Security Incidents

Building an Enterprise IT Security Management System

Belsis A. Meletis, Information Security Consultant
MPhil / MSc / BSc, CWNA/CWSP, C|EH, CCSA, Network+, ISO27001LA

Description: A model to assist in the management of enterprise security incidents

Transcript of Security Incidents

Page 1: Security Incidents

Building an Enterprise IT Security Management System

Belsis A. Meletis, Information Security Consultant
MPhil / MSc / BSc, CWNA/CWSP, C|EH, CCSA, Network+, ISO27001LA

Page 2: Security Incidents

Information Enterprises

Enterprises base their correct operation almost solely on information. To maximise the efficient handling of information, they use complex IS/IT infrastructures.

These infrastructures can be localised or globally distributed, allowing users to access them locally or remotely.

New technologies like mobile devices and PDAs increase the complexity of these infrastructures even further.

Page 3: Security Incidents

Information Security for Enterprises

Security threats targeting these infrastructures can be internal or external.

Adversaries use a number of techniques to attack corporate information, for fun and for profit.

Examples include computer viruses, Denial of Service attacks, buffer overflows and social engineering.

Page 4: Security Incidents

Security Architectures

To provide adequate security for the modern enterprise, security architectures need to be deployed.

These include security technologies, tools and policies that interoperate to provide “total” security.

These must work transparently to the rest of the system and be able to follow the enterprise's culture and future changes.

Page 5: Security Incidents

Managing Security Architectures

[Diagram: an enterprise security architecture managed from an Enterprise Security Management Console: Internet, Router, three Firewalls, a DMZ with Web Server and Email Server, Radius, IDS sensors on two Ethernet segments, Antivirus, File Server with Data, Local Clients and Remote Clients.]

There are a number of security products that allow experts to provide central management over large security architectures.

Unfortunately the models behind these products fail to interoperate with the existing enterprise models.

Most of these products handle only specific parts of the enterprise security architecture. An example of this is the enterprise security history, which is a vital part of any modern security infrastructure, but most current products do not incorporate it in their models.

Page 6: Security Incidents

Our Proposal

We propose the use of a new enterprise model: the Enterprise IT Security Data Model.

The new model will be used as the base for the development of an ESM (Enterprise Security Management) software package.

The new model differs from existing ones in that it includes the description of the totality of an enterprise security architecture, including the enterprise's security history.

The proposed model includes clear links to the other enterprise modelling frameworks, to allow interoperability with the other enterprise business products. To succeed in this, the new development follows the Zachman framework.

Page 7: Security Incidents

Proposed Model

The main entities of the model are:

- Departmental Structure
- Employee Infrastructure
- Information Infrastructure
- IT Infrastructure
- Physical Security
- IT Security
- Risks
- Security Policy
- Security History

[Diagram: the entities (Enterprise Departmental Structure, Enterprise Employee Infrastructure, Enterprise Information Infrastructure, Enterprise IT Infrastructure, Enterprise IT Security, Enterprise Physical Security, Enterprise Security History, Enterprise Security Policy, Enterprise Risks) and the links between them.]

Page 8: Security Incidents

Recording Incident History

The incident history model has been decomposed and tested.

The incident history was selected due to the fact that current ESM products neglect this important part of security.

An earlier version of the incident model was presented at IFIP/SEC 2002 in Cairo.

Page 9: Security Incidents

Deploying the ESM system

The implementation follows the logical and physical distribution that an enterprise follows.

CORBA has been extensively proposed for accessing distributed data models.

CORBA will bring to the system the required transparency, efficiency and security.

The system incorporates an NLIDB (Natural Language Interface to Databases) server. The server will allow for the easy execution of smart queries.

[Diagram: a Web Client, a CSIRT Web Server, the NLIDB server, the DBMS, the Security Database and a Security Device, connected through an ORB to the Security Management Console over TCP/IP and HTTP. The query flow shown is:]

1) The web client authenticates to the CSIRT web server with X.509
2) The client downloads the Java applet
3) The user's natural English query is executed against the NLIDB server
4) The NLIDB server executes the corresponding SQL query on the DBMS
5) The DBMS finds the data
6) Return result
7) Return results
8) Return formatted result to the web client

Page 10: Security Incidents

Deploying the ESM system

Using CORBA, security specialists can access and manage the system through a web-based interface or using specific clients that are integrated into the management console.

CORBA's Security Service can provide adequate security for the purposes of this system.

CORBA's architecture allows a security expert to change specific security processes without affecting the rest of the system.

The inclusion of an NLIDB server allows experts to execute smart queries on the security architecture using plain English.
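The following is an added example, not code from the presentation or from the ESM product it describes. It serves two of the slides at once: it gives the Security History entity of the proposed model (Pages 7 and 8) a concrete relational form, with each incident linked back to the IT infrastructure, employee, security policy and risk entities, and it models steps 3 to 8 of the NLIDB flow (Pages 9 and 10) by turning a constrained English question into a parameterised SQL query run against that history. The table and column names, the three supported question shapes and the sample incidents are all assumptions constructed for illustration; the point a practitioner should take from it is that the user's words only ever become bound parameters, never SQL text.

```python
"""Incident-history slice of the Enterprise IT Security Data Model plus a toy
NLIDB front end. Added example; schema, sample data and question grammar are
assumptions, not the presentation's own design."""
import re
import sqlite3

SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE department      (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee        (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                              department_id INTEGER REFERENCES department(id));
CREATE TABLE it_asset        (id INTEGER PRIMARY KEY, hostname TEXT NOT NULL,
                              role TEXT NOT NULL);
CREATE TABLE security_policy (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE risk            (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                              level TEXT NOT NULL);
-- Security History: every incident links back to the asset it touched, the
-- employee who reported it, the policy it breached and the risk it realised.
CREATE TABLE incident (
    id          INTEGER PRIMARY KEY,
    occurred_on TEXT NOT NULL,   -- ISO 8601 date, sortable as text
    category    TEXT NOT NULL,   -- virus, dos, overflow, social, ...
    asset_id    INTEGER NOT NULL REFERENCES it_asset(id),
    reported_by INTEGER NOT NULL REFERENCES employee(id),
    policy_id   INTEGER NOT NULL REFERENCES security_policy(id),
    risk_id     INTEGER NOT NULL REFERENCES risk(id),
    summary     TEXT NOT NULL);
"""

# Constructed sample data for the example; not real incidents.
SAMPLE = {
    "department": [(1, "IT"), (2, "Finance")],
    "employee": [(1, "Anna", 1), (2, "Bob", 2)],
    "it_asset": [(1, "web01", "web server"), (2, "mail01", "email server"),
                 (3, "fs01", "file server")],
    "security_policy": [(1, "Acceptable Use"), (2, "Patch Management")],
    "risk": [(1, "malware", "high"), (2, "service outage", "medium")],
    "incident": [
        (1, "2001-09-18", "dos",      1, 1, 2, 2, "Scanning and flooding of web server"),
        (2, "2001-11-05", "virus",    3, 2, 1, 1, "Virus found on shared folder"),
        (3, "2002-03-12", "dos",      1, 1, 2, 2, "SYN flood against web server"),
        (4, "2002-06-20", "overflow", 1, 1, 2, 1, "Buffer overflow attempt on CGI script"),
        (5, "2002-08-01", "social",   2, 2, 1, 1, "Phishing mail asking for passwords"),
    ],
}


def build_db():
    """Create the in-memory security database and load the sample history."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():   # insertion order satisfies the FKs
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


# One joined view over the security history, shared by every question shape.
HISTORY = """
SELECT i.occurred_on, i.category, a.hostname, e.name, p.title, r.level, i.summary
FROM incident i
JOIN it_asset a        ON a.id = i.asset_id
JOIN employee e        ON e.id = i.reported_by
JOIN security_policy p ON p.id = i.policy_id
JOIN risk r            ON r.id = i.risk_id
"""


def nl_to_sql(question):
    """Map a constrained English question to (sql, params).

    User words are returned only as bound parameters, so a hostile question
    cannot alter the statement the DBMS executes; anything outside the
    grammar is rejected rather than guessed at.
    """
    q = " ".join(question.lower().split())
    m = re.fullmatch(r"(?:show|list) incidents on (\S+)(?: since (\d{4}-\d{2}-\d{2}))?", q)
    if m:
        host, since = m.groups()
        sql, params = HISTORY + " WHERE a.hostname = ?", [host]
        if since:
            sql, params = sql + " AND i.occurred_on >= ?", params + [since]
        return sql + " ORDER BY i.occurred_on", params
    m = re.fullmatch(r"(?:show|list) incidents reported by (\S+)", q)
    if m:
        return HISTORY + " WHERE lower(e.name) = ? ORDER BY i.occurred_on", [m.group(1)]
    m = re.fullmatch(r"(?:count|how many) incidents of type (\w+)", q)
    if m:
        return "SELECT COUNT(*) FROM incident WHERE category = ?", [m.group(1)]
    raise ValueError(f"unsupported question: {question!r}")


def supported(question):
    """True if the NLIDB front end understands the question."""
    try:
        nl_to_sql(question)
        return True
    except ValueError:
        return False


def ask(conn, question):
    """Steps 3 to 8 of the slide's flow in one call: English in, rows out."""
    sql, params = nl_to_sql(question)
    return conn.execute(sql, params).fetchall()
```

Typical use is `db = build_db()` followed by `ask(db, "list incidents on web01 since 2002-01-01")`, which returns the two 2002 incidents on that host joined to the reporter, policy and risk entities. The grammar is deliberately closed: `supported("list incidents on web01; drop table incident")` is false, because the whole question must match one pattern and the host name is bound with `?` rather than spliced into the SQL.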

Page 11: Security Incidents

Conclusions

This research aims at the development of a new ESM product.

The new product will differ substantially from the existing ones in that it manages the totality of the security architecture and provides clear links with the rest of the enterprise's models.

Until now, the base for the development of this product has been developed. Some work has also been done on the way the product will be deployed.

Page 12: Security Incidents

Thank You