Your Mainframe Environment Is a Treasure Trove: Is Your Sensitive Data Protected?
Data protection with visibility and control
8 August 2017
Peter Mandel, Guardium Product Manager
[email protected]


Attackers break through conventional safeguards every day

$7M: average cost of a U.S. data breach
206 days: average time to identify data breach

2014: 1B+ records breached
2015: Healthcare mega-breaches
2016: 4B+ records breached

Source: IBM X-Force Threat Intelligence Index - 2017

What’s on the inside counts

Your next attacker is likely to be someone you thought you could trust.**

60% of all attacks are caused by insider threats**

**Source: IBM X-Force Research 2016 Cyber Security Intelligence Index

Not all insider threats are created equal

Employees with privileged access to sensitive data carry the greatest risks!

Who represents an insider threat?
• An inadvertent actor
• A malicious employee
• A 3rd party/partner with access to sensitive data (and falls into one of the categories above)

Image Source: IBM X-Force Research 2016 Cyber Security Intelligence Index

How are most companies combating insider threats today?

61% of organizations do not monitor and audit the actions of users with privileges more closely than non-privileged users*

70% of organizations do not have a data security solution that supports entitlement reporting*

*According to a 2015 UBM study of more than 200 organizations

Today’s technologies have eliminated “mainframe isolation”

The increasingly desirable target of the mainframe

80% of all active code runs on the mainframe
80% of enterprise data is housed on the mainframe

Internet, Cloud, Social, Mobile, Big Data, Business Innovation

Key concerns

Mainframe customers are more vulnerable to security incidents:
• 50% concerned with privileged insiders
• 21% concerned with advanced persistent threats
• 29% concerned with web-enabled z/OS apps

“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have significantly impacted security.”
Meenu Gupta, President, Mittal Technologies Inc.

The solution…
• 86% of customers agree that deploying multiple layers of defense provides the best mainframe protection

Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for System z and the Enterprise

Can you prove that privileged users have not inappropriately accessed or jeopardized the integrity of your sensitive customer, financial and employee data?

Data Security best practices

Phases: Discover, Harden, Monitor, Block, Mask

Questions:
• Where is the sensitive data?
• Who should have access?
• What is actually happening?
• How to prevent unauthorized activities?
• How to protect sensitive data to reduce risk?
• How to secure the repository?

Capabilities:
• Discovery, Classification
• Identity & Access Management
• Activity Monitoring
• Blocking, Quarantine
• Masking, Encryption
• Vulnerability Assessment

Comprehensive protection requires watchfulness and control

• Watch sensitive data & data access all the time
• Monitor it everywhere it lives
• Protect against unauthorized access
• Easily review results and monitor your data security heartbeat

Automated analytics can highlight behavioral risks …

Apply machine learning & intelligence to uncover behavioral changes and risks

1. Policy-based, real-time monitoring* reveals behavior patterns over time
2. Analytics run and anomalies are surfaced
3. Anomalies are sent for manual review OR trigger action

*including actions by privileged users

… and specialized threat detection analytics can spot and stop attack symptoms early

• Scan and analyze data to detect symptoms of data repository attacks
• Look for specific patterns of events and behaviors that indicate trouble
• Identify both SQL injections and malicious stored procedures
• Do not rely on attack signature dictionary comparisons (they go out of date quickly)

Drill down on any aspect of a threat

Security challenges specific to the mainframe:

Lack of visibility, Increasing complexity, Ensuring compliance, Rising costs

• Mainframe security administration is typically a manual operation and relies upon old and poorly-documented scripts; highly-skilled mainframe administration resources are limited
• Compliance verification is a manual task with alerts coming only AFTER a problem has occurred, if at all!
• The mainframe is an integral component of many large business services, making managing security threats extremely complex, creating a higher risk to the business
• Mainframe processes, procedures, and reports are often siloed from the rest of the organization

But System z is already secure – why do we need more?

