IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.

1. Guardium Database Monitoring & Protection
Karl Wehden
IBM Infosphere Worldwide Data Governance Team
28 September 2010
1 © 2009 IBM Corporation

2. Guardium Value Proposition:
Continuously Monitor Access to High-Value Databases to …
1. Prevent data breaches
 Mitigate external & internal threats
2. Assure data governance
 Prevent unauthorized
changes to sensitive data
3. Reduce cost of compliance
 Automate & centralize controls
→ Across DBMS platforms & applications
→ Across SOX, PCI, SAS70, …
 Simplify processes
© 2009 IBM Corporation

3. Perimeter Defenses No Longer Sufficient
“A fortress mentality will not work in cyber. We
cannot retreat behind a Maginot Line of firewalls.”
- William J. Lynn III,
U.S. Deputy Defense Secretary
Insiders
(DBAs, developers,
outsourcers, etc.)
Outsourcing Stolen
Credentials
Web-Facing Apps (Zeus, etc.)
Legacy App
Integration/SOA
Employee Self-Service,
Partners & Suppliers
3 © 2009 IBM Corporation

4. Defense in Depth Strategy for Privacy and Security:
User access monitoring
Prevention of unauthorized access
Production data encryption
Unstructured data redaction
Non-production data masking
Archiving and retention compliance
4 © 2009 IBM Corporation

5. Balanced Control Objectives
Visibility into Risk Costs Money:
• The Introduction of unchecked detective controls can introduce significant cost
• The lack of detective controls can create a comfortably underestimated level of risk
• Evaluate the total cost of Control introduction:
– Operational Cost
– Risk mitigation cost
– Risk Avoidance benefit
– Model out for longer than the benefit of the tools selected
5 © 2009 IBM Corporation

6. Top Data Protection Challenges
© 2009 IBM Corporation

7. “Largest Hacking Case Ever Prosecuted”
Stephen “Maksik”
Albert Watt, author
Gonzalez, Yastremskiy
of “blabla” : 30 years in
aka sniffer: 2
soupnazi Turkish
years in prison
prison &
$170M in
restitution
• Gonzalez sentenced to xx years for Operation Get Rich or Die Tryin’
– Heartland, 7-Eleven, Hannaford: Stole 130M cards via SQL injection, network
reconnaissance, malware, sniffers
– Dave & Buster’s: Stole admin password file from POS service provider
– TJX, OfficeMax + 6 other retailers: Stole 40M cards via SQL injection & war driving
 Aided by former Barclay’s network security manager (“healthy childhood, white-collar success”)
– San Diego case: International ring (Ukraine, Estonia, PRC, Philippines, Thailand)
 “Maksik” Yastremskiy sentenced to 30 years in Turkish prison; hacked 11 Turkish banks
• “Our most formidable challenge is getting companies to detect they have been
compromised ...” Kimberly Kiefer Peretti, senior counsel, DoJ
7 © 2009 IBM Corporation

8. Chosen by Leading Organizations Worldwide
• 5 of the top 5 global banks • Top government agencies
• 2 of the top 3 global retailers • Top 3 auto maker
• 4 of the top 6 global insurers • #1 dedicated security company
• 2 of the world’s favorite beverage brands • Leading energy suppliers
• The most recognized name in PCs • Major health care providers
• 25 of the world’s leading telcos • Media & entertainment brands
© 2009 IBM Corporation

9. Key Drivers for Guardium
• SOX (Health Care payers)
– Prevent unauthorized changes to financial data
• Consumer privacy
– Prevent unauthorized viewing of personal data, especially by privileged users
(DBAs, developers, outsourcers)
– New Massachusetts law requires monitoring controls to be in place for all
Personally Identifiable Information (PII)
– HITECH adds teeth to HIPAA regulations
• PCI
– Track and monitor all access to cardholder data (Req.10)
– Protect stored cardholder data (Req. 3)
– Identify unpatched systems & enforce change controls (Req. 6)
– Compensating control for network segmentation (Req. 7) & column-level
encryption (Req. 3)
• Cost savings
– Streamline compliance with automated & centralized controls
– < 6 months payback (typical)
© 2009 IBM Corporation

10. Addressing the Full Database Security Lifecycle
Monitor Audit
& &
Enforce Report
Critical
Data
Infrastructure
Discover Assess
& &
Classify Harden
10 © 2009 IBM Corporation

