Logistics
This tech talk is being recorded. If you object, please hang up and leave the
webcast now.
We’ll post a copy of the slides and a link to the recording on the Guardium community
tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat
to the Q and A group.
We’ll try to answer questions in the chat or address them at the speaker’s
discretion.
– If we cannot answer your question, please do include your email so we
can get back to you.
When speaker pauses for questions:
– We’ll go through existing questions in the chat
InfoSphere Guardium Tech Talks – at least one per month. Suggestions welcome!
InfoSphere Guardium YouTube Channel – includes overviews, technical demos,
tech talk replays
developerWorks forum (very active)
Guardium DAM User Group on Linked In (very active)
Community on developerWorks (includes discussion forum, content and links to a
myriad of sources, developerWorks articles, tech talk materials and schedules)
Guardium on IBM Knowledge Center (was Info Center)
Deployment Guide for InfoSphere Guardium Red Book
Technical training courses (classroom and self-paced, provided by Business
Partners)
Link to more information about this and upcoming tech talks can be found on the InfoSphere
Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
Understanding trends
Data Breaches …
http://www-03.ibm.com/security/data-breach/
2015 Cost of Data Breach Study
The three major reasons contributing to a higher cost of data breach in 2015:
– Cyber attacks have increased in frequency and in the cost to remediate the consequences
– The consequences of lost business are having a greater impact on the cost of data breach.
– Data breach costs associated with detection and escalation increased
2015 Cost of Data Breach Study © 2015 IBM Corporation
Anatomy of a breach (IBM Security Software Portfolio, simplistic view)
Attack chain stages: Break-In, Latch-on, Expand, Gather, Exfiltrate
Defensive phases: Prevent, Detect, Respond
Recommendations
3. System administrators security controls
– Operating System controls to monitor file access, copy, and modification
Risk
Guardium Agentless Network Scan (figure: scan of the 10.10.9.* range)
Tests
DB Tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata):
• Permissions
• Roles
• Configurations
• Versions
• Custom tests
OS Tier (Windows, Solaris, AIX, HP-UX, Linux, z/OS):
• Configuration files
• Environment variables
• Registry settings
• Custom tests
(The slide also labels the Database and User Activity tiers.)
• Getting Started with Vulnerability Assessment Tech Talk
• Guardium Vulnerability Assessment Trial Download
Detailed Scoring Matrix (fragment; the slide’s columns were flattened in extraction):
– 2,12: Installation and patch levels; creation of objects. Monitor for current versions & patch levels; unauthorized changes; privileges granted to developers on production systems; ad hoc queries.
– 2: Oracle DBMS Integrity; 2: SQL Server. … for unauthorized changes; monitor developer access to production; avoid ad-hoc queries on production databases; change control process.
Overall Risk Score; Historical Progress or Regression
Help Mitigate Risk by Measuring Progress and Validating Security Controls
Proactive Monitoring
Monitoring “unusual” transactions:
– Countries you have never purchased in before
– Unusual “out of pattern” transactions
Figure: OnLineBanking database at 10.10.9.27; Known: Joe
– Application Name (OnLineBanking) vs. SQLPlus
Proactive Notification
Defining a small group of risk tables helps you quantify what you are protecting, and the
risk based on these different attributes. Here’s a sample:
– Asset Risk – How valuable is the asset that I’m trying to protect?
• SOX, PCI, HIPAA, Corporate Marketing Plans, Corporate Mergers and Acquisitions, etc.
– User Risk – What roles do these users have?
• Database user, application developer, application user, power application user, unknown user, etc.
– Object Risk – How sensitive is this piece of data within the database?
• SSN vs. Cardholder information for PCI vs. Patient Records vs. Country ID vs. Mailing Address vs. Mother’s Maiden Name,
etc.
– Application Risk – How should this data be accessed, and by what application?
• Accessing through the SAP system is different than a direct database connection with SQL*Plus or TOAD
– IP Address Risk – What IP address made this connection?
• Different IP addresses have different levels of security (i.e. behind firewalls, DMZ, in a “trusted zone”, external Internet,
etc.).
Identifying the “authorized” applications that access these critical tables will help validate
your security controls.
Depending on the IP address, we will assign a risk rating:
– Classified network
– Core network
– DMZ network
– Partner network
– Internet
Calculating Risk
Other Connections… (figure: S-GATE)
Application Servers and Privileged Users issue SQL to the database (Oracle, DB2, MySQL, Sybase, etc.).
S-GATE: Hold SQL, Check Policy, Policy Violation (on appliance), Drop Connection, Session Terminated.
Quick Review…
3 Types of Security Controls Are Required For “Crown Jewels” (figure: Risk By Type of User; SQL Query, Database, Database Server)
1. Application security controls
– Separation of duties for Privilege Application User & Application User access
3. System administrators security controls
– Operating System controls to monitor file access, copy, and modification
Summary
And try:
• IBM Security AppScan Trial download
• Guardium Vulnerability Assessment Trial Download
Learn more
Thank you (closing slide shown in Polish, Traditional Chinese, Thai, Spanish, French, Russian, Arabic, Brazilian Portuguese, German, Swedish, Simplified Chinese, Japanese and Italian)
Backup Slides
AppScan
Monitor for data access and exfiltration. Attackers who bypass perimeter controls
become “trusted insiders” in most organizations because the internal network is trusted
and unmonitored. Deploy network analysis and visibility (NAV) tools to gain insight into
how traffic is traversing your entire network.[19]
guardium://CREDIT_CARD
Empty Value: Enter the special value guardium://empty to test for an empty
value in the traffic. This is allowed only in the following fields: DB Name, DB
User, App User, OS User, Src App, Event Type, Event User Name, and App
Event Text.
Note: You can also use regular expressions in the following fields (DB user, App
User, SRC App, Field name, Object, App Event Values Text) by typing the special
value guardium://regexp/(regular expression) in the text box that corresponds to
the field.
“Don’t focus just on one or two databases but extend your efforts to become
enterprise-wide — encompassing hundreds and thousands of databases.”
-- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011