IBM Security Guardium Tech Talk What s new in Vulnerability Assessment V10 Kathy Zeidenstein Guardium Evangelist Frank Cavaliero - Database Administrator Louis Lam - Database and VA Manager Vikalp Paliwal - VA Product Manager November 5, 2015
Reminder: Next Guardium Tech Talk Next tech talk: Hints and Tips: Upgrading to Guardium V10 Speakers: Vlad Langman, L3 Support Manager Omar Raza, QA Engineer Date and time: Thursday, November 19th 11:30 AM US Eastern, 8:30 AM US Pacific Register here: ibm.biz/bdhynu 2
Agenda Data is the key target for breaches Guardium Vulnerability Assessment overview Vikalp Paliwal What is new in IBM Security Guardium Vulnerability Assessment v10 Louis Lam New IBM Security Guardium Vulnerability Assessment v10 live demo Q & A Frank Cavaliero 3 3
Data is challenging to secure DYNAMIC Data multiplies continuously and moves quickly IN DEMAND Users need to constantly access and share data to do their jobs DISTRIBUTED Data is everywhere, across applications and infrastructure 4
ANALYZE. PROTECT. ADAPT. Data Security solutions protect structured and unstructured sensitive data Discovery Classification Masking Encryption Vulnerability Assessment Entitlements Reporting D A T A S E C U R I T Y I N T E L L I G E N C E Vulnerability Assessment Assessment reports Data Protection Subscription Configuration Changes Data Encryption File-level encryption Role-based access control File access auditing Data Masking Static masking Semantic and format preserving Activity Monitoring Standard DAM Data Activity Monitoring Real-time alerts App end-user identification Normalized audit creation Blocking Quarantine Dynamic Data Masking Discover Harden Monitor Protect Base Product DB and Data Discovery Data Classification Entitlement Reporting Enterprise Integrator Queries & Reports Threshold Alerts Compliance Workflow Group Management Security Integrations IT Integrations Data Level Security Incident Management User/Roles Management HR Integrations Portal Management Self Monitoring Data Export Options Data Imports Options Compliance reporting Compliance Federate large workflow deployment Central control Central audit collection Standard FAM File metadata discovery Sensitive data classification Data activity monitoring Real-time alerts Compliance reporting Compliance workflow Advanced DAM Blocking access Masking sensitive data Users Quarantine Data Redaction Redact sensitive documents App Data Masking Masking on the browser Advanced FAM Blocking access 5
Vulnerability Assessment Technology is used to support security threat management and compliance Secure your crown jewels Network Vulnerability Assessment Solution Applications Database Infrastructure In-depth assessments of databases and applications such as ERP systems (for ex SAP or Oracle), especially, are not widely supported in traditional VA solution, which focus on devices Endpoint IT Security managers choosing a VA solution must make a dedicated ongoing vulnerability signature support and maintenance for majority of their asset base a critical requirement. -Gartner - market guide for VA 6
Have you left the keys to the kingdom dangling from the front door? Default Username and Password Managing vulnerabilities is a data security critical success factor Unknown sensitive data Excessive Privilege Implications Data breach Non supported product versions Default settings and misconfigu rations Audit Fail Insider Theft Unpatched Databases Non Compliance 7
ANALYZE. PROTECT. ADAPT. Discovery and Classification Entitlement reporting IBM Security Guardium Vulnerability Assessment Vulnerability Assessment Remediation Recommendation Configuration Audit System Database Protection Service ANALYTICS Compliance workflow automation and auditing 8
IBM Security Guardium Vulnerability Assessment : Analyze risk, automate compliance and harden your data environment Sensitive Data Discovery Identifies Sensitive Data like credit cards, transactions or PII Reporting on sensitive objects Discover database instances Extensible design Enables custom designed defined tests Tuning existing tests to match needs Report builder for custom reports Compliance Workflow Exception management Export to other security tools Comprehensive testing and reporting Using industry best-practices and primary research Predefined tests to uncover database vulnerabilities Entitlement reporting Recommendations for remediation Vulnerability Assessment scorecard Configuration audit system (CAS) View graphical representation of trends Includes Data Protection Service Updates Collaborate to protect 9
