Guardium Tech Talk: Practical Tips for Managing Data Security Risk using IBM Security Guardium
Joe DiPietro, [email protected]
© 2015 IBM Corporation
IBM Security

Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When speaker pauses for questions:
– We’ll go through existing questions in the chat

Guardium community on developerWorks: bit.ly/guardwiki
[Screenshot of the community page; the tech talk links are in the right nav]

Information, training, and community

InfoSphere Guardium Tech Talks – at least one per month. Suggestions welcome!
InfoSphere Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
Guardium on IBM Knowledge Center (was Info Center)
Deployment Guide for InfoSphere Guardium Red Book
Technical training courses (classroom and self-paced, provided by Business Partners)
InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.

Reminder: Upcoming Guardium Tech Talk

Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
July 30th, 2015: Guardium integration capabilities: A use-case based discussion and deep dive
Speaker: John Haldeman, Practice Lead, Information Insights, LLC
Register here! https://ibm.biz/BdXaJc

What we’ll discuss

Understanding trends
Defining risk in corporate information flow
Quantifying risk and protection value
Managing the risk using Guardium
Scenarios and examples

Data Breaches …

2015 Cost of Data Breach Study (2015 Ponemon Study): http://www-03.ibm.com/security/data-breach/
[Figure: Pie Chart 2. Distribution of the benchmark sample by root cause of the data breach]

Ponemon: Probability of a data breach: 1 in 4 companies…

The three major reasons contributing to a higher cost of data breach in 2015:
– Cyber attacks have increased in frequency and in the cost to remediate the consequences
– The consequences of lost business are having a greater impact on the cost of data breach
– Data breach costs associated with detection and escalation increased
2015 Cost of Data Breach Study: http://www-03.ibm.com/security/data-breach/

Anatomy of a breach

[Figure: IBM Security Software Portfolio, simplistic view]
Attack chain stages: Break-In → Latch-on → Expand → Gather → Exfiltrate
Control stages: Prevent, Detect, Respond

Business Impact – How Long Will It Take To Discover? Will You Know They Are Inside?

In 60% of cases, attackers are able to compromise an organization within minutes.¹
The deficit gap is widening
¹ 2015 Verizon Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

Recommendations

1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/
2. Look for (DAM) suspicious activity
– Hackers are inside networks long before organizations understand what’s going on with their data
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html
3. Have a plan for when data is exfiltrated (from Ponemon Institute, sponsored by IBM)
– http://www-03.ibm.com/security/data-breach/
4. Encryption covers a multitude of sins…
Greater than 200 Days!! (2015 Ponemon Study)

3 Types of Security Controls Are Required For “Crown Jewels” – Risk By Type of User

1. Application security controls
– Separation of duties for Privilege Application User & Application User access
2. Database security controls
– Continuously monitor direct access to the database, which will bypass the application controls
3. System administrator security controls
– Operating System controls to monitor file access, copy, and modification

Risk

Most corporate functions are electronically automated
These functions live in databases. For example:
– HR
– Payroll
– Procurement
– Corporate intellectual property (IP)
– Customer data
– Health care information
– Etc.
Create a risk methodology to help understand what is important and how much it costs to protect different assets

5 Point Checklist to Help Quantify Risk and Protect Crown Jewels

1. Identify your Crown Jewels (top data assets) in your organization
2. Assign a value to these assets
3. Identify specific threats to these assets
4. Identify vulnerabilities to these assets
5. Calculate your risk score to determine appropriate security controls
Risk is dependent on the asset values, threats and vulnerabilities
Let’s use a simple example as it relates to the databases
PCI is a very common example and we’ll relate this to credit card processing

Step 1 – Identify Your PCI Assets (Crown Jewels) In This Case

Identify all database servers that have PCI content
These servers will have an asset value of $1,000,000
Scan the network to discover all the database servers
[Screenshot: Guardium Agentless Network Scan of 10.10.9.*]

Step 1 – Identify Your PCI Assets

Crawl each database to identify if there is any PCI data using the Luhn algorithm
Predefined rule to identify PCI Cardholder data using the Luhn algorithm:
– With a rule name containing “guardium://CREDIT_CARD” and a valid credit card number pattern in the Search Expression box, the classification policy will use the Luhn algorithm
– A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a blank.
Database discovery and sensitive data finder (Classifier) tech talk

PCI Data Found On This Server – 10.10.9.56

[Screenshot of the classifier results: what server, and where on this server the PCI data was found]

We’ve Identified the Crown Jewels, Now Identify the Vulnerabilities and Threats

Vulnerabilities can be identified by security best practices
Based on industry standards: DISA STIG & CIS Benchmark
Extensive library of pre-built tests for all supported platforms
Customizable tests to address your specific corporate security policies
– Via custom Operating System scripts, SQL queries, environment variables, etc.
Combination of tests ensures comprehensive coverage to support risk measurements:
1. Database settings
2. Operating system

[Figure: test coverage by tier]
DB Tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata) – Tests: permissions, roles, configurations, versions, custom tests
OS Tier (Windows, Solaris, AIX, HP-UX, Linux, z/OS) – Tests: configuration files, environment variables, registry settings, custom tests
Database User Activity

• Getting Started with Vulnerability Assessment Tech talk
• Guardium Vulnerability Assessment Trial Download

Use Industry Best Practices Templates – STIG and CIS

Table columns: STIG Section | STIG Requirement | CIS Section | CIS Requirement | Guardium Monitors (check-mark column; the marks did not survive extraction)

STIG 2: DBMS Integrity
– STIG requirement: Monitor for current versions & patch levels; unauthorized changes; privileges granted to developers on production systems; ad hoc queries.
– CIS section: 2, 12: Oracle; 2: SQL Server
– CIS requirement: Installation and patch levels; creation of objects for unauthorized changes; monitor developer access to production; avoid ad-hoc queries on production databases; change control process.

STIG 3: Access Control
– STIG requirement: All actions traceable to a user; concept of least privilege (users, roles & applications); no shared accounts; no default accounts; lock accounts after 3 failed logins; minimum password strength; passwords changed every 90 days; restrict access by shared service accounts (connection pooling); all DBA accounts authorized by IAO.
– CIS section: 2, 11: Oracle; 1, 3, 4, 6, 8: SQL Server
– CIS requirement: No default accounts; passwords; DB hardening; guest accounts disabled; disable various extended stored procedures; SQL logins have strong passwords; assign permissions to roles rather than users; periodic scan of Role Members.

STIG 4: Database Auditing
– STIG requirement: Audit all DB operations with sufficient granularity to detect intrusive activity; monitor all DBA connections; ensure audit data only readable by authorized personnel; no unauthorized applications or batch jobs; unusual or suspicious patterns of activity; monitor changes to DB objects; review audit data daily; maintain audit data for 1 year.
– CIS section: 12: Oracle; 4, 5: SQL Server
– CIS requirement: Review DBA Group membership; review and control which applications access the database; review audit info regularly; audit privileged user activity (object access, ownership, add DB user, etc.).

STIG 5: Network Access
– STIG requirement: Remote admin connections must be encrypted (& monitored); identify DB users when using connection pooling; separate DB accounts for replication; prevent developers from accessing sensitive data.
– CIS section: 12: Oracle; 1, 2: SQL Server
– CIS requirement: Encryption; change SQL Server default ports.

STIG 6: OS Permissions
– STIG requirement: Verify file permissions on DB executables, configuration files & data files; ensure only authorized DBAs granted membership to DBMS privileged OS groups.
– CIS section: 1: Oracle; 1, 3: SQL Server
– CIS requirement: Windows registry; deny Guest OS Group; OS Benchmark Configuration.

Guardium Risk Score For Vulnerabilities of This Asset

Help Mitigate Risk by Measuring Progress and Validating Security Controls
[Screenshot: Overall Risk Score, Historical Progress or Regression, Detailed Scoring Matrix]

Next Step, Identify Additional Risks Like This Example

There are many types of risks
Unauthorized Users
– Anyone that can connect to the database to see the cardholder data
Unauthorized IP Addresses
– Only certain servers are allowed to communicate together
Unauthorized Programs
– Access by other programs bypasses other security controls
Monitoring Database Objects
– Only certain tables will contain sensitive information
[Figure: client 10.10.9.27, user Joe, program MS Excel, and the OnLineBanking application both connecting to the Crown Jewels database]
However, to simplify these risks, let’s call it an unauthorized “connection”

Identifying An Unauthorized Connection…

“Unauthorized connections” are a very familiar process in the Credit Card industry
Simplified example with credit cards
– “unauthorized connections” = false charge on my credit card account
– Proactive notification for “unauthorized connections”
– Regular reporting to cardholders of “unauthorized connections”
Database Activity Monitoring (DAM) for unauthorized connections
– Proactive notification for “unauthorized connections”
– Regular reporting to stakeholders of “unauthorized connections”

Credit Card Best Practices

Proactive
Monitoring “unusual” transactions
– Countries you have never purchased in before
– Unusual “out of pattern” transactions
Post transaction reporting
Regular reports to cardholders (it’s your money!)
– Identify transactions not made by cardholder
– Identify overcharges

Proactive - Credit Card Best Practices

Proactive, Real Time
– New transaction in an unusual country based on past purchasing pattern: 359.34 Latvian lats → “unauthorized connection”
– New transaction unusually high: $12,534.23 → “unauthorized connection”

Post Transaction Reporting Process for “Unauthorized Connections”

Credit card company summarizes information and produces a report
Report is delivered to cardholder on a predefined time period (i.e. monthly)
Cardholder reviews statement
– Sends payment based on all transactions that are on the statement
– Sends partial payment based on “disputed charges”
“Disputed charges” may identify unauthorized activities
“Disputed charges” are investigated and documented

Goal Of Reporting To Cardholders

Involve cardholder in the process
Reduce costs by preventing fraudulent charges
Quickly identify activity that cardholder did not perform
Increased accuracy - the card holder knows the most intimate details of their activity
Scale: credit card company uses few resources and leverages subject matter experts in their process to be more efficient

Database Activity Monitoring Best Practices - Proactive

Known:
– Application Name (OnLineBanking)
– Application Server IP Address (10.10.9.244)
– Database user (APPUSER)
Unknown:
– NOT IP Address 10.10.9.244 (i.e. 10.10.9.27)
– NOT Database user APPUSER (i.e. Joe)
– NOT “OnLineBanking” Application name (i.e. SQLPlus)
Proactive policies can highlight
– Fraudulent activity quickly
– Improper operational procedures (i.e. outdated scripts, direct database access, unauthorized applications, etc.)
[Figure: the known connection from the OnLineBanking application versus an unknown connection from 10.10.9.27 by user Joe using SQLPlus]
• YouTube video demo on Connection Profiling

Proactive Notification

[Screenshot: alert on “unauthorized connections”]

Report of Unauthorized Connections… Application Owners Are Critical to the Process

A Different Perspective… “Unauthorized Connections”

[Report columns: Unauthorized Application, Unauthorized Client IP, Unauthorized DB Users]

Reduce Risk By Sending Report Using “Audit Process”

Approval And Sign Off

One “unauthorized connection” is fully investigated

This Example Shows “Unauthorized Connections”

For each unauthorized connection, you add to your risk score
To reduce your risk score, stakeholders will “justify” the connection as a valid and legitimate connection for their application
Simple “connection” reporting is very effective to highlight unauthorized application access
Use workflow to ensure reporting process is being followed and documented
More details for risk tables…

Defining Risk Tables

Threats to database can come from many places
Start with a “coarse” level analysis and refine it over time to become more granular
There are many complex risk formulas and processes, but start with a simplistic approach to get something working for your organizational uniqueness
Defining a small group of risk tables helps you quantify what you are protecting, and the risk based on these different attributes… Here’s a sample:
– Asset Risk – How valuable is the asset that I’m trying to protect?
• SOX, PCI, HIPAA, Corporate Marketing Plans, Corporate Mergers and Acquisitions, etc.
– User Risk – What roles do these users have?
• Database user, application developer, application user, power application user, unknown user, etc.
– Object Risk – How sensitive is this piece of data within the database?
• SSN vs Cardholder information for PCI vs Patient Records vs Country ID vs Mailing Address vs Mother’s Maiden Name, etc.
– Application Risk – How should this data be accessed, by what application?
• Accessing through the SAP system is different than a direct database connection with SQL*Plus or TOAD
– IP Address Risk – What IP address made this connection?
• Different IP Addresses have different levels of security (i.e. behind firewalls, DMZ, in a “trusted zone”, external Internet, etc.)

Defining Risk Tables – Asset Risk

Assign risk rating for your critical assets
Put an asset cost so that you understand how much protection to allocate for this asset
Depending on the asset class, we will assign cost for these assets

SQL> select * from assetRisk order by riskvalue;;

        ID SERVERIP        SERVERDESC                 RISKVALUE RISKRATING    ASSETCOST
---------- --------------- ------------------------- ---------- ---------- ------------
         1 10.10.9.56      PCI Server                         1 high          1,000,000
         2 10.10.9.59      Corporate Strategy                 1 high          2,000,000
         3 10.10.9.252     SOX Server                         1 high            500,000
         4 10.10.9.58      HIPAA Server                       1 high            900,000
         5 10.10.9.58      Retail Banking                     1 high         10,000,000
         6 10.10.9.68      Development Server                 2 medium          400,000
         7 10.10.9.69      QA Server                          2 medium          200,000
         8 10.10.9.78      Training Server                    3 low             100,000
         9 10.10.9.79      SiteLocation Server                3 low             200,000

9 rows selected.

SQL>

Optionally Identify Server Processing Power in Your Risk Score

Number of CPUs can be tracked via Tap Monitor CPU Tracker

Defining Risk Tables – Employee Risk

Create UserRisk table
Assign risk based on department – riskRating
• 1 (high)
• 2 (medium)
• 3 (low)
Depending on the department name, we will assign risk for these users connecting to the database
– Database Engineering = priv users (high risk)
– Application Development = priv users (high risk)
– Business Analytics = power application users (medium risk)
– Retail Banking = application users (low risk)

SQL> select * from Employee;

        ID USERNAME        DBUSER          DEPTNUM DEPTNAME
---------- --------------- --------------- ------- -------------------------
         1 Joe DiPietro    joe                  10 Database Engineering
         2 John Smith      john                 20 Application Development
         3 Sally Johnson   sally                30 Business Analytics
         4 Ron Harrison    ron                  40 Retail Banking LOB

SQL> select * from userRisk order by riskvalue;

        ID      EMPID DEPTNUM  RISKVALUE RISKRATING
---------- ---------- ------- ---------- ----------
         1          1      10          1 high
         2          2      20          1 high
         3          3      30          2 medium
         4          4      40          3 low

SQL>

DB2 Entitlement Reports

Joe has a high risk, based on his role and privilege (entitlements) to the database
– Column level privileges to the Creditcard object that contains PCI Personal Account Numbers (PAN)
– If this account is compromised or this “authorized” user performs “unauthorized activities” your data is in jeopardy…
– Monitoring “joe’s” activities is critical to validate his actions

Defining Risk Tables

Depending on the object table, we will assign a risk rating
Depending on the application, we will assign a risk rating
*Identifying critical tables is essential in creating a risk profile
**Identifying “authorized” applications that access these critical tables will help validate your security controls

SQL> select * from objectRisk order by riskvalue;

        ID OBJECTNAME      OBJECTDESC                 RISKVALUE RISKRATING
---------- --------------- ------------------------- ---------- ----------
         1 creditcard      Holds Creditcard Info              1 high
         3 accountNum      Holds account numbers              1 high
         4 address         Holds Address Info                 2 medium
         5 policyValue     Holds Total Policy Value           2 medium

SQL> select * from appNameRisk order by riskvalue;

        ID APPNAME         APPDESC                       RISKVALUE RISKRATING
---------- --------------- ---------------------------- ---------- ----------
         4 toad            Toad - DBA tool                       1 high
         3 excel           Microsoft Excel                       1 high
         5 sqlplus         SQLPlus - Oracle DBA tool             1 high
         2 retailBanking   Retail Banking Application            3 low
         1 retailBanking   Retail Banking Application            3 low
         3 retailBanking   Retail Banking Application            3 low

6 rows selected.

Different IP Networks Have Different Security

Core network
DMZ network
Partner network
Classified network
Internet

Identify Risk of Connections with Different Categories of IP Address

Guardium’s Access Map dynamically draws a network diagram based on timeframe of access!

Defining Risk Tables

Depending on the IP Address, we will assign a risk rating

SQL> select * from ipAddressRisk order by riskvalue;

        ID IPADDRESS        IPDESC                                             RISKVALUE RISKRATING
---------- ---------------- ------------------------------------------------- ---------- ----------
        11 10.10.9.241      DMZ: Web Servers group                                     2 medium
        10 10.10.9.240      DMZ: Web Servers group                                     2 medium
        12 10.10.9.242      DMZ: Web Servers group                                     2 medium
         4 10.10.9.58       Authorized Client IP: HIPAA Server                         3 low
         5 10.10.9.58       Authorized Client IP: Retail Banking                       3 low
         7 10.10.9.69       Authorized Client IP: QA Server                            3 low
         8 10.10.9.78       Authorized Client IP: Training Server                      3 low
         9 10.10.9.79       Authorized Client IP: SiteLocation Server                  3 low
         3 10.10.9.252      Authorized Client IP: SOX Server                           3 low
         2 10.10.9.59       Authorized Client IP: Corporate Strategy                   3 low
         1 10.10.9.56       Authorized Client IP: PCI and Retail Banking App           3 low
         6 10.10.9.68       Authorized Client IP: Development Server                   3 low

12 rows selected.

SQL>

Now Score The “Unauthorized Connection” Based on the Risk Tables

[Report columns: Unauthorized Application, Unauthorized Client IP, Unauthorized DB Users]

Calculating Risk

MS Excel – Unauthorized “High Risk” application directly connecting to the database
Joe – “High Risk” user based on entitlement report
Core network – Not “Classified Network” (10.70.147.57)

Rating scale: High = 1, Medium = 2, Low = 3

Joe: Priv User = 1 (High); Unauthorized Network = 1 (High); Unauthorized Application = 1 (High)
Total Risk Score: 3
Baseline: 7

Security Policy - All connections at 7 or lower shall be monitored and audited

Other Connections…

Joe: Priv User = 1 (High); Unauthorized Network = 1 (High); Unauthorized Application = 1 (High)
Total Risk Score – Joe: 3

Administrator: Priv User = 1 (High); Authorized Network = 3 (Low); Authorized Application = 3 (Low)
Total Risk Score – Administrator: 7

JOCONNOR: App User = 3 (Low); Authorized Network = 3 (Low); Authorized Application = 3 (Low)
Total Risk Score – JOCONNOR: 9
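The scoring on the Calculating Risk and Other Connections slides, worked through as an added example (not code from the deck or from Guardium). The deck's Employee, userRisk, appNameRisk and ipAddressRisk listings are loaded into an in-memory SQLite database, each connection attribute is looked up and the three values are summed exactly as the slides do, and the security policy from the Calculating Risk slide (a score of 7 or lower is monitored and audited) is applied. The Administrator and JOCONNOR employee rows, the treatment of an attribute found in no table as unauthorized (value 1, high), and resolving user risk through the department number are assumptions made here; the known connection profile from the DAM best practices slide is also checked, so that a connection's deviations in application, client IP or DB user are reported beside its score.

```python
import sqlite3

# Rows taken from the deck's SQL*Plus listings (a subset is enough for the
# scoring). Table keys are stored lowercase. The Administrator and JOCONNOR
# employees are constructed here: the deck scores those connections but does
# not show their rows.
EMPLOYEES = [
    (1, "Joe DiPietro", "joe", 10, "Database Engineering"),
    (2, "John Smith", "john", 20, "Application Development"),
    (3, "Sally Johnson", "sally", 30, "Business Analytics"),
    (4, "Ron Harrison", "ron", 40, "Retail Banking LOB"),
    (5, "Administrator", "administrator", 10, "Database Engineering"),  # constructed
    (6, "J. O'Connor", "joconnor", 40, "Retail Banking LOB"),           # constructed
]
USER_RISK = [(10, 1, "high"), (20, 1, "high"), (30, 2, "medium"), (40, 3, "low")]
APP_RISK = [("toad", 1, "high"), ("excel", 1, "high"), ("sqlplus", 1, "high"),
            ("retailbanking", 3, "low")]
IP_RISK = [("10.10.9.240", 2, "medium"), ("10.10.9.241", 2, "medium"),
           ("10.10.9.56", 3, "low"), ("10.10.9.58", 3, "low")]

# Assumption: an attribute found in no risk table is unknown, hence
# unauthorized, and scores as "high" (1). Lower totals mean higher risk.
UNKNOWN_RISK = 1

# Authorized connection profile from the DAM best practices slide:
# (application, application server IP, database user).
KNOWN_PROFILES = {("onlinebanking", "10.10.9.244", "appuser")}


def build_db():
    """Load the risk tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (id INTEGER, userName TEXT, dbUser TEXT,
                               deptNum INTEGER, deptName TEXT);
        CREATE TABLE userRisk (deptNum INTEGER, riskValue INTEGER, riskRating TEXT);
        CREATE TABLE appNameRisk (appName TEXT, riskValue INTEGER, riskRating TEXT);
        CREATE TABLE ipAddressRisk (ipAddress TEXT, riskValue INTEGER, riskRating TEXT);
    """)
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO userRisk VALUES (?,?,?)", USER_RISK)
    conn.executemany("INSERT INTO appNameRisk VALUES (?,?,?)", APP_RISK)
    conn.executemany("INSERT INTO ipAddressRisk VALUES (?,?,?)", IP_RISK)
    return conn


def _lookup(conn, sql, key):
    row = conn.execute(sql, (key,)).fetchone()
    return row[0] if row else UNKNOWN_RISK


def score_connection(conn, db_user, client_ip, app_name):
    """Return (total, per-attribute values). User risk is resolved through the
    employee's department (assumption); the total is the plain sum the deck uses."""
    parts = {
        "user": _lookup(conn, "SELECT r.riskValue FROM employee e JOIN userRisk r "
                              "ON e.deptNum = r.deptNum WHERE e.dbUser = ?",
                        db_user.lower()),
        "network": _lookup(conn, "SELECT riskValue FROM ipAddressRisk "
                                 "WHERE ipAddress = ?", client_ip),
        "application": _lookup(conn, "SELECT riskValue FROM appNameRisk "
                                     "WHERE appName = ?", app_name.lower()),
    }
    return sum(parts.values()), parts


def policy_action(score, audit_threshold=7):
    """Security policy from the slide: connections at 7 or lower are monitored
    and audited; the threshold is a parameter so it can be tuned."""
    return "monitor and audit" if score <= audit_threshold else "allow"


def profile_deviations(app_name, client_ip, db_user):
    """Attributes in which a connection differs from the closest known profile;
    an empty set means it matches an authorized profile exactly."""
    observed = (app_name.lower(), client_ip, db_user.lower())
    names = ("application", "client_ip", "db_user")
    diffs = [{n for n, o, k in zip(names, observed, prof) if o != k}
             for prof in KNOWN_PROFILES]
    return min(diffs, key=len)


if __name__ == "__main__":
    db = build_db()
    # Connections from the Calculating Risk and Other Connections slides
    for user, ip, app in [("joe", "10.70.147.57", "excel"),
                          ("administrator", "10.10.9.56", "retailBanking"),
                          ("JOCONNOR", "10.10.9.58", "retailBanking")]:
        total, parts = score_connection(db, user, ip, app)
        print(f"{user:14} score={total} {parts} -> {policy_action(total)};"
              f" deviates in {sorted(profile_deviations(app, ip, user))}")
```

Running the block prints one line per connection (Joe scores 3, Administrator 7, JOCONNOR 9). Two points of the design are worth keeping whatever the real tables look like: the score is a sum of three small integers, so unrelated connections tie often and the per-attribute breakdown should travel with the total; and anything missing from a risk table must score as unknown rather than be skipped, otherwise an unlisted client IP would silently lower the risk instead of raising it.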

Creating Risk Map Based on IT Role

[Matrix of IT roles (System Administrator, Database Administrator, Application Developer, Application User, Privilege User, Information Security, Audit, Risk & Compliance) against risk areas; the x marks did not survive extraction]

Other Risk Concerns
1. Weak security
2. Unauthorized access to data
3. Unauthorized remote access
4. Inaccurate information
5. Erroneous or falsified data input
6. Misuse by authorized end users
7. Incomplete processing
8. Duplicate transactions
9. Untimely processing
10. Communications system failure
11. Inadequate training
12. Inadequate support
13. etc…

High Risk Connections - Eliminating Risk Over “4”

Proactively block connections from “Unauthorized” IP Addresses, High Risk Applications and/or Users
[Figure: S-GATE flow – privileged users (application servers, outsourced DBA) issue SQL; S-GATE holds the SQL and checks policy on the appliance before it reaches the database (Oracle, DB2, MySQL, Sybase, etc.); on a policy violation the connection is dropped and the session terminated]

Quick Review… 3 Types of Security Controls Are Required For “Crown Jewels” – Risk By Type of User

1. Application security controls
– Separation of duties for Privilege Application User & Application User access
2. Database security controls
– Continuously monitor direct access to the database, which will bypass the application controls
3. System administrator security controls
– Operating System controls to monitor file access, copy, and modification

Application Security Controls - Guardium For Applications

Customer Service Representatives (CSRs) access company applications remotely
Guardium is installed in the middle to guarantee that application screens undergo the masking process
CSRs utilize the application as usual
Sensitive information unessential for CSR operation is masked out
[Figure: in the Data Center the screen shows Name: John Smith, SSN: 111-11-1111, Balance: $127.50; after the Guardium Masking Gateway, the Outsourced Call Center screen shows Name: John Smith, SSN: * * * * * * 35, Balance: $127.50]
Guardium for Applications demo on PeopleSoft

Application Security Controls - AppScan

IBM Security AppScan Trial download

Database Controls Can Cover 3 Types of Rules

[Figure: (1) SQL Query from the client to the Database Server, (2) Result Set returned by the Database, (3) Exception (i.e. SQL Errors & more) returned by the server]
There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3. An exception rule evaluates exceptions returned by the server

System Admin Controls - Guardium Data Encryption (GDE)

[Figure: a file (Name: J Smith, CCN: 60115793892, Exp Date: 04/04, Bal: $5,145,789, SSN: 514-73-8970; file system metadata Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02) shown as clear text file data, and after block-level “MetaClear” encryption, where the file data is ciphertext (e.g. dfjdNk%(Amg 8nGmwlNskd 9f …) while the file system metadata stays readable]
Protects Sensitive Information Without Disrupting Data Management
High-Performance Encryption
Root Access Control
Data Access as an Intended Privilege
Guardium Data Encryption Tech Talk (YouTube) (1 of 3)

Guardium Data Encryption (GDE) - System Administrator Controls (Deny, Encrypt, Audit, Permit)

WHO is attempting to access protected data?
– Configure groups, or applications who can access protected data
WHAT data is being accessed?
– Configure appropriate file and directory access
WHEN is the data being accessed?
– Configure a range of hours and days of the week for authorized access
HOW is the data being accessed?
– Configure allowable file system operations allowed to access the data, e.g. read, write, delete, rename, application or process, etc.
EFFECT: Permit; Deny; Encrypt; Audit
[Figure: root users can (1) read directory /SAPDirectory, but it will be encrypted and audited (the read returns ciphertext such as $%#@!*(&^$%$%^&*()(*&^%$#@#$%^&*DFGHJTR#$), and (2) are blocked from accessing directory /NoAccess]
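An added illustration of the WHO / WHAT / WHEN / HOW / EFFECT model above, written for this page and not taken from Guardium Data Encryption itself: a small policy evaluator in which each rule names the principals, a path pattern, an hours-and-weekday window and the file operations it covers, and yields a set of effects. The three rules (an SAP service group with clear-text access to /SAPDirectory during business hours, root allowed to read /SAPDirectory only as encrypted and audited data, everyone blocked from /NoAccess) follow the slide's example; the group names, the business-hours window and the fail-closed default are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
import fnmatch


@dataclass(frozen=True)
class Rule:
    who: frozenset      # user or group names; "*" means anyone
    what: str           # path glob the rule protects
    hours: range        # allowed hours of the day (24h clock)
    days: frozenset     # allowed weekdays, Monday = 0 ... Sunday = 6
    how: frozenset      # file system operations the rule covers
    effect: frozenset   # any of "permit", "deny", "encrypt", "audit"


BUSINESS_DAYS = frozenset(range(0, 5))   # assumption: Monday to Friday
ANY_DAY = frozenset(range(0, 7))
ANY_OP = frozenset({"read", "write", "delete", "rename"})

# Policy following the slide's example; group names and hours are assumptions.
POLICY = [
    # SAP service accounts get clear-text access to /SAPDirectory in business hours
    Rule(frozenset({"sapgroup"}), "/SAPDirectory/*", range(8, 18), BUSINESS_DAYS,
         ANY_OP, frozenset({"permit"})),
    # root may read /SAPDirectory at any time, but only sees ciphertext and is audited
    Rule(frozenset({"root"}), "/SAPDirectory/*", range(0, 24), ANY_DAY,
         frozenset({"read"}), frozenset({"permit", "encrypt", "audit"})),
    # nobody, root included, touches /NoAccess
    Rule(frozenset({"*"}), "/NoAccess/*", range(0, 24), ANY_DAY,
         ANY_OP, frozenset({"deny", "audit"})),
]

# Fail closed: a request no rule covers is denied and logged.
DEFAULT_EFFECT = frozenset({"deny", "audit"})


def rule_matches(rule, user, groups, path, op, at):
    """WHO, WHAT, WHEN and HOW must all match for a rule to apply."""
    principals = {user, *groups}
    who_ok = "*" in rule.who or bool(rule.who & principals)
    return (who_ok and fnmatch.fnmatch(path, rule.what)
            and at.hour in rule.hours and at.weekday() in rule.days
            and op in rule.how)


def evaluate(policy, user, groups, path, op, at):
    """First matching rule wins; returns the set of effects to apply."""
    for rule in policy:
        if rule_matches(rule, user, groups, path, op, at):
            return rule.effect
    return DEFAULT_EFFECT


# Constructed request times used by the demo below.
WEEKDAY_10AM = datetime(2015, 7, 1, 10, 0)   # a Wednesday, inside business hours
WEEKDAY_3AM = datetime(2015, 7, 1, 3, 0)     # same day, outside business hours
SUNDAY_10AM = datetime(2015, 7, 5, 10, 0)    # weekend

if __name__ == "__main__":
    for who, grp, path, op, when in [
        ("sapadm", ["sapgroup"], "/SAPDirectory/data.db", "read", WEEKDAY_10AM),
        ("sapadm", ["sapgroup"], "/SAPDirectory/data.db", "read", SUNDAY_10AM),
        ("root", ["wheel"], "/SAPDirectory/data.db", "read", WEEKDAY_3AM),
        ("root", ["wheel"], "/SAPDirectory/data.db", "write", WEEKDAY_10AM),
        ("root", ["wheel"], "/NoAccess/secret.txt", "read", WEEKDAY_10AM),
    ]:
        print(who, op, path, when.strftime("%a %H:%M"), "->",
              sorted(evaluate(POLICY, who, grp, path, op, when)))
```

The rule order matters: the first match wins, so the narrow clear-text rule for the SAP group sits above the root rule, and the /NoAccess deny applies to root as well because "*" matches every principal. A root write to /SAPDirectory falls through every rule and lands on the fail-closed default, which is the behaviour you want from a control whose purpose is to keep the system administrator's OS privileges from translating into clear-text data access.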

Operating System Switch User “SU” To Gain Access

System Administrators have a lot of power
• Be careful for “SU”
• Proactive Policies are required
Use Continuous Monitoring to identify high risk users who can switch identity

Summary

1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/
2. Look for (DAM) suspicious activity
– Hackers are inside networks long before organizations understand what’s going on with their data
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html
3. Have a plan for when data is exfiltrated (from Ponemon Institute, sponsored by IBM)
– http://www-03.ibm.com/security/data-breach/
4. Encryption covers a multitude of sins…
Greater than 200 Days!! (2015 Ponemon Study)

Learn and try

Learn more about some of what we talked about today:
• YouTube video demo on Connection Profiling (part 1 of 3)
• developerWorks article on Guardium PCI accelerator
• Outliers and Quick Search demo on YouTube
• Database discovery and sensitive data finder (Classifier) tech talk
• Getting Started with Vulnerability Assessment Tech talk
• Guardium for Applications demo on PeopleSoft
• Guardium Data Encryption Tech Talk (YouTube) (1 of 3)
And try:
• IBM Security AppScan Trial download
• Guardium Vulnerability Assessment Trial Download

Learn more

Understand risk and compliance mandates
– Whitepapers: Protect payment card data with InfoSphere; Help ensure HIPAA compliance with InfoSphere; Understanding encryption requirements of PCI DSS
– ebook: Managing compliance to protect enterprise data
Talk to your sales rep about holistic data security
– Whitepaper: Secure Enterprise Data & Ensure Compliance
– ROI Study: Forrester Total Economic Impact of InfoSphere Guardium
– Website: InfoSphere Guardium Database Security

Gracias / Merci / Grazie / Obrigado / Danke / Tack / Dziękuję
(the slide shows thanks in Japanese, French, Russian, German, Italian, Spanish, Brazilian Portuguese, Arabic, Traditional Chinese, Simplified Chinese, Thai, Swedish and Polish)

Backup Slides

AppScan


Use Extrusion Rules On Result Sets for Pattern Access

Monitor for data access and exfiltration. Attackers who bypass perimeter controls become “trusted insiders” in most organizations because the internal network is trusted and unmonitored. Deploy network analysis and visibility (NAV) tools to gain insight into how traffic is traversing your entire network. [19]
guardium://CREDIT_CARD
Empty Value: Enter the special value guardium://empty to test for an empty value in the traffic. This is allowed only in the following fields: DB Name, DB User, App User, OS User, Src App, Event Type, Event User Name, and App Event Text.
Note: You can also use regular expressions in the following fields (DB user, App User, SRC App, Field name, Object, App Event Values Text) by typing the special value guardium://regexp/(regular expression) in the text box that corresponds to the field.
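An added example covering both the classifier rule on the Step 1 slide and the extrusion-rule idea on this slide; it is written for this page and is not Guardium's implementation. It matches the pattern the Step 1 slide states for a valid credit card number (16 digits, or four groups of four separated by a blank), keeps only the matches that pass the Luhn check, and uses that in two places: a crawl over (table, column, value) samples, as a classification scan would, and a check over the rows of a result set, as an extrusion rule would. The sample rows are constructed, and the card numbers in them are the well-known public test numbers 4111111111111111 and 4012888888881881, not real accounts. The hyphenated number in the samples shows a caveat of the pattern as the slide states it: that format is not matched.

```python
import re

# Pattern stated on the Step 1 slide: a string of 16 digits, or four sets of
# four digits with each set separated by a blank. The look-arounds stop a run
# of 17 or more digits from yielding a 16-digit "match".
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d{16}|\d{4} \d{4} \d{4} \d{4})(?!\d)")


def luhn_valid(digits):
    """Luhn check: walking from the rightmost digit, double every second digit,
    subtract 9 from any doubled value above 9, and require the total to be a
    multiple of 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Every substring that matches the pattern and also passes Luhn."""
    return [m.group(0) for m in CARD_PATTERN.finditer(text)
            if luhn_valid(m.group(0).replace(" ", ""))]


def classify_rows(rows):
    """Classifier-style crawl over (table, column, value) samples: returns a
    dict of (table, column) -> number of card numbers seen there."""
    found = {}
    for table, column, value in rows:
        hits = find_card_numbers(str(value))
        if hits:
            found[(table, column)] = found.get((table, column), 0) + len(hits)
    return found


def extrusion_check(result_rows):
    """Extrusion-style check over a result set: indexes of rows whose returned
    values carry a Luhn-valid card number."""
    return [i for i, row in enumerate(result_rows)
            if any(find_card_numbers(str(v)) for v in row)]


# Constructed samples; the card numbers are the public test numbers
# 4111111111111111 and 4012888888881881, not real accounts.
SAMPLE_ROWS = [
    ("CREDITCARD", "PAN", "4111111111111111"),
    ("CREDITCARD", "PAN", "4012 8888 8888 1881"),
    ("ORDERS", "ORDER_NO", "1234567890123456"),             # 16 digits, fails Luhn
    ("ORDERS", "NOTE", "callback re 4111-1111-1111-1111"),  # hyphens: not the stated pattern
    ("ADDRESS", "STREET", "12 Main St"),
]
# Constructed result set, as a query such as "select name, note from customers" might return.
RESULT_SET = [
    ("Ann", "pan 4111111111111111"),
    ("Bob", "order 1234567890123456"),
    ("Cid", "4012 8888 8888 1881"),
]

if __name__ == "__main__":
    print(classify_rows(SAMPLE_ROWS))   # {('CREDITCARD', 'PAN'): 2}
    print(extrusion_check(RESULT_SET))  # [0, 2]
```

The Luhn step is what keeps the ORDERS.ORDER_NO column out of the findings: a 16-digit order number matches the pattern but not the checksum, so without it the classifier would flag every wide numeric column. The NOTE row is the other side of that trade-off; a column holding hyphenated card numbers is missed by the pattern as the slide states it, so a wider search expression is needed for that format.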

Additional Slides for reference

IBM SmartCloud Virtual Guardium Users Group Community

Guardium community on developerWorks: bit.ly/guardwiki
[Screenshot of the community page; the tech talk links are in the right nav]

Most approaches to data security and compliance miss the mark

Do nothing … however:
– Limited time, lots of regulation, growing costs of compliance
– Requirements for privacy/security by user role add complexity
– $3.5M per year average cost of compliance
– $5.5M USD average cost of a data breach
– $194 USD average cost of a data breach per compromised record
– 28,349 average number of breached records per incident
– 94% of compromised records originated in database servers
Leverage home grown approaches … however:
– Manual approaches lead to higher risk and inefficiency
– Requirements for privacy/security by user role add complexity
– New source of threats: outsourcing, web-facing applications, stolen credentials, insiders
Implement a holistic data protection strategy
“Don’t focus just on one or two databases but extend your efforts to become enterprise-wide — encompassing hundreds and thousands of databases.”
-- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc, July 13, 2011