IBM Security Guardium Tech Talk - United States · PDF fileConnection uses a Java driver. Many...
Transcript of IBM Security Guardium Tech Talk - United States · PDF fileConnection uses a Java driver. Many...
© 2015 IBM Corporation
What’s new in Vulnerability Assessment V10
Kathy Zeidenstein – Guardium EvangelistFrank Cavaliero - Database AdministratorLouis Lam - Database and VA ManagerVikalp Paliwal - VA Product Manager
November 5, 2015
IBM Security Guardium Tech Talk
2© 2015 IBM Corporation
Next tech talk: Hints and Tips: Upgrading to Guardium V10
Speakers: Vlad Langman, L3 Support ManagerOmar Raza, QA Engineer
Date and time: Thursday, November 19th11:30 AM US Eastern, 8:30 AM US Pacific
Register here: ibm.biz/BdHYnU
Reminder: Next Guardium Tech Talk
3© 2015 IBM Corporation3
► Guardium Vulnerability Assessment overview
► Vikalp Paliwal
► What is new in IBM Security Guardium Vulnerability Assessment v10
► Louis Lam
► New IBM Security Guardium Vulnerability Assessment v10 live demo
► Frank Cavaliero
► Q & A
Agenda
Data is the key target for breaches
4© 2015 IBM Corporation
Data is challenging to secure
DYNAMICData multiplies
continuously andmoves quickly
DISTRIBUTEDData is everywhere,across applicationsand infrastructure
IN DEMANDUsers need to constantly access and share data to do their jobs
5© 2015 IBM Corporation
D A T A S E C U R I T Y I N T E L L I G E N C E
Entitlements Reporting
Activity Monitoring
BlockingQuarantine
Dynamic DataMasking
Vulnerability Assessment
MaskingEncryption
DiscoveryClassification
Vulnerability AssessmentAssessment reportsData Protection Subscription
Configuration Changes
Data EncryptionFile-level encryptionRole-based access controlFile access auditing
Data MaskingStatic maskingSemantic and format preserving
Standard DAMData Activity MonitoringReal-time alertsApp end-user identificationNormalized audit creationCompliance reportingCompliance workflow
Advanced DAM Blocking access Masking sensitive data Users Quarantine
“Base Product” DB and Data Discovery Data ClassificationEntitlement Reporting Enterprise Integrator Queries & Reports Threshold Alerts Compliance Workflow Group Management Security Integrations IT Integrations Data Level Security Incident Management User/Roles Management HR Integrations Portal Management Self Monitoring Data Export Options Data Imports Options
Data Redaction Redact sensitive documents
Discover Harden Monitor Protect
Federate large deploymentCentral controlCentral audit collection
Standard FAMFile metadata discoverySensitive data classificationData activity monitoringReal-time alertsCompliance reportingCompliance workflow
Advanced FAM Blocking access
App Data Masking Masking on the browser
ANALYZE. PROTECT. ADAPT.Data Security solutions protect structured and unstructured sensitive data
6© 2015 IBM Corporation
Vulnerability Assessment Technology is used to support security threat management and compliance
Database
Network
Infrastructure
Endpoint
Applications
• In-depth assessments of databases and applications such as ERP
systems (for ex SAP or Oracle), especially, are not widely supported in
traditional VA solution, which focus on devices
• IT Security managers choosing a VA solution must make a dedicated
ongoing vulnerability signature support and maintenance for majority of
their asset base a critical requirement.
Vulnerability Assessment Solution
-Gartner - market guide for VA
“Secure your crown jewels”
7© 2015 IBM Corporation
Have you left the keys to the kingdom dangling from the front door?
Managing vulnerabilities is a data security critical success factor
Default Username
and Password
Excessive Privilege
Default settings
and misconfigu
rations
Un-patched
Databases
Non supported product versions
Unknown sensitive
data
Non Compliance
Audit Fail
Insider Theft
Data breach
Implications
8© 2015 IBM Corporation
ANALYZE. PROTECT. ADAPT.
