Thursday, March 13, 2008

TSOM - Tivoli Security Operations Manager Overview

A product called NeuSecure, which was owned by a company called GuardedNet, was acquired by Micromuse when they bought GuardedNet in July 2005. Since the IBM acquisition of Micromuse later that year, IBM has released NeuSecure as Tivoli Security Operations Manager, or TSOM. In this article I'll cover some of the features in TSOM 3.1 and its integration points.

TSOM provides a way for network operations folks to gather security threats from sources in the network, called "sensors" (network devices such as firewalls, intrusion detection systems and web servers), and present those threats on a console, ranked by threat level. The product allows the use of watchlists to group events together, and has a number of handy console types, including an event console and a "Powergrid" for visually manipulating events for quick analysis.

Events from the sensors can be acted on by stateful rules, a lot of which are provided with the product, that watch for a threat "signature" through correlation.

TSOM uses MySQL for its event database, and offers Oracle as an alternative to MySQL for the persistent database. TSOM supports a number of different firewall formats, and collects information from them using a number of different protocols, or "conduits", such as syslog, SNMP, SMTP, XML (custom events), eStreamer and Check Point FW-1.
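To make the stateful correlation and watchlist ideas above concrete, here is an added example written for this post (not TSOM's own rule engine or any vendor's log format): it parses constructed syslog-style firewall deny lines from a sensor, fires a hypothetical threshold rule when one source is denied repeatedly inside a sliding time window, and raises the threat level when that source is on a watchlist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like layout; not real TSOM or firewall output.
SAMPLE_SYSLOG = """\
2008-03-13T10:00:01 fw1 deny src=10.1.1.5 dst=192.168.0.10 dport=22
2008-03-13T10:00:03 fw1 deny src=10.1.1.5 dst=192.168.0.11 dport=22
2008-03-13T10:00:04 fw1 deny src=10.1.1.5 dst=192.168.0.12 dport=22
2008-03-13T10:00:09 fw1 deny src=10.1.1.9 dst=192.168.0.10 dport=80
2008-03-13T10:05:30 fw1 deny src=10.1.1.5 dst=192.168.0.13 dport=22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) deny src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_events(text):
    """Turn the constructed syslog lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sensor, src, dst, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events

def correlate(events, threshold=3, window=timedelta(seconds=60), watchlist=frozenset()):
    """Hypothetical stateful rule: `threshold` denies from one source inside a
    sliding `window` raise a single alert; watchlisted sources get a higher level."""
    state = defaultdict(list)  # src -> timestamps of denies still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in state[ev["src"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        state[ev["src"]] = recent
        if len(recent) == threshold:  # fire once, when the count is first reached
            level = "high" if ev["src"] in watchlist else "medium"
            alerts.append({"src": ev["src"], "count": len(recent), "level": level})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_SYSLOG), watchlist={"10.1.1.5"}):
        print(alert)  # the three denies from 10.1.1.5 within 60s fire one "high" alert
```

The fifth line, five minutes later, does not re-trigger the rule because the earlier three denies have slid out of the window.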

Some features in TSOM 3.1:

Integration with TIM and TAM

Cisco SDEE support

Event import/export via SNMP

Ability to import vulnerability scans from a number of different scan products from an XML file

Ability to forward events to Netcool and Tivoli

More to come so stay tuned.
