IBM Security Guardium Tech Talk: Vulnerability Assessment for SAP HANA

Page 1: IBM Security Guardium Tech Talk: Vulnerability Assessment for SAP HANA

REST EASY BY AUTOMATING SAP HANA VULNERABILITY ASSESSMENTS

June 21, 2016

Kathy Zeidenstein, Guardium Community Advocate, IBM

Vikalp Paliwal, Offering Manager, IBM Security Guardium

Peter Dwyer, Principal Technologist, Guardium Engineering

Page 2: Upcoming Tech Talks

Worrying About Your Whitelists – Guardium Tips and Tricks for Deciding What to Trust

Speaker: John Haldeman, Enterprise Architect, Information Insights, LLC

Date and time: July 21, 2016, 08:00 AM PDT / 11:00 AM EDT

Register here: http://ibm.biz/GTechwhitelist

Page 3: Guardium community on developerWorks

bit.ly/guardwiki (screenshot: the community link is in the right nav)

Page 4: Agenda

• Why compliance needs Guardium Vulnerability Assessment – an overview
• SAP HANA vulnerabilities
• VA for SAP HANA demo with remediation
• Other key resources for VA

Page 5: IBM Security Guardium: Analyze. Protect. Adapt.

• Analyze: monitor and analyze data access and configurations to uncover threats
• Protect: protect data and files from inappropriate access and data leakage
• Adapt: adapt and change to evolving enterprise environments and reduced security skills

Page 6: Data Security Intelligence Scope

Data sources: Databases, Data warehouses, Hadoop, NoSQL, in-memory DB, Files, Apps

Static (Data at Rest, Configuration): Discover, Harden
Dynamic (Data in Motion): Monitor, Protect

Discover:
• Discover
• Classify
• Entitlements
• Forensics
• Compliance

Harden:
• Vulnerability Assessment
• Config changes history
• Encryption
• Remediation of vulnerabilities
• Patching
• Config change
• Policy change

Monitor:
• Monitor data traffic (DAP)
• Alert
• Audit data access
• Monitor config changes

Protect:
• Blocking (DLP)
• Dynamic Data Masking (redaction, Q/W) – (DDM)
• Quarantine
• Virtual Patch

Governance driven by easy and quick to adapt: Buy + Deploy + Manage + Use + Maintain
Enterprise, GB, Cloud, Mobile, Social

Page 7: Why compliance needs Guardium Vulnerability Assessment – an overview

Page 8: How Guardium Vulnerability Assessment addresses PCI-DSS

Req | Description | IBM Security Guardium Capability
2 | Do not use vendor-supplied defaults for system passwords | Comprehensive suite of DBMS-specific tests based upon industry standards (CIS, STIG)
3 | Protect stored cardholder data | Real-time database leak prevention
6 | Develop and maintain secure systems and applications | Centralized vulnerability and configuration assessment
7 | Restrict access to cardholder data by business need-to-know | Proactive, real-time access control (independent of native DBMS controls)
8 | Assign a unique ID to each person with computer access | Complements native DBMS controls with external, cross-DBMS controls
10 | Track and monitor all access to network and cardholder data | Continuous, granular auditing with scalable architecture to handle high transaction volumes
11 | Regularly test security systems and processes | Integrated vulnerability scanning, file integrity monitoring & behavioral vulnerability testing
12 | Maintain a policy that addresses Information Security for all | Robust automated controls for enforcing information security policies

(Five of these rows are tagged "VA" on the slide as the ones addressed by Vulnerability Assessment.)

Page 9: Audit Requirements

Regulations covered: PCI DSS; COBIT (SOX); ISO 27002; Data Privacy & Protection Laws; NIST SP 800-53 (FISMA)

1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)

SOX compliance needs to have the right permissions and controls in place.

DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language

(The slide tags this matrix "VA".)

Page 10: EU* General Data Protection Regulation (GDPR) requires enhanced obligations on data controllers and processors

• Operationalization of a Data Protection by Design and by Default process
• Requirement to conduct risk analysis and Data Protection Impact Assessments (DPIA)
• Implementation of technical and organizational security measures appropriate to the risks presented
• Breach notification obligations
• Increased obligations for data processors
• Increased rules on the transfer of data outside the European Economic Area (EEA)

*EU: European Union

Page 11: Vulnerability Assessment technology is used to support security threat management and compliance

Vulnerability Assessment solution scope: Database, Network, Infrastructure, Endpoint, Applications

• In-depth assessments of databases and applications such as ERP systems (for example SAP or Oracle), especially, are not widely supported in traditional VA solutions, which focus on devices
• IT security managers choosing a VA solution must make dedicated, ongoing vulnerability signature support and maintenance for the majority of their asset base a critical requirement.

– Gartner, market guide for VA

"Secure your crown jewels"

Page 12: Proactively identifying and mitigating risk to secure data assets

Guardium Vulnerability Assessment is used to support data security threat management and compliance.

For data security threat management: use VA for security configuration assessments to reduce overall enterprise risk from sophisticated attacks.

For compliance: use VA for the scanning requirements of regulatory compliance (like PCI DSS, GDPR, HIPAA, STIG, PHI, SOX).

Page 13: ANALYZE. PROTECT. ADAPT.

Page 14: Identify vulnerabilities across multiple platforms from a single console

• Automatically discover and classify sensitive data to expose compliance risks
• Analyze misconfigurations and default settings to uncover risks
• Understand who is accessing data, spot anomalies and stop data loss in real time
• Supports exception and remediation processes with seamlessly integrated reporting and dashboarding
• Tracks the National Vulnerability Database (CVE) and the X-Force DB
• Supports virtual patching through exceptions
• Integrates with SIEM (QRadar), QVM, AppScan and other VM tools
• New user experience supports comprehensive visibility, control and reporting
• Supports 15 database, data warehouse and big data (NoSQL) platforms
• More than 2200 vulnerability assessment tests
• STIG benchmarks for Oracle 11gR2 and SQL Server 2012
• The latest Q2 DPS tests include additional new tests for Oracle, MySQL, Postgres, DB2 z/OS and DB2 for i

NEW!

Page 15: 3 steps to easy deployment

(diagram: steps 1, 2 and 3)

Page 16: Guardium supports the most complex IT environments – enterprise-wide scalability

Page 17: Leverage security industry best practice and benefits . . .

Secure:
• Privileges, authentication
• Configuration settings
• Security patches
• Password policies
• OS-level file permissions

Enforce:
• DISA STIG, CVE and CIS
• SAP Security

Performance: zero impact

Established baseline: user-defined queries for custom tests to meet the baseline for
• Organization
• Industry
• Application

Forensics:
• Advanced forensics and analytics using custom reports
• Understand your sensitive data risk and exposure
• Ownership and access for your files

Page 18: VA data sources

• Data source definitions are created to include the JDBC connection parameters used to connect to the various DBMSs and scan for DB vulnerabilities
• A customizable report lists all data sources defined for VA scans
• If multiple data sources need to be created or updated at the same time, this can be done via CSV upload
• Upload a CSV file containing the data source information for bulk data source creation / updates

Page 19: Update with the latest discovered vulnerabilities

• Notifications are sent when the latest vulnerability assessment tests become available
• DPS packages are updated regularly
• Download the quarterly DPS package from the IBM Fix Central website
• Easily upload the DPS package from the Guardium appliance GUI

Page 20: Guardium provides tests for the latest SAP HANA vulnerabilities

SAP HANA support: v1.00, v1.01+110 (both cloud and on premise)

VA test coverage (65 tests in total):
• Password policies
• Default SYSTEM password, system privileges and roles
• Database object privileges granted to PUBLIC
• Database object privileges granted to individual users
• Database object privileges granted with grant option
• Version and patches
• HTTP, JS specific vulnerabilities
• CAS (file permission and ownership)

Enforce strict guidelines from STIG, CIS, CVE and SAP Security for SAP HANA vulnerabilities

Page 21: SAP HANA Vulnerability Assessment tests provide SAP Security guidelines

• Assessments can be scheduled to run via an audit process (compliance workflow) and be sent to compliance and remediation teams for fixing the vulnerabilities
• VA provides detailed results for every vulnerability test, which can be used for remediation purposes

Page 22: Detailed remediation recommendations for fixing the vulnerabilities and hardening against risk

• A customizable report can be generated to list all failed VA tests, filtered/sorted by test category, test score, severity, data source, etc.
• Reports can be scheduled to be sent to a list of users via email with CSV/PDF attachments or a link to the report, or to a SIEM system, AppScan, QVM or any other VM solution
• Through the compliance workflow (audit process), failed vulnerability assessment reports can be sent to DBAs for remediation

Page 23: Audit Process – schedule VA reports sent to a list of users

• Schedule the audit process to run regularly (e.g. every 1st day of the month; every Saturday 2am, etc.) or for ad hoc review
• Send results to a list of users
• Results can be CSV, CEF or PDF attachments in emails, a link to the report, or sent to a SIEM

Page 24: Test Exceptions

• For any failed vulnerability test, a test exception (or virtual patch) can be created for specific data sources
• An expiration date can be set for each test exception
• E.g. FAILED VA test 'Deactivate the SYSTEM User' for SAP HANA: an exception is needed until the end of the month to deactivate the account, so set it to PASS for this exception timeframe
• A report on test exceptions with explanations can be generated
• On a VA report, a test exception can be created by simply right-clicking on the failed VA test, or by API
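The SAP HANA test categories on page 20 and the dated test-exception rule on this page, worked through as a small Python assessment run. This is an added example, not Guardium's or SAP's code; the data-source name, test names, severities, row shapes and the length-8 baseline are assumptions, and every row is constructed.

```python
"""Miniature VA run: a few SAP HANA-style checks plus the deck's test-exception rule
(a dated exception turns a FAIL into PASS until it expires). Row shapes loosely follow
SAP HANA's SYS.USERS / SYS.GRANTED_PRIVILEGES views (assumption); all rows are constructed."""
from datetime import date

# Constructed sample rows for one data source, called "HANA-PROD" here.
USERS = [
    {"USER_NAME": "SYSTEM", "USER_DEACTIVATED": "FALSE"},
    {"USER_NAME": "APPUSER", "USER_DEACTIVATED": "FALSE"},
]
GRANTED_PRIVILEGES = [
    {"GRANTEE": "PUBLIC", "SCHEMA_NAME": "HR", "OBJECT_NAME": "SALARIES",
     "PRIVILEGE": "SELECT", "IS_GRANTABLE": "FALSE"},
    {"GRANTEE": "APPUSER", "SCHEMA_NAME": "HR", "OBJECT_NAME": "SALARIES",
     "PRIVILEGE": "SELECT", "IS_GRANTABLE": "TRUE"},
    {"GRANTEE": "APPUSER", "SCHEMA_NAME": "HR", "OBJECT_NAME": "EMPLOYEES",
     "PRIVILEGE": "SELECT", "IS_GRANTABLE": "FALSE"},
]
PASSWORD_POLICY = {"minimal_password_length": "6"}  # setting name assumed

# Each check returns the offending items; an empty list means the test PASSes.
def system_user_not_deactivated(users, privs, policy):
    return [u["USER_NAME"] for u in users
            if u["USER_NAME"] == "SYSTEM" and u["USER_DEACTIVATED"] != "TRUE"]

def object_privileges_to_public(users, privs, policy):
    return [f"{p['PRIVILEGE']} ON {p['SCHEMA_NAME']}.{p['OBJECT_NAME']}"
            for p in privs if p["GRANTEE"] == "PUBLIC"]

def object_privileges_with_grant_option(users, privs, policy):
    return [f"{p['PRIVILEGE']} ON {p['SCHEMA_NAME']}.{p['OBJECT_NAME']} TO {p['GRANTEE']}"
            for p in privs if p["IS_GRANTABLE"] == "TRUE"]

def weak_minimum_password_length(users, privs, policy):
    length = int(policy.get("minimal_password_length", "0"))
    return [f"minimal_password_length={length}"] if length < 8 else []  # 8: assumed baseline

# (name as it would appear on the VA report, severity, check); names are constructed.
TESTS = [
    ("Deactivate the SYSTEM User", "Critical", system_user_not_deactivated),
    ("Object privileges granted to PUBLIC", "Major", object_privileges_to_public),
    ("Object privileges granted with grant option", "Major", object_privileges_with_grant_option),
    ("Minimum password length", "Minor", weak_minimum_password_length),
]

# Test exceptions (virtual patches): scoped to one data source and one test, with an expiry.
EXCEPTIONS = [
    {"test": "Deactivate the SYSTEM User", "datasource": "HANA-PROD",
     "expires": "2016-06-30", "reason": "SYSTEM deactivation scheduled for month end"},
]

def active_exception(test, datasource, as_of):
    """Return the exception covering this test/data source on the given ISO date, if any."""
    for exc in EXCEPTIONS:
        if (exc["test"] == test and exc["datasource"] == datasource
                and date.fromisoformat(as_of) <= date.fromisoformat(exc["expires"])):
            return exc
    return None

def run_assessment(datasource, as_of):
    """Evaluate every test and apply active exceptions; one result dict per test."""
    report = []
    for name, severity, check in TESTS:
        findings = check(USERS, GRANTED_PRIVILEGES, PASSWORD_POLICY)
        exc = active_exception(name, datasource, as_of) if findings else None
        status = "PASS" if not findings or exc else "FAIL"  # exception overrides a FAIL
        report.append({"test": name, "severity": severity, "status": status,
                       "findings": findings, "exception": exc["reason"] if exc else None})
    return report

def failed_tests(report):
    return [r["test"] for r in report if r["status"] == "FAIL"]

if __name__ == "__main__":
    for day in ("2016-06-21", "2016-07-01"):  # before and after the exception expires
        print(day, failed_tests(run_assessment("HANA-PROD", day)))
```

Run on the two dates, the SYSTEM-user test reports PASS with the exception reason attached until 2016-06-30 and reverts to FAIL on 2016-07-01, while the exception never applies to a different data source.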

Page 25: DEMO of VA for SAP HANA

Page 26: Vulnerability Assessment – Dashboard Samples

Reports can be graphically displayed and sent to or shared with the CISO, CSO, compliance execs…

Page 27: New Guardium VA material

V10 Solution Brief: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=SP&infotype=PM&htmlfid=WGS03063USEN&attachment=WGS03063USEN.PDF

V10 Guardium Vulnerability Assessment Data Sheet: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=SP&infotype=PM&htmlfid=WGD03074USEN&attachment=WGD03074USEN.PDF

Guardium VA demo for MongoDB: https://www.youtube.com/watch?v=uEMF6bnb4Sk
Guardium VA demo for DB2 z/OS: https://www.youtube.com/watch?v=0WqIXK5GWZo
Guardium VA demo and tech talk for DB2 for i: http://ibm.biz/GTechIBMi

Page 28: Learn More

• ibm.com/guardium
• What's new in Guardium V10 article on developerWorks (updated for 10.1)
• Release notes

© 2016 IBM Corporation

Page 29: THANK YOU

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Page 30: Backup

Page 31: How Guardium Vulnerability Assessment addresses PCI-DSS (detail)

Req 2 – Do not use vendor-supplied defaults for system passwords
  • Configure system parameters to prevent misuse
  • Encrypt non-console admin access
  Guardium capability: comprehensive suite of DBMS-specific tests based upon industry standards (CIS, STIG)
  - Checks for default passwords, unpatched systems, misconfigured privileges, etc.
  - Audits usage and alerts on misuse
  - Locks configurations after vulnerabilities are remediated
  - Monitors encrypted traffic (Oracle, ASO, SSL, etc.) without need for key storage

Req 3 – Protect stored cardholder data
  Guardium capability: real-time database leak prevention
  - Continuous, real-time, policy-based monitoring with proactive security (alerts, blocking unauthorized access)
  - Compensating control for column-level encryption
  - Auto-discovers & classifies PCI data; identifies sensitive PCI data in the query result stream

Req 6 – Develop and maintain secure systems and applications
  • Establish a process to identify security vulnerabilities
  • Follow change control procedures for all configuration changes
  • Separation of duties (development, test, and production)
  Guardium capability: centralized vulnerability and configuration assessment
  - Ensures current patches are applied and vulnerable SPs identified; "Virtual Patching"
  - Alerts on all configuration changes, inside and outside databases
  - Enforces separation of duties with real-time alerting and granular access controls

Req 7 – Restrict access to cardholder data by business need-to-know
  Guardium capability: proactive, real-time access control (independent of native DBMS controls)
  - Policies defined by source IP or application, OS or DB user, time, SQL command, object, etc.
  - Blocks any unauthorized user, including administrators, from accessing cardholder data
  - Compensating control for unsegmented networks
  - Entitlement reporting to collect and understand user rights information across heterogeneous databases

Req 8 – Assign a unique ID to each person with computer access
  • Enforce password policies
  • Limit repeated access attempts
  Guardium capability: complements native DBMS controls with external, cross-DBMS controls
  - Alerts on credential sharing, failed logins, account creation, privilege escalation
  - Verifies password policies are enforced; can lock accounts or terminate sessions

Req 10 – Track and monitor all access to network and cardholder data
  Guardium capability: continuous, granular auditing with scalable architecture to handle high transaction volumes
  - Fine-grained audit trail of all database activities (SELECT, DDL, DML, DCL, logins, logouts, etc.)
  - No reliance on native trace or audit logs: minimal performance impact (2-3%), enforces separation of duties
  - Tracks all network and local connections, including direct access by DBAs (shared memory, etc.)
  - Audit information stored securely in a hardened appliance to prevent anti-forensics or tampering
  - Identifies fraud by resolving end-user IDs in connection-pooling apps (SAP, Cognos, PeopleSoft, etc.)
  - Integrates with LDAP, IAM, TCIM, TSM, SIEM, change management, CMDBs, etc.
  - Compliance workflow automation (electronic sign-offs, escalations) demonstrates the oversight process
  - PCI Accelerator provides pre-configured reports based on best practices

Req 11 – Regularly test security systems and processes
  • Run internal and external vulnerability scans
  • Deploy integrity monitoring to detect modifications of critical system files
  Guardium capability: integrated vulnerability scanning, file integrity monitoring & behavioral vulnerability testing
  - Includes hundreds of pre-configured vulnerability tests for all major DBMS/OS combinations
  - Tracks changes to DB configuration files, environment/registry variables, executables and OS files

Req 12 – Maintain a policy that addresses Information Security for all
  • Monitor/analyze alerts and distribute to appropriate personnel
  • Monitor and control all access to data
  Guardium capability: robust automated controls for enforcing information security policies
  - Real-time alerts, correlation alerts, centralized aggregation of all audit data, SIEM integration
  - Automated sign-offs demonstrate a formal oversight process
  - 100% visibility & control over all database transactions (with blocking)

(Five of the requirements are tagged "VA" on the slide as the ones addressed by Vulnerability Assessment.)

Page 32: SAP HANA vulnerability assessment report – Harden databases by identifying un-patched and misconfigured systems

(screenshot callouts: Filters and Sort Controls; Result History; Current Test Results; Detailed Remediation Suggestions; Prioritized Breakdown; Detailed Test Results; Download report in PDF/XML)

Page 33: Guardium VA and AppScan ASE Integration – Use Case

Using AppScan ASE – HR Application (application name, URL, type):
• Application Specific Vulnerability 1
• Application Specific Vulnerability 2
• Application Specific Vulnerability 3
• Application Specific Vulnerability 4
• Application Specific Vulnerability 5

Using Guardium VA – HR Database (database name, IP, type):
• Database Vulnerability 1
• Database Vulnerability 2
• Database Vulnerability 3
• Database Vulnerability 4
• Database Vulnerability 5

Page 34: Managing imported issues

You can manage imported issues, display About This Issue, and edit the attributes of those issues