Safeguarding Enterprise Data with Continuous, Real-Time Database Security, Monitoring & Compliance

Oct 31, 2013




Fakhreddine El Mourabiti


Data Governance / Europe

fmourabiti@be.ibm.com


© 2012 IBM Corporation


IBM Security Systems


CONFIDENTIAL


Data is the key target for security breaches, and database servers are the primary source of breached data.

Source: 2011 Data Breach Report from the Verizon Business RISK Team (the linked file is the 2012 edition of the Data Breach Investigations Report):
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf


WHY? Database servers contain your clients' most valuable information:

- Financial records
- Customer information
- Credit card and other account records
- Personally identifiable information
- Patient records
- High volumes of structured data
- Easy to access

"Because that's where the money is." - Willie Sutton

The Goals

Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:

1. Prevent data breaches
   - Mitigate external and internal threats

2. Reduce the cost of compliance
   - Automate and centralize controls across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop, and across diverse regulations such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.
   - Simplify audit review processes

3. Ensure the integrity of sensitive data
   - Prevent unauthorized changes to data, data infrastructure, configuration files and logs
Audit Requirements: The Compliance Mandate

What do you need to monitor? The slide is a matrix of five event classes against the mandates that require them: COBIT (SOX), PCI-DSS, ISO 27002, data privacy and protection laws, and NIST SP 800-53 (FISMA). [The per-mandate check marks of the matrix are not recoverable from the extracted text.]

1. Access to sensitive data (successful/failed SELECTs)
2. Schema changes (DDL: Create/Drop/Alter Tables, etc.)
3. Data changes (DML: Insert, Update, Delete)
4. Security exceptions (failed logins, SQL errors, etc.)
5. Accounts, roles & permissions (DCL: GRANT, REVOKE)

DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language (granting and revoking privileges)

Why Organizations Buy Database Activity Monitoring

1. We have to do it (regulations, auditors)
2. We can't afford the cost & effort of doing it manually (limited time and money)
3. We need consistency of audit reporting

[Cartoon caption: "It is him! They call him El Auditor"]


Addressing Key Stakeholders' Concerns

Security operations requirements:
- Real-time policies
- Secure audit trail
- Data mining & forensics
- Separation of duties
- Best practices reports
- Automated controls
- Minimal impact
- Change management
- Performance optimization

5 Common Challenges around Database Auditing

- How can we monitor user access and detect anomalies?
- How can we control privileged users with direct access?
- Can we store these audit logs in a secure repository?
- Can we have one central audit repository for all database types including Oracle, SQL Server, DB2 and more?
- How can we do all of this with minimal impact to our database and infrastructure?

Addressing the full database security lifecycle

1. Discover
   - Discover databases on the network
   - Discover where sensitive data is located

2. Identify Risk
   - Perform an assessment to understand risk
   - Harden the database to eliminate unnecessary risk

3. Comply
   - Monitor database activity to verify security controls
   - Automate reporting for proper evidence in the compliance process

The Solution: Non-Invasive, Agent-Based Monitoring

[Architecture diagram: agent-based monitoring of the data tier, now including Big Data environments such as InfoSphere BigInsights (NEW), with integration to LDAP, IAM, SIEM, TSM, Remedy, …]

Extend platform coverage: New S-TAP for System i

Providing a complete and native data security solution for System i (NEW):
- Monitors privileged user activity in real time
- Enables complete separation of duties
- Helps satisfy auditors' requirements and ensure compliance with mandates like PCI easily and cost effectively
- Protects sensitive data on your System i deployments

Integration with IT Infrastructure for seamless operations

- Directory Services (Active Directory, LDAP, TDS, etc.)
- SIEM (IBM QRadar, ArcSight, RSA enVision, etc.)
- SNMP Dashboards (Tivoli Netcool, HP OpenView, etc.)
- Change Ticketing Systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
- Vulnerability Standards (CVE, STIG, CIS Benchmark)
- Data Classification and Leak Protection (credit card, Social Security, phone, custom, etc.)
- Security Management Platforms (IBM QRadar, McAfee ePO)
- Application Servers (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)
- Long Term Storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
- Authentication (RSA SecurID, RADIUS, Kerberos, LDAP)
- Software Deployment (IBM Tivoli Provisioning Manager, RPM, native distributions)

[Diagram: S-TAP agents feed the central appliance, which sends alerts (CEF, CSV, Syslog, etc.) and sends events to the systems listed above.]

Perimeter Defenses & Identity Management No Longer Sufficient

- 49% of new vulnerabilities are web application vulnerabilities (X-Force)
- Insider threat (DBAs, developers, outsourcers, etc.)
- 88% of F500 companies have employees infected with Zeus (RSA)
- #1 VM vulnerability is VM guest hopping (hypervisor escape) (X-Force)
- The Kneber botnet stole 68,000 credentials & 2,000 SSL certificates over a 4-week period (NetWitness)
- SQL injection is a leading attack vector (X-Force)
- Stuxnet used a hard-coded credential for the Siemens WinCC SQL Server database to attack control systems
- The Epsilon data breach affects millions (outsourced provider)

"A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls." - William J. Lynn III, U.S. Deputy Defense Secretary

Why Enterprises are Dissatisfied with the Traditional Approach

× Inefficient and costly
  - Database performance is impacted
  - Manual processes require valuable resources

× Provides little value to the business
  - Logs are complicated to inspect
  - Any detection is not real-time

× No segregation of duties
  - Privileged users can bypass the system
  - The audit trail can be modified

[Castle analogy figure: walls, moat, observation towers/turrets, arrow loops, gate and guards, mapped onto the four capabilities Secure Settings, Activity Monitoring, Vulnerability Assessment and Reporting]

Auditing Database Configuration Changes

- Tracks changes to files, environment variables, registry settings, scripts, etc.
- 200+ pre-configured templates for all major OS/DBMS configurations
- Easily customizable via scripts, SQL, etc. (ad hoc tests)
- Also checks OS permissions for Vulnerability Assessment (VA) tests
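The configuration-change tracking described above comes down to a baseline-and-compare check. The following is an added example written for this page, not IBM or Guardium code: it hashes a set of configuration files, records their permission bits, reports additions, removals, content changes and permission changes against a stored baseline, and flags world-writable files (the OS-permission check the last bullet refers to). The file names ('listener.ora', 'db.env', 'post_start.sh'), their contents and the tampering are all constructed in a temporary directory for the demonstration.

```python
"""Baseline-and-compare audit of DBMS configuration files.

Added example for this page, not IBM/Guardium code. File names, contents and
permissions are constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Record SHA-256, permission bits and size for each path (None if absent)."""
    snap = {}
    for p in paths:
        if not os.path.exists(p):
            snap[p] = None
            continue
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        snap[p] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    return snap


def diff_snapshots(baseline, current):
    """Return (path, change) pairs: added, removed, modified or permissions."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        before, after = baseline.get(p), current.get(p)
        if before is None and after is not None:
            findings.append((p, "added"))
        elif before is not None and after is None:
            findings.append((p, "removed"))
        elif before is not None and after is not None:
            if before["sha256"] != after["sha256"]:
                findings.append((p, "modified"))
            elif before["mode"] != after["mode"]:
                findings.append((p, "permissions"))
    return findings


def world_writable(snap):
    """OS-permission check: config files that any local user could alter."""
    return [p for p, meta in snap.items() if meta and meta["mode"] & stat.S_IWOTH]


def demo():
    """Constructed scenario: baseline two files, then tamper and re-check."""
    workdir = tempfile.mkdtemp()
    listener = os.path.join(workdir, "listener.ora")  # assumed file names
    envfile = os.path.join(workdir, "db.env")
    with open(listener, "w") as f:
        f.write("LISTENER = (ADDRESS=(PROTOCOL=TCP)(PORT=1521))\n")
    with open(envfile, "w") as f:
        f.write("ORACLE_HOME=/opt/oracle\n")
    os.chmod(listener, 0o640)
    os.chmod(envfile, 0o640)
    baseline = snapshot([listener, envfile])

    # Tampering: change the listener port, loosen permissions, drop in a script.
    with open(listener, "w") as f:
        f.write("LISTENER = (ADDRESS=(PROTOCOL=TCP)(PORT=1522))\n")
    os.chmod(envfile, 0o666)
    script = os.path.join(workdir, "post_start.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\n")
    current = snapshot([listener, envfile, script])

    return {
        "findings": [(os.path.basename(p), c) for p, c in diff_snapshots(baseline, current)],
        "world_writable": [os.path.basename(p) for p in world_writable(current)],
    }


if __name__ == "__main__":
    print(demo())
```

The baseline itself must live somewhere the DBA cannot rewrite (the separation-of-duties point the deck keeps returning to); a baseline stored next to the files it protects can be refreshed by the same person who tampered with them.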

Monitoring Data Leakage from High-Value Databases

Should my customer service rep view 99 records in an hour? What exactly did Joe see? Is this normal?
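To make "is this normal?" concrete, here is an added example (not Guardium code) that aggregates constructed SELECT audit records into rows returned per user per hour and flags an hour that breaks either a hard per-role ceiling or a multiple of the user's own median hour. The users, roles, tables, timestamps and limits are all assumed for the example.

```python
"""Per-user, per-hour volume check for SELECT activity against sensitive tables.

Added example for this page, not Guardium code. Audit records, roles and
limits below are constructed."""
import statistics
from collections import defaultdict

# Constructed audit records: (timestamp, db_user, role, object, rows_returned)
EVENTS = [
    ("2012-05-14T09:12:01", "joe", "cs_rep", "CUSTOMERS", 8),
    ("2012-05-14T09:40:13", "joe", "cs_rep", "CUSTOMERS", 5),
    ("2012-05-14T10:05:44", "joe", "cs_rep", "CUSTOMERS", 11),
    ("2012-05-14T11:17:09", "joe", "cs_rep", "CUSTOMERS", 9),
    ("2012-05-14T12:01:30", "joe", "cs_rep", "CUSTOMERS", 99),
    ("2012-05-14T09:00:00", "billing_app", "app", "INVOICES", 4200),
    ("2012-05-14T10:00:00", "billing_app", "app", "INVOICES", 4100),
    ("2012-05-14T11:00:00", "billing_app", "app", "INVOICES", 61000),
]

# Assumed hard ceilings per role; an unknown role gets 0, so everything flags (fail closed).
ROLE_LIMITS = {"cs_rep": 50, "app": 10000}


def hourly_rows(events):
    """Sum rows returned per (user, role, hour); the hour is the 'YYYY-MM-DDTHH' prefix."""
    totals = defaultdict(int)
    for ts, user, role, _obj, rows in events:
        totals[(user, role, ts[:13])] += rows
    return totals


def flag_anomalies(totals, role_limits, factor=5.0):
    """Flag an hour that exceeds the role ceiling or `factor` times the user's own median hour.

    The self-baseline needs at least three hours to mean anything; with fewer,
    only the role ceiling applies."""
    per_user = defaultdict(dict)
    for (user, role, hour), rows in totals.items():
        per_user[(user, role)][hour] = rows
    findings = []
    for (user, role), hours in per_user.items():
        median = statistics.median(hours.values())
        for hour, rows in sorted(hours.items()):
            reasons = []
            limit = role_limits.get(role, 0)
            if rows > limit:
                reasons.append(f"exceeds {role} ceiling of {limit}")
            if len(hours) >= 3 and rows > factor * median:
                reasons.append(f"{rows / median:.0f}x the user's median hour ({median:g})")
            if reasons:
                findings.append((user, hour, rows, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, hour, rows, why in flag_anomalies(hourly_rows(EVENTS), ROLE_LIMITS):
        print(f"{hour} {user}: {rows} rows -> {why}")
```

Two findings come out of the constructed data: Joe's 99-row hour (over the 50-row ceiling for his role and about eight times his median hour) and a 61,000-row hour from the billing application, which a role ceiling alone would catch but which the self-baseline also explains. Answering "what exactly did Joe see?" needs the captured statements and result-set metadata behind those counts, which is what the monitor retains and native volume counters do not.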

Tracking Privileged Users Who "su"

- Challenge: how do you track users who 'switch' accounts (perhaps to cover their tracks)?
- Native database logging/auditing & SIEM tools can't capture OS user information
- Other database monitoring solutions only provide the OS shell account that was used
- What Guardium shows you: the user activity together with the OS user behind the switched account

[Screenshot of user activity report]

Protect Stored Data: need-to-know only (Redact and Mask Sensitive Data)

[Diagram: application servers, unauthorized users and an outsourced DBA issue SQL to DB2, MySQL, Oracle, Sybase, SQL Server, etc.; the S-TAP redacts the results, so the user's view of the data differs from the actual data stored in the database]

- Cross-DBMS policies
- Mask sensitive data
- No database changes
- No application changes

Cross-DBMS, Data-Level Access Control (S-GATE)

[Diagram: privileged users, application servers and an outsourced DBA issue SQL to Oracle, DB2, MySQL, Sybase, etc.; S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated]

- Cross-DBMS policies
- Block privileged user actions
- No database changes
- No application changes
- Without the risk of inline appliances that can interfere with application traffic
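An added example, not Guardium or IBM code, that ties together three earlier points of the deck: the five monitored event classes of the compliance-mandate slide (SELECT on sensitive data, DDL, DML, DCL, security exceptions), the redaction of returned values on the "Redact and Mask" slide, and the S-GATE decision to drop a privileged user's connection. The sensitive objects, privileged users, application-server addresses and masked columns are assumed policy data; the regex object extraction is a deliberate simplification for the example, not a SQL parser, and a real monitor has to parse each dialect.

```python
"""Policy engine sketch: classify SQL, map it to the audit categories, redact
result rows, and decide allow / log / mask / alert / drop_connection.

Added example for this page, not Guardium code. Policy data is assumed."""
import re

# Assumed policy data
SENSITIVE_OBJECTS = {"CUSTOMERS", "CARD_DATA", "PATIENTS"}
PRIVILEGED_USERS = {"sys", "dba_contractor"}
APP_SERVER_IPS = {"10.0.1.20"}          # the sanctioned application path
MASK_COLUMNS = {"CARD_NO", "SSN"}

VERB_CLASS = {"SELECT": "SELECT",
              "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
              "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "TRUNCATE": "DDL",
              "GRANT": "DCL", "REVOKE": "DCL"}
# Simplified object extraction: the word after FROM/JOIN/INTO/UPDATE/TABLE,
# or after ON for GRANT/REVOKE. Not a parser.
OBJECT_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][\w.]*)", re.I)
GRANT_RE = re.compile(r"\bON\s+(?:TABLE\s+)?([A-Za-z_][\w.]*)", re.I)


def classify(sql):
    """Return (category, set of unqualified upper-case object names)."""
    verb = sql.strip().split(None, 1)[0].upper()
    cat = VERB_CLASS.get(verb, "OTHER")
    rx = GRANT_RE if cat == "DCL" else OBJECT_RE
    objs = {m.group(1).split(".")[-1].upper() for m in rx.finditer(sql)}
    return cat, objs


def audit_category(event):
    """Map a captured event to the five classes of the compliance matrix."""
    if event.get("type") == "login_failed" or event.get("sql_error"):
        return "SECURITY_EXCEPTION"
    cat, objs = classify(event["sql"])
    if cat == "SELECT":
        return "SENSITIVE_SELECT" if objs & SENSITIVE_OBJECTS else "SELECT"
    return cat


def decide(session, sql):
    """Evaluate one held statement for a session; first matching rule wins."""
    cat, objs = classify(sql)
    sensitive = objs & SENSITIVE_OBJECTS
    privileged = session["db_user"] in PRIVILEGED_USERS
    via_app = session["client_ip"] in APP_SERVER_IPS
    if privileged and sensitive and not via_app:      # S-GATE: direct privileged access
        return "drop_connection", cat, sorted(objs)
    if cat in ("DDL", "DCL"):                          # schema/privilege change: always alert
        return "alert", cat, sorted(objs)
    if sensitive and cat == "SELECT" and not via_app:  # ad hoc read: return redacted rows
        return "mask", cat, sorted(objs)
    if sensitive:                                      # sanctioned path: record it
        return "log", cat, sorted(objs)
    return "allow", cat, sorted(objs)


def redact(columns, row):
    """Mask values of sensitive columns in a returned row, keeping the last 4 characters."""
    out = []
    for col, val in zip(columns, row):
        if col.upper() in MASK_COLUMNS and isinstance(val, str):
            out.append("*" * max(len(val) - 4, 0) + val[-4:])
        else:
            out.append(val)
    return out


if __name__ == "__main__":
    dba = {"db_user": "dba_contractor", "client_ip": "192.168.5.7"}
    print(decide(dba, "SELECT card_no FROM card_data"))
    print(redact(["name", "card_no"], ["Joe", "4111222233334444"]))
```

The rule order matters: the privileged-user rule sits first so that a contractor DBA dropping a sensitive table is blocked rather than merely alerted on as DDL, while the same DDL from a non-privileged user still raises an alert. A monitor that holds the statement before the database executes it (the S-GATE model) can return "drop_connection"; one that only observes traffic can at best alert after the fact.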

Monitoring z/OS

- Comprehensive: sensitive objects, privileged users, and complete control over what is audited
- Typical user vs privileged user authorization: RACF, Top Secret and ACF-2 allow authorized users to have limited access to DB2; privileged users have direct access to the data. This requires granular control to verify access to sensitive data.

Three key components for System z

1. Data Gathering: collecting each SQL statement
2. Data Filtering: determining if the SQL matches a monitoring policy
3. Data Movement: packaging and sending the SQL to the Guardium collector

S-TAP for DB2 on z/OS Architecture

[Diagram: the S-TAP agent on the audited DB2 subsystem collects SQL through DB2 IFI (audit trace); the Audit SQL Collector (ASC) sorts it into audit interest / no audit interest, and a streaming process sends the retained events over TCP/IP to the Guardium collector; an administration repository and a Windows administration GUI configure the S-TAP server and collectors (audited table, collector, audit server)]

- Simplified administration
- Simplified configuration
- Improved performance
- Data collection, filtering, and delivery
S-TAP for IMS on z/OS Architecture

[Diagram: audited DB/segments accessed from IMS online regions and IMS DL/1 batch regions, together with SMF data and RECON data, are collected and sent by the streaming process over TCP/IP]
S-TAP for VSAM on z/OS Architecture

[Diagram: on z/OS, the System, SMF and RACF collectors read the audited VSAM datasets (file system datasets); the S-TAP agent streams audit data over TCP/IP to the appliance at a configured IP address and port number; the administration repository holds the edited configuration files]
The Entire Picture

[Diagram: a SQL application issues Select…, Fetch…, Fetch…, Update… against the audited DB2 for z/OS subsystem; S-TAP gathers the SQL and captures non-SQL events through DB2 IFI, filters them in stages, and the streaming process moves the results to the collector]

Gathering: each SQL statement, plus the non-SQL events captured through DB2 IFI

Filtering, in three stages, where each stage either decides the audit interest of the event or passes it on:
- S-TAP Stage 0 filters: evaluate SQL by connection and by plan; all other evaluations are sent to Stage 1
- S-TAP Stage 1 filters: evaluate SQL by user; all other evaluations are sent to Stage 2
- S-TAP Stage 2 filters: evaluate SQL by object

Moving: the S-TAP streaming process sends the retained events to the collector
Policy Configuration

[Diagram: the collector pushes the policy (connection types, plans, users, and objects to audit) to the DB2 for z/OS subsystem]
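The three filter stages of the preceding slides, with constructed DB2 events and an assumed policy; this is an added example, not IBM's code. Each stage looks only at the fields it owns (connection type and plan, then user, then object) and either decides the event's audit interest or passes it on, so the cheap fields discard most traffic before the object check. The connection types, plan names, users and object names are all made up for the example.

```python
"""Three-stage audit filter modelled on the S-TAP pipeline described above.

Added example for this page, not IBM code. Policy and events are constructed."""

# Assumed policy: which connections, plans, users and objects are of audit interest.
POLICY = {
    "connection_types": {"DRDA", "TSO", "BATCH"},            # stage 0: only these connection types
    "ignore_plans": {"DSNTEP2", "NIGHTLY_ETL"},              # stage 0: plans excluded outright
    "audit_users": {"DBADM1", "CONTRACTOR"},                 # stage 1: always audit these users
    "sensitive_objects": {"PAYROLL.SALARY", "HR.EMPLOYEE"},  # stage 2: audit access to these
}


def stage0(ev, policy):
    """By connection type and plan: cheapest fields, decided first.
    Returns True/False to decide, or None to pass the event on."""
    if ev["conn_type"] not in policy["connection_types"]:
        return False
    if ev["plan"] in policy["ignore_plans"]:
        return False
    return None


def stage1(ev, policy):
    """By user: watched users are audited whatever they touch."""
    return True if ev["user"] in policy["audit_users"] else None


def stage2(ev, policy):
    """By object: the last stage always decides."""
    return bool(set(ev["objects"]) & policy["sensitive_objects"])


STAGES = (stage0, stage1, stage2)


def evaluate(ev, policy=POLICY):
    """Return ('audit' | 'skip', index of the stage that decided)."""
    for i, stage in enumerate(STAGES):
        verdict = stage(ev, policy)
        if verdict is not None:
            return ("audit" if verdict else "skip"), i
    raise RuntimeError("the last stage must always decide")


def run(events, policy=POLICY):
    """Return audited event ids and a histogram of the deciding stage.
    The histogram is the tuning metric: most traffic should leave at stage 0 or 1."""
    audited, decided_at = [], {i: 0 for i in range(len(STAGES))}
    for ev in events:
        decision, i = evaluate(ev, policy)
        decided_at[i] += 1
        if decision == "audit":
            audited.append(ev["id"])
    return audited, decided_at


# Constructed DB2 events: connection type, plan, user and the objects touched.
EVENTS = [
    {"id": 1, "conn_type": "DRDA", "plan": "DISTSERV", "user": "APPUSR1", "objects": ["SALES.ORDERS"]},
    {"id": 2, "conn_type": "DRDA", "plan": "DISTSERV", "user": "APPUSR1", "objects": ["HR.EMPLOYEE"]},
    {"id": 3, "conn_type": "BATCH", "plan": "NIGHTLY_ETL", "user": "ETLBATCH", "objects": ["PAYROLL.SALARY"]},
    {"id": 4, "conn_type": "TSO", "plan": "SPUFI", "user": "CONTRACTOR", "objects": ["SALES.ORDERS"]},
    {"id": 5, "conn_type": "CICS", "plan": "ORDRENT", "user": "CICSUSR", "objects": ["HR.EMPLOYEE"]},
]

if __name__ == "__main__":
    print(run(EVENTS))
```

Events 3 and 5 are the caveat: a plan-level exclusion at stage 0 silently whitelists that plan's reads of PAYROLL.SALARY, and a connection-type list drops the CICS access to HR.EMPLOYEE before the object check ever runs. Stage 0 exclusions buy the performance the slides advertise, so they should be narrow, justified and reviewed against the sensitive-object list.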



ibm.com/guardium