IBM Security
March 22, 2016
Protecting your Crown Jewels
Howie Hirsch
Senior IT Specialist
IBM Security
© 2016 IBM Corporation 2
Agenda
• Introductions
• Protect critical assets
• Mainframe information
• Enterprise security intelligence
• Proof points and summary
Data compromises occur quickly
It takes days or more to discover compromises and weeks or more to contain them.
Source: Verizon Data Breach Investigations Report
[Chart: time span of events by percent of breaches]
IBM Security Information Governance solutions
Data security lifecycle around the critical data server infrastructure: Discover and Classify, Assess and Harden, Monitor and Enforce, Audit and Report
Discover and Classify
• Discover your database management systems
• Discover and classify sensitive data
• Continuously update security policies
Assess and Harden
• Database vulnerability assessments
• Sensitive data encryption and masking
• Archive unneeded data
• Preconfigured tests based on best practices and standards
Monitor and Enforce
• Monitor and alert on attacks in real-time
• Monitor privileged users
• Monitor changed behavior
• Prevent cyberattacks
• Detect application-layer fraud
• Enforce change controls
• Forensics data mining
• Cross-DBMS policies
Audit and Report
• Pre-built compliance reports (SOX, PCI, etc.)
• Enterprise integration
• SIEM integration
• Sign-off management
• Centralized audit repository
• No database changes
Real-time activity monitoring with IBM Security Guardium®
Architecture components shown: Central Manager Appliance, Collector Appliances, Host-based Probes (S-TAP®s), Data Repositories, Application Servers
Activity Monitoring: continuous policy-based real-time monitoring of all data traffic activities, including actions by privileged users
Blocking and Masking: automated data protection compliance
Vulnerability Assessment: database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities
Real-time activity monitoring with IBM Security Guardium
Key functionality
• Non-invasive, non-disruptive, cross-platform architecture
• Dynamically scalable
• Separation of Duties enforcement for DBA access
• Auto-discover sensitive resources and data
• Detect or block unauthorized and suspicious activity
• Granular, real-time policies (who, what, when, how)
• Doesn’t rely on resident logs, which are easily erased by attackers and rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision
Real-time data activity monitoring across the enterprise
For data warehouses, Big Data environments, and file shares
Sources shown: Applications (Siebel, PeopleSoft, E-Business, WebSphere), Databases (DB2, IMS), Data Warehouses (Netezza), CICS, Database Tools, Enterprise Content Managers, Big Data Environments, File Shares, VSAM, FTP
Vulnerability assessments based on best practices
IBM InfoSphere® Guardium Vulnerability Assessment Appliance
Database Vulnerabilities
• Teradata
• Netezza®
• MySQL
• Postgres
• Oracle
• SQL Server
• DB2®
• Sybase
Automated Database Assessments
• Privileges
• Authentication
• Configuration
• Patch levels
Web-based Reporting
• Pass/fail statistics
• Criticality/recommended actions
• Filters and comparison
• History and trends
• Distribution/compliance workflow
Ensuring data privacy with IBM Optim™ Data Masking

Live Data

Personal Info Table
PersNbr  FirstName  LastName
10000    Patricia   Zakhar
10001    Claude     Monet
10002    Michael    Parker

Event Table
PersNbr  FstNEvtOwn  LstNEvtOwn
10002    Michael     Parker
10002    Michael     Parker

Masked Data

Personal Info Table
PersNbr  FirstName  LastName
08054    Alice      Bennett
19101    Carl       Davis
27645    Elliot     Flynn

Event Table
PersNbr  FstNEvtOwn  LstNEvtOwn
27645    Elliot      Flynn
27645    Elliot      Flynn

ROBERT SMITH -> MASK -> JASON MICHAELS

• De-identify/mask sensitive data for test, development and production environments
• Retain behavioral characteristics and referential integrity of the data
• Renders the data valueless if stolen
• No need to risk using personally identifiable information
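A worked illustration of the referential-integrity property shown above, added here as example code (not Optim's own implementation): the same PersNbr and the same name are always mapped to the same masked values, so the Event Table still joins to the Personal Info Table after masking. The keyed-hash approach, the substitution pools and the masking key are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed sample rows, modelled on the slide's two live tables.
PERSONAL_INFO = [("10000", "Patricia", "Zakhar"),
                 ("10001", "Claude", "Monet"),
                 ("10002", "Michael", "Parker")]
EVENTS = [("10002", "Michael", "Parker"), ("10002", "Michael", "Parker")]

# Constructed substitution pools; a real masking tool uses large lookup tables.
FIRST_NAMES = ["Alice", "Carl", "Elliot", "Dana", "Grace", "Hugo", "Irene", "Jonas"]
LAST_NAMES = ["Bennett", "Davis", "Flynn", "Keller", "Lopez", "Moore", "Nash", "Osei"]
MASK_KEY = b"constructed-masking-key"  # hypothetical; never ships to the masked environment


def _digest(value: str, purpose: str) -> int:
    # Keyed hash: the same input always masks the same way, but the mapping
    # cannot be reversed (or reproduced) without the key.
    mac = hmac.new(MASK_KEY, f"{purpose}:{value}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def mask_id(pers_nbr: str) -> str:
    # Keeps the original width so schemas, indexes and joins are unaffected.
    # (A production tool would also guarantee that no two live IDs collide.)
    return f"{_digest(pers_nbr, 'id') % 100000:05d}"


def mask_name(first: str, last: str) -> tuple:
    # Deterministic substitution: one real name always becomes the same fake
    # name, in whichever table it appears.
    return (FIRST_NAMES[_digest(first, "first") % len(FIRST_NAMES)],
            LAST_NAMES[_digest(last, "last") % len(LAST_NAMES)])


def mask_row(row: tuple) -> tuple:
    pers_nbr, first, last = row
    return (mask_id(pers_nbr),) + mask_name(first, last)


def mask_tables(personal: list, events: list) -> tuple:
    return [mask_row(r) for r in personal], [mask_row(r) for r in events]


def referential_integrity_holds(personal: list, events: list) -> bool:
    # Every event owner must still resolve, via PersNbr, to exactly one
    # person carrying the same (masked) names.
    by_id = {r[0]: r for r in personal}
    return all(e[0] in by_id and by_id[e[0]] == e for e in events)
```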
Data encryption for DB2 and IMS™
• Supports all levels of DB2 and IMS
• No application changes needed
• Applications need no awareness of keys
• Supports both secure key and clear key encryption
• Index access is unaffected by encryption
• Compatible with DB2 Load/Unload utilities and DB2 Tools
• Invoked via EDITPROC, FIELDPROC, or UDF
• Data is encrypted on disk
• Data on the channel is encrypted (protects against channel/network sniffers)
• Existing authorization controls on access to this data are unaffected
• Assumes that access is through the DBMS, or that direct access invokes the DBMS data exits
[Diagram: application data ("P A U L") passes from IMS or DB2 through z/OS ICSF to the CMOS crypto coprocessors and is stored as encrypted data in the database ("x @ v g")]
IBM Enterprise Key Management Foundation (EKMF) and IBM Security Key Lifecycle Manager (ISKLM)
Integrated and extensible encryption key lifecycle management
IBM EKMF provides a single point of control, policy and reporting:
• Proven experience in the enterprise key management space
• Standardized processes for compliance with key banking and finance standards such as EMV and PCI
Trusted Key Entry (TKE) workstation provides a secure environment for the management of crypto hardware and host master keys
ISKLM for z/OS® provides proven key serving and management capabilities to self-encrypting tape and disk storage devices
• Manage IBM and non-IBM products via the OASIS Key Management Interoperability Protocol (KMIP)
• Align with PCI and NIST guidance
[Diagram: TKE for Crypto Express hardware management; EKMF for application key management; ISKLM serving the disk storage array, tape devices and enterprise tape library]
EKMF, TKE and ISKLM provide an optimum integrated key lifecycle management solution
Embedded intelligence offers automated offense identification
Extensive Data Sources: servers and mainframes, data activity, network and virtual activity, application activity, configuration information, security devices, users and identities, vulnerabilities and threats, global threat intelligence
Embedded Intelligence
• Unlimited data collection, storage and analysis
• Built-in data classification
• Automatic asset, service/user discovery and profiling
• Real-time correlation and threat intelligence
• Activity baselining and anomaly detection
• Out-of-the-box incident detection
Automated Offense Identification: suspected incidents are reduced to prioritized incidents
QRadar® provides security visibility and Security Intelligence
Dashboard views shown: Identity and User Context; Real-time Network Visualization and Application Statistics; Inbound Security Events; IBM X-Force® Threat Information Center; Real-time Security Overview with IP Reputation Correlation
z System products enable integration with QRadar
Event sources from z Systems: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2
Guardium
• DB2
• IMS™
• VSAM
zSecure
• z/OS
• RACF
• ACF2, TSS
• CICS®
AppScan
• Web Apps
• Mobile Apps
• Web Services
• Desktop Apps
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
Anatomy of an attack
1. Social engineer privileged user ID for Joe.Admin
2. Attacker uses stolen PID and logs on from new unknown rogue IP address
3. Attacker looks at application logs and access history
4. Attacker tries to break into application to get AppID
5. Hacker uses AppID from non-App server impersonating Joe.Admin to request large number of credit card numbers
6. Hacker tries to change configuration settings (backdoor for later use)
Diagram elements: Attacker, Rogue sources, Web servers, Authorized server, Authorized [email protected], WebSphere® DB2, RACF, Sensitive Data
IBM zSecure
• Detects configuration changes creating backdoor
• Alerts QRadar with raised severity
IBM InfoSphere Guardium
• Detects abnormal activity violating several data access policies
• Alerts QRadar with raised severity
IBM Security QRadar
• Correlates App ID violation with Joe.Admin activity
• Opens ticket to fix compromised AppID and investigate Joe.Admin
• Determines new rogue sources
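The correlation the slide attributes to QRadar, shown as an added example (not IBM's code): rule hits from the RACF, Guardium and zSecure stages are grouped by source address into one offense whose severity rises with each corroborating alert. The event format, field names, thresholds and the host/IP allow-lists are assumptions made for the example; the event rows are constructed to mirror steps 2, 5 and 6.

```python
from collections import defaultdict

# Constructed sample events mirroring steps 2, 5 and 6 of the slide, plus one
# benign row. Fields: (source, user, host, ip, action, detail)
EVENTS = [
    ("RACF", "Joe.Admin", "TSO1", "203.0.113.9", "logon", ""),
    ("Guardium", "AppID", "ADHOC1", "203.0.113.9", "select", "table=CREDIT_CARD rows=50000"),
    ("zSecure", "Joe.Admin", "TSO1", "203.0.113.9", "config_change", "RACF profile altered"),
    ("Guardium", "AppID", "WAS1", "10.0.0.5", "select", "table=CREDIT_CARD rows=20"),
]

# Assumed reference data the rules check against.
PRIVILEGED_USERS = {"Joe.Admin"}
KNOWN_ADMIN_IPS = {"10.0.0.10"}
APP_SERVERS = {"WAS1"}          # only hosts allowed to use the application ID
APP_IDS = {"AppID"}
BULK_ROW_THRESHOLD = 10000

def _rows(detail: str) -> int:
    # Pulls "rows=N" out of the free-text detail field; 0 when absent.
    for part in detail.split():
        if part.startswith("rows="):
            return int(part[5:])
    return 0

def classify(event: tuple):
    # Returns (offense_key, reason, severity) for a rule hit, else None.
    # Offenses are keyed on the source IP so related steps land in one case.
    source, user, host, ip, action, detail = event
    if action == "logon" and user in PRIVILEGED_USERS and ip not in KNOWN_ADMIN_IPS:
        return ip, "privileged logon from unknown address", 3
    if user in APP_IDS and host not in APP_SERVERS:
        severity = 5 if _rows(detail) >= BULK_ROW_THRESHOLD else 4
        return ip, "application ID used from non-application server", severity
    if action == "config_change" and user in PRIVILEGED_USERS:
        return ip, "configuration change by privileged user", 4
    return None

def correlate(events: list) -> dict:
    # Groups hits per offense; severity is the highest single rule severity,
    # raised by one for every additional corroborating alert.
    hits = defaultdict(list)
    for event in events:
        hit = classify(event)
        if hit:
            key, reason, severity = hit
            hits[key].append((reason, severity))
    return {key: {"severity": max(s for _, s in h) + len(h) - 1,
                  "reasons": [r for r, _ in h]} for key, h in hits.items()}
```

Running `correlate(EVENTS)` yields a single offense for the rogue address carrying all three reasons, while the legitimate AppID query from the application server produces no hit.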
Mainframe security requires a defense in depth solution
Security Domains / Endpoints / IBM Solutions:
• Server Operating System: RACF, ACF2, Top Secret, z/OS; zSecure Admin, Visual, zSecure Audit, Alert
• Data: DB2, IMS, VSAM; InfoSphere Guardium
• Security Intelligence: All; QRadar SIEM
Capabilities (solution providing each in brackets):
• Automated cleanup of unused, obsolete and under-protected access permissions [zSecure]
• Externalization of DB2 security into RACF, including automated clean-up of prior DB2 access permissions [zSecure]
• Separation of duties in provisioning access [zSecure]
• Continuous, policy-based, real-time monitoring [zSecure, Guardium]
• Infrastructure scanning for missing patches, misconfigurations and other vulnerabilities [zSecure, Guardium]
• Automated Compliance Protection [zSecure, Guardium]
• Knowledge base for compliance reports with SOX, PCI DSS, etc. [zSecure, Guardium]
• Provides contextual and actionable surveillance to detect and remediate threats [QRadar]
• Identifies changes in behavior against applications, hosts, servers and network [QRadar]
• Correlates, analyzes and reduces real-time data into actionable offenses [QRadar]
The z Systems advantage
• 80% of the world’s corporate data is stored or originates on IBM z Systems
• 2/3 of business transactions for U.S. retail banks run directly on mainframes
• Businesses that run on z Systems:
  • 92 of the top 100 worldwide banks
  • 10 of the top 10 global life/health insurance providers
  • 23 out of the 25 largest airlines
• EAL5+ encryption and cryptographic hardware to secure data in motion and at rest
• Run over a thousand virtual Linux images
• Virtualization of services for cloud implementations
• 5 minutes per year downtime of an application running on z Systems
Nationwide: Banking on the mainframe to drive unprecedented transformation and growth
“With end-to-end management of access rights on the z Systems platform, Nationwide benefits from an easier path to compliance. Tools such as zSecure and Guardium help us protect customer data at all times, while providing the proof points we need to meet audit requirements quickly and efficiently.”
- Mike Pighills, Head of IT Services, Nationwide
• New mobile and internet banking applications hook directly into the mainframe for 24/7 availability
• 2 new account types launched just six months after go-live
• Eases compliance by enabling greater control and auditability of security
The transformation: In an era of truly 24/7, multi-channel retail banking, Nationwide needed to bring new banking products to market more rapidly, and to handle growing numbers of customers and transactions faster and more efficiently. With a radical transformation of core systems to embrace real-time banking on the IBM mainframe platform, Nationwide is all set for a bigger and brighter future.
IBM Software Solutions
• IBM DB2 for z/OS
• IBM InfoSphere Guardium S-TAP
• IBM Security zSecure
• IBM z/OS
• SAP for Banking
IBM Hardware Solutions
• IBM zEnterprise® 196
IBM helps protect against new, complex security challenges
• 133 countries where IBM delivers managed security services
• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 10K+ clients protected, including 24 of the top 33 banks in Japan, North America and Australia
IBM helps clients…
1. Optimize the security program: integrate security silos, reduce complexity and lower costs
2. Stop advanced threats: use analytics and insights for smarter integrated defense
3. Protect critical assets: use context-aware and role-based controls to help prevent unauthorized access
4. Safeguard cloud and mobile: employ cloud and mobile initiatives to build a new, stronger security posture
IBM has the world’s broadest and deepest security portfolio
Portfolio areas: Strategy, Risk and Compliance; Cybersecurity Assessment and Response; Security Intelligence and Operations; Advanced Fraud Protection; Identity and Access Management; Data Security; Application Security; Network, Mobile and Endpoint Protection; Advanced Threat and Security Research
Security trends: Compliance Mandates; Skills Shortage; Cloud; Advanced Threats; Mobile and Internet of Things
Delivery models: Management Consulting; Systems Integration; Integrated Products; Security as a Service; Managed Security; Partner Ecosystem
Learn more about IBM Security zSecure solutions
zSecure website
zSecure product library
zSecure information center
IBM Mobile Solutions
zSecure latest release
zSecure forum
zSecure Redbook
Guardium Website
Thank You
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty
of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall
have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability
in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product,
or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within
and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for
use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper
use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and
may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.