IBM Security Guardium Tech Talk: Vulnerability Assessment for SAP HANA
Rest Easy by Automating SAP HANA Vulnerability Assessments
June 21, 2016
Kathy Zeidenstein, Guardium Community Advocate, IBM
Vikalp Paliwal, Offering Manager, IBM Security Guardium
Peter Dwyer, Principal Technologist, Guardium Engineering
2 IBM Security
Upcoming Tech Talks
Worrying About Your Whitelists – Guardium Tips and Tricks for Deciding What to Trust
Speaker: John Haldeman, Enterprise Architect, Information Insights, LLC
Date and time: July 21, 2016, 08:00 AM PDT / 11:00 AM EDT
Register here: http://ibm.biz/GTechwhitelist
Guardium community on developerWorks: bit.ly/guardwiki
Agenda
• Why compliance needs Guardium Vulnerability Assessment – an overview
• SAP HANA Vulnerabilities
• VA for SAP HANA Demo with Remediation
• Other key Resources for VA
IBM Security Guardium: Analyze. Protect. Adapt.
• Monitor and analyze data access and configurations to uncover threats
• Protect data and files from inappropriate access and data leakage
• Adapt and change to evolving enterprise environments and reduced security skills
Data Security Intelligence Scope (diagram)
Dimensions: Dynamic vs. Static; Data at Rest, Configuration, Data in Motion
Data sources covered: Databases, Data warehouses, Hadoop, NoSQL, in-memory DB, Files, Apps
Column headers: Discover, Harden, Monitor, Protect (Risk Analysis / Protect / Risk Analysis / Protect)
• Discover: Discover; Classify; Entitlements; Forensics; Compliance; Vulnerability Assessment; Config changes history
• Harden: Encryption; Remediation of vulnerabilities; Patching; Config change; Policy change
• Monitor: Monitor data traffic (DAP); Alert; Audit data access; Monitor config changes
• Protect: Blocking (DLP); Dynamic Data Masking (redaction, Q/W) (DDM); Quarantine; Virtual Patch
Governance driven by easy and quick to Adapt: Buy + Deploy + Manage + Use + Maintain
Enterprise, GB, Cloud, Mobile, Social
Why compliance needs Guardium Vulnerability Assessment – an overview
How Guardium Vulnerability Assessment addresses PCI-DSS

Req | Description | IBM Security Guardium Capability
2 | Do not use vendor-supplied defaults for system passwords | Comprehensive suite of DBMS-specific tests based upon industry standards (CIS, STIG)
3 | Protect stored cardholder data | Real-time database leak prevention
6 | Develop and maintain secure systems and applications | Centralized vulnerability and configuration assessment
7 | Restrict access to cardholder data by business need-to-know | Proactive, real-time access control (independent of native DBMS controls)
8 | Assign a unique ID to each person with computer access | Complements native DBMS controls with external, cross-DBMS controls
10 | Track and monitor all access to network and cardholder data | Continuous, granular auditing with scalable architecture to handle high transaction volumes
11 | Regularly test security systems and processes | Integrated vulnerability scanning, file integrity monitoring & behavioral vulnerability testing
12 | Maintain a policy that addresses Information Security for all | Robust automated controls for enforcing information security policies
Audit Requirements (mapped against PCI DSS, COBIT (SOX), ISO 27002, Data Privacy & Protection Laws, and NIST SP 800-53 (FISMA))
1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
SOX compliance requires having the right permissions and controls in place.
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
EU* General Data Protection Regulation (GDPR) requires enhanced obligations on data controllers and processors
• Operationalization of a Data Protection by Design and by Default process
• Requirement to conduct risk analysis and Data Protection Impact Assessments (DPIA)
• Implementation of technical and organizational security measures appropriate to the risks presented
• Breach notification obligations
• Increased obligations for data processors
• Increased rules on the transfer of data outside the European Economic Area (EEA)
*EU: European Union
Vulnerability Assessment Technology is used to support security threat management and compliance
Vulnerability Assessment Solution scope (diagram): Database, Network, Infrastructure, Endpoint, Applications
• In-depth assessments of databases and applications such as ERP systems (for example SAP or Oracle), especially, are not widely supported in traditional VA solutions, which focus on devices
• IT Security managers choosing a VA solution must make dedicated, ongoing vulnerability signature support and maintenance for the majority of their asset base a critical requirement.
– Gartner, Market Guide for VA
“Secure your crown jewels”
Proactively identifying and mitigating risk to secure data assets
Guardium Vulnerability Assessment is used to support data security threat management and compliance
• For data security threat management: use VA for security configuration assessments to reduce overall enterprise risk from sophisticated attacks
• For compliance: use VA for scanning requirements for regulatory compliance (like PCI DSS, GDPR, HIPAA, STIG, PHI, SOX)
ANALYZE. PROTECT. ADAPT.
Identify vulnerabilities across multiple platforms from a single console
• Automatically discover and classify sensitive data to expose compliance risks
• Analyze misconfigurations and default settings to uncover risks
• Understand who is accessing data, spot anomalies and stop data loss in real time
• Supports exception and remediation processes with seamlessly integrated reporting and dashboarding
• Tracks the National Vulnerability Database (CVE) and the X-Force DB
• Supports virtual patching through exceptions
• Integrates with SIEM (QRadar), QVM, AppScan and other VM tools
• New user experience supports comprehensive visibility, control and reporting
• Supports 15 database, data warehouse and big data (NoSQL) platforms
• More than 2200 vulnerability assessment tests
• STIG benchmarks for Oracle 11gR2 and SQL Server 2012
• NEW: the latest Q2 DPS tests include additional new tests for Oracle, MySQL, Postgres, DB2 for z/OS and DB2 for i
3 steps to easy deployment (diagram)
Enterprise-wide scalability: Guardium supports the most complex IT environments
Leverage security industry best practice and benefits . . .
Secure
• Privileges, authentication
• Configuration settings
• Security patches
• Password policies
• OS-level file permissions
Enforce
• DISA STIG, CVE and CIS
• SAP Security
Performance: zero impact
Established baseline
• User-defined queries for custom tests to meet the baseline for your organization, industry and application
Forensics
• Advanced forensics and analytics using custom reports
• Understand your sensitive data risk and exposure
• Ownership and access for your files
VA Data sources
• Data source definitions are created to hold the JDBC connection parameters used to connect to the various DBMSs and scan them for DB vulnerabilities
• A customizable report lists all data sources defined for VA scans
• If multiple data sources need to be created or updated at the same time, it can be done via CSV upload
• Upload a CSV file containing the data source information for bulk data source creation / updates
Update with the latest discovered vulnerabilities
• Notifications are sent when the latest vulnerability assessment tests become available
• DPS packages are updated regularly
• Download the quarterly DPS package from the IBM Fix Central website
• Easily upload the DPS package from the Guardium appliance GUI
Guardium provides tests for the latest SAP HANA vulnerabilities
SAP HANA support: v1.00, v1.01+110 (both cloud and on premise)
VA test coverage (65 tests in total):
• Password policies
• Default SYSTEM password, system privileges and roles
• Database object privileges granted to PUBLIC
• Database object privileges granted to individual users
• Database object privileges granted with grant option
• Version and patches
• HTTP, JS specific vulnerabilities
• CAS (file permission and ownership)
Enforces strict guidelines from STIG, CIS, CVE and SAP Security for SAP HANA vulnerabilities
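To make the privilege and SYSTEM-user categories above concrete, here is an added illustration (not Guardium's code or its test definitions) of how three such checks pair a query against the HANA system views with a PASS/FAIL evaluator. The view and column names (SYS.USERS with USER_DEACTIVATED; SYS.GRANTED_PRIVILEGES with GRANTEE, GRANTEE_TYPE and IS_GRANTABLE), the PUBLIC-grant allowlist and all sample rows are assumptions for the example and should be confirmed against your HANA release.

```python
# Added illustration: three SAP HANA checks as scanner SQL plus an evaluator
# that turns the returned rows into PASS/FAIL with a list of findings.
# View/column names are assumed from the SAP HANA SQL reference; the sample
# rows are constructed, not captured from a live system.

SQL_SYSTEM_USER = "SELECT USER_NAME, USER_DEACTIVATED FROM SYS.USERS WHERE USER_NAME = 'SYSTEM'"
SQL_PUBLIC_GRANTS = (
    "SELECT SCHEMA_NAME, OBJECT_NAME, PRIVILEGE FROM SYS.GRANTED_PRIVILEGES "
    "WHERE GRANTEE = 'PUBLIC'"
)
SQL_GRANTABLE_TO_USERS = (
    "SELECT GRANTEE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE "
    "FROM SYS.GRANTED_PRIVILEGES "
    "WHERE GRANTEE_TYPE = 'USER' AND IS_GRANTABLE = 'TRUE'"
)

# Schemas where PUBLIC grants ship with a stock install and are not findings.
# Assumed allowlist for the example; align it with your own baseline.
BASELINE_PUBLIC_SCHEMAS = {"SYS", "_SYS_BI", "_SYS_REPO"}


def _verdict(findings):
    return {"status": "FAIL" if findings else "PASS", "findings": findings}


def check_system_user_deactivated(rows):
    """'Deactivate the SYSTEM User': fails while SYSTEM is still active."""
    findings = [r["USER_NAME"] for r in rows
                if r["USER_NAME"] == "SYSTEM" and r["USER_DEACTIVATED"] != "TRUE"]
    return _verdict(findings)


def check_public_object_privileges(rows, baseline=BASELINE_PUBLIC_SCHEMAS):
    """'Object privileges granted to PUBLIC': any grant outside the baseline fails."""
    findings = [f"{r['SCHEMA_NAME']}.{r['OBJECT_NAME']}: {r['PRIVILEGE']}"
                for r in rows if r["SCHEMA_NAME"] not in baseline]
    return _verdict(findings)


def check_grant_option_to_users(rows):
    """'Object privileges granted with grant option': a user able to re-grant fails."""
    findings = [f"{r['GRANTEE']}: {r['PRIVILEGE']} ON {r['SCHEMA_NAME']}.{r['OBJECT_NAME']}"
                for r in rows]
    return _verdict(findings)


# Constructed rows standing in for the three query results.
SAMPLE_SYSTEM_ROWS = [{"USER_NAME": "SYSTEM", "USER_DEACTIVATED": "FALSE"}]
SAMPLE_PUBLIC_ROWS = [
    {"SCHEMA_NAME": "SYS", "OBJECT_NAME": "USERS", "PRIVILEGE": "SELECT"},
    {"SCHEMA_NAME": "HR", "OBJECT_NAME": "SALARY", "PRIVILEGE": "SELECT"},
]
SAMPLE_GRANTABLE_ROWS = [
    {"GRANTEE": "JDOE", "SCHEMA_NAME": "HR", "OBJECT_NAME": "SALARY", "PRIVILEGE": "SELECT"},
]
```

Each evaluator reports the offending rows rather than a bare verdict, which is what a remediation team needs from the detailed results the following slides describe.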
SAP HANA Vulnerability Assessment tests provide SAP Security guidelines
• Assessments can be scheduled to run via an audit process (compliance workflow) and be sent to compliance and remediation teams for fixing the vulnerabilities
• VA provides detailed results for every vulnerability test, which can be used for remediation purposes
Detailed remediation recommendations for fixing the vulnerabilities and reducing risk
• A customizable report can be generated to list all failed VA tests, filtered/sorted by test category, test score, severity, data source, etc.
• Reports can be scheduled to be sent to a list of users via email with CSV/PDF attachments, as a link to the report, or to a SIEM system, AppScan, QVM or any other VM solution
• Through the compliance workflow (audit process), failed vulnerability assessment reports can be sent to DBAs for remediation
Audit Process – schedule VA reports sent to a list of users
• Schedule the audit process to run regularly (e.g. every 1st day of the month; every Saturday at 2am, etc.) or for ad hoc review
• Send results to a list of users
• Results can be CSV, CEF or PDF attachments in emails, a link to the report, or sent to a SIEM
Test Exceptions
• For any failed vulnerability test, a test exception (or virtual patch) can be created for specific data sources
• An expiration date can be set for each test exception
• E.g. FAILED VA test ‘Deactivate the SYSTEM User’ for SAP HANA: an exception is needed until the end of the month to deactivate the account, so the test is set to PASS for this exception timeframe
• A report on test exceptions with explanations can be generated
• On the VA report, a test exception can be created by simply right-clicking on the failed VA test, or via the API
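The exception behaviour just described, as an added illustration that is not Guardium's own code or data format: a FAIL is reported as PASS only while a matching exception for that data source and test is unexpired, and the exceptions report flags which entries are still active. The record layouts, data source names and the dates around the slide's end-of-month example are constructed for the example.

```python
# Added illustration of test exceptions (virtual patches) with expiry: a FAIL
# is reported as PASS while an exception for that data source and test is in
# force, and reverts to FAIL once the expiration date has passed.
# Record layouts and sample data are constructed, not Guardium's own format.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TestException:
    datasource: str
    test_name: str
    expires: date   # inclusive: the exception still applies on this day
    reason: str     # explanation shown on the exceptions report


def effective_status(result, exceptions, today):
    """Return (status, note) for one raw test result after applying exceptions."""
    if result["status"] != "FAIL":
        return result["status"], ""
    for exc in exceptions:
        if (exc.datasource, exc.test_name) != (result["datasource"], result["test_name"]):
            continue
        if today <= exc.expires:
            return "PASS", f"exception until {exc.expires.isoformat()}: {exc.reason}"
        return "FAIL", f"exception expired {exc.expires.isoformat()}: {exc.reason}"
    return "FAIL", ""


def apply_exceptions(results, exceptions, today):
    """Copy of the results with exceptions applied and the reason recorded."""
    out = []
    for r in results:
        status, note = effective_status(r, exceptions, today)
        out.append({**r, "status": status, "note": note})
    return out


def exception_report(exceptions, today):
    """Rows for a 'test exceptions with explanations' report, flagging expired ones."""
    return [{"datasource": e.datasource, "test_name": e.test_name,
             "expires": e.expires.isoformat(), "reason": e.reason,
             "active": today <= e.expires} for e in exceptions]


# Constructed sample data built around the slide's own example.
TALK_DATE = date(2016, 6, 21)      # during the exception window
AFTER_EXPIRY = date(2016, 7, 1)    # first day after the end-of-month expiry
SAMPLE_RESULTS = [
    {"datasource": "hana-prod", "test_name": "Deactivate the SYSTEM User", "status": "FAIL"},
    {"datasource": "hana-prod", "test_name": "Password policy (constructed test)", "status": "PASS"},
    {"datasource": "hana-dev", "test_name": "Deactivate the SYSTEM User", "status": "FAIL"},
]
SAMPLE_EXCEPTIONS = [
    TestException("hana-prod", "Deactivate the SYSTEM User", date(2016, 6, 30),
                  "SYSTEM still used by a migration job; deactivation scheduled"),
]
```

Note that the exception is scoped to one data source, so the same failing test on hana-dev stays FAIL, and an expired exception is surfaced in the note rather than silently dropped.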
DEMO of VA for SAP HANA
Vulnerability Assessment – Dashboard samples: reports can be graphically displayed and sent to or shared with the CISO, CSO, compliance execs, etc.
New Guardium VA Material
V10 Solution Brief: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=SP&infotype=PM&htmlfid=WGS03063USEN&attachment=WGS03063USEN.PDF
V10 Guardium Vulnerability Assessment Data Sheet: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=SP&infotype=PM&htmlfid=WGD03074USEN&attachment=WGD03074USEN.PDF
Guardium VA demo for MongoDB: https://www.youtube.com/watch?v=uEMF6bnb4Sk
Guardium VA demo for DB2 z/OS: https://www.youtube.com/watch?v=0WqIXK5GWZo
Guardium VA demo and tech talk for DB2 for i: http://ibm.biz/GTechIBMi
© 2016 IBM Corporation
Learn More
• ibm.com/guardium
• What’s new in Guardium V10 article on developerWorks (updated for 10.1)
• Release notes
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
FOLLOW US ON:
THANK YOU
Backup
How Guardium Vulnerability Assessment addresses PCI-DSS (detail)

Req 2: Do not use vendor-supplied defaults for system passwords
• Configure system parameters to prevent misuse
• Encrypt non-console admin access
Guardium capability: Comprehensive suite of DBMS-specific tests based upon industry standards (CIS, STIG)
• Checks for default passwords, unpatched systems, misconfigured privileges, etc.
• Audits usage and alerts on misuse
• Locks configurations after vulnerabilities are remediated
• Monitors encrypted traffic (Oracle, ASO, SSL, etc.) without the need for key storage

Req 3: Protect stored cardholder data
Guardium capability: Real-time database leak prevention
• Continuous, real-time, policy-based monitoring with proactive security (alerts, blocking unauthorized access)
• Compensating control for column-level encryption
• Auto-discovers & classifies PCI data; identifies sensitive PCI data in the query result stream

Req 6: Develop and maintain secure systems and applications
• Establish a process to identify security vulnerabilities
• Follow change control procedures for all configuration changes
• Separation of duties (development, test, and production)
Guardium capability: Centralized vulnerability and configuration assessment
• Ensures current patches are applied and vulnerable SPs identified; “Virtual Patching”
• Alerts on all configuration changes, inside and outside databases
• Enforces separation of duties with real-time alerting and granular access controls

Req 7: Restrict access to cardholder data by business need-to-know
Guardium capability: Proactive, real-time access control (independent of native DBMS controls)
• Policies defined by source IP or application, OS or DB user, time, SQL command, object, etc.
• Blocks any unauthorized user, including administrators, from accessing cardholder data
• Compensating control for unsegmented networks
• Entitlement reporting to collect and understand user rights information across heterogeneous databases

Req 8: Assign a unique ID to each person with computer access
• Enforce password policies
• Limit repeated access attempts
Guardium capability: Complements native DBMS controls with external, cross-DBMS controls
• Alerts on credential sharing, failed logins, account creation, privilege escalation
• Verifies password policies are enforced; can lock accounts or terminate sessions

Req 10: Track and monitor all access to network and cardholder data
Guardium capability: Continuous, granular auditing with scalable architecture to handle high transaction volumes
• Fine-grained audit trail of all database activities (SELECT, DDL, DML, DCL, logins, logouts, etc.)
• No reliance on native trace or audit logs: minimal performance impact (2-3%), enforces separation of duties
• Tracks all network and local connections, including direct access by DBAs (shared memory, etc.)
• Audit information stored securely in a hardened appliance to prevent anti-forensics or tampering
• Identifies fraud by resolving end-user IDs in connection-pooling apps (SAP, Cognos, PeopleSoft, etc.)
• Integrates with LDAP, IAM, TCIM, TSM, SIEM, change management, CMDBs, etc.
• Compliance workflow automation (electronic sign-offs, escalations) demonstrates the oversight process
• PCI Accelerator provides pre-configured reports based on best practices

Req 11: Regularly test security systems and processes
• Run internal and external vulnerability scans
• Deploy integrity monitoring to detect modifications of critical system files
Guardium capability: Integrated vulnerability scanning, file integrity monitoring & behavioral vulnerability testing
• Includes hundreds of pre-configured vulnerability tests for all major DBMS/OS combinations
• Tracks changes to DB configuration files, environment/registry variables, executables and OS files

Req 12: Maintain a policy that addresses Information Security for all
• Monitor/analyze alerts and distribute to appropriate personnel
• Monitor and control all access to data
Guardium capability: Robust automated controls for enforcing information security policies
• Real-time alerts, correlation alerts, centralized aggregation of all audit data, SIEM integration
• Automated sign-offs demonstrate a formal oversight process
• 100% visibility & control over all database transactions (with blocking)
SAP HANA vulnerability assessment report (screenshot)
Harden databases by identifying unpatched and misconfigured systems
Callouts: filters and sort controls; result history; current test results; detailed remediation suggestions; prioritized breakdown; detailed test results; download report in PDF/XML
Guardium VA and AppScan ASE Integration – Use Case (diagram)
Using AppScan ASE: HR Application (application name, URL, type) – Application Specific Vulnerability 1 to 5
Using Guardium VA: HR Database (database name, IP, type) – Database Vulnerability 1 to 5
You can manage imported issues, display About This Issue, and edit attributes of those issues.