Integration with ArcSight. Guardium Version 7.0

Transcription

1 Integration with ArcSight Guardium Version 7.0

2 Contents Contents...2 Preface...3 About this Document...3 Target Audience...3 Introduction...4 Benefits of SIEM integration with Guardium...4 SIEM integration with Guardium...5 Alerter Formatting...6 Syslog Forwarding...8 Export of CEF files...9 Create a Workflow Process...9 Export CEF File...10 Modify Policy Alerts...11 Add or Edit Rules...11 Policy Alert Examples...12 Example: SOX Failed Login to database...13 Example: SOX Grant Commands, Financial Servers Log INFO Violation...14 Example: PCI PCI Creditcard alert...15 Example: PCI Unauthorized Clients access Cardholder Objects - Alert...16 ArcSight Display...17 Policy Violations Output...18 Appendix...19 store remotelog...19 Version 7.0 Guardium 2

3 Preface About this Document This document describes how Guardium can provide information to the ArcSight security information and event management (SIEM) platform. To use Guardium with other SIEM products, contact Guardium Support to obtain the correct documentation. For a detailed description of all features of the Guardium system, see the version 7.0 online help manuals. Target Audience This document is intended for Guardium users and administrators. 230 Third Ave, Waltham, Massachusetts T F Copyright 2008 Guardium. All rights reserved. Information in this document is subject to change without notice. Guardium, Safeguarding Databases, S-TAP, and S-GATE are trademarks of Guardium, Inc. All other trademarks and trade names are the property of their respective companies Document Version 7.0 October 2, 2008 Part Number DOC-70-SIEM-nVision Version 7.0 Guardium 3

4 Introduction Benefits of SIEM integration with Guardium Until now, security information and event management (SIEM) users were faced with the challenge of importing raw logs generated by internal DBMS utilities. This is typically impractical because of the performance overhead of native DBMS logging utilities, the massive amounts of unfiltered information that they produce, and the lack of granular information required to identify unauthorized or suspicious activities. In addition, native database logging utilities are unable to identify end-user fraud and other abuses that occur via multi-tier enterprise applications such as Oracle e-business Suite, PeopleSoft and SAP rather than via direct access to the database. By combining Guardium s contextual knowledge of database activity patterns, structures and protocols, with your SIEM platform, you can now enhance your ability to: Proactively identify and mitigate risks from external attacks, trusted insiders and compliance breaches Implement automated controls for Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and data privacy regulations Manage system and network events alongside critical logs and events from the core of your data center enterprise databases and applications for enterprise-wide correlation, forensics, incident prioritization and reporting Version 7.0 Guardium 4

5 SIEM integration with Guardium Guardium can easily be setup, through the Guardium UI, to integrate with various SIEM tools. It is important to note that nothing changes on the Guardium Box, not the reports, not the policies. Users can keep on using their existing policies and keep on securing their database environment, only now they can also trigger alerts on and send reports to their ArcSight system. This integration can be done in one of the following ways: 1. Syslog forwarding (the most common method for alerts and events) 2. SNMP alerts (used to be common but is now being gradually abandoned, mostly for short messages and alerts) 3. Export of CSV files or CEF File to a remote repository (the most common way for detailed audit reports) This document describes how to integrate Guardium with the ArcSight SIEM platform using: Syslog Forwarding (alerts and events) Export of CEF files (detailed audit reports) Setting up Syslog forwarding requires three separate steps: 1. Alert Formatting 2. Syslog Forwarding 3. Export of CEF files 4. Modifying Policy Alerts In addition to the alerts being sent to Syslog, alerts can be viewed through Guardium s Policy Violations Report or the ArcSight Display. Version 7.0 Guardium 5

