IBM Security InfoSphere Guardium Tech Talk
Data In/Data Out Integration Options in Guardium
John Haldeman, Practice Lead, Information Insights, LLC
© 2015 IBM Corporation

Logistics
– This tech talk is being recorded. If you object, please hang up and leave the webcast now.
– We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
– You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
– We'll try to answer questions in the chat or address them at the speaker's discretion. If we cannot answer your question, please include your email so we can get back to you.
– When the speaker pauses for questions, we'll go through the existing questions in the chat.

Guardium community on developerWorks
– Right nav: bit.ly/guardwiki

Reminder: Next Guardium Tech Talk
– Next tech talk: The best kept secrets of Guardium supportability
– Speaker: Abdiel Santos, L3 Engineering Manager
– Date and time: Thursday, August 13th, 11:30 AM US Eastern
– Register here: https://ibm.biz/BdXAQr
– Links to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o
– Please submit a comment on this page with ideas for tech talk topics.
Agenda
– Overview of data in
– Overview of data out
– IBM Security Privileged Identity Manager Integration (ISPIM) example use case
– http://xkcd.com/1201/

Data In
Overview of Data In
– Enterprise Integrator
– LDAP
– Universal Feed
– APIs (eg: group member changes)

Enterprise Integrator – Overview
– Import data from databases and hosted flat files

Enterprise Integrator – Process in a Nutshell
1) Datasource
2) Custom table (auto create, or manual)
3) Upload
4) To use the data, add it to a domain (and join if you want/can)

Enterprise Integrator – Internals and Useful Things You Might Not Know About
– The text import uses the HXTT CSV library, which provides options that are undocumented (by Guardium at least). For example:
  – the _CSV_Separator JDBC property changes the CSV separator
  – for Samba shares, you can use domain users by specifying the domain before ";" in the username
– Credit to Jonas Hirner at IBM Germany for pointing HXTT out: https://www.ibm.com/developerworks/mydeveloperworks/blogs/dsco/entry/guardium_enterprise_integrator_advanced_features_of_the_text_database_driver16?lang=en
– Recently added: you can run DML after the upload to help clean things up
– You can use certain variables to import only new data and skip the rest:
  – ^FromDate?^: date of the previous upload
  – ^ToDate?^: date of the currently running upload
  – ^fromID^: max(ID) of the previous upload
  – ^toID^: max(ID) of the current upload

Enterprise Integrator – Some Examples of Use
– Using it for change ticket integration is common
– Using it for external group population is fairly common
– A good method for importing Progress DB audit data into Guardium (and it used to be the method to get iSeries journal entries into it as well, before the iTap)
– Windows system event imports with Snare:
  – https://www.ibm.com/developerworks/community/blogs/DSCOTech/entry/windows_system_events_in_guardium_part_1_cas_or_snare30?lang=en
  – https://www.ibm.com/developerworks/community/blogs/DSCOTech/entry/windows_system_events_in_guardium_part_2_configuring_snare_backlog_and_guardium_to_work_together15?lang=en

LDAP – Overview
– Import data from enterprise directories to populate groups

LDAP – Useful Tips on LDAP Imports
– Guardium's interaction with AD/LDAP is as simple as it gets. Because of that, it pays to use simple, low-level tools to help develop your queries (ldp, for instance).
– Common problem: SQL Server accounts need a domain prefix added before you can use them in reports/policies. Use parameterized LDAP imports (details on the next slide courtesy of Joe DiPietro).

LDAP – Useful Tips on LDAP Imports (parameterized imports)
– Create a group called "-Test1" (type is USER)
– Create another group "-Test1_bindValues" (type OBJECT) with the same group name but with "_bindValues" appended. This identifies which LDAP bind values can be parameterized into the member names when importing these elements into the group.
– Put your "domain" first, then the groups that the users are associated with.
– In my case the "domain" is "vm" and the groups are "userGroup" and "WINS Users".
– "-Test1" group: special case for SQL Server authentication with full domain name definition
  – Domain "VM" is the first position in the group definition
  – "userGroup" and "WINS users" are the groups to search, as the second position
– The results will be in the form "domain"\"LDAP attribute"

Universal Feed – Overview
– Translate a feed to the Universal Feed Protocol
– Big difference with data imports? Real time: it looks like a new STAP
– A good question to ask yourself when choosing UF or Enterprise Integrator: if I'm polling anyway, would batch imports be better/simpler?

Universal Feed – Overview
– The UF feature is an externalized and documented protocol. Documentation:
  – http://www.ibm.com/developerworks/data/library/techarticle/dm-1210universalfeed/
  – http://www.ibm.com/developerworks/data/library/techarticle/dm-1211universalfeed2/
– Examples (other than the Mainframe/IBM i STAPs, which implement a UF variant as well):
  – NEC's Elastic Relational Store implements the UF to work with Guardium.
  – Denodo is actively working on providing a UF implementation for its data virtualization product
  – Bateleur Software developed something for Adabas: http://www.bateleur.co.za/products/adaguard
  – UF feed proxy for Guardium Data Encryption/Vormetric Transparent Encryption: https://github.com/johnhaldeman/GuardDETap. It has been adapted on at least one occasion to show SYSLOG forwarding to Guardium (but it may not be wise to try to make Guardium a SIEM or log aggregator).
  – UF feed proxy for MongoDB (don't use this to monitor MongoDB; STAPs do that now): https://github.com/johnhaldeman/mongoTap

