NIST 800-53 Accelerator - SecureIT


NIST 800-53 Accelerator
Automated Real-Time Controls to Protect Against Cyberattacks & Insider Threats

Highlights

Full suite of database security applications:
- Automate & simplify NIST 800-53 controls with preconfigured policies, reports & assessments
- Address FISMA, FISCAM, OMB, NIST, DIACAP & HIPAA policy requirements
- Real-time database monitoring and alerting to immediately identify unauthorized activities
- Continuous fine-grained auditing
- Cross-database audit repository with secure audit trail & separation of duties
- Vulnerability & configuration assessment to identify unpatched and misconfigured systems
- Change Audit System (CAS) to prevent unauthorized changes to database structures, data values, privileges and configurations
- Real-time prevention (blocking)
- Granular access controls
- Data discovery
- Compliance workflow automation (electronic sign-offs, escalations, comments, etc.)
- Data mining for forensics
- Long-term log retention
- Integration with existing infrastructures: LDAP/AD, change management (e.g., BMC Remedy), SIEM (e.g., ArcSight CEF), RSA SecurID, Kerberos, etc.
- Centralized cross-database policy management via Web console
- Monitor all privileged user activities including local access (SSH console, shared memory, BEQ, TLI, etc.)
- Identify fraud via multi-tier, connection-pooled applications (PeopleSoft, SAP, Cognos, etc.), without modifying applications
- Prevent SQL injection attacks with baselining and policy-based anomaly detection
- Supports all major database platforms including Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Teradata
- Supports all major COTS applications including Oracle EBS, PeopleSoft, Siebel, JDE, Business Objects, Cognos plus custom applications

Figure 1: Guardium provides a full suite of database security applications for automating and simplifying NIST 800-53 compliance across your entire database and application infrastructure. Major functionality components include real-time database monitoring with policy-based alerts and blocking, fine-grained auditing, data discovery and vulnerability management. Guardium provides hundreds of preconfigured reports and policies along with a library of vulnerability tests, based on best practices, developed by DISA.

Overview

Protecting against cyberattacks such as SQL injection, breaches, fraud and insider threats has heightened the need for federal agencies and contractors to carefully review their security programs against the FISMA-mandated NIST 800-53 standard and comply with OMB M-06-16, in order to secure PII and other sensitive data such as financial data and classified information.

Guardium provides the most widely-used solution for preventing information leaks from the data center and ensuring the integrity of critical data.

Guardium 7 automates security operations and optimizes operational efficiency with a scalable, multi-tier architecture that automates and centralizes compliance controls across your entire application and database infrastructure – without impacting performance or requiring changes to applications or databases.

Figure 2: Non-Invasive Monitoring & Auditing: Unlike native log-based approaches, Guardium provides a non-invasive, cross-DBMS architecture that captures 100% of all database activities in real-time – including all privileged user actions, SELECTs and end-user IDs for pooled connections – without impacting performance or requiring changes to database or applications. S-TAPs are lightweight, host-based probes that monitor all database traffic at the OS level, including local access by privileged users, and relay it to Guardium collector appliances for analysis, data mining and reporting. Collector appliances gather monitored data from S-TAPs and Z-TAPs (mainframe-resident probes) and/or by connecting directly to SPAN ports in network switches.

Figure 3: Scalable Multi-Tier Architecture: Guardium's scalable architecture supports both large and small environments, with centralized aggregation and normalization of audit data, and centralized management of security policies and appliance configurations via a Web console – enterprise-wide. Simply add collectors or adjust filtering parameters to support increased transaction volume and/or audit granularity. Aggregators automatically aggregate audit data from multiple collector appliances. For maximum scalability and flexibility, multiple tiers of aggregators can also be configured.

Table 1: Certification and Accreditation – NIST SP 800-53 Security Controls Support

Control ID | Control Name | High Baseline | Feature / Implementation Note
AC-02 | ACCOUNT MANAGEMENT | AC-2 (1) (2) (3) (4) | Support for control enhancements #2, #3, and #4.
AC-03 | ACCESS ENFORCEMENT | AC-3 (1) | S-GATE or S-TAP.
AC-04 | INFORMATION FLOW ENFORCEMENT | AC-4 | Guardium 7 with S-TAP.
AC-05 | SEPARATION OF DUTIES | AC-5 | Guardium 7 enables the organization to efficiently implement separation of duties. Also enforces separation of duties through blocking access to records based on policy.
AC-06 | LEAST PRIVILEGE | AC-6 | Guardium 7 can implement additional security controls over and above the database to meet policy and operational requirements. Guardium 7 can provide entitlement reports showing all user accounts and access privileges.
AC-07 | UNSUCCESSFUL LOGIN ATTEMPTS | AC-7 | Failed login attempts are monitored and policies can be established to lock out accounts after specified thresholds are reached.
AC-10 | CONCURRENT SESSION CONTROL | AC-10 | Today: detect and alert. Future: limit based on policy.
AC-11 | SESSION LOCK | AC-11 | For access to the Guardium system.
AC-12 | SESSION TERMINATION | AC-12 (1) | System can alert and perform a custom action to terminate the session.
AC-13 | SUPERVISION AND REVIEW - ACCESS CONTROL | AC-13 (1) | Can monitor, report and use workflow to automate review. Integrates with ArcSight, Remedy, RSA enVision, McAfee ePO, others.
AC-17 | REMOTE ACCESS | AC-17 (1) (2) (3) (4) | Control enhancement #4 only for database admin functions.
AU-01 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | AU-1 | Organization can facilitate and implement database audit policy and procedures through the Guardium suite.
AU-02 | AUDITABLE EVENTS | AU-2 (1) (2) (3) | Guardium supports the base requirement and all enhancements for database auditing.
AU-03 | CONTENT OF AUDIT RECORDS | AU-3 (1) (2) | Extensive granularity with ability to track end-points and end-user accounts when accessing through shared or pooled middleware.
AU-04 | AUDIT STORAGE CAPACITY | AU-4 | Guardium available in storage capacities to meet operational requirements.
AU-05 | AUDIT PROCESSING | AU-5 (1) (2) | Server: monitor system, database capacity, log space. S-TAP: monitor and alert when down. Guardium system: monitors itself and alerts. Alert via email, console (SNMP, SMTP). Can be fed to SIEM (e.g., ArcSight). Monitor server space & native audit via scripts.
AU-06 | AUDIT MONITORING, ANALYSIS, AND REPORTING | AU-6 (1) (2) | For supported databases: Oracle, SQL Server, IBM DB2 & Informix, Sybase, MySQL, Teradata.
AU-07 | AUDIT REDUCTION AND REPORT GENERATION | AU-7 (1) | System retains audit data, read-only on source, but with a variety of ways to view and reduce.
AU-08 | TIME STAMPS | AU-8 (1) | Synchronize with NTP services. Span all databases for a central log with a single timestamp, overcoming devices which are not synchronized.
AU-09 | PROTECTION OF AUDIT INFORMATION | AU-9 | Hardened Linux platform with no root access.
AU-11 | AUDIT RETENTION | AU-11 | Enterprise database auditing with interfaces to standard archiving solutions including IBM TSM, EMC Centera, NAS, etc.
CA-02 | SECURITY ASSESSMENTS | CA-2 | Comprehensive vulnerability assessment module.
CA-03 | INFORMATION SYSTEM CONNECTIONS | CA-3 | S-GATE can be used to prevent access from unauthorized systems and networks.
CA-07 | CONTINUOUS MONITORING | CA-7 | Can monitor / assess technical controls within Guardium scope.
CM-02 | BASELINE CONFIGURATION | CM-2 (1) (2) | Inventory: database, configuration, binaries, stored procedures, functions, tables, users, etc.
CM-03 | CONFIGURATION CHANGE CONTROL | CM-3 (1) | Integrates with change management systems (e.g., Remedy). Detects changes and can check for authorized changes.
CM-04 | MONITORING CONFIGURATION CHANGES | CM-4 | Detect database configuration changes, audit, alert and report.
CM-05 | ACCESS RESTRICTIONS FOR CHANGE | CM-5 (1) | Audit and enforce at the database level.
CM-06 | CONFIGURATION SETTINGS | CM-6 (1) | Database security configuration assessments and monitoring based on DISA STIGs, NIST and CIS Benchmarks.
CP-07 | ALTERNATE PROCESSING SITES | CP-7 (1) (2) (3) (4) | Product supports cold, warm and hot site failover configuration and operations with multiple sites, nodes and databases.
CP-09 | INFORMATION SYSTEM BACKUP | CP-9 (1) (2) (3) (4) | Backup must use a FIPS 140-2 validated product/module.
CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | CP-10 (1) | Guardium can be used to compare a known good state to the reconstructed system to detect any variances.
IA-05 | AUTHENTICATOR MANAGEMENT | IA-5 | Can enforce strong passwords today and associated password requirements.
IR-04 | INCIDENT HANDLING | IR-4 (1) | Real-time incident detection at the database level which can be used for analysis and response.
IR-05 | INCIDENT MONITORING | IR-5 (1) | Real-time detection and monitoring of threats, mitigating the risk of Web-based attacks with real-time identification of suspicious behavior and execution of preventative actions.
IR-06 | INCIDENT REPORTING | IR-6 (1) | Extensive reporting features which can be used to support incident reporting.
IR-07 | INCIDENT RESPONSE ASSISTANCE | IR-7 (1) | Can be configured to send incidents based on type and organizational structure.
RA-05 | VULNERABILITY SCANNING | RA-5 (1) (2) | Guardium performs vulnerability and patch scanning on database servers.

Control ID | Control Name | High Baseline | Feature / Implementation Note
SA-11 | DEVELOPER SECURITY TESTING | SA-11 | Can be used to test and monitor development versions of the database.
SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | SC-17 | Guardium plugs into the customer PKI.
SI-04 | INTRUSION DETECTION TOOLS AND TECHNIQUES | SI-4 (2) (4) (5) | Provides support for the control and all HIGH enhancements as they pertain to the database.
SI-06 | SECURITY FUNCTIONALITY VERIFICATION | SI-6 | Hardened Linux OS with no root access.
SI-07 | SOFTWARE AND INFORMATION INTEGRITY | SI-7 (1) (2) | Monitors critical files on database servers.
SI-09 | INFORMATION INPUT RESTRICTIONS | SI-9 | Supports a variety of granular controls on input.
SI-10 | INFORMATION INPUT ACCURACY, COMPLETENESS, AND VALIDITY | SI-10 | Can detect certain input out of range or outside threshold values and then block. (Not a replacement for dynamic application vulnerability testing.)

Figure 4: Granular Policies. Guardium provides granular, preconfigured policies and reports to rapidly identify suspicious or unauthorized activities such as access via unauthorized applications or multiple failed logins. A range of actions, such as real-time SNMP alerts, can be configured to occur when policy rules are violated.
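The three kinds of policy rule this data sheet describes (access via an unauthorized application, repeated failed logins, and statement shapes that deviate from a learned baseline) can be illustrated as a small rule engine over audit records. This is an added example written for this page, not Guardium code: the record layout, the policy dictionary, the EVENTS sample and the rule names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed audit records as a host-based probe would relay them to a collector:
# (db account, source program, client IP, login outcome, SQL). Sample data only.
EVENTS = [
    ("app_user", "PeopleSoft", "10.0.0.5", "ok", "SELECT name FROM employees WHERE id = 42"),
    ("app_user", "PeopleSoft", "10.0.0.5", "ok", "SELECT name FROM employees WHERE id = 77"),
    ("app_user", "sqlplus", "10.0.0.9", "ok", "SELECT ssn FROM employees WHERE id = 1"),
    ("dba1", "sqlplus", "10.0.0.9", "fail", ""),
    ("dba1", "sqlplus", "10.0.0.9", "fail", ""),
    ("dba1", "sqlplus", "10.0.0.9", "fail", ""),
    ("app_user", "PeopleSoft", "10.0.0.5", "ok", "SELECT name FROM employees WHERE id = 1 OR 1=1"),
]

# Hypothetical policy: allowed programs per account, sensitive tables, failed-login cap.
POLICY = {
    "allowed_programs": {"app_user": {"PeopleSoft"}},
    "sensitive_tables": {"employees"},
    "max_failed_logins": 3,
}

def normalize(sql):
    """Reduce a statement to its shape: quoted strings and numbers become '?'."""
    sql = re.sub(r"'[^']*'", "?", sql)
    return re.sub(r"\b\d+\b", "?", sql).upper()

def learn_baseline(events):
    """Baseline = the set of statement shapes seen during the learning period."""
    return {normalize(sql) for _, _, _, outcome, sql in events if outcome == "ok" and sql}

def evaluate(events, policy, baseline):
    """Apply the policy to each record; return (rule, account, detail) alerts in order."""
    alerts, failures = [], Counter()
    for user, program, ip, outcome, sql in events:
        if outcome == "fail":
            failures[user] += 1
            if failures[user] == policy["max_failed_logins"]:
                alerts.append(("FAILED_LOGIN_THRESHOLD", user, f"{failures[user]} failures from {ip}"))
            continue
        allowed = policy["allowed_programs"].get(user)
        if allowed is not None and program not in allowed:
            alerts.append(("UNAUTHORIZED_APPLICATION", user, f"{program} from {ip}"))
        shape = normalize(sql)
        tables = {t.lower() for t in re.findall(r"\bFROM\s+(\w+)", shape)}
        # A statement shape never seen in the baseline, against a sensitive table, is flagged.
        if tables & policy["sensitive_tables"] and shape not in baseline:
            alerts.append(("ANOMALOUS_STATEMENT", user, shape))
    return alerts
```

Run `evaluate(EVENTS, POLICY, learn_baseline(EVENTS[:2]))` to learn from the first two records and evaluate the rest; the tautology appended to the last statement survives normalization as a new shape, which is what the baseline comparison catches.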

About the Guardium Platform

Guardium's real-time database security and monitoring solution monitors all access to sensitive data, across all major database platforms and applications, without impacting performance or requiring changes to database or applications. The solution prevents unauthorized or suspicious activities by privileged insiders, potential hackers, and end-users of enterprise applications such as Oracle EBS, PeopleSoft, Siebel, JD Edwards, SAP, Business Intelligence and in-house systems. Additional modules are available for performing database vulnerability assessments, change and configuration auditing, data-level access control and blocking, data discovery and classification, and compliance workflow automation.

Forrester Research recently named Guardium "a Leader across the board," with "dominance and momentum on its side." Guardium earned the highest overall scores for Architecture, Current Offering and Corporate Strategy ("The Forrester Wave: Enterprise Database Auditing And Real-Time Protection, Q4 2007" by Noel Yuhanna, October 2007).

About Guardium

Guardium, the database security company, delivers the most widely-used solution for ensuring the integrity of enterprise information and preventing information leaks from the data center. Founded in 2002, Guardium was the first company to address the core data security gap by delivering a scalable enterprise platform that both protects databases in real-time and automates the entire compliance auditing process.

The company's enterprise security platform is now installed in more than 450 data centers worldwide, including top government agencies; 3 of the top 4 global banks; 3 of the top 5 insurers; 2 of the top 3 global retailers; 15 of the world's top telcos; 2 of the world's favorite beverage brands; the most recognized name in PCs; a top 3 auto maker; a top 3 aerospace company; and a leading supplier of business intelligence software.

For more information, please contact your Guardium partner, Regional Sales Manager or visit www.guardium.com.

Copyright 2009 Guardium. All rights reserved. Information in this document is subject to change without notice. Guardium, Safeguarding Database, S-TAP and S-GATE are trademarks of Guardium. All other trademarks and service marks are the property of their respective owners. NA-PN 06-09
