I was working on IBM Guardium project to onboard some DB servers into system.
To demonstrate how much work it will be , I created this tasks list. It is a draft for my own usage. I am sharing it out through my blog post. Hopefully there are more feedback coming to get this list fulfilled.
It will only cover three main requirements, creating a new Collector, DB Vulnerability Assessment, and Data Security Policy.
Table of Contents
Note: This list is still to keep updating.
|Install a new collector
|Prepare Environment for
Installing new collector: IP Address, Network Mask, Default Route, DNS, NTP,
|Set up virtual appliance for new
collector – same specification as existing one (18.104.22.168)
|Download same version image as
existing collector, load guardium image do standard installation
|set up initial and basic
configuration through command line: IP, Gateway, DNS, NTP, SMTP, change
default password, timezone, reboot system
|install license key, apply
patches, snapshot system.
|New Collector Integration with
Guardium Mgmt Server (22.214.171.124)
|Verification CLI installation
|Log Aggregating to Aggreator /
|Configure log shippment from new
collector to Aggregator
|AD Integration, Configuration
sync/push from Aggregator to Collector
|System backup Configuration
|Install GIM Agent / Stap on DB
|Generate Installation Scripts
for each server and DB
|Create user and group on DB
|Install GIM Agent and Stap
|Verification GIM and Stap
|Create System Monitor Alert for new
DB and Collector
|monitor S-tap on both servers
|monitor collector status
|Monitor collector local disk
|Data Archive Policy , Data
Export / Import / Purge Configuration
|Discover Sensitive Data
(Optional) , Discover Database (Optional)
|Buiding DB2 / MS sQL Security
|Verify results and schedule
|Review results with DBAs
|Policy for Data Security
|collecting Sensitive Fields
|Collecting Priviledge Accounts
|Define Use Cases (Optional) –
Same Use Cases
|Create same Data Security Policy
as Pilot projects but for different DBs.
|Create alerts / reports etc.
|Use Cases Testing / Tuning
1. Manage Your Assets
1.1 Add Database / Datasource
You can add Database by manually adding it or import from CSV file:
DataSource (Credentials) can be added into Guardium automatically once you providing credentials during importing or manually adding.
Else you can add it later through Setup -> Datasource Definitions. Datasource will be required for certain applications such as Vulnerability Assessment or Discovery Sensitive Data.
Another way for Guardium to recognize the databases is using STAP installed on DB server automatically. Once you have STAP installed on DB servers, Guardium will monitor and analyze the traffic in/out DB servers and add Database into Guardium automatically.
1.2 Manage Applications:
2. Discover and Classify
Discover Sensitive Data
Discovery and classification processes become important as the size of an organization grows and sensitive information like credit card numbers and personal financial data propagate to multiple locations. This often happens in the context of mergers and acquisitions or when legacy systems have outlasted their original owners. As a result, sensitive data may exist beyond the knowledge of the person who currently owns that data. This is a common yet extremely vulnerable scenario, since you cannot protect sensitive data unless you know it exists.
3. Assess Vulnerabilities
Assessments are a group of tests that scan database infrastructures for vulnerabilities and provide an evaluation of database and data security health with real-time and historical measurements.
4. Monitor Data Access
4.2 Set Up Application Data Monitoringand clicking the
4.3 Install Basic Security Monitoring Policy
5. Advanced Analytics
‘s Active Threat Analytics, Risk Spotter, and Investigation Dashboard give you both a bird’s eye view of potential risks in your system, risk trends over time, and tools to investigate the potential risks. Incorporate these tools into your daily routine to increase your abilities to identify and manage risks.
5.1 Risk Spotter
Risk Spotter is a First of its Kind technology, changing the security paradigm to an Artificial Intelligence Data Protection Policy. It uses a smart algorithm to search within and outside your policy radar (your installed policies), and it uses a holistic algorithm to dynamically assess risk factors. Its dynamic risk assessment considers many risk factors, including: outliers, vulnerability, volume of activities, access to sensitive data, type of commands (privileges). Risk Spotter presents the risky users and risk trends across your entire system, in easy to read graphs. The Risk Spotter page contains all the configuration and results, and actions you can take.
5.2 Active Threat Analytics
Active Threat Analytics shows potential security breach cases, based on the outlier mining process and identified attack symptoms. Use its dashboard to view and investigate cases, and take actions on individual cases.
5.3 Investigation Dashboard
The Investigation Dashboard provides powerful tools for identifying and assessing problems that might exist in your environment. It uses either local or system-wide unfiltered data, and provides numerous filter options to query data across an entire environment, potentially from any collector within that environment.