Besides simplifying the definition of report content and its appearance, the new Report Builder lets us build a datamart immediately and place it on the chosen dashboard.
The new Report Builder can also manage reports based on custom domains.
The old rule setup screen scared every new user: identifying the right field and understanding what had already been defined required a lot of experience.
Simplifying rule creation is the main value of the changes in the new Policy Builder. Splitting the criteria into three categories (session, SQL and other) and displaying only the active ones lets you grasp the logic of a rule at a glance.
Managing the order of rules and their interaction has also been simplified. In one window we can reorder, copy and import rules in a policy and quickly see whether a given situation needs to be analysed by several rules.
Group Builder (10.5)
Managing groups is one of the basic administrative tasks that allow you to properly monitor and report activity on protected resources. The new Group Builder lets us find a specific group quickly and see what it means in our installation: where the group is used, the source of its collected data and how many members it contains.
The most anticipated improvement in group management is the ability to easily filter and modify group content. Especially after the Policy Builder upgrade in version 10.6, we get one coherent interface in which managing reference data is a simple task.
Agent Management by GIM (10.1.4)
The new GIM management interface, which I described in my K-TAP video, significantly increases the effectiveness of agent management.
Version 10.6 adds further improvements: a preview of installed modules, detection of a lost connection to the agent while a module is being configured, and progress updates.
GIM is now a great tool for managing hundreds of agents without needing direct access to the managed systems.
Simple Agent Deployment (10.1.3)
The ability to pre-install the GIM agent in large environments (listener mode) is extremely valuable. The new “Deploy Monitor Agents” feature also reduces the time it takes to install agents.
It is a useful tool, but it has a limitation: there is no way to indicate our own SSL certificates if we decide to use them. 😦
I assume that we will soon be able to install other modules (CAS, FAM) and create configuration templates.
Simple Compliance Monitoring (10.1.3)
This dashboard lets us set up and present, in a unified view, the status of our datasets against our compliance requirements (such as GDPR, PCI, SOX).
Sounds good, but for compliance in particular the policies, reports and audits have to be customized case by case.
To become a real compliance dashboard, the configuration requires customizing the classification process, the monitoring policy and the reports. I like it, but improvements are still needed to allow:
- assigning a custom policy instead of modifying the permanently assigned one
- assigning a custom classification process instead of modifying the assigned one
- defining the list of reports attached to the compliance dashboard
The dashboard assumes that compliance settings are global for all of a customer's data sources, which is not true in many cases.
Guardium Application Ecosystem
Letting users or business partners create additional functionality for the system, without having to integrate with the vendor's development process, is a brilliant idea. The success of the App Exchange platform in QRadar (IBM's SIEM solution) led to its adoption in other products, including Guardium.
The developed application is isolated from the system itself in a container (Docker). The programming platform is Flask, a Python-based web microframework.
Communication with the system takes place through the rich Guardium REST API, which exposes most of the functions available in the standard API through the cli.
Application management in Guardium itself amounts to installing the application (file import), granting access to roles and launching it.
The entire ecosystem can be fully controlled from the Central Manager level.
Creating an application does not require a lot of programming experience. The technologies used in the solution let you implement “missing” system functions quickly and efficiently.
However, remember that each application runs in its own container, so using them raises the appliance requirements: a minimum of 32 GB of RAM (if Quick Search is switched on).
Here is my first Guardium application screen (I am working on a separate article focused on this alone).
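To show what the application-to-appliance side of such an app looks like, here is an added example client, written for this article rather than taken from the author's application or from IBM. It assumes the OAuth password-grant flow described in the Guardium REST API documentation (client registered with `grdapi register_oauth_client`, token from `/oauth/token` on port 8443, functions under `/restAPI/<function>` with a Bearer token); the host name, credentials, the `list_group_members_by_desc` function name and the fake appliance responses are assumptions and constructed data, so the block runs offline.

```python
"""Guardium REST API client skeleton, added as an example for this article.

It is not the author's application and not IBM code. Assumptions, taken from
the Guardium REST API documentation rather than from this page:
  * an OAuth client has been registered on the appliance, e.g.
      grdapi register_oauth_client client_id=myapp grant_types=password
  * token endpoint:  POST https://<appliance>:8443/oauth/token
    form fields: client_id, client_secret, grant_type=password, username, password
  * API functions:   GET  https://<appliance>:8443/restAPI/<function>?<params>
    with an  Authorization: Bearer <access_token>  header
The function name list_group_members_by_desc is an assumed grdapi function.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport. TLS verification stays ON: if the appliance uses a
    private CA, add it with ctx.load_verify_locations(...) instead of disabling
    verification, otherwise the client secret can be captured by a MITM."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


class GuardiumClient:
    def __init__(self, host, client_id, client_secret, username, password,
                 port=8443, transport: Transport = urllib_transport):
        self.base = f"https://{host}:{port}"
        self._creds = {"client_id": client_id, "client_secret": client_secret,
                       "grant_type": "password",
                       "username": username, "password": password}
        self._transport = transport
        self._token = None

    def get_token(self) -> str:
        """Obtain (and cache) an OAuth access token with the password grant."""
        if self._token:
            return self._token
        body = urllib.parse.urlencode(self._creds).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, text = self._transport("POST", f"{self.base}/oauth/token", headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = json.loads(text)["access_token"]   # never log this value
        return self._token

    def call(self, function: str, **params):
        """Invoke one REST API function and return the decoded JSON."""
        url = f"{self.base}/restAPI/{urllib.parse.quote(function)}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        headers = {"Authorization": f"Bearer {self.get_token()}",
                   "Accept": "application/json"}
        status, text = self._transport("GET", url, headers, None)
        if status == 401:
            self._token = None          # token expired or revoked: caller may retry
            raise PermissionError("access token rejected by appliance")
        if status != 200:
            raise RuntimeError(f"{function} failed: HTTP {status}: {text[:200]}")
        return json.loads(text)


class FakeTransport:
    """Constructed offline stand-in for the appliance so the example runs
    without a Guardium system. Records every request it receives."""
    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if url.endswith("/oauth/token"):
            return 200, json.dumps({"access_token": "tok-123", "token_type": "bearer"})
        if "/restAPI/list_group_members_by_desc" in url:
            # constructed sample response shaped like a group member listing
            return 200, json.dumps([{"Group Member": "app_svc"},
                                    {"Group Member": "report_ro"}])
        return 404, "no such function"


def demo(transport=None):
    """Fetch members of an assumed group 'Privileged Users' through the client."""
    fake = transport or FakeTransport()
    client = GuardiumClient("guardium.example.com", "myapp", "s3cret",
                            "admin", "admin-pw", transport=fake)
    members = client.call("list_group_members_by_desc", desc="Privileged Users")
    return [m["Group Member"] for m in members], fake.requests


if __name__ == "__main__":
    names, reqs = demo()
    print(names)
```

Inside a real app container the same class would be used from the Flask views, with the client secret and the API user's password taken from the app's configuration rather than hard-coded; the injected transport is only there so the logic can be exercised without an appliance.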
DAM solutions appeared on the market when storing data in the cloud was still only the subject of academic dissertations. Within a dozen or so years the situation has changed dramatically, and support for processing outside local data centres has become a requirement rather than an add-on.
Each subsequent Guardium version has brought something new in this area.
Guardium's architecture allows deploying it inside IaaS services, where the user has access to the operating system and can install S-TAP. However, sending traffic from the cloud to an on-premise appliance was inefficient, so we now have pre-built appliances in the Amazon, Azure and SoftLayer clouds (10.1.3).
The real challenge for monitoring solutions, however, is SaaS, where the service provider administers the data store and no additional services can be installed.
One solution is for the DAM system to consume the native audit logs provided by the service or engine, which Guardium 10.1.4 introduced for AWS RDS Oracle 11 and 12. This, however, raises another problem: supporting a completely new session-information format for something that already works perfectly by parsing SQL syntax. The log format and its scope can be changed by the provider at any time, with no way to control that stream, which is a huge problem for any DAM vendor.
So the latest Guardium release brings the External S-TAP: a proxy solution which assumes that sessions to unmanaged data nodes are redirected to the new Guardium service by a load balancer. This simplifies implementation because we do not need to analyze logs and can rely on standard session interception.
The External S-TAP is distributed as a Docker image and can be downloaded from Docker Hub.
The customer can decide how it is deployed:
- External S-TAP on premise, rerouting all requests to the cloud service
- External S-TAP as a cloud service, rerouting requests inside the cloud infrastructure
- External S-TAP on premise, intercepting traffic to local databases without installing S-TAP on the monitored system
This approach opens up uses beyond cloud services, for example as a platform for extending support to new data stores based on self-developed parsers.
This initial release supports MSSQL and Oracle on premise, and AWS Oracle and Azure MSSQL in the cloud. I believe that very soon this technology will be opened up to support more platforms and backed by an SDK.
Platform support enhancement
- The new releases added support for new versions of Oracle, MSSQL, Teradata, MongoDB, Cassandra, MariaDB and MemSQL
- Simplified Cloudera Navigator monitoring, with audit events read directly from the Kafka node
- Vulnerability Assessment now supports Cloudera
- FAM is now aware of MS Office documents and reduces the noise from the I/O operations they generate
- SharePoint support: a third-party agent for SharePoint monitoring and data classification
- NAS support: a third-party agent to classify and monitor access to data on Hitachi, NetApp, EMC and Dell EMC devices
- Simplified A-TAP management (including the option to avoid a service restart during an S-TAP upgrade)
- Teradata monitoring based on EXIT
VA multi-threading (10.6)
Many classification and vulnerability assessment tasks can now run at the same time; be aware, however, that this requires a lot of resources, so I suggest setting up a separate aggregator dedicated to this job.
CLI and public key authentication (10.5)
Finally we can log in to the cli using public key (certificate) authentication instead of simple password-based authentication.
Session-level policies (10.6)
Standard policy evaluation requires the SQL body (command, objects) to be identified so that it is available to rule conditions, even when the decision does not need this analysis because session information alone (user, IP address, network protocol) is sufficient.
To speed up policy evaluation in these situations there is now a completely new type of policy: session-level. We can create it in the GUI or the cli using the dedicated “Session Level Rule Language Grammar”.
The policy focuses only on session information and uses a completely new set of actions, including information transformation (which can be very tricky).
A session-level policy is still evaluated on the collector (by the sniffer), but the decision about logging, or about switching a session from closed to open mode, can be returned much faster.
Standard and session-level policies can be installed together.
New Firewall mode (10.6)
The new FIREWALL_DEFAULT_STATE=2 value integrates the firewall decision flow with the WATCH and UNWATCH flags from session-level policies, so the decision to exclude application sessions from blocking analysis can be made faster and smarter.
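The two-stage flow behind session-level policies and the new firewall mode is easier to see in code. The block below is an added model written for this article: it is not Guardium's Session Level Rule Language, not the sniffer's implementation, and the rule syntax, the action names other than WATCH and UNWATCH, the parser, the network ranges and the sample sessions are all hypothetical. The mapping of FIREWALL_DEFAULT_STATE values 0 and 1 to "start open" and "start closed" is my reading of the S-TAP parameter and is marked as an assumption in the code; value 2 is modelled as taking the initial state from the session-level flag, as the paragraph above describes.

```python
"""Two-stage policy evaluation: session-level rules first, SQL-level rules only
for sessions that stay WATCHed. Added illustration for this article; not
Guardium code, not its rule grammar. Rule syntax, actions other than
WATCH/UNWATCH, the mini SQL parser and all sample data are hypothetical."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Session:
    db_user: str
    client_ip: str
    protocol: str                     # e.g. "TCP", "TLS", "SHM" (constructed)
    statements: List[str] = field(default_factory=list)


# Stage 1: session-level rules see only session attributes; first match wins.
#   UNWATCH -> session released at once, no SQL is ever parsed for it
#   WATCH   -> session continues to the SQL-level rules
APP_SERVERS = ipaddress.ip_network("10.10.0.0/24")      # constructed range
SESSION_RULES = [
    ("app tier service account from the app servers",
     lambda s: s.db_user == "app_svc"
     and ipaddress.ip_address(s.client_ip) in APP_SERVERS, "UNWATCH"),
    ("everything else", lambda s: True, "WATCH"),
]

# Stage 2: SQL-level rules need verb and object, i.e. a parsed SQL body.
# Action names here are placeholders, not Guardium's.
SQL_RULES = [
    ("block DDL on audit tables",
     lambda v, o: v == "DROP" and o == "AUDIT_LOG", "TERMINATE"),
    ("alert on reads of card data",
     lambda v, o: v == "SELECT" and o == "CREDIT_CARD", "ALERT"),
    ("default", lambda v, o: True, "LOG"),
]


def parse_sql(stmt):
    """Minimal verb/object extraction standing in for the sniffer's parser."""
    toks = stmt.strip().rstrip(";").split()
    verb = toks[0].upper()
    obj = None
    for i, tok in enumerate(toks):
        if tok.upper() in ("FROM", "INTO", "TABLE", "UPDATE", "JOIN") and i + 1 < len(toks):
            obj = toks[i + 1].strip('`"').upper()
            break
    return verb, obj


def evaluate(session, firewall_default_state=2):
    """Return the session-level verdict, the initial firewall state, how many
    statements had to be parsed, and the per-statement SQL-level verdicts."""
    result = {"session_action": None, "hold_before_first_sql": None,
              "sql_parsed": 0, "verdicts": []}
    for _name, cond, action in SESSION_RULES:
        if cond(session):
            result["session_action"] = action
            break

    # ASSUMED semantics of the parameter (see lead-in):
    #   0 -> every session starts open (nothing held)
    #   1 -> every session starts closed (held until the first SQL verdict)
    #   2 -> initial state comes from the session-level WATCH/UNWATCH flag
    if firewall_default_state == 0:
        hold = False
    elif firewall_default_state == 1:
        hold = True
    else:
        hold = result["session_action"] == "WATCH"
    result["hold_before_first_sql"] = hold

    if result["session_action"] == "UNWATCH":
        return result                 # released: SQL parsing skipped entirely

    for stmt in session.statements:
        verb, obj = parse_sql(stmt)
        result["sql_parsed"] += 1
        for _name, cond, action in SQL_RULES:
            if cond(verb, obj):
                result["verdicts"].append((stmt, action))
                break
    return result


if __name__ == "__main__":
    # constructed sample traffic
    app = Session("app_svc", "10.10.0.15", "TCP", ["SELECT * FROM credit_card"])
    dba = Session("jsmith", "192.168.5.7", "TCP",
                  ["SELECT * FROM credit_card", "DROP TABLE audit_log;", "UPDATE accounts SET x=1"])
    for s in (app, dba):
        print(s.db_user, evaluate(s))
```

The point of the model is the early return: the application tier's session never reaches the parser, while the interactive DBA session is held from its first packet (state 2) and every statement is parsed and judged. With state 1 the application session would also start in hold, which is exactly the latency the session-level flag removes.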
Enterprise Load Balancer
The ELB update allows creating failover groups, so that an S-TAP fails over only within a defined set of appliances. This is a solution for large environments with geographically scattered Guardium domains.
The last four Guardium releases introduced many new functions to make the system simpler to use, prepare it for customers' transition to the cloud, and open it for extension in the directions stressed by its users.