Mitigate insider threats with Guardium and Privileged Identity Manager (PIM)
Create a secure immune system by managing and auditing the use of privileged access credentials
In the last couple of years, there has been a massive increase in awareness of insider threats. These threats stem from the escalated privileges of individuals who are inside a company (privileged users, such as system and database administrators). Privileged users have the power to access sensitive data in an organization. The rise in phishing attacks and other attacks that use social engineering makes it all too likely that even innocent administrators are targeted and their credentials are stolen and used for nefarious activities. For a demonstration of how administrators are targeted, be sure to view the following Security Immune System video demonstration.
To help combat insider threats, organizations are relying on industry-leading solutions from IBM Security. In this article, we will describe two offerings and how they work together to provide added insight into privileged user activity:
- Guardium provides a comprehensive solution for data protection, including comprehensive data and file activity monitoring. With Guardium, organizations monitor detailed activity against databases or files. Guardium provides real-time alerting and detailed analytics to help you uncover unauthorized insider activity, even activity that occurs over time.
- Privileged Identity Manager (PIM) helps mitigate insider threats by centrally managing and auditing the use of privileged access credentials.
Benefits of an integrated solution
With Guardium Data Activity Monitor (DAM), companies are producing insightful reports that show the details of data activities: who executed an activity, when it was executed, where the activity occurred, and how it happened. If your privileged account credentials are managed by IBM Security Privileged Identity Manager, database activities are performed by using a shared account that the user checks out. Before the integration, Guardium could only "see" the shared account ID, with no way to correlate that activity with the real person who checked out the account.
To create a clear audit trail and to hold people accountable, it is important to identify the actual user who leased the PIM shared credential.
The Guardium and PIM integration that is described in this article requires Guardium Data Activity Monitor v10 patch 103 or above. With the solution, Guardium reports can show the detailed activity and correlate it with the real user who checked out the credential, as shown in the report in Figure 1.
Figure 1. Sample report shows user and check-in timestamp
Configuration of the solution requires a two-step process:
- Schedule periodic imports of PIM metadata views to a set of Guardium custom tables. These database views are loaded with the PIM data, such as lease history (who used the shared account), list of shared credentials, and databases managed by PIM.
- Once PIM data is uploaded to Guardium, you can schedule and automate the correlation of the imported PIM lease history and credentials with the DAM-captured activities.
Figure 2. Two-step process to integrate PIM data with Guardium captured data activities
Important note: During the PIM data correlation process, only those shared credentials that were leased exclusively in PIM are correlated with the respective captured database activities. In other words, only shared credentials that were leased by a single person at any given moment are correlated with the Guardium DAM-captured activities. If PIM was set to allow a non-exclusive shared credential lease and two users leased the same shared credential at the same time, Guardium would not connect the check-out data to the activity. No correlation is possible in that case because there is no way to identify which of the two users who checked out the shared credential at the same time performed a specific data activity.
When the PIM data correlation finishes, the captured Guardium data activities can be joined with the information of the user who actually performed the activities via the leased privileged credentials. Guardium users can add the PIM attributes to their queries and reports to see privileged users' database activities, together with the PIM lease information and the user who leased the shared credential and performed the activities.
Installation and configuration
This section describes the procedures to set up the integration between Guardium and IBM Security Privileged Identity Manager (PIM). Here is a high-level overview of the steps:
- Add database resource in PIM configuration for bulk data upload (PIM administrator).
- Add database user access to PIM data views (PIM administrator).
- Schedule upload of PIM data into Guardium out-of-the-box PIM custom tables (Guardium administrator).
- Schedule automatic PIM data correlation (Guardium administrator).
After the installation and configuration are complete, Guardium users can add PIM data to data activity reports, as described in Enhancing reports with PIM data.
Add database resource in PIM configuration for bulk data upload
Starting from IBM Security Privileged Identity Manager version 2.0.2 Fix Pack 6, PIM provides a Resource-type identifier to handle bulk uploads. Before Guardium can be configured to pull PIM credentials and check-out/check-in activities, a PIM database resource must be set up in Privileged Identity Manager.
For example, the following screenshot shows a sample database-type resource in PIM with the hostname, port, and type of the database server for which PIM manages credentials. This sample shows an Oracle database server IP address and port for which the PIM check-in/check-out activities can be tracked and related to the privileged users' database access activities captured by Guardium.
Figure 3. Sample PIM update resource screen
For more information on setting up a database-type resource in PIM for data uploads, visit the PIM Knowledge Center.
Add database user access to PIM data views
IBM Security Privileged Identity Manager tracks the PIM activities in its metadata database, called "idmdb" by default. Before we upload the PIM activities from the idmdb database into the Guardium appliance, we first need to create a database user that Guardium can use to access the idmdb data views.
- Create a database user for PIM idmdb:
  - On the PIM server, create a new user on the operating system.
  - Add the new operating system user
  - Change the password for the new
- Grant the user permissions to access the required PIM data views. Log in as your PIM idmdb administrator, then use these commands to grant the new user access to the required PIM data views:
Listing 1. Sample code listing
# Run from the DB2 command line processor on the PIM idmdb server
db2 connect to idmdb user piminst using <password>
db2 "GRANT SELECT ON V_PIM_CICO_HISTORY_DB_RSRC TO <username>"
db2 "GRANT SELECT ON V_PIM_CRED_INFO_DB_RSRC TO <username>"
db2 "GRANT SELECT ON V_PIM_CRED_DETAILS_DB_RSRC TO <username>"
db2 disconnect current
Note: The PIM data is owned by the PIM idmdb administrator, the PIMINST user by default. For more information on how to allow a database user to access the required PIM data views in idmdb, see this Knowledge Center topic.
Schedule upload of PIM data into Guardium out-of-the-box PIM custom tables
This section walks through the steps to upload the PIM metadata into the Guardium appliance. Starting from Guardium v10p103, three PIM custom tables are included out-of-the-box. Once the PIM data is periodically uploaded to these custom tables, Guardium can correlate the PIM check-out data with the captured activity reports.
- Log in to the Guardium appliance.
- Navigate to Comply > Custom Reporting > Custom Table Builder.
- On the Custom Tables page, look for the three PIM custom tables.
Figure 4. Out-of-box PIM custom tables in Guardium
- Select a PIM custom table and click Upload Data to
configure the data upload from the PIM metadata database into
Figure 5. Upload data to PIM custom tables
- On the Upload Data page, click Add Datasource to add
the PIM datasource.
Figure 6. Add datasource to upload data to PIM custom tables
- A Datasource Finder page will open. Click New (+) to
create a new datasource for the PIM metadata database that contains
the PIM activities info.
Figure 7. Add new PIM datasource in Datasource Finder
- In the datasource definition, provide the connection details for the PIM idmdb database. Connect by using the credentials that were added in the previous section "Add database user access to PIM data views." For a list of the required minimum privileges, refer to the IBM Knowledge Center topic "Creating a user to access database views." Click Apply to save the datasource definition, then use the Test Connection button to test the datasource connection before proceeding.
Figure 8. Datasource connection definition for PIM idmdb
Figure 9. Test datasource connection prompt
- When the PIM datasource definition is created, select the PIM
datasource and add it to the Custom Tables Upload Data job.
Figure 10. Add PIM idmdb datasource to the PIM custom table data upload
Figure 11. Add PIM idmdb data source in each PIM custom table upload job
- To set up a schedule for automatic data upload, click Modify Schedule and define when the PIM data is uploaded to the Guardium custom tables.
Figure 12. Schedule a periodic data upload from PIM into Guardium
Figure 13. Define a preferable schedule for your PIM data upload jobs
Figure 14. Upload is actively scheduled
- Repeat the same steps for the rest of the PIM tables.
Troubleshooting tip: If no data is populated in the Guardium PIM custom tables, verify the following:
- The configuration with the PIM database resource settings is correct (see the earlier section Add database resource in PIM configuration for bulk data upload ).
- There are privileged users with check-out/check-in activities against the database that is specified in the PIM database resource. The PIM custom table upload jobs load only data that has not yet been uploaded to the Guardium tables.
Set up PIM data correlation
Once the PIM data is uploaded to the Guardium appliance (or when PIM data is distributed to all managed units), schedule the PIM data correlation job to periodically correlate the uploaded PIM data with the captured Guardium Session data.
- Use the following CLI command to enable or disable correlation of uploaded PIM data with captured Guardium DAM session data. Set <state> to on to enable PIM correlation mode, or to off to disable it:
> store pim_correlation_mode <state>
- Use the following CLI command to verify the current PIM correlation mode setting:
> show pim_correlation_mode
To schedule PIM data correlation with Guardium session data, navigate to Comply > PIM Correlation > Modify schedule. Make sure to check the Activate schedule box to activate the scheduled job.
Figure 15. Schedule periodic PIM data correlation with Guardium captured data
Here is an example of a PIM data correlation schedule.
Figure 16. Sample PIM Data Correlation schedule
Enhance reports with PIM data
When PIM data is correlated with captured Guardium session data, users can join their activity data with the PIM data in their query/reports. The PIM correlated data is accessible via the Access domain in the Guardium Query Builder. You can create a new report or modify your existing access reports to add this correlated data.
If we look back at the first report, it includes both the captured DB user name and activity information and the correlated PIM data. In this sample, Guardium captured the data activity (Timestamp, Server Type, ServerIP, ClientIP, Network Protocol, DB user name, SQL) and correlated it with the PIM check-out and check-in data. This gives us visibility into not just the shared DB user name (that is, SYSTEM) that executed the SQL statements, but also the actual PIM user who checked out the SYSTEM account to perform those activities.
The following sample report shows the DB user name, PIM user name, and the PIM check-out and check-in timestamp:
Figure 17. Sample PIM activity report
Here is a sample query of the previous sample report. You can include any PIM Session attributes from the Entity list to correlate in your own activity report.
Figure 18. Sample query with PIM Session attributes information
Figure 19. Sample PIM Correlation report with PIM check-out/check-in time stamps and justification information with captured data activities
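The correlation rule from the "Benefits of an integrated solution" section (only exclusively leased credentials are attributed) and the report join described above can be illustrated with a small worked example. The following Python block is an added example, not Guardium or PIM code: it loads constructed PIM lease history and constructed Guardium-captured sessions into an in-memory SQLite database and runs the join. The table and column names (pim_lease, dam_session, checkout, checkin and so on) are assumptions that stand in for the PIM views and Guardium custom tables; they are not the products' actual schema. The example also covers two edge cases the article mentions or implies: overlapping (non-exclusive) leases are left unattributed, and a lease that is still checked out (no check-in time yet) still attributes activity.

```python
"""Added example: correlate PIM lease history with Guardium DAM sessions.
Assumed schema; not the real PIM views or Guardium custom tables."""
import sqlite3

# Constructed PIM lease history (role of V_PIM_CICO_HISTORY_DB_RSRC).
# Columns (assumed): pim_user, shared_account, server_ip, checkout, checkin.
# A NULL checkin means the credential is still checked out.
LEASES = [
    ("alice", "SYSTEM", "10.0.0.5", "2016-05-01 09:00:00", "2016-05-01 10:00:00"),
    ("bob",   "SYSTEM", "10.0.0.5", "2016-05-01 11:00:00", "2016-05-01 12:00:00"),
    # Non-exclusive lease: carol and dave hold SYSTEM at the same time.
    ("carol", "SYSTEM", "10.0.0.5", "2016-05-01 14:00:00", "2016-05-01 15:00:00"),
    ("dave",  "SYSTEM", "10.0.0.5", "2016-05-01 14:30:00", "2016-05-01 16:00:00"),
    # Active lease with no check-in yet.
    ("erin",  "SYSTEM", "10.0.0.5", "2016-05-01 17:00:00", None),
]

# Constructed Guardium-captured sessions (DAM data).
# Columns (assumed): session_id, db_user, server_ip, ts, sql_text.
SESSIONS = [
    (1, "SYSTEM", "10.0.0.5", "2016-05-01 09:15:00", "SELECT * FROM HR.SALARY"),
    (2, "SYSTEM", "10.0.0.5", "2016-05-01 11:30:00", "UPDATE HR.SALARY SET PAY=PAY*2"),
    (3, "SYSTEM", "10.0.0.5", "2016-05-01 14:45:00", "DELETE FROM HR.AUDIT"),
    (4, "SYSTEM", "10.0.0.5", "2016-05-01 18:00:00", "SELECT COUNT(*) FROM HR.SALARY"),
]

# The join: a session is attributed to the lease of the same shared account
# on the same server whose check-out/check-in window contains the session
# timestamp, but only if no other lease of that credential overlaps it
# (the exclusive-lease rule). An open lease is treated as running until a
# far-future sentinel so it can still be matched.
CORRELATION_SQL = """
SELECT s.session_id, s.db_user, s.ts, s.sql_text,
       l.pim_user, l.checkout, l.checkin
FROM dam_session s
LEFT JOIN pim_lease l
  ON l.shared_account = s.db_user
 AND l.server_ip = s.server_ip
 AND s.ts >= l.checkout
 AND s.ts <= COALESCE(l.checkin, '9999-12-31 00:00:00')
 AND NOT EXISTS (
       SELECT 1 FROM pim_lease o
       WHERE o.shared_account = l.shared_account
         AND o.server_ip = l.server_ip
         AND o.rowid <> l.rowid
         AND o.checkout < COALESCE(l.checkin, '9999-12-31 00:00:00')
         AND l.checkout < COALESCE(o.checkin, '9999-12-31 00:00:00'))
ORDER BY s.session_id
"""


def correlate(leases=LEASES, sessions=SESSIONS):
    """Return one row per captured session with the attributed PIM user
    (None when no exclusive lease covers the session)."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
        CREATE TABLE pim_lease(pim_user TEXT, shared_account TEXT,
                               server_ip TEXT, checkout TEXT, checkin TEXT);
        CREATE TABLE dam_session(session_id INTEGER, db_user TEXT,
                                 server_ip TEXT, ts TEXT, sql_text TEXT);
    """)
    con.executemany("INSERT INTO pim_lease VALUES (?,?,?,?,?)", leases)
    con.executemany("INSERT INTO dam_session VALUES (?,?,?,?,?)", sessions)
    rows = [dict(r) for r in con.execute(CORRELATION_SQL)]
    con.close()
    return rows


def unattributed_sessions(leases=LEASES, sessions=SESSIONS):
    """Session IDs that no exclusive lease explains: shared-account activity
    with no accountable person, which is what an auditor should review."""
    return [r["session_id"] for r in correlate(leases, sessions)
            if r["pim_user"] is None]


if __name__ == "__main__":
    for row in correlate():
        print(row["session_id"], row["db_user"], row["ts"],
              row["pim_user"] or "<unattributed>", row["sql_text"])
    print("unattributed:", unattributed_sessions())
```

Sessions 1 and 2 fall inside alice's and bob's exclusive leases and are attributed to them; session 3 falls inside two overlapping leases (carol and dave) and is left unattributed, exactly as the article's note describes; session 4 is attributed to erin's still-open lease. The unattributed_sessions helper is the detection angle: shared-account activity that cannot be tied to a person is the case worth alerting on.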
The powerful combination of IBM Security Privileged Identity Manager and Guardium Activity Monitoring can help you to reduce blind spots in the management and monitoring of privileged users, especially with regards to sensitive data access and activity. The setup is not difficult and the processes are scheduled and automated between the two products. This integration is just one of many in the IBM Security portfolio that make up the security immune system.