11. Real-Time Database Security & Monitoring
SQL
DB2 Server
• Non-invasive architecture • Enforces separation of duties
• Outside database • Does not rely on DBMS-resident logs that can
• Minimal performance impact (2-3%) easily be erased by attackers or rogue insiders
• No DBMS or application changes • Granular, real-time policies & auditing
• Cross-DBMS solution • Who, what, when, how
• Automated compliance reporting, sign-offs &
• 100% visibility including local DBA access escalations (SOX, PCI, NIST, etc.)
© 2009 IBM Corporation

12. Scalable Multi-Tier Architecture
Integration with LDAP/
AD, IAM,
change management,
SIEM, archiving, …
© 2009 IBM Corporation

13. © 2009 IBM Corporation

14. Thank You!
© 2009 IBM Corporation

15. IBM/Guardium vs. Oracle Database Security
Oracle Database Vault,
Oracle Audit Vault IBM/Guardium
Heterogeneous support
Minimal performance impact or changes
Enforces Separation of Duties (SoD)
Real-time monitoring & alerting
Extrusion/data leakage monitoring
Application monitoring (EBS, PeopleSoft, SAP, etc.)
Reduces DBA workload
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
© 2009 IBM Corporation

16. Appendix
16 © 2009 IBM Corporation

17. Blue Cross Blue Shield Case Study
• Who: BCBS organization with 475,000 members
• Need: Secure financial data for SOX; secure patient data for HIPAA; adhere to NIST
– Monitor all access to critical databases, including access by privileged users
– Create a centralized audit trail for all database systems
– Produce detailed compliance reports for auditors
– Implement proactive security via real-time alerts
• Environment:
– Oracle, SQL Server 2003/2005, IBM DB2, Sybase
– AIX & Windows
– LDAP & Microsoft MOM
• Alternatives considered
– Native logging: Rejected due to performance overhead & need for centralized management
– Application Security Inc (AppSec): Preferred Guardium’s appliance model
• Results:
– Monitoring 130 database instances on 100 servers (3 week implementation)
– Guardium helped client to interpret regulations and implement policies
– Integrated with Tivoli Storage Manager (TSM) for archiving of audit data
17 © 2009 IBM Corporation

18. Global Manufacturer with 239% ROI
• Who: F500 consumer food manufacturer ($15B revenue)
• Need: Secure SAP & Siebel data
– Enforce change controls & implement consistent auditing across platforms
Commissioned Forrester
• Environment: Consulting Case Study
– SAP, Siebel, Manugistics, IT2 + 21 other Key Financial Systems (KFS)
– Oracle & IBM DB2 on AIX; SQL Server on Windows
• Results: 239% ROI & 5.9 months payback, plus:
– Proactive security: Real-time alert when changes made to critical tables
– Simplified compliance: Passed 4 audits (internal & external)
 “The ability to associate changes with a ticket number makes our job a lot easier …
which is something the auditors ask about.” [Lead Security Analyst]
– Strategic focus on data security
 “There’s a new and sharper focus on database security within the IT organization.
Security is more top-of-mind among IT operations people and other staff such as
developers.”
© 2009 IBM Corporation

19. Safeguarding Customer Information for Washington
Metropolitan Area Transit Authority (Metro)
• Who: Operates 2nd largest U.S. rail transit system and transports
more than a third of the federal government to work
• Need: Metro needed to safeguard sensitive customer data and simplify compliance
with PCI-DSS -- without impacting performance or changing database configurations
– Protecting customer data
– Passing audits more quickly and easily
– Monitoring for potential fraud in PeopleSoft system
• Environment:
– More than 9 million transactions per year (Level 1 merchant)
– Complex, multi-tier heterogeneous environment
• Alternatives considered: Native logging and auditing impractical
• Customer Impact: “Our customers trust us to transport them safely and safeguard
their personal information.”
– “We looked at native DBMS logging and auditing, but it’s impractical because of its high overhead,
especially when you’re capturing every SELECT in a high-volume environment like ours. In addition,
native auditing doesn’t enforce separation of duties or prevent unauthorized access by privileged
insiders.”
19 © 2009 IBM Corporation

