IBM Tivoli Security Operations Manager V4.1 new architecture enhances flexibility, scalability,
performance, and ease of use
IBM United States
Software Announcement 207-345
December 11, 2007
(Corrected on January 2, 2008)
Electronic delivery has resumed effective December 20, 2007.
(Corrected on December 17, 2007)
Electronic delivery has been temporarily delayed.
IBM Tivoli Security Operations Manager V4.1 works to protect critical information and network
availability for you and your customers by helping you:
- Centralize security operations across discrete organizations, technologies, and processes through a new user interface
- Align security operations with IT operations and business priorities to help maximize business and service uptime
- Address compliance reporting requirements and corporate risk management policies
- Minimize the time it takes to recognize and resolve security incidents
For ordering, contact:
Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at
800-IBM-CALL
(Reference: YE001).
IBM Tivoli® Security Operations Manager (TSOM) is a security information and event management
platform that can help you meet your security operations challenges. Designed to improve the
effectiveness, efficiency, and visibility of security operations and information risk management,
TSOM software centralizes and stores security data from across the technology infrastructure to help
you:
- Automate log aggregation, correlation, and analysis
- Recognize, investigate, and respond to security incidents automatically
- Streamline incident tracking, handling, and resolution
- Enable monitoring and enforcement of policy
- Provide reporting to document your compliance efforts
TSOM V4.1 delivers new and improved capabilities to more efficiently handle IT security incidents:
- Simplified and streamlined configuration and administration usability enhancements to reduce the time and effort for deployments and administration via a simplified, centralized device interface, and new event source auto-configuration feature
- Improved event filtering and correlation engine infrastructure providing greater flexibility, capabilities, and performance
- Enhanced security operations Dashboard user interface, with greater customization and new security knowledgebase facility
- Expanded incident ticketing and case management
- Enhanced host investigation tooling for incident identification and resolution
- Expanded and updated platform support including DB2®, AIX®, and full globalization and internationalization support
- Integrates with Tivoli Compliance Insight Manager to provide a comprehensive solution for security information and event management (SIEM)
The following functions are no longer available in TSOM V4.1:
- The Remedy Integration Module that allowed one way forwarding of tickets to the BMC Remedy Help Desk System.
- SourceFire API support.
- High Availability function for the Central Management Server (CMS).
- MySQL support as an internal database repository. It has been replaced by IBM DB2 Enterprise Edition, which is included.
Refer to the Hardware requirements and Software requirements sections.
- December 14, 2007: Electronic software delivery
- January 11, 2008: Media and documentation
Security breaches can have serious, measurable consequences: lost revenue, downtime, damage to
reputation, damage to IT assets, theft of proprietary or customer information, cleanup and
restoration costs, and potential litigation costs. To help reduce these risks, security
organizations want the capability to identify attacks quickly, and react swiftly.
Tivoli Security Operations Manager (TSOM) automates many of the repetitive,
time-and-expertise-intensive activities required for effective security operations. The result is a
more efficient and cost-effective approach to security operations.
Centralize log aggregation in multivendor environments
To detect attacks, malware, potentially dangerous misconfigurations, and internal misuse, a security
team must analyze large amounts of event data from throughout the security infrastructure including:
- Intrusion detection and protection systems
- Firewalls and virtual private networks (VPNs)
- Networking infrastructure products
- Antivirus and malicious code protection products
- Servers, desktops, applications, and other security products
Additionally, relevant information should be obtained from IT or operations infrastructure servers
and hosts. The volume of data and number of disparate machines in a typical network usually makes
manual analysis of security data very difficult. Automating the process of aggregating events from
disparate devices and systems into one central location is essential so the data can be correlated
to facilitate incident response and reporting. Centralization and automatic aggregation of data is
also critical for addressing compliance reporting requirements where historical analysis of stored
log data may be necessary.
TSOM software provides a platform on which your organization can automatically aggregate host logs,
security events, asset data, and vulnerability data. You select how much data you want the software
to draw in and from which sources and TSOM software gathers the data using standard and
native protocols such as Extensible Markup Language (XML), syslog, Simple Network Management
Protocol (SNMP), CheckPoint OPSEC, Cisco SDEE, and many more. It can also use its own low-impact,
universal agent to collect information. TSOM software can collect event and log data from hundreds
of different devices and support can be added for custom devices and internal applications.
Improve incident detection by correlating across devices
Drawing on information from across the infrastructure, TSOM can help you detect attacks, misuse, and
anomalous activity. The software analyzes and prioritizes event data using complementary
correlation techniques:
- Statistical correlation identifies anomalies by performing advanced analysis of events and hosts.
- Rule-based correlation monitors for known attacks and helps more proactively manage policy violations before they become incidents.
These correlation techniques can be built into a set of TSOM V4.1 stateful rules, which provide
decision-tree-like logic that enables true Boolean evaluations of event data. State tables allow
the rules engine to track the state of an event, and expose this information to other rules in the
system. TSOM V4.1 stateful rules allow true business logic to be applied to the security data
event flow.
Additionally, TSOM software can use your business priorities to weigh the importance of assets
during the correlation process in order to prioritize security activities. When security analysts
use the console, they can see information that has been prioritized in alignment with your goals and
policy, instead of an endless list of security events.
Reduce migration time through integrated incident investigation and response
TSOM software integrates its investigation and response tools tightly to help you reduce the time it
takes to handle attacks, misconfigurations, and misuse. The software also facilitates the
escalation and tracking process. Investigative features include:
- Integrated one-click investigation tools
- Automated responses to block threats and close the loop
- Geographic tracking of suspicious activity
- Security-oriented ticketing system
Improve efficiency through operational integration
TSOM integrates with Tivoli Compliance Insight Manager (TCIM), which provides the ability for
customers to leverage TSOM's correlation and network security policy monitoring capabilities and
integrate with TCIM's user and compliance focused reporting. TSOM can feed the results of its level
correlation to TCIM for audit and compliance reporting, and TCIM can send policy violation alerts to
TSOM for situational awareness for security operations.
