
IBM Security

Guardium Tech Talk:


Practical Tips for Managing Data Security Risk
using IBM Security Guardium
Joe DiPietro
Joe_DiPietro@us.ibm.com

© 2015 IBM Corporation


Logistics

• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at the speaker’s discretion.
– If we cannot answer your question, please include your email so we can get back to you.
• When the speaker pauses for questions:
– We’ll go through the existing questions in the chat


Guardium community on developerWorks

bit.ly/guardwiki


Information, training, and community

• InfoSphere Guardium Tech Talks – at least one per month. Suggestions welcome!
• InfoSphere Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
• developerWorks forum (very active)
• Guardium DAM User Group on LinkedIn (very active)
• Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
• Guardium on IBM Knowledge Center (was Info Center)
• Deployment Guide for InfoSphere Guardium Red Book
• Technical training courses (classroom and self-paced, provided by Business Partners)

InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Not recorded!
Send a note to krzeide@us.ibm.com if interested.


Reminder: Upcoming Guardium Tech Talk

July 30th, 2015: Guardium integration capabilities: A use-case based discussion and deep dive
Speaker: John Haldeman, Practice Lead, Information Insights, LLC
Register here! https://ibm.biz/BdXaJc

• A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
• Please submit a comment on that page with ideas for tech talk topics.


What we’ll discuss

• Understanding trends
• Defining risk in corporate information flow
• Quantifying risk and protection value
• Managing the risk using Guardium
• Scenarios and examples


Data Breaches …

(Figure: 2015 Ponemon Study, Pie Chart 2, distribution of the benchmark sample by root cause of the data breach)
2015 Cost of Data Breach Study: http://www-03.ibm.com/security/data-breach/


Ponemon: Probability of a data breach: 1 in 4 companies…

• The three major reasons contributing to a higher cost of data breach in 2015:
– Cyber attacks have increased in frequency and in the cost to remediate the consequences
– The consequences of lost business are having a greater impact on the cost of a data breach
– Data breach costs associated with detection and escalation increased
2015 Cost of Data Breach Study: http://www-03.ibm.com/security/data-breach/
Anatomy of a breach – IBM Security Software Portfolio, simplistic view

(Figure: attack chain stages Break-In, Latch-on, Expand, Gather, Exfiltrate, mapped against the Prevent, Detect, Respond controls)


Business Impact – How Long Will It Take To Discover? Will You Know They Are Inside?

• The deficit gap is widening
• In 60% of cases, attackers are able to compromise an organization within minutes [1]

[1] 2015 Verizon Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf


Recommendations

1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/

2. Look for suspicious activity (DAM)
– Hackers are inside networks long before organizations understand what’s going on with their data: greater than 200 days!
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html

3. Have a plan for when data is exfiltrated
– 2015 Ponemon Study (Ponemon Institute, sponsored by IBM): http://www-03.ibm.com/security/data-breach/

4. Encryption covers a multitude of sins…
3 Types of Security Controls Are Required For “Crown Jewels”

1. Application security controls
– Separation of duties for Privileged Application User and Application User access

2. Database security controls
– Continuously monitor direct access to the database, which bypasses the application controls

3. System administrator security controls
– Operating System controls to monitor file access, copy, and modification

(Figure: Risk By Type of User)


Risk

• Most corporate functions are electronically automated
• These functions live in databases. For example:
– HR
– Payroll
– Procurement
– Corporate intellectual property (IP)
– Customer data
– Health care information
– Etc.
• Create a risk methodology to help understand what is important and how much it costs to protect different assets


5 Point Checklist to Help Quantify Risk and Protect Crown Jewels

1. Identify your Crown Jewels (top data assets) in your organization
2. Assign a value to these assets
3. Identify specific threats to these assets
4. Identify vulnerabilities to these assets
5. Calculate your risk score to determine appropriate security controls

• Risk is dependent on the asset values, threats and vulnerabilities
• Let’s use a simple example as it relates to the databases
• PCI is a very common example and we’ll relate this to credit card processing


Step 1 – Identify Your PCI Assets (Crown Jewels) In This Case

• Identify all database servers that have PCI content
• These servers will have an asset value of $1,000,000
• Scan the network to discover all the database servers

(Figure: Guardium agentless network scan of 10.10.9.*)
Step 1 – Identify Your PCI Assets

• Crawl each database to identify if there is any PCI data, using a predefined rule that identifies PCI cardholder data with the Luhn algorithm
• Rule name with:
– “guardium://CREDIT_CARD” and
– a valid credit card number pattern in the Search Expression box; the classification policy will then use the Luhn algorithm
– A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a blank.

See also: Database discovery and sensitive data finder (Classifier) tech talk
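A worked version of the classifier rule described above, as an added example (not Guardium’s own code): it applies the slide’s pattern (16 digits, or four blank-separated groups of four) to sample rows, keeps only candidates that pass the Luhn check, and counts hits per column, which is what decides whether a table goes into the PCI asset list. The sample table, its column names and the test card numbers are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Sequence

# The slide's definition of a candidate: 16 digits, or four groups of four digits
# separated by a blank. The look-arounds stop a 16-digit window being cut out of a
# longer digit run (e.g. a 20-digit reference number).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d{16}|\d{4} \d{4} \d{4} \d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits (blanks already removed)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9            # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Candidates that match the pattern AND pass Luhn, as they appear in the text."""
    return [m.group(0) for m in PAN_PATTERN.finditer(text)
            if luhn_valid(m.group(0).replace(" ", ""))]


def classify_rows(columns: Sequence[str], rows: Iterable[Sequence[object]]) -> Dict[str, int]:
    """Crawl sample rows of one table and count Luhn-valid PANs per column.

    A column with a non-zero count is what the classifier flags as holding
    cardholder data; the server that hosts it then goes into the PCI asset table.
    """
    counts = {c: 0 for c in columns}
    for row in rows:
        for col, value in zip(columns, row):
            counts[col] += len(find_pans(str(value)))
    return counts


# Constructed sample rows standing in for a crawl of a "creditcard" table. The card
# values are well-known test PANs that pass Luhn; the 16-digit "phone" value matches
# the pattern but fails Luhn, and the 20-digit reference never matches the pattern.
SAMPLE_COLUMNS = ("id", "name", "card", "notes")
SAMPLE_ROWS = [
    (1, "John Smith", "4111111111111111", "n/a"),
    (2, "Sally Johnson", "4111 1111 1111 1111", "phone 1234567812345678"),
    (3, "Ron Harrison", "5500000000000004", "ref 12345678901234567890"),
]

if __name__ == "__main__":
    for col, n in classify_rows(SAMPLE_COLUMNS, SAMPLE_ROWS).items():
        print(f"{col:6s} {n} Luhn-valid PAN(s)")
```

The Luhn step matters in practice: without it, every 16-digit phone number, order reference or timestamp in a free-text column would be reported as cardholder data and the asset list would be polluted with false positives.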


PCI Data Found On This Server – 10.10.9.56

(Figure: classifier results showing which server and where on that server the PCI data was found)


We’ve Identified the Crown Jewels, Now Identify the Vulnerabilities and Threats

• Vulnerabilities can be identified by security best practices
• Based on industry standards: DISA STIG & CIS Benchmark
• Extensive library of pre-built tests for all supported platforms
• Customizable tests to address your specific corporate security policies
– Via custom Operating System scripts, SQL queries, environment variables, etc.
• A combination of tests ensures comprehensive coverage to support risk measurements:
1. Database settings
2. Operating system

Tests
– DB tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata): permissions, roles, configurations, versions, custom tests
– OS tier (Windows, Solaris, AIX, HP-UX, Linux, z/OS): configuration files, environment variables, registry settings, custom tests
(Figure: the tests run against the database and its user activity)

• Getting Started with Vulnerability Assessment Tech Talk
• Guardium Vulnerability Assessment Trial Download
Use Industry Best Practices Templates – STIG and CIS

STIG Section 2: Integrity
– STIG requirement: installation and patch levels; creation of objects for unauthorized changes; monitor developer access to production; ad hoc queries.
– CIS section: 2, 12 (Oracle); 2 (SQL Server)
– CIS requirement: monitor for current versions & patch levels; unauthorized changes; privileges granted to developers on production systems; avoid ad-hoc queries on production databases; change control process.
– Guardium monitors: yes

STIG Section 3: Access Control
– STIG requirement: all actions traceable to a user; concept of least privilege (users, roles & applications); no shared accounts; no default accounts; lock accounts after 3 failed logins; minimum password strength; passwords changed every 90 days; restrict access by shared service accounts (connection pooling); all DBA accounts authorized by IAO.
– CIS section: 2, 11 (Oracle); 1, 3, 4, 6, 8 (SQL Server)
– CIS requirement: no default accounts; passwords; DB hardening; guest accounts disabled; disable various extended stored procedures; SQL logins have strong passwords; assign permissions to roles rather than users; periodic scan of Role Members.
– Guardium monitors: yes

STIG Section 4: Database Auditing
– STIG requirement: audit all DB operations with sufficient granularity to detect intrusive activity; monitor all DBA connections; ensure audit data is only readable by authorized personnel; no unauthorized applications or batch jobs; unusual or suspicious patterns of activity; monitor changes to DB objects; review audit data daily; maintain audit data for 1 year.
– CIS section: 12 (Oracle); 4, 5 (SQL Server)
– CIS requirement: review DBA group membership; review and control which applications access the database; review audit info regularly; audit privileged user activity (object access, ownership, add DB user, etc.).
– Guardium monitors: yes

STIG Section 5: Network Access
– STIG requirement: remote admin connections must be encrypted (& monitored); identify DB users when using connection pooling; separate DB accounts for replication; prevent developers from accessing sensitive data.
– CIS section: 12 (Oracle); 1, 2 (SQL Server)
– CIS requirement: encryption; change SQL Server default ports.
– Guardium monitors: yes

STIG Section 6: OS Permissions
– STIG requirement: verify file permissions on DB executables, configuration files & data files; ensure only authorized DBAs are granted membership to DBMS privileged OS groups.
– CIS section: 1 (Oracle); 1, 3 (SQL Server)
– CIS requirement: Windows registry; deny Guest OS group; OS benchmark configuration.
– Guardium monitors: yes
Guardium Risk Score For Vulnerabilities of This Asset

(Figure: overall risk score, detailed scoring matrix, and historical progress or regression)
Help mitigate risk by measuring progress and validating security controls


Next Step, Identify Additional Risks Like This Example

• There are many types of risks
• Unauthorized users
– Anyone that can connect to the database to see the cardholder data
• Unauthorized IP addresses
– Only certain servers are allowed to communicate together
• Unauthorized programs
– Access by other programs bypasses other security controls
• Monitoring database objects
– Only certain tables will contain sensitive information

However, to simplify these risks, let’s call it an unauthorized “connection”

(Figure: the OnLineBanking application connects to the Crown Jewels; Joe connects from 10.10.9.27 using MS Excel)
Identifying An Unauthorized Connection…

• “Unauthorized connections” are a very familiar process in the credit card industry
• Simplified example with credit cards
– “unauthorized connection” = false charge on my credit card account
– Proactive notification of “unauthorized connections”
– Regular reporting to cardholders of “unauthorized connections”
• Database Activity Monitoring (DAM) for unauthorized connections
– Proactive notification of “unauthorized connections”
– Regular reporting to stakeholders of “unauthorized connections”


Credit Card Best Practices

Proactive
• Monitoring “unusual” transactions
– Countries you have never purchased in before
– Unusual “out of pattern” transactions

Post transaction reporting
• Regular reports to cardholders (it’s your money!)
– Identify transactions not made by the cardholder
– Identify overcharges


Proactive - Credit Card Best Practices

• Proactive, real time
– New transaction in an unusual country based on past purchasing pattern: 359.34 Latvian lats = “unauthorized connection”
– New transaction unusually high: $12,534.23 = “unauthorized connection”


Post Transaction Reporting Process for “Unauthorized Connections”

• Credit card company summarizes information and produces a report
• Report is delivered to the cardholder on a predefined time period (ie. monthly)
• Cardholder reviews the statement
– Sends payment based on all transactions that are on the statement
– Sends partial payment based on “disputed charges”
• “Disputed charges” may identify unauthorized activities
• “Disputed charges” are investigated and documented


Goal Of Reporting To Cardholders

• Involve the cardholder in the process
• Reduce costs by preventing fraudulent charges
• Quickly identify activity that the cardholder did not perform
• Increased accuracy: the cardholder knows the most intimate details of their activity
• Scale: the credit card company uses few resources and leverages subject matter experts in its process to be more efficient


Database Activity Monitoring Best Practices - Proactive

• Known:
– Application Name (OnLineBanking)
– Application Server IP Address (10.10.9.244)
– Database user (APPUSER)
• Unknown:
– NOT IP address 10.10.9.244 (ie. 10.10.9.27)
– NOT database user APPUSER (ie. Joe)
– NOT “OnLineBanking” application name (ie. SQLPlus)

• Proactive policies can highlight
– Fraudulent activity quickly
– Improper operational procedures (ie. outdated scripts, direct database access, unauthorized applications, etc)

(Figure: OnLineBanking connects from 10.10.9.244 as APPUSER; Joe connects from 10.10.9.27 using SQLPlus)
• YouTube video demo on Connection Profiling
Proactive Notification

(Figure: policy rule raising an alert on “unauthorized connections”)


Report of Unauthorized Connections… Application Owners Are Critical to the Process

(Figure: report of unauthorized connections)


A Different Perspective…“Unauthorized Connections”

(Figure: three reports – Unauthorized Client IP, Unauthorized Application, Unauthorized DB Users)


Reduce Risk By Sending Report Using “Audit Process”

(Figure: audit process workflow)


Approval And Sign Off

(Figure: one “unauthorized connection” is fully investigated)


This Example Shows “Unauthorized Connections”

• For each unauthorized connection, you add to your risk score
• To reduce your risk score, stakeholders will “justify” the connection as a valid and legitimate connection for their application
• Simple “connection” reporting is very effective to highlight unauthorized application access
• Use workflow to ensure the reporting process is being followed and documented

• More details for risk tables…


Defining Risk Tables

• Threats to a database can come from many places
• Start with a “coarse” level analysis and refine it over time to become more granular
• There are many complex risk formulas and processes, but start with a simplistic approach to get something working for your organizational uniqueness

• Defining a small group of risk tables helps you quantify what you are protecting, and the risk based on these different attributes. Here’s a sample:
– Asset Risk – How valuable is the asset that I’m trying to protect?
• SOX, PCI, HIPAA, Corporate Marketing Plans, Corporate Mergers and Acquisitions, etc
– User Risk – What roles do these users have?
• Database user, application developer, application user, power application user, unknown user, etc
– Object Risk – How sensitive is this piece of data within the database?
• SSN vs Cardholder information for PCI vs Patient Records vs Country ID vs Mailing Address vs Mother’s Maiden Name, etc
– Application Risk – How should this data be accessed, by what application?
• Accessing through the SAP system is different than a direct database connection with SQL*Plus or TOAD
– IP Address Risk – What IP address made this connection?
• Different IP addresses have different levels of security (ie. behind firewalls, DMZ, in a “trusted zone”, external Internet, etc).


Defining Risk Tables – Asset Risk

• Assign a risk rating for your critical assets
• Put a cost on each asset so that you understand how much protection to allocate to it
• Depending on the asset class, we assign a cost for these assets

SQL> select * from assetRisk order by riskvalue;

ID SERVERIP    SERVERDESC          RISKVALUE RISKRATING  ASSETCOST
-- ----------- ------------------- --------- ---------- ----------
 1 10.10.9.56  PCI Server                  1 high        1,000,000
 2 10.10.9.59  Corporate Strategy          1 high        2,000,000
 3 10.10.9.252 SOX Server                  1 high          500,000
 4 10.10.9.58  HIPAA Server                1 high          900,000
 5 10.10.9.58  Retail Banking              1 high       10,000,000
 6 10.10.9.68  Development Server          2 medium        400,000
 7 10.10.9.69  QA Server                   2 medium        200,000
 8 10.10.9.78  Training Server             3 low           100,000
 9 10.10.9.79  SiteLocation Server         3 low           200,000

9 rows selected.

SQL>


Optionally Identify Server Processing Power in Your Risk Score

• The number of CPUs can be tracked via Tap Monitor > CPU Tracker


Defining Risk Tables – Employee Risk

• Create a userRisk table
• Assign risk based on department
– riskRating: 1 (high), 2 (medium), 3 (low)
– Database Engineering = priv users (high risk)
– Application Development = priv users (high risk)
– Business Analytics = power application users (medium risk)
– Retail Banking = application users (low risk)

SQL> select * from Employee;

ID USERNAME      DBUSER DEPTNUM DEPTNAME
-- ------------- ------ ------- -----------------------
 1 Joe DiPietro  joe         10 Database Engineering
 2 John Smith    john        20 Application Development
 3 Sally Johnson sally       30 Business Analytics
 4 Ron Harrison  ron         40 Retail Banking LOB

SQL> select * from userRisk order by riskvalue;

ID EMPID DEPTNUM RISKVALUE RISKRATING
-- ----- ------- --------- ----------
 1     1      10         1 high
 2     2      20         1 high
 3     3      30         2 medium
 4     4      40         3 low

SQL>

Depending on the department name, we assign a risk for these users connecting to the database
DB2 Entitlement Reports

Joe has a high risk, based on his role and his privileges (entitlements) to the database:
– Column level privileges to the creditcard object that contains PCI Primary Account Numbers (PAN)
– If this account is compromised, or this “authorized” user performs “unauthorized activities”, your data is in jeopardy…
– Monitoring joe’s activities is critical to validate his actions


Defining Risk Tables – Object and Application Risk

Depending on the object table, we assign a risk rating

SQL> select * from objectRisk order by riskvalue;

ID OBJECTNAME  OBJECTDESC               RISKVALUE RISKRATING
-- ----------- ------------------------ --------- ----------
 1 creditcard  Holds Creditcard Info            1 high
 3 accountNum  Holds account numbers            1 high
 4 address     Holds Address Info               2 medium
 5 policyValue Holds Total Policy Value         2 medium

Depending on the application, we assign a risk rating

SQL> select * from appNameRisk order by riskvalue;

ID APPNAME       APPDESC                    RISKVALUE RISKRATING
-- ------------- -------------------------- --------- ----------
 4 toad          Toad - DBA tool                    1 high
 3 excel         Microsoft Excel                    1 high
 5 sqlplus       SQLPlus - Oracle DBA tool          1 high
 2 retailBanking Retail Banking Application         3 low
 1 retailBanking Retail Banking Application         3 low
 3 retailBanking Retail Banking Application         3 low

6 rows selected.

* Identifying critical tables is essential in creating a risk profile
** Identifying the “authorized” applications that access these critical tables will help validate your security controls
Different IP Networks Have Different Security

• Classified network
• Core network
• DMZ network
• Partner network
• Internet


Identify Risk of Connections with Different Categories of IP Address

Guardium’s Access Map dynamically draws a network diagram based on the timeframe of access!


Defining Risk Tables – IP Address Risk

SQL> select * from ipAddressRisk order by riskvalue;

ID IPADDRESS   IPDESC                                           RISKVALUE RISKRATING
-- ----------- ------------------------------------------------ --------- ----------
11 10.10.9.241 DMZ: Web Servers group                                   2 medium
10 10.10.9.240 DMZ: Web Servers group                                   2 medium
12 10.10.9.242 DMZ: Web Servers group                                   2 medium
 4 10.10.9.58  Authorized Client IP: HIPAA Server                       3 low
 5 10.10.9.58  Authorized Client IP: Retail Banking                     3 low
 7 10.10.9.69  Authorized Client IP: QA Server                          3 low
 8 10.10.9.78  Authorized Client IP: Training Server                    3 low
 9 10.10.9.79  Authorized Client IP: SiteLocation Server                3 low
 3 10.10.9.252 Authorized Client IP: SOX Server                         3 low
 2 10.10.9.59  Authorized Client IP: Corporate Strategy                 3 low
 1 10.10.9.56  Authorized Client IP: PCI and Retail Banking App         3 low
 6 10.10.9.68  Authorized Client IP: Development Server                 3 low

12 rows selected.

SQL>

Depending on the IP address, we assign a risk rating


Now Score The “Unauthorized Connection” Based on the Risk Tables

(Figure: the three reports – Unauthorized Client IP, Unauthorized Application, Unauthorized DB Users – feeding the score)


Calculating Risk

• Core network, not the “Classified Network” (10.70.147.57): unauthorized network
• MS Excel: unauthorized “high risk” application connecting directly to the database
• Joe: “high risk” user based on the entitlement report

Risk rating scale: High = 1, Medium = 2, Low = 3 (a lower total is a higher risk)

Joe                        Priv User   1 High
Unauthorized Network                   1 High
Unauthorized Application               1 High
Total Risk Score                       3        Baseline 7

Security Policy: all connections scoring 7 or lower shall be monitored and audited
Other Connections…

Joe             Priv User                 1 High
                Unauthorized Network      1 High
                Unauthorized Application  1 High
                Total Risk Score – Joe    3

Administrator   Priv User                 1 High
                Authorized Network        3 Low
                Authorized Application    3 Low
                Total Risk Score – Administrator  7

JOCONNOR        App User                  3 Low
                Authorized Network        3 Low
                Authorized Application    3 Low
                Total Risk Score – JOCONNOR  9
Creating Risk Map Based on IT Role

(Figure: risk map matrix with the IT roles – System Administrator, Database Administrator, Application Developer, Application User, Privilege User, Information Security, Audit, Risk & Compliance – as both rows and columns)

Other Risk Concerns
1. Weak security
2. Unauthorized access to data
3. Unauthorized remote access
4. Inaccurate information
5. Erroneous or falsified data input
6. Misuse by authorized end users
7. Incomplete processing
8. Duplicate transactions
9. Untimely processing
10. Communications system failure
11. Inadequate training
12. Inadequate support
13. etc…
High Risk Connections - Eliminating Risk Over “4”

Proactively block connections from “unauthorized” IP addresses, high risk applications and/or users

(Figure: privileged users and application servers issue SQL to Oracle, DB2, MySQL, Sybase, etc.; S-GATE holds the SQL while the policy is checked on the appliance and, on a policy violation, drops the connection – here an outsourced DBA’s session is terminated)
Quick Review…
3 Types of Security Controls Are Required For “Crown Jewels”

1. Application security controls
– Separation of duties for Privileged Application User and Application User access

2. Database security controls
– Continuously monitor direct access to the database, which bypasses the application controls

3. System administrator security controls
– Operating System controls to monitor file access, copy, and modification

(Figure: Risk By Type of User)


Application Security Controls - Guardium For Applications

• Customer Service Representatives (CSRs) access company applications remotely
• Guardium is installed in the middle to guarantee that application screens undergo a masking process
• CSRs utilize the application as usual
• Sensitive information unessential for CSR operation is masked out

(Figure: Data Center screen – Name: John Smith, SSN: 111-11-1111, Balance: $127.50 – passes through the Guardium Masking Gateway; the Outsourced Call Center sees Name: John Smith, SSN masked, Balance: $127.50)

Guardium for Applications demo on PeopleSoft
Application Security Controls - AppScan

IBM Security AppScan Trial download
Database Controls Can Cover 3 Types of Rules

(Figure: 1. SQL query from the client to the database server; 2. result set returned by the server; 3. exception returned by the server, ie. SQL errors & more)

There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3. An exception rule evaluates exceptions returned by the server
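The three rule types, together with the connection profile from the earlier “DAM best practices” slide, run over a constructed event stream as an added example (not Guardium’s own policy engine): the access rule matches the (application, application server IP, DB user) triple of each client request against the known profile, the extrusion rule scans the rows the server returns for a pattern, and the exception rule counts SQL errors per session. The SSN pattern, the error threshold of 3, the session labels and all sample events are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Connection profile from the "DAM best practices" slide: the only (application,
# application server IP, DB user) triple that is supposed to reach this database.
KNOWN_CONNECTIONS = {("OnLineBanking", "10.10.9.244", "APPUSER")}

# Extrusion pattern (constructed for this example): a US SSN in returned data.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Exception rule threshold (assumed value): this many SQL errors in one session
# reads as someone probing for table names rather than a normal application bug.
ERROR_THRESHOLD = 3


@dataclass
class Event:
    session: str
    app: str
    client_ip: str
    dbuser: str
    kind: str          # "request" (client -> server), "result" or "exception" (server -> client)
    payload: str


@dataclass
class Verdict:
    session: str
    rule: str          # "access", "extrusion" or "exception"
    action: str        # "alert" or "terminate"
    detail: str


def access_rule(e: Event) -> Optional[Verdict]:
    """Access rule: applies to client requests; an unknown triple is an unauthorized connection."""
    if e.kind == "request" and (e.app, e.client_ip, e.dbuser) not in KNOWN_CONNECTIONS:
        return Verdict(e.session, "access", "terminate",
                       f"unauthorized connection {e.app}/{e.client_ip}/{e.dbuser}")
    return None


def extrusion_rule(e: Event) -> Optional[Verdict]:
    """Extrusion rule: evaluates the data the server returns, not the query that asked for it."""
    if e.kind == "result":
        n = len(SSN_PATTERN.findall(e.payload))
        if n:
            return Verdict(e.session, "extrusion", "alert", f"{n} SSN value(s) in result set")
    return None


def exception_rule(e: Event, errors: Counter) -> Optional[Verdict]:
    """Exception rule: counts server errors per session and fires once, at the threshold."""
    if e.kind == "exception":
        errors[e.session] += 1
        if errors[e.session] == ERROR_THRESHOLD:
            return Verdict(e.session, "exception", "alert",
                           f"{ERROR_THRESHOLD} SQL errors in one session, last: {e.payload}")
    return None


def evaluate(events: List[Event]) -> List[Verdict]:
    """Run all three rule types over an event stream in order.

    Once the access rule terminates a session, later events of that session are
    not evaluated, mirroring a dropped connection.
    """
    verdicts: List[Verdict] = []
    errors: Counter = Counter()
    terminated = set()
    for e in events:
        if e.session in terminated:
            continue
        for v in (access_rule(e), extrusion_rule(e), exception_rule(e, errors)):
            if v is not None:
                verdicts.append(v)
                if v.action == "terminate":
                    terminated.add(e.session)
    return verdicts


# Constructed sample traffic for three sessions.
APP = ("OnLineBanking", "10.10.9.244", "APPUSER")
JOE = ("SQLPlus", "10.10.9.27", "joe")
SAMPLE_EVENTS = [
    Event("S1", *APP, "request",   "SELECT name, ssn FROM customers WHERE id = 42"),
    Event("S1", *APP, "result",    "John Smith,111-11-1111"),
    Event("S2", *JOE, "request",   "SELECT * FROM creditcard"),
    Event("S2", *JOE, "result",    "4111111111111111,04/04"),      # never evaluated: session dropped
    Event("S3", *APP, "request",   "SELECT * FROM customer"),
    Event("S3", *APP, "exception", "ORA-00942: table or view does not exist"),
    Event("S3", *APP, "exception", "ORA-00942: table or view does not exist"),
    Event("S3", *APP, "exception", "ORA-00942: table or view does not exist"),
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(f"{v.session} {v.rule:9s} {v.action:9s} {v.detail}")
```

Note that session S1 is a fully authorized connection and still produces a verdict: the extrusion rule looks at what came back, so it catches an approved application pulling sensitive columns it has no business returning, which neither an access rule nor a query-text rule would see.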


System Admin Controls - Guardium Data Encryption (GDE)

(Figure: the same file shown three ways)
– Clear text: file system metadata (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02) and file data (Name: J Smith, CCN: 60115793892, Exp Date: 04/04, Bal: $5,145,789, SSN: 514-73-8970) are all readable
– Block-level encryption: metadata and file data are both ciphertext
– MetaClear: the file system metadata stays in the clear (Name, Created, Modified) while the file data is ciphertext

• Protects sensitive information without disrupting data management
• High-performance encryption
• Root access control
• Data access as an intended privilege

Guardium Data Encryption Tech Talk (YouTube) (1 of 3)
Guardium Data Encryption (GDE) - System Administrator Controls (Deny, Encrypt, Audit, Permit)

• WHO is attempting to access protected data?
– Configure the groups, or applications, that can access protected data
• WHAT data is being accessed?
– Configure appropriate file and directory access
• WHEN is the data being accessed?
– Configure a range of hours and days of the week for authorized access
• HOW is the data being accessed?
– Configure the file system operations allowed on the data, e.g. read, write, delete, rename, application or process, etc.
• EFFECT: Permit; Deny; Encrypt; Audit

• Root users can:
1. read the directory (/SAPDirectory), but the content they see is encrypted and the access is audited
2. be blocked from a directory altogether (/NoAccess)


Operating System Switch User “SU” To Gain Access

System administrators have a lot of power
• Be careful with “su”
• Proactive policies are required

Use continuous monitoring to identify high risk users who can switch identity
Summary

1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/

2. Look for suspicious activity (DAM)
– Hackers are inside networks long before organizations understand what’s going on with their data: greater than 200 days!
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html

3. Have a plan for when data is exfiltrated
– 2015 Ponemon Study (Ponemon Institute, sponsored by IBM): http://www-03.ibm.com/security/data-breach/

4. Encryption covers a multitude of sins…

Learn and try

Learn more about some of what we talked about today:


• YouTube video demo on Connection Profiling (part 1 of 3)
• developerWorks article on Guardium PCI accelerator
• Outliers and Quick Search demo on YouTube
• Database discovery and sensitive data finder (Classifier) tech talk
• Getting Started with Vulnerability Assessment Tech talk
• Guardium for Applications demo on PeopleSoft
• Guardium Data Encryption Tech Talk (YouTube) (1 of 3)

And try:
• IBM Security AppScan Trial download
• Guardium Vulnerability Assessment Trial Download



Learn more

Understand risk and compliance mandates
– Whitepapers:
Protect payment card data with InfoSphere
Help ensure HIPAA compliance with InfoSphere
Understanding encryption requirements of PCI DSS
– ebook:
Managing compliance to protect enterprise data

Talk to your sales rep about holistic data security
– Whitepaper:
Secure Enterprise Data & Ensure Compliance
– ROI Study:
Forrester Total Economic Impact of InfoSphere Guardium
– Website:
InfoSphere Guardium Database Security


Thank you
Backup Slides





Use Extrusion Rules On Result Sets for Pattern Access

Monitor for data access and exfiltration. Attackers who bypass perimeter controls become “trusted insiders” in most organizations because the internal network is trusted and unmonitored. Deploy network analysis and visibility (NAV) tools to gain insight into how traffic is traversing your entire network. [19]

Search expression for cardholder data: guardium://CREDIT_CARD

Empty value: enter the special value guardium://empty to test for an empty value in the traffic. This is allowed only in the following fields: DB Name, DB User, App User, OS User, Src App, Event Type, Event User Name, and App Event Text.

Note: you can also use regular expressions in the following fields (DB User, App User, Src App, Field Name, Object, App Event Values Text) by typing the special value guardium://regexp/(regular expression) in the text box that corresponds to the field.


Additional Slides for reference


IBM SmartCloud Virtual Guardium Users Group Community




Most approaches to data security and compliance miss the mark

Do nothing … however:
– Limited time, lots of regulation, growing costs of compliance
– Requirements for privacy/security by user role add complexity
– $3.5M per year average cost of compliance
– $5.5M USD average cost of a data breach
– $194 USD average cost of a data breach per compromised record
– 28,349 average number of breached records per incident
– 94% of compromised records originated in database servers

Leverage home grown approaches … however:
– Manual approaches lead to higher risk and inefficiency
– Requirements for privacy/security by user role add complexity
– New sources of threats: outsourcing, web-facing applications, stolen credentials, insiders

Implement a holistic data protection strategy
“Don’t focus just on one or two databases but extend your efforts to become enterprise-wide — encompassing hundreds and thousands of databases.”
-- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc, July 13, 2011
