MANAGER
WHY SIEM?
Issues
The Solution
Security Information and Event Management (SIEM)
Use Case:
Vulnerable Server Attacked
TIVOLI SIEM
INTRODUCTION
Introduction to TSIEM
Tivoli Security Information and Event Manager (TSIEM): an enterprise-wide auditing program for monitoring internal computer activity.
TSIEM provides continuous, non-intrusive assurance and documentary evidence that data and systems are being managed in accordance with, and comply with, company policies.
Components of TSIEM
Log Management
The Log Management module collects log data that is relevant to security auditing and compliance monitoring. It stores the data on a central server, the Log Management Server.
Security Information Management (SIM)
The SIM module evaluates and reports on user-oriented events and evaluates them against a predetermined policy.
EVENT SOURCES
Event sources
W7 Format
W7 Fields
Configuring Policies and Alert Rules
Configuring policies
Committing policies
A committed policy is used to run automated compliance checks. Only work policies can be committed. After a policy is committed, it cannot be modified or deleted.
Testing policies
Managing alerts
All defined alerts are displayed in the Alerts page. You can create, edit, and delete alerts, and you can also configure the protocol settings used to send the alerts.
The purpose of an alert is to raise attention for events that require a follow-up, that is, special attention events or events that are above a defined severity level, such as security policy exceptions. Alerts notify specified recipients, such as a system administrator, when a serious or potentially harmful security event has occurred. The relevance (severity) of an event is defined in the security policy.
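The following is an added illustration of how the pieces described on the slides fit together (the W7 event model, a committed policy, and severity-based alerting); it is example code written for this page, not TSIEM's own implementation. The W7 dimension names (Who, What, onWhat, When, Where, WhereFrom, WhereTo) are TSIEM's; the raw "key=value" collector lines, the rule names, the severities and the alert threshold are all constructed for the example.

```python
"""
Example (not TSIEM code): normalise raw audit lines onto the W7 dimensions,
run them through a frozen (committed) policy, and raise alerts for special
attention events or events at or above a severity threshold.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable
import re

# The seven W7 dimensions used by TSIEM's normalised event model.
W7_FIELDS = ("who", "what", "onwhat", "when", "where", "wherefrom", "whereto")

# Constructed sample audit lines in a made-up key=value collector format.
SAMPLE_EVENTS = [
    "ts=2024-03-01T08:15:02Z host=db01 user=alice action=login object=oracle src=10.1.1.20 dst=db01 result=success",
    "ts=2024-03-01T08:16:40Z host=db01 user=bob action=login object=oracle src=198.51.100.7 dst=db01 result=failure",
    "ts=2024-03-01T08:17:05Z host=fs02 user=root action=delete object=/var/log/audit/audit.log src=10.1.1.50 dst=fs02 result=success",
    "ts=2024-03-01T08:20:00Z host=fs02 user=carol action=read object=/share/reports/q1.xlsx src=10.1.1.33 dst=fs02 result=success",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line: str) -> dict:
    """Map one raw collector line onto the seven W7 dimensions."""
    kv = dict(KV_RE.findall(line))
    return {
        "who": kv["user"],                       # Who performed the action
        "what": f'{kv["action"]}/{kv["result"]}',  # What was done and the outcome
        "onwhat": kv["object"],                  # onWhat object it was done
        "when": datetime.fromisoformat(kv["ts"].replace("Z", "+00:00")),
        "where": kv["host"],                     # Where (platform) it happened
        "wherefrom": kv["src"],                  # WhereFrom the action originated
        "whereto": kv["dst"],                    # WhereTo it was directed
    }


@dataclass(frozen=True)
class Rule:
    name: str
    severity: int             # relevance of a matching event, defined in the policy
    special_attention: bool   # always alert, regardless of the severity threshold
    match: Callable[[dict], bool]


# A committed policy: an immutable tuple of frozen rules used by the automated check.
# Rule names and severities are constructed for this example.
POLICY = (
    Rule("failed_login_from_external", 7, False,
         lambda e: e["what"] == "login/failure" and not e["wherefrom"].startswith("10.")),
    Rule("audit_log_tampering", 9, True,
         lambda e: e["what"].startswith("delete") and "/audit/" in e["onwhat"]),
    Rule("privileged_account_use", 4, False,
         lambda e: e["who"] == "root"),
)


def evaluate(events, policy=POLICY, alert_threshold=5):
    """Run every normalised event through the policy; return (findings, alerts)."""
    findings, alerts = [], []
    for ev in events:
        for rule in policy:
            if rule.match(ev):
                hit = {"rule": rule.name, "severity": rule.severity,
                       "who": ev["who"], "when": ev["when"].isoformat()}
                findings.append(hit)
                if rule.special_attention or rule.severity >= alert_threshold:
                    alerts.append(hit)
    return findings, alerts


def run(lines=SAMPLE_EVENTS):
    """Normalise the sample lines and evaluate them against the committed policy."""
    return evaluate([normalize(line) for line in lines])


if __name__ == "__main__":
    findings, alerts = run()
    print(f"{len(findings)} policy findings, {len(alerts)} alerts")
    for a in alerts:
        print(f'ALERT sev={a["severity"]} {a["rule"]} who={a["who"]} when={a["when"]}')
```

Note that the root account's `delete` of the audit log produces two findings (privileged account use at severity 4 and audit-log tampering at severity 9) but only one alert: the low-severity finding stays in the compliance report, while the special attention rule alerts regardless of the threshold.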
Reporting in TSIEM
Introduction to Reports
Compliance Reports
Graphic Reports
Trend reports
Report Centers
Configuration tools
Daily verification reports
Detailed investigation reports
Firewall reports
Troubleshooting and Best Practices
Agent/Agent-less Collect
Troubleshooting:
Connection fails.
Collect User has inadequate permission (Audit Trail/TEMP).
Collect Script fails.
No Events to collect.
Connection Failures
Best Practices
Good event logging systems will capture 100% and let you purge later.
Demo
Questions/Comments!!!!