ANALYTICS
IBM Security Guardium Vulnerability Assessment
Discovery and ClassificationEntitlement reporting
Vulnerability AssessmentRemediation Recommendation
Configuration Audit System
Database Protection Service
Compliance workflow automation and auditing
9© 2015 IBM Corporation
IBM Security Guardium Vulnerability Assessment :Analyze risk, automate compliance and harden your data environment
• Compliance Workflow
• Exception management
• Export to other security tools
Sensitive Data
Discovery
Extensible design
• Identifies Sensitive Data like credit
cards, transactions or PII
• Reporting on sensitive objects
• Discover database instances
• Using industry best-practices and primary research
• Predefined tests to uncover database vulnerabilities
• Entitlement reporting
• Recommendations for remediation
• Vulnerability Assessment scorecard
• Configuration audit system (CAS)
• View graphical representation of trends
• Includes Data Protection Service Updates
• Enables custom designed defined tests
• Tuning existing tests to match needs
• Report builder for custom reports
Comprehensive testing
and reporting
Collaborate to
protect
10© 2015 IBM Corporation
Identify vulnerabilities across multiple platforms from a single console
Automatically discover and classify sensitive data to expose compliance risks
Analyze misconfigurations and default settings to uncover risks
Understand who is entitled to access sensitive data
• New user experience supports comprehensive visibility, control and reporting
• Support 15 – Database, Datawarehouses, BigData (NoSQL) platforms
• More than 2000 vulnerability assessment tests
• STIG Benchmarks for oracle 11gr2 and SQL Server 2012
NEW!
11© 2015 IBM Corporation
Guardium support the most complex IT environmentsEnterprise wide Scalability
Applications Databases
DB2Informix
DB2z
Data Warehouses
NetezzaSiebelPeopleSoftE-Business
Big Data Environments
Cloud Environments
DB2i
12© 2015 IBM Corporation
Leverage security industry best practice and benefits . . .
Secure
• Privileges
• Configuration settings
• Security patches
• Password policies
• OS Level file permission
Enforce• DoD STIG
• CIS
• CVE
Performance Zero Impact
User defined queries for custom tests to meet baseline for
• Organization
• Industry
• Application
Established
Baseline
Forensics• Advanced Forensics and Analytics using custom reports
• Understand your sensitive data risk and exposure
• Ownership and access for your files
13© 2015 IBM Corporation
3 steps to easy deployment
Guardium Vulnerability
Assessment
Appliance
Review
Reports
Results• Pass/Fail Statistics
• Criticality and recommended actions
• Filters and comparison
• History and trends
• Distribution/Compliance Workflow
Automated DB Scans
Assessment Tests
• Privileges
• Authentication
• Configuration
• Patch levels
• Oracle
• SQL Server
• DB2
• DB2 z
• DB2 i
• Sybase
• Teradata
• Aster
• Informix
• Netezza
• MySQL
• Postgres
• MongoDB
• SAP HANA
Web Browser
14© 2015 IBM Corporation
Remove vulnerabilities by hardening your environment
Remediation
Patching
Harden
Password Policy
Reconfigure settings and parameters
Harden privileges
and grants
Harden OS Files Access
15© 2015 IBM Corporation
What is new in IBM Security Guardium Vulnerability Assessment v10
Support 15 types
of data sources to
choose from
16© 2015 IBM Corporation
MongoDB, Versions Supported and VA Test Coverage
About MongoDB :
Developed in 2007, MongoDB is a NoSQL, document-oriented database. They use JSON documents with dynamic
schemas (format called BSON). In MongoDB, a collection is equivalent of a RDBMS table while documents are equivalent
to records in an RDBMS table.
– NO other vendor offers VA for Mongo
MongoDB support:
– 2.4, 2.6 and 3.0
VA test Coverage:
– Built-in roles
– Database configuration
– Version and Patches
– CAS (File permission and ownership)
– CVE (Common Vulnerabilities and Exposures)
17© 2015 IBM Corporation
MongoDB - Deployment
First NoSQL database supported for VA.
First non-JDBC database connection. Connection uses a Java driver.
Many enhancements to the VA mechanism to support JSON syntax.
MongoDB data sources support SSL server and client/server connections with SSL client
certificates.
Our VA solution for MongoDB Clusters can be run on mongos, a primary node and all
secondary nodes for replica sets.
VA solution is certified by MongoDB.
18© 2015 IBM Corporation
DB2 for i
Guardium VA tests require IBM i systems to have the
following PTFs installed on the system
– IBM i 7.1 partitions:
• PTF Group SF99701 Level 26 or PTF Group SF99701 Level
25 with enabling PTFs SI50237, SI50251, SI50301 and
SI51156.
– IBM i 6.1 partitions:
• PTF Group SF99601 Level 30.
19© 2015 IBM Corporation
DB2 for i Support
Version support:
– IBM i 6.1, 7.1 and 7.2 partitions
VA test Coverage:
– Profiles with Special Authorities
– Profiles with access to Database Function Usage
– Password policies
– Database Objects privilege granted to PUBLIC
– Database Objects privilege granted to individual user
– Database Objects privilege granted with grant option
– Security APARs
Entitlement Report:
– Profiles with Special Authorities
– Group granted to user
– Database Objects privilege granted to PUBLIC
– Database Executable Objects privileges granted to PUBLIC
– Database Objects privilege granted to individual user
– Database Objects privilege granted with grant option
20© 2015 IBM Corporation
Aster Data - Teradata
IBM Confidential
About Aster Data :
Acquired by Teradata in 2011, typically used for data warehousing and analytic applications (OLAP). Aster Data
created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with Map
Reduce. Most often associated with clickstream kinds of applications.
