
Higher Education Commission Threat Mitigation Managed Services

Managed Services Proposal for Threat Mitigation

Table of Contents
1. Database Security (overall)
a. What are the current threats?
b. International trends
2. Policy Draft
a. IT policy impacting DB security
b. How to enforce it?
3. Appliances to Enforce DB Security
a. Perimeter security to secure applications (UTM & IPS/IDS)
b. Prevent DDoS attacks
c. DB Security - Guardium
i. Access, control, management, policy enforcement
ii. Reports
iii. Incident management reporting and workflow
iv. Audit trail
4. Forensic Analysis - ArcSight
a. Central log management
b. Correlation
c. Entire info sec reporting
5. Defining KPIs
a. Security attacks
b. Security breaches
c. 100% data integrity of the DB
i. Via backup of data
6. Responsibility Matrix
a. COMMTEL
b. HEC and other stakeholders
7. Onsite Implementation
a. Timelines / plan
b. HR required

Copyright CommTel Pvt Ltd. Use or disclosure of data contained on this page is subject
to the restriction in the disclosure statement of this document.


Introduction
CommTel Security Services has helped to set the standard for accountability,
reliability and protection in Managed Security Services (MSS).
These services are designed to help you enhance your information security
posture, lower your total cost of ownership and demonstrate compliance by
partnering with CommTel for the monitoring and management of your security
operations, regardless of device type or vendor on a 24/7/365 basis or as needed.
CommTel Managed Security Services delivers the expertise, tools and
infrastructure you need to secure your information assets from Internet attacks
24/7/365, often at a fraction of the cost of in-house security resources. Access to
the CommTel SOC, a secure Web-based management tool, provides a single
interface to easily monitor the security of your overall infrastructure of managed
and unmanaged security devices.
With Managed Security Services from our Security Services, you benefit from
improved operational, financial and strategic efficiencies across your enterprise:

Lower your total cost of ownership by saving up to 55% on information
security management costs, allowing you to reallocate resources to other
business objectives

Achieve and maintain compliance with government and industry
regulations through ongoing security monitoring and documented security
policies and procedures

Vendor-neutral approach supports a variety of device types from many
vendors including Blue Coat, Cisco, IBM, SafeNet, McAfee, ArcSight and
others

Managed Security Services


Our Managed Security Services provides 24/7/365 monitoring and management
of security technologies you house in your environment. CommTel provides a
single management console and view of your entire security infrastructure,
allowing you to mix and match by device type, vendor and service level to meet
your individual business needs while drastically reducing your security costs,
simplifying security management and accelerating your speed to protection.


1. Database Security

a). What are Current Threats?


Security has always been a priority concern of IT professionals, especially the
Chief Information Officers (CIOs) who hold ultimate responsibility for their
company's computer and Internet security. In the years since the Internet first
came on the scene, the security scenario has undergone rapid changes and
developments as threats and counter-threats have been developed and deployed.
Recent surveys tend to confirm this perception. While IT security threats
continue, the form and nature of these threats may not be what most people expect
or even suspect. The following are the top Information Technology security
threats right now.

Excessive Privilege Abuse


When users (or applications) are granted database access privileges that exceed the
requirements of their job function, these privileges may be abused for malicious
purposes. For example, a university administrator whose job requires only the ability
to change student contact information may take advantage of excessive database
update privileges to change grades.
A given database user ends up with excessive privileges for the simple reason that
database administrators do not have the time to define and update granular access
privilege control mechanisms for each user. As a result, all users or large groups of
users are granted generic default access privileges that far exceed specific job
requirements.
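The excess-privilege problem described above can be measured rather than guessed at. The following dictionary queries are an added example for an Oracle database, not part of the proposal or of any vendor product; they assume the standard DBA_* views, and the schema HR and the table STUDENT.GRADES are assumed names standing in for the grade-change scenario in the text.

```sql
-- Added example (not from the proposal): dictionary queries for finding
-- the over-privileged accounts this section describes in an Oracle
-- database. Assumes the standard DBA_* views; run it from a read-only
-- review account that has been granted SELECT on them, not as SYS.
-- Schema HR and table STUDENT.GRADES are assumed names.

-- 1. Accounts holding "ANY" system privileges. These bypass object-level
--    grants entirely and are rarely justified outside DBA work.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 2. Object privileges granted to PUBLIC on an application schema. Every
--    account inherits these, so they are the usual source of the "generic
--    default access" the text warns about.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'HR'
ORDER  BY table_name, privilege;

-- 3. Who can change a sensitive table, either by direct grant or through
--    one level of role membership. Compare the result with the list of
--    people whose job actually requires grade changes.
SELECT grantee, privilege, CAST('direct' AS VARCHAR2(160)) AS how
FROM   dba_tab_privs
WHERE  owner = 'STUDENT' AND table_name = 'GRADES'
AND    privilege IN ('INSERT', 'UPDATE', 'DELETE')
UNION
SELECT rp.grantee, tp.privilege,
       CAST('via role ' || rp.granted_role AS VARCHAR2(160))
FROM   dba_tab_privs tp
JOIN   dba_role_privs rp ON rp.granted_role = tp.grantee
WHERE  tp.owner = 'STUDENT' AND tp.table_name = 'GRADES'
AND    tp.privilege IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY 1, 2;
```

The third query follows only one level of role nesting; roles granted to roles need a recursive walk of DBA_ROLE_PRIVS, but even this single level usually surfaces the accounts whose grants no longer match their job function.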

Legitimate Privilege Abuse


Users may also abuse legitimate database privileges for unauthorized purposes.
Consider a hypothetical rogue healthcare worker with privileges to view individual
students' records via a custom Web application. The structure of the Web application
normally limits users to viewing an individual student's grade history; multiple
records cannot be viewed simultaneously and electronic copies are not allowed.
However, the user may circumvent these limitations by
connecting to the database using an alternative client such as MS Excel. Using MS
Excel and his legitimate login credentials, the worker may retrieve and save all
student grade history records.
It is unlikely that such personal copies of university record databases comply with
any educational institution's data protection policies. There are two risks to
consider. The first is the bad student who is willing to trade grade records for money.
The second (and perhaps more common) is the negligent employee who retrieves
and stores large amounts of information on their client machine for legitimate work
purposes. Once the data exists on an endpoint machine, it becomes vulnerable to
Trojans, laptop theft, etc.


Privilege Elevation
Attackers may take advantage of database platform software vulnerabilities to
convert access privileges from those of an ordinary user to those of an administrator.
Vulnerabilities may be found in stored procedures, built-in functions, protocol
implementations, and even SQL statements. For example, a software developer at a
financial institution might take advantage of a vulnerable function to gain the
database administrative privilege. With administrative privilege, the rogue developer
may turn off audit mechanisms, create bogus accounts, transfer funds, etc.

Platform Vulnerabilities
Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and
additional services installed on a database server may lead to unauthorized access,
data corruption, or denial of service. The Blaster Worm, for example, took advantage
of a Windows 2000 vulnerability to create denial of service conditions.

SQL Injection
In a SQL injection attack, a perpetrator typically inserts (or injects) unauthorized
database statements into a vulnerable SQL data channel. Typically targeted data
channels include stored procedures and Web application input parameters. These
injected statements are then passed to the database where they are executed. Using
SQL injection, attackers may gain unrestricted access to an entire database.
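The text names stored procedures as a typical injection channel. The PL/SQL below is an added example, not code from the proposal, showing the pattern that creates the weakness beside two safe forms; the GRADES table and its two rows are constructed in the current schema so the block runs stand-alone.

```sql
-- Added example (not from the proposal): SQL injection in a stored
-- procedure and its fix. Table GRADES is constructed here in the current
-- schema; all names are assumed.
CREATE TABLE grades (
  student_id VARCHAR2(20) NOT NULL,
  course     VARCHAR2(50) NOT NULL,
  grade      VARCHAR2(5)  NOT NULL
);
INSERT INTO grades VALUES ('S1001', 'CS101', 'A');
INSERT INTO grades VALUES ('S1002', 'CS101', 'B+');
COMMIT;

-- VULNERABLE: the caller's input is concatenated into the statement text,
-- so a value containing a quote character is parsed as SQL, not compared
-- as data. Kept here only to show the shape that must not be deployed.
CREATE OR REPLACE PROCEDURE grades_by_student_unsafe (p_student_id IN VARCHAR2)
AS
  v_cur    SYS_REFCURSOR;
  v_course VARCHAR2(50);
  v_grade  VARCHAR2(5);
BEGIN
  OPEN v_cur FOR
    'SELECT course, grade FROM grades WHERE student_id = ''' || p_student_id || '''';
  LOOP
    FETCH v_cur INTO v_course, v_grade;
    EXIT WHEN v_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_course || ': ' || v_grade);
  END LOOP;
  CLOSE v_cur;
END;
/

-- HARDENED: static SQL. The statement text is fixed at compile time and
-- p_student_id is a bind variable, so the input can only be a value.
-- AUTHID CURRENT_USER makes the procedure run with the caller's
-- privileges rather than the owner's, limiting what a caller can reach.
CREATE OR REPLACE PROCEDURE grades_by_student (p_student_id IN VARCHAR2)
  AUTHID CURRENT_USER
AS
BEGIN
  FOR r IN (SELECT course, grade
            FROM   grades
            WHERE  student_id = p_student_id)
  LOOP
    DBMS_OUTPUT.PUT_LINE(r.course || ': ' || r.grade);
  END LOOP;
END;
/

-- When the statement really must be assembled at runtime (the table name
-- varies), still bind every data value and validate identifiers with
-- DBMS_ASSERT instead of concatenating them raw.
CREATE OR REPLACE PROCEDURE grades_by_student_dyn (
  p_table      IN VARCHAR2,
  p_student_id IN VARCHAR2
) AUTHID CURRENT_USER
AS
  v_cur    SYS_REFCURSOR;
  v_course VARCHAR2(50);
  v_grade  VARCHAR2(5);
BEGIN
  OPEN v_cur FOR
    'SELECT course, grade FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    || ' WHERE student_id = :id'
    USING p_student_id;
  LOOP
    FETCH v_cur INTO v_course, v_grade;
    EXIT WHEN v_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_course || ': ' || v_grade);
  END LOOP;
  CLOSE v_cur;
END;
/

-- Usage (SET SERVEROUTPUT ON in SQL*Plus first):
BEGIN
  grades_by_student('S1001');
  grades_by_student_dyn('GRADES', 'S1002');
END;
/
```

The defining difference is whether the value travels inside the statement text or beside it as a bind; the bind forms also let the database reuse the parsed statement, so the safer code is usually the faster code as well.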

Weak Audit Trail


Automated recording of all sensitive and/or unusual database transactions should be
part of the foundation underlying any database deployment. Weak database audit
policy represents a serious organizational risk on many levels.
Regulatory Risk - Organizations with weak (or sometimes non-existent) database
audit mechanisms will increasingly find that they are at odds with government
regulatory requirements. Sarbanes-Oxley (SOX) in the financial services sector and
the Health Insurance Portability and Accountability Act (HIPAA) in the
healthcare sector are just two examples of government regulation with clear
database audit requirements.
Deterrence - Like video cameras recording the faces of individuals entering a
college, database audit mechanisms serve to deter attackers, who know that
audit records give investigators the forensic evidence needed to link intruders to a
crime.
Detection and Recovery - Audit mechanisms represent the last line of database
defense. If an attacker manages to circumvent other defenses, audit data can
identify the existence of a violation after the fact. Audit data may then be
used to link a violation to a particular user and/or repair the system.

Lack of User Accountability - When users access the database via Web
applications (such as SAP, Oracle E-Business Suite, or PeopleSoft), native
audit mechanisms have no awareness of specific user identities. In this case,
all user activity is associated with the Web application account name.
Therefore, when native audit logs reveal fraudulent database transactions,
there is no link to the responsible user.
Performance Degradation - Native database audit mechanisms are notorious
for consuming CPU and disk resources. The performance decline
experienced when audit features are enabled forces many organizations to
scale back or altogether eliminate auditing.
Separation of Duties - Users with administrative access to the database server
(either legitimately or maliciously obtained; see Privilege Elevation) can
simply turn off auditing to hide fraudulent activity. Audit duties should ideally
be separate from both database administrators and the database server
platform.
Limited Granularity - Many native audit mechanisms do not record the details
necessary to support attack detection, forensics and recovery. For example,
the database client application, source IP addresses, query response attributes,
and failed queries (an important attack reconnaissance indicator) are not
recorded by many native mechanisms.
Proprietary - Audit mechanisms are unique to each database server platform:
Oracle logs are different from MS-SQL logs, MS-SQL logs are different from
Sybase logs, etc. For organizations with mixed database environments, this
virtually eliminates implementation of uniform, scalable audit processes
across the enterprise.
Database software platforms typically integrate basic audit capabilities, but they suffer
from multiple weaknesses that limit or preclude deployment.
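The accountability gap above (every session logs in as the shared application account) has a native mitigation in Oracle: the application tags each pooled session with the authenticated end user, and the audit trail records that tag alongside the account name. The block below is an added example, not part of the proposal; it assumes Oracle traditional auditing with AUDIT_TRAIL set to DB (or DB,EXTENDED for the SQL_TEXT column), a shared account WEBAPP, an assumed table STUDENT.GRADES, and a hypothetical portal user name.

```sql
-- Added example (not from the proposal): surfacing end-user identity in
-- the native audit trail behind a shared application account.
-- Assumes traditional auditing (AUDIT_TRAIL=DB or DB,EXTENDED), shared
-- account WEBAPP and table STUDENT.GRADES; all names are assumed.

-- Application tier, at the start of each request, on the pooled
-- connection that is logged in as WEBAPP: tag the session with the
-- portal user who authenticated to the Web application (hypothetical).
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('portal_user:jdoe');
END;
/

-- The tag is visible to the session itself (useful in application tests).
SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS who FROM dual;

-- ... the application runs its statements here; each audited statement is
-- recorded with CLIENT_ID = 'portal_user:jdoe' ...

-- Before the connection goes back to the pool, clear the tag so the next
-- request cannot inherit another user's identity.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Security administrator, once: audit changes to the sensitive table, one
-- row per statement, so the trail is actually populated.
AUDIT UPDATE, DELETE ON student.grades BY ACCESS;

-- Security team review: grade changes attributed to the portal user, not
-- only to the WEBAPP account. SQL_TEXT is filled only with DB,EXTENDED.
SELECT timestamp, username, client_id, userhost, action_name, returncode, sql_text
FROM   dba_audit_trail
WHERE  owner = 'STUDENT'
AND    obj_name = 'GRADES'
AND    action_name IN ('UPDATE', 'DELETE')
ORDER  BY timestamp DESC;
```

The tag is only as trustworthy as the application that sets it, so the review query should be read together with USERHOST and USERNAME: a grade change whose CLIENT_ID is empty, or whose host is not an application server, is exactly the "alternative client" case described under Legitimate Privilege Abuse.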

Denial of Service
Denial of Service (DOS) is a general attack category in which access to network
applications or data is denied to intended users. Denial of service (DOS) conditions
may be created via many techniques - many of which are related to previously
mentioned vulnerabilities. For example, DOS may be achieved by taking advantage
of a database platform vulnerability to crash a server. Other common DOS
techniques include data corruption, network flooding, and server resource overload
(memory, CPU, etc.). Resource overload is particularly common in database
environments.

The motivations behind DOS are similarly diverse. DOS attacks are often linked to
extortion scams in which a remote attacker will repeatedly crash servers until the
victim deposits funds to an international bank account. Alternatively, DOS may be
traced to a worm infection. Whatever the source, DOS represents a serious threat for
many organizations.

Database Communications Protocol Vulnerabilities


A growing number of security vulnerabilities are being identified in the database
communication protocols of all database vendors. Four out of seven security fixes in
the two most recent IBM DB2 FixPacks address protocol vulnerabilities. Similarly,
11 out of 23 database vulnerabilities fixed in the most recent Oracle quarterly patch
relate to protocols. Fraudulent activity targeting these vulnerabilities can range from
unauthorized data access, to data corruption, to denial of service. The SQL
Slammer worm, for example, took advantage of a flaw in the Microsoft SQL Server
protocol to force denial of service. To make matters worse, no record of these fraud
vectors will exist in the native audit trail, since protocol operations are not covered by
native database audit mechanisms.

Weak Authentication
Weak authentication schemes allow attackers to assume the identity of legitimate
database users by stealing or otherwise obtaining login credentials. An attacker may
employ any number of strategies to obtain credentials.
Brute Force - The attacker repeatedly enters username/password combinations
until he finds one that works. The brute force process may involve simple guesswork
or systematic enumeration of all possible username/password combinations. Often
an attacker will use automated programs to accelerate the brute force process.
Social Engineering - A scheme in which the attacker takes advantage of the natural
human tendency to trust in order to convince others to provide their login credentials.
For example, an attacker may present himself via phone as an IT manager and
request login credentials for system maintenance purposes.
Direct Credential Theft - An attacker may steal login credentials by copying post-it
notes, password files, etc.

Backup Data Exposure


Backup database storage media are often completely unprotected from attack. As a
result, several high profile security breaches have involved theft of database backup
tapes and hard disks.

Lost Laptops and Careless Employees


Of major concern to many IT security experts is the increasing portability of
laptops and storage devices. This increases the chances of these portable
computing and storage devices being stolen, not only for their resale value but for
the information contained within. This problem is apparently compounded by the
seeming lack of security awareness among many employees, a reality that many
CIOs are beginning to focus on and attempt to correct through lectures, training
and even sanctions.
The concern over security extends to employees and their internet-based social
networks. Some experts point out that prior to the explosion of internet-based
social networks, most employees operated within a small and tight circle of
friends usually within the same company or industry. However, with the ease of
communication and interaction within a social network, the chances of
compromise from outsiders have increased.

Weak Information Protection Policies


IT security experts have also expressed increasing concern over identity thefts,
especially with regard to companies who routinely require employee social
security numbers as part of their hiring and recordkeeping policies.
While most companies limit physical access to employee records (especially
social security numbers), many companies still have vulnerabilities in terms of
systems and procedures in handling these.

For example, a survey indicated that many companies do not purge data when
the company's computers are reassigned or disposed of; others do not even
install passwords on employee computers; still more do not encrypt personal
information when it is transmitted over the Internet or the company
networks.

b). International Trends to Mitigate Security Threats


Several IT outsourcers entered or increased their presence in the maturing
managed security service provider market in North America. In addition to firewall
and intrusion detection/prevention monitoring and management, security log
management became a nearly universal offering.

What You Need to Know


Enterprises are engaging managed security service providers (MSSPs) to
meet security monitoring and device management requirements for several
reasons:

Gartner defines "MSS" as the remote management or monitoring of IT security
information, assets and processes where the delivery of those services is via remote
security operations centers, not through personnel on site. MSS does not, therefore,
include any consulting or development and integration services that may be included
in a security outsourcing engagement.
MSSs include:
Monitored or managed firewalls or IPSs
Monitored or managed IDSs
DDoS protection
Managed e-mail antivirus/anti-spam services
Managed gateway antivirus services
Security information management
Security event management
Managed vulnerability scanning of networks, servers or applications
Security vulnerability or threat-notification services
Managed log analysis
Reporting associated with monitored/managed devices and incident response
All of the listed services are delivered via CPE or ISP central-office equipment

Policy Draft
This section describes aspects of security policy, and includes the following topics:
System Security Policy

This policy must cover aspects of system security policy, including the following:
a) Database User Management
b) User Authentication
c) Operating System Security

Data Security Policy


Data security includes the mechanisms that control the access to and use of the
database at the object level. Fine-grained access control can also limit data
access to a more granular level. Your data security policy determines which
users have access to a specific schema object, and the specific types of actions
allowed for each user on the object. For example, user SCOTT can issue
SELECT and INSERT statements but not DELETE statements using the EMP
table. Your data security policy should also define the actions, if any, that are
audited for each schema object.
Your data security policy will be determined primarily by the level of security you
wish to establish for the data in your database. For example, it may be
acceptable to have little data security in a database when you wish to allow any
user to create any schema object, or grant access privileges for their objects to
any other user of the system. Alternatively, it might be necessary for data
security to be very controlled when you wish to make a database or security
administrator the only person with the privileges to create objects and grant
access privileges for objects to roles and users.
Overall data security should be based on the sensitivity of data. If information is
not sensitive, then the data security policy can be more lax. However, if data is
sensitive, a security policy should be developed to maintain tight control over
access to objects.

User Security Policy

This policy must describe aspects of user security policy, and must include the
following topics/points:
a). General User Security
b). End-User Security
c). Administrator Security
d). Application Developer Security
e). Application Administrator Security
Password Management Policy

Database security systems depend on passwords being kept secret at all times.
Still, passwords are vulnerable to theft, forgery, and misuse. To allow for greater
control over database security, Oracle's password management policy is
controlled by DBAs.
This section describes the following aspects of Oracle password management:
a). Account Locking
b). Password Aging and Expiration

c). Password History
d). Password Complexity Verification
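The four password management points listed here map directly onto an Oracle profile, and the same profile is the database-side control against the brute force guessing described under Weak Authentication. The block is an added example and not the proposal's or Oracle's own policy; the profile name HEC_USERS, the function name, the numeric limits and the user SCOTT are assumed values to be set per HEC policy.

```sql
-- Added example (not from the proposal): an Oracle password profile that
-- implements account locking, password aging/expiration, password
-- history and complexity verification, and blunts online brute force.
-- Profile name, function name, limits and user SCOTT are assumed.

-- Complexity verification. Oracle requires the function to be owned by
-- SYS and to have exactly this signature; it returns TRUE or raises.
CREATE OR REPLACE FUNCTION hec_verify_password (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN
AS
BEGIN
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the user name');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
  END IF;
  -- old_password is NULL when an administrator resets the password.
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    RAISE_APPLICATION_ERROR(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

CREATE PROFILE hec_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- account locking: lock after 5 failures
  PASSWORD_LOCK_TIME       1/24       -- ... for one hour (fraction of a day)
  PASSWORD_LIFE_TIME       90         -- aging: password expires after 90 days
  PASSWORD_GRACE_TIME      7          -- ... with a 7-day grace period to change it
  PASSWORD_REUSE_TIME      365        -- history: no reuse within a year ...
  PASSWORD_REUSE_MAX       10         -- ... nor before 10 other passwords
  PASSWORD_VERIFY_FUNCTION hec_verify_password;

-- Apply the profile to the users it should govern.
ALTER USER scott PROFILE hec_users;

-- Verification: effective limits, and which governed accounts are locked
-- or expired right now (a sudden cluster of LOCKED(TIMED) rows is a
-- cheap brute-force indicator).
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'HEC_USERS' AND resource_type = 'PASSWORD';

SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  profile = 'HEC_USERS';
```

A timed lock rather than a permanent one is deliberate: a permanent lock lets anyone who can reach the login prompt deny service to a named account, which is the DoS theme of the next sections in a different guise.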

Auditing Policy
Security administrators should define a policy for the auditing procedures of each
database. You may, for example, decide to have database auditing disabled unless
questionable activities are suspected. When auditing is required, the security
administrator must decide at what level of detail to audit the database; usually, general
system auditing is followed by more specific types of auditing after the origins of
suspicious activity are determined.
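The "general first, specific later" sequence described here can be written down as audit statements so that it is repeatable rather than improvised under pressure. The block is an added example using Oracle traditional auditing, not the proposal's own policy; the shared account WEBAPP and the table STUDENT.GRADES are assumed names, and the statement-level choices pick up the Weak Audit Trail points made earlier (failed statements as a reconnaissance indicator, and auditing of the audit switch itself for separation of duties).

```sql
-- Added example (not from the proposal): a staged audit policy with Oracle
-- traditional auditing (AUDIT_TRAIL=DB). WEBAPP and STUDENT.GRADES are
-- assumed names.

-- Stage 1: general system auditing, always on.
AUDIT SESSION;              -- every logon/logoff, including failed logons
AUDIT SYSTEM GRANT;         -- grants/revokes of system privileges and roles
AUDIT ROLE;                 -- CREATE/ALTER/DROP/SET ROLE
AUDIT NOT EXISTS;           -- statements that fail on a non-existent object
                            -- (probing for table names leaves this trace)
AUDIT SYSTEM AUDIT;         -- AUDIT/NOAUDIT statements themselves, so
                            -- switching auditing off is itself recorded

-- Operations by SYS bypass the database audit trail; send them to the OS
-- audit destination instead (takes effect after a restart).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Stage 2: once suspicious activity points at an account or an object,
-- narrow the focus. One row per statement (BY ACCESS) keeps the detail
-- needed for forensics.
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE BY webapp BY ACCESS;
AUDIT ALL ON student.grades BY ACCESS;
AUDIT SELECT ON student.grades BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Verification of what is in force.
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY user_name, audit_option;

SELECT owner, object_name, sel, upd, del
FROM   dba_obj_audit_opts
WHERE  owner = 'STUDENT';

-- Review: failed actions in the last 24 hours. RETURNCODE is the Oracle
-- error number; 1017 is an invalid username/password (failed logon).
SELECT timestamp, username, os_username, userhost, action_name, obj_name, returncode
FROM   dba_audit_trail
WHERE  returncode <> 0
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;
```

Stage 2 statements are the ones that cost CPU and disk, which is why they are scoped to a user and an object rather than applied database-wide; Stage 1 is cheap enough to leave on permanently and is what answers "who did this?" after the fact.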

IT Policy Impacting the DB Security



Using Roles for End-User Privilege Management


Roles are the easiest way to grant and manage the common privileges needed by
different groups of database users.
Consider a situation where every user in the accounting department of a company
needs the privileges to run the ACCTS_RECEIVABLE and ACCTS_PAYABLE
database applications. Roles are associated with both applications, and contain the
object privileges necessary to execute those applications.
The following actions, performed by the database or security administrator, address
this simple security situation:
Create a role named ACCOUNTANT.
Grant the roles for the ACCTS_RECEIVABLE and ACCTS_PAYABLE database
applications to the ACCOUNTANT role.
Grant each user of the accounting department the ACCOUNTANT role.

This plan addresses the following potential situations:

If accountants subsequently need a role for a new database application, that
application's role can be granted to the ACCOUNTANT role, and all users in
the accounting department will automatically receive the privileges
associated with the new database application. The application's role does not
need to be granted to individual users requiring use of the application.
Similarly, if the accounting department no longer requires a
specific application, the application's role can be dropped from the
ACCOUNTANT role.
If the privileges required by the ACCTS_RECEIVABLE or ACCTS_PAYABLE
applications change, the new privileges can be granted to, or revoked from,
the application's role. The security domain of the ACCOUNTANT role, and of all
users granted the ACCOUNTANT role, automatically reflects the privilege
modification.
Each user requires only one role.

When possible, use roles in all possible situations to make end-user privilege
management efficient and simple.
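The role plan above, together with the SCOTT/EMP object-privilege example from the Data Security Policy section, as working Oracle SQL. This is an added example and not the proposal's own code; the application schemas AR and AP, their tables, the users ALICE and BOB, and the HR.EMP table are assumed names.

```sql
-- Added example (not from the proposal): the ACCOUNTANT role plan plus the
-- SCOTT/EMP object grant from the Data Security Policy section. Schemas
-- AR, AP, HR, their tables and users ALICE/BOB are assumed names.

-- Object-level policy: SCOTT may read and add rows in HR.EMP but not
-- delete them. Privileges are additive, so DELETE is simply not granted.
GRANT SELECT, INSERT ON hr.emp TO scott;

-- Application roles: one per application, holding only the object
-- privileges that application needs.
CREATE ROLE acct_receivable_app;
GRANT SELECT, INSERT, UPDATE ON ar.invoices  TO acct_receivable_app;
GRANT SELECT                 ON ar.customers TO acct_receivable_app;

CREATE ROLE acct_payable_app;
GRANT SELECT, INSERT, UPDATE ON ap.bills     TO acct_payable_app;
GRANT SELECT                 ON ap.vendors   TO acct_payable_app;

-- Job role: groups the application roles. Users receive this one role.
CREATE ROLE accountant;
GRANT acct_receivable_app, acct_payable_app TO accountant;
GRANT accountant TO alice, bob;

-- Later changes ripple to every accountant automatically:
--   new application      -> GRANT new_app_role TO accountant;
--   application retired  -> REVOKE acct_payable_app FROM accountant;
--   privilege change     -> GRANT DELETE ON ar.invoices TO acct_receivable_app;

-- Verification: everything ALICE can do on tables, walking nested roles
-- (recursive subquery factoring, Oracle 11g Release 2 and later) and
-- adding any direct grants she holds.
WITH roles (role_name) AS (
  SELECT granted_role
  FROM   dba_role_privs
  WHERE  grantee = 'ALICE'
  UNION ALL
  SELECT rp.granted_role
  FROM   dba_role_privs rp
  JOIN   roles r ON rp.grantee = r.role_name
)
SELECT tp.owner, tp.table_name, tp.privilege, tp.grantee AS via_role
FROM   dba_tab_privs tp
JOIN   roles r ON tp.grantee = r.role_name
UNION
SELECT owner, table_name, privilege, CAST(NULL AS VARCHAR2(128))
FROM   dba_tab_privs
WHERE  grantee = 'ALICE'
ORDER  BY 1, 2, 3;
```

Rows whose via_role column is empty are direct grants; in a role-based scheme those should be rare, and each one is a candidate to be moved into the appropriate application role.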


2. Appliances to Enforce DB Security

Understanding of HEC Goals for DB Security


Higher Education Commission (HEC) intends to evaluate, select and implement a
database monitoring tool (or set of tools) as the standard solution across the bank,
with the capability to:

Monitor, log, report and review database high-privileged accounts and
activities (DBAs, developers, etc.) to meet their compliance requirements with
internal audit; and for the purpose of

Achieving a separation of duties between high-privileged users and security
personnel tasked with reviewing the activities of high-privileged users.

Monitoring and controlling access to databases is a critical component of information
security risk strategies because it forms the last line of defence for enterprise
data, typically one of the most sensitive and valuable corporate assets. This has
become even more challenging in recent years as a result of the increasing demands of
regulations like Sarbanes-Oxley (SOX), the Payment Card Industry Data Security
Standard (PCI-DSS), HIPAA, and the Gramm-Leach-Bliley Act (GLBA).
Furthermore, as advancements in technology enable increasingly sophisticated
means to misuse private data, privacy regulations and laws have evolved in order to
protect private information. Higher Education Commission is bound to protect private
data by these regulations and laws and equally, to ensure the trust of its
students/customers and employees. In order to protect sensitive data and to reduce
the risk of inadvertent or intentional exposure of that data, Higher Education
Commission has embarked on a project to implement a means to obfuscate
production information when needed.
Part of this initiative also includes the goal to reduce the overall amount of
information that is distributed throughout the organization, and provide limited,
need-to-know-only access to that data, further limiting the potential liability as well as
lowering the overall costs associated with the development process.
The proposed IBM solution leverages our extensive understanding of the financial
services industry, the business processes that are core to that industry and the
tooling required to build a robust database monitoring solution across the enterprise.
IBM's commitment to Higher Education Commission is to leverage the extensive
partnership we have developed in working together, and provide robust tooling to
meet Higher Education Commission's business process modelling requirements as
both a standalone solution and within the context of the overall lifecycle.


a). First Step: Perimeter Security to Secure Applications


Segmentation of DMZs with all Network Segments

Proposed Design and Implementation


As a basic rule of thumb, three different types of network must be segmented:
1). External
2). Internal
3). DMZ
All servers in the DMZ must have a different network IP scheme, and all internal users
must access servers in the DMZ farm through the firewall and its policies. Only
specific services must be allowed on specific IPs from sources to destinations, and with
application defenses. Firewalls here must understand application proxies and all
applications, and must provide reporting and dashboard information in the form of an
application prism. The diagram above illustrates this concept.


b). Denial of Service Threat on Applications


A Denial-of-Service (DoS) attack is a malicious attempt to render a service, system,
or network unusable by its legitimate users.
To achieve that goal, attackers usually try one of the following:
Crash or disable the target service or system.
Disrupt or prevent normal users from accessing the target.
Saturate essential (often limited) resources on the target.
In a Distributed Denial-of-Service (DDoS) attack, attackers take advantage of many
hosts across the Internet, which they have previously compromised, to launch a
brute-force attack that starves the target of its essential resources.

How to Counter DDoS/DoS Attacks with Technology

We are referring here to technology, not a product. Our methodology is simple: we
will work with technology that counters DoS/DDoS with:

1). Traffic Threshold
2). Source IP Reputation Filtering with a Global Database of IP Reputation
3). Signatures

Traffic Threshold
The threshold method provides administrators with a way to trigger alerts if a
preconfigured traffic volume threshold is exceeded.
The key to successfully using thresholds is to have an understanding of the normal
traffic levels on the network. In most cases, an external device such as a sniffer is
used to baseline the network, and the initial levels are set according to that data.


Once a baseline has been established, the administrator can enable the relevant
thresholds and configure each with values that make sense for the particular
network. In Figure Threshold Mode, an alert will be sent if a Sensor sees 1000 or
more TCP SYN packets within a 1 second interval.
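The baseline-then-threshold procedure above, expressed as detection logic over a packet-event table such as a log store fed by the sensor might hold. This is an added example, not part of the proposal or of any sensor product; the SYN_EVENTS table, its rows and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed here so the queries run stand-alone, and the threshold is lowered from the text's 1000 to 3 only so that the handful of constructed rows trips it.

```sql
-- Added example (not from the proposal): Threshold Mode as SQL over a
-- constructed SYN event table. Addresses and rows are made up; the
-- threshold of 3 stands in for the text's 1000 only because the sample
-- is tiny.
CREATE TABLE syn_events (
  ts       TIMESTAMP    NOT NULL,   -- capture time of the SYN packet
  src_ip   VARCHAR2(45) NOT NULL,
  dst_ip   VARCHAR2(45) NOT NULL,
  dst_port NUMBER(5)    NOT NULL
);

-- Constructed sample: one quiet second, then a burst toward port 443
-- from several sources (the distributed case).
INSERT INTO syn_events VALUES (TIMESTAMP '2024-01-01 10:00:00.100', '198.51.100.7',  '203.0.113.10', 443);
INSERT INTO syn_events VALUES (TIMESTAMP '2024-01-01 10:00:01.050', '198.51.100.21', '203.0.113.10', 443);
INSERT INTO syn_events VALUES (TIMESTAMP '2024-01-01 10:00:01.120', '198.51.100.22', '203.0.113.10', 443);
INSERT INTO syn_events VALUES (TIMESTAMP '2024-01-01 10:00:01.300', '198.51.100.23', '203.0.113.10', 443);
INSERT INTO syn_events VALUES (TIMESTAMP '2024-01-01 10:00:01.810', '198.51.100.24', '203.0.113.10', 443);
INSERT INTO syn_events VALUES (TIMESTAMP '2024-01-01 10:00:02.400', '198.51.100.7',  '203.0.113.10', 443);
COMMIT;

-- Baselining step: SYN count per destination per 1-second bucket.
-- CAST(ts AS DATE) drops the fractional seconds, which buckets the rows.
-- Run this over a normal period to see what "normal" looks like before
-- choosing the threshold (the text does this with a sniffer).
SELECT CAST(ts AS DATE) AS second_bucket, dst_ip, dst_port, COUNT(*) AS syn_count
FROM   syn_events
GROUP  BY CAST(ts AS DATE), dst_ip, dst_port
ORDER  BY second_bucket;

-- Threshold Mode: alert on any bucket at or above the configured count.
-- DISTINCT source count separates one noisy client from a distributed
-- attack, and is what a reputation filter would act on next.
SELECT CAST(ts AS DATE)        AS second_bucket,
       dst_ip,
       dst_port,
       COUNT(*)                AS syn_count,
       COUNT(DISTINCT src_ip)  AS distinct_sources
FROM   syn_events
GROUP  BY CAST(ts AS DATE), dst_ip, dst_port
HAVING COUNT(*) >= 3
ORDER  BY second_bucket;
```

In a sensor the same comparison runs on a sliding one-second window in memory; the SQL form is what the SOC uses afterwards, against the log store, to confirm an alert and to re-derive the baseline when the threshold needs tuning.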

Network Reputation to Counter DoS/DDoS

Blended threats and attacks are not limited to just web and email, although these
are the primary mechanisms today. Many zombie-infected machines are not only
used to host malware or participate in global spam campaigns; they are also used for
distributed denial-of-service (DDoS) attacks or even application attacks like SQL
injection attacks against public-facing web applications linking to backend databases.
Theoretically, these machines could be programmed to perform any attack on
corporate infrastructure, like voice over IP (VoIP), for example. McAfee
TrustedSource collects threat intelligence data globally from thousands of deployed
network security sensors such as McAfee Firewall Enterprise.
TrustedSource gathers valuable threat intelligence about any IP host, regardless of
the application connection being used. It is the first and only global reputation system
to provide network reputation in addition to web and email.


As a sensor, Firewall Enterprise analyzes network activity and sends intelligence
information about connections back to McAfee Labs for further
investigation. This network reputation feedback is unique in the industry and provides
industry-leading, broad-scale global threat intelligence.
Here's how firewall and network administrators benefit from TrustedSource:
Increased effectiveness - By verifying IP host reputations on inbound connections
to public-facing servers and applications, many zero-day attacks can be blocked, as
they are often distributed by known malicious hosts and zombie machines. By
ensuring that users connect only to trustworthy hosts and sites, organizations
prevent users from infecting machines or compromising company confidential data.
Because TrustedSource also collects geographical information about IP hosts,
Firewall Enterprise administrators can create customized policies based not only on
the trustworthiness of a host but also on its geo-location. This helps reduce risk and
allows, for example, only local markets to connect to local web services.
Reduced bandwidth consumption - By identifying and blocking known bad senders,
TrustedSource reduces the intake of messages into the network by up to 80 percent.
This is critical in handling the constantly increasing load of mail.


c). DB Security - IBM Guardium


Solution Summary
Database Monitoring
IBM Guardium 8.0 is a proven solution consisting of system software and optional
hardware that helps organizations secure their enterprise data and easily pass their
audits.
The world's largest organizations have standardized on this technology to provide
visibility and reduced costs around audit tasks. Upon installation and connection to
the network, IBM Guardium 8.0 immediately begins monitoring and capturing
valuable information about the who, what, when, where and how of activity between
users and relational databases.
To better understand the components of the IT environment, Guardium's auto
discovery capability builds an interactive, real-time graphical map of the infrastructure
configuration, including database and network connections. By focusing on activity
monitoring, auditing and database security, Guardium 8.0 can help enable companies
to become compliant with regulations such as Sarbanes-Oxley, PCI, Basel II and Data
Privacy.
Proposed Design and Implementation
IBM recommends leveraging best-practice methodologies to define a comprehensive
database logging and monitoring strategy and policy regarding access to sensitive
data and changes to databases by privileged users.
IBM recommends a federated system approach where many individual nodes
comprise one logical, federated system. This allows corporate policy to be unified
across diverse geographies yet allows for individual privacy laws, etc. (as in
Switzerland) to personalize policies and reports for line-of-business use. Adherence
to these policies needs to be ensured by monitoring and auditing, in real time, all
attempts by privileged users to update, delete, insert, or view important data and
database structures. All production databases should be considered in scope for
logging and monitoring high privileged accounts, based on a categorization of risk.
The classification/definition of risk can be assessed by the IBM solution to provide a
list of classified assets and focus implementation tasks on the most critical assets
first.
Real-time reporting of activities will be implemented based on industry best
practices and regulatory requirements. Over time, database logging and monitoring
will be able to establish patterns and provide risk-based real-time blocking of
privileged account activities using S-TAP Terminate and S-GATE.
The initial design will start with monitoring and reporting on Highly Privileged Users.
Industry guidelines suggest that database administrators' (DBAs) and system
administrators' activity should be monitored. Both internal and external auditors
require proof that no one has altered data inappropriately, either accidentally or
maliciously, in a way that could jeopardize the integrity of data stored in databases, or
exposed sensitive data to this group inadvertently in the process of doing their jobs.
Database Activity Monitoring technology that focuses on the "who" becomes the
foundation of a strong global strategy. Secondly, we will review and suggest specific,
selective objects to be monitored. As visibility increases into the activities of highly
privileged users, the next step is to start identifying and classifying database objects,
grouping them into categories such as financial data, HR data, and sensitive customer
data. By selectively applying controls to these groups of sensitive data, risk can be
mitigated. Moving from reporting on these events to preventative controls (like
blocking a DBA from seeing sensitive financial data outside of an application) further
increases the effectiveness of a monitoring solution.
Lastly, as an option, certain situations may call for comprehensive (or "full") auditing
where both inbound SQL requests and outbound result sets are logged. Moving to a
full audit scenario, where the who, what, when, where, and how of database access
and usage is monitored, audited and reported on, can provide further insight into
business processes, suggest optimization of the database infrastructure and monitor
patterns of DB activity both through applications and independently by DBAs and
SysAdmins. Entitlement reports, change-control reconciliation, and further
adherence to evolving industry regulations are possible when all data is monitored,
analyzed, and reported to other systems as well as to IT/business personnel.
Both statistical and real-time alerts will be implemented. A statistical alert is
triggered by a query that looks back over a specified time period to determine if the
query condition has been satisfied (for example, alerting when, over the course of a
week, a privileged user has extracted many records from the same table). These
are important because a sophisticated attacker may not try to extract 100,000
records all at once (thus triggering a real-time alert) but rather access 10 records at a
time over a very long period. Statistical alerts allow us to define any condition
over long periods of time through which patterns and behaviours can be identified.
A real-time alert is triggered by a security policy rule as database traffic is being
analyzed in real time (for example, an attempt to extract credit card information by an
unauthorized application). Each alert should be able to utilize any combination of the
following four notification mechanisms: an SMTP (outgoing e-mail) server, an SNMP
(network information and control) server, Syslog, and a custom handler (a user-written
handler that can invoke functions that may already exist as part of the infrastructure).
All of this forensics-quality audit data will be retained for a period of 90 days online
within the IBM solution.
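To make the difference between the two alert types concrete, here is an added example written for this page (it is not Guardium code and not part of the proposal): a plain-Python re-creation of a per-query real-time rule next to a seven-day look-back rule, both run over a constructed audit trail. The user names, table names, row thresholds and the 7-day window are assumptions chosen for the illustration; the point is that the daily 10-row reads never trip the real-time rule but do cross the look-back threshold, while reads spaced ten days apart cross neither.

```python
"""Real-time versus statistical (look-back) alerting over database audit records.

Added example, not IBM Guardium code and not from the proposal. All names,
thresholds and the audit records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_USERS = {"dba_ali", "dba_sara", "dba_omar"}   # assumed DBA accounts
REALTIME_ROW_THRESHOLD = 10_000   # one result set this large alerts immediately
LOOKBACK = timedelta(days=7)      # statistical rule looks back one week
LOOKBACK_ROW_THRESHOLD = 50       # cumulative rows per (user, table) inside LOOKBACK


def constructed_audit_records():
    """Constructed audit trail: (timestamp, user, verb, table, rows_returned)."""
    base = datetime(2011, 3, 1, 9, 0)
    recs = []
    # dba_ali reads 10 student rows every day: small per query, large in aggregate.
    for day in range(14):
        recs.append((base + timedelta(days=day), "dba_ali", "SELECT", "STUDENT_RECORDS", 10))
    # dba_omar reads 10 rows only every 10 days: never 50 rows inside any 7-day window.
    for day in range(0, 60, 10):
        recs.append((base + timedelta(days=day), "dba_omar", "SELECT", "STUDENT_RECORDS", 10))
    # dba_sara bulk-exports the table in a single query: the real-time rule catches this.
    recs.append((base + timedelta(days=3, hours=2), "dba_sara", "SELECT", "STUDENT_RECORDS", 25_000))
    # A routine small read of a configuration table should alert under neither rule.
    recs.append((base + timedelta(days=4), "dba_sara", "SELECT", "SYS_CONFIG", 3))
    return recs


def realtime_alerts(records):
    """Per-query rule, evaluated on each statement as the traffic is seen."""
    return [
        {"user": user, "table": table, "rows": rows, "at": ts}
        for ts, user, verb, table, rows in records
        if verb == "SELECT" and user in PRIVILEGED_USERS and rows >= REALTIME_ROW_THRESHOLD
    ]


def statistical_alerts(records, window=LOOKBACK, threshold=LOOKBACK_ROW_THRESHOLD):
    """Look-back rule: sum rows per (user, table) over a sliding time window."""
    per_key = defaultdict(list)
    for ts, user, verb, table, rows in sorted(records):
        if verb == "SELECT" and user in PRIVILEGED_USERS:
            per_key[(user, table)].append((ts, rows))
    alerts = []
    for (user, table), hits in per_key.items():
        start, total = 0, 0
        for ts, rows in hits:
            total += rows
            while hits[start][0] < ts - window:   # drop hits that fell out of the window
                total -= hits[start][1]
                start += 1
            if total >= threshold:
                alerts.append({"user": user, "table": table, "rows_in_window": total,
                               "window_start": hits[start][0], "window_end": ts})
                break   # one alert per (user, table) per evaluation is enough
    return alerts
```

Run against the constructed records, the real-time rule reports only dba_sara's 25,000-row export, while the look-back rule additionally reports dba_ali after five days of 10-row reads and stays silent for dba_omar, whose reads never accumulate 50 rows inside any seven-day window.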

Benefits of the Guardium Managed Services


Partnering with IBM for Guardium software and implementation, Higher Education
Commission will achieve the following:

- Deliver an ROI with a short payback period
- Proven success: the Guardium solution is proven, with realized cost savings across
  several organizations of similar size to Higher Education Commission
- Visibility & Simplification: detailed insight into database usage and out-of-the-box
  reports for compliance and auditors; automation of the entire compliance workflow
- Real-time auditing: addressing business requirements to inform decision-makers of
  changes made to the database and who is making those changes
- Eliminates risk and exposure: blocks in real time unauthorized or suspicious actions
  by privileged users as well as attacks from rogue users or outsiders
- Enables the organization to provide a consistent and scalable solution to secure and
  protect data across the enterprise, especially in non-production/development
  environments
- Higher Education Commission is a Key Account: a successful, long-running
  partnership

Implementation plan for Guardium

This is a sample of the test plan for the Guardium implementation in HEC.

Step 1: Pre-Implementation Tasks

1.1  Compile database inventory
     Responsible Party: Business Analyst & Implementation Team Leader

1.2  Develop technical design diagram - schematic indicating location of the appliances,
     connections between database servers and appliances, etc.
     Responsible Party: Implementation Team Leader

1.3  Provide above documents to Guardium for review and approval
     Responsible Party: Project Manager

1.4  Develop functional specification defining:
     - Guardium application users
     - Backup, archive and purge requirements
     - Reports
     - Policies
     - Audit processes
     - Alerts
     Responsible Party: Business Analyst

1.5  Develop test plan
     Responsible Party: Implementation Team Leader

1.6  Submit/raise necessary paperwork for installation of software on the database
     servers
     Responsible Party: Project Manager

1.7  Submit/raise necessary paperwork for installation of patches on Guardium
     appliances
     Responsible Party: Project Manager

1.8  Document and assign responsibilities for the installation and operation of Guardium
     software to the members of the implementation team
     Responsible Party: Project Manager

1.9  Estimate professional services time needed and arrange required support with
     Guardium
     Responsible Party: Project Manager

1.10 Develop and publish implementation schedule
     Responsible Party: Project Manager

1.11 Schedule team meetings
     Responsible Party: Project Manager

1.12 Document acceptance criteria
     Responsible Party: Project Manager & Project Sponsor

1.13 Complete tests in non-production environment
     Responsible Party: Implementation Team Leader

Step 2: Configure Production Environment

2.1  Discuss any customization (i.e. installation of additional network cards) done to the
     Guardium appliance with the professional services consultant. Be prepared to
     install additional patches to accommodate changes
     Responsible Party: Guardium Administrator & Guardium Consultant

2.2  Secure disk space needed for backup and archiving
     Responsible Party: Guardium Administrator & Storage Administrator

2.3  Configure appliance
     Responsible Party: Guardium Administrator, Network Administrator & Database Administrator

2.4  Verify patch level on the appliance. Install patches if needed
     Responsible Party: Guardium Administrator & Guardium Consultant

2.5  Verify network connectivity between appliances and database servers. Adjust
     firewall rules if needed
     Responsible Party: Guardium Administrator & Network Administrator

2.6  Notify members of the extended team (OS administrators, network engineers,
     application owners, database administrators, development teams, etc.) that their
     time will be needed to verify installation
     Responsible Party: Project Manager

2.7  Download latest version of the S-TAP software from the Guardium FTP site
     Responsible Party: Guardium Administrator & System Administrator

2.8  Document S-TAP configuration parameters and installation procedures
     Responsible Party: Guardium Administrator

2.9  Install S-TAP
     Responsible Party: System Administrator

2.10 Configure inspection engines
     Responsible Party: Guardium Administrator & Database Administrator

2.11 Install "Ignore All" policy on appliance
     Responsible Party: Guardium Administrator

2.12 Build/import components of Guardium application:
     - Groups
     - Reports
     - Policies
     - Audit processes
     Responsible Party: Guardium Administrator

Step 3: Test Plan

3.1  Verify traffic collection
     Responsible Party: Guardium Administrator & Database Administrator

3.2  Observe traffic volume. Adjust alert thresholds and times for backup, archive and
     aggregation to coincide with the time of low traffic volume
     Responsible Party: Guardium Administrator

3.3  Observe performance of the database server
     Responsible Party: System Administrator

3.4  Incorporate Guardium warning and error messages into the overall monitoring of
     the database server process
     Responsible Party: System Administrator

3.5  Verify that SNMP traps and polls deliver correct information. Incorporate monitoring
     of Guardium appliances into overall infrastructure monitoring
     Responsible Party: Guardium Administrator, Network Administrator & Guardium Consultant

3.6  Assess data and verify assumptions used to build a policy. For example, if you were
     planning to filter traffic based on the name of the application executable and the
     captured data is not specific enough, this rule will have to be replaced
     Responsible Party: Guardium Administrator, Business Analyst & Application Development Team

3.7  Adjust content and re-install groups and policies
     Responsible Party: Guardium Administrator

3.8  Work with the database/application administrator to generate traffic for each rule
     defined in the policy
     Responsible Party: Guardium Administrator, Database Administrator & Application Development Team

3.9  Generate conditions for all defined alerts and verify responses
     Responsible Party: Guardium Administrator, Network Administrator & System Administrator

3.10 Confirm proper distribution of audit processes
     Responsible Party: Guardium Administrator

3.11 Check backup, archive, and purge processes. Note disk space used for backup
     outside the Guardium appliance and adjust disk space estimates accordingly
     Responsible Party: Guardium Administrator & Storage Administrator

3.12 Perform backup/recovery test using backup from the production appliance and
     restoring data into the development environment. Document steps.
     Responsible Party: Guardium Administrator & Guardium Consultant

3.13 Restore subset of data onto development environment. Document steps.
     Responsible Party: Guardium Administrator & Guardium Consultant

Step 4: Ongoing Support and Maintenance

4.1  Define organizational structure to support monitoring and auditing of the
     databases
     Responsible Party: Project Manager & Project Sponsor

4.2  Define roles, responsibilities and steps for daily review of audit processes,
     including audit reports and appliance health check reports
     Responsible Party: Security Team, Guardium Administrator

4.3  Document process flows for:
     4.3.1  Policy rule changes
     4.3.2  User provisioning
     4.3.3  Alert response (P1 through P4)
     4.3.4  Suspected breach response
     4.3.5  Event reconciliation
     4.3.6  Guardium hardware malfunction
     4.3.7  Guardium software patching and upgrade
     4.3.8  Expanding/decreasing number of monitored databases
     4.3.9  Temporary termination of the database monitoring
     4.3.10 Audit preparation
     Responsible Party: Business Analyst & Security Team

Our Resource Skill Set for DB Security Managed Services

To deploy IBM Guardium on HEC premises, we require the skill set below from HEC,
and our own skill set will be provided as per the chart below.

Deliverable | Resource Type | Source | Skill Set | Quantity
Information gathering for deployment | Project Manager | Consultant/CommTel | Min 5 years experience, CISSP, CCNA and CCSP, must be IT graduate |
Deployment Team | Engineers | Consultant/CommTel | Minimum 5 similar deployments, must be IT graduate |
Network team | Engineers | Internal IT/HEC | Internal |
Database Admins | Engineer | Internal IT/HEC | Internal | Depends on how many DB admins HEC has and DB server type
Support/Monitoring team | Engineer | Consultant/CommTel | Minimum 3 years of experience and 2 deployments |

6). Forensic Analysis - ArcSight

a). Central Log Management


ArcSight provides a three-tiered architectural approach to enterprise scalability to
meet the demands of its customers with large, heterogeneous networks. The three
tiers in the complete ArcSight Security Suite are called the Integration Layer, the Core
Engine Layer and the Module Layer.

PERN & HEC Review for Log Management

CommTel has reviewed the technical details that PERN provided and, with the
specific details regarding event sources and business drivers, along with the
assumptions listed below, has developed a solution proposal for SIEM monitoring.

PERN Solution Assumptions and Facts

CommTel has developed the following solution proposal with the following
assumptions and facts as they pertain to PERN:

- PERN has a distributed Wide-Area Network (WAN) servicing 3 regions
  within Pakistan, primarily known as Khi, Lhr & Isb (Karachi, Lahore and Islamabad)
- Each region is connected to the others via POP routers
- Each university in every region is connected to the POP and in turn to the
  other regions
- So the flow of traffic is University -> POP router -> Regional router
- PERN has a mandate to centralize and monitor all of their network device
  logs from all these different regions
- The scope of deployment of a SIEM solution would require PERN to monitor
  118 Huawei routers, 2 Cisco ASA, 4 Microsoft Active Directory servers, 8
  Microsoft Exchange servers, 2 Cisco 4500 core switches, ISA and Squid
  proxy servers
- ArcSight was not provided any details on the number of proxy servers such
  as ISA and Squid and has assumed a count of 10 for each
- Since web servers and databases are applications running on servers,
  ArcSight assumes the device count for these applications has already been
  represented by the server counts
- ArcSight was not provided with any event rates or log volumes and has made
  the following assumptions around the Events Per Second (EPS) rate for the
  four categories of devices:
  o 118 Routers = 59 eps average
  o 2 Cisco ASA = 60 eps average
  o 4 MS Active Directory = 32 eps average
  o 8 MS Exchange servers = 64 eps average
  o 2 Cisco 4500 core switches = 48 eps average
  o 10 ISA proxy servers = 140 eps average
  o 10 Squid proxy servers = 140 eps average
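As an added worked example (not from the proposal and not ArcSight sizing guidance), the figures above can be checked and turned into planning numbers: read as category totals, the seven averages sum to 543 EPS, the average figure the architecture diagram quotes, and from that the retention achievable on the Logger and the WAN bandwidth between a university and its POP follow. The 42TB Logger capacity, the 10:1 connector compression, the 12-month log retention requirement and the 2500 peak EPS are taken from this proposal; the 500-byte average event size is an assumption made here, and the functions are this example's own.

```python
"""Capacity planning from the EPS assumptions listed for PERN.

Added example, not from the proposal or from ArcSight. Each figure is treated as
the total for its category; BYTES_PER_EVENT is an assumption for illustration.
"""

# (device count, assumed average EPS for the whole category), as listed above
EPS_ASSUMPTIONS = {
    "Huawei routers": (118, 59),
    "Cisco ASA": (2, 60),
    "MS Active Directory": (4, 32),
    "MS Exchange": (8, 64),
    "Cisco 4500 core switches": (2, 48),
    "ISA proxy": (10, 140),
    "Squid proxy": (10, 140),
}

BYTES_PER_EVENT = 500        # assumption: average normalized event size in bytes
COMPRESSION_RATIO = 10       # 10:1 compression at the SmartConnector, as stated in the proposal
LOGGER_CAPACITY_TB = 42      # effective online storage quoted for the Logger appliance
RETENTION_DAYS = 365         # 12 months, the continuity requirement stated in the proposal
PEAK_EPS = 2500              # peak figure shown in the architecture diagram

SECONDS_PER_DAY = 86_400
TB = 10**12


def total_average_eps(assumptions=EPS_ASSUMPTIONS):
    """Sum of the per-category averages (expected to equal the diagram's 543)."""
    return sum(eps for _count, eps in assumptions.values())


def per_device_eps(assumptions=EPS_ASSUMPTIONS):
    """Average EPS per device in each category, rounded to two decimals."""
    return {name: round(eps / count, 2) for name, (count, eps) in assumptions.items()}


def daily_volume_bytes(eps, bytes_per_event=BYTES_PER_EVENT):
    """Uncompressed bytes generated per day at a sustained event rate."""
    return eps * SECONDS_PER_DAY * bytes_per_event


def storage_needed_tb(eps, days=RETENTION_DAYS, bytes_per_event=BYTES_PER_EVENT,
                      compression=COMPRESSION_RATIO):
    """Compressed on-disk storage for `days` of retention, in TB."""
    return daily_volume_bytes(eps, bytes_per_event) * days / compression / TB


def retention_days_possible(capacity_tb=LOGGER_CAPACITY_TB, eps=None, **kw):
    """Whole days of retention the given capacity supports at `eps`."""
    eps = total_average_eps() if eps is None else eps
    per_day_tb = storage_needed_tb(eps, days=1, **kw)
    return int(capacity_tb / per_day_tb)


def wan_mbit_per_s(eps, bytes_per_event=BYTES_PER_EVENT, compression=COMPRESSION_RATIO):
    """Link bandwidth needed to forward compressed events at `eps`, in Mbit/s."""
    return eps * bytes_per_event * 8 / compression / 1e6


def sizing_report():
    """One-shot summary a reviewer can compare against the diagram's figures."""
    avg = total_average_eps()
    return {
        "average_eps": avg,
        "storage_12_months_tb": round(storage_needed_tb(avg), 2),
        "fits_logger": storage_needed_tb(avg) <= LOGGER_CAPACITY_TB,
        "retention_days_in_logger": retention_days_possible(),
        "wan_mbit_at_average": round(wan_mbit_per_s(avg), 3),
        "wan_mbit_at_peak": round(wan_mbit_per_s(PEAK_EPS), 1),
    }
```

Under the 500-byte assumption, 543 EPS is roughly 23 GB of raw events per day, under 1 TB per year after 10:1 compression, so 12 months fits comfortably within the 42TB Logger; the same inputs put the university-to-POP link at about 1 Mbit/s at the 2500 EPS peak. Doubling the event size doubles every figure, so the assumption should be replaced with a measured average once collection starts.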


ArcSight Proposed Solution Diagram

[Figure: ArcSight PERN Logical Architecture. Labels recoverable from the diagram:
Primary Data Center - ArcSight Console (SOC Tier 2); ArcSight Web (SOC Tier 1) with
Dashboards, Reports, Notifications and Workflow (Module Layer); IdentityView Solution;
152 Event Sources; 543 EPS Average, 2500 Peak EPS. Core-Engine Layer - ArcSight
Express M7200-X. Integration Layer - Regional Level Loggers (L3200) and Connector
Servers (C3000) at University Level in Regions 1, 2 and 3, fed by Event Sources.
Legend: Unencrypted Event Data; Encrypted SSL Connection.]

NOTE: The Collection Tier will accept or pull (depending on the event source) events
from log sources using the Connector Servers at the regional sites. Events will then be
stored in Storage Groups on Logger and a subset of the collected data will then be
sent to ESM in the Management Tier for correlation, alerting, incident handling and
identity monitoring.

PERN Solution Benefits

1. The SmartConnectors that are installed at the University level would
   normalize and categorize the logs and send them over to the Core Engine Layer
2. The logs are also compressed at the University level using 10:1
   compression, thus saving bandwidth between the University level and
   the POP
3. In the event of a connectivity failure between the SmartConnector and
   the Logger appliance, the SmartConnectors would detect this automatically,
   as they share a heartbeat with the Logger appliance. Also, the
   SmartConnectors can cache the logs while the link is down and, once
   connectivity is restored, forward the cached logs to the Logger appliance
4. SmartConnectors can provide batching, wherein certain logs can be sent
   over to the Logger only at a desired time
5. SmartConnectors provide aggregation and filtering, thus eliminating network
   noise and aggregating similar events into one with a count associated with it,
   reducing the actual EPS on the network
6. The Logger appliance provides fast searching capabilities on the logs that are
   captured.
7. The Logger appliance provides extensive reporting capabilities.
8. The effective online storage on the Logger appliance is 42TB, thus PERN
   would not need to invest in any other storage solutions
9. The ArcSight Express solution provides real-time correlation capabilities to
   detect any network-related issue in real time
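The connector behaviours in items 1, 3 and 5 above, re-created as an added example in plain Python (this is not ArcSight SmartConnector code and not from the proposal): raw lines are normalized into named fields, keepalive noise is filtered, identical events are collapsed into one record with a count, and the resulting batch is held in a local cache while the Logger stand-in reports its link down, then delivered once the link is back. The line format, event names, hosts, addresses and the Logger interface are all constructed for the illustration.

```python
"""Normalize, filter, aggregate and cache events the way a collector does.

Added example, not ArcSight code and not from the proposal. The raw line
format, event names and the Logger stand-in below are constructed.
"""
import re
from collections import OrderedDict

# Constructed raw line format: "<ts> <host> <EVENT> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
NOISE_EVENTS = {"KEEPALIVE"}   # filtered before any bandwidth is spent on them

SAMPLE_LINES = [  # constructed raw lines as a University-level collector might see them
    "2011-03-01T10:00:01 pop-rtr1 FW_DENY src=10.9.8.7 dst=172.16.1.10",
    "2011-03-01T10:00:01 pop-rtr1 KEEPALIVE src=10.9.8.7 dst=172.16.1.1",
    "2011-03-01T10:00:02 pop-rtr1 FW_DENY src=10.9.8.7 dst=172.16.1.10",
    "2011-03-01T10:00:02 pop-rtr1 FW_DENY src=10.9.8.7 dst=172.16.1.10",
    "2011-03-01T10:00:03 pop-rtr1 FW_DENY src=10.9.8.7 dst=172.16.1.10",
    "2011-03-01T10:00:03 pop-rtr1 FW_DENY src=10.9.8.8 dst=172.16.1.10",
    "2011-03-01T10:00:04 pop-rtr1 FW_DENY src=10.9.8.7 dst=172.16.1.10",
    "2011-03-01T10:00:05 pop-rtr1 KEEPALIVE src=10.9.8.7 dst=172.16.1.1",
    "2011-03-01T10:00:05 pop-rtr1 FW_DENY src=10.9.8.7 dst=172.16.1.10",
    "this line does not parse",
]


class LoggerUnreachable(Exception):
    """Raised by the Logger stand-in when the heartbeat says the link is down."""


class FakeLogger:
    """Stand-in for the Logger appliance: accepts batches only while the link is up."""
    def __init__(self):
        self.link_up = True
        self.received = []

    def send(self, batch):
        if not self.link_up:
            raise LoggerUnreachable("no heartbeat from Logger")
        self.received.extend(batch)


def normalize(line):
    """Parse one raw line into named fields; None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


class SmartConnectorSim:
    """Collector stand-in: normalize -> filter -> aggregate -> cache -> forward."""
    def __init__(self):
        self.cache = []            # aggregated events not yet acknowledged by the Logger
        self.raw_count = 0         # raw lines seen
        self.dropped = 0           # noise or unparseable lines
        self.aggregated_count = 0  # events produced after aggregation

    def ingest(self, lines):
        """Normalize, filter and aggregate one batch of raw lines into the cache."""
        agg = OrderedDict()
        for line in lines:
            self.raw_count += 1
            ev = normalize(line)
            if ev is None or ev["event"] in NOISE_EVENTS:
                self.dropped += 1
                continue
            key = (ev["host"], ev["event"], ev["src"], ev["dst"])
            if key in agg:                       # same event again: bump the count
                agg[key]["count"] += 1
                agg[key]["last_ts"] = ev["ts"]
            else:
                agg[key] = {"host": ev["host"], "event": ev["event"], "src": ev["src"],
                            "dst": ev["dst"], "first_ts": ev["ts"], "last_ts": ev["ts"],
                            "count": 1}
        self.aggregated_count += len(agg)
        self.cache.extend(agg.values())

    def flush(self, logger):
        """Try to deliver the cache; keep it intact if the Logger is unreachable."""
        if not self.cache:
            return True
        try:
            logger.send(list(self.cache))
        except LoggerUnreachable:
            return False                         # retry on the next heartbeat
        self.cache.clear()
        return True

    def reduction_ratio(self):
        """Raw lines per forwarded event: the EPS saving that filtering and aggregation buy."""
        return self.raw_count / self.aggregated_count if self.aggregated_count else None


def run_demo():
    """Ingest the sample, fail one flush with the link down, succeed after it returns."""
    connector, logger = SmartConnectorSim(), FakeLogger()
    connector.ingest(SAMPLE_LINES)
    logger.link_up = False
    first = connector.flush(logger)      # link down: cache is retained
    logger.link_up = True
    second = connector.flush(logger)     # link back: cache delivered and cleared
    return connector, logger, first, second
```

Ten raw lines become two forwarded records (a 5:1 reduction on the university-to-POP link before compression is even applied), and nothing is lost across the simulated outage because the cache is cleared only after the Logger accepts the batch. A real collector also bounds the cache size on disk; that limit decides how long an outage can last before events are dropped, and is worth setting explicitly per site.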

Entire InfoSec Reporting

[Figure: Operating System Dashboard]

[Figure: Firewall Connection report]

[Figure: SOC Dashboard]

[Figure: Firewall Dashboard]

7). Defining Key Performance Indicators


Defining parameters to evaluate the performance of the entire setup.
Key Performance Indicators include:

- Service Level Management
- Capacity of Resource Management
- Ability/Skill Management
- Operational Continuity Management
- Security Incidents Management
- Configuration Change Management
- Critical Reports

Service Level Management

Fulfilment of the service level: whether the service is onsite or telephonic support, it
should be fulfilled according to the service level agreed with HEC. The number of
service issues also needs to be handled as per the SLA; service issues in service
provision are identified and addressed in an improvement plan.

Capacity of Resource Management

Monitor incidents/security issues which were not taken care of due to resource
unavailability for any reason, then manage the capacity and availability of resources,
adjusting service and component capacity when resource availability becomes a
bottleneck.

Ability/Skill Management

The Data Center Security Services & Deployment team skills matrix should be as follows:

McAfee Security Firewall

To deploy the firewall in the HEC Data Center we will provide resources with the
expertise and experience below for deployment and monitoring/services.
Deliverable | Resource Type | Source | Skill Set | Quantity
Information gathering for deployment | Project Manager | Consultant/CommTel | Min 5 years experience, CISSP, CCNA and CCSP, must be IT graduate |
Deployment Team | Engineers | Consultant/CommTel | Minimum 5 similar deployments, must be IT graduate |
Network team | Engineers | Internal IT/HEC | Internal |
Server Admins | Engineer | Internal IT/HEC | Internal | Depends on quantity and type of servers behind DMZ
Support/monitoring team | Engineer | Consultant/CommTel | Minimum 3 years of experience and 5 deployments in specific field |

Skills required for Database Security Solution services deployment

To deploy the DB Security Solution on HEC premises, we require the skill set below from
HEC, and our own skill set will be provided as per the chart below.

Deliverable | Resource Type | Source | Skill Set | Quantity
Information gathering for deployment | Project Manager | Consultant/CommTel | Min 5 years experience, CISSP, CCNA and CCSP, must be IT graduate |
Deployment Team | Engineers | Consultant/CommTel | Minimum 5 similar deployments, must be IT graduate |
Network team | Engineers | Internal IT/HEC | Internal |
Database Admins | Engineer | Internal IT/HEC | Internal | Depends on how many DB admins HEC has and DB server type
Support/Monitoring team | Engineer | Consultant/CommTel | Minimum 3 years of experience and 2 deployments |

Skills required for Security Testing for HTTP Applications

Penetration testing requires experience and expertise; below are the resources
required and provided for these tasks.

Deliverable | Resource Type | Source | Skill Set | Quantity
Project Methodology Presentation | Project Manager | Consultant/CommTel | Min 10 years experience, CISSP, CCNA, CCSP and CEH, must hold an IT Security PhD |
Support Team | Engineers | Consultant/CommTel | Minimum 5 similar deployments, must be IT graduate with CISSP and CEH | Depends on scope
Network team | Engineers | Internal IT/HEC | Internal | Depends
Server Admins | Engineer | Internal IT/HEC | Internal | Depends how many web servers and admins

Skill set required for Intrusion Detection and Prevention Solution

Skill set provided and required to deploy IPS/IDS in the network for intrusion
prevention and detection.

Deliverable | Resource Type | Source | Skill Set | Quantity
Information gathering for deployment | Project Manager | Consultant/CommTel | Min 5 years experience, CISSP, CCNA and CCSP, must be IT graduate |
Deployment Team | Engineers | Consultant/CommTel | Minimum 5 similar deployments, must be IT graduate |
Network team | Engineers | Internal IT/HEC | Internal |
Server Admins | Engineer | Internal IT/HEC | Internal | Depends on quantity and type of servers behind DMZ
Support/Monitoring | Engineer | Consultant/CommTel | Minimum 3 years of experience and 3 deployments |

Skill Set required for SIEM Solution

Skill set provided and required to deploy the SOC Monitoring Solution in the network of
PERN and HEC.

Deliverable | Resource Type | Source | Skill Set | Quantity
Information gathering for deployment | Project Manager | Consultant/CommTel | Min 5 years experience, CISSP and CCIE R&S, ISO 27001 certified |
Deployment Team | Engineers | Consultant/CommTel | Minimum 5 similar deployments, must be IT graduate with 5 years of experience in industry |
Network team | Engineers | Internal IT/HEC | Internal |
Server Admins | Engineer | Internal IT/HEC | Internal | All application servers and network devices
Support/Monitoring | Engineer | Consultant/CommTel | Minimum 3 years of experience and 3 deployments |

Operations Continuity Management

This means no downtime when any of the network devices which are part of the managed
services fails.
1). If the inline IPS fails, it must have a fail-safe feature to avoid any downtime. VMware is
the secondary option for backup.
2). If the firewall is down, the firewall must be placed in an HA cluster, primary/standby or peer
to peer.
3). Log management of the overall network and network devices for at least 12 months; if the
correlation and log management device fails, there should be a mechanism for
collection of logs and backup availability in no time.
4). Back-up availability of the DB solution in case of failure.
5). Availability of resources responsible for managing each specific device.
6). 24/7 support in case of resource unavailability, through telephonic support or
onsite support.
7). No operational downtime due to any security device's false positives or
malfunctioning.

Security Incidents Management

An incident is a set of one or more security events or conditions that requires action
and closure in order to maintain an acceptable risk profile. In the haystack of events,
we must find the "needles" that are the security incidents. Events are isolated and
disconnected, but incidents add the context that enables security administrators to
gain understanding and take action.

1. SCOPE: the number of systems affected (via SIEM)
2. IMPACT: the degree to which each system is affected in terms of
   confidentiality, integrity and availability (SIEM + IPS Reporter)
3. BUSINESS CRITICALITY: the importance of the incident based on the
   business value of the impacted systems relative to other systems (SIEM
   Compliance Reporting and alerts)
4. PRIORITY: the urgency of the required response relative to other incidents
   (automated prioritization through SIEM)

Sample Report for Incidents Management

[Figure: sample incident management report]

Configuration Change Management

This is change management of network devices, not project change management. The
managed services project must be capable of monitoring configuration changes in each and
every network device, including firewalls and routers. The process is simple: send syslogs to
our SIEM solution and monitor reports like the following.

[Figure: configuration change report]
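The detection behind such a report, as an added example written for this page (not ArcSight content and not from the proposal): configuration-change messages are picked out of a syslog stream by device-family patterns, and each change is then checked against an approved maintenance window so that changes made outside it stand out. The sample lines are constructed; their message bodies are modelled on Cisco IOS (%SYS-5-CONFIG_I) and Cisco ASA (%ASA-5-111008) formats, the host names and users are invented, and the 22:00 to 06:00 window is an assumption. The Huawei routers that make up most of the PERN estate would need their own pattern added.

```python
"""Pull configuration-change events out of syslog and flag those outside the window.

Added example, not from the proposal or from ArcSight. Sample lines are
constructed; the maintenance window is an assumption for the illustration.
"""
import re
from datetime import datetime

# Constructed transport format: "<ISO timestamp> <host> <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Message-body patterns modelled on Cisco IOS and Cisco ASA config-change messages.
CHANGE_PATTERNS = {
    "ios_config_mode": re.compile(
        r"%SYS-5-CONFIG_I: Configured from (?P<via>\S+) by (?P<user>\S+)"),
    "asa_command": re.compile(
        r"%ASA-5-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command"),
}

MAINTENANCE_WINDOW = (22, 6)   # assumption: changes are approved between 22:00 and 06:00

SAMPLE_SYSLOG = [  # constructed
    "2011-03-05T23:10:00 isb-pop-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
    "2011-03-05T23:11:30 isb-pop-rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "2011-03-06T11:42:10 hec-asa1 %ASA-5-111008: User 'zara' executed the 'access-list outside_in line 1 permit tcp any host 172.16.1.10 eq 443' command.",
    "2011-03-06T02:00:05 hec-asa1 %ASA-5-111008: User 'netops' executed the 'write memory' command.",
]


def parse_config_changes(lines):
    """Return one record per line that matches a known config-change pattern."""
    changes = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for kind, pattern in CHANGE_PATTERNS.items():
            cm = pattern.search(m["msg"])
            if cm:
                fields = cm.groupdict()
                changes.append({
                    "ts": datetime.fromisoformat(m["ts"]),
                    "host": m["host"],
                    "kind": kind,
                    "user": fields["user"],
                    # the command for ASA, the access path (console/vty) for IOS
                    "detail": fields.get("cmd") or fields.get("via"),
                })
                break   # first matching pattern wins; the link-state message matches none
    return changes


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True if the hour of `ts` falls inside the window; handles windows that cross midnight."""
    start, end = window
    h = ts.hour
    if start > end:
        return h >= start or h < end
    return start <= h < end


def changes_outside_window(changes, window=MAINTENANCE_WINDOW):
    """The rows a change-management report should raise for review."""
    return [c for c in changes if not in_window(c["ts"], window)]
```

Of the four sample lines, three are configuration changes and one is link-state noise; only the daytime access-list change on the ASA falls outside the assumed window and would appear on the exception report. In a SIEM the same two steps map onto a parser per device family and a rule that compares the event time with the change calendar.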

Critical Reports
I love one-page management reports which summarise the entire business. Ideally
each critical success factor would have one key performance indicator. Unfortunately
this isn't always possible. Some critical success factors are complicated and have
multiple dimensions of performance, or a clear cause and effect which you need to
understand.

Which of our SOC reports/alerts will help you the most?

ArcSight Regulatory Compliance Violation Reports/Alerts
The ISO compliance package must be running. In the snapshot below we can see that one
compliance policy is violated and we got an alert in the SOC monitoring solution. Let's see
a couple of reports.

So, it was a former employee's account attempt. This account, named 'mhedberg', was
disabled and someone enabled it for some transactions.

From here our job is not yet finished; we must investigate the target user and
see what transactions have been performed with this user.

After some investigation, the picture is in front of you. User 'Zara' enabled and
disabled this account after some transactions.

That was a sample of compliance monitoring; now let's take a look at some other types of
reports.
Attacks Monitoring on Firewalls & IPS in one dashboard.
The snapshot below indicates intrusion attacks coming from outside the network. The report
shows the source country as well.
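The 'mhedberg' walkthrough above, as an added detection example written for this page (not an ArcSight rule and not from the proposal): a disabled-then-enabled sequence on one account is treated as an incident, everything the account does while enabled is attached to it, and the re-disable closes it with the actor's name, giving the investigator the whole picture in one record. The event stream is constructed in the style of Windows security events (4725 account disabled, 4722 account enabled, 4624 logon); the 'mhedberg' and 'Zara' names come from the walkthrough, the remaining names, times and addresses are invented, and the field names are this example's own.

```python
"""Flag a disabled account being re-enabled and used, and collect what it did.

Added example, not ArcSight content and not from the proposal. Events are
constructed in the style of Windows security log records; field names are
chosen here.
"""

DISABLED, ENABLED, LOGON = 4725, 4722, 4624   # Windows security event ids

# Constructed event stream in time order: "target" is the account acted on,
# "subject" is who performed the action.
SAMPLE_EVENTS = [
    {"ts": "2011-03-10T08:00", "id": DISABLED, "target": "mhedberg", "subject": "hr_admin"},
    {"ts": "2011-03-20T22:05", "id": ENABLED, "target": "mhedberg", "subject": "Zara"},
    {"ts": "2011-03-20T22:07", "id": LOGON, "target": "mhedberg", "subject": "mhedberg", "src": "10.1.2.3"},
    {"ts": "2011-03-20T22:15", "id": LOGON, "target": "mhedberg", "subject": "mhedberg", "src": "10.1.2.3"},
    {"ts": "2011-03-20T22:40", "id": DISABLED, "target": "mhedberg", "subject": "Zara"},
    # Normal provisioning: an account enabled that was never disabled -> no incident.
    {"ts": "2011-03-21T09:00", "id": ENABLED, "target": "newhire", "subject": "hr_admin"},
    {"ts": "2011-03-21T09:05", "id": LOGON, "target": "newhire", "subject": "newhire", "src": "10.1.2.9"},
]


def reenabled_account_incidents(events):
    """One incident per disabled account that is enabled again, with its activity."""
    disabled_since = {}   # account -> timestamp of its most recent disable
    open_incidents = {}   # account -> incident still being assembled
    incidents = []
    for ev in events:
        acct = ev["target"]
        if ev["id"] == DISABLED:
            if acct in open_incidents:            # the re-disable closes the incident
                inc = open_incidents.pop(acct)
                inc["redisabled_at"] = ev["ts"]
                inc["redisabled_by"] = ev["subject"]
                incidents.append(inc)
            disabled_since[acct] = ev["ts"]       # any later enable is suspicious again
        elif ev["id"] == ENABLED:
            if acct in disabled_since:            # enable of a never-disabled account is normal
                open_incidents[acct] = {
                    "account": acct,
                    "disabled_at": disabled_since.pop(acct),
                    "enabled_at": ev["ts"],
                    "enabled_by": ev["subject"],
                    "activity": [],
                    "redisabled_at": None,
                    "redisabled_by": None,
                }
        elif acct in open_incidents:              # anything else the account does meanwhile
            open_incidents[acct]["activity"].append((ev["ts"], ev["id"], ev.get("src")))
    incidents.extend(open_incidents.values())     # still enabled: report as open
    return incidents
```

On the sample stream the rule produces exactly one incident: 'mhedberg', enabled by 'Zara', two logons from the same address, re-disabled by 'Zara' 35 minutes later; the 'newhire' enable is ignored because the account had never been disabled. Cutting the stream before the re-disable yields the same incident still open, which is the state in which an analyst would want to be paged.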

[Figure: Virus activity report - detail of activity, from where the virus was spreading to which IPs]

[Figure: Worm Spread Overview]

Critical DB Activity Monitoring Reports

[Figure: Server Accessed Reports]

[Figure: One User One IP Reports]

[Figure: Detailed Session Reports]

[Figure: Error Reports]

8). Responsibility Matrix


This Responsibility Matrix describes the responsibilities that will be included in the HEC
Agreement with CommTel and identifies which party must perform them. The responsibilities
described in this Responsibility Matrix are not exhaustive, and they are in addition to the
other terms and conditions in the HEC Agreement with CommTel. Each party shall perform the
responsibilities assigned to it in the applicable sections of this Responsibility Matrix.

Facilities                                                                       CommTel   HEC
Provide power, backup power, HVAC, 24x7 physical security, video surveillance,
biometrics and fire suppression
Provide Internet access
Maintain insurance for colocated equipment, if any

Provisioning                                                                     CommTel   HEC
Ensure that the configuration of security appliances, as specified, is                      X
sufficient to meet HEC's needs, including performance
Build the configuration of firewalls, IPS, SOC monitoring and DB security
solutions
Provide HEC with the use of the configuration
Execute upgrades or modifications to the configuration as directed by HEC
Comply with CommTel technical policies regarding the deprecation of hardware
and/or software
For every eligible application, maintain redundant hardware of equal
specifications for all constituent servers and devices

Monitoring and Response                                                          CommTel   HEC
Monitor the availability of servers and devices 24x7x365
Replace defective hardware (where it is part of the managed service) within
4 business hours of diagnosis by CommTel
Before going live, set up health-check tests, in conjunction with CommTel, to
determine application health and availability
Monitor application health and availability pursuant to HEC's written
instructions
Before going live, provide a detailed written description of all monitoring,
alerting, notification and response procedures
Implement emergency failover procedures that are developed by HEC and provided
to CommTel in writing, upon the occurrence of a detected failure
Provide up-to-date contact information via CommTel for contact authorization,
monitoring, alerting and response procedures, including an up-to-date contact
distribution list with specific response and escalation instructions for
complex contact protocols involving numerous parties
Notify CommTel and other non-CommTel authorized contacts of any maintenance
that may result in application unavailability or system alerts

Security and Patching                                                            CommTel   HEC
Apply critical security updates (e.g. patches addressing vulnerabilities that
allow remote root or Administrator exploits) through announced emergency
maintenance
Apply quarterly critical security patches through planned maintenance with
24 hours' notice
Manage firewalls and implement access changes as requested in writing by an
authorized client contact
Maintain and follow security procedures as specified                                X       X
Follow generally accepted security practices for the administration of
Hosting Equipment

Administration and Support                                                       CommTel   HEC
Provide 24x7x365 Network Security Operations Center support via telephone,
Web, e-mail and on site
Provide emergency (i.e. application down) support 24x7x365
Provide systems, network and security administration, which includes:
(1) operating system and AV maintenance and upgrading, where part of the
managed service; (2) responding to trouble tickets and alerts; (3) routine
administration and maintenance of network security devices; (4) database
security administration to ensure high availability; (5) replacing failed
Hosting Equipment; and (6) maintaining a CommTel client portal
Request off-peak, non-emergency maintenance 48 hours in advance
Develop, maintain and support all client applications and content, including
tuning of the services upon which a client application depends (e.g. Apache)
Maintain the compatibility of all HEC applications and content with the O/S
version and version upgrades

Backup and Restoration                                                           CommTel   HEC
Schedule a weekly backup of HEC security reports for data recovery
Copy and/or move data off site on a weekly basis
Initiate a restoration request within 4 hours of receipt
Manually re-attempt backups within 24 hours of receiving a backup failure alert
Maintain sufficient committed backup storage space for a minimum of 2 restore
points per server
Determine backup storage requirements on a per-server basis, based on the
days of retention required
Notify CommTel of all changes to a server that may affect backups, e.g. a
change in partitions
Configure custom backups for data contained in files held open by the
operating system, including database files

Security                                                                         CommTel   HEC
Follow generally accepted practices for network security and server
administration
Apply critical security updates for applications and operating systems on
virtual machines

Infrastructure and Support                                                       CommTel   HEC
Execute upgrades and maintenance for all security devices on HEC premises
Provide 24x7x365 availability of security appliances, excluding maintenance
windows
Monitor compute node and storage layer health
Notify clients of maintenance that may result in unavailability of the
infrastructure or of a cloud device on a specific compute node
Confirm that high-availability failovers execute properly in the event of
isolated compute node failures
Provide online support through the CommTel Cloud Services website, including
documentation and forums

Onsite Implementation
The CommTel Approach to Information Security:
In order to streamline security and help meet your information security needs,
CommTel has developed a five-step methodology covering the complete security
management lifecycle, including phases for Assessment, Design, Deployment,
Management and Education. This process identifies and analyzes gaps between the
current security state and industry standards and best practices, designs and
implements solutions to close those gaps and ensures that the gaps remain closed.
Whether performed by HEC, by CommTel, or a combination of the two, these steps
are critical to the over-all success of the project.

Phase 1: Assessing the current level of information security


This phase systematically identifies and baselines network devices and resources. It
assigns values to data groups on the network. This results in a clear understanding
of the gaps between the current network security state and industry standards,
regulations, best practices, and HEC's desired security level. From the assessment
results, CommTel can design an effective security policy and infrastructure for HEC.

Phase 2: Designing policies, processes and solutions to ensure


protection
This phase converts the assessment data into lists of network security applications,
deployment locations, implementation strategies and specific configuration guidelines
for each network device or security application. At the completion of this stage, a final
security policy and topology document exists, accompanied by a deployment plan for
all necessary technologies.

Phase 3: Deploying protection technologies and services


This is the process of implementing the plans and deploying the technologies
detailed in the design phase. It includes installation, testing, training and the
cut-over to the production environment. At this stage policies may run in simulation
mode only, and it may take a while before the HEC technical team has verified that
they are ready to be switched to real protection mode.

47

Managed Services Proposal for Threat Mitigationat M ervices Propohreat


Mitigation Services Proposal

Phase 4: Managing the security program to serve business goals


This involves measuring performance data from the network security infrastructure
against the goals stated in the security policy. Non-compliant systems and events
trigger specific actions, as stated in the policy, including re-evaluating the policy and
restarting the policy generation process.

Phase 5: Educating the organization on security best practices and


superior technologies
This phase is an ongoing effort to raise awareness of the need for network security at
the executive, management, administrator and end-user levels. Education is woven
into all other steps, and includes both continuing training for administrators on
emerging threats to their systems, and awareness among end users of the security
diligence expected of them.

Project Scope, Phases & Deliverables


Project Initiation
This task requires a collaborative effort between appropriate HEC staff members and
the CommTel team. This approach promotes knowledge sharing between HEC and
CommTel team members that will not only facilitate the information-gathering phases
of this engagement, but also allow HEC staff to learn from CommTel security
professionals. This implementation engagement will last 30-45 business days from
start to sign-off and submission of deliverables.
At the commencement of this engagement, a planning meeting will be held with the
CommTel Project Manager, the CommTel team assigned to this project, and the HEC
technical and business stakeholders. The purpose of this planning session is to
define a detailed strategic project plan to ensure that expectations, timelines and
deliverables are appropriately managed. This plan will identify the phases of the
engagement and the tasks to be completed, so that both CommTel and HEC understand
the expectations of the engagement.
During this phase, which will last one or two days, we will commence the deployment
services with a kickoff meeting in which we will define the following (but not limited to):

Project Manager, CommTel side


Project Manager, HEC side
CommTel technical team
Exact Deployment timeline according to the below phases
Defining the policy trends that will be implemented through the deployed
products
Education courses attendees and timing
Testing and Guarantee Methodology

HEC Pre-deployment Pre-requisites

Before CommTel or its subcontractor can mobilize resources for a university site
deployment, a set of pre-deployment pre-requisites and deliverables must be provided by
the university staff to CommTel or its subcontractor, to confirm that the required
resources and tools are available and that the environment is ready for the security
firewall deployment. The university staff must confirm the availability of the following
pre-requisites before any deployment; otherwise the deployment will not be scheduled and
will not take place until the requirements are confirmed in writing.

Site Pre-requisites:
Surrounding topology is up: the customer must confirm that the surrounding network
devices have been deployed and are up and running, including but not limited to
the following:
Internet Router
Firewall/UTM
Internal Switches
Internet access: the customer must confirm that internet access is available, stable
and operational. It will be used to update the installed components and to retrieve
the required licenses. If internet access is unavailable for any reason, the customer
must notify the CommTel team or its subcontractor so that the necessary measures can
be taken.
Hardware server for the management application: the server must be available and
meet the specification given in the minimum-requirements document.
Dedicated technical personnel: this person will act as the facilitator for the
deployment crew in case they need any further help with the requirements.

HEC Pre-deployment Deliverables

a. Current network topology and statistics: the customer will be requested to
provide the most up-to-date network diagram, so that it can be used to determine
the factors involved in the deployment and to confirm the best suggested security
solution using the available security products; together with a summary of the
number of computer nodes/users, internal servers, published services, bandwidth
used and the DMZ structure.
b. Protected assets: the customer will be requested to provide a list of the assets
that need to be protected, ordered by criticality, so that CommTel personnel can
design the policy that delivers the maximum security for the critical assets.
c. Network protocols/services in use: the customer will be requested to provide a
list of all the protocols expected to pass inbound/outbound through the network
and their assigned ports, as well as all the services that are running and
provided within the network (e.g. mail, web portals, SQL servers). This will be
used in designing the firewall/IPS policies for the best optimized performance.
d. Suggested network auditing activities: the customer will be requested to provide
the network activities that need to be inspected. This helps the security and
network administrators enforce the security policy and reach a higher level of
optimization of network usage. Examples of audited network activities are FTP
usage, password management, IM activity, P2P activity, e-mail subjects and
attachments, etc.
e. Allocated network/hardware resources: the customer will be requested to provide
the hardware specifications of the machines allocated to the security products, as
well as the network configuration schema for the products, according to the needs
stated by CommTel personnel.
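Deliverables (b) and (c) feed the design phase directly: the asset list ordered by
criticality and the list of published services are what the firewall/IPS policy is built
from. The Python below is an added illustration, not CommTel's tooling and not HEC's real
inventory: it takes a constructed asset list and a constructed list of published services
in that shape and produces a first-pass, default-deny rule set in a hypothetical
vendor-neutral format, together with the design-review findings a reviewer would want
raised (an Internet-facing service on a non-DMZ host, or on a top-criticality asset)
before the policy leaves simulation mode.

```python
"""Added example: first-pass firewall/IPS policy from the pre-deployment deliverables.

The asset and service inventories below are constructed for the demonstration,
and the rule dictionaries use a hypothetical vendor-neutral format; neither is
CommTel's or any vendor's real format.
"""

# Deliverable (b): protected assets, ordered by criticality (1 = most critical).
ASSETS = [
    {"name": "hec-db-01",   "ip": "10.10.5.10", "zone": "internal", "criticality": 1},
    {"name": "hec-portal",  "ip": "10.10.1.20", "zone": "dmz",      "criticality": 2},
    {"name": "hec-mail",    "ip": "10.10.1.25", "zone": "dmz",      "criticality": 2},
    {"name": "hec-fileshr", "ip": "10.10.5.40", "zone": "internal", "criticality": 3},
]

# Deliverable (c): services published to the Internet (service, host, protocol, port).
PUBLISHED_SERVICES = [
    {"service": "web portal",   "host": "hec-portal", "proto": "tcp", "port": 443},
    {"service": "inbound mail", "host": "hec-mail",   "proto": "tcp", "port": 25},
    {"service": "sql",          "host": "hec-db-01",  "proto": "tcp", "port": 1433},
]


def build_policy(assets, services):
    """Return (rules, findings).

    rules: ordered list of rule dicts, most critical asset first, ending in an
           explicit logged deny-all (default deny).
    findings: design-review issues the inventory exposes: a published service on
              a host outside the DMZ, or one that exposes a criticality-1 asset.
    Raises ValueError if a service references a host missing from the asset list,
    because a rule cannot be written for an asset nobody has classified.
    """
    by_name = {a["name"]: a for a in assets}
    unknown = [s["host"] for s in services if s["host"] not in by_name]
    if unknown:
        raise ValueError(f"published services reference unclassified hosts: {unknown}")

    rules, findings = [], []
    for svc in sorted(services, key=lambda s: by_name[s["host"]]["criticality"]):
        asset = by_name[svc["host"]]
        if asset["zone"] != "dmz":
            findings.append(f"{svc['service']} on {asset['name']} is published from zone "
                            f"'{asset['zone']}', not the DMZ: move it or terminate it on a DMZ proxy")
        if asset["criticality"] == 1:
            findings.append(f"{svc['service']} exposes top-criticality asset {asset['name']} to the Internet")
        rules.append({
            "action": "allow", "src": "any", "dst": asset["ip"],
            "proto": svc["proto"], "dport": svc["port"],
            # IPS inspection is switched on for everything reaching a criticality 1-2 asset.
            "ips": asset["criticality"] <= 2,
            "log": True,
            "comment": f"{svc['service']} -> {asset['name']}",
        })
    # Anything not explicitly allowed is dropped and logged (the 'error'/denied traffic
    # the SOC reports are built from).
    rules.append({"action": "deny", "src": "any", "dst": "any", "proto": "any",
                  "dport": "any", "ips": False, "log": True, "comment": "default deny"})
    return rules, findings


def render(rules):
    """Render the rules one per line for the policy and topology document."""
    lines = []
    for i, r in enumerate(rules, 1):
        lines.append(f"{i:02d} {r['action']:<5} {r['src']:>3} -> {r['dst']:<12} "
                     f"{r['proto']}/{r['dport']}  ips={'on' if r['ips'] else 'off'}  "
                     f"log={'on' if r['log'] else 'off'}  # {r['comment']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules, findings = build_policy(ASSETS, PUBLISHED_SERVICES)
    print(render(rules))
    for f in findings:
        print("REVIEW:", f)
```

Rules are ordered by asset criticality so that the most sensitive destinations are
matched first, and the final deny-all is logged rather than silent; the findings list is
what goes back to the customer under deliverable (b) before the policy is finalized.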
IPS Post-deployment Deliverables

Deployment Report
After completion of the deployment technical tasks, the CommTel team will begin
documentation in order to deliver all the required technical and administrative
details of the project to the customer. The CommTel team will provide the customer
with the following documentation:
Deployment Technical Report: this report will include all the technical details
addressed in the deployment, including but not limited to:
1. Reviewed network design including the new security components, with
technical explanation
2. Software configuration for all products, including schema, usernames,
passwords and permissions (credentials should be handed over separately through
an access-controlled channel rather than embedded in the circulated report)
3. Specific management tool settings such as e-mail distribution policy, central
responses, SNMP rules, update scheduling, etc.
4. Hardware cabling guide for the installed appliances
5. The general final policy applied on all products; any exception will be
briefly mentioned
6. Extracted events and reports generated over the period of the deployment and
during the policy fine-tuning phase

Product Documentation and Guidelines


After the completion of the deployment technical tasks, CommTel team will provide
HEC with a complete set of product documentation and user guides that would
facilitate HEC running their own solution in the future.

Client Responsibilities
During the course of the project it is important for the satisfactory conclusion of the
work that HEC undertakes certain responsibilities to:

Carry out a backup of the most critical systems, to protect against the unlikely
event of an unintended system failure or disruption.
Ensure that all appropriate personnel within HEC are informed of the nature and
timing of the work to be undertaken, on a need-to-know basis, to avoid
undesirable disruptions or delays to CommTel or HEC.
Make available a client representative with deep technical knowledge of the
environment being protected, who will be present with the CommTel team.
Inform CommTel of the available downtime windows, which are ideally suited to
carrying out some of the more sensitive probes.
Answer any CommTel queries in a timely fashion.
CommTel will require access to key staff to undertake this service. This may
include the Chief Security Officer, Chief Information Officer and network
administrators. Please ensure key staff are available during the entire period.
The CommTel team will typically spend half of the time of an assignment on site.
Each team member will require an adequate desk, access to a printer and a
telephone line.
Each team member must have an individual access badge giving access to the
working area from 8am to 5pm. Additionally, the badge should grant access to
the server rooms and any other area within the scope of this assessment.
Access badges should be applied for before the project commences. Campus maps
should be provided at the kick-off meeting, along with explicit instructions on
areas that consultants must not visit.

Project Organization

Name               Designation             Responsibilities                                     Organization  Contact Details
Asher Faisal Khan  Director                Responsible for overall project management as per    CommTel       03008413673
                                           the scope document
Ovais Zahid        Project Manager         Project management, scheduling, assigning tasks      CommTel       03218230154
Shoaib Abbasi      Lead Security Solution  Account manager; responsible for deployment, testing CommTel       03432517608
                                           and support of the security solution as per the
                                           scope document
Tehseen Sarwar     Deployment Engineer     Deployment of the McAfee solution under the          CommTel       03432517612
                                           guidelines of the Project Manager
Sh. Abdul Majid    Deployment Engineer     Deployment of the McAfee, BlueCoat and SafeNet       CommTel       03432517611
                                           solutions under the guidelines of the Project
                                           Manager
Najdat Khan        Deployment Engineer     Deployment of the BlueCoat and ISS solutions under   CommTel
                                           the guidelines of the Project Manager
Ahsan Khan         Deployment Engineer     Deployment of the ArcSight and ISS solutions         CommTel       03432517609
Ahemr Faisal Khan  DB Security Expert      Deployment of the DB security solution               CommTel       03218103161
