Guardium Tech Talk: 10.1.3 Overview - Speed compliance and simplify deployments
August 24, 2017
Kathy Zeidenstein, Guardium Evangelist and Community Advocate
Joann Ruvolo, Senior Manager and UI Technical Lead, IBM Security Guardium
Mark Your Calendars for the Next Tech Talk
Title: TBA (It's a surprise!)
Date: Tuesday, October 3rd, 2017
Time: 11:00 EDT, 8:00 AM PDT (60 minutes)
Speakers: TBA
Register: TBA
3 IBM Security
Guardium community on developerWorks: bit.ly/guardwiki
z/OS S-TAP Overview
What's New in V10.1.3 for z/OS Highlights (Tech talk tentatively November, 2017)
• Additional real-time data protection option for Db2: option to block SQL from specific users to specific tables
• Enhanced event collection and reporting
  Data Sets: more detailed member-level event reporting for PDS/PDSE data sets (replace, copy, delete, etc.); report on FTP events through z/OS UNIX System Services
  IMS: High Availability Large Database (HALDB) name reporting, filter on trusted LTERMs, and filter by region type beyond BMP
  All three S-TAPs:
  • Audit CICS Unit of Work ID for correlation of events across subsystems
  • Data privacy: server-side control to avoid sending PII to the collector
• Enhanced operations and diagnostics (all three S-TAPs)
  • Easier diagnostics gathering across roles: MUST GATHER can be initiated from the collector or from the mainframe side
  • Simulation mode to test the S-TAP without sending audit records to the appliance
  • z/OS S-TAPs now visible on the Deployment Health Topology in the Guardium UI
Db2 for z/OS S-TAP Enhancements: Real-time blocking
• Real-time data protection for Db2: option to block SQL from specific users to specific tables
  Real-time, as this happens at the S-TAP level and does not require a verdict from the collector (contrast with S-TAP TERMINATE, which waits for the collector's verdict)
  Uses a new access policy rule database type: DB2 z/OS BLOCKING PROFILE
[Diagram: an authorized application and attackers, vendors and insiders issuing SQL against Db2; only the authorized application's SQL passes the blocking profile]
Db2 for z/OS S-TAP Enhancements
• Enhanced event collection and reporting
  Improved auditability to enterprise standards
  • Collect BIND and REBIND events similar to other events. Not subject to filtering!
  • Indicator of whether an event is dynamic or static SQL (when LOG FULL DETAILS is used)
  Audit CICS Unit of Work ID for correlation of events across subsystems
• Performance and filtering
  Db2 objects moved to Stage 1 filtering and other memory management enhancements
  Expected to improve event throughput and lower CPU overhead, resulting in improved tolerance for heavy SQL event volumes
  Internal lab results show a significant decrease in both Db2 Class 2 and S-TAP address space CPU usage for S-TAP V10.1.3 versus S-TAP V10.0
  Important: your mileage will vary! The CPU improvement will vary under different workloads and environments
• Enhanced operations and diagnostics
  • Simulation mode to test the S-TAP without sending audit records to the appliance
  • z/OS S-TAPs now visible on the Deployment Health Topology in the Guardium UI
z/OS S-TAPs now visible in Deployment Health Topology
• All managed units and the CM must be at 10.1.3; the S-TAP can be back level
Guardium DAM and VA Overview
Guardium 10.1.3 (GPU 230) - summary
• Quick start deployment (agent and compliance monitoring)
• VA improvements
  VA for Cloudera
  MongoDB 3.4 support and the latest MongoDB CIS benchmark tests
  Db2 LUW CIS benchmark
  Support for SQL Server on Linux and improved SQL Server tests
• Agent enhancements
  Improved discovery processing (better for Oracle RAC)
  A-TAP improvements to support scripting
  Threading improvements to reduce slowdown on database servers and better support enterprise load balancing
  Teradata exit (Teradata 16.10+); see release notes for details
  SLES 12 on s390x
• Limited use license of Privileged Identity Manager
• Cloud image offerings
• Classification privilege script
• ISO image available on PPA
VA Enhancements
• New Cloudera Hadoop VA tests (first in the industry)
  Over 100 tests including CVEs, security configs, roles, OS file permissions, Hive and Impala privilege tests, and configurations for HDFS, Sentry, Hive, etc.
  2 datasources: Hive and Cloudera Manager
  Datasource authentication support:
  • Cloudera Manager: native and LDAP authentication with SSL
  • Hive: no-auth and LDAP/SSL, Kerberos
  • CAS-based tests: SSL and Kerberos
VA Enhancements
• SQL Server
  • Usability for SQL Server: CVE tests recognize fixes in all service packs
  • Support for SQL Server on Linux (SQL Server 2017) (currently in preview)
• MongoDB
  • New tests for MongoDB with the latest benchmarks: VA coverage for the CIS MongoDB Benchmark v1.0.0 (https://www.cisecurity.org/benchmark/mongodb/)
  • MongoDB 3.4 support
  • LDAP/SSL connection (10.1.2); Kerberos connection (10.1.3)
• Db2 LUW
  • CIS benchmark for Db2 (https://www.cisecurity.org/benchmark/ibm_db2/): 10 new tests plus 2 test enhancements; now over 260 tests for Db2 LUW
  • The new tests require additional privileges for the VA datasource user; the grant script is /var/log/guard/gdmmonitor_scripts/gdmmonitor-db2.sql
Enterprise Upgrade Strategy (tech talk tentatively October 24th)
• High level upgrade roadmap options: http://www-01.ibm.com/support/docview.wss?uid=swg21961114
• There is no direct upgrade from 8.2 to V10.1.3 (GPU 230). You must go through V9!
• Or, use the V10.1.3 ISO and rebuild/restore (take advantage of the larger root partition (25GB) and new file system format (EXT4))
• The upgrade process usually cannot be done simultaneously on all appliances and all S-TAPs, so it requires a multi-staged upgrade approach.
• During the transition period, the Guardium environment will operate in hybrid mode with Version 9.5 and Version 10.1.3 Guardium software (mixed environment).
• Upgrade the IBM Guardium environment in top-down order (Central Manager first, then aggregators, then collectors, then S-TAPs)
• Upgrade of large enterprise environments requires thorough planning and preparation:
  Upgrade strategy and logistics
  Scope (be conservative)
  Change control management
  Required personnel availability
  Contingency planning
[Screenshots: populating a group from an external datasource]
• Group Builder -> Populate from Query, group "PCI Admin Users"
• Members from the external datasource are uploaded
• Click OK to add the members to the group
• The group is now populated from the external datasource
Policy installation: approach
• Policy installation will occur automatically the first time a Quick Start policy is successfully installed on a target system
  On a standalone appliance, the Quick Start policy will be installed
  On a CM, the Quick Start policy will be pushed down to all collectors
• Order of installed policies
  The Quick Start policy will be installed after all the other installed policies (i.e., the "Install last" option)
  However, if the default policy is the only policy installed, Quick Start will install its security policy over the default policy (i.e., the "Install and Override" option)
• After a Reset to default
  On a standalone appliance, the original (hidden) Quick Start policy is automatically reinstalled
  In a CM deployment, there is no change to the installed policy
• Policy installation schedule
  On a standalone appliance, Quick Start will schedule the policy installation if one is not already scheduled (scheduled and active, or scheduled and paused)
  From the CM, Quick Start will schedule the policy installation on the collectors, even if one is already scheduled
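The install-order and scheduling rules above interact (install last vs. install and override, standalone vs. CM, existing schedule or not), so it is worth checking what a given starting state ends up with before running Quick Start against production collectors. The following is an added model of those rules written for this page; it is not Guardium code and does not call the appliance. The Appliance class, the policy names "Default" and "Quick Start", and the assumption that Reset to default first puts the default policy back before Quick Start is reinstalled are all assumptions of the model.

```python
"""Model of the Quick Start policy-installation rules from the slides.

Added illustration, not Guardium code: it encodes the described behaviour
(install last vs. install-and-override, push from a CM, Reset to default,
and when an installation schedule is created) so the resulting installed
policy list and schedule state can be checked for a given starting state.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_POLICY = "Default"          # assumed name of the out-of-the-box policy
QUICK_START_POLICY = "Quick Start"  # assumed name of the Quick Start policy


@dataclass
class Appliance:
    """A standalone appliance or one CM-managed collector (assumed model)."""
    name: str
    installed: List[str] = field(default_factory=lambda: [DEFAULT_POLICY])
    schedule: Optional[str] = None   # None, "active" or "paused"


def install_quick_start(app: Appliance) -> Appliance:
    """Apply the 'Install last' / 'Install and Override' rule to one unit."""
    if app.installed == [DEFAULT_POLICY]:
        # Default policy is the only one installed: Quick Start overrides it.
        app.installed = [QUICK_START_POLICY]
    else:
        # Otherwise Quick Start goes after every other installed policy.
        app.installed = [p for p in app.installed if p != QUICK_START_POLICY]
        app.installed.append(QUICK_START_POLICY)
    return app


def quick_start_install(standalone: Optional[Appliance] = None,
                        collectors: Optional[List[Appliance]] = None) -> List[Appliance]:
    """First successful Quick Start install, either standalone or via a CM.

    Standalone: install on that unit and create an installation schedule
    only if none exists (active or paused both count as existing).
    CM: push to every collector and schedule on each, even if one exists.
    """
    if standalone is not None:
        install_quick_start(standalone)
        if standalone.schedule is None:
            standalone.schedule = "active"
        return [standalone]
    targets = collectors or []
    for c in targets:
        install_quick_start(c)
        c.schedule = "active"
    return targets


def reset_to_default(app: Appliance, managed_by_cm: bool) -> Appliance:
    """Reset to default: a standalone unit gets the hidden Quick Start policy
    reinstalled (assumed here to happen over a freshly restored default
    policy); a CM-managed collector keeps whatever is installed."""
    if not managed_by_cm:
        app.installed = [DEFAULT_POLICY]
        install_quick_start(app)
    return app


if __name__ == "__main__":
    # Constructed scenarios: a fresh standalone and two collectors under a CM.
    fresh = quick_start_install(standalone=Appliance("standalone-fresh"))[0]
    print(fresh.name, fresh.installed, fresh.schedule)
    cm_targets = quick_start_install(collectors=[
        Appliance("coll-1"),
        Appliance("coll-2", installed=[DEFAULT_POLICY, "SOX"], schedule="paused"),
    ])
    for c in cm_targets:
        print(c.name, c.installed, c.schedule)
```

Note that the two scheduling paths differ on purpose: a standalone unit with a paused schedule keeps it, while the CM path resets every collector's schedule to active, which is the case to watch for if collectors have deliberately paused installs.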