Thursday, April 3, 2014

Guardium Overview

Yet another system summary I did for management (I've been pumping them out like jelly beans lately).

Guardium is a database activity monitoring tool that (in theory) captures 100% of the queries sent to a database it is installed on, as opposed to sampling and capturing only a percentage of queries the way most other monitoring tools do. As with LogRhythm, the easiest way to get a picture of Guardium is to follow a query as it travels through the product and look at how the resulting data gets used.

Guardium uses agents (called S-TAP agents) that get installed on the database server. The agent sits on the box itself, outside of SQL Server (or whatever other database is running there), and observes queries as they are sent to the database; it only observes and does not block any queries. As a query comes onto the box, the agent takes a copy of it and the original is passed on to the database untouched.

Once the agent has the copy, it immediately forwards it to the collector. The collector evaluates the policy against the query, which determines what, if anything, should be logged for that query. Logging is limited to information contained in the query itself, since Guardium has no insight into what happens inside the database once the query is executed. The collector can then choose to forward the query on to the aggregator, which is a feature we aren't really using right now.

Common things Guardium watches for are privileged user IDs, access to restricted tables, select *'s, and so on. Once information about a query has been logged, it is possible to run reports against it.

Reports are essentially queries written against the data Guardium has logged (who accessed which restricted tables, who ran a select *, etc.).
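To make the collector-policy-report chain concrete, here is an added toy version of it in Python. It is not Guardium code and it does not use the product's real rule syntax; the rule names (privileged_user, restricted_table, select_star), the table list, the Capture/LogRecord fields and the sample queries are all constructed for illustration. The point it shows is the one made above: the policy decides which captured queries get logged at all, the log record only ever contains what was visible in the query (user, source, SQL text), and a "report" is just a query over those records.

```python
"""Toy Guardium-style collector: policy -> log -> report.

Added example, not from the original post or from IBM Guardium.
All rule names, tables, users and queries below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed policy settings (a real policy would be configured in the product).
PRIVILEGED_USERS = {"sa", "dbo_admin"}
RESTRICTED_TABLES = {"dbo.salaries", "dbo.cardnumbers"}  # compared lower-cased


@dataclass
class Capture:
    """What the agent hands the collector: only what is visible on the wire."""
    db_user: str
    client_ip: str
    sql: str


@dataclass
class LogRecord:
    """What the collector keeps. Note there is no row count or result data:
    nothing here comes from inside the database, only from the query itself."""
    db_user: str
    client_ip: str
    sql: str
    reasons: list  # the policy rules that caused this query to be logged


SELECT_STAR = re.compile(r"\bselect\s+\*", re.IGNORECASE)
# Toy table extractor: identifier after FROM/JOIN/INTO/UPDATE. Good enough for the
# sample queries; a real product parses SQL properly instead of regexing it.
TABLE_REF = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def referenced_tables(sql):
    """Lower-cased set of table names the query mentions."""
    return {m.group(1).lower() for m in TABLE_REF.finditer(sql)}


def evaluate_policy(cap):
    """Return the rule names that match; an empty list means 'do not log'."""
    reasons = []
    if cap.db_user.lower() in PRIVILEGED_USERS:
        reasons.append("privileged_user")
    if referenced_tables(cap.sql) & RESTRICTED_TABLES:
        reasons.append("restricted_table")
    if SELECT_STAR.search(cap.sql):
        reasons.append("select_star")
    return reasons


class Collector:
    def __init__(self):
        self.log = []

    def ingest(self, cap):
        """Run the policy; log the query only if at least one rule fired."""
        reasons = evaluate_policy(cap)
        if reasons:
            self.log.append(LogRecord(cap.db_user, cap.client_ip, cap.sql, reasons))
        return reasons


# Reports are just queries over the collector's log.
def report_select_star(log):
    """Who ran a select *: list of (user, sql)."""
    return [(r.db_user, r.sql) for r in log if "select_star" in r.reasons]


def report_restricted_access(log):
    """Who touched which restricted tables: {user: {table, ...}}."""
    out = {}
    for r in log:
        if "restricted_table" in r.reasons:
            out.setdefault(r.db_user, set()).update(referenced_tables(r.sql) & RESTRICTED_TABLES)
    return out


def run_demo():
    """Feed constructed captures through the collector and return it."""
    captures = [  # constructed sample traffic
        Capture("app_user", "10.0.0.5", "SELECT id, name FROM dbo.Customers WHERE id = 7"),
        Capture("sa", "10.0.0.9", "SELECT * FROM dbo.Customers"),
        Capture("report_user", "10.0.0.12",
                "SELECT * FROM dbo.Salaries s JOIN dbo.Employees e ON e.id = s.emp_id"),
        Capture("app_user", "10.0.0.5", "UPDATE dbo.CardNumbers SET pan = 'x' WHERE id = 1"),
    ]
    collector = Collector()
    for cap in captures:
        collector.ingest(cap)
    return collector


if __name__ == "__main__":
    c = run_demo()
    for rec in c.log:
        print(rec.db_user, rec.client_ip, rec.reasons, rec.sql)
    print("select * report:", report_select_star(c.log))
    print("restricted access report:", report_restricted_access(c.log))
```

The first capture (an ordinary application query) never reaches the log, which is exactly the "what, if any, logging" decision the policy makes; the other three are logged with the rules that fired, and the two report functions only ever see those logged records.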

These reports can be scheduled as an Audit Process (also called a workflow, for simplicity). An audit process is assigned to a specific user and generates its reports on a schedule. When a report is generated, that user is notified and has to log into Guardium to sign off on it, verifying that they have seen the results and are not concerned about them.

In some ways Guardium is a SIEM for database queries, but without correlation across sources. It is mostly useful for reports and alerts.