DSS ITSEC 2013 Conference 07.11.2013 - ALSO - Guardium INTRO

Presentation from one of the notable IT security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.

Speaker notes:
  • Find and identify your databases (production and test-environment copies; experience shows that production data also ends up on IS developers' personal computers!)
  • Are we sure which of the databases store sensitive data (whatever the company defines as sensitive), e.g. personal ID number, address, billing information? I share my experience with the databases of national-importance information systems (MSSQL and Oracle). Is there a designated IS owner? What about changes: are they documented? This is a case where Guardium can, transparently to the user, mask the information or block access to it entirely if those actions are not taken right away.
  • Based on predefined conditions the system recognizes the sensitive data you have defined; in this case a credit card number.
  • A security check of the DB configuration before it is handed over for use: can a DB administrator remember everything? We fully trust our DB administrators, but it would be good to support them with a DB security check that points out the things one cannot always remember in practice, especially when there are no configuration templates and no checklist of questions to go through.
  • The system provides a wide range of DB configuration templates and checks.
  • Up-to-date DB vulnerability checking with regular updates from IBM. A wide range of predefined checks; works closely together with CAS.
  • Vulnerability checking: the latest information about vulnerabilities of the specific DB and its version is received regularly from IBM, which makes regular scheduled scans possible.
    Not only a summary, but also specific recommendations for what the system administrator has to do.
  • Data masking according to access rights and user groups; integration with LDAP.
    The DB administrator usually has superadmin rights, which means they can also see sensitive information.
  • Also controls non-TCP local connections.
  • Various masking techniques: configurable for any information, with any substitute characters, as well as a RANDOM approach so that the output is close to reality (in format) but is not production data.
  • What about DB configuration change management: can we see the change history and where, what and why something was changed (files and their templates, OS and SQL scripts, registry and environment variables)? Were the changes made under a ServiceDesk ticket ID? (Guardium provides: the specific changed values, script output, file names, changes of access rights (owner, group), file checksums; templates are available.)
  • Log files are stored unchanged in Guardium for 3-6 months and can be exported to an archive as needed.
    When examining activity in the existing audit records, it can send real-time alerts and take predefined actions, also on historical data.
    We can count ourselves lucky if we have a security manager with the technical tooling needed to take care of these matters; and even where that is done, could they identify suspicious situations quickly enough, before the organization's reputation suffers (data leakage in the news or on TV)? Guardium does not depend on the local server log files; it keeps the captured activity on its own side, ensuring the required retention period and forwarding to another repository.
  • Let’s talk about our solution!
    Heterogeneous support for Databases and Applications
    S-TAP Agents
    lightweight cross platform support
    NO changes to Databases or Applications
    Also monitor direct access to databases by privileged users (such as SSH console access), which can’t be detected by solutions that only monitor at the switch level.
    Collectors handle the heavy lifting (continuous analysis, reporting and storage of audit data)
    reduces the impact on the database server
    Our solution does not rely on log or native audit data
    DBAs can (sometimes have to!) turn this off
    Logging greatly impacts performance on the Database Server as you increase granularity!
    Real-time alerting – not after the fact
    Monitor ALL Access
  • For example, whether the DB complies with PCI DSS (Payment Card Industry Data Security Standard).
  • Applications such as Oracle EBS, PeopleSoft and SAP often use a single DB login user ID, so it cannot be determined which end user performed a particular action. (Guardium follows the session between the application and the DB.)
  • Scalable multi-tier architecture: from a simple setup with a single Collector up to several Aggregators and central management of the collectors.
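
The two notes above on recognizing credit card numbers (slide 7) and on masking them with substitute characters or a format-preserving random value describe a procedure without showing it. The following is an added example, not Guardium code, that runs the procedure over a few constructed rows: candidates are found by pattern, confirmed with the Luhn checksum so that a random 16-digit order number is not flagged, and then masked either with a fixed character or with a random replacement that keeps length and checksum validity but is never the real number. The sample rows and the `X` substitute character are assumptions made for the example.

```python
"""Sensitive-data discovery and masking.

Added example, not Guardium code: scans constructed sample rows for payment
card numbers (pattern match plus Luhn check), reports which columns hold them,
and masks them either with a fixed substitute character or with a random,
format-preserving replacement that still passes Luhn but is not the real value.
"""
from __future__ import annotations

import random
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_columns(rows: list[dict]) -> dict[str, int]:
    """Count, per column, how many values contain a valid card number."""
    counts: dict[str, int] = {}
    for row in rows:
        for col, val in row.items():
            if find_pans(str(val)):
                counts[col] = counts.get(col, 0) + 1
    return counts


def mask_fixed(pan: str, keep_last: int = 4, sub: str = "X") -> str:
    """Replace all but the last keep_last digits with a fixed substitute character."""
    return sub * (len(pan) - keep_last) + pan[-keep_last:]


def mask_random(pan: str, rng: random.Random) -> str:
    """Same length and Luhn-valid, but never equal to the input (format-preserving fake)."""
    while True:
        body = "".join(rng.choice("0123456789") for _ in range(len(pan) - 1))
        check = next(d for d in "0123456789" if luhn_ok(body + d))
        fake = body + check
        if fake != pan:
            return fake


def fake_pan(pan: str, seed: int = 0) -> str:
    """Deterministic wrapper around mask_random for repeatable test data."""
    return mask_random(pan, random.Random(seed))


def redact(text: str, masker) -> str:
    """Rewrite every valid card number in text using masker; leave other digit runs alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return masker(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample data, not real customer records.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice", "card": "4111 1111 1111 1111", "note": "VIP"},
    {"id": 2, "name": "Bob", "card": "5500-0000-0000-0004",
     "note": "called about card 4111111111111111"},
    {"id": 3, "name": "Carol", "card": "1234567890123456", "note": "fails Luhn"},
]

if __name__ == "__main__":
    print(classify_columns(SAMPLE_ROWS))            # {'card': 2, 'note': 1}
    print(redact(SAMPLE_ROWS[1]["note"], mask_fixed))
    print(redact(SAMPLE_ROWS[1]["note"], fake_pan))
```

The Luhn check is what keeps the false-positive rate tolerable on free-text columns such as `note`; a plain 16-digit pattern would also flag Carol's row. The random masker is the one to use for test-environment copies, since downstream code that validates the checksum keeps working while the real numbers never leave production.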
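
The change-management note above asks for a history of what changed in DB configuration files (content, owner, group, checksum) and whether each change is covered by a ServiceDesk ticket. The following is an added example, not Guardium's change audit feature, showing the underlying technique: a baseline of hashes and permission bits, a rescan that lists the differences, and a reconciliation step that approves only changes named in an open ticket. The Oracle file names, their contents and the ticket ID `SD-10423` are illustrative assumptions.

```python
"""Configuration-change tracking with ticket reconciliation.

Added example, not Guardium code: takes a baseline of DB configuration files
(SHA-256, size, owner, group, mode), rescans and lists what changed, and marks
each change approved only when an open ServiceDesk ticket names that file.
File names, contents and ticket IDs are illustrative.
"""
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(path: Path) -> dict:
    """Content hash plus the ownership and permission bits that policy cares about."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),
    }


def baseline(paths) -> dict[str, dict]:
    """Snapshot every path, keyed by its string form."""
    return {str(p): snapshot(Path(p)) for p in paths}


def diff_baseline(old: dict, new: dict) -> list[dict]:
    """One entry per file whose content, ownership or permissions differ."""
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in new:
            changes.append({"file": name, "what": "deleted"})
        elif name not in old:
            changes.append({"file": name, "what": "added"})
        else:
            fields = [k for k in old[name] if old[name][k] != new[name][k]]
            if fields:
                changes.append({
                    "file": name,
                    "what": ",".join(fields),
                    "before": {k: old[name][k] for k in fields},
                    "after": {k: new[name][k] for k in fields},
                })
    return changes


def reconcile(changes: list[dict], open_tickets: dict[str, set[str]]) -> list[dict]:
    """Attach the ticket that covers each changed file, or flag the change as unauthorized."""
    out = []
    for c in changes:
        ticket = next((t for t, files in open_tickets.items() if c["file"] in files), None)
        out.append({**c, "ticket": ticket, "status": "approved" if ticket else "unauthorized"})
    return out


def demo() -> dict[str, dict]:
    """Constructed scenario in a temp dir: one ticketed edit, one rogue edit, one silent chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        listener, sqlnet, tnsnames = d / "listener.ora", d / "sqlnet.ora", d / "tnsnames.ora"
        listener.write_text("LISTENER = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521))\n")
        sqlnet.write_text("SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12\n")
        tnsnames.write_text("PROD = (DESCRIPTION = (ADDRESS = (HOST = db1)))\n")
        files = [listener, sqlnet, tnsnames]
        for p in files:
            p.chmod(0o640)
        before = baseline(files)

        # Ticketed: tighten the listener. Rogue: lower the logon version floor,
        # and make tnsnames.ora world-writable without touching its content.
        listener.write_text(listener.read_text() + "LOCAL_OS_AUTHENTICATION_LISTENER = ON\n")
        sqlnet.write_text("SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8\n")
        tnsnames.chmod(0o666)
        after = baseline(files)

        tickets = {"SD-10423": {str(listener)}}  # hypothetical open ServiceDesk ticket
        result = reconcile(diff_baseline(before, after), tickets)
        return {Path(c["file"]).name: c for c in result}


if __name__ == "__main__":
    for name, change in demo().items():
        print(name, change["status"], change["what"], change.get("ticket"))
```

The permission-only change on `tnsnames.ora` is the case a content-hash-only monitor misses, which is why owner, group and mode are part of the snapshot. In production the baseline would be stored off the database host, so that a DBA who can edit the file cannot also edit the record of what it looked like before.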

    1. InfoSphere Guardium – Ingmārs Briedis (ingmars.briedis@also.com), IBM SW solutions © 2009 IBM Corporation
    2. Agenda • Any questions unresolved? • The Guardium Architecture • Integration with Existing Infrastructure • Summary
    3. Any questions unresolved? • How many DBs do you have today? • Which of them hold sensitive data? • Are there any DB configuration defaults left? • Do you have up-to-date software? • Can you completely trust your superusers? • Lack of configuration file versioning? • Problems with log file integrity or real-time alerting? • Are there any requirements for security compliance? • Who is who – is this really the DB user we thought?
    7. Sensitive data – credit card number
    18. Real-Time Database Security & Monitoring – DB2, Microsoft SQL Server, privileged users • 100% visibility including local DBA access • No DBMS or application changes • Minimal impact on DB performance • Enforces separation of duties with a tamper-proof audit repository • Granular policies, monitoring & auditing providing the who, what, when & how • Real-time, policy-based alerting • Can store 3-6 months' worth of audit data on the appliance itself and integrates with archiving systems
    23. Application User Monitoring with Guardium • Identify users within connection-pooling applications – uncover potential fraud – accurate audits of user access to sensitive tables • Supported enterprise applications – Oracle E-Business Suite, PeopleSoft, Business Objects Web Intelligence, JD Edwards, SAP, Siebel, in-house custom applications • Various methods used to capture the application user ID – collect the unique ID from the underlying database via table, trigger, etc. – monitor calls to procedures and fetch information from their parameters – an S-TAP probe on the application or proxy server grabs the user ID
    26. The Guardium Architecture
    27. Integration with LDAP, Kerberos, SNMP/SMTP, ArcSight, RSA SecurID & enVision, McAfee ePO, IBM TSM, Tivoli, Remedy, etc.
    28. Integration with Existing Infrastructure
    30. Integration with Existing Infrastructure • SNMP dashboards (HP OpenView, Tivoli, etc.) • Directory services (Active Directory, LDAP, etc.) • SIEM (ArcSight, enVision, Tivoli, etc.) • Change ticketing systems (Remedy, Peregrine, etc.) • Authentication (RSA SecurID, RADIUS, Kerberos) • Send alerts (CEF, CSV, syslog) • Vulnerability standards (CVE, STIG, CIS Benchmark) • Sensitive data (e.g. xxx-xx-xxxx), data leak & data classification • Software deployment (Tivoli, RPM, native distributions) • Long-term storage (EMC Centera, IBM TSM, FTP, SCP, etc.) • McAfee ePO • Application servers (Oracle EBS, SAP, Siebel, Cognos, PeopleSoft, WebSphere, etc.)
    31. Summary
    35. Guardium provides our customers with… • Real-time monitoring of all database access • Policy-based controls to rapidly detect unauthorized or suspicious activity • Automated compliance workflow to efficiently meet regulatory requirements • Centralized control and policy enforcement for most database and application environments – Informix, DB2, Oracle, SQL Server, z/OS, Sybase, etc. – SAP, Siebel, Oracle EBS, PeopleSoft, WebSphere, etc.
    36. Top Regulations Impacting Database Security
    37. Database Activity Monitoring (DAM) Supported Platforms
    38. How are most databases audited today? Reliance on native audit logs within the DBMS × Lacks visibility and granularity – privileged users are difficult to monitor – tracing the “real user” of an application is difficult – the level of audit detail is insufficient × Inefficient and costly – impacts database performance – cumbersome reporting, forensics and alerting – different methods for each DB type × No segregation of duties – DBAs manage the monitoring system – privileged users can bypass the system – the audit trail is unsecured
    39. What does Guardium monitor? • SQL errors and failed logins • DDL commands (Create/Drop/Alter tables) • SELECT queries • DML commands (Insert, Update, Delete) • DCL commands (Grant, Revoke) • Procedural languages • XML executed by the database • Returned result sets
    40. Full Cycle of Securing Critical Data Infrastructure – The Database Security Lifecycle • Discover & Classify – discover all databases, applications & clients – discover & classify sensitive data • Assess & Harden – vulnerability assessment – configuration assessment – behavioral assessment – baselining – configuration lock-down & change tracking – encryption • Monitor & Enforce – 100% visibility – policy-based actions – anomaly detection – real-time prevention – granular access controls • Audit & Report – centralized governance – compliance reporting – sign-off management – automated escalations – secure audit repository – data mining for forensics – long-term retention
    44. Four Sets of Roles • Privileged users • End users • Developers, system analysts and system administrators • IT operations
    45. Privileged Users • Special high-level privileges • Typically database administrators (DBAs), superusers and system administrators • Should always be subject to intense scrutiny from the security organization and from auditors • Potential problem activities – access to, deletion of, or changes to data – access using inappropriate or non-approved channels – schema modifications – unauthorized addition of user accounts or modification of existing accounts
    46. End Users • Individuals who have legitimate access to data through some type of application • Present serious risks for deliberate as well as unwitting misuse of that data • Potential problem behaviors – access to excessive amounts of data or data not needed for legitimate work – access to data outside standard working hours – access to data through inappropriate or non-approved channels
    47. Developers, System Analysts and System Administrators • These roles necessarily have extremely high levels of privilege and access – the potential for data breaches that compromise intellectual property or personal privacy • The ability to access or change systems that are in live production – poor performance – system crashes – security vulnerabilities • Potential problem activities – access to live production systems
    48. IT Operations • Have a significant impact on the proper functioning and management of enterprise databases • Their database-related activities should be audited in two key areas – unapproved changes to databases or applications that access the database – out-of-cycle patching of production systems
    49. Summary • Risks related to data privacy breaches have never been greater • Fine-grained monitoring of database access is the best way to protect data from being compromised • A unified and consistent approach across the database infrastructure will save time and money and increase security • Guardium continues to be the market leader because of comprehensive functionality and ease of implementation
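
Slide 39 lists what is monitored (failed logins, DDL, DML, DCL, SELECTs), slide 23 and the speaker note on Oracle EBS/PeopleSoft/SAP describe attributing pooled-connection statements to the real end user by watching procedure calls, and the notes stress that privileged access over the local console must be seen as well. The following is an added example, not Guardium's S-TAP or policy engine, that runs those four policy ideas over a constructed session capture. The `set_app_user` marker procedure, the account names, the sensitive-table list and the three-failure login threshold are assumptions made for the example.

```python
"""SQL activity monitoring over a captured session log.

Added example, not Guardium code: classifies each statement (DDL/DML/DCL/
SELECT), attributes statements issued through a pooled application account to
the real end user by watching calls to a hypothetical set_app_user procedure,
and raises alerts for privileged reads of sensitive tables, superuser access
over the local console, unapproved schema or privilege changes, and repeated
failed logins. All events are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

PRIVILEGED = {"sa", "sys", "system"}        # DB superusers
CHANGE_APPROVED = {"dba_jane"}               # accounts allowed to run DDL/DCL
SENSITIVE_TABLES = {"cards", "customers"}    # output of the classification step
FAILED_LOGIN_THRESHOLD = 3

DDL = {"CREATE", "DROP", "ALTER", "TRUNCATE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DCL = {"GRANT", "REVOKE"}
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_]\w*)", re.I)
# Hypothetical marker procedure the application calls after checking out a pooled connection.
APP_USER_RE = re.compile(r"^\s*EXEC\s+set_app_user\s+'([^']+)'", re.I)


def classify(sql: str) -> str:
    """Statement class from the leading verb; anything else is OTHER."""
    words = sql.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in DDL:
        return "DDL"
    if verb in DML:
        return "DML"
    if verb in DCL:
        return "DCL"
    return "SELECT" if verb == "SELECT" else "OTHER"


def tables(sql: str) -> set[str]:
    """Table names following FROM/JOIN/INTO/UPDATE/TABLE (good enough for policy matching)."""
    return {t.lower() for t in TABLE_RE.findall(sql)}


def analyze(events: list[dict]) -> tuple[list[tuple], list[dict]]:
    """Return (alerts, attributed records) for captured events in arrival order."""
    alerts: list[tuple] = []
    records: list[dict] = []
    app_user: dict[int, str] = {}              # session id -> end user from set_app_user
    failed: dict[str, int] = defaultdict(int)  # client -> failed login count
    for e in events:
        if e["status"] == "login_failed":
            failed[e["client"]] += 1
            if failed[e["client"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_logins", e["client"],
                               f"{FAILED_LOGIN_THRESHOLD} failed logins as {e['db_user']}"))
            continue
        m = APP_USER_RE.match(e["sql"])
        if m:  # remember who is behind the pooled account for the rest of the session
            app_user[e["session"]] = m.group(1)
            continue
        actor = app_user.get(e["session"], e["db_user"])
        kind = classify(e["sql"])
        sensitive = sorted(tables(e["sql"]) & SENSITIVE_TABLES)
        records.append({"session": e["session"], "actor": actor, "db_user": e["db_user"],
                        "kind": kind, "sensitive": sensitive})
        if kind in ("DDL", "DCL") and e["db_user"] not in CHANGE_APPROVED:
            alerts.append(("unapproved_change", actor, e["sql"]))
        if kind == "SELECT" and sensitive and e["db_user"] in PRIVILEGED:
            alerts.append(("privileged_sensitive_read", actor, ",".join(sensitive)))
        if e["channel"] == "local" and e["db_user"] in PRIVILEGED:
            alerts.append(("local_privileged_access", actor, e["client"]))
    return alerts, records


def ev(session, db_user, client, channel, sql, status="ok") -> dict:
    return {"session": session, "db_user": db_user, "client": client,
            "channel": channel, "sql": sql, "status": status}


# Constructed capture: a pooled app session, a superuser on the console, a developer
# granting himself access, an approved schema change, and a password-guessing client.
EVENTS = [
    ev(1, "appuser", "10.0.0.5", "tcp", "EXEC set_app_user 'alice'"),
    ev(1, "appuser", "10.0.0.5", "tcp", "SELECT name, card FROM cards WHERE id = 42"),
    ev(1, "appuser", "10.0.0.5", "tcp", "EXEC set_app_user 'bob'"),
    ev(1, "appuser", "10.0.0.5", "tcp", "UPDATE customers SET email = 'b@x' WHERE id = 7"),
    ev(2, "sa", "console", "local", "SELECT * FROM cards"),
    ev(3, "dev_tom", "10.0.0.9", "tcp", "GRANT SELECT ON cards TO dev_tom"),
    ev(4, "dba_jane", "10.0.0.9", "tcp", "ALTER TABLE cards ADD token varchar(32)"),
] + [ev(5, "sa", "10.0.0.77", "tcp", "", "login_failed") for _ in range(3)]

if __name__ == "__main__":
    found_alerts, found_records = analyze(EVENTS)
    for a in found_alerts:
        print("ALERT", a)
    for r in found_records:
        print(r)
```

Two things in the run are worth noting. The `channel == "local"` rule is the one a network-tap-only monitor cannot implement, because the console session never crosses a switch; and the attribution of session 1 changes from `alice` to `bob` mid-session, which is exactly the connection-pooling case where the DB login `appuser` alone tells the auditor nothing.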
