Page 1

Guardium Tech Talk: 10.1.3 Overview - Speed compliance and simplify deployments

August 24, 2017

Kathy Zeidenstein, Guardium Evangelist and Community Advocate

Joann Ruvolo, Senior Manager and UI Technical Lead, IBM Security Guardium

https://w3-connections.ibm.com/blogs/30f982c3-616f-4b5b-9978-3b711e1fda79/entry/2017july19?lang=en_us

Page 2

Mark Your Calendars for the Next Tech Talk

Title: TBA (It’s a surprise!)

Date: Tuesday, October 3rd, 2017

Time: 11:00 EDT, 8:00 AM PDT (60 minutes)

Speakers: TBA

Register: TBA

Page 3

Guardium community on developerWorks

bit.ly/guardwiki (Right nav)

Page 4

z/OS S-TAP Overview

Page 5

What’s New in V10.1.3 for z/OS Highlights (Tech talk tentatively November, 2017)

• Additional real time data protection option for Db2 – option to block SQL from specific users to specific tables

• Enhanced event collection and reporting
  Data Sets: More detailed member-level event reporting for PDS/PDSE data sets (replace, copy, delete, etc), report on FTP events through z/OS Unix System Services
  IMS: High availability large database (HALDB) name reporting, filter on trusted LTERMs and filter by region type beyond BMP
  All three S-TAPs:
  • Audit CICS Unit of Work ID for correlation of events across subsystems
  • Data privacy: Server side control to avoid sending PII to the collector

• Enhance operations and diagnostics – all three S-TAPs
  • Ease diagnostics gathering across roles: MUST GATHER can be instigated from the collector or from the mainframe side
  • Simulation mode to test the S-TAP without sending audit records to the appliance
  • z/OS S-TAPs now visible on the Deployment Health Topology in the Guardium UI

Page 6

Db2 for z/OS S-TAP Enhancements – Real-time blocking

• Real-time data protection for Db2 – option to block SQL from specific users to specific tables
  Real-time, as this happens at the S-TAP level and does not require a verdict from the collector (contrast with S-TAP TERMINATE)
  Uses new access policy rule database type: DB2 z/OS BLOCKING PROFILE

(Diagram: authorized application vs. attackers, vendors, insiders)

Page 7

Db2 for z/OS S-TAP Enhancements

• Enhanced event collection and reporting
  Improved auditability to enterprise standards
  • Collect Bind and rebind events similar to other events. Not subject to filtering!
  • Indicator of whether an event is Dynamic or Static (when LOG FULL DETAILS is used)
  Audit CICS Unit of Work ID for correlation of events across subsystems

• Performance and filtering
  Db2 objects moved to Stage 1 filtering and other memory management enhancements
  Expected to improve event throughput and lower CPU overhead, resulting in improved tolerance for heavy SQL event volumes
  Internal lab results show a significant decrease in both Db2 Class 2 and address space CPU usage of S-TAP V10.1.3 versus S-TAP V10.0
  Important: Your mileage will vary!!! The improvement in CPU will vary under different workloads and environments

• Enhance operations and diagnostics
  • Simulation mode to test the S-TAP without sending audit records to the appliance
  • z/OS S-TAPs now visible on the Deployment Health Topology in the Guardium UI

Page 8

z/OS S-TAPs now visible in Deployment Health Topology

• All managed units and CM must be at 10.1.3 – S-TAP can be back level

Page 9

Guardium DAM and VA Overview

Page 10

Guardium 10.1.3 (GPU 230) - summary

• Quick start deployment (agent and compliance monitoring)

• VA improvements
  VA for Cloudera
  Mongo 3.4 support and latest Mongo CIS benchmark tests
  DB2 LUW CIS benchmark
  Support for SQL Server on Linux and improved SQL Server

• Agent enhancements
  Improved discovery processing (better for Oracle RAC)
  A-TAP improvements to support scripting
  Threading improvements to reduce slowdown on DB servers and better support enterprise load balancing
  Teradata exit (Teradata 16.10+) – see release notes for details.
  SLES 12 S390x

• Limited use license of Privileged Identity Manager

• Cloud image offerings

• Classification privilege script

• ISO image available on PPA

Page 11

VA Enhancements

• New Cloudera Hadoop VA tests (first in the industry)
  Over 100 tests including CVEs, security configs, roles, OS file permissions, Hive and Impala privilege tests, configurations for HDFS, Sentry, Hive etc.
  2 datasources – Hive and Cloudera Manager
  Datasource authentication support:
  • Cloudera Manager – Native and LDAP authentication with SSL
  • Hive – no-auth and LDAP/SSL, Kerberos
  • CAS-based tests: SSL and Kerberos

Page 12

VA Enhancements

SQL Server
• Usability for SQL Server: CVE tests recognize fixes in all service packs
• Support for SQL Server on Linux (SQL Server 2017) (currently in preview)

MongoDB
• New tests for MongoDB with the latest benchmarks: VA coverage for the CIS_MongoDB_Benchmark_v1.0.0.pdf benchmark. https://www.cisecurity.org/benchmark/mongodb/
• MongoDB 3.4 support
• LDAP/SSL connection (10.1.2)
• Kerberos connection (10.1.3)

Db2 LUW
• Latest CIS Db2 LUW benchmarks: VA coverage for the CIS_IBM_DB2_10_Benchmark_v1.1.0.pdf latest benchmark. https://www.cisecurity.org/benchmark/ibm_db2/
• There are 10 new tests, plus 2 test enhancements. Now over 260 tests for Db2 LUW.
• New tests required additional privileges for VA: /var/log/guard/gdmmonitor_scripts/gdmmonitor-db2.sql

Page 13

Kerberos authentication

• Setup>Tools and Views>Kerberos Configurations

• Datasource builder

For more information: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc/discover/kerberos_configuration.html

Page 14

Limited Use License of IBM Privileged Identity Manager

What is PIM? A brokerage of privileged shared IDs

Value of the integration with Guardium:

• Leverage richer user information for forensic analysis of privileged user access to data

• Identify who was using the shared ID at the time of an incident

What do you get?

• Only for use with Guardium

• For each collector, up to 50 authorized users mapped to shared IDs in PIM

Try it: https://www.ibm.com/developerworks/library/se-manage-audit-privileged-users-pim-guardium/index.html

Page 15

Enterprise Load Balancing enhancement to support failover groups

• Benefits
  Provides additional controls over load distribution by enabling use of failover groups. (Currently, failover only happens within an MU group)
  Separate collector pools for primary and failover use cases.
  Automatic relocation of S-TAPs from failover to primary collectors once the primary collector is active again.

• This feature requires only the CM to be upgraded to 10.1.3 (no S-TAP changes are required)

Page 16

Recommended procedure

1. On the CM, create groups of collectors you want to use as Primary and groups of collectors you want to use for Failover (Manage>Central Management>Managed Unit Groups)

2. On the CM, create S-TAP groups using the Group Builder UI or from here: Manage>Central Management>Enterprise Load Balance>Associate S-TAPs and Managed Units (click on the plus icon)

3. Associate groups of S-TAPs to Primary Groups (Manage>Central Management>Enterprise Load Balance>Associate S-TAPs and Managed Units)

4. Then assign Primary Groups to failover groups in the same UI.

5. Enable the ‘Failover Groups’ support (Manage>Central Management>Enterprise Load Balance>Enterprise Load Balance Properties)

6. Install a new S-TAP (or restart an existing one). ELB will allocate collector(s) from the Primary collector groups associated with this S-TAP.
   If ELB can’t find collector(s) from the Primary group (e.g. all loaded or not available), it will allocate collector(s) from the failover group(s) associated with that S-TAP.
   Periodically (and if ENABLE_RELOCATION is enabled) ELB will look for S-TAPs currently assigned to collectors from Failover groups and relocate them to vacant collector(s) from a Primary group.
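The allocation and relocation behaviour described in step 6, as an added simulation written for this transcript. It is not Guardium code: the collector capacity and active flag stand in for "all loaded" and "not available", ENABLE_RELOCATION is modelled as a boolean argument, and the S-TAP and collector names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Collector:
    """A managed unit (collector). 'capacity' and 'active' are constructed knobs
    standing in for 'all loaded' and 'not available' on the slide."""
    name: str
    capacity: int
    active: bool = True
    staps: List[str] = field(default_factory=list)

    def has_room(self) -> bool:
        return self.active and len(self.staps) < self.capacity


@dataclass
class StapGroup:
    """An S-TAP group with its associated primary and failover collector groups."""
    primary: List[Collector]
    failover: List[Collector]


def _first_vacant(collectors: List[Collector]) -> Optional[Collector]:
    for c in collectors:
        if c.has_room():
            return c
    return None


def allocate(stap: str, group: StapGroup, assignment: Dict[str, Collector]) -> Optional[str]:
    """Step 6: prefer a vacant primary collector, fall back to the failover group.
    Returns the chosen collector name, or None if neither pool has room."""
    target = _first_vacant(group.primary) or _first_vacant(group.failover)
    if target is None:
        return None
    target.staps.append(stap)
    assignment[stap] = target
    return target.name


def relocate(group: StapGroup, assignment: Dict[str, Collector],
             enable_relocation: bool) -> List[Tuple[str, str, str]]:
    """Periodic pass: move S-TAPs sitting on failover collectors back to a
    vacant primary collector. Returns (stap, from, to) for each move."""
    moved: List[Tuple[str, str, str]] = []
    if not enable_relocation:
        return moved
    for stap, current in list(assignment.items()):
        if current not in group.failover:
            continue
        target = _first_vacant(group.primary)
        if target is None:
            break  # primary pool still full; try again on the next pass
        current.staps.remove(stap)
        target.staps.append(stap)
        assignment[stap] = target
        moved.append((stap, current.name, target.name))
    return moved


def demo() -> Tuple[Optional[str], Optional[str], List[Tuple[str, str, str]]]:
    """Walk-through: primary available, primary down (failover used), primary back (relocation)."""
    primary = Collector("coll-primary-1", capacity=2)
    failover = Collector("coll-failover-1", capacity=5)
    group = StapGroup(primary=[primary], failover=[failover])
    assignment: Dict[str, Collector] = {}

    first = allocate("stap-db1", group, assignment)    # lands on the primary
    primary.active = False                             # primary becomes unavailable
    second = allocate("stap-db2", group, assignment)   # lands on the failover
    primary.active = True                              # primary is active again
    moved = relocate(group, assignment, enable_relocation=True)
    return first, second, moved


if __name__ == "__main__":
    print(demo())
```

The relocation pass stops as soon as the primary pool has no vacancy, mirroring the slide's "relocate them to vacant collector(s) from a Primary group": S-TAPs that cannot be moved simply stay on the failover collector until a later pass.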

Page 17

Enable enterprise load balancing with failover walkthrough

1. Create managed unit groups

2. Create S-TAP groups

Page 18

Enable enterprise load balancing with failover, continued.

3 and 4. Associate S-TAPs to primary group. Then optionally to failover group.

5. Enable failover groups

Page 19

UNIX S-TAP Discovery Improvements

Guardium, with auto-discovery enabled, enables S-TAP to discover running instances on that server, including the information that you need to automatically populate the inspection engine definitions.

Now uses more reliable methods of determining DB configuration

Better handling of zones

Rewritten with Oracle RAC in mind

Success! 10.1.2 Unix S-TAP Discovery failed to generate inspection engines for an Oracle Exadata (cloud RAC) instance. We had a customer try 10.1.3 Unix S-TAP Discovery and it successfully generated the inspection engines for the Exadata instance.

Page 20

A-TAP Changes

A-TAP provides the functionality to intercept traffic after it is decrypted. A-TAP also provides interception for shared memory, depending on database and platform. Activated/deactivated using the guardctl utility.

Scripting around guardctl can hide unfamiliar Guardium concepts from the DBAs

Changes in 10.1.3 to support scripting much better:

Well-defined error codes representing unique problem states
  Eliminates the need to process the text output to determine corrective action
  https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc.stap/stap/atap_guardctl_reference_return_codes.html

New options to avoid printing to stdout (-q), and to print name/value pairs and the return value of the command (-v)
  -qv together allows a wrapper script to use guardctl as a utility interface to A-TAP and provide its own user experience

Repair option automates the manual steps required when a bad thing happens: the database was upgraded while A-TAP was active (don’t do this).
  guardctl ….. --db-instance=<name> repair

Page 21

Example of output

Page 22

Ready for Cloud - Discover, monitor and protect data in cloud and hybrid environments

• Guardium has ready to use and easily shareable VMs for all major cloud vendors
  IBM, AWS, Azure, Google, Oracle (soon)

• New Licensing exclusively for Cloud-based Appliances on Major Cloud Platforms

Deployment guides: http://www-01.ibm.com/support/docview.wss?uid=swg27049576

Hardware Requirements for Appliances: http://www-01.ibm.com/support/docview.wss?uid=swg27047802

See previous tech talk with live demo: http://ibm.biz/GuardMCDP

(Diagram: IBM Guardium Multi-Cloud Data Protection – Data Protection, Encryption, Key Management; Protect cloud environments; On-Prem)

Page 23

Classification privilege scripts

In 10.1.3, use the same scripts for both entitlement reporting and Vulnerability Assessment tests since the entitlements script is no longer being updated.

New in 10.1.3 is a new set of scripts for classification (sensitive data finder).

Important: Each DBMS script has very specific instructions in the script header that must be followed.

1. From the CLI, run the following command:
   fileserver <your desktop IP> 3600

2. Then go to a browser and enter the URL for the type of scripts you want to upload and choose the file that matches your database type.
   Vulnerability Assessment and Entitlements: http://<appliance ip>/log/debug-logs/gdmmonitor_scripts/
   Classification: http://<appliance ip>/log/debug-logs/classification_role/

Page 24

Enterprise Upgrade Strategy (tech talk tentatively October 24th)

• High level upgrade roadmap options: http://www-01.ibm.com/support/docview.wss?uid=swg21961114

• There is no direct upgrade from 8.2 to V10.1.3 (GPU 230). You must go through V9!

• Or, use the V10.1.3 ISO and rebuild/restore (take advantage of the larger root partition (25GB) and new file format (EXT4))

• The upgrade process usually cannot be done simultaneously on all appliances and all S-TAPs. Therefore it requires a multi-staged upgrade approach.

• During the transition period, the Guardium environment will operate in hybrid mode with Version 9.5 and Version 10.1.3 Guardium software (mixed environment).

• Upgrade the IBM Guardium environment in top-down order

• Upgrade of large enterprise environments requires thorough planning and preparation.
  Upgrade strategy and logistics
  Scope (be conservative)
  Change control management
  Required personnel availability
  Contingency planning

Page 25

Quick Start Agent Deployment

Page 26

When can I use Quick Start agent deployment?

The purpose of Quick Start agent deployment is to automate S-TAP installation. It uses existing capabilities such as the GIM listener. It is not intended for highly customized environments. Consider this feature when:

• You use GIM agents in listener mode on the database servers

• You are not using database encryption or other capabilities that require A-TAP or exits.

• The default GIM parameters meet your requirements.

Page 27

Deploying S-TAP on DB server - Comparison

Traditional flow:

1. Upload modules
2. GIM Auto-detect
3. Remote Activation
4. Setup-by Client or Setup-by Modules
   • Manual selection of clients and modules
   • Scroll through an overwhelming list of parameters
5. Track the status of installed modules by “GIM Client Status” report

Quick Start flows:

Automatic flow:
1. Upload modules
2. Discover and Deploy Agents

Interactive flow:
1. Upload modules
2. Discover
3. Confirm db servers and deploy

Page 28

A visual representation of the simplified approach

(Diagram: Traditional vs. Quick start)

Page 29

Prerequisite steps

1. Upload the installation bundles to the GIM Server machine (e.g. Central Manager).
   Behind the scenes, Deploy Monitoring Agents will pick the latest matching bundle in the list.

2. Install GIM clients in listener mode on the database servers.
   Default installation port for the deployment UI is 8445. Can be customized.

3. Make sure databases are started. Behind the scenes, Deploy Monitoring Agents will run the database discovery and create inspection engines.

Knowledge Center: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc.stap/gim/deploy_monitoring_agents.html#concept_n2f_3zn_gz

Page 30

How to find it?

Search “quick start” or “Deployment Monitoring Agents”

Page 31

Two flows in the deployment

Automatic: Discovery and deployment all in one click.

Interactive (recommended): Discovery and deployment in two steps.
• Lets you exclude any DB servers for deployment from the discovered list.

Page 32

Interactive Flow: Discover the Database Servers

You can input multiple ranges for the GIM discovery

Page 33

Interactive Flow: Confirm the Database servers

Confirm the list of DB servers to install S-TAPs.

Page 34

Interactive Flow: Confirm the default params of installation

You can use enterprise load balancing or associate a specific collector for these S-TAPs.

Page 35

Monitor the installation status on same screen

Page 36

Created Inspection Engines on S-TAP

• Created inspection engines can be viewed in the same grid.

• No need to go to each collector

Page 37

Verify the installations in deployment health topology view

Before install

After Install

Quick Start agent deployment demo on YouTube: https://youtu.be/S1Xbat4pmLk

Page 38

Quick Start Compliance Overview

Page 39

Quick Start compliance monitoring

Configure and demonstrate compliance quickly for new deployments with minimal input

(Diagram: Compliance Monitoring – Compliance type, Groups, Security policies, Discover sensitive data scenarios, Reports; Databases on DB servers with S-TAPs installed)

Page 40

When could I use this?

• New deployments
  New or existing customers
  New database servers or existing database servers for new compliance monitoring (e.g., GDPR, PCI)

• Positioning with respect to accelerators
  The intent for both Quick Start Compliance Monitoring and the Accelerators is to jump start customers in the compliance space
  Compliance Monitoring leverages the accelerators
  • New security policies were created, based on the accelerator (compliance type) policies
  • Reports for the compliance type are accessed via the Accelerator navigation menu
  Compliance Monitoring goes beyond the accelerators
  • Facilitates actual monitoring, by installing security policies and defining the policy installation schedule
  • Simplifies the population of key groups used in the security policies
  • Facilitates finding sensitive data by creating discovery scenarios and their associated audit process schedule
  • Supports (bulk) datasource creation (required for discovering sensitive data) with minimal input
  • Integrated and centralized views from a compliance and database perspective

Page 41

Demo time

Page 42

Questions?

Page 43

Prerequisites

• Only supported on Guardium systems running v10.1.3 or later
  Not dependent on v10.1.3 S-TAPs

• Only accessible from a Central Manager or standalone system

• Only accessible when logged in as a userid with admin role

• Quick Start security policies can only be installed with existing policies if the existing policies have the following settings:

• Only works with these supported databases
  Active traffic
  • Only TCP net protocol traffic, no encrypted traffic, no local traffic
  Discovered instances
  • No databases with a port range
  • MIN_PORT and MAX_PORT must be the same

                 Active Traffic   Discovered Instances
  Informix       x                x
  MS SQL SERVER  x                x
  MySQL          x                x
  Oracle         x                x
  Sybase         x                x
  TERADATA       x                x

DB2 LUW x

Netezza x

PostGreSQL x

Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc/monitor/compliance_monitoring.html
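A check that applies the prerequisites above to inspection engine definitions, written here as an added example and not part of the deck or of Guardium. The InspectionEngine record, its field names and the sample engines are constructed; the default supported set holds only the six database types the slide marks for both routes, because the slide gives DB2 LUW, Netezza and PostGreSQL a single mark whose column is not recoverable from this transcript, so a caller who knows their route passes an extended set.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Database types the slide's table marks for both the active-traffic and the
# discovered-instances route. DB2 LUW, Netezza and PostGreSQL appear with a
# single mark whose column is not recoverable here, so they are left out of
# this default set (pass your own set to check_engine to include them).
SUPPORTED_BOTH_ROUTES: Set[str] = {
    "Informix", "MS SQL SERVER", "MySQL", "Oracle", "Sybase", "TERADATA",
}


@dataclass
class InspectionEngine:
    """Constructed view of an inspection engine definition, reduced to the
    fields the prerequisites slide cares about."""
    name: str
    db_type: str
    discovered: bool      # True: created by S-TAP discovery; False: seen as active traffic
    protocol: str = "TCP"
    encrypted: bool = False
    local: bool = False   # local (non-network) traffic
    min_port: int = 0
    max_port: int = 0


def check_engine(engine: InspectionEngine,
                 supported: Set[str] = SUPPORTED_BOTH_ROUTES) -> List[str]:
    """Return the prerequisite violations for one engine; an empty list means
    Quick Start compliance monitoring can pick it up."""
    problems: List[str] = []
    if engine.db_type not in supported:
        problems.append(f"database type {engine.db_type!r} is not in the supported list")
    if engine.discovered:
        # Discovered instances: no port range allowed.
        if engine.min_port != engine.max_port:
            problems.append("discovered instance has a port range (MIN_PORT != MAX_PORT)")
    else:
        # Active traffic: TCP only, not encrypted, not local.
        if engine.protocol.upper() != "TCP":
            problems.append(f"active traffic must be TCP, not {engine.protocol}")
        if engine.encrypted:
            problems.append("encrypted traffic is not supported")
        if engine.local:
            problems.append("local traffic is not supported")
    return problems


def triage(engines: List[InspectionEngine]) -> Dict[str, List[str]]:
    """Map each engine name to its list of violations."""
    return {e.name: check_engine(e) for e in engines}


# Constructed sample engines; names and ports are made up for the example.
SAMPLE_ENGINES = [
    InspectionEngine("ora-prod", "Oracle", discovered=True, min_port=1521, max_port=1521),
    InspectionEngine("mysql-dev", "MySQL", discovered=True, min_port=3306, max_port=3310),
    InspectionEngine("mssql-tls", "MS SQL SERVER", discovered=False, encrypted=True),
    InspectionEngine("syb-local", "Sybase", discovered=False, local=True),
    InspectionEngine("pg-reporting", "PostGreSQL", discovered=True, min_port=5432, max_port=5432),
]


if __name__ == "__main__":
    for name, problems in triage(SAMPLE_ENGINES).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the sample flags the MySQL port range, the encrypted SQL Server engine and the local Sybase engine, and reports the PostGreSQL engine only because its type is outside the default set; the Oracle engine passes.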

Page 44

Backup slides for Quick Start Compliance Monitoring

Page 45

Quick Start Scenarios

Page 46

Scenario 1: set up compliance monitoring in 4 easy steps

(Screenshot: steps 1 to 4)

Page 47

Scenario 2: populate key groups in Quick Start security policy

Page 48

Three new approaches for populating groups

Only available in Quick Start or other new UI pages

Page 49

Scenario 3: set up sensitive data discovery in 3 easy steps

(Screenshot: steps 1 to 3)

Page 50

Results of sensitive data discovery setup

Page 51

Population of groups

Page 52

Population of groups

Goal is to ensure meaningful monitoring, therefore the policy groups should be populated
• No traffic is captured for empty groups

Design points
• Raise the awareness of empty groups
• Make it easy to populate groups

Approach
• The groups and whether they should be populated are displayed from the compliance dashboard with a link to populate
• Four ways for the user to populate groups
  • Manually add
  • Import from csv
  • Copy from another group
  • Import from external database
• Server IP group will automatically be populated upon database(s) being associated with the compliance type
• Sensitive objects group will automatically be populated by the discover sensitive data scenario
• Hierarchical groups are not supported

Page 53

Import from CSV

Page 54

Import from external datasource

Only input required from user: datasource, table name, and column name from external database.

Use Group type and group description from group to be populated.

Page 55

Artifacts are automatically created / updated with generated names as follows

• Automatically created based on input
  Custom table
  Custom domain
  Custom query
  Populate from query in Group Builder

• Data uploaded / copied
  From External datasource to custom table
  Custom table to group

• Naming conventions

  UI screen                            | Artifact          | Naming convention for generated name (caps) | Naming example                     | Scheduled
  Custom Table Builder -> Edit Data    | Custom table      | tableName_columnName_datasourceId           | USERS_ADMIN_20014                  |
  Custom Table Builder -> Upload Data  | Custom table      | tableName_columnName_datasourceId           | USERS_ADMIN_20014                  | Yes
                                       | Custom datasource | datasourceName_datasourceType(CustomDomain) | user_repository_DB2(Custom Domain) |
  Custom Domain Builder                | Custom domain     | groupType_tableName_columnName_datasourceId | USERS_USERS_ADMIN_20014            |
  Custom Query Builder                 | Custom query      | groupType_tableName_columnName_datasourceId | USERS_USERS_ADMIN_20014            |
  Group Builder -> Populate from Query | Group             |                                             | PCI Admin Users                    | Yes

Page 56

Members from external datasource uploaded

Click OK to add members to group

Page 57

Group is now populated from external datasource

Page 58

Policy installation: approach

• Policy installation will occur automatically the first time a Quick Start policy is successfully installed on a target system
  On standalone, the Quick Start policy will be installed
  On CM, the Quick Start policy will be pushed down to all collectors

• Order of installed policies
  The Quick Start policy will be installed after all the other installed policies (i.e., “Install last” option)
  However, if the default policy is the only policy installed, Quick Start will install its security policy over the default policy (i.e., “Install and Override” option)

• After a Reset to default
  On standalone, the original (hidden) Quick Start policy is automatically reinstalled
  In a CM deployment, there is no change to the installed policy

• Policy installation schedule
  On standalone, Quick Start will schedule the policy installation, if one is not already scheduled (scheduled and active or scheduled and paused)
  From CM, Quick Start will schedule the policy installation on the collectors, even if one is already scheduled
  Default schedule is daily at 10:30 AM
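The install-order, reset and scheduling rules on this slide, turned into one decision function as an added example (not Guardium's implementation). The Target record, the policy names "Default" and "Quick Start", and the string labels returned are constructed placeholders; the branches follow the bullets above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_SCHEDULE = "daily at 10:30 AM"
DEFAULT_POLICY = "Default"          # placeholder name for the default policy
QUICK_START_POLICY = "Quick Start"  # placeholder name for the Quick Start policy

SCHEDULED_STATES = ("scheduled and active", "scheduled and paused")


@dataclass
class Target:
    """Constructed view of the system Quick Start is run on."""
    kind: str                         # "standalone" or "cm"
    installed_policies: List[str]     # currently installed policies, in install order
    schedule: Optional[str] = None    # None or one of SCHEDULED_STATES


def install_option(installed: List[str]) -> str:
    """'Install and Override' only when the default policy is the sole installed
    policy; otherwise the Quick Start policy is installed last."""
    if installed == [DEFAULT_POLICY]:
        return "Install and Override"
    return "Install last"


def resulting_order(installed: List[str]) -> List[str]:
    """Installed policy list after Quick Start runs."""
    if install_option(installed) == "Install and Override":
        return [QUICK_START_POLICY]
    return list(installed) + [QUICK_START_POLICY]


def schedule_action(target: Target) -> str:
    """Standalone: schedule only if nothing is scheduled yet.
    CM: schedule on the collectors even if a schedule already exists."""
    if target.kind == "standalone":
        if target.schedule in SCHEDULED_STATES:
            return f"keep existing schedule ({target.schedule})"
        return f"schedule policy installation {DEFAULT_SCHEDULE}"
    return f"schedule policy installation on all collectors {DEFAULT_SCHEDULE} (replaces existing)"


def plan(target: Target) -> Dict[str, object]:
    """Combine scope, install option, resulting order and schedule decision."""
    scope = "this standalone system" if target.kind == "standalone" else "all collectors managed by this CM"
    return {
        "option": install_option(target.installed_policies),
        "order": resulting_order(target.installed_policies),
        "scope": scope,
        "schedule": schedule_action(target),
    }


def reset_to_default(target: Target) -> str:
    """Standalone reinstalls the hidden Quick Start policy; CM leaves installed policies unchanged."""
    if target.kind == "standalone":
        return "reinstall original (hidden) Quick Start policy"
    return "no change to installed policy"


if __name__ == "__main__":
    print(plan(Target("standalone", [DEFAULT_POLICY])))
    print(plan(Target("cm", ["PCI custom", "Audit all"], schedule="scheduled and active")))
```

The two cases worth checking before running Quick Start on a real system are the ones the slide singles out: a standalone with only the default policy installed gets "Install and Override", and a CM always rewrites the collectors' installation schedule.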

Page 59

User Activity Audit Trail

New audit trail records introduced:

• Install Policy

• Setup compliance

• Uninstall policy

Page 60

(Screenshot: Compliance dashboard, Databases view)

Note: New databases are included in compliance monitoring periodically and not in real-time

Page 61

THANK YOU

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.