IBM Security Guardium

Autonomous Guard

By ODED SOFER posted Fri March 20, 2020 02:52 AM


The new “Risk Spotter” feature uses information gathered from various Guardium components, together with its holistic algorithm to provide a new look at risk. It quantifies the potential risk posed by specific users, and auto-tunes the Security Policies accordingly.

Risk Spotter automates the following flow:

  1. Monitoring the Load of all of the Guardium systems in your environment to determine how many users can be tracked more closely.
  2. Top Risky Assessment of the top N users (default = 50) by taking all the risk factors into consideration, such as violations, vulnerabilities, access to sensitive data, type of commands executed (DML, DDL, System, etc.), data volume accessed, working hours (off hours, weekend, holiday…), and outlier mining findings.
     Note: The risk factor is the potential risk, i.e., the user may behave normally, without specific suspicious actions, but the risk can still be high owing to the commands executed, access to sensitive data, working hours and so on.
  3. Smart Sampling monitors “under the radar” users, identifying potentially risky users across your entire system.
  4. Tagging the Top Risky Users and the new Sampled Users. The tagged users are covered by a specific Security Policy that auto-tracks them more closely.
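The four-step flow above, as an added illustrative model (not Guardium's own code or scoring): the weights, the load-to-budget rule and the sample users are all constructed assumptions, chosen only to show how a user with no violations can still rank as top risk, and how sampling reaches users the top-N cut would miss.

```python
import random

# Constructed, illustrative weights for the risk factors the post lists.
# These are NOT Guardium's real weights; they only model "potential risk".
WEIGHTS = {
    "violations": 3.0,          # policy violations observed
    "vulnerabilities": 2.0,     # vulnerability assessment findings on DBs used
    "sensitive_access": 4.0,    # 1 if the user touches sensitive data
    "ddl_or_system_cmds": 2.5,  # count of DDL / system commands executed
    "gb_accessed": 0.5,         # data volume accessed
    "off_hours_sessions": 1.5,  # sessions outside working hours
    "outlier_findings": 3.0,    # outlier-mining hits
}

def tracking_budget(collector_load_pct, default_top_n=50, max_load_pct=80):
    """Step 1 (hypothetical rule): shrink the number of closely tracked users
    as the busiest collector approaches its load ceiling."""
    busiest = max(collector_load_pct)
    if busiest >= max_load_pct:
        return 0
    return round(default_top_n * (1 - busiest / max_load_pct))

def risk_score(user):
    """Step 2: weighted sum of potential-risk factors. A user with no
    violations can still score high (e.g. a DBA running DDL off hours)."""
    return sum(w * float(user.get(k, 0)) for k, w in WEIGHTS.items())

def spot_risk(users, top_n, sample_size, seed=0):
    """Steps 2-4: rank users, take the top N, sample "under the radar"
    users from the rest, and return the set that gets tagged."""
    ranked = sorted(users, key=lambda u: (-risk_score(u), u["name"]))
    top = [u["name"] for u in ranked[:top_n]]
    rest = [u["name"] for u in ranked[top_n:]]
    rng = random.Random(seed)  # seeded only so a run is reproducible
    sampled = rng.sample(rest, min(sample_size, len(rest)))
    return {"top_risky": top, "sampled": sampled, "tagged": set(top) | set(sampled)}

# Constructed sample users (not real Guardium data).
USERS = [
    {"name": "alice", "violations": 2, "vulnerabilities": 1, "sensitive_access": 1, "gb_accessed": 10},
    {"name": "bob", "sensitive_access": 1, "ddl_or_system_cmds": 8, "gb_accessed": 40, "off_hours_sessions": 3},
    {"name": "carol", "gb_accessed": 1},
    {"name": "dave", "violations": 1, "sensitive_access": 1, "ddl_or_system_cmds": 1,
     "gb_accessed": 5, "off_hours_sessions": 1, "outlier_findings": 2},
    {"name": "erin", "gb_accessed": 2},
    {"name": "frank", "off_hours_sessions": 2, "outlier_findings": 1},
]

if __name__ == "__main__":
    budget = tracking_budget([30, 55], default_top_n=50)  # -> 16
    print(spot_risk(USERS, top_n=min(budget, 3), sample_size=1))
```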

The Risk Spotter pre-defined Policy or a Custom Policy takes action for the Tagged Users.

Enable this feature on the Risk Spotter page; it works at the CM (Central Manager) level.

Actions you can take include:

  • Open tickets directly in ServiceNow (or other ticketing system) for review, using ServiceNow to distribute the review to the relevant people in the organization.
  • Add user to Watchlist: tag specific users, adding them to a list of users you are actively monitoring.
  • The pre-defined policy is set to capture the first N activities of every session of the tagged users. You can easily change this value, as well as change the policy action to Log Full Details or Log Full Details With Value, etc.
  • If you use Guardium to assign reviewers to the Top Risky users (Guardium Workflow Process), then use the Audit Process with the “Active Risk Spotter – Risky Users Scores” report (or a similar one).