Identify vulnerabilities across multiple platforms from a single console Automatically discover and classify sensitive data to expose compliance risks Analyze misconfigurations and default settings to uncover risks Understand who is entitled to access sensitive data NEW! New user experience supports comprehensive visibility, control and reporting Support 15 Database, Datawarehouses, BigData (NoSQL) platforms More than 2000 vulnerability assessment tests STIG Benchmarks for oracle 11gr2 and SQL Server 2012 10
Guardium support the most complex IT environments Enterprise wide Scalability Applications Databases Data Warehouses Big Data Environments Siebel PeopleSoft E-Business DB2 Informix DB2i DB2z Netezza Cloud Environments 11
Leverage security industry best practice and benefits... Enforce DoD STIG CIS CVE Secure Privileges Configuration settings Security patches Password policies OS Level file permission Established Baseline User defined queries for custom tests to meet baseline for Organization Industry Application Ownership and access for your files Advanced Forensics and Analytics using custom reports Forensics Understand your sensitive data risk and exposure Performance Zero Impact 12
3 steps to easy deployment Web Browser Review Reports Guardium Vulnerability Assessment Appliance Results Pass/Fail Statistics Criticality and recommended actions Filters and comparison History and trends Distribution/Compliance Workflow Automated DB Scans Assessment Tests Privileges Authentication Configuration Patch levels Oracle SQL Server DB2 DB2 z DB2 i Sybase Teradata Aster Informix Netezza MySQL Postgres MongoDB SAP HANA 13
Remove vulnerabilities by hardening your environment Patching Harden OS Files Access Harden Password Policy Remediation Harden privileges and grants Reconfigure settings and parameters 14
What is new in IBM Security Guardium Vulnerability Assessment v10 Support 15 types of data sources to choose from 15
MongoDB, Versions Supported and VA Test Coverage About MongoDB : Developed in 2007, MongoDB is a NoSQL, document-oriented database. They use JSON documents with dynamic schemas (format called BSON). In MongoDB, a collection is equivalent of a RDBMS table while documents are equivalent to records in an RDBMS table. NO other vendor offers VA for Mongo MongoDB support: 2.4, 2.6 and 3.0 VA test Coverage: Built-in roles Database configuration Version and Patches CAS (File permission and ownership) CVE (Common Vulnerabilities and Exposures) 16
MongoDB - Deployment First NoSQL database supported for VA. First non-jdbc database connection. Connection uses a Java driver. Many enhancements to the VA mechanism to support JSON syntax. MongoDB data sources support SSL server and client/server connections with SSL client certificates. Our VA solution for MongoDB Clusters can be run on mongos, a primary node and all secondary nodes for replica sets. VA solution is certified by MongoDB. 17
DB2 for i Guardium VA tests require IBM i systems to have the following PTFs installed on the system IBM i 7.1 partitions: PTF Group SF99701 Level 26 or PTF Group SF99701 Level 25 with enabling PTFs SI50237, SI50251, SI50301 and SI51156. IBM i 6.1 partitions: PTF Group SF99601 Level 30. 18
DB2 for i Support Version support: IBM i 6.1, 7.1 and 7.2 partitions VA test Coverage: Profiles with Special Authorities Profiles with access to Database Function Usage Password policies Database Objects privilege granted to PUBLIC Database Objects privilege granted to individual user Database Objects privilege granted with grant option Security APARs Entitlement Report: Profiles with Special Authorities Group granted to user Database Objects privilege granted to PUBLIC Database Executable Objects privileges granted to PUBLIC Database Objects privilege granted to individual user Database Objects privilege granted with grant option 19
Aster Data - Teradata About Aster Data : Acquired by Teradata in 2011, typically used for data warehousing and analytic applications (OLAP). Aster Data created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with Map Reduce. Most often associated with clickstream kinds of applications. NO other vendor offers VA for Aster. Aster support: 5.1 and 6.0 VA test Coverage : Default password System privileges and roles Database Object privileges granted to PUBLIC Database Object privileges granted to individual user Database Object privileges granted with grant option Version and Patches CAS (File permission and ownership) IBM Confidential 20
