
Mitigate insider threats with Guardium and Privileged Identity Manager (PIM)

Create a secure immune system by managing and auditing the use of privileged access credentials

Polly Lau and Kathryn Zeidenstein
March 02, 2017

Introduction
In the last couple of years, there has been a massive increase in awareness of insider threats. These
threats stem from the escalated privileges of individuals who are inside a company (privileged
users, such as system and database administrators). Privileged users have the power to
access sensitive data in an organization. The rise in phishing attacks and other attacks that use
social engineering makes it all too likely that even innocent administrators are targeted and their
credentials are stolen and used for nefarious activities. For a demonstration of how administrators
are targeted, be sure to view the following Security Immune System video demonstration.

To view this video, IBM Security Immune System Demonstration, please access the online
version of the article. If this article is in the developerWorks archives, the video is no longer
accessible.
To help combat insider threats, organizations are relying on industry-leading solutions from IBM
Security. In this article, we will describe two offerings and how they work together to provide added
insight into privileged user activity:

• Guardium provides a comprehensive solution for data protection, including data and file
activity monitoring. With Guardium, organizations monitor detailed activity against databases
or files. Guardium provides real-time alerting and detailed analytics to help you uncover
unauthorized insider activity, even activity that occurs over time.
• Privileged Identity Manager (PIM) helps mitigate insider threats by centrally managing and
auditing the use of privileged access credentials.

© Copyright IBM Corporation 2017 Trademarks
Mitigate insider threats with Guardium and Privileged Identity Manager (PIM) Page 1 of 14
developerWorks® ibm.com/developerWorks/

Benefits of an integrated solution


With Guardium Data Activity Monitor (DAM), companies are producing insightful reports to show
details of data activities such as who executed an activity, when it was executed, where the activity
occurred, and how it happened. If you have privileged account credentials that are managed by
IBM Security Privileged Identity Manager, you can perform database activities by using a shared
account that the user checks out. Before the integration, Guardium would be able to only “see” the
shared account ID, with no way to correlate that activity with a real person who checked out the
account.

To create a clear audit trail and hold people accountable, it is important to identify the actual
user who leased the PIM shared credential.

The Guardium and PIM integration that is described in this article requires Guardium Data Activity
Monitor v10 patch 103 or above. With the solution, Guardium reports can show the detailed activity
and correlate it with the real user who checked out the credential, as shown in the report in Figure
1.

Figure 1. Sample report shows user and check-in timestamp

Solution architecture
Terminology: Guardium custom tables allow users to ingest external data into Guardium
appliances and correlate it with Guardium audit data for consolidated reporting.

Configuration of the solution requires a two-step process:

1. Schedule periodic imports of PIM metadata views to a set of Guardium custom tables. These
database views are loaded with the PIM data, such as lease history (who used the shared
account), list of shared credentials, and databases managed by PIM.
2. Once PIM data is uploaded to Guardium, you can schedule and automate the correlation of
the imported PIM lease history and credentials with the DAM-captured activities.

Figure 2. Two-step process to integrate PIM data with Guardium captured data
activities

Tip: Schedule PIM data correlation after each PIM data import to Guardium PIM custom
tables.

Important note: During the PIM data correlation process, only those shared credentials that
were leased exclusively in PIM are correlated with the respective captured database activities.
In other words, only shared credentials that were leased by a single person at any given
moment are correlated with the Guardium DAM-captured activities. If PIM is set to allow
non-exclusive shared credential leases and two users leased the same shared credential at the
same time, Guardium does not connect the check-out data to the activity. No correlation is
possible in that case because there is no way to identify which of the two users who held the
shared credential at the same time performed the specific data activities.
PIM Terminology:

Check-out: A user starts a client application session and is prompted to check out a shared
credential that is used for the client application session and for the database activities it
performs.
Check-in: A user finishes his or her client application session, or the lease expires. The leased
shared credential returns to PIM and becomes available for other users to lease.
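As an added illustration (not code from the article or from IBM), the following Python sketch applies the exclusive-lease rule described above to constructed PIM lease history and Guardium session records: a captured session is attributed to a PIM user only when exactly one lease of that shared credential, on that database server, covers the session timestamp. The field names and sample data are assumptions, not the real PIM view or Guardium custom-table schema.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class PimLease:
    pim_user: str        # real person who checked out the credential
    shared_account: str  # DB user name of the shared credential (e.g. SYSTEM)
    server_ip: str       # database resource the credential belongs to
    checkout: datetime   # check-out time
    checkin: datetime    # check-in time or lease expiry

@dataclass(frozen=True)
class GuardiumSession:
    db_user: str
    server_ip: str
    timestamp: datetime
    sql: str

def correlate(session: GuardiumSession, leases: list) -> Optional[str]:
    """Return the PIM user accountable for a captured session, or None.

    A lease matches when it is for the same shared account on the same server
    and the session timestamp falls inside the check-out/check-in window.
    Only an exclusive lease is correlated: if two people held the credential
    at that moment, nobody can say who ran the SQL, so nothing is attributed.
    """
    holders = {
        lease.pim_user for lease in leases
        if lease.shared_account == session.db_user
        and lease.server_ip == session.server_ip
        and lease.checkout <= session.timestamp < lease.checkin
    }
    return holders.pop() if len(holders) == 1 else None

def correlate_all(sessions, leases):
    return [(s.sql, correlate(s, leases)) for s in sessions]

def ts(text):
    return datetime.fromisoformat(text)

# Constructed sample data (hypothetical users, addresses and statements)
LEASES = [
    PimLease("alice", "SYSTEM", "10.0.0.5", ts("2017-03-01T09:00"), ts("2017-03-01T10:00")),
    PimLease("bob",   "SYSTEM", "10.0.0.5", ts("2017-03-01T11:00"), ts("2017-03-01T12:00")),
    # non-exclusive lease: carol holds SYSTEM while bob still has it checked out
    PimLease("carol", "SYSTEM", "10.0.0.5", ts("2017-03-01T11:30"), ts("2017-03-01T12:30")),
]
SESSIONS = [
    GuardiumSession("SYSTEM", "10.0.0.5", ts("2017-03-01T09:15"), "select * from payroll"),
    GuardiumSession("SYSTEM", "10.0.0.5", ts("2017-03-01T11:45"), "update payroll set pay=0"),
    GuardiumSession("SYSTEM", "10.0.0.5", ts("2017-03-01T13:00"), "select 1"),  # no lease
]

if __name__ == "__main__":
    for sql, user in correlate_all(SESSIONS, LEASES):
        print(f"{sql!r:32} -> {user or 'not correlated'}")
```

Only the first statement is attributed; the overlapping bob/carol lease and the activity outside any lease stay uncorrelated, which is exactly the gap the report leaves visible.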

When the PIM data correlation finishes, information on captured Guardium data activities can
be joined with the information about the user who actually performed the activities via the leased
privileged credentials. Guardium users can add the PIM attributes in their queries and reports to
see privileged users' database activities. They can also see the PIM lease information and the user
who leased the shared credential and performed the activities.

Installation and configuration


This section describes the procedures to set up the integration between Guardium and IBM
Security Privileged Identity Manager (PIM). Here is a high-level overview of the steps:

1. Add database resource in PIM configuration for bulk data upload (PIM administrator).
2. Add database user access to PIM data views (PIM administrator).
3. Schedule upload of PIM data into Guardium out-of-the-box PIM custom tables (Guardium
administrator).
4. Schedule automatic PIM data correlation (Guardium administrator).
After the installation and configuration are complete, Guardium users can add PIM data to data
activity reports, as described in Enhancing reports with PIM data.

Add database resource in PIM configuration for bulk data upload


Starting from IBM Security Privileged Identity Manager version 2.0.2 Fix Pack 6, PIM allows users
to use a #Resource-type identifier to handle bulk uploads. Before Guardium can be configured to
pull PIM credentials and check-out/check-in activities, a PIM database resource must be set up in
Privileged Identity Manager.

For example, the following screenshot shows a sample database-type resource in PIM with the
hostname, port, and type of the database server for which PIM manages credentials. This sample
screenshot shows an Oracle database server IP address and port for which the PIM check-in/
check-out activities can be tracked and related to the database access activities of privileged
users that Guardium captures.

Figure 3. Sample PIM update resource screen

For more information on setting up a database-type resource in PIM for data uploads, visit the PIM
Knowledge Center.

Add database user access to PIM data views


IBM Security Privileged Identity Manager tracks the PIM activities in its metadata database,
called "idmdb" by default. Before we upload the PIM activities from the idmdb database into the
Guardium appliance, we first need to create a database user that Guardium can use to access the
idmdb data views.

• Create a database user for PIM idmdb:
  • On the PIM server, create a new user on the operating system. For example, pimview.
  • Add the new operating system user pimview to group DB2USERS.
  • Change the password for the new pimview user.
  • Grant the user permissions to access the required PIM data views. Log in as your PIM idmdb
  administrator, then use these commands to grant the new user access to the required PIM
  data views:

Listing 1. Sample code listing
# Connect to the PIM metadata database as the idmdb administrator (PIMINST by default)
db2 connect to idmdb user piminst using <password>
# Grant read access on the three PIM data views to the new Guardium user (for example, pimview)
db2 "GRANT SELECT ON V_PIM_CICO_HISTORY_DB_RSRC TO USER <username>"
db2 "GRANT SELECT ON V_PIM_CRED_INFO_DB_RSRC TO USER <username>"
db2 "GRANT SELECT ON V_PIM_CRED_DETAILS_DB_RSRC TO USER <username>"
db2 disconnect current

Note: The PIM data is owned by the PIM idmdb administrator, PIMINST user by default. For more
information on how to allow a database user to access the required PIM data views in idmdb, see
this Knowledge Center topic.

Schedule upload of PIM data into Guardium out-of-the-box PIM custom tables

This section walks through the steps to upload the PIM metadata into the Guardium appliance.
Starting from Guardium v10p103, three PIM custom tables are included out-of-the-box. Once the
PIM data is periodically uploaded to the provided custom tables, Guardium can correlate the
PIM check-out data with the captured activity reports.

When you use Guardium Central Manager, upload the PIM data to the Central Manager, then
schedule a data distribution from the Central Manager to all managed units by navigating to
Manage > Central Manager > PIM Data Distribution.

• Log in to the Guardium appliance.
• Navigate to Comply > Custom Reporting > Custom Table Builder.
• On the Custom Tables page, look for the three PIM custom tables.

Figure 4. Out-of-box PIM custom tables in Guardium

• Select a PIM custom table and click Upload Data to configure the data upload from the PIM
metadata database into Guardium.
Figure 5. Upload data to PIM custom tables

• On the Upload Data page, click Add Datasource to add the PIM datasource.

Figure 6. Add datasource to upload data to PIM custom tables

• A Datasource Finder page will open. Click New (+) to create a new datasource for the PIM
metadata database that contains the PIM activities info.
Figure 7. Add new PIM datasource in Datasource Finder

• In the data source definition, provide the connection details to connect to the PIM idmdb
database. Connect by using the credentials that were added in the previous section “Add
database user access to PIM data views.” For a list of required minimum privileges, refer to
the IBM Knowledge Center topic "Creating a user to access database views." Click Apply to
save the datasource definition, then use the Test Connection button to test the datasource
connection before proceeding.

Figure 8. Datasource connection definition for PIM idmdb

Figure 9. Test datasource connection prompt

• When the PIM datasource definition is created, select the PIM datasource and add it to the
Custom Tables Upload Data job.
Figure 10. Add PIM idmdb datasource to the PIM custom table data upload

Figure 11. Add PIM idmdb data source in each PIM custom table upload job

• To set up a schedule for automatic data upload, click Modify Schedule and define the
schedule on which the PIM data is uploaded to the Guardium custom tables.
Figure 12. Schedule a periodic data upload from PIM into Guardium

Figure 13. Define a preferable schedule for your PIM data upload jobs

Figure 14. Upload is actively scheduled

• Repeat the same steps for the rest of the PIM tables.

Troubleshooting tip: If no data is populated to the Guardium PIM custom tables, verify the
following:

• The configuration with the PIM database resource settings is correct (see the earlier section
Add database resource in PIM configuration for bulk data upload).
• There are privileged users with check-out/check-in activities against the database that is
specified in the PIM database resource. The PIM custom tables upload only data that has not
yet been uploaded to the Guardium tables.

Find out more about PIM and Guardium

Visit IBM Security Guardium and IBM Security Privileged Identity Manager for more
information.

Set up PIM data correlation


Once the PIM data is uploaded to the Guardium appliance (or when PIM data is distributed to all
managed units), schedule the PIM data correlation job to periodically correlate the uploaded PIM
data with the captured Guardium Session data.

• Use the following CLI command to enable correlation of uploaded PIM data with captured
Guardium DAM session data. <state> can be set to on or off: set it to on to enable PIM
correlation mode and to off to disable PIM correlation mode.
> store pim_correlation_mode <state>
• Use the following CLI command to verify that the PIM correlation mode is enabled.
> show pim_correlation_mode

Reminder: Guardium correlates PIM activities with Guardium session data only for exclusive
shared access, that is, for activities performed while a single user held the shared credential
checked out at the specified time.

To schedule PIM data correlation with Guardium session data, navigate to Comply > PIM
Correlation > Modify schedule. Make sure to check the Activate schedule box to activate the
scheduled job.

Figure 15. Schedule periodic PIM data correlation with Guardium captured
data

Here is an example of a PIM data correlation schedule.

Figure 16. Sample PIM Data Correlation schedule

Tip: Space out the Guardium PIM data upload and Data Correlation jobs from other
Guardium jobs. In this example, PIM Data Correlation is scheduled to run every hour, starting
at 12 AM. However, if you have other audit processes that also run on the same schedule, you
might want to schedule the PIM data upload and PIM Data Correlation jobs to run every hour
of the day but start later in the hour (for example, at 12:30 AM instead of 12 AM).

Enhance reports with PIM data


When PIM data is correlated with captured Guardium session data, users can join their activity
data with the PIM data in their query/reports. The PIM correlated data is accessible via the Access
domain in the Guardium Query Builder. You can create a new report or modify your existing access
reports to add this correlated data.

If we look back at the first report, it includes both the captured DB user name and activity
information, and the correlated PIM data. In this sample, Guardium captured the data activity
(Timestamp, Server Type, ServerIP, ClientIP, Network Protocol, DB user name, SQL) and
correlated it with the PIM check-out and check-in data. This gives us visibility into not just the
shared DB user name (that is, SYSTEM) that executed the SQL statements, but also the actual
PIM user who checked out the SYSTEM account to perform those activities.

The following sample report shows the DB user name, PIM user name, and the PIM check-out
and check-in timestamp:

Figure 17. Sample PIM activity report

Tip: Schedule the PIM Data Correlation to start soon after each PIM data upload job is
complete.

Here is a sample query of the previous sample report. You can include any PIM Session attributes
from the Entity list to correlate in your own activity report.

Figure 18. Sample query with PIM Session attributes information

Figure 19. Sample PIM Correlation report with PIM check-out/check-in time
stamps and justification information with captured data activities

Conclusion

The powerful combination of IBM Security Privileged Identity Manager and Guardium Activity
Monitoring can help you to reduce blind spots in the management and monitoring of privileged
users, especially with regards to sensitive data access and activity. The setup is not difficult and
the processes are scheduled and automated between the two products. This integration is just one
of many in the IBM Security portfolio that make up the security immune system.

© Copyright IBM Corporation 2017 (www.ibm.com/legal/copytrade.shtml)
Trademarks (www.ibm.com/developerworks/ibm/trademarks/)