IBM Security

Guardium Tech Talk:
IBM Security Guardium and QRadar: Enhancing insights using bidirectional integration

Walid Rjaibi, CTO, IBM Security Guardium
Johan Varno, Product Architect, IBM Security Integrator
September 8th, 2015

2015 IBM Corporation

Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the speaker's discretion.
If we cannot answer your question, please include your email so we can get back to you.

When the speaker pauses for questions, we'll go through the existing questions in the chat.


Guardium community on developerWorks: bit.ly/guardwiki


Reminder: Next Guardium Tech Talk

Next tech talk: What's new in Guardium DAM V10: A Technical Overview
Speakers: Kathy Zeidenstein, Evangelist and Community Advocate; David Rozenblat, Director of Guardium Development
Date and time: Thursday, September 17th, 11:30 AM US Eastern
Register here: https://ibm.biz/BdX3Qx

A link to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.

Agenda
Data Security Drivers
Guardium & QRadar Overview
Guardium & QRadar Bi-directional Integration


Data Security Drivers

External Threats: sharp rise in external attacks from non-traditional sources
Cyber attack, organized crime, corporate espionage, government-sponsored attacks, social engineering

Internal Threats: ongoing risk of careless and malicious insider behavior
Administrative mistakes, careless inside behavior, internal breaches, disgruntled employees' actions, mix of private / corporate data

Compliance: growing need to address a steadily increasing number of mandates
National regulations, industry standards, local mandates

Data Security Drivers

83% of CISOs say that the challenge posed by external threats has increased in the last three years.

Data Security Drivers

2014: 25% more records leaked than in 2013. Insane!

Data Security Drivers

Minutes To Compromise, Months To Discover & Remediate*
[Chart: time span of events by percent of breaches, annotated with where Guardium and QRadar apply]
*Verizon data breach report 2012

Guardium Capabilities Overview

Discover: Where is the sensitive data?
Harden: How to secure the repository? How to protect sensitive data?
Monitor: What is actually happening? Who should have access?
Protect: How to protect sensitive data to reduce risk? How to prevent unauthorized activities?

Data at Rest capabilities: Discovery, Classification, Vulnerability Assessment, Configuration, Encryption, Entitlements Reporting
Data in Motion capabilities: Activity Monitoring, Blocking, Dynamic Data Masking

QRadar Capabilities Overview

IBM QRadar Security Intelligence Platform
Solution areas: Log Management, Network Activity Monitoring, Security Intelligence, Risk Management, Vulnerability Management, Network Forensics, Future
Northbound APIs: Reporting Engine, Workflow, Rules Engine, Real-Time Viewer, Analytics Engine
Security Intelligence Operating System: Warehouse, Archival, Normalization, Configuration, Offense
Southbound APIs: LEEF, AXIS, NetFlow
Inputs: Real Time Structured Security Data; Unstructured Operational / Security Data

Traditional Guardium & QRadar Integration

[Diagram: S-TAPs on File Shares, Big Data and the Data Warehouse report to Guardium; Guardium sends Alerts & VA reports one way to QRadar]

Traditional Guardium & QRadar integration is a one-way information flow where Guardium sends alerts and Vulnerability Assessment (VA) reports to QRadar.

A one-way Information Flow

Traditional Guardium & QRadar Integration

Common alerting use cases for databases:
Failed logins
Unauthorized access
SQL error codes (e.g., SQL injection attacks)
Users trying to escalate their privileges
Users creating triggers and views to indirectly access sensitive data

[Diagram: a bad actor at 10.0.1.8 issues SQL against a database (Oracle, DB2, MySQL, Sybase, etc.); Guardium checks policy on the appliance; on a policy violation Guardium sends an alert naming 10.0.1.8 to the IBM QRadar Security Intelligence Platform]

Traditional Guardium & QRadar Integration

[Screenshot slide]

The New Guardium & QRadar Integration

[Diagram: S-TAPs on File Shares, Big Data and the Data Warehouse report to Guardium; Guardium sends Alerts & VA reports to QRadar, and QRadar sends Guardium policy updates back]

It is now possible to have the Guardium data protection policies updated automatically and nearly in real time in response to security intelligence events from QRadar.

A two-way Information Flow

The New Guardium & QRadar Integration

Common use cases:
Block access from a machine that became compromised
Increase audit levels for access by a user id that became suspicious
Increase audit levels for access by a privileged shared user id that was onboarded in a Privileged Identity Management (PIM) system

[Diagram: the IBM QRadar Security Intelligence Platform determines that machine 10.0.1.8 was compromised and tells Guardium to block access from 10.0.1.8; when 10.0.1.8 issues SQL against a database (Oracle, DB2, MySQL, Sybase, etc.), the S-TAP holds the SQL while Guardium checks policy on the appliance, and the connection is terminated]

The New Guardium & QRadar Integration

Solution Architecture: The solution builds upon IBM Security Directory Integrator (SDI) to bridge QRadar and Guardium.

Scenario: QRadar determines that certain IP addresses are untrusted and that Guardium should block access from them.

[Diagram: QRadar (intelligence sources, rules & events) sends events to SDI over TCP/JSON; SDI calls Guardium over REST]

1. Map from QRadar event to Guardium group
2. Select attribute in event payload to be added to Guardium group
3. Reload Guardium policy for change to take effect

QRadar Event1: Guardium groupXX, attributeYY, policyZZ
QRadar Event2: Guardium groupAA, attributeBB, policyCC

IBM Security Directory Integrator

[Overview slide]

The New Guardium & QRadar Integration

Solution Deployment: The solution requires SDI 7.1.1 or later with the latest fixpak installed.

1. Guardium
   Create the desired policy and associated group.
   Set up a client ID and secret for SDI to invoke the Guardium REST API (Guardium REST API article: http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html).

2. QRadar
   Configure a forwarding destination.
   Configure rules to dispatch QRadar events to the solution.

3. Security Directory Integrator (SDI)
   Install the solution configuration files.

The New Guardium & QRadar Integration

Solution Deployment: The SDI configuration files are available with an accompanying white paper on developerWorks. The customer copies these files to the configs sub-folder of the SDI Solution Directory.

Configuration File       Description
QRTrigger.xml            The SDI Config XML file containing the AssemblyLines and other assets used by the SDI Server to power the solution
QRTrigger.properties     Properties file that sets the ports used by the QRadar listener process, as well as the status REST service
QRGuardium.xml           The SDI Config XML file with the response logic for Guardium integration
QRGuardium.properties    Properties file for various settings needed to communicate with Guardium
eventAction.rules        Properties file that ties QRadar events to the appropriate action to be taken

The New Guardium & QRadar Integration

QRTrigger.properties
Parameter Name    Description
listener.port     The port used by the QRListener AL to receive incoming TCP messages from QRadar. The default value is 1198.
metrics.port      The port used by the Metrics AL to accept incoming HTTP client GET requests. The default value is 1598.

QRGuardium.properties
Parameter Name            Description
guardium.url              The URL to the Guardium instance.
guardium.username         User name/id used to authenticate to Guardium.
guardium.password         Password associated with the username.
guardium.client.id        Client Id registered with Guardium.
guardium.client.secret    Client secret provided for the Client Id.

The New Guardium & QRadar Integration

Starting the solution: The solution is started by navigating to the TDI Installation Directory and executing the following command.

On Windows:
    ibmdisrv -c configs/QRTrigger.xml -d

On Unix:
    ./ibmdisrv -c configs/QRTrigger.xml -d

Slide walkthrough demo

The New Guardium & QRadar Integration

QRadar Dashboard [screenshot]

Configure QRadar Events for Forwarding [screenshot]

Configure Guardium policy to use the group that will be written to [screenshot]

Mapping QRadar Events to Actions in Guardium
Ignore most events.
Process the event named Data Leak Prevention Detected: add the IP address in QR field src to Guardium group Server_IP and reload Guardium policy ServerBlackList so that it picks up the new group member.
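The following Python model is an added example, not code from the IBM deck or from the SDI solution it describes. It strings together the three deployment artefacts discussed above (the QRTrigger.properties ports, the QRGuardium.properties settings and the eventAction.rules mapping) and the three-step response (map event to group, pick the payload attribute, reload the policy). The deck only says that QRadar forwards TCP/JSON and names the field src, the group Server_IP and the policy ServerBlackList; everything else is assumed: the JSON field name event_name, the one-line-per-event framing, the eventAction.rules line format, and the GuardiumClient method names, which stand in for the real Guardium REST API rather than reproduce it. The example goes slightly beyond the slide by dropping malformed src values before they reach the group and by skipping the policy reload when the address is already a member, so a replayed or duplicated QRadar event cannot cause a reload storm on the appliance.

```python
# Added example (not from the IBM deck or the SDI solution): a small Python model of
# the SDI bridge that turns a forwarded QRadar event into a Guardium group update
# plus a policy reload. Assumed, because the deck does not give them: the JSON field
# name "event_name", the eventAction.rules line format and the GuardiumClient method
# names ("src", the group, policy and port values come from the slides).
import ipaddress
import json

DEFAULT_PORTS = {"listener.port": 1198, "metrics.port": 1598}   # defaults quoted in the deck
GUARDIUM_REQUIRED = ("guardium.url", "guardium.username", "guardium.password",
                     "guardium.client.id", "guardium.client.secret")

def parse_properties(text):
    """Parse Java-style key=value lines; '#' and '!' begin comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def load_trigger_ports(props):
    """Ports for the QRListener and Metrics AssemblyLines, falling back to the defaults."""
    return {key: int(props.get(key, default)) for key, default in DEFAULT_PORTS.items()}

def missing_guardium_settings(props):
    """Names of QRGuardium.properties entries that are absent or empty."""
    return [key for key in GUARDIUM_REQUIRED if not props.get(key)]

def parse_rules(text):
    """Assumed eventAction.rules format: <event name>=<group>,<attribute>,<policy>."""
    rules = {}
    for event_name, spec in parse_properties(text).items():
        group, attribute, policy = (part.strip() for part in spec.split(","))
        rules[event_name] = (group, attribute, policy)
    return rules

class GuardiumClient:
    """Stand-in for the Guardium REST API (hypothetical method names); records calls."""
    def __init__(self):
        self.groups = {}     # group name -> set of members
        self.reloads = []    # policies reloaded, in order

    def add_group_member(self, group, member):
        """Return True only when the member was actually new."""
        members = self.groups.setdefault(group, set())
        if member in members:
            return False
        members.add(member)
        return True

    def reload_policy(self, policy):
        self.reloads.append(policy)

def handle_event(line, rules, client):
    """Apply the rules to one JSON event line; returns (group, value, policy) or None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None                      # not JSON: drop it
    if not isinstance(event, dict):
        return None
    rule = rules.get(event.get("event_name"))
    if rule is None:
        return None                      # "Ignore most events."
    group, attribute, policy = rule
    value = event.get(attribute)
    if not isinstance(value, str):
        return None
    if attribute == "src":               # only well-formed IP literals enter Server_IP
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return None
    if not client.add_group_member(group, value):
        return None                      # already a member: skip the redundant reload
    client.reload_policy(policy)         # step 3: reload so the policy sees the new member
    return (group, value, policy)

# Constructed sample configuration and events (not captured from a real system)
TRIGGER_PROPS = "# QRTrigger.properties\nlistener.port=1198\nmetrics.port=1598\n"
GUARDIUM_PROPS = ("guardium.url=https://guardium.example.invalid:8443\n"
                  "guardium.username=sdi_user\nguardium.password=REDACTED\n"
                  "guardium.client.id=sdi-bridge\nguardium.client.secret=\n")
RULES_TEXT = "Data Leak Prevention Detected=Server_IP,src,ServerBlackList\n"
SAMPLE_EVENTS = [
    '{"event_name": "Authentication Success", "src": "10.0.0.5"}',
    '{"event_name": "Data Leak Prevention Detected", "src": "10.0.1.8"}',
    '{"event_name": "Data Leak Prevention Detected", "src": "10.0.1.8"}',
    '{"event_name": "Data Leak Prevention Detected", "src": "not-an-ip"}',
    "this line is not JSON",
]

def run_demo():
    """Feed the sample events through the bridge and return what it did."""
    client = GuardiumClient()
    rules = parse_rules(RULES_TEXT)
    actions = [a for a in (handle_event(e, rules, client) for e in SAMPLE_EVENTS) if a]
    return {"ports": load_trigger_ports(parse_properties(TRIGGER_PROPS)),
            "missing": missing_guardium_settings(parse_properties(GUARDIUM_PROPS)),
            "actions": actions, "groups": client.groups, "reloads": client.reloads}
```

Calling run_demo() replays the five constructed events: only the first Data Leak Prevention Detected event for 10.0.1.8 adds a member to Server_IP and triggers one reload of ServerBlackList; the replayed copy, the malformed address and the non-JSON line are all ignored. The missing list flags that guardium.client.secret is empty, which is the check worth running before starting ibmdisrv, since the bridge cannot authenticate to the Guardium REST API without it. The socket accept loop that the QRListener AL provides is left out; in a real deployment each line read from the TCP connection would be passed to handle_event.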

Guardium Policy Group is initially empty [screenshot]

Starting the solution: SDI starts and loads the QRTrigger solution, which listens for TCP messages from QRadar. [screenshot]

The QR-listener is receiving messages and adding them to the Guardium group. [screenshot]

Verify that Guardium groups have been updated. [screenshot]

Summary
Near real-time, automated threat remediation to protect sensitive corporate data, based on QRadar best-of-breed security intelligence.
Sensitive data is protected in near real time against new threats by a single automated central policy update that applies to all sensitive data targets protected by Guardium.
Significantly reduces the time between threat discovery and threat remediation.

Sample Use Cases
Flexible solution that can address many security scenarios.

Virtual patching remediation: Detecting vulnerabilities at the application layer can help put rules in place to be on the lookout for exploitation.
Possible attack through the application: Several login failures to an application (e.g. SAP) could indicate someone to look out for at the database layer, and heighten controls on databases connected to the SAP resource.
Detect database attacks before reaching the DB: Detection of an SQL injection at the network or application layer can help apply blocking rules to data extraction.

Resources

Installation and Configuration guide: Updating Guardium Policies based on events from QRadar: https://ibm.biz/BdXMsK
developerWorks article on using Guardium REST APIs: http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html
Guardium and QRadar integration overview and demo: https://www.youtube.com/watch?v=M0P12R2Kkjc
Guardium and QRadar integration configuration: https://www.youtube.com/watch?v=IA4UbJnN9KE
Video demo: QRadar and Guardium Vulnerability Tests: http://www.ibm.com/developerworks/library/se-gqradar/index.html
Guardium, QRadar and Privileged Identity Manager Integration demo: https://www.youtube.com/watch?v=TedDkWnAArc
Guardium Knowledge Center topic on customizing LEEF format and sending alerts and audit results to QRadar: http://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/administer/topics/configuring_global_profile.html?lang=en

Information, training, and community cheat sheet

Guardium Tech Talks: at least one per month. Suggestions welcome!
Guardium YouTube Channel: includes overviews, technical demos, tech talk replays
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
Guardium on IBM Knowledge Center (was Info Center)
Deployment Guide for InfoSphere Guardium Red Book
Technical training courses (classroom and self-paced, provided by Business Partners)
InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Not recorded! Send a note to krzeide@us.ibm.com if interested.


Thank you
Dziękuję (Polish)
Gracias (Spanish)
Merci (French)
Obrigado (Brazilian Portuguese)
Danke (German)
Tack (Swedish)
Grazie (Italian)
Also in Traditional Chinese, Simplified Chinese, Thai, Russian, Arabic and Japanese