Safeguarding Enterprise Data with Continuous, Real-Time Database Security, Monitoring & Compliance

Fakhreddine El Mourabiti – Data Governance / Europe

[email protected]

© 2012 IBM Corporation

Mar 26, 2015

Transcript
Page 1 (title slide)

Page 2

IBM Security Systems

Page 3

Data is the key target for security breaches, and database servers are the primary source of breached data

% of records breached (2010):
• Database servers: 92%
• All other sources: 7%
• Laptops & backup tapes: <1%
• Desktop computers: <1%

Source: 2011 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Why? "Because that's where the money is." - Willie Sutton

Database servers contain your clients' most valuable information:
– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records

High volumes of structured data, easy to access.

Page 4

The Goals

Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:

1. Prevent data breaches
– Mitigate external and internal threats

2. Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, data infrastructure, configuration files and logs

3. Reduce cost of compliance
– Automate and centralize controls
• Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop
• Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.
– Simplify audit review processes

Page 5

The Compliance Mandate – What do you need to monitor?

Legend for the monitoring matrix:
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language (privilege grants and revokes)

Page 6

Why Organizations Buy Database Activity Monitoring

1. We have to do it (regulations – auditors)
2. We can't afford the cost & effort of doing it manually (limited time and money)
3. We need consistency of audit reporting

It is him! They call him "El Auditor"

Addressing Key Stakeholders' Concerns

Security Operations:
• Real-time policies
• Secure audit trail
• Data mining & forensics
• Separation of duties
• Best practices reports
• Automated controls
• Minimal impact
• Change management
• Performance optimization

Page 7

5 Common Challenges around Database Auditing

• How can we monitor user access and detect anomalies?
• How can we control privileged users with direct access?
• Can we store these audit logs in a secure repository?
• Can we have one central audit repository for all database types including Oracle, SQL Server, DB2 and more?
• How can we do all of this with minimal impact to our database and infrastructure?

Page 8

Addressing the full database security lifecycle

1. Discover
• Discover databases on the network
• Discover where sensitive data is located

2. Identify Risk
• Perform an assessment to understand risk
• Harden the database to eliminate unnecessary risk

3. Comply
• Monitor database activity to verify security controls
• Automate reporting for proper evidence in the compliance process

Page 9

The Solution: Non-Invasive, Agent-Based Monitoring

Integration with LDAP, IAM, SIEM, TSM, Remedy, …

NEW: Big Data Environments – InfoSphere BigInsights

Page 10

Extend platform coverage: New S-TAP for System i

Providing a complete and native data security solution for System i:
• Monitors privileged user activity in real time
• Enables complete separation of duties
• Helps satisfy auditors' requirements and ensure compliance with mandates like PCI easily and cost effectively

Protect sensitive data on your System i deployments.

Page 11

Integration with IT Infrastructure for seamless operations

Diagram: S-TAP sends events; alerts go out as CEF, CSV, Syslog, etc. Integration points:

• Directory Services (Active Directory, LDAP, TDS, etc.)
• SIEM (IBM QRadar, ArcSight, RSA enVision, etc.)
• SNMP Dashboards (Tivoli Netcool, HP OpenView, etc.)
• Change Ticketing Systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
• Vulnerability Standards (CVE, STIG, CIS Benchmark)
• Data Classification and Leak Protection (credit card, Social Security, phone, custom, etc.)
• Security Management Platforms (IBM QRadar, McAfee ePO)
• Application Servers (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)
• Long Term Storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
• Authentication (RSA SecurID, RADIUS, Kerberos, LDAP)
• Software Deployment (IBM Tivoli Provisioning Manager, RPM, native distributions)

Page 12

Perimeter Defenses & Identity Management No Longer Sufficient

"A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls." – William J. Lynn III, U.S. Deputy Defense Secretary

• 49% of new vulnerabilities are Web application vulnerabilities (X-Force)
• SQL Injection is a leading attack vector (X-Force)
• #1 VM vulnerability is VM guest hopping (hypervisor escape) (X-Force)
• Insider threat (DBAs, developers, outsourcers, etc.)
• 88% of F500 companies have employees infected with Zeus (RSA)
• Kneber botnet stole 68,000 credentials & 2,000 SSL certificates over a 4-week period (NetWitness)
• Stuxnet exploited a SQL Server vulnerability to attack control systems
• Epsilon data breach affects millions (outsourced provider)

Page 13

Why Enterprises are Dissatisfied with the Traditional Approach

× Inefficient and costly
– Database performance is impacted
– Manual processes require valuable resources

× Provides little value to the business
– Logs are complicated to inspect
– Detection is not real-time

× No segregation of duties
– Privileged users can bypass the system
– The audit trail can be modified

Page 14

Castle diagram labels: Walls, Moat, Observation Towers / Turret, Arrow Loop, Gate, Guards.

Two layers of defense: Secure Settings and Activity Monitoring.

Page 15

Vulnerability Assessment – Reporting (report screenshot)

Page 16

Auditing Database Configuration Changes

• Tracks changes to files, environment variables, registry settings, scripts, etc.
• 200+ pre-configured templates for all major OS/DBMS configurations
– Easily customizable via scripts, SQL, etc. (ad hoc tests)
– Also checks OS permissions for Vulnerability Assessment (VA) tests

Page 17

Monitoring Data Leakage from High-Value Databases

Should my customer service rep view 99 records in an hour? Is this normal? What exactly did Joe see?
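The three questions on this slide reduce to bucketing the audit trail by user and hour, comparing each bucket against a baseline, and being able to pull back the exact statements behind a flagged bucket. The following is an added example, not Guardium code or anything from the deck: the audit records, the set of sensitive tables and the 50-rows-per-hour baseline are all constructed assumptions.

```python
"""Added example (not from the slides): flag users whose hourly record access
from sensitive tables exceeds a baseline, and list what they actually read.
The audit records below are constructed; the 50 rows/hour baseline and the
sensitive-table list are assumptions a real deployment would derive per role."""
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail records: (timestamp, db_user, sql, rows_returned)
AUDIT_EVENTS = [
    ("2012-05-14T09:05:12", "joe",   "SELECT name, ssn FROM customers WHERE id = 101", 1),
    ("2012-05-14T09:07:40", "joe",   "SELECT name, ssn FROM customers WHERE id = 102", 1),
    ("2012-05-14T09:31:03", "joe",   "SELECT name, ssn, card_no FROM customers WHERE region = 'EU'", 97),
    ("2012-05-14T09:45:00", "alice", "SELECT name FROM customers WHERE id = 7", 1),
    ("2012-05-14T10:02:15", "joe",   "SELECT count(*) FROM orders", 1),
]

SENSITIVE_TABLES = {"customers"}   # assumed classification of sensitive objects
ROWS_PER_HOUR_BASELINE = 50        # assumed baseline for a customer service rep


def touches_sensitive(sql):
    """Crude object match: any whitespace/comma-separated token naming a sensitive table."""
    words = sql.lower().replace(",", " ").split()
    return any(w in SENSITIVE_TABLES for w in words)


def rows_per_user_hour(events):
    """Sum rows returned from sensitive tables, bucketed by (user, hour)."""
    buckets = defaultdict(int)
    for ts, user, sql, rows in events:
        if touches_sensitive(sql):
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
            buckets[(user, hour)] += rows
    return dict(buckets)


def flag_excessive_readers(events, baseline=ROWS_PER_HOUR_BASELINE):
    """(user, hour) buckets whose sensitive-row volume exceeds the baseline."""
    return sorted(k for k, v in rows_per_user_hour(events).items() if v > baseline)


def statements_seen_by(events, user, hour):
    """Answer 'what exactly did Joe see?' for one flagged bucket."""
    return [sql for ts, u, sql, rows in events
            if u == user and ts.startswith(hour) and touches_sensitive(sql)]


if __name__ == "__main__":
    for user, hour in flag_excessive_readers(AUDIT_EVENTS):
        print(f"{user} read {rows_per_user_hour(AUDIT_EVENTS)[(user, hour)]} sensitive rows in {hour}")
        for stmt in statements_seen_by(AUDIT_EVENTS, user, hour):
            print("   ", stmt)
```

Counting rows returned rather than statements issued is the point: Joe's third query is a single statement but accounts for 97 of his 99 records, which a per-statement threshold would miss.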

Page 18

Tracking Privileged Users Who "su"

Challenge: How do you track users who 'switch' accounts (perhaps to cover their tracks)?

• Native database logging/auditing and SIEM tools can't capture OS user information
• Other database monitoring solutions only provide the OS shell account that was used

What Guardium shows you: user activity (screenshot)
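The reason the shell account alone is not enough is that after `su` the database sees `oracle` or `root`, not the person who logged in. One way to recover the login user is to match the client process's ancestry against the session lines that PAM writes when `su` opens a session. The following is an added illustration, not Guardium's mechanism or code: the auth-log lines, pids and session records are constructed, and it assumes the monitoring agent can record the client process's ancestor pids (as /proc exposes them on Linux).

```python
"""Added example (not Guardium code) for the 'who really ran this?' problem:
attribute a database session back through su to the login user by matching the
client's process ancestry against su's own PAM session lines. Log lines, pids and
session records are constructed; the assumption is that the agent records the
client process's ancestor pids (nearest first)."""
import re

# Constructed auth.log lines written by PAM when su opens a session (Linux format).
AUTH_LOG = """\
May 14 09:30:55 dbhost sshd[4400]: Accepted publickey for jsmith from 10.1.2.3 port 51022 ssh2
May 14 09:31:01 dbhost su[4412]: pam_unix(su:session): session opened for user oracle by jsmith(uid=1001)
May 14 09:33:10 dbhost su[4430]: pam_unix(su:session): session opened for user root by oracle(uid=54321)
May 14 09:40:02 dbhost su[4502]: pam_unix(su:session): session opened for user oracle by mlee(uid=1002)
"""

# Tolerates both "for user X by Y(uid=N)" and the newer "for user X(uid=M) by Y(uid=N)".
_SU_RE = re.compile(
    r"su\[(\d+)\]: .*session opened for user (\w+)(?:\(uid=\d+\))? by (\w*)\(uid=(\d+)\)")


def parse_su_sessions(log_text):
    """Map su pid -> (target_user, invoking_user) from auth-log lines."""
    table = {}
    for line in log_text.splitlines():
        m = _SU_RE.search(line)
        if m:
            pid, target, by, uid = m.groups()
            table[int(pid)] = (target, by or f"uid={uid}")   # cron-style 'by (uid=0)' has no name
    return table


def resolve_login_user(session, su_table):
    """session has os_user (the account the DB saw) and ancestors (client process's
    parent pids, nearest first). Returns (login_user, chain of identities)."""
    hops = [su_table[pid] for pid in session["ancestors"] if pid in su_table]
    if not hops:
        return session["os_user"], [session["os_user"]]
    # The outermost su was invoked by the real login user; walk inward from there.
    chain = [hops[-1][1]] + [target for target, _ in reversed(hops)]
    return chain[0], chain


# Constructed DB session records as the agent would capture them.
DB_SESSIONS = [
    {"db_user": "SYS", "os_user": "root", "client_pid": 4431,
     "ancestors": [4430, 4413, 4412, 4400], "sql": "SELECT * FROM customers"},
    {"db_user": "APPUSER", "os_user": "oracle", "client_pid": 4510,
     "ancestors": [4503, 4502, 4490], "sql": "SELECT count(*) FROM orders"},
    {"db_user": "APPUSER", "os_user": "appsvc", "client_pid": 6001,
     "ancestors": [6000, 1], "sql": "SELECT id FROM orders"},
]


def attribute_sessions(sessions, log_text):
    """(db_user, os_user seen by the DB, resolved login user) for each session."""
    su_table = parse_su_sessions(log_text)
    return [(s["db_user"], s["os_user"], resolve_login_user(s, su_table)[0]) for s in sessions]


if __name__ == "__main__":
    for db_user, os_user, login in attribute_sessions(DB_SESSIONS, AUTH_LOG):
        print(f"db_user={db_user:8} os_user={os_user:8} login_user={login}")
```

Matching on pids rather than on time windows is what makes the chained case unambiguous: two people who both `su` to `oracle` within the same minute (jsmith and mlee above) are still attributed correctly, because each database client descends from exactly one `su` process.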

Page 19

Protect Stored Data: need to know only – Redact and Mask Sensitive Data

Diagram: application servers, unauthorized users and an outsourced DBA issue SQL to DB2, MySQL, Oracle, Sybase, SQL Server, etc.; the S-TAP redacts the result set, so the user's view of the data differs from the actual data stored in the database.

• Cross-DBMS policies
• Mask sensitive data
• No database changes
• No application changes

Page 20

Cross-DBMS, Data-Level Access Control (S-GATE)

Diagram: privileged users, application servers and an outsourced DBA issue SQL to Oracle, DB2, MySQL, Sybase, etc. S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated.

• Cross-DBMS policies
• Block privileged user actions
• No database changes
• No application changes
• Without the risk of inline appliances that can interfere with application traffic
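The S-GATE decision shown here, and the DDL/DML/DCL categories defined on slide 5, fit together as one policy evaluation: classify the held statement, extract the objects it touches, and decide whether to release it, log it, or drop the connection. The following is an added example, not IBM's S-GATE implementation or any code from the deck: the statement grammar is deliberately simplified (object names after FROM/INTO/UPDATE/TABLE/ON, no schema qualification), and the sensitive objects, users and rules are constructed.

```python
"""Added example, not Guardium/S-GATE code: classify SQL as DDL, DML or DCL
(slide 5's categories), extract the objects it references, and evaluate an
S-GATE-style rule that terminates a privileged user's connection when the
statement touches a sensitive object. Grammar is simplified; policy is constructed."""
import re

DDL = {"create", "alter", "drop", "truncate", "rename"}
DML = {"select", "insert", "update", "delete", "merge"}
DCL = {"grant", "revoke"}

# Object names follow one of these keywords; "(?!table\b)" skips the TABLE in
# CREATE/DROP/ALTER TABLE. Schema-qualified names (schema.obj) are not handled.
_OBJ_RE = re.compile(
    r"\b(?:from|into|update|table|on|join)\s+(?!table\b)([A-Za-z_]\w*)", re.I)

SENSITIVE = {"customers", "card_data"}   # assumed data-classification result


def classify(sql):
    """Return 'DDL', 'DML', 'DCL' or 'OTHER' from the leading verb."""
    parts = sql.strip().split(None, 1)
    if not parts:
        return "OTHER"
    verb = parts[0].lower()
    if verb in DDL:
        return "DDL"
    if verb in DML:
        return "DML"
    if verb in DCL:
        return "DCL"
    return "OTHER"


def objects(sql):
    """Lower-cased set of object names the statement references."""
    return {m.lower() for m in _OBJ_RE.findall(sql)}


def evaluate(session, sql):
    """Policy decision for a held statement: (action, reason).
    session is a dict with at least 'user' and 'privileged'."""
    kind, hits = classify(sql), objects(sql) & SENSITIVE
    if session.get("privileged", False) and hits and kind in ("DML", "DDL", "DCL"):
        # Slide 20: block privileged user actions on sensitive data -> drop connection.
        return "TERMINATE", f"{kind} by privileged user {session['user']} on {sorted(hits)}"
    if kind in ("DDL", "DCL"):
        # Schema and privilege changes are always of audit interest, even when allowed.
        return "ALERT", f"{kind} change by {session['user']}"
    return "ALLOW", "no policy matched"


if __name__ == "__main__":
    cases = [
        ({"user": "app", "privileged": False}, "SELECT name FROM customers WHERE id = 5"),
        ({"user": "dba1", "privileged": True}, "SELECT card_no FROM card_data"),
        ({"user": "dba1", "privileged": True}, "GRANT SELECT ON customers TO bob"),
        ({"user": "app", "privileged": False}, "CREATE TABLE tmp_report (id int)"),
    ]
    for session, sql in cases:
        print(f"{session['user']:5} {classify(sql):4} {evaluate(session, sql)}  <- {sql}")
```

The classification step is where a real deployment spends its effort: the regex above is enough to show the flow, but a production parser has to cope with comments, string literals, views and synonyms, or an attacker will simply phrase the statement so the object is not recognised.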

Page 21

Monitoring z/OS

• Comprehensive
• Sensitive objects
• Privileged users
• Complete control over what is audited

Page 22

Typical User vs Privileged User Authorization

• RACF, Top Secret and ACF2 allow authorized users to have limited access to DB2 sensitive objects
• Privileged users have direct access to data. This requires granular control to verify access to sensitive data

Page 23

Three key components for System z

1. Data Gathering – collecting each SQL statement
2. Data Filtering – determining if the SQL matches a monitoring policy (audit interest vs. no audit interest)
3. Data Movement – packaging and sending the SQL to the Guardium collector

Page 24

S-TAP for DB2 on z/OS Architecture

Diagram components:
• Audited DB2 subsystem, with the audited table and DB2 IFI collection of the audit trace
• Audit SQL Collector (ASC) and S-TAP agent, which stream audit data to the Guardium collector over TCP/IP
• Audit server and administration repository

• Simplified administration
• Simplified configuration
• Improved performance

Page 25

S-TAP for IMS on z/OS Architecture

Diagram components:
• IMS online regions and IMS DL/1 batch regions, with audited databases/segments
• SMF data and RECON data as inputs
• S-TAP server and collectors: data collection, filtering and delivery, streamed over TCP/IP to the Guardium collector
• S-TAP Windows administration GUI

Page 26

S-TAP for VSAM on z/OS Architecture

Diagram components:
• Audited VSAM file system and datasets (file system datasets, audited tables)
• Inputs from the z/OS system, SMF and RACF
• S-TAP agent streams audit data over TCP/IP to the appliance (configured by IP address and port number)
• Administration repository; configuration is done by editing configuration files

Page 27

The Entire Picture: Gathering, Filtering, Moving

An SQL application issues statements (Select, Fetch, Fetch, Update) against the audited DB2 for z/OS subsystem. The S-TAP evaluates each statement through three filter stages in turn:

• Stage 0 filters: evaluate SQL by connection and by plan; all other evaluations are sent to Stage 1
• Stage 1 filters: evaluate SQL by user; all other evaluations are sent to Stage 2
• Stage 2 filters: evaluate SQL by object
• DB2 IFI captures non-SQL events

The S-TAP streaming process moves what survives the filters to the collector.
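The staged filter on this slide, and the gather/filter/move split on slide 23, are worth seeing as code because the ordering is what keeps the overhead low on the database host: cheap connection-level and plan-level tests run first, the per-object test last, and an event is discarded at the first stage it fails. The following is an added example, not IBM's S-TAP code: the policy (connection types, plans, users and objects, as on slide 28) and the captured SQL events are constructed, and the wildcard and JSON packaging are my simplifications.

```python
"""Added example (not IBM S-TAP code): a three-stage audit-interest filter modelled
on the slide. Stage 0 tests connection type and plan, stage 1 the user, stage 2 the
object; an event is dropped at the first stage it fails, and only survivors are
packaged for the collector. Policy and captured events are constructed."""
from collections import Counter
import json

# Constructed policy (slide 28): connection types, plans, users and objects to audit.
POLICY = {
    "connection_types": {"DRDA", "TSO"},   # remote and interactive attach, not batch
    "plans": {"*"},                        # '*' = any plan (my simplification)
    "users": {"DBADM1", "OUTSRC01"},       # privileged / outsourced DBA ids
    "objects": {"PAYROLL.SALARY", "CUST.CARD"},
}


def _match(value, allowed):
    return "*" in allowed or value.upper() in allowed


def stage0(event, policy):
    """Connection type and plan: cheapest test, applied first."""
    return _match(event["conn_type"], policy["connection_types"]) and _match(event["plan"], policy["plans"])


def stage1(event, policy):
    """User of audit interest."""
    return _match(event["user"], policy["users"])


def stage2(event, policy):
    """Any referenced object of audit interest; needs the parsed SQL, so runs last."""
    return any(_match(o, policy["objects"]) for o in event["objects"])


STAGES = (stage0, stage1, stage2)


def package(event):
    """Data movement: serialise the surviving event for the collector."""
    return json.dumps(event, sort_keys=True)


def filter_events(events, policy=POLICY):
    """Return (packaged events to forward, count of events dropped per stage)."""
    forwarded, dropped = [], Counter()
    for ev in events:
        for i, stage in enumerate(STAGES):
            if not stage(ev, policy):
                dropped[f"stage{i}"] += 1   # no audit interest: stop evaluating
                break
        else:
            forwarded.append(package(ev))
    return forwarded, dict(dropped)


# Constructed captured SQL events, one per outcome.
EVENTS = [
    {"conn_type": "DRDA", "plan": "DSNTEP2", "user": "DBADM1", "objects": ["PAYROLL.SALARY"],
     "sql": "SELECT * FROM PAYROLL.SALARY"},                                   # forwarded
    {"conn_type": "BATCH", "plan": "NIGHTLY", "user": "DBADM1", "objects": ["PAYROLL.SALARY"],
     "sql": "SELECT SUM(AMT) FROM PAYROLL.SALARY"},                            # dropped at stage 0
    {"conn_type": "DRDA", "plan": "APPPLAN", "user": "APPUSER", "objects": ["CUST.CARD"],
     "sql": "SELECT PAN FROM CUST.CARD WHERE ID = 7"},                         # dropped at stage 1
    {"conn_type": "TSO", "plan": "SPUFI", "user": "OUTSRC01", "objects": ["CUST.ADDR"],
     "sql": "SELECT CITY FROM CUST.ADDR"},                                     # dropped at stage 2
    {"conn_type": "TSO", "plan": "SPUFI", "user": "OUTSRC01", "objects": ["CUST.ADDR", "CUST.CARD"],
     "sql": "UPDATE CUST.CARD SET PAN = NULL WHERE ID = 9"},                   # forwarded
]


if __name__ == "__main__":
    fwd, dropped = filter_events(EVENTS)
    print(f"forwarded {len(fwd)}, dropped per stage {dropped}")
    for line in fwd:
        print("  ", line)
```

The trade-off to check before tuning such a policy is that a user or plan excluded at stage 0 or 1 never reaches the object test, so a "block privileged users only" policy quietly ignores an application account that has been granted direct access to the same sensitive table.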

Page 28

Policy Configuration

On the collector, the policy for a DB2 for z/OS subsystem specifies the connection types, plans, users and objects to audit.

Page 29

ibm.com/guardium