GaVI is an IT service provider for a number of German insurance companies. Due to EU and national regulations, it is required to retain data generated while running communications services. In the scope of the data retention project, a distributed Novell Sentinel environment was deployed and several custom collectors were developed to collect logs from fixed telephone, Internet access, Internet e-mail and Internet telephone devices. This session will discuss how you can use the enhanced event router features and Sentinel Link to implement a distributed SIEM solution in a high event rate environment. The session will finish with a lessons-learned section.

1. Implementing Distributed
Novell Sentinel Environments
®
™
A Customer Case Study
Christine Deger Norbert Klasen
Department Manager Senior Consultant
IT Security nklasen@novell.com
christine.deger@gavi.de

2. Overview
• What is GaVI?
– A short introduction
• Data retention
– Legal requirements
• How to get there
– Planning / decision / implementation
• Demonstration
• Lessons Learned
2 © Novell, Inc. All rights reserved.

3. GaVI – IT Full Service …
… for public insurance companies in Germany

4. GaVI
History
• Gavi was founded in 2003 as subsidiary company
of three insurance companies
• Customers
– Insurance holding organizations which represent 33
insurance companies
• Offered Services
– As a full service provider gavi offers all required IT services
4 © Novell, Inc. All rights reserved.

5. Assignment and Claim
• Supply or provision of all required IT services
• Coverage and increase of the economic efficiency and
quality of our (and our customers‘) IT business
• Develop synergies
• Optimisation and homogenisation
• Structuring of technological strategies
• Consulting in all business areas
As measured by its full service customers‘ gross premium income, GaVI is
 THE leading IT service supplier of the public insurance sector (71%)
 Germany‘s third largest IT service supplier within the insurance business
(behind ASI C and ITErgo, on par with AMB Informatik Services)
5 © Novell, Inc. All rights reserved.

6. 6
Business Figures
2009
Business figures
(in 1.000 EUR)
Turnover exposure, thereof 176.000
- Shareholders and their subsidiaries 174.400
- other customers 1.600
Personnel costs 42.000
Material expenses (incl. services) 122.000
6 © Novell, Inc. All rights reserved.

7. GaVI - Facts and Figures
Employees 490
Locations 7 main locations
5 secondary locations
Business volume 180 mio EUR (2008)
Host system 13.000 MIPS
Central print 260 mio pages p. a.
Memory 600 terabyte
Server (logic)
- UNIX/Linux 700
- others 2.100
PC work stations 31.000
Mobile devices 21.000
Service desk 300.000 calls p. a.
7 © Novell, Inc. All rights reserved.

8. Data Retention

9. Legal Requirements
• EU Directive 2006/24/EC
– Retention of data generated or processed in connection with
the provision of publicly available electronic communications
services or of public communications networks
• German law
– Gesetz zur Neuregelung der Telekommunikationsüberwachung
und anderer verdeckter Ermittlungsmaßnahmen sowie zur
Umsetzung der Richtlinie 2006/24/EG
– 2nd of march 2010 arrived a press release from the german
federal consitutional court that contains that parts of the
existing law are not in line with the consitutional requirements.
This means, that all personal data had to be deleted from the
databases.
9 © Novell, Inc. All rights reserved.

10. Legal Obligations
• For fixed telephony, (mobile telephony), Internet
access, Internet email and Internet telephony
• Retain, for a period of 6 months, necessary data
– To trace and identify the source of a communication
– To identify the destination of a communication
– To identify the date, time and duration of a communication
– To identify the type of communication
• No data revealing the content of the communication
may be retained
10 © Novell, Inc. All rights reserved.

11. Arguments On Data Retention
• Data retention is an invasion of privacy
• Disproportionate response to the threat of terrorism
• Costs of retaining data
• Several lawsuits have been filed by individuals and
organizations
• Use of retained data has been restricted by BVerfG
• Some providers need not retain data until courts
have reached final judgement
11 © Novell, Inc. All rights reserved.

