IBM Security
Logistics
This tech talk is being recorded. If you object, please hang up and
leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium
community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using the audiocast and ask questions in
the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the
speaker's discretion.
If we cannot answer your question, please include your email
so we can get back to you.
Tech talk wiki link (right nav): bit.ly/guardwiki
Agenda
Data Security Drivers
Guardium & QRadar Overview
Guardium & QRadar Bi-directional Integration
Internal Threats: ongoing risk of careless and malicious insider behavior
  Administrative mistakes
  Careless insider behavior
  Internal breaches
  Disgruntled employees' actions
  Mix of private / corporate data
Compliance: growing need to address a steadily increasing number of mandates
  National regulations
  Industry standards
  Local mandates
Cyber attack
  Organized crime
  Corporate espionage
  Government-sponsored attacks
  Social engineering
[Overview diagram: Guardium and QRadar]
Guardium: Discover, Harden, Monitor, Protect
Discover: Where is the sensitive data?
Harden: How to secure the repository? Who should have access?
Monitor: What is actually happening?
Protect: How to protect sensitive data to reduce risk? How to prevent unauthorized activities?
Capabilities: Discovery, Classification, Configuration, Vulnerability Assessment, Encryption,
Entitlements Reporting, Activity Monitoring, Blocking, Data in Motion, Dynamic Data Masking
IBM QRadar Security Intelligence Platform
Capabilities: Network Activity Monitoring, Security Intelligence, Risk Management,
Vulnerability Management, Network Forensics, Future
Northbound APIs: Reporting Engine, Workflow, Rules Engine, Real-Time Viewer, Analytics Engine
Security Intelligence Operating System: Warehouse, Archival, Normalization
Southbound APIs: LEEF, AXIS, Configuration, NetFlow, Offense
[Diagram: S-TAPs on file shares, big data and data warehouse sources report to Guardium; one-way flow from Guardium to QRadar]
Traditional Guardium & QRadar integration is a one-way information flow in which
Guardium sends alerts and Vulnerability Assessment (VA) reports to QRadar.
One-way flow, step by step:
1. Guardium captures database traffic from the client at 10.0.1.8 to a monitored database (Oracle, DB2, MySQL, Sybase, etc.).
2. Guardium checks the traffic against the policy installed on the appliance.
3. On a policy violation, Guardium sends an alert to the IBM QRadar Security Intelligence Platform.
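The alert leg of this one-way flow reaches QRadar as syslog in LEEF format (LEEF appears among QRadar's southbound APIs above, and the Knowledge Center link under Resources covers customizing it). The parser below is an added example, not code from this page or from IBM: it reads a LEEF 1.0 or 2.0 event the way a QRadar log source would and applies a toy severity rule to pick a source IP worth blocking, which is the decision the bi-directional scenario later hands back to Guardium. The two sample events are constructed, not captured Guardium output, and their attribute names (devTime, src, dst, usrName, sev, sql) are assumptions, not Guardium's actual LEEF keys.

```python
"""Added example: parse Guardium-style LEEF alerts as QRadar ingests them."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample events (NOT real Guardium output; attribute names are illustrative).
# LEEF 1.0: five header fields, then tab-delimited key=value attributes.
SAMPLE_LEEF_1 = (
    "LEEF:1.0|IBM|Guardium|9.5|Policy Violation|"
    "devTime=2015-03-10 14:02:11\tsrc=10.0.1.8\tdst=10.0.2.20\tusrName=appuser\t"
    "sev=8\tsql=select * from customers where id=1 or 'a'='a'"
)
# LEEF 2.0: a sixth header field names the attribute delimiter (here the hex code x09 = tab),
# and a syslog header may precede the LEEF payload.
SAMPLE_LEEF_2 = (
    "<13>Mar 10 14:02:11 guardium01 LEEF:2.0|IBM|Guardium|10.0|Policy Violation|x09|"
    "devTime=2015-03-10 14:02:11\tsrc=10.0.1.8\tdst=10.0.2.20\tusrName=appuser\tsev=5\t"
    "sql=select name, ssn from customers"
)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def resolve_delimiter(spec: str) -> str:
    """LEEF 2.0 delimiter field: empty (tab), one literal character, or a hex code like x09 / 0x09."""
    if spec == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{1,4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"unsupported LEEF delimiter spec {spec!r}")


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF 1.0/2.0 event, tolerating a leading syslog header."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    head = line[start + len("LEEF:"):]
    # Split only the header on '|'; attribute values (e.g. SQL text) may contain '|' themselves.
    parts = head.split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    version, vendor, product, product_version, event_id, rest = parts
    if version.startswith("2."):
        delim_spec, _, rest = rest.partition("|")
        delim = resolve_delimiter(delim_spec)
    else:
        delim = "\t"  # LEEF 1.0 attributes are always tab-separated
    attrs: Dict[str, str] = {}
    for pair in rest.split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")  # split on the first '=' only; SQL values contain '='
        if sep:
            attrs[key.strip()] = value
    return LeefEvent(version, vendor, product, product_version, event_id, attrs)


def block_candidate(event: LeefEvent, min_severity: int) -> Optional[str]:
    """Toy QRadar rule: the source IP of a Guardium policy violation at or above min_severity."""
    if event.product != "Guardium" or event.event_id != "Policy Violation":
        return None
    try:
        sev = int(event.attributes.get("sev", "0"))
        src = ipaddress.ip_address(event.attributes["src"])
    except (KeyError, ValueError):
        return None
    return str(src) if sev >= min_severity else None
```

The header is split on at most five pipes so that a SQL statement carrying a `|` in an attribute value survives intact; a naive `split("|")` is the usual way such parsers break on real database traffic.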
[Diagram: S-TAPs on file shares and big data sources report to Guardium; bi-directional flow between Guardium and QRadar]
Bi-directional flow, step by step:
1. QRadar determines that machine 10.0.1.8 was compromised and tells Guardium to block access from 10.0.1.8.
2. The client at 10.0.1.8 issues SQL against a monitored database (Oracle, DB2, MySQL, Sybase, etc.).
3. Guardium holds the SQL and checks the policy on the appliance.
4. The updated policy blocks 10.0.1.8, so the connection is terminated.
Scenario: using its intelligence sources and its rules and events, QRadar determines that
certain IP addresses are untrusted and that Guardium should block access from them.
Message path: QRadar -> TCP/JSON -> SDI (IBM Security Directory Integrator) -> REST -> Guardium
1. Guardium
2. QRadar
Configuration File | Description
QRTrigger.xml | The SDI config XML file containing the AssemblyLines and other assets used by the SDI Server to power the solution
QRTrigger.properties | Properties file that sets the ports used by the QRadar listener process, as well as the status REST service
QRGuardium.xml | The SDI config XML file with the response logic for Guardium integration
QRGuardium.properties | Properties file whose parameters are listed below
eventAction.rules |

QRTrigger.properties
Parameter Name | Description
listener.port | The port used by the QRListener AL (AssemblyLine) to receive incoming TCP messages from QRadar. The default value is 1198.
metrics.port | The port used by the Metrics AL to accept incoming HTTP client GET requests. The default value is 1598.

QRGuardium.properties
Parameter Name | Description
guardium.url |
guardium.username |
guardium.password |
guardium.client.id |
guardium.client.secret |
Restrict read access to this file: it carries the Guardium password and the REST client secret.
Start the SDI server with the QRTrigger configuration:
On Windows
  ibmdisrv -c configs/QRTrigger.xml -d
On Unix
  ./ibmdisrv -c configs/QRTrigger.xml -d
SDI starts and loads the QRTrigger solution, which listens for TCP messages from QRadar.
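What happens between the TCP/JSON message from QRadar and the REST call to Guardium in the scenario above, as an added example that is not IBM's QRTrigger code: a small listener on listener.port (1198 by default, per QRTrigger.properties) that reads newline-delimited JSON, validates the request, refuses to block hosts on a safety list (so a false positive in QRadar cannot cut the collector or the QRadar console off), and prepares the two Guardium REST calls. Assumptions, none confirmed by this page: the message schema ({"action": "block"|"unblock", "ip": ...}), the OAuth token endpoint and group_member API path (modelled on the developerWorks REST API article under Resources), the group name, and every CONFIG value other than the two port defaults. The calls are planned, not sent, so the block runs offline.

```python
"""Added example: stand-in for the SDI QRTrigger listener (QRadar -> TCP/JSON -> SDI -> REST -> Guardium)."""
import ipaddress
import json
import socket
import threading
from typing import Dict, Tuple

# Stand-in for QRTrigger.properties / QRGuardium.properties. The two port defaults are the
# page's; every other value is a hypothetical placeholder.
CONFIG = {
    "listener.port": 1198,
    "metrics.port": 1598,
    "guardium.url": "https://guardium.example.local:8443",
    "guardium.username": "qradar_svc",
    "guardium.password": "change-me",
    "guardium.client.id": "qradar-client",
    "guardium.client.secret": "change-me-too",
}
# Assumed: a Guardium group referenced by a blocking policy rule; adding an IP blocks it.
UNTRUSTED_GROUP = "QRadar Untrusted IPs"
# Assumed safety list: the QRadar console, the Guardium collector and loopback may never be blocked.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.5/32", "10.0.0.6/32", "127.0.0.0/8", "::1/128")]


def _reject(reason: str) -> Dict:
    return {"accepted": False, "reason": reason, "ip": None, "calls": []}


def plan_guardium_calls(msg: Dict) -> Dict:
    """Validate one QRadar trigger message and return the Guardium REST calls SDI would make."""
    action = msg.get("action")
    if action not in ("block", "unblock"):
        return _reject(f"unsupported action {action!r}")
    try:
        ip = ipaddress.ip_address(str(msg.get("ip", "")).strip())  # single address only, no CIDR
    except ValueError:
        return _reject("ip is not a single valid IPv4/IPv6 address")
    if any(ip in net for net in NEVER_BLOCK):
        return _reject(f"{ip} is on the never-block list")
    base = CONFIG["guardium.url"].rstrip("/")
    # Step 1 (assumed endpoint): OAuth password grant using the REST client id/secret.
    token_call = {
        "method": "POST", "url": f"{base}/oauth/token",
        "form": {"grant_type": "password",
                 "client_id": CONFIG["guardium.client.id"],
                 "client_secret": CONFIG["guardium.client.secret"],
                 "username": CONFIG["guardium.username"],
                 "password": CONFIG["guardium.password"]},
    }
    # Step 2 (assumed API path/body): add or remove the IP as a member of the blocking group.
    member_call = {
        "method": "POST" if action == "block" else "DELETE",
        "url": f"{base}/restAPI/group_member",
        "headers": {"Authorization": "Bearer <access_token from step 1>"},
        "json": {"desc": UNTRUSTED_GROUP, "member": str(ip)},
    }
    return {"accepted": True, "reason": "ok", "ip": str(ip), "calls": [token_call, member_call]}


def handle_line(raw: bytes) -> Dict:
    """One newline-delimited JSON message in, one short JSON reply out (never the credentials)."""
    try:
        msg = json.loads(raw.decode("utf-8"))
        if not isinstance(msg, dict):
            raise ValueError("not an object")
    except (ValueError, UnicodeDecodeError):
        return {"accepted": False, "reason": "message is not a JSON object"}
    plan = plan_guardium_calls(msg)
    return {"accepted": plan["accepted"], "reason": plan["reason"]}


def serve(host: str = "127.0.0.1", port: int = CONFIG["listener.port"]) -> Tuple[socket.socket, threading.Thread]:
    """Start the listener in a daemon thread; one client at a time, like a simple AssemblyLine loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed: shut down
            with conn, conn.makefile("rb") as reader:
                for raw in reader:
                    reply = json.dumps(handle_line(raw.rstrip(b"\r\n")))
                    conn.sendall(reply.encode("utf-8") + b"\n")

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return srv, thread


def send_trigger(host: str, port: int, msg: Dict) -> Dict:
    """QRadar's side of the exchange: send one JSON line, read one JSON line back."""
    with socket.create_connection((host, port), timeout=5) as client:
        client.sendall(json.dumps(msg).encode("utf-8") + b"\n")
        return json.loads(client.makefile("rb").readline())


if __name__ == "__main__":
    srv, _ = serve("127.0.0.1", 0)  # ephemeral port for the demo; production uses listener.port
    port = srv.getsockname()[1]
    print(send_trigger("127.0.0.1", port, {"action": "block", "ip": "10.0.1.8"}))  # accepted
    print(send_trigger("127.0.0.1", port, {"action": "block", "ip": "10.0.0.5"}))  # never-block list
    srv.close()
```

The listener answers only accept/reject, so a reply captured on the wire leaks nothing from QRGuardium.properties; the never-block list is the check that matters most in practice, since an automated policy update that blocks the wrong address is itself an outage.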
Summary
Near real-time, automated threat remediation that protects sensitive corporate data
based on QRadar's best-of-breed security intelligence
Sensitive data is protected in near real time against new threats by a single automated,
central policy update that applies to all sensitive data targets protected by Guardium
Significantly reduces the time between threat discovery and threat remediation
Virtual patching remediation
Possible attack through the application: detect database attacks before they reach the DB
Detecting vulnerabilities at the application layer can help put rules in place to be on the
lookout for exploitation
Detection of an SQL injection at the network or application layer can help apply blocking
rules to data extraction
Resources
Installation and Configuration guide: Updating Guardium Policies based on events from
QRadar: https://ibm.biz/BdXMsK
developerWorks article on using Guardium REST APIs
http://www.ibm.com/developerworks/data/library/techarticle/dm-1404guardrestapi/index.html
Guardium and QRadar integration overview and demo:
https://www.youtube.com/watch?v=M0P12R2Kkjc
Guardium and QRadar integration configuration:
https://www.youtube.com/watch?v=IA4UbJnN9KE
Video demo: QRadar and Guardium Vulnerability Tests
http://www.ibm.com/developerworks/library/se-gqradar/index.html
Guardium, QRadar and Privileged Identity Manager Integration demo:
https://www.youtube.com/watch?v=TedDkWnAArc
Guardium Knowledge Center topic on customizing LEEF format and sending alerts and audit
results to QRadar: http://www-01.ibm.com/support/knowledgecenter/SSMPHH_9.5.0/com.ibm.guardium95.doc/administer/topics/configuring_global_profile.html?lang=en