NO other vendor offers VA for Aster.
Aster support:
– 5.1 and 6.0
VA test Coverage :
– Default password
– System privileges and roles
– Database Object privileges granted to PUBLIC
– Database Object privileges granted to individual user
– Database Object privileges granted with grant option
– Version and Patches
– CAS (File permission and ownership)
21© 2015 IBM Corporation
Aster Data - Deployment A security assessment should be created to execute all tests on the queen node. All database
connections for Aster Data goes through the queen node only.
Testing on worker and loader nodes are only required when performing CAS tests (File permission
and File ownership).
Privilege tests loop through all the databases in a given Aster’s instance.
DPS will include metadata to enforce recommendation for customer to applying latest database
patches.
22© 2015 IBM Corporation
Aster Data – CAS Installation
23© 2015 IBM Corporation
SAP HANA
About SAP HANA
Is an in-memory, column-oriented, relational database management system developed and marketed by SAP SE. HANA's
architecture is designed to handle both high transaction rates and complex query processing on the same platform.
SAP HANA support:
– 1.00
VA test Coverage :
– Password policies
– Default SYSTEM password
– System privileges and roles
– Database Object privileges granted to PUBLIC
– Database Object privileges granted to individual user
– Database Object privileges granted with grant option
– Version and Patches
– CAS (File permission and ownership)
24© 2015 IBM Corporation
SAP HANA - Deployment
Tests are created by Guardium VA research team and cover all relevant best practices
from SAP HANA security guide.
Guardium is first to the market for VA solution on SAP HANA.
CAS is use for enforcing OS file level privileges, ownership and group.
V10 DPS will include metadata to enforce recommendation for customer to applying
latest SAP HANA database patches.
25© 2015 IBM Corporation
STIG Benchmarks
Guardium v10 covers the latest benchmarks that were recently published by STIG for
Oracle11gR2 and SQL Server 2012.
– http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx
26© 2015 IBM Corporation
STIG – Oracle
Guardium v10 supports STIG’s latest Oracle benchmark v8R12.
The external references for all existing and new tests are in sync with the latest STIG
benchmark.
Tests that reference STIG now have a separate STIG reference, STIG severity and STIG
IAControls field.
There are new Oracle tests created from the latest STIG benchmark.
The logic for many existing tests were modified to sync up with latest STIG
recommendations.
27© 2015 IBM Corporation
STIG – SQL Server
Guardium v10 supports STIG’s latest SQL Server 2012 benchmark v1R2.
The external references for all existing and new tests are in sync with the latest STIG
benchmark.
STIG external reference for SQL Server now begin with SQL% instead of DG% or DM%
Tests that reference STIG now have a separate STIG reference, STIG severity and STIG
SRG field.
New SQL Server tests were created from the latest STIG benchmark.
The logic for many existing tests were modified to sync up with the latest STIG
recommendations.
28© 2015 IBM Corporation
VA – Query timeout
When a test takes more than 10 minutes to execute, it will time out with a message specific
to the DBMS type driver. This mechanism can be turned off or modified using CLI
commands.
This feature is support on all query based tests (Test ID between 2000 and 3000).
– Aster, Informix and SAP HANA DBMS type is not support.
This feature was introduced in v9p500 for query based tests only. Version 10 added support
to a list of JAVA based privileges tests.
A GUI restart is required for this feature.
Recommendation: Do not set this timeout value to greater than 30 minutes.
CLI commands are:
show va query_timeout
store va query_timeout off
store va query_timeout on <min>
29© 2015 IBM Corporation
VA – Privileges test output
To avoid the rare case in which excessive violations cause memory issues, Guardium is
limiting the number of rows returned per test to 20,000 rows. This default can be overridden
using CLI commands.
This feature is supported on all query based tests (Test ID between 2000 and 3000). SAP
HANA DBMS type is not supported.
This feature was introduced in v9p500 for query based tests only. Version 10 added support
to a list of JAVA based privileges tests.
A GUI restart is required for this feature.
CLI commands are:
show va max_detail
store va max_detail off
store va max_detail on <num>
30© 2015 IBM Corporation
IBM Security Guardium Vulnerability Assessment demo
Frank Cavaliero
© 2015 IBM Corporation
Q&A 3 Key Take-Aways
IBM Security Guardium Vulnerability Assessment
Provides complete risk posture of data asset and help automate compliance requirements
Analyze, protect and adapt to all your data security challenges
Built on proven enterprise-ready, easily scalable architecture
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Legal notices and disclaimers
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOUwww.ibm.com/security