1. © 2015 IBM Corporation
Bridging the Gap Between Your
Security Defenses and Critical Data
The Benefits and Synergies of Guardium and QRadar
Sally E. Fabian
Security Technical Specialist – Data Security
IBM Security BU
Jose Bravo
NA Security Architect
IBM Security BU
2. 2 © 2015 IBM Corporation
Agenda
IT and Security trends
Guardium and QRadar working together to
detect and prevent data breaches
3. 3 © 2015 IBM Corporation
Sensitive data is at risk
70% of organizations surveyed use live customer data in non-production environments (testing, Q/A, development)
Source: Database Trends and Applications. Ensuring Protection for Sensitive Test Data; The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis
52% of surveyed organizations outsource development
50% of organizations surveyed have no way of knowing if data used in test was compromised
Source: The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis
$188 per record cost of a data breach
Source: The Ponemon Institute. 2013 Cost of Data Breach Study
$5.4M average cost of a data breach
Source: The Ponemon Institute. 2013 Cost of Data Breach Study
4. 4 © 2015 IBM Corporation
Key Inputs: Ponemon Report 2014
Reference: http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
“How do you calculate the cost of data breach? To calculate the average cost of data breach, we collect both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.”
5. 5 © 2015 IBM Corporation
Market Overview
Minutes To Compromise, Months To Discover & Remediate
Time span of events by percent of breaches (figure)
Guardium Discovery
Guardium DAM
Guardium VA
Guardium DAM Adv. (block/mask)
Guardium Encryption
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
6. 6 © 2015 IBM Corporation
Frequency of Attempted Security Attacks (figure)
Background of Respondents
47% work within companies with more than 1,000 employees
63% report to CIO, CTO or IT Leader
7. 7 © 2015 IBM Corporation
Security Observations continued…
“While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection. What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives.”
- 2012 X-Force Report
- http://www-03.ibm.com/security/xforce/downloads.html
“Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this “lack of security basics” by using a model of operational sophistication that allows them to increase their return on exploit. The idea that even basic security hygiene is not upheld in organizations leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals.”
- 2013 X-Force Report
8. 8 © 2015 IBM Corporation
Most Organizations Have Weak Controls
Key findings:
94% of breaches involved database servers
85% of victims were unaware of the compromise for weeks to months.
97% of data breaches were avoidable through simple or intermediate controls.
98% of data breaches stemmed from external agents
92% of victims were notified by 3rd parties of the breach.
96% of victims were not PCI DSS-compliant at the time of the breach.
Source: 2012 Verizon Data Breach Investigations Report
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Where is the new data store?
9. 9 © 2015 IBM Corporation
You need to understand the data in order to protect it
Our philosophy: DATA, seen from four sides
Value: Is it used? How often? By whom?
Risk: Sensitivity, Exposure, Volumes
Lifecycle: Production, Test/Dev, Archive, Analysis
Relevance: How old is it? Is it still being used? Who owns the data?
10. 10 © 2015 IBM Corporation
Data Security 101
Need to understand the data in order to protect it
Axes: Value (for the business) vs. Risk (to the business)
Above the line: high value data with low (or at least acceptable) risk levels
Below the line: risk levels are too high given the business value of the data
Low Value, High Risk: dormant table with sensitive data
Low Value, Low Risk: temp table with no sensitive data
High Value, High Risk: table with sensitive data that is used often by a business application
High Value, Low Risk: table with no sensitive data that is used often by an important business application
11. 11 © 2015 IBM Corporation
Understanding the Data – Value vs. Risk
The Goal: Reduce the risk and get all data elements above the ‘risk’ line
How? 1. Determine the VALUE 2. Determine the RISK 3. Reduce the RISK
Discover the DATA
Understand the VALUE (value to the business)
- Business Glossary: insights on how data is used by the business
- Activity Monitoring: How often? What data?
- Integrations: Who uses the data?
Determine the RISK
- Discovery & Classification: What data is out there? How sensitive is it?
- Activity Monitoring: How exposed is the data? What data is being extracted?
- Vulnerability Assessment: How secure is the repository? Is it fully patched? Best practice configuration?
Reduce the RISK
- Activity Monitoring: Alert/Block suspicious activities; Prevent unauthorized access to data; Report and Review all data activities
- Vulnerability Assessment: Assessments & Remediation Steps; Configuration “lock down”; Purge dormant data
- Encryption: Encrypt data at rest
12. 12 © 2015 IBM Corporation
Perimeter Security is Not Enough
Dynamic Data
(in use)
Static Data
(at rest)
13. 13 © 2015 IBM Corporation
Guardium
1. Reduce risk & prevent data breaches
– Mitigate external and internal threats
2. Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce the cost of compliance
– Automate and centralize controls while simplifying audit review processes
4. Enable businesses to take advantage of new technologies
– Cloud, mobile & Big Data are changing the dynamics in the market today
14. 14 © 2015 IBM Corporation
Guardium – Monitor, Mask, & Encrypt Information
3 Layers of Defense with 1 Solution
#1 Database & File Level Encryption (Database Server Layer: DATABASE, WAREHOUSE, BIG DATA, FILE SHARES)
- Access & Privileged User Controls
- Unified Encryption Policies
- Enterprise Key Management
- Central Administration
#2 Data Monitoring & Protection (DB’s, Big Data, & File Shares)
- Data Monitoring & Alerting
- Sensitive Data Discovery & Masking
- Compliance Controls & Workflows
- Blocking Unauthorized Access to Data
#3 Application Dynamic Data Masking (Browser / Glass)
- Protect Mobile Browser Sensitive Data
- Dynamic Data Masking for Apps
- Data Privacy
15. 15 © 2015 IBM Corporation
How do we do it?
Discover: Where is the sensitive data? – Discovery, Classification
Harden: How to secure the repository? Who should have access? – Assessment, Identity & Access Management, Security Policies, Dormant Entitlements, Dormant Data
Monitor: What is actually happening? – Activity Monitoring
Block: How to prevent unauthorized activities? – Blocking, Quarantine
Mask: How to protect sensitive data to reduce risk? – Masking, Encryption
Outcomes: Compliance Reporting & Security Alerts; Data Protection & Enforcement
16. 16 © 2015 IBM Corporation
Guardium Database Activity Monitoring Overview
Components: Database Client, Database Server with STAP agent, Guardium Collector (Sniffer)
1. Client requests information from DB Server
2. DB Server responds with appropriate information
3. STAP makes a copy of information and sends it to the Guardium appliance
4. Guardium Analysis Engine analyzes, parses, then logs appropriate data to the internal repository
5. Sniffer can send control signals to STAP
- No changes to the database or application environment
- Low overhead on the server
- Ensures separation of duties
- Intercept and copy SQL events to the appliance, where all the processing occurs
- Store audit/log information off server so it cannot be erased or tampered with
- Granular real time alerting/blocking/masking
- Agent is required to monitor privileged users (local connections: shared memory, Named Pipes, Bequeath)
QRadar
SIEM
17. 17 © 2015 IBM Corporation
Addressing key stakeholders
SECURITY
OPERATIONS
Real-time policies
Secure audit trail
Data mining and
forensics
Separation of duties
Best practices reports
Automated controls
Minimal impact
Change management
Performance optimization
100% Visibility and Unified View
18. 18 © 2015 IBM Corporation
The Compliance Mandate – What do you need to monitor?
Audit Requirements: PCI DSS, COBIT (SOX), ISO 27002, Data Privacy & Protection Laws, NIST SP 800-53 (FISMA)
1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
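The five monitoring categories above, together with the failed-login and DDL checks shown on the later report slides, as an added Python example that is not IBM's or the deck's own code: it tags constructed audit records with those categories and raises the kind of real-time policy violation that the integration forwards to QRadar. The record layout, the sensitive-table list, the DBA list and the failed-login threshold are assumptions.

```python
import re
from collections import Counter, namedtuple
Record = namedtuple("Record", "user client_ip statement ok")
SAMPLE = [  # constructed sample audit records, not real Guardium output; "LOGIN" with ok=False is a failed login
    Record("app_svc", "10.0.0.5", "SELECT ssn, name FROM customers WHERE id = 42", True),
    Record("jdoe", "10.0.0.9", "SELECT * FROM payroll", False),
    Record("dba1", "10.0.0.7", "ALTER TABLE payroll ADD COLUMN bonus INT", True),
    Record("app_svc", "10.0.0.5", "UPDATE customers SET email = 'a@b.example' WHERE id = 42", True),
    Record("jdoe", "10.0.0.9", "GRANT SELECT ON payroll TO jdoe", False),
    Record("jdoe", "10.0.0.9", "LOGIN", False),
    Record("jdoe", "10.0.0.9", "LOGIN", False),
    Record("report", "10.0.0.8", "SELECT count(*) FROM tmp_stats", True),
]
SENSITIVE_TABLES = {"customers", "payroll"}  # assumed result of discovery & classification
DDL, DML, DCL = {"CREATE", "DROP", "ALTER"}, {"INSERT", "UPDATE", "DELETE"}, {"GRANT", "REVOKE"}
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_]\w*)", re.I)

def classify(rec):
    """Tag one record with the five monitoring categories of the compliance mandate."""
    tags = set()
    verb = rec.statement.split()[0].upper()
    if not rec.ok:                      # 4. security exceptions: failed logins and SQL errors
        tags.add("4-security-exception")
    if verb == "LOGIN":
        return tags
    tables = {t.lower() for t in TABLE_REF.findall(rec.statement)}
    if verb == "SELECT" and tables & SENSITIVE_TABLES:  # 1. successful or failed SELECTs
        tags.add("1-sensitive-access")
    elif verb in DDL:
        tags.add("2-ddl")
    elif verb in DML:
        tags.add("3-dml")
    elif verb in DCL:
        tags.add("5-dcl")
    return tags

def category_counts(records):
    """Audit volume per category, the raw material for the distribution reports."""
    return Counter(tag for rec in records for tag in classify(rec))

def policy_violations(records, dba_users=("dba1",), failed_login_threshold=2):
    """Assumed real-time policy: DDL/DCL only from DBAs, and a cap on failed logins per user."""
    violations = []
    for rec in records:
        if classify(rec) & {"2-ddl", "5-dcl"} and rec.user not in dba_users:
            violations.append((rec.user, rec.client_ip, "DDL/DCL by non-DBA: " + rec.statement))
    failed = Counter(r.user for r in records if not r.ok and r.statement.upper() == "LOGIN")
    for user, n in failed.items():
        if n >= failed_login_threshold:
            violations.append((user, None, f"{n} failed logins"))
    return violations
```

A failed SELECT on a sensitive table lands in both category 1 and category 4, which is why the tags are a set rather than a single label.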
19. 19 © 2015 IBM Corporation
Who are the active users accessing SOX information?
Plan and Organize
Looks a little high
20. 20 © 2015 IBM Corporation
Assess Risk – Failed User Login Attempts
Looks a little high
21. 21 © 2015 IBM Corporation
Investigate and Disclose – DDL Distribution
22. 22 © 2015 IBM Corporation
Alert and Investigate – Policy Violation Report
23. 23 © 2015 IBM Corporation
Assess and Harden
24. 24 © 2015 IBM Corporation
Compliance Reports
25. 25 © 2015 IBM Corporation
Guardium & QRadar Integration – Real Time Policy Integration
Demo: http://youtu.be/dPkYuPKunWs
26. 26 © 2015 IBM Corporation
Summary
Protect sensitive information with Guardium Database Activity Monitoring and Vulnerability Assessment
Use QRadar to monitor the enterprise and correlate security events to one pane of glass
Benefit: Guardium Real Time Policy violations are forwarded to QRadar, providing actionable insights to reduce security risks at all layers
Use Guardium as the “system of record” for Database Security and Audit Events, increasing compliance across the enterprise
28. 28 © 2015 IBM Corporation
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use
or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY