Thank you for attending the July Virtual User Group meeting! Our topic was Universal Connectors. Ofer Haim, IBM Security UC Development Engineer, gave a brief presentation then led the discussion. The meeting slide deck (pdf) is attached.
Support
Q: If we have our own custom sniffer certificate does this apply?
A: It wouldn't apply, but we still recommend updating the certificate on the appliance side. It won't supersede the custom one.
UC discussion
Q: I've heard OUA UC can have an impact on performance. What info is there on performance metrics or resources needed for UC?
A: It varies from DB to DB. Most vendors publish the impact of auditing and general recommendations.
Q: It would be good if there were a default policy (template) based on standards body to speed things up.
Also, would like a way to back up the UC, like an export. Another VUG member said that it should not just be an export; it should be part of the backup process or a separate scheduled backup for UC to put with their other backups.
A: V12.1 will have the backup capability.
Q: Is there a way to get alerts if there's a problem with the UC?
A: We have different ways to help with troubleshooting:
During configuration, tests are run; if something is wrong, you'll get an alert.
If it's been working for a while and then something happens, there's a troubleshooting tool in v12. We are working on specific alerts for UC.
There are alerts that can be enabled (e.g., threshold alerts; some of the predefined alerts; generic alerts in GI)
Q: When can we expect an idea/RFE that we submitted that is in status "planned for future release"?
A: This typically means for next release within the year. Please use the IBM Security Ideas portal to submit requests for new data sources or new features or improvements. IBM might respond back with the questionnaire to get further details.
Q: If auditing policy changes, is there some way to alert if the policy has changed?
A: Yes, we are working on this (audit the auditing policy).
Q: It's been difficult to enable native audit, in many cases DBAs are not familiar with it. Would be helpful to have general guidelines to make it easier to deploy.
A: We will discuss to see how to share information about this in our documentation.
Q: Is there auto failover?
A: Currently, in UC v12.0 and below, there's some failover mechanism, but it depends on the input type, for example Filebeat or AWS, SQS. We want to have a unified solution in the future.
Q: What's the best way to ensure the UC input configs and filters are kept in synch as Guardium and database platforms change over time?
A: Documentation is in GitHub; if we have changes, they will be there, or we'll use flash alerts if needed. If something changes and plugin versions need to be upgraded, that would be communicated and it would be in a future bundle.