© 2015 IBM Corporation
IBM Security
Guardium Tech Talk:
Practical Tips for Managing Data Security Risk
using IBM Security Guardium
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at the speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions:
– We’ll go through existing questions in the chat
Guardium community on developerWorks
bit.ly/guardwiki
Information, training, and community
InfoSphere Guardium Tech Talks – at least one per month. Suggestions welcome!
InfoSphere Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
Guardium on IBM Knowledge Center (was Info Center)
Deployment Guide for InfoSphere Guardium Red Book
Technical training courses (classroom and self-paced, provided by Business Partners)
InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Not recorded!
Send a note to [email protected] if interested.
Reminder: Upcoming Guardium Tech Talk
July 30th, 2015: Guardium integration capabilities: A use-case based discussion and deep dive
Speaker: John Haldeman, Practice Lead, Information Insights, LLC
Register here! https://ibm.biz/BdXaJc
Links to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
What we’ll discuss
Understanding trends
Defining risk in corporate information flow
Quantifying risk and protection value
Managing the risk using Guardium
Scenarios and examples
Data Breaches …
2015 Ponemon Cost of Data Breach Study, http://www-03.ibm.com/security/data-breach/
Pie Chart 2 (figure): distribution of the benchmark sample by root cause of the data breach
Ponemon: Probability of a data breach: 1 in 4 companies…
The three major reasons contributing to a higher cost of data breach in 2015:
– Cyber attacks have increased in frequency and in the cost to remediate the consequences
– The consequences of lost business are having a greater impact on the cost of data breach
– Data breach costs associated with detection and escalation increased
2015 Cost of Data Breach Study, http://www-03.ibm.com/security/data-breach/
Anatomy of a breach
IBM Security Software Portfolio, simplistic view (figure)
Attack chain stages: Break-in, Latch-on, Expand, Gather, Exfiltrate
Control stages mapped against the attack chain: Prevent, Detect, Respond
The deficit gap is widening
Business Impact – How Long Will It Take To Discover? Will You Know They Are Inside?
In 60% of cases, attackers are able to compromise an organization within minutes [1]
[1] 2015 Verizon Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf
Recommendations
1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/
2. Look for suspicious activity (DAM)
– Hackers are inside networks long before organizations understand what is going on with their data: greater than 200 days (2015 Ponemon study)
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html
3. Have a plan for when data is exfiltrated (from the Ponemon Institute study, sponsored by IBM)
– http://www-03.ibm.com/security/data-breach/
4. Encryption covers a multitude of sins…
Risk By Type of User
3 Types of Security Controls Are Required For “Crown Jewels”
1. Application security controls
– Separation of duties between privileged application users and ordinary application users
2. Database security controls
– Continuously monitor direct access to the database, which bypasses the application controls
3. System administrator security controls
– Operating system controls to monitor file access, copy and modification
Risk
Most corporate functions are electronically automated
These functions live in databases. For example:
– HR
– Payroll
– Procurement
– Corporate intellectual property (IP)
– Customer data
– Health care information
– etc.
Create a risk methodology to help understand what is important and
how much it costs to protect different assets
5 Point Checklist to Help Quantify Risk and Protect Crown Jewels
1. Identify your Crown Jewels (top data assets) in your organization
2. Assign a value to these assets
3. Identify specific threats to these assets
4. Identify vulnerabilities to these assets
5. Calculate your risk score to determine appropriate security
controls
Risk depends on the asset values, threats and vulnerabilities
Let’s use a simple example as it relates to databases
PCI is a very common example, and we’ll relate this to credit card processing
Step 1 – Identify Your PCI Assets (Crown Jewels) In This Case
Identify all database servers that have PCI content
These servers will have an asset value of $1,000,000
Scan the network to discover all the database servers
Guardium agentless network scan (figure) of 10.10.9.*
Step 1 – Identify Your PCI Assets
Crawl each database to find out whether it holds any PCI data, using the Luhn algorithm
Predefined rule to identify PCI cardholder data using the Luhn algorithm:
– With a rule name containing “guardium://CREDIT_CARD” and a valid credit card number pattern in the Search Expression box, the classification policy will apply the Luhn algorithm to each match
– A valid credit card number is a string of 16 digits, or four sets of four digits with each set separated by a blank
Database discovery and sensitive data finder (Classifier) tech talk
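As an added illustration (not code from this deck or from Guardium), the following Python implements the check the predefined rule describes: a search expression for 16 digits or four blank-separated groups of four, with each match confirmed by the Luhn checksum, applied to a sample of rows the way a classifier crawl would. The table rows are constructed here and the column names are assumptions. The same pattern-plus-Luhn test is what an extrusion rule applies to a returned result set.

```python
import re

# Search expression from the deck's rule definition: 16 consecutive digits, or four
# groups of four digits separated by a single blank. The look-arounds stop a 17-digit
# run from matching as a 16-digit card number.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d{16}|\d{4}(?: \d{4}){3})(?!\d)")


def luhn_valid(digits):
    """True if a digit string passes the Luhn (mod 10) checksum used for PANs."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit: every second digit is doubled, and 9 is
    # subtracted when the doubled value exceeds 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(value):
    """Return the Luhn-valid card-number candidates found in one column value."""
    hits = []
    for m in CARD_PATTERN.finditer(value):
        digits = m.group(0).replace(" ", "")
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify_table(rows, sample_size=100):
    """Scan up to sample_size rows and return {column: number of Luhn-valid hits}.

    A classifier crawl samples rather than reads whole tables; columns that
    come back with hits are the ones to mark as PCI cardholder data.
    """
    counts = {}
    for row in rows[:sample_size]:
        for col, val in row.items():
            if val is None:
                continue
            n = len(find_card_numbers(str(val)))
            if n:
                counts[col] = counts.get(col, 0) + n
    return counts


# Constructed sample rows (column names are assumptions). 4111 1111 1111 1111 is a
# Luhn-valid test PAN; ...1112 fails the checksum; 1234567812345670 in the memo
# column is Luhn-valid but is not a card number, so expect a false positive there.
SAMPLE_ROWS = [
    {"id": 1, "name": "J Smith", "pan": "4111 1111 1111 1111", "memo": "ok"},
    {"id": 2, "name": "A Jones", "pan": "4111111111111111", "memo": "ref 1234567812345670"},
    {"id": 3, "name": "B Lee", "pan": "4111 1111 1111 1112", "memo": None},
]

if __name__ == "__main__":
    print(classify_table(SAMPLE_ROWS))  # {'pan': 2, 'memo': 1}
```

Luhn is a checksum, not proof that a value is a card number, so the hit in the memo column is the kind of false positive a classification report needs a human to dismiss; conversely, PANs stored with separators other than a blank, or tokenized, are not matched by this search expression and need their own rule.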
PCI Data Found On This Server – 10.10.9.56
Report (figure) answers: which server, and where on that server
We’ve Identified the Crown Jewels, Now Identify the Vulnerabilities and Threats
Vulnerabilities can be identified by security best practices
Based on industry standards: DISA STIG & CIS Benchmark
Extensive library of pre-built tests for all supported platforms
Customizable tests to address your specific corporate security policies
– Via custom operating system scripts, SQL queries, environment variables, etc.
Combination of tests ensures comprehensive coverage to support risk measurements:
1. Database settings – DB tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata): permissions, roles, configurations, versions, custom tests
2. Operating system – OS tier (Windows, Solaris, AIX, HP-UX, Linux, z/OS): configuration files, environment variables, registry settings, custom tests
Database user activity
• Getting Started with Vulnerability Assessment Tech talk
• Guardium Vulnerability Assessment Trial Download
Use Industry Best Practices Templates – STIG and CIS
Table columns: STIG section, STIG requirement, CIS section, CIS requirement, Guardium monitors. Rows:

STIG 2: DBMS Integrity
– STIG requirement: Monitor for current versions & patch levels; unauthorized changes; privileges granted to developers on production systems; ad hoc queries.
– CIS sections: 2, 12 (Oracle); 2 (SQL Server)
– CIS requirement: Installation and patch levels; creation of objects for unauthorized changes; monitor developer access to production; avoid ad-hoc queries on production databases; change control process.

STIG 3: Access Control
– STIG requirement: All actions traceable to a user; concept of least privilege (users, roles & applications); no shared accounts; no default accounts; lock accounts after 3 failed logins; minimum password strength; passwords changed every 90 days; restrict access by shared service accounts (connection pooling); all DBA accounts authorized by IAO.
– CIS sections: 2, 11 (Oracle); 1, 3, 4, 6, 8 (SQL Server)
– CIS requirement: No default accounts; passwords; DB hardening; guest accounts disabled; disable various extended stored procedures; SQL logins have strong passwords; assign permissions to roles rather than users; periodic scan of role members.

STIG 4: Database Auditing
– STIG requirement: Audit all DB operations with sufficient granularity to detect intrusive activity; monitor all DBA connections; ensure audit data only readable by authorized personnel; no unauthorized applications or batch jobs; unusual or suspicious patterns of activity; monitor changes to DB objects; review audit data daily; maintain audit data for 1 year.
– CIS sections: 12 (Oracle); 4, 5 (SQL Server)
– CIS requirement: Review DBA group membership; review and control which applications access the database; review audit info regularly; audit privileged user activity (object access, ownership, add DB user, etc.).

STIG 5: Network Access
– STIG requirement: Remote admin connections must be encrypted (& monitored); identify DB users when using connection pooling; separate DB accounts for replication; prevent developers from accessing sensitive data.
– CIS sections: 12 (Oracle); 1, 2 (SQL Server)
– CIS requirement: Encryption; change SQL Server default ports.

STIG 6: OS Permissions
– STIG requirement: Verify file permissions on DB executables, configuration files & data files; ensure only authorized DBAs are granted membership to DBMS privileged OS groups.
– CIS sections: 1 (Oracle); 1, 3 (SQL Server)
– CIS requirement: Windows registry; deny Guest OS group; OS benchmark configuration.
Guardium Risk Score For Vulnerabilities of This Asset
Report (figure) shows the overall risk score, a detailed scoring matrix, and historical progress or regression over time
Help mitigate risk by measuring progress and validating security controls
Next Step, Identify Additional Risks Like This Example
There are many types of risks
Unauthorized Users
– Anyone that can connect to the database to see the cardholder data
Unauthorized IP Addresses
– Only certain servers are allowed to communicate together
Unauthorized Programs
– Access by other programs bypasses other security controls
Monitoring Database Objects
– Only certain tables will contain sensitive information
(Figure: Joe, from 10.10.9.27, using MS Excel to reach the crown jewels directly, alongside the OnLineBanking application)
However, to simplify these risks, let’s call it an unauthorized “connection”
Identifying An Unauthorized Connection…
“Unauthorized connections” are a very familiar process in the credit card industry
Simplified example with credit cards
– “Unauthorized connection” = false charge on my credit card account
– Proactive notification of “unauthorized connections”
– Regular reporting to cardholders of “unauthorized connections”
Database Activity Monitoring (DAM) for unauthorized connections
– Proactive notification of “unauthorized connections”
– Regular reporting to stakeholders of “unauthorized connections”
Credit Card Best Practices
Proactive
Monitoring “unusual” transactions
– Countries you have never purchased in before
– Unusual “out of pattern” transactions
Post transaction reporting
Regular reports to cardholders (it’s your money!)
– Identify transactions not made by cardholder
– Identify overcharges
Proactive - Credit Card Best Practices
Proactive, real time:
– New transaction in an unusual country based on past purchasing pattern: 359.34 Latvian lats → “unauthorized connection”
– New transaction unusually high: $12,534.23 → “unauthorized connection”
Post Transaction Reporting Process for “Unauthorized Connections”
Credit card company summarizes information and produces a
report
Report is delivered to the cardholder on a predefined time period (i.e. monthly)
Cardholder reviews statement
– Sends payment based on all transactions that are on the statement
– Sends partial payment based on “disputed charges”
“Disputed charges” may identify unauthorized activities
“Disputed charges” are investigated and documented
Goal Of Reporting To Cardholders
Involve cardholder in the process
Reduce costs by preventing fraudulent charges
Quickly identify activity that cardholder did not perform
Increased accuracy - the cardholder knows the most intimate details of their activity
Scale: the credit card company uses few resources and leverages subject matter experts in their process to be more efficient
Database Activity Monitoring Best Practices - Proactive
Known:
– Application Name (OnLineBanking)
– Application Server IP Address (10.10.9.244)
– Database user (APPUSER)
Unknown (figure: Joe using SQLPlus from 10.10.9.27):
– NOT IP Address 10.10.9.244 (i.e. 10.10.9.27)
– NOT Database user APPUSER (i.e. Joe)
– NOT “OnLineBanking” Application name (i.e. SQLPlus)
Proactive policies can highlight
– Fraudulent activity quickly
– Improper operational procedures (i.e. outdated scripts, direct database access, unauthorized applications, etc.)
• YouTube video demo on Connection Profiling
Report of Unauthorized Connections…Application Owners Are Critical to the Process
A Different Perspective…“Unauthorized Connections”
Report (figure) breaks the same connections down by unauthorized application, unauthorized client IP and unauthorized DB users
Approval And Sign Off
One “unauthorized connection” is fully investigated
This Example Shows “Unauthorized Connections”
For each unauthorized connection, you add to your risk score
To reduce your risk score, stakeholders will “justify” the connection
as a valid and legitimate connection for their application
Simple “connection” reporting is very effective to highlight
unauthorized application access
Use workflow to ensure reporting process is being followed and
documented
More details for risk tables…
Defining Risk Tables
Threats to the database can come from many places
Start with a “coarse” level analysis and refine it over time to become more granular
There are many complex risk formulas and processes, but start with a simplistic approach to get something working for your organization’s uniqueness
Defining a small group of risk tables helps you quantify what you are protecting, and the risk based on these different attributes. Here’s a sample:
– Asset Risk – How valuable is the asset that I’m trying to protect?
• SOX, PCI, HIPAA, corporate marketing plans, corporate mergers and acquisitions, etc.
– User Risk – What roles do these users have?
• Database user, application developer, application user, power application user, unknown user, etc.
– Object Risk – How sensitive is this piece of data within the database?
• SSN vs cardholder information for PCI vs patient records vs country ID vs mailing address vs mother’s maiden name, etc.
– Application Risk – How should this data be accessed, by what application?
• Accessing through the SAP system is different than a direct database connection with SQL*Plus or TOAD
– IP Address Risk – What IP address made this connection?
• Different IP addresses have different levels of security (i.e. behind firewalls, DMZ, in a “trusted zone”, external Internet, etc.)
Defining Risk Tables – Asset Risk
Assign a risk rating for your critical assets
Put an asset cost on each so that you understand how much protection to allocate to this asset
SQL> select * from assetRisk order by riskvalue;
ID SERVERIP SERVERDESC RISKVALUE RISKRATING ASSETCOST
---------- --------------- ------------------------- ---------- ---------- ------------
1 10.10.9.56 PCI Server 1 high 1,000,000
2 10.10.9.59 Corporate Strategy 1 high 2,000,000
3 10.10.9.252 SOX Server 1 high 500,000
4 10.10.9.58 HIPAA Server 1 high 900,000
5 10.10.9.58 Retail Banking 1 high 10,000,000
6 10.10.9.68 Development Server 2 medium 400,000
7 10.10.9.69 QA Server 2 medium 200,000
8 10.10.9.78 Training Server 3 low 100,000
9 10.10.9.79 SiteLocation Server 3 low 200,000
9 rows selected.
SQL>
Depending on the asset class, we will assign cost
for these assets
Optionally Identify Server Processing Power in Your Risk Score
The number of CPUs can be tracked via the Tap Monitor CPU Tracker
Defining Risk Tables – Employee Risk
Create a UserRisk table
Assign risk based on department – riskRating:
• 1 (high)
• 2 (medium)
• 3 (low)
SQL> select * from Employee;
ID USERNAME DBUSER DEPTNUM DEPTNAME
---------- --------------- --------------- ------- -------------------------
1 Joe DiPietro joe 10 Database Engineering
2 John Smith john 20 Application Development
3 Sally Johnson sally 30 Business Analytics
4 Ron Harrison ron 40 Retail Banking LOB
SQL> select * from userRisk order by riskvalue;
ID EMPID DEPTNUM RISKVALUE RISKRATING
---------- ---------- ------- ---------- --------
1 1 10 1 high
2 2 20 1 high
3 3 30 2 medium
4 4 40 3 low
SQL>
Depending on the department name, we will assign risk for these users connecting to the database:
– Database Engineering = privileged users (high risk)
– Application Development = privileged users (high risk)
– Business Analytics = power application users (medium risk)
– Retail Banking = application users (low risk)
DB2 Entitlement Reports
Joe has a high risk, based on his role and privileges (entitlements) in the database
– Column-level privileges on the Creditcard object that contains PCI Primary Account Numbers (PAN)
– If this account is compromised, or this “authorized” user performs “unauthorized activities”, your data is in jeopardy
– Monitoring Joe’s activities is critical to validate his actions
Defining Risk Tables – Object and Application Risk
SQL> select * from objectRisk order by riskvalue;
ID OBJECTNAME OBJECTDESC RISKVALUE RISKRATING
---------- --------------- ------------------------- ---------- --------
1 creditcard Holds Creditcard Info 1 high
3 accountNum Holds account numbers 1 high
4 address Holds Address Info 2 medium
5 policyValue Holds Total Policy Value 2 medium
SQL> select * from appNameRisk order by riskvalue;
ID APPNAME APPDESC RISKVALUE RISKRATING
---------- --------------- ---------------------------- ---------- --------
4 toad Toad - DBA tool 1 high
3 excel Microsoft Excel 1 high
5 sqlplus SQLPlus -Oracle DBA tool 1 high
2 retailBanking Retail Banking Application 3 low
1 retailBanking Retail Banking Application 3 low
3 retailBanking Retail Banking Application 3 low
6 rows selected.
Depending on the object (table), we will assign a risk rating
Depending on the application, we will assign a risk rating
* Identifying critical tables is essential in creating a risk profile
** Identifying the “authorized” applications that access these critical tables will help validate your security controls
Different IP Networks Have Different Security
Core network
DMZ network
Partner network
Classified network
Internet
Identify Risk of Connections with Different Categories of IP Address
Guardium’s Access Map dynamically draws
network diagram based on timeframe of access!
Defining Risk Tables
SQL> select * from ipAddressRisk order by riskvalue;
ID IPADDRESS IPDESC RISKVALUE RISKRATING
---------- ---------------- ------------------------------------------------- ---------- --------
11 10.10.9.241 DMZ: Web Servers group 2 medium
10 10.10.9.240 DMZ: Web Servers group 2 medium
12 10.10.9.242 DMZ: Web Servers group 2 medium
4 10.10.9.58 Authorized Client IP: HIPAA Server 3 low
5 10.10.9.58 Authorized Client IP: Retail Banking 3 low
7 10.10.9.69 Authorized Client IP: QA Server 3 low
8 10.10.9.78 Authorized Client IP: Training Server 3 low
9 10.10.9.79 Authorized Client IP: SiteLocation Server 3 low
3 10.10.9.252 Authorized Client IP: SOX Server 3 low
2 10.10.9.59 Authorized Client IP: Corporate Strategy 3 low
1 10.10.9.56 Authorized Client IP: PCI and Retail Banking App 3 low
6 10.10.9.68 Authorized Client IP: Development Server 3 low
12 rows selected.
SQL>
Depending on the IP address, we will assign a risk rating
Now Score The “Unauthorized Connection” Based on the Risk Tables
The unauthorized connection from the earlier report is scored on three attributes: unauthorized application, unauthorized client IP and unauthorized DB user
Calculating Risk
Scale: High = 1, Medium = 2, Low = 3, so a lower total means a riskier connection. Baseline: 7
Connection under review: Joe, a “high risk” user based on the entitlement report, using MS Excel, an unauthorized “high risk” application connecting directly to the database, from 10.70.147.57 on the core network (not the “classified” network)
– Joe – privileged user – 1 (High)
– Unauthorized network – 1 (High)
– Unauthorized application – 1 (High)
– Total risk score: 3
Security policy: all connections scoring 7 or lower shall be monitored and audited
Other Connections…
Joe – total risk score 3
– Joe – privileged user – 1 (High)
– Unauthorized network – 1 (High)
– Unauthorized application – 1 (High)
Administrator – total risk score 7
– Administrator – privileged user – 1 (High)
– Authorized network – 3 (Low)
– Authorized application – 3 (Low)
JOCONNOR – total risk score 9
– JOCONNOR – application user – 3 (Low)
– Authorized network – 3 (Low)
– Authorized application – 3 (Low)
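The scoring behind these three breakdowns, worked as an added Python example (not code from this deck or from Guardium). The lookup tables are constructed from the deck's sample risk tables; JOCONNOR is added to the employee table as a Retail Banking application user; unknown users, IPs and applications default to high risk; and the blocking threshold of 4 is this example's reading of the S-GATE slide's “risk over 4”, stated as an assumption. The justify step models the stakeholder sign-off that turns an unauthorized connection into an authorized one and lowers its score.

```python
# Scale from the deck: 1 = high, 2 = medium, 3 = low. Three attributes are summed,
# so the LOWER the total, the riskier the connection (3 = worst, 9 = best).
HIGH, MEDIUM, LOW = 1, 2, 3

MONITOR_THRESHOLD = 7  # deck policy: connections scoring 7 or lower are monitored and audited
BLOCK_THRESHOLD = 4    # assumption: S-GATE blocks at 4 or lower (at least two high-risk attributes)

# Constructed from the deck's sample tables; JOCONNOR added as a Retail Banking app user.
EMPLOYEE = {"joe": 10, "john": 20, "sally": 30, "ron": 40, "joconnor": 40}   # DB user -> dept
USER_RISK = {10: HIGH, 20: HIGH, 30: MEDIUM, 40: LOW}                         # dept -> risk
APP_RISK = {"toad": HIGH, "excel": HIGH, "sqlplus": HIGH, "retailbanking": LOW}
IP_RISK = {
    "10.10.9.240": MEDIUM, "10.10.9.241": MEDIUM, "10.10.9.242": MEDIUM,         # DMZ web servers
    "10.10.9.56": LOW, "10.10.9.58": LOW, "10.10.9.59": LOW, "10.10.9.68": LOW,  # authorized client IPs
    "10.10.9.69": LOW, "10.10.9.78": LOW, "10.10.9.79": LOW, "10.10.9.252": LOW,
}


def disposition(total):
    """Map a total score to the action the policy takes."""
    if total <= BLOCK_THRESHOLD:
        return "block"
    if total <= MONITOR_THRESHOLD:
        return "monitor and audit"
    return "normal"


class RiskModel:
    """Scores a connection (DB user, client IP, application) against the risk tables."""

    def __init__(self):
        # Copies, so that justifications change this model only.
        self.employee = dict(EMPLOYEE)
        self.user_risk = dict(USER_RISK)
        self.app_risk = dict(APP_RISK)
        self.ip_risk = dict(IP_RISK)

    def score(self, db_user, client_ip, app_name):
        """Return (total, breakdown). Anything absent from a table is unknown and counts as HIGH."""
        dept = self.employee.get(db_user.lower())
        breakdown = {
            "user": self.user_risk.get(dept, HIGH),
            "network": self.ip_risk.get(client_ip, HIGH),
            "application": self.app_risk.get(app_name.lower(), HIGH),
        }
        return sum(breakdown.values()), breakdown

    def justify(self, client_ip=None, app_name=None):
        """Stakeholder sign-off: record an IP and/or application as authorized (LOW)."""
        if client_ip:
            self.ip_risk[client_ip] = LOW
        if app_name:
            self.app_risk[app_name.lower()] = LOW

    def rank(self, connections):
        """Return (db_user, client_ip, app_name, total, action) tuples, riskiest first."""
        scored = []
        for db_user, client_ip, app_name in connections:
            total, _ = self.score(db_user, client_ip, app_name)
            scored.append((db_user, client_ip, app_name, total, disposition(total)))
        return sorted(scored, key=lambda row: row[3])


if __name__ == "__main__":
    model = RiskModel()
    observed = [  # constructed connection log: (DB user, client IP, application)
        ("joe", "10.10.9.27", "excel"),
        ("Administrator", "10.10.9.56", "retailBanking"),
        ("JOCONNOR", "10.10.9.56", "retailBanking"),
    ]
    for row in model.rank(observed):
        print(row)
```

Defaulting every unknown attribute to high risk is the deliberate choice here: a connection the tables have never seen is exactly the one the report should surface first, and the only way to lower its score is the documented justification step, which keeps the workflow the deck describes (report, investigate, sign off) in the loop.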
Creating Risk Map Based on IT Role
Matrix (figure) with the IT roles – System Administrator, Database Administrator, Application Developer, Application User, Privileged User, Information Security, Audit, Risk & Compliance – as both rows and columns; the cell marks are not reproduced here
Other Risk Concerns
1. Weak security
2. Unauthorized access to data
3. Unauthorized remote access
4. Inaccurate information
5. Erroneous or falsified data input
6. Misuse by authorized end users
7. Incomplete processing
8. Duplicate transactions
9. Untimely processing
10. Communications system failure
11. Inadequate training
12. Inadequate support
13. etc…
High Risk Connections - Eliminating Risk Over “4”
Proactively block connections from “unauthorized” IP addresses, high risk applications and/or users
S-GATE flow (figure): privileged users (for example an outsourced DBA) and application servers issue SQL → S-GATE holds the SQL while the policy is checked on the appliance → on a policy violation (“drop connection”) the session is terminated before the SQL reaches the database (Oracle, DB2, MySQL, Sybase, etc.)
Quick Review…3 Types of Security Controls Are Required For “Crown Jewels”
Risk By Type of User
1. Application security controls
– Separation of duties between privileged application users and ordinary application users
2. Database security controls
– Continuously monitor direct access to the database, which bypasses the application controls
3. System administrator security controls
– Operating system controls to monitor file access, copy and modification
Application Security Controls - Guardium For Application
Customer Service Representatives (CSRs) access company applications remotely
Guardium is installed in the middle to guarantee that application screens undergo a masking process
CSRs utilize the application as usual
Sensitive information unessential for CSR operation is masked out
Figure: outsourced call center → Guardium Masking Gateway → data center. The application holds Name: John Smith, SSN: 111-11-1111, Balance: $127.50; the CSR sees Name: John Smith, SSN: ******, Balance: $127.50
Guardium for Applications demo on PeopleSoft
Application Security Controls - AppScan
IBM Security AppScan Trial download
Database Controls Can Cover 3 Types of Rules
Figure: the client sends a SQL query to the database server; the server returns a result set, or an exception (i.e. SQL errors & more)
There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3. An exception rule evaluates exceptions returned by the server
System Admin Controls - Guardium Data Encryption (GDE)
Figure: a file holds clear-text file data (Name: J Smith, CCN: 60115793892, Exp Date: 04/04, Bal: $5,145,789, SSN: 514-73-8970) and file system metadata (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02). With GDE the file data is encrypted; in MetaClear mode the metadata stays readable so data management tools keep working, while block-level encryption covers the metadata as well
Protects Sensitive Information Without Disrupting Data Management
High-Performance Encryption
Root Access Control
Data Access as an Intended Privilege
Guardium Data Encryption Tech Talk (YouTube) (1 of 3)
Guardium Data Encryption (GDE) - System Administrator Controls (Deny, Encrypt, Audit, Permit)
WHO is attempting to access protected data?
– Configure the groups or applications that can access protected data
WHAT data is being accessed?
– Configure appropriate file and directory access
WHEN is the data being accessed?
– Configure a range of hours and days of the week for authorized access
HOW is the data being accessed?
– Configure the allowable file system operations on the data, e.g. read, write, delete, rename, by application or process, etc.
EFFECT: Permit; Deny; Encrypt; Audit
Example (figure): root users can
1. read the directory (/SAPDirectory), but the contents come back encrypted (e.g. $%#@!*(&^$%$%^&*()(*&^%$#@#$%^&*DFGHJTR#$) and the access is audited
2. not access the directory (/NoAccess) at all; access is blocked
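To make the WHO/WHAT/WHEN/HOW → EFFECT model concrete, here is an added Python example (not GDE's own policy language or code) of a first-match file-access policy evaluator. The rule set is constructed to reproduce the two root cases on the slide: root reading /SAPDirectory gets ciphertext and an audit record, root touching /NoAccess is denied. The sapadm and backup accounts, the time windows, and the reading of the “encrypt” effect as “allowed, but the caller sees ciphertext” are assumptions made for the example.

```python
import fnmatch
from datetime import datetime

# Effects as on the slide: permit, deny, encrypt, audit. "encrypt" here means the
# access succeeds but the caller receives ciphertext; "audit" adds a log record.
# Constructed policy, evaluated first-match; the final catch-all denies everything.
POLICY = [
    # who                what                 hours     weekdays (Mon=0)      how                                      effect
    {"who": {"sapadm"}, "what": "/SAPDirectory/*", "hours": (0, 24), "days": set(range(7)), "how": {"read", "write"},                     "effect": {"permit"}},
    {"who": {"backup"}, "what": "/SAPDirectory/*", "hours": (22, 4), "days": set(range(5)), "how": {"read"},                              "effect": {"encrypt"}},
    {"who": {"root"},   "what": "/SAPDirectory/*", "hours": (0, 24), "days": set(range(7)), "how": {"read"},                              "effect": {"encrypt", "audit"}},
    {"who": {"root"},   "what": "/NoAccess/*",     "hours": (0, 24), "days": set(range(7)), "how": {"read", "write", "delete", "rename"}, "effect": {"deny", "audit"}},
    {"who": {"*"},      "what": "*",               "hours": (0, 24), "days": set(range(7)), "how": {"read", "write", "delete", "rename"}, "effect": {"deny"}},
]


def in_window(hours, days, when):
    """WHEN check: weekday must be listed and the hour inside [start, end), wrapping past midnight."""
    if when.weekday() not in days:
        return False
    start, end = hours
    if start <= end:
        return start <= when.hour < end
    return when.hour >= start or when.hour < end


def evaluate(user, path, operation, when):
    """Return the effect set of the first rule whose WHO, WHAT, WHEN and HOW all match."""
    for rule in POLICY:
        who_ok = "*" in rule["who"] or user in rule["who"]
        what_ok = fnmatch.fnmatchcase(path, rule["what"])
        if who_ok and what_ok and operation in rule["how"] and in_window(rule["hours"], rule["days"], when):
            return rule["effect"]
    return {"deny"}


def read_file(user, path, when, contents):
    """Model a read: plaintext, a ciphertext placeholder, or PermissionError, per the policy."""
    effect = evaluate(user, path, "read", when)
    if "deny" in effect:
        raise PermissionError(f"{user} denied read of {path}")
    if "encrypt" in effect:
        return "<ciphertext>"  # stands in for the encrypted bytes root would see
    return contents


if __name__ == "__main__":
    tue_10am = datetime(2015, 7, 14, 10, 0)
    print(evaluate("root", "/SAPDirectory/cust.dat", "read", tue_10am))  # {'encrypt', 'audit'}
    print(read_file("sapadm", "/SAPDirectory/cust.dat", tue_10am, "Name: J Smith"))
```

Rule order is the security-relevant detail: root's encrypt rule is narrower than the catch-all deny and comes before it, so root keeps the ability to back up or move the files (data management is not disrupted) without ever seeing plaintext, which is what “root access control” on the previous slide amounts to.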
Operating System Switch User (“su”) To Gain Access
System administrators have a lot of power
• Be careful with “su”: after switching identity, actions are attributed to the target account, not to the person who switched
• Proactive policies are required
Use continuous monitoring to identify high risk users who can switch identity
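As an added example (not Guardium code), the following Python parses su events out of syslog lines and flags switches into privileged accounts by anyone not on an allow-list, plus failed attempts to switch to root. The log lines are constructed in the two shapes Linux su commonly writes (pam_unix session/auth lines and the classic “(to root) user on tty” line); the privileged-account list and the allow-list are assumptions.

```python
import re

# Two syslog shapes a Linux su writes for a successful switch, and the pam_unix line
# for a failed one. Constructed sample lines follow below.
SESSION_RE = re.compile(
    r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>\S+) by (?P<actor>[^(\s]+)"
)
CLASSIC_RE = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)")
FAIL_RE = re.compile(
    r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*?logname=(?P<actor>\S*).*?\suser=(?P<target>\S+)"  # "\suser=" skips the "ruser=" field
)

# Assumptions: OS accounts that own the DBMS or the host, and who may become each of them.
PRIVILEGED_TARGETS = {"root", "oracle", "db2inst1"}
AUTHORIZED_SWITCHERS = {"root": set(), "oracle": {"dba1"}, "db2inst1": {"dba1"}}


def parse_su_event(line):
    """Return {"outcome", "actor", "target"} for an su line, or None for anything else."""
    for outcome, rx in (("success", SESSION_RE), ("success", CLASSIC_RE), ("failure", FAIL_RE)):
        m = rx.search(line)
        if m:
            return {"outcome": outcome, "actor": m.group("actor"), "target": m.group("target")}
    return None


def su_alerts(lines):
    """Alerts as (actor, target, outcome): any failed or unauthorized switch to a privileged account."""
    alerts = []
    for line in lines:
        event = parse_su_event(line)
        if event is None or event["target"] not in PRIVILEGED_TARGETS:
            continue
        allowed = AUTHORIZED_SWITCHERS.get(event["target"], set())
        if event["outcome"] == "failure" or event["actor"] not in allowed:
            alerts.append((event["actor"], event["target"], event["outcome"]))
    return alerts


# Constructed log excerpt from a database host.
SAMPLE_LOG = [
    "Jul 14 10:02:11 dbhost su[2231]: pam_unix(su:session): session opened for user oracle by joe(uid=1001)",
    "Jul 14 10:03:05 dbhost su[2240]: pam_unix(su:session): session opened for user oracle by dba1(uid=1002)",
    "Jul 14 10:05:42 dbhost su[2290]: pam_unix(su:auth): authentication failure; logname=sally uid=1003 euid=0 tty=pts/2 ruser=sally rhost=  user=root",
    "Jul 14 10:06:01 dbhost su: (to root) sally on pts/2",
    "Jul 14 10:07:30 dbhost sshd[2400]: Accepted publickey for ron from 10.10.9.27 port 51022 ssh2",
    "Jul 14 10:08:12 dbhost su[2410]: pam_unix(su:session): session opened for user guest by ron(uid=1004)",
]

if __name__ == "__main__":
    for alert in su_alerts(SAMPLE_LOG):
        print(alert)
```

The actor field is what makes the alert useful: once the switch succeeds, the database and OS audit trails show only the target account (oracle, root), so the su record is the one place the real person is still named. A host-local log is also something root can edit or silence, which is the reason to ship these lines off the box and monitor them continuously rather than rely on the host's own copy.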
Summary
1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/
2. Look for suspicious activity (DAM)
– Hackers are inside networks long before organizations understand what is going on with their data: greater than 200 days (2015 Ponemon study)
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html
3. Have a plan for when data is exfiltrated (from the Ponemon Institute study, sponsored by IBM)
– http://www-03.ibm.com/security/data-breach/
4. Encryption covers a multitude of sins…
Learn and try
Learn more about some of what we talked about today:
• YouTube video demo on Connection Profiling (part 1 of 3)
• developerWorks article on Guardium PCI accelerator
• Outliers and Quick Search demo on YouTube
• Database discovery and sensitive data finder (Classifier) tech talk
• Getting Started with Vulnerability Assessment Tech talk
• Guardium for Applications demo on PeopleSoft
• Guardium Data Encryption Tech Talk (YouTube) (1 of 3)
And try:
• IBM Security AppScan Trial download
• Guardium Vulnerability Assessment Trial Download
Learn more
Understand risk and compliance mandates
– Whitepapers: Protect payment card data with InfoSphere; Help ensure HIPAA compliance with InfoSphere; Understanding encryption requirements of PCI DSS
– ebook: Managing compliance to protect enterprise data
Talk to your sales rep about holistic data security
– Whitepaper: Secure Enterprise Data & Ensure Compliance
– ROI Study: Forrester Total Economic Impact of InfoSphere Guardium
– Website: InfoSphere Guardium Database Security
Thank you: Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję
Use Extrusion Rules On Result Sets for Pattern Access
“Monitor for data access and exfiltration. Attackers who bypass perimeter controls become ‘trusted insiders’ in most organizations because the internal network is trusted and unmonitored. Deploy network analysis and visibility (NAV) tools to gain insight into how traffic is traversing your entire network.” [19]
guardium://CREDIT_CARD
Empty value: enter the special value guardium://empty to test for an empty value in the traffic. This is allowed only in the following fields: DB Name, DB User, App User, OS User, Src App, Event Type, Event User Name, and App Event Text.
Note: you can also use regular expressions in the following fields (DB User, App User, Src App, Field Name, Object, App Event Values Text) by typing the special value guardium://regexp/(regular expression) in the text box that corresponds to the field.
Most approaches to data security and compliance miss the mark
Do nothing … however:
– Limited time, lots of regulation, growing costs of compliance
– Requirements for privacy/security by user role add complexity
– $3.5M per year average cost of compliance
– $5.5M USD average cost of a data breach
– $194 USD average cost of a data breach per compromised record
– 28,349 average number of breached records per incident
– 94% of compromised records originated in database servers
Leverage home grown approaches … however:
– Manual approaches lead to higher risk and inefficiency
– Requirements for privacy/security by user role add complexity
– New sources of threats: outsourcing, web-facing applications, stolen credentials, insiders
Implement a holistic data protection strategy
“Don’t focus just on one or two databases but extend your efforts to become enterprise-wide — encompassing hundreds and thousands of databases.”
-- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc, July 13, 2011