Guardium value proposition for fss pn 12 02-10


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This is one of our larger installations – but we have another global bank customer that is currently monitoring 3,000 database instances, distributed across NA, SA, EMEA and the Far East.
  • Deep automation to reduce workload (e.g., compliance workflow automation to streamline audit/oversight tasks such as electronic sign-offs, escalations, etc.) Comprehensive functionality (DAM, VA, configuration auditing, discovery, blocking) based on common back-end, workflow & Web console
  • Updates to Deck for RSA 2010 1- Use New logo and blue wash template 2- Update bullets with the new ones in slide below. ---------------------- OLD SCRIPT NOTES BELOW-------------------------------- Let’s talk about our solution! Heterogeneous support for Databases and Applications STAP Agents lightweight cross platform support NO changes to the Database or Applications Collectors handle the heavy lifting reduces the impact on the database server No logging requirements DBAs can (sometimes have to!) turn this off Logging greatly impacts the Database Server as you increase granularity! Real-time alerting Monitor ALL Access A Privileged User working on the server console won’t be detected by any solution that only monitors network traffic!
  • How does this look in a Large Distributed Environment? Multiple S-TAPs and Collectors S-GATE – blocking only the traffic you need to block (such as privileged users), without affecting application traffic (see example in upcoming demo) Z-TAP – monitoring applications on mainframes as well as access by privileged users Centralized, cross-platform policy management Centralized, cross-platform audit repository Scalable Auditing (not just monitoring) millions of transactions per day in real-world environments You can easily add Collectors when and where needed to handle whatever throughput and auditing requirements you need S-TAP Agents provide failover and redundancy options
  • This is an example of how to detect unauthorized access when someone uses the credentials belonging to the application’s generic service account, and connects directly to the database server using these credentials. These credentials should only be used by the application itself but in most organizations, these credentials are widely-known and often shared among privileged users such as DBAs, developers and outsourced personnel. This usage typically violates corporate policies – since there is no accountability with shared accounts, and the user gains the high level of privileges granted to the application -- but these policies are difficult or impossible to enforce without a DAM solution like Guardium n place. The example above shows how to construct a Guardium policy to detect when such usage occurs, and automatically alert security personnel. This policy is typically one of the first policies implemented in Guardium accounts. The policy says: “Alert me whenever someone accesses the database server belonging to the group called “Production Servers,” [this group can be defined and maintained externally, such as in LDAP], from an IP address that is NOT in the group of “Authorized Client IPs,” using the generic service account “APPUSER.” The policies can be even more granular if desired, specifying that the rule is violated whenever a specific SQL Command gets executed (SELECT in this case) and a specific object that is touched (Employee Table in this case). The drop down box also shows other actions that can be taken when the rule is violated, such as blocking (S-TAP TERMINATE), ALERT ONCE PER SESSION, or LOG FULL DETAILS (capture all information about subsequent SQL transactions including all returned data). This shows that Guardium provides both detective controls (alerts and fine-grained audit trail) as well as preventive controls (blocking). The screen shot above only shows a subset of all fields available when defining policies; the next slide shows all of the policy fields.
  • Guardium includes pre-defined policies for enterprise applications such as SAP and regulations such as PCI. This example shows all of the fields available in a Guardium policy, showing the granularity of information collected such as OS User (Domain account), App User, and Source Application (the application residing on the client that is used to access the database, such as Microsoft Excel). Guardium ships with a pre-defined group (SAP – PCI) that contains all of the SAP tables for which access must be monitored for PCI compliance, saving time and effort in locating these tables and defining the group.