6 Alerter Formatting In order for the SIEM product to recognize the information being sent, the generic real-time alert format for messages must be changed. This is an agreed upon format between the SIEM and Guardium so the SIEM can parse incoming messages and update its own database with the new event/data. For ArcSight, this integration equates to formatting the alerts to be in the standard ArcSight Common Events Format (CEF), more details below. To customize the message template used to generate alerts: 1. Select Administration Console > Global Profile to open the Global Profile panel. 2. For ArcSight integration, replace the default alert format in the Message Template text box with: CEF:0 Guardium Version 7.0 %%ruleid %%ruledescription %%severity 8 start=%%sessionstart duser=%%dbuser dst=%%serverip dpt=%%serverport src=%%clientip spt=%%clientport proto=%%netprotocol msg=%%ruledescription Note: Default alert format: (to rollback changes if necessary) Alert based on rule ID %%ruledescription Category: %%category Classification: %%classification Severity %%severity Rule # %%ruleid [%%ruledescription ] Request Info: [ Session start: %%sessionstart Server Type: %%servertype Client IP %%clientip ServerIP: %%serverip Client PORT: %%clientport Server Port: %%serverport Net Protocol: %%netprotocol DB Protocol: %%DBProtocol DB Protocol Version: %%DBProtocolVersion DB User: %%DBUser Application User Name %%AppUserName Source Program: %%SourceProgram Authorization Code: %%AuthorizationCode Request Type: %%requesttype Last Error: %%lasterror SQL: %%SQLString To add to baseline: %%addbaselineconstruct Version 7.0 Guardium 6

7 3. Click Apply when you are done. 4. Changes will not take effect until the inspection engines are restarted. To do that now, select Administration Console > Inspection Engines > Restart Inspection Engines. Version 7.0 Guardium 7

8 Syslog Forwarding The Guardium appliance can be configured to send Syslog messages to remote systems, using the store remotelog CLI command. Specific types of Syslog messages can be sent to specific hosts. The Syslog message type is determined from the facility.priority of the message. The following CLI commands provide an example for pointing the Syslog to host See the section store remotelog for additional options for controlling remote logging. Note: The following example sends the facility.priority of all.all to host Your SIEM, in this case ArcSight, might not be configured to listen and accept all facilities and all priorities. You should always check with the SIEM administrator to validate the facilities and priorities that the SIEM is listening to. CollectorA.guardium.com> show remotelog Not configured. ok CollectorA.guardium.com> store remotelog add all.all ok CollectorA.guardium.com> show remotelog Ok Version 7.0 Guardium 8

9 Export of CEF files Reports containing information that can be used by other applications, or reports containing large amounts of data, can be exported to a CEF file format. Report output can be exported to CEF (Common Event Format) files. Additionally, CEF file output can be written to syslog. If the remote syslog capability is used, this will result in the immediate forwarding of the output CEF file to the remote syslog locations. Create a Workflow Process 1. Navigate to the Audit Process Finder: Select: Tools > Config & Control > Audit Process Finder. 2. Click the New button to add a process or select an existing process from the drop down list. 3. Click the Report radio button to open and enable the Export to CEF file and Write to Syslog options. Note: See the Guardium Help guide, Comply > Compliance Workflow Automation, to find out more about exporting audit task output to CEFs, creating a workflow process, and filing in the fields on the input window. Version 7.0 Guardium 9

10 Export CEF File CEF files created by a workflow process can also be exported on a schedule to the ArcSight host. 1. Create a Workflow Process (as described in previous section) Note: make sure you check the Export to CEF File radio button Note: make sure you uncheck the Write to Syslog otherwise Syslog messages will be generated instead of a file 2. Navigate to the CSV/CEF Export: Select: Administrative Console > CSV/CEF Export 3. Fill in the remaining fields to define the SIEM host, destination directory, and login credentials. 4. Click the Apply button to save the configuration. 5. If a successful configuration has been entered, the Modify Schedule button will become active. Click the Modify Schedule button to schedule the exports of CEFs on a regular basis. Note: See the Guardium Help guide, Guardium Administrative Guide > CSV/CEF Export, to find help additional help on filling in the required fields for CEF exports and defining schedules Version 7.0 Guardium 10

