
Track and Eliminate Internal Threats with IBM Tivoli

Most security threats originate inside company walls

Tivoli Beat - A weekly IBM service management perspective.

When most people think of enterprise IT security, they have external threats in mind—malware, hackers and even criminal organizations. The threat from within, however, may be even greater.

Consider how much potential damage can be caused by an insider motivated by profit or malice. The extra access privileges assigned to such an insider may correspond logically to that insider’s job responsibilities, but they also represent a very real potential for a security breach—potentially, a catastrophic one.

And that potential is unfortunately getting larger every day. In fact, according to some studies, insider-based fraud costs US-based enterprises as much as $600 billion a year. A Computer Security Institute study published last year suggests that more than 40 percent of US enterprises experienced some form of insider abuse in 2008. Eighty percent of the directors recently surveyed by Secure Computing say they think internal threats actually outweigh external threats in terms of negatively impacting the business.

Clearly, security strategies and solutions aimed at insider abuse should be at least as mature, effective and comprehensive as strategies and solutions that target external threats. Unfortunately, the opposite is often the case. Antiviral solutions may be in their tenth generation, and deployed for more than fifteen years, but insider abuse often remains incompletely addressed; in some cases, in fact, it isn’t being addressed at all. And when you factor in the growing number of government regulations that apply to enterprise security, and the possible consequences in the event an audit occurs and isn’t passed, the argument for a new approach to insider security and compliance management becomes even stronger.

What organizations require today, to mitigate the growing threat of internal abuse and to simplify and accelerate audit and compliance, is a comprehensive way to track security threats across domains and solutions. The goal should be to develop and implement an efficient, cost-effective, holistic security strategy that corresponds to business priorities and diminishes the impact of security breaches as much as possible—even in the case of privileged insiders.

TSIEM delivers superior insider tracking and compliance reporting

Toward that end, IBM offers a compelling solution: IBM Tivoli Security Information and Event Manager (TSIEM). TSIEM works by automatically and non-intrusively aggregating audit and security data drawn from diverse security solutions and systems, analyzing that data, and then presenting the analysis through executive dashboards and reports.

In this way, it empowers organizations to more quickly and more effectively determine the security threats facing them. TSIEM is also directly applicable as a compliance tool; in addition to its compliance dashboard, the reports it generates can be used to establish how close an organization is to achieving compliance with pertinent regulations. Armed with the actionable intelligence in the reports, organizations can move swiftly to improve the overall compliance posture.

In both respects, then—insider monitoring and tracking and compliance auditing and reporting—TSIEM helps organizations reduce costs, increase service levels and proactively mitigate risks, and delivers a best-in-class response to an increasingly serious challenge.

Automated log collection and analysis drive down costs and drive up performance

How, specifically, does TSIEM work? The story begins with automated log aggregation. Most enterprises have many different security solutions in place; each generates an ongoing event log. Combing through those many logs, for possible security breaches, is a slow and painstaking process if performed manually. Far superior and far less expensive is the TSIEM approach: logs are collected automatically over the network by a centralized tool. Log management allows fast time to value to be achieved as reports can be run soon after data collection has started.

Once that happens, automated event correlation and analysis determine whether a security breach, violation of security policy or noncompliance with government regulations may be suggested, spurring subsequent action where necessary.

Analysis is done by transforming the data into a common W7 language, which enables the system to apply business policies to the data easily, highlighting and prioritizing events that do not meet policy. Alerts can also be generated and sent to other consoles.
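The pipeline described in the last three paragraphs (collect logs from several sources, translate each record into one common vocabulary, apply a business policy, rank the violations and emit alerts) is shown below as an added illustration. This is not IBM's code and does not use TSIEM's product APIs; the seven W7 field names, the two log formats, the sample log lines and the policy are all assumptions constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample input: one database audit log and one file-server log,
# each in its own native format (both formats are invented for this example).
DB_AUDIT_LOG = [
    "2009-11-03 09:14:02 db01 user=jsmith action=SELECT object=CUSTOMERS src=10.1.5.22",
    "2009-11-03 23:41:55 db01 user=dbadmin action=SELECT object=CUSTOMERS src=10.1.5.80",
]
FILE_SERVER_LOG = [
    "Nov 03 2009 10:02:17 fs02 alice READ /finance/q3.xlsx from 10.1.5.31",
    "Nov 03 2009 22:10:40 fs02 dbadmin COPY /finance/payroll.xlsx from 10.1.5.80",
]

DB_RE = re.compile(r"(\S+ \S+) (\S+) user=(\S+) action=(\S+) object=(\S+) src=(\S+)")
FS_RE = re.compile(r"(\w{3} \d{2} \d{4} \S+) (\S+) (\S+) (\S+) (\S+) from (\S+)")


def w7(who, what, when, where, where_from, where_to, on_what):
    """Build one record in a common W7-style vocabulary (field names assumed)."""
    return {"who": who, "what": what, "when": when, "where": where,
            "where_from": where_from, "where_to": where_to, "on_what": on_what}


def parse_db(line):
    """Translate one database audit line into a W7 record."""
    ts, host, user, action, obj, src = DB_RE.match(line).groups()
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return w7(user, action.lower(), when, host, src, host, f"db:{obj.lower()}")


def parse_fs(line):
    """Translate one file-server line into a W7 record."""
    ts, host, user, action, path, src = FS_RE.match(line).groups()
    when = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
    return w7(user, action.lower(), when, host, src, host, f"file:{path}")


def normalise(db_lines, fs_lines):
    """Collect both logs into one time-ordered list of W7 records."""
    events = [parse_db(l) for l in db_lines] + [parse_fs(l) for l in fs_lines]
    return sorted(events, key=lambda e: e["when"])


# Assumed business policy: which actor may touch which asset, when access is
# expected, and which assets are sensitive enough to raise the priority.
POLICY = {
    "allowed": {("jsmith", "db:customers"), ("dbadmin", "db:customers"),
                ("alice", "file:/finance/q3.xlsx")},
    "business_hours": (8, 18),          # 08:00 <= hour < 18:00
    "sensitive": ("customers", "payroll"),
}


def evaluate(event, policy=POLICY):
    """Return (priority, reasons); priority 0 means the event meets policy."""
    reasons = []
    if (event["who"], event["on_what"]) not in policy["allowed"]:
        reasons.append("actor not authorised for this asset")
    start, end = policy["business_hours"]
    if not start <= event["when"].hour < end:
        reasons.append("outside business hours")
    if not reasons:
        return 0, reasons
    # Even a permitted, privileged user touching sensitive data off-hours is ranked higher.
    sensitive = any(tag in event["on_what"] for tag in policy["sensitive"])
    return len(reasons) + (1 if sensitive else 0), reasons


def triage(db_lines, fs_lines, policy=POLICY):
    """Normalise, evaluate and rank: highest priority first, compliant events dropped."""
    findings = []
    for ev in normalise(db_lines, fs_lines):
        prio, reasons = evaluate(ev, policy)
        if prio:
            findings.append((prio, ev, reasons))
    findings.sort(key=lambda f: (-f[0], f[1]["when"]))
    return findings


def alert_line(prio, ev, reasons):
    """One-line alert in plain language, suitable for forwarding to another console."""
    return (f"P{prio} {ev['when']:%Y-%m-%dT%H:%M:%S} {ev['who']} {ev['what']} "
            f"{ev['on_what']} from {ev['where_from']} on {ev['where']}: {'; '.join(reasons)}")


if __name__ == "__main__":
    for prio, ev, reasons in triage(DB_AUDIT_LOG, FILE_SERVER_LOG):
        print(alert_line(prio, ev, reasons))
```

Run as written, the two routine daytime accesses are dropped as compliant, the privileged administrator's off-hours read of the customer table is reported at a raised priority even though that user is authorised for the table, and the same user's copy of a payroll file he is not authorised for ranks highest. The point of the common vocabulary is that one policy and one ranking step cover records from both sources without per-source rules.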

Executives interested in obtaining a big-picture perspective on how well IT is complying with government regulations and standards will find that the compliance dashboard and report distribution features of TSIEM are directly on point. These functions, which draw on regulation-specific management modules, make it exceptionally easy to pursue compliance not as an abstract, theoretical goal, but as an event happening in real time—moment-by-moment, with respect to the IT infrastructure and what is taking place within it.

If more detail is required, on any given operational subcategory or any particular regulation, the many different and customizable reports TSIEM can generate will supply that detail in any required level of depth. These reports are exceptionally easy to read—essentially stating in simple language exactly who performed which tasks using which IT resources, relating to which business goals, security policies or regulations. And in the event of an audit, the reports can be used to demonstrate ongoing compliance has been achieved over time.

Naturally, generating reports of this type will require sophisticated tracking and monitoring features—and these must apply even to the most trusted insiders with the highest access levels.

Here, too, TSIEM delivers, transparently auditing IT resources such as databases, applications, servers and mainframes to establish user activity over time. This information helps to spur a faster and more effective response in cases of misuse—not just discovering violations of internal policies and mitigating the potential damage to the organization, but also supporting compliance initiatives, since regulations often specify the limits of what organizations should and should not do regarding access to sensitive data. Thanks to TSIEM’s exceptionally high-performance engine, user activity analytics can be generated in very close to real time, minimizing the delay in the event that action is required.

Compelling new features in TSIEM 2.0

In TSIEM 2.0, many new features have been included to make the solution easier to use, more versatile and more powerful than before.

For instance, TSIEM now has a Web-based graphic interface usable via standard browsers to shorten time-to-value and increase accessibility from anywhere on the network. A new policy editor simplifies the process of creating and processing policies to take action on the basis of security log analysis.

TSIEM 2.0 Log Management is now more functional, offering very fast time to value because customers can easily generate reports from the collected data.

Because holistic security is a concern to organizations around the world, TSIEM 2.0 is available in a variety of languages. Today, they include English, French, Spanish, German, Italian, Chinese, Korean and Japanese; eventually Russian, Polish and Hungarian will be included as well. Also supported for different nations and languages: TSIEM’s regulation-specific management modules, which are leveraged by the tool for compliance analysis and reporting.

Finally, TSIEM is now faster, more scalable and available on 64-bit Microsoft Windows platforms—maximizing the number of enterprises that can use it, their convenience and their return on investment in deploying it.
