IBM Security Guardium for Files Tech Talk: Intelligent Data Protection at Scale

© 2015 IBM Corporation

Dan Goodes, Guardium WW Center of Excellence, IBM Security
Doug Williams, SCMon for File Systems Architect, Security Assets Protection Team for IBM

Logistics

• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at the speaker’s discretion.
  – If we cannot answer your question, please do include your email so we can get back to you.
• When the speaker pauses for questions:
  – We’ll go through existing questions in the chat.

Reminder: Next Guardium Tech Talk

Next tech talk: What's new in Guardium Vulnerability Assessment V10
Speakers: Vikalp Paliwal, Product Manager; Louis Lam, Database Manager; Frank Cavaliero, Database Engineer
Date and time: Thursday, November 5th, 11:30 AM US Eastern, 8:30 AM US Pacific
Register here: ibm.biz/BdHXss

Corporations STILL struggle with security: Unstructured Data Security

• 40% yearly growth of the Digital Universe over the next decade
• 80% unstructured data in the enterprise
• 46% increase in the number of data breaches from 2013 to 2014
• 256 days it can take to identify malicious attacks
• 23% increase in the total cost of a data breach since 2013

IBM Security Guardium – Data Security & Privacy
Protect all data against unauthorized access and enable organizations to comply with government regulations and industry standards.

Coverage: on premise and on cloud.
• Data at rest: stored data in data repositories and sensitive documents (databases, file servers, big data, data warehouses, application servers, cloud/virtual, ...)
• Data in motion: over the network (SQL, HTTP, SSH, FTP, email, ...)

1. Prevent data breaches: prevent disclosure or leakage of sensitive data
2. Ensure data privacy: prevent unauthorized changes to data
3. Reduce the cost of compliance: automate and centralize controls across diverse regulations and heterogeneous environments
4. Identify risk: discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities

Questions you should be able to answer about your data

• Who has access to my repositories, folders, and documents?
• Which documents contain sensitive data?
• Who has been accessing the sensitive data?
• Where is my sensitive data overexposed? How do I fix this?
• Who is the likely data owner of a particular set of documents?
• Who should have ownership of specific documents in my organization?
• Who has unnecessarily permissive access to data?
• Which documents are unused and possibly ready to archive?
• Who deleted specific files?
• How quickly can I provide access to auditable data?

IBM Security Guardium for Files Use Cases
Protect sensitive and critical data without impacting your business.

• Protect critical configuration and application files: need to protect critical application files which can be accessed, modified, or even destroyed through direct access to the application or database server.
• Protect access to documents containing PII information: need to protect files containing PII data, while not impacting day-to-day business operations.
• Protect backend access to application documents: need to block backend access to documents managed by an enterprise application.
• Protect source code: need to protect source code and other intellectual property.

How does IBM Security Guardium for Files do it?

Covers data at rest and data in motion, through four phases:
• Discover: Where does your data reside? Where is the sensitive data? (File Discovery, Unstructured Data Classification)
• Harden: Who is the data owner? Who should have access? (Entitlements Reporting)
• Monitor: What is actually happening? (File Activity Monitoring)
• Protect: How to protect sensitive data to reduce risk? How to prevent unauthorized activities? (File Access Blocking)

File Activity Monitoring: Life cycle

Discover
• Scan and identify folders and files on the file system
• Extract and store metadata for all files
• Ongoing discovery process as new files are added to the file system

Identify user rights
• Gather user privileges, user groups, and file permissions

Classify
• Identify sensitive information in files
• Classify the files according to policy

Aggregate and normalize
• Store all collected metadata, user access rights, and sensitive data classification information in a secure central repository

View and audit
• View data through the Audit Browser
• Generate prepackaged or custom reports

Monitor and protect
• Create and apply policies for ongoing monitoring and protection of your data
• Get notified when suspicious activity is detected on monitored files
• Block file access to unauthorized parties

Protect critical files and documents (NEW!)

File activity monitoring helps you manage access to your unstructured data containing critical and sensitive information. It provides complete visibility into activity through extensive compliance and audit capabilities.

• Understand your sensitive data exposure
• Get a full picture of ownership and access for your files
• Control access to critical files through blocking and alerting
• Gain visibility into all entitlements and activity through custom reports and advanced search

Guardium introduces new file activity monitoring to identify normal and abnormal behavior and drill into the details.

Diagram: host-based probes (FS-TAP and S-TAP) report to a Collector.

Benefits: Automate and centralize controls

• Scalable multi-tier architecture
• Continuous monitoring and analytics
• Centralized audit repository
• Unified cross-database and file system solution
• Compliance workflow automation

Diagram: in each data center (Data center 1, Data center 2), web/application servers run Guardium host-based probes (S-TAP and FS-TAP) that report to a Guardium Collector; the Collectors feed a Guardium Aggregator that acts as Central Policy Manager and Audit Repository.

File Activity Monitoring: Main components

Components: Guardium Appliance; File Server running Discovery & Classification and the Activity Monitor.

1. FAM Discovery & Classification locates folders/files, extracts their metadata (name, path, size, last modified, owner, privileges, etc.) and classifies them.
2. FAM Monitor audits file activity according to policy.

File Activity Monitoring: Deployment

• Enable FAM Discovery on the Guardium Appliance.
• The Guardium Installation Manager (GIM) client should be installed on the File Server to be monitored.
• Upload the FAM (discovery) and S-TAP (monitoring) modules to the Guardium Appliance.
• Install the FAM module on the File Server through GIM.
• Install the S-TAP module on the File Server through GIM.

Diagram: on the File Server, the File Crawler discovers files, the ICM (Classification Server) classifies them, and the Analysis Engine sends the results to audit on the Guardium Appliance over Universal Feed.

File Activity Monitoring: Discovery and classification using IBM Content Classification (included)

• IBM Security Guardium for Files uses a local ICM (IBM Content Classification Module) to run classification on files.
• ICC matches sets of rules that are packaged as Decision Plans. FAM is shipped with out-of-the-box decision plans for detecting PCI, HIPAA, SOX and Source Files.
• Most common data file types are supported (PDF, Text, Word, PowerPoint, Excel, XML, CSV, logs, source code, configuration files, etc.).
• Decision Plans are created in a standalone Windows application called ICM Workbench that is available for our customers.
• For more in-depth information on IBM Content Classification please visit: http://www-01.ibm.com/support/docview.wss?uid=swg27020838

Workflow: in ICM Workbench, import a content set, add a knowledge base, and create/edit the Decision Plan; then upload the Decision Plan through the Appliance (Setup -> Tools And Views -> Upload Decision Plans) for use on the File Server.

File Activity Monitoring: Discovery and classification using IBM Content Classification

In Workbench, you specify the conditions for triggering a rule.

Rule capabilities:
– String search
– Word distance
– Dictionaries
– Regular expressions
– Pattern extraction
– Boolean expressions

Decision plan capabilities:
– Identify category
– Set document metadata
– Invoke statistical analysis
– Language identification

Workbench steps shown: (1) New Decision Plan, (2) New Rule, (3) New Condition, (4) Word Match.

File Activity Monitoring: Discovery and classification: Installation

• Enable FAM Discovery on the appliance.
• The GIM client will be installed on the requested File Server.
• The FAM module should be uploaded to the appliance.
• Install the FAM module on the client.

File Activity Monitoring: Discovery and classification: Installation (continued)

• After installation, the FAM Service is created and started on the File Server.
• You can then see active FAM agents on the Status Monitor screen.
• You can see uploaded data in the FAM Entitlement report.

File Activity Monitoring: Discovery and classification: Configuration

Configuration can be set remotely from the GIM module installation screen.

Scan parameters:
FAM_ENABLED: 0 = FAM Discovery agent is disabled; 1 = FAM Discovery agent is enabled; 2 = FAM Discovery agent is restarted.
FAM_SOURCE_DIRECTORIES: directory paths to run the scan on. Example: /home/soonnee
FAM_SCAN_EXCLUDE_DIRECTORIES: directories to exclude from scanning.
FAM_SCAN_EXCLUDE_FILES: files to exclude from scanning.
FAM_SCAN_MAX_DEPTH: limits the scan depth.

File Activity Monitoring: Discovery and classification: Configuration, cont.

Classification configuration:
FAM_IS_DEEP_ANALYSIS: True = enable classification of files based on their content; False = metadata and access permission extraction only.
FAM_ICM_CLASS_DECISION_PLANS: classification categories and their requested rules. Example: HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}
FAM_ICM_CLASS_THREAD_COUNT: number of classifier threads. Recommended value is 5.
FAM_ICM_URL: classification is run on the local server. Should be left as: http://localhost:18087

Appliance configuration:
FAM_SQLGUARD_IP: Guardium collector IP address.
FAM_SERVER_PORT: Guardium collector port. Default: 16022

File Activity Monitoring: Discovery and classification: Configuration, cont.

Scheduler configuration:
FAM_SCHEDULER_START_TIME: activation time for scanning.
FAM_SCHEDULER_REPEAT: False = do not repeat the scan. Default: true
FAM_SCHEDULER_HOUR_TIME_INTERVAL: interval between scans in hours.
FAM_SCHEDULER_MINUTE_TIME_INTERVAL: interval between scans in minutes.

Example: to run a scan every 12 hours and 30 minutes, set
FAM_SCHEDULER_HOUR_TIME_INTERVAL=12
FAM_SCHEDULER_MINUTE_TIME_INTERVAL=30
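The scan, classification, appliance and scheduler parameters above are easy to get subtly wrong (an enable flag outside 0/1/2, deep analysis switched on with no decision plan, the ICM URL pointed at a remote host, repeat enabled with a zero interval), and a misconfigured agent quietly scans nothing. The following pre-flight check is an added example written for this page, not IBM or Guardium code. It assumes the parameters are available as KEY=VALUE lines (the slides only show them as fields on the GIM screen), and the decision-plan syntax it parses is inferred from the single example value HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}; the sample IP address and directory names are constructed.

```python
"""Pre-flight check of a FAM discovery-agent parameter set.

Added example, not IBM or Guardium code. Assumptions: parameters arrive as
KEY=VALUE lines; the decision-plan syntax is inferred from the slide's one
example 'HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}'.
"""
import re

# Constructed sample parameter set using the parameter names and examples from the slides.
SAMPLE_CONFIG = """\
FAM_ENABLED=1
FAM_SOURCE_DIRECTORIES=/home/soonnee
FAM_SCAN_EXCLUDE_DIRECTORIES=/home/soonnee/.cache
FAM_SCAN_EXCLUDE_FILES=*.tmp
FAM_SCAN_MAX_DEPTH=8
FAM_IS_DEEP_ANALYSIS=True
FAM_ICM_CLASS_DECISION_PLANS=HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}
FAM_ICM_CLASS_THREAD_COUNT=5
FAM_ICM_URL=http://localhost:18087
FAM_SQLGUARD_IP=192.0.2.10
FAM_SERVER_PORT=16022
FAM_SCHEDULER_START_TIME=02:00
FAM_SCHEDULER_REPEAT=true
FAM_SCHEDULER_HOUR_TIME_INTERVAL=12
FAM_SCHEDULER_MINUTE_TIME_INTERVAL=30
"""

# Constructed misconfiguration: invalid enable flag, remote ICM URL, zero repeat interval.
BAD_CONFIG = """\
FAM_ENABLED=3
FAM_SOURCE_DIRECTORIES=/srv/share
FAM_IS_DEEP_ANALYSIS=True
FAM_ICM_CLASS_DECISION_PLANS=PCI{PCI_match}
FAM_ICM_URL=http://icm.example.internal:18087
FAM_SQLGUARD_IP=192.0.2.10
FAM_SCHEDULER_REPEAT=true
FAM_SCHEDULER_HOUR_TIME_INTERVAL=0
FAM_SCHEDULER_MINUTE_TIME_INTERVAL=0
"""

LOCAL_ICM_URL = "http://localhost:18087"      # value the slide says to leave unchanged
PLAN_RE = re.compile(r"^(\w+)\{([^{}]*)\}$")  # one 'CATEGORY{rule,rule}' entry


def parse_fam_config(text):
    """Parse KEY=VALUE lines (assumed format) into a dict; blank and '#' lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed parameter line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_decision_plans(spec):
    """Split 'CAT{rule,rule}:CAT{rule}' into {category: [rules]}."""
    plans = {}
    for part in filter(None, spec.split(":")):
        m = PLAN_RE.match(part)
        if not m:
            raise ValueError(f"bad decision plan entry: {part!r}")
        plans[m.group(1)] = [r.strip() for r in m.group(2).split(",") if r.strip()]
    return plans


def scan_interval_minutes(cfg):
    """Combined hour + minute interval, e.g. 12 h 30 min -> 750."""
    hours = int(cfg.get("FAM_SCHEDULER_HOUR_TIME_INTERVAL", "0"))
    minutes = int(cfg.get("FAM_SCHEDULER_MINUTE_TIME_INTERVAL", "0"))
    return hours * 60 + minutes


def validate_fam_config(cfg):
    """Return a list of problems; an empty list means the parameter set looks deployable."""
    problems = []
    if cfg.get("FAM_ENABLED") not in {"0", "1", "2"}:
        problems.append("FAM_ENABLED must be 0 (disabled), 1 (enabled) or 2 (restart)")
    if not cfg.get("FAM_SOURCE_DIRECTORIES"):
        problems.append("FAM_SOURCE_DIRECTORIES is empty: nothing would be scanned")
    if not cfg.get("FAM_SQLGUARD_IP"):
        problems.append("FAM_SQLGUARD_IP (collector address) is missing")
    depth = cfg.get("FAM_SCAN_MAX_DEPTH")
    if depth is not None and (not depth.isdigit() or int(depth) < 1):
        problems.append("FAM_SCAN_MAX_DEPTH must be a positive integer")
    if cfg.get("FAM_IS_DEEP_ANALYSIS", "False").lower() == "true":
        try:
            plans = parse_decision_plans(cfg.get("FAM_ICM_CLASS_DECISION_PLANS", ""))
        except ValueError as exc:
            problems.append(str(exc))
        else:
            if not plans:
                problems.append("deep analysis enabled but no decision plans configured")
        if cfg.get("FAM_ICM_URL", LOCAL_ICM_URL) != LOCAL_ICM_URL:
            problems.append(f"FAM_ICM_URL should be left as {LOCAL_ICM_URL}: classification runs locally")
        threads = cfg.get("FAM_ICM_CLASS_THREAD_COUNT", "5")
        if not threads.isdigit() or int(threads) < 1:
            problems.append("FAM_ICM_CLASS_THREAD_COUNT must be a positive integer (recommended 5)")
    if cfg.get("FAM_SCHEDULER_REPEAT", "true").lower() == "true" and scan_interval_minutes(cfg) == 0:
        problems.append("FAM_SCHEDULER_REPEAT is true but the hour/minute interval is zero")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_fam_config(parse_fam_config(text)) or "OK")
```

Running it reports the sample set as OK and lists three problems for the bad set; the scheduler helper turns the slide's 12 h / 30 min example into 750 minutes, which is the number worth sanity-checking against how long one full scan of the configured directories actually takes.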

Classification

Addressing difficulties in finding sensitive data in unstructured files.

Pattern matching helps extract: SSN, Zip-Code, Email, Phone Numbers, etc.

Examples for entity extraction:

1) Personal Name: Thomas B.M. David; Thomas David Jr.; Thomas, David; Dr. David; Pedro Pablo Gonzales Garcia
   Exclude: Thomas David St.; Francisco Bay

2) Location: West Westin ave., in South Carolina, 12345; 22 West Westin street, SC
   * Abbreviations: Route, Rte, US, Hwy, ln, lane, ave, avenue, st
   * Can include: state, continent, zip-code, location prefix, address localization, gaps
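To make the discovery and classification steps concrete (the life cycle's Discover and Classify stages, the FAM_SCAN_MAX_DEPTH and FAM_SCAN_EXCLUDE_* parameters, and the pattern-matching entities listed above), here is an added example written for this page; it is not IBM, Guardium or IBM Content Classification code. It walks a constructed sample share in a temporary directory, honouring a depth limit and directory/file exclusions, and applies constructed regular-expression rules for SSN, e-mail, phone and zip code plus a Luhn-checked card number, grouped into constructed category plans named HIPAA, PCI and PII. Those rule names, the category mapping and the sample files are assumptions for the demo, not ICC's shipped decision plans, and personal-name extraction is left out.

```python
"""Discovery walk plus content classification over a constructed sample tree.

Added example, not IBM, Guardium or ICC code. Entity patterns, category plans
and sample files are constructed for the demo.
"""
import fnmatch
import os
import re
import tempfile

ENTITY_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "Phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "Zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "CardCandidate": re.compile(r"\b\d{13,16}\b"),  # promoted to CreditCard only if Luhn passes
}

# Constructed category plans: a file gets the category if any listed entity is present.
CATEGORY_PLANS = {"HIPAA": ["SSN"], "PCI": ["CreditCard"], "PII": ["Email", "Phone"]}


def luhn_ok(digits):
    """Luhn checksum; filters random digit runs out of the card-number rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_entities(text):
    """Return the set of entity names found in a file's text."""
    found = set()
    for name, pattern in ENTITY_PATTERNS.items():
        if name == "CardCandidate":
            if any(luhn_ok(m) for m in pattern.findall(text)):
                found.add("CreditCard")
        elif pattern.search(text):
            found.add(name)
    return found


def classify(entities):
    """Map the entities found in one file to the sorted list of categories it triggers."""
    return sorted(cat for cat, needed in CATEGORY_PLANS.items() if any(e in entities for e in needed))


def scan_tree(root, max_depth, exclude_dirs=(), exclude_files=()):
    """Walk `root` at most `max_depth` directory levels deep, skipping excluded names,
    and return {relative_path: {"entities": [...], "categories": [...]}}."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        level = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        # Prune excluded directories; stop descending once the depth limit is reached.
        dirnames[:] = [d for d in dirnames if not any(fnmatch.fnmatch(d, p) for p in exclude_dirs)]
        if level >= max_depth:
            dirnames[:] = []
        for fname in filenames:
            if any(fnmatch.fnmatch(fname, p) for p in exclude_files):
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                entities = extract_entities(fh.read())
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = {"entities": sorted(entities), "categories": classify(entities)}
    return results


def build_sample_tree():
    """Create a constructed sample share in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="fam-demo-")
    files = {
        "hr/employees.csv": "name,ssn\nThomas David Jr.,123-45-6789\n",
        "finance/cards.txt": "refund to card 4111111111111111 exp 12/27\n",
        "finance/.cache/tmp.txt": "scratch copy 987-65-4321\n",      # excluded directory
        "docs/readme.txt": "Contact help@example.com or (555) 123-4567\n",
        "docs/address.txt": "22 West Westin street, SC 12345\n",     # zip code only
        "logs/app.log": "debug ssn=111-22-3333\n",                    # excluded file pattern
        "deep/a/b/c/secret.txt": "222-33-4444\n",                     # beyond max_depth=2
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, info in sorted(scan_tree(root, 2, {".cache"}, {"*.log"}).items()):
        print(rel, info)
```

With max_depth=2 and the two exclusions, the scan reports four files and finds nothing in deep/a/b/c, .cache or the log; rerunning it with a larger depth and no exclusions surfaces the three SSNs it had skipped, which is the trade-off the exclusion and depth parameters encode: they cut scan time at the cost of blind spots that should be chosen deliberately.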

File Activity Monitoring: Discovery and classification: Audit browser (Quick Search)

File Activity Monitoring: Main components (slide repeated from above)

File Activity Monitoring: Real-time activity monitoring – FS-TAP

File Activity Monitoring: Quick Search Audit Browser

File Activity Monitoring: Out of the box reports for Activity, Discovery, and Entitlements

IBM Security Guardium for Files: Demo

IBM Security Guardium for Files: IBM Source Code Monitoring Project

IBM Security Guardium

IBM uses Guardium for Files to analyze and protect source code by monitoring and auditing build servers.

Benefits gained by using Guardium:
• Ease of use: installation of Guardium Activity Monitor for Files on a build server in less than 2 minutes
• Low impact: runs invisibly with minimal impact to build environments
• Real-time alerting: build admin managers immediately notified to take action
• Scalability: Guardium infrastructure easily scaled to support more than 2,000 servers

IBM source code build protection using Guardium Activity Monitor for Files

Real-time monitoring of IBM build environments using Guardium and QRadar

Flow: Attack -> Detect -> Alert -> Report

• IBM Build Servers with source code (2000+ servers), running IBM Security Guardium Activity Monitor for Files: real-time monitoring; captures all file access activities (user data, timestamp, file info, process info)
• QRadar SIEM: analytics, alert detection and alert generation; rules-based alerting on anomalies, thresholds, correlations and reference sets
• Web Application Portal (custom developed): QRadar interface, alert management, user action reporting, report management, build server DB; alert reporting and systems management
• Reports delivered to the Executive

100% protection success with no source code loss

Guardium Activity Monitor for Files detects multiple types of source code thefts

Flow: Guardium monitors all file access on the Build Server (with the Guardium Monitoring Client); file access data is sent to the Guardium Appliance (VM); Guardium captures suspicious activity; suspicious file activity is sent to the QRadar Appliance (VM) for real-time analytics; an ALERT is generated.

Theft types detected: files emailed; files transferred to unapproved sites; physical theft of files.

Guardium Activity Monitor for Files advantages:
• Ease of use: installation of Guardium Activity Monitor for Files on a build server < 2 mins
• Low impact: runs invisibly with minimal impact to build environments
• Real-time alerting: build admin managers immediately notified to take action
• Scalability: Guardium appliance infrastructure supports > 2000 servers
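The two build-protection slides describe the SIEM side only by rule type (anomalies, thresholds, correlations, reference sets) and by outcome (files emailed, transferred to unapproved sites, physically taken), so here is an added example of what those rules look like when run over the captured fields (user, timestamp, file, process). It was written for this page and is not IBM, Guardium or QRadar code; the source tree path, the reference sets of approved, mail and transfer processes, the removable-media prefixes, the thresholds and the event log are all constructed. The correlation rule is the instructive one: a plain copy to a USB mount is made by an approved tool and would pass a reference-set check alone, and is only caught by pairing it with the source read that preceded it.

```python
"""Rule-based alerting over file-access events from a source-code build server.

Added example, not IBM, Guardium or QRadar code. Event fields follow the slide
(user, timestamp, file, process); reference sets, thresholds and events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SOURCE_ROOTS = ("/src/",)                                      # monitored source tree (constructed)
SERVICE_ACCOUNTS = {"buildsvc"}                                # exempt from the volume threshold
APPROVED_PROCESSES = {"make", "gcc", "ld", "git", "vim", "cp"}  # reference set: expected tooling
MAIL_PROCESSES = {"thunderbird", "sendmail", "mutt"}           # reference set: "files emailed"
TRANSFER_PROCESSES = {"scp", "curl", "ftp", "rsync"}           # reference set: "unapproved sites"
REMOVABLE_PREFIXES = ("/media/", "/run/media/")                # where a physical copy would land
READ_THRESHOLD = 20                        # distinct source files per user ...
READ_WINDOW = timedelta(minutes=10)        # ... within this window
CORRELATION_WINDOW = timedelta(seconds=60)  # source read -> removable write pairing


def is_source(path):
    return path.startswith(SOURCE_ROOTS)


def _alert(rule, event, **extra):
    return {"rule": rule, "user": event["user"], "path": event["path"],
            "process": event["process"], "ts": event["ts"].isoformat(), **extra}


def evaluate(events):
    """Apply reference-set, threshold and correlation rules; return alerts in time order."""
    alerts = []
    reads = defaultdict(deque)   # user -> (ts, path) of recent source reads
    threshold_fired = set()      # one mass_read alert per user, not one per extra file
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, proc, path = e["ts"], e["user"], e["process"], e["path"]
        if is_source(path):
            # Reference-set rules: which process touched source code?
            if proc in MAIL_PROCESSES:
                alerts.append(_alert("files_emailed", e))
            elif proc in TRANSFER_PROCESSES:
                alerts.append(_alert("files_transferred", e))
            elif proc not in APPROVED_PROCESSES:
                alerts.append(_alert("unapproved_process", e))
            if e["op"] == "read":
                window = reads[user]
                window.append((ts, path))
                while window and ts - window[0][0] > READ_WINDOW:
                    window.popleft()
                distinct = {p for _, p in window}
                # Threshold rule: unusually many distinct source files read inside the window.
                if (len(distinct) > READ_THRESHOLD and user not in SERVICE_ACCOUNTS
                        and user not in threshold_fired):
                    threshold_fired.add(user)
                    alerts.append(_alert("mass_read", e, distinct_files=len(distinct)))
        elif e["op"] == "write" and path.startswith(REMOVABLE_PREFIXES):
            # Correlation rule: same user read source shortly before writing to removable media.
            recent = [p for t, p in reads[user] if ts - t <= CORRELATION_WINDOW]
            if recent:
                alerts.append(_alert("copy_to_removable_media", e, source_file=recent[-1]))
    return alerts


BASE = datetime(2015, 10, 22, 8, 0, 0)  # synthetic start time


def _ev(offset_s, user, op, path, process):
    return {"ts": BASE + timedelta(seconds=offset_s), "user": user, "op": op,
            "path": path, "process": process}


def sample_events():
    """Constructed event log: a normal build, a bulk read, a mail client, a USB copy, an scp."""
    events = [_ev(i * 2, "buildsvc", "read", f"/src/core/f{i}.c", "make") for i in range(30)]
    events += [_ev(3600 + i * 10, "jdoe", "read", f"/src/core/f{i}.c", "vim") for i in range(25)]
    events.append(_ev(3900, "jdoe", "read", "/src/core/crypto.c", "thunderbird"))
    events.append(_ev(7200, "asmith", "read", "/src/app/main.c", "cp"))
    events.append(_ev(7205, "asmith", "write", "/media/usb0/main.c", "cp"))
    events.append(_ev(7500, "asmith", "read", "/src/app/net.c", "scp"))
    return events


if __name__ == "__main__":
    for a in evaluate(sample_events()):
        print(a)
```

The build account's thirty reads through make produce nothing, which is the point of the service-account exemption and the approved-process set: the rules are tuned so that the normal build is silent and each alert maps to one of the theft types the slide names.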

IBM Security Guardium for Files: SCMON Demo

Learn more about IBM Security

• 133 countries where IBM delivers managed security services
• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia

Visit our website: ibm.com/guardium
Watch our videos: https://ibm.biz/youtubeguardium
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Legal notices and disclaimers

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security