TSOM software addresses operational inefficiencies, experienced by siloed IT organizations, by
facilitating the flow of incident management data between security, network, and systems management
operations teams. For example, TSOM integrates closely with enterprise network and system
management products, including event managers and dashboards, as well as IBM Tivoli Enterprise
Console and IBM Tivoli Netcool/OMNIbus. You can leverage these integrations to help:
- Support business and service assurance requirements
- Correlate security insights with information from the broader operations environment
- Further facilitate incident remediation
TSOM software also integrates with IBM Tivoli Identity Manager and IBM Tivoli Access Manager for
e-business to provide monitoring and oversight for customers' identity and access policies,
helping you to enforce policies and more quickly detect and address potential misuse attempts.
Deepen understanding of security trends through comprehensive reporting
The on-the-fly data mining, historical reporting, self-auditing, and tracking capabilities in TSOM
software provide critical components for understanding security trends. What's more, these reports
help IT communicate relevant security information to other audiences, such as management and audit
teams.
Features include:
- Standard and customizable report templates
- An automated report scheduler
- HTML, PDF, and XML exporting of graphs and charts
- Self-auditing and tracking of security activities
TSOM software draws on information stored in a security event database to deliver on demand
historical reporting and trending.
Select from multiple deployment options to suit your environment
TSOM software features a modular architecture that can adapt to and grow with your organization's
security infrastructure. The event aggregation module that collects and normalizes data, the
central management server that performs advanced analysis and correlation, and the database that
stores historical information are distributed components, each on their own system. The
installation can be expanded by adding additional event aggregation modules.
An organization might deploy multiple event aggregation modules throughout the organization to
support higher volumes of event information or facilitate geographic distribution of system
resources. For example, one customer might deploy 12 event aggregation modules for each of its
geographically dispersed locations enabling the company to distribute data collection and processing
activities.
Similarly, widely dispersed event aggregation modules can send data to a single central management
server, or an organization can use multiple servers to maximize availability. If one server is
unavailable to an event aggregation module, it can forward the event to a secondary central
management server.
Improve your operational efficiency through a design focused on consumability
From the initial install procedures to daily maintenance, TSOM software delivers easier-to-use
interfaces and procedures to help minimize the time and training required to obtain value from the
solution. The user interface improvements to the simple and centralized device configuration reduce
the burden of installing and configuring a large number of device sources. High performance
algorithms can more quickly correlate and filter a large number of security events. Finally, for
problem resolution and reporting TSOM software leverages expertise in security deployments through
the use of a security knowledgebase, and common best practices for compliance reporting, enhancing
security governance of the complete IT installation.
Provide a platform for offering managed security services
In addition to serving as the critical IT security platform for enterprises and carriers, TSOM
software can also act as a strong, proven foundation for a managed security services business. The
same deployment options that make TSOM software scalable and stable for organizations can help
managed security service providers meet the needs of their highly distributed managed services
environment.
When used by managed security service providers, TSOM software helps:
- Reduce operational costs by offering a high degree of operational automation
- Optimize time to value, thanks to speedier implementation and immediate, out-of-the-box capabilities
- Demonstrate service levels and value to customers through comprehensive reporting capabilities
TSOM components
In order to install TSOM software, it is important to understand the TSOM architecture and a few
major components:
- Central Management System (CMS)
- Event Aggregation Module (EAM)
CMS is the hub that coordinates all aspects of the TSOM system, bringing together event datastreams
from all of the EAMs deployed in the network. It is here that the event data is correlated and
analyzed. Event correlation and threat determination require a combination of embedded logic and
configurable rules to correlate events, while determining the threat level of each event. CMS
maintains a running subset of the correlated event data for real-time display, while directing the
correlated event datastream to the archiver for continuous storage. Both real-time and historic
data are used in presenting relevant information through the user interface and reporting module.
EAM gathers event data from the various network security devices. EAM then normalizes, filters, and
transmits that data to the CMS. EAM is configurable to gather data from many, if not all, of the
security devices currently deployed in the enterprise network. This data is gathered using
conduits designed to communicate with each security device using the device's native protocol, such
as syslog, SNMP, OPSEC, or by ASCII or XML log files. By communicating in the device's native
protocol, configuration of EAM and the devices providing the raw data is minimized. The stream of
event data coming from multiple deployed devices is then normalized to provide a common event
format. This normalization process creates a common language that can be used by the TSOM system in
filtering, correlating, and presenting of the data. It is the first step in creating relevant
information from raw data.
Migration
IBM Tivoli Risk Manager customers, who purchased Risk Manager software before
January 9, 2007, and who are current on maintenance, are entitled to obtain TSOM software
as a replacement for Tivoli Risk Manager. Contact your IBM representative or Business Partner for
details.
National language support
TSOM software offers a choice of 10 supported languages to help match your operations in their
native environment.
Accessibility by people with disabilities
A U.S. Section 508 Voluntary Product Accessibility Template (VPAT) can be requested via the IBM Web
site
IPLA and Subscription and Support considerations
IPLA licenses can be transferred from one machine to another within, but
not limited to an enterprise. You may aggregate the capacity for all the
processors the product is operated on to achieve a more economic price.
This will result in a single Proof of Entitlement (PoE). It is your
responsibility to manage the distribution of Value Units within the
limits of the entitlement of the product license.
Subscription and Support must cover the same capacity as the product
license entitlement. Subscription and Support will be available in the
country in which the agreement is made.
IBM Tivoli Security Operations Manager is enabled for worldwide availability on the dates shown
below.
Product description: Security Operations Manager V4.1.0
Language: Multilingual (French, Korean, Chinese -- Simplified, Spanish, Portuguese-Brazilian, German, Japanese, Chinese -- Traditional, English, Italian)
GA date: January 11, 2008
Trademarks
- Tivoli Enterprise is a trademark of International Business Machines Corporation in the United States or other countries or both.
- Tivoli, AIX, and DB2 are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
- Other company, product, and service names may be trademarks or service marks of others.
Comprehensive education for IBM Tivoli® products is offered through Worldwide Tivoli Education
Delivery Services. A wide range of training options are available, including classes led by
instructors, learning on demand, on-site training, and blended learning solutions.
For additional information, visit
For information on IBM Tivoli Security Operations Manager, visit
Search on IBM Tivoli Security Operations Manager.
