Lieberman Exposes Super-User Activity to SIEMs

February 8, 2011 Alex Woodie

Organizations can feel a little more secure that their IT workers aren’t abusing powerful user profiles as a result of integration work done by Lieberman Software and Q1 Labs. The two security software companies teamed up to ensure that every use of Lieberman’s Enterprise Random Password Manager is tracked by Q1 Labs’ security information and event management (SIEM) software.

Lieberman’s ERPM is designed to streamline and secure the process of granting IT workers elevated authority on a server or application. ERPM controls access to powerful user profiles, such as ALLOBJ on the IBM i OS or ROOT on Unix, through the passwords that are associated with these user profiles. IT workers can get the authority they need by logging into EPRM, which randomly generates a password for the user profiles in question. The software, which runs on SQL Server or Oracle database, supports most popular platforms, including IBM i, z/OS, Windows, Linux, Unix, Cisco networking gear, major user directory servers, and others.

Liberman already offers its customers the option of requiring two forms of user authentication (including via RSA devices) before ERPM will grant access to powerful user profiles. But with such a treasure trove of corporate resources sitting on the other side of the ERPM wall (one shudders to imagine what a knowledgeable hacker could do if he were granted full access to an IBM i or System z server of a major public company), this is a situation where you almost can’t have too many walls, or too much inter-connectedness among security systems.

While there’s little question that Lieberman successfully maintains tight security over its customers’ delegated domains via ERPM, larger enterprises with big IT security concerns clearly want to view ERPM activities via their SIEMs, those all-seeing, all-knowing eyes in the sky that are charged with detecting coordinated security attacks on corporate information systems.

To that end, Lieberman has embarked upon a concerted effort to get ERPM interfaced to, and certified with, other enterprise security systems. Last year, the Los Angeles company certified ERPM to work with the SIEM from ArcSight, which attracted so much positive attention that was snapped up by Hewlett-Packard last fall for $1.5 billion. It has also integrated ERPM with third-party incident reporting and tracking systems.

Last week, Lieberman announced that ERPM activities will be exposed to QRadar, the SIEM from Q1 Labs, which is another respected developer of enterprise security tools (and one that is now supporting IBM i). According to the vendors, the certification ensures that ERPM can effectively leverage Q1 Labs’ LEEF and AXIS “open security intelligence protocols” to identify security threats and anomalies involving powerful user profiles and the passwords that authorize IT workers to use them.

This means that all password check-in and check-out activities, credentials changes, and successful and failed password verifications managed by ERPM are now visible in QRadar, where they can be correlated with other security events in real time. Reporting and auditing elements of ERPM are also now exposed to QRadar.

Lieberman Software president and CEO Philip Lieberman says the integration “closes the loop” on security event management. “With this 360-degree view of security events Lieberman Software and Q1 Labs can show not only what is happening, but also who is behind the activity–effectively ending anonymous access to privileged accounts.”

Strong sales of EPRM fueled a strong fiscal 2010, with year-over-year revenues increasing nearly 40 percent, Lieberman said last month. The company attributes the increased sales to a boost in awareness, including the new integration points with SIEM vendors like Q1 Labs and ArcSight.