Enforcive CPA - PowerPoint PPT Presentation

About This Presentation
Title:

Enforcive CPA

Description:

Title: Slide 1; Author: a; Last modified by: Utente; Created Date: 8/12/2006 5:15:33 AM; Document presentation format: On-screen presentation (4:3); Company – PowerPoint PPT presentation

Slides: 39
Tags: cpa | enforcive | file | vsam


Transcript and Presenter's Notes


1
Enforcive CPA Cross Platform Auditing
2
Company Profile
  • Formed in 1983
  • Pioneer in IBM mainframe and midrange security
  • Offices in New Jersey, Toronto and Israel
  • 80 Resellers in 60 countries
  • Global distribution agreement with IBM
  • Thousands of installations worldwide, including
    Fortune 500 companies
  • Expertise in Compliance and Event auditing
    cross platform

3
Customers Around the World
4
CPA Customers
5
Customers from Many Segments
Banking Finance Insurance
Automotive
Electronics
Pharmaceutical Healthcare
Transportation
Manufacturing
Others
6
Enforcive Cross Platform Security Offering
All products work together and can be operated
through a common GUI manager.
CPS Cross Platform Security
ES for IBM i Enterprise Security
MF/CICS DB2
CPA Cross Platform Audit
CPC Cross Platform Compliance
PSS Password Self Service
Host Based Security, Audit and Compliance for IBM i
GRC
Password Synchronization - SSO
Host Based Security and Audit for IBM mainframe
Log Management and Database Activity Monitoring
  • Access Management
  • Field Encryption
  • Log Management
  • Compliance Management
  • For IBM i

Windows, Unix (AIX, Solaris), Linux, OS400, z/OS, MS SQL Server, Oracle,
DB2, Sybase, MySQL, Progress, Syslog, Flat File Format
Windows, AIX, IBM i (OS400, DB2), MS SQL Server, Oracle
IBM i, Windows
  • Access Management
  • Field Masking
  • Log Management
  • for
  • z/OS CICS
  • VSE CICS
  • DB2
  • VSAM
7
Easy Said. Easy Done.
Goodbye Haystacks. Find the needles you've been
looking for.
8
What is the Cross-Platform Audit?
  • An enterprise-wide Compliance Event Monitor.
  • The CPA is all about practical organizational
    security. It provides log monitoring for your
    computer systems and databases, collecting and
    consolidating data from across the enterprise.
    Many sources are available, including Windows,
    Mainframe, IBM i, Unix, DB2, SQL, Oracle and
    Progress.
  • The CPA filters, then collects the events into a
    single database and presents them in an intuitive
    GUI for ease of analysis and investigation.

9
The Need
  • Monitoring of the organization in order to
    satisfy regulatory policies in a multi-platform
    environment.
  • Administrators need minimal platform-specific
    expertise to achieve their goals.
  • Reduces the need to use local disk to store
    historical log files.
  • Simplifies forensic investigation by correlating
    seemingly unconnected events into an audit trail
    indicating a possible breach of security.

10
Differentiators
  • A single Management Console is used to manage the
    central repository as well as the individual
    systems that are being monitored.
  • Focus is on critical information, for example the
    important data changes performed in the database.
  • High visibility of changes using before and after
    images.
  • Specialized IBM i logs covering many unique
    event categories, with a high level of
    granularity.
  • Specialized IBM Mainframe logs covering a large
    amount of event categories, with a high level of
    granularity.

11
Features of the Cross-Platform Audit
  • Collection of diverse data formats into a uniform
    database.
  • Comprehensive monitoring in a multi-platform
    environment.
  • Reporting real user activity, utilizing all of a
    user's identities.
  • Graphical analysis of security information
    statistics.
  • Powerful filtering to pinpoint events with
    specific characteristics.
  • Event information drill-down to the field change
    level, incorporating before and after images.
  • Audit information from different systems
    available all in one place.
  • Comprehensive audit information for every
    critical event, showing exactly who did what,
    when and how.

12
Collection Flow
13
All Sources
IBM i: System Audit, File and Field Audit, Alerts, Application Audit,
SQL Statement, IP Filter, Compliance, Message Queue, History Log, View Data
IBM mainframe:
  • SMF TELNET
  • SMF FTP
  • SMF VSAM
  • SMF RACF
  • TCP/IP Application Audit (FTP and Telnet)
  • DB2 SMF
  • DB2 LOG (Data Audit)
  • DB2 CICS (SQL Data Capture)
  • DB2 BATCH (SQL Data Capture)

AIX: System Audit, UNIX DB2
Audit event classes: Connect, Query, Prepare, Execute, Shutdown, Quit,
No audit, Init DB, Other
SQL Server: SQL Statements, SQL System Audit, SQL Data Audit
Oracle: SQL Statements, Oracle System, Oracle Admin, Oracle Profiles/Users,
Oracle Procedures, Data Audit
System Audit
Linux: System Audit X86, System Audit 86_64, System Audit IA64,
System Audit PPC64, System Audit PPC, System Audit S390X, System Audit S390
DB2:
  • DB2 SMF MF
  • DB2 LOG (Data Audit) MF
  • DB2 CICS (SQL Data Capture) MF
  • DB2 BATCH (SQL Data Capture) MF
  • DB2 System Audit i, AIX, LUW
  • DB2 SQL Statement Audit i, AIX, LUW

System Audit, Data Audit
Windows: Event Logs (Security, Application, DNS, and more), Active Directory
Compliance, ISA Server logs, DHCP logs, IIS Web Server logs, Exchange Server
Syslog sources: Routers, Firewalls, Antivirus, Other SYSLOG senders
System Audit
14
Event Sources (by category)
  • IBM Systems
  • Open Systems
  • Databases
  • Microsoft Servers
  • Syslogs

15
IBM Systems
  • IBM System i (AS/400)
  • IBM System z (Mainframe)
  • IBM System p (AIX)
16
IBM Systems: IBM System i (AS/400)
  • Operating system V5R1M0 and above
  • System Audit
  • File and Field Audit
  • Alerts
  • Application Audit
  • SQL Statement
  • IP Filter
  • Compliance
  • Message Queue
  • History Log
  • View Data
17
IBM Systems: IBM System z (Mainframe)
  • Operating system z/OS v1.9 and above
  • SMF TELNET
  • SMF FTP
  • SMF VSAM
  • RACF (according to operating system)
  • SMF RACF
  • Communication Server (TCP/IP) (according to
    operating system)
  • TCP/IP Application Audit (FTP and Telnet)
  • DB2 v8, v9 and above
  • DB2 SMF
  • DB2 LOG (Data Audit)
  • DB2 CICS (SQL Data Capture)
  • DB2 BATCH
18
IBM Systems: IBM System p (AIX)
  • Operating system IBM AIX 5.3
  • System Audit
  • UNIX DB2
19
Open Systems
  • Linux
  • Solaris (Coming Soon)
20
Open Systems: Linux
  • Operating system Linux, all distributions (Red
    Hat, CentOS), kernel version > 2.6
  • System Audit X86
  • System Audit 86_64
  • System Audit IA64
  • System Audit PPC64
  • System Audit PPC
  • System Audit S390X
  • System Audit S390
21
Cross-Platform Security: Enterprise-wide
Compliance Event Monitor. Updated October, 2013
22
Open Systems: Solaris (Coming Soon)
  • System Audit
23
Databases - Agentless collection
  • SQL Server
  • Oracle Server
  • Progress OpenEdge
  • DB2
  • Sybase
24
Databases - Agentless collection: SQL Server
  • SQL Server 2005/2008
  • SQL Statements
  • SQL System Audit
  • SQL Data Audit
  • SQL Server 2000
  • SQL Data Audit
25
Databases - Agentless collection: Oracle Server
  • V10 and up
  • SQL Statements
  • Oracle System
  • Oracle Admin
  • Oracle Profiles/Users
  • Oracle Procedures
  • Data Audit
26
Databases - Agentless collection: Progress OpenEdge
  • V10, V11
  • System Audit
  • Data Audit
27
Databases - Agentless collection: DB2
  • DB2 v8, v9 and above
  • DB2 SMF
  • DB2 LOG (Data Audit)
  • DB2 CICS (SQL Data Capture)
  • DB2 BATCH
  • DB2 LUW (Linux, UNIX, Windows)
  • DB2 System Audit
  • DB2 SQL Statement Audit
28
Databases - Agentless collection: Sybase
  • V15.7
  • System Audit
29
Microsoft Servers - Agentless collection
  • Windows Server 2008
  • Windows Server 2003
  • Windows Server 2000
  • Windows 7
  • Windows XP
30
Microsoft Servers - Agentless collection
  • Windows Event Logs: Security, Application, DNS,
    and more
  • Windows Active Directory Compliance
  • ISA Server logs
  • DHCP logs
  • IIS Web Server logs
35
Syslogs
  • Routers
  • Firewalls
  • Antivirus
  • Other Syslog senders
36
Syslogs
Standard Syslog messages can be picked up by the
Enforcive Syslog Connector, then forwarded to the
CPA Manager. If required, CPA can act as a SYSLOG
server.
  • Routers
  • Firewalls
  • Antivirus
  • Other Syslog senders
40
Feature: CPA as SYSLOG Server
41
  • Our Goal: simplicity in implementation and daily use.

42
Implementation: Simple Steps
43
Examples Using CPA
  1. Make a change to table contents in SQL
  2. View that event locally
  3. View that event in the Central Repository
  4. Defining an audit policy
  5. How to define which events are collected
  6. How to alert on critical events
  7. Investigating a global user's activities
  8. Visual analysis
  9. Correlation Reporting

44
1 Make a change to table contents in SQL
  • This example demonstrates how the CPA Repository
    will monitor critical events within a database. A
    user executes an SQL statement to change the
    salary field in an employee record.

45
2 View that event locally
  • The change appears locally, both in the SQL
    Statement Audit and in the Data Audit.
  • SQL Statement Audit
    [screenshot: SQL Statement Audit view]
  • Data Audit
    [screenshot: Data Audit view showing Current and Previous values]
46
3 View that event in the Central Repository
  • Once collected into the Repository, the
    information can be filtered by date, platform and
    user. The event will appear both as an SQL
    statement and as a Data Audit event showing the
    changes.

[screenshot: Repository Data Audit view showing Current and Previous values]
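The three steps above, as an added example that is not Enforcive's code: a SQLite stand-in for the Data Audit view, where a trigger keeps the previous and current salary for every change and the audit rows can then be filtered by user and platform, as the Repository view is. Table, column, user and platform names are assumptions.

```python
import sqlite3

# Constructed stand-in for the CPA "Data Audit" view (example code, not
# Enforcive's): table, column, user and platform names are assumptions.

def open_audited_db():
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
      CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
      -- one-row table carrying the identity of the user running the statement
      CREATE TABLE session (db_user TEXT);
      INSERT INTO session VALUES ('unknown');
      -- one audit row per changed field, with previous and current images
      CREATE TABLE data_audit (
        ts TEXT, platform TEXT, db_user TEXT, table_name TEXT,
        row_key INTEGER, field TEXT, previous TEXT, current TEXT);
      -- fires only when the salary actually changes (step 1 of the slides)
      CREATE TRIGGER audit_salary AFTER UPDATE OF salary ON employees
      WHEN OLD.salary IS NOT NEW.salary
      BEGIN
        INSERT INTO data_audit VALUES (
          strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), 'SQL Server',
          (SELECT db_user FROM session), 'employees', NEW.emp_id,
          'salary', OLD.salary, NEW.salary);
      END;
    """)
    return con

def change_salary(con, db_user, emp_id, new_salary):
    """Run the salary change as the given user (step 1)."""
    with con:
        con.execute("UPDATE session SET db_user = ?", (db_user,))
        con.execute("UPDATE employees SET salary = ? WHERE emp_id = ?",
                    (new_salary, emp_id))

def audit_events(con, db_user=None, platform=None):
    """Data Audit rows, optionally filtered by user and platform (steps 2-3)."""
    sql, args = "SELECT * FROM data_audit WHERE 1=1", []
    if db_user is not None:
        sql += " AND db_user = ?"; args.append(db_user)
    if platform is not None:
        sql += " AND platform = ?"; args.append(platform)
    return [dict(r) for r in con.execute(sql + " ORDER BY ts, rowid", args)]

if __name__ == "__main__":
    con = open_audited_db()
    con.execute("INSERT INTO employees VALUES (101, 'A. Rossi', 5000)")
    change_salary(con, "jsmith", 101, 7500)
    for ev in audit_events(con, db_user="jsmith"):
        print(ev)   # user 'jsmith', field 'salary', previous '5000', current '7500'
```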
47
4 Defining an Audit Policy
52
5. How to define which events are collected.
53
6 How to alert on critical events.
54
7 Investigating a Global User's Activities
Platforms shown: IBM z, IBM i, Windows, AIX, DB2
55
8 Visual Analysis
57
9 Correlation Reporting
  • Network Access Login

58
9 Correlation Reporting
  • Database contents before and after image report

59
9 Correlation Reporting
  • Mainframe Violations in both RACF and DB2

60
9 Correlation Reporting
  • Oracle Logon Failure Report

61
9 Correlation Reporting
  • Program Failures

62
Sneak Peek User Identification Functionality