
Managing Business Risks

Protecting Critical Data with IBM Data Risk Manager


Data Risk Manager: An Integrated Platform for Business Data Risk

Critical Data
Discover critical data (GDPR/PII, PCI, HIPAA, crown jewels M&A etc.)

Business Context
Business processes, lines of business, applications, data owners, data locations

Controls and Monitoring
Security and Governance Controls - Guardium Data Activity Monitoring, Symantec DLP, QRadar, AppScan (future plan)

Threats and Vulnerabilities
Discover vulnerabilities and threats from security products

Remediation
Address alerts and vulnerabilities, and define action plans

RISK INDEX: Low, Moderate, High

2 IBM Security
Having the conversation at the right level about … Business Risk Management

Enterprise Risk
Chief Risk Officer (CRO)
MARKET RISK, CREDIT RISK, COMPLIANCE RISK, OPERATIONAL RISK, BUSINESS RISK

Collaborative effort
• Business units and areas managing valuable assets
• Business leaders and IT teams that manage such assets

Outcomes
• Mitigate any potential business disruptions occurring due to cyberattacks, and
• Allowing IT and Ops to focus on technical execution

Ability to visualize business risks and affected sensitive information assets with an ability to focus
into details of Information and Data Risk – specific threats, incidents, and vulnerabilities

IBM Data Risk Manager (IDRM) – know all there is to know about your data
Information Security Management and Governance

IDRM: Information Security Management and Governance

What? Sensitive and Valuable Data
Where? Location
Who? Key Stakeholders
How? Controls and Protection Measures
Why? Purpose and Usage
Security? Maturity of security controls
Governance? Risks and Mitigation

Business Risk – Critical data are the “Crown Jewels”

Crown Jewels
An organization’s most sensitive or business critical information.
Today, many organizations are not aware of what their Crown Jewel information is, where it resides, who has access to it, or how it is protected.
Possessing information about Crown Jewels is necessary in order to determine whether adequate controls are in place.
Crown Jewel protection is dependent upon having access to vital information in order to apply proper controls.

55%: Increase in data breaches since 2014
Source: Verizon data breach investigation report - 2015

60%: At least 60% of enterprises will discover a breach of sensitive data in 2015
Source: 2015 National Retail Federation/Forrester Research Inc.

Crown Jewel Examples

Enterprise
• Intellectual property
• Top-secret plans and formulas

Executive
• Acquisition and divestiture plans
• Executive and board deliberations

What you don’t know can hurt you: the IDRM solution provides visibility
to potential risks and enables proactive measures to be applied
The “Ah-ha” Moment When the Board of Directors & C-Suite realize their business is at risk

• Which lines of business have the highest risk?
• Where does critical data reside? – Data centers and Geo’s
  Data residency information
• Are the “Crown Jewels” classified and protected?
• What applications and processes access and use them?
  Controllers’ and Processor’s applications and processes
• Who are the owners of sensitive data?
  Roles and responsibilities such as Data Protection Officer
• What compliance issues do we have and remediation action items?

IBM Data Risk Manager (IDRM) – Functional Architecture

GOVERN
• IDRM Dashboard
• Information Assets
• Risk Analytics
• Action Management

MODEL: Business Context Modeler (BCM)
• Enterprise Datasources and Assets Integration
• Model and Map Business Context
• Information Security Policy Management
• Information Risk Modeling and Configuration
• Data Flow Modeling

MANAGE: Security Command and Control Center (SC3)
• Controls Management
• Discovery and Classification (LAB)
• Risks and Issues Analysis
• Posture Assessment
• Action Center – Remediation Planning

Manage your area of work

IDRM Server: Integration Exchange, Microservices, Diagnostic Tools

Knowledge Base: Industry Models, Solution Packages, Templates and Reusable Assets

Continuous Data Risk Management Program
Data Classification and Controls Integration Workflow with IDRM

[Workflow diagram. Stages: << Discover >>, << Classify >>, << Integrate >>]

Diagram labels: CMDB; SIEM; IBM Security Guardium Classification; IDRM Server; Business Context; Organization Data Infrastructure; Discovery Policies Definition; Native Metadata Discovery; Native IDRM Discovery; Discovered Data Filtering and Analysis; Information Asset Definition - Logical Grouping of Discovered Data; Taxonomy Mapping and Assignment; Risk Modeling and Configuration; Security Policy Violations and Vulnerabilities; Data Catalog; Information Assets; Information Asset Portfolio; Business Information Asset Portfolio; Information Asset Portfolio with Business Risk

Legend: Process Activity or Task; Result – Work product or Deliverable; LAB marks steps covered by labs

Labs: https://ibm.ent.box.com/file/280302725825

Demo – IDRM Dashboard
What you don’t know can hurt you: have visibility into critical data

Information Asset Portfolio visualized across Organization Units, BUs or LoBs and by Business Processes and Sensitivity categories

Information Asset with risk score and data classification labels

Visibility into critical data, its residency, controls in place, business usage and
potential risks
Data Residency
Data platforms, instance hostnames, and also geographical locations where critical data is stored

Controls Integration and Visibility
Application of data-platform specific controls such as Data Activity Monitoring and Vulnerability Assessment

Business Usage and Impact
Application, business processes that access and/or use critical data for business operations and processing

… in addition to providing insight into roles and responsibilities across
the data lifecycle and ability to view data flows,…

Roles and Responsibilities
Business and data owners across the data lifecycle including resource names and contact information

Data Flow Diagrams
Visualize critical data as it flows across the enterprise and modeled based on business context data

… and “A-Ha” Driving visibility into business risks using Guardium

Information Asset with risk score and data classification labels

Risk and Remediation Management
Understanding of detailed risk profile and information asset valuation to determine remediation steps and action items prioritization

IBM Data Risk Manager helping customers around the world uncover,
analyze, visualize, and take action to protect their most critical data

IBM Data Risk Manager: Uncover, Analyze, Visualize

Mass Media Conglomerate
Provided visibility into information asset risk posture by developing sensitive data catalog and uncovering database vulnerabilities

Global Manufacturer
Discovered and classified customer data across 23 enterprise applications to enable major business transformation initiative

Education Ministry
Developed Ministry-wide portfolio of information assets and its lifecycle to address compliance and privacy Act regulations

Major Insurance Company
Established sustainable discovery and classification process and accelerated data security solution deployment

IDRM Server – Sizing and Configuration
The recommended hardware configuration for a standalone Server VM is:

Processor: Intel Quad-core XEON 2GHz or above
Number of Processors: 2
Memory (RAM): 16 GB
Network: Dual 1 Gbps
Storage: 200 GB
RAID Level: RAID 5

The recommended software configuration is (ova – virtual image):

Virtualization Software: Virtual Machine Host – VMware ESXi/VMware Workstation
Architecture: 64-bit OS/JVM
Connectivity: Supports Internet and Intranet
Deployment & Maintenance: Server VM should be accessible over internet for installation

IDRM Server – Performance Considerations
Technical Considerations and Baseline and Test Results

Impact on network bandwidth during data scan
The IBM DRM product suite performs discovery by scanning the target system and extracting only the metadata. The actual data is not scanned or extracted. The metadata file is small, and the impact on network throughput is insignificant.
Assuming the target datasource has about 4000 tables, the following network performance metrics are provided as a baseline:
Data Upload: 500KB, Data Download: 9MB; throughput: 20KB/sec across segmented networks (via VPN)

Impact on performance and CPU resources on the database servers
As a baseline for metadata scans on user schema tables, the following CPU usage metrics were observed for a metadata scan of about 500 database tables:
• % CPU Peak usage: 2%
• Average % CPU usage: 1.8%
• Total scan time: approx. 4 minutes

Target Datasource configuration:
• Oracle 12c database installed on CentOS 6.7 Final operating system
• Number of CPU: 1
• Assigned Memory: 8GB RAM

Reference
IDRM Server – Network Protocol Services

Port/Protocol | Service | Source | Destination
22/TCP | ssh: command line access to administer and manage IDRM server | Remote Desktop | IDRM Server
25/TCP | smtp: (optional) connect to smtp, if email integration is required | IDRM Server
514/TCP or UDP | shell: to receive syslog notifications from the Guardium appliance | Guardium Appliance (if installed) | IDRM Server
8009, 8080/TCP | http: for server admin page connectivity | IDRM client applications/ Remote Desktop | IDRM Server
8443/TCP | https: IDRM server connectivity to IDRM client applications, Guardium appliance(s) | IDRM client applications, IDRM Server | IDRM Server and Guardium Appliance
8762/TCP | Native DB Scanner | IDRM Server
8763/TCP | Guardium Scanner | IDRM Server and Guardium Appliance
8764/TCP | Symantec Agent | IDRM Server and Symantec appliance
8765/TCP | Identity Manager Agent | IDRM Server
8767/TCP | DAM Listener Agent | IDRM Server and Guardium Appliance
10001/TCP | scp-config | Guardium Appliance (if installed) | IDRM Server
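
One way to check a deployed server against this port table, as an added example that is not IBM's code: it parses `ss -tlnH` output and reports TCP listeners the table does not document. The sample output is constructed, and expecting the 8762-8767 agent ports to listen on the IDRM Server is an assumption, since the table gives only one endpoint for them.

```python
# Added example: audit TCP listeners against the documented port table.
DOCUMENTED = {
    22: "ssh", 514: "syslog from Guardium", 8009: "http admin",
    8080: "http admin", 8443: "https", 10001: "scp-config",
    # Agent ports: the table lists a single endpoint for these, so treating
    # them as listeners on the IDRM Server is an assumption of this example.
    8762: "Native DB Scanner", 8763: "Guardium Scanner",
    8764: "Symantec Agent", 8765: "Identity Manager Agent",
    8767: "DAM Listener Agent",
}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -tlnH` output (not captured from a real server).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8009 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 100 [::]:8443 [::]:*
LISTEN 0 50 0.0.0.0:8762 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return the set of (address, port) pairs from `ss -tlnH` lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last colon so that
        # bracketed IPv6 addresses such as [::]:8443 parse correctly.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.add((addr.strip("[]"), int(port)))
    return listeners

def audit(ss_output):
    """Compare TCP listeners with the table (UDP 514 needs `ss -uln`)."""
    listeners = parse_listeners(ss_output)
    ports = {port for _, port in listeners}
    # Loopback-only listeners are not reachable from the network.
    exposed = {port for addr, port in listeners if addr not in LOOPBACK}
    return {
        "documented": sorted(ports & set(DOCUMENTED)),
        "undocumented": sorted(exposed - set(DOCUMENTED)),
        "not_listening": sorted(set(DOCUMENTED) - ports),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SS).items():
        print(key, value)
```

Listeners reported as undocumented are candidates for a host firewall rule or for removal; documented ports that are not listening usually mean the optional integration is not installed.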


© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
