
Page 1: Behind the Scenes of the Security Immune System Demo ... · OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation” 9/7/16 ... Oracle Vulnerabilities

Behind the Scenes of the Security Immune System Demo: Guardium Integration Architecture

SECURITY FOR A NEW ERA OF COMPUTING

Cindy E. Compert, CIPT/M

September 22, 2016

CTO Data Security & Privacy, IBM Security

Cybersecurity Leader, US Public Sector Market

@CCBigData

Page 2

2 IBM Security

Hints and tips for IMS security and compliance with Guardium for z/OS

Date: Thursday, October 13, 2016

Time: 11:00 AM EDT, 8:00 AM PDT (60 minutes)

Speakers: Bern Lord, CyberSecurity Technical Specialist; Howie Hirsch, CyberSecurity Technical Specialist

Register here: http://ibm.biz/IMSGuard

Mark your calendars! Next tech talk.

Page 3

Guardium community on developerWorks

bit.ly/guardwiki (link in the right nav)

Page 4

Agenda

• What’s a Security Immune System?

• Demonstration Overview

• Demo!

• Scenario Review and Integration Components

• Wrap up

Page 5

“Your previous provider refused to share your electronic medical records,

but not to worry – I was able to obtain all of your information online.”

Source: The New Yorker

Page 6

Valuable data

10X: Medical records are worth 10X credit cards

Concern around brand protection

3X: Healthcare post-breach customer loss rate is 3X greater than retail

New delivery channels

65% of consumer healthcare transactions will be mobile by 2018

Board-level focus

66%: 2/3 of corporate directors blame the CEO for a breach

From compliance to investment

3%: % of total IT budget. All industries: 3 to 14%; Healthcare: 3 to 4%

Security: A Strategic Imperative

Page 7

A new Ecosystem demands a new approach

New threats require a new approach to security, but most are defending against yesterday’s attacks, using siloed, discrete defenses

Broad Attacks (indiscriminate malware, spam and DoS activity): Tactical Approach, compliance-driven, reactionary

• Build multiple perimeters

• Protect all systems

• Use signature-based methods

• Periodically scan for known threats

• Read the latest news

• Shut down systems

Targeted Attacks (advanced, persistent, organized, politically or financially motivated): Strategic Approach, intelligence-driven, continuous

• Assume constant compromise

• Prioritize high-risk assets

• Use behavioral-based methods

• Continuously monitor activity

• Consume real-time threat feeds

• Gather, preserve, retrace evidence

Page 8

Establish security as an immune system

Firewalls

Incident and threat management

Virtual patching

Sandboxing

Network visibility

Data access control

Data monitoring

Malware protection

Antivirus

Endpoint patching and management

Criminal detection

Fraud protection

Incident response

Access management

Entitlements and roles

Identity management

Privileged identity management

Application security management

Application scanning

Transaction protection

Device management

Content security

Log, flow and data analysis

Vulnerability assessment

Anomaly detection

Page 9

Enhance security through intelligence and integration

Firewalls

Incident and threat management

Virtual patching

Sandboxing

Network visibility

Data access control

Data monitoring

Malware protection

Antivirus

Endpoint patching and management

Criminal detection

Fraud protection

Incident response

Access management

Entitlements and roles

Identity management

Privileged identity management

Application security management

Application scanning

Transaction protection

Device management

Content security

Security Intelligence

Log, flow and data analysis

Vulnerability assessment

Anomaly detection

Global Threat Intelligence

Consulting Services | Managed Services

Cloud

Page 10

Demonstration Overview

Page 11

Security Immune System In Action: Demo Products

• IBM Security Network Protection XGS

• IBM Security Access Manager for Web (Web Seal)

• IBM Security Privileged Identity Manager with IBM Security Access Manager ESSO, including PIM to Guardium integration

• IBM Security Guardium Database Activity Monitor/ Guardium File Activity Monitor

• IBM Security QRadar

• IBM Security Resilient including QRadar Resilient App

• IBM Security Directory Integrator (included with QRadar)

• IBM Security AppScan, including AppScan to Guardium integration

• IBM Security BigFix

• IBM Security Identity Governance

• IBM Security Guardium Data Encryption

Page 12

How Real is this?

Source: Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation”, 9/7/16

https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

Page 13

Janet Stevens, Patient Intake Coordinator, PrettyGood Health, Inc.

Charlie the Puppy

Demonstration Time…

Page 14

Scenario Review and Integration Components

Page 15

Security Immune System Example 1: Breaking the Attack Chain

Attack chain: Break-In (Phishing) -> Gather Credentials -> Attack -> Exfiltrate Critical Data

Integrated Protection: XGS / QRadar / Guardium Closed Loop Remediation

Components: XGS, QRadar, Resilient Incident Response, Guardium

Page 16

Security Immune System Example 2: Insider Threat

Attack chain: Insider Threat -> Gather Credentials -> Attack -> Exfiltrate Critical Data

Integrated Protection: PIM / QRadar / Guardium Closed Loop Remediation

Components: PIM, QRadar, Guardium

Page 17

The Basics: Guardium REST API

• AKA ‘Guardium Glue’

• Use cases:

1. Automating processes: run reports from a web portal and display results

2. Dynamically update groups, install policies (push): jump server scripting example

3. Pull Guardium information into another tool or environment

• Shell script, curl, etc.; our example uses the Cygwin shell script emulator

Link: Guardium REST API: http://ibm.biz/Bdrwzi developerworks article + Tech Talk links

Page 18

Script example: Policy install automation

Install 2 policies; use the concat symbol (|) to separate them

REST API command to install policy

Page 19

Guardium to QRadar Integration

1. Sending Guardium alerts (‘events’) to QRadar in real time (covered here)

2. Updating Guardium policies based on events from QRadar (slide 20). Reference guide: https://ibm.biz/BdXMsK

3. Importing Vulnerability Assessment results into QRadar Risk or Vulnerability Manager (http://ibm.biz/BdrwM5, page 19)

Page 20

Guardium to QRadar Events: How to

5 Steps to Set up! Docs in QRadar here: http://ibm.biz/BdrwMf

1. Create a syslog destination for policy violation events (use grdapi to identify your QRadar system)

2. Configure your existing Guardium policies to generate syslog events (select LEEF format)

3. Install and trigger the policy on IBM Guardium.

4. Configure the log source in QRadar.

5. Identify and map unknown policy events in QRadar. Select the ‘unknown event’ in QRadar and use the ‘map event’ button to select the Event name you want to display. Best practice: name the event the same as the rule name. (100+ default rules)

Page 21

Guardium to QRadar Events: How to (detail)

1. Enable syslog forwarding:

store remotelog add non_encrypted daemon.info 192.168.42.150 udp

store remotelog add non_encrypted daemon.warning 192.168.42.150 udp

store remotelog add non_encrypted daemon.err 192.168.42.150 udp

store remotelog add non_encrypted daemon.alert 192.168.42.150 udp

2. Syslog mapping of info, warning, err, alert is taken from the policy SEVERITY level

3. Basic integration was done with “pre-defined” policy rules, so that the RULE DESCRIPTION from the predefined policies will be automatically parsed

4. Make sure to use the LEEF Template format

5. QRadar: make sure the Guardium “Hostname” is used for “Log Source Identifier” in the QRadar configuration

6. QRadar: optionally map the QID in QRadar if not using the default Rule Description

Guardium Appliance: 1. Configure remotelog on the Guardium appliance; 2. Configure the policy to send the alerts
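The receiving side of the setup above, as an added example that is not part of the deck and not Guardium or QRadar code: it parses policy violations arriving as syslog LEEF records and applies the three checks the slide implies (the hostname is the one QRadar expects as Log Source Identifier, the syslog level agrees with the rule SEVERITY, and the rule name already has a QRadar event mapping). The sample lines, the LEEF attribute keys (ruleDesc, sev, clientIP, dbUser) and the SEVERITY-to-syslog-level table are constructed for this example; Guardium's real LEEF template uses its own key names.

```python
"""Parse Guardium policy-violation events forwarded to QRadar as syslog LEEF.

Added example, not code from the deck, from Guardium or from QRadar. Sample
lines, LEEF keys and the severity table below are CONSTRUCTED assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed mapping of Guardium policy SEVERITY to the forwarded syslog level
# (the deck says the level is derived from the rule's SEVERITY).
SEVERITY_TO_SYSLOG = {"INFO": "info", "LOW": "warning", "MED": "err", "HIGH": "alert"}

# Syslog severity codes (PRI % 8). daemon facility is 3, so daemon.alert=25,
# daemon.err=27, daemon.warning=28, daemon.info=30.
SYSLOG_CODES = {1: "alert", 3: "err", 4: "warning", 6: "info"}

# Rule names that already have a QRadar event mapping (constructed sample).
KNOWN_EVENT_NAMES = {"Suspicious Users Log Full Details", "Failed Login"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>LEEF:.*)$"
)

# Constructed sample of what the appliance would forward, one line per violation.
SAMPLE_LINES = [
    "<25>Sep 22 10:15:01 guardium01 LEEF:1.0|IBM|Guardium|10.1|Policy Violation|"
    "ruleDesc=Suspicious Users Log Full Details\tsev=HIGH\tclientIP=10.0.0.25\tdbUser=janet",
    "<30>Sep 22 10:16:40 guardium01 LEEF:1.0|IBM|Guardium|10.1|Policy Violation|"
    "ruleDesc=Failed Login\tsev=INFO\tclientIP=10.0.0.31\tdbUser=svc_report",
    "<27>Sep 22 10:17:02 guardium01 LEEF:1.0|IBM|Guardium|10.1|Policy Violation|"
    "ruleDesc=Schema Change by Non-DBA\tsev=LOW\tclientIP=10.0.0.40\tdbUser=appuser",
]


@dataclass
class GuardiumEvent:
    log_source_identifier: str      # must equal the Guardium hostname configured in QRadar
    syslog_level: str
    rule_description: str
    severity: str
    fields: dict = field(default_factory=dict)
    needs_mapping: bool = False     # rule name has no QRadar event mapping yet
    severity_mismatch: bool = False  # syslog level disagrees with the rule SEVERITY


def parse_leef(msg):
    """Split a LEEF 1.0 record into its header dict and its tab-separated attributes."""
    parts = msg.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record: %r" % msg[:40])
    header = dict(zip(("version", "vendor", "product", "product_version", "event_id"), parts[:5]))
    attrs = {}
    for kv in parts[5].split("\t"):
        key, sep, value = kv.partition("=")
        if sep:
            attrs[key] = value
    return header, attrs


def parse_event(line, known_names=KNOWN_EVENT_NAMES):
    """One syslog line -> GuardiumEvent with the mapping and consistency checks filled in."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    header, attrs = parse_leef(m.group("msg"))
    if header["vendor"] != "IBM" or header["product"] != "Guardium":
        raise ValueError("unexpected LEEF source %s/%s" % (header["vendor"], header["product"]))
    level = SYSLOG_CODES.get(int(m.group("pri")) % 8, "other")
    rule = attrs.get("ruleDesc", header["event_id"])
    sev = attrs.get("sev", "")
    return GuardiumEvent(
        log_source_identifier=m.group("host"),
        syslog_level=level,
        rule_description=rule,
        severity=sev,
        fields=attrs,
        needs_mapping=rule not in known_names,
        severity_mismatch=SEVERITY_TO_SYSLOG.get(sev) != level,
    )


def unmapped_rules(lines, known_names=KNOWN_EVENT_NAMES):
    """Rule names that still need a 'map event' in QRadar (step 5 of the setup)."""
    return sorted({e.rule_description for e in (parse_event(l, known_names) for l in lines) if e.needs_mapping})


def severity_mismatches(lines):
    """Rules whose forwarded syslog level does not match their SEVERITY: check the policy."""
    return [e.rule_description for e in map(parse_event, lines) if e.severity_mismatch]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_event(line)
        print(e.log_source_identifier, e.syslog_level, e.rule_description,
              "UNMAPPED" if e.needs_mapping else "", "SEVERITY MISMATCH" if e.severity_mismatch else "")
```

Run over the three constructed lines, the script reports one rule that still needs mapping and one whose level disagrees with its SEVERITY; in a real deployment both lists come from the unmapped-event view in QRadar and a quick comparison against the policy's rule severities.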

Page 22

Closed Loop Integration Example: Updating Guardium policies based on Events from QRadar generated by the IBM Network Security Protection Appliance (XGS)

• Security Directory Integrator (included with QRadar) provides real-time synchronization, transformation and movement between events

1. Network Security (XGS) detects and blocks attempted malware attack on user Janet’s workstation

2. ‘Java Malicious Applet’ intrusion event sent to QRadar

3. QRadar rule forwards event to Security Directory Integrator (SDI)

4. SDI processes event and calls Guardium REST API to update ‘Suspicious Client IP’ group with Janet’s IP address and reinstalls Guardium policies

5. ‘Suspicious Users Log Full Details’ rule is triggered when Janet attempts to view sensitive tables

Docs: http://ibm.biz/BdrTwm

Example: http://ibm.biz/BdrTwb
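Steps 3 to 5 of this closed loop, together with the pipe-separated policy install from the "Script example: Policy install automation" slide, as one added example. It is not the deck's Cygwin/curl script, not the Security Directory Integrator assembly line, and not an IBM-published client. The REST paths (/oauth/token, /restAPI/group_member, /restAPI/policy_install), the JSON parameter names, the OAuth client id and the shape of the incoming QRadar event are assumptions standing in for the documented ones; check them against the REST API reference (http://ibm.biz/Bdrwzi) before use. Requests go over the network only when GUARDIUM_HOST is set; otherwise the client records what it would have sent, and that recorded list is what the test checks.

```python
"""Closed-loop remediation: XGS block event from QRadar -> Guardium group update
-> policy reinstall. Added example; endpoints, parameter names and the event
shape are ASSUMPTIONS, not IBM's documented API.
"""
import ipaddress
import json
import os
import urllib.parse
import urllib.request

GROUP_NAME = "Suspicious Client IP"       # group name from the deck
POLICY_SEP = "|"                           # concat symbol from the policy-install slide
POLICIES = ["HIPAA Data Access Policy", "Suspicious Users Policy"]   # constructed names

# Constructed stand-in for the event QRadar forwards after an XGS block.
SAMPLE_EVENT = {
    "event_name": "Java Malicious Applet",
    "category": "Intrusion",
    "action": "blocked",
    "source_ip": "10.0.0.25",    # Janet's workstation in the demo scenario
    "log_source": "xgs01",
}


class GuardiumRestClient:
    def __init__(self, host=None, client_id="assumed-client", client_secret="", user="", password=""):
        self.base = "https://%s:8443" % host if host else None
        self.auth = (client_id, client_secret, user, password)
        self.dry_run = host is None     # no host: record requests instead of sending them
        self.sent = []                  # every request the client decided to make

    def _token(self):
        # Assumed: OAuth password grant against /oauth/token. Never log the response.
        client_id, client_secret, user, password = self.auth
        body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                       "grant_type": "password", "username": user,
                                       "password": password}).encode()
        with urllib.request.urlopen(self.base + "/oauth/token", data=body, timeout=30) as resp:
            return json.load(resp)["access_token"]

    def post(self, path, payload):
        record = {"path": path, "payload": payload}
        self.sent.append(record)
        if self.dry_run:
            return {"dry_run": True, **record}
        req = urllib.request.Request(self.base + path, data=json.dumps(payload).encode(),
                                     method="POST",
                                     headers={"Content-Type": "application/json",
                                              "Authorization": "Bearer " + self._token()})
        with urllib.request.urlopen(req, timeout=30) as resp:   # TLS verified by default
            return json.load(resp)

    def add_group_member(self, group, member):
        return self.post("/restAPI/group_member", {"desc": group, "member": member})

    def install_policies(self, names):
        # Several policies in one call, separated by the concat symbol.
        return self.post("/restAPI/policy_install", {"policy": POLICY_SEP.join(names)})


def should_remediate(event):
    """Only a blocked intrusion with a usable, non-local source address feeds the group."""
    if event.get("category") != "Intrusion" or event.get("action") != "blocked":
        return False
    try:
        ip = ipaddress.ip_address(event.get("source_ip", ""))
    except ValueError:
        return False                     # never push unparsed event text into a group
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast)


def remediate(event, client):
    """Steps 3-4 of the closed loop; returns the REST paths called, in order."""
    if not should_remediate(event):
        return []
    client.add_group_member(GROUP_NAME, event["source_ip"])
    client.install_policies(POLICIES)
    return [r["path"] for r in client.sent]


if __name__ == "__main__":
    client = GuardiumRestClient(host=os.environ.get("GUARDIUM_HOST"),
                                client_secret=os.environ.get("GUARDIUM_CLIENT_SECRET", ""),
                                user=os.environ.get("GUARDIUM_USER", ""),
                                password=os.environ.get("GUARDIUM_PASSWORD", ""))
    print(remediate(SAMPLE_EVENT, client))
    for r in client.sent:
        print(json.dumps(r))
```

The validation in should_remediate is the part worth keeping whatever the real endpoints turn out to be: the group feeds a policy rule, so anything that is not a well-formed routable address from a blocked intrusion must be dropped before it reaches the REST call.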

Page 23

New Privileged Identity Manager to Guardium Integration

• PIM Data collected as Custom Tables

  • Available as pre-defined Custom tables

  • Available for Reporting

  • Used by correlation process and distributed to all managed units

• Correlation Process: suggest running it frequently if needed

  • Links Guardium Sessions to PIM Data

  • Enhances session information with information about the actual user that leased the ID, justification, checkin and checkout date and times, etc.

• Correlated Data

  • Available as part of the access domain

• Requires Guardium patch 103 + 10.1.2 and PIM release v2.0.2.6

• Tech Note: http://www.ibm.com/support/docview.wss?uid=swg21990953
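The correlation the slide describes, as an added example that is neither Guardium's correlation process nor the custom-table schema the integration ships: a session opened with a shared privileged ID is attributed to the person who had that ID checked out of PIM at login time, with the justification and check-out/check-in times carried along. Field names and all records are constructed. The second outcome is the one the insider-threat scenario (Example 2) turns on: a session on a PIM-managed ID that no lease explains.

```python
"""Correlate Guardium database sessions with PIM lease records.

Added example; not IBM's implementation. All names and records are CONSTRUCTED.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    db_user: str                 # the ID used to log in, possibly a shared privileged one
    client_host: str
    login_time: datetime


@dataclass(frozen=True)
class Lease:
    shared_id: str
    leased_by: str               # the actual person who checked the ID out of PIM
    justification: str
    checkout: datetime
    checkin: Optional[datetime]  # None while the lease is still open


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data.
SESSIONS = [
    Session("s1", "DBADMIN", "janet-pc", _ts("2016-09-22 09:05")),
    Session("s2", "DBADMIN", "janet-pc", _ts("2016-09-22 13:30")),
    Session("s3", "APPUSER", "app01", _ts("2016-09-22 10:00")),
    Session("s4", "DBADMIN", "bob-pc", _ts("2016-09-22 14:10")),
]
LEASES = [
    Lease("DBADMIN", "janet.stevens", "Ticket 1234: rebuild patient index",
          _ts("2016-09-22 09:00"), _ts("2016-09-22 09:45")),
    Lease("DBADMIN", "bob.ops", "Change 567: apply schema update",
          _ts("2016-09-22 14:00"), None),
]


def lease_covers(lease, when):
    """True when the login instant lies inside the lease window (open leases have no end)."""
    return lease.checkout <= when and (lease.checkin is None or when <= lease.checkin)


def correlate(sessions, leases):
    """session_id -> enriched dict, or None when no single lease covers the login."""
    out = {}
    for s in sessions:
        matches = [l for l in leases if l.shared_id == s.db_user and lease_covers(l, s.login_time)]
        if len(matches) == 1:
            l = matches[0]
            out[s.session_id] = {"actual_user": l.leased_by, "justification": l.justification,
                                 "checkout": l.checkout, "checkin": l.checkin}
        else:
            out[s.session_id] = None   # no lease, or overlapping leases: do not guess
    return out


def unattributed_sessions(sessions, leases):
    """Sessions on a PIM-managed ID that no lease explains: review these first."""
    managed = {l.shared_id for l in leases}
    linked = correlate(sessions, leases)
    return [s.session_id for s in sessions if s.db_user in managed and linked[s.session_id] is None]


if __name__ == "__main__":
    for sid, info in correlate(SESSIONS, LEASES).items():
        print(sid, info["actual_user"] if info else "NO LEASE")
    print("review:", unattributed_sessions(SESSIONS, LEASES))
```

Session s3 uses an ID that PIM does not manage, so it is simply left unattributed; s2 uses a managed ID outside any lease window and is the one to review.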

Page 24

Guardium – PIM Integration – Correlate Privileged User Activity

Sessions Information consolidated with PIM Lease data

Page 25

AppScan = Application Security Program Management and Compliance for the Enterprise

Application Security Management

Use a single console for managing application testing, reporting and policies

Dynamic Application Scanning

Identify and remediate vulnerabilities in live applications

Static Application Scanning

Address application security from day one to production

Key Integrations: Security Intelligence, Network Protection, Mobile App Protection, Data Security (New!! Guardium Integration)

Page 26

Guardium Vulnerability Assessment and AppScan ASE Integration

HR Application (Application Name, URL, Type): Application Specific Vulnerability 1 to 5, from AppScan ASE

HR Database (Database Name, IP, type): Database Vulnerability 1 to 5, from Guardium Vulnerability Assessment

Page 27

AppScan to Guardium Integration: Vulnerability Assessment, example flow

Step 1: Application Static Analysis

Step 2: Application Dynamic Analysis

Step 3: Guardium Vulnerability import and Application correlation

Step 4: Remediation & Reporting

Page 28

AppScan Dashboard Example: Oracle Vulnerabilities

Page 29

Incident Response, a collaboration and skills challenge

SILOED SECURITY TEAMS AND TOOLS lead to manual activities and lost time

UNDEFINED RESPONSE PROCEDURES create delays and unnecessary confusion

LACK OF SKILLS builds bottlenecks and an inability to act

UNFAMILIARITY WITH REGULATIONS causes unfulfilled obligations and privacy concerns

Diagram: Legal, HR, CEO, CISO and IT (Risk? Ownership? Tasks?) on one side; Security Operations and Incident Response with IDS, NIPS, AV, DBs, Apps, DLP, FW ... on the other, with a gap between them

Today’s response is manual and disconnected

Incident response is time critical and cuts across the organization

Page 30

Resilient allows security teams to collaborate on a single hub

Aligns people, process, and technology

Provides centralized collaboration and intelligence

Built with one of the world’s largest knowledgebases of global regulatory and privacy requirements

Allows security teams to easily configure IR plans for their organization in hours or days, not weeks or months

Unlocks the value of other security investments, e.g. SIEM, ticket systems, IDS/IPS, and more

Enables organizations to automate response processes and measure the ROI of their security investments

RESPOND FASTER. SMARTER. BETTER.

Resilient’s Incident Response Platform (IRP) makes security alerts instantly actionable, provides valuable intelligence and incident context, and enables security teams to eliminate or streamline critical steps

Page 31

QRadar to Resilient Incident Response Integration- Resilient App

Page 32

Example HIPAA Incident: includes tasks and instructions

Page 33

Easy to configure! Provider URL + credentials

Page 34

Resources Summary

• High Level demo overview (webinar replay): http://ibm.biz/SecHealthReplay

• Security Integrations on developerWorks: http://ibm.biz/Bdrwzr (videos + tested solutions)

• Guardium REST API: http://ibm.biz/Bdrwzi (developerWorks article + Tech Talk links)

• Guardium to QRadar:

  • Sending Guardium alerts (events) to QRadar: http://ibm.biz/BdrwMf

  • Closed Loop, updating Guardium policies based on events from QRadar: http://ibm.biz/BdrTwm and http://ibm.biz/BdrTwb (example XGS Network Security and Guardium)

  • Importing Vulnerability Assessment results into QRadar Risk or Vulnerability Manager (http://ibm.biz/BdrwM5, page 19)

• Privileged Identity Manager (PIM) to Guardium: http://www.ibm.com/support/docview.wss?uid=swg21990953

• Resilient Incident Response to QRadar: http://www-03.ibm.com/security/engage/app-exchange/ and http://ibm.biz/BdrwvZ (Resilient App Detail). Integrations available to a vast number of systems including Guardium via the Resilient Action Module.

Page 35

IBM is uniquely qualified to help secure a new era of computing

INTELLIGENCE and Cognitive: Learnings from 35 billion security events managed per day; Real-time intelligence and cognition to help detect, assess, stop cyber threats

INTEGRATION and Cloud: Integrated security services and technology solutions; Security for the cloud, from the cloud

EXPERTISE and Collaboration: Security best practices from tens of thousands of engagements; Platforms to share threat research and new apps

Page 36

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

FOLLOW US ON:

THANK YOU

Page 37

Guardium VA and AppScan integrated dashboard will show the holistic view of datasource and application vulnerabilities

AppScan ASE provides a single dashboard view to access overall Application risk, calculated based on failed application and datasource vulnerabilities

• ASE imports failed Datasource vulnerabilities from the Guardium Vulnerability Assessment report in CSV format

• Each failed test in the VA report is imported with the attribute mapping in ASE

• Supported in ASE version 9.0.3 iFix 3, Q1 2016

Elements List:

Test Description (Required)

Host (Required)

Port (Required)

Service Name (Required)

DB Name (Required)

Test Score (Required)

Score Description (Optional)

User Name (Optional)

Full Version Info (Optional)

Severity (Optional)

Datasource Type (Optional)

Short Description (Optional)

Recommendation (Optional)

Result Text (Optional)

Result Details (Optional)

External Reference (Optional)

STIG Reference (Optional)

STIG Severity (Optional)

STIG SRG (Optional)

IAControls (Optional)
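Building the CSV that ASE imports from the element list above, as an added example that is neither Guardium's own CSV export nor ASE's importer: only failed tests are written, the six required elements must all be present, and optional elements are passed through when the VA result carries them. The VA result records are constructed for the demo's HR database, and treating a Test Score of "Fail" as the failed-test marker is an assumption about the report.

```python
"""Produce the Guardium VA -> AppScan ASE import CSV from the slide's element list.

Added example; not IBM code. VA result records are CONSTRUCTED and the
Test Score == "Fail" convention is an assumption.
"""
import csv
import io

REQUIRED = ["Test Description", "Host", "Port", "Service Name", "DB Name", "Test Score"]
OPTIONAL = ["Score Description", "User Name", "Full Version Info", "Severity", "Datasource Type",
            "Short Description", "Recommendation", "Result Text", "Result Details",
            "External Reference", "STIG Reference", "STIG Severity", "STIG SRG", "IAControls"]
COLUMNS = REQUIRED + OPTIONAL

# Constructed VA results for the demo's HR database (one passing, two failing).
VA_RESULTS = [
    {"Test Description": "Default password for SYSTEM account", "Host": "hrdb01.example.test",
     "Port": "1521", "Service Name": "HRPROD", "DB Name": "HRPROD", "Test Score": "Fail",
     "Severity": "Critical", "Datasource Type": "Oracle",
     "Result Details": "Accounts with default password: SYSTEM, OUTLN",
     "Recommendation": "Change the password and lock unused accounts"},
    {"Test Description": "Listener logging enabled", "Host": "hrdb01.example.test",
     "Port": "1521", "Service Name": "HRPROD", "DB Name": "HRPROD", "Test Score": "Pass"},
    {"Test Description": "Excessive PUBLIC privileges", "Host": "hrdb01.example.test",
     "Port": "1521", "Service Name": "HRPROD", "DB Name": "HRPROD", "Test Score": "Fail",
     "Severity": "Major", "Datasource Type": "Oracle", "STIG Reference": "placeholder-stig-id"},
]


def missing_required(result):
    """Required elements that are absent or blank in one VA result."""
    return [c for c in REQUIRED if not str(result.get(c, "")).strip()]


def failed_tests(results):
    return [r for r in results if r.get("Test Score") == "Fail"]


def to_ase_csv(results):
    """Return the CSV text ASE would import; refuse rows lacking a required element."""
    rows = failed_tests(results)
    for r in rows:
        missing = missing_required(r)
        if missing:
            raise ValueError("%s: missing %s" % (r.get("Test Description", "?"), ", ".join(missing)))
    buf = io.StringIO()
    # The csv module quotes commas and newlines inside Result Details and friends.
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({c: r.get(c, "") for c in COLUMNS})
    return buf.getvalue()


def read_back(text):
    """Parse the CSV again, the way an importer would, for a round-trip check."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(to_ase_csv(VA_RESULTS))
```

The round-trip function is there because free-text elements such as Result Details routinely contain commas; writing them through the csv module rather than string joins is what keeps the column count stable for the importer.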

Page 38

Vulnerability Assessment Query

Page 39

Import Guardium Vulnerabilities in AppScan