20. How Does Guardium Complement Tivoli?
• Guardium is part of the “Data and Information”
layer of the IBM Security Framework
• Integrates with Tivoli Security & Information
Event Manager (TSIEM) for sharing of policy
violation alerts & selected log information
• Use TSIEM for:
– Collecting logs & events from wide range of systems
(UNIX, Windows, z/OS, firewalls, etc.)
– Enterprise-wide dashboard & reports; correlation
• Use Guardium for:
– All database-related security & compliance functions:
real-time monitoring & auditing (including privileged
user monitoring), vulnerability assessment, data
discovery, configuration auditing, compliance
reporting & workflow automation
– Feeding policy violations & audit logs to TSIEM
20 © 2009 IBM Corporation

21. IBM Acquires Guardium (11/30/09)
• Joining IBM's Information Management business
• Why Guardium? Unique ability to:
 Safeguard critical enterprise information
 Reduce operational costs by automating compliance processes
 Simplify governance with centralized policies for heterogeneous infrastructures
 Continuously monitor access and changes to high-value databases
• Trusted information lies at the center of today’s business
transformations
 Guardium enables organizations to maintain trusted information infrastructures
 Business analytics and trusted information drive smarter business outcomes
 This supports IBM’s vision of creating a Smarter Planet: Smarter energy,
smarter healthcare, smarter cities, smarter finance, smarter IT, and more
© 2009 IBM Corporation

22. How Guardium Fits with IBM’s IM Portfolio: Governance
Optim
InfoSphere
Relating Governing Guardium Mastering
Information Information Information
Integrating
Information
22 © 2009 IBM Corporation

23. How Guardium Fits with IBM’s Security Portfolio
Tivoli Identity Manager, Access Manager, zSecure, SIEM, …
Guardium DB Monitoring, Optim TDM & DP, AME, SIEM, …
Rational AppScan, Ounce Suite, WebSphere DataPower, …
Server Protection, Network Intrusion Prevention System (IPS, …
23 © 2009 IBM Corporation

24. PCI Compliance for McAfee.com
• Who: World’s largest dedicated security company
• Need: Safeguard millions of PCI transactions
– Maintain strict SLAs with ISP customers (Comcast, COX, etc.)
– Automate PCI controls
• Environment: Guardium deployed in less than 48 hours
– Multiple data centers; clustered databases
– Integrated with ArcSight SIEM
– Expanding coverage to SAP systems for SOX
• Previous Solution: Central database audit repository with native DBMS logs
– Massive data volumes; performance & reliability issues; SOD issues
• Results:
– “McAfee needed a solution with continuous real-time visibility into all sensitive
cardholder data – in order to quickly spot unauthorized activity and comply with PCI-
DSS – but given our significant transaction volumes, performance and reliability
considerations were crucial.”
– “We were initially using a database auditing solution that collected information from
native DBMS logs and stored it in an audit repository, but granular logging significantly
impacted our database servers and the audit repository was simply unable to handle
the massive transaction volume generated by our McAfee.com environment.”
© 2009 IBM Corporation

25. Financial Services Firm with 1M+ Sessions/Day
• Who: Global NYSE-traded company with 75M customers
• Need: Enhance SOX compliance & data governance
– Phase 1: Monitor all privileged user activities, especially DB changes.
– Phase 2: Focus on data privacy.
• Environment: 4 data centers managed by IBM Global Services
– 122 database instances on 100+ servers
– Oracle, IBM DB2, Sybase, SQL Server on AIX, HP-UX, Solaris, Windows
– PeopleSoft plus 75 in-house applications
• Alternatives considered: Native auditing
– Not practical because of performance overhead; DB servers at 99% capacity
• Results: Now auditing 1M+ sessions per day (GRANTs, DDL, etc.)
– Caught DBAs accessing databases with Excel & shared credentials
– Producing daily automated reports for SOX with sign-off by oversight teams
– Automated change control reconciliation using ticket IDs
– Passed 2 external audits
© 2009 IBM Corporation

