Implementing Distributed Novell® Sentinel™ Environments: A Customer Case Study

Christine Deger, Department Manager IT Security, [email protected]

Norbert Klasen, Senior Consultant, [email protected]

GaVI is an IT service provider for a number of German insurance companies. Due to EU and national regulations, it is required to retain data generated while running communications services. In the scope of the data retention project, a distributed Novell Sentinel environment was deployed and several custom collectors were developed to collect logs from fixed telephone, Internet access, Internet e-mail and Internet telephone devices. This session will discuss how you can use the enhanced event router features and Sentinel Link to implement a distributed SIEM solution in a high event rate environment. The session will finish with a lessons-learned section.

Page 1: Implementing Distributed Novell Sentinel Environments: A Customer Case Study

Implementing Distributed Novell® Sentinel™ Environments: A Customer Case Study

Christine Deger, Department Manager IT Security, [email protected]

Norbert Klasen, Senior Consultant, [email protected]

Page 2

© Novell, Inc. All rights reserved.

Overview

• What is GaVI?

– A short introduction

• Data retention

– Legal requirements

• How to get there

– Planning / decision / implementation

• Demonstration

• Lessons Learned

Page 3

GaVI – IT Full Service … for public insurance companies in Germany

Page 4

GaVI

History

• GaVI was founded in 2003 as a subsidiary of three insurance companies

• Customers

– Insurance holding organizations which represent 33 insurance companies

• Offered Services

– As a full-service provider, GaVI offers all required IT services

Page 5

Assignment and Claim

• Supply or provision of all required IT services

• Coverage and increase of the economic efficiency and quality of our (and our customers') IT business

• Develop synergies

• Optimisation and homogenisation

• Structuring of technological strategies

• Consulting in all business areas

As measured by its full service customers' gross premium income, GaVI is

– THE leading IT service supplier of the public insurance sector (71%)

– Germany's third largest IT service supplier within the insurance business (behind ASI C and ITErgo, on par with AMB Informatik Services)

Page 6

Business Figures

Business figures 2009 (in 1.000 EUR)

Turnover exposure: 176.000
– thereof shareholders and their subsidiaries: 174.400
– thereof other customers: 1.600

Personnel costs: 42.000

Material expenses (incl. services): 122.000

Page 7

GaVI - Facts and Figures

Employees: 490

Locations: 7 main locations, 5 secondary locations

Business volume: 180 mio EUR (2008)

Host system: 13.000 MIPS

Central print: 260 mio pages p. a.

Memory: 600 terabyte

Server (logic)
- UNIX/Linux: 700
- others: 2.100

PC work stations: 31.000

Mobile devices: 21.000

Service desk: 300.000 calls p. a.

Page 8

Data Retention

Page 9

Legal Requirements

• EU Directive 2006/24/EC – Retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks

• German law – Gesetz zur Neuregelung der Telekommunikationsüberwachung und anderer verdeckter Ermittlungsmaßnahmen sowie zur Umsetzung der Richtlinie 2006/24/EG

– On 2 March 2010 the German Federal Constitutional Court issued a press release stating that parts of the existing law are not in line with constitutional requirements. As a consequence, all personal data had to be deleted from the databases.

Page 10

Legal Obligations

• For fixed telephony, (mobile telephony), Internet access, Internet email and Internet telephony

• Retain, for a period of 6 months, necessary data

– To trace and identify the source of a communication

– To identify the destination of a communication

– To identify the date, time and duration of a communication

– To identify the type of communication

• No data revealing the content of the communication may be retained

Page 11

Arguments On Data Retention

• Data retention is an invasion of privacy

• Disproportionate response to the threat of terrorism

• Costs of retaining data

• Several lawsuits have been filed by individuals and organizations

• Use of retained data has been restricted by BVerfG

• Some providers need not retain data until courts have reached final judgement

Page 12

Does the Law Apply to GaVI?

• Data Retention is required for publicly available services

• GaVI is not a public Internet service provider in the general sense

• But, some of its customers explicitly allow their employees private internet access

• Legal advisors determined that GaVI must indeed retain data under the aforementioned laws

Page 13

Devices to Monitor

• 6 firewalls from 3 vendors

• 13 VPN gateways from 2 vendors

• 1 fax server

• 2 mail relays

• 13 proxy servers from 3 vendors

• 100 PBXs from 10 vendors

Page 14

Solution

• GaVI had deployed Novell® Audit to fulfill internal requirements on file access auditing

• Novell Audit was superseded by Sentinel™, Novell’s award winning general purpose Security Information and Event Management (SIEM) product

• Sentinel has a flexible Event Source Management that ships with a large number of connectors for all kinds of devices – from network devices such as firewalls and intrusion detection systems to vulnerability scanners, databases, and operating systems.

• An SDK allows for rapid development of custom connectors. This was key in supporting all Fax and Telephony systems at GaVI.

Page 15

Implementation

Page 16

Novell® Sentinel™

• Sentinel is based on a message bus architecture that provides flexibility and scaling for large deployments

• Real-Time Analytics, Visualization

• Detect and analyze trends, threats, violations

• Drill-down into historical details from seconds to hours in the past

Page 17

Implementation

• Distributed architecture

– three Sentinel instances at major branch offices

– one central Sentinel instance for data retention purposes

• Local instances collect from event sources

– Data normalization

– Short term storage

• Events relevant to data retention are forwarded to the central instance

– Only allowed fields

– Long term storage

Page 18

Numbers

• Combined from all three branch offices

• Event sources – 150

• Sustained event rate – 800 events/s

• Peak event rate – 2000 events/s

• Storage – 14 TB

• 90% of events fall under data retention law

Page 19

Sentinel™ Link

• Sender

– Action and Integrator

– Event batch allows for better compression

– Reliable transport

– Encryption

• Receiver

– Connector and Collector

– Collector is a single thread and thus limited to one CPU core

– Limits parsing rate to ~500 eps

– Create dedicated connector/collector pairs for each event source

Page 20

Sentinel™ Link Demonstration

Page 21

Lessons Learned

Page 22

Project Costs

• Hardware

– 150.000 € (210.000 $)

• Licenses

– 259.000 € (362.600 $)

• Internal / External effort

– Internal: 52.000 € (72.800 $)

– External: 75.000 € (105.000 $)

Page 23

Event Forwarding

• Using database connector

– No good identifier in event record

• Forwarding from correlation rules

– JavaScript actions are compiled for each event

– Allows ~20 actions per second

– Not fast enough

• Forward from Event Router

– Events are batched up

– Action is called once for a batch of up to 500 events

Page 24

Process

• Validate Data

– Ensure complete and correct forwarding of data

– Each event was shifted into the future by one hour

• Performance

– Always test for performance issues during pilot
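Added example, not code from the GaVI deployment or from Novell Sentinel: a small model of the forwarding design from the Implementation and Event Forwarding slides (one transport call per batch of up to 500 events, carrying only the fields the retention obligation allows), plus the post-forwarding comparison that exposes a constant one-hour timestamp shift like the one noted under Validate Data. The field names, the send transport and the sample events are assumptions.

```javascript
// Added example, not code from the GaVI deployment or from Novell Sentinel.
// It models the forwarding design the slides describe (one action call per
// batch of up to 500 events, only retention-allowed fields) and the check
// that exposes the one-hour timestamp shift. Field names are assumptions.

const BATCH_SIZE = 500;
// Source, destination, date/time/duration and type of a communication
// may be retained; content fields (e.g. Message) must not leave the branch.
const ALLOWED_FIELDS = ['SourceIP', 'SourceUser', 'DestinationIP',
  'DestinationPort', 'EventTime', 'Duration', 'EventType'];

// Copy only the allowed fields of one event.
function restrictToAllowedFields(event) {
  const out = {};
  for (const f of ALLOWED_FIELDS) if (f in event) out[f] = event[f];
  return out;
}

// Call send() once per batch instead of once per event; send is a
// caller-supplied transport (assumed). Returns the number of send() calls.
function forwardBatches(events, send) {
  let calls = 0;
  for (let i = 0; i < events.length; i += BATCH_SIZE) {
    send(events.slice(i, i + BATCH_SIZE).map(restrictToAllowedFields));
    calls += 1;
  }
  return calls;
}

// Validation: compare EventTime (epoch seconds) as sent with what the central
// instance stored. Returns the offset in seconds when every pair differs by
// the same amount (3600 = the one-hour shift from the slides), else null.
function constantTimeShift(sent, stored) {
  if (sent.length === 0 || sent.length !== stored.length) return null;
  const offset = stored[0].EventTime - sent[0].EventTime;
  for (let i = 1; i < sent.length; i++) {
    if (stored[i].EventTime - sent[i].EventTime !== offset) return null;
  }
  return offset;
}

// Constructed sample input: proxy events carrying a content field.
function sampleEvents(n) {
  return Array.from({ length: n }, (_, i) => ({
    SourceIP: '10.0.0.' + ((i % 200) + 1), DestinationIP: '192.0.2.10',
    DestinationPort: 80, EventTime: 1270000000 + i, EventType: 'proxy',
    Message: 'GET /private/page' + i,
  }));
}
```

With 1200 sample events, forwardBatches makes three transport calls (500, 500, 200 events) and no batch contains the Message field; feeding the same events back with EventTime raised by 3600 returns the shift that a per-event spot check would easily miss.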

Page 25

Requirements by BVerfG

• If a new bill is to be passed, it must impose strict data security guidelines

– Separate storage

– Asymmetric encryption

– Four-eyes principle

– Advanced authentication mechanisms

– Non-repudiable access and deletion logs

Page 26

Future

• Use deployed infrastructure for IT security monitoring

– Expand collection to Windows systems

– Correlate events across systems

– Track security incidents

– Automatically notify on suspicious or illegal activity

• Improve Compliance Reporting for IT Controls

– Fulfill requirements set forth by internal and external auditors

Page 27

Page 28

Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer. This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.