11 Modify Policy Alerts In order to have a policy alert routed to Syslog, exception rules, access rules, and extrusion rules must be modified to trigger notifications to be sent to Syslog. This can be accomplished by navigating to the Policy Builder and then selecting Edit Rules for the desired policy. Add or Edit Rules 1. Navigate to the Policy Finder: Users, select: Protect > Security Policies > Policy Builder. Administrators, select: Tools > Config & Control > Policy Builder. 2. From the Policy Description list, select the policy to be edited. 3. Click the Edit Rules button to open the Policy Rules panel. 4. Do one of the following: To edit a rule, click the Edit this rule individually button. To add a new rule, click one of the following buttons: Add Access Rule Add Exception Rule Add Extrusion Rule (will only be available if the administrator has configured the inspection engine to examine returned data) Note: See the Guardium Help guide, Protect > Policies, to find out more about adding or editing policy rules and various fields on the input window. Version 7.0 Guardium 11

12 5. Alert actions send notifications to one or more recipients. For each alert action, multiple notifications can be sent to , SNMP, Syslog, or a custom notification. Triggering alerts to be sent requires one of the four alerting actions to be selected from the drop down selection box. Note: See the Guardium Help guide, Protect > Policies, to find out more about choosing the appropriate alerting action. 6. If an alerting action is specified, the Notification pane opens, and at least one notification type must be defined. To send alert to Syslog, select SYSLOG from the drop down list. Note: See the Guardium Help guide, Protect > Policies, to find out more about choosing the appropriate notification. For instructions on how to add notifications, see Notifications, in the Common Tools book. Policy Alert Examples Use the following examples as guides to help define policy alerts for your system. SOX - Failed Login to database PCI - PCI Creditcard alert PCI - Unauthorized Clients access Cardholder Objects - Alert Version 7.0 Guardium 12

13 Example: SOX Failed Login to database This example will send a notification to Syslog when a failed login to a database occurs more than 3 times in the last 2 minutes. Version 7.0 Guardium 13

14 Example: SOX Grant Commands, Financial Servers Log INFO Violation This example will send a notification to Syslog when a Public Grant Commands are issued within a database. Version 7.0 Guardium 14

15 Example: PCI PCI Creditcard alert This alert will send a notification to the Syslog when creditcard information has been accessed based on inspecting the return data streams (Extrusion Rule) and identifying pattern of [0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}. Version 7.0 Guardium 15

16 Example: PCI Unauthorized Clients access Cardholder Objects - Alert This example will send a notification to Syslog when a Client IP, not in the group of Authorized Client IPs, tries to access any of the Cardholder Objects. Version 7.0 Guardium 16

17 ArcSight Display After syslog messages are transported they will show up in ArcSight. Displayed below includes one of the examples: SOX Grant Commands, Financial Servers Log INFO Violation. Version 7.0 Guardium 17

18 Policy Violations Output For every policy rule violation logged during the reporting period, the Policy Violations report provides the Timestamp from the Policy Rule Violation entity, Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String from the Policy Rule Violation entity, Severity Description, and a count of violations for that row. With this report, users can group violations and create incidents, set the severity of each violation, and assign incidents to users. Version 7.0 Guardium 18

19 Appendix store remotelog The store remotelog CLI command controls the use of remote logging. In addition to system messages, statistical alerts and policy rule violation messages can be written to Syslog (optionally). For each facility.priority combination (see the lists under Parameters, below), messages can be directed to a specific host. If you enable remote logging, be sure that the receiving host has enabled this capability (see the Notes, below). Syntax store remotelog [help add clear] facility.priority host Parameters help - Displays supported facilities and priorities. add - Adds the specified facility.priority combination to the list of messages to be sent to the specified remote host. clear - Clears the specified facility.priority combination from the list of messages being sent to the specified host. facility - May be one of the following: all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security, Syslog, user, uucp. The majority of messages issued by the Guardium appliance will be from the daemon facility. priority - May be one of the following: alert, all, crit, debug, emerg, err, info, notice, warning. The standard Guardium severity codes for alerts and violations map as follows: Guardium Severity Syslog priority INFO info LOW warning MED err HIGH alert host - identifies the host to receive this facility.priority combination. Notes: To configure the receiving system to accept remote logging, edit /etc/sysconfig/syslog on that system to include the -r option. For example: SYSLOGD_OPTIONS="-r -m 0 Then restart the syslog daemon: /etc/init.d/syslog restart The standard syslog file in Linux is named: /var/log/messagesone Version 7.0 Guardium 19