IBM InfoSphere Guardium overview

Posted 19-Oct-2014 (category: Technology)


Description

IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.

Transcript of IBM InfoSphere Guardium overview

Page 1: IBM InfoSphere Guardium overview

© 2009 IBM Corporation

Guardium Database Monitoring & Protection

Karl Wehden, IBM InfoSphere Worldwide Data Governance Team, 28 September 2010


Page 2: IBM InfoSphere Guardium overview


Guardium Value Proposition: Continuously Monitor Access to High-Value Databases to …

1.  Prevent data breaches
–  Mitigate external & internal threats

2.  Assure data governance
–  Prevent unauthorized changes to sensitive data

3.  Reduce cost of compliance
–  Automate & centralize controls
→  Across DBMS platforms & applications
→  Across SOX, PCI, SAS70, …
–  Simplify processes

Page 3: IBM InfoSphere Guardium overview


Perimeter Defenses No Longer Sufficient


“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.”
- William J. Lynn III, U.S. Deputy Defense Secretary

Diagram labels (exposure points around the database):
•  Outsourcing
•  Web-Facing Apps
•  Legacy App Integration/SOA
•  Employee Self-Service, Partners & Suppliers
•  Insiders (DBAs, developers, outsourcers, etc.)
•  Stolen Credentials (Zeus, etc.)

Page 4: IBM InfoSphere Guardium overview


Defense in Depth Strategy for Privacy and Security:


User access monitoring

Prevention of unauthorized access

Production data encryption

Unstructured data redaction

Non-production data masking

Archiving and retention compliance

Page 5: IBM InfoSphere Guardium overview


Balanced Control Objectives

Visibility into Risk Costs Money:

•  The introduction of unchecked detective controls can introduce significant cost
•  The lack of detective controls can create a comfortably underestimated level of risk
•  Evaluate the total cost of control introduction:
–  Operational cost
–  Risk mitigation cost
–  Risk avoidance benefit
–  Model out for longer than the benefit of the tools selected


Page 6: IBM InfoSphere Guardium overview


Top Data Protection Challenges

Page 7: IBM InfoSphere Guardium overview


“Largest Hacking Case Ever Prosecuted”

•  Gonzalez sentenced to xx years for Operation Get Rich or Die Tryin’
–  Heartland, 7-Eleven, Hannaford: Stole 130M cards via SQL injection, network reconnaissance, malware, sniffers
–  Dave & Buster’s: Stole admin password file from POS service provider
–  TJX, OfficeMax + 6 other retailers: Stole 40M cards via SQL injection & war driving; aided by former Barclay’s network security manager (“healthy childhood, white-collar success”)
–  San Diego case: International ring (Ukraine, Estonia, PRC, Philippines, Thailand); “Maksik” Yastremskiy sentenced to 30 years in Turkish prison; hacked 11 Turkish banks
•  “Our most formidable challenge is getting companies to detect they have been compromised ...”
- Kimberly Kiefer Peretti, senior counsel, DoJ

Photo captions: Albert Gonzalez, aka soupnazi; Stephen Watt, author of “blabla” sniffer: 2 years in prison & $170M in restitution; “Maksik” Yastremskiy: 30 years in Turkish prison

Page 8: IBM InfoSphere Guardium overview


Chosen by Leading Organizations Worldwide

•  5 of the top 5 global banks
•  2 of the top 3 global retailers
•  4 of the top 6 global insurers
•  2 of the world’s favorite beverage brands
•  The most recognized name in PCs
•  25 of the world’s leading telcos
•  Top government agencies
•  Top 3 auto maker
•  #1 dedicated security company
•  Leading energy suppliers
•  Major health care providers
•  Media & entertainment brands

Page 9: IBM InfoSphere Guardium overview


Key Drivers for Guardium

•  SOX (Health Care payers)
–  Prevent unauthorized changes to financial data
•  Consumer privacy
–  Prevent unauthorized viewing of personal data, especially by privileged users (DBAs, developers, outsourcers)
–  New Massachusetts law requires monitoring controls to be in place for all Personally Identifiable Information (PII)
–  HITECH adds teeth to HIPAA regulations
•  PCI
–  Track and monitor all access to cardholder data (Req. 10)
–  Protect stored cardholder data (Req. 3)
–  Identify unpatched systems & enforce change controls (Req. 6)
–  Compensating control for network segmentation (Req. 7) & column-level encryption (Req. 3)
•  Cost savings
–  Streamline compliance with automated & centralized controls
–  < 6 months payback (typical)

Page 10: IBM InfoSphere Guardium overview


Addressing the Full Database Security Lifecycle

Lifecycle diagram: Critical Data Infrastructure at the center, surrounded by the stages Discover & Classify, Assess & Harden, Monitor & Enforce, Audit & Report.

Page 11: IBM InfoSphere Guardium overview


Real-Time Database Security & Monitoring

•  Non-invasive architecture
•  Outside database
•  Minimal performance impact (2-3%)
•  No DBMS or application changes
•  Cross-DBMS solution
•  100% visibility including local DBA access
•  Enforces separation of duties
•  Does not rely on DBMS-resident logs that can easily be erased by attackers or rogue insiders
•  Granular, real-time policies & auditing
•  Who, what, when, how
•  Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)

Diagram labels: SQL Server, DB2

Page 12: IBM InfoSphere Guardium overview


Scalable Multi-Tier Architecture

Integration with LDAP/AD, IAM, change management, SIEM, archiving, …

Page 13: IBM InfoSphere Guardium overview


Page 14: IBM InfoSphere Guardium overview


Thank You!

Page 15: IBM InfoSphere Guardium overview


IBM/Guardium vs. Oracle Database Security

Comparison table (columns: Oracle Database Vault, Oracle Audit Vault, IBM/Guardium; the per-cell ratings are not preserved in this transcript). Criteria compared:
•  Reduces DBA workload
•  Real-time monitoring & alerting
•  Enforces Separation of Duties (SoD)
•  Minimal performance impact or changes
•  Heterogeneous support
•  Extrusion/data leakage monitoring
•  Application monitoring (EBS, PeopleSoft, SAP, etc.)

Oracle is a registered trademark of Oracle Corporation and/or its affiliates.

Page 16: IBM InfoSphere Guardium overview


Appendix


Page 17: IBM InfoSphere Guardium overview


Blue Cross Blue Shield Case Study

•  Who: BCBS organization with 475,000 members
•  Need: Secure financial data for SOX; secure patient data for HIPAA; adhere to NIST
–  Monitor all access to critical databases, including access by privileged users
–  Create a centralized audit trail for all database systems
–  Produce detailed compliance reports for auditors
–  Implement proactive security via real-time alerts
•  Environment:
–  Oracle, SQL Server 2003/2005, IBM DB2, Sybase
–  AIX & Windows
–  LDAP & Microsoft MOM
•  Alternatives considered:
–  Native logging: Rejected due to performance overhead & need for centralized management
–  Application Security Inc (AppSec): Preferred Guardium’s appliance model
•  Results:
–  Monitoring 130 database instances on 100 servers (3 week implementation)
–  Guardium helped client to interpret regulations and implement policies
–  Integrated with Tivoli Storage Manager (TSM) for archiving of audit data

Page 18: IBM InfoSphere Guardium overview


Global Manufacturer with 239% ROI

•  Who: F500 consumer food manufacturer ($15B revenue)
•  Need: Secure SAP & Siebel data
–  Enforce change controls & implement consistent auditing across platforms
•  Environment:
–  SAP, Siebel, Manugistics, IT2 + 21 other Key Financial Systems (KFS)
–  Oracle & IBM DB2 on AIX; SQL Server on Windows
•  Results: 239% ROI & 5.9 months payback, plus:
–  Proactive security: Real-time alert when changes made to critical tables
–  Simplified compliance: Passed 4 audits (internal & external). “The ability to associate changes with a ticket number makes our job a lot easier … which is something the auditors ask about.” [Lead Security Analyst]
–  Strategic focus on data security. “There’s a new and sharper focus on database security within the IT organization. Security is more top-of-mind among IT operations people and other staff such as developers.”

Commissioned Forrester Consulting Case Study

Page 19: IBM InfoSphere Guardium overview


Safeguarding Customer Information for Washington Metropolitan Area Transit Authority (Metro)

•  Who: Operates 2nd largest U.S. rail transit system and transports more than a third of the federal government to work
•  Need: Metro needed to safeguard sensitive customer data and simplify compliance with PCI-DSS, without impacting performance or changing database configurations
–  Protecting customer data
–  Passing audits more quickly and easily
–  Monitoring for potential fraud in PeopleSoft system
•  Environment:
–  More than 9 million transactions per year (Level 1 merchant)
–  Complex, multi-tier heterogeneous environment
•  Alternatives considered: Native logging and auditing impractical
•  Customer Impact: “Our customers trust us to transport them safely and safeguard their personal information.”
–  “We looked at native DBMS logging and auditing, but it’s impractical because of its high overhead, especially when you’re capturing every SELECT in a high-volume environment like ours. In addition, native auditing doesn’t enforce separation of duties or prevent unauthorized access by privileged insiders.”

Page 20: IBM InfoSphere Guardium overview


How Does Guardium Complement Tivoli?

•  Guardium is part of the “Data and Information” layer of the IBM Security Framework
•  Integrates with Tivoli Security & Information Event Manager (TSIEM) for sharing of policy violation alerts & selected log information
•  Use TSIEM for:
–  Collecting logs & events from wide range of systems (UNIX, Windows, z/OS, firewalls, etc.)
–  Enterprise-wide dashboard & reports; correlation
•  Use Guardium for:
–  All database-related security & compliance functions: real-time monitoring & auditing (including privileged user monitoring), vulnerability assessment, data discovery, configuration auditing, compliance reporting & workflow automation
–  Feeding policy violations & audit logs to TSIEM

Page 21: IBM InfoSphere Guardium overview


IBM Acquires Guardium (11/30/09)

•  Joining IBM's Information Management business
•  Why Guardium? Unique ability to:
–  Safeguard critical enterprise information
–  Reduce operational costs by automating compliance processes
–  Simplify governance with centralized policies for heterogeneous infrastructures
–  Continuously monitor access and changes to high-value databases
•  Trusted information lies at the center of today’s business transformations
–  Guardium enables organizations to maintain trusted information infrastructures
–  Business analytics and trusted information drive smarter business outcomes
–  This supports IBM’s vision of creating a Smarter Planet: Smarter energy, smarter healthcare, smarter cities, smarter finance, smarter IT, and more

Page 22: IBM InfoSphere Guardium overview


How Guardium Fits with IBM’s IM Portfolio: Governance

Portfolio diagram labels: Relating Information, Mastering Information, Integrating Information, Governing Information; products shown: Guardium, Optim, InfoSphere.

Page 23: IBM InfoSphere Guardium overview


How Guardium Fits with IBM’s Security Portfolio

•  Tivoli Identity Manager, Access Manager, zSecure, SIEM, …
•  Guardium DB Monitoring, Optim TDM & DP, AME, SIEM, …
•  Rational AppScan, Ounce Suite, WebSphere DataPower, …
•  Server Protection, Network Intrusion Prevention System (IPS), …

Page 24: IBM InfoSphere Guardium overview


PCI Compliance for McAfee.com

•  Who: World’s largest dedicated security company
•  Need: Safeguard millions of PCI transactions
–  Maintain strict SLAs with ISP customers (Comcast, COX, etc.)
–  Automate PCI controls
•  Environment: Guardium deployed in less than 48 hours
–  Multiple data centers; clustered databases
–  Integrated with ArcSight SIEM
–  Expanding coverage to SAP systems for SOX
•  Previous Solution: Central database audit repository with native DBMS logs
–  Massive data volumes; performance & reliability issues; SOD issues
•  Results:
–  “McAfee needed a solution with continuous real-time visibility into all sensitive cardholder data – in order to quickly spot unauthorized activity and comply with PCI-DSS – but given our significant transaction volumes, performance and reliability considerations were crucial.”
–  “We were initially using a database auditing solution that collected information from native DBMS logs and stored it in an audit repository, but granular logging significantly impacted our database servers and the audit repository was simply unable to handle the massive transaction volume generated by our McAfee.com environment.”

Page 25: IBM InfoSphere Guardium overview


Financial Services Firm with 1M+ Sessions/Day

•  Who: Global NYSE-traded company with 75M customers
•  Need: Enhance SOX compliance & data governance
–  Phase 1: Monitor all privileged user activities, especially DB changes.
–  Phase 2: Focus on data privacy.
•  Environment: 4 data centers managed by IBM Global Services
–  122 database instances on 100+ servers
–  Oracle, IBM DB2, Sybase, SQL Server on AIX, HP-UX, Solaris, Windows
–  PeopleSoft plus 75 in-house applications
•  Alternatives considered: Native auditing
–  Not practical because of performance overhead; DB servers at 99% capacity
•  Results: Now auditing 1M+ sessions per day (GRANTs, DDL, etc.)
–  Caught DBAs accessing databases with Excel & shared credentials
–  Producing daily automated reports for SOX with sign-off by oversight teams
–  Automated change control reconciliation using ticket IDs
–  Passed 2 external audits

Page 26: IBM InfoSphere Guardium overview


Securing Customer Data for European Telco

•  Who: Global telco with 70M mobile customers; €30B revenue.
•  Need: Ensure privacy of call records for compliance with data privacy laws.
–  Phase 1: Safeguard OSS systems
–  Phase 2: Safeguard BSS systems
•  Environment: 15 heterogeneous, geographically-distributed data centers
–  Oracle, SQL Server, Informix, Sybase
–  HP-UX, HP Tru64, Solaris, Windows, UNIX
–  SAP, Remedy plus in-house applications (billing, Web portal, etc.)
•  Alternatives considered: Native auditing; Oracle Audit Vault.
–  Not practical because of performance overhead; lack of granularity; non-support for older versions; need for multi-DBMS support.
•  Results:
–  Deployed to 12 initial data centers in only 2 weeks!
–  Now auditing all traffic in high-traffic environment; centrally managed.
–  Passed several external audits
–  Future plans: Implement application user monitoring; 2-factor authentication; expand scope to other applications.

Page 27: IBM InfoSphere Guardium overview


Simplifying Enterprise Security for Dell

•  Need:
–  Improve database security for SOX, PCI & SAS70
–  Simplify & automate compliance controls
•  Guardium Deployment:
–  Phase 1: Deployed to 300 DB servers in 10 data centers (in 12 weeks)
–  Phase 2: Deployed to additional 725 database servers
•  Environment:
–  Oracle & SQL Server on Windows, Linux; Oracle RAC, SQL Server clusters
–  Oracle EBS, JDE, Hyperion plus in-house applications
•  Previous Solution: Native logging (MS) or auditing (Oracle) with in-house scripts
–  Supportability issues; DBA time required; massive data volumes; SOD issues.
•  Results: Automated compliance reporting; real-time alerting; centralized cross-DBMS policies; closed-loop change control with Remedy integration
–  Guardium “successfully met Dell’s requirements without causing outages to any databases; produced a significant reduction in auditing overhead in databases.”

Published case study in Dell Power Solutions

Page 28: IBM InfoSphere Guardium overview


Addressing the Full Database Security Lifecycle (lifecycle diagram repeated from page 10: Critical Data Infrastructure surrounded by Discover & Classify, Assess & Harden, Monitor & Enforce, Audit & Report)

Page 29: IBM InfoSphere Guardium overview


Granular Policies with Detective & Preventive Controls

Diagram: Application Server (10.10.9.244) → Database Server (10.10.9.56)

Page 30: IBM InfoSphere Guardium overview


Enforcing Change Control Policies


•  Tag DBA actions with ticket IDs
•  Compare observed changes to approved changes
•  Identify unauthorized changes (red) or changes with invalid ticket IDs
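The three steps on this slide (tag, compare, flag) amount to a reconciliation join between captured DDL/GRANT activity and the change-ticket system. The following is an added example written for this page, not Guardium's own code: the CHG-nnnnn ticket format, the approval list, the DBA account names and the captured change records are all constructed. It classifies each observed change as approved, lacking a ticket, carrying an unknown ticket, or carrying a valid ticket that does not cover this DBA, object or maintenance window.

```python
"""Reconcile observed database changes against approved change tickets.

Added example for this page, not Guardium's own code: the CHG-nnnnn ticket
format, the approval list and the captured change records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

TICKET_RE = re.compile(r"\bCHG-\d{5}\b")  # assumed ticket-ID format


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str
    dba: str               # account the ticket authorizes to make the change
    obj: str               # object the ticket authorizes to change (SCHEMA.OBJECT)
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class ObservedChange:
    ts: datetime
    dba: str
    obj: str
    sql: str
    tag: str               # ticket tag captured with the session (may be empty)


def ticket_in(text):
    """Extract the first ticket ID from a session tag or a SQL comment."""
    m = TICKET_RE.search(text)
    return m.group(0) if m else None


def reconcile(observed, approved):
    """Classify each observed change as approved, no-ticket, invalid-ticket
    (ID not in the approval list) or ticket-mismatch (ID exists, but for a
    different DBA, object or maintenance window)."""
    by_ticket = {a.ticket: a for a in approved}
    verdicts = []
    for ch in observed:
        tid = ticket_in(ch.tag) or ticket_in(ch.sql)
        if tid is None:
            verdicts.append((ch, "no-ticket"))
        elif tid not in by_ticket:
            verdicts.append((ch, "invalid-ticket"))
        else:
            a = by_ticket[tid]
            in_window = a.window_start <= ch.ts <= a.window_end
            ok = a.dba == ch.dba and a.obj == ch.obj and in_window
            verdicts.append((ch, "approved" if ok else "ticket-mismatch"))
    return verdicts


def unauthorized(verdicts):
    """The rows a reviewer would see highlighted in red."""
    return [(ch, v) for ch, v in verdicts if v != "approved"]


def demo():
    """Constructed data: one approved ticket, four captured DDL/GRANT statements."""
    t0 = datetime(2010, 9, 28, 2, 0)
    approved = [ApprovedChange("CHG-10042", "dba_alice", "FIN.GL_ACCOUNTS",
                               t0, t0 + timedelta(hours=2))]
    observed = [
        ObservedChange(t0 + timedelta(minutes=30), "dba_alice", "FIN.GL_ACCOUNTS",
                       "ALTER TABLE FIN.GL_ACCOUNTS ADD COST_CENTER VARCHAR2(16)", "CHG-10042"),
        ObservedChange(t0 + timedelta(minutes=45), "dba_bob", "FIN.GL_ACCOUNTS",
                       "ALTER TABLE FIN.GL_ACCOUNTS DROP COLUMN AUDIT_FLAG", "CHG-10042"),
        ObservedChange(t0 + timedelta(hours=3), "dba_alice", "HR.SALARY",
                       "GRANT SELECT ON HR.SALARY TO PUBLIC /* CHG-99999 */", ""),
        ObservedChange(t0 + timedelta(hours=4), "dba_carol", "HR.SALARY",
                       "DROP TABLE HR.SALARY_BAK", ""),
    ]
    return [v for _, v in reconcile(observed, approved)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The mismatch class matters in practice: a ticket that is real but was issued to a different DBA or for a different object is the case a plain "is there a ticket number?" check lets through, and it is the one that an auditor asking "who approved this specific change" will probe.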

Page 31: IBM InfoSphere Guardium overview


Auditing Database Configuration Changes

•  Tracks changes to files, environment variables, registry settings, scripts, etc. that can affect security posture

•  200+ pre-configured, customizable templates for all major OS/DBMS configurations
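Configuration auditing of this kind reduces to taking a baseline fingerprint of the artifacts that shape the database's security posture and diffing later snapshots against it. Below is an added example written for this page, not Guardium's configuration-audit feature: it fingerprints configuration files (content hash, permission bits, owner) and selected environment variables, then reports additions, removals and changes. The file name, its contents and the DEMO_ORACLE_HOME variable are constructed for the demonstration.

```python
"""Baseline-and-diff auditing of database configuration artifacts.

Added example for this page, not Guardium's configuration-audit feature.
File names, contents and the DEMO_ORACLE_HOME variable are constructed.
"""
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path):
    """Content hash plus the metadata most often altered by mistake or on purpose."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def snapshot(paths, env_keys):
    """Fingerprint each file (None if absent) and record each environment value."""
    snap = {}
    for p in paths:
        snap["file:" + p] = file_fingerprint(p) if os.path.exists(p) else None
    for k in env_keys:
        snap["env:" + k] = os.environ.get(k)
    return snap


def diff(baseline, current):
    """List of (item, kind, old, new); kind is added, removed or changed."""
    changes = []
    for item in sorted(set(baseline) | set(current)):
        old, new = baseline.get(item), current.get(item)
        if old == new:
            continue
        if old is None:
            kind = "added"
        elif new is None:
            kind = "removed"
        else:
            kind = "changed"
        changes.append((item, kind, old, new))
    return changes


def demo():
    """Constructed scenario: a listener config is edited and made world-writable,
    and a DBA's environment variable is redirected to another software tree.
    Returns (category, kind) pairs so the result is independent of the temp path."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "listener.ora")
        with open(cfg, "w") as f:
            f.write("PORT=1521\n")
        os.chmod(cfg, 0o640)
        os.environ["DEMO_ORACLE_HOME"] = "/opt/db/home_a"
        baseline = snapshot([cfg], ["DEMO_ORACLE_HOME"])

        with open(cfg, "a") as f:
            f.write("LOCAL_OS_AUTHENTICATION=ON\n")
        os.chmod(cfg, 0o666)
        os.environ["DEMO_ORACLE_HOME"] = "/opt/db/home_b"
        current = snapshot([cfg], ["DEMO_ORACLE_HOME"])

        return [(item.split(":")[0], kind) for item, kind, _, _ in diff(baseline, current)]


if __name__ == "__main__":
    for category, kind in demo():
        print(category, kind)
```

Storing the permission bits and owner alongside the hash is deliberate: a configuration file whose content is unchanged but which became world-writable is a posture change the content hash alone would miss.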


Page 32: IBM InfoSphere Guardium overview


Cross-DBMS, Data-Level Access Control (S-GATE)

Diagram: privileged users (e.g. an outsourced DBA) and SQL application servers issue SQL; S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated. Database servers shown: Oracle, DB2, MySQL, Sybase, etc.

•  Cross-DBMS policies
•  Block privileged user actions
•  No database changes
•  No application changes
•  Without risk of inline appliances that can interfere with application traffic
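The policy diagram on page 29 and the S-GATE flow above describe one decision: given who is connecting, from where, and what statement they are about to run, choose a detective action (record or alert) or a preventive one (terminate before the statement is forwarded). The following is an added example written for this page, not the S-GATE implementation: the rule shapes, the privileged-user and sensitive-object groups, the account names and the sample requests are constructed. The only values taken from the deck are the application server (10.10.9.244) and database server (10.10.9.56) addresses from the page 29 diagram.

```python
"""Policy evaluation for SQL sessions before a statement reaches the database.

Added example for this page, not the S-GATE implementation: rule shapes, user
and object groups and sample requests are constructed. The 10.10.9.244 and
10.10.9.56 addresses are the ones shown on the deck's policy diagram.
"""
import ipaddress
import re
from dataclasses import dataclass

APP_SERVERS = {ipaddress.ip_address("10.10.9.244")}    # trusted application tier
DB_SERVER = ipaddress.ip_address("10.10.9.56")         # local (console/SSH) DBA access
PRIVILEGED = {"SYS", "SYSTEM", "DBA_OUTSOURCED"}       # constructed privileged-user group
SENSITIVE = {"PCI.CARDHOLDER", "HR.SALARY"}            # constructed sensitive-object group

VERB_RE = re.compile(r"^\s*(select|insert|update|delete|grant|revoke|alter|drop|create|truncate)\b", re.I)
OBJ_RE = re.compile(r"\b([A-Za-z_]\w*\.[A-Za-z_]\w*)\b")
DDL = {"ALTER", "DROP", "CREATE", "TRUNCATE", "GRANT", "REVOKE"}


@dataclass(frozen=True)
class Request:
    client_ip: str
    db_user: str
    sql: str


def parse(sql):
    """Verb and the SCHEMA.OBJECT names a statement touches (crude tokenizing)."""
    m = VERB_RE.match(sql)
    verb = m.group(1).upper() if m else "OTHER"
    objs = {o.upper() for o in OBJ_RE.findall(sql)}
    return verb, objs


# Actions: LOG and ALERT are detective (the statement proceeds, the record is kept
# or escalated); TERMINATE is preventive (the held statement is never forwarded).
def priv_reads_sensitive(req, verb, objs):
    return req.db_user in PRIVILEGED and verb == "SELECT" and bool(objs & SENSITIVE)


def priv_ddl(req, verb, objs):
    return req.db_user in PRIVILEGED and verb in DDL


def app_tier_traffic(req, verb, objs):
    return ipaddress.ip_address(req.client_ip) in APP_SERVERS and req.db_user not in PRIVILEGED


RULES = [  # ordered; first match wins
    (priv_reads_sensitive, "TERMINATE"),
    (priv_ddl, "ALERT"),
    (app_tier_traffic, "LOG"),
]


def evaluate(req):
    verb, objs = parse(req.sql)
    for predicate, action in RULES:
        if predicate(req, verb, objs):
            return action
    return "ALERT"   # default: unexpected sources are surfaced, not silently logged


def demo():
    """Constructed requests: app-tier query, local DBA read of card data,
    remote DDL by SYSTEM, and an unknown host using a reporting account."""
    requests = [
        Request("10.10.9.244", "APPUSER", "SELECT card_no FROM PCI.CARDHOLDER WHERE id = :1"),
        Request(str(DB_SERVER), "DBA_OUTSOURCED", "SELECT * FROM PCI.CARDHOLDER"),
        Request("192.0.2.20", "SYSTEM", "ALTER TABLE PCI.CARDHOLDER ADD NOTE VARCHAR2(200)"),
        Request("192.0.2.20", "REPORTING", "SELECT COUNT(*) FROM PCI.CARDHOLDER"),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Two design points carry over to any real deployment: the rule list is ordered so the preventive rule is tested first, and the default for traffic no rule describes is an alert rather than a silent log entry. The second local-DBA request is the one the slide's "100% visibility including local DBA access" claim is about, since a session opened on the database host itself never crosses the application tier.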

Page 33: IBM InfoSphere Guardium overview


Discovering & Classifying Sensitive Data

•  Discover databases
•  Discover sensitive data
•  Policy-based actions
–  Alerts
–  Add to group of sensitive objects

Page 34: IBM InfoSphere Guardium overview


Identifying Fraud at the Application Layer

•  Issue: Application server uses generic service account to access DB
–  Doesn’t identify who initiated transaction (connection pooling)
•  Solution: Guardium tracks access to application user associated with specific SQL commands
–  Out-of-the-box support for all major enterprise applications (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos…) and custom applications (WebSphere …)
–  No changes required to applications
–  Deterministic tracking of user IDs; does not rely on time-based “best-guess”

Diagram: application users Joe and Marc → Application Server (generic DB user) → Database Server
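Why "deterministic" rather than "time-based best-guess" matters is easiest to see on a pooled connection where two users' statements interleave within a fraction of a second. The following is an added example written for this page, not Guardium's attribution mechanism: it contrasts a marker carried with each statement (here a `/* app_user=... */` comment, an assumed convention) against guessing the user from the most recent application-tier login before the statement. The SQL capture, the login events and the user names Joe and Marc (borrowed from the slide's diagram) are constructed.

```python
"""Attributing pooled-connection SQL to the real application user.

Added example for this page, not Guardium's mechanism: it contrasts a
deterministic per-statement marker against a timestamp-nearest-login guess.
All log lines are constructed; the '/* app_user=... */' marker is assumed.
"""
import re
from datetime import datetime

MARK_RE = re.compile(r"/\*\s*app_user=(\w+)\s*\*/")

# Constructed: statements captured on one pooled connection (generic login 'svc_app').
SQL_LOG = [
    ("2010-09-28 10:00:00.100", "svc_app",
     "/* app_user=joe */ SELECT balance FROM bank.accounts WHERE id=17"),
    ("2010-09-28 10:00:00.250", "svc_app",
     "/* app_user=marc */ UPDATE bank.accounts SET balance=balance-500 WHERE id=17"),
    ("2010-09-28 10:00:00.400", "svc_app",
     "/* app_user=joe */ SELECT * FROM bank.tx WHERE acct=17"),
]

# Constructed: application-tier login events, all a time-based approach has to go on.
APP_LOGINS = [
    ("2010-09-28 09:59:59.900", "joe"),
    ("2010-09-28 10:00:00.200", "marc"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def attribute_deterministic(sql_log):
    """Read the user from the marker carried with the statement itself."""
    out = []
    for t, db_user, sql in sql_log:
        m = MARK_RE.search(sql)
        out.append((t, db_user, m.group(1) if m else None))
    return out


def attribute_time_based(sql_log, logins):
    """Guess: whoever logged in to the application most recently before the statement."""
    ordered = sorted((ts(t), u) for t, u in logins)
    out = []
    for t, db_user, _sql in sql_log:
        guess = None
        for login_time, user in ordered:
            if login_time <= ts(t):
                guess = user
        out.append((t, db_user, guess))
    return out


def mismatches():
    """Statements the two methods attribute differently: (time, marker user, guessed user)."""
    det = attribute_deterministic(SQL_LOG)
    guessed = attribute_time_based(SQL_LOG, APP_LOGINS)
    return [(d[0], d[2], g[2]) for d, g in zip(det, guessed) if d[2] != g[2]]


if __name__ == "__main__":
    for row in mismatches():
        print("misattributed:", row)
```

In the constructed capture the third statement is Joe's, but because Marc logged in more recently the time-based guess assigns it to Marc. Under real pool churn the guess degrades further, and a fraud investigation built on it would name the wrong person; the marker, by contrast, travels with the statement and survives any interleaving.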

Page 35: IBM InfoSphere Guardium overview


Automated Sign-offs & Escalations for Compliance

•  Automates entire compliance workflow
•  Report distribution to oversight team
•  Electronic sign-offs
•  Escalations
•  Comments & exception handling
•  Addresses auditors’ requirements to document oversight processes
•  Results of audit process stored with audit data in secure audit repository
•  Streamlines and simplifies compliance processes

Page 36: IBM InfoSphere Guardium overview


Database Servers = Majority of Compromised Records

Source: 2009 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

SQL injection played a role in 79% of records compromised during 2009 breaches.