
Luis Casco-Arias - Product Manager
Steven Keim - Client Technical Professional

5 June 2013

IBM InfoSphere Guardium Tech Talk:
How to close your Security Gaps with QRadar/Guardium Integration

Information Management
2013 IBM Corporation


Information Management InfoSphere Guardium

Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the speaker's discretion.
If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions, we'll go through the existing questions in the chat.

2 June 5, 2013 IBM InfoSphere Guardium Tech Talk 2013 IBM Corporation

Reminder: Guardium Tech Talks

Next tech talk: Planning an InfoSphere Guardium Deployment
Speakers: Boak Barkai and Yosef Rosenblit
Date & Time: Thursday, June 20, 2013, 11:30 AM Eastern
Register here: http://bit.ly/Yf2TwY

A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.


Agenda

Understanding new dynamics in protecting the enterprise


A comprehensive approach to security and compliance
Two key components: SIEM and Data Security
Value of the integrated QRadar SIEM and InfoSphere Guardium solution
Demo: Anatomy of an Attack and how to detect and prevent breaches
Q&A

* Please feel free to pose questions in the chat room during the presentation


Enterprise security dynamics are changing rapidly

Four drivers: consumerization of IT, everything is everywhere, attack sophistication, data explosion.

Extending the perimeter shifts the protection focus to data
Moving from traditional perimeter-based security (antivirus, IPS, firewall) to a logical-perimeter approach to security, focusing on the data and where it resides.

Cloud, mobile and data momentum is breaking down the traditional perimeter and forcing us to look at security differently.
The focus needs to shift from the perimeter to the data that needs to be protected.
The IBM Security Framework offers enterprises a roadmap to address all key security and compliance foundational controls

(Slide diagram: the framework's security domains, tied together under the heading "Integration".)


QRadar is Security Intelligence

QRadar provides a single unified view and real-time analytics to rapidly identify and correlate targeted attacks for rapid remediation or prevention.

Extensive data sources:
Security devices
Servers and hosts
Network and virtual activity
Database activity
Application activity
Configuration info
Vulnerability info
User activity

Deep intelligence:
Event correlation
Offense identification
Activity baselining and anomaly detection

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight



Security Intelligence: QRadar provides security visibility

(Slide screenshots: IBM X-Force Threat Information Center with IP reputation; real-time security overview and correlation; identity and user context; inbound security events; real-time network visualization and application statistics.)

IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance

Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
Data protection compliance automation

(Architecture: host-based probes (S-TAPs) on the data repositories (databases, warehouses, file shares, Big Data) feed a collector appliance.)

Key Characteristics
Single integrated appliance
Non-invasive, non-disruptive, cross-platform architecture
Dynamically scalable
SOD enforcement for DBA access
No environment changes
Auto-discover sensitive resources and data
Detect or block unauthorized and suspicious activity
Granular, real-time policies: who, what, when, how
100% visibility including local DBA access
Minimal performance impact
Does not rely on resident logs that can easily be erased by attackers or rogue insiders
Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
Growing integration with broader security and compliance management vision



Addressing the full data security and compliance lifecycle

Top 5 use cases:
1. Tracking and alerting on privileged user activity
2. Ensuring data integrity and simplifying SOX compliance
3. Boosting efficiency and effectiveness of database security and auditing
4. Strengthening PCI-DSS compliance
5. Automated discovery of sensitive data and vulnerability assessments
Sophisticated attacks require sophisticated defense, but ultimately, sensitive data should be protected with a layered approach.

(Slide diagram: users (customers, business partners, employees, contractors) and a hacker coming from rogue sources reach the web servers in the DMZ, then the application servers and data servers on the intranet; privileged users (DBAs, developers) access the data servers directly. The network layer faces DoS, user spoofing, port scanning and pattern-based attacks, covered by IDS/IPS and QRadar; the web and application layer faces cross-site scripting, known vulnerabilities, parameter tampering, cookie poisoning and SQL injection; the data servers holding sensitive data face unauthorized access and suspicious activity, covered by Guardium.)



InfoSphere Guardium integrates with QRadar to add data security insights to your security intelligence

In-depth data activity monitoring and security insights from InfoSphere Guardium (databases, data warehouses, Hadoop/NoSQL, Big Data environments, file shares, applications) join QRadar's existing sources (security devices, servers and hosts, network and virtual activity, database activity, application activity, configuration info, vulnerability info, user activity) and feed its event correlation, offense identification, and activity baselining and anomaly detection. Guardium also contributes specific vulnerability assessment for the database infrastructure.

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

Integration points:
Send real-time data activity security alerts from Guardium to QRadar in LEEF format
Send data activity audit reports (syslog) from Guardium to QRadar (Q1) to enhance analytics
Share database vulnerability findings (CVE) between Guardium and QRadar in AXIS or SCAP format



Typical home-grown solutions are costly and ineffective

(Slide diagram: native database logging is enabled on each database; Perl/UNIX scripts or C++ programs scrape and parse the data and move it to a central repository; reports are created and reviewed manually; remediation is dispatched and tracked manually.)

Significant labor cost to review data and maintain the process
High performance impact on the DBMS from native logging
Not real time
Does not meet auditor requirements for separation of duties
Audit trail is not secure
Inconsistent policies enterprise-wide



From the start, Guardium can save QRadar implementations on operational costs while expanding monitoring scope

Improve analytics performance by offloading data analysis
Save on storage costs for duplicating data audit logs
Save on network bandwidth for data audit logs
Real-time analysis and preventive measures

(Slide diagram: Guardium fronts the data-focused sources (file shares, Big Data, data warehouses, databases, applications) while QRadar collects directly from infrastructure, network, security, server, mainframe and user-focused log sources.)



InfoSphere Guardium complements QRadar Security Intelligence in the most challenging use cases

QRadar target use case, followed by the InfoSphere Guardium complementary capabilities:

Complex threat detection:
Alert on sensitive data access without affecting performance
Identify DB infrastructure vulnerability level for asset classification
Block and alert on suspicious data access

Malicious activity identification:
Monitor all traffic to/from data repositories, including content and metadata
Identify anomalous behavior from end-users, privileged users, system IDs
Prevent malicious access to sensitive data

User activity monitoring:
Monitor privileged and regular end-user data access activity in real time
Create policies that granularly restrict access
Alert on suspicious behavior

Compliance monitoring:
Centralized and normalized granular audit of all data activities without impact to resources
Automation of the audit report review process
Report templates for major regulations

Fraud detection and data loss prevention:
Direct visibility into data traffic (metadata and content)
Policies for detection of fraudulent data access activity
Blocking and quarantining of users with suspicious data access patterns

Network and asset discovery:
Automatically discover all databases, sensitive data, and its entitlements
Classify data for policy enforcement and alert on findings
Identify vulnerability posture for database infrastructure



QRadar collects real-time alerts from InfoSphere Guardium

Any inbound or outbound data traffic is monitored and immediate alerts can be sent when a data access policy is violated. Real-time log data from data activity can be correlated with other activity in context to identify and prevent attacks.

Common real-time data activity security events include:
Failed logins
Unauthorized or abnormal access
SQL error codes resulting from SQL injection attempts
Users trying to escalate privileges
Creation of triggers and views to access sensitive data
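As an added example (not code from the tech talk or from the Guardium or QRadar products), the Python below does what the QRadar side of this slide describes: it parses the LEEF alerts Guardium forwards and correlates them into offenses for the event types listed above (a burst of failed logins, a run of SQL error codes typical of injection probing, a privilege grant, DDL on a sensitive object), then rolls the offenses up per source so one host walking through several stages stands out. The LEEF 1.0 header layout (LEEF:1.0|Vendor|Product|Version|EventID| followed by tab-separated key=value attributes) and the predefined attribute keys devTime, src, dst and usrName are the published format; the event IDs, the other attribute names (errCode, sql, verb, objectName, dbName), the sensitive-object list, the error-code list, the thresholds and the sample records are assumptions constructed for this example, not Guardium's actual field names or output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated key=value attributes>
LEEF10 = re.compile(
    r"^LEEF:1\.0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)

# Constructed sample alerts (assumed event IDs and attribute names, not captured from a real appliance).
# devTime/src/dst/usrName are LEEF predefined keys; errCode, sql, verb, objectName, dbName are assumed.
SAMPLE_ALERTS = [
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=Jun 05 2013 11:02:01\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\tdbName=CRM",
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=Jun 05 2013 11:02:05\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\tdbName=CRM",
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=Jun 05 2013 11:02:09\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\tdbName=CRM",
    "LEEF:1.0|IBM|Guardium|9.0|FailedLogin|devTime=Jun 05 2013 11:03:00\tsrc=10.10.9.77\tdst=10.10.9.20\tusrName=sa\tdbName=CRM",
    "LEEF:1.0|IBM|Guardium|9.0|SQLError|devTime=Jun 05 2013 11:05:10\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\terrCode=ORA-01756\tsql=SELECT * FROM CUSTOMERS WHERE id='1''",
    "LEEF:1.0|IBM|Guardium|9.0|SQLError|devTime=Jun 05 2013 11:05:11\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\terrCode=ORA-00933\tsql=SELECT * FROM CUSTOMERS WHERE id=1 UNION SELECT",
    "LEEF:1.0|IBM|Guardium|9.0|SQLError|devTime=Jun 05 2013 11:05:12\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\terrCode=ORA-00907\tsql=SELECT * FROM CUSTOMERS WHERE id=1) UNION SELECT 1,2--",
    "LEEF:1.0|IBM|Guardium|9.0|PrivilegeEscalation|devTime=Jun 05 2013 11:07:30\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\tsql=GRANT DBA TO APPUSER",
    "LEEF:1.0|IBM|Guardium|9.0|ObjectCreate|devTime=Jun 05 2013 11:08:00\tsrc=10.10.9.51\tdst=10.10.9.20\tusrName=appuser\tverb=CREATE TRIGGER\tobjectName=CARDHOLDER_DATA",
    "LEEF:1.0|IBM|Guardium|9.0|ObjectCreate|devTime=Jun 05 2013 11:09:00\tsrc=10.10.9.30\tdst=10.10.9.20\tusrName=dbadmin\tverb=CREATE VIEW\tobjectName=ORDERS",
]

SENSITIVE_OBJECTS = {"CUSTOMERS", "CARDHOLDER_DATA"}  # assumed output of a classification run
# Syntax/quoting errors that pile up while someone probes for injection (assumed list).
PROBE_ERRORS = {"ORA-01756", "ORA-00933", "ORA-00907", "42601"}


def parse_leef(line):
    """Split one LEEF 1.0 record into header fields plus an attribute dict."""
    m = LEEF10.match(line)
    if not m:
        raise ValueError("not a LEEF 1.0 record: %r" % line)
    rec = m.groupdict()
    attrs = {}
    for field in rec.pop("attrs").split("\t"):
        key, sep, value = field.partition("=")  # first '=' only; SQL text may contain more
        if sep:
            attrs[key] = value
    rec["attrs"] = attrs
    rec["time"] = datetime.strptime(attrs["devTime"], "%b %d %Y %H:%M:%S")
    return rec


def _hits_in_window(bucket, now, window):
    """Record an event time and return how many events in this bucket fall inside the window."""
    bucket.append(now)
    bucket[:] = [t for t in bucket if now - t <= window]
    return len(bucket)


def correlate(lines, window=timedelta(seconds=60), threshold=3):
    """Turn raw Guardium alerts into offense records; rate rules fire once, when the threshold is reached."""
    events = sorted((parse_leef(l) for l in lines), key=lambda e: e["time"])
    failed_logins, probe_errors, offenses = defaultdict(list), defaultdict(list), []
    for ev in events:
        a, kind, now = ev["attrs"], ev["event_id"], ev["time"]
        src = a.get("src", "unknown")
        if kind == "FailedLogin":
            if _hits_in_window(failed_logins[src], now, window) == threshold:
                offenses.append({"type": "brute_force", "src": src, "time": now, "user": a.get("usrName")})
        elif kind == "SQLError" and a.get("errCode") in PROBE_ERRORS:
            if _hits_in_window(probe_errors[src], now, window) == threshold:
                offenses.append({"type": "sql_injection_probe", "src": src, "time": now, "sql": a.get("sql")})
        elif kind == "PrivilegeEscalation":
            offenses.append({"type": "privilege_escalation", "src": src, "time": now, "sql": a.get("sql")})
        elif kind == "ObjectCreate" and a.get("objectName", "").upper() in SENSITIVE_OBJECTS:
            offenses.append({"type": "sensitive_object_ddl", "src": src, "time": now,
                             "verb": a.get("verb"), "object": a.get("objectName")})
    return offenses


def offenses_by_source(offenses):
    """Roll offenses up per source IP so one host working through several stages stands out."""
    return Counter(o["src"] for o in offenses)


if __name__ == "__main__":
    found = correlate(SAMPLE_ALERTS)
    for o in found:
        print(o["time"].strftime("%H:%M:%S"), o["src"], o["type"])
    print(offenses_by_source(found))
```

Run on the constructed alerts, the single failed login from 10.10.9.77 and the view created on a non-sensitive table by 10.10.9.30 produce nothing, while 10.10.9.51 accumulates four offenses in seven minutes; that per-source count is the signal a SIEM rule would escalate, and it is only available because the data-tier events arrive with source, user and SQL text attached.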



Forensic drill-downs on each InfoSphere Guardium event

(Slide screenshot of the QRadar event detail view for a Guardium event.)

Expanding audit information collection for QRadar SIEM

Challenge
Integrate database and data source audit information with SIEM forensics
Formatting information from heterogeneous data sources is tedious and requires expertise

Solution
Leverage Guardium's unintrusive audit log collection for several data sources to feed QRadar with normalized audit logs

Guardium side:
Send custom reports via syslog to QRadar SIEM with extra data to match the SIEM format
Custom audit reports have richer context than native audit logs

QRadar SIEM side:
Ensure the correct format is mapped through a template

(Slide diagram: audit logs from file shares, Big Data, data warehouses, databases and other sources flow into Guardium, which forwards normalized audit reports over syslog to QRadar.)

Discover and Classify Sensitive Data in Databases

Discover database instances on the network
Catalog search: search the database catalog for table or column names
  Example: search for tables where the column name is like %card%
Search by permission: search for the types of access that have been granted to users or roles
Search for data: match specific values or patterns in the data
  Example: search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card formats)
Search for unstructured data: match specific values or patterns in an unstructured data file (CSV, text, HTTP, HTTPS, Samba)
Classify data: put data in actionable groups, automatically or manually


Example: Find, Classify, and Report on Cardholder Data

(Slide screenshot: Guardium agentless network scan of 10.10.9.*, followed by the classification and report steps.)
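As an added example (not code from the tech talk and not Guardium's own implementation), the Python below walks the find-and-classify steps from the two slides above against an in-memory SQLite database standing in for a discovered instance: a catalog search for columns whose name is like %card%, a content search that matches a card-number pattern and keeps only values that pass the Luhn check, and a classification that labels tables from either kind of evidence. The schema, rows, the regular expression used in place of the guardium://CREDIT_CARD built-in and the label names are all assumptions constructed for this example.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed stand-in for a discovered database instance (schema and rows invented for this example).
SCHEMA = """
CREATE TABLE customers (id INTEGER, name TEXT, card_number TEXT, email TEXT);
CREATE TABLE orders (id INTEGER, customer_id INTEGER, notes TEXT);
CREATE TABLE inventory (sku TEXT, qty INTEGER);
"""
ROWS = {
    "customers": [(1, "A. Smith", "4111111111111111", "a@example.com"),
                  (2, "B. Jones", "5500 0000 0000 0004", "b@example.com")],
    "orders": [(1, 1, "pay with 378282246310005 please"),
               (2, 2, "deliver after 5pm"),
               (3, 1, "ref 1234567890123456")],  # 16 digits but fails Luhn: not a card number
    "inventory": [("SKU-1", 10)],
}

# Stand-in for the guardium://CREDIT_CARD built-in: 13 to 19 digits with optional space or dash separators.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, placeholders), rows)
    return conn


def _tables(conn):
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def catalog_search(conn, column_pattern):
    """Catalog search: (table, column) pairs whose column name matches a SQL LIKE pattern such as %card%."""
    hits = []
    for table in _tables(conn):
        for col in conn.execute('PRAGMA table_info("%s")' % table):
            name = col[1]
            if conn.execute("SELECT ? LIKE ?", (name, column_pattern)).fetchone()[0]:
                hits.append((table, name))
    return hits


def luhn_ok(digits):
    """Luhn checksum; weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def data_search(conn, pattern=CARD_RE):
    """Content search: scan every TEXT column for pattern matches that pass Luhn; report values masked to the last 4."""
    findings = []
    for table in _tables(conn):
        text_cols = [c[1] for c in conn.execute('PRAGMA table_info("%s")' % table) if c[2].upper() == "TEXT"]
        for col in text_cols:
            for (value,) in conn.execute('SELECT "%s" FROM "%s"' % (col, table)):
                for m in pattern.finditer(value or ""):
                    digits = re.sub(r"\D", "", m.group(0))
                    if luhn_ok(digits):
                        findings.append((table, col, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def classify(conn, column_pattern="%card%"):
    """Put tables into actionable groups from both catalog evidence and content evidence."""
    labels = defaultdict(set)
    for table, _ in catalog_search(conn, column_pattern):
        labels[table].add("PCI:cardholder-data (catalog)")
    for table, _, _ in data_search(conn):
        labels[table].add("PCI:cardholder-data (content)")
    return dict(labels)


if __name__ == "__main__":
    db = build_sample_db()
    print("catalog hits:", catalog_search(db, "%card%"))
    print("content hits:", data_search(db))
    print("classification:", classify(db))
```

The two searches are deliberately complementary: the catalog search finds customers.card_number by name alone, while the content search is what catches the card number someone typed into orders.notes, a column no naming convention would flag. The Luhn check is what keeps the 16-digit order reference out of the findings, and the report masks every value to its last four digits so the classification output does not itself become a cardholder-data store.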



Guardium: Vulnerability Assessment Results

(Slide screenshot: overall score; historical progress or regression; detailed scoring matrix; filter control for easy use.)

Providing actionable insights from database infrastructure risk posture

Guardium runs comprehensive vulnerability tests against the database infrastructure:
1. Database settings
2. Operating system
3. Observed behavior
Guardium sends the vulnerability results (failed CVE lists) to a staging server via SCP
QRadar uploads the AXIS or SCAP schema from the staging server
QRadar leverages the risk information in asset reports and policies

Vulnerability Assessment Scan Tests
DB tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL): permissions, roles, configurations, versions, custom tests
OS tier (Windows, Solaris, AIX, HP-UX, Linux): configuration files, environment variables, registry settings, custom tests
(Slide diagram: the DB-tier tests, OS-tier tests and observed database user activity feed the assessment; results are exported to QRadar in AXIS or SCAP.)


Summary
It's increasingly critical to secure high-value data and validate compliance.

QRadar SIEM offers unparalleled visibility and security intelligence against threats across all IT resources.

InfoSphere Guardium complements QRadar security intelligence with real-time actionable insights into data activity, which is not possible with traditional data audit log analysis.

InfoSphere Guardium is a leadership solution for data security and compliance, offering:
Scalable, non-disruptive enterprise architecture
Broad heterogeneous data source support
Complete visibility and granular control
Deep automation to reduce workload and total cost of operations



Information, training, and community

InfoSphere Guardium YouTube Channel includes overviews and technical demos
InfoSphere Guardium newsletter
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
Guardium Info Center (installation, System z S-TAPs and some how-tos, more to come)
Technical training courses (classroom and self-paced)

New! InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested.

Thank you (slide shown in Polish, Traditional Chinese, Thai, Spanish, French, Russian, Arabic, Brazilian Portuguese, German, Swedish, Simplified Chinese, Japanese and Italian)

(Appendix slide 30 repeats the "IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance" overview from earlier in the deck; its footer is dated April 11, 2013.)