TRANSCRIPT
Behind the Scenes of the Security Immune System Demo: Guardium Integration Architecture
SECURITY FOR A NEW ERA OF COMPUTING
Cindy E. Compert, CIPT/M
September 22, 2016
CTO Data Security & Privacy, IBM Security
Cybersecurity Leader, US Public Sector Market
@CCBigData
2 IBM Security
Hints and tips for IMS security and compliance with Guardium for z/OS
Date: Thursday, October 13, 2016
Time: 11:00 AM EDT, 8:00 AM PDT (60 minutes)
Speakers: Bern Lord, CyberSecurity Technical Specialist; Howie Hirsch, CyberSecurity Technical Specialist
Register here: http://ibm.biz/IMSGuard
Mark your calendars! Next tech talk.
Guardium community on developerWorks
bit.ly/guardwiki
Agenda
• What’s a Security Immune System?
• Demonstration Overview
• Demo!
• Scenario Review and Integration Components
• Wrap up
“Your previous provider refused to share your electronic medical records,
but not to worry – I was able to obtain all of your information online.”
Source: The New Yorker
Security: A Strategic Imperative
• Valuable data: medical records are worth 10X credit cards
• Concern around brand protection: healthcare post-breach customer loss rate is 3X greater than retail
• New delivery channels: 65% of consumer healthcare transactions will be mobile by 2018
• Board-level focus: 2/3 (66%) of corporate directors blame the CEO for a breach
• From compliance to investment: security as a share of total IT budget is 3 to 14% across all industries and 3 to 4% in healthcare
A new ecosystem demands a new approach
New threats require a new approach to security, but most are defending against yesterday’s attacks, using siloed, discrete defenses.
Broad attacks (indiscriminate malware, spam and DoS activity): tactical approach, compliance-driven, reactionary
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Read the latest news
• Shut down systems
Targeted attacks (advanced, persistent, organized, politically or financially motivated): strategic approach, intelligence-driven, continuous
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Consume real-time threat feeds
• Gather, preserve, retrace evidence
Establish security as an immune system
Firewalls; incident and threat management; virtual patching; sandboxing; network visibility; data access control; data monitoring; malware protection; antivirus; endpoint patching and management; criminal detection; fraud protection; incident response; access management; entitlements and roles; identity management; privileged identity management; application security management; application scanning; transaction protection; device management; content security; log, flow and data analysis; vulnerability assessment; anomaly detection.
Enhance security through intelligence and integration
Firewalls; incident and threat management; virtual patching; sandboxing; network visibility; data access control; data monitoring; malware protection; antivirus; endpoint patching and management; criminal detection; fraud protection; incident response; access management; entitlements and roles; identity management; privileged identity management; application security management; application scanning; transaction protection; device management; content security; Security Intelligence (log, flow and data analysis; vulnerability assessment; anomaly detection); Global Threat Intelligence.
Consulting Services | Managed Services
Cloud
Demonstration Overview
Security Immune System In Action: Demo Products
• IBM Security Network Protection XGS
• IBM Security Access Manager for Web (Web Seal)
• IBM Security Privileged Identity Manager with IBM Security Access Manager ESSO, including PIM to Guardium integration
• IBM Security Guardium Database Activity Monitor/ Guardium File Activity Monitor
• IBM Security QRadar
• IBM Security Resilient including QRadar Resilient App
• IBM Security Directory Integrator (included with QRadar)
• IBM Security AppScan, including AppScan to Guardium integration
• IBM Security BigFix
• IBM Security Identity Governance
• IBM Security Guardium Data Encryption
How Real is this?
Source: Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation”, 9/7/16
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
Janet Stevens, Patient Intake Coordinator, PrettyGood Health, Inc. (and Charlie the Puppy)
Demonstration Time…
Scenario Review and Integration Components
Security Immune System Example 1: Breaking the Attack Chain
Attack chain: Break-In (Phishing) → Gather Credentials → Attack → Exfiltrate Critical Data
Integrated Protection: XGS/QRadar/Guardium closed loop remediation (XGS, QRadar, Resilient Incident Response, Guardium)
Security Immune System Example 2: Insider Threat
Attack chain: Insider Threat → Gather Credentials → Attack → Exfiltrate Critical Data
Integrated Protection: PIM/QRadar/Guardium closed loop remediation (PIM, QRadar, Guardium)
The Basics: Guardium REST API
• AKA ‘Guardium Glue’
• Use cases:
  1. Automating processes: run reports from a web portal and display the results
  2. Dynamically update groups and install policies (push): jump server scripting example
  3. Pull Guardium information into another tool or environment
• Shell script, curl, etc.; our example uses the Cygwin shell script emulator
Link: Guardium REST API: http://ibm.biz/Bdrwzi (developerWorks article + Tech Talk links)
Script example: Policy install automation
Install 2 policies, using the concat symbol (|) to separate them
REST API command to install policy
Guardium to QRadar Integration
1. Sending Guardium alerts (‘events’) to QRadar in real time: covered here
2. Updating Guardium policies based on events from QRadar (slide 20); reference guide: https://ibm.biz/BdXMsK
3. Importing Vulnerability Assessment results into QRadar Risk or Vulnerability Manager (http://ibm.biz/BdrwM5, page 19)
Guardium to QRadar Events: How to
5 steps to set up. Docs in QRadar here: http://ibm.biz/BdrwMf
• Create a syslog destination for policy violation events (use grdapi to identify your QRadar system).
• Configure your existing Guardium policies to generate syslog events (select LEEF format).
• Install and trigger the policy on IBM Guardium.
• Configure the log source in QRadar.
• Identify and map unknown policy events in QRadar: select the ‘unknown event’ in QRadar and use the ‘map event’ button to select the event name you want to display. Best practice: name the event the same as the rule name (100+ default rules).
Guardium to QRadar Events: How to, in detail
1. Enable syslog forwarding on the Guardium appliance CLI (192.168.42.150 is the syslog destination used in the slide):
store remotelog add non_encrypted daemon.info 192.168.42.150 udp
store remotelog add non_encrypted daemon.warning 192.168.42.150 udp
store remotelog add non_encrypted daemon.err 192.168.42.150 udp
store remotelog add non_encrypted daemon.alert 192.168.42.150 udp
2. The syslog level (info, warning, err, alert) is taken from the policy SEVERITY level.
3. Basic integration was done with “pre-defined” policy rules, so that the RULE DESCRIPTION from the predefined policies will be automatically parsed.
4. Make sure to use the LEEF template format.
5. QRadar: make sure the Guardium “Hostname” is used for the “Log Source Identifier” in the QRadar configuration.
6. QRadar: optionally map the QID in QRadar if not using the default Rule Description.
On the Guardium appliance: (1) configure remotelog on the appliance; (2) configure the policy to send the alerts.
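The forwarding configured above delivers Guardium policy violations to QRadar as LEEF 1.0 events inside syslog messages. The following Python is an added example (not code from the tech talk or from IBM) that parses such lines and runs the two checks the setup steps call for: that every event carries the Guardium hostname QRadar expects as Log Source Identifier, and that every event name already has a QRadar mapping (names without one show up as ‘unknown events’). The PRI/facility arithmetic is standard syslog; the sample lines, attribute values and the set of already-mapped event names are constructed.

```python
"""Parse LEEF-over-syslog events of the kind Guardium forwards to QRadar and
report (a) events per sending hostname, (b) event names not yet mapped in
QRadar, (c) events per syslog level. Sample data is constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Syslog PRI = facility * 8 + severity (RFC 5424). The remotelog lines above
# forward the daemon facility at info/warning/err/alert, the four levels
# Guardium derives from the policy rule's SEVERITY.
DAEMON_FACILITY = 3
SEVERITY_NAMES = {6: "info", 4: "warning", 3: "err", 1: "alert"}

# BSD-style syslog header followed by the LEEF payload.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<leef>LEEF:.*)$"
)


@dataclass
class LeefEvent:
    host: str        # Guardium appliance hostname = QRadar Log Source Identifier
    level: str       # info / warning / err / alert
    vendor: str
    product: str
    version: str
    event_id: str    # Guardium rule description; QRadar maps this to a QID
    attrs: dict


def parse_leef_line(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF 1.0 event; raise on anything
    remotelog would not have forwarded or LEEF would not have produced."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog/LEEF line: {line!r}")
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility != DAEMON_FACILITY or severity not in SEVERITY_NAMES:
        raise ValueError(f"unexpected PRI {m.group('pri')}: only daemon.info/warning/err/alert are forwarded")
    # LEEF header: LEEF:Version|Vendor|Product|Version|EventID|<attributes>
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError(f"malformed LEEF header: {m.group('leef')!r}")
    _, vendor, product, version, event_id, attr_blob = parts
    attrs = {}
    for pair in attr_blob.split("\t"):            # LEEF 1.0 attributes are tab separated
        if pair:
            key, _, value = pair.partition("=")   # values (e.g. SQL text) may contain '='
            attrs[key] = value
    return LeefEvent(m.group("host"), SEVERITY_NAMES[severity], vendor, product, version, event_id, attrs)


def parse_all(lines):
    return [parse_leef_line(line) for line in lines]


def hosts_seen(events) -> Counter:
    """Events per sending hostname; each distinct value needs a QRadar log
    source whose Log Source Identifier equals that hostname (step 5)."""
    return Counter(e.host for e in events)


def unmapped_event_ids(events, mapped_names) -> set:
    """Event names QRadar would show as 'unknown' until mapped (step 6;
    best practice is to map them under the Guardium rule name)."""
    return {e.event_id for e in events} - set(mapped_names)


def events_by_level(events) -> Counter:
    return Counter(e.level for e in events)


# Constructed sample traffic: three policy-violation events from two appliances.
SAMPLE_LINES = [
    "<30>Sep 22 10:15:01 guardium01 LEEF:1.0|IBM|Guardium|10.1|Failed Login|"
    "devTime=Sep 22 2016 10:15:00\tsrc=10.0.0.25\tdst=10.0.0.80\tusrName=jstevens\tsev=3",
    "<25>Sep 22 10:16:40 guardium01 LEEF:1.0|IBM|Guardium|10.1|Suspicious Users Log Full Details|"
    "devTime=Sep 22 2016 10:16:39\tsrc=10.0.0.25\tdst=10.0.0.80\tusrName=jstevens\tsev=9"
    "\tsql=select * from patients where id=42",
    "<28>Sep 22 10:17:02 guardium02 LEEF:1.0|IBM|Guardium|10.1|Select on Sensitive Table|"
    "devTime=Sep 22 2016 10:17:01\tsrc=10.0.0.31\tdst=10.0.0.80\tusrName=svc_etl\tsev=5",
]

# Constructed: the QRadar event names already mapped in this deployment.
MAPPED_EVENT_NAMES = {"Failed Login", "Suspicious Users Log Full Details"}

if __name__ == "__main__":
    evts = parse_all(SAMPLE_LINES)
    print("per host:", dict(hosts_seen(evts)))
    print("per level:", dict(events_by_level(evts)))
    print("still unmapped:", unmapped_event_ids(evts, MAPPED_EVENT_NAMES))
```

Run against a capture from the QRadar collector (or a pcap decode of the UDP stream), the per-host count tells you how many log sources to define and the unmapped set is the work list for the ‘map event’ step.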
Closed Loop Integration Example: Updating Guardium policies based on events from QRadar generated by the IBM Network Security Protection Appliance (XGS)
• Security Directory Integrator (included with QRadar) provides real-time synchronization, transformation and movement between events
1. Network Security (XGS) detects and blocks an attempted malware attack on user Janet’s workstation
2. A ‘Java Malicious Applet’ intrusion event is sent to QRadar
3. A QRadar rule forwards the event to Security Directory Integrator (SDI)
4. SDI processes the event and calls the Guardium REST API to update the ‘Suspicious Client IP’ group with Janet’s IP address and reinstall the Guardium policies
5. The ‘Suspicious Users Log Full Details’ rule is triggered when Janet attempts to view sensitive tables
Docs: http://ibm.biz/BdrTwm
Example: http://ibm.biz/BdrTwb
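As an added example (not the deck’s or IBM’s code), here is an in-memory model of steps 1 to 5 above. The Guardium side is a fake object standing in for the REST calls the SDI assembly line makes; the real endpoint names are not on this page and none are assumed here. The QRadar event field names, IP addresses and sensitive table names are constructed. What it shows beyond the bullet list is the idempotence caveat a practitioner wants in step 4: a repeat of the same XGS event must not trigger a second policy reinstall, and a client that was never flagged must not be logged in full by the step 5 rule.

```python
"""Model of the XGS -> QRadar -> SDI -> Guardium closed loop.
FakeGuardium stands in for the appliance and its REST API (constructed)."""
from dataclasses import dataclass, field

SUSPICIOUS_GROUP = "Suspicious Client IP"       # group name from the slide
TRIGGER_EVENT = "Java Malicious Applet"        # XGS event name from the slide
SENSITIVE_TABLES = {"PATIENTS", "CLAIMS"}      # constructed


@dataclass
class FakeGuardium:
    """In-memory stand-in for the appliance: group membership, the installed
    policy version, and an audit trail of the calls SDI would make over REST."""
    groups: dict = field(default_factory=lambda: {SUSPICIOUS_GROUP: set()})
    installed_policy_version: int = 0
    calls: list = field(default_factory=list)

    def add_group_member(self, group: str, member: str) -> bool:
        """Return True only if membership actually changed."""
        self.calls.append(("add_group_member", group, member))
        members = self.groups.setdefault(group, set())
        if member in members:
            return False
        members.add(member)
        return True

    def reinstall_policy(self) -> None:
        self.calls.append(("reinstall_policy",))
        self.installed_policy_version += 1


def qradar_rule_matches(event: dict) -> bool:
    """Step 3: the QRadar rule only forwards XGS events of the named type."""
    return event.get("source") == "XGS" and event.get("event_name") == TRIGGER_EVENT


def sdi_handle_event(event: dict, guardium: FakeGuardium) -> bool:
    """Steps 3-4: SDI adds the protected workstation's IP to the group and
    reinstalls the policy, but only when the group really changed.
    'dst_ip' as the workstation address is an assumed field name."""
    if not qradar_rule_matches(event):
        return False
    client_ip = event["dst_ip"]
    if guardium.add_group_member(SUSPICIOUS_GROUP, client_ip):
        guardium.reinstall_policy()
        return True
    return False


def policy_rule_fires(session: dict, guardium: FakeGuardium) -> bool:
    """Step 5: 'Suspicious Users Log Full Details' fires when a session from a
    group member touches a sensitive table."""
    return (session["client_ip"] in guardium.groups[SUSPICIOUS_GROUP]
            and session["table"].upper() in SENSITIVE_TABLES)


def run_scenario() -> dict:
    """Play the slide's scenario and return the observable outcomes."""
    g = FakeGuardium()
    xgs_event = {"source": "XGS", "event_name": TRIGGER_EVENT,
                 "src_ip": "203.0.113.9", "dst_ip": "10.0.0.25"}   # constructed
    first = sdi_handle_event(xgs_event, g)
    repeat = sdi_handle_event(xgs_event, g)        # same event again
    unrelated = sdi_handle_event({"source": "XGS", "event_name": "SSL Weak Cipher",
                                  "dst_ip": "10.0.0.26"}, g)
    janet = {"client_ip": "10.0.0.25", "user": "jstevens", "table": "patients"}
    other = {"client_ip": "10.0.0.31", "user": "svc_etl", "table": "patients"}
    return {
        "first_changed": first, "repeat_changed": repeat, "unrelated_changed": unrelated,
        "policy_version": g.installed_policy_version,
        "janet_logged": policy_rule_fires(janet, g),
        "other_logged": policy_rule_fires(other, g),
        "reinstalls": sum(1 for c in g.calls if c[0] == "reinstall_policy"),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In the real assembly line the two FakeGuardium methods become REST calls; keep the “only reinstall when the group changed” guard, since a noisy IPS signature can otherwise turn into a reinstall storm on the collector.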
New Privileged Identity Manager to Guardium Integration
• PIM data collected as custom tables
  • Available as pre-defined custom tables
  • Available for reporting
  • Used by the correlation process and distributed to all managed units
• Correlation process: suggest running it frequently if needed
  • Links Guardium sessions to PIM data
  • Enhances session information with information about the actual user that leased the ID, the justification, check-in and check-out dates and times, etc.
• Correlated data
  • Available as part of the access domain
• Requires Guardium patch 103 + 10.1.2 and PIM release v2.0.2.6
• Tech Note: http://www.ibm.com/support/docview.wss?uid=swg21990953
Guardium – PIM Integration – Correlate Privileged User Activity
Sessions Information consolidated with PIM Lease data
AppScan = Application Security Program Management and Compliance for the Enterprise
• Application Security Management: use a single console for managing application testing, reporting and policies
• Dynamic Application Scanning: identify and remediate vulnerabilities in live applications
• Static Application Scanning: address application security from day one to production
• Key integrations: Security Intelligence, Network Protection, Mobile App Protection, Data Security (new: Guardium integration)
Guardium Vulnerability Assessment and AppScan ASE Integration
Diagram: the HR application (application name, URL, type) is linked to the HR database (database name, IP, type). Application-specific vulnerabilities 1 to 5 come from AppScan ASE; database vulnerabilities 1 to 5 come from Guardium Vulnerability Assessment.
AppScan to Guardium Integration: Vulnerability Assessment example flow
Step 1: Application static analysis
Step 2: Application dynamic analysis
Step 3: Guardium vulnerability import and application correlation
Step 4: Remediation & reporting
AppScan Dashboard Example: Oracle Vulnerabilities
Incident Response, a collaboration and skills challenge
• SILOED SECURITY TEAMS AND TOOLS lead to manual activities and lost time
• UNDEFINED RESPONSE PROCEDURES create delays and unnecessary confusion
• LACK OF SKILLS builds bottlenecks and an inability to act
• UNFAMILIARITY WITH REGULATIONS causes unfulfilled obligations and privacy concerns
Today’s response is manual and disconnected. Diagram: Legal, HR, CEO, CISO and IT (Risk? Ownership? Tasks?); Security Operations and Incident Response; the tools (IDS, NIPS, AV, DBs, Apps, DLP, FW, ...); and the gap between them.
Incident response is time critical and cuts across the organization.
Resilient allows security teams to collaborate on a single hub
• Aligns people, process, and technology
• Provides centralized collaboration and intelligence
• Built with one of the world’s largest knowledgebases of global regulatory and privacy requirements
• Allows security teams to easily configure IR plans for their organization in hours or days, not weeks or months
• Unlocks the value of other security investments, e.g. SIEM, ticket systems, IDS/IPS, and more
• Enables organizations to automate response processes and measure the ROI of their security investments
RESPOND FASTER. SMARTER. BETTER.
Resilient’s Incident Response Platform (IRP) makes security alerts instantly actionable, provides valuable intelligence and incident context, and enables security teams to eliminate or streamline critical steps.
QRadar to Resilient Incident Response Integration- Resilient App
Example HIPAA Incident: includes tasks and instructions
Easy to configure! Provider URL + credentials
Resources Summary
• High-level demo overview (webinar replay): http://ibm.biz/SecHealthReplay
• Security integrations on developerWorks: http://ibm.biz/Bdrwzr (videos + tested solutions)
• Guardium REST API: http://ibm.biz/Bdrwzi (developerWorks article + Tech Talk links)
• Guardium to QRadar:
  • Sending Guardium alerts (events) to QRadar: http://ibm.biz/BdrwMf
  • Closed loop, updating Guardium policies based on events from QRadar: http://ibm.biz/BdrTwm and http://ibm.biz/BdrTwb (example with XGS Network Security and Guardium)
  • Importing Vulnerability Assessment results into QRadar Risk or Vulnerability Manager: http://ibm.biz/BdrwM5, page 19
• Privileged Identity Manager (PIM) to Guardium: http://www.ibm.com/support/docview.wss?uid=swg21990953
• Resilient Incident Response to QRadar: http://www-03.ibm.com/security/engage/app-exchange/ and http://ibm.biz/BdrwvZ (Resilient App detail). Integrations are available to a vast number of systems, including Guardium via the Resilient Action Module.
IBM is uniquely qualified to help secure a new era of computing
• INTELLIGENCE and Cognitive: learnings from 35 billion security events managed per day; real-time intelligence and cognition to help detect, assess and stop cyber threats
• INTEGRATION and Cloud: integrated security services and technology solutions; security for the cloud, from the cloud
• EXPERTISE and Collaboration: security best practices from tens of thousands of engagements; platforms to share threat research and new apps
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
FOLLOW US ON:
THANK YOU
Guardium VA and AppScan integrated dashboard shows the holistic view of datasource and application vulnerabilities
AppScan ASE provides a single dashboard view to assess overall application risk, calculated from failed application and datasource vulnerabilities.
• ASE imports failed datasource vulnerabilities from the Guardium Vulnerability Assessment report in CSV format
• Each failed test in the VA report is imported with the attribute mapping in ASE
• Supported in ASE version 9.0.3 iFix 3, Q1 2016
Elements list:
Required: Test Description, Host, Port, Service Name, DB Name, Test Score
Optional: Score Description, User Name, Full Version Info, Severity, Datasource Type, Short Description, Recommendation, Result Text, Result Details, External Reference, STIG Reference, STIG Severity, STIG SRG, IAControls
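As an added example (not from the deck or from IBM), the following Python pre-checks a Guardium VA CSV export against the elements list above before it is handed to AppScan ASE: it confirms the six required columns are present, keeps only failed tests (the ones ASE imports), rejects rows ASE could not place on a datasource (empty Host, impossible Port), and groups the importable failures by datasource. The CSV rows are constructed, and the assumption that Test Score carries the literal values ‘Fail’/‘Pass’ is mine, not documented on this page.

```python
"""Pre-flight check of a Guardium VA CSV export for AppScan ASE import."""
import csv
import io
from dataclasses import dataclass

# Column names exactly as given in the elements list on the slide.
REQUIRED = ["Test Description", "Host", "Port", "Service Name", "DB Name", "Test Score"]
OPTIONAL = ["Score Description", "User Name", "Full Version Info", "Severity", "Datasource Type",
            "Short Description", "Recommendation", "Result Text", "Result Details",
            "External Reference", "STIG Reference", "STIG Severity", "STIG SRG", "IAControls"]


@dataclass
class ImportCheck:
    missing_columns: list   # required columns absent from the header
    unknown_columns: list   # columns ASE has no mapping for (ignored on import)
    failed_rows: list       # rows ASE would import
    problems: list          # (row_number, message) for rows that cannot be placed


def check_va_export(csv_text: str) -> ImportCheck:
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED if c not in header]
    unknown = [c for c in header if c not in REQUIRED + OPTIONAL]
    if missing:
        return ImportCheck(missing, unknown, [], [(0, "required columns missing; nothing imported")])
    failed, problems = [], []
    for n, row in enumerate(reader, start=2):       # row 1 is the header
        # Assumed convention: Test Score is 'Pass' or 'Fail'; ASE imports failed tests only.
        if row["Test Score"].strip().lower() != "fail":
            continue
        host, port = row["Host"].strip(), row["Port"].strip()
        if not host:
            problems.append((n, "empty Host"))
            continue
        if not port.isdigit() or not 0 < int(port) < 65536:
            problems.append((n, f"bad Port {port!r}"))
            continue
        failed.append(row)
    return ImportCheck(missing, unknown, failed, problems)


def failed_by_datasource(check: ImportCheck) -> dict:
    """Importable failures keyed by (Host, Port, DB Name), the identity ASE
    uses to line a datasource up with the application that depends on it."""
    out = {}
    for row in check.failed_rows:
        key = (row["Host"], row["Port"], row["DB Name"])
        out.setdefault(key, []).append(row["Test Description"])
    return out


# Constructed export: five tests across two datasources, with two rows ASE could not place.
SAMPLE_CSV = """Test Description,Host,Port,Service Name,DB Name,Test Score,Severity,Recommendation
Default password for SYSTEM,10.0.0.80,1521,ORCL,HRDB,Fail,Critical,Change the password
Audit trail enabled,10.0.0.80,1521,ORCL,HRDB,Pass,Major,
Excessive DBA grants,10.0.0.80,1521,ORCL,HRDB,Fail,Major,Revoke DBA from app accounts
Latest patch applied,10.0.0.81,99999,ORCL,CLAIMSDB,Fail,Critical,Apply CPU
Listener password set,,1521,ORCL,HRDB,Fail,Minor,Set listener password
"""

if __name__ == "__main__":
    chk = check_va_export(SAMPLE_CSV)
    print("missing:", chk.missing_columns, "unknown:", chk.unknown_columns)
    print("importable failures:", failed_by_datasource(chk))
    print("rows to fix before import:", chk.problems)
```

Run it on the real export before the ASE import so that a renamed column or a broken host field is caught on your side rather than silently dropping findings from the application risk score.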
Vulnerability Assessment Query
Import Guardium Vulnerabilities in AppScan