Separation of duties
– Privileged users “need to know” vs abuse or mistake
– Trace-based auditing controlled by privileged users
– System Authorization Facility (SAF) plays a vital role in protection of data on z/OS, but is not tamper-resistant and actionable

Achieving audit readiness is labor-intensive and introduces latency
– RACF lacks sufficient granularity for reporting
– DB2 Audit Trace requires externalization to SMF and customer-provided reporting infrastructure

Real-time event collection
– Batch processing of audit data from external sources prevents real-time alerts

Guardium helps secure mission-critical mainframe data

Guardium extends z Systems data security to provide
• End-to-end access rights management and controls
• Separation of Duty (SOD) with privileged users
• Real-time data activity monitoring and actionable alerts
• Block unauthorized database activities & quarantine at-risk users
• Low monitoring overhead, can be offloaded to zIIP
• Proof points to quickly and efficiently meet audit requirements
• Lower cost and complexity of meeting compliance

Guardium enhances mainframe security intelligence
• Single consolidated view of security events across the entire enterprise
• Bi-directional integration with QRadar, send alerts to Guardium of asset risks such as rogue users and IP addresses
• Machine learning and outlier activities detection, send real-time alerts for investigation
• Enterprise-wide search and forensics investigation of anomalous events

Guardium for System z: Components

• Guardium Collector appliance for System z
  – Securely stores audit data collected on the mainframe
  – Provides analytics, reporting & compliance workflow automation

• Integrated with Guardium enterprise architecture
  – Centralized, cross-platform audit repository for enterprise-wide analytics and compliance reporting across mainframe & distributed environments

• S-TAP (for DB2, IMS or Data Sets) on z/OS event capture
  – Mainframe probe
  – Collects audit data for Guardium appliance
  – Collection profiles managed on the Guardium appliance
  – Extensive filtering available to optimize data volumes and performance
  – Enabled for zIIP processing
  – Audit data streamed to appliance – small mainframe footprint

Guardium for DB2/z protection

• Capture all database activities on DB2 for z/OS, including: SELECTs, DML, DDL, and authorization changes
• Very low performance overhead (typically less than using DB2 traces)
  – zIIP eligible processes
• Flexible filtering: helps manage data volume and performance overhead
• Direct streaming of audit data
• Centralized interaction: goes through the Guardium appliance
• Common event collection: is supported with IBM Query Monitor

Guardium for Datasets protection

• Activity monitoring for files outside of a DBMS: monitor VSAM files, PDS, sequential file access activity
• Why should we monitor data stores outside a DBMS?
  – Sensitive data may be stored in these files
  – DB2 and IMS store data in VSAM files
    • Utilities operate directly on the VSAM LDS files
    • Guardium for Datasets reports when the VSAM LDS files are accessed
  – Monitor and audit configuration files
  – Capture CICS transaction information and identify the CICS sign-on that was used for a specific file access event

Guardium for IMS protection

• Monitor all READ, INSERT, UPDATE and DELETE access to databases and segments
• Applies to IMS Batch and IMS Online regions
• You can select which calls to audit per target
  – For example: all databases, all segments, one DB and one segment of the DB, etc.
  – Each segment can have different calls audited
• When a call is collected, all relevant information is captured: call type, userid, PSB name, DBName, Segment Name, etc.

Pervasive Encryption: Multiple layers of data privacy protection

Layers, from the broadest coverage to the highest complexity & security control:

• Full Disk and Tape Encryption: provide 100% coverage for in-flight & at-rest data with zero host CPU cost
  – Protection against intrusion, tamper or removal of physical infrastructure
• File or Dataset Level Encryption: provide broad coverage for sensitive data using encryption tied to access control for in-flight & at-rest data protection (from unauthorized copying of the files)
  – Broad protection & privacy managed by OS… ability to eliminate storage admins from compliance scope
• Database Encryption: provide protection for sensitive data in-use at DB level, in-flight & at-rest
  – Granular privacy protection from DB privileged user access … selective encryption & key management to control sensitive data access
• App Encryption: hyper-sensitive data
  – Data protection & privacy provided and managed by the application… encryption of sensitive data when lower levels of encryption not available or suitable

Harden DB2/z further with Vulnerability Assessment

Identify key APARs and mis-configured systems

[Screenshot callouts: Filters and Sort Controls; Result History; Current Test Results; Prioritized Breakdown; Detailed Test Results; Detailed Remediation Suggestions]

Chosen by leading organizations worldwide to secure sensitive data

• 5 of the top 5 global banks: protecting access to over $10,869,929,241 in financial assets
• 2 of the top 3 global retailers: safeguarding the integrity of 2.5 billion credit card or personal information transactions per year
• 5 of the top 6 global insurers: protecting more than 100,000 databases with personal and private information
• Top government agencies: safeguarding the integrity of the world’s government information and defense
• 8 of the top 10 telcos worldwide: maintaining the privacy of over 1,100,000,000 subscribers
• 4 of the top 4 global managed healthcare providers: protecting access to 136 million patients’ private information
• The most recognized name in PCs: protecting over 7 million credit card transactions per year

THANK YOU

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.