Fakhreddine El Mourabiti


Safeguarding Enterprise Data with Continuous, Real-Time Database Security, Monitoring & Compliance
Fakhreddine El Mourabiti – Data Governance / Europe
© 2012 IBM Corporation
IBM Security Systems
You know? You can do this online now.
Data is the key target for security breaches… and Database Servers Are the Primary Source of Breached Data
% of Records Breached (2010)
Database servers: 92%
All other sources: 7%
Desktop computer: <1%
Laptops & backup tapes: <1%
WHY?
• Database servers contain your client’s most valuable information
– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records
• High volumes of structured data
• Easy to access
“Because that’s where the money is.”
- Willie Sutton
2011 Data Breach Report from Verizon Business RISK Team
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report2012_en_xg.pdf
The Goals
Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:
1. Prevent data breaches
– Mitigate external and internal threats
2. Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce cost of compliance
– Automate and centralize controls
• Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop
• Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.
– Simplify audit review processes
The Compliance Mandate – What do you need to monitor?
Regulations and frameworks: COBIT (SOX); PCI-DSS; ISO 27002; Data Privacy & Protection Laws; NIST SP 800-53 (FISMA)
Audit Requirements
1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
Why Organizations Buy Database Activity Monitoring
1. We have to do it (regulations – auditors)
2. We can’t afford the cost & effort of doing it manually (limited time and money)
3. We need consistency of audit reporting
It is him! They call him “El Auditor”
Addressing Key Stakeholders' Concerns
SECURITY
OPERATIONS
• Real-time policies
• Secure audit trail
• Data mining & forensics
• Separation of duties
• Best practices reports
• Automated controls
• Minimal impact
• Change management
• Performance optimization
5 Common Challenges around Database Auditing
• How can we monitor user access and detect anomalies?
• How can we control privileged users with direct access?
• Can we store these audit logs in a secure repository?
• Can we have one central audit repository for all database types including Oracle, SQL Server, DB2 and more?
• How can we do all of this with minimal impact to our database and infrastructure?
Addressing the full database security lifecycle
1. Discover
• Discover databases on the network
• Discover where sensitive data is located
2. Identify Risk
• Perform an assessment to understand risk
• Harden the database to eliminate unnecessary risk
3. Comply
• Monitor database activity to verify security controls
• Automate reporting for proper evidence in compliance process
The Solution: Non-Invasive, Agent-Based Monitoring
Diagram labels: DATA; Big Data Environments (NEW): InfoSphere BigInsights; Integration with LDAP, IAM, SIEM, TSM, Remedy, …
Extend platform coverage: New S-TAP for System i (NEW)
Providing a complete and native data security solution for System i
• Monitors privileged user activity in real time
• Enables complete separation of duties
• Helps satisfy auditors' requirements and ensure compliance with mandates like PCI easily and cost-effectively
Protect sensitive data on your System i deployments and ensure compliance with mandates like PCI easily and cost-effectively
Integration with IT Infrastructure for seamless operations
• SIEM (IBM QRadar, ArcSight, RSA enVision, etc.)
• SNMP Dashboards (Tivoli Netcool, HP OpenView, etc.)
• Directory Services (Active Directory, LDAP, TDS, etc.)
• Send Alerts (CEF, CSV, Syslog, etc.)
• Send Events
• Authentication (RSA SecurID, Radius, Kerberos, LDAP)
• Change Ticketing Systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
• Vulnerability Standards (CVE, STIG, CIS Benchmark)
• Data Classification and Leak Protection (Credit Card, Social Security, phone, custom, etc.)
• Security Management Platforms (IBM QRadar, McAfee ePO)
• Long Term Storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
• Application Servers (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)
• Software Deployment (IBM Tivoli Provisioning Manager, RPM, Native Distributions)
• STAP
Perimeter Defenses & Identity Management No Longer Sufficient
“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” William J. Lynn III, U.S. Deputy Defense Secretary
• 88% of F500 companies have employees infected with Zeus (RSA)
• 49% of new vulnerabilities are Web application vulnerabilities (X-Force)
• Insider Threat (DBAs, developers, outsourcers, etc.)