Product information is available via the Offering Information Web site
Also, visit the Passport Advantage® Web site
The following TSOM V4.1 English
publications may be downloaded at general availability from
- Quick Start Guide (GC23-6098-00)
- Administration Guide (SC23-6100-00)
- Installation Guide (GC23-6099)
- User Guide (SC23-6301-00)
- Problem Determination Guide (GC23-8850-00)
The following translated publications can be ordered from the IBM
Publications Center 60 days after general availability:
- IBM Tivoli Security Operations Manager Installation Guide (GC23-6099-00): Brazilian Portuguese, French, German, Italian, Japanese, Korean, Spanish
- IBM Tivoli Security Operations Manager User Guide (SC23-6306-00): Brazilian Portuguese, French, German, Italian, Japanese, Korean, Spanish
- IBM Tivoli Security Operations Manager Administration Guide (SC23-6100-00): French, German, Italian, Japanese, Korean, Spanish
- IBM Tivoli Security Operations Manager Quick Start Guide (GC23-6098-00): Brazilian Portuguese, Simplified Chinese, French, German, Italian, Korean, Spanish
- IBM Tivoli Security Operations Manager Problem Determination Guide (GC23-8850-00): French, Italian, Korean
Specified operating environment
Hardware requirements
Minimum system requirements for Central Management Server (CMS):
- Red Hat Enterprise Linux ES 4.5 platform with:
  - Dual Intel® Pentium® IV, 3.0 GHz, or greater CPU
  - 8 GB, or more RAM
  - 120 GB, or larger hard drive
- Sun Solaris 10 platform with:
  - SunFire V445 Dual 1.5 GHz, or greater UltraSparc
  - 8 GB, or more RAM
  - 146 GB, or larger hard drive
- IBM AIX 5L V5.3 platform with:
  - IBM System p5 510 or 525 Dual 1.5 GHz, or greater
  - 8 GB, or more RAM
  - 146 GB, or larger hard drive
Minimum system requirements for database server:
- Red Hat Enterprise Linux ES 4.5 platform with:
  - Quad Intel Pentium IV, 3.0 GHz, or greater CPU
  - 8 GB, or more RAM
  - 120 GB, or larger hard drive (note that storage requirements are highly dependent on overall system event rate and archival and reporting objectives)
- Sun Solaris 10 platform with:
  - SunFire V445 Quad 1.5 GHz, or greater UltraSparc
  - 8 GB, or more RAM
  - 146 GB, or larger hard drive (note that storage requirements are highly dependent on overall system event rate and archival and reporting objectives)
- IBM AIX 5L V5.3 platform with:
  - IBM System p5 510 or 525 Quad 1.5 GHz, or greater
  - 8 GB, or more RAM
  - 146 GB, or larger hard drive (note that storage requirements are highly dependent on overall system event rate and archival and reporting objectives)
Minimum system requirements for Event Aggregation Module (EAM):
- Red Hat Enterprise Linux ES 4.5 platform with:
  - Pentium IV, 3.0 GHz, or greater CPU
  - 4 GB, or more RAM
  - 36 GB, or larger hard drive
- Sun Solaris 10 platform with:
  - SunFire V225 Dual 1.5 GHz, or greater UltraSparc
  - 4 GB, or more RAM
  - 73 GB, or larger hard drive
- IBM AIX 5L V5.3 platform with:
  - System p5 510 or 525 1.5 GHz, or greater
  - 4 GB, or more RAM
  - 76 GB, or larger hard drive
Software requirements
Supported platforms:
- Red Hat Enterprise Linux ES 4.5
- Sun Solaris 10
- AIX 5L V5.3
Supported browsers for client:
- Microsoft® Internet Explorer 6.x, or later
- Mozilla Firefox 1.7, or later
- Sun Java 1.5, or later
- IBM Java 5 JRE, or later (included)
Supported databases:
- DB2® Enterprise Server Edition V9.1 (included)
- Oracle Enterprise Edition 10g
Migration
Current IBM Tivoli Security Operations Manager customers, who are current on Software Maintenance,
are entitled to upgrade to IBM Tivoli Security Operations Manager V4.1 without paying additional
license fees. IBM Tivoli Risk Manager customers, who acquired Risk Manager before
January 9, 2007 and who are current on Software Maintenance, are entitled to acquire IBM
Tivoli Security Operations Manager software as a replacement for IBM Tivoli Risk Manager without
paying additional license fees. Contact your IBM representative or Business Partner for details.
Planning information
Software Maintenance is included with licenses purchased through Passport Advantage and Passport
Advantage Express. Product upgrades and technical support are provided by the Software Maintenance
offering as described in the Agreements. Product upgrades provide the latest versions and releases
to entitled software and technical support provides voice and electronic access to IBM support
organizations, worldwide.
IBM includes one year of Software Maintenance with each program license acquired. The initial
period of Software Maintenance can be extended by the purchase of a renewal option, if available.
Packaging
IBM Tivoli Security Operations Manager is distributed with:
- International Program License Agreement (Z125-3301)
- License Information document
- CD-ROMs
Security, auditability, and control
IBM Tivoli Security Operations Manager uses the security and auditability features of the operating
system software.
The customer is responsible for evaluation, selection, and implementation of security features,
administrative procedures, and appropriate controls in application systems and communication
facilities.
IBM Software Services has the breadth, depth, and reach to manage your services needs. You can
leverage the deep technical skills of our lab-based, software services team and the business
consulting, project management, and infrastructure expertise of our IBM Global Services team. Also,
we extend our IBM Software Services reach through IBM Business Partners to provide an unmatched
portfolio of capabilities. Together, we provide the global reach, intellectual capital, industry
insight, and technology leadership to support any critical business need.
To learn more about IBM Software Services or to contact a Software Services sales specialist, visit
To locate an IBM Business Partner, visit:
IBM Tivoli Enhanced Value-Based Pricing terminology
IBM Tivoli Enhanced Value-Based Pricing:
IBM Tivoli software products are priced using IBM Tivoli's Enhanced Value-Based Pricing. The
Enhanced Value-Based Pricing system is based upon the IBM Tivoli Environment-Managed Licensing
Model, which uses a managed-environment approach whereby the applicable license fees are based
on what is managed rather than the number and type of product components installed.
For example, all servers monitored with IBM Tivoli's monitoring product (IBM Tivoli Monitoring)
require entitlements sufficient for those servers. Other Tivoli products may manage clients, client
devices, agents, network nodes, users, or other items, and are licensed and priced accordingly.
