Se Manage Audit Privileged Users Pim Guardium PDF
Introduction
In the last couple of years, there was a massive increase in awareness of insider threats. These
threats stem from the escalated privileges of individuals who are inside a company (privileged
users, such as system and database administrators). Privileged users have the power to
access sensitive data in an organization. The rise in phishing attacks and other attacks that use
social engineering make it all too likely that even innocent administrators are targeted and their
credentials are stolen and used for nefarious activities. For a demonstration of how administrators
are targeted, be sure to view the following Security Immune System video demonstration.
To view this video, IBM Security Immune System Demonstration , please access the online
version of the article. If this article is in the developerWorks archives, the video is no longer
accessible.
To help combat insider threats, organizations are relying on industry-leading solutions from IBM
Security. In this article, we will describe two offerings and how they work together to provide added
insight into privileged user activity:
against databases or files. Guardium provides real-time alerting and detailed analytics to help
you uncover unauthorized insider activity, even activity that occurs over time.
• Privileged Identity Manager (PIM) helps mitigate insider threats by centrally managing and
auditing the use of privileged access credentials.
To create a clear audit trail and hold people accountable, it is important to identify the actual
user who leased the PIM shared credential.
The Guardium and PIM integration that is described in this article requires Guardium Data Activity
Monitor v10 patch 103 or above. With the solution, Guardium reports can show the detailed activity
and correlate it with the real user who checked out the credential, as shown in the report in Figure 1.
Solution architecture
Configuration of the solution requires a two-step process:
Terminology: Guardium custom tables allow users to ingest external data into Guardium
appliances and correlate them with Guardium audit data for consolidated reporting.
1. Schedule periodic imports of PIM metadata views to a set of Guardium custom tables. These
database views are loaded with the PIM data, such as lease history (who used the shared
account), list of shared credentials, and databases managed by PIM.
2. Once PIM data is uploaded to Guardium, you can schedule and automate the correlation of
the imported PIM lease history and credentials with the DAM-captured activities.
Figure 2. Two-step process to integrate PIM data with Guardium captured data activities
Tip: Schedule PIM data correlation after each PIM data import to Guardium PIM custom
tables.
Important note: During the PIM data correlation process, only those shared credentials that
were leased exclusively in PIM are correlated with the respective captured database activities.
In other words, only shared credentials that were leased by a single person at any given
moment are correlated with the Guardium DAM-captured activities. If PIM is set to allow
non-exclusive shared credential leases and two users leased the same shared credential at the
same time, Guardium does not connect the check-out data to the activity. There is no
correlation in that case because there is no way to identify which of the two users who checked
out the shared credential at the same time performed a specific data activity.
PIM Terminology:
Check-out: A user starts a client application session and is prompted to check out a shared
credential. That credential is used for the client application session and for the database
activities performed in it.
Check-in: The user finishes the client application session or the lease expires. The leased
shared credential returns to PIM and becomes available for other users to lease.
When the PIM data correlation finishes, each captured Guardium data activity can be joined with
the information about the user who actually performed it through the leased privileged credential.
Guardium users can add the PIM attributes to their queries and reports to see privileged users'
database activities together with the PIM lease information, including the user who leased the
shared credential and performed the activities.
1. Add database resource in PIM configuration for bulk data upload (PIM administrator).
2. Add database user access to PIM data views (PIM administrator).
3. Schedule upload of PIM data into Guardium out-of-the-box PIM custom tables (Guardium
administrator).
4. Schedule automatic PIM data correlation (Guardium administrator).
After the installation and configuration are complete, Guardium users can add PIM data to data
activity reports, as described in Enhancing reports with PIM data.
For example, the following screenshot shows a sample database-type resource in PIM with the
hostname / port / type of the database server for which PIM manages credentials. This sample
screenshot shows an Oracle database server IP address and port where the PIM check-in/
check-out activities can be tracked and related with Guardium privileged users' database access
activities.
For more information on setting up a database-type resource in PIM for data uploads, visit the PIM
Knowledge Center.
Note: The PIM data is owned by the PIM idmdb administrator, PIMINST user by default. For more
information on how to allow a database user to access the required PIM data views in idmdb, see
this Knowledge Center topic.
Schedule upload of PIM data into Guardium out-of-the-box PIM custom tables
This section walks through the steps to upload the PIM metadata into the Guardium appliance.
Starting from Guardium v10p103, three PIM custom tables are included out-of-the-box. Once the
PIM data is periodically uploaded to these custom tables, Guardium can correlate the
PIM check-out data with the captured activity reports.
If you use a Guardium Central Manager, upload the PIM data to the Central Manager and then
schedule a data distribution from the Central Manager to all managed units by navigating to
Manage > Central Manager > PIM Data Distribution.
• Select a PIM custom table and click Upload Data to configure the data upload from the PIM
metadata database into Guardium.
Figure 5. Upload data to PIM custom tables
• On the Upload Data page, click Add Datasource to add the PIM datasource.
• A Datasource Finder page will open. Click New (+) to create a new datasource for the PIM
metadata database that contains the PIM activities info.
Figure 7. Add new PIM datasource in Datasource Finder
• In the data source definition, provide the connection details for the PIM idmdb
database. Connect by using the credentials that were added in the previous section “Add
database user access to PIM data views.” For a list of required minimum privileges, refer to
the IBM Knowledge Center topic "Creating a user to access database views." Click Apply to
save the datasource definition, then use the Test Connection button to test the datasource
connection before proceeding.
• When the PIM datasource definition is created, select the PIM datasource and add it to the
Custom Tables Upload Data job.
Figure 10. Add PIM idmdb datasource to the PIM custom table data upload
Figure 11. Add PIM idmdb data source in each PIM custom table upload job
• To set up a schedule for automatic data upload, click Modify Schedule to modify the
schedule of the PIM data that will be uploaded to Guardium custom tables.
Figure 12. Schedule a periodic data upload from PIM into Guardium
Figure 13. Define a preferable schedule for your PIM data upload jobs
• Repeat the same steps for the rest of the PIM tables.
Troubleshooting tip: If no data is populated into the Guardium PIM custom tables, verify the
following:
• The configuration of the PIM database resource settings is correct (see the earlier section
Add database resource in PIM configuration for bulk data upload).
• There are privileged users with check-out/check-in activities against the database that is
specified in the PIM database resource. The PIM custom table upload only transfers data that
has not yet been uploaded to the Guardium tables.
Visit IBM Security Guardium and IBM Security Privileged Identity Manager for more
information.
• Use the following CLI command to enable correlation of uploaded PIM data with captured
Guardium DAM session data. Note that <state> can be set to on or off. Set <state> to
on to enable PIM correlation mode and to off to disable PIM correlation mode.
> store pim_correlation_mode <state>
• Use the following CLI command to verify that the PIM correlation mode is enabled.
> show pim_correlation_mode
Reminder: Guardium correlates PIM activities with Guardium session data only for exclusive
shared access, that is, for activities performed while a single user had the shared credential
checked out at the time in question.
To schedule PIM data correlation with Guardium session data, navigate to Comply > PIM
Correlation > Modify schedule. Make sure to check the Activate schedule box to activate the
scheduled job. Here is an example of a PIM data correlation schedule.
Figure 15. Schedule periodic PIM data correlation with Guardium captured data
Tip: Space out the Guardium PIM data upload and PIM Data Correlation jobs from other
Guardium jobs. In this example, PIM Data Correlation is scheduled to run every hour, starting at
12 AM. If other audit processes also run on the same schedule, consider scheduling the PIM data
upload and PIM Data Correlation jobs to run every hour of the day starting later (for example, at
12:30 AM instead of 12 AM).
If we look back at the first report, it includes both the captured DB user name and activity
information and the correlated PIM data. In this sample, Guardium captured the data activity
(Timestamp, Server Type, ServerIP, ClientIP, Network Protocol, DB user name, SQL) and
correlated it with the PIM check-out and check-in data. This gives visibility not only into the
shared DB user name (that is, SYSTEM) that executed the SQL statements, but also into the
actual PIM user who checked out the SYSTEM credential to perform those activities.
The following sample report shows the DB user name, PIM user name, and the PIM check-out
and check-in timestamp:
Tip: Schedule the PIM Data Correlation to start soon after each PIM data upload job is
complete.
Here is a sample query for the previous report. You can include any PIM Session attributes
from the Entity list in your own activity report to correlate them with captured activity.
Figure 19. Sample PIM Correlation report with PIM check-out/check-in timestamps and justification information with captured data activities
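The following Python example, added here to illustrate the exclusive-lease rule from the solution architecture section and the enriched report columns just described, is not Guardium or PIM code. It joins constructed DAM-style activity records with constructed PIM lease-history records: a captured statement is attributed to a PIM user only when exactly one lease of that shared credential on that server was open at the capture time; overlapping (non-exclusive) leases and activity outside any lease are left unattributed with a reason. The record types, field names and sample values are assumptions for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Record types and field names are assumed for this example; they are not
# the Guardium custom-table or PIM view definitions.


@dataclass(frozen=True)
class Lease:
    """One PIM lease-history row: who checked a shared credential out, and when."""
    pim_user: str                 # person who leased the credential
    db_user: str                  # the shared credential, e.g. SYSTEM
    server_ip: str                # database server the credential belongs to
    checkout: datetime
    checkin: Optional[datetime]   # None = still checked out


@dataclass(frozen=True)
class Activity:
    """One DAM-captured statement with the columns the report shows."""
    timestamp: datetime
    server_ip: str
    client_ip: str
    db_user: str
    sql: str


def leases_covering(activity: Activity, leases: List[Lease]) -> List[Lease]:
    """All leases of the same credential on the same server that were open
    at the moment the statement was captured."""
    return [
        lease for lease in leases
        if lease.db_user == activity.db_user
        and lease.server_ip == activity.server_ip
        and lease.checkout <= activity.timestamp
        and (lease.checkin is None or activity.timestamp <= lease.checkin)
    ]


def correlate(activities: List[Activity], leases: List[Lease]) -> List[Dict]:
    """Attach the PIM user to each captured activity only when exactly one
    lease covers it (the exclusive-lease rule). Anything else stays
    unattributed, with the reason recorded for the report."""
    rows = []
    for act in activities:
        open_leases = leases_covering(act, leases)
        row = {
            "timestamp": act.timestamp, "server_ip": act.server_ip,
            "client_ip": act.client_ip, "db_user": act.db_user, "sql": act.sql,
            "pim_user": None, "checkout": None, "checkin": None, "reason": None,
        }
        if len(open_leases) == 1:
            lease = open_leases[0]
            row.update(pim_user=lease.pim_user,
                       checkout=lease.checkout, checkin=lease.checkin)
        elif not open_leases:
            row["reason"] = "no lease covers this activity"
        else:
            # Two or more people held the credential at once: no way to tell
            # which of them ran the statement, so it is not attributed.
            row["reason"] = "non-exclusive lease (%d users)" % len(open_leases)
        rows.append(row)
    return rows


def sample_data() -> Tuple[List[Activity], List[Lease]]:
    """Constructed sample records (not real audit data)."""
    day = lambda h, m: datetime(2016, 5, 1, h, m)
    leases = [
        Lease("alice", "SYSTEM", "10.0.0.5", day(9, 0), day(9, 30)),
        Lease("bob", "SYSTEM", "10.0.0.5", day(10, 0), day(10, 45)),
        Lease("carol", "SYSTEM", "10.0.0.5", day(10, 20), None),  # overlaps bob, still open
    ]
    activities = [
        Activity(day(9, 10), "10.0.0.5", "10.0.1.7", "SYSTEM", "SELECT * FROM hr.salaries"),
        Activity(day(10, 5), "10.0.0.5", "10.0.1.8", "SYSTEM", "UPDATE hr.salaries SET amount = 0"),
        Activity(day(10, 30), "10.0.0.5", "10.0.1.9", "SYSTEM", "DELETE FROM audit_log"),
        Activity(day(11, 0), "10.0.0.5", "10.0.1.9", "SYSTEM", "SELECT count(*) FROM hr.salaries"),
        Activity(day(9, 10), "10.0.0.9", "10.0.1.7", "SYSTEM", "SELECT 1 FROM dual"),
        Activity(day(9, 10), "10.0.0.5", "10.0.1.7", "APPUSER", "SELECT 1 FROM dual"),
    ]
    return activities, leases


if __name__ == "__main__":
    for r in correlate(*sample_data()):
        who = r["pim_user"] or ("<unattributed: %s>" % r["reason"])
        print(r["timestamp"].time(), r["db_user"], r["sql"], "->", who)
```

The 10:30 statement is the non-exclusive case from the important note: bob and carol both hold SYSTEM at that moment, so the row keeps the DB user name but no PIM user. The 11:00 statement is attributed to carol alone because bob's lease has been checked in by then, and the carol lease has no check-in time yet, which the range test treats as still open.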
Conclusion
The powerful combination of IBM Security Privileged Identity Manager and Guardium Activity
Monitoring can help you reduce blind spots in the management and monitoring of privileged
users, especially with regard to sensitive data access and activity. The setup is not difficult, and
the processes are scheduled and automated between the two products. This integration is just one
of many in the IBM Security portfolio that make up the security immune system.