
IBM Security

March 22, 2016

Protecting your Crown Jewels

Howie Hirsch

Senior IT Specialist

IBM Security

[email protected]

© 2016 IBM Corporation 2

Agenda

• Introductions
• Protect critical assets
• Mainframe information
• Enterprise security intelligence
• Proof points and summary

Protect Critical Assets / Mainframe Information

© 2016 IBM Corporation 7

Data compromises occur quickly

It takes days or more to discover compromises and weeks or more to contain them.

Source: Verizon Data Breach Investigations Report (chart: time span of events by percent of breaches)

© 2016 IBM Corporation 8

IBM Security Information Governance solutions

Discover and Classify
• Discover your database management systems
• Discover and classify sensitive data
• Continuously update security policies

Assess and Harden
• Database vulnerability assessments
• Preconfigured tests based on best practices and standards
• Sensitive data encryption and masking
• Archive unneeded data

Monitor and Enforce
• Monitor and alert on attacks in real time
• Monitor privileged users
• Monitor changed behavior
• Prevent cyberattacks
• Detect application-layer fraud
• Enforce change controls

Audit and Report
• Forensics data mining
• Cross-DBMS policies
• Pre-built compliance reports (SOX, PCI, etc.)
• Enterprise integration
• SIEM integration
• Sign-off management
• Centralized audit repository
• No database changes

(diagram: the four phases form a lifecycle around the Critical Data Server Infrastructure)

© 2016 IBM Corporation 9

Real-time activity monitoring with IBM Security Guardium®

(diagram: a Central Manager Appliance and Collector Appliances receive traffic from Host-based Probes (S-TAP®s) installed on Data Repositories and Application Servers)

Activity Monitoring: continuous policy-based real-time monitoring of all data traffic activities, including actions by privileged users.

Blocking and Masking: automated data protection compliance.

Vulnerability Assessment: database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities.

© 2016 IBM Corporation 10

Real-time activity monitoring with IBM Security Guardium

Key functionality

• Non-invasive/disruptive, cross-platform architecture
• Dynamically scalable
• Separation of Duties enforcement for DBA access
• Auto discover sensitive resources and data
• Detect or block unauthorized and suspicious activity
• Granular, real-time policies (who, what, when, how)
• Doesn’t rely on resident logs that are easily erased by attackers and rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision

© 2016 IBM Corporation 11

Real-time data activity monitoring across the enterprise

For data warehouses, Big Data environments, and file shares.

(diagram of monitored sources: Applications – Siebel, PeopleSoft, E-Business, WebSphere; Databases – DB2, IMS; Data Warehouses – Netezza; CICS; Database Tools; Enterprise Content Managers; Big Data Environments; File Shares; VSAM; FTP)

© 2016 IBM Corporation 12

Vulnerability assessments based on best practices

IBM InfoSphere® Guardium Vulnerability Assessment Appliance

Database Vulnerabilities
• Teradata
• Netezza®
• MySQL
• Postgres
• Oracle
• SQL Server
• DB2®
• Sybase

Web-based Reporting
• Pass/fail statistics
• Criticality/recommended actions
• Filters and comparison
• History and trends
• Distribution/compliance workflow

Automated Database Assessments
• Privileges
• Authentication
• Configuration
• Patch levels
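To make the four assessment areas and the pass/fail reporting on this slide concrete, here is an added example (not IBM's or Guardium's code) of a minimal assessment runner: each preconfigured test inspects a snapshot of a database's privileges, accounts, configuration and patch level and yields a pass/fail finding with a criticality and a recommended action, and a summary function produces the statistics a report would show. The snapshot, test ids, baseline patch level and the two parameter names are constructed for this example.

```python
"""Added example (not IBM's or Guardium's code): a small automated database
assessment that runs privilege, authentication, configuration and patch-level
tests over a snapshot of a database and reports pass/fail statistics with a
criticality and a recommended action for each failed test. The snapshot, test
ids, baseline patch level and thresholds are all constructed for this example."""
from dataclasses import dataclass

# Constructed snapshot of a fictional database, shaped the way an assessment
# tool might collect it. The field names are this example's own.
SNAPSHOT = {
    "grants": [  # (grantee, privilege, object)
        ("PUBLIC", "SELECT", "hr.salaries"),
        ("app_user", "SELECT", "sales.orders"),
        ("reporting", "SELECT", "sales.orders"),
    ],
    "accounts": [
        {"name": "dba_alice", "superuser": True, "password_expires": True},
        {"name": "svc_batch", "superuser": True, "password_expires": False},
        {"name": "app_user", "superuser": False, "password_expires": True},
    ],
    "config": {"remote_os_authent": "TRUE", "audit_trail": "DB"},
    "patch_level": "12.1.0.2",
    "sensitive_objects": {"hr.salaries", "crm.customers"},
    "superuser_allowlist": {"dba_alice"},
}
BASELINE_PATCH = "12.1.0.4"  # constructed minimum patch level for this example


@dataclass
class Finding:
    test_id: str
    category: str
    criticality: str  # "critical", "high" or "medium"
    passed: bool
    detail: str
    recommended_action: str


def check_public_on_sensitive(s):
    hits = sorted(o for g, _, o in s["grants"] if g == "PUBLIC" and o in s["sensitive_objects"])
    return Finding("PRIV-001", "Privileges", "critical", not hits,
                   f"PUBLIC grants on sensitive objects: {hits}",
                   "Revoke the PUBLIC grant and grant access to named roles only")


def check_broad_grants(s):
    hits = sorted(f"{g}:{p}:{o}" for g, p, o in s["grants"] if p == "ALL PRIVILEGES" or o.endswith("*"))
    return Finding("PRIV-002", "Privileges", "high", not hits,
                   f"Wildcard or ALL PRIVILEGES grants: {hits}",
                   "Replace with least-privilege grants on specific objects")


def check_superusers(s):
    hits = sorted(a["name"] for a in s["accounts"] if a["superuser"] and a["name"] not in s["superuser_allowlist"])
    return Finding("AUTH-001", "Authentication", "critical", not hits,
                   f"Superuser accounts outside the allowlist: {hits}",
                   "Remove the superuser attribute or add the account to the reviewed allowlist")


def check_password_expiry(s):
    hits = sorted(a["name"] for a in s["accounts"] if not a["password_expires"])
    return Finding("AUTH-002", "Authentication", "medium", not hits,
                   f"Accounts with non-expiring passwords: {hits}",
                   "Assign a password profile with an expiry interval")


def check_remote_os_authent(s):
    value = s["config"].get("remote_os_authent", "FALSE").upper()
    return Finding("CONF-001", "Configuration", "high", value == "FALSE",
                   f"remote_os_authent = {value}",
                   "Set remote_os_authent to FALSE so OS identity is not trusted over the network")


def check_audit_trail(s):
    value = s["config"].get("audit_trail", "NONE").upper()
    return Finding("CONF-002", "Configuration", "high", value != "NONE",
                   f"audit_trail = {value}",
                   "Enable the audit trail so privileged activity is recorded")


def _version(v):
    return tuple(int(p) for p in v.split("."))


def check_patch_level(s):
    ok = _version(s["patch_level"]) >= _version(BASELINE_PATCH)
    return Finding("PATCH-001", "Patch levels", "high", ok,
                   f"patch level {s['patch_level']} vs baseline {BASELINE_PATCH}",
                   "Apply the vendor patch set up to the baseline level")


CHECKS = [check_public_on_sensitive, check_broad_grants, check_superusers,
          check_password_expiry, check_remote_os_authent, check_audit_trail,
          check_patch_level]


def run_assessment(snapshot):
    """Run every preconfigured test and return its finding."""
    return [check(snapshot) for check in CHECKS]


def summarize(findings):
    """Pass/fail statistics of the kind a web-based report would show."""
    failed = [f for f in findings if not f.passed]
    by_crit = {}
    for f in failed:
        by_crit[f.criticality] = by_crit.get(f.criticality, 0) + 1
    return {"total": len(findings), "passed": len(findings) - len(failed),
            "failed": len(failed), "failed_by_criticality": by_crit,
            "pass_rate": round(100.0 * (len(findings) - len(failed)) / len(findings), 1)}


if __name__ == "__main__":
    results = run_assessment(SNAPSHOT)
    for f in results:
        status = "PASS" if f.passed else f"FAIL [{f.criticality}]"
        print(f"{f.test_id} {f.category:<15} {status:<16} {f.detail}")
        if not f.passed:
            print(f"    action: {f.recommended_action}")
    print(summarize(results))
```

Running the block against the constructed snapshot fails five of seven tests (two critical, two high, one medium). Keeping each test as a small function returning a structured Finding is what makes history, trend and comparison reporting straightforward: two runs can be diffed test by test.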

© 2016 IBM Corporation 13

Vulnerability Assessment – integration with zSecure™

© 2016 IBM Corporation 14

Ensuring data privacy with IBM Optim™ Data Masking

Live Data

Personal Info Table
| PersNbr | FirstName | LastName |
| 10000 | Patricia | Zakhar |
| 10001 | Claude | Monet |
| 10002 | Michael | Parker |

Event Table
| PersNbr | FstNEvtOwn | LstNEvtOwn |
| 10002 | Michael | Parker |
| 10002 | Michael | Parker |

Masked Data

Personal Info Table
| PersNbr | FirstName | LastName |
| 08054 | Alice | Bennett |
| 19101 | Carl | Davis |
| 27645 | Elliot | Flynn |

Event Table
| PersNbr | FstNEvtOwn | LstNEvtOwn |
| 27645 | Elliot | Flynn |
| 27645 | Elliot | Flynn |

• De-identify/mask sensitive data for test, development and production environments
• Retain behavioral characteristics and referential integrity of the data
• Renders the data valueless if stolen
• No need to risk using personally identifiable information

(diagram: live data “ROBERT SMITH” → MASK → masked data “JASON MICHAELS”)
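The property the slide illustrates is that the masked Event Table still joins to the masked Personal Info Table: 10002/Michael Parker becomes 27645/Elliot Flynn in both. The following is an added example (not IBM Optim's code) of one way to get that property, using a keyed, deterministic substitution (HMAC of the original value selects the replacement) shared by every table, with a collision check so that masked identifiers stay one-to-one. The key, the name pools and the table rows are constructed for this example; the column names are those on the slide.

```python
"""Added example (not IBM Optim's code): deterministic masking of the
Personal Info and Event tables from the slide so that PersNbr and name values
are replaced consistently in every table (referential integrity) while the
masked rows keep the shape of real data. The key, name pools and table rows
are constructed for this example."""
import hashlib
import hmac

# Constructed live data, matching the layout on the slide.
PERSONAL_INFO = [
    {"PersNbr": "10000", "FirstName": "Patricia", "LastName": "Zakhar"},
    {"PersNbr": "10001", "FirstName": "Claude", "LastName": "Monet"},
    {"PersNbr": "10002", "FirstName": "Michael", "LastName": "Parker"},
]
EVENTS = [
    {"PersNbr": "10002", "FstNEvtOwn": "Michael", "LstNEvtOwn": "Parker"},
    {"PersNbr": "10002", "FstNEvtOwn": "Michael", "LstNEvtOwn": "Parker"},
]
# Which columns carry which kind of value; the same role is masked by the
# same function in every table, which is what keeps the tables joinable.
PERSONAL_ROLES = {"PersNbr": "id", "FirstName": "first", "LastName": "last"}
EVENT_ROLES = {"PersNbr": "id", "FstNEvtOwn": "first", "LstNEvtOwn": "last"}

# Constructed substitution pools of realistic-looking names.
FIRST_NAMES = ["Alice", "Carl", "Elliot", "Grace", "Hannah", "Ivan", "Julia", "Kenji"]
LAST_NAMES = ["Bennett", "Davis", "Flynn", "Garcia", "Hoffman", "Iyer", "Jensen", "Kowalski"]


class Masker:
    """Keyed, deterministic masking: the same input always maps to the same
    output, so foreign keys keep matching across tables."""

    def __init__(self, key: bytes):
        self.key = key
        self.id_map = {}       # original PersNbr -> masked PersNbr
        self.used_ids = set()  # guarantees masked ids stay one-to-one

    def _digest(self, role, value, counter=0):
        msg = f"{role}|{value}|{counter}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def mask_id(self, pid):
        if pid in self.id_map:
            return self.id_map[pid]
        counter = 0
        while True:  # re-derive on the rare collision so ids stay unique
            n = int.from_bytes(self._digest("id", pid, counter), "big") % 100000
            candidate = f"{n:05d}"
            if candidate != pid and candidate not in self.used_ids:
                break
            counter += 1
        self.id_map[pid] = candidate
        self.used_ids.add(candidate)
        return candidate

    def mask_name(self, role, name):
        pool = FIRST_NAMES if role == "first" else LAST_NAMES
        idx = int.from_bytes(self._digest(role, name), "big") % len(pool)
        return pool[idx]

    def mask_row(self, row, roles):
        out = {}
        for column, value in row.items():
            role = roles.get(column)
            if role == "id":
                out[column] = self.mask_id(value)
            elif role in ("first", "last"):
                out[column] = self.mask_name(role, value)
            else:
                out[column] = value  # non-sensitive column passes through
        return out

    def mask_table(self, rows, roles):
        return [self.mask_row(r, roles) for r in rows]


def mask_dataset(key: bytes):
    """Mask both tables with one shared Masker so cross-table references hold."""
    m = Masker(key)
    return m.mask_table(PERSONAL_INFO, PERSONAL_ROLES), m.mask_table(EVENTS, EVENT_ROLES)


if __name__ == "__main__":
    personal, events = mask_dataset(b"constructed-demo-key-rotate-me")
    print("Personal Info Table (masked):", *personal, sep="\n  ")
    print("Event Table (masked):", *events, sep="\n  ")
```

Because the mapping is keyed, the masked output cannot be reversed without the key, and the key never needs to leave the masking job; anyone holding only the masked tables gets data that is valueless, which is the point of the third bullet above.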

© 2016 IBM Corporation 15

Data encryption for DB2 and IMS™

• Supports all levels of DB2 and IMS
• No application changes needed
• Applications need no awareness of keys
• Supports both secure key and clear key encryption
• Index access is unaffected by encryption
• Compatible with DB2 Load/Unload utilities and DB2 Tools
• EDITPROC, FIELDPROC, or UDF invocation
• Data encryption on disk
• Data on channel is encrypted (protects against channel/network sniffers)
• Existing authorization controls for accessing this data are unaffected
• Assumes that access is through the DBMS, or that direct access invokes the DBMS data exits

(diagram: application data “P A U L” passes through IMS or DB2 and z/OS ICSF, backed by CMOS crypto coprocessors, and is stored as encrypted data “x @ v g” in the database)

© 2016 IBM Corporation 16

IBM Enterprise Key Management Foundation (EKMF) and IBM Security Key Lifecycle Manager (ISKLM)

Integrated and extensible encryption key lifecycle management

IBM EKMF provides a single point of control, policy and reporting:
• Proven experience in the enterprise key management space
• Standardized processes for compliance such as EMV and PCI to adhere to key banking and finance standards

Trusted Key Entry (TKE) workstation provides a secure environment for the management of crypto hardware and host master keys.

ISKLM for z/OS® provides proven key serving and management capabilities for self-encrypting tape and disk storage devices:
• Manage IBM and non-IBM products via the OASIS Key Management Interoperability Protocol (KMIP)
• Align with PCI and NIST guidance

(diagram: TKE for Crypto Express hardware management; EKMF for application key management; ISKLM serving keys to a disk storage array, tape devices and an enterprise tape library)

EKMF, TKE and ISKLM provide an optimum integrated key lifecycle management solution.

© 2016 IBM Corporation 17

Embedded intelligence offers automated offense identification

Extensive Data Sources
• Servers and mainframes
• Data activity
• Network and virtual activity
• Application activity
• Configuration information
• Security devices
• Users and identities
• Vulnerabilities and threats
• Global threat intelligence

Embedded Intelligence
• Unlimited data collection, storage and analysis
• Built-in data classification
• Automatic asset, service/user discovery and profiling
• Real-time correlation and threat intelligence
• Activity baselining and anomaly detection
• Out-of-the-box incident detection

(diagram: extensive data sources feed the embedded intelligence, which performs automated offense identification, reducing suspected incidents to prioritized incidents)

© 2016 IBM Corporation 18

QRadar® provides security visibility and Security Intelligence

(dashboard screenshot: Real-time Security Overview with IP Reputation Correlation; Identity and User Context; Real-time Network Visualization and Application Statistics; Inbound Security Events; IBM X-Force® Threat Information Center)

© 2016 IBM Corporation 19

z System products enable integration with QRadar

Event sources from z Systems: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2

• Guardium: DB2, IMS™, VSAM
• zSecure: z/OS, RACF, ACF2, TSS, CICS®
• AppScan: Web Apps, Mobile Apps, Web Services, Desktop Apps

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

© 2016 IBM Corporation 20

Anatomy of an attack

(diagram: attacker and rogue sources reach the web servers, an authorized server running WebSphere®, DB2 and RACF, and the sensitive data; an authorized user, [email protected], is shown alongside; IBM zSecure and IBM InfoSphere Guardium both feed IBM Security QRadar)

1. Social engineer privileged user ID for Joe.Admin
2. Attacker uses stolen PID and logs on from new unknown rogue IP address
3. Attacker looks at application logs and access history
4. Attacker tries to break into application to get AppID
5. Hacker uses AppID from non-App server impersonating Joe.Admin to request large number of credit card numbers
6. Hacker tries to change configuration settings (backdoor for later use)

IBM zSecure
• Detects configuration changes creating backdoor
• Alerts QRadar with raised severity

IBM InfoSphere Guardium
• Detects abnormal activity violating several data access policies
• Alerts QRadar with raised severity

IBM Security QRadar
• Correlates App ID violation with Joe.Admin activity
• Opens ticket to fix compromised AppID and investigate Joe.Admin
• Determines new rogue sources
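The detection side of this scenario is a correlation problem: a logon from an address never seen for the user, a data-policy violation in which an application ID is used from a host that is not an application server, and a configuration change all arrive from different feeds, and only together do they describe one incident. The block below is an added example (not QRadar's, zSecure's or Guardium's code) of such a correlation over a constructed event feed: indicators are extracted per event, grouped into one offense per user, the severity is raised when independent sources corroborate each other, and the rogue source addresses are collected for the ticket. The event records, address lists, indicator weights and severity scale are all constructed for this example.

```python
"""Added example (not QRadar's, zSecure's or Guardium's code): a small
correlation routine that consumes events from three constructed feeds (RACF
logons, Guardium data-policy violations, zSecure configuration changes),
groups them per user into an offense, raises the severity when independent
sources agree, and records the rogue source addresses. Events, address lists,
indicator weights and thresholds are constructed for this example."""

# Constructed reference data: where each user normally logs on from, and
# which hosts are allowed to use an application ID.
KNOWN_SOURCES = {"Joe.Admin": {"10.1.2.7"}, "bob.dev": {"10.1.2.3"}, "svc_report": {"10.1.2.9"}}
APP_SERVERS = {"10.1.5.10", "10.1.5.11"}

# Constructed event feed, in the order the SIEM received it.
EVENTS = [
    {"ts": "2016-03-22T09:01:00", "source": "RACF", "type": "logon",
     "user": "Joe.Admin", "ip": "203.0.113.45"},
    {"ts": "2016-03-22T09:04:10", "source": "Guardium", "type": "policy_violation",
     "user": "Joe.Admin", "ip": "203.0.113.45", "app_id": "APPSRV01",
     "object": "CARDS.PAN", "rows": 250000},
    {"ts": "2016-03-22T09:07:30", "source": "zSecure", "type": "config_change",
     "user": "Joe.Admin", "ip": "203.0.113.45", "detail": "new started-task userid added"},
    {"ts": "2016-03-22T09:08:00", "source": "RACF", "type": "logon",
     "user": "bob.dev", "ip": "10.1.2.3"},
    {"ts": "2016-03-22T09:09:00", "source": "Guardium", "type": "policy_violation",
     "user": "svc_report", "ip": "10.1.2.9", "app_id": "APPSRV01",
     "object": "CARDS.PAN", "rows": 5},
]

WEIGHTS = {"new_source": 1, "data_policy_violation": 2, "appid_misuse": 2, "config_change": 3}
CORROBORATION_BONUS = 2  # added when two or more independent sources agree
MAX_SEVERITY = 10


def indicators_for(event):
    """Map one raw event to zero or more named indicators."""
    found = []
    user, ip = event["user"], event.get("ip")
    if ip and ip not in KNOWN_SOURCES.get(user, set()):
        found.append("new_source")
    if event["type"] == "policy_violation":
        found.append("data_policy_violation")
        if event.get("app_id") and ip not in APP_SERVERS:
            found.append("appid_misuse")  # application credential used off the app tier
    if event["type"] == "config_change":
        found.append("config_change")
    return found


def correlate(events):
    """Build one offense per user from every event that produced an indicator."""
    offenses = {}
    for ev in events:
        inds = indicators_for(ev)
        if not inds:
            continue
        off = offenses.setdefault(ev["user"], {"indicators": [], "sources": set(),
                                               "rogue_ips": set(), "events": []})
        off["sources"].add(ev["source"])
        off["events"].append(ev["ts"])
        for name in inds:
            if name not in off["indicators"]:
                off["indicators"].append(name)
        if "new_source" in inds:
            off["rogue_ips"].add(ev["ip"])
    for off in offenses.values():
        score = sum(WEIGHTS[i] for i in off["indicators"])
        if len(off["sources"]) >= 2:  # independent feeds agree: raise severity
            score += CORROBORATION_BONUS
        off["severity"] = min(MAX_SEVERITY, score)
    return offenses


def ticket(user, offense):
    """Actions a ticket would carry, derived from the indicators present."""
    actions = [f"investigate {user}"]
    if "appid_misuse" in offense["indicators"]:
        actions.append("rotate the compromised application ID credential")
    if "config_change" in offense["indicators"]:
        actions.append("review and revert the configuration change")
    if offense["rogue_ips"]:
        actions.append("block rogue sources: " + ", ".join(sorted(offense["rogue_ips"])))
    return actions


if __name__ == "__main__":
    for user, off in sorted(correlate(EVENTS).items(), key=lambda kv: -kv[1]["severity"]):
        print(f"{user}: severity {off['severity']} from {sorted(off['sources'])}; "
              f"indicators {off['indicators']}; rogue {sorted(off['rogue_ips'])}")
        for action in ticket(user, off):
            print("   -", action)
```

On the constructed feed Joe.Admin reaches the maximum severity because three feeds agree, svc_report's single Guardium violation yields a low-severity offense with no rogue source, and bob.dev produces nothing. Grouping by user rather than by event is what lets the routine recognise the App ID misuse as Joe.Admin activity, which is the correlation the slide attributes to QRadar.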

© 2016 IBM Corporation 21

Mainframe security requires a defense in depth solution

| Security Domains | Endpoints | IBM Solutions |
| Server Operating System | RACF, ACF2, Top Secret, z/OS | zSecure Admin, Visual, zSecure Audit, Alert |
| Data | DB2, IMS, VSAM | InfoSphere Guardium |
| Security Intelligence | All | QRadar SIEM |

Capabilities (each ● marks one solution column on the original slide):

• Automated cleanup of unused, obsolete and under-protected access permissions ●
• Externalization of DB2 security into RACF, including automated clean-up of prior DB2 access permissions
• Separation of duties in provisioning access ●
• Continuous, policy-based, real-time monitoring ● ●
• Infrastructure scanning for missing patches, misconfigurations and other vulnerabilities ● ●
• Automated Compliance Protection ● ●
• Knowledge base for compliance reports with SOX, PCI DSS, etc. ● ●
• Provides contextual and actionable surveillance to detect and remediate threats ●
• Identifies changes in behavior against applications, hosts, servers and network ●
• Correlates, analyzes and reduces real-time data into actionable offenses ●

Proof Points and Summary

© 2016 IBM Corporation 23

The z Systems advantage

• 80% of the world’s corporate data is stored or originates on IBM z Systems
• 2/3 of business transactions for U.S. retail banks run directly on mainframes
• Businesses that run on z Systems:
  • 92 of the top 100 worldwide banks
  • 10 of the top 10 global life/health insurance providers
  • 23 out of the 25 largest airlines
• EAL5+ encryption and cryptographic hardware to secure data in motion and at rest
• Run over a thousand virtual Linux images
• Virtualization of services for cloud implementations
• 5 minutes per year downtime of an application running on z Systems

© 2016 IBM Corporation 24

Nationwide: Banking on the mainframe to drive unprecedented transformation and growth

“With end-to-end management of access rights on the z Systems platform, Nationwide benefits from an easier path to compliance. Tools such as zSecure and Guardium help us protect customer data at all times, while providing the proof points we need to meet audit requirements quickly and efficiently.”

- Mike Pighills, Head of IT Services, Nationwide

• New mobile and internet banking applications hook directly into the mainframe for 24/7 availability
• 2 new account types launched just six months after go-live
• Eases compliance by enabling greater control and auditability of security

The transformation: In an era of truly 24/7, multi-channel retail banking, Nationwide needed to bring new banking products to market more rapidly, and to handle growing numbers of customers and transactions faster and more efficiently. With a radical transformation of core systems to embrace real-time banking on the IBM mainframe platform, Nationwide is all set for a bigger and brighter future.

IBM Software Solutions
• IBM DB2 for z/OS
• IBM InfoSphere Guardium S-TAP
• IBM Security zSecure
• IBM z/OS
• SAP for Banking

IBM Hardware Solutions
• IBM zEnterprise® 196

© 2016 IBM Corporation 25

IBM helps protect against new, complex security challenges

• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 133 countries where IBM delivers managed security services
• 10K+ clients protected, including 24 of the top 33 banks in Japan, North America and Australia

IBM helps clients…

1. Optimize the security program: integrate security silos, reduce complexity and lower costs
2. Stop advanced threats: use analytics and insights for smarter integrated defense
3. Protect critical assets: use context-aware and role-based controls to help prevent unauthorized access
4. Safeguard cloud and mobile: employ cloud and mobile initiatives to build a new, stronger security posture

© 2016 IBM Corporation 26

IBM has the world’s broadest and deepest security portfolio

Security trends: Compliance Mandates; Skills Shortage; Cloud; Advanced Threats; Mobile and Internet of Things

Portfolio:
• Strategy, Risk and Compliance
• Cybersecurity Assessment and Response
• Security Intelligence and Operations
• Advanced Fraud Protection
• Identity and Access Management
• Data Security
• Application Security
• Network, Mobile and Endpoint Protection
• Advanced Threat and Security Research

Delivery models: Management Consulting; Systems Integration; Integrated Products; Security as a Service; Managed Security; Partner Ecosystem

© 2016 IBM Corporation 28

Thank You

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY