IBM services and technology solutions for supporting … · IBM technology solutions as key...


Page 1: IBM services and technology solutions for supporting … · IBM technology solutions as key enablers ... 3.2.13 Back Up & Restore • TSM: ... • IBM Business Continuity and Resiliency

IBM services and technology solutions for supporting GDPR program


Page 2

IBM technology solutions as key enablers - Privacy

2. Privacy Enforcement

GDPR Program Work-stream / IBM software

2.1 Privacy Risk Assessment and Risk Treatment plan

2.2 Roles & Responsibilities

2.3 Personal Data Catalogue
2.3.1 Discovery on Non-Structured Data
  • IBM StoredIQ
2.3.2 Discovery on Structured Data
  • InfoSphere Information Server
2.3.3 Definition of Data Catalogue
2.3.4 Adding functional details
2.3.5 Adding technology details

2.4 Applications adequacy
2.4.1 Mapping of applications managing personal data
  • InfoSphere Information Server
2.4.2 Assessment of compliance & gap analysis
2.4.3 Implementation of actions for compliance

2.5 Privacy documentation adequacy

2.6 Privacy processes review/design

2.7 Automation of privacy processes
2.7.1 Selection of processes
2.7.2 Selection of ICT solutions
  • InfoSphere Information Server
  • InfoSphere Master Data Management
  • Case Manager
  • Filenet Platform
  • InfoSphere Optim
2.7.3 Implementation of ICT solutions
2.7.4 Reporting of facts and evidences

2.8 Data Management System – Data quality
2.8.1 Define Life Cycle management requirements
  • InfoSphere Information Server
  • InfoSphere Master Data Management
  • Case Manager
  • InfoSphere Optim
2.8.2 Embed Data Privacy rules into processes & systems
2.8.3 Embed Data Privacy rules in Data Mgmt practice

Page 3

IBM technology solutions as key enablers - Security

3. Security Enforcement

GDPR Program Work-stream / IBM software

3.1 Policy, Risk Analysis and Risk Treatment Plan

3.2 Preventive security measures
3.2.1 Asset Management & classification of personal data
  • Guardium
3.2.2 Training
3.2.3 Data Security
  • Guardium
3.2.4 Identity Governance & Management
  • Identity Governance and Intelligence (Crossideas)
3.2.5 Access Management
  • Information Security Access Management
3.2.6 Encryption & Pseudonymization
  • Guardium
3.2.7 Server, End Point and Mobile Security
  • Bigfix
  • Carbon Black
  • MaaS360
3.2.8 Data Loss Prevention
3.2.9 Vulnerability of DBs, Systems, Networks
  • QRadar Vulnerability Manager
  • Guardium
3.2.10 Vulnerability of applications
  • Appscan
3.2.11 Secure coding & SW development
3.2.12 Network Security
  • XGS
3.2.13 Back Up & Restore
  • TSM
3.2.14 Monitoring processes
  • Guardium
3.2.15 Audit processes
3.2.16 Suppliers & Third Party management

3.3 Detection & Response security measures
3.3.1 SIEM for Privacy Violation
  • QRadar SIEM
3.3.2 Privacy Incident Management Process
  • Resilient
  • QRadar Incident Forensics
3.3.3 Notification of data breach to Authority
  • Resilient
3.3.4 Communication of data breach to Individual

3.4 Continuity and Recovery security measures
3.4.1 Business Continuity Plan for personal data mgmt
  • IBM Business Continuity and Resiliency Services
3.4.2 Disaster Recovery Plan for personal data mgmt

Page 4

IBM Customer Confidential

Focus on IBM Security software

Page 5

• PREVENTION: Help to continuously stop attacks and remediate vulnerabilities

• DETECTION: Identify the most important threats with advanced analytics and forensics

• RESPONSE: Respond to incidents in integrated and organized fashion

Page 6

Other IBM prevention security software

Among the broad IBM Security portfolio, three software products are pivotal for compliance with the requirements

• Early identification of attack and potential data breaches

• Monitor & audit of the overall infrastructure

• Monitor and audit access to personal data, detection and alerting of non-compliant access

• Fine-grained control of data modification

• Fast incident response following a suspected or actual breach

• Orchestration of incident response processes including collection of forensic information, analysis, reporting and remediation

Row labels: Purposes for GDPR; Focus on Software

PREVENTION DETECTION RESPONSE

Page 7

Security & Traceability – Guardium for GDPR
Fine grained data access control

1. Identify and Mitigate Security Vulnerabilities

2. Discover & Classify Personal Data

3. Encrypt/Obfuscate (Pseudonymize)

4. Monitor and track data access and modification

5. Enforce right to access, modify,.. data

6. Compliance Reporting

ANALYTICS

• Discover and classify data, assess vulnerabilities, report on entitlements

• Encrypt, mask, and redact sensitive data

• Monitor data and file activity

• Block, mask, alert, and quarantine dynamically

• Automate compliance and auditing

Presenter
Presentation Notes
Another word about governance …. Central Add messaging to this slide? Overlay messaging onto this slide.
Page 8

Prioritized Breakdown

Detailed Test Results

Result History

Detailed Remediation Suggestions

Filters and Sort Controls

Current Test Results

1. Guardium Vulnerability Assessment
Identify and mitigate security vulnerabilities in data stores

Presenter
Presentation Notes
For the next use case: You are all probably familiar with network vulnerability scans. One of the best practices that has been adopted in the security community in the last couple of years is to conduct database vulnerability assessments. This allows you to harden your database infrastructure by discovering and fixing unpatched and misconfigured systems, making it more difficult to penetrate these systems.

InfoSphere Guardium allows you to scan, once again on a manual or scheduled basis, specified databases to identify these types of issues using a regularly updated IBM Knowledge Base. Since operational requirements cause database configuration to constantly change, InfoSphere Guardium allows you to regularly identify issues without the use of the highly skilled DBAs typically required to identify configuration issues.

Once you have completed an assessment you are presented with a variety of very helpful information, including:
• Overall test score for a quick quantitative measure of your security posture
• Your test history to ensure you are continuously improving
• A breakdown of your test results by both priority and functionality, which is very helpful in developing a remediation plan that aligns with your resources
• Detailed results for each test, including a description of the test, suggested remediation if you failed the tests, and helpful external pointers like CVE identifiers

You get a very complete at-a-glance picture of the security posture of your database infrastructure without spending lots of time, effort, and cost.
Page 9

2. Guardium Data Activity Monitor
Analyze and automatically discover sensitive data and uncover risks

Automatically discover unregistered data repositories

Automatically discover sensitive data in databases and file systems

Classify sensitive data according to existing categories

Add membership to controlled data groups or categories subject to security policies

Comprehensive visibility, control and reporting

Sensitive Data Finder

Auto-discovery


Presenter
Presentation Notes
Metadata is part of the voiceover for bullet 1.

Discover sensitive data and uncover risk:
• Understand your sensitive data and where it resides
• Automate identification and classification of sensitive data
• Determine who is accessing sensitive data and spot anomalies with real-time activity monitoring
• Find compliance risks (automated)
• Uncover risks and take action using automated forensics

1) Discovering the data environment composition: you cannot govern what you do not understand. Find un-catalogued databases and classify sensitive information within them, including the entitlements.
2) Track activity against sensitive data: maintaining security on a continuous basis by monitoring all transactions.
3) Protecting against threats and data loss: automating controls to protect our sensitive data with real-time policy assessment with appropriate remediation (Fine-Grained Policies with Real-Time Alerts. Prevent policy violations in real-time (blocking)). Expanding Fraud Identification at the Application Layer. Identify inappropriate use by authorized and privileged users.
4) And finally, helping understand the security/risk posture and hardening the data environment.
Page 10

3. Guardium Data Encryption
Encrypt / Obfuscate (Pseudonymize)

Page 11

4. Guardium Data Activity Monitor (DAM) for Databases
Monitor and track data access and modification

• Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users to detect unauthorized or suspicious activity

• Behavior analysis to detect outliers and spot anomalies

• Real-time alerting to prevent Data Loss

• Compliance automation

• Prepackaged compliance reports for SOX, PCI, etc

• Does not rely on resident logs that can easily be erased by attackers, rogue insiders

• SOD enforcement for DBA access

• Non-invasive/disruptive, cross-platform architecture

• Dynamically scalable

• Minimal performance impact

Presenter
Presentation Notes
So now we come to the part where we should reap the benefits of the first two steps, because once you know about your data and protect it, you will need to prove that your policies are effective. This is where the auditors are going to start asking questions. This is the step companies are most likely to skip, or do poorly, because it is labor intensive and complex. And thus we have many failed audits or breaches which end up in fines, liability, PR nightmares, loss of trust in the brand.

Just to illustrate the urgency for this step: DBA user groups have reported that less than 40% of organizations have mechanisms to prevent privileged user tampering on databases or applications. Most companies we encounter have no database security monitoring solution in place, or they have attempted to build a “home grown” solution based on native auditing. Although it can be done, these projects are really not effective:
• They require lots of labor, time, and expertise to set up and maintain in a large heterogeneous environment
• Turning on native logging impacts the performance of the DB (10%-45%)
• Audit analysis means that you are responding after the fact, which is too late
• And to top it off, there is no SOD: audit logs can be tampered with by the DBAs at will

Add to this data explosion into unstructured repositories (like Big Data) and cloud based virtualized systems and you get a real mess.

InfoSphere Guardium’s real-time database monitoring platform helps clients safeguard their data, monitor database activity across heterogeneous environments, and reduce operational costs by automating regulatory compliance tasks.

Real time monitoring and auditing has to be implemented to be able to respond to any data breach. InfoSphere Guardium enables clients to maintain trusted information infrastructures by continuously monitoring access and activity to protect high-value databases against threats from legitimate users and potential hackers.

• Secures and protects high-value databases, identifies application-layer fraud
• Enables consistent enforcement of governance policies; demonstrates compliance
• Lowers compliance costs and effort compared to manual auditing, with no impact on existing business processes

InfoSphere Guardium complements IBM’s offerings for:
• Extends Test Data Management solutions by monitoring sensitive data access in test environments
• Extends Data Growth solutions with ability to monitor both active and inactive (archived) data
• Extends Data masking and protection solutions enabling consistent governance and compliance with regulatory mandates such as PCI, HIPAA, DPP and more
• Extends capabilities to automatically locate all databases, in both production and test environments, for monitoring and protection
Page 12

5. Guardium Data Activity Monitor (DAM) for Databases
Enforce right to access, modify, delete data

Diagram labels: EmployeeTable, SELECT

Presenter
Presentation Notes
Example of detecting access to the database server from someone using the App Server credentials. Alerting is one of the options you have for policy rules. You can set up pretty fine-grained rules. Alerts can be sent to email, syslog and/or to a SIEM system such as QRadar. They will also appear on the Incident Management tab of the Guardium UI. Be careful about how you set the Action: Alert per match could end up sending a lot of emails to someone depending on the type of SQL statement.

Notes: The most common type of exception rule created is to alert on x number of failed login attempts within x minutes; for example 3 failed login attempts within 5 minutes. To create this alert, create a new exception rule as follows:
• Action = Alert Per Match
• Minimum Count = 3
• Reset Interval = 5
• Excpt. Type = LOGIN_FAILED
• DB User = . (a period)

Placing a period in DB User causes the system to place a counter on DB User, so that you will only receive an alert when the same user attempts to log in three times within five minutes. Otherwise, it will alert whenever there are three failed logins from any three users within five minutes, which could result in a great deal of false positives.
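The difference between the per-user counter and the global counter described in the note above, as an added example (not Guardium code and not part of the original deck). The event tuple format, the function name, the `"*"` key for the global counter, the sliding-window reading of Reset Interval and the counter reset after an alert are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIN_COUNT = 3                           # "Minimum Count = 3" from the note
RESET_INTERVAL = timedelta(minutes=5)   # "Reset Interval = 5" (minutes)


def _t(hms):
    """Build a timestamp on a fixed, constructed date."""
    return datetime.strptime("2024-01-01 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample events: (timestamp, db_user, exception_type)
SAMPLE_EVENTS = [
    # Three different users each mistype a password once.
    (_t("09:00:00"), "alice", "LOGIN_FAILED"),
    (_t("09:00:40"), "bob", "LOGIN_FAILED"),
    (_t("09:01:10"), "carol", "LOGIN_FAILED"),
    # A non-login exception must not feed the counter.
    (_t("09:05:00"), "alice", "SQL_ERROR"),
    # One account fails three times in 45 seconds.
    (_t("09:10:00"), "svc_app", "LOGIN_FAILED"),
    (_t("09:10:20"), "svc_app", "LOGIN_FAILED"),
    (_t("09:10:45"), "svc_app", "LOGIN_FAILED"),
    # Three failures by one user, but spread over seven minutes.
    (_t("09:20:00"), "dave", "LOGIN_FAILED"),
    (_t("09:23:00"), "dave", "LOGIN_FAILED"),
    (_t("09:27:00"), "dave", "LOGIN_FAILED"),
]


def failed_login_alerts(events, per_user=True,
                        min_count=MIN_COUNT, interval=RESET_INTERVAL):
    """Return [(timestamp, key)] for every threshold crossing.

    per_user=True  keeps one counter per DB user (the "period in DB User"
                   case in the note).
    per_user=False keeps a single counter for all users, reported under the
                   assumed key "*".
    """
    windows = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = []
    for ts, user, exc_type in sorted(events):
        if exc_type != "LOGIN_FAILED":
            continue
        key = user if per_user else "*"
        window = windows[key]
        window.append(ts)
        # Drop failures that fell out of the interval.
        while ts - window[0] > interval:
            window.popleft()
        if len(window) >= min_count:
            alerts.append((ts, key))
            window.clear()         # assumed: counter restarts after an alert
    return alerts


if __name__ == "__main__":
    for mode in (True, False):
        label = "per-user" if mode else "global"
        for ts, key in failed_login_alerts(SAMPLE_EVENTS, per_user=mode):
            print(f"{label:8} alert at {ts:%H:%M:%S} for {key}")
```

On the constructed events the per-user counter alerts once, for `svc_app`, while the global counter also alerts on the three unrelated single failures at 09:01:10.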
Page 13

5. Guardium Data Activity Monitor (DAM) for Databases
Enforce right to access, modify, delete data

• No database changes
• No application changes
• No network changes
• Without the performance or availability risks of an in-line database firewall

Session Terminated

Presenter
Presentation Notes
The InfoSphere Guardium solution supports a wide range of responsive actions from the pull-down menu in the policy development interface. We just looked at an example of specifying a real time alert, but a wide variety of other responsive actions exist, including blocking the transaction in real-time and quarantining the user. The latter goes beyond blocking the transaction, and blocks the user from accessing the resources in question for a fixed period of time; avoiding the cat and mouse game that can occur if a perpetrator is blocked. In those cases they then seek ways to avoid your control, so quarantine gives your security team time to investigate and remediate the issue. But let’s take a moment to examine how a transaction can be blocked in real time. In most cases, the blocking policies are written so that your production traffic (from applications) is not examined, since that is known to be secure. Other traffic, in this case a DBA trying to directly access our product database, is held by the blocking version of our software probe, the Data-Level Access Control Product or SGATE, while the transaction is compared to your specified policy by the Collector. If a policy violation is detected, a message is sent back to the Data-Level Access Control software and the connection is terminated. You can see what the sequence of events looks like to the DBA in this GUI window, where they are using a desktop tool like SQLplus. When they try to access the sensitive credit card information, the transaction is blocked and the session is terminated. Unlike database software-based-approaches to prevention, such as those of Oracle or McAfee, the DLAC approach requires no changes to the database or application, which is a fundamental requirement of many organizations. And, unlike the in-line appliance approach of companies like Oracle or Imperva, it requires no network changes, nor the insertion of appliances that can introduce performance issues or a single point of failure.
Page 14

Understand your sensitive data exposure

Get a full picture of ownership and access for your files

Control access to critical files through blocking and alerting

Gain visibility into all file entitlements and activity through custom reports and advanced search

Guardium introduces new file activity monitoring to identify normal and abnormal behavior and drill into the details

4-5. Guardium Data Activity Monitor (DAM) for Files
Monitor and track data access and modification
Enforce right to access, modify, delete data

• File Activity Monitoring helps you manage access to your unstructured data containing critical and sensitive information.

• Provides complete visibility into activity by providing extensive compliance and audit capabilities.

Page 15

Guardium GDPR Accelerator
A pre-defined knowledge set mapped to GDPR obligations

Data Discovery and Classification for Personal Data

Predefined Policies and Groups for GDPR Personal Data

Auditing and Monitoring reports for GDPR Personal Data

Support for GDPR Impact Assessment

Compliance workflows and Audit Process Builder for notifications to auditors, controllers and DPO


Page 16

Prioritized incidents

Embedded Intelligence

IDENTIFICATION
• Data collection, storage, and analysis
• Real-time correlation and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection

REMEDIATION
• Incident forensics
• Around-the-clock management, monitoring and protection
• Incident response

EXTENSIVE DATA SOURCES

Servers & mainframes

Data activity

Network and virtual activity

Application activity

Configuration data

Security devices

Users & identities

Vulnerabilities and threats

Global threat intelligence

Security & Traceability – QRadar Sense Analytics
Infrastructure control and advanced threat detection

Presenter
Presentation Notes
QRadar SIEM excels at taking in massive amounts of enterprise-wide security data and using its advanced intelligence and analytics to build a prioritized list of incidents requiring immediate attention. Inside the Offenses tab, security teams can simply right-click any of the entries within the dashboard to see any of the underlying event and flow data to start determining a remediation plan or determine the result was a false positive.

With the arrival of QRadar Incident Forensics, there’s a new option for seeing even more supporting data extracted from the associated network packet data. This brings a new level of clarity to the incident and allows investigators to discover less obvious data connections and previously hidden relationships between multiple IDs.

Using Internet search engine technology, QRadar Incident Forensics presents a simplified user interface accepting free-form text and Boolean logic operators. The search criteria can use any packet capture metadata, reconstructed file metadata or keywords that would reside within a document, email, chat session, etc. Results are normally returned in minutes if not seconds. QRadar Incident Forensics does to full packet capture data what QRadar SIEM does to event and flow data: it helps security teams discover the malicious or anomalous conditions really, really quickly.

Product: QRadar Sense Analytics Engine, QRadar Incident Forensics, QRadar Incidence Response, IBM Managed Security Services
Page 17

Security & Traceability – QRadar Sense Analytics
One platform to drive security intelligence and analytics

• Advanced Threat Detection
• Insider Threat Detection
• Risk and Vulnerability Management
• Incident Forensics
• Incident Response
• Compliance Reporting
• Securing Cloud
• Third-Party Usage

Presenter
Presentation Notes
This is just a summary of what we’ve been trying to communicate over the course of this presentation. The benefits of adopting or switching to QRadar Security Intelligence include:
• Faster identification of high priority issues – so you can quickly build an effective remediation plan
• Consolidation of data silos – so you can see the relationships between event and threat data and tune your implementation for even greater accuracy
• Ability to address regulation mandates – so you can pass any audit coming your way
• Stop insider fraud and abuse – so you can contain and control any data tampering, loss, etc.
• Tighten your security profile by reviewing asset configurations and removing vulnerabilities – so you are less exposed to commonly occurring attacks
Page 18

Save on network bandwidth for data audit logs

Guardium & QRadar integration
Optimizing security while expanding monitoring scope for data sources

Diagram labels: Mainframe, Network Infrastructure, Data Warehouse, Big Data, File, Guardium, Identity, Database, Application

Improve analytics performance by offloading data analysis

Save on storage costs for duplicating data audit logs

No need to turn audit logs on DB. Save on DB/App performance

Real-time analysis and preventive measures

Normalized audit logs


Presenter
Presentation Notes
You may already be familiar with how Guardium complements and enhances QRadar by providing real-time insights into data risks and threats, while providing complete and normalized audit records for all data sources, from databases, data warehouses, big data, and now files. This complete visibility is something they cannot get otherwise, without affecting the performance and security of the data source itself.

Just as you thought things could not get better, now we added bidirectional support. Now we can consume QRadar events and risk information. What good is that? Well, QRadar has a wealth of threat and security information about the IT environment as a whole. They are simplifying preventive analysis of threats. So, why not use that information to augment our alertness on the data side? If QRadar knows or detects rogue users or IP addresses that pose a risk, Guardium should know about it to change the risk severity in its policies on data sources automatically.
Page 19

Guardium & QRadar integration
Real-time policy integration

Page 20

Guardium & QRadar integration
Guardium Classification, VA and QRadar Vulnerability Manager

Diagram labels: AppScan, IBM Endpoint Manager, Integrated vulnerability scanner, Network discovery and asset information, IBM Security Context, 3rd Party vulnerability solutions

VA Tests

Database User Activity

DB Tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL)
• Permissions
• Roles
• Configurations
• Versions
• Custom tests

OS Tier (Windows, Solaris, AIX, HP-UX, Linux)
• Configuration files
• Environment variables
• Registry settings
• Custom tests

Presenter
Presentation Notes
Guardium assesses vulnerabilities in 3 areas:
1) At the database layer: looking for default permissions, bad configuration, outdated versions, or even custom tests
2) At the OS level: also looking for missing patches, bad registry entries or environmental variables, or security configuration issues
3) And from the observed behavior from the database activity monitoring analysis: like repeated failed login attempts

Many of these tests are known issues and have a Common Vulnerability Event number or CVE assigned. Guardium sends a filtered report with CVE failures per resource to QRadar through a staging server. These reports can be sent using the AXIS format or the SCAP schema. QRadar SIEM can use these “Failed CVE reports” to determine the risk level of particular resources.

QRadar Vulnerability Manager is a new offering that allows customers to consolidate and model their security posture view, by collecting vulnerability and configuration information from a wide set of sources. Traditionally, vulnerability scanners have focused on network, OS, or application vulnerabilities (in this priority order), and they have almost forgotten the database, which, as you know by now, is where most targeted attacks end up. Fortunately, Guardium VA provides a very complete vulnerability assessment for database and OS infrastructure, that can help QVM differentiate against competition, since there are very few DB vulnerability assessment vendors.

SCP = secure copy

QVM key features:
• Contains an embedded, well proven, scalable, analyst recognised, PCI certified scanner
• Detects 70,000+ vulnerabilities
• Tracks National Vulnerability Database (CVE)
• Present in all QRadar log and flow collectors and processors
• Integrated external scanner
• Complete vulnerability view supporting 3rd party vulnerability system data feeds
• Supports exception and remediation processes of VM with seamlessly integrated reporting and dashboarding
Page 21

Incident Management – IBM Resilient
How to handle and respond to security incidents

• PREVENTION: Help to continuously stop attacks and remediate vulnerabilities

• DETECTION: Identify the most important threats with advanced analytics and forensics

• RESPONSE: Respond to incidents in integrated and organized fashion

Unites Security Operations and Incident Response
Resilient will extend IBM’s offerings to create one of the industry’s most complete solutions to prevent, detect, and respond to threats

Delivers a Single Hub for Response Management
Resilient will allow security teams to orchestrate response processes, and resolve incidents faster, more effectively, and more intelligently

Integrates Seamlessly with IBM and 3rd Party Solutions
Resilient integrates with QRadar and other IBM and 3rd party solutions so organizations of various sizes can successfully resolve attacks

Page 22

IBM Resilient’s unique value

Resilient has the largest knowledge base of regulations regarding Data Breach incidents!


Presenter
Presentation Notes
Resilient is the industry standard solution for incident response. Our IRP integrates all other security technologies into a single hub, allowing easy workflow configuration and process automation. It arms security teams with best-in-class response capabilities. We bring a unique perspective to IR in the fact that we align people, process, and technology together to drive improved response. Empowers security teams to analyze, respond, resolve and mitigate incidents faster. Integrates all other security technologies into a single hub, allowing easy workflow configuration and process automation. Bottom line: Resilient helps you save time, automate your IR processes, and empower your security team. One customer went from 20 days (on average) to close a security incident to less than 5 days
Page 23

IBM Resilient Incident Response Platform

Security Module
• Industry standard workflows (NIST, SANS)
• Threat intelligence feeds
• Organizational SOPs
• Community best practices

Action Module
• Automate processes
• Enrich incident details
• Gather forensics
• Enact mitigation

Privacy Module
• Global breach regulations
• Contractual obligations
• Third-party requirements
• Organizational SOPs
• Privacy best practices

Page 24

IBM Resilient: an example

Page 25

IBM Resilient: an example

Address to send

Link to pre-define form

Contact info