  • Updates to Deck for RSA 2010 1- Use New logo and blue wash template ---------------------- OLD SCRIPT NOTES BELOW---------------------
  • Guardium value proposition for fss pn 12 02-10

    1. 1. Safeguarding Enterprise Data withReal-Time Database Security &Continuous MonitoringThe Guardium Value Propositionfor Financial Services Firms Information Management © 2011 IBM Corporation
    2. 2. Information ManagementOutline  Value Proposition  Market Background  Case Studies  Summary  Appendix: Architecture © 2010 IBM Corporation
    3. 3. Information ManagementGuardium Value Proposition for Financial Services 1. Prevent data breaches & fraud • Mitigate external & internal threats • Secure customer & credit card data, ACH data, strategic plans & IP 1. Assure data governance • Prevent unauthorized changes to financial & ERP data 1. Reduce cost of compliance • Automate & centralize controls • Simplify processes • … Without performance impact or changes to databases & applications © 2010 IBM Corporation
    4. 4. Information ManagementKey Compliance Drivers for Financial Services  SOX, MAR (NAIC), COBIT/Best Practices … – Prevent unauthorized changes to financial, CRM, ERP & HR data – Includes changes to both data (DML) and schemas (DDL)  Consumer privacy laws, GLBA, FTC “Red Flag Rule” … – Prevent unauthorized access to personal information (PII), especially by privileged users such as DBAs, developers & outsourced personnel  PCI – Track and monitor all access to cardholder data (Req.10) – Protect stored cardholder data (Req. 3) – Identify unpatched systems & enforce change controls (Req. 6) – Compensating control for column-level encryption (Req. 3) – Compensating control for network segmentation (Req. 7) – Regularly test systems (Req. 11)  Reduce compliance costs & effort – Streamline compliance with automated & centralized controls – Rapid ROI with < 6 months payback (typical) © 2010 IBM Corporation
    5. 5. Information ManagementOracle Survey: Most Organizations Have Very Weak Database Controls  3 of 4 organizations can’t prevent privileged users from reading or tampering with data in their databases  2 of 3 can’t detect or prove that privileged DB users aren’t abusing their privileges  Only 1 of 4 use automated tools to monitor databases for security issues on a regular basis  Close to half said an end-user with common desktop or ad hoc tools either could gain unauthorized direct access to sensitive information (or they werent sure about it)  Majority don’t apply Critical Patch Updates in timely manner Source: 2010 Independent Oracle User Group (IOUG) Data Security Survey, based on survey of 430 members. © 2010 IBM Corporation
    6. 6. Database Servers Are The Primary Source of Breached Data Source of Breached Records SQL injection played a role in 79% SQL injection played a role in 79% of records compromised during of records compromised during 2009 breaches 2009 breaches “Although much angst and security “Although much angst and security funding is given to …. mobile funding is given to …. mobile devices and end-user systems, devices and end-user systems, these assets are simply not these assets are simply not a major point of compromise.” a major point of compromise.”2010 Data Breach Report from Verizon Business RISK Team … up from 75% in 2009 Report © 2010 IBM Corporation
    7. 7. Integration/SOA Legacy App Web-Facing AppsPerimeter Defenses No Longer Sufficient “A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” - William J. Lynn III, U.S. Deputy Defense Secretary Employee Self-Service, Partners & Suppliers pplication ials tc.) © 2010 IBM Corporation
    8. 8. PCI Compliance Still a Major Challenge Organizations struggle most with: – Req. 10: Track & monitor all access to cardholder data • Typically have no problem with audit logging for network devices & OS’s • But massive amount of audit data at DB layer => how to identify “needle in haystack”? – Req. 3: Protect stored cardholder data • Encryption is a challenge due to performance, key management & application changes ¾ of organizations don’t realize they aren’t compliant – Most appear overconfident when assessing security practices – Organizations are better at “planning and doing” than monitoring ongoing compliance It’s difficult & cost prohibitive to assess all “need to know” entitlements – Need automated approaches SQL injection and backdoors and are top 2 threat actions in actual payment card breaches Most organizations treat compliance as an event, rather than a continuous processSource: Verizon 2010 Payment Card Industry Compliance Report, based on roughly 200 assessments. © 2010 IBM Corporation
