IBM Guardium

Ask Me Anything - Data Security Highlights Summary

By Leila Johannesen posted Wed May 13, 2020 07:40 PM

Last month we held a weekly series, “Ask Me Anything - Data Security”, in which customers could put questions to a panel of IBM Security Guardium experts from Development, Product Management, Technical Sales, and Support. The questions and their answers covered a wide range of topics. In this article, we summarize the highlights of all four Ask Me Anything sessions, organized by topic. The topics we touched on were: updates and patches, upgrading, S-TAP agents, cloud, Guardium Insights, SIEM, ServiceNow integration, CyberArk integration, mainframe, hardware appliances, Policy Analyzer, inspection engines, the Guardium Value Assessment, and additional resources.


Updates and patches

Q: Can you explain more about the types of patches and their naming scheme?

A: Vlad Langman (L3 Engineering Manager) explained the different types of patches: GPUs (which are cumulative), bundles (which are more granular and depend on GPUs), and ad hocs (which are a specific change for a specific issue). There are two new tech notes that should be helpful. This one describes the different patch types and their naming scheme:  https://www.ibm.com/support/pages/node/6195371?myns=swgother&mynp=OCSSMPHH&mync=E&cm_sp=swgother-_-OCSSMPHH-_-E

and this one describes the different agent types and names: https://www.ibm.com/support/pages/node/6198844?myns=swgother&mynp=OCSSMPHH&mync=E&cm_sp=swgother-_-OCSSMPHH-_-E


Upgrading

Q: What recommendations are there for upgrading?

A: Upgrading best practices was the topic at the April Virtual Users Group, which Vlad presented. There are two labs based on his presentation in the Security Learning Academy:

Upgrading Guardium from 10.6 to 11.0: https://www.securitylearningacademy.com/course/view.php?id=4951

Upgrading Guardium from 11.0 to 11.1: https://www.securitylearningacademy.com/course/view.php?id=4952

 

Q: We are upgrading to V11 in a Windows 2008 environment, will there be challenges?

A: Vlad said Windows 2008 is not even supported by the vendor, but he knows customers are still on it. The Guardium team doesn’t spend much time testing it, focusing instead on newer versions. However, we haven’t heard of customers experiencing issues.

 

S-TAP Agents

 

Q: How do I get a list or count of installed agent versions in my environment?

A: David Rozenblat (CTO Data Security Guardium) said you can use the detailed Enterprise S-TAP view or create a report in new query builder.

 

Q: In v11.1 does the S-TAP agent have more Kafka settings?

A: Benazeer Daruwalla (Offering Manager, IBM Security Data Protection portfolio) said the main enhancements are the ability to add S-TAPs to a consumer group defined in Kafka, as well as new libraries to securely authenticate the services connecting to the S-TAP. More information is here: https://www.ibm.com/support/knowledgecenter/SSMPHH_11.1.0/com.ibm.guardium.doc.stap/stap/r_stapparmsu_hadoop.html#reference_wxb_srq_cx__cloudera

 

Q: My S-TAP shows green but doesn’t seem to be monitoring traffic, is it possible to monitor traffic flow from the S-TAP to the collector to verify that it is working?

A: Kalpana Doddamreddy (Guardium Development Manager) explained that a green S-TAP means the S-TAP is able to communicate with the collector, but not necessarily that traffic is flowing. The S-TAP verification feature lets you find out. Go to the S-TAP status monitor page on the managed unit. Clicking on an S-TAP shows the list of configured inspection engines. Select the inspection engine and choose the Verify action. That will tell you whether traffic is flowing or not.

 

Cloud

 

Q: What are Guardium’s cloud capabilities?

A: Guardium supports heterogeneous platforms. You can deploy Guardium (collectors, aggregators, CM) in the cloud provider’s infrastructure (AWS Marketplace, Azure) as well as on prem.


The external S-TAP allows you to monitor cloud data sources deployed in cloud-native architectures, for example MongoDB deployed in a container, where you can’t deploy a traditional S-TAP agent. Guardium also supports native logs and streaming APIs.


To learn more about all the capabilities to extend your existing Guardium infrastructure to protect cloud data sources, watch the replay of this webinar “Hybrid multi-cloud data protection with IBM Security Guardium”: http://ibm.biz/April29TechTalk

 

Rick Robinson (Offering Manager for IBM Data Security) added that Guardium Data Encryption can be deployed in cloud environments. Also, Guardium for Cloud Key Management (GCKM) allows you to manage your encryption keys in a central location.

 

Q: I have a Guardium v10 collector in an Oracle cloud and databases in a physical data center, can I install the Guardium agents in the physical servers?

A: Amy Wong (Director and Development Manager Guardium): Yes, you can have databases on prem and collectors on the cloud. Though make sure to filter your data so you don’t send everything.

 

Guardium for Cloud Key Management


Rick Robinson gave an overview of GCKM, which is part of the IBM encryption suite of products. Effectively it is an on-prem server that can log into the key management services of multiple clouds and provide centralized multi-cloud key control and management for IaaS and SaaS. It currently supports IBM, AWS, Azure, Salesforce, and Office 365 (Google is on the roadmap). It provides secure key storage, as well as logging and reporting for enhanced visibility and compliance.

 

Guardium Insights

 

Q: Tell us about Insights

A: Dean Evans (Data Security Sales Leader): Insights was first released in December, and there are code drops every 2 months. It has a great modern UI, it’s IBM built, industrial strength, holds years of data, and gives quick access to reports and analytics. It works with data sources on cloud, on prem, and z/OS, all able to flow into Guardium Insights’ single repository. It can also ingest log files from AWS and Azure. It’s built on OpenShift, made for cloud, though it can run on prem as well. Luis Casco-Arias (Program Director, Offering Manager for Data Security Guardium) added that Insights is part of a larger encompassing data security vision.

 

Q: Is Insights going to be the future Guardium Data Protection?

A: Benazeer explained that the key drivers for Guardium Insights are the ability to retain data for longer periods of time, operational simplification using container-based services, microservices, and a modern IT architecture and principles. Guardium DP will work side by side with Insights and over time modernize functions and features.

 

Q: Does Guardium support multi-tenancy?

A: Guardium DP is not really designed to support it, but Guardium Insights is. For example, clients can retain data from monitoring operational sources in one tenant and from crown jewel sources in another tenant. Other scenarios could be multiple lines of business or departments/areas.

 

Leslie Wiggins (Offering Manager Guardium Insights) said that Insights 2.0.1 was just released. It now supports data sources coming from Guardium z/OS, as well as supporting Guardium v10.6 (in addition to v11). Also, Insights is opening up its APIs.

 

SIEM/Splunk

 

Q: What about streaming data straight to Splunk vs going through Guardium?

A: Benazeer said that if you pull all your audit logs into Splunk or a SIEM you’ll inundate your SOC analysts with a lot of noise. It would also increase storage and costs in Splunk. Guardium is the pre-processor. Guardium is purpose-built for data security. It is a mature product (20 years) with specialized capability for data security (based on an understanding of databases, hundreds of out-of-the-box reports focused on compliance, out-of-the-box automation workflows, and policy templates to take proactive action, such as redaction, blocking, etc.).

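To make the “pre-processor” point concrete, here is an added example (written for this summary; it is not Guardium or Splunk code) of what sits between raw database audit records and a SIEM: a small policy is applied to every record and only violations are forwarded, in a CEF-style line, while everything else is dropped at the source. The log format, the policy rules, the object and account names, and the sample records are all constructed for the illustration; a real deployment would take the policy from Guardium and the format from the SIEM.

```python
"""Illustrative SIEM pre-filter: forward only policy violations, not every audit record.

Added example, not Guardium code. The log format, the policy and the sample
records below are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed audit-record format (hypothetical, not a Guardium or Splunk format):
# <ISO timestamp> db=<db> user=<user> client=<ip> verb=<SQL verb> object=<schema.table> status=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) client=(?P<client>\S+) "
    r"verb=(?P<verb>\S+) object=(?P<obj>\S*) status=(?P<status>OK|FAIL)$"
)

# Constructed policy: which objects are "crown jewels", which service accounts may touch them.
SENSITIVE_OBJECTS = {"hr.salaries", "crm.card_numbers"}
APP_ACCOUNTS = {"payroll_svc", "crm_svc"}
DDL_VERBS = {"DROP", "ALTER", "TRUNCATE", "GRANT"}


@dataclass
class Alert:
    rule: str
    severity: int   # 0-10, CEF convention
    record: dict


def parse(line):
    """Parse one audit record; return a dict of fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec):
    """Apply the policy to one parsed record; return an Alert or None if it is routine traffic."""
    if rec["verb"] == "LOGIN" and rec["status"] == "FAIL":
        return Alert("failed_login", 5, rec)
    if rec["verb"] in DDL_VERBS:
        return Alert("ddl_change", 7, rec)
    if rec["obj"] in SENSITIVE_OBJECTS and rec["user"] not in APP_ACCOUNTS:
        return Alert("sensitive_access_non_app_user", 9, rec)
    return None


def prefilter(lines):
    """Return (alerts, parsed_count, malformed_count). Only the alerts would be forwarded."""
    alerts, parsed, malformed = [], 0, 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            malformed += 1   # counted rather than silently dropped: a parser gap is itself a finding
            continue
        parsed += 1
        alert = evaluate(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts, parsed, malformed


def to_cef(alert):
    """Render an alert as a CEF-style line (simplified; no escaping of '|' or '=' in values)."""
    r = alert.record
    return (f"CEF:0|Example|DBPrefilter|1.0|{alert.rule}|{alert.rule}|{alert.severity}|"
            f"rt={r['ts']} suser={r['user']} src={r['client']} cs1Label=db cs1={r['db']} "
            f"act={r['verb']} fname={r['obj']} outcome={r['status']}")


# Constructed sample records: routine application traffic, one ad hoc read of salary data,
# one failed login, one DROP, one line the parser cannot read.
SAMPLE_LOG = [
    "2020-04-01T09:00:01Z db=PAYROLL user=payroll_svc client=10.0.1.5 verb=SELECT object=hr.salaries status=OK",
    "2020-04-01T09:00:02Z db=PAYROLL user=payroll_svc client=10.0.1.5 verb=UPDATE object=hr.salaries status=OK",
    "2020-04-01T09:00:03Z db=PAYROLL user=jdoe client=10.0.9.77 verb=SELECT object=hr.salaries status=OK",
    "2020-04-01T09:00:04Z db=CRM user=crm_svc client=10.0.2.8 verb=SELECT object=crm.card_numbers status=OK",
    "2020-04-01T09:00:05Z db=CRM user=jdoe client=10.0.9.77 verb=LOGIN object= status=FAIL",
    "2020-04-01T09:00:06Z db=PAYROLL user=dba_admin client=10.0.3.2 verb=DROP object=hr.old_bonuses status=OK",
    "2020-04-01T09:00:07Z db=CRM user=crm_svc client=10.0.2.8 verb=SELECT object=crm.accounts status=OK",
    "2020-04-01T09:00:08Z db=CRM user=report_svc client=10.0.4.1 verb=SELECT object=crm.accounts status=OK",
    "this line is not in the expected format",
    "2020-04-01T09:00:09Z db=CRM user=jdoe client=10.0.9.77 verb=LOGIN object= status=OK",
]

if __name__ == "__main__":
    alerts, parsed, malformed = prefilter(SAMPLE_LOG)
    print(f"{parsed} records parsed, {malformed} malformed, {len(alerts)} forwarded to the SIEM")
    for a in alerts:
        print(to_cef(a))
```

On the sample, nine records parse, one is malformed, and three lines are forwarded; the six routine application reads and writes never reach the SIEM. The order of the rules in `evaluate` matters: a DROP by a non-application user on a sensitive table is reported once, as the DDL rule, rather than twice.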
 

ServiceNow integration

 

Q: What is the integration with ServiceNow like?

A: ServiceNow integration was added in V11.1. Dan Gurney (Guardium Software Engineer) showed how it works. It allows you, for example, to pick a specific vulnerability that needs to be addressed and send it via the ticketing system, rather than sending a whole VA report to a DBA.

 

You can find this feature in the Guardium UI by searching for ticket or ServiceNow, which brings up the External Ticketing System page. For more information, see: https://www.ibm.com/support/knowledgecenter/SSMPHH_11.1.0/com.ibm.guardium.doc.admin/integrate/external_ticketing.html

 

Q: Can you send tickets for halted scans?

A: No, however that is something we will look into.

 

CyberArk integration

 

Q: How can I learn about CyberArk integration?

A: You can watch this tech talk from last year: https://youtu.be/dh2DNKrEm3w

 

Q: What about integration with Secret Server?

A: It is on the roadmap for 1H next year.

 

Q: Is there data masking for non-production environments?

A: At the moment we can offer a tokenization solution from Guardium Data Encryption, which does masking, though in a different way from the analytics solution.

Mainframe

Q: On the mainframe, can you filter by database name in the collection profile?

A: Bern Lord (Cybersecurity Technical Specialist, Guardium z/OS) said that since the database name is handled differently for distributed databases and Db2 for z/OS, what works better is to run a query to grab the objects in the database and put them in a group in the collection profile.

 

Hardware appliances


Q: Is there any update for hardware appliances?

A: Vikalp Paliwal (Offering Manager, Data Security Guardium) said that we released a new hardware appliance, the M6, in January. The data sheet is here: https://www.ibm.com/downloads/cas/EM-ENUSZP20-0111-CA

Q: How long will M4 be supported?

A: Until Jan 2022, but we recommend moving to M5 or M6; there is currently a promotion. The latest hardware will give you more value and ROI.

Q: What appliances do we need if we plan to migrate to v11.1? What about firmware?

A: Vlad said we don’t have limitations on hardware. Red Hat 7 is installed with Guardium V11, so if it is installable on the hardware there shouldn’t be a problem. There are minimum requirements for RAM and hard drive. If you’re on V10 you should be OK, because the requirements didn’t change from V10 to V11.

About the firmware: when you run the pre-upgrade health check, it will tell you whether you need to upgrade the firmware if you’re below a certain level before you upgrade.

 

Policy Analyzer

 

Q: How can I run an ad hoc policy analysis?

A: With Policy Analyzer, you can run an ad hoc analysis by specifying a future starting time and a duration, then review the results. This is useful if you’re creating a new policy and want to test it out. (Policy Analyzer also offers a continuous mode.)


Policy Analyzer was added in Guardium V11 to help customers better understand how their policies are working. It helps identify frequently fired rules, optimize rule order, and evaluate rule changes. Policy Analyzer is available on managed units and stand-alone units. A comment was made that it would be useful to leverage it in larger CM environments; we understand and are looking into that. To learn more, see this article: http://ibm.biz/policyanalyzer


Inspection engine/Database Discovered Instances Rules UI

Krishna Sundaramurthy (Guardium Development Manager) discussed the Database Discovered Instances Rules UI feature in Guardium, which allows users to control when and how new inspection engines are created. This capability automatically detects and processes new database instances and changes to them. The core automatic-create feature was added in 11.1 and back-ported to 10.6. The next release of Guardium will add alerting and preview capability. To learn more about it, see:

 https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.1.0/com.ibm.guardium.doc/discover/db_discovered_instances.html


Guardium value assessment

Dean Evans (Data Security Sales Leader) pointed out that now may be a good time to check your policies and make sure things are being captured as needed and reports are being populated as expected. To help you do that, you can request a Guardium value assessment. With a value assessment, some customers have discovered important things, such as a new inspection engine that was added but not being monitored, or an audit report that was not being populated.

Additional Resources

  • Andy McCarl, Knowledge Management Specialist for IBM Security, encouraged everyone to join the VIP Security Rewards program, which offers various learning resources in the form of challenges. Find out more here: IBM VIP Rewards for Security.
  • Vikalp shared what IBM is doing to help customers with security during the COVID-19 crisis, such as free access for 90 days to MaaS360 and IBM Cloud Identity. For more information, see: https://www.ibm.com/security/covid-19
  • The Guardium Virtual Users Group was mentioned as a way for customers to meet virtually each month to learn and share information about Guardium. Contact leilaj@us.ibm.com to join.

 

The Ask Me Anything sessions were hosted and organized by Carrie Rogers, Dean Evans, Vikalp Paliwal, and Andy McCarl. We welcome your feedback on this series.
