
Intelligent Data Protection at Scale

IBM Security Guardium Overview

© 2016 IBM Corporation


Data is challenging to secure

DYNAMIC: Data multiplies continuously and moves quickly
DISTRIBUTED: Data is everywhere, across applications and infrastructure
IN DEMAND: Users need to constantly access and share data to do their jobs



2014: 25% More Records Leaked Than 2013… Insane!

Source: IBM X-Force® Threat Intelligence Quarterly, 1Q 2015

$5.85M average cost of a U.S. data breach
$201 average cost per compromised U.S. record

Source: 2014 ‘Cost of Data Breach Study: Global Analysis’, Ponemon Institute



Who Are the Bad Guys?

38% Outsiders
31.5% Malicious insiders
23.5% Inadvertent actors

55% of attacks came from people who had insider access to an organization’s systems



Goal: Close the data exposure gap

92% of breaches are discovered by an external party

Guardium VA
Guardium for Applications
Guardium Encryption

Guardium Discovery
Guardium DAM

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038



Guardium uses intelligence and automation to safeguard data

ANALYZE: Automatically discover critical data and uncover risk
ADAPT: Seamlessly handle changes within your IT environment
PROTECT: Complete protection for sensitive data, including compliance automation



Guardium supports the whole data protection journey

Comprehensive data protection: Dynamic blocking, alerting, quarantine, encryption and integration with security intelligence
Sensitive data discovery: Perform vulnerability assessment, discovery and classification
Address data privacy: Find and address PII, determine who is reading data, leverage masking
Expand platform coverage: Big data platforms, file systems or other platforms also require monitoring, blocking, reporting
Acute compliance need: Database monitoring focused on changed data, automated reporting



Guardium Product Family



How we do it?
Discover Harden Monitor Protect

Scope: Data at Rest, Configuration, Data in Motion

Capabilities: Discovery/Classification, Masking/Encryption, Vulnerability Assessment, Entitlements Reporting, Activity Monitoring, Blocking/Quarantine, Dynamic Data Masking

Questions addressed:
• Where is the sensitive data?
• How to protect sensitive data?
• How to secure the repository?
• Who can access?
• What is actually happening?
• How to protect sensitive data to reduce risk?
• How to prevent unauthorized activities?



Guardium solutions for each step
Data Security solutions to protect structured and unstructured data

Capabilities: Discovery/Classification, Masking/Encryption, Vulnerability Assessment, Entitlements Reporting, Activity Monitoring, Blocking/Quarantine, Dynamic Data Masking
Phases: Discover, Harden, Monitor, Protect

“Base Product” Vulnerability Standard DAM Advanced DAM


DB and Data Discovery Assessment Data Activity Monitoring Blocking access
Data Classification Assessment reports Real-time alerts Masking sensitive data
Enterprise Integrator Data Protection Subscription App end-user identification Users Quarantine
Queries & Reports Configuration Changes Normalized audit creation
Threshold Alerts
Entitlement Reporting
Compliance reporting Data Redaction
Compliance Workflow Compliance workflow Redact sensitive documents
Group Management Federate large deployment
Security Integrations Data Encryption Central control
IT Integrations File-level encryption Central audit collection
Data Level Security Role-based access control
Incident Management File access auditing File Activity Monitoring
User/Roles Management Monitor/alert on file activity
HR Integrations
Portal Management Optim Data Masking
Self Monitoring Static masking
Data Export Options Semantic and format preserving
Data Imports Options

Packaged discovery, masking, and monitoring for Hadoop or Data Warehouses



Guardium helps support the most complex of IT environments
Examples of supported databases, Big Data environments, files, etc.

Applications Databases Data Warehouses Big Data Environments

CICS DB2 Netezza


Informix IMS PureData for
WebSphere
Analytics
DB2 BLU
Siebel
PeopleSoft
E-Business

Web Apps DB

Cloud Environments Enterprise


Database Tools Files
Content Managers

VSAM
z/OS Datasets FTP

Linux, Unix
Windows



Guardium Data Activity Monitoring



IBM Security Guardium – Data Security & Privacy
Protect all data against unauthorized access and enable organizations to comply
with government regulations and industry standards

1 Prevent data breaches
Prevent disclosure or leakages of sensitive data

2 Ensure data privacy
Prevent unauthorized changes to data

3 Reduce the cost of compliance
Automate and centralize controls across diverse regulations and heterogeneous environments

4 Identify Risk
Discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities

Deployment: On Premise, On Cloud
Data at Rest: Stored (Databases, File Servers, Big Data, Data Warehouses, Application Servers, Cloud/Virtual ..)
Data in Motion: Over Network (SQL, HTTP, SSH, FTP, email, …)
Data Repositories, Sensitive Documents



Transparent, non-invasive, real-time Data Activity Monitoring

Diagram labels: Application Servers; Data Servers (DB, Warehouses, Files, Big Data); Guardium host-based probes; Guardium Collector Appliance

• DISCOVER
• MONITOR
• PROTECT
• AUTOMATE

• Single Integrated Appliance
• Non-invasive/disruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for privileged access
• Auto discover sensitive resources and data
• Detect or block unauthorized & suspicious activity
• Granular, real-time policies and normalized audit: who, what, when, how

• 100% visibility including local privileged access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers, rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision



Scalable, multi-tier architecture
Diagram labels: Cloud Environments; IBM z/OS Mainframe; LOB, Marketing, Big Data, Analytics; Asia Pacific data centers; Europe data centers; Americas data centers; Guardium Collector (several); Guardium Central Manager and Aggregator; Integration with LDAP/AD, IAM, change management, SIEM, Archiving, etc.

• Central management: Policies pushed to collectors from central manager
• Central aggregation: Collectors aggregate data to central audit repository
• Unified solution for both distributed and IBM System z: Enterprise-wide compliance reporting, analytics and forensics
• Enforcement (S-GATE): Prevents privileged users from accessing sensitive information
• Heterogeneous data source support: Databases, Data Warehouses, Files, Big Data



Architecture Overview

Components: Database Client; Database Server (STAP); Guardium Collector (Sniffer)

• Client requests information from DB Server
• DB Server responds with appropriate information
• STAP makes a copy of information and sends it to the Guardium appliance
• Sniffer can send control signals to STAP
• Guardium Analysis Engine analyzes, parses, then logs appropriate data to the internal repository

Key Message
STAP is a lightweight agent/probe that copies information to the Guardium appliance, where all the heavy lifting is done.
Sniffer = heavy lifting



Security Policy

Identification: who, what, when, where, and how of each transaction


Who: database user, application user, OS user
What: database, field name, sensitive object
When: time period, working hours, after hours
Where: client IP, server IP
How: access, data extrusion, SQL/login exception
Action: Enforcement of rule
Logging
Alerting
Access Control
Ignore

Identification + Action = Security Rule → Fine-Grained Security Policy
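
The rule model on this slide (identification conditions plus an action), sketched as an added Python example; it is not IBM code and not Guardium policy syntax. The field names, users, networks, working hours and sample events are assumptions constructed for illustration, and the first-match rule ordering is a choice made for this sketch.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Conceptual model only: field names, rule names and sample events are
# constructed for illustration and are not Guardium policy syntax.
WORK_START, WORK_END = 8, 18  # assumed working hours (local time)

@dataclass(frozen=True)
class Event:
    db_user: str      # who
    obj: str          # what: table or sensitive object
    when: datetime    # when
    client_ip: str    # where
    kind: str         # how: "access", "extrusion", "sql_error", "login_failed"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "log", "alert", "access_control", "ignore"
    users: Optional[frozenset] = None     # None means "any"
    objects: Optional[frozenset] = None
    after_hours: bool = False
    client_nets: Optional[tuple] = None
    kinds: Optional[frozenset] = None
    def matches(self, ev: Event) -> bool:
        """Every condition that is set must hold (logical AND)."""
        if self.users is not None and ev.db_user not in self.users:
            return False
        if self.objects is not None and ev.obj not in self.objects:
            return False
        if self.after_hours and WORK_START <= ev.when.hour < WORK_END:
            return False
        if self.client_nets is not None and not any(
                ip_address(ev.client_ip) in ip_network(n) for n in self.client_nets):
            return False
        if self.kinds is not None and ev.kind not in self.kinds:
            return False
        return True

# Order matters: the "ignore" for the application account is tied to its source
# network, so the same credentials used from elsewhere fall through to an alert.
POLICY = [
    Rule("trusted-app", "ignore", users=frozenset({"app_svc"}),
         client_nets=("10.0.5.0/24",), kinds=frozenset({"access"})),
    Rule("app-account-off-network", "alert", users=frozenset({"app_svc"})),
    Rule("privileged-on-sensitive", "access_control",
         users=frozenset({"dba1"}), objects=frozenset({"CARDHOLDER"})),
    Rule("after-hours-sensitive", "alert",
         objects=frozenset({"CARDHOLDER"}), after_hours=True),
    Rule("login-exception", "alert", kinds=frozenset({"login_failed"})),
]

def evaluate(ev, policy=POLICY, default="log"):
    """Return (rule name, action) of the first matching rule, else the default."""
    hit = next((r for r in policy if r.matches(ev)), None)
    return (hit.name, hit.action) if hit else (None, default)

def sample(user, obj, hhmm, ip, kind="access"):
    """Build a constructed sample event on a fixed date."""
    return Event(user, obj, datetime(2015, 3, 2, *map(int, hhmm.split(":"))), ip, kind)

if __name__ == "__main__":
    for args in (("app_svc", "CARDHOLDER", "14:00", "10.0.5.7"),
                 ("app_svc", "CARDHOLDER", "14:05", "192.168.1.50"),
                 ("dba1", "CARDHOLDER", "14:10", "10.0.9.4"),
                 ("report_user", "CARDHOLDER", "23:30", "10.0.9.8")):
        print(args, "->", evaluate(sample(*args)))
```
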



Access Control

Session-based monitoring:
• Hold and check privileged user session activity (S-GATE/closed mode)
• Allow known application server session activity (S-TAP/open mode)

Monitoring and prevention of unauthorized access by privileged users

Diagram labels: Privileged User; Session Terminated



Protect Databases: What is Fine Grain Access Control?
“Query Rewrite”

Column-Level Masking (only dept#)

Row-Level Masking (only dept #20)

NEW! (v10) Dynamic Masking and Fine Grained Access Control for databases (DB2, MSSQL, Oracle)



Application End-User Identification

• Out-of-the-box support for major enterprise applications (Oracle EBS, SAP, Siebel, PeopleSoft, Business Objects, Cognos, …)
• Guard App API and custom procedure call monitoring for custom applications
• Deterministic not time-based best guess
• No change to applications

Identification of user and potential fraud in application transactions

Diagram label: Application User



Compliance Automation
Guided task flow to define an audit process
Automated scheduled tasks and reports distribution
Comments, review, sign-off
Advanced workflow process (multiple states and transitions)

Integration of compliance process and auditing role

Diagram label: Auditor



Quick Search:

Analyze to automatically discover sensitive data and uncover risks

• Automatically discover and classify sensitive data to expose compliance risks
• Analyze data usage patterns to uncover and remediate risks
• Understand who is accessing data, spot anomalies and stop data loss in real time

Quick Search for Enterprise
• Anomaly hours flagged red or yellow
• Click bubble for Outlier view
In-Context Actions

Guardium provides a convenient graphical interface for identifying and responding to outliers detected by the algorithm



Central Management & Enterprise Integration

Diagram labels: Aggregator & Central Manager; Finance; Human Resources; Sales; Remote Locations

Directory Services: LDAP, Active Directory
Security Event Management: SMTP, SNMP, Syslog
External Data Connector
Data Import (Integration with Change Management)
Data Export: CSV, XML, PDF
Archive/Backup: EMC Centera, Tivoli Storage Manager, NAS



Vulnerability Assessment



Managing vulnerabilities in repositories is also a big challenge

• Default Username and Password
• Unknown sensitive data
• Excessive Privilege
• Non supported product versions
• Default settings and misconfigurations
• Un-patched Databases

Implications
• Data breach
• Insider Theft
• Audit Fail
• Non Compliance



Leverage security industry best practice and benefits . . .

Enforce
• DoD STIG
• CIS
• CVE

Secure
• Privileges
• Configuration settings
• Security patches
• Password policies
• OS Level file permission

Established Baseline
User defined queries for custom tests to meet baseline for
• Organization
• Industry
• Application

• Ownership and access for your files

Forensics
• Advanced Forensics and Analytics using custom reports
• Understand your sensitive data risk and exposure

Zero Impact Performance



3 steps to easy deployment
Diagram labels: Guardium Vulnerability Assessment Appliance; Automated DB Scans; Review Reports

Data sources
• Oracle
• SQL Server
• DB2, DB2 z, DB2 i
• Sybase
• Teradata, Aster
• Informix, Netezza
• MySQL
• Postgres
• MongoDB, SAP HANA

Assessment Tests
• Privileges
• Authentication
• Configuration
• Patch levels

Web Browser Results
• Pass/Fail Statistics
• Criticality and recommended actions
• Filters and comparison
• History and trends
• Distribution/Compliance Workflow



Guardium: Vulnerability Assessment Report

Result History

Summary
Filters and
Outlining
Sort Controls
Results

Detailed Test Results
Detailed Descriptions of Fixes



File Activity Monitoring



Questions you should be able to answer about your data

Who has access to my repositories, folders, and documents?
Which documents contain sensitive data?
Who has been accessing the sensitive data?
Where is my sensitive data overexposed? How do I fix this?
Who is the likely data owner of a particular set of documents?
Who should have ownership of specific documents in my organization?
Who has unnecessarily permissive access to data?
Which documents are unused and possibly ready to archive?
Who deleted specific files?
How quickly can I provide access to auditable data?



Protect critical files and documents
• Understand your sensitive data exposure
• Get a full picture of ownership and access for your files
• Control access to critical files through blocking and alerting
• Gain visibility into all entitlements and activity through custom reports and advanced search

Diagram labels: Collector; Host-Based Probes (FS-TAP); Host-based Probes (S-TAP)

Guardium introduces new file activity monitoring to identify normal and abnormal behavior and drill into the details

NEW! File activity monitoring helps you manage access to your unstructured data containing critical and sensitive information. Provides complete visibility into activity by providing extensive compliance and audit capabilities.



File Activity Monitoring
Out of the box reports for Activity, Discovery, and Entitlements



Guardium Integration



Guardium enhances and differentiates most security solutions
Total Visibility: Product Portfolio, Services and Research

Consulting
System Integration
Security Services
Managed Services
Outsourcing
Strategic

Guardium Data Activity Monitoring
Guardium Vulnerability Assessment
Guardium Encryption and Privacy

Guardium & QRadar
Optimizing security while expanding monitoring scope for data sources
• Improve analytics performance by offloading data analysis
• Save on storage costs for duplicating data audit logs
• Save on network bandwidth for data audit logs
• Real-time analysis and preventive measures
• No need to turn audit logs on DB. Save on DB/App performance

Guardium: Normalized audit logs

Data sources shown: Database, File, Big Data, Data Warehouse, Application, Network Infrastructure, Network Security, Servers, Mainframe, Identity



Q&A
3 Key Take-Aways

IBM Security Guardium

• Provides a complete risk posture of data assets and helps automate compliance requirements
• Analyze, protect and adapt to all your data security challenges
• Built on a proven, enterprise-ready, easily scalable architecture



Guardium is THE Leader in the Data Protection Market
Market Leader: Analysts and market presence
Proven success: Successfully installed in the largest and most challenging environments in the world
Reliable: Both the technology and the company
Complete: All data platforms under one roof, easier to manage, faster to deploy
Scalable: Enterprise-ready, lower TCO and clear ROI (automation, integration and centralization)
Integrated:
- Seamlessly integrated with IT and processes.
- Out of the box integration with other security tools
- Integrated discovery, risk assessment, monitoring, blocking and masking with built-in compliance reporting and review workflow

Database Audit Wave: IBM #1 Leader - “InfoSphere Guardium offers support for almost any of the features one might find in an auditing and real-time protection solution.”
Data Masking MQ: IBM #1 Leader - “Most frequently referenced by customers.”



Client success stories

ANALYZE
A leading global bank uses Guardium to analyze and protect data in a dynamic environment using real-time monitoring of more than 5K heterogeneous data sources, including Big Data sources, without affecting the performance of critical apps.

PROTECT
An auto manufacturer uses Guardium to analyze and protect data by monitoring and auditing 500 production databases. They have increased security, while reducing staff security requirements from 10 FTEs to 1 FTE.

ADAPT
An insurance company deployed IBM Security Guardium across 130 databases in just 3 weeks. They can now get compliance reports for PCI, SOX, and HIPAA in just a few moments.



Learn more about IBM Security

TOP 3 enterprise security software vendor in total revenue
20 industry analyst reports rank IBM Security as a LEADER
133 countries where IBM delivers managed security services
10K clients protected including…
24 of the top 33 banks in Japan, North America, and Australia

Visit our website: ibm.com/guardium
Watch our videos: https://ibm.biz/youtubeguardium
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity



Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Legal notices and disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
