Combining real-time alerts and correlation analysis with SIEM products

Distribute contextual knowledge of database activity patterns, structures, and protocols directly to the third-party database of the SIEM system.

About this task

Guardium® preprocesses large volumes of database traffic and distills important information. Then, it provides the condensed summary to external SIEM (Security Incident Event Manager) systems such as ArcSight, Envision, and QRadar. Thus, SIEM products do not have to work as hard to process large traffic streams. Rather, it can concentrate on correlating all activity, alerting on unauthorized or suspicious behavior, and helping with the regulatory compliance requirements on event logs.

This Guardium SIEM (Security Incident Event Manager) integration can be done in one of the following ways:

  • Syslog forwarding, the most common method for alerts and events.
  • Using the CLI command, store remotelog add, to configure the Syslog forwarding for facility and priority, and destination host. For more information, see store remotelog add.
  • Using Guardium templates for ArcSight, Envision, and QRadar
  • SCP/FTP (CSV or CEF Files sent to an external repository and the SIEM system must upload and parse from this external repository.)

Guardium distributes its contextual knowledge of database activity patterns, structures, and protocols directly to the third-party database of the SIEM system (Guardium has credentials to the SIEM system. It can also write directly to the SIEM database in the SIEM schema. Contact Guardium support as entities of Guardium must be mapped to the third-party schema.

Remember: The SIEM system must enable remote logging to listen for the correct facility and priority, which is defined within syslog. For more information on configuring the facility and priority, see Facility and priority of syslog messages.

By combining real-time security alerts and correlation analysis of Guardium with SIEM and log management products, companies can enhance their ability to:

  • Proactively identify and mitigate risks from external attacks, trusted insiders, and compliance breaches.
  • Implement automated controls from Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), and data privacy regulations.
  • Manage system and network events alongside critical logs and events from the core of their data centers – enterprise databases and applications – for enterprise-wide correlation, forensics, incident prioritization, and reporting.

Companies such as QRadar, ArcSight, CA, Cisco MARS, LogLogic, RSA enVision, and SenSage offer Security Information and Event Management (SIEM) solutions, also referred to as Security Event Management (SEM) solutions. SIEM products are complementary to database activity monitoring solution of Guardium. They can also use filtering and preprocessing of database events of Guardium to provide 100% visibility and database analytics for SOX, PCI-DSS, and data privacy.

SIEM technology provides real-time analysis of security alerts that are generated by network hardware and applications. It helps companies to respond to network attacks faster and to organize the massive amounts of log data that is generated daily. SIEM solutions are log-based correlation engines.

SIEM solutions are primarily focused on detection and security, but not on auditing. They assemble data from other logs and analyze it at a high level. They correlate data such as IP addresses and routers but have little database visibility. They do not have forensics-quality, digitally signed, audit monitoring capabilities so they can be used for immediate information, but not historical proof.

Security information and event management (SIEM) users are faced with the challenge of importing raw logs that are generated by internal DBMS utilities. The performance of DBMS logging utilities, the unfiltered information that they produce, and the lack of necessary granular information create challenges.

Configure Guardium to integrate with various SIEM tools by using the Guardium user interface.

SIEM, Guardium Integration
Tip: With SIEM integration, the reports and policies do not change on the Guardium system. Users can continue with their existing policies and reports, trigger alerts, and send reports to the SIEM system.

For SIEM-Guardium Integration, predefined templates are available for QRadar, Envision, and ArcSight so you do not need to define them. You can select the appropriate message template within the rule action.

You can change the default message template, specify the parameters for syslog forwarding, and create the CSV or CEF file to export.

Remember: CEF is only used for ArcSight. The other SIEM products have a different format and do not use CEF.

For the SIEM product to recognize the information that is being sent, the message template must be changed through the Global Profile. This formatting agreement between the SIEM solution and Guardium allows SIEM products to parse incoming messages and update its own database with the new event, data, or both.

To change the message template, click Setup > Tools and Views > Global Profile, click Edit, and then select a template or create a new template .

The Guardium appliance can be configured to send Syslog messages to remote systems. Specific types of Syslog messages can be sent to specific hosts. The Syslog message type is determined from the facility-priority of the message.

Configure sending to remote systems by using the CLI command store remote log add. You can test communication with the remote server by using the CLI command show_remotelog_status. For more details on the process, see remote syslog.

Examples of facility are: all, auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, mark, news, security, Syslog, user, uucp. Examples of priority are: alert, all, crit, debug, emerg, err, info, notice, warning.

Reports with data for other applications or large datasets can be exported to CSV format.

Report, Entity Audit Trail, and Privacy Set task output can be exported to CSV (Delimiter-separated Value) files. Also, CSV file output can be written to Syslog. If the remote Syslog capability is used, the output CSV file is forwarded to the remote Syslog locations.

Each record in the CSV or CEF files represents a row on the report. Contact Guardium Support for a tool that permits the reformatting of CSV files before export.

Each record in the CSV or CEF files represents a row on the report.

To send Syslog messages and export reports to CSV files, complete the following steps.
Remember: Do not compress the file within the audit process definition so that the SIEM vendor can parse it correctly.

Procedure

  1. To open the Audit Process Finder, click Comply > Tools and Views > Audit Process Builder.
  2. Click the new icon to add a process or select an existing process from the list.
  3. Under Audit Tasks, click New Audit Task.
  4. Enter a description and select Report.
  5. Select a report from the list and enter the CSV/CEF File Label.
  6. Select Export CSV file and Write to Syslog. Choose a named template from the list.
  7. Under Task Parameters, select the time range by using the calendar icon and click Apply.

What to do next

CSV/CEF files can be exported on a schedule to the SIEM host.

  1. Open the Audit Process Finder and modify or add an audit task.
  2. Choose Export CSV file or Export CEF file.
    Tip: ACCESS reports can be saved and forwarded in CEF or LEEF format but other reports, such as Guardium Logins, Aggregation Activity Log, and CAS events cannot be mapped to CEF or LEEF.
  3. Clear the Write to Syslog checkbox. Otherwise, Syslog messages are generated instead of a file.
  4. Open the CSV/CEF Export menu by clicking Manage > Data Management > Results Export (Files).
  5. Select either the SCP or FTP Protocol. Then enter the Host, Directory, Username, Port, and SCP/FTP password.
  6. In the Scheduling section, define the Start Time, Restart frequency, Repeat frequency, Schedule by Day/Week or Month, Schedule Start Time. Select the checkbox to automatically run dependent jobs.
  7. Click Save to commit the changes or Reset to clear the fields.
To send policy alerts to Syslog, modify exception, access, and extrusion rules in the Policy Builder to trigger notifications. These policy rules can be sent as emails or directly to Syslog for forwarding.
  1. To open the Policy Builder, click Setup > Tools and Views > Policy Builder.
  2. Select the policy and click Edit Rule.
  3. Click Add Rule... > Add Exception Rule.
  4. Enter the Description, Category, Classification, and select a Severity level from the list.

For every policy rule violation logged during the reporting period, the Policy Violations report provides the Timestamp from the Policy Rule Violation entity, Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String from the Policy Rule Violation entity, Severity Description, and a count of violations for that row. With this report, users can group violations and create incidents, set the severity of each violation, and assign incidents to users.