Unlike typical systems management licensing models that require entitlements of specific software
components to specific systems, the IBM Tivoli Environment-Managed Licensing Model provides the
customer flexibility to deploy its IBM Tivoli software products within its environment in a manner
that can address and respond to the customer's evolving architecture. That is, as the architecture
of a customer's environment changes, the customer's implementation of IBM Tivoli software can be
altered, as needed, without affecting the customer's license requirements (as long as the customer
does not exceed its entitlements to the software).
Under Enhanced Value-Based Pricing, licensing and pricing of server-oriented applications are
determined based upon the server's use in the customer's environment. Typically, such applications
are licensed and priced in a manner that corresponds to each installed and activated processor of
the server managed by the IBM Tivoli application to help correlate the license fees to value while
offering a simple solution.
Where a server is physically partitioned, this approach is modified. This partitioning technique is
the approach used with systems that have either multiple cards or multiple frames, each of which can
be configured independently. For servers capable of physical partitioning (for example, IBM System
p Scalable POWERparallel® Systems servers, Sun Ultra servers, and HP Superdome servers), an
entitlement is required for each processor in the physical partition being managed by the Tivoli
application. For example, assume that a server has 24 processors installed in aggregate. If this
server is not partitioned, entitlements are required for all 24 processors. If, however, it is
physically partitioned into three partitions, each containing eight processors, and Tivoli products
were managing only one of the three partitions, then entitlements would be required for the eight
processors on the physical partition managed by the IBM Tivoli application.
For servers with virtual or logical partitions, entitlements are required for all installed and
activated processors on the server. For each IBM Tivoli application managing a clustered
environment, licensing is based on the cumulative number of installed and activated processors on
each server in the cluster. Where the cluster includes physically partitioned servers, the
considerations described above concerning physically partitioned servers apply as well.
Enhanced Value-Based Pricing recognizes the convergence of RISC and UNIX®, and Microsoft
Windows® and Intel technologies, in order to simplify your licensing requirements, and to provide
a smoother, more scalable model. Pricing and licensing does not differentiate between non-System
z server platforms or operating systems. For some products, this platform neutrality extends to
System z and other host servers as well.
IBM Tivoli Enhanced Value-Based Pricing terminology definitions
Application and database instances
A license entitlement is required for each instance of the application being connected.
Applications and databases refer to the program instances running on a server operating system,
which provide a source of security events and logs. Examples of applications include, but are not
limited to SAP, Siebel, and Exchange. Examples of databases include, but are not limited to DB2,
Oracle, and Sybase.
Client device or client
A client device is a computer system that requests the execution of a set of commands, procedures,
or applications from another computer system that is typically referred to as a server. Multiple
client devices may share access to a common server. A client device generally has some processing
capability or is programmable to allow a user to do work. Examples include, but are not limited to,
notebook computers, desktop computers, desk side computers, technical workstations, appliances,
personal digital assistants, automated teller machines, point-of-sale terminals, tills and cash
registers, and kiosks.
Install
An install is a copy or instance of the main managing program in the enterprise.
Instance
An instance is the occurrence of something in the enterprise. For example, if you have acquired an
application instance authorization for an application, you are permitted to deploy and run one copy
of the licensed application on one machine or LPAR. Another example would be if you have acquired
an operating system instance authorization for an operating system, you are permitted to deploy and
run one copy of the licensed operating system on one machine or LPAR.
Network node
Network nodes include routers, switches, hubs, and bridges that contain a network management agent.
A single network node may contain any number of interfaces or ports.
Network security device
Network security device is any network-based security appliance or server, running network
security-based software, that provides a source of security events or logs. Examples include, but
are not limited to firewalls, application firewalls, intrusion detection systems, intrusion
protection systems, virtual private networks (VPNs), threat protection products (antivirus
gateways), content filtering (Web, e-mail), identity and access management, directory servers,
network anomaly behavior products, and multifunction security appliances.
Resource Value Unit
A resource is the measurement for program license entitlements which is based upon the quantity of
the specific designated measurement used for a given program. A Resource Value Unit is a pricing
charge metric of IBM Tivoli's Enhanced Value-Based Pricing, which uses a managed-environment
approach whereby the applicable license fee is based on what is managed. Whenever the designated
measurement is a resource, not all resources require the same number of Resource Value Units.
Resource Value Unit schedules are located in the Pricing examples section.
Server
A server is a computer system that executes requested procedures, commands, or applications to one
or more user or client devices over a network. A PoE must be obtained for each server on which the
program, or a component of the program, is run or which the program manages. Where blade technology
is employed, each blade is considered a separate server.
Standby or backup systems
For programs running or resident on backup machines, IBM defines three types of situations: cold,
warm, and hot. In the cold and warm situations, a separate entitlement for the copy on the backup
machine is normally not required and typically no additional charge applies. In a hot backup
situation, you need to acquire another license or entitlements sufficient for that server. All
programs running in backup mode must be solely under your control, even if they are running at
another enterprise's location.
As a practice, the following are definitions and allowable actions concerning the copy of the
program used for backup purposes:
Cold:
A copy of the program may reside, for backup purposes, on a machine as long as the program is not
started. There is no additional charge for this copy.
Warm:
A copy of the program may reside for backup purposes on a machine and is started, but is idling, and
is not doing any work of any kind. There is no additional charge for this copy.
Hot:
A copy of the program may reside for backup purposes on a machine, is started, and is doing work.
The customer must acquire a license or entitlements for this copy and there will generally be an
additional charge.
Doing work includes, for example, production, development, program maintenance, and testing. It
also could include other activities such as mirroring of transactions, updating of files,
synchronization of programs, data, or other resources (for example, active linking with another
machine, program, database, or other resource, and so on), or any activity or configurations that
would allow an active hot switch or other synchronized switch over between programs, databases, or
other resources to occur.
In the case of a program or system configuration that is designed to support a high availability
environment by using various techniques (for example, duplexing, mirroring of files or transactions,
maintaining a heartbeat, active linking with another machine, program, database, or other resource),
the program is considered to be doing work in the hot situation and a license or entitlement must be
purchased.
