IBM Security Guardium Tech Talk - United States · PDF fileConnection uses a Java driver. Many...

© 2015 IBM Corporation

What’s new in Vulnerability Assessment V10

Kathy Zeidenstein – Guardium EvangelistFrank Cavaliero - Database AdministratorLouis Lam - Database and VA ManagerVikalp Paliwal - VA Product Manager

November 5, 2015

IBM Security Guardium Tech Talk

2© 2015 IBM Corporation

Next tech talk: Hints and Tips: Upgrading to Guardium V10

Speakers: Vlad Langman, L3 Support ManagerOmar Raza, QA Engineer

Date and time: Thursday, November 19th11:30 AM US Eastern, 8:30 AM US Pacific

Register here: ibm.biz/BdHYnU

Reminder: Next Guardium Tech Talk

https://ibm.biz/BdHYnU

3© 2015 IBM Corporation3

► Guardium Vulnerability Assessment overview

► Vikalp Paliwal

► What is new in IBM Security Guardium Vulnerability Assessment v10

► Louis Lam

► New IBM Security Guardium Vulnerability Assessment v10 live demo

► Frank Cavaliero

► Q & A

Agenda

Data is the key target for breaches


Data is challenging to secure

DYNAMICData multiplies

continuously andmoves quickly

DISTRIBUTEDData is everywhere,across applicationsand infrastructure

IN DEMANDUsers need to constantly access and share data to do their jobs


D A T A S E C U R I T Y I N T E L L I G E N C E

Entitlements Reporting

Activity Monitoring

BlockingQuarantine

Dynamic DataMasking

Vulnerability Assessment

MaskingEncryption

DiscoveryClassification

Vulnerability AssessmentAssessment reportsData Protection Subscription

Configuration Changes

Data EncryptionFile-level encryptionRole-based access controlFile access auditing

Data MaskingStatic maskingSemantic and format preserving

Standard DAMData Activity MonitoringReal-time alertsApp end-user identificationNormalized audit creationCompliance reportingCompliance workflow

Advanced DAM Blocking access Masking sensitive data Users Quarantine

“Base Product” DB and Data Discovery Data ClassificationEntitlement Reporting Enterprise Integrator Queries & Reports Threshold Alerts Compliance Workflow Group Management Security Integrations IT Integrations Data Level Security Incident Management User/Roles Management HR Integrations Portal Management Self Monitoring Data Export Options Data Imports Options

Data Redaction Redact sensitive documents

Discover Harden Monitor Protect

Federate large deploymentCentral controlCentral audit collection

Standard FAMFile metadata discoverySensitive data classificationData activity monitoringReal-time alertsCompliance reportingCompliance workflow

Advanced FAM Blocking access

App Data Masking Masking on the browser

ANALYZE. PROTECT. ADAPT.Data Security solutions protect structured and unstructured sensitive data


Vulnerability Assessment Technology is used to support security threat management and compliance

Database

Network

Infrastructure

Endpoint

Applications

• In-depth assessments of databases and applications such as ERP

systems (for ex SAP or Oracle), especially, are not widely supported in

traditional VA solution, which focus on devices

• IT Security managers choosing a VA solution must make a dedicated

ongoing vulnerability signature support and maintenance for majority of

their asset base a critical requirement.

Vulnerability Assessment Solution

-Gartner - market guide for VA

“Secure your crown jewels”


Have you left the keys to the kingdom dangling from the front door?

Managing vulnerabilities is a data security critical success factor

Default Username

and Password

Excessive Privilege

Default settings

and misconfigu

rations

Un-patched

Databases

Non supported product versions

Unknown sensitive

data

Non Compliance

Audit Fail

Insider Theft

Data breach

Implications


ANALYZE. PROTECT. ADAPT.

ANALYTICS

IBM Security Guardium Vulnerability Assessment

Discovery and ClassificationEntitlement reporting

Vulnerability AssessmentRemediation Recommendation

Configuration Audit System

Database Protection Service

Compliance workflow automation and auditing


IBM Security Guardium Vulnerability Assessment :Analyze risk, automate compliance and harden your data environment

• Compliance Workflow

• Exception management

• Export to other security tools

Sensitive Data

Discovery

Extensible design

• Identifies Sensitive Data like credit

cards, transactions or PII

• Reporting on sensitive objects

• Discover database instances

• Using industry best-practices and primary research

• Predefined tests to uncover database vulnerabilities

• Entitlement reporting

• Recommendations for remediation

• Vulnerability Assessment scorecard

• Configuration audit system (CAS)

