IBM InfoSphere Guardium Tech Talk: Guardium 101 · Information Management – InfoSphere Guardium 6...

© 2013 IBM Corporation. Information Management. IBM InfoSphere Guardium Tech Talk: Guardium 101. Joe DiPietro – Center of Excellence lead; Kathy Zeidenstein – Guardium Evangelist. 21 Feb 2013


Page 1


IBM InfoSphere Guardium Tech Talk: Guardium 101

Joe DiPietro – Center of Excellence lead
Kathy Zeidenstein – Guardium Evangelist
21 Feb 2013

Page 2


What we’ll cover today

What is Guardium and what problems does it address?

Overview of some capabilities

Architectural overview and policy primer

Deployment topologies

Guardium team and projects

Whirlwind tour of the UI

Administration/automation (CLI and API)

Where to find more information

Page 3


Data is the key target for security breaches… and database servers are the primary source of breached data

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

2012 Data Breach Report from Verizon Business RISK Team

Database servers contain your clients’ most valuable information

– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records

High volumes of structured data
Easy to access

“Go where the money is… and go there often.” - Willie Sutton

WHY?

Verizon has a team that analyzes risk and breaches in the digital world on a yearly basis, looking for attack trends and pattern changes, akin to the work we do with X-Force. For several years they have seen a trend where the great majority of records breached came from databases, regardless of the source of the breach. So we reach the conclusion that databases are a major point of compromise. This may not be surprising, since this is where we find the most critical enterprise data worth stealing or violating, and since it is structured, it is easier to find. This is where Guardium has focused its attention up to now, but as more and more data gets stored in NoSQL databases or other non-relational databases, Guardium is tackling this problem as well and has an offering for Hadoop data activity monitoring.

Insider attacks are another particularly big issue when viewed from the perspective of production databases, because they are unique, complex systems that are generally completely under the control of the DBAs that administer them. In fact, surveys of database administrators routinely confirm that issue: 62% of organizations have no way to control what administrators do with their organization’s most sensitive data, and the majority can’t even detect whether inappropriate activity is taking place.


Page 4


Typical home grown solutions are costly and ineffective

Create reports

Manual review

Manual remediation dispatch and tracking

Native Database Logging

• Perl/UNIX scripts/C++
• Scrape and parse the data
• Move to central repository

Native Database Logging (one per database server)

• Significant labor cost to review data and maintain process
• High performance impact on DBMS from native logging
• Not real time
• Does not meet auditor requirements for Separation of Duties
• Audit trail is not secure
• Inconsistent policies enterprise-wide

At IBM we’ve been fortunate to consult with hundreds of enterprises world-wide that are seeking to secure their sensitive databases. Most fall into one of two categories. Either they have no database security solution in place, or they have attempted to build a “home grown” solution based on native auditing. Most of the larger enterprises fall in the latter category.

Let’s take a moment to explore how these home grown solutions are built, and why you may not want to go down that path. These systems are built on the native logging facilities of the databases, which are turned on to enable auditing. Since they are distributed, scripts are typically written to scrape those logs, centralize the information and clean it up. Then reports are written to simplify examination of the information. On a periodic basis some poor individual examines these logs looking for inappropriate activity. When an anomaly is identified, the individual responsible for that system is contacted, typically through email, and some manual system, a spreadsheet or database, is used to track the incidents and responses.

This is not a very good approach to securing your company’s most valuable assets, for a variety of reasons:

1. It is a costly approach, involving significant labor to develop the software and do the manual remediation discussed.
2. Many companies cannot implement or sustain the approach due to the overhead incurred when the native logging facilities are enabled. The overhead typically ranges from 10% to 45% of CPU cycles.
3. It is obvious this type of system is not real time. By the time an anomaly is discovered, your valuable data is long since gone.
4. From a compliance perspective this type of approach is now being challenged by auditors, as it does not provide the separation of duties they require. Privileged users like DBAs are required to run the system; they can turn off the native auditing if they want to do something inappropriate, or modify the centralized logs.
5. And of course the whole system is not secure; it can be compromised at many points.
6. Last of all, this type of approach does not provide consistent information enterprise-wide, as the underlying audit facilities deliver inconsistent information.

Page 5


Slide diagram (Data Security & Risk life cycle); labels recovered from the figure:

Constraints: Increased Risk; Data Growth & Acquisitions; Time to understanding; Outsourced & Contractor Access

Goals: Empower users; Stay out of the papers…

Challenges: Where is sensitive data?; Unauthorized Changes; Security Threats; Rising Costs

• Reduced cost across the lifecycle
• Higher quality
• Improved understanding
• Lowered risk
• Improved compliance

Data Security & Risk (DSR) life cycle: Find, Classify, Assess / Harden, Monitor, Enforce, Audit, Analyze; Define Metrics, Measure Results, Increase Protection, Cost

50,000 Foot Overview

This chart lays out the goals and challenges that many organizations face when trying to reducbusiness goals.

The challenges on the bottom reflect on the fact that many organizations don’t really understanyou effectively protecting it? If a breach occurs, would you have the information you need t

The goals you probably have are to reduce risk, increase protection with a low TCO. You needYet data security is a way a moving target. Every time there is a merger or acquisition there is

private data in there as well. And companies need to be able to deploy outsourced IT resources, including DBAs and devel

Later on in this presentation, you’ll learn about how to use this data security life cycle model toEnforcement.

Page 6


Historical perspective: What is Guardium?

Guardium, the company, was founded in 2002
– Innovated a non-invasive solution for continuous database auditing
Guardium was acquired by IBM in 2009

The ‘Guardium’ name was extended to other products in the IBM Information Management portfolio that focus on data security and protection (that’s how good it is!)

InfoSphere Guardium Data Activity Monitoring
InfoSphere Guardium Vulnerability Assessment
InfoSphere Guardium Data Encryption
InfoSphere Guardium Data Redaction

The ‘original’ Guardium and our focus for today’s talk

The focus of this topic is the technology acquired by IBM from Guardium, now marketed as two main offerings: InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Vulnerability Assessment.

InfoSphere Guardium Data Encryption encrypts databases and files “in place” and avoids the need to re-architect databases, files, or storage networks. Inserted above the file system and/or logical volume layers, InfoSphere Guardium Data Encryption is transparent to users, applications, databases and storage subsystems. It requires no coding and no modification to applications or databases. http://www.ibm.com/software/data/guardium/encryption-expert/

InfoSphere Guardium Data Redaction protects sensitive data in documents, forms and files from unintentional disclosure by detecting and removing the data from the document version openly shared. It supports many document formats, including scanned documents, PDF, TIFF, XML and Microsoft® Word. Redaction usually happens as a result of a request, or a need to share select information. Redaction is not a replacement for encryption, proper access control, or secure document lifecycle management tools. Web page: http://www.ibm.com/software/data/guardium/data-redaction/

Page 7


And where does it fit?

InfoSphere Information Governance

Guardium has the privilege to be a key component in two IBM strategies: First the InfoSphere Information Governance Strategy, where there is a need to provide customers with trusted, relevant, and governed data throughout the information lifecycle. And with the Security Systems framework, where the protection of sensitive data is ultimately the essence of what enterprises want to accomplish.

Guardium integrates with and complements IM products, such as InfoSphere Discovery and Optim Archiving, as well as Security products like QRadar and AppScan. For example, Guardium complements Optim Test Data Management solutions by monitoring sensitive data access in test environments. It also complements Optim Data Growth solutions with the ability to monitor access to both active and inactive (archived) data.


Page 8


What we’ll cover today

What is Guardium and what problems does it address?

Overview of some capabilities

Architectural overview and policy primer

Deployment topologies

Guardium team and projects

Whirlwind tour of the UI

Administration/automation (CLI and API)

Where to find more information

Page 9


Products and capabilities

• Configuration assessment

• Vulnerability assessments

• Vulnerability reports

• Suggested remediation steps

• Data Protection Subscription

• Configuration audit system (CAS)

• Entitlement reporting (VA Advanced)

InfoSphere Guardium Vulnerability Assessment (VA)
Best practice & secure configuration

• Data discovery and classification

• Real-time activity monitoring

• Application end-user identification

• Security alerts and audit reports

• Compliance workflow

• Blocking unauthorized access

• Masking sensitive data

InfoSphere Guardium Data Activity Monitoring (DAM)
For data security & compliance

Hardware, virtual or software appliances

Central Management & Aggregation: Manage and use large deployments as a single federated system

And so, at a high level, Guardium offers two product suites:

1. Guardium Data Activity Monitoring (DAM) – to monitor dynamic data in real time, log the activity for compliance purposes and respond in real time to any unauthorized or suspicious activity, for example by triggering an alert. Data discovery and classification crawls the network as directed by the user's configuration settings to find new database instances. It also finds and classifies sensitive data inside databases, using an intelligent database crawler to search for customizable patterns. Once sensitive objects have been located, they are automatically tagged with meta-data classifications such as “Regulated Record” and added to groups of items with similar properties, which ensures that appropriate policies are automatically applied to groups of objects with similar properties. Application end-user identification (part of the DAM offering) identifies the application users associated with specific database queries and transactions in connection-pooling environments, where applications use a generic service account to access the database. The Advanced DAM package adds prevention functions such as blocking and masking, to actively prevent unauthorized activity and protect against leakage of sensitive data.

2. Database Vulnerability Assessment (VA) – scans database infrastructure for vulnerabilities such as missing patches, misconfigured privileges and default accounts. It also checks for behavioral or dynamic vulnerabilities by analyzing monitored activities, such as an excessive number of failed logins or privileged users sharing credentials. The Advanced VA package also includes the following functions:

1. Configuration Audit System (CAS): Tracks all changes to objects external to the database that have security implications – such as configuration files, environment variables, registry variables and executables such as shell scripts, Java and XML programs. To accelerate deployment, CAS includes a best practices library with hundreds of preconfigured knowledge templates for all major OS and DBMS combinations.

2. Entitlement Reports (ER): Provide a simple means of understanding user rights across the enterprise, including those granted through roles and groups, by aggregating and presenting in pre-defined reports entitlement information from across database instances.

Central Management and Aggregation provides centralized management of multiple collectors via a single Web-based console. It includes centralized management of cross-DBMS security policies and hardware appliance settings such as archiving schedules, and creates a federated system from multiple Collectors.


Page 10


In order to protect your information, you first need to understand where your sensitive data liveDatabase discovery to identify where your databases are located on your network. The agentInstance discovery (using an agent) is only with DAM. "Instance Discovery" requires an agent

STAP. This is why this discovery needs an agent.Sensitive data finder - Guardium can locate databases via network IP scan and open database

(http://en.wikipedia.org/wiki/Regular_expression) to locate matching patterns. e.g. Creditcadatabase. Actions can then be taken AUTOMATICALLY; e.g. log a policy violation, send a
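The discovery-and-classification step described on this slide (a pattern search over table contents, then tagging matches as “Regulated Record” and adding them to a group), as an added Python illustration that is not Guardium code; the table contents, column names, group name and the Luhn check used to discard digit strings that merely look like card numbers are constructed assumptions:

```python
"""Sensitive data finder in miniature: scan table contents for credit-card-like
patterns, keep only Luhn-valid candidates, and tag the matching columns.

Added illustration for this transcript; not Guardium code."""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed sample tables: {table: {column: [values]}}.  BIN$DROPPED_CARDS
# stands in for a dropped table that still lingers until it is purged.
SAMPLE_TABLES = {
    "CUSTOMER": {
        "NAME": ["J Smith", "A Jones"],
        "CARD_NO": ["4111 1111 1111 1111", "5500-0000-0000-0004"],
        "ORDER_ID": ["1234567890123"],          # 13 digits, but not Luhn-valid
    },
    "BIN$DROPPED_CARDS": {"CCN": ["4012888888881881"]},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised (digits only) card numbers found in one value."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(tables: dict, classification="Regulated Record",
             group="Sensitive Objects") -> dict:
    """Crawl every column; tag those holding card numbers.

    Returns {(table, column): {"classification", "group", "matches"}}, i.e.
    the tags a policy would later key on and the group the object joins."""
    hits = {}
    for table, columns in tables.items():
        for column, values in columns.items():
            matches = sum(len(find_card_numbers(v)) for v in values)
            if matches:
                hits[(table, column)] = {
                    "classification": classification,
                    "group": group,
                    "matches": matches,
                }
    return hits


if __name__ == "__main__":
    for (table, column), tag in classify(SAMPLE_TABLES).items():
        print(f"{table}.{column}: {tag}")
```

Columns that match would then feed the automatic actions the slide lists (log a policy violation, add the object to the group a policy references).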


Page 11


Actions a. alert (real time alert and log policy violation) This is useful especially when you run sensitivb. The adding of object to a group enables the system to automatically update the real-time s

policy that references this group will be updated next time it’s installed. You can install andc. The adding of an object to group also allows the system toautomatically update the complia

are aware of the new sensitive data and can take appropriate administrative actions.


Page 12


Here’s an example of a realtime alert from the classification policy that indicates sensitive dataIn Oracle when you delete a table it gets into a temp table until it’s permanently purged.

That just shows that you can have sensitive data lying around in temp tables.


Page 13


Vulnerability and Configuration Assessment Architecture

Based on industry standards: DISA STIG and CIS Benchmark
Extensive library of pre-built tests for all supported platforms
Customizable tests to address your specific corporate security policies

– Via custom scripts, SQL queries, environment variables, etc.

Combination of tests ensures comprehensive coverage:
1. Database settings
2. Operating system
3. Observed behavior

OS Tier (Windows, Solaris, AIX, HP-UX, Linux, z/OS)
Tests: • Configuration files • Environment variables • Registry settings • Custom tests

DB Tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata)
Tests: • Permissions • Roles • Configurations • Versions • Custom tests

Database User Activity

Included with VA

Vulnerability Assessment (VA) is an important process to help secure and harden your infrastructure.

DISA STIG = Defense Information Systems Agency Security Technical Implementation Guides, http://iase.disa.mil/stigs/
CIS = Center for Internet Security, http://www.cisecurity.org/

VA helps identify common security configuration issues like:

– Patch levels on database servers
– Administrators are sharing credentials
– Users are still using default passwords

There are three important categories of tests (observed traffic, database configuration, operating system configuration) to ensure complete analysis of your database infrastructure. Here are the testing methods used (from the Guardium Help Book): Guardium’s Database Vulnerability Assessment combines three essential testing methods to guarantee full depth and breadth of coverage. It leverages multiple sources of information to compile a full picture of the security health of the database and data environment.

1. Agent-based: using software installed on each endpoint (e.g. database server). They can determine aspects of the endpoint that cannot be determined remotely, such as an administrator’s access to sensitive data directly from the

Page 14


Guardium Assessment Results

Diagram callouts: Recommendations on how to fix the failure; Overall score; Are you making progress?; Detailed scoring matrix

Assessment tests give you information to help you correct failures and to show improvement over time. You can also create your own tests. A query-based test is either a pre-defined or user-defined test that can be quickly and easily created by defining or modifying a SQL query, which is run against the database datasource and whose results are compared to a predefined test value. See the backup slides for an example.

Once you've established a good VA score, you know your configuration is in good shape and you want to "lock down" the system by installing the Guardium Configuration Audit System (CAS) module, which will alert you on any change in configuration, file permissions, environment variables, etc. CAS is part of VA Advanced, which makes it a natural next step for VA.

CAS tracks all changes that can affect the security of database environments outside the scope of the database engine:
• Tracks changes to database configuration files and other external objects that can affect your database security posture, such as
– Environment/registry variables
– Configuration files (e.g. SQLNET.ORA, NAMES.ORA)
– Shell scripts
– OS files
– Executables such as Java programs
• Required for all governance and risk management implementations
• Implements security best practices with no administrator work

CAS is a light-weight agent that runs on the server where database instances are installed. CAS monitors all changes to various constructs, including changes to files, file ownership and permission definitions, registry values, environment variables, and database structures. It polls these constructs based on a set of periods defined by the user and, if there are any changes, notifies the InfoSphere Guardium server precisely which element was changed, what the new value is (versus the old value), etc. CAS works from a template that defines what to monitor. The InfoSphere Guardium system includes a set of predefined templates that define the best practices for monitoring in several different database environments.


Page 15


The PCI and SOX accelerators are included with your DAM standard edition license as of V9. They are still a separate download patch and install but will likely be incorporated into the base producTo see the PCI tabs, you need to be a user with the PCI role as assigned by the Access Manager of yourThe accelerators provide you with out of the box reports and predefined group definitions (you can popKeep an eye on developerWorks – there will be an article on using the PCI accelerator sometime in 1H


Page 16


Fine-Grained Policies with Real-Time Alerts

Diagram: Application Server (10.10.9.244) issues a SELECT on the Employee table against the Database Server (10.10.9.56).

Included with DAM

Heterogeneous support including System z and IBM i data servers

Example of detecting access to the database server from someone using the App Server credentials. Alerting is one of the options you have for policy rules. You can set up pretty fine-grained rules. Alerts can be sent to email, syslog and/or to a SIEM system such as QRadar. They will also appear on the Incident Management tab of the Guardium UI. Be careful about how you set the Action: Alert Per Match could end up sending a lot of emails to someone, depending on the type of SQL statement.

Notes: The most common type of exception rule created is to alert on x number of failed login attempts within x minutes; for example, 3 failed login attempts within 5 minutes. To create this alert, create a new exception rule as follows:
• Action = Alert Per Match
• Minimum Count = 3
• Reset Interval = 5
• Excpt. Type = LOGIN_FAILED
• DB User = . (a period)

Placing a period in DB User causes the system to place a counter on DB User, so that you will only receive an alert when the same user attempts to log in three times within five minutes. Otherwise, it will alert whenever there are three failed logins from any three users within five minutes, which could result in a great deal of false positives.
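The failed-login exception rule above, modelled in Python as an added example (not Guardium code) to show why the per-DB-User counter matters; the exception records are constructed, and the counter semantics (start on first match, discard after the reset interval, fire and restart at the minimum count) are an assumption about how the appliance behaves:

```python
"""Model of an exception rule: Alert Per Match on LOGIN_FAILED with
Minimum Count = 3 and Reset Interval = 5 minutes, with and without the
per-DB-User counter that the "." in the DB User field switches on.

Added illustration for this transcript; not Guardium code."""
from datetime import datetime, timedelta

# Constructed sample exception records:
# (timestamp, exception type, client IP, DB user)
SAMPLE_EXCEPTIONS = [
    ("2013-02-21 09:00:05", "LOGIN_FAILED", "10.10.9.244", "appuser"),
    ("2013-02-21 09:01:10", "LOGIN_FAILED", "10.10.9.244", "dba1"),
    ("2013-02-21 09:01:30", "LOGIN_FAILED", "10.10.9.244", "report"),
    ("2013-02-21 09:02:00", "LOGIN_FAILED", "10.10.9.244", "dba1"),
    ("2013-02-21 09:03:45", "LOGIN_FAILED", "10.10.9.244", "dba1"),
    ("2013-02-21 09:20:00", "LOGIN_FAILED", "10.10.9.244", "dba1"),
    ("2013-02-21 09:21:00", "SQL_ERROR",    "10.10.9.244", "dba1"),
]


def evaluate_exception_rule(records, excpt_type="LOGIN_FAILED",
                            minimum_count=3, reset_interval_min=5,
                            count_per_db_user=True):
    """Return [(timestamp, counter key)] for every point the rule fires.

    Assumed semantics: a counter starts at the first matching exception,
    is discarded once reset_interval_min has elapsed since it started, and
    the alert fires (and the counter restarts) when it reaches
    minimum_count.  With count_per_db_user=False all users share one
    counter, which is the false-positive case the slide warns about."""
    window = timedelta(minutes=reset_interval_min)
    counters = {}          # key -> (window start, count so far)
    fired = []
    for ts_text, etype, _client_ip, db_user in sorted(records):
        if etype != excpt_type:
            continue       # only the selected exception type counts
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        key = db_user if count_per_db_user else "*"
        start, count = counters.get(key, (None, 0))
        if start is None or ts - start > window:
            start, count = ts, 0          # interval expired: fresh counter
        count += 1
        if count >= minimum_count:
            fired.append((ts_text, key))  # one alert per burst
            start, count = None, 0
        counters[key] = (start, count)
    return fired


if __name__ == "__main__":
    print("per-user counter:", evaluate_exception_rule(SAMPLE_EXCEPTIONS))
    print("shared counter  :", evaluate_exception_rule(
        SAMPLE_EXCEPTIONS, count_per_db_user=False))
```

With the per-user counter only dba1's three failures in under five minutes fire; with a shared counter the single failures of appuser, dba1 and report at 09:00-09:02 already fire, which is the noise the period in DB User avoids.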


Page 17


Preventing Unauthorized Access
S-GATE: Blocking Access

Diagram: Privileged Users (e.g. an outsourced DBA) issue SQL; S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated. SQL from Application Servers is not held. Databases: Oracle, DB2, MySQL, Sybase, etc.

“DBMS software does not protect data from administrators, so DBAs today have the ability to view or steal confidential data stored in a database.” Forrester, “Database Security: Market Overview,” Feb. 2009

Included with DAM Advanced

Configurable behavior to block access, for example by privileged users to sensitive data. The Guardium solution works across multiple different database types and does not rely on an appliance between the App Server and the database to do this. There is no impact to the legitimate Application Server traffic. S-GATE, an extension of the S-TAP agent, resides at the kernel level on the Database Server. S-GATE can look for Privileged User access specifically and hold only this traffic for validation: Guardium will hold the transaction, do an analysis, and allow it only if it doesn’t violate a policy. If the Privileged User violates a policy, Guardium can block this and report or alert on the violation. Other solutions that rely on an inline appliance would add latency to the application traffic and would not be able to block a user at the database console; they can’t block local access.

Using this requires you to configure the guard_tap.ini file and create a policy rule. Here’s part of guard_tap.ini:

firewall_default_state=0
firewall_fail_close=0
firewall_force_unwatch=NULL
firewall_force_watch=NULL
firewall_installed=1
firewall_timeout=10

For more detail on using S-GATE for blocking: See the Guardium “Protect” Help book.

Page 18


Mask Unauthorized Access To Sensitive Information
Cross-DBMS Dynamic Data Masking (DDM)

Redact and Mask Sensitive Data

Diagram: Unauthorized Users (e.g. an outsourced DBA) and Application Servers issue SQL against the database (Oracle, DB2, MySQL, Sybase, etc.) through the S-TAP; the actual data stored in the database is shown beside the user’s view of the data in the database.

Cross-DBMS policies
Mask sensitive data
No database changes
No application changes

Included with DAM Advanced

It’s critical to keep private data private, and that includes keeping it private from authorized users such as DBAs. Guardium can mask data using a single solution across multiple database types. Redaction (scrub) rules should be set on the session level (meaning, trigger rules on session attributes like IPs, users, etc.), not on the SQL level / attributes (like OBJECT_NAME or VERB), because if you set the scrub rule on the SQL that needs to be scrubbed, it will probably take a few milliseconds for the scrub instructions to reach the S-TAP, during which some results may go through unmasked. To guarantee all SQL is scrubbed, set the S-TAP (S-GATE) default mode to "attach" for all sessions (in guard_tap.ini). This guarantees that no command goes through without being inspected by the rules engine, holding each request and waiting for the policy's verdict on it. This deployment introduces some latency, but it is the way to ensure 100% scrubbed data. For more information, see the Guardium “Protect” Help Book.

Page 19


InfoSphere Guardium Data Encryption

Figure: a clear-text file (fields Name, CCN, Exp Date, Bal, SSN) alongside its file-system metadata (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02). With MetaClear block-level encryption the file data becomes ciphertext while the file-system metadata stays in the clear.

• Protects Sensitive Information Without Disrupting Data Management
• High-Performance Encryption
• Root Access Control
• Data Access as an Intended Privilege

InfoSphere Guardium Encryption Expert uses a proven and highly effective encryption process called MetaClear. MetaClear encryption protects the file data while leaving the file system metadata (the data about the data) in the clear. There are three benefits of MetaClear encryption:

* Transparency: because the outward appearance of the files does not change, there is no impact to the OS, databases, storage, end-users, etc.

* Need to know: applications and privileged administrators can still access protected data but may not be allowed to see the file data in clear text. This meets separation of duties requirements. It also enforces need-to-know policies.

* Performance: we only encrypt/decrypt the specific portion of the file that is being processed. This has major implications for databases, since a database doesn’t use all of its data at once, only a few rows at a time.

Page 20


Entitlement Reporting: Reducing the Cost of Managing User Rights

Provides a simple means of aggregating and understanding entitlement information

– Scans and collects information on a scheduled basis, including group and role information

Out-of-the-box reports for common views
– Report writer for custom views

Integrated with all other modules including workflow, etc.

Eliminates the resource-intensive and error-prone process of manually examining each database and stepping through roles

Included with VA Advanced

Entitlement reviews are the process of validating and ensuring that users only have the privileges required to perform their duties. Along with authenticating users and restricting role-based access privileges to data, even for the most privileged database users, there is a need to periodically perform such entitlement reviews. This is also known as database user rights attestation reporting. Use Guardium’s predefined database entitlement (privilege) reports, for example, to see who has system privileges and who has granted these privileges to other users and roles. Database entitlement reports are important for auditors tracking changes to database access and for ensuring that security holes do not exist from lingering accounts or ill-granted privileges. Custom database entitlement reports have been created to save configuration time and facilitate the uploading and reporting of data. Entitlement reports for DB2 for z/OS are also provided.


Page 21

DB2 Entitlement Reports

Here’s an example of a DB2 entitlement report.


Page 22

Heterogeneous Database Entitlement Reports – Oracle Sample Reports

Here’s an Oracle report, and a listing of all the databases for which entitlement reporting is supported. Remember, you need VA Advanced or this will not appear in your console.


Page 23

Audit Process Overview

Create a process to review entitlement reports and new connections to the database

Use separation of duties to validate the process

Included with DAM
Included with VA

Entitlement Report can be used to identify “new” connections to the database

Here’s an example of using the audit process (workflow) to automate review of entitlement reports. To ensure that no one person is solely in control of allowing new connections or entitlements, use Guardium’s separation-of-duties capability to automatically route the report through the appropriate approvers. The next few slides step through how to do that.

Page 24

Audit Process Overview

Business Owner (PCI Role)

Information Security (InfoSec Role)

Guardium Admin (Admin Role)

Business Owner approves or rejects new connections to the database

Information Security confirms the Business Owner’s recommendation

Guardium Admin only makes changes for “authorized” connections

If there are no new connections, the report will be empty and automatically approved… (i.e., don’t waste anyone’s time)

One thing all auditors are going to want to see is a process that ensures all incidents are investigated and remediated. InfoSphere Guardium is unique in providing an integrated compliance workflow automation application that automates the process of ensuring all incidents are addressed, which reduces your operational costs while quickly providing the audit trail required for compliance.

The compliance workflow tool gives you the flexibility to define unique custom processes for different organizations or efforts, for example different escalation or review steps for different parts of the organization to ensure checks and balances. In this example, we are using this workflow process to ensure review and approval of new database connections. It needs to be routed from the business owner, through information security, and then to the Guardium Admin, who can actually move the new connections to the “approved connections” group.

The workflow process also provides enough granularity to handle individual line items in a report, like rerouting a subset of issues for escalation or outside review.

These capabilities enable the cost benefits of automation to be realized: even in large, complex organizations where you have a variety of different processes, and a variety of incidents with differing remediation profiles, this custom workflow can fit seamlessly into your organizational processes.


Page 25

Audit Process Trail Created For Authorization Process

Here are the connections that need to be approved.

Here you can see the auditable review process signoffs.

Page 26

Audit Process Trail Created For Authorization Process

Reviewer can add comments.

You can add your comments and sign results when routed to you.

Page 27

Use Guardium API linkage with Reports to Automatically Add Connections

Four connections added to group

Now that our 4 connections have been approved, the Guardium Administrator can move them into a group of ‘Authorized’ connections directly from the ‘unauthorized connections’ report. This is done by invoking the “create_member_to_group_by_desc” API directly from the report, as shown here. Select the connections to add and, voilà, they are added to the authorized group and should no longer appear in the unauthorized connections report.

Page 28

What we’ll cover today

What is Guardium and what problems does it address?

Overview of some capabilities

Architectural overview and policy primer

Deployment topologies

Guardium team and projects

Whirlwind tour of the UI

Administration/automation (CLI and API)

Where to find more information

Page 29

InfoSphere Guardium Architecture

Support Separation of Duties
Collect and normalize data for efficient storage
Single repository for all audit data
Data is immediately available and highly secure

S-TAP – Software Tap (lightweight probe which copies information to the appliance)

Guardium Appliance

Role Based GUI: provides access to audit data (Information Security, Auditors, DBA, etc.)

Secure Audit Records

Application Servers (SAP, Oracle EBS, Custom Apps, etc.)

Agent Required: Auditing, Real time alerting, Blocking, Dynamic Data Masking (DDM)

The Guardium appliance is hardened, by which we mean that there is no root access allowed to the data stored there. The heavy-duty lifting of parsing and logging data traffic is done there. The appliance is easily deployable. Once set up, the Collector can gather all the audit information in a normalized format (like a SIEM for DBs). The Vulnerability Assessment tool will scan these DBs and DB servers for needed patches or configuration hardening, based on periodically updated vulnerability templates.

S-TAP agents are very lightweight. They require no changes to the database or applications. Collectors (appliances) handle the heavy lifting (parsing, logging, etc.) to reduce the impact on the database server. The agents are OS-specific (e.g., Linux, Windows). The S-TAP listens for network packets between the DB client and the DB server. The Guardium Admin configures each S-TAP to listen to the correct database ports and to interpret the specific type of database that Guardium needs to listen for. These configurations are called ‘inspection engines’. There is also an automatic discovery process to do the DB discovery for you and configure the inspection engines with the correct ports.

The S-TAPs monitor ALL access via network (TCP) or local connections (Bequeath, shared memory, named pipes, etc.). A privileged user working on the server console won’t be detected by any solution that only monitors network traffic, so be careful of SPAN-port-only solutions.

The GUI is web-based and is customized out of the box for different roles such as PCI auditor. It’s also quite customizable, with the ability to add and delete portlets for specific functions. Those customizations can be rolled out to others.


Page 30

What Can Be Audited?

Key Message

Information is based on a database session

Understand what needs to be audited

What needs to be audited?

Session information

User information

SQL statements

Responses

– Failed Events

– Result Sets

Database Server

Database Client

Activity from the DB client to the DB server

Client/Server network connections

Session starts (log in)

SQL Requests (commands)

Activity from the DB Server to the DB Client

Failed Login Messages

Result sets

SQL Errors

Session ends (log out)

Typical Database Session

Once STAP has been installed and the inspection engines configured, STAP will start forwarding all database traffic to the collector. This traffic is analyzed, parsed, and logged by the sniffer process on the collector, as follows:

Traffic sent by STAP

Database Client -> Database Server
• Client/server network connections
• Sessions (logins/logouts)
• SQL requests (commands)

Database Server -> Database Client
• Failed login messages
• SQL errors
• Result sets

Traffic analyzed, parsed and logged by the sniffer

Database Client -> Database Server
• Client/server network connections
• Sessions (logins/logouts)
• SQL requests (commands)

Database Server -> Database Client
• Failed login messages
• SQL errors
• Result sets


Page 31

Capture and Parsing Overview

[Diagram: Database Client -> S-TAP on the Database Server -> Guardium Collector (Analysis engine). Information is copied and sent to the appliance. The statement “Select name, cardid from Creditcard” issued by user Joe is parsed into Sessions, Commands (Select), Objects (Creditcard) and Columns/Fields (name, cardid), and stored in the read-only hardened repository (no direct access).]

How do you get access to this information?

Here’s a simple example to illustrate the flow of a select statement. Remember, we learned that from the client to the server, we will pass on not just the ‘command’ (the Select statement in the above example) but relevant information about the client/server network connection (client IP, server IP, etc.) and the session information (login, logout). This process does not introduce latency for the database server; it is completely non-intrusive.

The Analysis Engine (colloquially known as the ‘sniffer’) will parse the information and store it in the internal Guardium repository on the hardened appliance. There is no direct access to this data; you have to go through the UI or API to run reports, set up alerts, etc. to make use of it. As you will see in the next slide, the data is externalized as domains, entities and attributes, not usually the direct table names.


Page 32

Reports/Query Builder: Entities and Attributes

[Diagram: a captured network packet “1.1.1.1 23345 10.12.1.12 1433 select name, cardid from Creditcard;” is parsed, analyzed and logged in the read-only hardened repository (no direct access) as entities and attributes: Sessions, Commands, Objects, Columns/Fields, Exceptions, SQL, Returned Data. Traffic is filtered at different stages based on policy rules. The query builder for reports works on these entities and attributes.]

Policy rules determine where filtering occurs between the S-TAP and the time the traffic gets logged. There are some filters that happen at the S-TAP level which can help reduce the traffic sent to the appliance:

Network information: filter client/server IP, filter TCP ports

Which sessions to monitor/ignore (based on OS user, DB user, etc.)

What traffic (SQLs, exceptions, returned data) to audit, and in what granularity (based on the command, the tables, the user, etc.)

Now that the audit data is in the repository of the hardened collector, how do you get at it? There are many out-of-the-box reports, but it’s good to have an understanding of how those reports are created so you can really take advantage of the stored audit data for your own needs.

The audit data is represented in the Guardium system as a collection of domains, with appropriate entities and attributes associated with that domain. (The Appendices Help book includes more details about this.) Each Guardium role typically has access to a subset of domains, depending on the function of that role within the company. Guardium admin role users typically have access to all reporting domains.

This slide shows use of the query builder for creating reports and how the entities and attributes appear on the builder.
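As an added illustration (not Guardium’s parser, schema or packet format) of the parse step the last two slides describe, this Python sketch turns captured records in the slide’s “client IP, client port, server IP, server port, SQL” shape into session, command, object and field entities; the record format, the regexes and the two extra sample lines are assumptions.

```python
"""Sketch of the collector's parse step: one captured client->server record
becomes the entities a report exposes (session, command, objects, fields).
Added illustration; not Guardium's parser, schema or packet format."""
import re
from dataclasses import dataclass, field

# Constructed input: the slide's packet plus two more of the same assumed
# shape "<client ip> <client port> <server ip> <server port> <sql>".
CAPTURED = [
    "1.1.1.1 23345 10.12.1.12 1433 select name, cardid from Creditcard;",
    "10.0.0.7 51022 10.12.1.12 1433 update Accounts set balance = 0 where id = 42;",
    "1.1.1.1 23345 10.12.1.12 1433 select count(*) from Orders o join Customers c on o.cid = c.id;",
]

_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.*)$")
# Table names follow FROM / JOIN / UPDATE / INTO in the simple SQL handled here.
_OBJECT = re.compile(r"\b(?:from|join|update|into)\s+([A-Za-z_][\w.]*)", re.I)
_SELECT_LIST = re.compile(r"^select\s+(.*?)\s+from\b", re.I | re.S)
_SET_LIST = re.compile(r"\bset\s+(.*?)(?:\s+where\b|;|$)", re.I | re.S)


@dataclass
class ParsedEvent:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    command: str                                   # SQL verb, e.g. SELECT
    sql: str
    objects: list = field(default_factory=list)    # tables touched
    fields: list = field(default_factory=list)     # columns selected or assigned

    def session_key(self):
        """A session is the client/server 4-tuple: every record on the same
        client socket belongs to the same session."""
        return (self.client_ip, self.client_port, self.server_ip, self.server_port)


def parse_record(line):
    """Split one captured record into network attributes and parsed SQL."""
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError("unrecognised record: %r" % line)
    cip, cport, sip, sport, sql = m.groups()
    sql = sql.strip()
    verb = sql.split(None, 1)[0].upper() if sql else ""
    ev = ParsedEvent(cip, int(cport), sip, int(sport), verb, sql)
    ev.objects = _OBJECT.findall(sql)
    cols = []
    if verb == "SELECT":
        m2 = _SELECT_LIST.match(sql)
        if m2:
            cols = [c.strip() for c in m2.group(1).split(",")]
    elif verb == "UPDATE":
        m2 = _SET_LIST.search(sql)
        if m2:
            cols = [a.split("=")[0].strip() for a in m2.group(1).split(",")]
    ev.fields = [c for c in cols if c and c != "*"]
    return ev


def parse_all(lines):
    return [parse_record(line) for line in lines]


def sessions(events):
    """Group parsed events by session, the way a Sessions entity rolls them up."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev.session_key(), []).append(ev)
    return grouped
```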


Page 33

Policy Primer - Accessing the Policy Builder

Notes: To access the Policy Builder:
• As a user with the admin role, go to Tools -> Policy Builder
• As a user with the user role, go to Protect -> Security Policies -> Policy Builder

Note: For a policy, or any changes to a policy, to take effect, it must be installed.

To install a policy:
• Go to the Administration Console, Policy Installation
• Highlight the policy that you would like to install and choose Install from the drop-down list

If the groups contained within the policy are updated regularly, the installation should be scheduled by clicking Modify Schedule to open the general-purpose scheduling utility. For example, if you are using ‘Populate from Query’ to update a group of privileged users nightly, the policy should be scheduled to be reinstalled after the group update.

More than one installed policy is permitted at the same time. All installed policies are available for action and are run sequentially. The only limitation is that policies defined as selective audit policies cannot be mixed with policies not defined as selective audit policies; if you try to mix them, an error message will result when installing these mixed policies. The order of appearance can be controlled during the policy installation, such as first, last or somewhere in between, but it cannot be edited at a later date.

Remember – the policy must be installed after any modifications (such as new or changed rules) for the changes to take effect. Use the Install & Override option on the installation.


Page 34

3 Types of Policy Rules

SQL Query

Result Set

Database Server

Exception (SQL Errors and more)

There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3. An exception rule evaluates exceptions returned by the server

Concept information – Rule Types: There are three types of rules, which determine which fields are available in the policy rule builder.

Access rule – An access rule evaluates client accesses and enables the creation of real-time alerts.

Exception rule – An exception rule evaluates real-time exceptions returned by the server. For example, it might test for five file permission exceptions within one minute.

Extrusion rule – An extrusion rule evaluates real-time data returned by the server (in response to requests). For example, it might test the returned data for numeric patterns that could be social security or credit card numbers. For extrusion rules only, portions of database query output (for example, credit card numbers) may be masked for certain users.
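The three rule types applied to a constructed event stream, as an added illustration (not Guardium’s policy engine or rule schema): an access rule flags a non-authorized user reading the Creditcard table, an exception rule fires on five server errors from one client within a minute (the threshold shape the slide gives), and an extrusion rule finds Luhn-valid 13–16 digit runs in returned rows and masks them. The group names, event layout, thresholds and the Luhn filter are my assumptions.

```python
"""Toy evaluation of the three rule types (access, exception, extrusion)
against a constructed event stream.  Added illustration of the concept on
this slide; it is not Guardium's policy engine or its rule schema."""
import re
from collections import deque

# Constructed stand-ins for Guardium groups.
AUTHORIZED_DB_USERS = {"app_svc"}
SENSITIVE_OBJECTS = {"creditcard"}

# Events as the collector would see them, in time order (ts in seconds).
# kind: "access" = client request, "exception" = server error, "result" = returned data.
EVENTS = [
    {"ts": 0, "kind": "access", "db_user": "joe", "client_ip": "1.1.1.1",
     "objects": ["Creditcard"], "sql": "select name, cardid from Creditcard"},
    {"ts": 1, "kind": "result", "db_user": "joe", "client_ip": "1.1.1.1",
     "rows": [["Joe", "4111111111111111"], ["Ann", "5500000000000004"]]},
    {"ts": 5, "kind": "access", "db_user": "app_svc", "client_ip": "10.0.0.7",
     "objects": ["Orders"], "sql": "select count(*) from Orders"},
] + [{"ts": 10 + 5 * i, "kind": "exception", "db_user": "joe",
      "client_ip": "1.1.1.1", "error": "login failed"} for i in range(5)]

CARD_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_value(value):
    """Mask card-like numbers in one returned cell, keeping the last four digits."""
    def _mask(m):
        s = m.group(0)
        return "X" * (len(s) - 4) + s[-4:] if luhn_ok(s) else s
    return CARD_RE.sub(_mask, value)


class Policy:
    def __init__(self, exc_threshold=5, exc_window_sec=60):
        # Threshold and window are constructed, mirroring the slide's
        # "five exceptions within one minute" shape.
        self.exc_threshold = exc_threshold
        self.exc_window_sec = exc_window_sec
        self._recent = {}   # client_ip -> timestamps of recent exceptions

    def access_rule(self, ev):
        """Access rule: evaluates the client request (who touched what)."""
        touched = {o.lower() for o in ev["objects"]}
        if touched & SENSITIVE_OBJECTS and ev["db_user"] not in AUTHORIZED_DB_USERS:
            return {"rule": "Unauthorized access to cardholder data", "action": "ALERT",
                    "ts": ev["ts"], "db_user": ev["db_user"]}
        return None

    def exception_rule(self, ev):
        """Exception rule: N server errors from one client inside the window."""
        q = self._recent.setdefault(ev["client_ip"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.exc_window_sec:
            q.popleft()
        if len(q) >= self.exc_threshold:
            q.clear()  # start a fresh count after firing
            return {"rule": "Login failure threshold", "action": "ALERT",
                    "ts": ev["ts"], "client_ip": ev["client_ip"]}
        return None

    def extrusion_rule(self, ev):
        """Extrusion rule: scan returned rows; record a masked copy on the event."""
        masked = [[mask_value(str(c)) for c in row] for row in ev["rows"]]
        ev["masked_rows"] = masked
        if masked != [[str(c) for c in row] for row in ev["rows"]]:
            return {"rule": "Card number in result set", "action": "MASK",
                    "ts": ev["ts"], "db_user": ev["db_user"]}
        return None

    def evaluate(self, events):
        """Run every event through the rule for its kind; return the violations."""
        handlers = {"access": self.access_rule, "exception": self.exception_rule,
                    "result": self.extrusion_rule}
        violations = []
        for ev in events:
            hit = handlers[ev["kind"]](ev)
            if hit:
                violations.append(hit)
        return violations
```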


Page 35

SAP PCI Policy Overview

This is a sample predefined policy. It has three different types of rules:

– Access Rules
– Extrusion Rules
– Exception Rules

Each of these types of rules helps secure your environment. It’s also helpful to understand the impact on the system depending on what type of information you are trying to audit.


Page 36

One Unauthorized Access Violates 4 Security Rules

This presentation doesn’t show all the individual rules, but some are included in the backup slides. This slide highlights a couple of rules that were violated as a result of the query that returns a credit card number. You can see that the credit card value is masked in the report.


Page 37

Quiz question!

What are the three types of policy rules? Pick the best answer from below:

1. Masking, extrusion, access

2. Access, PCI, compliance

3. Access, exception, extrusion

4. None of the above

The correct answer is 3.

Page 38

What we’ll cover today

What is Guardium and what problems does it address?

Overview of some capabilities

Architectural overview and policy primer

Deployment topologies

Guardium team and projects

Whirlwind tour of the UI

Administration/automation (CLI and API)

Where to find more information

Page 39

Deployment flexibility and scalability

Central Manager (CM) contains the central location for policies and definitions for the entire federated system

“Aggregation” = nightly audit data uploaded from Collectors

Built-in redundancy for audit data (collector and aggregator)

Standalone unit: Collector

Central Manager and Aggregator (“Manager unit”)

Collectors (“Managed units”)

Central Manager provides “Enterprise Views”

Appliance Types

Collector: Used to collect database activity, analyze it in real time and log it in the internal repository for further analysis and/or reacting in real time (alerting, blocking, etc.). Use this unit for the real-time capture and analysis of the database activity.

Aggregator: Used to collect and merge information from multiple appliances (collectors and other aggregators) to produce a holistic view of the entire environment and generate enterprise-level reports. The Aggregator does not collect data itself; it just aggregates data from multiple sources.

Central Manager: Use this appliance to manage and control multiple Guardium appliances. With Central Manager (CM), manage the entire Guardium deployment (all the collectors and aggregators) from a single console (the CM console). This includes patch installation, software updates and the management and configuration of queries, reports, groups, users, policies, etc.

Note: In many environments, the Central Manager is also the Aggregator. Central Manager and Aggregator can be installed on the same appliance.

Hierarchical Aggregation: Guardium also supports hierarchical aggregation, where multiple aggregation appliances merge upwards to a higher-level, central aggregation appliance. This is useful for multi-level views. For example, you may need to deploy one aggregation appliance for North America aggregating multiple units, another aggregation appliance for Asia aggregating multiple units, and a central, global aggregation appliance merging the contents of the North America and Asia aggregation appliances into a single corporate view. To consolidate data, all aggregated Guardium servers export data to the aggregation appliance on a scheduled basis. The aggregation appliance imports that data into a single database on the aggregation appliance, so that reports run on the aggregation appliance are based on the data consolidated from all of the aggregated Guardium servers.

Aggregation Process
• Accomplished by exporting data on a daily basis from the source appliances to the Aggregator (copying daily export files to the aggregator).
• The Aggregator then goes over the uploaded files, extracts each file and merges it into the internal repository on the aggregator.

For example, if you are running Guardium in an enterprise deployment, you may have multiple Guardium servers monitoring different environments (different geographic locations or business units, for example). It may be useful to collect all data in a central location to facilitate an enterprise view of database usage. You can accomplish this by exporting data from a number of servers to another server that has been configured (during the initial installation procedures) as an aggregation appliance. In such a deployment, you typically run all reports, assessments, audit processes, and so forth, on the aggregation appliance to achieve a wider view, not always an enterprise view.

Page 40

Central Manager

Admin Console -> System

Need same shared secret to register

Included with CM/AGG

Once you have a Central Manager, you must connect the other machines into a Central Management system. For security reasons, it is a requirement that the communication between the machines be encrypted using the same “shared secret”. To do this:
1. For each machine (including the Central Manager), log into the Guardium GUI as the admin user
2. Click on the Administrator Console tab
3. Click on the System link in the left-hand column menu
4. Set the Shared Secret to the same string on all systems

Page 41

Central Manager

Install Policy
Patch Distribution
Registration
etc.

Admin Console -> System
Need same shared secret to register

Included with CM/AGG

Here you can see the collectors that are connected in this central management system. From here, you can install policies, distribute patches, etc.

In a central management configuration, one Guardium unit is designated as the Central Manager. That unit can be used to monitor and control other Guardium units, which are referred to as managed units. Unmanaged units are referred to as standalone units.

The concept of a “local machine” can refer to any machine in the Central Management system. There are some applications (Audit Processes, Queries, Portlets, etc.) which can be run on both the Managed Units and the Central Manager. In both cases, the definitions come from the Central Manager and the data comes from the local machine (which could also be the Central Manager). Once a Central Management system is set up, you can use either the Central Manager or a Managed Unit to create or modify most definitions. Keep in mind that most of the definitions reside on the Central Manager, regardless of which machine the actual editing is done from.

Page 42

Included with CM/AGG

Here are reports that you can use to help manage the health of your central management system. The TAP Monitor tab is where administrators can access S-TAP reports.

Page 43

Enterprise S-TAP View


Included with CM/AGG

The "Detailed Enterprise S-TAP view" shows, from the Central Manager, information on all active and passive S-TAPs on all collectors and/or managed units.

Page 44

Scale from small to VERY large

Enterprise Architecture with dynamic scalability
Non-invasive/non-disruptive, cross-platform architecture
No environment changes

Integration with:
• LDAP
• SIEM
• Change Mgt
• Archiving
• and more…

Guardium is designed to handle scalability and cross-geographical deployments. We talked about how the aggregators and central managers can help you scale out and scale up. Here’s how it could look in a large distributed environment.

Multiple STAPs and Collectors as needed to handle monitoring and auditing requirements for those systems

SGATE – blocking for only the traffic you need to block!

STAP for Z – monitoring mainframes as well as distributed platforms; roll those results up into your enterprise reports.

Centralized Policy Management

Centralized Audit Repository

Scalable: auditing millions of transactions. Add Collectors when and where needed to handle whatever throughput and auditing requirements you need.

STAP Agents provide failover and redundancy options as we will talk about in the next slide.


Page 45

1. Basic

2. Failover

3. Load Balancing

Failover, Load Balancing, and “Grid”


In many cases only a single Guardium appliance will be defined as the host for an S-TAP. Additional hosts can be defined to provide failover and load-balancing capability.

Failover. S-TAP collects and sends data to a Guardium host in near real time. S-TAP buffers the data, so that it can continue to work if the Guardium host is momentarily unavailable. If the primary host is unavailable for an extended period of time (the time can be shorter if the buffer is filling up), S-TAP can fail over to a secondary Guardium host. It will continue to send data to the secondary host until either that appliance becomes unavailable, the S-TAP is restarted, or a connection to the primary server has been re-established and remains up for a period of 5*connection_timeout_sec seconds (configurable in the guard_tap.ini file; the default is 60 seconds). In that case S-TAP will fail back from the secondary Guardium host to the primary Guardium host. When a failover of S-TAP occurs, session information can also be sent over to the current active Guardium host.


Page 46

1. Basic

2. Failover

3. Load Balancing

4. Grid

Failover, Load Balancing, and “Grid”

Tested with load balancers from F5 & Cisco

S-TAP configuration:
sqlguard_ip=virtual IP
sqlguard_port=16016
primary=1

Same collector settings for all s-taps

3. There are options for load balancing you can set in the S-TAP configuration file (participate_load_balancing=):
0 = Report all traffic to a single appliance (the default).
1 = Load balancing; distribute sessions evenly to all appliances, by client port number (all traffic for a single session must go to the same appliance).
2 = Full redundancy; report all traffic to all appliances.
3 = In an IP load balancer environment, if the Guardium appliance goes down, allows the IP load balancer to reconnect the S-TAP to a different Guardium appliance/collector – see the Grid slide next.


Page 47


Failover, Load Balancing, and “Grid”


http://www.f5.com/pdf/deployment-guides/ibm-guardium-dg.pdf

Grid: Elasticity for supporting large deployments. Simplifies configuration management: S-TAPs are pointed at a primary Virtual IP (and a secondary Virtual IP, etc.) rather than at individual collectors. Benefits: better uptime, easier scalability, less configuration complexity and less chance of lost S-TAP data.

Tested with Cisco and F5.
Seamlessly add audit capacity when adding or changing your database infrastructure, such as during enterprise deployments / upgrades.
Automate the relationship between S-TAPs and the collectors: add or remove collectors with no effect on the deployment.
Simply and consistently configure S-TAPs.
Provide a high degree of failover and load balancing.
From a capacity management perspective, add resources, monitor infrastructure, and adjust capacity as needed (or when something fails ☺).

The main value is connection balancing. The Guardium S-TAP connection is long lived. When the initial connection setup happens, the F5 BIG-IP or other load balancer directs the connection to the least loaded Guardium host, chosen at connection setup time based on the number of connections. The other benefits of this solution are that the BIG-IP or other supported load balancer will detect an outage, take that Guardium appliance out of service and then send a TCP reset, which forces a new connection. All of this happens without the intervention of an administrator.

A final benefit is that the configuration complexity is reduced. Instead of mapping the IP addresses of multiple Guardium hosts in the appropriate .INI file, only the Virtual IP address is included; the load balancer does the rest.

Configure the S-TAP to work with a load balancer environment:
sqlguard_ip = Virtual IP address/hostname of the load balancer (depending on the load balancer setup)
participate_load_balancing = 3 (to send pre-existing session information on every failover to the appliance)
all_can_control = 1 (in order to be able to edit S-TAP configurations through the GUI)
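As an added example of checking the S-TAP settings described on this slide and on the failover slide above (example code, not from the deck or from the Guardium product): a Python linter that reads a guard_tap.ini fragment, computes the fail-back wait from connection_timeout_sec, and flags a load-balancer configuration that is missing the settings listed above. The section names [TAP] and [SQLGuard_N], the sample addresses and the expectation of exactly one primary=1 entry are assumptions of the example; only the keys shown on the slides are used.

```python
import configparser
from typing import List

# Meaning of the participate_load_balancing values, as stated on the slide.
LB_MODES = {
    0: "report all traffic to a single appliance (default)",
    1: "distribute sessions evenly across appliances by client port",
    2: "full redundancy: report all traffic to all appliances",
    3: "IP load balancer: reconnect through the virtual IP on failover",
}

# Constructed guard_tap.ini fragment for the load-balancer topology.
# The [TAP] and [SQLGuard_0] section names are assumptions of this example.
LB_INI = """
[TAP]
participate_load_balancing=3
all_can_control=1
connection_timeout_sec=60

[SQLGuard_0]
sqlguard_ip=192.0.2.10
sqlguard_port=16016
primary=1
"""

# Constructed fragment for the plain failover topology: a primary and a secondary collector.
FAILOVER_INI = """
[TAP]
participate_load_balancing=0
connection_timeout_sec=30

[SQLGuard_0]
sqlguard_ip=192.0.2.11
sqlguard_port=16016
primary=1

[SQLGuard_1]
sqlguard_ip=192.0.2.12
sqlguard_port=16016
primary=0
"""


def parse_stap_ini(text: str) -> configparser.ConfigParser:
    """Parse an INI fragment; configparser lowercases keys, so Sqlguard_ip and sqlguard_ip are the same."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def failback_wait_seconds(cp: configparser.ConfigParser) -> int:
    """Seconds the primary must stay reachable before S-TAP fails back to it:
    5 * connection_timeout_sec, using the slide's default of 60 s when unset."""
    return 5 * cp.getint("TAP", "connection_timeout_sec", fallback=60)


def collector_sections(cp: configparser.ConfigParser) -> List[str]:
    """Sections describing a collector (assumed to be named SQLGuard_N)."""
    return [s for s in cp.sections() if s.lower().startswith("sqlguard")]


def check_stap_config(cp: configparser.ConfigParser) -> List[str]:
    """Return findings; an empty list means the fragment matches the slide's guidance."""
    findings: List[str] = []
    mode = cp.getint("TAP", "participate_load_balancing", fallback=0)
    if mode not in LB_MODES:
        findings.append(f"participate_load_balancing={mode}: not a documented value (0-3)")
    collectors = collector_sections(cp)
    if not collectors:
        findings.append("no collector (sqlguard_ip) entry: S-TAP has nowhere to send traffic")
        return findings
    for s in collectors:
        if not cp.get(s, "sqlguard_ip", fallback="").strip():
            findings.append(f"{s}: sqlguard_ip is empty")
    primaries = [s for s in collectors if cp.getint(s, "primary", fallback=0) == 1]
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary=1 collector, found {len(primaries)}")
    if mode == 3:
        # The slide's load-balancer setup: one entry holding the virtual IP,
        # and all_can_control=1 so the S-TAP can still be edited from the GUI.
        if len(collectors) != 1:
            findings.append("mode 3: point a single collector entry at the load balancer's virtual IP")
        if cp.getint("TAP", "all_can_control", fallback=0) != 1:
            findings.append("mode 3: set all_can_control=1 to edit the S-TAP configuration through the GUI")
    return findings


if __name__ == "__main__":
    for name, text in (("load balancer", LB_INI), ("failover", FAILOVER_INI)):
        cp = parse_stap_ini(text)
        print(name, "fail-back wait:", failback_wait_seconds(cp), "s; findings:", check_stap_config(cp))
```

Run it against a real guard_tap.ini by reading the file into `parse_stap_ini`; the checks are the ones a reviewer would apply by eye, so the finding strings name the slide setting that is missing.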


Page 48

Quiz question!

If you need to create corporate audit reports as well as manage a large number of Collectors, which configuration do you need? Pick BEST answer:

1. Central Manager directly managing Collectors

2. Aggregator connected to Collectors

3. A web application to roll up your reports

4. A Central Manager and one or more Aggregators

The correct answer is 4. Central Managers cannot directly manage Collectors. Note that answer 2 could work if you had a Central Manager on the same appliance as the Aggregator, but it doesn’t say that! In either case you will likely need a Central Manager to help you manage policies and definitions across the enterprise, and Aggregators to roll up data/reports.

Page 49

What we’ll cover today (agenda slide, repeated)

Page 50

Roles and responsibilities – The TEAM

Guardium Access Manager – Access control
Guardium Admin – Data collection and reporting
Guardium System Administrator – System health
Compliance Advisor – Identify requirements for compliance
Application Advisor – Provide application level understanding and review
Database Advisor – Provide DBA level understanding and review

These may vary, and in some situations a single person may perform multiple roles, but each role will have tasks to perform.

Guardium Access Manager (user: accessmgr)
This user controls access to the system. Data cannot be accessed under this user, but it can perform user management.

Guardium Admin
This person is primarily responsible for the data collection and reporting, and will perform most of the tasks within the Guardium application. This is most often the responsibility of staff within the security department.

Guardium SysAdmin
This person will be responsible for the administration of the Guardium system. They may or may not view the data on the system, but they are responsible for monitoring the health of the system (status, usage, errors, etc.).

DBA Advisor
This will be a DBA or DBA manager within your organization who will be the contact point for Guardium requests, and will work closely with the Guardium Admin. This person will have the following responsibilities:
• Help identify sensitive objects (tables, views, procedures, etc.) in the databases.
• Provide database understanding – assistance with understanding commands, sensitive objects, etc.
• Receive database alerts if defined.
• Review error reports from the database standpoint.
• Review database access reports.

Application Advisor
This will be an application developer who will be the contact point for issues relating to applications. This person will have the following responsibilities:
• Help identify sensitive objects (tables, views, procedures, etc.) in the databases.
• Provide application understanding of the different application users.
• Receive application alerts if defined.
• Review error reports from the application standpoint.
• Review application access reports for discrepancies.

Compliance Advisor
This will be an auditor responsible for database activity compliance. This person will have the following responsibilities:
• Identify the required reports for compliance.
• Ensure reports are distributed and signed off on a regular basis.
• Receive compliance alerts if defined.


Page 51

Getting started on a monitoring project

0. Education and training

1. Installation Planning
Team: Project Manager, DBA Advisor, Security, Auditor, Network Admin, System Admin, Guardium administrator
• Analyze requirements
• Identify database servers in scope
• Data centers, locations and network considerations
• Installation of the appliances (process, steps and requirements)
• Basic configuration of the appliances
• Deployment plan of the Guardium appliances
• Installation of the S-TAP (process, steps and requirements)
• Basic configuration of the S-TAP

2. Appliance Installation
Team: Project Manager, Network Administrator, Guardium Administrator
• Rack and connect each Guardium appliance to power and network
• Configure each Guardium appliance with basic configuration parameters
• Verify systems are on the network
• (If applicable) Register all Guardium appliances to the “Central Manager”
• Review and complete basic configuration of each appliance

3. S-TAP agent Installation
Team: Guardium Administrator, DBA Advisor, Database server system administrator
• S-TAP agents are installed on database servers
• S-TAP agents are configured to capture traffic
• Verification that the S-TAP is registered and is sending local traffic
• Verify S-TAP traffic is captured by the collector

4. Monitoring Requirements
Team: those responsible for monitoring, security and review of the logged data. This typically includes Information Security, Audit, DBA Advisor, Data Stewards/Architects
• Configure groups: privileged users, commands, applications, server IPs, source programs, sensitive objects
• Setup of reports
• Setup of automated audit process
• Setup of policy rules based on the “Monitoring Plan”
• Alerting processes and procedures

5. Guardium Operations
Team: IT infrastructure, Guardium SysAdmin, Disk storage Admin
• Aggregation
• Archiving
• Purging


Page 52

What we’ll cover today (agenda slide, repeated)

Page 53

Default user view

Callouts on the screenshot: Portlets; Search, Map and Help; Navigate menus; Navigate tabs

Users access the appliance over a secure (HTTPS) connection, using a Web browser. All users are defined on the system by the access manager. The Guardium UI is web-based and includes many configurable portlets, a few of which are highlighted above. A portlet can be a report, application, or tool. Each pane may contain any number of report portlets, and a single application or tool portlet. Note that you can often double-click on a report to drill down into further detail. When you log in for the first time, your portal displays with a layout determined by the roles that the access manager has assigned to your user account. Although the access manager controls the initial layout, you can customize your layout easily, changing the panes displayed and the placement of portlets on each pane. The upper right contains the icons for searching the UI, mapping the portlets and the help system.

Page 54

Default user view – Quick Start

Portlets

One-page quick start to generate and install a policy, define vulnerability tests (if licensed) and define an audit process.

This user application permits a quick start to the Guardium solution. Based on a profile (one profile per user), this application generates a policy (and installs it), an assessment, and defines an audit process.

Page 55

Default user view – Quick Start

Double-click for detailed reports

Governance, risk and compliance heat map

This high-level management report shows a snapshot of the current state of the Guardium system in terms of the three areas that matter most: Governance, Risk, and Compliance (GRC). There are 16 speedometer views. Each has a title and a tool tip explaining what it reports on. Double-clicking on a view produces a drill-down tabular report with full details. The view is organized as a heatmap. Black within a speedometer view indicates that there is underlying data that can be accessed by double-clicking on the view; white indicates that there is no underlying data available. For Compliance there are two rows: the first for the database environment and the second for the appliance (for example, whether data is being backed up or not). A proper Governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued. Risk Management is the process by which an organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.

Page 56

Default user view

Callouts on the screenshot: Build policies, reports; DB discovery and classification; VA and configuration access (if licensed); Create audit process workflows…; Create policies, alerts and see policy violations

Page 57

Tip: Use Portal Map or Portal Search to quickly find what you need

Someone’s custom portlet

Search

Map

The Map is basically a directory of the portlets in the UI. Search on the most important word.

Page 58

Help System

Download a help PDF for offline reading.

The Appendices help book has useful reference info such as APIs, entities and attributes, etc.

Page 59

Default admin user view

Callouts on the screenshot: Double-click for tabular report; Configuration; Create groups, policies, workflows…; Reports for daily monitoring; Policy violations and alerts here

Page 60

Default access manager

Add users and roles

Configure data-level security
• Granularity and flexibility in roles
• Ability to create your own roles
• Ability to create user hierarchies to ensure automatic filtering of results based on the user’s database

Access managers define users and their roles in the system. I call out data-level security here because that’s a way you can define a hierarchy of users in the system and map that hierarchy to data sources. This allows you, for example, to create a single report that will be automatically filtered based on the report receiver’s role in the hierarchy and whether they are associated with the data in the report. The same report on database access could be sent to the Oracle DBA and the DB2 DBA: the Oracle DBA would see only data related to Oracle, the DB2 DBA would see only data related to DB2, and the DBA manager could see both sets of data.
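As an added illustration of the data-level security described above (example code, not from the deck or from the Guardium product): a small Python model of a user hierarchy mapped to data sources, with one report definition filtered by the recipient's position in that hierarchy. The user names, data source names and report rows are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed user hierarchy: each user maps to the users who report to them.
HIERARCHY: Dict[str, List[str]] = {
    "dba_manager": ["oracle_dba", "db2_dba"],
    "oracle_dba": [],
    "db2_dba": [],
}

# Constructed association of users with data sources (names are assumptions).
USER_DATASOURCES: Dict[str, Set[str]] = {
    "oracle_dba": {"ORACLE_PROD"},
    "db2_dba": {"DB2_PROD"},
    "dba_manager": set(),   # the manager sees data only through the people below
}

# Constructed rows of one "database access" report: (data source, DB user, verb, object).
REPORT_ROWS: List[Tuple[str, str, str, str]] = [
    ("ORACLE_PROD", "appuser", "SELECT", "CUSTOMERS"),
    ("DB2_PROD", "dbadmin", "GRANT", "PAYMENTS"),
    ("ORACLE_PROD", "sys", "ALTER", "CREDITCARD"),
]


def visible_datasources(user: str,
                        hierarchy: Dict[str, List[str]],
                        datasources: Dict[str, Set[str]]) -> Set[str]:
    """Data sources a user may see: their own plus those of everyone below them
    in the hierarchy. Iterative walk with a visited set, so a cyclic
    (mis)configuration cannot loop forever."""
    visible: Set[str] = set()
    seen: Set[str] = set()
    stack = [user]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        visible |= datasources.get(current, set())
        stack.extend(hierarchy.get(current, []))
    return visible


def filter_report(recipient: str,
                  rows: List[Tuple[str, str, str, str]],
                  hierarchy: Dict[str, List[str]] = HIERARCHY,
                  datasources: Dict[str, Set[str]] = USER_DATASOURCES,
                  ) -> List[Tuple[str, str, str, str]]:
    """The same report definition, filtered per recipient; a user outside the
    hierarchy is associated with no data source and therefore sees nothing."""
    allowed = visible_datasources(recipient, hierarchy, datasources)
    return [row for row in rows if row[0] in allowed]


if __name__ == "__main__":
    for who in ("oracle_dba", "db2_dba", "dba_manager", "contractor"):
        print(who, "->", filter_report(who, REPORT_ROWS))
```

The filter is applied to the report rows at delivery time, which is the property the slide describes: one report definition, three different views depending on who receives it.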

Page 61

What we’ll cover today (agenda slide, repeated)

Page 62

Command Line Interface (CLI) and APIs (GuardAPI)

Command line interface used for configuration, troubleshooting and management of the Guardium system

The extensive set of GuardAPIs can be used by a user with either the admin or CLI role for automation of repetitive tasks or for ongoing maintenance
– Creating datasources, adding users/members to groups, connection profiling, entitlement report automation and more
– Many are invokable from reports in the UI!

GuardAPIs are documented in the Appendices help book or from the CLI
– To see a list of all grdapi commands, enter:
CLI> grdapi
– To see the parameters for a particular command:
CLI> grdapi list_entry_location --help=true

The Guardium command line interface (CLI) is an administrative tool that allows for configuration, troubleshooting, and management of the Guardium system. Access to the CLI is either through the admin CLI account cli or one of the five CLI accounts (guardcli1,...,guardcli5). The five CLI accounts exist to aid in the separation of administrative duties. Access to the GuardAPI, which is a set of CLI commands to aid in the automation of repetitive tasks, requires the creation of a user by the access manager and giving that account either the admin or cli role. Proper login to the CLI for the purpose of using GuardAPI requires logging in with one of the five CLI accounts (guardcli1,...,guardcli5) and an additional login as the GUI user by issuing the 'set guiuser' command. For information about creating a user with CLI authority, see this ‘how to’ in the Information Center: http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.guardium.using.doc/topics/how-to-create-a-user-with-the-proper-entitlements-to-login-to-cli.html

To list all GuardAPI commands available, enter the grdapi command with no arguments or use the 'grdapi commands' command with no search argument. For example:
CLI> grdapi

To display the parameters for a particular command, enter the command followed by '--help=true'. For example:
CLI> grdapi list_entry_location --help=true

Page 63

APIs enable automation and ease maintenance

Invoke API to add

member to group

Example: Add a member to a group from a report

This example shows how you can use the API to add an ‘authorized’ MapReduce job to a group so it won’t appear in this report anymore.

In this example, we wanted to add Hadoop MapReduce job names to a group after they have been vetted so they won’t appear in the ‘unauthorized list’ report anymore. There is configuration work to add APIs to reports if they are not already included with the system. We have a document on this process if you’re interested, contact me [email protected].

Page 64

APIs enable automation and ease maintenance

-- Create group and members of the group
grdapi create_group desc=SensitiveObjectsMonitored type=objects appid=Public owner=admin
grdapi create_member_to_group_by_desc desc=SensitiveObjectsMonitored member=creditcard
grdapi create_member_to_group_by_desc desc="Cardholder Objects" member=creditcard
grdapi create_member_to_group_by_desc desc="Authorized Client IPs" member="10.10.9.56"
grdapi create_member_to_group_by_desc desc="Authorized Client IPs" member="10.10.9.251"

Example: Add a member to a group from a script

This example shows how you can use the API to quickly get up and running with groups for PCI compliance.
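As an added example (not from the deck or from the Guardium product) of preparing a script like the one above: a Python generator that turns a group definition into the grdapi lines to paste into the CLI, quoting descriptions that contain spaces the way the script above does and rejecting malformed entries for the IP group before they reach the appliance. The group list reproduces the slide's groups and the `appid=Public owner=admin` parameters; the deliberately malformed address is constructed, and the quoting rule and the ipaddress validation are this example's own.

```python
import ipaddress
from typing import Dict, List

# Group definitions mirroring the slide's script. "type" is given only for the
# group the script has to create; the other two are treated as already existing,
# as the slide's script does. The last IP is a constructed, malformed entry.
GROUPS: List[Dict] = [
    {"desc": "SensitiveObjectsMonitored", "type": "objects", "members": ["creditcard"]},
    {"desc": "Cardholder Objects", "members": ["creditcard"]},
    {"desc": "Authorized Client IPs", "ip_members": True,
     "members": ["10.10.9.56", "10.10.9.251", "10.10.9.999"]},
]


def quote(value: str) -> str:
    """Quote a grdapi parameter value the way the slide does: double quotes only
    when the value contains whitespace (escaping of embedded quotes is an assumption)."""
    if any(ch.isspace() for ch in value) or '"' in value:
        return '"' + value.replace('"', '\\"') + '"'
    return value


def invalid_ips(members: List[str]) -> List[str]:
    """Members that are not well-formed IP addresses; such an entry never matches
    a real client and would silently leave that client outside the group."""
    bad: List[str] = []
    for m in members:
        try:
            ipaddress.ip_address(m)
        except ValueError:
            bad.append(m)
    return bad


def build_commands(groups: List[Dict]) -> List[str]:
    """Emit the grdapi lines to paste into the CLI, skipping malformed IP members."""
    lines: List[str] = []
    for g in groups:
        desc = quote(g["desc"])
        if "type" in g:
            lines.append(f"grdapi create_group desc={desc} type={g['type']} appid=Public owner=admin")
        members = list(g["members"])
        if g.get("ip_members"):
            bad = set(invalid_ips(members))
            members = [m for m in members if m not in bad]
        for m in members:
            lines.append(f"grdapi create_member_to_group_by_desc desc={desc} member={quote(m)}")
    return lines


if __name__ == "__main__":
    for group in GROUPS:
        if group.get("ip_members"):
            for bad in invalid_ips(group["members"]):
                print(f"# skipped malformed IP for {group['desc']!r}: {bad}")
    print("\n".join(build_commands(GROUPS)))
```

The generated lines are meant to be reviewed and then pasted into a CLI session logged in as described on the previous slide; keeping the group definition in a file under version control gives you a record of who authorized each member.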

Page 65

What we’ll cover today (agenda slide, repeated)

Page 66

Information and training

InfoSphere Guardium YouTube Channel – includes overviews and technical demos

InfoSphere Guardium newsletter

developerWorks forum (very active)

Guardium DAM User Group on Linked-In (very active)

Community on developerWorks (includes content and links to a myriad of sources, articles, etc)

Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come)

Technical training courses (classroom and self-paced)

Business Partner bootcamps

Hands on! Ask your IBM sales rep about upcoming Proof of Technologies. For example:

March 12, KC, MO

March 19, Tulsa, OK

There are currently two Guardium certification tests. If you are looking into taking an IBM professional product certification exam, you may look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml).

Upon completion of the 000-463 certification, you will become an IBM Certified Guardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml).

The certification requires deep knowledge of the IBM InfoSphere Guardium product. It is recommended that the individual have experience implementing the product before taking the exam. You can view the detailed topics here: http://www-03.ibm.com/certify/tests/obj463.shtml
Details of each topic are covered in the product manuals. You will also find the Guardium Information Center a useful resource when you prepare for the exam: http://publib.boulder.ibm.com/infocenter/igsec/v1/index.jsp

Page 67

Next Guardium Tech Talk

Links to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Roadmap to a successful V9 upgrade

Speakers: Vlad Langman and Abdiel Santos

Date & Time: Wednesday March 14, 2013

11:30 AM Eastern

Register here: http://bit.ly/Vkc8g2

Page 68

Thank you – Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję (the slide shows “thank you” in Japanese, French, Russian, German, Italian, Spanish, Brazilian Portuguese, Arabic, Traditional Chinese, Simplified Chinese, Thai, Swedish and Polish)

Thank you very much for your time today.

Page 69

Backup

Page 70

Discovering Sensitive Data in Databases

• Discover database instances on network

• Catalog Search: Search the database catalog for table or column name

– Example: Search for tables where column name is like “%card%”

• Search by Permission: Search for the types of access that have been granted to users or roles

• Search for Data: Match specific values or patterns in the data

– Example: Search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card patterns)

• Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)

Page 71

Identifying Fraud at the Application Layer

Issue: Application server uses a generic service account to access the DB
– Doesn’t identify who initiated the transaction (connection pooling)

Solution: Guardium tracks access to the application user associated with specific SQL commands
– Out-of-the-box support for all major enterprise applications (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos…) and custom applications (WebSphere, WebLogic, ….)
– Deterministic vs. time-based “best guess”
– No changes to applications

(Diagram: Users Joe and Marc → Application Server → Database Server)

Identifying fraud or Application Mis-Use

You need a solution that shows WHO did WHAT!
Native auditing solutions and logging tools don’t show this depth.
Track access back to the application user associated with a specific command – deterministically, not by ‘best guess’!
Whatever middleware you are using!
And with NO changes to the application or the database!


Page 72

Enforcing Change Controls + Integrating with Change Management Systems

• Tag DBA actions with ticket ID
• Compare observed changes to approved changes
• Identify unauthorized changes (red) or changes with invalid ticket IDs


Page 73

Monitoring Data Leakage from High-Value Databases

Should my customer service rep view 99 records in an hour?

Is this normal?

What exactly did Joe see?

Another Example

Traditional Solutions can’t identify suspicious behavior within legitimate traffic

Joe is viewing an abnormally high number of customer information!

We can even take a look at what he saw!

Notice that the audit information is masked, so that someone viewing these reports doesn’t also see the customer information that we’re auditing Joe for…

Knowing what was breached and to what extent is what we’re looking for!

Native logs won’t give you this information!


Page 74

Tracking privileged users who switch accounts

What InfoSphere Guardium shows you:

User activity

Privileged User

1. Joe logs in to Linux

2. He switches to the Oracle shell account

3. Logs into Oracle as system

4. Gives himself a big bonus!

Native database logging/auditing & SIEM tools can't capture OS user information

Other database monitoring solutions only provide OS shell account that was used

Do you have Privileged Users that use both generic DB accounts as well as generic OS accounts?

In many companies, users login with their OS account and then switch to a shell account that has the needed environment to access the database.

If they also use a generic database account, how do you track them back?!

Joe’s bumping his bonus!

Native auditing will only show you the DB Username

Other monitoring solutions can only show you the OS shell account that was used!

You need everything!


Page 75

Query Based Test Results

Test the database to validate that all triggers are actually owned by the table owner.

SQL = Select count(*) from all_triggers where owner <> table_owner
If the count exceeds a threshold of 7 items, fail the test.


Page 76

SAP PreDefined PCI Policy Rule (Access Rule) Track - PCI CardHolder Data

This is an example of an access rule


Page 77

Unauthorized Users Accessing Credit Cards -- Guardium Verifies Credit Card Validity With Luhn Algorithm
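As an added example (not code from the deck or from the Guardium product) tying together the pattern search for card numbers on the “Discovering Sensitive Data” slide, the Luhn validation named on this slide and the masking of audit data shown on the data-leakage slide: a Python scanner that finds candidate card numbers in captured SQL text, keeps only those that pass the Luhn check to cut false positives from order numbers and similar digit runs, and masks them before they reach a report. The regular expression, the sample statements and the two widely published test card numbers are constructed inputs.

```python
import re
from typing import List

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer digit run. Constructed pattern.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed captured SQL, as a collector might log it. The first and third
# values are widely published test card numbers; the second is a 16-digit
# order number that fails the Luhn check.
SAMPLE_SQL: List[str] = [
    "select * from cardholder where pan = '4111111111111111'",
    "select * from orders where order_no = '1234567890123456'",
    "update cardholder set pan = '5555 5555 5555 4444' where id = 7",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtracting 9
    when the result exceeds 9); the sum of all digits must be divisible by 10."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a report viewer should see."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Luhn-valid card numbers in the text, normalised to bare digits."""
    found: List[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace each Luhn-valid card number with its masked form; other digit runs stay as they are."""
    def _sub(m) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan(statements: List[str]) -> List[str]:
    """Statements that carry a real card number, returned in masked form for the audit report."""
    return [redact(s) for s in statements if find_pans(s)]


if __name__ == "__main__":
    for line in scan(SAMPLE_SQL):
        print(line)
```

The Luhn check is a checksum, not proof that a number is a live card, so it only reduces false positives; the masking step is what keeps the reviewer of an audit report from becoming another person who has seen the cardholder data.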


Page 78

PCI Track Data… Guardium Tracks PCI “Track Data”

DO NOT store the full contents of any track from the magnetic stripe

DO NOT store the card-validation code (three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data))

DO NOT store the PIN Verification Value (PVV)