Value Units
A Value Unit is a pricing charge metric for program license entitlements which is based upon the
quantity of a specific designated measurement used for a given program. Each program has a
designated measurement. The most commonly used designated measurements are processor cores and
MSUs. However, for select programs, there are other designated measurements such as servers, users,
client devices, and messages. The number of Value Unit entitlements required for a specific
implementation of the given program must be obtained from a conversion table associated with the
program. Customers must obtain a PoE for the appropriate number of Value Unit entitlements for
their implementation. The Value Unit entitlements of a given program cannot be exchanged,
interchanged, or aggregated with Value Unit entitlements of another program. Whenever the
designated measurement is a processor core, not all processors require the same number of Value Unit
entitlements. To determine the number of Value Unit entitlements required, refer to the processor
Value Unit conversion table on the Passport Advantage Web site
Product Web sites
A complete list of IBM Tivoli products is available at Web site
Licensing Web site
IBM Tivoli product licensing documents are available at Web site
Passport Advantage:
Through the Passport Advantage Agreement, you may receive discounted
pricing based on the total volume of eligible products, across all IBM
brands, acquired worldwide. The volume is measured by determining the
total Passport Advantage points value of the applicable acquisitions.
Passport Advantage points are only used for calculating the entitled
Passport Advantage discount.
To determine the required Tivoli product configuration under Passport
Advantage, the Tivoli Enhanced Value-Based Pricing Model applies. Your
environment is evaluated on a per-product basis.
Use the following two-step process to determine the total Passport
Advantage points value:
- Analyze your environment to determine the number of Tivoli Management
  Points or other charge unit for a product. The quantity of each
  product's part numbers to be ordered is determined by that analysis.
- Order the Passport Advantage part numbers. A Passport Advantage point
  value, which is the same worldwide for a specific part number regardless
  of where the order is placed, is assigned to each Tivoli product part
  number. The Passport Advantage point value for the applicable part
  number, multiplied by the quantity for that part number, will determine
  the Passport Advantage points for that Tivoli product part number. The
  sum of these Passport Advantage points determines the Passport Advantage
  point value of the applicable Tivoli product authorizations, which then
  may be aggregated with the point value of other applicable Passport
  Advantage product acquisitions to determine the total Passport Advantage
  points value.
The discounted pricing available through Passport Advantage is expressed
in the form of Suggested Volume Prices (SVPs), which vary depending on
the SVP level. Each SVP level is assigned a minimum total Passport
Advantage point value, which must be achieved, in order to qualify for
that SVP level.
Media packs and documentation packs do not carry Passport Advantage
points and are not eligible for SVP discounting.
For additional information on Passport Advantage, refer to the following
Web site
The following Passport Advantage part number categories may be orderable:
- License and Software Maintenance 12 Months: this is the product
  authorization with maintenance to the first anniversary date.
- Annual Software Maintenance Renewal: this is the maintenance renewal
  for one anniversary that applies when you renew the existing coverage
  period prior to the anniversary date at which it expires.
- Software Maintenance Reinstatement 12 Months: this is when you have
  allowed the Software Maintenance to expire, and later wish to reinstate
  your Software Maintenance.
- Media packs: these are the physical media, such as CD-ROMs, that
  deliver the product's code.
Pricing examples:
The pricing for Tivoli Security Operations Manager (TSOM) is based
on Resource Value Units. There are six chargeable license components
that may apply in any given installation. Application and Database
licensing are now included in TSOM V4.1. There are two license volume
discount schedules. The following table illustrates the six licenses and
the volume discount that applies to that license.
                                                 Volume discount
Price metric                                     schedule
Tivoli Security Operations Manager installs      Schedule 2
Client devices                                   Schedule 1
Network nodes                                    Schedule 1
Network security devices                         Schedule 1
Server instances                                 Schedule 1
Applications and databases instances             Schedule 2
The two volume discount schedules are as follows:
Schedule 1
Tier   Number of resources    RVUs per resource
1      0-10                   1.00
2      11-100                 0.90
3      101-250                0.75
4      251-500                0.60
5      501-5,000              0.45
6      5,001-25,000           0.30
7      Greater than 25,000    0.15
Schedule 2
Tier   Number of resources    RVUs per resource
1      0-2                    1.00
2      3-5                    0.90
3      6-10                   0.80
4      11-20                  0.70
5      21-35                  0.60
6      36-50                  0.45
7      Greater than 50        0.30
The pricing for TSOM software follows the IBM Enhanced Value-Based model
with an additional volume-based discount schedule for each of its
components, including the TSOM Install and the adaptor components for
each type of resource, device or end point monitored by the customer
using TSOM (each a device).
TSOM infrastructure, correlation capabilities, security policy rules,
incident management functions, user interfaces and reporting capabilities
are included in the TSOM Install pricing model. TSOM Install core
components include Central Management Servers (CMSs), Event Aggregation
Modules (EAMs), security dashboards, reporting, and report designer
application. Any number of TSOM Install core components can be copied
and installed, as needed, to handle scalability and performance when
monitoring devices using TSOM.
For each TSOM Install, customers must also acquire adaptor components for
each device based on the applicable device category: network security
devices; server instances; network nodes; application and database
instances; and desktop clients. The number of chargeable adaptor
components is based on the number of original, unique sources of event
and log inputs in each device category represented in the customer's
inventory. There are no additional charges based on how data is
collected by TSOM, whether via a centralized management server, API,
agent, or agentless technology. All of the data collection options that
TSOM supports (including XML, Syslog, SNMP, JDBC, text file, OPSEC, and
Cisco IDS) are included and do not affect pricing.
To provide some clarification of monitored device categories listed
above, and which products apply to them, review the pricing examples and
details below. A few pricing instances may also not be
clear from the definitions provided above. For example, client represents
sources of logs that come from end clients (personal firewall, antivirus),
and the applicable license fee is based on the number of unique
endpoints, independent of how TSOM software collects the information.
Server instance represents a unique instance of native operating system
logs, of which a physical hardware server may have several, if running
virtualization software. Host-based intrusion protection and security
products for servers, such as IBM ISS Proventia Server, Cisco Security
Agent, or Tripwire are counted as network nodes when calculating the
applicable license fees. Following are some examples with more detail.
Pricing Scenario 1
Transaction 1
In phase 1, a customer wants to purchase TSOM software to set up a
Security Operations Center (SOC) for a division that is opening a new
electronic commerce portal. The customer's initial deployment goal is to
consolidate information from the customer's perimeter security products
and Internet-facing servers. The customer's initial deployment will
focus on:
- 1 TSOM installation.
- No clients.
- 100 network infrastructure products and server intrusion protection
  agents (network nodes).
- In addition, the customer will be monitoring 50 servers' operating
  systems.
- 15 firewalls, 10 intrusion protection appliances, and 5 additional
  network security products (total of 30 network security devices).
Transaction 1 table reflecting quantities to order
                                                 Quantity in    Resource
Price metric                        Schedule     environment    Value Units
TSOM install licenses               Schedule 2   1              1
Client licenses                     Schedule 1   0              0
Network node licenses               Schedule 1   100            91
Server instance licenses            Schedule 1   50             46
Network security device licenses    Schedule 1   30             28
Transaction 2
In phase 2, the customer wants to add:
- 1,200 desktop clients collecting desktop antivirus events from McAfee
  ePolicy Orchestrator
- 60 more servers' operating systems
- 3 databases
- 115 more network infrastructure products
- 35 more network security products, including firewalls, VPNs, and
  identity management servers
Total additional quantities to order are:
                                                                        Previous    New required   Resource
                                                 Previous   New         Resource    Resource       Value Unit
                                                 quantity   quantity    Value       Value Unit     quantity
Price metric                        Schedule     totals     totals      Units       totals         to order
TSOM Install licenses               Schedule 2   1          1           1           1              0
Client licenses                     Schedule 1   0          1,200       0           669            669
Network node licenses               Schedule 1   100        215         91          178            87
Server instance licenses            Schedule 1   50         110         46          99             53
Network security device licenses    Schedule 1   30         65          28          60             32
APP and DB instance licenses        Schedule 2   0          3           0           3              3
For Scenario 1, the final quantities in the customer's environment are
reflected in the table below.
Scenario 1 quantities in the customer environment
                                    New quantities    New Resource
                                    in the            Value Unit
Price metric                        environment       quantities
TSOM install licenses               1                 1
Client licenses                     1,200             669
Network node licenses               215               178
Server instance licenses            110               99
APP and DB instance licenses        3                 3
Network security device licenses    65                60
Pricing Scenario 2
A federal government agency wants to purchase a TSOM installation for
three divisions to set up an independent SOC for each. Each division wants
control of its own management system, security correlation rules, and
operations, and will be set up and staffed independently. Division A is
going to start by monitoring 200 network security devices and 300 network
nodes only; Division B will start with 100 network security devices, 200
network nodes, 500 desktop clients, and 1,000 servers; Division C will be
covering 200 network security devices, 2,000 servers, 12 databases, 2
applications, 10,000 clients, and 3,000 network nodes.
Summary of Agency's chargeable components
Monitored resource                Division A    Division B    Division C
TSOM installs                     1             1             1
Clients                           0             500           10,000
Network nodes                     300           200           3,000
Servers Instances                 0             1,000         2,000
Network security devices          200           100           200
Applications and DBs Instances    0             0             14
Scenario 2 table reflecting total quantities to order
                                                    Quantity       Resource
                                                    in the         Value Units
Price metric                           Schedule     environment    to order
TSOM install licenses                  Schedule 2   3              3
Client licenses                        Schedule 1   10,500         4,029
Network node licenses                  Schedule 1   3,500          1,704
Server Instances licenses              Schedule 1   3,000          1,479
Network security device licenses       Schedule 1   500            354
Applications and DBs Instances         Schedule 2   14             12
Additional TSOM pricing details, interpretations, and examples
The license fee charged is dependent upon the number of unique resources
monitored regardless of how the data from them is collected. Events or
logs may be collected individually from each resource or from a central
management server (like ISS SiteProtector, McAfee ePolicy Orchestrator,
and Juniper NSM). The license fee is based on the number of original
event sources, independent of the collection implementation. Examples of
customer environments and interpretations on quantifying resources are
listed below.
Example A:
A customer is collecting Check Point Firewall-1 event logs from 25
firewalls through one Check Point Provider-1 management console
connection via an OPSEC API. This counts as 25 network security devices
for calculating Resource Value Units. The fact that TSOM software
collects the data via a single OPSEC connection is an implementation
detail that doesn't affect the applicable license fee.
Example B:
A customer is collecting Windows Event Logs from 200 servers. These
logs have all been forwarded to a single Windows Domain Server for
collection by TSOM software. For TSOM software licensing, this counts as
200 server instances.
Example C:
A customer is collecting Windows operating system event logs, Tivoli
Security Compliance Manager alerts, and SAP application logs all from 10
critical servers. This counts as 10 servers, 10 applications, and 10
network security devices under TSOM software licensing.
Example D:
A customer is collecting events from 10,000 client systems running
Proventia desktop, via a single SiteProtector system. The same 10,000
client systems are running McAfee antivirus, and the customer wants to
collect these logs via a single McAfee ePolicy Orchestrator server. This
counts as 10,000 clients under TSOM licensing.
Example E:
A federal government agency acquires TSOM for use in two divisions to
set up an independent SOC for each division. Each division wants control of
its own TSOM Install in order to control its unique security correlation
rules and security operation customizations. Division A will start by
monitoring 200 network security devices and 300 network nodes only.
Division B will start by monitoring 100 network security devices, 200
network nodes, 500 desktop clients, and 1,000 servers.
Division A will buy:
- An entitlement for a single TSOM Install
- Entitlements for 200 network security devices
- Entitlements for 300 network nodes
Division B will buy:
- An entitlement for a single TSOM Install
- Entitlements for 100 network security devices
- Entitlements for 200 network nodes
- Entitlements for 500 desktop clients
- Entitlements for 1,000 servers
Later, Division B seeks to expand its TSOM Install to handle performance
in monitoring its devices. Division B can achieve performance
improvements by installing two more CMS components and five more EAM
components. Division B also seeks to monitor 200 additional network
security devices.
Division B will have to buy:
- Entitlements for 200 additional network security devices
Division B will not have to acquire additional TSOM Install entitlements
because it can add the additional CMS and EAM components using the
original TSOM Install.
This product is only available via Passport Advantage. It is not available as shrinkwrap.