    9. 9. Cost of a Data Breach  Forrester survey of 305 IT decision makers  Secrets (e.g., strategic plans) are twice as valuable as custodial data (personal information, credit card data, etc.) – 2/3 of value in corporate information portfolio from non-regulated data (secrets)  Companies focus mainly on preventing accidents (email, etc.) – But deliberate theft of information by employees is much more costly – Damage caused by rogue IT administrator = $482K (average) – Average cost of accidental leakage = $12K  Most CISOs don’t really know if their controls really work  Note: Survey does not address other costs such as fines – Australian bank was fined $500K by VISA – Heartland breach cost = $140M © 2010 IBM Corporation
    10. 10. Chosen by Leading Financial Services Organizations Worldwide • 5 of the top 5 global banks • Major healthcare payers • 4 of the top 6 global insurers • 25 of the world’s leading telcos • A leading global cardholder brand • World’s favorite beverage brands • Major investment & brokerage firms • A top 3 auto maker • Leading payment processing firms • A top 3 aerospace company • Government financial organizations • Leading energy suppliers © 2010 IBM Corporation
    11. 11. Information ManagementFinancial Services Firm with 1M+ Sessions/Day  Who: Global NYSE-traded company with 75M customers  Need: Enhance SOX compliance, data governance & data privacy – Phase 1: Monitor all privileged user activities, especially DB changes. – Phase 2: Focus on data privacy.  Environment: 4 data centers managed by IBM Global Services – 122 database instances on 100+ servers – Oracle, IBM DB2, Sybase, SQL Server on AIX, HP-UX, Solaris, Windows – PeopleSoft plus 75 in-house applications  Alternatives considered: Native auditing – Not practical because of performance overhead; DB servers at 99% capacity  Results: Now auditing 1M+ sessions per day (GRANTs, DDL, etc.) – Caught DBAs accessing databases with Excel & shared credentials – Producing daily automated reports for SOX with sign-off by oversight teams – Automated change control reconciliation using ticket IDs from change ticketing system – Passed multiple external audits © 2010 IBM Corporation
    12. 12. Information ManagementTop 5 Global Bank with Multiple Business Units via M&A  Who: Major global bank with multiple business units via mergers & acquisitions – Retail & corporate banking – Investment banking – Mortgage banking  Need: Ensure privacy & integrity of all critical enterprise data – Financial & HR data; ERP data; credit card data; PII; strategic & intellectual property – Address PCI (Reqts. 3, 6 & 10); SOX; international data privacy laws; internal standards  Environment – Oracle, SQL Server, Sybase, DB2 UDB; DB2 on z & iSeries; Informix; MySQL; Teradata – Solaris, HP-UX, AIX, Windows, Linux – Now monitoring ~2,000 database instances  Alternatives considered – Native logging/auditing from Oracle – Symantec/ESM plus products from smaller vendors  Results – Saving $1.5M per year in storage costs for native audit trails – Saved $20M+ by using Guardium as compensating control for DB encryption (PCI) – Guardium now a standard part of bank infrastructure – Culture change – awareness of data security – New processes to investigate insider threats © 2010 IBM Corporation
    13. 13. Information ManagementRegional Bank for SOX, PCI, GLB, FINRA, …  Who: Regional bank with 800 branches  Need: Ensure privileged users are not inappropriately accessing or jeopardizing the integrity of enterprise data such as: – Financial and transactional data – Credit card – PAN data (magnetic stripe) – ACH transaction data – HR data  Environment – Oracle (initial focus), SQL Server, DB2 on mainframe, MySQL – Solaris, AIX, Windows, Linux  Alternatives considered – Lumigent (incumbent solution that relies on native logs) – Native logging/auditing from Oracle  Results – Monitoring for unauthorized or suspicious activities – Passing audits faster – Planning to expand to data leak prevention (data-level blocking) © 2010 IBM Corporation
