Baselines

Baseline Overview

A baseline is a profile of access commands executed in the past, helping to identify normal activity and anomalous behavior. The Baseline Builder generates a baseline by examining activity previously logged and currently available, on the Guardium appliance.

When included in a security policy, the baseline becomes a baseline rule, which allows all database access that has been included in the baseline.  

A baseline rule in a policy has the following characteristics:

The Policy Builder can generate suggested policy rules from the baseline. The suggested rules can be edited and included in the policy ahead of the baseline rule, so that alternative actions (alerts, for example) can be taken for some commands that were seen in the baseline period. In addition, an examination of the suggested rules provides valuable insight into the actual traffic patterns observed (types of commands and frequency). Suggested rules are described in more detail below.

The Baseline Builder provides the ability to control what gets included in the baseline, in several ways:

About Baseline Sensitivity

Baseline sensitivity can be based on any combination of the following (each will be described in more detail, later):

Baseline sensitivity depends on a specified threshold, which defines the minimum number of times a command must be observed during the baseline period in order to include that command in the baseline.

With no sensitivity selected, each command that exceeds the threshold will be included in the baseline.

If a single type of sensitivity is selected, a separate count of each command will be maintained for each value of the sensitivity type (database user, for example).

If multiple types of sensitivity are selected, separate counts of each command are maintained for each combination of values for each selected type (for each combination of database user and source program, for example). Thus for each type of sensitivity included, the number of combinations can increase dramatically.

About Sequence Sensitivity

If the baseline is sensitive to command sequence, then when included in a policy the baseline rule will allow only the sequences of commands observed during the baseline period. To illustrate with a very simple example: if the only two sequences of commands observed in the baseline period are A-B and B-C, the following table illustrates which sequences of commands would be allowed by that baseline rule.

Command Sequence     Allowed
A - B                Y
A - anything else    N
B - C                Y
B - anything else    N
Anything but A       N

About Time Period Sensitivity

When the baseline is sensitive to the time period, separate counts are maintained for each time period defined. If overlapping time periods are defined (which is a normal situation), a command will be counted only once, in the most restrictive time period during which it occurs. If the time period is non-contiguous (for example, from 00:00 to 08:00 each day of the week), only one contiguous segment of the time period is considered (eight hours in the example).

To illustrate how the Baseline Builder assigns requests to time periods, assume that Saturday is included in three time periods:

Since the time period named Saturday is the most restrictive (24 hours only), all requests time-stamped on Saturday will be counted in that time period, and not in the more inclusive Week End or 7x24 time periods.

About Baselines in Aggregation and Central Manager Environments

If there are multiple Guardium appliances in an Aggregation and/or Central Manager environment, there is a single important point to keep in mind when generating and using baselines:

Baselines are generated using only the data currently available on the appliance that is generating the baseline.

This means that:

About Suggested Rules

When a baseline is included in a policy, the Policy Builder can generate suggested rules from the baseline. It will generate the minimum number of rules necessary to represent everything that is included in the baseline. You can then accept any or all of the suggested rules, and modify the accepted ones as necessary. In addition to being a convenient way to generate an explicit policy (rather than an implicit policy based on a baseline only), this is an important step in validating that a baseline does not include malicious or erroneous activity that may have occurred during the baseline period.

You may want to modify the suggested rules if you discover an activity that occurred during the baseline period that you would like to monitor or alert upon in the future. You simply tailor the appropriate rule suggested from the baseline, and assign the desired action. By default, the suggested rules will be positioned before the baseline rule, so that the action specified will be taken before the baseline rule executes to allow that command with no further testing of rules.

Note: The Policy Builder can also generate rules from the database ACL. See Policies for more information.

About Suggested Object Groups

When generating suggested rules from either the baseline or the database ACL (access control), the Policy Builder minimizes the number of suggested rules by creating suggested object groups. For example, assume the baseline includes a particular command that references only three objects: AAA, BBB, and CCC, and that there is not already an object group defined consisting of only those three objects. The Policy Builder will create a suggested object group for those objects, and will generate a single rule for the command, which references the suggested object group.

You can display the membership of a suggested object group, and you have the option of accepting or rejecting each group. In the example just given, if you reject the suggested object group, the single rule that references it will be replaced by three suggested rules (one each for AAA, BBB, and CCC).

Create a Baseline

  1. Navigate to the Baseline Finder:

  2. Click the New button to open the Baseline Builder panel.

  3. Enter a unique baseline name in the Baseline Description box. Do not include apostrophe characters in the baseline description.

  4. In the Baseline Sensitivity pane, mark each element to which the baseline will be sensitive. The more sensitive the baseline, the more complex the testing that will be done, both when creating the baseline and, more importantly, when inspecting traffic. See the Overview above for more information about baseline sensitivity.

  5. In the Baseline Threshold pane, enter the minimum number of occurrences for a command during the baseline period for that command to be included in the baseline. If one or more sensitivity boxes have been marked (see above), this count applies to the combination of sensitive values.

    If the approach you are taking in building your security policy is to always allow the most commonly issued commands from the past, then set this number upwards to the appropriate level. If, on the other hand, you want to ensure that the baseline is comprehensive, then leave this value set to 1. In either case, you can have the Policy Builder suggest rules from the baseline. The suggested rules are sorted in descending order by frequency in the baseline period, so you can decide at that time whether to include or modify rules for each unique command issued.

  6. Use the Baseline Network Information pane to identify the servers and clients to be included in the baseline. The method used to select which IP addresses to use to construct the baseline is the same for servers and clients.

    For each address encountered in the baseline data, membership in an optional tagged group is considered first. A tagged group is a specific list of IP addresses for which baseline constructs will be generated. If a tagged group is selected, and if an IP address encountered in the baseline data is included in the corresponding tagged group, that element will be included in the baseline for that specific IP address. For example, assume that the Tagged Client IP Group named ZoneAGroup has been selected, and that group includes a client address of 192.162.14.33. If the baseline generator encounters the command SELECT abc FROM xyz from that IP address, that command will be counted for that specific address.

    In contrast, if no tagged group is selected, or if an IP address is encountered in the baseline data that is not a member of the selected tagged group, that command may be counted with identical commands from other IP addresses as directed by the corresponding network mask.

    The network mask is required to group both client and server IP addresses.

    You must always:

To illustrate how the baseline builder uses network masks to group addresses, assume that:

When generating the baseline, this command will be included in the count of all SELECT abc FROM xyz commands for all client IP addresses from the 192.168.0.0 subnet.

  7. Click the Save button to validity-check and save the baseline definition. If you have omitted required fields or entered invalid values, the definition will not be saved and you must resolve any problems before attempting to save again.

  8. Optionally click the Roles button to assign roles for the policy. See Assign Security Roles.

  9. Optionally click the Comments button to add comments to the definition. See Commenting.

  10. After a baseline has been saved successfully, the Baseline Generation and Baseline Log panes appear at the bottom of the panel.

  11. Click anywhere on the Baseline Generation pane title to expand the pane.

  12. Supply both From and To dates to define the time period from which the baseline is to be generated. There are a number of ways to enter dates (see Select or Enter a Date). Regardless of how you enter dates, any minutes or seconds specified will be ignored.

  13. Click the Generate button to generate the baseline. If you have modified the baseline definition, you will be prompted to save the definition before generating the baseline.

Note: After you successfully generate the baseline for the first time, additional fields display in the Baseline Generation panel. These fields allow you to merge data from additional time periods into the baseline, and to restrict the client and server IP addresses used during each additional time period. For more information, see Merge Baseline Information, below.
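The following is an added illustration, not Guardium code, of how the sensitivity, threshold, tagged-group and network-mask settings described above combine into baseline constructs and how a baseline rule then decides whether a request is allowed. The log records, the group name ZoneAGroup, and the field names are constructed for the example; sequence and time-period sensitivity are not modelled, and the mask is applied to client addresses only.

```python
import ipaddress
from collections import Counter

# Constructed sample of logged access commands; not real Guardium data.
LOG = [
    {"db_user": "app", "program": "web", "client_ip": "192.162.14.33", "cmd": "SELECT abc FROM xyz"},
    {"db_user": "app", "program": "web", "client_ip": "192.168.1.10", "cmd": "SELECT abc FROM xyz"},
    {"db_user": "app", "program": "web", "client_ip": "192.168.1.11", "cmd": "SELECT abc FROM xyz"},
    {"db_user": "dba", "program": "sqlplus", "client_ip": "192.168.1.12", "cmd": "DROP TABLE xyz"},
]

def client_key(ip, tagged_group, mask):
    """Addresses in the tagged group are counted individually; every other
    address collapses to the subnet selected by the network mask."""
    if ip in tagged_group:
        return ip
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

def construct(rec, sensitivity, tagged_group, mask):
    """Count key: the command plus one value per selected sensitivity type.
    Each extra sensitivity type multiplies the number of distinct keys."""
    values = []
    for field in sensitivity:
        if field == "client_ip":
            values.append(client_key(rec["client_ip"], tagged_group, mask))
        else:
            values.append(rec[field])
    return (rec["cmd"], *values)

def build_baseline(log, sensitivity=(), threshold=1, tagged_group=frozenset(), mask="255.255.255.0"):
    """Keep every construct observed at least `threshold` times in the period."""
    counts = Counter(construct(r, sensitivity, tagged_group, mask) for r in log)
    return {key for key, n in counts.items() if n >= threshold}

def allowed_by_baseline_rule(baseline, rec, sensitivity=(), tagged_group=frozenset(), mask="255.255.255.0"):
    """A baseline rule allows a request only if its construct is in the baseline."""
    return construct(rec, sensitivity, tagged_group, mask) in baseline

if __name__ == "__main__":
    zone_a_group = frozenset({"192.162.14.33"})   # hypothetical tagged client IP group
    base = build_baseline(LOG, ("client_ip",), threshold=2, tagged_group=zone_a_group)
    print(base)   # the tagged address has only one hit, so only the /24 construct survives
    new = {"db_user": "app", "program": "web", "client_ip": "192.168.1.50", "cmd": "SELECT abc FROM xyz"}
    print(allowed_by_baseline_rule(base, new, ("client_ip",), zone_a_group))
```

Raising the threshold or adding sensitivity types shrinks what the baseline rule allows, which is the trade-off step 4 and step 5 describe.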

Merge Baseline Information

To merge baseline information (to include information from additional time periods and/or from different groups of clients and servers, for example):

  1. Navigate to the Baseline Finder:

  2. From the Baseline Definition list, select the baseline into which additional baseline information is to be merged.

  3. Click the Modify button to open the Edit Baseline panel.

  4. Do not modify the Baseline Sensitivity selections. If you modify the baseline sensitivity, you will be prompted to generate a completely new baseline to replace the existing one.

  5. Optional. Set the Minimum number of occurrences for addition to Baseline value in the Baseline Threshold pane. The value entered here has no impact on information previously included in the baseline. Once something has been added to the baseline, it is not removed during a merge operation.

  6. Optional. Enter alternative network information in the Baseline Network Information pane. The values that display are from the last generate or merge operation. If the merged information comes from the same set of servers and/or clients, leave these fields unchanged. Otherwise, make the appropriate changes in this pane to select the traffic to be included in the baseline, as described previously. (See Create a Baseline, above.)

  7. Click anywhere on the Baseline Generation pane title to expand the pane.

  8. Supply both From and To dates to define the time period from which the baseline is to be generated. There are a number of ways to enter dates (see Select or Enter a Date). Regardless of how you enter dates, any minutes or seconds specified will be ignored.

  9. Select the Merge radio button.

  10. Optional. In the Filter Selection pane, limit the baseline generation to specific client and/or server IP addresses by entering an IP address followed by a network mask. For example, to select all client IP addresses from the 192.168.9.x subnet, enter 192.168.9.1 in the first Client IP box, and 255.255.255.0 in the second box. To include additional addresses, click the (Add) button, then enter the additional address information.

  11. Click the Generate button to generate the baseline. If you have modified the baseline definition, you will be prompted to save the definition before generating the baseline.

Modify a Baseline

Caution: Before modifying a baseline definition, be sure that you understand the implications of modifying it, particularly if the baseline whose definition you want to modify and re-generate is used in an installed policy. If you modify and re-generate a baseline contained in an installed policy, when you re-install that policy it will use the new baseline. To provide a fall-back option for baselines used by installed policies, consider instead cloning these baselines and policies, and modifying and generating the cloned definitions. See Clone a Baseline, below, for more information.

  1. Navigate to the Baseline Finder:

  2. From the Baseline Definition list, select the baseline to be modified.

  3. Click the Modify button to open the Edit Baseline panel. Apart from the panel title, this panel is identical to the Add Baseline panel described above. See Create a Baseline, above, for instructions on using this panel.

Clone a Baseline

There are a number of situations where you may want to define a new baseline based on an existing one, without modifying the original definition. See the caution, above.

  1. Navigate to the Baseline Finder:

  2. From the Baseline Definition list, select the baseline to be cloned.

  3. Click the Clone button to open the Clone Baseline panel.

  4. Enter a unique name for the new baseline in the New Baseline Description box. Do not include apostrophe characters in the new baseline description.

  5. To clone the baseline constructs (the commands, basically) that have been generated for the baseline being cloned, mark the Clone Constructs checkbox.

  6. Click the Accept button to save the new baseline. You can then open and edit the new baseline via the Baseline Finder. See Modify a Baseline.

Remove a Baseline

  1. Navigate to the Baseline Finder:

  2. From the Baseline Definition list, select the baseline to be removed.

  3. Click the Remove button. You will be prompted to confirm the action.