Product information
Licensed function title                                            Product group      Product category
Tivoli Security Operations Manager Install                         Tivoli Security    IBM Tivoli Security Operations Manager
Tivoli Security Operations Manager for Applications and Databases  Tivoli Security    IBM Tivoli Security Operations Manager
Tivoli Security Operations Manager for Client Devices              Tivoli Security    IBM Tivoli Security Operations Manager
Tivoli Security Operations Manager for Network Nodes               Tivoli Security    IBM Tivoli Security Operations Manager
Tivoli Security Operations Manager for Network Security Devices    Tivoli Security    IBM Tivoli Security Operations Manager
Tivoli Security Operations Manager for Servers                     Tivoli Security    IBM Tivoli Security Operations Manager
                                                                   PID         Charge unit
Program name                                                       number      description
Tivoli Security Operations Manager Install                         5724-R05    Resource Value Unit
Tivoli Security Operations Manager for Applications and Databases  5724-R05    Resource Value Unit
Tivoli Security Operations Manager for Client Devices              5724-R05    Resource Value Unit
Tivoli Security Operations Manager for Network Nodes               5724-R05    Resource Value Unit
Tivoli Security Operations Manager for Network Security Devices    5724-R05    Resource Value Unit
Tivoli Security Operations Manager for Servers                     5724-R05    Resource Value Unit
Charge metrics definitions
Refer to the IBM Tivoli Enhanced Value-Based Pricing terminology section in this announcement.
Passport Advantage customer: Media pack entitlement details
Customers with active maintenance or subscription for the products listed are entitled to receive
the corresponding media pack.
Security Operations Manager V4.1.0
Entitled maintenance          Media packs                   Part
offerings description         description                   number
Tivoli Security Ops Mgr       Tivoli Security Operations    BJ0LTML
Install Resource VU           Manager V4.1.0 CD Media
                              Pack, Multilingual
Tivoli Security Ops Mgr       Tivoli Security Operations    BJ0LTML
for Apps/DBs Resource VU      Manager V4.1.0 CD Media
                              Pack, Multilingual
Tivoli Security Ops Mgr       Tivoli Security Operations    BJ0LTML
for Client Devices            Manager V4.1.0 CD Media
Resource VU                   Pack, Multilingual
Tivoli Security Ops Mgr       Tivoli Security Operations    BJ0LTML
for Network Nodes             Manager V4.1.0 CD Media
Resource VU                   Pack, Multilingual
Tivoli Security Ops Mgr       Tivoli Security Operations    BJ0LTML
for Network Sec Devices       Manager V4.1.0 CD Media
Resource VU                   Pack, Multilingual
Tivoli Security Ops Mgr       Tivoli Security Operations    BJ0LTML
for Servers Resource VU       Manager V4.1.0 CD Media
                              Pack, Multilingual
New licensees:
Orders for new licenses will be accepted now.
Shipment will begin on the planned availability date.
Basic license
Ordering information for Passport Advantage:
Passport Advantage allows you to have a common anniversary date for Software Maintenance
renewals, which can simplify management and budgeting for eligible new versions and releases (and
related technical support) for your covered products. The anniversary date, established at the
start of your Passport Advantage Agreement, will remain unchanged while your Passport Advantage
Agreement remains in effect. New software purchases will initially include twelve full months of
maintenance coverage. Maintenance in the second year (the first year of renewal) can be prorated to
be coterminous with your common anniversary date. Thereafter, all software maintenance will renew
at the common anniversary date and include twelve full months of maintenance.
Refer to the IBM International Passport Advantage Agreement and to the IBM Software Maintenance
Handbook for specific terms relating to, and a more complete description of, technical support
provided through Software Maintenance.
The quantity to be specified for the Passport Advantage part numbers in the following table is per
product install plus per number of monitored resources by type. There are four categories of
monitored resources. They are network security devices, servers, network nodes, and clients. To
order for Passport Advantage, specify the desired part number and quantity.
Passport Advantage program licenses
IBM Tivoli Security Operations Manager
Part description                                                               Part number
Tivoli Security Operations Manager Install
TSOM Install Resource Value Unit License and SW Maint 12 Mos                   D61U4LL
TSOM Install Resource Value Unit SW Maint Annual Renew                         E046WLL
TSOM Install Resource Value Unit SW Maint Reinstate                            D61U5LL
Tivoli Security Operations Manager for Servers
TSOM Resource Value Unit SW Maintenance Reinstate 12 Mos                       D61UFLL
TSOM Servers Resource Value Unit License and SW Maint 12 Mos                   D61UELL
TSOM Servers Resource Value Unit SW Maint Annual Renew                         E0471LL
Tivoli Security Operations Manager for Network Security Devices
TSOM Network Security Devices Resource Value Unit Lic and SW Maint 12 Mos      D61TULL
TSOM Network Security Devices Resource Value Unit SW Maint Annual Renew        E046RLL
TSOM Network Security Devices Resource Value Unit SW Maint Reinstate 12 Mos    D61TXLL
Tivoli Security Operations Manager for Network Nodes
TSOM Network Nodes Resource Value Unit Lic and SW Maint 12 Mos                 D61TVLL
TSOM Network Nodes Resource Value Unit SW Maint Annual Renew                   E046SLL
TSOM Network Nodes Resource Value Unit SW Maint Reinstate 12 Mos               D61TYLL
Tivoli Security Operations Manager for Client Devices
TSOM Client Devices Resource Value Unit License and SW Maint 12 Mos            D61U2LL
TSOM Client Devices Resource Value Unit SW Maint Annual Renew                  E046VLL
TSOM Client Devices Resource Value Unit SW Maint Reinstate 12 Mos              D61U3LL
Tivoli Security Operations Manager for Applications and Databases
TSOM Apps and DBs Resource Value Unit SW Maint Annual Renew                    E046ULL
TSOM Apps and DBs Resource Value Unit SW Maint Reinstate 12 Mos                D61U1LL
TSOM Apps and Dbs Resource Value Unit License and SW Maint 12 Mos              D61U0LL
To order a media pack for Passport Advantage, specify the part number in the desired quantity from
the following table:
Description                                                               Part number
Tivoli Security Operations Manager V4.1.0 CD Media Pack, Multilingual     BJ0LTML
IBM Tivoli Security Operations Manager is also available via Web download from Passport Advantage.
The information provided in this announcement letter is for reference and convenience purposes only.