• SQL Injection is a leading attack vector (X-Force)
• Stuxnet exploited SQL Server vulnerability to attack control systems
• Kneber Botnet stole 68,000 credentials & 2,000 SSL certificates over 4-week period (NetWitness)
• Epsilon data breach affects millions (outsourced provider)
• #1 VM vulnerability is VM guest hopping (hypervisor escape) (X-Force)
Why Enterprises are Dissatisfied with Traditional Approach
× Inefficient and costly
– Database performance is impacted
– Manual processes require valuable resources
× Provide little value to the business
– Logs are complicated to inspect
– Any detection is not real-time
× No segregation of duties
– Privileged users can bypass the system
– Audit trail can be modified
Figure labels: Secure Settings; Activity Monitoring; Observation; Towers / Turret; Walls; Moat; Arrow Loop; Gate; Guards
Vulnerability Assessment – Reporting
Auditing Database Configuration Changes
• Tracks changes to files, environment variables, registry settings, scripts, etc.
• 200+ pre-configured templates for all major OS/DBMS configurations
– Easily customizable via scripts, SQL, etc. (ad hoc tests)
– Also checks OS permissions for Vulnerability Assessment (VA) tests
Monitoring Data Leakage from High-Value Databases
Should my customer service rep view 99 records in an hour?
Is this normal?
What exactly did Joe see?
Tracking Privileged Users Who "su"
Challenge: How do you track users who 'switch' accounts (perhaps to cover their tracks)?
User activity
• Native database logging/auditing & SIEM tools can't capture OS user information
• Other database monitoring solutions only provide OS shell account that was used
What Guardium Shows You
Protect Stored Data: need to know only
• Cross-DBMS policies
• Mask sensitive data
• No database changes
• No application changes
Diagram labels: Application Servers; SQL; DB2, MySQL, Oracle, Sybase, SQL Server, etc.; Unauthorized Users; Issue SQL; S-TAP; Outsourced DBA; Redact; Actual data stored in the database; Redact and Mask Sensitive Data; User view of the data in the database
Cross-DBMS, Data-Level Access Control (S-GATE)
• Cross-DBMS policies
• Block privileged user actions
• No database changes
• No application changes
• Without risk of inline appliances that can interfere with application traffic
Diagram labels: Application Servers; SQL; Oracle, DB2, MySQL, Sybase, etc.; Privileged Users; Issue SQL; S-GATE; Hold SQL; Outsourced DBA; Connection terminated; Check Policy On Appliance; Policy Violation: Drop Connection; Session Terminated
Monitoring z/OS
Comprehensive
Privileged Users
Sensitive Objects
Complete control over what is audited
Typical User vs Privileged User Authorization
RACF, Top Secret and ACF-2 allow authorized users to have limited access to DB2
Sensitive Objects
Privileged users have direct access to data. This requires granular control to verify access to sensitive data
Three key components for System z
1. Data Gathering
• Collecting each SQL statement
2. Data Filtering
• Determining if the SQL matches a monitoring policy
3. Data Movement
• Packaging and sending the SQL to the Guardium collector
Diagram labels: Audit Interest; No Audit Interest
S-TAP for DB2 on z/OS Architecture
• Simplified Administration
• Simplified Configuration
• Improved Performance
Diagram labels: Collector; S-TAP Audit Server; Administration Repository; DB2 Subsystem; TCP/IP STREAMING Process; S-TAP Agent; DB2 IFI Collection; Audit Trace; ASC; Audit SQL Collector; Audited DB2 Subsystem; Audited Table
S-TAP for IMS on z/OS Architecture
Diagram labels: S-TAP Windows Administration GUI; Collector; SMF Data; Recon Data; TCP/IP STREAMING Process; S-TAP Server and Collectors; IMS Online Regions; Audited DB/Segments; Data collection, filtering, and delivery; IMS DL/1 Batch Regions
S-TAP for VSAM on z/OS Architecture
Diagram labels: Edit configuration files; Appliance; z/OS; TCP/IP STREAMING Process; Administration Repository; File System Dataset; S-TAP Agent; IP ADDRESS & PORT #; Audit Data Streaming; System, SMF, RACF Collectors; Audited VSAM File system; Audited Tables; Audited Datasets
The Entire Picture
Phases: Gathering, Filtering, Moving
Stage 0 Filters: Evaluate SQL by connection, by plan. All other evaluations sent to Stage1
Stage 1 Filters: Evaluate SQL by user? All other evaluations sent to Stage2
Stage 2 Filters: by object?
DB2 IFI: Capture non-SQL events
Diagram labels: SQL Application (Select …, Fetch…, Fetch…, Update…); Audited DB2 for z/OS Subsystem; S-TAP; S-TAP Streaming Process; Collector
Policy Configuration
Collector: Connection Types, Plans, Users, and Objects to audit
DB2 for z/OS Subsystem
ibm.com/guardium