    14. 14. Information ManagementSecuring SAP & Siebel: 239% ROI and <6 Months Payback  Who: F500 organization ($15B revenue)  Need: Secure SAP & Siebel data for SOX – Enforce change controls & implement consistent auditing across platforms  Environment – SAP, Siebel, Manugistics, IT2 + 21 other Key Financial Systems (KFS) – Oracle & IBM DB2 on AIX; SQL Server on Windows Commissioned Forrester Consulting Case Study  Results: 239% ROI & 5.9 months payback, plus: – Proactive security: Real-time alert when changes made to critical tables – Simplified compliance: Passed 4 audits (internal & external) • “The ability to associate changes with a ticket number makes our job a lot easier … which is something the auditors ask about.” [Lead Security Analyst] – Strategic focus on data security • “There’s a new and sharper focus on database security within the IT organization. Security is more top-of-mind among IT operations people and other staff such as developers.” © 2010 IBM Corporation
    15. 15. Addressing the Full Lifecycle of Database Security & Compliance © 2010 IBM Corporation
    16. 16. What Sets Guardium Apart Most widely-deployed solution, with continuous enhancements based on feedback from the most demanding data center environments worldwide Rated by Forrester as “a Leader across the board” with #1 scores for Architecture, Product Offering (Functionality) & Product Strategy – Forrester expects Guardium “to maintain its leadership in supporting large heterogeneous environments, delivering high performance and scalability, simplifying administration, and performing real-time database protection.”1  Available as physical or virtual (software-only) appliance Key architectural advantages: enterprise solution – Scalable multi-tier architecture – Broad heterogeneous support – Full visibility into all database activities – Advanced analytics/forensics based on centralized audit data warehouse – Deep automation to reduce TCO & workload – Comprehensive, integrated lifecycle solution (common back-end, workflow & Web console) 1 Source: “The Forrester Wave™: Enterprise Database Auditing and Real-Time Protection, Q4 2007” © 2010 IBM Corporation
    17. 17. Appendix: Guardium Architecture & Examples © 2010 IBM Corporation
    18. 18. Which Database Audit Tools are Enterprises Using Today? Manual remediation, Create Manual dispatch reports review and tracking © 2010 IBM Corporation
    19. 19. What Are the Challenges with Current Approaches?  No separation of duties -- DBAs & hackers can easily tamper with logs to cover their tracks  Performance impact of native logging on the DBMS  Limited scope & granularity of log data  Not real-time  No preventive controls  Another data store to secure and manage ($$$)  Inconsistent policies across apps, DBMS platforms, compliance initiatives  Can’t identify end-user fraud for connection-pooled applications that use generic service accounts (SAP, PeopleSoft, etc.)  Lack of DBMS & application expertise on security teams  Last-minute audit scrambles -- significant labor cost to clean & review data, create reports, maintain oversight processes © 2010 IBM Corporation
    20. 20. Non-Invasive, Real-Time Database Security & Monitoring• Continuously monitors all database activities • Supports Separation of Duties (including local access by superusers) Activity logs can’t be erased by attackers •• Heterogeneous, cross-DBMS solution or DBAs• Does not rely on native DBMS audit logs • Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)• Minimal performance impact (2-3%) • Granular, real-time policies & auditing• No DBMS or application changes • Who, what, when, where, how © 2010 IBM Corporation
    21. 21. Scalable Multi-Tier Architecture Oracle on Linux for System z Integration with LDAP, IAM, SIEM, CMDB, change ticketing, … © 2010 IBM Corporation
    22. 22. Granular Policies with Detective & Preventive Controls APPUSER EmployeeTable Database Select Application Server Server Sample Alert © 2010 IBM Corporation
    23. 23. PCI Example: Pre-Defined Policy for TrackingAll Access to Cardholder Data in SAP © 2010 IBM Corporation
    24. 24. Sample Report Showing Application User ID & Drill-Down Info Drill down: show all tables that were accessed by this user Who accessed the ADRP table (which contains PII data)? © 2010 IBM Corporation
    25. 25. IBM/Guardium vs. Oracle Database Security Oracle Database Vault, Oracle Audit Vault IBM/Guardium Heterogeneous support Minimal performance impact or changes Enforces Separation of Duties (SoD) Real-time monitoring & alerting Application monitoring (EBS, PeopleSoft, SAP, etc.)Oracle is a registered trademark of Oracle Corporation and/or its affiliates. © 2010 IBM Corporation
    26. 26. © 2010 IBM Corporation