26. Securing Customer Data for European Telco
• Who: Global telco with 70M mobile customers; €30B revenue.
• Need: Ensure privacy of call records for compliance with data privacy laws.
– Phase 1: Safeguard OSS systems
– Phase 2: Safeguard BSS systems
• Environment: 15 heterogeneous, geographically-distributed data centers
– Oracle, SQL Server, Informix, Sybase
– HP-UX, HP Tru64, Solaris, Windows, UNIX
– SAP, Remedy plus in-house applications (billing, Web portal, etc.)
• Alternatives considered: Native auditing; Oracle Audit Vault.
– Not practical because of performance overhead; lack of granularity;
non-support for older versions; need for multi-DBMS support.
• Results:
– Deployed to 12 initial data centers in only 2 weeks!
– Now auditing all traffic in high-traffic environment; centrally managed.
– Passed several external audits
– Future plans: Implement application user monitoring; 2-factor authentication; expand scope to
other applications.
© 2009 IBM Corporation

27. Simplifying Enterprise Security for Dell
• Need:
– Improve database security for SOX, PCI & SAS70
– Simplify & automate compliance controls
• Guardium Deployment: Published case study in Dell Power Solutions
– Phase 1: Deployed to 300 DB servers in 10 data centers
(in 12 weeks)
– Phase 2: Deployed to additional 725 database servers
• Environment :
– Oracle & SQL Server on Windows, Linux; Oracle RAC, SQL Server clusters
– Oracle EBS, JDE, Hyperion plus in-house applications
• Previous Solution: Native logging (MS) or auditing (Oracle) with in-house scripts
– Supportability issues; DBA time required; massive data volumes; SOD issues.
• Results: Automated compliance reporting; real-time alerting; centralized
cross-DBMS policies; closed-loop change control with Remedy integration
– Guardium “successfully met Dell’s requirements without causing outages to any databases;
produced a significant reduction in auditing overhead in databases.”
© 2009 IBM Corporation

28. Addressing the Full Database Security Lifecycle
Monitor Audit
& &
Enforce Report
Critical
Data
Infrastructure
Discover Assess
& &
Classify Harden
28 © 2009 IBM Corporation

29. Granular Policies with Detective & Preventive Controls
Application Database
Server Server
10.10.9.244 10.10.9.56
© 2009 IBM Corporation

30. Enforcing Change Control Policies
Tag DBA actions with ticket IDs
Compare observed changes to
approved changes
Identify unauthorized
changes (red)
or changes with
invalid ticket IDs
© 2009 IBM Corporation
30

31. Auditing Database Configuration Changes
• Tracks changes to files, environment variables, registry
settings, scripts, etc. that can affect security posture
• 200+ pre-configured, customizable templates for all major
OS/DBMS configurations
31 © 2009 IBM Corporation

32. Cross-DBMS, Data-Level Access Control (S-GATE)
Application
 Cross-DBMS policies
Servers SQL Oracle,  Block privileged user actions
DB2,
Privileged  No database changes
MySQL,
Users Sybase,
etc.
 No application changes
Issue SQL
S-GATE  Without risk of inline
Hold SQL appliances that can interfere
Outsourced DBA Connection terminated
with application traffic
Check
Policy
On
Appliance
Policy Violation:
Drop
Connection
Session Terminated
© 2009 IBM Corporation

33. Discovering & Classifying Sensitive Data
 Discover databases
 Discover sensitive data
 Policy-based actions
 Alerts
 Add to group of
sensitive objects
33 © 2009 IBM Corporation

34. Identifying Fraud at the Application Layer
Joe Marc
• Issue: Application server uses generic service account
to access DB
– Doesn’t identify who initiated transaction
(connection pooling)
• Solution: Guardium tracks access to application user
User associated with specific SQL commands
(Generic) – Out-of-the-box support for all major enterprise
applications (Oracle EBS, PeopleSoft, SAP, Siebel,
Application Business Objects, Cognos…) and custom
Database
Server applications (WebSphere …)
Server
– No changes required to applications
– Deterministic tracking of user IDs
 Does not rely on time-based “best-guess”
34 © 2009 IBM Corporation

35. Automated Sign-offs & Escalations for Compliance
• Automates entire compliance workflow
• Report distribution to oversight team
• Electronic sign-offs
• Escalations
• Comments & exception handling
• Addresses auditors’ requirements to document oversight processes
• Results of audit process stored with audit data in secure audit repository
• Streamlines and simplifies compliance processes
© 2009 IBM Corporation

36. Database Servers = Majority of Compromised Records
SQL injection
played a role in
79% of records
compromised
during 2009
breaches
2009 Data Breach Report from Verizon Business RISK Team
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
© 2009 IBM Corporation