12. Does the Law Apply to GaVI?
• Data Retention is required for publicly available
services
• GaVI is no public internet service provider in the
general sense
• But, some of its customers explicitly allow their
employees private internet access
• Legal advisors determined, that GaVI must indeed
retain data under the aforementioned laws
12 © Novell, Inc. All rights reserved.

13. 13
Devices to Monitor
• 6 firewalls from 3 vendors
• 13 VPN gateways from 2 vendors
• 1 fax server
• 2 mail relays
• 13 proxy servers from 3 vendors
• 100 PBXs from 10 vendors
13 © Novell, Inc. All rights reserved.

14. Solution
• GaVI had deployed Novell Audit to fulfill internal
®
requirements on File Acess auditing
• Novell Audit was superseded by Sentinel , Novell’s award
™
winning general purpose Security Information and Event
Management (SIEM) product
• Sentinel has a flexible Event Source Management that
ships with a large number of connectors for all different
kind of devices – from network devices such as firewalls
and intrusion detection systems to vulnerability scanners,
databases, and operating systems.
• An SDK allows for rapid development of custom connectors.
This was key in supporting all Fax and Telephony systems
at GaVI.
14 © Novell, Inc. All rights reserved.

15. Implementation

16. 16
Novell Sentinel ®
™
• Sentinel is based on a message bus architecture that provides
flexibility and scaling for large deployments
• Real-Time Analytics,
Visualization
• Detect and analyze
trends, threats,
violations
• Drill-down into historical details from seconds to hours in the past
16 © Novell, Inc. All rights reserved.

17. Implementation
• Distributed architecture
– three Sentinel instances at major
branch offices
– one central Sentinel instance for data
retention purposes
• Local instances collect from
event sources
– Data normalization
– Shot term storage
• Events relevant to data
retention are forwarded to
central instance
– Only allowed fields
– Log term storage
17 © Novell, Inc. All rights reserved.

18. Numbers
• Combined from all three
branch offices
• Event Sources
– 150
• Sustained event rate
– 800 Events/s
• Peak event rate
– 2000 Events/s
• Storage
– 14 TB
• 90% of events fall under data
retention law
18 © Novell, Inc. All rights reserved.

19. Sentinel Link ™
• Sender
– Action and Integrator
– Event batch allows for better compression
– Reliable transport
– Encryption
• Receiver
– Connector and Collector
– Collector is a single thread and thus limited to one CPU core
– Limites parsing rate to ~500 eps
– Create dedicated connector/collector pairs for each event
source
19 © Novell, Inc. All rights reserved.

20. Sentinel Link Demonstration
™

21. Lessons Learned

22. Project Costs
• Hardware
– 150.000 € (210.000 $)
• Licenses
– 259.000 € (362.600 $)
• Internal / External effort
– Internal: 52.000 € (72.800 $)
– External: 75.000 € (105.000 $)
22 © Novell, Inc. All rights reserved.

23. Event Forwarding
• Using database connector
– No good Identifier in event record
• Forwarding from Correlation Rules
– JavaScript actions are compiled for each event
– Allows ~ 20 actions per second
– Not fast enough
• Forward from Event Router
– Events are batched up
– Action is called once for a batch of up to 500 events
23 © Novell, Inc. All rights reserved.

24. Process
• Validate Data
– Ensure complete and correct forwarding of data
– Each event was shifted into the future by one hour
• Performance
– Always test for performance issues during pilot
24 © Novell, Inc. All rights reserved.

25. Requirements by BVerfG
• If a new a bill is to be passed, it must impose strict
data security guidelines
– Separate storage
– Asymmetric encryption
– Four-eyes principle
– Advanced authentication mechanisms
– Non-repudiatable access and deletion logs
25 © Novell, Inc. All rights reserved.

26. Future
• Use deployed infrastructure for IT security monitoring
– Expand collection to Windows systems
– Correlate events across systems
– Track security incidents
– Automatically notify on suspicious or illegal activity
• Improve Compliance Reporting for IT Controls
– Fulfill requirements set forth by internal and external auditors
26 © Novell, Inc. All rights reserved.

28. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.