
Zhong an Visa: a detailed explanation of Guardium database security technology

2025-01-16 Update. From: SLTechnology News&Howtos > Database

Shulou(Shulou.com)06/01 Report--

Compared with the priority given to business needs and functionality, security development always seems to lag one step behind. However, as IT infrastructure penetrates every industry, the demand for data security capabilities is becoming more urgent, both on premises and in the cloud.

In recent years, several database security vendors have emerged in China, such as China Ambit and Ankai Technology, whose voice in the domestic data security market is growing louder. Abroad, Guardium, which focuses on database security, has combined with IBM's global influence and is also slowly starting to build its strength in the Chinese market.

From an independent security enterprise to a member of the "safe immune system"

Back in 2002, a database security company called Guardium was set up in Israel.

Guardium was the only security vendor in the industry with a security monitoring solution for mainframes. At the same time, Guardium advocated capturing all access to a database at the host level by installing lightweight "probes" (software agents) on the database system. Because of its flexible deployment, low consumption of database system resources and comprehensive coverage of database access behavior, Guardium accumulated about 400 customers in 7 years, and the company grew to about 150 people.

At the end of 2009, IBM officially announced the completion of its acquisition of Guardium for US $225 million, intending to use Guardium's advantages in the field of "host security" to strengthen IBM's own database products (such as IBM DB2) in monitoring database access activity.

In 2012, IBM Security was officially established, and the security products previously scattered across various sub-departments were consolidated. The Guardium series was also launched as a stand-alone product in the field of "data security".

In 2016, IBM Security integrated its product lines across eight security areas, including data security, application security, network security, endpoint security, mobile security, advanced fraud prevention, identity and access control, and security intelligence, and launched the IBM "Security immune system" together with IBM X-Force. The Guardium suite is the main force of its "data security" product category.

[Figure: Safe immune system]

IBM's advantage does not lie in expertise in any one field. On the contrary, its real strength as a giant is acquiring the leading vendors in a sub-field, thoroughly absorbing and digesting their product technology, and then integrating it into its existing product lines, where it can play a greater role.

Deployment and compliance benefits

From Guardium's founding in 2002, its technical idea has been to install probe software on the database system and capture and forward database traffic according to policy.

[Figure: S-TAP probe deployment]

Customers investing in database security want to know three things about their data: who accessed it, at what time, and which data resources were touched. This requires full coverage of database access, whether it arrives from applications over the network protocol layer or from a high-privilege account logged in directly on the database server. By installing the probe on the database server, all operations can be captured, whether local or from the network.

The Guardium probe itself is software at the operating system layer and is independent of the database configuration. As a lightweight process, it consumes very few database system resources from an operations standpoint; even under large-scale concurrent access to the database, it does not affect normal operation.

At the same time, the probe software supports a wide range of platforms and mainstream databases that almost no domestic vendor can match. Deployment of probes in cloud environments is almost unaffected because the probe runs at the OS layer: whether on a VM or a physical machine, as long as the operating system remains the same, the probe works normally.

[Figure: Types of data platforms supported by Guardium]

Beyond probe deployment, on the compliance side "automated compliance" is currently what most customers in the database audit market demand. Compliance is itself a costly process, and customers often have to do a lot of extra work to achieve it. Guardium embeds many "off-the-shelf" compliance best practices. For example, the financial industry's PCI DSS (Payment Card Industry Data Security Standard), SOX (the Sarbanes-Oxley Act), SAS 70, ISO 27001 and 27002, and data privacy legislation that has not even been formally implemented in Chinese mainland are all included in Guardium. This brings great convenience to users' compliance work. In addition, through its flexible deployment and configuration, Guardium can also provide extensive support for internal audit compliance requirements.

[Figure: PCI DSS audit]

Extension from database security to data security

Support for big data platform

Because of Guardium's origins as a database security product, IBM continued to approach it with a database security mindset for a long time after the acquisition. However, with the rapid development and broad commercial adoption of big data technology, especially the Hadoop big data processing platform after 2011, IBM began to cooperate with some of the industry's most influential big data vendors (such as Cloudera and Hortonworks), and Guardium began research and development on big data platform support.

[Figure: Guardium support for Hadoop clusters]

At home and abroad there are a large number of big data vendors whose distributions are all based on open-source Hadoop at the bottom, while the customized services packaged on top help users perform a range of operations and queries. The Guardium team's biggest advantage is using IBM's existing resources and influence to negotiate with these big data vendors and learn what their underlying architecture looks like and how commands are executed. As a result, the access behavior of these upper-layer services toward the data store can be fully known to Guardium. In addition, because the Hadoop architecture is so widely used, Guardium can in theory offer better support for the Hadoop-based products of these big data vendors.

Many enterprises now choose to put important data into such a platform for comprehensive correlation analysis. Previously, a hacker who broke into one database might obtain only part of a company's business information; if something goes wrong with the big data system and data leaks, the negative impact on the company's business can be enormous.

Regarding the data security market and customers for big data platforms, IBM has told the media that a large domestic "operator" customer of IBM has already begun using Guardium to protect its big data system, and that IBM is actively cooperating with big data vendors around the world. Besides the previously mentioned Cloudera and Hortonworks, there are MongoDB and IBM's own BigInsights. Guardium supports these Hadoop-based big data platforms very well, and IBM believes this market will be relatively broad in the future.

[Figure: Guardium support for MongoDB clusters]

Linkage with existing resources of IBM

IBM's biggest advantage lies in integrating and linking its layout and resources across the entire IT industry. This is also reflected in its major strategic decisions, such as mergers and acquisitions. When IBM acquired Guardium in 2009, Guardium's support for "mainframe security" monitoring and its alignment with IBM's existing major product lines, such as IBM DB2, where the global financial system stores its core business data, were IBM's primary reasons and one of the prerequisites for the acquisition.

In addition, within the whole "safe immune system", the "two-way integration" between Guardium and QRadar, the SOC platform in the "brain" position, is an obvious feature that distinguishes Guardium from similar products. QRadar, which sits in the field of "security intelligence", integrates the log analysis results, vulnerability status reports, and risk and asset data submitted from the customer's network by SIEM sources, combines them with real-time threat intelligence from the IBM X-Force platform and Watson for Cyber Security, analyzes the customer network's security posture and external threats, detects abnormal behavior and security incidents, and feeds them into the user's emergency response process through the Resilient system. Throughout the process from detection to analysis to response, the various security products are linked, and so is Guardium in the data security class.

[Figure: Bi-directional integration of Guardium and QRadar]

Not only does Guardium push the filtered data-security information to QRadar to help QRadar analyze and make judgments, but after QRadar obtains intelligence, for example after discovering an attack or determining that a data system is the target of one, it acts as a "commander" and orders Guardium to terminate a malicious connection or even isolate the system for a short time, gaining time for later investigation, evidence collection and real-time emergency response. This is the so-called two-way integration: Guardium can interact with QRadar to some extent, not only by reporting information to it, but also by working together with it to take protective actions during response.

Of course, Guardium's integration with SIEM or SOC platforms is not limited to QRadar. Products such as HP's ArcSight, and the SIEM and SOC platforms used by some domestic customers, can be integrated with Guardium as long as they use a protocol format that conforms to a common communication standard, such as the LEEF format (Log Event Extended Format), so that they can fully exercise their capabilities in the data security field.
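The exchange described above, a data activity monitor forwarding only its filtered, policy-relevant events to a SIEM in LEEF format, as an added example that is not Guardium or QRadar code. LEEF 1.0 records are a pipe-separated header (`LEEF:1.0|Vendor|Product|Version|EventID|`) followed by tab-separated `key=value` attributes; the vendor and product names, attribute keys, severity scheme and the activity records below are constructed for illustration, not a published product key set.

```python
"""Build and parse LEEF 1.0 events for forwarding database-activity alerts to a SIEM.

Added example, not Guardium or QRadar code. Vendor/product names, attribute
keys and the sample records are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed severity scheme used to decide what is worth forwarding.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class LeefEvent:
    vendor: str
    product: str
    version: str
    event_id: str
    attributes: dict = field(default_factory=dict)


def _clean_header(value) -> str:
    """Pipes are structural in the LEEF header, so they must not appear in header fields."""
    return str(value).replace("|", "/")


def _clean_attr(value) -> str:
    """Tabs separate attributes and newlines end syslog records; neutralize both in values."""
    return str(value).replace("\t", " ").replace("\n", " ")


def build_leef(event: LeefEvent) -> str:
    """Serialize one event as a LEEF 1.0 line (the part that follows a syslog header)."""
    header = "|".join(["LEEF:1.0", _clean_header(event.vendor), _clean_header(event.product),
                       _clean_header(event.version), _clean_header(event.event_id)])
    attrs = "\t".join(f"{k}={_clean_attr(v)}" for k, v in event.attributes.items())
    return f"{header}|{attrs}"


def parse_leef(line: str) -> LeefEvent:
    """Parse a LEEF 1.0 line back into an event; rejects malformed headers and attributes."""
    if not line.startswith("LEEF:1.0|"):
        raise ValueError("not a LEEF 1.0 record")
    # maxsplit=5 keeps any '|' inside attribute values intact.
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    _, vendor, product, version, event_id, attr_blob = parts
    attrs = {}
    for pair in attr_blob.split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return LeefEvent(vendor, product, version, event_id, attrs)


# Constructed database-activity records, as a host-level probe might capture them.
CONSTRUCTED_RECORDS = [
    {"event_id": "Access", "db_user": "app_ro", "client_ip": "10.0.1.20", "severity": "low",
     "sql": "SELECT id, status FROM sales.orders WHERE id = 42"},
    {"event_id": "BulkExport", "db_user": "app_ro", "client_ip": "10.0.1.20", "severity": "medium",
     "sql": "SELECT * FROM sales.customers"},
    {"event_id": "PrivilegedDDL", "db_user": "dba_li", "client_ip": "203.0.113.7", "severity": "high",
     "sql": "ALTER TABLE sales.customers DROP COLUMN card_number"},
]


def records_to_leef(records, min_severity="medium"):
    """Convert captured records to LEEF lines, forwarding only those at or above min_severity.

    This is the 'filtered' push described in the text: the SIEM receives security-relevant
    events rather than every statement the probe saw.
    """
    lines = []
    for rec in records:
        if SEVERITY_RANK[rec["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        event = LeefEvent(
            vendor="ExampleVendor", product="DbActivityMonitor", version="1.0",
            event_id=rec["event_id"],
            attributes={"usrName": rec["db_user"], "src": rec["client_ip"],
                        "sev": str(SEVERITY_RANK[rec["severity"]]), "sql": rec["sql"]},
        )
        lines.append(build_leef(event))
    return lines


if __name__ == "__main__":
    for line in records_to_leef(CONSTRUCTED_RECORDS):
        print(line.replace("\t", " | "))
        print(parse_leef(line))
```

In a real deployment each line would be prefixed with a syslog header and sent over TCP or TLS to the SIEM collector; the parser side is what a receiving platform or a test harness uses to confirm that values containing tabs or pipes survive the round trip.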

Data security analysis

Guardium was originally designed to monitor the database, including the automated compliance with mainstream industry standards mentioned earlier; in other words, it did not put much emphasis on looking at things from a security perspective. Today, IBM's "safe immune system" pays more attention to solving problems from the perspective of "security". How to lift the underlying technical data to the business level, find regular patterns in it, and finally apply them to security is therefore the goal of Guardium's data security analysis.

[Figure: Data security analysis]

For example, along the time dimension a customer's database access is regular, because the customer's business hours are regular, and Guardium's first job is to find that pattern. Guardium has built a machine learning engine into its system that can draw a data access "baseline" from the history of your access activity, and then use that baseline to judge later access activity against it.
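A worked illustration of that baseline idea, and of the "who, when, which data resource, from where" coverage the probe section asked for, as an added example that is neither Guardium's engine nor its data model. It learns, per database user, the hours of day, source addresses and (object, operation) pairs seen in historical access records, then reports how a new access deviates from that profile; the history and events are constructed, and the one-hour tolerance and the minimum history size are arbitrary parameters chosen here, not anything the article specifies.

```python
"""Per-user access baseline from historical database activity, with deviation scoring.

Added example, not Guardium's machine learning engine. Records are constructed
tuples: (db_user, ISO timestamp, source, object, operation). A source of "local"
stands for a session on the database host itself, which a host-level probe sees
alongside network sessions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: app_svc works office hours from one application host,
# dba_li runs read-only checks from a local session, intern_zh has little history.
HISTORY = [
    ("app_svc", "2025-01-06T09:12:00", "10.0.1.20", "sales.orders", "SELECT"),
    ("app_svc", "2025-01-06T10:40:00", "10.0.1.20", "sales.orders", "SELECT"),
    ("app_svc", "2025-01-07T11:05:00", "10.0.1.20", "sales.customers", "SELECT"),
    ("app_svc", "2025-01-07T13:30:00", "10.0.1.20", "sales.orders", "SELECT"),
    ("app_svc", "2025-01-08T14:15:00", "10.0.1.20", "sales.orders", "SELECT"),
    ("app_svc", "2025-01-08T15:50:00", "10.0.1.20", "sales.customers", "SELECT"),
    ("app_svc", "2025-01-09T16:20:00", "10.0.1.20", "sales.orders", "SELECT"),
    ("app_svc", "2025-01-09T17:45:00", "10.0.1.20", "sales.orders", "SELECT"),
    ("dba_li", "2025-01-06T10:00:00", "local", "pg_catalog", "SELECT"),
    ("dba_li", "2025-01-07T11:00:00", "local", "sales.orders", "SELECT"),
    ("dba_li", "2025-01-08T14:00:00", "local", "pg_catalog", "SELECT"),
    ("dba_li", "2025-01-09T15:00:00", "local", "sales.customers", "SELECT"),
    ("dba_li", "2025-01-10T16:00:00", "local", "pg_catalog", "SELECT"),
    ("intern_zh", "2025-01-09T10:00:00", "10.0.1.33", "sales.orders", "SELECT"),
    ("intern_zh", "2025-01-10T10:30:00", "10.0.1.33", "sales.orders", "SELECT"),
]


def build_baseline(history):
    """Profile each user: hours of day, source addresses, (object, op) pairs, record count."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set(), "objects": set(), "count": 0})
    for user, ts, src, obj, op in history:
        profile = baseline[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["sources"].add(src)
        profile["objects"].add((obj, op))
        profile["count"] += 1
    return dict(baseline)


def _hour_in_window(hour, seen_hours, tolerance=1):
    """True if some historical hour lies within +/- tolerance, wrapping around midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in seen_hours)


def score_event(baseline, event, min_history=5):
    """Return the list of ways an event deviates from its user's baseline (empty = normal).

    Users with no history or too little history are reported as such rather than
    scored, so a cold-start account is not silently treated as normal.
    """
    user, ts, src, obj, op = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown_user"]
    if profile["count"] < min_history:
        return ["insufficient_baseline"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not _hour_in_window(hour, profile["hours"]):
        reasons.append(f"unusual_hour:{hour:02d}")
    if src not in profile["sources"]:
        reasons.append(f"new_source:{src}")
    if (obj, op) not in profile["objects"]:
        reasons.append(f"new_object:{op} {obj}")
    return reasons


def triage(baseline, events):
    """Pair each deviating event with its reasons; normal events are dropped."""
    flagged = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    new_events = [
        ("app_svc", "2025-01-16T14:05:00", "10.0.1.20", "sales.orders", "SELECT"),
        ("app_svc", "2025-01-16T03:10:00", "203.0.113.7", "sales.customers", "SELECT"),
        ("dba_li", "2025-01-16T15:00:00", "local", "sales.customers", "DELETE"),
    ]
    for event, reasons in triage(base, new_events):
        print(event, "->", reasons)
```

The deviation reasons are what a SOC analyst would want attached to the alert: a service account reading the customer table at 03:10 from an address it has never used before is a different investigation from a DBA issuing a DELETE from the usual local session.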

Looking back at China's data security market, some domestic vendors focused on this sub-field have developed rapidly in recent years. Whether on premises or in the cloud, market demand for data security has always been strong, but the variety of customer database types and operating systems has set many technical "hurdles" for these domestic vendors. At the same time, they cannot establish communication and cooperation mechanisms with the international mainstream database vendors, and deep compatibility with the various database products is hard to achieve, which is also an urgent problem for these data security vendors.

IBM, on the other hand, in addition to maintaining and expanding its accumulated advantages in technology and resources, faces the question of whether it can make its security products more "approachable", become more accustomed to listening to Chinese customers, and adapt the details of its security products to the habits of Chinese users. I think this will never be easy, especially for a global "giant" like IBM. But it is worth looking forward to.
