IBM Security
InfoSphere Guardium Tech Talk
Data In/Data Out
Integration Options in Guardium
John Haldeman, Practice Lead, Information Insights, LLC
© 2015 IBM Corporation
Logistics
• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at the speaker’s discretion.
  – If we cannot answer your question, please include your email so we can get back to you.
• When the speaker pauses for questions:
  – We’ll go through existing questions in the chat
Guardium community on developerWorks
Link in the right nav: bit.ly/guardwiki
Reminder: Next Guardium Tech Talk
Next tech talk: The best kept secrets of Guardium supportability
Speaker: Abdiel Santos, L3 Engineering Manager
Date and time: Thursday, August 13th, 11:30 AM US Eastern
Register here: https://ibm.biz/BdXAQr
• A link to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o
• Please submit a comment on this page with ideas for tech talk topics.
Agenda
• Overview of data in
• Overview of data out
• IBM Security Privileged Identity Manager (ISPIM) integration example use case
http://xkcd.com/1201/
Data In
• Overview of Data In
  – Enterprise Integrator
  – LDAP
  – Universal Feed
  – APIs (eg: group member changes)
Enterprise Integrator – Overview
• Import data from databases and hosted flat files
Enterprise Integrator – Process in a Nutshell
1) Datasource
2) Custom Table (Auto Create, or Manual)
3) Upload
4) To Use the Data – Add it to a Domain (and join if you want/can)
Enterprise Integrator – Internals and Useful Things you Might Not
Know About
• The text import uses the HXTT CSV library, which provides options that are undocumented (by Guardium at least).
• For example:
  – the _CSV_Separator JDBC property changes the CSV separator
  – for Samba shares, you can use domain users by specifying the domain before “;” in the username
• Credit to Jonas Hirner at IBM Germany for pointing HXTT out:
  – https://www.ibm.com/developerworks/mydeveloperworks/blogs/dsco/entry/guardium_enterprise_integrator_advanced_features_of_the_text_database_driver16?lang=en
Enterprise Integrator – Internals and Useful Things you Might Not
Know About
• Recently added: you can run DML after the upload to help clean things up
Enterprise Integrator – Internals and Useful Things you Might Not
Know About
• You can use certain variables to only import new data and skip the rest:
  – ^FromDate?^: date of the previous upload
  – ^ToDate?^: date of the currently running upload
  – ^fromID^: max(ID) of the previous upload
  – ^toID^: max(ID) of the current upload
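The following is an added example, not code from the slides or from Guardium, showing what those variables buy you and the one edge case worth knowing before you pick a date window over an ID window. It assumes that Guardium substitutes each ^...^ placeholder into the datasource SQL as a literal before each upload (the substitute() function stands in for that step); the change_tickets table and its rows are constructed for the example, and the variable names are spelled exactly as on the slide.

```python
"""Incremental Enterprise Integrator-style upload window.

Added example, not Guardium code. Guardium substitutes its ^...^ variables into
the datasource SQL before each upload; substitute() below stands in for that
step (assumed semantics: the previous run's high-water marks and the current
run's bounds are inserted as literals). The change_tickets table is constructed.
"""
import sqlite3

# Constructed source rows as they exist at the time of the FIRST upload.
INITIAL_TICKETS = [
    (1, "CHG-1001", "2015-08-01 09:00:00"),
    (2, "CHG-1002", "2015-08-01 17:30:00"),
    (3, "CHG-1003", "2015-08-01 17:30:00"),  # same timestamp as ticket 2
]
# Rows that commit between the first and second upload. Ticket 5 is a
# long-running transaction whose timestamp equals run 1's upper bound.
LATE_TICKETS = [
    (4, "CHG-1004", "2015-08-02 08:15:00"),
    (5, "CHG-1005", "2015-08-01 17:30:00"),
]

# Datasource SQL as you would type it into the custom table upload, with the
# variable names exactly as on the slide (the '?' is part of the name there).
UPLOAD_SQL_BY_DATE = (
    "SELECT id, ticket, modified FROM change_tickets "
    "WHERE modified > '^FromDate?^' AND modified <= '^ToDate?^' ORDER BY id"
)
UPLOAD_SQL_BY_ID = (
    "SELECT id, ticket, modified FROM change_tickets "
    "WHERE id > ^fromID^ AND id <= ^toID^ ORDER BY id"
)


def substitute(sql, marks):
    """Replace each ^name^ placeholder with its literal value (assumed to mirror
    what Guardium does before sending the query to the datasource)."""
    for name, value in marks.items():
        sql = sql.replace("^%s^" % name, str(value))
    return sql


def make_source(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE change_tickets (id INTEGER PRIMARY KEY, ticket TEXT, modified TEXT)"
    )
    conn.executemany("INSERT INTO change_tickets VALUES (?, ?, ?)", rows)
    return conn


def simulate(template, run1_marks, run2_marks):
    """Run two consecutive uploads and return the ticket IDs each one imported."""
    conn = make_source(INITIAL_TICKETS)
    first = [r[0] for r in conn.execute(substitute(template, run1_marks))]
    conn.executemany("INSERT INTO change_tickets VALUES (?, ?, ?)", LATE_TICKETS)
    second = [r[0] for r in conn.execute(substitute(template, run2_marks))]
    return first, second


def by_date():
    """Date window: run 2 starts strictly after run 1's ^ToDate?^, so the late
    row stamped exactly on that boundary is never imported."""
    return simulate(
        UPLOAD_SQL_BY_DATE,
        {"FromDate?": "1970-01-01 00:00:00", "ToDate?": "2015-08-01 17:30:00"},
        {"FromDate?": "2015-08-01 17:30:00", "ToDate?": "2015-08-02 23:59:59"},
    )


def by_id():
    """ID window: a monotonic key has no boundary ambiguity, so both late rows
    are picked up by the second run."""
    return simulate(
        UPLOAD_SQL_BY_ID,
        {"fromID": 0, "toID": 3},
        {"fromID": 3, "toID": 5},
    )


if __name__ == "__main__":
    print("by date:", by_date())  # ([1, 2, 3], [4]) - ticket 5 silently missed
    print("by id:  ", by_id())    # ([1, 2, 3], [4, 5])
```

The lesson for change-ticket or audit-record imports: prefer the ^fromID^/^toID^ pair when the source has a monotonic key, because a row that commits late with a timestamp on the previous run's boundary is lost for good under a strict date window, and a non-strict one double-imports the boundary rows instead.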
Enterprise Integrator – Some Examples of Use
• Using it for change ticket integration is common
• Using it for external group population is fairly common
• A good method for importing Progress DB audit data into Guardium (and it used to be the method to get iSeries journal entries into it as well, before the iTap)
• Windows system event imports with Snare
  – https://www.ibm.com/developerworks/community/blogs/DSCOTech/entry/windows_system_events_in_guardium_part_1_cas_or_snare30?lang=en
  – https://www.ibm.com/developerworks/community/blogs/DSCOTech/entry/windows_system_events_in_guardium_part_2_configuring_snare_backlog_and_guardium_to_work_together15?lang=en
LDAP – Overview
• Import data from enterprise directories to populate groups
LDAP – Useful Tips on LDAP Imports
• Guardium’s interaction with AD/LDAP is as simple as it gets; because of that, you can use simple, low-level tools to help develop your queries, ldp for instance
• Common problem with SQL Server accounts: you need to add a domain prefix to the accounts before you can use them in reports/policies. Use parameterized LDAP imports (details on the next slide courtesy of Joe DiPietro)
LDAP – Useful Tips on LDAP Imports
• Create a group called “-Test1” (type is USER)
• Create another group “-Test1_bindValues” (type OBJECT): the same group name with “_bindValues” added to it
• This will identify which LDAP bind values can be parameterized into the member names when importing these elements into the group
• Put your "domain" first, then put in the groups that the users are associated with. In my case the “domain" is "vm" and the groups are "userGroup" and "WINS Users"
Screenshot callouts:
  – “-Test1” group: special case for SQL Server authentication with full domain name definition
  – Domain “VM” is the first position in the group definition
  – “userGroup” and “WINS users” are the groups to search, in the second position
  – This will be your result: “domain”\“LDAP Attribute”
Universal Feed – Overview
• Translate a feed to the Universal Feed Protocol
• Big difference from data imports? Real time: it looks like a new STAP
• A good question to ask yourself when choosing UF or Enterprise Integrator: if I’m polling anyway, would batch imports be better/simpler?
Universal Feed – Overview
• The UF feature is an externalized and documented protocol
• Documentation:
  – http://www.ibm.com/developerworks/data/library/techarticle/dm-1210universalfeed/
  – http://www.ibm.com/developerworks/data/library/techarticle/dm-1211universalfeed2/
• Examples (other than the Mainframe/IBM i STAPs, which implement a UF variant as well):
  – NEC’s Elastic Relational Store implements the UF to work with Guardium.
  – Denodo is actively working on providing a UF implementation for its data virtualization product
  – Bateleur Software developed something for Adabas
    • http://www.bateleur.co.za/products/adaguard
  – UF Feed Proxy for Guardium Data Encryption/Vormetric Transparent Encryption
    • https://github.com/johnhaldeman/GuardDETap
    • Has been adapted on at least one occasion to show SYSLOG forwarding to Guardium (but it may not be wise to try to make Guardium a SIEM or log aggregator)
  – UF Feed Proxy for MongoDB (don’t use this to monitor MongoDB – STAPs do that now):
    • https://github.com/johnhaldeman/mongoTap
grdAPI and REST APIs
grdAPI and REST APIs
• grdAPIs are primarily used to speed up repetitive tasks, not integration
• REST APIs provide a more convenient interface for applications
• A good use case is pushing group changes to Guardium rather than having Guardium pull in the changes through the Enterprise Integrator
• We already did some tech talks on the APIs:
  – https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf32fc3a2c8cb_4b9c_83e4_09b3c6f60e46/page/InfoSphere%20Guardium%20Tech%20Talk%20%20Using%20Guardium%20APIs%20to%20speed%20deployment%20and%20automate%20repetitive%20tasks
  – https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf32fc3a2c8cb_4b9c_83e4_09b3c6f60e46/page/Take%20a%20RESTful%20look%20at%20InfoSphere%20Guardium%20APIs
• Interesting use case for REST APIs: modifying Guardium policies with QRadar through SDI
  – https://ibm.biz/BdXMsK
Data Out
• Overview of Data Out
  – CSV Exports
  – External Feed
  – SYSLOG
  – REST API
CSV Exports – Overview
• Generate the CSV file with an audit process, then export it
CSV Exports – CSV File Generation
CSV Exports – CSV File Export
CSV Exports – Resultant File
External Feed – Overview
• Run an audit process and pipe the audit process results to a JDBC connection
• Pssst… not to be confused with the Universal Feed – also, it’s not really a feed
External Feed – Setup
• Define a feed with a grdAPI:
  – grdapi create_ef_mapping reportName="Sessions List"
• Start the Guardium fileserver and, in the logs section, retrieve the provided table template
• Adjust the template (it comes built for MySQL, so it may require changes)
• Create the table in your target database
• Create a datasource for the target database
• In the audit process builder task, specify the external feed and the datasource
• If required (eg: using a different table name), adjust the feed mapping with
  – grdapi modify_ef_mapping
SYSLOG – Overview
SYSLOG – Registering Receivers
• CLI command: store remotelog
SYSLOG
• Customize message format
SYSLOG – Three Ways to Send Data
• Policies
• Threshold alerts
• Audit processes
REST Querying – Overview
ISPIM Use Case
Use Case with ISPIM
• IBM Security Privileged Identity Manager (ISPIM) integration example use cases
  – Context: what is ISPIM anyway?
  – Integration use case: track and identify ownership for shared credentials
• ISPIM primary features
  – Shared credential management and password vault
  – Application identity management
  – Session recording
  – Single sign on
ISPIM – Components and How it Works: Check Out
ISPIM – Components and How it Works: Check In
Integration Use Case – Track and Identify Ownership for Shared Credentials
Populating privileged user (shared credential) groups using LDAP
• In ISPIM, shared credentials are kept in the IBM Security Directory Server
• In our lab environment, that falls under the DN: ou=credentials,ou=credCatalog,erglobalid=00000000000000000000,ou=ii,dc=com
• We know that by browsing to it in ldp:
Importing the Shared Credentials into Guardium
• Configuring the LDAP query
• Search filters can be used to limit what shared credentials are pulled in (limiting on credential tag probably makes the most sense for ISPIM)
Importing the Shared Credentials into Guardium
• Imported users
Importing the Shared Credentials into Guardium
• Usage of the group in the shared account report:
Importing Shared Credential Checkouts
• Configuring the Enterprise Integrator import
Correlating Checkout Events to Sessions
• Not a simple join: ownership depends on which checkout was active when the session started. Instead, create a custom column
• grdapi create_computed_attribute
• SQL statement for the column (the imported table is in the CUSTOM MySQL database and can be referenced)
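Added example, not code from the slides, Guardium or ISPIM: the correlation logic the computed column has to express, run against constructed data so you can see why a plain join is wrong. The ispim_checkouts table stands in for the custom table imported from ISPIM and the sessions table for Guardium's session data (both constructed); OWNER_SQL is the shape of the per-row lookup, and the grdapi syntax for attaching it as a computed attribute is not shown.

```python
"""Attribute a database session to the ISPIM shared-credential checkout that was
active when the session began.

Added example, not Guardium or ISPIM code. Both tables are constructed: the
checkout table stands in for the Enterprise Integrator custom table imported
from ISPIM, the sessions table for Guardium's session data. The correlated
subquery in OWNER_SQL is the shape of logic the computed attribute needs;
the grdapi syntax for wiring it in is not shown here.
"""
import sqlite3

# Constructed ISPIM checkout history: who held which shared credential, and
# when they checked it back in (NULL = still checked out).
CHECKOUTS = [
    ("sa", "alice", "2015-08-01 09:00:00", "2015-08-01 12:00:00"),
    ("sa", "bob", "2015-08-01 13:00:00", None),
    ("appadmin", "carol", "2015-08-01 08:00:00", "2015-08-01 18:00:00"),
]

# Constructed Guardium sessions: login with the shared DB user at a given time.
SESSIONS = [
    (101, "sa", "2015-08-01 09:30:00"),        # during alice's checkout
    (102, "sa", "2015-08-01 12:30:00"),        # after alice checked in, before bob
    (103, "sa", "2015-08-01 14:00:00"),        # during bob's (open) checkout
    (104, "appadmin", "2015-08-01 07:00:00"),  # before anyone checked it out
    (105, "appadmin", "2015-08-01 10:00:00"),  # during carol's checkout
]

# Latest checkout of this credential that began at or before the login and
# had not been checked in yet. A plain join on credential would return every
# historical holder; the ordering plus LIMIT 1 picks the one that was active.
OWNER_SQL = """
SELECT owner FROM ispim_checkouts
WHERE credential = :db_user
  AND checkout_ts <= :login_ts
  AND (checkin_ts IS NULL OR checkin_ts >= :login_ts)
ORDER BY checkout_ts DESC
LIMIT 1
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ispim_checkouts (credential TEXT, owner TEXT, "
        "checkout_ts TEXT, checkin_ts TEXT)"
    )
    conn.execute("CREATE TABLE sessions (session_id INTEGER, db_user TEXT, login_ts TEXT)")
    conn.executemany("INSERT INTO ispim_checkouts VALUES (?, ?, ?, ?)", CHECKOUTS)
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SESSIONS)
    return conn


def owner_at(conn, db_user, login_ts):
    """Return the ISPIM owner of db_user at login_ts, or None if nobody had it
    checked out (a session that bypassed the vault, or a stale import)."""
    row = conn.execute(OWNER_SQL, {"db_user": db_user, "login_ts": login_ts}).fetchone()
    return row[0] if row else None


def ownership_report(conn):
    """Per-session rows as the Guardium report would show them with the
    computed owner column appended."""
    rows = conn.execute("SELECT session_id, db_user, login_ts FROM sessions ORDER BY session_id")
    return [(sid, user, ts, owner_at(conn, user, ts)) for sid, user, ts in rows.fetchall()]


def unowned_sessions(report):
    """Sessions with no matching checkout are the ones to alert on: the shared
    credential was used outside ISPIM's control."""
    return [sid for sid, _user, _ts, owner in report if owner is None]


if __name__ == "__main__":
    report = ownership_report(build_db())
    for row in report:
        print(row)
    print("unowned:", unowned_sessions(report))  # [102, 104]
```

Two things to carry over when you write the real column: keep the open-checkout case (checkin_ts NULL) in the predicate, otherwise the current holder never matches, and treat a session with no owner as a finding rather than an empty cell, because it means the shared account was used without going through the vault.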
Shared Account Ownership in Guardium Reports
• Result: ownership of the shared account when the connection is initiated is reported on
Direct Export of Data to ISPIM’s DB2 Database
• External feed definition:
Direct Export of Data to ISPIM’s DB2 Database
• Audit process audit task:
Queries without export
• Uses this tool, which takes Guardium REST calls and translates them into XML that Cognos can understand:
  – https://github.com/johnhaldeman/guardiumReportWrapperForCognos
• Notes on how to use it:
  – http://infoinsightsllc.blogspot.ca/2015/04/querying-live-guardium-data-with-cognos.html
Queries without export - Example
• http://<host>:<port>/GuardiumJSONtoXML/xmlReport?reportName=Sessions%20List&QUERY_FROM_DATE=NOW+1+week&QUERY_TO_DATE=NOW&SHOW_ALIASES=YES&REMOTE_SOURCE=%25
Queries without export – Configuration in Cognos
Direct Export of Data to ISPIM’s DB2 Database or Direct Query
through the XML Wrapper:
• The data in Cognos
Information, training, and community cheat sheet
• Guardium Tech Talks – at least one per month. Suggestions welcome!
• InfoSphere Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
• developerWorks forum (very active)
• Guardium DAM User Group on LinkedIn (very active)
• Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
• Guardium on IBM Knowledge Center (was Info Center)
• Deployment Guide for InfoSphere Guardium Red Book
• Technical training courses (classroom and self-paced, provided by Business Partners)
• InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.
Thank you