Page 1: Guardium Tech Talk: IBM Security Guardium® and QRadar® – Enhancing insights using bidirectional integration

Walid Rjaibi, CTO, IBM Security Guardium
Johan Varno, Product Architect, IBM Security Integrator

September 8th, 2015

© 2015 IBM Corporation

IBM Security

Page 2: Logistics

• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at speaker’s discretion.
  – If we cannot answer your question, please do include your email so we can get back to you.
• When speaker pauses for questions:
  – We’ll go through existing questions in the chat

Page 3: Guardium community on developerWorks

bit.ly/guardwiki

Page 4: Reminder: Next Guardium Tech Talk

Link to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: What's new in Guardium DAM V10: A Technical Overview

Speakers: Kathy Zeidenstein, Evangelist and Community Advocate; David Rozenblat, Director of Guardium Development

Date and time: Thursday, September 17th, 11:30 AM US Eastern

Register here: https://ibm.biz/BdX3Qx

Page 5: Agenda

Data Security Drivers

Guardium & QRadar Overview

Guardium & QRadar Bi-directional Integration

Page 6: Data Security Drivers

External Threats – Sharp rise in external attacks from non-traditional sources
• Cyber attack
• Organized crime
• Corporate espionage
• Government-sponsored attacks
• Social engineering

Internal Threats – Ongoing risk of careless and malicious insider behavior
• Administrative mistakes
• Careless inside behavior
• Internal breaches
• Disgruntled employees’ actions
• Mix of private / corporate data

Compliance – Growing need to address a steadily increasing number of mandates
• National regulations
• Industry standards
• Local mandates

Page 7: Data Security Drivers

83% of CISOs say that the challenge posed by external threats has increased in the last three years

Page 8: Data Security Drivers

2014: 25% more records leaked than 2013… insane!

Page 9: Data Security Drivers

Minutes To Compromise, Months To Discover & Remediate*

(Chart: time span of events by percent of breaches, annotated with where Guardium and QRadar act.)

*Verizon data breach report 2012

Page 10: Guardium Capabilities Overview

Capabilities cover data at rest, configuration and data in motion, and follow four steps: Discover, Harden, Monitor, Protect.

• Discover – Where is the sensitive data? Discovery, Classification
• Harden – How to secure the repository? Who should have access? Vulnerability Assessment, Entitlements Reporting
• Monitor – What is actually happening? Activity Monitoring
• Protect – How to prevent unauthorized activities? How to protect sensitive data to reduce risk? Blocking, Dynamic Data Masking, Encryption

Page 11: QRadar Capabilities Overview

(Architecture diagram of the IBM QRadar Security Intelligence Platform, with southbound APIs feeding data in and northbound APIs exposing results.)

• Inputs: Real Time Structured Security Data; Unstructured Operational / Security Data
• Interfaces and data formats shown: LEEF, AXIS, Configuration, NetFlow, Offense
• Security Intelligence Operating System: Normalization, Warehouse, Archival, Analytics Engine, Rules Engine, Workflow, Reporting Engine, Real-Time Viewer
• Solution modules: Log Management, Security Intelligence, Network Activity Monitoring, Risk Management, Vulnerability Management, Network Forensics, Future

Page 12: Traditional Guardium & QRadar Integration

Traditional Guardium & QRadar integration is a one-way information flow where Guardium sends alerts and Vulnerability Assessment (VA) reports to QRadar.

A one-way Information Flow

(Diagram: S-TAP agents on Data Warehouse, File Shares and Big Data sources report to Guardium; Guardium forwards Alerts & VA reports to QRadar, one way.)

Page 13: Traditional Guardium & QRadar Integration

Policy Violation: Alert to QRadar

(Diagram: a bad actor at 10.0.1.8 issues SQL against Oracle, DB2, MySQL, Sybase, etc.; Guardium checks policy on the appliance and sends an alert to the IBM QRadar Security Intelligence Platform.)

Common alerting use cases for databases:

• Failed logins
• Unauthorized access
• SQL Error codes (e.g., SQL injection attacks)
• Users trying to escalate their privileges
• Users creating triggers and views to indirectly access sensitive data
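The alert direction shown on this slide, as an added example (not IBM code): a parser for Guardium-style LEEF alert lines that tags each record with the alerting use cases listed above and groups them by source IP. The LEEF header layout (LEEF:1.0|vendor|product|version|eventID|tab-separated key=value pairs) is QRadar's documented format; the attribute keys (srcIP, dbUser, errorCode, sqlText) and the sample lines are constructed for this example and do not reproduce Guardium's real alert template.

```python
"""Tag Guardium-style LEEF alerts with the database alerting use cases above.
Added example, not IBM code: the LEEF header layout is QRadar's documented
format, but the attribute keys and sample lines are constructed here."""
import re
from dataclasses import dataclass, field

# Constructed sample alerts in the shape Guardium would forward to QRadar.
SAMPLE_ALERTS = [
    "LEEF:1.0|IBM|Guardium|10.0|Policy Violation|sev=5\tsrcIP=10.0.1.8\tdbUser=appuser"
    "\terrorCode=ORA-00933\tsqlText=SELECT * FROM customers WHERE id=1 OR 1=1--",
    "LEEF:1.0|IBM|Guardium|10.0|Failed Login|sev=3\tsrcIP=10.0.1.8\tdbUser=sa\terrorCode=28000",
    "LEEF:1.0|IBM|Guardium|10.0|Policy Violation|sev=4\tsrcIP=10.0.1.9\tdbUser=dev"
    "\tsqlText=GRANT DBA TO dev",
    "LEEF:1.0|IBM|Guardium|10.0|Policy Violation|sev=4\tsrcIP=10.0.1.9\tdbUser=dev"
    "\tsqlText=CREATE VIEW v_cards AS SELECT card_no FROM payments",
]

# Heuristics over the captured SQL text; tune them to the monitored dialects.
INJECTION_RE = re.compile(r"\bOR\s+\d+\s*=\s*\d+|--|;\s*(?:DROP|SHUTDOWN)\b", re.I)
PRIVESC_RE = re.compile(r"^\s*(?:GRANT|ALTER\s+(?:USER|ROLE))\b", re.I)
INDIRECT_RE = re.compile(r"^\s*CREATE\s+(?:OR\s+REPLACE\s+)?(?:TRIGGER|VIEW)\b", re.I)


@dataclass
class LeefEvent:
    vendor: str
    product: str
    version: str
    event_id: str
    attrs: dict = field(default_factory=dict)


def parse_leef(line: str) -> LeefEvent:
    """Split the five pipe-delimited header fields from the tab-separated attributes."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record: %r" % line[:40])
    attrs = {}
    for pair in parts[5].split("\t"):
        key, sep, value = pair.partition("=")
        if sep:  # skip malformed fragments instead of dropping the whole record
            attrs[key.strip()] = value
    return LeefEvent(parts[1], parts[2], parts[3], parts[4], attrs)


def classify(event: LeefEvent) -> list:
    """Map one alert onto the use-case names from the slide; may return several."""
    sql = event.attrs.get("sqlText", "")
    tags = []
    if event.event_id.lower() == "failed login":
        tags.append("failed login")
    elif "errorCode" in event.attrs:
        tags.append("sql error code")
    if INJECTION_RE.search(sql):
        tags.append("possible sql injection")
    if PRIVESC_RE.match(sql):
        tags.append("privilege escalation")
    if INDIRECT_RE.match(sql):
        tags.append("indirect access via trigger/view")
    return tags


def summarize(lines) -> dict:
    """Group use-case tags by source IP, the pivot an analyst would use in QRadar."""
    by_ip = {}
    for line in lines:
        ev = parse_leef(line)
        by_ip.setdefault(ev.attrs.get("srcIP", "?"), []).extend(classify(ev))
    return by_ip
```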

Page 14: Traditional Guardium & QRadar Integration

Page 15: The New Guardium & QRadar Integration

It is now possible to have the Guardium data protection policies updated automatically and nearly in real time in response to security intelligence events from QRadar.

A two-way Information Flow

(Diagram: S-TAP agents on Data Warehouse, File Shares and Big Data sources report to Guardium; Guardium sends Alerts & VA reports to QRadar, and QRadar sends Guardium policy updates back.)

Page 16: The New Guardium & QRadar Integration

(Diagram: the IBM QRadar Security Intelligence Platform determines that machine 10.0.1.8 was compromised and instructs Guardium to block access from 10.0.1.8; when 10.0.1.8 issues SQL against Oracle, DB2, MySQL, Sybase, etc., Guardium holds the SQL, checks policy on the appliance and terminates the connection.)

Common use cases:

• Block access from a machine that became compromised
• Increase audit levels for access by a user id that became suspicious
• Increase audit levels for access by a privileged shared user id that was on-boarded in a Privileged Identity Management (PIM) system

Page 17: The New Guardium & QRadar Integration

Solution Architecture: The solution builds upon IBM Security Directory Integrator (SDI) to bridge QRadar and Guardium.

Scenario: QRadar determines that certain IP addresses are untrusted and that Guardium should block access from them.

Flow: QRadar (intelligence sources, rules & events) sends events to SDI over TCP/JSON; SDI calls Guardium over REST.

SDI processing:
1. Map from QRadar event to Guardium group
2. Select attribute in event payload to be added to Guardium group
3. Reload Guardium policy for change to take effect

Example mappings: QRadar Event1 maps to Guardium group XX, attribute YY, policy ZZ; QRadar Event2 maps to Guardium group AA, attribute BB, policy CC.

Page 18: IBM Security Directory Integrator

Page 19: The New Guardium & QRadar Integration

Solution Deployment: The solution requires SDI 7.1.1 or later with the latest fixpak installed.

1. Guardium
   – Create the desired policy and associated group
   – Set up a client ID and secret for SDI to invoke the Guardium REST API (Guardium REST API article: http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html)
2. QRadar
   – Configure a forwarding destination
   – Configure rules to dispatch QRadar events to the solution
3. Security Directory Integrator (SDI)
   – Install the solution configuration files

Page 20: The New Guardium & QRadar Integration

Solution Deployment: The SDI configuration files are available with an accompanying white paper on developerWorks. The customer copies these files to the configs sub-folder of the SDI Solution Directory.

Configuration File – Description

QRTrigger.xml – The SDI Config XML file containing the AssemblyLines and other assets used by the SDI Server to power the solution
QRTrigger.properties – Properties file that sets the ports used by the QRadar listener process, as well as the status REST service
QRGuardium.xml – The SDI Config XML file with the response logic for Guardium integration
QRGuardium.properties – Properties file for various settings needed to communicate with Guardium
eventAction.rules – Properties file that ties QRadar Events to the appropriate action to be taken

Page 21: The New Guardium & QRadar Integration

QRGuardium.properties

Parameter Name – Description

guardium.url – The URL to the Guardium instance.
guardium.username – User name/id used to authenticate to Guardium.
guardium.password – Password associated with the username.
guardium.client.id – Client Id registered with Guardium.
guardium.client.secret – Client secret provided for the Client Id.

QRTrigger.properties

Parameter Name – Description

listener.port – The port used by the QRListener AL to receive incoming TCP messages from QRadar. The default value is 1198.
metrics.port – The port used by the Metrics AL to accept incoming HTTP client GET requests. The default value is 1598.

Page 22: The New Guardium & QRadar Integration

Starting the solution: The solution is started by navigating to the SDI (formerly TDI) installation directory and executing the following command.

On Windows:

    ibmdisrv -c configs/QRTrigger.xml -d

On Unix:

    ./ibmdisrv -c configs/QRTrigger.xml -d

Page 23: Slide walkthrough demo

Page 24: The New Guardium & QRadar Integration

QRadar Dashboard…

Page 25: The New Guardium & QRadar Integration

Configure QRadar Events for Forwarding…

Page 26: The New Guardium & QRadar Integration

Configure Guardium policy to use the group that will be written to

Page 27: The New Guardium & QRadar Integration

Mapping QRadar Events to Actions in Guardium…

• Ignore most events.
• Process the event named “Data Leak Prevention Detected”: add the IP address in QRadar field “src” to Guardium group “Server_IP” and reload Guardium policy “ServerBlackList” so that it picks up the new group member.
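The event-to-action mapping on this slide and the three SDI steps from the architecture slide, as an added example (not the SDI solution's own code): a handler that takes a QRadar event as JSON, looks up the rule for its name, validates the “src” value as an IP address before touching a blocking group, adds it to the Guardium group and reloads the policy. The JSON field name eventName, the rule-table layout (the eventAction.rules format is not shown here) and the GuardiumClient interface with its in-memory stand-in are assumptions; in production the two client methods would call the Guardium REST API.

```python
"""Map QRadar events to Guardium group updates and policy reloads.
Added example, not IBM's SDI solution: the rule-table layout, the JSON
field 'eventName' and the GuardiumClient interface are assumptions."""
import ipaddress
import json

# Rule table (assumed layout): event name -> (payload attribute, group, policy).
# The one entry mirrors the demo rule above; unlisted events are ignored.
EVENT_RULES = {
    "Data Leak Prevention Detected": ("src", "Server_IP", "ServerBlackList"),
}

# Constructed sample messages as the listener might receive them over TCP.
SAMPLE_MESSAGES = [
    b'{"eventName": "Data Leak Prevention Detected", "src": "10.0.1.8"}',
    b'{"eventName": "Login Failure", "src": "10.0.1.9"}',
    b'{"eventName": "Data Leak Prevention Detected", "src": "10.0.1.8; DROP"}',
    b'{not json at all',
]


class GuardiumClient:
    """The two Guardium actions the flow needs (REST calls in production)."""
    def add_group_member(self, group: str, member: str) -> None:
        raise NotImplementedError
    def reload_policy(self, policy: str) -> None:
        raise NotImplementedError


class FakeGuardium(GuardiumClient):
    """In-memory stand-in so the flow can be exercised offline."""
    def __init__(self):
        self.groups = {}
        self.reloaded = []
    def add_group_member(self, group, member):
        self.groups.setdefault(group, set()).add(member)
    def reload_policy(self, policy):
        self.reloaded.append(policy)


def handle_event(raw: bytes, guardium: GuardiumClient) -> dict:
    """Process one QRadar message; the returned dict is what gets logged."""
    try:
        event = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"status": "rejected", "reason": "malformed json"}
    rule = EVENT_RULES.get(event.get("eventName")) if isinstance(event, dict) else None
    if rule is None:
        return {"status": "ignored"}                # step 1: no mapping for this event
    attr, group, policy = rule
    # Only a well-formed address may enter a blocking group: a bad payload is
    # logged and dropped rather than written into the policy's group.
    try:
        member = str(ipaddress.ip_address(event.get(attr)))
    except ValueError:
        return {"status": "rejected", "reason": "%s is not an IP address" % attr}
    guardium.add_group_member(group, member)        # step 2: add attribute to group
    guardium.reload_policy(policy)                  # step 3: make the change take effect
    return {"status": "applied", "group": group, "member": member, "policy": policy}


def run_samples(guardium: GuardiumClient = None):
    """Feed the constructed messages through the handler; return outcomes and client."""
    guardium = guardium or FakeGuardium()
    return [handle_event(m, guardium) for m in SAMPLE_MESSAGES], guardium
```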

Page 28: The New Guardium & QRadar Integration

Guardium Policy Group is initially empty

Page 29: The New Guardium & QRadar Integration

Starting the solution…

SDI starts and loads the QRTrigger solution which listens for TCP messages from QRadar

Page 30: The New Guardium & QRadar Integration

The QR-listener is receiving messages and adding them to the Guardium group

Page 31: The New Guardium & QRadar Integration

Verify that Guardium groups have been updated

Page 32: Summary

• Near real-time, automated threat remediation to protect sensitive corporate data, based on QRadar best-of-breed security intelligence
• Sensitive data protected in near real time against new threats by a single automated central policy update that applies to all sensitive data targets protected by Guardium
• Significantly reduces the time between threat discovery and threat remediation
• Flexible solution that can address many security scenarios

Sample Use Cases

• Possible attack through the application: Several login failures to an application (e.g. SAP) could indicate someone to look out for at the database layer, and heighten controls on databases connected to the SAP resource.
• Detect database attacks before reaching DB: Detection of an SQL injection at the network or application layer can help apply blocking rules to data extraction.
• Virtual patching remediation: Detecting vulnerabilities at the application layer can help put rules in place to be on the lookout for exploitation.

Page 33: Resources

• Installation and Configuration guide: Updating Guardium Policies based on events from QRadar: https://ibm.biz/BdXMsK
• developerWorks article on using Guardium REST APIs: http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html
• Guardium and QRadar integration overview and demo: https://www.youtube.com/watch?v=M0P12R2Kkjc
• Guardium and QRadar integration configuration: https://www.youtube.com/watch?v=IA4UbJnN9KE
• Video demo: QRadar and Guardium Vulnerability Tests: http://www.ibm.com/developerworks/library/se-gqradar/index.html
• Guardium, QRadar and Privileged Identity Manager Integration demo: https://www.youtube.com/watch?v=TedDkWnAArc
• Guardium Knowledge Center topic on customizing LEEF format and sending alerts and audit results to QRadar: http://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/administer/topics/configuring_global_profile.html?lang=en

Page 34: Information, training, and community cheat sheet

• Guardium Tech Talks – at least one per month. Suggestions welcome!
• Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
• developerWorks forum (very active)
• Guardium DAM User Group on Linked In (very active)
• Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
• Guardium on IBM Knowledge Center (was Info Center)
• Deployment Guide for InfoSphere Guardium Red Book
• Technical training courses (classroom and self-paced, provided by Business Partners)
• InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.


Page 36: Thank you

Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję