TRANSCRIPT
© 2015 IBM Corporation
IBM Security
Guardium Tech Talk: IBM Security Guardium® and QRadar® – Enhancing insights using bidirectional integration
Walid Rjaibi
CTO, IBM Security Guardium
Johan Varno
Product Architect, IBM Security Integrator
September 8th, 2015
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at the speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions:
– We’ll go through existing questions in the chat
Guardium community on developerWorks
bit.ly/guardwiki
Reminder: Next Guardium Tech Talk
Links to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
Next tech talk: What's new in Guardium DAM V10: A Technical Overview
Speakers: Kathy Zeidenstein, Evangelist and Community Advocate; David Rozenblat, Director of Guardium Development
Date and time: Thursday, September 17th, 11:30 AM US Eastern
Register here: https://ibm.biz/BdX3Qx
Agenda
Data Security Drivers
Guardium & QRadar Overview
Guardium & QRadar Bi-directional Integration
Data Security Drivers
External Threats: Sharp rise in external attacks from non-traditional sources
– Cyber attack
– Organized crime
– Corporate espionage
– Government-sponsored attacks
– Social engineering
Internal Threats: Ongoing risk of careless and malicious insider behavior
– Administrative mistakes
– Careless inside behavior
– Internal breaches
– Disgruntled employees’ actions
– Mix of private / corporate data
Compliance: Growing need to address a steadily increasing number of mandates
– National regulations
– Industry standards
– Local mandates
Data Security Drivers
83% of CISOs say that the challenge posed by external threats has increased in the last three years
Data Security Drivers
2014: 25% more records leaked than 2013… insane!
Data Security Drivers
Minutes to compromise, months to discover and remediate*
[Chart: time span of events by percent of breaches, with Guardium and QRadar labels]
*Verizon data breach report 2012
Guardium Capabilities Overview
How to protect sensitive data to reduce risk?
Discover (data at rest): Where is the sensitive data? Capabilities: Discovery, Classification
Harden (configuration): How to secure the repository? Who should have access? Capabilities: Vulnerability Assessment, Entitlements Reporting
Monitor (data in motion): What is actually happening? Capability: Activity Monitoring
Protect: How to prevent unauthorized activities? How to protect sensitive data? Capabilities: Blocking, Dynamic Data Masking, Encryption
QRadar Capabilities Overview
IBM QRadar Security Intelligence Platform
Southbound APIs (inputs): real-time structured security data; unstructured operational / security data. Formats and objects shown: LEEF, AXIS, Configuration, NetFlow, Offense
Security Intelligence Operating System: Normalization, Warehouse, Archival, Analytics Engine, Reporting Engine, Workflow, Rules Engine, Real-Time Viewer
Northbound APIs
Solutions: Log Management, Security Intelligence, Network Activity Monitoring, Risk Management, Vulnerability Management, Network Forensics, Future
Traditional Guardium & QRadar Integration
Traditional Guardium & QRadar integration is a one-way information flow where Guardium sends alerts and Vulnerability Assessment (VA) reports to QRadar.
A one-way information flow
[Diagram: S-TAP agents on the data warehouse, file shares and big data sources report to Guardium; Guardium sends alerts & VA reports one way to QRadar]
Traditional Guardium & QRadar Integration
[Diagram: a bad actor at 10.0.1.8 issues SQL against Oracle, DB2, MySQL, Sybase, etc.; Guardium checks the policy on the appliance and sends a policy-violation alert to the IBM QRadar Security Intelligence Platform]
Common alerting use cases for databases:
• Failed logins
• Unauthorized access
• SQL error codes (e.g., SQL injection attacks)
• Users trying to escalate their privileges
• Users creating triggers and views to indirectly access sensitive data
The New Guardium & QRadar Integration
It is now possible to have the Guardium data protection policies updated automatically and nearly in real time in response to security intelligence events from QRadar.
A two-way information flow
[Diagram: S-TAP agents on the data warehouse, file shares and big data sources report to Guardium; Guardium sends alerts & VA reports to QRadar, and QRadar sends Guardium policy updates back]
The New Guardium & QRadar Integration
[Diagram: QRadar determines that machine 10.0.1.8 was compromised and instructs Guardium to block access from 10.0.1.8; when 10.0.1.8 issues SQL against Oracle, DB2, MySQL, Sybase, etc., Guardium checks the policy on the appliance, holds the SQL and terminates the connection]
Common use cases:
• Block access from a machine that became compromised
• Increase audit levels for access by a user id that became suspicious
• Increase audit levels for access by a privileged shared user id that was on-boarded in a Privileged Identity Management (PIM) system
The New Guardium & QRadar Integration
Scenario: QRadar determines that certain IP addresses are untrusted and that Guardium should block access from them.
Solution Architecture: The solution builds upon IBM Security Directory Integrator (SDI) to bridge QRadar and Guardium.
QRadar (intelligence sources, rules & events) forwards events to SDI over TCP/JSON; SDI updates Guardium over REST.
SDI processing:
1. Map from QRadar event to Guardium group
2. Select attribute in event payload to be added to Guardium group
3. Reload Guardium policy for change to take effect
Example mappings: QRadar Event1: Guardium groupXX, attributeYY, policyZZ; QRadar Event2: Guardium groupAA, attributeBB, policyCC
IBM Security Directory Integrator
The New Guardium & QRadar Integration
Solution Deployment: The solution requires SDI 7.1.1 or later with the latest fixpak installed.
1. Guardium
– Create the desired policy and associated group
– Set up a client ID and secret for SDI to invoke the Guardium REST API (Guardium REST API article: http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html)
2. QRadar
– Configure a forwarding destination
– Configure rules to dispatch QRadar events to the solution
3. Security Directory Integrator (SDI)
– Install the solution configuration files
The New Guardium & QRadar Integration
Solution Deployment: The SDI configuration files are available with an accompanying white paper on developerWorks. The customer copies these files to the configs sub-folder of the SDI Solution Directory.
Configuration files:
QRTrigger.xml: The SDI Config xml file containing the AssemblyLines and other assets used by the SDI Server to power the solution
QRTrigger.properties: Properties file that sets the ports used by the QRadar listener process, as well as the status REST service
QRGuardium.xml: The SDI Config xml file with the response logic for Guardium integration
QRGuardium.properties: Properties file for various settings needed to communicate with Guardium
eventAction.rules: Properties file that ties QRadar Events to the appropriate action to be taken
The New Guardium & QRadar Integration
QRGuardium.properties parameters:
guardium.url: The URL to the Guardium instance.
guardium.username: User name/id used to authenticate to Guardium.
guardium.password: Password associated with the username.
guardium.client.id: Client Id registered with Guardium.
guardium.client.secret: Client secret provided for the Client Id.
QRTrigger.properties parameters:
listener.port: The port used by the QRListener AL to receive incoming TCP messages from QRadar. The default value is 1198.
metrics.port: The port used by the Metrics AL to accept incoming HTTP client GET requests. The default value is 1598.
The New Guardium & QRadar Integration
Starting the solution: The solution is started by navigating to the SDI (formerly TDI) installation directory and executing the following command.
On Windows:
    ibmdisrv -c configs/QRTrigger.xml -d
On Unix:
    ./ibmdisrv -c configs/QRTrigger.xml -d
Slide walkthrough demo
The New Guardium & QRadar Integration
QRadar Dashboard…
The New Guardium & QRadar Integration
Configure QRadar Events for Forwarding…
The New Guardium & QRadar Integration
Configure Guardium policy to use the group that will be written to
The New Guardium & QRadar Integration
Mapping QRadar Events to Actions in Guardium…
Ignore most events. Process the event named “Data Leak Prevention Detected”: add the IP address in QRadar field “src” to Guardium group “Server_IP” and reload Guardium policy “ServerBlackList” so that it picks up the new group member.
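As an added illustration (not IBM's SDI configuration or code), the following Python models the three SDI steps from the architecture slide (map event to group, select the payload attribute, reload the policy) together with the mapping on this slide. The JSON event shape, the rules dictionary and the GuardiumClient stub are assumptions standing in for the QRadar forwarder and the Guardium REST API; the rejected-value branch shows why a blocklist feed should validate what it adds.

```python
import ipaddress
import json

# Constructed rules in the spirit of eventAction.rules: QRadar event name ->
# Guardium group, payload attribute to add, policy to reload. Unlisted events
# are ignored ("Ignore most events" in the demo).
RULES = {"Data Leak Prevention Detected": {
    "group": "Server_IP", "attribute": "src", "policy": "ServerBlackList"}}

class GuardiumClient:  # hypothetical in-memory stand-in for Guardium REST calls
    def __init__(self):
        self.groups = {}      # group name -> set of members
        self.reloaded = []    # policies reloaded, in order
    def add_to_group(self, group, member):
        members = self.groups.setdefault(group, set())
        if member in members:
            return False      # already present: no reload needed
        members.add(member)
        return True
    def reload_policy(self, policy):
        self.reloaded.append(policy)

def handle_event(raw_json, client, rules=RULES):
    """Steps 1-3 of the slide for one TCP/JSON event; returns an audit line."""
    event = json.loads(raw_json)
    rule = rules.get(event.get("eventName"))
    if rule is None:
        return None                                 # step 1: not mapped
    value = event.get(rule["attribute"])            # step 2: pick attribute
    try:
        member = str(ipaddress.ip_address(value))   # only IPs reach a blocklist
    except ValueError:
        return f"rejected {value!r} for group {rule['group']}"
    if client.add_to_group(rule["group"], member):
        client.reload_policy(rule["policy"])        # step 3: reload policy
        return f"added {member} to {rule['group']}; reloaded {rule['policy']}"
    return f"{member} already in {rule['group']}"

# Constructed sample of events QRadar might forward (JSON shape is assumed).
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"eventName": "Data Leak Prevention Detected", "src": "10.0.1.8"},
    {"eventName": "Login Failure", "src": "10.0.1.9"},
    {"eventName": "Data Leak Prevention Detected", "src": "10.0.1.8"},
    {"eventName": "Data Leak Prevention Detected", "src": "bad"},
)]

def run_demo(events=SAMPLE_EVENTS):  # returns (client, audit log lines)
    client = GuardiumClient()
    log = [r for r in (handle_event(e, client) for e in events) if r]
    return client, log
```

Running run_demo() adds 10.0.1.8 to Server_IP once, reloads ServerBlackList once, ignores the unmapped login failure and rejects the non-IP value.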
The New Guardium & QRadar Integration
Guardium Policy Group is initially empty
The New Guardium & QRadar Integration
Starting the solution…
SDI starts and loads the QRTrigger solution which listens for TCP messages from QRadar
The New Guardium & QRadar Integration
The QR-listener is receiving messages and adding them to the Guardium group
The New Guardium & QRadar Integration
Verify that Guardium groups have been updated
Summary
Near real-time, automated threat remediation to protect sensitive corporate data based on QRadar best-of-breed security intelligence
Sensitive data protected in near real time against new threats by a single automated central policy update that applies to all sensitive data targets protected by Guardium
Significantly reduces the time between threat discovery and threat remediation
Flexible solution that can address many security scenarios
Sample Use Cases
Possible attack through the application: Several login failures to an application (e.g. SAP) could indicate someone to look out for at the database layer and heighten controls on databases connected to the SAP resource.
Detect database attacks before reaching the DB: Detection of an SQL injection at the network or application layer can help apply blocking rules to data extraction.
Virtual patching remediation: Detecting vulnerabilities at the application layer can help put rules in place to be on the lookout for exploitation.
Resources
Installation and Configuration guide: Updating Guardium Policies based on events from QRadar: https://ibm.biz/BdXMsK
developerWorks article on using Guardium REST APIs: http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html
Guardium and QRadar integration overview and demo: https://www.youtube.com/watch?v=M0P12R2Kkjc
Guardium and QRadar integration configuration: https://www.youtube.com/watch?v=IA4UbJnN9KE
Video demo: QRadar and Guardium Vulnerability Tests: http://www.ibm.com/developerworks/library/se-gqradar/index.html
Guardium, QRadar and Privileged Identity Manager Integration demo: https://www.youtube.com/watch?v=TedDkWnAArc
Guardium Knowledge Center topic on customizing LEEF format and sending alerts and audit results to QRadar: http://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/administer/topics/configuring_global_profile.html?lang=en
Information, training, and community cheat sheet
Guardium Tech Talks – at least one per month. Suggestions welcome!
Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
Guardium on IBM Knowledge Center (was Info Center)
Deployment Guide for InfoSphere Guardium Red Book
Technical training courses (classroom and self-paced, provided by Business Partners)
InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Not recorded!
Send a note to [email protected] if interested.
Thank you: Gracias, Merci, Grazie, Obrigado, Danke, Tack, Dziękuję (also shown in Japanese, Russian, Arabic, Traditional and Simplified Chinese, and Thai)