Page 1: Bridging the Gap Between Your Security Defenses and Critical Data

© 2015 IBM Corporation

Bridging the Gap Between Your Security Defenses and Critical Data

The Benefits and Synergies of Guardium and QRadar

Sally E. Fabian, Security Technical Specialist – Data Security, IBM Security BU

Jose Bravo, NA Security Architect, IBM Security BU

Page 2

Agenda

- IT and Security trends
- Guardium and QRadar working together to detect and prevent data breaches

Page 3

Sensitive data is at risk

- 70% of organizations surveyed use live customer data in non-production environments (testing, Q/A, development). Sources: Database Trends and Applications, Ensuring Protection for Sensitive Test Data; The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis
- 52% of surveyed organizations outsource development
- 50% of organizations surveyed have no way of knowing if data used in test was compromised. Source: The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis
- $188 per record: cost of a data breach. Source: The Ponemon Institute, 2013 Cost of Data Breach Study
- $5.4M: average cost of a data breach. Source: The Ponemon Institute, 2013 Cost of Data Breach Study

Page 4

Key Inputs: Ponemon Report 2014

Reference: http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

How do you calculate the cost of data breach? To calculate the average cost of data breach, we collect both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.

Page 5

Market Overview

Minutes To Compromise, Months To Discover & Remediate

[Chart: Time span of events by percent of breaches, annotated with the Guardium capabilities that apply at each stage: Guardium Discovery, Guardium DAM, Guardium VA, Guardium DAM Adv. (block/mask), Guardium Encryption]

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038

Page 6

Frequency of Attempted Security Attacks

[Chart: Frequency of Attempted Security Attacks, as reported by survey respondents]

Background of Respondents: 47% work within companies with more than 1,000 employees; 63% report to CIO, CTO or IT Leader

Page 7

Security Observations continued…

“While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection. What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives.”

– 2012 X-Force Report (http://www-03.ibm.com/security/xforce/downloads.html)

“Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this ‘lack of security basics’ by using a model of operational sophistication that allows them to increase their return on exploit. The idea that even basic security hygiene is not upheld in organizations leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals.”

– 2013 X-Force Report

Page 8

Most Organizations Have Weak Controls

- 94% of breaches involved database servers
- 85% of victims were unaware of the compromise for weeks to months
- 97% of data breaches were avoidable through simple or intermediate controls
- 98% of data breaches stemmed from external agents
- 92% of victims were notified by 3rd parties of the breach
- 96% of victims were not PCI DSS-compliant at the time of the breach

Source: 2012 Verizon Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Key findings: Where is the new data store?

Page 9

You need to understand the data in order to protect it

Our philosophy:

- Value: Is it used? How often? By whom?
- Risk: Sensitivity, Exposure, Volumes
- Lifecycle: Production, Test/Dev, Archive, Analysis
- Relevance: How old is it? Is it still being used? Who owns the data?

Page 10

Data Security 101: Need to understand the data in order to protect it

Axes: Value (for the business) vs. Risk (to the business)

- Above the line: high value data with low (or at least acceptable) risk levels
- Below the line: risk levels are too high given the business value of the data

Quadrants:

- Low Value, High Risk: dormant table with sensitive data
- Low Value, Low Risk: temp table with no sensitive data
- High Value, High Risk: table with sensitive data that is used often by a business application
- High Value, Low Risk: table with no sensitive data that is used often by an important business application

Page 11

Understanding the Data – Value vs. Risk

The Goal: Reduce the risk and get all data elements above the ‘risk’ line

How? First discover the DATA, then: 1. Understand the VALUE (to the business)  2. Determine the RISK  3. Reduce the RISK

Discover the DATA
- Discovery & Classification: What data is out there? How sensitive is it?

Understand the VALUE
- Business Glossary: insights on how data is used by the business
- Activity Monitoring: How often? What data?
- Integrations: Who uses the data?

Determine the RISK
- Activity Monitoring: How exposed is the data? What data is being extracted?
- Vulnerability Assessment: How secure is the repository? Is it fully patched? Best practice configuration?

Reduce the RISK
- Activity Monitoring: alert on/block suspicious activities; prevent unauthorized access to data; report on and review all data activities
- Vulnerability Assessment: assessments & remediation steps; configuration “lock down”; purge dormant data
- Encryption: encrypt data at rest

Page 12

Perimeter Security is Not Enough

[Diagram: Dynamic Data (in use) and Static Data (at rest)]

Page 13

Guardium

1. Reduce risk & prevent data breaches – Mitigate external and internal threats
2. Ensure the integrity of sensitive data – Prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce the cost of compliance – Automate and centralize controls while simplifying audit review processes
4. Enable businesses to take advantage of new technologies – Cloud, mobile & Big Data are changing the dynamics in the market today

Page 14

Guardium – Monitor, Mask, & Encrypt Information: 3 Layers of Defense with 1 Solution

#1 Database & File Level Encryption (Data Privacy)
- Access & Privileged User Controls
- Unified Encryption Policies
- Enterprise Key Management
- Central Administration

#2 Data Monitoring & Protection (Database Server Layer: DATABASE, WAREHOUSE, BIG DATA, FILE SHARES)
- Data Monitoring & Alerting
- Sensitive Data Discovery & Masking
- Compliance Controls & Workflows
- Blocking Unauthorized Access to Data
- DB’s, Big Data, & File Shares

#3 Application Dynamic Data Masking (Browser/Glass)
- Protect Mobile Browser Sensitive Data
- Dynamic Data Masking for Apps

Page 15

How do we do it? Discover – Harden – Monitor – Block – Mask

Questions: Where is the sensitive data? Who should have access? What is actually happening? How to prevent unauthorized activities? How to protect sensitive data to reduce risk? How to secure the repository?

Capabilities: Discovery, Classification, Identity & Access Management, Activity Monitoring, Blocking, Quarantine, Masking, Encryption, Assessment, Masking/Encryption, Security Policies, Dormant Entitlements, Dormant Data

Outcomes: Compliance Reporting & Security Alerts; Data Protection & Enforcement

Page 16

Guardium Database Activity Monitoring Overview

Components: Database Client; Database Server with the S-TAP agent; Guardium Collector with the Sniffer; QRadar SIEM

1. Client requests information from the DB Server
2. DB Server responds with the appropriate information
3. S-TAP makes a copy of the information and sends it to the Guardium appliance
4. Guardium Analysis Engine analyzes and parses the traffic, then logs the appropriate data to the internal repository
5. Sniffer can send control signals to S-TAP

- No changes to the database or application environment
- Low overhead on the server
- Ensures separation of duties
- Intercept and copy SQL events to the appliance, where all the processing occurs
- Store audit/log information off the server so it cannot be erased or tampered with
- Granular real-time alerting/blocking/masking
- Agent is required to monitor privileged users (local connections: shared memory, named pipes, Bequeath)

Page 17

Addressing key stakeholders: Security and Operations

- Real-time policies
- Secure audit trail
- Data mining and forensics
- Separation of duties
- Best practices reports
- Automated controls
- Minimal impact
- Change management
- Performance optimization

100% Visibility and Unified View

Page 18

The Compliance Mandate – What do you need to monitor?

Audit Requirements: PCI DSS, COBIT (SOX), ISO 27002, Data Privacy & Protection Laws, NIST SP 800-53 (FISMA)

1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)

DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
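An added example, not Guardium's code or its real event format, that models the collector's analysis path from slide 16 together with the five monitoring categories above: each statement copied by the agent is classified as a SELECT, DDL, DML, DCL or security exception, checked against a real-time policy, and every violation is rendered as a LEEF 1.0 syslog line of the kind a SIEM such as QRadar ingests. The sample events, the sensitive-table list, the application account list and the LEEF attribute keys are all constructed.

```python
import re

# Constructed sample of events as the S-TAP copy of database traffic might deliver
# them to the collector: (db_user, client_ip, sql_text, succeeded). Not real data.
SAMPLE_EVENTS = [
    ("app_svc", "10.0.5.20", "SELECT name, ssn FROM customers WHERE id = 42", True),
    ("jdoe", "10.0.9.77", "SELECT * FROM customers", True),
    ("dba1", "10.0.9.78", "ALTER TABLE customers DROP COLUMN ssn", True),
    ("jdoe", "10.0.9.77", "GRANT DBA TO jdoe", True),
    ("jdoe", "10.0.9.77", "UPDATE salaries SET amount = 0", False),
]

# Assumed output of the discovery/classification step and of the business glossary.
SENSITIVE_TABLES = {"customers", "salaries"}
APP_ACCOUNTS = {"app_svc"}  # accounts expected to read sensitive data

# Statement verb -> audit category (SELECTs, DDL, DML, DCL from the slide above).
VERB_CATEGORY = {"CREATE": "ddl", "DROP": "ddl", "ALTER": "ddl",
                 "INSERT": "dml", "UPDATE": "dml", "DELETE": "dml",
                 "GRANT": "dcl", "REVOKE": "dcl", "SELECT": "select"}

def classify(sql, succeeded):
    """Map one captured statement onto the five audit categories."""
    if not succeeded:
        return "security_exception"  # failed statements and SQL errors
    return VERB_CATEGORY.get(sql.strip().split(None, 1)[0].upper(), "other")

def tables_in(sql):
    # Crude table-name extraction; sufficient for the constructed sample.
    pattern = r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+(\w+)"
    return {t.lower() for t in re.findall(pattern, sql, re.IGNORECASE)}

def evaluate(user, ip, sql, succeeded):
    """Apply a real-time policy; return a LEEF 1.0 syslog line for the SIEM, or None."""
    cat = classify(sql, succeeded)
    if cat == "select" and tables_in(sql) & SENSITIVE_TABLES and user not in APP_ACCOUNTS:
        rule = "sensitive data read by non-application account"
    elif cat in ("ddl", "dcl"):
        rule = "schema or privilege change on production database"
    elif cat == "security_exception":
        rule = "failed statement or SQL error"
    else:
        return None  # compliant activity is logged in the repository, not alerted
    # LEEF header is Version|Vendor|Product|ProductVersion|EventID; attributes are
    # tab-separated. The attribute keys here are illustrative, not Guardium's own.
    return ("LEEF:1.0|IBM|Guardium|EXAMPLE|PolicyViolation|"
            f"usrName={user}\tsrc={ip}\tcategory={cat}\trule={rule}\tsql={sql}")

def violations(events):
    """Run the policy over a batch of captured events and keep only the alerts."""
    return [line for line in (evaluate(*e) for e in events) if line]
```

Running `violations(SAMPLE_EVENTS)` yields four alerts: the application account's routine SELECT is logged without raising one, while the ad-hoc read of a sensitive table, the DDL, the GRANT and the failed UPDATE each produce a LEEF line.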

Page 19

Who are the active users accessing SOX information?

Plan and Organize

Looks a little high

Page 20

Assess Risk – Failed User Login Attempts

Looks a little high

Page 21

Investigate and Disclose – DDL Distribution

Page 22

Alert and Investigate – Policy Violation Report

Page 23

Assess and Harden

Page 24

Compliance Reports

Page 25

Guardium & QRadar Integration – Real Time Policy Integration

Demo: http://youtu.be/dPkYuPKunWs

Page 26

Summary

- Protect sensitive information with Guardium Database Activity Monitoring and Vulnerability Assessment
- Use QRadar to monitor the enterprise and correlate security events to one pane of glass
- Benefit: Guardium Real Time Policy violations are forwarded to QRadar, providing actionable insights to reduce security risks at all layers
- Use Guardium as the “system of record” for Database Security and Audit Events, increasing compliance across the enterprise

Page 27

Q&A

Page 28

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY