
© 2015 IBM Corporation

4 Things to Know about the New Guardium V10 for z/OS

Howie Hirsch, Senior IT Specialist – Guardium for z/OS, IBM Security

Barry Davis, Senior Product Specialist, Database Tools Monitoring Compliance z/OS Lab, Rocket Software

Guardium Tech Talk, December 3, 2015


Next tech talk: sometime next year!


Agenda

Why Guardium for z is critical

Guardium appliance enhancements for ease of use

What’s new in Guardium for DB2 for z/OS

What’s new in Guardium for IMS

What’s new in Guardium for Data Sets


Applications by the numbers

Mainframe legacy applications represent a massive exposure of core business information and functions.

2/3 of ALL business transactions for U.S. retail banks run directly on mainframes

Who runs DB2 on z/OS?

– 1 million active COBOL programs
– 80% active COBOL code
– 250+ billion lines of COBOL code today
– 65 of the world’s top banks
– 24 of the top 25 U.S. retailers
– 10 of the top 10 global insurance providers

“Millions of users unknowingly activate CICS every day, and if it were to disappear the world economy would grind to a halt.”

Phil Manchester, Personal Computing Magazine


Key concerns

Mainframe customers are more vulnerable than ever

“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have significantly impacted security.”

Meenu Gupta, President, Mittal Technologies Inc.

50% concerned with privileged insiders
21% concerned with advanced persistent threats
29% concerned with web-enabled z/OS apps
86% of customers agree that deploying multiple layers of defense provides the best mainframe protection

The solution…


But… System z is already secure… why do we need more?

Separation of duties
– Privileged users’ “need to know” vs abuse or mistake
– Trace-based auditing controlled by privileged users
– SAF plays a vital role in protection of data on z/OS, but is not tamper-resistant and actionable

Achieving audit readiness is labor-intensive and introduces latency
– RACF lacks sufficient granularity for reporting
– DB2 Audit Trace significantly improved in V10+, but still requires externalization to SMF and customer-provided reporting infrastructure

Real time event collection
– Batch processing of audit data from external sources prevents real time alerts


Guardium uses intelligence and automation to safeguard data

PROTECT: Complete protection for sensitive data, including compliance automation

ADAPT: Seamlessly handle changes within your IT environment

ANALYZE: Automatically discover critical data and uncover risk

IBM CONFIDENTIAL: NDA until August 25, 2015


Appliance-side experience


UI simplification and modernization

– Assignable tasks with SOD
– Customizable reports
– Guided processes
– At-a-glance operational dashboards
– Enterprise-wide Quick Search
– Drill-down analytics


Guardium for DB2 for z/OS


What’s new in IBM Security Guardium S-TAP for DB2 on z/OS V10: Summary

Performance, scalability, and availability improvements

– Reduce IFI Audit trace collection activity

– Change default for STAGE1_FILTER parameter from ‘N’ to ‘Y’

– Stream multiple streams of audit events to multiple appliances

– HOT FAILOVER: status is kept active for all connection types

Improved data collection and filtering capabilities

– Control collection of HOST Variables

– Failed access / negative SQL support

– Database filters

– Commit/rollback collection

– Capture CICS login user

Enhanced data protection

– Quarantine SQL activity


Reduce IFI Audit trace collection activity

Use case: Reduce use of the Instrumentation Facility Interface (IFI) to collect data, because of its overhead and for separation of duties

Use the common collector instead of IFI to collect the following activities:

– COMMANDS

– SQL Events that result in a negative SQL code

– SET CURRENT SQLID


Reduce IFI Audit trace collection activity

DB2 STAP has been using the IFI Audit Trace to collect the following audit events:

• “Grant and Revokes” (Audit Trace class 2) – replaced with ASC collection V9.1 GA
• “DB2 Commands” (IFCID 90 and 91) – replaced with ASC collection V10.0 GA
• “All Failed Authorizations” (Audit Trace class 1) – replaced with ASC negative SQL collection V10.0 GA
• “Failed AuthId Changes” (Audit Trace class 1) – replaced with ASC negative SQL collection V10.0 GA
• “Set Current SQLID” (Audit Trace class 7 IFCID 55, 83, 87, 169)
  – IFCID 55 replaced with ASC collection V10.0 GA.


Change default for STAGE1_FILTER parameter from ‘N’ to ‘Y’

Use case: Want to filter as soon as possible to improve performance

STAGE1_FILTER controls where and how the filtering of AUDIT events occurs
– If set to Y, filter processing is completed at an earlier point
– In most filtering situations, STAGE1 filtering results in improved performance
– You no longer need to modify the ADHPARM configuration file

Parameter syntax: STAGE1_FILTER(Y)


Multi-stream multi-appliance support

When multi-stream mode is enabled, S-TAP audit events can be spread over multiple connected appliances.

The maximum number of multi-stream appliances that are supported is six
– (APPLIANCE_SERVER + APPLIANCE_SERVER_n where n can be 1 - 5)

New parameters in OPTIONS (ADHPARM) member
– APPLIANCE_SERVER_LIST(FAILOVER|MULTI_STREAM|HOT_FAILOVER)
– When APPLIANCE_SERVER_LIST is set to FAILOVER
  • only a single appliance connection is active at one time
– When APPLIANCE_SERVER_LIST is set to MULTI_STREAM
  • an appliance connection is established for each server listed


Figure: Multi-stream, multi-appliance load distribution. A Database S-TAP on z/OS sends event batches A, B, C, D and E (each <=200 events) to three Guardium Collectors, and a Guardium Aggregator merges them.

S-TAP load balances events to different collectors using a round-robin approach. Each send of a mega buffer is <=200 events using default settings.

Use aggregation to merge events for reporting and analysis.


HOT_FAILOVER support ( Enhancement APAR PI33682 )

When ‘HOT_FAILOVER’ mode is enabled, status is kept active for all connection types to all appliances.

The maximum number of ‘HOT FAILOVER’ appliances is six
– (APPLIANCE_SERVER + APPLIANCE_SERVER_n where n can be 1 - 5)

New value (HOT_FAILOVER) for the APPLIANCE_SERVER_LIST parameter in OPTIONS (ADHPARM) member
– Example: APPLIANCE_SERVER_LIST(HOT_FAILOVER)

As with legacy FAILOVER, audit data is streamed to only one ‘active’ appliance.

When using HOT_FAILOVER, it is not required to have a policy on the HOT_FAILOVER device.

APAR PI33682 available in June 2015 for STAP V9.x.
– Included in STAP V10 GA.


Control collection of HOST Variables

Use cases:
– Collection of host variables for some orgs is a security risk because they contain ‘data’.
– Reduce performance impact of collecting them.

Defaults:
– Prior to V10: host variables were collected by default
– V10 default changed: host variables are not collected

To include them:
– Specify, on a per-rule basis, whether host variable information will be sent to the appliance for activity that matches that rule

No new parameters


Control collection of HOST Variables (continued)


Failed Access / Negative SQL Support

Use case: User wants to include or exclude negative SQL codes

Create a list of SQL codes in the UI to include or exclude
– INCLUDE: any SQL activity that fails with a SQLCODE in the list will be collected
– EXCLUDE: any SQL activity that fails with a SQLCODE not in the list will be collected

A policy can only contain all “includes” or all “excludes.”

No other filter criteria can be ANDed with the SQLCODE filter rule

No new parameters


Failed Access / Negative SQL Support (Continued)



Filter by DBName

Use case: You can specify database name filters, on a per-rule basis, to be part of the current SQL Activity filters.
– Included and excluded operations are supported.
– Wildcarding is supported.

Database filters
– Expand filters to support database name including wildcarding

No new parameters
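The two per-rule filters just described, the Failed Access / Negative SQL rule and the database-name filter, behave in ways that are easy to get wrong when writing a policy: a SQLCODE rule is all INCLUDE or all EXCLUDE, it cannot be ANDed with other criteria, and only failures (negative SQLCODEs) are ever candidates. The following is an added example, not Guardium code, that models both rules with those constraints and checks a policy before it is pushed down. The sample events, the database names, and the use of '*' as the wildcard character are assumptions made for the example (the slides only say that wildcarding is supported); the SQLCODEs used are standard DB2 codes.

```python
# Added illustration (not Guardium code): a model of the two V10 S-TAP for DB2
# filter rules described above, with the constraints the slides state.
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional


class PolicyError(ValueError):
    """A rule that breaks a constraint the slides state for these filters."""


class SqlCodeRule:
    """Failed Access / Negative SQL rule.

    INCLUDE collects failed SQL whose SQLCODE is in the list; EXCLUDE collects
    failed SQL whose SQLCODE is not in the list. A policy is all includes or
    all excludes, and no other criteria may be ANDed with the SQLCODE rule,
    so both violations are rejected up front rather than at collection time.
    """

    def __init__(self, mode: str, sqlcodes: Iterable[int],
                 other_criteria: Optional[Dict[str, str]] = None) -> None:
        if mode not in ("INCLUDE", "EXCLUDE"):
            raise PolicyError("a SQLCODE rule is either INCLUDE or EXCLUDE")
        if other_criteria:
            raise PolicyError("no other filter criteria can be ANDed with a SQLCODE rule")
        self.mode = mode
        self.codes = frozenset(sqlcodes)
        if any(code >= 0 for code in self.codes):
            raise PolicyError("SQLCODE lists hold negative (failure) codes only")

    def collects(self, event: Dict) -> bool:
        code = event["sqlcode"]
        if code >= 0:               # successful SQL (or +100 end-of-data) is not a failed access
            return False
        listed = code in self.codes
        return listed if self.mode == "INCLUDE" else not listed


class DbNameRule:
    """Per-rule database-name filter. Assumption: '*' is the wildcard and
    matching is glob-style; the slides only say wildcarding is supported."""

    def __init__(self, patterns: Iterable[str], mode: str = "INCLUDE") -> None:
        if mode not in ("INCLUDE", "EXCLUDE"):
            raise PolicyError("a DB name rule is either INCLUDE or EXCLUDE")
        self.mode = mode
        self.patterns = [p.upper() for p in patterns]   # DB2 database names are upper case

    def collects(self, event: Dict) -> bool:
        matched = any(fnmatchcase(event["dbname"].upper(), p) for p in self.patterns)
        return matched if self.mode == "INCLUDE" else not matched


def apply_rule(rule, events: List[Dict]) -> List[str]:
    """Return the ids of the events the rule would send to the appliance."""
    return [e["id"] for e in events if rule.collects(e)]


def validate_sqlcode_rule(mode: str, sqlcodes: Iterable[int],
                          other_criteria: Optional[Dict[str, str]] = None) -> str:
    """'ok' or the reason the rule is invalid; lets a policy be checked before pushdown."""
    try:
        SqlCodeRule(mode, sqlcodes, other_criteria)
    except PolicyError as err:
        return str(err)
    return "ok"


# Constructed sample events, not real audit data. SQLCODEs are standard DB2
# codes: -551 not authorized, -204 object not found, -911 deadlock/timeout
# rollback, +100 end of data (not a failure).
SAMPLE_EVENTS = [
    {"id": "e1", "sqlcode": 0,    "dbname": "PAYROLL", "sql": "SELECT * FROM PAY.EMP"},
    {"id": "e2", "sqlcode": -551, "dbname": "PAYROLL", "sql": "SELECT * FROM PAY.SALARY"},
    {"id": "e3", "sqlcode": -204, "dbname": "TESTDB",  "sql": "SELECT * FROM NOSUCH.TAB"},
    {"id": "e4", "sqlcode": -911, "dbname": "ORDERS",  "sql": "UPDATE ORD.HDR SET QTY = 1"},
    {"id": "e5", "sqlcode": 100,  "dbname": "ORDERS",  "sql": "FETCH C1"},
]

if __name__ == "__main__":
    print(apply_rule(SqlCodeRule("INCLUDE", [-551, -204]), SAMPLE_EVENTS))   # ['e2', 'e3']
    print(apply_rule(SqlCodeRule("EXCLUDE", [-204]), SAMPLE_EVENTS))         # ['e2', 'e4']
    print(apply_rule(DbNameRule(["PAY*"]), SAMPLE_EVENTS))                   # ['e1', 'e2']
    print(validate_sqlcode_rule("INCLUDE", [-551], {"dbname": "PAY*"}))      # rejected: ANDed criteria
```

The point of the up-front validation is that a SQLCODE rule combined with a database-name criterion is not a narrower rule, it is an invalid one; catching that before pushdown avoids a policy that silently collects nothing.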


Filter by DBName (continued)



Collecting COMMIT and ROLLBACK events

Security Guardium S-TAP for DB2 now enables you to collect COMMIT and ROLLBACK events
– You can enable the collection of COMMIT and ROLLBACK events by setting the COLLECT_COMMIT_ROLLBACK parameter to Y. (The default setting is N.)
– If enabled, all COMMIT and ROLLBACK events are streamed to the Guardium appliance.
– They are not subjected to STAGE 1 filtering.

Important: Collection of these events can potentially significantly increase the number of events sent to the appliance. The increase will depend on the number of commit events in the applications, which in some situations may be extensive.


CICS Userid Support

Use Case: Capture and report the CICS Login User ID

Support for: CICS versions TS 4.2, TS 5.1, and TS 5.2

Setup:
– Enable CICS Login User ID Reporting by adding the CICS_USERID parameter to the ADHPARM file and setting the parameter to Y. Example: CICS_USERID(Y)
  • The default value (N) indicates that CICS Login User ID Reporting is not enabled.
– In the CICS Connection definition, the ATTACHSEC parameter must be set to ATTACHSEC(IDENTIFY)
  • This is required for the user ID to be passed from the Terminal-Owning Region (TOR) to the Application-Owning Region (AOR) and become available for collection.


CICS Userid Support (continued)

CICS Login User ID is reported in the DB2 Client Info field for SQL Statements that are run in DB2 for CICS transactions.


Quarantine users’ SQL activity for a specific period of time

Use case: Stop suspicious activity by a user while investigation takes place, or disable access during specific times
– Quarantine: the quarantined user will be denied access to run SQL statements in the specified DB2 subsystem(s) during the specified time

Users can be quarantined for:
– A specific DB2 subsystem(s)
– A specified period of time

Setup: The quarantine action uses filter settings in the appliance policy (not the collection profile policy)
– Note: Quarantine does not take effect immediately – also known as ‘leakage’. The SQL statement that produces the event to trigger the quarantine is completed before the quarantine takes effect.
– The user’s SQL will receive a -807. The SQL activity is quarantined within the STAP Agent if the filter criteria match.


Figure: Quarantine flow between the Database S-TAP on z/OS and the Guardium Collector. Example policy: “Quarantine DBAUser when accessing subsystem after hours”. The figure shows two statements from DBAUser (select * from tab1, select * from tab2), the quarantine list entry DBAUser:Time, and the numbered steps below.

1. User issues SQL
2. If the SQL passes the collection profile filter, the event is streamed to the Guardium collector
3. The collector checks this event against the quarantine policy.
4. If a match, the collector adds this user to a quarantine list and sends it to the S-TAP
5. The S-TAP stops further access from this user until the quarantine period is up.

Important: Because quarantining depends on data that passes the z/OS-side filtering, the z/OS collection profile must be a superset of the events that would match the quarantine policy. If this is not heeded, it is possible that S-TAP would never send an event to the collector that would match the policy rule, rendering the quarantine rule basically a no-op.
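The five-step flow and the two caveats around it (leakage, and a collection profile that is not a superset of the quarantine policy) are easiest to reason about when run end to end. The following is an added example, not Guardium code, that models the S-TAP, the collector and the quarantine list for the DB2 case, returning the -807 the slide names to a quarantined user. The subsystem name DSN1, the timestamps, the one-hour quarantine period and the 08:00-18:00 definition of business hours are assumptions made for the example.

```python
# Added illustration (not Guardium code): the five-step quarantine flow from the
# slide, including the two behaviours a defender must plan for: leakage (the
# triggering statement completes) and a collection profile that is not a
# superset of the quarantine policy (the rule never fires).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

SQLCODE_QUARANTINED = -807   # SQLCODE the quarantined user receives (from the slide)


@dataclass
class SqlEvent:
    user: str
    subsystem: str
    sql: str
    at: datetime


@dataclass
class QuarantinePolicy:
    """Appliance-side rule: quarantine `user` on `subsystem` for `duration`
    when a statement runs after hours. Business hours of 08:00-18:00 are an
    assumption made for this illustration."""
    user: str
    subsystem: str
    duration: timedelta

    def matches(self, ev: SqlEvent) -> bool:
        after_hours = not 8 <= ev.at.hour < 18
        return ev.user == self.user and ev.subsystem == self.subsystem and after_hours


class Collector:
    def __init__(self, policy: QuarantinePolicy) -> None:
        self.policy = policy
        self.received: List[SqlEvent] = []

    def receive(self, ev: SqlEvent) -> Optional[Tuple[str, str, datetime]]:
        """Steps 3-4: check the event against the policy; on a match return the
        quarantine-list entry (user, subsystem, until) to push to the S-TAP."""
        self.received.append(ev)
        if self.policy.matches(ev):
            return (ev.user, ev.subsystem, ev.at + self.policy.duration)
        return None


class STap:
    def __init__(self, collection_profile: Callable[[SqlEvent], bool], collector: Collector) -> None:
        self.collection_profile = collection_profile   # z/OS-side filter
        self.collector = collector
        self.quarantine: Dict[Tuple[str, str], datetime] = {}

    def run_sql(self, ev: SqlEvent) -> int:
        """Return the SQLCODE the user sees: 0 if the statement ran, -807 if blocked."""
        until = self.quarantine.get((ev.user, ev.subsystem))
        if until is not None and ev.at < until:
            return SQLCODE_QUARANTINED                  # step 5: blocked until the period is up
        # Step 1: the statement completes before any quarantine can be applied (leakage).
        if self.collection_profile(ev):                 # step 2: only collected events are streamed
            entry = self.collector.receive(ev)
            if entry is not None:                       # step 4: quarantine list sent to the S-TAP
                user, subsystem, until = entry
                self.quarantine[(user, subsystem)] = until
        return 0


def simulate(profile_is_superset: bool) -> List[int]:
    """Replay DBAUser's after-hours statements and return the SQLCODEs returned.
    Subsystem name DSN1 and the timestamps are constructed for the example."""
    policy = QuarantinePolicy("DBAUSER", "DSN1", timedelta(hours=1))
    collector = Collector(policy)
    if profile_is_superset:
        profile = lambda ev: ev.subsystem == "DSN1"     # covers everything the policy can match
    else:
        profile = lambda ev: ev.user != "DBAUSER"       # never streams DBAUser's SQL at all
    stap = STap(profile, collector)
    t0 = datetime(2015, 12, 3, 22, 0)                   # 22:00, outside business hours
    statements = [
        SqlEvent("DBAUSER", "DSN1", "select * from tab1", t0),
        SqlEvent("DBAUSER", "DSN1", "select * from tab2", t0 + timedelta(minutes=1)),
        SqlEvent("DBAUSER", "DSN1", "select * from tab3", t0 + timedelta(hours=2)),
    ]
    return [stap.run_sql(ev) for ev in statements]


if __name__ == "__main__":
    print(simulate(True))    # [0, -807, 0]: tab1 leaks, tab2 blocked, tab3 runs after expiry
    print(simulate(False))   # [0, 0, 0]: profile excludes DBAUser, quarantine never fires
```

The second run is the no-op case from the slide's Important note: the collector never sees DBAUser's statements, so the policy can never match and nothing is ever blocked. The first run also shows that after the period expires the next after-hours statement completes again before it re-triggers the quarantine.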


Quarantine users SQL activity for specific period of time (cont.)


Guardium S-TAP for DB2 and Collector compatibility matrix

IBM Confidential

(1) Backward compatibility only. New features are not supported, such as use of Port 16022 introduced in V9.0.
(2) Must use Port 16022
(3) Must use Port 16022, or 16023 (encrypted connections)
(4) No support for S-TAP Terminate
(5) Use of “All failed authorizations” field in policy to detect login failures is deprecated (but still supported in V10). Update policies to use the Failure Codes rule condition instead


Guardium for IMS


What’s new in IBM Security Guardium S-TAP for IMS V10: Summary

IMS Release Support
– Support for IMS V14

Performance, scalability, and availability improvements
– Stream multiple streams of audit events to multiple appliances
– Disabling the auditing of BMPs
– Limit DLI call auditing to the lowest hierarchical level of a path call

Improved data collection capabilities
– Ability to audit DLI calls that return a non-blank DLI Status code
– APP EVENT – collect non-database application/user data

Enhanced data protection
– Quarantining database DLI calls

Improved installability and serviceability
– Removed VSAM repository
– Collect APAR number and build date/time of key load modules
– Provide an easy way to collect appliance diagnostic information
– Easily obtain a z/OS memory dump


Disabling the auditing of BMPs

Use case: Our BMP region types are considered ‘trusted’, so we don’t want to audit them

This optional feature is for users who have decided that BMPs are to be treated as ‘trusted’ entities and are not to be audited.

It can reduce the cost of auditing by reducing the code path of DLI calls that are known not to require examination.

A user can turn off auditing of BMPs by:
– Selecting the “NOBMP = Turn off auditing of DLI calls generated by an IMS BMP” box of the Create/Change IMS Policy ‘Add Audit’ panel
– This results in a request sent to the z/OS agent during IMS policy pushdown
– When the filtering criterion is being prepared into an executable filter, the NOBMP flag is placed in the filter anchor area accessible to the IMS Control region

The default value is ALL BMPs are eligible for auditing


Disabling the auditing of BMPs – Appliance Policy info (NOBMP)


Limit DLI call auditing to the lowest hierarchical level of a path call

Use case: Restrict visibility to only the last segment of the hierarchical path instead of multiple segments

Optionally limit the audit data to the segment that occupies the lowest hierarchical level of a DLI path call

Setup:
– You can turn off auditing of complete hierarchical paths by selecting:
  • “NOHLVL = Turn off auditing of all hierarchal levels of IMS DLI path calls” box of the Create/Change IMS Policy ‘Add Audit’ panel.
– Request sent to z/OS agent during IMS policy pushdown

The default value is ALL segments in the hierarchical path


Limit DLI call auditing to the lowest hierarchical level of a path call – Appliance Policy Info (NOHLVL)


Ability to audit DLI calls that return a non-blank DLI Status code

Use case: Obtain DLI call audit information when the DLI call has failed. Can help determine if bad actors are trying to learn the topology.

– Automated optional security layer to report on DLI calls which result in an IMS warning or failure.
– Provides the details of the DLI call and the warning or failure status code being returned to the appliance
– Stage 0 filtering

Setup:
– Specify one or more DLI Status codes which should be considered “acceptable” and cause the AUI code to collect the DLI call information


Ability to audit DLI calls that return a non-blank DLI Status code – Appliance Policy Info – Add DLI Call Codes


APP_EVENT - Collect non-database application/user data

Use case: Want IMS application user programs to send non-database application/user data to the appliance where it can be stored and related to DLI DB calls

Allows user programs to transmit and store application or user oriented events to the Guardium appliance, such as, but not limited to (example only):
– an alternate user name
– a client Host IP address
– an application name


APP_EVENT - Collect non-database application/user data (cont.)

Setup:
– Changes to the customer application programs and the IMS database environment must be made

IMS Database
– Add database AUIAPPEV to the IMS Online system
  • Same procedures and utilities as any other database that is to be accessed by the IMS Online system

IMS PCB
– A PCB must be added to all application programs that are intended to use this feature

Application Program
– The user should perform a DLI READ call by using the PCB for database AUIAPPEV
– Populate the I/O area with the information that is to be sent to the Guardium appliance.
– The READ call is used once per scheduling of a transaction


DLI User Quarantining

Use case: Stop suspicious activity by a user while investigation takes place, or disable access during specific times
– Quarantine: the quarantined user will be denied access to run DB DLI calls during the specified time

Users can be quarantined for:
– A specific IMS subsystem(s)
– A specified period of time

Setup: The quarantine action uses filter settings in the appliance policy (not the collection profile policy)
– Note: Quarantine does not take effect immediately – also known as ‘leakage’. The call that produces the event to trigger the quarantine is completed before the quarantine takes effect.

Restrictions: DLI calls that are made to IMS Fast Path databases by using IMS Fast Path exclusive transactions or BMPs cannot be quarantined.


Removal of the VSAM repository

Use case: Simplifies installation by removing the requirement to allocate and use the z/OS based repository

The VSAM repository was used to store checkpoint records that were used by log-stream processing, IMS SLDS processing, and SMF file processing

This checkpoint information will be stored in memory, with checkpoint persistence that is maintained in the Guardium collector and reportable by the IMS Checkpoint Results report …


Guardium Appliance – New Report - IMS Checkpoint Results


Guardium S-TAP for IMS and Collector compatibility matrix

IBM Confidential

Guardium collector version     STAP 8.2   STAP 9.0   STAP 9.1   STAP 10.0
8.2                            Y(1)       N          N          N
9.0                            Y(1)       Y(2)       N          N
9.1, 9.5 (32 and 64 bit)       N          Y(2)       Y(3)       Y(3)
10 (64 bit only)               N          Y(2)       Y(3)       Y(3)

(1) Backward compatibility only. New features are not supported, such as use of Port 16022 introduced in V9.0.
(2) Must use Port 16022
(3) Must use Port 16022, or 16023 (encrypted connections)


Guardium for Data Sets


What’s new in Guardium S-TAP for Data Sets V10: Summary

Availability, scalability

– Stream multiple streams of audit events to multiple appliances

Improved data collection and filtering

– Tape data set support

– PDS and PDS/E member name reporting

– Non-VSAM EXCP counts

– DDNAME reporting and filtering

Serviceability

– SMF validation at start-up


S-TAP multi-stream load balancing support

When multi-stream mode is enabled, S-TAP audit events can be spread over multiple connected appliances.

The maximum number of multi-stream appliances that are supported is six
– (APPLIANCE_SERVER + APPLIANCE_SERVER_n where n can be 1 - 5)

New parameters in OPTIONS member
– APPLIANCE_SERVER_LIST(FAILOVER|MULTI_STREAM)
– When APPLIANCE_SERVER_LIST is set to FAILOVER
  • only a single appliance connection is active at one time
– When APPLIANCE_SERVER_LIST is set to MULTI_STREAM
  • an appliance connection is established for each server listed
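The multi-stream mechanism is the same for S-TAP for Data Sets here and for S-TAP for DB2 earlier in the deck (where the figure adds that sends are round-robin mega buffers of <=200 events, and that an aggregator is needed to merge them). The following is an added example, not Guardium code, that models the APPLIANCE_SERVER_LIST modes, enforces the limit of six appliances, and shows why a report run on any one collector is incomplete under MULTI_STREAM. The value format of APPLIANCE_SERVER / APPLIANCE_SERVER_n, the hostnames, and the event stream are assumptions made for the example; HOT_FAILOVER is the value the DB2 S-TAP slides add, and 16022 is the S-TAP port named on the compatibility slides.

```python
# Added illustration (not Guardium code): how the APPLIANCE_SERVER_LIST modes
# hand mega buffers to appliances, and why per-collector reports are
# incomplete under MULTI_STREAM until an aggregator merges them.
from typing import Dict, List

MAX_APPLIANCES = 6           # APPLIANCE_SERVER + APPLIANCE_SERVER_1 .. APPLIANCE_SERVER_5
DEFAULT_MEGA_BUFFER = 200    # events per send with default settings (DB2 S-TAP slide)


def parse_appliance_list(options: Dict[str, str]) -> List[str]:
    """Collect the ordered appliance list from an OPTIONS-style parameter map.
    Assumption: each APPLIANCE_SERVER / APPLIANCE_SERVER_n holds one appliance
    address; the slides name the parameters but not the value format."""
    servers = [options["APPLIANCE_SERVER"]]
    n = 1
    while f"APPLIANCE_SERVER_{n}" in options:
        servers.append(options[f"APPLIANCE_SERVER_{n}"])
        n += 1
    if len(servers) > MAX_APPLIANCES:
        raise ValueError(f"at most {MAX_APPLIANCES} appliances are supported (n = 1-5)")
    return servers


def appliance_list_is_valid(options: Dict[str, str]) -> bool:
    """True when the OPTIONS map names one to six appliances."""
    try:
        parse_appliance_list(options)
    except (KeyError, ValueError):
        return False
    return True


def distribute(events: List[dict], servers: List[str], mode: str,
               buffer_size: int = DEFAULT_MEGA_BUFFER) -> Dict[str, List[dict]]:
    """Model one S-TAP's sends. FAILOVER and HOT_FAILOVER stream everything to
    the single active appliance; MULTI_STREAM sends each mega buffer of up to
    buffer_size events to the next appliance in round-robin order."""
    per_appliance: Dict[str, List[dict]] = {s: [] for s in servers}
    if mode in ("FAILOVER", "HOT_FAILOVER"):
        per_appliance[servers[0]].extend(events)
        return per_appliance
    if mode != "MULTI_STREAM":
        raise ValueError(f"unknown APPLIANCE_SERVER_LIST value: {mode}")
    buffer: List[dict] = []
    turn = 0
    for ev in events:
        buffer.append(ev)
        if len(buffer) == buffer_size:
            per_appliance[servers[turn % len(servers)]].extend(buffer)
            buffer, turn = [], turn + 1
    if buffer:                                   # final, partially filled buffer
        per_appliance[servers[turn % len(servers)]].extend(buffer)
    return per_appliance


def aggregate(per_appliance: Dict[str, List[dict]]) -> List[dict]:
    """Aggregator view: merge what every collector received back into event order."""
    return sorted((ev for evs in per_appliance.values() for ev in evs), key=lambda ev: ev["seq"])


def demo(n_events: int = 1000) -> dict:
    """Three collectors, 1000 events: show the split, and that only the
    aggregated view is complete. Hostnames are constructed; 16022 is the
    S-TAP port named on the compatibility slides."""
    options = {
        "APPLIANCE_SERVER_LIST": "MULTI_STREAM",
        "APPLIANCE_SERVER": "collector-a.example:16022",
        "APPLIANCE_SERVER_1": "collector-b.example:16022",
        "APPLIANCE_SERVER_2": "collector-c.example:16022",
    }
    servers = parse_appliance_list(options)
    events = [{"seq": i, "user": "DBAUSER", "sql": f"select * from tab{i}"} for i in range(n_events)]
    per = distribute(events, servers, options["APPLIANCE_SERVER_LIST"])
    merged = aggregate(per)
    return {
        "per_collector": {s: len(evs) for s, evs in per.items()},
        "aggregator_complete": [e["seq"] for e in merged] == list(range(n_events)),
        "any_single_collector_complete": any(len(evs) == n_events for evs in per.values()),
    }


if __name__ == "__main__":
    print(demo())   # per_collector 400/400/200, aggregator_complete True, single collector False
```

With 1000 events and a 200-event buffer, five sends go round-robin over three collectors (two each to the first two, one to the third), so a report or alert evaluated on a single collector sees at most 40% of one user's activity; the aggregator is where the complete picture lives.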


Tape data set support

STAP for Data Sets V10.0 now monitors and reports on access to data sets that reside on tape

No new parameters required


PDS and PDS/E member name reporting

If a PDS or PDSE member is allocated and opened,
– The member name will be reported as part of the non-VSAM data set EOV/CLOSE event record

In cases of programs that can access/update multiple members, such as IEBCOPY,
– Member name(s) will not be reported.

In most if not all cases, TSO ISPF will not show the member name
– It will only show up if you specify a specific member: HLQ.DSNAME(MEMBER)


Non-VSAM EXCP counts


DDNAME reporting and filtering


SMF environment validation at start-up

STAP for Data Sets now verifies that the necessary SMF record types are being generated by the system at agent start-up


Guardium S-TAP for VSAM or Data Sets and Collector compatibility matrix

Guardium collector version     STAP 8.2   STAP 9.0   STAP 9.1   STAP 10.0
8.2                            Y1         Y1         N          N
9.0                            Y1         Y2         Y2         N
9.1, 9.5 (32 and 64 bit)       N          N          Y3         Y3
10 (64 bit only)               N          N          Y3         Y3


(1) Backward compatibility only. New features are not supported, such as use of port 16022, introduced in V9.0.

(2) Must use port 16022.

(3) Must use port 16022, or 16023 (encrypted connections). Where both the collector and the S-TAP are at a level that supports it, use 16023 so that agent-to-collector audit traffic is encrypted rather than sent in the clear over 16022.


Information, training, and community cheat sheet

Guardium Tech Talks – at least one per month. Suggestions welcome!

Guardium YouTube Channel – includes overviews, technical demos, tech talk replays

developerWorks forum (very active)

Guardium DAM User Group on Linked In (very active)

Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)

Guardium on IBM Knowledge Center (was Info Center)

Deployment Guide for InfoSphere Guardium Red Book

Technical training courses (classroom and self-paced)

IBM Security Guardium Virtual User Group. Open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.


© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security