Guardium Tech Talk: Practical Tips for Managing Data Security Risk Joe DiPietro
IBM Security Guardium Tech Talk: Practical Tips for Managing Data Security Risk using IBM Security Guardium
Joe DiPietro, [email protected]
© 2015 IBM Corporation

Logistics
– This tech talk is being recorded. If you object, please hang up and leave the webcast now.
– We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
– You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group. We’ll try to answer questions in the chat or address them at speaker’s discretion.
  – If we cannot answer your question, please do include your email so we can get back to you.
– When the speaker pauses for questions, we’ll go through existing questions in the chat.

Guardium community on developerWorks: bit.ly/guardwiki

Information, training, and community
– InfoSphere Guardium Tech Talks – at least one per month. Suggestions welcome!
– InfoSphere Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
– developerWorks forum (very active)
– Guardium DAM User Group on LinkedIn (very active)
– Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
– Guardium on IBM Knowledge Center (was Info Center)
– Deployment Guide for InfoSphere Guardium Red Book
– Technical training courses (classroom and self-paced, provided by Business Partners)
– InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.

Reminder: Upcoming Guardium Tech Talk
– July 30th, 2015: Guardium integration capabilities: A use-case based discussion and deep dive
– Speaker: John Haldeman, Practice Lead, Information Insights, LLC
– Register here: https://ibm.biz/BdXaJc
– Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
– Please submit a comment on this page for ideas for tech talk topics.

What we’ll discuss
– Understanding trends
– Defining risk in corporate information flow
– Quantifying risk and protection value
– Managing the risk using Guardium
– Scenarios and examples

Data Breaches … 2015 Ponemon Study
[Pie Chart 2: Distribution of the benchmark sample by root cause of the data breach]
2015 Cost of Data Breach Study: http://www-03.ibm.com/security/data-breach/

Ponemon: Probability of a data breach: 1 in 4 companies…
The three major reasons contributing to a higher cost of data breach in 2015:
– Cyber attacks have increased in frequency and in the cost to remediate the consequences
– The consequences of lost business are having a greater impact on the cost of data breach
– Data breach costs associated with detection and escalation increased
2015 Cost of Data Breach Study: http://www-03.ibm.com/security/data-breach/

Anatomy of a breach – attack chain stages and the IBM Security software portfolio (simplistic view)
– Stages: Break-In, Latch-on, Expand, Gather, Exfiltrate
– Controls: Prevent, Detect, Respond

Business Impact – How Long Will It Take To Discover? Will You Know They Are Inside?
– The deficit gap is widening
– In 60% of cases, attackers are able to compromise an organization within minutes (2015 Verizon Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf)

Recommendations
1.
Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/
2. Look for (DAM) suspicious activity
– Hackers are inside networks long before organizations understand what’s going on with their data – greater than 200 days!
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html
3. Have a plan for when data is exfiltrated (from Ponemon Institute, sponsored by IBM)
– http://www-03.ibm.com/security/data-breach/
4. Encryption covers a multitude of sins…
(2015 Ponemon Study)

3 Types of Security Controls Are Required For “Crown Jewels”
1. Application security controls – Risk by type of user; separation of duties for privileged application user and application user access
2. Database security controls – Continuously monitor direct access to the database, which will bypass the application controls
3. System administrator security controls – Operating system controls to monitor file access, copy, and modification

Risk
– Most corporate functions are electronically automated
– These functions live in databases. For example: HR, Payroll, Procurement, Corporate intellectual property (IP), Customer data, Health care information, etc.
– Create a risk methodology to help understand what is important and how much it costs to protect different assets

5 Point Checklist to Help Quantify Risk and Protect Crown Jewels
1. Identify your Crown Jewels (top data assets) in your organization
2. Assign a value to these assets
3. Identify specific threats to these assets
4. Identify vulnerabilities to these assets
5. Calculate your risk score to determine appropriate security controls
– Risk is dependent on the asset values, threats and vulnerabilities
– Let’s use a simple example as it relates to the databases: PCI is a very common example and we’ll relate this to credit card processing

Step 1 – Identify Your PCI Assets (Crown Jewels)
– In this case, identify all database servers that have PCI content
– These servers will have an asset value of $1,000,000
– Scan the network to discover all the database servers (Guardium agentless network scan of 10.10.9.*)

Step 1 – Identify Your PCI Assets (continued)
– Predefined rule to identify PCI cardholder data using the Luhn algorithm
– Crawl each database to identify if there is any PCI data using the Luhn algorithm
– With a rule name containing “guardium://CREDIT_CARD” and a valid credit card number pattern in the Search Expression box, the classification policy will use the Luhn algorithm
– A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a blank.
– See the Database discovery and sensitive data finder (Classifier) tech talk

PCI Data Found On This Server – 10.10.9.56
[Screenshot: which server, and where on this server the PCI data was found]

We’ve Identified the Crown Jewels, Now Identify the Vulnerabilities and Threats
– Vulnerabilities can be identified by security best practices
– Based on industry standards: DISA STIG and CIS Benchmark
– Extensive library of pre-built tests for all supported platforms
– Customizable tests to address your specific corporate security policies, via custom operating system scripts, SQL queries, environment variables, etc.
– Combination of tests ensures comprehensive coverage to support risk measurements:
1. Database settings
2.
Operating system
– DB Tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata) tests: permissions, roles, configurations, versions, custom tests
– OS Tier (Windows, Solaris, AIX, HPUX, Linux, z/OS) tests: configuration files, environment variables, registry settings, custom tests
– Database user activity
• See the Getting Started with Vulnerability Assessment tech talk and the Guardium Vulnerability Assessment Trial Download

Use Industry Best Practices Templates – STIG and CIS
STIG Section 2: DBMS Integrity
– STIG requirement: Monitor for current versions & patch levels; unauthorized changes; privileges granted to developers on production systems; ad hoc queries.
– CIS requirement Guardium monitors: Installation and patch levels; creation of objects for unauthorized changes; monitor developer access to production; avoid ad-hoc queries on production databases; change control process.
STIG Section 3: Access Control
– STIG requirement: All actions traceable to a user; concept of least privilege (users, roles & applications); no shared accounts; no default accounts; lock accounts after 3 failed logins; minimum password strength; passwords changed every 90 days; restrict access by shared service accounts (connection pooling); all DBA accounts authorized by IAO.
– CIS requirement Guardium monitors: No default accounts; passwords; DB hardening; guest accounts disabled; disable various extended stored procedures; SQL logins have strong passwords; assign permissions to roles rather than users; periodic scan of Role Members.
STIG Section 4: Database Auditing
– STIG requirement: Audit all DB operations with sufficient granularity to detect intrusive activity; monitor all DBA connections; ensure audit data only readable by authorized personnel; no unauthorized applications or batch jobs; unusual or suspicious patterns of activity; monitor changes to DB objects; review audit data daily; maintain audit data for 1 year.
– CIS requirement Guardium monitors: Review DBA Group membership; review and control which applications access the database; review audit info regularly; audit privileged user activity (object access, ownership, add DB user, etc.).
STIG Section 5: Network Access
– STIG requirement: Remote admin connections must be encrypted (& monitored); identify DB users when using connection pooling; separate DB accounts for replication; prevent developers from accessing sensitive data.
– CIS requirement Guardium monitors: Encryption; change SQL Server default ports.
STIG Section 6: OS Permissions
– STIG requirement: Verify file permissions on DB executables, configuration files & data files; ensure only authorized DBAs granted membership to DBMS privileged OS groups.
– CIS requirement Guardium monitors: Windows registry; deny Guest OS Group; OS Benchmark Configuration.
CIS Section column (Oracle / SQL Server benchmark sections; the row each entry belongs to is not recoverable from the extracted slide): 12: Oracle, 1, 2: SQL Server; 1: Oracle, 1, 3: SQL Server; 2, 12: Oracle, 2: SQL Server; 2, 11: Oracle, 1, 3, 4, 6, 8: SQL Server; 12: Oracle, 4, 5: SQL Server

Guardium Risk Score For Vulnerabilities of This Asset
[Screenshot: overall risk score, historical progress or regression, detailed scoring matrix]
– Help mitigate risk by measuring progress and validating security controls

Next Step, Identify Additional Risks Like This Example
[Diagram: Joe at 10.10.9.27 using MS Excel connects to the crown jewels alongside the OnLineBanking application]
There are many types of risks:
– Unauthorized users – anyone that can connect to the database to see the cardholder data
– Unauthorized IP addresses – only certain servers are allowed to communicate together
– Unauthorized programs – access by other programs bypasses other security controls
– Monitoring database objects – only certain tables will contain sensitive information
However, to simplify these risks, let’s call it an unauthorized “connection”.

Identifying An Unauthorized Connection…
– “Unauthorized connections” are a very familiar process in the credit card industry
– Simplified example with credit cards – “unauthorized connections” = false charge on my
credit card account
  – Proactive notification for “unauthorized connections”
  – Regular reporting to cardholders of “unauthorized connections”
– Database Activity Monitoring (DAM) for unauthorized connections
  – Proactive notification for “unauthorized connections”
  – Regular reporting to stakeholders of “unauthorized connections”

Credit Card Best Practices
– Proactive monitoring of “unusual” transactions
  – Countries you have never purchased in before
  – Unusual “out of pattern” transactions
– Post transaction reporting: regular reports to cardholders (it’s your money!)
  – Identify transactions not made by cardholder
  – Identify overcharges

Proactive - Credit Card Best Practices (proactive, real time)
– New transaction unusually high: $12,534.23 = “unauthorized connection”
– New transaction in an unusual country based on past purchasing pattern: 359.34 Latvian lats = “unauthorized connection”

Post Transaction Reporting Process for “Unauthorized Connections”
– Credit card company summarizes information and produces a report
– Report is delivered to cardholder on a predefined time period (ie.
Outdated scripts, direct database access, unauthorized applications, etc)
• YouTube video demo on Connection Profiling

“Unauthorized connections” Proactive Notification
[Screenshot]

Report of Unauthorized Connections… Application Owners Are Critical to the Process
[Screenshot]

A Different Perspective…“Unauthorized Connections”
[Screenshot: unauthorized client IP, unauthorized application, unauthorized DB users]

Reduce Risk By Sending Report Using “Audit Process”
[Screenshot]

Approval And Sign Off
– One “unauthorized connection” is fully investigated

This Example Shows “Unauthorized Connections”
– For each unauthorized connection, you add to your risk score
– To reduce your risk score, stakeholders will “justify” the connection as a valid and legitimate connection for their application
– Simple “connection” reporting is very effective to highlight unauthorized application access
– Use workflow to ensure the reporting process is being followed and documented
– More details for risk tables…

Defining Risk Tables
– Threats to the database can come from many places
– Start with a “coarse” level analysis and refine it over time to become more granular
– There are many complex risk formulas and processes, but start with a simplistic approach to get something working for your organization’s uniqueness
– Defining a small group of risk tables helps you quantify what you are protecting, and the risk based on these different attributes. Here’s a sample:
  – Asset Risk – How valuable is the asset that I’m trying to protect?
    • SOX, PCI, HIPAA, Corporate Marketing Plans, Corporate Mergers and Acquisitions, etc
  – User Risk – What roles do these users have?
    • Database user, application developer, application user, power application user, unknown user, etc
  – Object Risk – How sensitive is this piece of data within the database?
    • SSN vs cardholder information for PCI vs patient records vs country ID vs mailing address vs mother’s maiden name, etc
  – Application Risk – How should this data be accessed, by what application?
    • Accessing through the SAP system is different than a direct database connection with SQL*Plus or TOAD
  – IP Address Risk – What IP address made this connection?
    • Different IP addresses have different levels of security (ie. behind firewalls, DMZ, in a “trusted zone”, external Internet, etc).

Defining Risk Tables – Asset Risk
– Assign a risk rating for your critical assets
– Put an asset cost so that you understand how much protection to allocate for this asset
– Depending on the asset class, we will assign cost for these assets

SQL> select * from assetRisk order by riskvalue;

ID  SERVERIP      SERVERDESC           RISKVALUE  RISKRATING  ASSETCOST
--  ------------  -------------------  ---------  ----------  ----------
1   10.10.9.56    PCI Server           1          high        1,000,000
2   10.10.9.59    Corporate Strategy   1          high        2,000,000
3   10.10.9.252   SOX Server           1          high        500,000
4   10.10.9.58    HIPAA Server         1          high        900,000
5   10.10.9.58    Retail Banking       1          high        10,000,000
6   10.10.9.68    Development Server   2          medium      400,000
7   10.10.9.69    QA Server            2          medium      200,000
8   10.10.9.78    Training Server      3          low         100,000
9   10.10.9.79    SiteLocation Server  3          low         200,000

9 rows selected.
Optionally Identify Server Processing Power in Your Risk Score
– Number of CPUs can be tracked via Tap Monitor CPU Tracker

Defining Risk Tables – Employee Risk
– Create UserRisk table
– Assign risk based on department, with riskRating 1 (high), 2 (medium), 3 (low):
  – Database Engineering = priv users (high risk)
  – Application Development = priv users (high risk)
  – Business Analytics = power application users (medium risk)
  – Retail Banking = application users (low risk)
– Depending on the department name, we will assign risk for these users connecting to the database

SQL> select * from Employee;

ID  USERNAME       DBUSER  DEPTNUM  DEPTNAME
--  -------------  ------  -------  -----------------------
1   Joe DiPietro   joe     10       Database Engineering
2   John Smith     john    20       Application Development
3   Sally Johnson  sally   30       Business Analytics
4   Ron Harrison   ron     40       Retail Banking LOB

SQL> select * from userRisk order by riskvalue;

ID  EMPID  DEPTNUM  RISKVALUE  RISKRATING
--  -----  -------  ---------  ----------
1   1      10       1          high
2   2      20       1          high
3   3      30       2          medium
4   4      40       3          low

DB2 Entitlement Reports
– Joe has a high risk, based on his role and privilege (entitlements) to the database
– Column level privileges to the Creditcard object that contains PCI Personal Account Numbers (PAN)
– If this account is compromised or this “authorized” user performs “unauthorized activities”, your data is in jeopardy…
– Monitoring “joe’s” activities is critical to validate his actions

Defining Risk Tables – Object Risk and Application Risk
– Depending on the object table, we will assign a risk rating

SQL> select * from objectRisk order by riskvalue;

ID  OBJECTNAME   OBJECTDESC                RISKVALUE  RISKRATING
--  -----------  ------------------------  ---------  ----------
1   creditcard   Holds Creditcard Info     1          high
3   accountNum   Holds account numbers     1          high
4   address      Holds Address Info        2          medium
5   policyValue  Holds Total Policy Value  2          medium

– Depending on the application, we will assign a risk rating

SQL> select * from appNameRisk order by riskvalue;

ID  APPNAME        APPDESC                     RISKVALUE  RISKRATING
--  -------------  --------------------------  ---------  ----------
4   toad           Toad - DBA tool             1          high
3   excel          Microsoft Excel             1          high
5   sqlplus        SQLPlus - Oracle DBA tool   1          high
2   retailBanking  Retail Banking Application  3          low
1   retailBanking  Retail Banking Application  3          low
3   retailBanking  Retail Banking Application  3          low

6 rows selected.

* Identifying critical tables is essential in creating a risk profile
** Identifying “authorized” applications that access these critical tables will help validate your security controls

Different IP Networks Have Different Security
– Classified network, Core network, DMZ network, Partner network, Internet

Identify Risk of Connections with Different Categories of IP Address
– Guardium’s Access Map dynamically draws a network diagram based on the timeframe of access!

Defining Risk Tables – IP Address Risk

SQL> select * from ipAddressRisk order by riskvalue;

ID  IPADDRESS     IPDESC                                           RISKVALUE  RISKRATING
--  ------------  -----------------------------------------------  ---------  ----------
11  10.10.9.241   DMZ: Web Servers group                           2          medium
10  10.10.9.240   DMZ: Web Servers group                           2          medium
12  10.10.9.242   DMZ: Web Servers group                           2          medium
4   10.10.9.58    Authorized Client IP: HIPAA Server               3          low
5   10.10.9.58    Authorized Client IP: Retail Banking             3          low
7   10.10.9.69    Authorized Client IP: QA Server                  3          low
8   10.10.9.78    Authorized Client IP: Training Server            3          low
9   10.10.9.79    Authorized Client IP: SiteLocation Server        3          low
3   10.10.9.252   Authorized Client IP: SOX Server                 3          low
2   10.10.9.59    Authorized Client IP: Corporate Strategy         3          low
1   10.10.9.56    Authorized Client IP: PCI and Retail Banking App 3          low
6   10.10.9.68    Authorized Client IP: Development Server         3          low

12 rows selected.
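With the user, application and IP address risk tables in place, a connection can be scored by summing the three risk values and comparing the total with the baseline of 7 that the talk uses for its "monitored and audited" policy. The following is an added example, not code from the talk or from Guardium: it loads the talk's tables into SQLite and scores three constructed connections matching the Joe, Administrator and JOCONNOR cases; the rule that an unknown user, IP or application counts as High (1) is an assumption.

```python
import sqlite3

# Policy from the talk: High = 1, Medium = 2, Low = 3; the score is user risk + IP risk
# + application risk, and all connections at 7 or lower shall be monitored and audited.
AUDIT_THRESHOLD = 7
# Assumption (not stated in the talk): anything absent from its risk table is
# "unauthorized" and therefore scored as High (1).
UNKNOWN_RISK = 1

# Risk tables as listed in the talk (riskvalue only, descriptions omitted).
# Administrator and JOCONNOR are taken from the "Other Connections" slide; the talk's
# appNameRisk output lists retailBanking three times, merged into one row here.
USER_RISK = [("joe", 1), ("john", 1), ("sally", 2), ("ron", 3),
             ("administrator", 1), ("joconnor", 3)]
APP_RISK = [("toad", 1), ("excel", 1), ("sqlplus", 1), ("retailbanking", 3)]
IP_RISK = [("10.10.9.240", 2), ("10.10.9.241", 2), ("10.10.9.242", 2),
           ("10.10.9.56", 3), ("10.10.9.58", 3), ("10.10.9.59", 3), ("10.10.9.68", 3),
           ("10.10.9.69", 3), ("10.10.9.78", 3), ("10.10.9.79", 3), ("10.10.9.252", 3)]

# Constructed connections (not from the talk's SQL) matching the three scored examples:
# Joe from the core network with Excel; Administrator and JOCONNOR via the banking app.
CONNECTIONS = [(1, "joe", "10.70.147.57", "excel"),
               (2, "Administrator", "10.10.9.56", "retailBanking"),
               (3, "JOCONNOR", "10.10.9.56", "retailBanking")]

SCHEMA = """
CREATE TABLE userRisk      (dbuser    TEXT PRIMARY KEY, riskvalue INTEGER NOT NULL);
CREATE TABLE appNameRisk   (appname   TEXT PRIMARY KEY, riskvalue INTEGER NOT NULL);
CREATE TABLE ipAddressRisk (ipaddress TEXT PRIMARY KEY, riskvalue INTEGER NOT NULL);
CREATE TABLE connections   (id INTEGER PRIMARY KEY, dbuser TEXT, clientip TEXT, appname TEXT);
"""

# LEFT JOINs keep connections whose user/IP/app is missing from a table;
# COALESCE then substitutes UNKNOWN_RISK for the missing value.
SCORE_SQL = """
SELECT c.id, c.dbuser, c.clientip, c.appname,
       COALESCE(u.riskvalue, :unk) AS user_risk,
       COALESCE(i.riskvalue, :unk) AS ip_risk,
       COALESCE(a.riskvalue, :unk) AS app_risk
FROM connections c
LEFT JOIN userRisk      u ON u.dbuser    = lower(c.dbuser)
LEFT JOIN ipAddressRisk i ON i.ipaddress = c.clientip
LEFT JOIN appNameRisk   a ON a.appname   = lower(c.appname)
ORDER BY c.id
"""


def build_demo_db() -> sqlite3.Connection:
    """Load the risk tables and the sample connections into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO userRisk VALUES (?, ?)", USER_RISK)
    db.executemany("INSERT INTO appNameRisk VALUES (?, ?)", APP_RISK)
    db.executemany("INSERT INTO ipAddressRisk VALUES (?, ?)", IP_RISK)
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?)", CONNECTIONS)
    return db


def score_connections(db: sqlite3.Connection) -> list[dict]:
    """Score every connection; a lower total means higher risk, as in the talk."""
    results = []
    for cid, user, ip, app, ur, ir, ar in db.execute(SCORE_SQL, {"unk": UNKNOWN_RISK}):
        total = ur + ir + ar
        results.append({"id": cid, "dbuser": user, "clientip": ip, "appname": app,
                        "user_risk": ur, "ip_risk": ir, "app_risk": ar,
                        "total": total, "audit": total <= AUDIT_THRESHOLD})
    return results


if __name__ == "__main__":
    for row in score_connections(build_demo_db()):
        print(row)  # Joe scores 3, Administrator 7, JOCONNOR 9
```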
– Depending on the IP address, we will assign a risk rating

Now Score The “Unauthorized Connection” Based on the Risk Tables
[Screenshot: unauthorized client IP, unauthorized application, unauthorized DB users]

Calculating Risk
– Core network (10.70.147.57) – not the “Classified Network”
– MS Excel – unauthorized “high risk” application directly connecting to the database
– Joe – “high risk” user based on entitlement report
– Scale: High = 1, Medium = 2, Low = 3; Baseline = 7
– Joe: Priv User 1 (High) + Unauthorized Network 1 (High) + Unauthorized Application 1 (High) = Total Risk Score 3
– Security Policy: All connections at 7 or lower shall be monitored and audited

Other Connections…
– Joe: Priv User 1 (High) + Unauthorized Network 1 (High) + Unauthorized Application 1 (High) = Total Risk Score 3
– Administrator: Priv User 1 (High) + Authorized Network 3 (Low) + Authorized Application 3 (Low) = Total Risk Score 7
– JOCONNOR: App User 3 (Low) + Authorized Network 3 (Low) + Authorized Application 3 (Low) = Total Risk Score 9

Creating Risk Map Based on IT Role
– IT roles (columns): System Administrator, Database Administrator, Application Developer, Application User, Privilege User, Information Security, Audit, Risk & Compliance
– Other risk concerns (rows): 1. Weak security; 2. Unauthorized access to data; 3. Unauthorized remote access; 4. Inaccurate information; 5. Erroneous or falsified data input; 6. Misuse by authorized end users; 7. Incomplete processing; 8. Duplicate transactions; 9. Untimely processing; 10. Communications system failure; 11. Inadequate training; 12. Inadequate support; 13. etc…
[Matrix of role-to-concern marks not recoverable from the extracted slide]

High Risk Connections - Eliminating Risk Over “4”
– Proactively block connections from “unauthorized” IP addresses, high risk applications and/or users
[Diagram: application servers and privileged users issue SQL to Oracle, DB2, MySQL, Sybase, etc.; S-GATE holds the SQL and checks policy on the appliance; on a policy violation, such as an outsourced DBA connection, the connection is dropped and the session terminated]

Quick Review… 3 Types of Security Controls Are Required For “Crown Jewels”
1. Application security controls – Risk by type of user; separation of duties for privileged application user and application user access
2. Database security controls – Continuously monitor direct access to the database, which will bypass the application controls
3. System administrator security controls – Operating system controls to monitor file access, copy, and modification

Application Security Controls - Guardium For Applications
– Customer Service Representatives (CSRs) access company applications remotely
– Guardium is installed in the middle to guarantee that application screens undergo a masking process
– CSRs utilize the application as usual
– Sensitive information unessential for CSR operation is masked out
[Diagram: in the Data Center the screen shows Name: John Smith, SSN: 111-11-1111, Balance: $127.50; after the Guardium Masking Gateway the Outsourced Call Center sees Name: John Smith, SSN: *35 *****, Balance: $127.50]
– Guardium for Applications demo on PeopleSoft

Application Security Controls - AppScan
– IBM Security AppScan Trial download

Database Controls Can Cover 3 Types of Rules
[Diagram: 1 SQL Query, 2 Result Set, 3 Exception (ie. SQL errors & more) flowing between the client and the database server]
There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3.
An exception rule evaluates exceptions returned by the server

System Admin Controls - Guardium Data Encryption (GDE)
[Diagram: one file (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02) shown as Clear Text, as MetaClear (file system metadata readable, file data encrypted) and fully encrypted; the clear file data reads Name: J Smith, CCN: 60115793892, Exp Date: 04/04, Bal: $5,145,789, SSN: 514-73-8970]
– Block-level encryption protects sensitive information without disrupting data management
– High-performance encryption
– Root access control: data access as an intended privilege
– Guardium Data Encryption Tech Talk (YouTube) (1 of 3)

Guardium Data Encryption (GDE) - System Administrator Controls (Deny, Encrypt, Audit, Permit)
– WHO is attempting to access protected data? Configure groups, or applications, who can access protected data
– WHAT data is being accessed? Configure appropriate file and directory access
– WHEN is the data being accessed? Configure a range of hours and days of the week for authorized access
– HOW is the data being accessed? Configure the allowable file system operations permitted on the data, e.g. read, write, delete, rename, application or process, etc.
– EFFECT: Permit; Deny; Encrypt; Audit
Root users can:
1. Read directory (/SAPDirectory), but it will be encrypted and audited
2. Blocked access to directory (/NoAccess)

Operating System Switch User “SU” To Gain Access
– System administrators have a lot of power
• Be careful for “SU”
• Proactive policies are required
– Use continuous monitoring to identify high risk users who can switch identity

Summary
1. Understand where your crown jewels are located and calculate the risk
– http://www-935.ibm.com/services/us/en/it-services/security-services/the-growing-risk-to-crown-jewels-infographic/
2. Look for (DAM) suspicious activity
– Hackers are inside networks long before organizations understand what’s going on with their data – greater than 200 days!
– http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/
– https://www01.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/common_tools/topics/outliers_detection.html
3. Have a plan for when data is exfiltrated (from Ponemon Institute, sponsored by IBM)
– http://www-03.ibm.com/security/data-breach/
4. Encryption covers a multitude of sins…
(2015 Ponemon Study)

Learn and try
Learn more about some of what we talked about today:
• YouTube video demo on Connection Profiling (part 1 of 3)
• developerWorks article on Guardium PCI accelerator
• Outliers and Quick Search demo on YouTube
• Database discovery and sensitive data finder (Classifier) tech talk
• Getting Started with Vulnerability Assessment tech talk
• Guardium for Applications demo on PeopleSoft
• Guardium Data Encryption Tech Talk (YouTube) (1 of 3)
And try:
• IBM Security AppScan Trial download
• Guardium Vulnerability Assessment Trial Download

Learn more
– Understand risk and compliance mandates
  – Whitepapers: Protect payment card data with InfoSphere; Help ensure HIPAA compliance with InfoSphere; Understanding encryption requirements of PCI DSS
  – ebook: Managing compliance to protect enterprise data
– Talk to your sales rep about holistic data security
  – Whitepaper: Secure Enterprise Data & Ensure Compliance
  – ROI Study: Forrester Total Economic Impact of InfoSphere Guardium
  – Website: InfoSphere Guardium Database Security

Thank you (closing slide in several languages)
Backup Slides

Use Extrusion Rules On Result Sets for Pattern Access
– Monitor for data access and exfiltration. Attackers who bypass perimeter controls become “trusted insiders” in most organizations because the internal network is trusted and unmonitored. Deploy network analysis and visibility (NAV) tools to gain insight into how traffic is traversing your entire network.
– Pattern: guardium://CREDIT_CARD
– Empty Value: Enter the special value guardium://empty to test for an empty value in the traffic. This is allowed only in the following fields: DB Name, DB User, App User, OS User, Src App, Event Type, Event User Name, and App Event Text.
– Note: You can also use regular expressions in the following fields (DB user, App User, SRC App, Field name, Object, App Event Values Text) by typing the special value guardium://regexp/(regular expression) in the text box that corresponds to the field.
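Both the Step 1 classifier rule (a PAN is 16 digits or four groups of four separated by a blank, confirmed by the Luhn check) and the extrusion-rule slide above (the guardium://CREDIT_CARD pattern applied to result sets) rest on the same test. The following is an added example, not Guardium's own code: it implements that pattern plus the Luhn check and applies it to a constructed result set to report which columns carry valid card numbers; the sample numbers are public test values, not real cards.

```python
import re

# Pattern from the talk's classification rule: a valid credit card number is a string
# of 16 digits or four sets of four digits, with each set separated by a blank.
# The lookarounds stop a 17-digit run from matching as a 16-digit card.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d{16}|\d{4} \d{4} \d{4} \d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if the
    result exceeds 9); the digit sum must be divisible by 10."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[dict]:
    """Return every candidate matching the pattern, flagged with its Luhn result.
    Pattern alone is not enough: account numbers and typos also look like 16 digits."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        raw = m.group(0)
        hits.append({"match": raw, "luhn_valid": luhn_valid(raw.replace(" ", ""))})
    return hits


def classify_columns(rows: list[dict]) -> dict[str, int]:
    """Count Luhn-valid PANs per column of a result set (column -> value per row).
    Columns with a non-zero count are the ones a credit-card rule would flag."""
    counts: dict[str, int] = {}
    for row in rows:
        for col, val in row.items():
            n = sum(1 for h in find_pans(str(val)) if h["luhn_valid"])
            if n:
                counts[col] = counts.get(col, 0) + n
    return counts


# Constructed sample result set (not from the talk). 4111111111111111 and
# 5500000000000004 are well-known Luhn-valid test numbers; the ACCOUNTNUM values
# and the 4111111111111112 typo are 16-digit strings that fail the Luhn check.
SAMPLE_ROWS = [
    {"ACCOUNTNUM": "1234567812345678", "CARDNUM": "4111 1111 1111 1111", "NOTE": "vip"},
    {"ACCOUNTNUM": "9999000011112222", "CARDNUM": "5500000000000004",
     "NOTE": "card 4111111111111112 typo"},
    {"ACCOUNTNUM": "1111222233334445", "CARDNUM": "n/a", "NOTE": "no card on file"},
]

if __name__ == "__main__":
    print(classify_columns(SAMPLE_ROWS))  # only CARDNUM is flagged, with 2 valid PANs
```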
Additional Slides for reference

IBM SmartCloud Virtual Guardium Users Group Community
[Screenshot]

Most approaches to data security and compliance miss the mark
– Do nothing … however:
  – Limited time, lots of regulation, growing costs of compliance
  – Requirements for privacy/security by user role add complexity
  – $3.5M per year average cost of compliance
  – $5.5M USD average cost of a data breach
  – $194 USD average cost of a data breach per compromised record
  – 28,349 average number of breached records per incident
  – 94% of compromised records originated in database servers
– Leverage home grown approaches … however:
  – Manual approaches lead to higher risk and inefficiency
  – Requirements for privacy/security by user role add complexity
  – New source of threats: outsourcing, web-facing applications, stolen credentials, insiders
– Implement a holistic data protection strategy
“Don’t focus just on one or two databases but extend your efforts to become enterprise-wide — encompassing hundreds and thousands of databases.” -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc, July 13, 2011