IBM InfoSphere Guardium Tech Talk: How to close your Security Gaps with QRadar/Guardium Integration
Luis Casco-Arias - Product Manager
Steven Keim - Client Technical Professional
5 June 2013
© 2013 IBM Corporation
Information Management – InfoSphere Guardium
Logistics
• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at the speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
• When the speaker pauses for questions:
– We’ll go through existing questions in the chat
Reminder: Guardium Tech Talks
Next tech talk: Planning an InfoSphere Guardium Deployment
Speakers: Boak Barkai and Yosef Rosenblit
Date & Time: Thursday, June 20, 2013, 11:30 AM Eastern
Register here: http://bit.ly/Yf2TwY
• A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
• Please submit a comment on this page for ideas for tech talk topics.
Agenda
Understanding new dynamics in protecting the enterprise
A comprehensive approach to security and compliance
Two key components: SIEM and Data Security
Value of the integrated QRadar SIEM and InfoSphere Guardium solution
Demo: Anatomy of an Attack and how to detect and prevent breaches
Q&A
* Please feel free to pose questions in the chat room during the presentation
Enterprise security dynamics are changing rapidly
Drivers: Data Explosion, Consumerization of IT, Everything is Everywhere, Attack Sophistication
Extending the perimeter shifts protection focus to data: moving from traditional perimeter-based security (antivirus, IPS, firewall) to a logical “perimeter” approach to security, focusing on the data and where it resides.
• Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
• Focus needs to shift from the perimeter to the data that needs to be protected
The IBM Security Framework offers enterprises a roadmap to address all key security and compliance foundational controls
(Figure: the IBM Security Framework domains, tied together by integration.)
QRadar is Security Intelligence
QRadar provides a single unified view and real-time analytics to rapidly identify and correlate targeted attacks for rapid remediation or prevention.
(Figure: extensive data sources (security devices, servers & hosts, network & virtual activity, database activity, application activity, configuration info, vulnerability info, user activity) + deep intelligence (event correlation, offense identification, activity baselining & anomaly detection) = exceptionally accurate and actionable insight.)
Security Intelligence: QRadar provides security visibility
(Screenshots: real-time security overview with IP reputation correlation; real-time network visualization and application statistics; IBM X-Force® Threat Information Center; identity and user context; inbound security events.)
IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance
(Figure: host-based probes (S-TAPs) on the data repositories report to a collector appliance.)
• Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users (databases, warehouses, file shares, Big Data)
• Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
• Data protection compliance automation
Key characteristics:
• Single integrated appliance
• Non-invasive/disruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for DBA access
• Auto discover sensitive resources and data
• Detect or block unauthorized & suspicious activity
• Granular, real-time policies
– Who, what, when, how
• 100% visibility including local DBA access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers, rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision
Addressing the full data security and compliance lifecycle
Top 5 use cases:
1. Tracking and Alerting on Privileged User Activity
2. Ensuring Data Integrity and Simplifying SOX Compliance
3. Boosting Efficiency and Effectiveness of Database Security and Auditing
4. Strengthening PCI-DSS Compliance
5. Automated Discovery of Sensitive Data and Vulnerability Assessments
Sophisticated attacks require sophisticated defense, but ultimately, sensitive data should be protected with a layered approach.
(Figure: attack surface from the DMZ to the intranet. Users (customer, business partner, employee, contractor) and privileged users (DBAs, developers) reach web servers, app servers, an auth server and the data servers holding sensitive data, with network servers and IDS/IPS security in between; a hacker and rogue sources enter through the same paths. Threats labelled at the network, web and application tiers: DoS, antispoofing, port scanning, known vulnerabilities, pattern-based attack, cross-site scripting, parameter tampering, cookie poisoning. Threats labelled at the data tier: unauthorized access, suspicious activity, SQL injection. QRadar covers the network, web and application tiers; Guardium covers the data servers and sensitive data.)
InfoSphere Guardium integrates with QRadar to add data security insights to your security intelligence
(Figure: the QRadar data-source picture with in-depth data activity monitoring and security insights from InfoSphere Guardium added: data activity from databases, data warehouses, Hadoop/NoSQL Big Data environments, file shares and applications, plus specific vulnerability assessment for database infrastructure feeding the vulnerability info. Extensive data sources + deep intelligence (event correlation, offense identification, activity baselining & anomaly detection) = exceptionally accurate and actionable insight.)
• Send real-time data activity security alerts from Guardium to QRadar in LEEF format
• Send data activity audit reports (syslog) from Guardium to Q1 to enhance analytics
• Share database vulnerability findings (CVE) between Guardium and QRadar in AXIS or SCAP
Typical home grown solutions are costly and ineffective
(Figure: native database logging on each database is scraped and parsed by Perl/UNIX scripts/C++ and moved to a central repository; reports are created and manually reviewed; remediation is dispatched and tracked manually.)
• Significant labor cost to review data and maintain process
• High performance impact on DBMS from native logging
• Not real time
• Does not meet auditor requirements for Separation of Duties
• Audit trail is not secure
• Inconsistent policies enterprise-wide
From the start, Guardium can save QRadar implementations on operational costs while expanding monitoring scope
(Figure: Guardium applies real-time analysis and preventive measures to the data sources (file shares, Big Data, data warehouse, databases, applications) before forwarding to QRadar, alongside the user-focused log sources (network infrastructure, network security, servers, mainframe).)
• Improve analytics performance by offloading data analysis
• Save on storage costs for duplicating data audit logs
• Save on network bandwidth for data audit logs
InfoSphere Guardium complements QRadar Security Intelligence in the most challenging use cases
(QRadar target use case, followed by the InfoSphere Guardium complementary capabilities)
Complex threat detection:
– Alert on sensitive data access without affecting performance
– Identify DB infrastructure vulnerability level for asset classification
– Block and alert on suspicious data access
Malicious activity identification:
– Monitor all traffic to/from data repositories, including content and metadata
– Identify anomalous behavior from end-users, privileged users, system IDs
– Prevent malicious access to sensitive data
User activity monitoring:
– Monitor privileged and regular end-user data access activity in real time
– Create policies that granularly restrict access
– Alert on suspicious behavior
Compliance monitoring:
– Centralized and normalized granular audit of all data activities without impact to resources
– Automation of audit report review process
– Report templates for major regulations
Fraud detection and data loss prevention:
– Direct visibility into data traffic (metadata and content)
– Policies for detection of fraudulent data access activity
– Blocking and quarantining of users with suspicious data access patterns
Network and asset discovery:
– Automatically discover all databases, sensitive data, and its entitlements
– Classify data for policy enforcement and alert on findings
– Identify vulnerability posture for database infrastructure
QRadar collects real-time alerts from InfoSphere Guardium
• Any inbound or outbound data traffic is monitored and immediate alerts can be sent when a data access policy is violated
• Real-time log data from data activity can be correlated with other activity in context to identify and prevent attacks
Common real-time data activity security events include:
• Failed logins
• Unauthorized or abnormal access
• SQL error codes because of SQL injection
• Users trying to escalate privileges
• Alerting on creation of triggers and views to access sensitive data
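As an added example (not code from the presentation, and not IBM's own), the following Python script parses alerts written in LEEF 1.0 syntax, the format the deck says Guardium uses for real-time alerts to QRadar, and applies three of the correlation rules behind the events listed above: a burst of failed logins from one source, a spike of SQL error codes from one account (the SQL injection indicator), and privilege-change statements. The sample alert lines, the event identifiers and the custom attribute keys sqlErr and sqlText are constructed assumptions; only the LEEF framing and the predefined keys devTime, src, dst, usrName, cat and sev follow the LEEF specification.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts in LEEF 1.0 syntax. The event IDs and the custom keys
# sqlErr/sqlText are assumptions for this example, not documented Guardium fields.
SAMPLE_ALERTS = [
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=2013-06-05 10:00:01\tsrc=10.10.9.55\tdst=10.10.9.20\tusrName=appuser\tcat=Login\tsev=5",
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=2013-06-05 10:00:07\tsrc=10.10.9.55\tdst=10.10.9.20\tusrName=appuser\tcat=Login\tsev=5",
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=2013-06-05 10:00:15\tsrc=10.10.9.55\tdst=10.10.9.20\tusrName=sa\tcat=Login\tsev=5",
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=2013-06-05 10:03:40\tsrc=10.10.9.80\tdst=10.10.9.20\tusrName=report\tcat=Login\tsev=5",
    "LEEF:1.0|IBM|Guardium|9.0|SQLError|devTime=2013-06-05 10:05:02\tsrc=10.10.9.61\tdst=10.10.9.20\tusrName=webapp\tcat=SQLError\tsev=7\tsqlErr=ORA-00933",
    "LEEF:1.0|IBM|Guardium|9.0|SQLError|devTime=2013-06-05 10:05:03\tsrc=10.10.9.61\tdst=10.10.9.20\tusrName=webapp\tcat=SQLError\tsev=7\tsqlErr=ORA-01756",
    "LEEF:1.0|IBM|Guardium|9.0|SQLError|devTime=2013-06-05 10:05:03\tsrc=10.10.9.61\tdst=10.10.9.20\tusrName=webapp\tcat=SQLError\tsev=7\tsqlErr=ORA-00933",
    "LEEF:1.0|IBM|Guardium|9.0|PrivilegeChange|devTime=2013-06-05 10:06:10\tsrc=10.10.9.61\tdst=10.10.9.20\tusrName=webapp\tcat=DDL\tsev=8\tsqlText=GRANT DBA TO webapp",
]


def parse_leef(line):
    """Split one LEEF 1.0 record into its header fields plus a dict of attributes.

    LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|  then tab-separated key=value pairs.
    """
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record: %r" % line)
    event = {"vendor": parts[1], "product": parts[2], "version": parts[3], "eventId": parts[4]}
    for attr in parts[5].split("\t"):
        key, sep, value = attr.partition("=")
        if sep:
            event[key] = value
    if "devTime" in event:
        event["devTime"] = datetime.strptime(event["devTime"], "%Y-%m-%d %H:%M:%S")
    return event


def failed_login_bursts(events, threshold=3, window_seconds=60):
    """Source IPs with at least `threshold` FailedLogin events inside a sliding window."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["eventId"] == "FailedLogin":
            per_src[ev["src"]].append(ev["devTime"])
    flagged = set()
    for src, times in per_src.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > timedelta(seconds=window_seconds):
                recent.popleft()          # drop logins that fell out of the window
            if len(recent) >= threshold:
                flagged.add(src)
                break
    return flagged


def sql_error_spikes(events, threshold=3):
    """Accounts whose SQL error count meets the threshold; a run of syntax errors
    from an application account is the classic SQL injection indicator."""
    counts = defaultdict(int)
    for ev in events:
        if ev["eventId"] == "SQLError":
            counts[ev["usrName"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def privilege_changes(events):
    """(user, statement) pairs for privilege-change events, for analyst review."""
    return [(ev["usrName"], ev.get("sqlText", "")) for ev in events if ev["eventId"] == "PrivilegeChange"]


def correlate(lines):
    """Parse raw LEEF lines and run all three rules."""
    events = [parse_leef(line) for line in lines]
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "sql_error_spikes": sql_error_spikes(events),
        "privilege_changes": privilege_changes(events),
    }


if __name__ == "__main__":
    for rule, hits in correlate(SAMPLE_ALERTS).items():
        print(rule, hits)
```

The three rules are deliberately stateless over a batch; in a SIEM the same logic runs as streaming rules with the window kept per source, and the thresholds are tuned per environment so a single mistyped password does not raise an offense.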
Forensic drill-downs on each InfoSphere Guardium event (screenshot)
Expanding audit information collection for QRadar SIEM
• Challenge
– Integrate database and data source audit information with SIEM forensics
– Formatting information from heterogeneous data sources is tedious and requires expertise
• Solution
– Leverage Guardium unintrusive audit log collection for several data sources to feed QRadar with normalized audit logs
– Guardium side:
• Sending custom reports via syslog to QRadar SIEM with “extra” data to match the SIEM format
• Custom audit reports have richer context than native audit logs
– QRadar SIEM side:
• Ensure the correct format is mapped through a template
(Figure: normalized audit reports (syslog) from file shares, Big Data, data warehouses, databases and other sources arrive at QRadar as audit logs.)
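To make the Guardium-side and QRadar-side split concrete, here is an added Python example (not from the deck and not either product's code). It renders constructed audit report rows as RFC 3164 syslog lines carrying tab-separated key=value pairs plus the “extra” constant fields a SIEM template expects, then applies a regex template on the receiving side that maps those keys to normalized property names. The report column names, the field keys and the property names are assumptions; QRadar's own log source extension syntax is not reproduced here.

```python
import re
from datetime import datetime

# Constructed rows as a custom audit report might expose them; the column
# names are assumptions for this example, not Guardium report columns.
REPORT_ROWS = [
    {"Timestamp": datetime(2013, 6, 5, 10, 7, 0), "DB User": "hr_app",
     "Client IP": "10.10.9.61", "Server IP": "10.10.9.20", "Service": "oracle",
     "SQL Verb": "SELECT", "Object": "EMPLOYEES"},
    {"Timestamp": datetime(2013, 6, 5, 10, 7, 4), "DB User": "dba01",
     "Client IP": "10.10.9.12", "Server IP": "10.10.9.20", "Service": "oracle",
     "SQL Verb": "ALTER", "Object": "SALARIES"},
]

# "Extra" constant fields appended so the receiving template sees the property
# names it expects (assumed names).
EXTRA_FIELDS = {"category": "DataActivity", "datasource": "Guardium"}


def to_syslog(row, facility=13, severity=6, hostname="guardium-collector"):
    """Render one report row as an RFC 3164 syslog line.

    Pairs are tab-separated so that values such as object names may contain spaces.
    """
    pri = facility * 8 + severity                       # RFC 3164: PRI = facility * 8 + severity
    ts = row["Timestamp"]
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day,   # RFC 3164 day-of-month is space-padded
                           ts.strftime("%H:%M:%S"))
    fields = {"usr": row["DB User"], "src": row["Client IP"], "dst": row["Server IP"],
              "svc": row["Service"], "verb": row["SQL Verb"], "obj": row["Object"]}
    fields.update(EXTRA_FIELDS)
    body = "\t".join("%s=%s" % kv for kv in fields.items())
    return "<%d>%s %s guardium: %s" % (pri, stamp, hostname, body)


# Receiving side: one regex template recognises the framing and a map renames
# the report keys to the SIEM's normalized property names (assumed names).
TEMPLATE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) guardium: (?P<kv>.*)$")
PROPERTY_MAP = {"usr": "username", "src": "sourceip", "dst": "destinationip",
                "svc": "service", "verb": "eventname", "obj": "object"}


def normalize(line):
    """Parse one syslog line into a normalized event dict; reject lines that do not match."""
    m = TEMPLATE.match(line)
    if not m:
        raise ValueError("line does not match template: %r" % line)
    pri = int(m.group("pri"))
    event = {"facility": pri // 8, "severity": pri % 8,
             "host": m.group("host"), "timestamp": m.group("ts")}
    for pair in m.group("kv").split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            event[PROPERTY_MAP.get(key, key)] = value   # unknown keys are kept under their own name
    return event


def normalize_report(rows):
    """Round-trip every report row through the syslog format and the template."""
    return [normalize(to_syslog(row)) for row in rows]


if __name__ == "__main__":
    for row in REPORT_ROWS:
        line = to_syslog(row)
        print(line)
        print(normalize(line))
```

The point of the round trip is that the receiving template never needs to know the report layout: the sending side does the renaming, and anything it adds under a new key is still captured rather than dropped.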
Discover and classify sensitive data in databases
• Discover database instances on the network
• Catalog Search: search the database catalog for a table or column name
– Example: search for tables where the column name is like “%card%”
• Search by Permission: search for the types of access that have been granted to users or roles
• Search for Data: match specific values or patterns in the data
– Example: search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card patterns)
• Search for Unstructured Data: match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
• Classify Data: put data in actionable groups, automatically or manually
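The catalog search and data search described above differ in what they can find, and the following added Python example (not from the deck, not Guardium's code) shows both against a constructed in-memory SQLite schema: the catalog search finds a column because its name matches “%card%”, the data search finds a free-text column whose values contain card numbers, and a Luhn check keeps a 16-digit reference number from being classified as cardholder data. The schema, rows and group name are constructed; the card numbers are the usual public test numbers, and the pattern is a plain regex rather than the guardium://CREDIT_CARD definition.

```python
import re
import sqlite3

# Constructed sample schema and rows (test card numbers, no real data): one
# table whose column name reveals card data, one where only the values do, and
# one with the word "card" in a value but no card number.
SAMPLE_SQL = """
CREATE TABLE customers (id INTEGER, name TEXT, card_number TEXT);
CREATE TABLE orders (id INTEGER, customer_id INTEGER, notes TEXT);
CREATE TABLE products (sku TEXT, description TEXT);
INSERT INTO customers VALUES (1, 'Ann', '4111111111111111');
INSERT INTO customers VALUES (2, 'Bob', '5500 0000 0000 0004');
INSERT INTO orders VALUES (10, 1, 'paid with 4012888888881881 over the phone');
INSERT INTO orders VALUES (11, 2, 'gift wrap requested');
INSERT INTO orders VALUES (12, 1, 'ref 1234567890123456');
INSERT INTO products VALUES ('A-1', 'card reader, USB');
"""

# 13 to 19 digits with optional single space/dash separators; a stand-in for
# the built-in credit card pattern, not its actual definition.
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def table_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]


def catalog_search(conn, column_like="%card%"):
    """Catalog search: (table, column) pairs whose column name matches the LIKE pattern."""
    hits = []
    for table in table_names(conn):
        for col in conn.execute('PRAGMA table_info("%s")' % table):   # name comes from the catalog
            name = col[1]
            if conn.execute("SELECT ? LIKE ?", (name, column_like)).fetchone()[0]:
                hits.append((table, name))
    return hits


def data_search(conn, sample_rows=1000):
    """Data search: (table, column) pairs whose text values contain a Luhn-valid card number."""
    hits = set()
    for table in table_names(conn):
        cols = [c[1] for c in conn.execute('PRAGMA table_info("%s")' % table)]
        for row in conn.execute('SELECT * FROM "%s" LIMIT ?' % table, (sample_rows,)):
            for col, value in zip(cols, row):
                if not isinstance(value, str):
                    continue
                for m in CARD_PATTERN.finditer(value):
                    if luhn_ok(re.sub(r"[ -]", "", m.group())):
                        hits.add((table, col))
                        break
    return sorted(hits)


def classify(conn):
    """Put every column found by either search into the CARDHOLDER_DATA group (assumed group name)."""
    group = set()
    for table, col in catalog_search(conn) + data_search(conn):
        group.add("%s.%s" % (table, col))
    return {"CARDHOLDER_DATA": sorted(group)}


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("catalog search:", catalog_search(db))
    print("data search:   ", data_search(db))
    print("classified:    ", classify(db))
```

Note that orders.notes is only found by the data search: nothing in the catalog hints that free-text notes hold card numbers, which is why both searches are needed before a monitoring policy can be scoped to the right objects.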
Example: Find, Classify, and Report on Cardholder Data
(Screenshot: Guardium agentless network scan of 10.10.9.*)
Guardium: Vulnerability Assessment Results
(Screenshot: overall score, detailed scoring matrix, historical progress or regression, and a filter control for easy use.)
Providing actionable insights from database infrastructure risk posture
• Guardium runs comprehensive vulnerability tests against database infrastructure
1. Database settings
2. Operating system
3. Observed behavior
• Guardium sends vulnerability results to a staging server via SCP (failed CVE lists)
• QRadar uploads the AXIS or SCAP schema from the staging server
• QRadar leverages the risk information in asset reports and policies
Vulnerability assessment scan tests:
– DB tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL): permissions, roles, configurations, versions, custom tests
– OS tier (Windows, Solaris, AIX, HP-UX, Linux): configuration files, environment variables, registry settings, custom tests
– Database user activity (observed behavior)
(Figure: scan results are exported as AXIS or SCAP to QRadar.)
Summary
• It’s increasingly critical to secure high value data and validate compliance
• QRadar SIEM offers unparalleled visibility and security intelligence against threats across all IT resources
• InfoSphere Guardium complements QRadar security intelligence with real-time actionable insights into data activity, which is not possible with traditional data audit log analysis
• InfoSphere Guardium is a leadership solution for data security and compliance, offering:
– Scalable non-disruptive enterprise architecture
– Broad heterogeneous data source support
– Complete visibility and granular control
– Deep automation to reduce workload and total cost of operations
Information, training, and community
• InfoSphere Guardium YouTube Channel (includes overviews and technical demos)
• InfoSphere Guardium newsletter
• developerWorks forum (very active)
• Guardium DAM User Group on Linked-In (very active)
• Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
• Guardium Info Center (installation, System Z S-TAPs and some how-tos, more to come)
• Technical training courses (classroom and self-paced)
New! InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to [email protected] if interested.
Thank you (slide shown in Polish, Traditional Chinese, Thai, Spanish, French, Russian, Arabic, Brazilian Portuguese, German, Swedish, Simplified Chinese, Japanese and Italian)