© 2015 IBM Corporation
Bridging the Gap Between Your Security Defenses and Critical Data
The Benefits and Synergies of Guardium and QRadar
Sally E. Fabian
Security Technical Specialist – Data Security
IBM Security BU
Jose Bravo
NA Security Architect
IBM Security BU
Agenda
IT and Security trends
Guardium and QRadar working together to
detect and prevent data breaches
Sensitive data is at risk
70% of organizations surveyed use live customer data in non-production environments (testing, Q/A, development)
Sources: Database Trends and Applications, Ensuring Protection for Sensitive Test Data; The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis
52% of surveyed organizations outsource development
50% of organizations surveyed have no way of knowing if data used in test was compromised
Source: The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis
$188 per record cost of a data breach
$5.4M average cost of a data breach
Source: The Ponemon Institute, 2013 Cost of Data Breach Study
Key Inputs: Ponemon Report 2014
Reference: http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
How do you calculate the cost of data breach? To calculate the average cost of data breach, we collect
both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic
experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for
future products and services. Indirect costs include in-house investigations and communication, as well as
the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.
Market Overview
Minutes To Compromise, Months To Discover & Remediate
Chart: time span of events by percent of breaches (source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038)
Guardium capabilities placed along that timeline: Guardium Discovery, Guardium DAM, Guardium VA, Guardium DAM Adv. (block/mask), Guardium Encryption
Chart: Frequency of Attempted Security Attacks
Background of Respondents:
47% work within companies with more than 1,000 employees
63% report to CIO, CTO or IT Leader
Security Observations continued…
While talk of sophisticated attacks and widespread distributed denial-of-service
(DDoS) attempts made the year’s headlines, a large percentage of
breaches relied on tried and true techniques such as SQL injection. What continues
to be clear is that attackers, regardless of operational sophistication, will pursue a
path-of-least-resistance approach to reach their objectives.
2012 X-Force Report, http://www-03.ibm.com/security/xforce/downloads.html
Many of the breaches reported in the last year were a result of poorly applied
security fundamentals and policies and could have been mitigated by putting some
basic security hygiene into practice. Attackers seem to be capitalizing on this “lack
of security basics” by using a model of operational sophistication that allows them to
increase their return on exploit. The idea that even basic security hygiene is not
upheld in organizations, leads us to believe that, for a variety of reasons, companies
are struggling with a commitment to apply basic security fundamentals.
2013 X-Force Report
Most Organizations Have Weak Controls
94% of breaches involved database servers
85% of victims were unaware of the compromise for weeks to months
97% of data breaches were avoidable through simple or intermediate controls
98% of data breaches stemmed from external agents
92% of victims were notified by 3rd parties of the breach
96% of victims were not PCI DSS-compliant at the time of the breach
Source: 2012 Verizon Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Key findings: Where is the new data store?
You need to understand the data in order to protect it
Our philosophy: assess each data element along four dimensions
Value: Is it used? How often? By who?
Risk: Sensitivity, Exposure, Volumes
Lifecycle: Production, Test/Dev, Archive, Analysis
Relevance: How old is it? Is it still being used? Who owns the data?
Data Security 101
Axes: Value to the business vs. Risk for the business
Above the line: high value data with low (or at least acceptable) risk levels
Below the line: risk levels are too high given the business value of the data
Low Value, High Risk: dormant table with sensitive data
Low Value, Low Risk: temp table with no sensitive data
High Value, High Risk: table with sensitive data that is used often by a business application
High Value, Low Risk: table with no sensitive data that is used often by an important business application
Understanding the Data – Value vs. Risk
Axes: Value to the Business vs. Risk
The Goal: reduce the risk and get all data elements above the 'risk' line
How? First discover the DATA, then:
1. Understand the VALUE
2. Determine the RISK
3. Reduce the RISK
Discover the DATA
- Discovery & Classification: What data is out there? How sensitive is it?
1. Understand the VALUE
- Business Glossary: insights on how data is used by the business
- Activity Monitoring: How often? What data?
- Integrations: Who uses the data?
2. Determine the RISK
- Activity Monitoring: How exposed is the data? What data is being extracted?
- Vulnerability Assessment: How secure is the repository? Is it fully patched? Best practice configuration?
3. Reduce the RISK
- Activity Monitoring: alert/block suspicious activities; prevent unauthorized access to data; report and review all data activities
- Vulnerability Assessment: assessments & remediation steps; configuration "lock down"; purge dormant data
- Encryption: encrypt data at rest
Perimeter Security is Not Enough
Dynamic Data (in use)
Static Data (at rest)
Guardium
1. Reduce risk & prevent data breaches: mitigate external and internal threats
2. Ensure the integrity of sensitive data: prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce the cost of compliance: automate and centralize controls while simplifying audit review processes
4. Enable businesses to take advantage of new technologies: cloud, mobile & Big Data are changing the dynamics in the market today
Guardium – Monitor, Mask, & Encrypt Information
3 Layers of Defense with 1 Solution
#1 Database & File Level Encryption: Access & Privileged User Controls; Unified Encryption Policies; Enterprise Key Management; Central Administration
#2 Data Monitoring & Protection (Database Server Layer, covering DB's, Big Data, & File Shares): Data Monitoring & Alerting; Sensitive Data Discovery & Masking; Compliance Controls & Workflows; Blocking Unauthorized Access to Data
#3 Application Dynamic Data Masking (Browser/Glass layer): Protect Mobile Browser Sensitive Data; Dynamic Data Masking for Apps; Data Privacy
Repositories covered: Database, Warehouse, Big Data, File Shares
How we do it?
Discover: Where is the sensitive data? Discovery, Classification
Harden: How to secure the repository? Who should have access? Assessment, Identity & Access Management, Security Policies, Dormant Entitlements, Dormant Data
Monitor: What is actually happening? Activity Monitoring, Compliance Reporting & Security Alerts
Block: How to prevent unauthorized activities? Blocking, Quarantine, Data Protection & Enforcement
Mask: How to protect sensitive data to reduce risk? Masking, Encryption
Guardium Database Activity Monitoring Overview
Components: Database Client; Database Server with the STAP agent; Guardium Collector (Sniffer and Analysis Engine); QRadar SIEM
Flow:
1. Client requests information from the DB Server
2. DB Server responds with the appropriate information
3. STAP makes a copy of the information and sends it to the Guardium appliance
4. The Guardium Analysis Engine analyzes and parses the traffic, then logs the appropriate data to the internal repository
5. The Sniffer can send control signals back to STAP
6. The appliance forwards real-time policy violations to QRadar (SIEM), as described in the Summary
Properties:
- No changes to the database or application environment
- Low overhead on the server
- Ensures separation of duties
- Intercepts and copies SQL events to the appliance, where all the processing occurs
- Stores audit/log information off the server so it cannot be erased or tampered with
- Granular real-time alerting/blocking/masking
- An agent is required to monitor privileged users (local connections: shared memory, named pipes, Bequeath)
Addressing key stakeholders
Security: Real-time policies; Secure audit trail; Data mining and forensics; Separation of duties; Best practices reports
Operations: Automated controls; Minimal impact; Change management; Performance optimization
Both: 100% Visibility and Unified View
The Compliance Mandate – What do you need to monitor?
Audit requirements come from PCI DSS, COBIT (SOX), ISO 27002, Data Privacy & Protection Laws, and NIST SP 800-53 (FISMA)
1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
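As an added illustration of the five monitoring categories above (not part of the original deck and not Guardium's own code), the Python below sorts constructed database events into those categories and applies the failed-login check the report slides call out; the sensitive-object list, the event fields and the object-name regex are assumptions.

```python
import re
from collections import Counter

# Constructed catalogue of sensitive objects, as Discovery & Classification would produce
SENSITIVE_OBJECTS = {"hr.employees", "fin.payroll", "crm.customers"}
VERB_CATEGORIES = {
    "schema_change": {"CREATE", "ALTER", "DROP", "TRUNCATE"},  # DDL (category 2)
    "data_change": {"INSERT", "UPDATE", "DELETE", "MERGE"},    # DML (category 3)
    "privilege_change": {"GRANT", "REVOKE"},                   # DCL (category 5)
}
# Heuristic (assumed): the object name that follows FROM/JOIN/INTO/UPDATE/TABLE
OBJ_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)", re.I)

def referenced_objects(sql):
    return {name.lower() for name in OBJ_RE.findall(sql)}

def classify(event):
    """Map one captured event (keys: user, login, status 'ok'|'error', sql) to its audit category."""
    if event["login"]:
        return "security_exception" if event["status"] == "error" else "login"
    verb = event["sql"].split(None, 1)[0].upper()
    # Category 1 counts successful AND failed SELECTs against sensitive data
    if verb == "SELECT" and referenced_objects(event["sql"]) & SENSITIVE_OBJECTS:
        return "sensitive_access"
    if event["status"] == "error":
        return "security_exception"  # SQL errors (category 4)
    for category, verbs in VERB_CATEGORIES.items():
        if verb in verbs:
            return category
    return "other"

def summarize(events):
    return Counter(classify(e) for e in events)  # per-category counts for a compliance report

def users_with_failed_logins(events, threshold=3):
    """Users whose failed logins reach the threshold (the 'looks a little high' check)."""
    fails = Counter(e["user"] for e in events if e["login"] and e["status"] == "error")
    return sorted(u for u, n in fails.items() if n >= threshold)

# Constructed sample of events as the collector would have parsed them
SAMPLE_EVENTS = [
    {"user": "app_svc", "login": False, "status": "ok", "sql": "SELECT id, ssn FROM hr.employees WHERE id = 42"},
    {"user": "dba1", "login": False, "status": "ok", "sql": "ALTER TABLE fin.payroll ADD COLUMN bonus INT"},
    {"user": "dba1", "login": False, "status": "ok", "sql": "GRANT SELECT ON crm.customers TO reporting"},
    {"user": "jdoe", "login": True, "status": "error", "sql": None},
    {"user": "jdoe", "login": True, "status": "error", "sql": None},
    {"user": "jdoe", "login": True, "status": "error", "sql": None},
    {"user": "app_svc", "login": False, "status": "error", "sql": "SELECT * FROM tmp.scratch"},
    {"user": "app_svc", "login": False, "status": "ok", "sql": "UPDATE crm.customers SET email = 'x' WHERE id = 7"},
]
```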
Who are the active users accessing SOX information?
Plan and Organize
Looks a little high
Assess Risk – Failed User Login Attempts
Looks a little high
Investigate and Disclose – DDL Distribution
Alert and Investigate – Policy Violation Report
Assess and Harden
Compliance Reports
Guardium & QRadar Integration – Real Time Policy Integration
Demo: http://youtu.be/dPkYuPKunWs
Summary
Protect sensitive information with Guardium Database Activity Monitoring and Vulnerability Assessment
Use QRadar to monitor the enterprise and correlate security events to one pane of glass
Benefit: Guardium Real Time Policy violations are forwarded to QRadar, providing actionable insights to reduce security risks at all layers
Use Guardium as the “system of record” for Database Security and Audit Events, increasing compliance across the enterprise
Q&A
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use
or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY