security Operations Manager 4.1 – Fundamentals

Course description

In this 4-hour Web-based training course, you will use IBM Tivoli Security Operations Manager 4.1 to learn its fundamentals and operator tasks.

Objectives

After completing this course, you should be able to:

  • Install and configure IBM Tivoli Security Operations Manager 4.1
  • Configure and collect events from sensors

Course outline

  1. Introduction
  2. Installation
  3. Administration
  4. Investigating Events
  5. Correlating Events

Who will benefit from this course

This course is intended for implementers and administrators who need to correlate security events.

Required skills/knowledge

  • Intrusion detection: Understand the basic concepts of intrusion detection
  • TCP/IP: Understand IP addresses, networks, and ports

Recommended courses

Click here for order information.

Posted in IBM, Security, TSOM | Leave a Comment »

IBM software bundle targets retail theft, data breaches

Posted by Xavier Ashe on October 2, 2008

IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.

SecureStore, announced Wednesday, combines surveillance and RFID systems with software that protects online and in-store transactions, as well as software that protects databases and applications from network-based threats, IBM said. While SecureStore mainly consists of pre-released products from IBM divisions such as Internet Security Systems (ISS), Tivoli and Rational, Big Blue’s Val Rahmani says it is unique in that it brings together products from various parts of IBM to address one industry segment, and re-architects the products so they fit together and are optimized for retail.

Read the full article on Network World.

Posted in IBM, ISS, Security, TSOM | Leave a Comment »

Security and Society: Role of Government

Posted by Xavier Ashe on September 29, 2008

Posted in IBM, Security | Leave a Comment »

TSOM Redbook

Posted by Xavier Ashe on September 5, 2008

Network and resource availability is critical to business and service assurance. But enterprises, federal agencies, and service providers can lose millions of dollars per year as a result of worms and other types of malware that bring down corporate resources and customer-facing services. That is why information security is one of the top concerns of every CIO in any organization. To maximize resource and service availability and protect customer information, today’s information security teams must be able to:

– Quickly recognize and handle security incidents.
– Enforce security policies.
– Support audit and compliance initiatives.

The problem is that each of these activities involves security data that resides throughout the organization. Enterprises and service providers need to be able to access and analyze this disparate data quickly and efficiently. In today’s complex, multi-vendor environments that means leveraging an automated, integrated solution. In response to these challenges, IBM Tivoli Security Operations Manager, a security information and event management (SIEM) platform, is designed to improve the effectiveness, efficiency and visibility of security operations and information risk management.

This IBM Redbooks publication helps you design/create a solution using Tivoli Security Operations Manager to centralize and store security data from throughout the technology infrastructure so that you can:

– Automate log aggregation, correlation and analysis.
– Recognize, investigate and respond to incidents automatically.
– Streamline incident tracking and handling.
– Enable monitoring and enforcement of policy.
– Provide comprehensive reporting for compliance efforts.

This book is a valuable resource for security officers, administrators and architects who wish to understand and implement a Security Event and Information Management system.

Download the new IBM Redbook: Deployment Guide Series: IBM Tivoli Security Operations Manager 4.1

Posted in IBM, TSOM | Leave a Comment »

TSOM + CloudShield + ISS + Blade = Awesome

Posted by Xavier Ashe on September 4, 2008

IBM (NYSE: IBM) on Tuesday introduced a blade server that supports CloudShield Technologies’ software for real-time analysis of network traffic to prevent viruses and denial of service attacks.

“The IBM BladeCenter PN41 enables service providers to manage their network, security and telecommunications technology on an integrated platform,” Jim Pertzborn, VP of telecommunications industry solutions for IBM Systems Group, said in a statement. “This integration can help service providers meet their customers’ evolving requirements for data, voice and video services.”

The new blade and software support are key components of IBM’s hardware, software and services framework for service providers. The package also includes IBM’s intrusion prevention technology and Tivoli Security Operations Manager.

Read the full article on InformationWeek. I first heard about this project about 2 years ago when I was helping develop solutions for the Telecom group at IBM. It’s taken a lot of work to get this packaged together and I am glad to see it finally hit the streets. Other sites that have picked this up:

Posted in IBM, ISS, Security, TSOM | Leave a Comment »

Draft Redbook: Certification Study Guide, TCIM 8.5

Posted by Xavier Ashe on August 12, 2008

This IBM Redbooks publication is a study guide for IBM Tivoli Compliance Insight Manager Version 8.5 and is meant for those who want to achieve IBM Certifications for this specific product.

The IBM Tivoli Compliance Insight Manager Certification, offered through the Professional Certification Program from IBM, is designed to validate the skills required of technical professionals who work in the implementation of the IBM Tivoli Compliance Insight Manager Version 8.5 product.

This book provides a combination of theory and practical experience needed for a general understanding of the subject matter. It also provides sample questions that will help in the evaluation of personal progress and provide familiarity with the types of questions that will be encountered in the exam.

This publication does not replace practical experience, nor is it designed to be a stand-alone guide for any subject. Instead, it is an effective tool which, when combined with education activities and experience, can be a very useful preparation guide for the exam.

Planned Publish Date: 30 September 2008

Download the Redbook here.

Posted in IBM, Security, TCIM | 1 Comment »

Redbook Draft: z/OS Mainframe Security and Audit Management using IBM Tivoli zSecure

Posted by Xavier Ashe on June 13, 2008

Every organization has a core set of mission-critical data that must be protected. Security lapses and failures are not simply disruptions—they can be catastrophic events, and the consequences can be felt across the entire organization. As a result, security administrators face serious challenges in protecting the company’s sensitive data. IT staff are challenged to provide detailed audit and controls documentation at a time when they are already facing increasing demands on their time, due to events such as mergers, reorganizations, and other changes. Many organizations do not have enough experienced mainframe security administrators to meet these objectives, and expanding employee skillsets with low-level mainframe security technologies can be time-consuming.

The IBM Tivoli zSecure suite consists of multiple components designed to help you administer your mainframe security server, monitor for threats, audit usage and configurations, and enforce policy compliance. The administration, provisioning and management components can significantly reduce administrative effort, contributing to improved productivity, faster response time and reduced training time needed for new administrators.

This book is a valuable resource for security officers, administrators, and architects who wish to better understand their mainframe security solutions.

Table of Contents

Part 1. Architecture and design

  • Chapter 1. Business context
  • Chapter 2. Tivoli zSecure component structure
  • Chapter 3. zSecure Admin
  • Chapter 4. zSecure Alert
  • Chapter 5. zSecure Audit
  • Chapter 6. zSecure Visual
  • Chapter 7. zSecure Command Verifier
  • Chapter 8. z/OS compliance enablers
  • Chapter 9. zSecure CICS Toolkit
  • Chapter 10. Planning for deployment

Part 2. Customer scenario

  • Chapter 11. Delft Transport Authority
  • Chapter 12. Project requirements and design
  • Chapter 13. Implementation phase I
  • Chapter 14. Implementation phase II
  • Chapter 15. Implementation phase III

Part 3. Appendixes

  • Appendix A. Troubleshooting
  • Appendix B. An introduction to CARLa
  • Appendix C. User roles for zSecure Visual
  • Appendix D. A look at the Consul/Tivoli transformation

Download the PDF here.

Posted in IBM, Security | Leave a Comment »

 
%d bloggers like this: