Transcript
Daniel Perlov, WW Tech Support Lead for InfoSphere Guardium, and Abdiel Santos, Sr. L3 Engineer. 11 April 2013
IBM InfoSphere Guardium Tech Talk: Take Control of your IBM InfoSphere Guardium Appliance
Information Management
© 2013 IBM Corporation
Information Management – InfoSphere Guardium
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the speaker's discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions:
– We'll go through existing questions in the chat
– Raise your hand in the SmartCloud meeting room if you want to ask a question verbally and we'll call your name
– You will need *6 to unmute your phone line if you are dialed in
April 11, 2013
IBM InfoSphere Guardium Tech Talk
© 2013 IBM Corporation
Reminder: Guardium Tech Talks
Next tech talk: Implementing InfoSphere Guardium Database Activity Monitoring for DB2 for z/OS
Speakers: Roy Panting and Ernie Mancill
Date & Time: Thursday May 16, 2013 11:30 AM Eastern
Register here: http://bit.ly/15WNmlE
Links to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o Please submit a comment on that page with ideas for tech talk topics.
Guardium Overview
Before we dive into the details of the Guardium solution, let's talk for a minute about data security.
Data Activity Monitoring
Slide image caption: "You know? You can do this online now."
Our lifestyle has changed dramatically over the last 10-20 years. We no longer go out shopping; we shop on the internet at Amazon, eBay and so many other internet retailers. We get our entertainment from Netflix, Hulu, Pandora and so on, and we do not need to go to the bank to check a balance or pay bills. Our sensitive personal information, including our addresses, phone numbers, bank accounts, health records and more, is all over the internet. The picture above is a great depiction of the paradigm change we are talking about.
Challenges of the native security tools
- DB specific
- Intrusive
- Labor and time consuming
- No separation of duties
- Not real-time
- No preventive controls
- Inconsistent policies across applications, DBMS platforms, compliance initiatives
- Can't identify end-user for connection-pooled applications that use generic service accounts (SAP, PeopleSoft, etc.)
- Lack of DBMS expertise on security teams
Guardium didn’t invent database security. Many database vendors came up with their own native solutions for database security. But are they sufficient?
IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance
- Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
- Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
- Data protection compliance automation
Architecture diagram: Data Repositories (databases, warehouses, file shares, Big Data) -> Host-based Probes (S-TAPs) -> Collector Appliance
Key Characteristics
- Single Integrated Appliance
- 100% visibility including local DBA access
- Non-invasive/disruptive, cross-platform architecture
- Minimal performance impact
- Dynamically scalable
- Does not rely on resident logs that can easily be erased by attackers, rogue insiders
- SOD enforcement for DBA access
- Auto discover sensitive resources and data
- Detect or block unauthorized & suspicious activity
- Granular, real-time policies: who, what, when, how
- No environment changes
- Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
- Growing integration with broader security and compliance management vision
Let's take a quick look at how Guardium achieves these benefits. An essential component of privacy and protection is maintaining real-time insight into database access and activity, to protect enterprise data and comply with regulatory requirements. Guardium enables IBM clients to maintain trusted information infrastructures by continuously monitoring access and activity to protect high-value databases against threats from legitimate users and potential hackers. Additionally, Guardium assesses the vulnerability of the database infrastructure itself to ensure its continued highest level of security. And last, we also reduce operational costs by automating regulatory compliance tasks. It does this using a single integrated appliance, which can be configured as a Collector, a Central Policy Manager, or a Vulnerability Assessment Server simply by applying license keys. The key to monitoring non-intrusively is the STAP, a lightweight kernel shim that is installed on the DB server and taps all DB traffic (operations, data, errors, inbound and outbound). Basically, Guardium is a gateway to all data flows. No DB, application, or network changes are necessary. All this traffic is collected at the Collector, which runs policy against it and provides real-time alerting. If you also want to control or block traffic, the STAP can be configured as an SGATE. The Central Policy Manager is the central point of control for all collectors. You may notice that all major DB infrastructures and some major applications are supported. This is where Guardium provides extra value-add, through in-depth understanding of all these protocol and schema differences. The appliances can be configured in a grid that is dynamically scalable, and extends to support even virtualized and cloud environments. Need to expand your environment? Add more probes and collectors.
The STAP takes at most a 2% performance hit on DBs, which is much less than turning native auditing on, with the additional benefit of SOD, since the DB admin does not have control over the appliance and cannot affect its audit collection. The appliance is easily deployable, and it discovers not only the DBs but also the sensitive data and objects within them. It can even relate these objects to certain applications like SAP, PeopleSoft, Siebel, SharePoint, etc. This gives customers a quick overview of their current entitlements, which enables them to control privileged access. Once set up, the Collector or Central Policy Manager can gather all the audit information in a normalized format (like a SIEM for DBs). The Vulnerability Assessment tool scans these DBs and DB servers for needed patches or configuration hardening, based on periodically updated vulnerability templates. All this information (configuration, vulnerability, audit) can easily be packaged and reported for the major regulations; we have pre-packaged modules for each major regulation. And, the part that may interest you the most, Guardium can readily integrate with several security and systems management solutions, providing a complementary in-depth view of the database security posture.
Guardium Overview
Typical Guardium deployment topology. STAPs intercept DB traffic and send it to collectors. From the collectors, data is transferred to aggregators for reporting purposes. The Central Manager unit provides a single control point for the entire environment.
Taking Control: Ensure Appliance Availability
- System Availability
- Activity Monitoring
- Data Uploads
- Backup & Aggregation
- Scheduled Tasks
- Audit Processes
- System Configuration
- Guardium User Activities
- Guardium Access Control
These are the main areas of Guardium administration.
Activity Monitoring
[Diagram: activity monitoring topology. Sites shown: Off-shore, Remote Locations, HR, Finance, Data Center. Components: Remote Monitor, Collector, Local Access Monitor, Internet, Aggregator/Central Manager.]
Captured data flows from the agents (STAPs) to the collectors.
Data Upload – LDAP
[Diagram: data upload topology with the same sites and components as above, plus LDAP and Custom Domains as upload sources feeding the collectors and the Aggregator/Central Manager.]
Uploading data from external sources, for example LDAP, is commonly used to populate groups of users.
Backups & Aggregation
[Diagram: backups and aggregation. Collectors at each site (Off-shore, Remote Locations, HR, Finance) aggregate to the Aggregator/Central Manager; collectors are also backed up.]
Data moves nightly to the aggregators (data repositories) for reporting. Data also needs to be archived and backed up.
Taking control tasks
System
- Uptime & Reboots
- Disk space (% full)
- CPU Load
- Memory Usage
- Failed Logins
Guardium User Activity
- Login / Logout
- Full Audit Trail
- Data Level Security
- Application Level Security
- Credential Changes
Internal Database
- Status: up/down
- Disk Space (% full)
- System Resources
- Currently running queries
- Response Times
Web Service & Applications
- Status: up/down
- Scheduled Jobs Exceptions
- Audit processes
- Correlation alerts
- Configuration changes
- CAS templates
- Auto Detect process
- Classification process
- Vulnerability Assessment
Information Inflow
- S-TAP
- CAS
- Data Upload (Domains)
- LDAP Imports
Inspection Core (snif)
- Status: up/down/overloaded
- CPU & memory usage
- Identify bottlenecks
- Lost requests
- Policy & Configuration Changes
Database Activity Patterns
- Database types
- Database Servers
- Session/SQL Count
- Activity rates
- Ignored data
Taking Control - Policy
Policy is a very important tool to control traffic flow.
Taking Control - Self Monitoring Tools
Available Tools
- Graphical Monitors
- Reports & Alerts
- Audit Process
- Self Monitoring daemon (nanny)
- SNMP Polling & Traps
- Diagnostic Tools
- Dashboard
- One-click Data Gathering
- Automatic Data Analysis
Self Monitoring – Predefined Monitors
[Monitor screenshot: analyzer backlog and logger backlog, dropped packets, logged and analyzed counts, Disk/DB utilization.]
This monitor shows the health status of the inspection core and Disk/DB usage. The inspection core has two major components, the analyzer and the logger, and this monitor shows the performance of each component.
Self Monitoring – Predefined Monitors
Here are more examples of special predefined monitors that report on system health.
Self Monitoring Reports
Self Monitoring – Domains
38 total query domains, 18 of them self-monitoring
Customers can create their own reports on any of the domains in the list.
Self Monitoring – Alerts
This is a list of the predefined alerts that are available to customers out of the box. Many more alerts can be added by the customer.
Self Monitoring – Audit Process
The audit process allows reports to be generated on a schedule and forwarded to designated recipients.
System utilization – Buffer Usage Monitor report
This report contains a lot of useful information about appliance health and utilization.
Dashboard
The dashboard is based on the Buffer Usage Monitor report from the previous slide. It analyses the report data against utilization thresholds and presents the results as green, yellow or red colored lines to indicate light, medium or heavy appliance utilization.
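To make the dashboard logic concrete, here is an added example (not IBM code, and not from the talk) that rates constructed Buffer Usage Monitor-style samples against utilization thresholds the way the dashboard does, and also flags a steadily growing analyzer backlog as a sign of an overloaded inspection core. The metric names, threshold values and sample rows are all assumptions chosen for illustration.

```python
"""Appliance health rating modelled on the Guardium self-monitoring dashboard in
the talk: Buffer Usage Monitor data rated green/yellow/red against utilization
thresholds. Added example, not IBM code; metric names and thresholds are assumed."""

# Assumed thresholds: (yellow_from, red_from) in each metric's own unit.
THRESHOLDS = {
    "analyzer_backlog": (1_000, 10_000),  # requests queued for the analyzer
    "logger_backlog":   (1_000, 10_000),  # records queued for the logger
    "dropped_packets":  (1, 1_000),       # any loss is yellow, heavy loss red
    "disk_pct_full":    (70.0, 90.0),
    "db_pct_full":      (60.0, 85.0),
}
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

def rate(metric, value):
    """Map one metric value onto green / yellow / red."""
    yellow_from, red_from = THRESHOLDS[metric]
    if value >= red_from:
        return "red"
    return "yellow" if value >= yellow_from else "green"

def assess(sample):
    """Rate every known metric in a sample; sniffer status is binary."""
    ratings = {m: rate(m, sample[m]) for m in THRESHOLDS if m in sample}
    ratings["sniffer"] = "green" if sample.get("sniffer_up") else "red"
    return ratings

def overall(ratings):
    """Worst colour wins, as on the dashboard's summary line."""
    return max(ratings.values(), key=SEVERITY.__getitem__)

def backlog_growing(samples, metric="analyzer_backlog", window=3):
    """True if the backlog rose across the last `window` samples: a steadily
    growing backlog signals an overloaded inspection core before any single
    reading crosses the red threshold."""
    vals = [s[metric] for s in samples[-window:]]
    return len(vals) == window and all(b > a for a, b in zip(vals, vals[1:]))

# Constructed samples standing in for Buffer Usage Monitor rows.
SAMPLES = [
    {"ts": "09:00", "sniffer_up": True, "analyzer_backlog": 120, "logger_backlog": 80,
     "dropped_packets": 0, "disk_pct_full": 41.5, "db_pct_full": 38.0},
    {"ts": "09:05", "sniffer_up": True, "analyzer_backlog": 2_400, "logger_backlog": 150,
     "dropped_packets": 0, "disk_pct_full": 41.6, "db_pct_full": 38.0},
    {"ts": "09:10", "sniffer_up": True, "analyzer_backlog": 6_900, "logger_backlog": 300,
     "dropped_packets": 12, "disk_pct_full": 41.7, "db_pct_full": 38.1},
]

def report(samples=SAMPLES):
    """One (timestamp, overall colour) pair per sample, plus the trend flag."""
    return [(s["ts"], overall(assess(s))) for s in samples], backlog_growing(samples)

if __name__ == "__main__":
    rows, overloaded = report()
    print(rows, "analyzer backlog rising over last 3 samples:", overloaded)
```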
Dashboard details
All system configurations controlled from Central Manager
[Diagram: the same deployment topology (Off-shore, Remote Locations, HR, Finance sites with Remote Monitor, Collector, Local Access Monitor) with all configuration flowing from the Aggregator/Central Manager over the Internet.]
All the definitions, reports, queries, alerts, audit processes, policies etc. can be defined from the Central Manager.
Supportability
CLI Account Shell
InfoSphere Guardium is a security appliance with a strict access control policy.
No user access is allowed at the OS level, which ensures audit data reliability.
The CLI provides limited and controlled access in special cases such as:
– Initial settings
– Password management
– Troubleshooting and diagnostics
– more
Product Supportability Enhancements
- A set of new CLI support commands
- Large suite of new 'must gather' commands which can be run from the CLI
- Support analyze commands
- S-Tap Loader Harness utility to assist in Linux S-Tap installations
- SGATE firewall force watch and force un-watch mode
- STAP Statistics for monitoring STAP performance from the UI of the appliance
- Comprehensive STAP diagnostics utilities
CLI support commands
support reset-password root
support show db-processlist < running|all|locked > [ full ]
support show db-top-tables < all | like < string > >
support show large_files < size > < age >
support show netstat
support show top
support show db-struct-check
support clean DAM_data – exceptions, full_details, msgs, constructs, access, policy_violations, parser_errors, flat_log, audit_results
support clean audit_task
support clean log_files
support check tables
CLI support must_gather commands
Automatic diagnostic data collection by subject type:
- Aggregation
- Alerts
- General GUI
- Audit Process
- Backup/Restore
- Central Manager
- Missing DB User
- Data purge
- Scheduler
- Sniffer
- System/DB stats
Must Gather CLI Commands support must_gather app_issues
This is a usage example of one of the must_gather commands.
Must Gather CLI Commands – files location
Must Gather CLI Commands – reviewing results
PMR Stamping PMR Stamping functionality automatically copies and displays basic appliance information in the PMR body. PMR Stamping is done when the must_gather tgz file is uploaded to the PMR ticket.
CLI support analyze commands
A new class of commands, introduced recently, that automatically check for potential issues and generate warnings to the user; this diagnostic helps proactively prevent potential issues:
support analyze sniffer
support analyze tap_property
CLI Commands: support analyze tap_property
Purpose: this command analyzes the values of fields, and specific field combinations, from the SOFTWARE_TAP_PROPERTY and SOFTWARE_TAP_DB_SERVER tables in order to identify potential issues with the STAP configuration.
CLI Commands support analyze tap_property
CLI Commands support analyze sniffer
STAP Statistics
STAP statistics is a recently added feature which sends performance statistics from ktap, stap, and the host database server to the appliance, where they can be reviewed in reports. To enable STAP statistics you must configure the stap_statistic parameter in guard_tap.ini; the value of the stap_statistic parameter specifies the polling interval for data gathering. A new STAP Statistics domain allows customers to create custom reports on the statistics data.
STAP Statistics
This is an example of a STAP statistics report.
STAP Diagnostics Utilities
guard_diag (Unix/Linux) and diag.bat (Windows) are utilities which facilitate the collection of diagnostic information for STAP issues. Both guard_diag and diag.bat can be invoked directly on the database server as scripts. Additionally, guard_diag can be invoked from the appliance UI.
STAP Diagnostics Utilities – Guard_diag (cont.)
Use the 'stap commands' icon to invoke Run Diagnostics.
Resources
Guardium support home page: http://www947.ibm.com/support/entry/portal/overview/software/information_management/infosphere_guardium
Guardium documentation: http://www947.ibm.com/support/entry/portal/documentation/software/information_management/infosphere_guardium
Thank you very much for your time today.