IBM services and technology solutions for supporting GDPR program
IBM technology solutions as key enablers - Privacy
GDPR Program Work-stream / IBM software

2. Privacy Enforcement
2.1 Privacy Risk Assessment and Risk Treatment plan
2.2 Roles & Responsibilities
2.3 Personal Data Catalogue
  2.3.1 Discovery on Non-Structured Data • IBM StoredIQ
  2.3.2 Discovery on Structured Data • InfoSphere Information Server
  2.3.3 Definition of Data Catalogue
  2.3.4 Adding functional details
  2.3.5 Adding technology details
2.4 Applications adequacy
  2.4.1 Mapping of applications managing personal data • InfoSphere Information Server
  2.4.2 Assessment of compliance & gap analysis
  2.4.3 Implementation of actions for compliance
2.5 Privacy documentation adequacy
2.6 Privacy processes review/design
2.7 Automation of privacy processes
  2.7.1 Selection of processes
  2.7.2 Selection of ICT solutions • InfoSphere Information Server • InfoSphere Master Data Management • Case Manager • FileNet Platform • InfoSphere Optim
  2.7.3 Implementation of ICT solutions
  2.7.4 Reporting of facts and evidence
2.8 Data Management System – Data quality
  2.8.1 Define Life Cycle management requirements • InfoSphere Information Server • InfoSphere Master Data Management • Case Manager • InfoSphere Optim
  2.8.2 Embed Data Privacy rules into processes & systems
  2.8.3 Embed Data Privacy rules in Data Mgmt practice
IBM technology solutions as key enablers - Security
GDPR Program Work-stream / IBM software

3. Security Enforcement
3.1 Policy, Risk Analysis and Risk Treatment Plan
3.2 Preventive security measures
  3.2.1 Asset Management & classification of personal data • Guardium
  3.2.2 Training
  3.2.3 Data Security • Guardium
  3.2.4 Identity Governance & Management • Identity Governance and Intelligence (CrossIdeas)
  3.2.5 Access Management • Information Security Access Management
  3.2.6 Encryption & Pseudonymization • Guardium
  3.2.7 Server, End Point and Mobile Security • BigFix • Carbon Black • MaaS360
  3.2.8 Data Loss Prevention
  3.2.9 Vulnerability of DBs, Systems, Networks • QRadar Vulnerability Manager • Guardium
  3.2.10 Vulnerability of applications • AppScan
  3.2.11 Secure coding & SW development
  3.2.12 Network Security • XGS
  3.2.13 Back Up & Restore • TSM
  3.2.14 Monitoring processes • Guardium
  3.2.15 Audit processes
  3.2.16 Suppliers & Third Party management
3.3 Detection & Response security measures
  3.3.1 SIEM for Privacy Violation • QRadar SIEM
  3.3.2 Privacy Incident Management Process • Resilient • QRadar Incident Forensics
  3.3.3 Notification of data breach to Authority • Resilient
  3.3.4 Communication of data breach to Individual
3.4 Continuity and Recovery security measures
  3.4.1 Business Continuity Plan for personal data mgmt • IBM Business Continuity and Resiliency Services
  3.4.2 Disaster Recovery Plan for personal data mgmt
IBM Customer Confidential
Focus on IBM Security software
PREVENTION: Help to continuously stop attacks and remediate vulnerabilities
DETECTION: Identify the most important threats with advanced analytics and forensics
RESPONSE: Respond to incidents in an integrated and organized fashion
Other IBM prevention security software
Among the broad IBM Security portfolio, three software products are pivotal for compliance with the requirements:
• Early identification of attack and potential data breaches
• Monitor & audit of the overall infrastructure
• Monitor and audit access to personal data, detection and alerting of non-compliant access
• Fine-grained control of data modification
• Fast incident response following a suspected or actual breach
• Orchestration of incident response processes including collection of forensic information, analysis, reporting and remediation
Slide labels: "Purposes for GDPR", "Focus on Software"; Prevention / Detection / Response.
Security & Traceability – Guardium for GDPR: Fine-grained data access control
1. Identify and Mitigate Security Vulnerabilities
2. Discover & Classify Personal Data
3. Encrypt/Obfuscate (Pseudonymize)
4. Monitor and track data access and modification
5. Enforce right to access, modify, … data
6. Compliance Reporting
Capabilities shown on the slide: discover and classify data, assess vulnerabilities, report on entitlements; encrypt, mask, and redact sensitive data; monitor data and file activity; block, mask, alert, and quarantine dynamically; automate compliance and auditing; analytics.
Presenter notes: Another word about governance …. Central. Add messaging to this slide? Overlay messaging onto this slide.
1. Guardium Vulnerability Assessment: Identify and mitigate security vulnerabilities in data stores
Screen elements shown: Prioritized Breakdown; Detailed Test Results; Result History; Detailed Remediation Suggestions; Filters and Sort Controls; Current Test Results
Presenter notes: For the next use case: you are all probably familiar with network vulnerability scans. One of the best practices adopted in the security community in the last couple of years is to conduct database vulnerability assessments. This allows you to harden your database infrastructure by discovering and fixing unpatched and misconfigured systems, making it more difficult to penetrate these systems. InfoSphere Guardium allows you to scan specified databases, once again on a manual or scheduled basis, to identify these types of issues using a regularly updated IBM Knowledge Base. Since operational requirements cause database configuration to constantly change, InfoSphere Guardium allows you to regularly identify issues without the use of the highly skilled DBAs typically required to identify configuration issues.
Once you have completed an assessment you are presented with a variety of very helpful information, including:
• an overall test score, for a quick quantitative measure of your security posture;
• your test history, to ensure you are continuously improving;
• a breakdown of your test results by both priority and functionality, which is very helpful in developing a remediation plan that aligns with your resources;
• detailed results for each test, including a description of the test, suggested remediation if you failed the test, and helpful external pointers like CVE identifiers.
You get a very complete at-a-glance picture of the security posture of your database infrastructure without spending lots of time, effort, and cost.
2. Guardium Data Activity Monitor: Analyze and automatically discover sensitive data and uncover risks
• Automatically discover unregistered data repositories
• Automatically discover sensitive data in databases and file systems
• Classify sensitive data according to existing categories
• Add membership to controlled data groups or categories subject to security policies
• Comprehensive visibility, control and reporting
Slide labels: Sensitive Data Finder; Auto-discovery
Presenter notes: Metadata is part of the voiceover for bullet 1. Discover sensitive data and uncover risk: understand your sensitive data and where it resides; automate identification and classification of sensitive data; determine who is accessing sensitive data and spot anomalies with real-time activity monitoring; find compliance risks (automated); uncover risks and take action using automated forensics.
1) Discovering the data environment composition: you cannot govern what you do not understand. Find un-catalogued databases and classify sensitive information within them, including the entitlements.
2) Track activity against sensitive data: maintain security on a continuous basis by monitoring all transactions.
3) Protect against threats and data loss: automate controls to protect our sensitive data with real-time policy assessment and appropriate remediation (fine-grained policies with real-time alerts; prevent policy violations in real time (blocking)). Expand fraud identification at the application layer. Identify inappropriate use by authorized and privileged users.
4) And finally, help understand the security/risk posture and harden the data environment.
3. Guardium Data Encryption: Encrypt / Obfuscate (Pseudonymize)
4. Guardium Data Activity Monitor (DAM) for Databases: Monitor and track data access and modification
• Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users to detect unauthorized or suspicious activity
• Behavior analysis to detect outliers and spot anomalies
• Real-time alerting to prevent Data Loss
• Compliance automation
• Prepackaged compliance reports for SOX, PCI, etc.
• Does not rely on resident logs that can easily be erased by attackers, rogue insiders
Presenter notes: So now we come to the part where we should reap the benefits of the first two steps, because once you know about your data and you protect it, you will need to prove that your policies are effective. This is where the auditors are going to start asking questions. This is the step companies most likely skip, or do poorly, because it is labor intensive and complex. And thus we have many failed audits or breaches which end up in fines, liability, PR nightmares and loss of trust in the brand. Just to illustrate the urgency of this step: DBA user groups have reported that less than 40% of organizations have mechanisms to prevent privileged user tampering on databases or applications.
Most companies we encounter have no database security monitoring solution in place, or they have attempted to build a "home grown" solution based on native auditing. Although it can be done, these projects are really not effective:
• They require lots of labor, time, and expertise to set up and maintain in a heterogeneous large environment.
• Turning on native logging impacts the performance of the DB (10%-45%).
• Audit analysis means that you are responding after the fact, which is too late.
• And to top it off, there is no separation of duties (SOD): audit logs can be tampered with by the DBAs at will.
Add to this the data explosion into unstructured repositories (like Big Data) and cloud-based virtualized systems and you get a real mess. InfoSphere Guardium's real-time database monitoring platform helps clients safeguard their data, monitor database activity across heterogeneous environments, and reduce operational costs by automating regulatory compliance tasks.
Real-time monitoring and auditing has to be implemented to be able to respond to any data breach. InfoSphere Guardium enables clients to maintain trusted information infrastructures by continuously monitoring access and activity to protect high-value databases against threats from legitimate users and potential hackers. It:
• secures and protects high-value databases and identifies application-layer fraud;
• enables consistent enforcement of governance policies and demonstrates compliance;
• lowers compliance costs and effort compared to manual auditing, with no impact on existing business processes.
InfoSphere Guardium complements IBM's offerings for:
• Test Data Management solutions, by monitoring sensitive data access in test environments;
• Data Growth solutions, with the ability to monitor both active and inactive (archived) data;
• Data masking and protection solutions, enabling consistent governance and compliance with regulatory mandates such as PCI, HIPAA, DPP and more;
• automatically locating all databases, in both production and test environments, for monitoring and protection.
5. Guardium Data Activity Monitor (DAM) for Databases: Enforce right to access, modify, delete data
(Screenshot: SELECT on the Employee table)
Presenter notes: Example of detecting access to the database server from someone using the App Server credentials. Alerting is one of the options you have for policy rules. You can set up pretty fine-grained rules. Alerts can be sent to email, syslog and/or to a SIEM system such as QRadar. They will also appear on the Incident Management tab of the Guardium UI. Be careful about how you set the Action: Alert Per Match could end up sending a lot of emails to someone, depending on the type of SQL statement.
Notes: The most common type of exception rule created is to alert on x failed login attempts within x minutes; for example, 3 failed login attempts within 5 minutes. To create this alert, create a new exception rule as follows:
• Action = Alert Per Match
• Minimum Count = 3
• Reset Interval = 5
• Excpt. Type = LOGIN_FAILED
• DB User = . (a period)
Placing a period in DB User causes the system to place a counter on DB User, so that you will only receive an alert when the same user attempts to log in three times within five minutes. Otherwise, it will alert whenever there are three failed logins from any three users within five minutes, which could result in a great deal of false positives.
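The difference between a per-user counter and a global counter, as an added example that is not Guardium code or part of the original deck: it models the exception rule above (Alert Per Match, Minimum Count = 3, Reset Interval = 5, Excpt. Type = LOGIN_FAILED, DB User = ".") over a constructed log and shows the false positive the notes warn about. It assumes the counter is a sliding window over the reset interval that is cleared once an alert fires; the log format and field names are constructed for the example.

```python
"""Failed-login threshold rule, with and without a per-user counter.

Added example, not Guardium code. Assumption: the counter is a sliding
window over the reset interval and is cleared once an alert fires.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule as it would be entered in the policy builder (field names from the notes).
RULE = {
    "Action": "Alert Per Match",
    "Minimum Count": 3,
    "Reset Interval": 5,            # minutes
    "Excpt. Type": "LOGIN_FAILED",
    "DB User": ".",                 # "." = separate counter per DB user
}

# Constructed sample log (not real data): timestamp, exception type, DB user, client IP.
SAMPLE_LOG = """\
2018-03-01T09:00:05 LOGIN_FAILED alice 10.0.0.5
2018-03-01T09:00:40 LOGIN_FAILED bob   10.0.0.6
2018-03-01T09:01:10 LOGIN_FAILED carol 10.0.0.7
2018-03-01T09:02:00 LOGIN_OK     alice 10.0.0.5
2018-03-01T09:10:00 LOGIN_FAILED dave  10.0.0.8
2018-03-01T09:11:00 LOGIN_FAILED dave  10.0.0.8
2018-03-01T09:13:30 LOGIN_FAILED dave  10.0.0.8
2018-03-01T09:20:00 LOGIN_FAILED dave  10.0.0.8
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, type, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), etype, user, ip))
    return events


def evaluate_rule(rule, events, db_user=None):
    """Return one (timestamp, counter_key) tuple per alert raised by the rule.

    db_user overrides rule["DB User"]: "." keys the counter on the DB user;
    anything else (e.g. "" for an unset field) uses a single global counter.
    """
    key_on_user = (rule["DB User"] if db_user is None else db_user) == "."
    window = timedelta(minutes=rule["Reset Interval"])
    counters = defaultdict(deque)   # counter key -> timestamps of recent failures
    alerts = []
    for ts, etype, user, _ip in events:
        if etype != rule["Excpt. Type"]:
            continue
        key = user if key_on_user else "*"
        recent = counters[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # forget failures outside the interval
            recent.popleft()
        if len(recent) >= rule["Minimum Count"]:
            alerts.append((ts, key))
            recent.clear()          # threshold reached: start counting again
    return alerts


def false_positives(rule, events):
    """Alerts the global counter raises that the per-user counter would not."""
    per_user_times = {t for t, _ in evaluate_rule(rule, events, db_user=".")}
    return [a for a in evaluate_rule(rule, events, db_user="") if a[0] not in per_user_times]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-user counter:", evaluate_rule(RULE, evs, db_user="."))
    print("global counter:  ", evaluate_rule(RULE, evs, db_user=""))
    print("false positives: ", false_positives(RULE, evs))
```

With the sample log, only the per-user counter fires solely on dave's three failures; the global counter also fires on the three unrelated single failures from alice, bob and carol.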
5. Guardium Data Activity Monitor (DAM) for Databases: Enforce right to access, modify, delete data
• No database changes
• No application changes
• No network changes
• Without the performance or availability risks of an in-line database firewall
(Screenshot: "Session Terminated")
Presenter notes: The InfoSphere Guardium solution supports a wide range of responsive actions from the pull-down menu in the policy development interface. We just looked at an example of specifying a real-time alert, but a wide variety of other responsive actions exist, including blocking the transaction in real time and quarantining the user. The latter goes beyond blocking the transaction and blocks the user from accessing the resources in question for a fixed period of time, avoiding the cat-and-mouse game that can occur if a perpetrator is blocked: in those cases they then seek ways to avoid your control, so quarantine gives your security team time to investigate and remediate the issue.
But let's take a moment to examine how a transaction can be blocked in real time. In most cases, the blocking policies are written so that your production traffic (from applications) is not examined, since that is known to be secure. Other traffic, in this case a DBA trying to directly access our product database, is held by the blocking version of our software probe, the Data-Level Access Control product or SGATE, while the transaction is compared to your specified policy by the Collector. If a policy violation is detected, a message is sent back to the Data-Level Access Control software and the connection is terminated. You can see what the sequence of events looks like to the DBA in this GUI window, where they are using a desktop tool like SQL*Plus: when they try to access the sensitive credit card information, the transaction is blocked and the session is terminated.
Unlike database software-based approaches to prevention, such as those of Oracle or McAfee, the DLAC approach requires no changes to the database or application, which is a fundamental requirement of many organizations. And, unlike the in-line appliance approach of companies like Oracle or Imperva, it requires no network changes, nor the insertion of appliances that can introduce performance issues or a single point of failure.
4-5. Guardium Data Activity Monitor (DAM) for Files: Monitor and track data access and modification; Enforce right to access, modify, delete data
• File Activity Monitoring helps you manage access to your unstructured data containing critical and sensitive information.
• Provides complete visibility into activity by providing extensive compliance and audit capabilities.
Guardium introduces new file activity monitoring to identify normal and abnormal behavior and drill into the details:
• Understand your sensitive data exposure
• Get a full picture of ownership and access for your files
• Control access to critical files through blocking and alerting
• Gain visibility into all file entitlements and activity through custom reports and advanced search
Guardium GDPR Accelerator: A pre-defined knowledge set mapped to GDPR obligations
• Data Discovery and Classification for Personal Data
• Predefined Policies and Groups for GDPR Personal Data
• Auditing and Monitoring reports for GDPR Personal Data
• Support for GDPR Impact Assessment
• Compliance workflows and Audit Process Builder for notifications to auditors, controllers and DPO
Security & Traceability – QRadar Sense Analytics: Infrastructure control and advanced threat detection
Slide labels: Embedded Intelligence; Prioritized incidents
IDENTIFICATION
• Data collection, storage, and analysis
• Real-time correlation and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection
REMEDIATION
• Incident forensics
• Around-the-clock management, monitoring and protection
• Incident response
EXTENSIVE DATA SOURCES: servers & mainframes; data activity; network and virtual activity; application activity; configuration data; security devices; users & identities; vulnerabilities and threats; global threat intelligence
Presenter notes: QRadar SIEM excels at taking in massive amounts of enterprise-wide security data and using its advanced intelligence and analytics to build a prioritized list of incidents requiring immediate attention. Inside the Offenses tab, security teams can simply right-click any of the entries within the dashboard to see any of the underlying event and flow data, to start determining a remediation plan or to determine that the result was a false positive.
With the arrival of QRadar Incident Forensics, there's a new option for seeing even more supporting data extracted from the associated network packet data. This brings a new level of clarity to the incident and allows investigators to discover less obvious data connections and previously hidden relationships between multiple IDs.
Using Internet search engine technology, QRadar Incident Forensics presents a simplified user interface accepting free-form text and Boolean logic operators. The search criteria can use any packet capture metadata, reconstructed file metadata or keywords that would reside within a document, email, chat session, etc. Results are normally returned in minutes if not seconds. QRadar Incident Forensics does to full packet capture data what QRadar SIEM does to event and flow data: it helps security teams discover the malicious or anomalous conditions really, really quickly.
Products: QRadar Sense Analytics Engine, QRadar Incident Forensics, QRadar Incidence Response, IBM Managed Security Services
Security & Traceability – QRadar Sense Analytics: One platform to drive security intelligence and analytics
• Advanced Threat Detection
• Insider Threat Detection
• Risk and Vulnerability Management
• Incident Forensics
• Incident Response
• Compliance Reporting
• Securing Cloud
• Third-Party Usage
Presenter notes: This is just a summary of what we've been trying to communicate over the course of this presentation. The benefits to adopting or switching to QRadar Security Intelligence include:
• Faster identification of high priority issues, so you can quickly build an effective remediation plan
• Consolidation of data silos, so you can see the relationships between event and threat data and tune your implementation for even greater accuracy
• Ability to address regulation mandates, so you can pass any audit coming your way
• Stopping insider fraud and abuse, so you can contain and control data tampering, loss, etc.
• Tightening your security profile by reviewing asset configurations and removing vulnerabilities, so you are less exposed to commonly occurring attacks
Guardium & QRadar integration: Optimizing security while expanding monitoring scope for data sources
Data sources covered by Guardium: mainframe, network, infrastructure, data warehouse, big data, file, identity, database, application
• Save on network bandwidth for data audit logs
• Improve analytics performance by offloading data analysis
• Save on storage costs for duplicating data audit logs
• No need to turn on audit logs in the DB; save on DB/app performance
• Real-time analysis and preventive measures
• Normalized audit logs
Presenter notes: You may already be familiar with how Guardium complements and enhances QRadar by providing real-time insights into data risks and threats, while providing complete and normalized audit records for all data sources: databases, data warehouses, big data, and now files. This complete visibility is something they cannot get otherwise without affecting the performance and security of the data source itself. Just as you thought things could not get better, we have now added bidirectional support: we can now consume QRadar events and risk information. What good is that? Well, QRadar has a wealth of threat and security information about the IT environment as a whole; it simplifies preventive analysis of threats. So why not use that information to augment our alertness on the data side? If QRadar knows or detects rogue users or IP addresses that pose a risk, Guardium should know about it, to change the risk severity in its policies on data sources automatically.
Guardium & QRadar integration: Guardium Classification, VA and QRadar Vulnerability Manager
Presenter notes: Guardium assesses vulnerabilities in 3 areas:
1) At the database layer: looking for default permissions, bad configuration, outdated versions, or even custom tests.
2) At the OS level: also looking for missing patches, bad registry entries or environment variables, or security configuration issues.
3) From the observed behavior in the database activity monitoring analysis: like repeated failed login attempts.
Many of these tests are known issues and have a Common Vulnerability Event number or CVE assigned. Guardium sends a filtered report with CVE failures per resource to QRadar through a staging server. These reports can be sent using the AXIS format or the SCAP schema. QRadar SIEM can use these "Failed CVE reports" to determine the risk level of particular resources.
QRadar Vulnerability Manager is a new offering that allows customers to consolidate and model their security posture view by collecting vulnerability and configuration information from a wide set of sources. Traditionally, vulnerability scanners have focused on network, OS, or application vulnerabilities (in this priority order), and they have almost forgotten the database, which, as you know by now, is where most targeted attacks end up. Fortunately, Guardium VA provides a very complete vulnerability assessment for database and OS infrastructure, which can help QVM differentiate against the competition, since there are very few DB vulnerability assessment vendors.
SCP = secure copy.
QVM key features:
• Contains an embedded, well proven, scalable, analyst-recognised, PCI-certified scanner
• Detects 70,000+ vulnerabilities
• Tracks the National Vulnerability Database (CVE)
• Present in all QRadar log and flow collectors and processors
• Integrated external scanner
• Complete vulnerability view supporting 3rd party vulnerability system data feeds
• Supports exception and remediation processes of VM with seamlessly integrated reporting and dashboarding
Incident Management – IBM Resilient: How to handle and respond to security incidents
Unites Security Operations and Incident Response: Resilient will extend IBM's offerings to create one of the industry's most complete solutions to prevent, detect, and respond to threats.
Delivers a Single Hub for Response Management: Resilient will allow security teams to orchestrate response processes, and resolve incidents faster, more effectively, and more intelligently.
Integrates Seamlessly with IBM and 3rd Party Solutions: Resilient integrates with QRadar and other IBM and 3rd party solutions so organizations of various sizes can successfully resolve attacks.
IBM Resilient’s unique value
Resilient has the largest knowledge base of regulations regarding Data Breach incidents!
Presenter notes: Resilient is the industry standard solution for incident response. Our IRP integrates all other security technologies into a single hub, allowing easy workflow configuration and process automation. It arms security teams with best-in-class response capabilities. We bring a unique perspective to IR in that we align people, process, and technology together to drive improved response. It empowers security teams to analyze, respond, resolve and mitigate incidents faster, and integrates all other security technologies into a single hub, allowing easy workflow configuration and process automation. Bottom line: Resilient helps you save time, automate your IR processes, and empower your security team. One customer went from 20 days (on average) to close a security incident to less than 5 days.
IBM Resilient Incident Response Platform
Security Module
• Industry standard workflows (NIST, SANS)
• Threat intelligence feeds
• Organizational SOPs
• Community best practices
Action Module
• Automate processes
• Enrich incident details
• Gather forensics
• Enact mitigation
Privacy Module
• Global breach regulations
• Contractual obligations
• Third-party requirements
• Organizational SOPs
• Privacy best practices