Transcript Slide 1

Enforcive CPA
Cross Platform Auditing
Company Profile
• Formed in 1983
• Pioneer in IBM mainframe and midrange security
• Offices in New Jersey, Toronto and Israel
• 80 Resellers in 60 countries
• Global distribution agreement with IBM
• Thousands of installations worldwide, including Fortune 500 companies
• Expertise in Compliance and Event auditing – cross platform
Customers Around the World
CPA Customers
Customers from Many Segments
Banking
Finance
Insurance
Automotive
Electronics
Pharmaceutical
Healthcare
Transportation
Manufacturing
Others
Enforcive Cross Platform Security Offering
All products work together and can be operated through a common GUI manager.
• CPS – Cross Platform Security (the overall offering)
• ES for IBM i – Enterprise Security: Host Based Security, Audit & Compliance for IBM i (Access Management, Field Encryption, Log Management, Compliance Management) – IBM i (OS400 & DB2)
• ES for z/OS – Host Based Security & Audit for IBM mainframe (Access Management, Field Masking, Log Management) – z/OS – CICS, VSE – CICS, DB2, VSAM
• CPA – Cross Platform Audit: Log Management & Database Activity Monitoring
• CPC – Cross Platform Compliance: GRC
• PSS – Password Self Service: Password Synchronization – SSO
Platforms and sources shown across the product columns of the slide: Windows, IBM i (OS400), Unix (AIX & Solaris), Linux, z/OS – CICS, VSE – CICS, MF/CICS & DB2, MS SQL Server, Oracle, DB2, VSAM, Sybase, MySQL, Progress, Syslog, Flat File Format
Easy Said. Easy Done.
Goodbye Haystacks. Find the needles you’ve been looking for.
What is the Cross-Platform Audit™?
• An enterprise-wide Compliance Event Monitor.
• The CPA is all about practical organizational security. It provides log monitoring for your computer systems and databases, collecting and consolidating data from across the enterprise. Many sources are available, including Windows, Mainframe, IBM i, Unix, DB2, SQL, Oracle and Progress.
• The CPA filters, then collects the events into a single database and presents them in an intuitive GUI for ease of analysis and investigation.
The Need
• Monitoring of the organization in order to satisfy regulatory policies in a multi-platform environment.
• Administrators need minimal platform-specific expertise to achieve their goals.
• Reduces the need to use local disk to store historical log files.
• Simplifies forensic investigation by correlating seemingly unconnected events into an audit trail indicating a possible breach of security.
Differentiators
• A single Management Console is used to manage the central repository as well as the individual systems that are being monitored.
• Focus is on critical information, for example the important data changes performed in the database.
• High visibility of changes using before and after images.
• Specialized IBM i logs – covering many unique event categories, with a high level of granularity.
• Specialized IBM Mainframe logs – covering a large amount of event categories, with a high level of granularity.
Features of the Cross-Platform Audit™
• Collection of diverse data formats into a uniform database.
• Comprehensive monitoring in a multi-platform environment.
• Reporting real user activity utilizing all the user’s identities.
• Graphical analysis of security information statistics.
• Powerful filtering to pinpoint events with specific characteristics.
• Event information drill-down to the field change level, incorporating ‘before’ & ‘after’ images.
• Audit information from different systems available all in one place.
• Comprehensive audit information for every critical event, showing exactly who did what, when and how.
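The features above (one uniform database for diverse formats, activity reported against all of a user's identities, filtering by specific characteristics) come down to a normalization step at collection time. As an added example that is not Enforcive's code and does not reproduce the CPA's internal design, the Python below parses three constructed records (a Windows security event export, an RFC 3164-style syslog line, a DB2 audit record) into a single event schema, maps each platform-local account to a constructed global user, and filters the combined trail by user, platform and start time the way a central repository query would. The record layouts, the identity table and every sample line are assumptions made for the example.

```python
"""Uniform event schema for cross-platform audit collection (added example).

Not Enforcive's code: it demonstrates the idea of collecting unrelated
log formats into one schema, tying platform-local identities to one
global user, and filtering the merged trail. All record layouts, sample
lines and identity mappings below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import re


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime          # always UTC, so events from different hosts sort together
    platform: str         # "Windows", "Linux", "DB2"
    source: str           # collector / log name within the platform
    local_user: str       # identity exactly as the platform recorded it
    action: str           # short classification of what happened
    detail: str           # original message text


# Constructed sample records, one layout per source format.
WINDOWS_EVENTS = [
    "2013-10-01T08:02:11Z|Security|4625|CORP\\jsmith|An account failed to log on",
    "2013-10-01T08:02:40Z|Security|4624|CORP\\jsmith|An account was successfully logged on",
]
SYSLOG_LINES = [
    "<86>Oct  1 08:05:02 dbhost sshd[4120]: Accepted publickey for jsmith from 10.0.0.7 port 51022",
]
DB2_AUDIT = [
    "2013-10-01 08:06:15,DBHOST,JSMITH,EXECUTE,UPDATE EMPLOYEE SET SALARY=9000 WHERE EMPNO=10",
]

# Constructed identity table: the platform-local accounts that belong to one
# person. A real deployment would load this from a directory or HR feed.
GLOBAL_USERS = {
    "alice-smith": {("Windows", "CORP\\jsmith"), ("Linux", "jsmith"), ("DB2", "JSMITH")},
}

SYSLOG_RE = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)$")
SYSLOG_USER_RE = re.compile(r"\bfor (\S+)\b")


def parse_windows(line: str) -> AuditEvent:
    """Pipe-separated export: timestamp|log|EventID|account|message (constructed layout)."""
    ts, log, event_id, user, msg = line.split("|", 4)
    return AuditEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      "Windows", log, user, f"EventID {event_id}", msg)


def parse_syslog(line: str, year: int = 2013) -> AuditEvent:
    """RFC 3164-style line; the year is not on the wire, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized syslog line: {line!r}")
    stamp, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    user_m = SYSLOG_USER_RE.search(msg)
    user = user_m.group(1) if user_m else "-"
    return AuditEvent(ts, "Linux", f"{host}/{prog}", user, msg.split()[0], msg)


def parse_db2(line: str) -> AuditEvent:
    """Comma-separated audit record: timestamp,host,user,action,statement (constructed layout)."""
    ts, host, user, action, stmt = line.split(",", 4)
    return AuditEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
                      "DB2", host, user, action, stmt)


def collect_all() -> List[AuditEvent]:
    """Collect every source into the uniform schema, ordered by time."""
    events = [parse_windows(l) for l in WINDOWS_EVENTS]
    events += [parse_syslog(l) for l in SYSLOG_LINES]
    events += [parse_db2(l) for l in DB2_AUDIT]
    return sorted(events, key=lambda e: e.ts)


def global_user_of(ev: AuditEvent) -> Optional[str]:
    """Resolve a platform-local identity to the person behind it, if known."""
    for name, identities in GLOBAL_USERS.items():
        if (ev.platform, ev.local_user) in identities:
            return name
    return None


def activity_for(global_user: str, platforms=None, since=None) -> List[AuditEvent]:
    """Audit trail for one person across platforms, optionally narrowed by
    platform set and start time; the cross-platform filter the text describes."""
    return [e for e in collect_all()
            if global_user_of(e) == global_user
            and (platforms is None or e.platform in platforms)
            and (since is None or e.ts >= since)]


if __name__ == "__main__":
    for e in activity_for("alice-smith"):
        print(e.ts.isoformat(), e.platform, e.local_user, e.action, "|", e.detail)
```

Run as a script it prints the failed Windows logon, the successful logon, the SSH login on the database host and the DB2 UPDATE as one chronological trail for a single person, even though each platform recorded a differently spelled account name.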
Collection Flow
All Sources
• System Audit
• File and Field Audit
• Alerts
• Application Audit
• SQL Statement
• IP Filter
• Compliance
• Message Queue
• History Log
• View Data
• System Audit X86
• System Audit 86_64
• System Audit IA64
• System Audit PPC64
• System Audit PPC
• System Audit S390X
• System Audit S390
• Audit
• Connect
• Query
• Prepare
• Execute
• Shutdown
• Quit
• No audit
• Init DB
• Other
• SMF TELNET
• SMF FTP
• SMF VSAM
• SMF RACF
• TCP/IP Application Audit (FTP and Telnet)
• DB2 SMF
• DB2 LOG (Data Audit)
• DB2 CICS (SQL Data Capture)
• DB2 BATCH (SQL Data Capture)
• System Audit
• System Audit
• Data Audit
• Windows Event Logs: Security, Application, DNS, and more
• Windows Active Directory Compliance
• ISA Server logs
• DHCP logs
• IIS Web Server logs
• Exchange Server
• System Audit
• DB2 SMF – MF
• DB2 LOG (Data Audit) – MF
• DB2 CICS (SQL Data Capture) – MF
• DB2 BATCH (SQL Data Capture) – MF
• DB2 System Audit – i, AIX, LUW
• DB2 SQL Statement Audit – i, AIX, LUW
SYSLOG Sources
• Routers
• Firewalls
• Antivirus
• Other SYSLOG senders
• System Audit
• UNIX DB2
• SQL Statements
• SQL System Audit
• SQL Data Audit
• SQL Statements
• Oracle System
• Oracle Admin
• Oracle Profiles/Users
• Oracle Procedures
• Data Audit
Event Sources
• IBM Systems
• Open Systems
• Databases
• Microsoft Servers
• Syslogs
Cross-Platform Security™
Enterprise-wide Compliance Event Monitor
Updated: October, 2013
Feature: CPA as SYSLOG Server
Our Goal: Simplicity in implementation and daily use.
Implementation: Simple Steps
• Add Systems
• Tailor Reports
• Specify Alerts
• Set Audit Policy
• Define Data Transfer
Examples: Using CPA
1) Make a change to table contents in SQL
2) View that event locally
3) View that event in the Central Repository
4) Defining an audit policy
5) How to define which events are collected
6) How to alert on critical events
7) Investigating a global user’s activities
8) Visual analysis
9) Correlation Reporting
1: Make a change to table contents in SQL
This example demonstrates how the CPA Repository will monitor critical events within a database: a user executes an SQL statement to change the salary field in an employee record.
2: View that event locally
The change appears locally, both in the SQL Statement Audit and in the Data Audit.
SQL Statement Audit:
Data Audit: Current / Previous
3: View that event in the Central Repository
Once collected into the Repository, the information can be filtered by date, platform and user. The event will appear both as an SQL statement and as a Data Audit event showing the changes.
Data Audit: Current / Previous
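Steps 1 to 3 reproduced offline, as an added example that is not Enforcive's code and does not show how the CPA itself captures data: a SQLite trigger writes the Previous and Current image of the salary field whenever an UPDATE actually changes it, and a small statement log keeps the SQL text, giving the two views the walkthrough describes (SQL Statement Audit and Data Audit). The employee table, the column names and the layout of the two audit tables are constructed for the example.

```python
"""Before/after ('Previous'/'Current') data audit of a salary change (added example).

Not Enforcive's code: a SQLite trigger records the field-level image of a
changed salary, and a statement log records the SQL text, so the SQL
Statement Audit and Data Audit views can be examined locally. The
employee table and both audit table layouts are constructed.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE employee (empno INTEGER PRIMARY KEY, name TEXT, salary INTEGER);

-- SQL Statement Audit: who submitted which statement.
CREATE TABLE sql_statement_audit (
    id INTEGER PRIMARY KEY, ts TEXT DEFAULT CURRENT_TIMESTAMP,
    db_user TEXT, statement TEXT);

-- Data Audit: one row per changed field with its previous and current image.
CREATE TABLE data_audit (
    id INTEGER PRIMARY KEY, ts TEXT DEFAULT CURRENT_TIMESTAMP,
    table_name TEXT, row_key TEXT, field TEXT, previous TEXT, current TEXT);

-- Fires only when the salary value really changes, so a no-op UPDATE
-- (same value written again) leaves no Data Audit row.
CREATE TRIGGER employee_salary_audit AFTER UPDATE OF salary ON employee
WHEN OLD.salary IS NOT NEW.salary
BEGIN
    INSERT INTO data_audit(table_name, row_key, field, previous, current)
    VALUES ('employee', NEW.empno, 'salary', OLD.salary, NEW.salary);
END;
"""


def open_audited_db() -> sqlite3.Connection:
    """In-memory database with the constructed schema and one employee row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO employee VALUES (10, 'J. Smith', 5000)")
    conn.commit()
    return conn


def run_audited(conn: sqlite3.Connection, db_user: str, statement: str, params=()) -> None:
    """Log the statement text as submitted (parameter markers included), then
    execute it; the trigger adds the field-level change to data_audit."""
    with conn:
        conn.execute("INSERT INTO sql_statement_audit(db_user, statement) VALUES (?, ?)",
                     (db_user, statement))
        conn.execute(statement, params)


def statement_audit(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """SQL Statement Audit view: (user, statement) in submission order."""
    return conn.execute(
        "SELECT db_user, statement FROM sql_statement_audit ORDER BY id").fetchall()


def data_audit(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str, str]]:
    """Data Audit view: (table, row key, field, Previous, Current)."""
    rows = conn.execute(
        "SELECT table_name, row_key, field, previous, current FROM data_audit ORDER BY id"
    ).fetchall()
    return [tuple(str(c) for c in r) for r in rows]


def demo() -> Dict[str, list]:
    """Change the salary once, repeat the same value, and return both audit views."""
    conn = open_audited_db()
    run_audited(conn, "JSMITH", "UPDATE employee SET salary = ? WHERE empno = ?", (9000, 10))
    # Same value again: logged as a statement, but produces no Data Audit row.
    run_audited(conn, "JSMITH", "UPDATE employee SET salary = ? WHERE empno = ?", (9000, 10))
    return {"statements": statement_audit(conn), "data_audit": data_audit(conn)}


if __name__ == "__main__":
    result = demo()
    print("SQL Statement Audit:")
    for user, stmt in result["statements"]:
        print(f"  {user}: {stmt}")
    print("Data Audit (table, row, field, Previous, Current):")
    for row in result["data_audit"]:
        print("  ", row)
```

The separation mirrors the two views in the slides: the statement log shows what was submitted and by whom, while the Data Audit shows the effect on the record (salary 5000 to 9000), and the WHEN clause keeps the Data Audit free of rows for statements that changed nothing.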
4: Defining an Audit Policy
5: How to define which events are collected.
6: How to alert on critical events.
7: Investigating a Global User’s Activities
IBM z
IBM i
Windows
AIX DB2
8: Visual Analysis
Report of currently active applications
9: Correlation Reporting
• Network Access Login
• Database contents before and after image report
• Mainframe Violations in both RACF and DB2
• Oracle Logon Failure Report
• Program Failures
Sneak Peek: User Identification Functionality