What's new in this release

New features, functions, and enhancements.

IBM Security Guardium V10.1.4

Amazon Oracle v11 RDS DBaaS Monitoring with Cloud database service protection

Disable TLS 1.0/1.1, enable TLS 1.2

VA support for Oracle 12.2

Enhanced VA GUI that shows a short description

Update OpenSSL for Windows/UNIX S-TAP

Support for EMC ATMOS

GDPR accelerator for z/OS

Classifier enhancement

Simplified deployment of S-TAP via GIM

Enhance Enterprise Load Balancer to verify sniffer is up before allocating Managed Units

Allow multiple KTAP buffers with more than five collectors

Prioritize connection packets over regular packets

IBM Security Guardium V10.1.3

Quick Start compliance monitoring

  • Deploy monitoring agents - Quickly prepare for database monitoring by discovering and activating GIM clients, installing S-TAPs, creating inspection engines, and mapping the S-TAPs to collectors.

  • Set up compliance monitoring - Help meet compliance standards by quickly installing policies, populating groups, and running reports for monitoring database activity.

Cloudera Hadoop - Guardium was the first to provide Vulnerability Assessment in the NoSQL space with its support of MongoDB. Now Guardium is expanding into the Hadoop/Big Data space with support for the Cloudera platform. Guardium Vulnerability Assessment helps organizations feel more confident in using Cloudera by empowering them to assess and correct the system to align with security best practices. Combined with the Guardium Activity Monitor for real-time audit, compliance, and security analytics, Guardium can provide a holistic security solution for Cloudera and for most common databases and data warehouses in typical enterprise environments.

Guardium S-TAP for z/OS - IBM Security Guardium extends data security on mainframes with enhanced:

  • Data protection to block against unauthorized DB2 for z/OS user activities

  • Performance and optimization to reduce overhead

  • Auditing and filtering capabilities to further extend data protection and real-time analytics

  • Usability and supportability to help accelerate deployment and diagnostics

IBM Security Guardium V10.1.2
  1. Outliers detection enhancements

    An outlier is behavior by a particular source (a database, a particular user on a database, a server, or an OS user) in a particular time period that falls outside the "normal" timeframe or scope of that source's activity. Outlier detection extends traditional database monitoring with increased intelligence that provides early detection of possible attacks during operation by analyzing changes in source behavior. This release introduces:

    • FAM support

    • Runs on an aggregator on data from several collectors

    • Outlier mining status page, providing the current status of the outlier mining process on all managed units, and drill-down into outlier processes that did not complete successfully

    • Two tabs in the Results Table of the Investigation Dashboard: Summary tab has one row per source per hour in which an anomaly was found, with anomaly score and reasons; Details tab has one row per outlier with the anomaly score, outlier reason(s) and details (source program, object, verb, etc.)
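    The following is an added, simplified illustration of the outlier definition above, not Guardium's own algorithm: a source's "normal" is the set of hours-of-day and objects seen in a baseline window, activity in a new hour or against a new object is flagged, and the output is shaped like the two tabs described (one summary row per source per hour, one detail row per outlier). The records, the two checks, and the scoring are all constructed for this example.

```python
from collections import defaultdict

# Constructed records: (source, day, hour, object, verb). Baseline window:
# three days of routine 09:00-17:00 reads of ORDERS plus a noon read of CUSTOMERS.
BASELINE = [("app_user", d, h, "ORDERS", "SELECT")
            for d in range(1, 4) for h in range(9, 18)]
BASELINE += [("app_user", d, 12, "CUSTOMERS", "SELECT") for d in range(1, 4)]

# Evaluation window: one routine query, then 03:00 reads, one of them against
# a table this source has never touched.
EVALUATION = [
    ("app_user", 4, 10, "ORDERS", "SELECT"),
    ("app_user", 4, 3, "CREDIT_CARDS", "SELECT"),
    ("app_user", 4, 3, "CUSTOMERS", "SELECT"),
]


def build_profile(records):
    """Per source, the hours-of-day and objects that count as normal."""
    hours, objects = defaultdict(set), defaultdict(set)
    for src, _day, hour, obj, _verb in records:
        hours[src].add(hour)
        objects[src].add(obj)
    return hours, objects


def detect_outliers(profile, records):
    """Return (summary, details): one summary row per (source, day, hour)
    with the highest score and the union of reasons seen in that hour, and
    one detail row per outlier record. Score = fraction of the two checks
    that fired (an assumption for this example, not Guardium's scoring)."""
    hours, objects = profile
    summary, details = {}, []
    for src, day, hour, obj, verb in records:
        reasons = []
        if hour not in hours[src]:          # unseen source -> empty set -> flagged
            reasons.append("outside normal timeframe")
        if obj not in objects[src]:
            reasons.append("object outside normal scope")
        if not reasons:
            continue  # routine activity
        score = len(reasons) / 2
        details.append({"source": src, "day": day, "hour": hour, "object": obj,
                        "verb": verb, "score": score, "reasons": reasons})
        row = summary.setdefault((src, day, hour), {"score": 0.0, "reasons": set()})
        row["score"] = max(row["score"], score)
        row["reasons"].update(reasons)
    return summary, details
```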

  2. Hadoop activity monitoring and Cloudera 5.7+ integration / Ranger enhancements

    This release expands Guardium support for monitoring Hadoop data with Cloudera integration using Cloudera Navigator and Hortonworks integration using Apache Ranger. These integrations allow SSL encryption for clients that need to access Hadoop data and are supported by a new Hadoop Monitoring UI.

  3. Classifier enhancements and new Cleversafe backup/archive option

    Guardium now supports running multiple classifier processes concurrently. The ability to run more than one classifier process at a time allows more efficient use of available system CPU resources.

    By default, Guardium classification processes now exclude several system databases and schemas used by database software providers. By excluding these databases and tables, classification processes run more efficiently and may return fewer errors.

    Cleversafe backup/archive supports the Amazon S3 interface using the same SDK. The Guardium interface to Cleversafe is analogous to the one for Amazon S3 (which is also supported by Guardium). Guardium cloud support now includes Cleversafe, SoftLayer and Amazon S3.

  4. Enterprise health views

    The new Deployment Health Dashboard expands existing deployment health views by providing an at-a-glance summary of health issues from across an entire Guardium deployment. The dashboard is especially useful for identifying patterns and trends in the health data before investigating individual systems where problems are identified.

  5. FAM enhancements - UID chaining, multi-action rules, and outliers

    UID chain for Windows FAM - Currently the Windows FAM agent returns the username for the process assigned to a file event. Now the Windows FAM agent will change that single username into a chain of usernames that belong to the history of the process (UID chain). For instance, if Process 1 (user janedoe) spawns Process 2 (user johndoe), then for file events related to Process 2, FAM will report the UID chain consisting of {janedoe, johndoe}.
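    As an added example (not the FAM agent's code), the following shows how such a UID chain is derived from process ancestry: the process table, the rule that the walk stops at root-owned processes, and the collapsing of consecutive same-user ancestors are assumptions made for this illustration.

```python
# Constructed process table for this example: pid -> (parent pid, owning user).
PROCESS_TABLE = {
    1:   (0, "root"),        # init
    100: (1, "root"),        # system service started at boot
    200: (100, "janedoe"),   # "Process 1" from the text: jane's shell
    201: (200, "johndoe"),   # "Process 2": spawned by jane's shell, runs as john
    202: (201, "johndoe"),   # child of john's process, same user
}


def uid_chain(pid, table, stop_users=("root",)):
    """Return the user names from the oldest relevant ancestor down to `pid`.

    Consecutive ancestors owned by the same user are collapsed into one entry.
    The walk stops at a process owned by a user in `stop_users` (assumption:
    init and root-owned services are not part of the interesting history).
    A missing parent or a cycle in the table ends the walk instead of looping.
    """
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, user = table[pid]
        if user in stop_users:
            break
        if not chain or chain[-1] != user:
            chain.append(user)
        pid = ppid
    chain.reverse()  # collected leaf-first; report oldest ancestor first
    return chain


def report_file_event(pid, path, table=PROCESS_TABLE):
    """Record a FAM-style agent would emit: the UID chain replaces the single user."""
    return {"path": path, "pid": pid, "uid_chain": uid_chain(pid, table)}


if __name__ == "__main__":
    print(report_file_event(201, "/data/payroll.csv"))  # uid_chain: ['janedoe', 'johndoe']
```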

    Multi-Action Rule for FAM - Multi-action rules are comprised of multiple actions, each applying to a specified command category or a specified group. The commands in a FAM context are: Read, Write, Delete, Execute and File Operation.

  6. Entitlements optimization

    Entitlement Optimization mediates between the role of the DBA in providing users the entitlements required to perform their jobs efficiently, and the role of Security in keeping entitlements as accurate and as minimal as possible to prevent system vulnerabilities. Navigate to Entitlement Optimization via Discover > Database Entitlements > Entitlement Optimization.

  7. HP Vertica support

    HP Vertica is a big data system that competes with Hadoop. HP Vertica provides a standard Postgres SQL interface with its own proprietary extensions.

    HP Vertica is used for data warehouses to provide very fast query performance. HP Vertica is used for user interaction analysis, ad tracking, click stream applications, threat assessment and financial forecasting.

  8. UNIX S-TAP RPM changes

    • Installation to /opt/guardium (location cannot be changed).

    • RPM default configuration:

      • ktap_installed=1

      • Flex loading can be enabled by exporting NI_ALLOW_MODULE_COMBOS="Y" before RPM installation

      • sqlguard_ip set to 127.0.0.1

      • tap_ip set to the hostname

      • RPM logs saved to /opt/guardium/rpm_logs

    • Live update is supported. KTAP request updates are supported via the existing processes (increments the package version).

    • Shell and GIM installers will refuse to install if RPM installation is detected.

    • S-TAP will be running after installation, but still needs to be configured.

    • New script, guard-config-update, provided to make post-installation configuration easier.

  9. GDPR Accelerator

    Data privacy and security are the most pressing concerns that any organization must face. Previously, each country within the European Union required a different level of compliance; the newly announced General Data Protection Regulation (GDPR) expands and standardizes data protection rules across the whole European Union.

    The Guardium GDPR accelerator provides predefined reports based on GDPR groups and policies. To begin working with the GDPR accelerator, assign the GDPR role to a Guardium user, then navigate to Accelerators > GDPR with that user account.

  10. Data in-sight

    Data in-sight introduces a revolutionary paradigm that utilizes human visual capabilities to gain an overall view on data flow and to identify unexpected behaviors. Guardium already provides robust machine learning and data-analysis features to assist audits and detect attacks, based on accumulated experience and knowledge. Data in-sight adds the flexibility of human visual perception to spot associations and movements in the raw data, irrespective of known attack types, that would otherwise be unnoticed.

    For example, an object recognition project to identify potholes in city streets would not identify an elephant wandering the neighborhood. The human eye, however, would spot it immediately. Similarly, when reviewing audited data in bar charts, users look for known issue types, but can easily overlook new (unknown) aberrations.

    Data in-sight converts audited data to a 3-D chronological visualization of data sources and destinations, showing data transactions unfold exactly as they occurred.

    The visualization space contains two planes, each representing entities of a given type from the audit domain. Every entry in the audit data is represented as a moving 'flash line' from an object on the upper plane (one of client IP, OS user, DB user, source program) to an object on the lower plane (one of database, object, server). The flash line between the source and the destination leaves a trail (a dotted line) indicating an interaction between that specific source and destination, which gradually fades into the background. The trails form an overview of the interactions between sources and destinations in the selected time period. Sources are located near their destinations, and near other similar sources. The size of a destination entity is proportional to its volume of transactions relative to the other destination entities. The display can be modified in many ways, including color-coding the top entity (the color changes as data source details change), filtering from the data in-sight chart, and using the investigation dashboard facets. You can also view data in-sight with VR headsets.

    To access data in-sight: in the Investigation Dashboard, click Add Chart > data in-sight chart.

IBM Security Guardium V10.1
  • Infrastructure and platform:

    • Platform hardening with enhanced security, globalization, and accessibility improvements

    • Support for a Guardium appliance running in Hyper-V environment. Hyper-V is a virtualization solution from Microsoft.

  • Improved supportability and management of the Guardium deployment:

    • Stability and reliability are enhanced for the S-TAP agents and the collection parsing.

    • Central Manager Health View provides a central dashboard to assess the status of the deployed Guardium components.

    • S-TAP Watchdog (guard_monitor) for UNIX/Linux and Windows is a process designed to monitor S-TAP performance and responsiveness. If S-TAP CPU utilization exceeds the configured threshold, or if S-TAP does not respond to a console request, the following actions can be taken:

      • Automatically run guard_diag;

      • Automatically kill the S-TAP process;

      • Automatically core dump and kill the S-TAP process.

  • Enterprise readiness enhancements make Guardium components easier to deploy and use in large environments, including:

    • Updates to the automatic load balancing to improve granularity and rebalancing requests

    • Reporting progress alerts for long running jobs

    • Finer grain access to user interface (UI) console to help customers divide roles and access to Guardium

    • Template and profile configurations to ease deployment and control from the Central Manager

    • Selective aggregation to streamline the reporting on large environments

    • Support for 7-element tuples - A tuple group allows multiple attributes to be combined to form a single composite group member. Example of a 7-tuple group: Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name

  • Expanded data source coverage:

    • Improved failover, encryption, and reporting from the S-TAP agent on System i

    • Enhanced filtering, UID chaining, and usability for the S-TAP agents for z/OS data sources

    • Additional data security functions for more big data platforms: dynamic data masking for MongoDB, blocking for HortonWorks and integration with Ranger security platform, and Cassandra Kerberos

      • Ranger integration - Ranger offers a centralized security framework to manage fine-grained access control over Hadoop and related components (Hive, HBase, HDFS, Yarn). Using the Ranger administration console, users can easily manage policies around accessing a resource (file, folder, database, table, column, etc.) for a particular set of users and/or groups, and enforce those policies within Hadoop. They can also enable audit tracking and policy analytics for deeper control of the environment.

    • Support for the S-TAP agent on Red Hat 7.1 on the Power 8 (big- and little-endian) architecture. Endianness refers to the order of the bytes that make up a digital word in computer memory. Words may be represented in big-endian or little-endian format. Little-endian format stores the least significant byte at the lowest memory address and the most significant byte at the highest memory address.

    • New support for DB2 Analytics Accelerator for z/OS

    • PostgreSQL 9.4 and SSL encryption support

    • For DB2 UDB and MS SQL, Guardium supports count_big(*).

  • Security integration that provides synergistic use cases for the challenging security problems across IT silos:

    • Insider Threat Protection. Leverage integration with IBM Security Privileged Identity Manager to uncover insider threats.

    • Threat Protection System. Work in conjunction with IBM Security QRadar and IBM Security XGS to detect threats before they reach the data source to prevent data breaches or heighten monitoring alertness.

  • Technology preview for additional data access analytics tools:

    • Investigation Center provides a central place to run forensic tracking based on the audit records.

IBM Security Guardium Vulnerability Assessment V10.1
  • Updated security awareness with new Common Vulnerabilities and Exposures (CVE) and other vulnerability tests

  • Shared common framework for vulnerability assessment from the Application layer to the backend infrastructure, with an integration with IBM Security AppScan

IBM Security Guardium for Files (FAM) V10.1
  • Scalability and performance improvements to help deploy in large organizations

  • File Activity Monitor discovery performance improvements

  • Support for FAM discovery on AIX 6.1 and AIX 7.1 (no classification). Support for shared drive discovery and classification on the FAM crawler.