Safeguarding Enterprise Data with Continuous, Real-Time Database Security, Monitoring & Compliance
Fakhreddine El Mourabiti – Data Governance / Europe
© 2012 IBM Corporation
IBM Security Systems
Data is the key target for security breaches, and database servers are the primary source of breached data.
% of Records Breached (2010):
• Database servers: 92%
• All other sources: 7%
• Laptops & backup tapes: <1%
• Desktop computer: <1%
Source: 2011 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Why?
Database servers contain your client’s most valuable information:
– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records
High volumes of structured data, easy to access.
“Because that’s where the money is.” - Willie Sutton
The Goals
Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:
1. Prevent data breaches
– Mitigate external and internal threats
2. Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce cost of compliance
– Automate and centralize controls
• Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop
• Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.
– Simplify audit review processes
The Compliance Mandate – What do you need to monitor?
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
Why Organizations Buy Database Activity Monitoring
1. We have to do it (regulations – auditors)
2. We can’t afford the cost & effort of doing it manually (limited time and money)
3. We need consistency of audit reporting
It is him! They call him “El Auditor”
SECURITY OPERATIONS
• Real-time policies
• Secure audit trail
• Data mining & forensics
• Separation of duties
• Best practices reports
• Automated controls
• Minimal impact
• Change management
• Performance optimization
Addressing Key Stakeholders Concerns
5 Common Challenges around Database Auditing
• How can we monitor user access and detect anomalies?
• How can we control privileged users with direct access?
• Can we store these audit logs in a secure repository?
• Can we have one central audit repository for all database types including Oracle, SQL Server, DB2 and more?
• How can we do all of this with minimal impact to our database and infrastructure?
Addressing the full database security lifecycle
1. Discover
• Discover databases on the network
• Discover where sensitive data is located
2. Identify Risk
• Perform an assessment to understand risk
• Harden the database to eliminate unnecessary risk
3. Comply
• Monitor database activity to verify security controls
• Automate reporting for proper evidence in compliance process
The Solution: Non-Invasive, Agent-Based Monitoring
• Integration with LDAP, IAM, SIEM, TSM, Remedy, …
• NEW: Big Data Environments (InfoSphere BigInsights)
Extend platform coverage: New S-TAP for System i
Providing a complete and native data security solution for System i:
• Monitors privileged user activity in real time
• Enables complete separation of duties
• Helps satisfy auditor’s requirements and ensure compliance to mandates like PCI easily and cost effectively
Protect sensitive data on your System i deployments.
Integration with IT Infrastructure for seamless operations
• Directory Services (Active Directory, LDAP, TDS, etc.)
• SIEM (IBM QRadar, ArcSight, RSA enVision, etc.)
• SNMP Dashboards (Tivoli Netcool, HP OpenView, etc.)
• Change Ticketing Systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
• Vulnerability Standards (CVE, STIG, CIS Benchmark)
• Data Classification and Leak Protection (Credit Card, Social Security, phone, custom, etc.)
• Security Management Platforms (IBM QRadar, McAfee ePO)
• Application Servers (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)
• Long Term Storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
• Authentication (RSA SecurID, RADIUS, Kerberos, LDAP)
• Software Deployment (IBM Tivoli Provisioning Manager, RPM, Native Distributions)
In the diagram, the S-TAP agents send events to the appliance, which sends alerts (CEF, CSV, Syslog, etc.) to these systems.
Perimeter Defenses & Identity Management No Longer Sufficient
• 49% of new vulnerabilities are Web application vulnerabilities (X-Force)
• Insider threat (DBAs, developers, outsourcers, etc.)
• 88% of F500 companies have employees infected with Zeus (RSA)
• #1 VM vulnerability is VM guest hopping (hypervisor escape) (X-Force)
• Kneber Botnet stole 68,000 credentials & 2,000 SSL certificates over a 4-week period (NetWitness)
• SQL Injection is a leading attack vector (X-Force)
• Stuxnet exploited SQL Server vulnerability to attack control systems
• Epsilon data breach affects millions (outsourced provider)
“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” - William J. Lynn III, U.S. Deputy Defense Secretary
Why Enterprises are Dissatisfied with Traditional Approach
× Inefficient and costly
– Database performance is impacted
– Manual processes require valuable resources
× Provide little value to the business
– Logs are complicated to inspect
– Any detection is not real-time
× No segregation of duties
– Privileged users can bypass the system
– Audit trail can be modified
Castle analogy (figure): Walls, Moat, Observation Towers / Turret, Arrow Loop, Gate, Guards, labelled as Secure Settings and Activity Monitoring.
Vulnerability Assessment – Reporting
Auditing Database Configuration Changes
• Tracks changes to files, environment variables, registry settings, scripts, etc.
• 200+ pre-configured templates for all major OS/DBMS configurations
– Easily customizable via scripts, SQL, etc. (ad hoc tests)
– Also checks OS permissions for Vulnerability Assessment (VA) tests
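The configuration-change tracking described above reduces to a baseline-and-diff loop: fingerprint each tracked file (content hash plus permission bits, since the OS permission check matters for VA) and each tracked environment variable, then compare later snapshots against the baseline. The following Python script is an added illustration of that loop, not Guardium code or one of its templates; the file name `listener.ora`, the tracked variables and the drift scenario are constructed for the demo.

```python
"""Configuration-change audit: baseline tracked files and environment variables,
then report what changed (content, permissions, added/removed files, env values)."""
import hashlib
import os
import tempfile

# Hypothetical tracked variables for the demo; a real deployment reads these from a template
TRACKED_ENV = ["ORACLE_HOME", "LD_LIBRARY_PATH"]


def fingerprint_file(path):
    """SHA-256 of the file content plus its permission bits."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mode": oct(st.st_mode & 0o777)}


def take_baseline(paths, env_keys, environ):
    """Snapshot of every existing tracked file and every tracked env variable."""
    return {
        "files": {p: fingerprint_file(p) for p in paths if os.path.exists(p)},
        "env": {k: environ.get(k) for k in env_keys},
    }


def diff_baseline(old, new):
    """Return (finding, item, detail) tuples describing drift between two snapshots."""
    findings = []
    for path, old_fp in old["files"].items():
        new_fp = new["files"].get(path)
        if new_fp is None:
            findings.append(("file_removed", path, ""))
            continue
        if new_fp["sha256"] != old_fp["sha256"]:
            findings.append(("file_content_changed", path, ""))
        if new_fp["mode"] != old_fp["mode"]:
            findings.append(("file_mode_changed", path, f"{old_fp['mode']} -> {new_fp['mode']}"))
    for path in new["files"]:
        if path not in old["files"]:
            findings.append(("file_added", path, ""))
    for key, old_val in old["env"].items():
        new_val = new["env"].get(key)
        if new_val != old_val:
            findings.append(("env_changed", key, f"{old_val!r} -> {new_val!r}"))
    return findings


def demo():
    """Constructed scenario: one config file and one env variable drift after the baseline."""
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "listener.ora")  # constructed sample file
    with open(cfg, "w") as fh:
        fh.write("PORT=1521\n")
    os.chmod(cfg, 0o640)
    env = {"ORACLE_HOME": "/opt/oracle", "LD_LIBRARY_PATH": "/opt/oracle/lib"}
    baseline = take_baseline([cfg], TRACKED_ENV, env)

    # Simulated unauthorized changes: edited content, world-writable mode, altered env
    with open(cfg, "w") as fh:
        fh.write("PORT=1522\n")
    os.chmod(cfg, 0o666)
    env["LD_LIBRARY_PATH"] = "/tmp/lib"
    return diff_baseline(baseline, take_baseline([cfg], TRACKED_ENV, env))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Run periodically and ship the findings to the SIEM; the mode check is what catches the world-writable config file even when its content is untouched.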
Monitoring Data Leakage from High-Value Databases
Should my customer service rep view 99 records in an hour?
What exactly did Joe see?
Is this normal?
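Answering "is this normal?" needs a per-user baseline, not a single global threshold: a rep who usually views about ten records an hour and suddenly views 99 is the anomaly, even if 99 is unremarkable for a batch job. The Python below is an added example (not Guardium's analytics) that sums rows returned per user per hour from a constructed audit-log format, learns each user's mean and standard deviation from a history window, and flags hours that exceed either a hard limit or the user's own mean plus three sigma.

```python
"""Hourly row-count baselining per user over a constructed audit log, flagging hours
that exceed either a hard limit or the user's own historical mean + 3 sigma."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log format (not Guardium's): ISO timestamp, user, table, rows returned
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} user=(?P<user>\w+) "
    r"table=(?P<table>\w+) rows=(?P<rows>\d+)$"
)

HISTORY = [  # constructed: prior week, one SELECT per hour bucket per user
    "2012-05-01T10:05:00 user=joe table=CUSTOMERS rows=8",
    "2012-05-02T10:12:00 user=joe table=CUSTOMERS rows=10",
    "2012-05-03T10:07:00 user=joe table=CUSTOMERS rows=12",
    "2012-05-04T10:30:00 user=joe table=CUSTOMERS rows=9",
    "2012-05-05T10:45:00 user=joe table=CUSTOMERS rows=11",
    "2012-05-01T11:05:00 user=sue table=CUSTOMERS rows=10",
    "2012-05-02T11:15:00 user=sue table=CUSTOMERS rows=12",
    "2012-05-03T11:20:00 user=sue table=CUSTOMERS rows=11",
]
TODAY = [  # constructed: joe views 99 records in one hour, sue stays normal
    "2012-05-08T10:01:00 user=joe table=CUSTOMERS rows=33",
    "2012-05-08T10:20:00 user=joe table=CUSTOMERS rows=33",
    "2012-05-08T10:41:00 user=joe table=CUSTOMERS rows=33",
    "2012-05-08T11:10:00 user=sue table=CUSTOMERS rows=11",
]


def hourly_rows(lines):
    """Sum rows returned per (user, hour bucket); malformed lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["user"], m["ts"])] += int(m["rows"])
    return counts


def build_baseline(history_lines):
    """Per-user (mean, population stddev) of hourly row counts over the history window."""
    per_user = defaultdict(list)
    for (user, _hour), n in hourly_rows(history_lines).items():
        per_user[user].append(n)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def flag_anomalies(lines, baseline, hard_limit=50, z=3.0):
    """Flag hours where a user's count exceeds the hard limit or mean + z*sigma.
    Sigma is floored at 1 so a perfectly regular history does not flag every deviation."""
    flags = []
    for (user, hour), n in sorted(hourly_rows(lines).items()):
        mu, sigma = baseline.get(user, (0.0, 0.0))  # unknown users get a near-zero baseline
        stat_limit = mu + z * max(sigma, 1.0)
        if n > hard_limit or n > stat_limit:
            flags.append({"user": user, "hour": hour, "rows": n,
                          "expected_max": round(stat_limit, 1)})
    return flags


if __name__ == "__main__":
    for f in flag_anomalies(TODAY, build_baseline(HISTORY)):
        print(f)
```

The "what exactly did Joe see?" question is answered by keeping the underlying lines for the flagged hour, so the alert can link back to the individual statements and tables rather than only a count.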
Tracking Privileged Users Who "su"
Challenge: How do you track users who 'switch' accounts (perhaps to cover their tracks)?
• Native database logging/auditing & SIEM tools can't capture OS user information
• Other database monitoring solutions only provide the OS shell account that was used
What Guardium Shows You: user activity, including the OS user behind the switched account.
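Where an agent that sees the original OS login is not available, a defender can still recover part of this picture by correlating the host's PAM `su` session records with the database audit trail: a statement run by the shell account `oracle` during an `su` session opened "by jsmith" is attributable to jsmith. The Python below is an added example of that correlation, not Guardium functionality; the syslog lines follow the standard `pam_unix(su:session)` wording, and the DB audit events (host, time, OS user, SQL) are constructed.

```python
"""Attribute database activity performed under a switched-to OS account (e.g. 'oracle')
back to the login user who ran su, by correlating PAM su session records with DB audit events."""
import re
from datetime import datetime

# Constructed syslog lines in the standard pam_unix su session wording
AUTH_LOG = [
    "May  8 09:14:02 dbhost1 su[4021]: pam_unix(su:session): session opened for user oracle by jsmith(uid=1001)",
    "May  8 09:20:40 dbhost1 su[4021]: pam_unix(su:session): session closed for user oracle",
    "May  8 09:25:00 dbhost1 su[4100]: pam_unix(su:session): session opened for user oracle by rlee(uid=1002)",
]
# Constructed DB audit events that carry only the OS shell account, as the slide describes
DB_EVENTS = [
    {"host": "dbhost1", "time": "May  8 09:15:10", "os_user": "oracle", "sql": "SELECT * FROM CARDS"},
    {"host": "dbhost1", "time": "May  8 09:22:00", "os_user": "oracle", "sql": "SELECT COUNT(*) FROM CARDS"},
    {"host": "dbhost1", "time": "May  8 09:30:00", "os_user": "oracle", "sql": "DROP TABLE AUDIT_TMP"},
]

SU_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r".*session opened for user (?P<target>\S+) by (?P<origin>\w+)\(uid=\d+\)$"
)
SU_CLOSE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r".*session closed for user (?P<target>\S+)$"
)


def parse_ts(s):
    # Classic syslog timestamps carry no year; ordering within one day is all we need here
    return datetime.strptime(s, "%b %d %H:%M:%S")


def su_sessions(lines):
    """Build (host, target, origin, start, end) intervals; end is None for sessions still open."""
    open_by_pid, sessions = {}, []
    for line in lines:
        m = SU_OPEN.match(line)
        if m:
            open_by_pid[(m["host"], m["pid"])] = [m["host"], m["target"], m["origin"], parse_ts(m["ts"]), None]
            continue
        m = SU_CLOSE.match(line)
        if m:
            sess = open_by_pid.pop((m["host"], m["pid"]), None)
            if sess:
                sess[4] = parse_ts(m["ts"])
                sessions.append(tuple(sess))
    sessions.extend(tuple(s) for s in open_by_pid.values())
    return sessions


def attribute(event, sessions):
    """Return the login user whose su session covers the event, or None if no su was active
    (i.e. the shell account was used directly, which is itself worth flagging)."""
    when = parse_ts(event["time"])
    for host, target, origin, start, end in sessions:
        if (host == event["host"] and target == event["os_user"]
                and start <= when and (end is None or when <= end)):
            return origin
    return None


def attribute_all(events=DB_EVENTS, auth_lines=AUTH_LOG):
    sessions = su_sessions(auth_lines)
    return [(e["sql"], e["os_user"], attribute(e, sessions)) for e in events]


if __name__ == "__main__":
    for sql, shell_user, login_user in attribute_all():
        print(f"{shell_user:8} {login_user or '<direct login>':14} {sql}")
```

Correlating on host and process id keeps overlapping sessions apart; the event that falls between the two sessions comes back unattributed, which is the case to investigate, since it means the shared account was used without an `su` record.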
Protect Stored Data: need to know only
Redact and Mask Sensitive Data
Diagram: application servers, unauthorized users and the outsourced DBA issue SQL; S-TAP intercepts it; DB2, MySQL, Oracle, Sybase, SQL Server, etc. hold the actual data stored in the database, while the user's view of the data is redacted.
• Cross-DBMS policies
• Mask sensitive data
• No database changes
• No application changes
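The redaction slide's point is that the masking policy lives outside the database and the application: a (table, column) rule set is applied to result rows on their way back, and only need-to-know roles see actual values. The Python below is an added illustration of such a policy layer, not Guardium's implementation; the table and column names, the roles and the sample rows are constructed, and rows are copied rather than mutated so the stored data is untouched.

```python
"""Policy-driven masking of query results for users outside the need-to-know set.
The policy is keyed by (table, column); authorized roles see real data, others get masked values."""
import re

# Constructed policy: which columns get which masking rule (hypothetical table/column names)
MASK_POLICY = {
    ("CUSTOMERS", "CARD_NO"): "last4",
    ("CUSTOMERS", "SSN"): "ssn_last4",
    ("CUSTOMERS", "EMAIL"): "email",
    ("PATIENTS", "DIAGNOSIS"): "redact",
}
AUTHORIZED_ROLES = {"claims_app"}  # hypothetical roles allowed to see actual values


def mask_value(rule, value):
    """Apply one masking rule; None passes through so NULLs stay NULL."""
    if value is None:
        return None
    s = str(value)
    digits = re.sub(r"\D", "", s)
    if rule == "last4":        # 4111 1111 1111 1111 -> ************1111
        return "*" * max(len(digits) - 4, 0) + digits[-4:]
    if rule == "ssn_last4":    # 123-45-6789 -> ***-**-6789
        return "***-**-" + digits[-4:]
    if rule == "email":        # alice@example.com -> a****@example.com
        local, _, domain = s.partition("@")
        return (local[:1] + "****@" + domain) if domain else "****"
    if rule == "redact":
        return "[REDACTED]"
    raise ValueError(f"unknown masking rule {rule!r}")


def apply_masking(role, table, rows, policy=MASK_POLICY):
    """Return copies of rows with policy columns masked unless the role is authorized."""
    if role in AUTHORIZED_ROLES:
        return [dict(r) for r in rows]
    masked = []
    for row in rows:
        out = dict(row)
        for col, val in row.items():
            rule = policy.get((table.upper(), col.upper()))
            if rule:
                out[col] = mask_value(rule, val)
        masked.append(out)
    return masked


SAMPLE_ROWS = [  # constructed data
    {"id": 1, "name": "Alice", "card_no": "4111 1111 1111 1111", "ssn": "123-45-6789", "email": "alice@example.com"},
    {"id": 2, "name": "Bob", "card_no": None, "ssn": "987-65-4321", "email": "bob@example.org"},
]

if __name__ == "__main__":
    for row in apply_masking("outsourced_dba", "customers", SAMPLE_ROWS):
        print(row)
```

Keying the policy on upper-cased names makes one rule set work across DBMSs with different identifier case conventions; the unknown-rule error is deliberate so a typo in the policy fails closed at load time rather than silently leaking a column.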
Cross-DBMS, Data-Level Access Control (S-GATE)
Diagram: privileged users (e.g. an outsourced DBA) and application servers issue SQL; S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated before the statement reaches Oracle, DB2, MySQL, Sybase, etc.
• Cross-DBMS policies
• Block privileged user actions
• No database changes
• No application changes
• Without risk of inline appliances that can interfere with application traffic
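The S-GATE flow (hold the statement, check policy on the appliance, terminate on violation) combined with the DDL/DML/DCL distinction from the compliance-mandate slide can be expressed as a small policy evaluator. The Python below is an added example of that decision logic, not S-GATE's own; the sensitive-object list, the privileged-user list and the statement samples are constructed, and the object extraction is a keyword regex rather than a full SQL parser.

```python
"""S-GATE style hold / check / terminate decision for a SQL statement, combined with
the DDL / DML / DCL classification used when deciding what must be monitored."""
import re

DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DCL = {"GRANT", "REVOKE"}

# Hypothetical policy inputs
SENSITIVE_OBJECTS = {"CUSTOMERS", "CARDS", "PATIENTS"}
PRIVILEGED_USERS = {"outsourced_dba", "sysdba"}
# Object names follow these keywords in the common statement shapes; not a full SQL grammar
OBJECT_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def classify(sql):
    """Return DDL / DML / DCL / SELECT / OTHER based on the leading keyword."""
    stripped = sql.strip()
    first = stripped.split(None, 1)[0].upper() if stripped else ""
    if first in DDL:
        return "DDL"
    if first in DML:
        return "DML"
    if first in DCL:
        return "DCL"
    if first in ("SELECT", "WITH"):
        return "SELECT"
    return "OTHER"


def referenced_objects(sql):
    """Unqualified, upper-cased names following FROM/JOIN/INTO/UPDATE/TABLE/ON."""
    return {name.split(".")[-1].upper() for name in OBJECT_RE.findall(sql)}


def evaluate(session, sql):
    """Hold the statement, check policy, return ('ALLOW' | 'DROP_CONNECTION', reason).
    Policy: privileged users may not touch sensitive objects at all; everything is logged."""
    kind = classify(sql)
    touched = referenced_objects(sql) & SENSITIVE_OBJECTS
    if session["user"] in PRIVILEGED_USERS and touched:
        return "DROP_CONNECTION", f"privileged user {session['user']} issued {kind} against {sorted(touched)}"
    return "ALLOW", f"{kind} by {session['user']} on {sorted(referenced_objects(sql))}"


if __name__ == "__main__":
    samples = [  # constructed sessions and statements
        ({"user": "outsourced_dba"}, "SELECT * FROM CARDS"),
        ({"user": "outsourced_dba"}, "SELECT 1 FROM DUAL"),
        ({"user": "app_user"}, "UPDATE customers SET status = 'active' WHERE id = 7"),
        ({"user": "sysdba"}, "GRANT SELECT ON cards TO reporting"),
    ]
    for session, sql in samples:
        print(evaluate(session, sql))
```

Because the decision is taken before the statement is released to the database, a violation costs the offender their session rather than leaving the defender to discover it in a log later; the ALLOW path still carries a reason string so every statement lands in the audit trail.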
Monitoring z/OS
Comprehensive: sensitive objects, privileged users, and complete control over what is audited.
Typical User vs Privileged User Authorization
• RACF, Top Secret and ACF-2 allow authorized users to have limited access to DB2
• Privileged users have direct access to data. This requires granular control to verify access to sensitive data
Three key components for System z
1. Data Gathering – collecting each SQL statement
2. Data Filtering – determining if the SQL matches a monitoring policy
3. Data Movement – packaging and sending the SQL to the Guardium collector
S-TAP for DB2 on z/OS Architecture
Diagram: the audited DB2 subsystem (with DB2 IFI collection and audit trace), the S-TAP agent, an administration repository, an audit server and the Guardium collector. Events of audit interest are forwarded to the collector; events of no audit interest are dropped.
• Simplified Administration
• Simplified Configuration
• Improved Performance
Diagram components: audited table; Audit SQL Collector (ASC); TCP/IP streaming process to the collector; S-TAP Windows administration GUI; S-TAP server and collectors, which handle data collection, filtering, and delivery.
S-TAP for IMS on z/OS Architecture
Diagram: IMS online regions and IMS DL/1 batch regions with audited DB/segments, together with SMF data and RECON data, feed the TCP/IP streaming process.
S-TAP for VSAM on z/OS Architecture
Diagram: audited VSAM datasets on the z/OS file system, together with system, SMF and RACF data, are gathered by the collectors and the S-TAP agent and streamed over TCP/IP to the appliance (identified by IP address and port number in the S-TAP configuration files); an administration repository holds the audited tables and configuration.
The Entire Picture
DB2 for z/OS subsystem: the SQL application issues Select, Fetch, Fetch, Update … against the audited subsystem; DB2 IFI captures the non-SQL events.
Gathering, Filtering, Moving:
• S-TAP Stage 0 Filters: evaluate SQL by connection and by plan; all other evaluations sent to Stage 1
• S-TAP Stage 1 Filters: evaluate SQL by user; all other evaluations sent to Stage 2
• S-TAP Stage 2 Filters: evaluate SQL by object
• S-TAP Streaming Process: sends the audited events to the collector
Policy Configuration: the collector holds the connection types, plans, users and objects to audit for the DB2 for z/OS subsystem.
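The staged filters above are a cheap-first pipeline: Stage 0 settles what it can from connection type and plan alone, Stage 1 looks at the user, and only what survives reaches the per-object check in Stage 2, so most traffic is decided before any object names are examined. The Python below is an added model of that pipeline (not the S-TAP implementation) and shows the same three-stage shape applied to a constructed policy and constructed events; each stage returns True (audit interest), False (no audit interest) or None (pass to the next stage), and the trace records where each event was settled.

```python
"""Three-stage audit-interest filter modelled on the Stage 0 / 1 / 2 split:
each stage evaluates one attribute and either settles the decision or passes the event on."""

# Hypothetical policy, mirroring the collector's configuration items
# (connection types, plans, users and objects to audit)
POLICY = {
    "stage0": {"connections_exclude": {"BATCH"}, "plans_include": {"PAYROLL"}},
    "stage1": {"users_include": {"DBADMIN", "OUTSRC01"}, "users_exclude": {"MONITOR"}},
    "stage2": {"objects_include": {"CARDS", "CUSTOMERS"}},
}


def stage0(event, policy):
    """By connection type and plan: excluded connections are dropped, listed plans audited."""
    if event["connection"] in policy["connections_exclude"]:
        return False
    if event["plan"] in policy["plans_include"]:
        return True
    return None


def stage1(event, policy):
    """By user: excluded users dropped, privileged users audited, everyone else passed on."""
    if event["user"] in policy["users_exclude"]:
        return False
    if event["user"] in policy["users_include"]:
        return True
    return None


def stage2(event, policy):
    """By object: the last stage must settle, so anything not touching a listed object is dropped."""
    return bool(set(event["objects"]) & policy["objects_include"])


STAGES = (("stage0", stage0), ("stage1", stage1), ("stage2", stage2))


def filter_event(event, policy=POLICY):
    """Return (audit_interest, trace) where trace lists each stage's verdict until settled."""
    trace = []
    for name, fn in STAGES:
        verdict = fn(event, policy[name])
        trace.append((name, verdict))
        if verdict is not None:
            return verdict, trace
    return False, trace  # unreachable with a settling final stage, kept for safety


def audit_split(events, policy=POLICY):
    """Partition events into those sent to the collector and those discarded."""
    audited, dropped = [], []
    for ev in events:
        (audited if filter_event(ev, policy)[0] else dropped).append(ev)
    return audited, dropped


EVENTS = [  # constructed events; 'objects' are the tables the statement touches
    {"id": 1, "connection": "BATCH", "plan": "PAYROLL", "user": "DBADMIN", "objects": {"CARDS"}},
    {"id": 2, "connection": "DRDA", "plan": "PAYROLL", "user": "APP01", "objects": {"ORDERS"}},
    {"id": 3, "connection": "TSO", "plan": "ADHOC", "user": "DBADMIN", "objects": {"ORDERS"}},
    {"id": 4, "connection": "DRDA", "plan": "WEBAPP", "user": "APP01", "objects": {"CARDS"}},
    {"id": 5, "connection": "DRDA", "plan": "WEBAPP", "user": "APP01", "objects": {"ORDERS"}},
    {"id": 6, "connection": "DRDA", "plan": "WEBAPP", "user": "MONITOR", "objects": {"CARDS"}},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], filter_event(ev))
```

Ordering the stages this way is what keeps the agent's overhead low on the audited subsystem: in the sample, four of the six events never reach the object check. Note the exclusion rules win over inclusion inside a stage, so an excluded connection type is dropped even when its plan or user would otherwise be of interest; that is a policy choice to make deliberately.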
ibm.com/guardium