© 2015 IBM Corporation
IBM Security Guardium for Files Tech Talk
Dan Goodes, Guardium WW Center of Excellence, IBM Security
Doug Williams, SCMon for File Systems Architect, Security Assets Protection Team for IBM
Intelligent Data Protection at Scale
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When speaker pauses for questions:
– We’ll go through existing questions in the chat
Reminder: Next Guardium Tech Talk
Next tech talk: What's new in Guardium Vulnerability Assessment V10
Speakers: Vikalp Paliwal, Product Manager; Louis Lam, Database Manager; Frank Cavaliero, Database Engineer
Date and time: Thursday, November 5th, 11:30 AM US Eastern, 8:30 AM US Pacific
Register here: ibm.biz/BdHXss
Unstructured Data Security
Corporations STILL struggle with security
40%: Yearly growth of the Digital Universe over the next decade
80%: Unstructured data in the enterprise
46%: Increase in number of data breaches from 2013 to 2014
256: Number of days it can take to identify malicious attacks
23%: Increase in total cost of a data breach since 2013
IBM Security Guardium – Data Security & Privacy
Protect all data against unauthorized access and enable organizations to comply with government regulations and industry standards
On Premise / On Cloud: Data Repositories, Sensitive Documents
Data at Rest: Stored (Databases, File Servers, Big Data, Data Warehouses, Application Servers, Cloud/Virtual, ...)
Data in Motion: Over Network (SQL, HTTP, SSH, FTP, email, ...)
1. Prevent data breaches: Prevent disclosure or leakages of sensitive data
2. Ensure data privacy: Prevent unauthorized changes to data
3. Reduce the cost of compliance: Automate and centralize controls across diverse regulations and heterogeneous environments
4. Identify Risk: Discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities
Questions you should be able to answer about your data
Who has access to my repositories, folders, and documents?
Which documents contain sensitive data?
Who has been accessing the sensitive data?
Where is my sensitive data overexposed? How do I fix this?
Who is the likely data owner of a particular set of documents?
Who should have ownership of specific documents in my organization?
Who has unnecessarily permissive access to data?
Which documents are unused and possibly ready to archive?
Who deleted specific files?
How quickly can I provide access to auditable data?
IBM Security Guardium for Files Use Cases
Protect sensitive and critical data without impacting your business.
Protect critical configuration and application files: Need to protect critical application files which can be accessed, modified, or even destroyed through direct access to the application or database server.
Protect access to documents containing PII information: Need to protect files containing PII data, while not impacting day-to-day business operations.
Protect backend access to application documents: Need to block backend access to documents managed by an enterprise application.
Protect source code: Need to protect source code, and other intellectual property.
How does IBM Security Guardium for Files do it?
Data at Rest / Data in Motion
Discover: Where does your data reside? Where is the sensitive data? Who is the data owner? (File Discovery, Unstructured Data Classification)
Harden: Who should have access? How to protect sensitive data to reduce risk? (Entitlements Reporting)
Monitor: What is actually happening? (File Activity Monitoring)
Protect: How to prevent unauthorized activities? (File Access Blocking)
File Activity Monitoring Life cycle
Discover
• Scan and identify folders and files on the file system
• Extract and store metadata for all files
• Ongoing discovery process as new files are added to the file system
Identify user rights
• Gather user privileges, user groups, and file permissions
Classify
• Identify sensitive information in files
• Classify the files according to policy
Aggregate and normalize
• Store all collected metadata, user access rights, sensitive data classification information in a secure central repository
View and audit
• View data through Audit Browser
• Generate prepackaged or custom reports
Monitor and protect
• Create and apply policies for ongoing monitoring and protection of your data
• Get notified when suspicious activity is detected on monitored files
• Block file access to unauthorized parties
Protect critical files and documents
NEW! File activity monitoring helps you manage access to your unstructured data containing critical and sensitive information. It provides complete visibility into activity by providing extensive compliance and audit capabilities.
Guardium introduces new file activity monitoring to identify normal and abnormal behavior and drill into the details.
• Understand your sensitive data exposure
• Get a full picture of ownership and access for your files
• Control access to critical files through blocking and alerting
• Gain visibility into all entitlements and activity through custom reports and advanced search
Diagram: Host-Based Probes (FS-TAP) and Host-based Probes (S-TAP) report to the Collector.
Benefits: Automate and centralize controls
• Scalable multi-tier architecture
• Continuous monitoring and analytics
• Centralized audit repository
• Unified cross-database and file system solution
• Compliance workflow automation
Diagram: Central Policy Manager and Audit Repository (Guardium / Aggregator); Data center 1 and Data center 2, each with web/application servers carrying Guardium Host-Based Probes (S-TAP and FS-TAP) that report to a Guardium Collector.
File Activity Monitoring Main components
Diagram: Guardium Appliance; File Server running Discovery & Classification and Activity Monitor.
1. FAM Discovery & Classification locates folders/files, extracts their metadata (name, path, size, last modified, owner, privileges, etc.) and classifies them.
2. FAM Monitor audits file activity according to policy.
File Activity Monitoring – Deployment
Enable FAM Discovery on the Guardium Appliance.
The Guardium Installation Manager (GIM) client should be installed on the File Server to be monitored.
Upload the FAM (discovery) and S-TAP (monitoring) modules to the Guardium Appliance.
Install the FAM module on the File Server through GIM.
Install the S-TAP module on the File Server through GIM.
Diagram: Discover (File Crawler), Classify (ICM Classification Server, Analysis Engine), Send to audit (Universal Feed to the Guardium Appliance).
File Activity Monitoring: Discovery and classification using IBM Content Classification (included)
• IBM Security Guardium for Files uses a local ICM (IBM Content Classification Module) to run classification on files.
• ICC matches sets of rules that are packaged as Decision Plans. FAM is shipped with out-of-the-box decision plans for detecting PCI, HIPAA, SOX and Source Files.
• Most common data file types are supported (PDF, Text, Word, PowerPoint, Excel, XML, CSV, logs, source code, configuration files, etc.)
• Decision Plans are created in a standalone Windows application called ICM Workbench that is available for our customers.
• For more in-depth information on IBM Content Classification please visit: http://www-01.ibm.com/support/docview.wss?uid=swg27020838
Workflow: In ICM Workbench, import a content set, add a knowledge base, and create/edit the Decision Plan; upload the Decision Plan through the Appliance (Setup -> Tools And Views -> Upload Decision Plans); the plan is then used on the File Server.
File Activity Monitoring: Discovery and classification using IBM Content Classification
In Workbench, you specify the conditions for triggering a rule.
Rule capabilities:
– String search
– Word distance
– Dictionaries
– Regular expressions
– Pattern extraction
– Boolean expressions
Decision plan capabilities:
– Identify category
– Set document metadata
– Invoke statistical analysis
– Language identification
Workbench screenshot steps: (1) New Decision Plan, (2) New Rule, (3) New Condition, (4) Word Match
File Activity Monitoring: Discovery and classification – Installation
Enable FAM Discovery on the appliance.
GIM client will be installed on the requested File Server.
FAM module should be uploaded to the appliance.
Install FAM module on client.
File Activity Monitoring: Discovery and classification – Installation
After installation, the FAM Service is created and started on the File Server.
You can then see active FAM agents on the Status Monitor screen.
You can see uploaded data in the FAM Entitlement report.
File Activity Monitoring: Discovery and classification – Configuration
Configuration can be set remotely from the GIM module installation screen.
Scan Parameters
FAM Parameter | Description
FAM_ENABLED | 0 - FAM Discovery agent is disabled. 1 - FAM Discovery agent is enabled. 2 - FAM Discovery agent is restarted.
FAM_SOURCE_DIRECTORIES | Directory paths to run the scan on. Example: /home/soonnee
FAM_SCAN_EXCLUDE_DIRECTORIES | Directories to exclude from scanning.
FAM_SCAN_EXCLUDE_FILES | Files to exclude from scanning.
FAM_SCAN_MAX_DEPTH | Limits scan depth.
File Activity Monitoring: Discovery and classification – Configuration, cont’d
Classification Configuration
FAM Parameter | Description
FAM_IS_DEEP_ANALYSIS | True - Enable classification of files based on their content. False - Metadata and access permission extraction only.
FAM_ICM_CLASS_DECISION_PLANS | Classification categories and their requested rules. Example: HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}
FAM_ICM_CLASS_THREAD_COUNT | Number of classifier threads. Recommended value is 5.
FAM_ICM_URL | Classification runs on the local server. Should be left as: http://localhost:18087
Appliance Configuration
FAM Parameter | Description
FAM_SQLGUARD_IP | Guardium collector IP address.
FAM_SERVER_PORT | Guardium collector port. Default: 16022
File Activity Monitoring: Discovery and classification – Configuration, cont’d
Scheduler Configuration
FAM Parameter | Description
FAM_SCHEDULER_START_TIME | Activation time for scanning.
FAM_SCHEDULER_REPEAT | False = Do not repeat scan. Default: true
FAM_SCHEDULER_HOUR_TIME_INTERVAL | Interval between scans in hours.
FAM_SCHEDULER_MINUTE_TIME_INTERVAL | Interval between scans in minutes.
Example: to run a scan every 12 hours and 30 minutes, set
FAM_SCHEDULER_HOUR_TIME_INTERVAL=12
FAM_SCHEDULER_MINUTE_TIME_INTERVAL=30
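As an added example (not IBM code and not part of the deck), a small Python pre-deployment check that parses the FAM_ICM_CLASS_DECISION_PLANS string and the scheduler intervals from the parameter tables above and flags inconsistent settings. The KEY=VALUE layout, the sample values and the collector address are constructed assumptions; the parameter names and meanings are those listed on the slides.

```python
import re
from typing import Dict, List

# Constructed sample of the FAM parameters listed on the slides. The KEY=VALUE
# layout is an assumption for this example (the product sets them on the GIM
# installation screen); 192.0.2.10 is a documentation-range placeholder.
SAMPLE_FAM_CONFIG = """
FAM_ENABLED=1
FAM_SOURCE_DIRECTORIES=/home/soonnee
FAM_IS_DEEP_ANALYSIS=True
FAM_ICM_CLASS_DECISION_PLANS=HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}
FAM_ICM_URL=http://localhost:18087
FAM_SQLGUARD_IP=192.0.2.10
FAM_SCHEDULER_REPEAT=true
FAM_SCHEDULER_HOUR_TIME_INTERVAL=12
FAM_SCHEDULER_MINUTE_TIME_INTERVAL=30
"""

PLAN_RE = re.compile(r"^(\w+)\{([^}]*)\}$")  # one CATEGORY{rule,...} entry

def parse_config(text: str) -> Dict[str, str]:
    """Turn KEY=VALUE lines into a dict; blank lines and # comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def parse_decision_plans(spec: str) -> Dict[str, List[str]]:
    """Parse 'HIPAA{HIPAA_match,CreditCard,Name}:PCI{PCI_match}' into {category: rules}."""
    plans: Dict[str, List[str]] = {}
    for entry in spec.split(":"):
        match = PLAN_RE.match(entry.strip())
        if not match:
            raise ValueError(f"malformed decision plan entry: {entry!r}")
        plans[match.group(1)] = [r.strip() for r in match.group(2).split(",") if r.strip()]
    return plans

def scan_interval_minutes(cfg: Dict[str, str]) -> int:
    """Combined repeat interval: hours*60 + minutes (12 and 30 give 750)."""
    return (int(cfg.get("FAM_SCHEDULER_HOUR_TIME_INTERVAL", "0")) * 60
            + int(cfg.get("FAM_SCHEDULER_MINUTE_TIME_INTERVAL", "0")))

def check_config(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the set is consistent."""
    problems: List[str] = []
    if cfg.get("FAM_ENABLED") not in {"0", "1", "2"}:
        problems.append("FAM_ENABLED must be 0 (disabled), 1 (enabled) or 2 (restart)")
    if not cfg.get("FAM_SOURCE_DIRECTORIES"):
        problems.append("FAM_SOURCE_DIRECTORIES is empty, so nothing would be scanned")
    if cfg.get("FAM_IS_DEEP_ANALYSIS", "").lower() == "true":
        # Content classification relies on the local ICM service and a plan list.
        if cfg.get("FAM_ICM_URL") != "http://localhost:18087":
            problems.append("FAM_ICM_URL should be left as http://localhost:18087")
        try:
            parse_decision_plans(cfg.get("FAM_ICM_CLASS_DECISION_PLANS", ""))
        except ValueError as exc:
            problems.append(f"FAM_ICM_CLASS_DECISION_PLANS: {exc}")
    if not cfg.get("FAM_SQLGUARD_IP"):
        problems.append("FAM_SQLGUARD_IP (collector address) is missing")
    repeat = cfg.get("FAM_SCHEDULER_REPEAT", "true").lower() != "false"
    if repeat and scan_interval_minutes(cfg) == 0:
        problems.append("repeat scanning is on but both interval parameters are 0")
    return problems
```

With FAM_IS_DEEP_ANALYSIS set to False the ICM-related checks are skipped, matching the slide's note that only metadata and permissions are extracted in that mode.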
Classification
Addressing difficulties in finding sensitive data in unstructured files.
Pattern matching helps extract: SSN, Zip-Code, Email, Phone Numbers, etc.
Examples of entity extraction:
1) Personal Name: Thomas B.M. David; Thomas David Jr.; Thomas, David; Dr. David; Pedro Pablo Gonzales Garcia
   Exclude: Thomas David St.; Francisco Bay
2) Location: West Westin ave., in South Carolina, 12345; 22 West Westin street, SC
   * Abbreviations: Route, Rte, US, Hwy, ln, lane, ave, avenue, st
   * Can include: state, continent, zip-code, location prefix, address localization, gaps
File Activity Monitoring: Discovery and classification – Audit browser (Quick Search)
File Activity Monitoring: Real-time activity monitoring – FS-TAP
File Activity Monitoring: Quick Search Audit Browser
File Activity Monitoring: Out of the box reports for Activity, Discovery, and Entitlements
Resources
• Product web page
• V10 Overview webcast (includes activity monitoring for files)
• Activity Monitoring for Files Demo on YouTube
• Supported files for FAM
• Blog posting on setting up Windows FS-TAP for monitoring
• Product documentation for FAM (Knowledge Center)
IBM Security Guardium
IBM uses Guardium for Files to analyze and protect source code by monitoring and auditing build servers.
Benefits gained by using Guardium:
• Ease of Use: Installation of Guardium Activity Monitor for Files on a build server in less than 2 minutes
• Low Impact: Runs invisibly with minimal impact to build environments
• Real-time Alerting: Build admin managers immediately notified to take action
• Scalability: Guardium infrastructure easily scaled to support more than 2,000 servers
IBM source code build protection using Guardium Activity Monitor for Files
Real-time monitoring of IBM build environments using Guardium and QRadar
Pipeline: IBM Build Servers with source code (2000+ servers) → IBM Security Guardium Activity Monitor for Files (Attack, Detect) → QRadar SIEM (Alert) → Web Application Portal (Report) → Executive
Diagram labels: Real-time monitoring, Analytics, Alert reporting; Alert detection, Alert generation, Systems mgmt, Custom developed
• Guardium Activity Monitor for Files captures all file access activities: User data, Timestamp, File info, Process info
• QRadar SIEM provides rules based alerting: Anomalies, Thresholds, Correlations, Reference Sets
• Web Application Portal: QRadar Interface, Alert Management, User Action Reporting, Report Management, Build Server Db
100% protection success with no source code loss
Guardium Activity Monitor for Files detects multiple types of source code thefts
Diagram: Build Server with Guardium Monitoring Client; Guardium monitors all file access and File Access Data is sent to the Guardium Appliance (VM); Guardium captures suspicious activity, and suspicious file activity is sent to the QRadar Appliance (VM) for real-time analytics; ALERT generated.
Theft types detected: files emailed; files transferred to unapproved sites; physical theft of files.
Guardium Activity Monitor for Files advantages:
• Ease of Use: Installation of Guardium Activity Monitor for Files on build server < 2 mins
• Low Impact: Runs invisibly with minimal impact to build environments
• Real-time Alerting: Build admin managers immediately notified to take action
• Scalability: Guardium appliance infrastructure supports > 2000 servers
Learn more about IBM Security
• 133 countries where IBM delivers managed security services
• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 10K clients protected including 24 of the top 33 banks in Japan, North America, and Australia
Visit our website: ibm.com/guardium
Watch our videos: https://ibm.biz/youtubeguardium
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity
THANK YOU
www.ibm.com/security