• View graphical representation of trends

• Includes Data Protection Service Updates

• Enables custom designed defined tests

• Tuning existing tests to match needs

• Report builder for custom reports

Comprehensive testing

and reporting

Collaborate to

protect


Identify vulnerabilities across multiple platforms from a single console

Automatically discover and classify sensitive data to expose compliance risks

Analyze misconfigurations and default settings to uncover risks

Understand who is entitled to access sensitive data

• New user experience supports comprehensive visibility, control and reporting

• Support 15 – Database, Datawarehouses, BigData (NoSQL) platforms

• More than 2000 vulnerability assessment tests

• STIG Benchmarks for oracle 11gr2 and SQL Server 2012

NEW!


Guardium support the most complex IT environmentsEnterprise wide Scalability

Applications Databases

DB2Informix

DB2z

Data Warehouses

NetezzaSiebelPeopleSoftE-Business

Big Data Environments

Cloud Environments

DB2i


Leverage security industry best practice and benefits . . .

Secure

• Privileges

• Configuration settings

• Security patches

• Password policies

• OS Level file permission

Enforce• DoD STIG

• CIS

• CVE

Performance Zero Impact

User defined queries for custom tests to meet baseline for

• Organization

• Industry

• Application

Established

Baseline

Forensics• Advanced Forensics and Analytics using custom reports

• Understand your sensitive data risk and exposure

• Ownership and access for your files


3 steps to easy deployment

Guardium Vulnerability

Assessment

Appliance

Review

Reports

Results• Pass/Fail Statistics

• Criticality and recommended actions

• Filters and comparison

• History and trends

• Distribution/Compliance Workflow

Automated DB Scans

Assessment Tests

• Privileges

• Authentication

• Configuration

• Patch levels

• Oracle

• SQL Server

• DB2

• DB2 z

• DB2 i

• Sybase

• Teradata

• Aster

• Informix

• Netezza

• MySQL

• Postgres

• MongoDB

• SAP HANA

Web Browser


Remove vulnerabilities by hardening your environment

Remediation

Patching

Harden

Password Policy

Reconfigure settings and parameters

Harden privileges

and grants

Harden OS Files Access


What is new in IBM Security Guardium Vulnerability Assessment v10

Support 15 types

of data sources to

choose from


MongoDB, Versions Supported and VA Test Coverage

About MongoDB :

Developed in 2007, MongoDB is a NoSQL, document-oriented database. They use JSON documents with dynamic

schemas (format called BSON). In MongoDB, a collection is equivalent of a RDBMS table while documents are equivalent

to records in an RDBMS table.

– NO other vendor offers VA for Mongo

MongoDB support:

– 2.4, 2.6 and 3.0

VA test Coverage:

– Built-in roles

– Database configuration

– Version and Patches

– CAS (File permission and ownership)

– CVE (Common Vulnerabilities and Exposures)


MongoDB - Deployment

First NoSQL database supported for VA.

First non-JDBC database connection. Connection uses a Java driver.

Many enhancements to the VA mechanism to support JSON syntax.

MongoDB data sources support SSL server and client/server connections with SSL client

certificates.

Our VA solution for MongoDB Clusters can be run on mongos, a primary node and all

secondary nodes for replica sets.

VA solution is certified by MongoDB.


DB2 for i

Guardium VA tests require IBM i systems to have the

following PTFs installed on the system

– IBM i 7.1 partitions:

• PTF Group SF99701 Level 26 or PTF Group SF99701 Level

25 with enabling PTFs SI50237, SI50251, SI50301 and

SI51156.

– IBM i 6.1 partitions:

• PTF Group SF99601 Level 30.


DB2 for i Support

Version support:

– IBM i 6.1, 7.1 and 7.2 partitions

VA test Coverage:

– Profiles with Special Authorities

– Profiles with access to Database Function Usage

– Password policies

– Database Objects privilege granted to PUBLIC

– Database Objects privilege granted to individual user

– Database Objects privilege granted with grant option

– Security APARs

Entitlement Report:

– Profiles with Special Authorities

– Group granted to user

– Database Objects privilege granted to PUBLIC

– Database Executable Objects privileges granted to PUBLIC

– Database Objects privilege granted to individual user

– Database Objects privilege granted with grant option


Aster Data - Teradata

IBM Confidential

About Aster Data :

Acquired by Teradata in 2011, typically used for data warehousing and analytic applications (OLAP). Aster Data

created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with Map

Reduce. Most often associated with clickstream kinds of applications.

NO other vendor offers VA for Aster.

