Syslog for SIEM using iSecurity Real-Time Monitoring of IBM i Security Events (PowerPoint presentation)

Slides: 18
Provided by: razleeCom

Transcript and Presenter's Notes

1
Syslog for SIEM using iSecurity: Real-Time
Monitoring of IBM i Security Events
2
Syslog: Why and How?
  • Fact: Multi-platform environments are the reality at nearly all companies.
  • Company goal: Consolidate relevant event information from multiple environments onto a single console → requires a SIEM (Security Information and Event Management) solution. Optimally, security event information should be both infrastructure-related and application-related.
  • Method: Syslog is the most widely used protocol for sending alert messages in real time to SIEM solutions.
  • Raz-Lee's iSecurity partners:
    • IBM Tivoli Security Manager
    • Q1Labs (recently purchased by IBM)
    • RSA enVision
    • GFI
  • iSecurity is also proven with ArcSight, HP OpenView, CA Unicenter and others.

3
Typical Syslog Environment
(Diagram: iSecurity on one or more IBM i systems sends Syslog messages, after optional filtering, to SIEM products such as those listed on the previous slide and other SIEM products; PCs, Linux, Unix and mainframe (MF) systems feed the same console. Covers both individual and multiple-system management.)
4
iSecurity Overview: Syslog Coverage
(Diagram of the iSecurity product families; the numbered boxes in the original slide mark the evaluation cycle driven by PCI, HIPAA, SOX, a security breach or a management decision.)
  • Auditing: Audit, Capture, User Management, System Control, User Profile Replication, System Value Replication, Central Admin
  • Protection: Firewall, Authority on Demand, Anti-Virus, Screen, Password, Action, Native Object Security
  • Assessment: Compliance Evaluator, Visualizer
  • Databases: AP-Journal, View, FileScope
  • Evaluation: PCI, HIPAA, SOX or security breach or management decision
Real-Time Alert Handling in iSecurity
Event sources feeding iSecurity Action:
  • Network security (Firewall)
  • Critical OS messages (QSYSOPR/QSYSMSG)
  • Database journals (AP-Journal)
  • Authority changes (Authority on Demand)
  • QAUDJRN (Audit)
Real-time alerts issued via iSecurity Action:
  • Execute CL scripts
  • Send e-mail
  • Write to MSGQ
  • Write to SYSLOG
  • Send SMS, SNMP, Twitter, etc.
6
Syslog in iSecurity
  • iSecurity sends Syslog security event information originating from:
    • the system's infrastructure (QAUDJRN, network access, virus detection product, user profile changes including requests for stronger authorities, etc.)
    • business-critical applications (not only field-level writes and updates but also unauthorized READ accesses to sensitive data)
  • iSecurity includes advanced filtering capabilities to select which events are sent to the SIEM for analysis → Syslog traffic can be controlled at the source
  • The fast iSecurity Syslog implementation enables sending extremely high volumes of information with virtually no performance impact.
  • The Syslog message structure is definable by each site and can include event-specific values such as user profile name, field-level before value, etc.

7
Syslog Success Stories (names available upon request)
  • Large insurance company
    • Sends all field-level data changes via AP-Journal's Syslog facility to RSA enVision
    • Monitors changes to ensure that only authorized PROD users who also have change authority change data by more than X or Y (a site-specific amount)
    • More than 1000 transactions/second are sent via Syslog with CPU overhead below 1%
    • The journal change file is managed on a PC rather than on the IBM i
    • AP-Journal produces field-level change reports for corporate and application managers
    • Planned integration of Syslog from iSecurity Audit (based on the QAUDJRN system journal) and iSecurity Firewall in 1Q2012
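
The insurer's rule above (a change to a monitored field must come from an authorized PROD user and stay within a permitted amount) is a SIEM-side correlation check, and it can be demonstrated on the receiving end. The script below is an added example for this page, not the customer's RSA enVision rule and not Raz-Lee code; the key=value message layout, the file and field names, the authorized user list, the thresholds and the syslog lines themselves are constructed for the illustration. A real site would match whatever message structure it defined in iSecurity.

```python
import re
from decimal import Decimal

# Constructed syslog lines in an assumed "key=value" layout. Nothing here was
# captured from a real system; adjust LINE below to the site's own template.
SAMPLE_LINES = [
    "<165>Mar  5 09:12:01 IBMI01 iSecurity AP-Journal file=PRICES fld=DPRICE "
    "user=PRODUSR1 job=PRCUPD before=100.00 after=104.50",
    "<165>Mar  5 09:12:03 IBMI01 iSecurity AP-Journal file=PRICES fld=DPRICE "
    "user=PRODUSR1 job=PRCUPD before=100.00 after=130.00",
    "<165>Mar  5 09:12:05 IBMI01 iSecurity AP-Journal file=PRICES fld=DPRICE "
    "user=DEVUSR7 job=QPADEV0003 before=100.00 after=101.00",
    "<165>Mar  5 09:12:07 IBMI01 iSecurity AP-Journal file=PRICES fld=QTY "
    "user=PRODUSR2 job=PRCUPD before=10 after=11",
]

# RFC 3164 header (PRI, timestamp, host) followed by the assumed payload.
LINE = re.compile(
    r"^<(?P<pri>\d+)>(?P<stamp>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"iSecurity AP-Journal (?P<kv>.+)$"
)

# Policy: who may change which field, and by how much. Stands in for the
# insurer's authorized PROD user list and the "X or Y" thresholds (assumed).
AUTHORIZED = {("PRICES", "DPRICE"): {"PRODUSR1", "PRODUSR2"}}
MAX_ABS_CHANGE = {("PRICES", "DPRICE"): Decimal("20.00")}
MAX_PCT_CHANGE = {("PRICES", "DPRICE"): Decimal("10")}


def parse(line):
    """Split one syslog line into header fields plus the key=value payload."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"pri": int(m["pri"]), "stamp": m["stamp"], "host": m["host"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def evaluate(rec):
    """Return the list of policy violations for one parsed record."""
    key = (rec.get("file"), rec.get("fld"))
    if key not in AUTHORIZED:
        return []  # field is not under policy; nothing to check
    findings = []
    if rec.get("user") not in AUTHORIZED[key]:
        findings.append(f"user {rec.get('user')} not authorized to change {key[0]}.{key[1]}")
    try:
        before, after = Decimal(rec["before"]), Decimal(rec["after"])
    except (KeyError, ArithmeticError):
        # A change record without usable before/after values is itself suspicious.
        findings.append("before/after values missing or not numeric")
        return findings
    delta = abs(after - before)
    if delta > MAX_ABS_CHANGE[key]:
        findings.append(f"absolute change {delta} exceeds {MAX_ABS_CHANGE[key]}")
    if before != 0 and delta * 100 / abs(before) > MAX_PCT_CHANGE[key]:
        pct = delta * 100 / abs(before)
        findings.append(f"relative change {pct:.1f}% exceeds {MAX_PCT_CHANGE[key]}%")
    return findings


def scan(lines):
    """Return (line index, findings) for every line that violates the policy."""
    flagged = []
    for i, line in enumerate(lines):
        rec = parse(line)
        if rec is None:
            flagged.append((i, ["unparseable line"]))  # never silently drop input
            continue
        findings = evaluate(rec)
        if findings:
            flagged.append((i, findings))
    return flagged


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LINES):
        print(index, SAMPLE_LINES[index])
        for f in findings:
            print("   ", f)
```

Of the four constructed lines, the second is flagged for exceeding both the absolute and the percentage limit, the third for coming from a user outside the authorized set, and the QTY change passes because no policy covers that field. Unparseable input is reported rather than discarded, since a syslog feed that stops matching the template is itself something the SIEM operator needs to notice.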

8
Syslog Success Stories (names available upon request)
  • Very large mortgage bank
    • Monitors all Firewall rejects, sending reject information via Syslog to ArcSight
    • Monitors all QAUDJRN system journal activity via Audit, sending important event information via Syslog
    • ArcSight performs advanced forensic analysis on the Firewall and Audit log information
    • The products produce auditing reports for both internal and external auditors

9
Syslog Success Stories (names available upon request)
  • Large national airport authority
    • For years they sent alerts to internal AS/400 message queues. Simply by checking message headers, the Syslog facility now sends SNMP alerts to HP OpenView.
    • All definitions of new user profiles with high authorities, or changes to such user profiles, are sent as SNMP alerts to HPOV.
    • Upcoming implementation of mass SNMP capability: they will define which QAUDJRN audit types NOT to send SNMP traps for, and all QAUDJRN entries with the other audit types will automatically be sent en masse to HPOV with very little overhead.

10
Syslog Attribute Definitions
(Screenshot of the Syslog attribute definition screen.) The Syslog severity range can be defined. For each alert message, the first-level message text (callout 1 in the screenshot) is appended to the pre-defined message structure; that option is shown on the following slide.
11
Set Syslog Handling per Audit Sub-type
(Screenshot.) A severity level can be set for each audit entry-type/sub-type combination.
12
Defining the Syslog Message Format
(Screenshot.) Variables, identified by a leading prefix character, are replaced with actual event values; DPRICE(B) is the previous price (before value) of the item.
13
Syslog Messages in the (free) Kiwi Syslog Daemon
(Screenshot.) Syslog messages written when a special user authority is added or removed. Note the multi-product, multi-system, multi-IP messages.
14
Syslog Messages in the (free) Kiwi Syslog Daemon
(Screenshot.) Note the real-time user-defined messages from AP-Journal containing the previous and new quantity and price values.
15
Downloadable iSecurity Resources (1/2)
  • Free Assessment Tool
  • Compliance Information (PCI, SOX, HIPAA)
  • iSecurity Presentation
  • iSecurity Data Sheets
  • Case Studies and White Papers
  • Raz-Lee Security's Corporate Blog
  • Twitter Updates

16
Downloadable iSecurity Resources (2/2)
  • Short Demo and Training Videos
  • iSecurity in 3 Minutes!
  • PCI Compliance with Compliance Evaluator
  • User and System Value Replication
  • Creating security rules using Visualizer
  • GUI Queries and Reports
  • GUI 4.1 Improvements
  • Visualizer QuickDemo (highly recommended!)
  • Visualizer User Profile and Queries Training

17
  • Thank You!
  • Visit us at
  • www.razlee.com
  • marketing_at_razlee.com