GBDI 4.1

GBDI Analytic Engines

There are four Analytics Engines (a.k.a. SAGEs) within GBDI:

  • The Noise Canceling Engine

  • The Profiling Engine

  • The Machine Learning Engine

  • The Trusted Connections Engine

There are six additional Analytics Services within GBDI:

  • The Security 360 service including both DB 360 and VA 360

  • The GDPR Scanning service

  • The Risk Management service

  • The Workflow service

  • The Integrity service

  • The Syslog service

All Analytics Engines and Services make use of GBDI's ability to run complex data analysis on large amounts of data in a short time. Each engine/service can be enabled separately. Each of the engines has a slightly different purpose and uses slightly different algorithms:

  • The Noise Canceling Engine uses reduce algorithms to compute signatures that summarize verbose data generated by DAM systems and enables SIEM and other downstream systems to receive and inspect highly optimized data sets tuned for information density and size, making the data more usable and less expensive to manage.

  • The Profiling Engine inspects connection information and creates a profile used for identifying new connections and for implementing trusted connection profiling as a built-in feature of GBDI. The profiling engine also looks at moving averages and alerts you to large percentage deltas. You can enable moving average analytics for sessions, exceptions, violations, queries and full SQL records. These analytics can help you discover when certain traffic suddenly drops significantly and/or when a policy change is causing too many records to be captured by Guardium. Moving average analytics run once a day and look back 35 days. Only the same day of the week is used; e.g. if today is a Wednesday, then today is compared with an average derived from the last five Wednesdays. The session moving average analytics also alert you when a certain traffic pattern has stopped completely (e.g. some KTAP driver stopped collecting data). The session alert also includes the collector from which this traffic was last heard, the other collectors from which data arrived, and whether there are any inactive STAPs on this collector. All moving average analytics results are delivered via email. Finally, the profiling engine also performs analysis of captured sessions to alert you when data should be captured but is not.

  • The Machine Learning Engine applies advanced analytic and machine learning techniques to identify outliers and anomalous behavior that can be inspected without viewing detailed raw data.

  • The Trusted Connections Engine allows you to categorize connections as trusted or not using workflow (usually to the app owner) and then build a machine learning model that can further classify new incoming connections.

  • The DB 360 service takes different data sets such as audit data, vulnerability assessment (VA) data and classification data and creates a single holistic view of each database in terms of how protected and compliant it is.

  • The VA 360 service takes data from multiple VA scanners and merges them into a single view of vulnerabilities, risk and aging data.

  • The GDPR Scanning service allows you to look for private data in the various feeds coming from Guardium. Specifically, you can look at the full SQL data set, the policy violation data set and the classifier data set, all of which can easily contain private information. You can then search for names, addresses, IP addresses, phone numbers, or any regular expression or value set that you upload into GBDI. Searches can be precise or fuzzy. Outputs can be sent or recorded for further review, either with the values seen to be private or only with the IDs of the original data set. You can also use the GDPR engine on foreign data sets, i.e. feed data into GBDI through any mechanism and use the GDPR engine on that data set.

  • The Integrity service can be used to upload hashes of the data to the jSonar cloud. There is no sensitive data in the hashes and they can only be used for verification that the data has not been tampered with.

  • The Risk Management Service allows you to route discovered vulnerabilities and scans that uncover sensitive data to the owner for remediation or for marking an exception/false positive.
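The same-weekday moving average described for the Profiling Engine can be sketched as follows. This is an added example, not GBDI code: the 50% threshold, the function names and the daily session counts are assumptions constructed for illustration, and the all-days baseline is included only to show why the weekday restriction matters.

```python
from datetime import date, timedelta

LOOKBACK_DAYS = 35          # from the page: analytics look back 35 days
DELTA_THRESHOLD_PCT = 50.0  # assumption: the page gives no threshold value

def same_weekday_baseline(counts, today):
    """Average count over the same weekday inside the lookback window."""
    # Stepping back 7, 14, ..., 35 days yields the last five matching weekdays.
    days = [today - timedelta(days=d) for d in range(7, LOOKBACK_DAYS + 1, 7)]
    samples = [counts[d] for d in days if d in counts]
    return sum(samples) / len(samples) if samples else None

def all_days_baseline(counts, today):
    """Naive contrast: average over every day in the window."""
    days = [today - timedelta(days=d) for d in range(1, LOOKBACK_DAYS + 1)]
    samples = [counts[d] for d in days if d in counts]
    return sum(samples) / len(samples) if samples else None

def evaluate(counts, today, baseline_fn=same_weekday_baseline):
    """Return (status, percent_delta) for today's count against the baseline."""
    baseline = baseline_fn(counts, today)
    if not baseline:
        return ("no_baseline", None)
    current = counts.get(today, 0)
    delta_pct = (current - baseline) * 100.0 / baseline
    if current == 0:
        return ("stopped", delta_pct)   # traffic pattern stopped completely
    if abs(delta_pct) >= DELTA_THRESHOLD_PCT:
        return ("spike" if delta_pct > 0 else "drop", delta_pct)
    return ("ok", delta_pct)

def constructed_history(today, todays_count):
    """Constructed sample data: 1000 sessions on weekdays, 200 on weekends."""
    counts = {}
    for d in range(1, LOOKBACK_DAYS + 1):
        day = today - timedelta(days=d)
        counts[day] = 200 if day.weekday() >= 5 else 1000
    counts[today] = todays_count
    return counts

if __name__ == "__main__":
    wednesday, saturday = date(2024, 1, 10), date(2024, 1, 13)
    for label, day, n in [("normal Wednesday", wednesday, 950),
                          ("Wednesday drop", wednesday, 300),
                          ("collection stopped", wednesday, 0),
                          ("normal Saturday", saturday, 200)]:
        print(label, evaluate(constructed_history(day, n), day))
    # The naive baseline misreads an ordinary weekend as a drop.
    print("naive Saturday", evaluate(constructed_history(saturday, 200),
                                     saturday, all_days_baseline))
```

With the constructed data, an ordinary Saturday is reported as a drop by the all-days baseline but as normal by the same-weekday baseline.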