grdAPI and REST APIs
– grdAPIs are primarily used to speed up repetitive tasks, not integration
– REST APIs provide a more convenient interface for applications
– A good use case is pushing group changes to Guardium rather than having Guardium pull in the changes through the Enterprise Integrator
– We already did some tech talks on the APIs:
  – https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf32fc3a2c8cb_4b9c_83e4_09b3c6f60e46/page/InfoSphere%20Guardium%20Tech%20Talk%20%20Using%20Guardium%20APIs%20to%20speed%20deployment%20and%20automate%20repetitive%20tasks
  – https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf32fc3a2c8cb_4b9c_83e4_09b3c6f60e46/page/Take%20a%20RESTful%20look%20at%20InfoSphere%20Guardium%20APIs
– Interesting use case for REST APIs: modifying Guardium policies with QRADAR through SDI: https://ibm.biz/BdXMsK

Data Out
Overview of Data Out
– CSV Exports
– External Feed
– SYSLOG
– REST API

CSV Exports – Overview
– Generate the CSV file with an audit process, then export it

CSV Exports – CSV File Generation

CSV Exports – CSV File Export

CSV Exports – Resultant File

External Feed – Overview
– Run an audit process and pipe the audit process results to a JDBC connection
– Pssst… not to be confused with the Universal Feed; also, it's not really a feed

External Feed – Setup
– Define a feed with a grdAPI: grdapi create_ef_mapping reportName="Sessions List"
– Start the Guardium fileserver and, in the logs section, retrieve the provided table template

External Feed – Setup Continued
– Adjust the template (it comes built for MySQL, so it may require changes)
– Create the table in your target database
– Create a datasource for the target database
– In the audit process builder task, specify the external feed and the datasource
– If required (eg: using a different table name), adjust the feed mapping with grdapi modify_ef_mapping

SYSLOG – Overview

SYSLOG – Registering Receivers
– CLI command: store remotelog

SYSLOG – Customize Message Format

SYSLOG – Three Ways to Send Data
– Policies
– Threshold alerts
– Audit processes

REST Querying – Overview

ISPIM Use Case

Use Case with ISPIM
IBM Security Privileged Identity Manager Integration (ISPIM) example use cases
– Context: What is ISPIM anyway?
– Integration use case: track and identify ownership for shared credentials

ISPIM Primary Features
– Shared credential management and password vault
– Application identity management
– Session recording
– Single sign on

ISPIM – Components and How it Works: Check Out

ISPIM – Components and How it Works: Check In

Integration Use Case – Track and Identify Ownership for Shared Credentials

Populating privileged user (shared credential) groups using LDAP
– In ISPIM, shared credentials are kept in the IBM Security Directory Server
– In our lab environment, that falls under the DN: ou=credentials,ou=credCatalog,erglobalid=00000000000000000000,ou=ii,dc=com
– We know that by browsing to it in ldp

Importing the Shared Credentials into Guardium
– Configuring the LDAP query
– Search filters can be used to limit what shared credentials are pulled in (limiting on credential tag probably makes the most sense for ISPIM)
– Imported users
– Usage of the group in the shared account report

Importing Shared Credential Checkouts
– Configuring the Enterprise Integrator import

Correlating Checkout Events to Sessions
– Not a simple join: it is based on ownership after checkout
– Instead, create a custom column: grdapi create_computed_attribute
– SQL statement for the column (the imported table is in the CUSTOM MySQL database and can be referenced)

Shared Account Ownership in Guardium Reports
– Result: the ownership of the shared account when the connection is initiated is reported on

Direct Export of Data to ISPIM's DB2 Database
– External Feed definition

Direct Export of Data to ISPIM's DB2 Database
– Audit process audit task

Queries without export
– Uses this tool, which takes Guardium REST calls and translates them into XML that Cognos can understand: https://github.com/johnhaldeman/guardiumReportWrapperForCognos
– Notes on how to use it: http://infoinsightsllc.blogspot.ca/2015/04/querying-live-guardium-data-with-cognos.html

Queries without export – Example
http://<host>:<port>/GuardiumJSONtoXML/xmlReport?reportName=Sessions%20List&QUERY_FROM_DATE=NOW+1+week&QUERY_TO_DATE=NOW&SHOW_ALIASES=YES&REMOTE_SOURCE=%25

Queries without export – Configuration in Cognos

Direct Export of Data to ISPIM's DB2 Database or Direct Query through the XML Wrapper: The Data in Cognos

Information, training, and community cheat sheet
– Guardium Tech Talks: at least one per month. Suggestions welcome!
– InfoSphere Guardium YouTube Channel: includes overviews, technical demos, tech talk replays
– developerWorks forum (very active)
– Guardium DAM User Group on LinkedIn (very active)
– Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
– Guardium on IBM Knowledge Center (was Info Center)
– Deployment Guide for InfoSphere Guardium Red Book
– Technical training courses (classroom and self-paced, provided by Business Partners)
– InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.
Thank you
(closing slide with "thank you" in Polish, Traditional Chinese, Thai, Spanish, French, Russian, Arabic, Brazilian Portuguese, German, Swedish, Simplified Chinese, Italian and Japanese)