Enterprise Security Information and Event Management (SIEM)

The Bsafe/Cross-Platform Audit™ (CPA) is an enterprise security information and event management (SIEM) system for organizations that run computer systems on many different platforms. It consolidates platform-specific audit events and makes them available to auditors and administrators in an intuitive, easy-to-use interface, while retaining enough granularity to filter events by platform-specific characteristics.

The CPA lets you follow the activity of a user across different computers and platforms and present that activity on screen both as an event log and in graphical form.

The Platforms:
- IBM i
- IBM Mainframe
- Windows
- SQL Server
- Unix/AIX
- Linux

The Bsafe/Cross-Platform Audit logs raw transaction data and, through online filtering, reporting and dashboard tools, turns it into information that gives the organization real insight. It can monitor activity on all of the organization's computers and analyze it as a whole. For example, a user of an enterprise application might execute a series of transactions across several platforms that looks unremarkable on any one computer but appears in a very different light once the entire audit trail is examined.

Using the CPA, system activity and user behavior can be analyzed as a consolidated chain of actions executed across different computers. The global users function tracks a user's trail under the various user IDs that person has used on different computers and platforms.

How it Works

The CPA monitors and collects security audit events as they occur on each computer. There they can be viewed and sorted directly, and they are held ready for transfer to the consolidated central data repository on request.

Audit data can be imported from each computer to the central data repository at any time, or on a schedule at pre-defined days and times. You can also restrict an import to specific groups of audit events.

The audit events imported from the different platforms are stored in the CPA in a uniform format, so they can be filtered, reviewed and analyzed as if they originated on the same computer.

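The normalisation and cross-platform correlation described under How it Works, as an added example that is not Bsafe product code: it takes constructed audit records in three platform-specific shapes (an IBM i-style key/value record, a one-line rendering of a Windows Security log record carrying the real event IDs 4624 and 4663, and a Linux auditd SYSCALL line), stores them in one uniform schema, resolves each platform-local user ID to a global user through a hypothetical mapping table of the kind the global users function holds, and then runs a detection that fires only on the consolidated trail: a sensitive read on one platform followed within 30 minutes by a file-transfer tool on another. The record shapes, the mapping table, the sensitive-object prefixes, the transfer-tool list and the time window are all assumptions made for the example.

```python
"""Added example (not Bsafe product code): normalise platform-specific audit
records into one schema, map local user IDs to a global user, and detect a
cross-platform chain that looks harmless on any single host.
All records and the mapping table below are constructed sample data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    ts: datetime        # always timezone-aware UTC so platforms can be interleaved
    platform: str
    local_user: str
    action: str         # uniform verb: LOGON, READ, WRITE, EXEC, TRANSFER, OTHER
    target: str
    global_user: str = ""


# Hypothetical "global users" table: (platform, local ID) -> enterprise identity.
GLOBAL_USERS = {
    ("IBMi", "JSMITH"): "jsmith",
    ("Windows", "CORP\\jsmith"): "jsmith",
    ("Linux", "1001"): "jsmith",          # Linux login UID (auid)
    ("IBMi", "MJONES"): "mjones",
    ("Linux", "1002"): "mjones",
}

# --- platform-specific parsers -------------------------------------------
IBMI_VERBS = {"SIGNON": "LOGON", "DBREAD": "READ", "DBWRITE": "WRITE"}


def parse_ibmi(rec: dict) -> Event:
    """Constructed key/value shape; a real IBM i audit journal entry differs."""
    ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(ts, "IBMi", rec["user"], IBMI_VERBS.get(rec["event"], "OTHER"), rec["object"])


WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<id>\d+) (?P<user>\S+) (?P<obj>.*)$")
WIN_VERBS = {"4624": "LOGON", "4663": "READ"}   # real Security-log event IDs


def parse_windows(line: str) -> Event:
    """Constructed one-line rendering: timestamp, event ID, account, object."""
    m = WIN_RE.match(line)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "Windows", m["user"], WIN_VERBS.get(m["id"], "OTHER"), m["obj"])


AUDIT_RE = re.compile(r'msg=audit\((?P<epoch>\d+)\.\d+:\d+\).*?auid=(?P<auid>\d+).*?comm="(?P<comm>[^"]*)"')
TRANSFER_TOOLS = {"scp", "sftp", "ftp", "curl"}   # assumed list of outbound-transfer commands


def parse_linux(line: str) -> Event:
    """Real auditd SYSCALL field layout; the login UID (auid) is the actor."""
    m = AUDIT_RE.search(line)
    ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    verb = "TRANSFER" if m["comm"] in TRANSFER_TOOLS else "EXEC"
    return Event(ts, "Linux", m["auid"], verb, m["comm"])


# --- consolidation ---------------------------------------------------------
def consolidate(ibmi, windows, linux) -> list:
    """Parse every source into the uniform Event shape and order by time."""
    events = [parse_ibmi(r) for r in ibmi] + [parse_windows(l) for l in windows] + [parse_linux(l) for l in linux]
    for e in events:
        # Unmapped IDs stay distinguishable instead of silently merging.
        e.global_user = GLOBAL_USERS.get((e.platform, e.local_user), f"{e.platform}:{e.local_user}")
    return sorted(events, key=lambda e: e.ts)


SENSITIVE_PREFIXES = ("PAYROLL/", "C:\\Finance\\")   # assumed sensitive objects


def sensitive_read_then_transfer(events, window_minutes=30):
    """Return (global_user, read_platform, object, xfer_platform, tool) for every
    sensitive READ followed within the window by a TRANSFER on a *different*
    platform by the same global user. Neither event is suspicious on its own."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for e in events:
        by_user.setdefault(e.global_user, []).append(e)
    hits = []
    for user, evs in by_user.items():
        reads = [e for e in evs if e.action == "READ" and e.target.startswith(SENSITIVE_PREFIXES)]
        xfers = [e for e in evs if e.action == "TRANSFER"]
        for r in reads:
            for x in xfers:
                if x.platform != r.platform and timedelta(0) <= x.ts - r.ts <= window:
                    hits.append((user, r.platform, r.target, x.platform, x.target))
    return hits


# --- constructed sample input ----------------------------------------------
IBMI_RAW = [
    {"ts": "2024-03-04 09:12:03", "user": "JSMITH", "event": "SIGNON", "object": "QINTER"},
    {"ts": "2024-03-04 09:14:40", "user": "JSMITH", "event": "DBREAD", "object": "PAYROLL/SALARY"},
    {"ts": "2024-03-04 10:02:11", "user": "MJONES", "event": "DBREAD", "object": "PAYROLL/SALARY"},
]
WIN_RAW = [
    "2024-03-04T09:16:02Z 4624 CORP\\jsmith -",
    "2024-03-04T09:18:30Z 4663 CORP\\jsmith C:\\Users\\jsmith\\notes.txt",
]
LINUX_RAW = [
    'type=SYSCALL msg=audit(1709543400.101:198): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1709545280.512:201): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 comm="scp" exe="/usr/bin/scp" key="exec"',
    'type=SYSCALL msg=audit(1709547200.077:244): arch=c000003e syscall=59 success=yes exit=0 auid=1002 uid=1002 comm="vim" exe="/usr/bin/vim" key="exec"',
]

if __name__ == "__main__":
    trail = consolidate(IBMI_RAW, WIN_RAW, LINUX_RAW)
    for e in trail:
        print(e.ts.strftime("%H:%M:%S"), e.platform.ljust(7), e.global_user.ljust(7), e.action.ljust(8), e.target)
    print("hits:", sensitive_read_then_transfer(trail))
```

Viewed per platform, the IBM i side shows a payroll clerk reading a payroll file and the Linux side shows an ordinary scp; only the consolidated, global-user-keyed trail links the two. The parsers convert every timestamp to UTC before sorting because the platforms log in different clocks and formats, and an unmapped local ID is kept as "platform:id" rather than dropped, so gaps in the global users table show up in the trail instead of hiding events.
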
Main Features

Multiple Event Types: Including system events, field-level data before and after change, user actions, policy deviations, TCP/IP events, SQL statements, object-specific events and more.

CPA Alert Center: Set up alerts that are triggered when selected events are identified, based on specific event parameters. Alerts can send notifications by email, by screen pop-up, or by routing the message to a Syslog host whose IP address you specify.

SOC: A graphical tool for the analysis of security audit events, trends and incidents (detailed later in this document).

Audit Policy Management: Define the types of events to be logged by your computers.

Compliance Tools: Create template-based compliance policies with deviation checking and repair options. Pre-defined reports, alerts and templates for compliance are included.

Managing Audit Policy

The security events logged on each computer are determined by its audit policy. The Cross-Platform Audit provides a convenient way of viewing and changing the audit policy for each computer and defining which kinds of events will be included in the audit.

IBM i Platform

The CPA is tightly integrated with Bsafe/Enterprise Security, allowing the import of audit events together with group and report definitions from the IBM i.

A large selection of IBM i system audit reports is provided, defined and ready to run.

Audit data imported to the central data repository can originate in any of the monitored IBM i applications including:
- Application audit (like signon, TCP/IP, FTP and database reads)
- File audit (actual data changes)
- Alerts (that have already been issued)
- View record data (information read)
- System audit events (such as system value changes, object management and authorization failures)
- Bsafe administrator audit (a trail of the actions taken by the Bsafe administrator)
- SQL statement audit
- IP filtering events
- Compliance deviations

Applications can be further filtered by event category, for example 'object authority' deviations only or 'database' application audit events, and even down to function, such as SQL read, add and/or delete.

Using the custom application option, IBM i event reports can be produced for any combination of applications and event categories.

IBM Mainframe Platform

The Cross-Platform Audit handles mainframe system and data audit events from the leading mainframe security products (RACF, Top Secret and SAFE) and, in addition, from DB2, TCP/IP and SMF.

The CPA groups SMF events for RACF and Top Secret into four categories: security events (e.g. resource access, add volume, scratch), admin events (e.g. change password, change group profile), z/OS UNIX events (e.g. kill, link, open) and Kerberos events (e.g. grant ticket, PKI verify).

DB2 events collected by the Cross-Platform Audit let you monitor data read and changed at the field level. For changes, the before and after values of the changed fields are shown side by side.

Events from Bsafe's range of mainframe security products include SAFE/CICS security events such as program violations, user suspensions, SMF and non-SMF access via FTP and Telnet (e.g. logon, logoff, send, retrieve), and VSAM file operations (e.g. record open, close, abend).

Shown below is an example of one of the pre-defined mainframe (MF) reports included in the CPA. Other customizable standard report formats are: users who have submitted programs with another user's code, unauthorized access to system resources, unauthorized access to sensitive files, and unused sensitive files.

The CPA shares the same GUI as Bsafe's CICS security products, such as Bsafe/Security for CICS, which provides complete per-user access control over resources such as files, programs and transactions, together with field-level protection and masking.

SQL Server Audit

The Cross-Platform Audit includes a host of auditing functions for SQL Server. Full-featured audit policy definition covers categories of system audit events, SQL statements, databases, users and applications.

The CPA's SQL Server auditing runs directly on the database and comprises three audits: SQL Statement Audit, which displays the full text of each SQL statement; System Audit, which shows activity such as login and database management events; and Data Audit, which shows data changes in tables at the field level.

SQL Server audit data can be imported to the CPA's central data repository for integrated auditing alongside audit events from other platforms.

Windows Platform: Event Logs

The Cross-Platform Audit gives you direct access to all event logs on your Windows PCs and servers. These include the three standard event logs (Application, Security and System) plus any other logs residing in the default event log location, for example the Directory Service, DNS Server, File Replication Service and Forwarded Events logs and application-specific logs.

Parameters such as log size and overwrite policy can be changed directly on the host computer through the CPA interface.

Windows Domain Server and Active Directory - SOX Compliance

The Windows SOX Compliance Manager is a tool to create, document and maintain a clear security policy for the Windows PCs and servers in your organization. The policy details are defined through templates for categories covering both local PC and Windows Active Directory settings. The template categories are:

- Active Directory Account Policy
- Active Directory Group Account
- Active Directory Group Membership
- File Permissions
- File Permissions (advanced)
- File Security Audit Definitions
- Folder Sharing Permissions
- Password Settings

The policy can be checked against the actual definitions in the system, producing a report of any deviations from your policy.

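One way to implement the template-versus-actual check just described, as an added example that is not the Windows SOX Compliance Manager's code: a template maps each setting in a category to a comparison rule and a value, the configuration read back from the domain or host is a plain dictionary, and every mismatch becomes a deviation record that also carries the repair needed to bring the system back into policy. The category names follow the template categories listed above; the rule syntax, the setting names, the sample values and the "actual" configuration are constructed for the example.

```python
"""Added example (not Bsafe / Windows SOX Compliance Manager code): compare a
template policy with the actual configuration and report deviations together
with the repair each one needs. Template and 'actual' values are constructed."""
from dataclasses import dataclass


@dataclass
class Deviation:
    category: str
    setting: str
    expected: object
    actual: object
    repair: str        # human-readable action that would close the gap


# Rule forms: ("min", n) actual >= n; ("max", n) actual <= n;
#             ("eq", v) actual == v; ("members", {...}) exact set of members.
TEMPLATE = {
    "Password Settings": {
        "MinimumPasswordLength": ("min", 14),
        "MaximumPasswordAge": ("max", 90),
        "PasswordComplexity": ("eq", True),
        "StoreReversibleEncryption": ("eq", False),
    },
    "Active Directory Group Membership": {
        "Domain Admins": ("members", {"CORP\\admin.alice", "CORP\\admin.bob"}),
    },
    "Folder Sharing Permissions": {
        "\\\\FS01\\Finance": ("members", {"CORP\\Finance-RW"}),
    },
}

ACTUAL = {   # what a collector would read back from the domain/host (constructed)
    "Password Settings": {
        "MinimumPasswordLength": 8,
        "MaximumPasswordAge": 90,
        "PasswordComplexity": True,
        "StoreReversibleEncryption": True,
    },
    "Active Directory Group Membership": {
        "Domain Admins": {"CORP\\admin.alice", "CORP\\admin.bob", "CORP\\svc.backup"},
    },
    "Folder Sharing Permissions": {
        "\\\\FS01\\Finance": {"CORP\\Finance-RW", "Everyone"},
    },
}


def _check_one(op, want, got):
    """Evaluate one rule; return (compliant, repair_text)."""
    if op == "min":
        return got >= want, f"raise to {want}"
    if op == "max":
        return got <= want, f"lower to {want}"
    if op == "eq":
        return got == want, f"set to {want!r}"
    if op == "members":
        extra, missing = set(got) - set(want), set(want) - set(got)
        parts = []
        if extra:
            parts.append("remove " + ", ".join(sorted(extra)))
        if missing:
            parts.append("add " + ", ".join(sorted(missing)))
        return not (extra or missing), "; ".join(parts)
    raise ValueError(f"unknown rule {op!r}")


def check_policy(template, actual):
    """Evaluate every template setting. A setting the collector did not return
    is itself a deviation, so a gap in collection cannot hide drift."""
    deviations = []
    for category, settings in template.items():
        present = actual.get(category, {})
        for name, (op, want) in settings.items():
            if name not in present:
                deviations.append(Deviation(category, name, want, None, "collect and configure setting"))
                continue
            ok, repair = _check_one(op, want, present[name])
            if not ok:
                deviations.append(Deviation(category, name, want, present[name], repair))
    return deviations


def deviation_report(deviations):
    """Sorted (category, setting, repair) rows, the shape a deviation report shows."""
    return sorted((d.category, d.setting, d.repair) for d in deviations)


if __name__ == "__main__":
    for row in deviation_report(check_policy(TEMPLATE, ACTUAL)):
        print(*row, sep=" | ")
```

Group-membership and share-permission rules are compared as exact sets rather than "contains", so an extra principal such as a stray service account in Domain Admins or Everyone on a finance share is reported as a deviation with the specific removal needed, which is the repair option a template-based compliance check should offer.
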
AIX Platform

The CPA provides direct control of AIX audit policy, with event logging that includes system events and DB2 for Unix events.

The main system audit events are categorized as follows:

- System events (devices, time changes...)
- Kernel procedure (execution, loads...)
- Audit (audit policy changes)
- File system (opens, reads, ownership...)
- System V IPC (message reading, writing...)
- TCP/IP user level (connect, data in/out...)
- TCP/IP kernel level (bind, listen, receive...)
- Unix commands (cron jobs, group changes...)

Plus 12 other event categories, including shell, objects and SecureWay Directory Server.

The DB2 audit events are categorized as follows:

- DB2 audit control (start, stop, config...)
- Checking (function, object, transfer...)
- Object maintenance (rename, alter ...)
- Security maintenance (grant, revoke...)
- System admin (drop DB, start DB2...)
- Validation (authentication, group membership...)
- SQL statements (connect, drop, execute...)

Linux Platform

Linux events on all the main hardware platforms are handled in the Cross-Platform Audit, including x86, x86-64, IA-64, PPC, PPC64 and System/390 (s390 and s390x).

Linux events are categorized as follows:

- Audit system commands (list, login, user...)
- User space trusted application messages (user command, user login, add group...)
- Messages internal to the audit daemon (config, start, abort...)
- Audit event messages (config change...)
- Kernel SELinux use (AVC path, MAC status)
- AppArmor (allowed, denied, error...)
- Kernel crypto events (first / last message)
- Kernel anomaly (abend, promiscuous)
- User space anomaly and response (crypto fail, login failure, alert, kill proc...)
- User space LSPP (device allocation, role assign / remove, user role change...)
- User space crypto (first / last messages)

The currently-defined audit policy for each machine can be viewed and changed through the CPA.

CPA Security Operations Center (SOC)

The Cross-Platform Security Operations Center (CPA SOC) makes the events consolidated in the CPA available through easy-to-configure dashboards. Events from across the enterprise can be combined, sorted and filtered by hundreds of different combinations of platform, application, IP address, user, identity management user, transaction status and date. The graphs are built dynamically, with the user selecting the sort parameter at each level.

Each component of an on-screen graph can be expanded with a mouse click to show the actual audit events behind the statistics, and each event can be drilled into to show its detail, including the name and value of each event parameter.

The graphs include statistical views and time-line views of the audit events. Graphs and summary tables can be displayed on screen, printed, sent by email and saved as files in various formats, including PDF and MS Office-compatible HTML that can be opened in Excel and Word.

Report Scheduling and Exporting

The CPA's full power of multi-platform auditing is realized through its reports. They include the CPA correlation reports, which automatically match events from different audit sources; the CPA special mainframe (MF) reports, such as the unauthorized access to sensitive files report; and the CPA contents reports, which display database changes on different platforms.

Over 200 pre-defined reports complement the ability to create custom reports to meet any requirement.

Create and run reports instantly on screen, print them, email them or save them in different file formats such as PDF, Microsoft Word, Excel, text and more. Reports can be scheduled to run periodically by day, week or month.

Cross Platform Audit Report Examples

MF DB2 Log Records (exported to HTML format): shows DB2 table field values before and after change.

SMF DB2 Events Full Audit (exported to text file): full description of events showing user, connection, network, result of action and more.

Correlation Report: Violations in both MF RACF and DB2 app (exported to Excel): the correlation report automatically matches events from the different selected audit sources.

Bsafe/Cross Platform Consolidated Audit

The Bsafe/Cross-Platform Audit offers the administrator and auditor a comprehensive solution for enterprise auditing. It provides the convenience of auditing, investigating or simply browsing your enterprise activity in a consolidated, easy-to-understand format, in a single application. It lets administrators analyze behavior on your systems to pinpoint activity that might otherwise have passed unnoticed and to investigate incidents quickly and thoroughly.

It gives auditors the freedom to look into the activity of all the organization's systems and to produce their own reports without IT department assistance.

This functionality goes a long way toward fulfilling legal and industry regulatory requirements for auditing, such as monitoring who has viewed data, as required by HIPAA, and retaining an audit trail for several years, as required by Sarbanes-Oxley.