Aster support:

– 5.1 and 6.0

VA test Coverage :

– Default password

– System privileges and roles

– Database Object privileges granted to PUBLIC

– Database Object privileges granted to individual user

– Database Object privileges granted with grant option




Aster Data - Deployment A security assessment should be created to execute all tests on the queen node. All database

connections for Aster Data goes through the queen node only.

Testing on worker and loader nodes are only required when performing CAS tests (File permission

and File ownership).

Privilege tests loop through all the databases in a given Aster’s instance.

DPS will include metadata to enforce recommendation for customer to applying latest database

patches.


Aster Data – CAS Installation


SAP HANA

About SAP HANA

Is an in-memory, column-oriented, relational database management system developed and marketed by SAP SE. HANA's

architecture is designed to handle both high transaction rates and complex query processing on the same platform.

SAP HANA support:

– 1.00

VA test Coverage :

– Password policies

– Default SYSTEM password

– System privileges and roles

– Database Object privileges granted to PUBLIC

– Database Object privileges granted to individual user

– Database Object privileges granted with grant option




SAP HANA - Deployment

Tests are created by Guardium VA research team and cover all relevant best practices

from SAP HANA security guide.

Guardium is first to the market for VA solution on SAP HANA.

CAS is use for enforcing OS file level privileges, ownership and group.

V10 DPS will include metadata to enforce recommendation for customer to applying

latest SAP HANA database patches.


STIG Benchmarks

Guardium v10 covers the latest benchmarks that were recently published by STIG for

Oracle11gR2 and SQL Server 2012.

– http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx

http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx


STIG – Oracle

Guardium v10 supports STIG’s latest Oracle benchmark v8R12.

The external references for all existing and new tests are in sync with the latest STIG

benchmark.

Tests that reference STIG now have a separate STIG reference, STIG severity and STIG

IAControls field.

There are new Oracle tests created from the latest STIG benchmark.

The logic for many existing tests were modified to sync up with latest STIG

recommendations.


STIG – SQL Server

Guardium v10 supports STIG’s latest SQL Server 2012 benchmark v1R2.

The external references for all existing and new tests are in sync with the latest STIG

benchmark.

STIG external reference for SQL Server now begin with SQL% instead of DG% or DM%

Tests that reference STIG now have a separate STIG reference, STIG severity and STIG

SRG field.

New SQL Server tests were created from the latest STIG benchmark.

The logic for many existing tests were modified to sync up with the latest STIG

recommendations.


VA – Query timeout

When a test takes more than 10 minutes to execute, it will time out with a message specific

to the DBMS type driver. This mechanism can be turned off or modified using CLI

commands.

This feature is support on all query based tests (Test ID between 2000 and 3000).

– Aster, Informix and SAP HANA DBMS type is not support.

This feature was introduced in v9p500 for query based tests only. Version 10 added support

to a list of JAVA based privileges tests.

A GUI restart is required for this feature.

Recommendation: Do not set this timeout value to greater than 30 minutes.

CLI commands are:

show va query_timeout

store va query_timeout off

store va query_timeout on <min>


VA – Privileges test output

To avoid the rare case in which excessive violations cause memory issues, Guardium is

limiting the number of rows returned per test to 20,000 rows. This default can be overridden

using CLI commands.

This feature is supported on all query based tests (Test ID between 2000 and 3000). SAP

HANA DBMS type is not supported.

This feature was introduced in v9p500 for query based tests only. Version 10 added support

to a list of JAVA based privileges tests.

A GUI restart is required for this feature.

CLI commands are:

show va max_detail

store va max_detail off

store va max_detail on <num>


IBM Security Guardium Vulnerability Assessment demo

Frank Cavaliero

https://apps.na.collabserv.com/profiles/html/simpleSearch.do?searchFor=21250333&searchBy=userid

© 2015 IBM Corporation

Q&A 3 Key Take-Aways

IBM Security Guardium Vulnerability Assessment

Provides complete risk posture of data asset and help automate compliance requirements

Analyze, protect and adapt to all your data security challenges

Built on proven enterprise-ready, easily scalable architecture

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Legal notices and disclaimers

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any

kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor

shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use

of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or

capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product

or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries

or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside

your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks

on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.

IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other

systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE

IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOUwww.ibm.com/security

http://www.ibm.com/security

http://www.ibm.com/security

IBM Security Guardium Tech Talk - United States · PDF fileConnection uses a Java driver. Many...

Documents

Transcript of IBM Security Guardium Tech Talk - United States · PDF fileConnection uses a Java driver. Many...