
Can you describe your service options for Security Monitoring?

The User Activity Compliance Monitoring solution defines policies for each of the events / system activities (vulnerability logs, server logs, proxy logs, etc.); this is the upfront work that IBM has built into the proposal to discover use cases and properly define all parameters.
· We then build the policies in the SIEM tool, test them and deploy them.
· Based on the policies, alerts are generated in the system and analysts review the alerts / events of interest to decipher them (categorize each as noise/false positive or a true incident).
· Upon identification of a true incident, the incident management process is invoked.
· On an ongoing basis, during governance calls with the customer, events of interest will be discussed and additional policies will be developed (this may also result in tuning to reduce noise, or adding policies to identify incidents).
In addition, the Select level of Intrusion Detection and Prevention System Management is designed to provide monitoring, alerting and support of network intrusion detection and intrusion prevention systems (called “Agents”) across a variety of platforms and technologies.
Managed Security Services are delivered from a network of Security Operations Centers (“SOCs”), and provide access to the SOCs 24 hours/day, 7 days/week.
All of our monitoring and management service offerings come with full access to the Virtual SOC portal, security intelligence through the Threat Analysis Center, including the ability to create a vulnerability watch list with customized threat information, standard automated analysis of events and incidents, health monitoring, and reporting. In addition to our standard IDPS monitoring services we are also offering Security Event Monitoring which includes the standard Automated Analysis and adds real-time 24x7 human analysis. With this option the security incident alert notification drops from 1 hour to 15 minutes.
The optional event monitoring and notification is an eyes-on option that is described and differentiated from our automated analysis below.
Automated Analysis
Agents are capable of generating a high volume of alarms in response to the security conditions they are configured to detect. The actual security risk corresponding to a particular condition detected is not always clear, and it is not practical to block all data that may be harmful as the default. Additional monitoring and analysis of these alarms is important to a sound security program.
IBM has developed and maintains an automated intelligence (“AI”) analysis engine as part of the X-Force Protection System. Events from Agents are submitted to the AI analysis engine for correlation and identification, as they are collected. The AI analysis engine performs the following basic functions:
· correlates both real-time and historical alarms;
· utilizes statistical and rules-based analysis techniques;
· leverages raw, normalized and consolidated data; and
· operates on application and operating system alarms.
X-Force Protection System AI alerts are made available to you via the Portal. CSS sends you an hourly X-Force Protection System alert notification e-mail, summarizing the AI alerts, if you select this option in the Portal.
Event Monitoring and Notification
MSS security analysts perform event monitoring and analysis of intrusion event AI alerts generated by the X-Force Protection System which result from automated analysis performed on IDS/IPS events. Whether or not a security event is considered a security incident is determined solely by IBM. Identified events are classified, prioritized, and escalated as IBM deems appropriate. Alerts that are not eliminated as benign triggers are classified as a security incident (“SI”).
Security incidents (“SI”) are classified into one of the three priorities described below:
· SI – Priority 1 - Investigations that result in a high priority classification (i.e., Priority 1) require immediate defensive action.
· SI – Priority 2 - Investigations that result in a medium priority classification (i.e., Priority 2) require action within 12 - 24 hours of notification.
· SI – Priority 3 - Investigations that result in a low priority classification (i.e., Priority 3) require action within 1 – 7 days of notification.
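The pipeline the post describes (policies built in the SIEM, alerts generated and correlated against recent history, analysts eliminating benign triggers, surviving alerts classified as SIs with a response window by priority) can be sketched as a small rule engine. The code below is an added example written for this page; it is not IBM's code, and the events, the policy thresholds, the 10-minute correlation window and the "authorized scanner" benign-trigger list are all constructed assumptions. The response deadline for each priority uses the upper bound of the window stated above (immediate, 24 hours, 7 days).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed sample events (normalized log records). Made up for this
# example; not taken from the page or from any real deployment.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "10.0.0.5", "type": "auth_fail", "user": "alice"},
    {"ts": "2024-05-01T09:00:20", "src": "10.0.0.5", "type": "auth_fail", "user": "alice"},
    {"ts": "2024-05-01T09:00:40", "src": "10.0.0.5", "type": "auth_fail", "user": "alice"},
    {"ts": "2024-05-01T09:01:00", "src": "10.0.0.5", "type": "auth_fail", "user": "alice"},
    {"ts": "2024-05-01T09:01:20", "src": "10.0.0.5", "type": "auth_fail", "user": "alice"},
    {"ts": "2024-05-01T09:01:40", "src": "10.0.0.5", "type": "auth_success", "user": "alice"},
    {"ts": "2024-05-01T09:30:00", "src": "10.0.0.9", "type": "auth_fail", "user": "bob"},
    {"ts": "2024-05-01T10:00:00", "src": "10.0.0.77", "type": "port_scan", "ports": 200},
    {"ts": "2024-05-01T10:05:00", "src": "10.0.0.42", "type": "port_scan", "ports": 180},
]

# Constructed benign-trigger list: a source the customer identified during a
# governance call as an authorized vulnerability scanner (assumption).
AUTHORIZED_SCANNERS = {"10.0.0.77"}

CORRELATION_WINDOW = timedelta(minutes=10)  # assumed look-back for correlation

# Response window per SI priority: P1 immediate, P2 within 24 h, P3 within 7 days
RESPONSE_WINDOW = {1: timedelta(0), 2: timedelta(hours=24), 3: timedelta(days=7)}


@dataclass
class Policy:
    name: str
    priority: int
    # matches(event, window): window = events from the same source inside
    # CORRELATION_WINDOW, including the current event (real-time + history)
    matches: Callable[[dict, list], bool]


def count_type(window: list, etype: str) -> int:
    return sum(1 for e in window if e["type"] == etype)


# Example policies with constructed thresholds (not IBM's rule content)
POLICIES = [
    Policy("brute_force_success", 1,
           lambda ev, w: ev["type"] == "auth_success" and count_type(w, "auth_fail") >= 5),
    Policy("auth_failure_burst", 2,
           lambda ev, w: ev["type"] == "auth_fail" and count_type(w, "auth_fail") >= 5),
    Policy("wide_port_scan", 3,
           lambda ev, w: ev["type"] == "port_scan" and ev.get("ports", 0) >= 100),
]


@dataclass
class Alert:
    policy: str
    priority: int
    src: str
    ts: datetime


@dataclass
class Incident:
    policy: str
    priority: int
    src: str
    notified: datetime
    respond_by: datetime


def generate_alerts(events: list) -> list:
    """Automated analysis: apply every policy to each event, correlated with
    the recent events from the same source (rules over real-time + history)."""
    history = {}  # src -> events still inside the correlation window
    alerts = []
    for raw in sorted(events, key=lambda e: e["ts"]):
        ev = dict(raw, ts=datetime.fromisoformat(raw["ts"]))
        window = [h for h in history.get(ev["src"], [])
                  if ev["ts"] - h["ts"] <= CORRELATION_WINDOW]
        window.append(ev)
        history[ev["src"]] = window
        for pol in POLICIES:
            if pol.matches(ev, window):
                alerts.append(Alert(pol.name, pol.priority, ev["src"], ev["ts"]))
    return alerts


def triage(alerts: list, benign_sources: set = AUTHORIZED_SCANNERS) -> tuple:
    """Analyst review: alerts from known benign triggers are recorded as false
    positives; every other alert becomes an SI with a deadline by priority."""
    incidents, false_positives = [], []
    for a in alerts:
        if a.src in benign_sources:
            false_positives.append(a)
            continue
        incidents.append(Incident(a.policy, a.priority, a.src, a.ts,
                                  a.ts + RESPONSE_WINDOW[a.priority]))
    return incidents, false_positives


if __name__ == "__main__":
    found, noise = triage(generate_alerts(SAMPLE_EVENTS))
    for inc in sorted(found, key=lambda i: i.priority):
        print(f"P{inc.priority} {inc.policy:22s} {inc.src:10s} respond by {inc.respond_by}")
    print(f"{len(noise)} alert(s) eliminated as benign triggers")
```

On the sample data the fifth failed login from 10.0.0.5 raises a Priority 2 burst alert, the success that follows it is correlated with the five failures in the window and raises a Priority 1 alert, and the two port scans raise Priority 3 alerts, one of which the triage step drops because its source is the authorized scanner. Growing the benign-trigger set, or adjusting thresholds, is the "tuning to reduce noise" that the governance calls feed back into the policies.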
