Administration and Performance Presentation

The document outlines the administration and performance management of IBM Guardium, focusing on data management, patching, enterprise-level reporting, and self-monitoring. It details configuration settings, archiving strategies, scheduled jobs, and monitoring processes for appliance health and configuration changes. Additionally, it emphasizes the importance of alerts and supportability features for effective management of Guardium appliances.


IBM Guardium

Administration and Performance


2021 Master Skills University


Security Expert Labs
Vinay Vijayadharan
Agenda

• Data Management
• Patching
• Enterprise Level Reporting
• Self Monitoring

IBM Security / © IBM Corporation 2021


Administration of Guardium

What should be configured?

• Import/Export
• Archiving and Backup
• Purging and retention period
• Enterprise level reporting
• Self monitoring alerts

Guardium Administrators Responsibilities Guide: https://www.ibm.com/support/pages/ibm-security-guardium-administrator-responsibilities-guide

What should be monitored?


• Appliance health
• Unit utilization
• Sniffer performance
• Agent health
• Running/ scheduled processes
• Patching
• Configuration changes

Data management
Scheduling
• Daily exports on the collectors
• Daily imports on the aggregators
• Daily archives on the collectors
• Daily archives on the aggregators - optional
• Results archives/Results export - optional
• Weekly configuration backup on central manager
• Monthly system backup on all appliances

Data management
Archiving on the collectors vs aggregators
• Archiving on the collectors:
• Incremental daily information for both static and dynamic data.
• Static data is archived in full during the archive on the 1st of each month.
• To restore data for a specific day: restore the data for all days of that month up to and including the target day.

• Archiving on the aggregators:
• Incremental daily information for dynamic data.
• Static data is archived in full daily.
• To restore data for a specific day: restore the data for the target day only.
• store archive_table_by_date – changes an aggregator's archive behavior to that of a collector (incremental daily archive, with a full static archive only on the 1st of the month).
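The restore rule above decides how many archive files an administrator has to pull back from long-term storage. The following helper, an added example that is not part of the presentation, computes the list of archive dates to restore for a target day; it assumes one archive file per day and that file names map one-to-one onto archive dates.

```python
from datetime import date, timedelta

# Added example (not from the presentation): which daily archives must be
# restored so that one target day is complete, following the collector vs
# aggregator archive behaviour described on the slide.


def archives_to_restore(target: date, unit_type: str,
                        archive_table_by_date: bool = False) -> list:
    """Return the archive dates (ISO strings) to restore for `target`.

    unit_type: "collector" or "aggregator".
    archive_table_by_date: True when `store archive_table_by_date` has switched an
    aggregator to collector-style archiving (incremental daily, full static on the 1st).
    """
    if unit_type not in ("collector", "aggregator"):
        raise ValueError(f"unknown unit type: {unit_type}")

    collector_style = unit_type == "collector" or archive_table_by_date
    if not collector_style:
        # Aggregator default: static data is archived in full every day, so the
        # target day's single archive is self-contained.
        return [target.isoformat()]

    # Collector style: static data is archived in full only on the 1st of the
    # month and every other day is incremental, so restore from the 1st up to
    # and including the target day.
    first_of_month = target.replace(day=1)
    days = (target - first_of_month).days + 1
    return [(first_of_month + timedelta(days=i)).isoformat() for i in range(days)]


if __name__ == "__main__":
    # Constructed sample: restoring 4 March on each appliance type.
    for unit in ("collector", "aggregator"):
        print(unit, archives_to_restore(date(2021, 3, 4), unit))
```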

Data management
Archiving on the collectors vs aggregators
• Archiving on the collectors:
• Archives data from the [golden] source
• Uses less long-term storage
• Multiple files must be restored to recover the data for a specific date
• A collector's archive file can be restored directly into an aggregator
• Archiving on the aggregators:
• Archives data on the target – make sure all imports are complete before the archive runs, to avoid missing data in the archive
• Uses more long-term storage (static data is included every day)
• Faster restore – only one file needs to be restored for a specific date
• Restoring archive files from an older version into a newer-version appliance is supported for both collector and aggregator archive files.
• Restoring an archive file into a different or newly built appliance is supported as long as the "shared secret" used to archive on the original appliance is in the history of the target appliance.

Data management
Scheduling

• Create configuration profiles on CM then distribute

Data management
Scheduling
• Scheduled Jobs (Manage > Reports > Activity Monitoring > Scheduled Jobs)
• Provides the list of scheduled jobs on the Guardium appliance
• Setting a remote source on the CM displays the list of scheduled jobs on a managed appliance
• The distributed report makes the data from all managed units available on the CM

Data management
Scheduling

• Scheduled Jobs Exceptions (Manage > Maintenance > General > Scheduled Jobs Exceptions)
• Lists errors encountered during execution of scheduled jobs
• May indicate a need to re-schedule jobs to avoid scheduling clashes
• Some jobs may need to be re-run manually after the problem is corrected
• The distributed report makes the data from all managed units available on the CM

Patching

• Guardium appliance patches are available for download from IBM Fix Central
• store system patch install
• USAGE: store system patch install <type> <date> <time>,
where
<type> is the installation type: sys, scp, ftp, or cd and
<date> and <time> is the patch installation request time.
<date> is formatted as YYYY-mm-dd and
<time> is formatted as hh:mm:ss
If you do not enter date and time or enter "now", the installation request time is NOW.

• When using the "sys" option to install a patch, the patch must first be uploaded to the Guardium appliance via fileserver
• USAGE: fileserver [ip_address] [duration]
This command limits access to just the machine issuing the call, or to the supplied IP address,
where duration is the time in seconds, range 60 (minimum) to 3600 (maximum)
• In federated environments, patches are uploaded to the CM via the CLI, then distributed to the managed appliances via the CM GUI
• Subscribe to IBM My Notifications to be notified of new patches

Enterprise level reporting

• Enterprise S-TAP View (Manage > System View > Enterprise S-TAP View)
• Gathers and displays S-TAP status from all Guardium collectors
• Requires scheduling the S-TAP Info custom table upload via the Custom Table Builder

Enterprise level reporting
• Enterprise STAP View report (continued)

• Detailed Enterprise STAP View

Enterprise level reporting
• Enterprise Buffer Usage Monitor (Manage > Reports > Unit Utilization > Enterprise Buffer Usage Monitor)
• Gathers buffer usage information from all Guardium appliances
• Requires scheduling the CM Buffer Usage Monitor custom table upload
• Datasource Name indicates which appliance the record was extracted from

Enterprise level reporting
• Unit Utilization (Manage > Unit Utilization > Unit Utilization)
• Processes data from the CM Buffer Usage Monitor custom table to assess the unit utilization of Guardium appliances
• Requires scheduling the CM Buffer Usage Monitor custom table upload
• Requires scheduling the Unit Utilization Levels job (Manage > Unit Utilization > Unit Utilization Levels)

Enterprise level reporting
• Unit Utilization (continued)
• Supports drill-down to retrieve Unit Utilization details

Enterprise level reporting
• Unit Utilization details (Manage > Unit Utilization > Unit Utilization details)
• Requires Guardium appliance hostname as input
• Designed to fetch information for one Guardium appliance at a time
• Lists various parameters used to calculate the Overall Unit Utilization Level
• Each parameter has a value and a corresponding level associated with it

Enterprise level reporting
• Utilization Thresholds (Manage > Unit Utilization > Utilization Thresholds)
• Lists all parameters used in calculation of Overall Unit Utilization Levels
• Threshold 1 corresponds to Medium, and Threshold 2 corresponds to High
• Thresholds are configurable via grdapi commands

Enterprise level reporting
• Deployment Health Table – Guardium systems tab (Manage > System View > Deployment Health Table)
• Lists the Overall Status of Guardium appliances
• Is Java based (cannot be modified)
• The S-TAPs tab was introduced in appliance version 11.3

Enterprise level reporting
• Deployment Health Table – S-TAPs tab (Manage > System View > Deployment Health Table)
• Lists the Overall Status of S-TAPs, data streams, and universal connectors
• Is Java based (cannot be modified)
• Only available in appliance version 11.3 and higher

Enterprise level reporting
• Deployment Health Topology (Manage > System View > Deployment Health Topology)
• Interactive visual representation of the Guardium infrastructure
• Is Java based (cannot be modified)

Enterprise level reporting
• Deployment Health Dashboard (Manage > System View > Deployment Health Dashboard)

Enterprise level reporting
• Deployment Health Dashboard (continued)
• Can be set to auto-refresh every 5 minutes

Enterprise level reporting
• S-TAP and GIM Dashboard (Manage > System View > S-TAP and GIM Dashboard)
• Lists key statistics regarding S-TAP and GIM agents
• Is Java based (cannot be modified)
• Only available in appliance version 11.3 and higher

Enterprise level reporting
• S-TAP and GIM Dashboard (continued)
• Can be used to toggle traffic related stats and edit traffic ignore lists

Enterprise level reporting
• System Monitor (Manage > System View > System Monitor)
• Available on all Guardium appliances
• Reports can be re-sized but not added/deleted

Enterprise level reporting
• Missing DB User Dashboard (needs to be imported on Central Manager)
• Useful when investigating missing DB Users
• Instructional video - https://ibm.biz/Bdfbnq

Self monitoring
• Monitor Guardium appliance availability through SNMP polling.
• Monitor that S-TAP is up and running at all times
  • Inactive S-TAP alert
• Monitor that the collector is healthy and is logging activity
  • Sniffer restart
  • Flat log
  • Disk space and database space
  • Enterprise no-traffic alert
• Monitor that data management processes are running and successful
  • Aggregation / archive alerts
• Monitor that scheduled processes (group population, policy installation, etc.) are running and successful
  • Scheduled job exceptions
• Ensure configuration changes are restricted and monitored
  • S-TAP/IE configuration changes
  • Policy changes
  • Group changes / content of the groups

Self monitoring
Threshold alerting

• Make sure both the Alerter and Anomaly Detection are configured.

• The polling interval should not exceed the smallest Run Frequency among the configured alerts.

Self monitoring
Threshold alerting
• Threshold alerts are based on queries, and these queries must contain at least one date field (timestamp)
• Run Frequency is how often the query is run
• Accumulation Interval is how far back the query looks
• Notification Frequency is how often the receivers are notified
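The two threshold-alerting slides above state a handful of rules that are easy to get wrong when many alerts are defined: both the Alerter and Anomaly Detection must be configured, the polling interval must not exceed the smallest Run Frequency, and each alert query needs a date field. The check below is an added example, not code from the presentation; the alert names, column names and interval values are constructed sample data, and the accumulation-versus-run-frequency check is an extra rule assumed here rather than stated on the slides.

```python
from dataclasses import dataclass

# Added example (not from the presentation): a pre-flight check of a
# threshold-alerting configuration against the rules stated on the slides.


@dataclass
class ThresholdAlert:
    name: str
    query_fields: list              # columns returned by the alert's query
    run_frequency_min: int          # how often the query runs
    accumulation_interval_min: int  # how far back the query looks
    notification_frequency_min: int # how often receivers are notified


# Assumed names of date-typed columns in the alert queries.
DATE_FIELDS = {"Timestamp", "Period Start", "Period End"}


def check_alerting_config(alerter_enabled: bool, anomaly_detection_enabled: bool,
                          polling_interval_min: int, alerts: list) -> list:
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    if not alerter_enabled:
        problems.append("Alerter is not configured; alert messages will not be sent")
    if not anomaly_detection_enabled:
        problems.append("Anomaly Detection is not configured; threshold alerts will not run")
    if alerts:
        smallest = min(a.run_frequency_min for a in alerts)
        if polling_interval_min > smallest:
            problems.append(f"polling interval {polling_interval_min} min exceeds "
                            f"smallest run frequency {smallest} min")
    for a in alerts:
        if not DATE_FIELDS.intersection(a.query_fields):
            problems.append(f"alert '{a.name}': query has no date/timestamp field")
        # Assumed extra rule: looking back less than the gap between runs leaves
        # events between two runs unexamined.
        if a.accumulation_interval_min < a.run_frequency_min:
            problems.append(f"alert '{a.name}': accumulation interval is shorter "
                            f"than run frequency")
    return problems


# Constructed sample alerts: the first is well formed, the second has two faults.
SAMPLE_ALERTS = [
    ThresholdAlert("Inactive S-TAP", ["S-TAP Host", "Timestamp"], 60, 60, 60),
    ThresholdAlert("Sniffer restart", ["Host", "Count"], 30, 15, 60),
]

if __name__ == "__main__":
    for p in check_alerting_config(True, True, 45, SAMPLE_ALERTS):
        print("PROBLEM:", p)
```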

Self monitoring
Threshold alerting
• Example: Inactive S-TAP alert
• Use case: an inactive S-TAP alert identifies the scenario where an S-TAP can no longer communicate with the collector (the S-TAP was active but has been stopped; the necessary port was open but is no longer open, etc.).

Self monitoring
Solution supportability

• The appliance UI notifies the user when new patches are available, comparing them against the patches currently installed on the appliance.
• Ability to manage the different must-gather and S-TAP diagnostics from the appliance.
• A variety of CLI support provides additional visibility into appliance performance, configuration, the MySQL DB and the file system, and allows tuning actions to be performed.
• Guardium administration guide maintained by support:
http://www-01.ibm.com/support/docview.wss?uid=swg21700685&aid=1

Thank you