The terms and conditions that govern any transaction with IBM are contained in the applicable
contract documents such as the IBM International Program License Agreement, IBM International
Passport Advantage Agreement, and the IBM Agreement for Acquisition of Software Maintenance.
Licensing:
IBM International Program License Agreement including the License Information document and PoE
govern your use of the program. PoEs are required for all authorized use.
Part number products only, offered outside of Passport Advantage, where applicable, are license only
and do not include Software Maintenance.
This software license includes Software Maintenance, previously referred to as Software Subscription
and Technical Support.
License Information form number
Program name                              Program number    Form number
IBM Tivoli Security Operations Manager    5724-R05          P-RZHG-76QNEJ
The program's License Information will be available for review on the IBM Software License Agreement
Web site
Limited warranty applies:
Yes
Warranty:
IBM warrants that when the program is used in the specified
operating environment, it will conform to its specifications. The
warranty applies only to the unmodified portion of the program. IBM does
not warrant uninterrupted or error-free operation of the program or that
IBM will correct all program defects. You are responsible for the
results obtained from the use of the program.
IBM provides you with access to IBM databases containing information on
known program defects, defect corrections, restrictions, and bypasses at
no additional charge. Consult the IBM Software Support Guide for
further information at
IBM will maintain this information for at least one year after the
original licensee acquires the program (warranty period).
Program technical support:
Technical support of a program product will be available for a
minimum of three years from the general availability date, as long as
your Software Maintenance is in effect. This technical support allows
you to obtain assistance (via telephone or electronic means) from IBM for
product-specific, task-oriented questions regarding the installation and
operation of the program product. Software Maintenance also provides you
with access to updates, releases, and versions of the program. You will
be notified, via announcement letter, of discontinuance of support with
12 months' notice. If you require additional technical support from IBM,
including an extension of support beyond the discontinuance date, contact
your IBM representative or IBM Business Partner. This extension may be
available for a fee.
Money-back guarantee:
If for any reason you are dissatisfied with the program and you are
the original licensee, you may obtain a refund of the amount you paid for
it, if within 30 days of your invoice date you return the program and its
PoE to the party from whom you obtained it. If you downloaded the
program, you may contact the party from whom you acquired it for
instructions on how to obtain the refund. For programs acquired under
the IBM International Passport Advantage Agreement, this term applies
only to your first acquisition of the program.
Authorization for use on home/portable computer:
The program may be stored on the primary machine and another
machine, provided that the program is not in active use on both machines
at the same time. You may not copy and use this program on another
computer without paying additional license fees.
Product name
IBM Tivoli Security Operations Manager No
Usage restriction:
Yes
For additional information, refer to the License Information Document
that is available on the IBM Software License Agreement Web site
International Passport Agreement
Passport Advantage applies:
Yes, and through the Passport Advantage Web site at
This product is only available via Passport Advantage. It is not
available as shrinkwrap.
Agreement for Acquisition of Software Maintenance:
The following agreement applies for maintenance and does not require
customer signatures:
IBM Agreement for Acquisition of Software Maintenance (Z125-6011)
Software Maintenance applies:
Yes. Software Maintenance is included with licenses purchased
through Passport Advantage and Passport Advantage Express. Product
upgrades and technical support are provided by the Software Maintenance
offering as described in the Agreements. Product upgrades provide the
latest versions and releases to entitled software and technical support
provides voice and electronic access to IBM support organizations,
worldwide.
IBM includes one year of Software Maintenance with each program license
acquired. The initial period of Software Maintenance can be extended by
the purchase of a renewal option, if available.
While your Software Maintenance is in effect, IBM provides you assistance
for your routine, short duration installation and usage (how-to)
questions, and code-related questions. IBM provides assistance via
telephone and, if available, electronic access, to your information
systems (IS) technical support personnel during the normal business hours
(published prime shift hours) of your IBM support center. (This
assistance is not available to your end users.) IBM provides Severity 1
assistance 24 hours a day, 7 days a week. For additional details,
consult your IBM Software Support Guide at
Software Maintenance does not include assistance for the design and
development of applications, your use of programs in other than their
specified operating environment, or failures caused by products for which
IBM is not responsible under the applicable agreements.
For additional information about the International Passport Advantage
Agreement and the IBM International Passport Advantage Express Agreement,
visit the Passport Advantage Web site at
Volume orders (IVO):
No
System i Software Maintenance applies:
No
Educational allowance available:
Not applicable.
Information on charges is available at Web site
In the Electronic tools category, select the option for "Purchase/upgrade
tools".
Passport Advantage
For Passport Advantage information and charges, contact your IBM
representative or authorized IBM Business Partner. Additional
information is also available at
Business Partner information
If you are an IBM Business Partner Distributor for Workstation
Software acquiring products from IBM, you may link to Passport Advantage
Online for resellers where you can obtain Business Partner pricing
information. An IBM ID and password are required.
To order, contact the Americas Call Centers, your local IBM
representative, or your IBM Business Partner.
To identify your local IBM representative or IBM Business Partner, call
800-IBM-4YOU (426-4968).
Phone: 800-IBM-CALL (426-2255)
Fax: 800-2IBM-FAX (242-6329)
Internet: callserv@ca.ibm.com
Mail: IBM Teleweb Customer Support
ibm.com Sales Execution Center, Americas North
3500 Steeles Ave. East, Tower 3/4
Markham, Ontario
Canada
L3R 2Z1
Reference: YE001
The Americas Call Centers, our national direct marketing organization,
can add your name to the mailing list for catalogs of IBM products.
Note:
Shipments will begin after the planned availability date.
Trademarks
- AIX 5L, System p5, System p, System z, and System i are trademarks of
  International Business Machines Corporation in the United States or other
  countries or both.
- Tivoli, Passport Advantage, DB2, POWERparallel, and PartnerWorld are
  registered trademarks of International Business Machines Corporation in
  the United States or other countries or both.
- Intel and Pentium are registered trademarks of Intel Corporation.
- Microsoft and Windows are registered trademarks of Microsoft Corporation.
- Java is a trademark of Sun Microsystems, Inc.
- UNIX is a registered trademark of the Open Company in the United States
  and other countries.
- Linux is a trademark of Linus Torvalds in the United States, other
  countries or both.
- Other company, product, and service names may be trademarks or service
  marks of others.