Aster Data - Deployment A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data goes through the queen node only. Testing on worker and loader nodes are only required when performing CAS tests (File permission and File ownership). Privilege tests loop through all the databases in a given Aster s instance. DPS will include metadata to enforce recommendation for customer to applying latest database patches. 21
Aster Data CAS Installation 22
SAP HANA About SAP HANA Is an in-memory, column-oriented, relational database management system developed and marketed by SAP SE. HANA's architecture is designed to handle both high transaction rates and complex query processing on the same platform. SAP HANA support: 1.00 VA test Coverage : Password policies Default SYSTEM password System privileges and roles Database Object privileges granted to PUBLIC Database Object privileges granted to individual user Database Object privileges granted with grant option Version and Patches CAS (File permission and ownership) 23
SAP HANA - Deployment Tests are created by Guardium VA research team and cover all relevant best practices from SAP HANA security guide. Guardium is first to the market for VA solution on SAP HANA. CAS is use for enforcing OS file level privileges, ownership and group. V10 DPS will include metadata to enforce recommendation for customer to applying latest SAP HANA database patches. 24
STIG Benchmarks Guardium v10 covers the latest benchmarks that were recently published by STIG for Oracle11gR2 and SQL Server 2012. http://iase.disa.mil/stigs/app-security/database/pages/index.aspx 25
STIG Oracle Guardium v10 supports STIG s latest Oracle benchmark v8r12. The external references for all existing and new tests are in sync with the latest STIG benchmark. Tests that reference STIG now have a separate STIG reference, STIG severity and STIG IAControls field. There are new Oracle tests created from the latest STIG benchmark. The logic for many existing tests were modified to sync up with latest STIG recommendations. 26
STIG SQL Server Guardium v10 supports STIG s latest SQL Server 2012 benchmark v1r2. The external references for all existing and new tests are in sync with the latest STIG benchmark. STIG external reference for SQL Server now begin with SQL% instead of DG% or DM% Tests that reference STIG now have a separate STIG reference, STIG severity and STIG SRG field. New SQL Server tests were created from the latest STIG benchmark. The logic for many existing tests were modified to sync up with the latest STIG recommendations. 27
VA Query timeout When a test takes more than 10 minutes to execute, it will time out with a message specific to the DBMS type driver. This mechanism can be turned off or modified using CLI commands. This feature is support on all query based tests (Test ID between 2000 and 3000). Aster, Informix and SAP HANA DBMS type is not support. This feature was introduced in v9p500 for query based tests only. Version 10 added support to a list of JAVA based privileges tests. A GUI restart is required for this feature. Recommendation: Do not set this timeout value to greater than 30 minutes. CLI commands are: show va query_timeout store va query_timeout off store va query_timeout on <min> 28
VA Privileges test output To avoid the rare case in which excessive violations cause memory issues, Guardium is limiting the number of rows returned per test to 20,000 rows. This default can be overridden using CLI commands. This feature is supported on all query based tests (Test ID between 2000 and 3000). SAP HANA DBMS type is not supported. This feature was introduced in v9p500 for query based tests only. Version 10 added support to a list of JAVA based privileges tests. A GUI restart is required for this feature. CLI commands are: show va max_detail store va max_detail off store va max_detail on <num> 29
IBM Security Guardium Vulnerability Assessment demo Frank Cavaliero 30
Q&A 3Key Take-Aways IBM Security Guardium Vulnerability Assessment Provides complete risk posture of data asset and help automate compliance requirements Analyze, protect and adapt to all your data security challenges Built on proven enterprise-ready, easily scalable architecture
Legal notices and disclaimers Copyright 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at Copyright and trademark information www.ibm.com/legal/copytrade.shtml
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU www.ibm.com/security Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.