More Databases. More Hackers. More Audits

© 2016 Imperva, Inc. All rights reserved. More Databases. More Hackers. More Audits. Terry Ray and Cheryl O’Neill

Upload: imperva

Post on 27-Jan-2017



Page 1: More Databases. More Hackers. More Audits

More Databases. More Hackers. More Audits. Terry Ray and Cheryl O’Neill

Page 2: More Databases. More Hackers. More Audits

Speakers

Terry Ray, Chief Product Strategist

Cheryl O’Neill, Product Marketing Director, Data Security

Page 3: More Databases. More Hackers. More Audits

Who has access to your data and why?

How do you respond to suspicious activity?

Page 4: More Databases. More Hackers. More Audits


Reasons to Invest in Database Audit and Protection

Security and Compliance Factors for Consideration


Page 5: More Databases. More Hackers. More Audits


Database monitoring considerations circa 2014

The normal
• Audit for compliance on critical systems
  – Monitor logins/logouts and failed attempts
  – Monitor privileged activities
• Policies vary by department and database
• Database audit logs consolidated quarterly
• Ad hoc user rights review and management
• Change tickets manually reconciled for audit

The exception
• Monitor for audit and data security
  – All sensitive data
  – All user database activity
• Unified compliance policies and reports
• Alerts integrated with real-time security monitoring process
• User rights review and management automated
• Change ticket verification and reconciliation

Page 6: More Databases. More Hackers. More Audits


Database audit and protection circa 2016

The normal
• Monitor for data security
  – All sensitive data
  – All user database activity
• Unified compliance policies and reports
• Integrate alerts with real-time security monitoring process
• Block suspicious behavior on critical systems
• Automate user rights review and management
• Integrate change management

The exception
• Monitor extended data stores
  – Cloud based databases and SaaS
  – Big Data
• User behavior profile analysis
• Track user role characteristics
• Mask data in non-production systems
• Security database audit analysis
• Centralized data security and incident response

Page 7: More Databases. More Hackers. More Audits

Compliance reports do not protect data

A compliance only focus
1. Inconsistent policy application
2. Audit
   • login, logout, failed attempts
   • Privileged actions
3. Ad hoc user rights review
4. Quarterly compliance reports

[Diagram labels] DBA · Multi-staged attack compromises users · Application exploit compromises applications · Compromised privileged access via apps and direct database root access · Quarterly audit reports · Limited audit, no data security · Undetected breach and data loss

Page 8: More Databases. More Hackers. More Audits

Data breach trends 2015

[Chart: Number of Incidents and Number of Exposed Records, 2011–2015, split by Outside, Inside Total, Inside-Accidental, Inside-Malicious, Inside-Unknown and Unknown Threat Vec.]

• 3053 Outside Attacks
• 749 Outside Attacks
• Inside incidents represent 22% of total incidents, but result in 49% of record exposure
• Breakdown: Hacking 59%, Web 31%, Fraud 6%, Other 4%
• 2015 percentage of total by number of records exposed (buckets in slide order: Unknown # of rec., 1 to 100, 101 to 1,000, 1,001 to 10,000, 10,001–100,000, over 100,000): 29%, 37%, 18%, 11%, 3%, 2%
• Top 3 items stolen: 1. Passwords 2. Email addresses 3. User name

[Chart: 2015 Records Exposed (millions) – Inside Incident Total vs. Outside Incident Total]

Source: 2015 Data Breach Trends, Data Breach Quick View, January 2016

Page 9: More Databases. More Hackers. More Audits


Database audit policy vs. database security policy

• Database audit
  – Record for future review
  – Narrow scope
  – Does not invoke “action”
  – Legal record of events

• Database security
  – Alert in real time on suspicious behavior
  – Broad visibility
  – Block in real time against obvious bad behavior
  – Implies “action”
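To make the audit-versus-security distinction concrete, here is an added Python example (not code from the Imperva deck or from SecureSphere): one stream of constructed database events is fed to a narrow-scope audit policy, which only records session and privileged events for later review and takes no action, and to a security policy, which evaluates every event as it arrives and returns an alert or block decision. Account names, hosts, table names, the sensitive-table classification and the thresholds are assumptions made for the illustration.

```python
"""Added example (not from the Imperva deck): one stream of database activity
run through an audit policy (record for later review, narrow scope, no action)
and a security policy (broad scope, real-time alert/block decisions).
Accounts, hosts, tables and thresholds are constructed for the illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DbEvent:
    ts: int          # constructed timestamp (seconds)
    user: str
    source_ip: str
    action: str      # LOGIN, LOGIN_FAILED, LOGOUT, SELECT, GRANT, DROP, ...
    obj: str         # table name, or "-" for session events
    rows: int = 0    # rows returned or affected


# Constructed sample activity: a service account, a DBA and an unexpected host.
EVENTS = [
    DbEvent(1, "app_svc", "10.0.1.5", "LOGIN", "-"),
    DbEvent(2, "app_svc", "10.0.1.5", "SELECT", "orders", 12),
    DbEvent(3, "dba_jane", "10.0.9.9", "LOGIN", "-"),
    DbEvent(4, "dba_jane", "10.0.9.9", "GRANT", "customers"),
    DbEvent(5, "app_svc", "10.0.1.5", "SELECT", "customers", 5000),
    DbEvent(6, "app_svc", "10.0.3.77", "LOGIN_FAILED", "-"),
    DbEvent(7, "app_svc", "10.0.3.77", "LOGIN_FAILED", "-"),
    DbEvent(8, "app_svc", "10.0.3.77", "LOGIN_FAILED", "-"),
    DbEvent(9, "app_svc", "10.0.3.77", "LOGIN", "-"),
    DbEvent(10, "app_svc", "10.0.3.77", "DROP", "orders"),
    DbEvent(11, "dba_jane", "10.0.9.9", "LOGOUT", "-"),
]

SESSION_ACTIONS = {"LOGIN", "LOGIN_FAILED", "LOGOUT"}
PRIVILEGED = {"GRANT", "DROP", "ALTER"}
SENSITIVE_TABLES = {"customers", "cards"}          # assumed data classification
DBA_ACCOUNTS = {"dba_jane"}
SERVICE_ACCOUNT_HOSTS = {"app_svc": {"10.0.1.5"}}  # where app_svc may connect from
FAILED_LOGIN_LIMIT = 3
BULK_ROWS = 1000


def audit_policy(events):
    """Compliance audit: narrow scope (session events and privileged actions),
    kept as a record for later review. It takes no action, and a bulk read of
    a sensitive table is not even in the record."""
    return [e for e in events if e.action in SESSION_ACTIONS or e.action in PRIVILEGED]


def security_policy(events):
    """Security policy: every event is evaluated as it arrives and gets one of
    ALLOW (no action), ALERT (notify in real time) or BLOCK (stop the request).
    Returns a list of (event, decision, reason)."""
    failed_logins = Counter()
    decisions = []
    for e in events:
        decision, reason = "ALLOW", ""
        key = (e.user, e.source_ip)
        if e.action == "LOGIN_FAILED":
            failed_logins[key] += 1
            if failed_logins[key] >= FAILED_LOGIN_LIMIT:
                decision, reason = "ALERT", "repeated failed logins"
        elif e.action in PRIVILEGED and e.user not in DBA_ACCOUNTS:
            decision, reason = "BLOCK", "privileged operation by non-DBA account"
        elif e.user in SERVICE_ACCOUNT_HOSTS and e.source_ip not in SERVICE_ACCOUNT_HOSTS[e.user]:
            decision, reason = "BLOCK", "service account used from unexpected host"
        elif e.obj in SENSITIVE_TABLES and e.rows >= BULK_ROWS:
            decision, reason = "ALERT", "bulk read of sensitive table"
        decisions.append((e, decision, reason))
    return decisions


def decision_counts(events):
    """How many events the security policy allowed, alerted on or blocked."""
    return dict(Counter(d for _, d, _ in security_policy(events)))


if __name__ == "__main__":
    print(f"audit record holds {len(audit_policy(EVENTS))} of {len(EVENTS)} events")
    for e, decision, reason in security_policy(EVENTS):
        if decision != "ALLOW":
            print(f"t={e.ts:>2} {e.user:<9}{e.source_ip:<11}{e.action:<13}{decision}: {reason}")
```

Run stand-alone, the script shows the point of the slide: the audit record keeps 9 of the 11 events but never sees the 5,000-row read of the customers table, while the security policy raises two alerts and blocks two requests as they happen.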

Page 10: More Databases. More Hackers. More Audits

Active monitoring protects data

A security first focus
1. Web Application Firewall
2. Privileged user monitoring
3. Monitor for audit and data security
4. Uniform application of policies
5. Alerts
6. Block suspicious behavior
7. Automated user rights mgmt.
8. Integrate change ticket mgmt.

[Diagram labels] DBA · Multi-staged attack compromises users and DBA · SecureSphere for database detects, alerts, and stops unauthorized or anomalous behavior by legitimate users and hackers · Breach attempt detected and stopped · SecureSphere WAF blocks web application exploits · Any time audit reports · Data centric audit and protection · Real-time security analysis

Page 11: More Databases. More Hackers. More Audits

Practical applications of activity monitoring (project and goal)

Sensitive data audit
• Streamline audit for PCI, SOX and other compliance purposes

Privileged user monitoring
• Enforce separation of duties
• Monitor all activity, including local DB server access
• Block if necessary

Data theft prevention
• Protect sensitive data
• Prevent the loss of sensitive data

Data across borders
• International privacy regulations limit what data can be accessed by users outside the borders defined by the regulation

Change reconciliation
• Show the compliance (e.g. SOX) auditors that changes to the database can be traced to approved change tickets

Malware and targeted attack use case
• Detect when a privileged user account has been compromised and is being used in an attack

VIP data privacy
• Maintain strict access control on highly sensitive company data, including data stored in core systems like SAP, Oracle Financials and PeopleSoft

Ethical walls
• Maintain strict separation between business groups within a larger organization, to comply with M&A requirements, government clearance, …

User tracking
• Map the true web application end user to the shared application/database user and on to the final data access

Secure audit trail archiving
• Secure the audit trail from tampering, modification, or deletion
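As an added example of the change reconciliation use case above (Python written for this page, not Imperva's or SecureSphere's code): DDL statements from a constructed database audit trail are matched against a constructed list of change tickets by database, object and approved change window, so an auditor can see which changes trace to an approved ticket and which do not. The ticket fields, the small DDL parser and the status labels are assumptions made for the illustration.

```python
"""Added example (not from the Imperva deck): reconcile DDL events from a
database audit trail against approved change tickets. Ticket fields, the
statement parser and the status labels are constructed for the illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    database: str
    obj: str            # object (schema.name) the ticket authorizes changes to
    window_start: int   # approved change window, constructed epoch seconds
    window_end: int
    state: str          # "approved", "rejected" or "closed"


@dataclass(frozen=True)
class DdlEvent:
    ts: int
    user: str
    database: str
    statement: str


# Object of an ALTER/CREATE/DROP on a table, index or view (assumed SQL subset).
DDL_RE = re.compile(
    r"^\s*(ALTER|CREATE|DROP)\s+(?:TABLE|INDEX|VIEW)\s+"
    r"(?:IF\s+(?:NOT\s+)?EXISTS\s+)?([\w.]+)",
    re.IGNORECASE,
)


def ddl_object(statement):
    """Return the lower-cased object a DDL statement targets, or None."""
    m = DDL_RE.match(statement)
    return m.group(2).lower() if m else None


def reconcile(events, tickets):
    """Match each DDL event to a ticket by database, object and change window.
    Returns (event, status, ticket_id) with status APPROVED, OUT_OF_WINDOW
    (a ticket exists but the change ran outside its window), NO_TICKET or
    UNPARSED (not recognised as DDL; still needs manual review)."""
    approved = [t for t in tickets if t.state == "approved"]
    results = []
    for e in events:
        obj = ddl_object(e.statement)
        if obj is None:
            results.append((e, "UNPARSED", None))
            continue
        candidates = [t for t in approved if t.database == e.database and t.obj == obj]
        in_window = [t for t in candidates if t.window_start <= e.ts <= t.window_end]
        if in_window:
            results.append((e, "APPROVED", in_window[0].ticket_id))
        elif candidates:
            results.append((e, "OUT_OF_WINDOW", candidates[0].ticket_id))
        else:
            results.append((e, "NO_TICKET", None))
    return results


def unapproved_changes(events, tickets):
    """The exception list an auditor wants: every change not traceable to an
    approved ticket within its window."""
    return [(e.ts, e.user, e.database, e.statement, status)
            for e, status, _ in reconcile(events, tickets) if status != "APPROVED"]


# Constructed tickets and audit events.
TICKETS = [
    ChangeTicket("CHG-1001", "hrdb", "hr.employees", 1000, 2000, "approved"),
    ChangeTicket("CHG-1002", "hrdb", "hr.salaries", 1000, 2000, "rejected"),
    ChangeTicket("CHG-1003", "salesdb", "public.orders", 5000, 6000, "approved"),
]
DDL_EVENTS = [
    DdlEvent(1500, "dba_jane", "hrdb", "ALTER TABLE hr.employees ADD COLUMN badge_id INT"),
    DdlEvent(1600, "dba_jane", "hrdb", "ALTER TABLE hr.salaries DROP COLUMN bonus"),
    DdlEvent(7000, "dba_bob", "salesdb", "DROP TABLE public.orders"),
    DdlEvent(1700, "app_svc", "hrdb", "CREATE TABLE hr.tmp_export (id INT)"),
    DdlEvent(1800, "dba_jane", "hrdb", "GRANT SELECT ON hr.salaries TO app_svc"),
]

if __name__ == "__main__":
    for e, status, ticket in reconcile(DDL_EVENTS, TICKETS):
        print(f"t={e.ts:<5}{e.user:<9}{e.database:<8}{status:<14}{ticket or '-':<9}{e.statement}")
```

Of the five constructed changes only the first traces to an approved ticket inside its window; the rejected ticket is deliberately not counted as approval, the late DROP is flagged as out of window, and the GRANT is reported as unparsed rather than silently passed.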

Page 12: More Databases. More Hackers. More Audits


Plan for Long Term Protection

Efficient and Cost Effective Monitoring

Page 13: More Databases. More Hackers. More Audits


• Do not audit: no protection, no compliance
• Utilize built in “Native Audit” capabilities: no protection, poor compliance
• Implement a dedicated database auditing solution: protection and compliance

Page 14: More Databases. More Hackers. More Audits


Why do organizations choose no audit over native audit?

• Database performance impact

• Audit data storage impact

• Manually intensive in a heterogeneous environment

• Complexities of regulatory requirements are overwhelming

• Time consuming, difficult to use native audit log output

• Don’t know what to audit

• Not aware of the location of all sensitive data

• DBA team is small and usually busy

Page 15: More Databases. More Hackers. More Audits

Page 16: More Databases. More Hackers. More Audits

Page 17: More Databases. More Hackers. More Audits

Page 18: More Databases. More Hackers. More Audits
Page 19: More Databases. More Hackers. More Audits
Page 20: More Databases. More Hackers. More Audits
Page 21: More Databases. More Hackers. More Audits
Page 22: More Databases. More Hackers. More Audits
Page 23: More Databases. More Hackers. More Audits
Page 24: More Databases. More Hackers. More Audits
Page 25: More Databases. More Hackers. More Audits
Page 26: More Databases. More Hackers. More Audits


Performance Impact Video Demo

SecureSphere Agent adds 2% CPU overhead, with no impact on HD I/O or TPS

Native audit increases HD I/O, slows response time and cuts TPS by 50%

Page 27: More Databases. More Hackers. More Audits


Database Audit and Protection TCO

The Monetary and Human Costs Associated with DAP


Page 28: More Databases. More Hackers. More Audits

Know your challenges with native audit

• Know that most organizations have more than one DB vendor
• The perimeter will be breached
• End points are vulnerable
• Internal users are a risk
• Privileged user accounts are data wells waiting to be tapped

Page 29: More Databases. More Hackers. More Audits


Database audit and protection – DAP solutions

• Imperva SecureSphere
• IBM Guardium

Page 30: More Databases. More Hackers. More Audits


The difference: Major computer manufacturer (Imperva vs. IBM compared)

Imperva
• 65 VM appliances
• Monitoring >1050 DB servers
• Replaced IBM and deployed on 1050 DBs within 6 months
• 10 FTE, less than 50% of role
• Expanded scope to include blocking and additional audit

IBM
• 135 VM appliances
• Maximum monitored 500 DB servers
• Deployment project >3 years – were never able to finish
• 10 FTE using 100% of role
• Audit gaps, no blocking

Page 31: More Databases. More Hackers. More Audits


Red Italian car

Page 32: More Databases. More Hackers. More Audits


Capacity design comparison summary

Imperva:
• Big Data model
• Distributed flat file
• Optimal for writes
• High fidelity data retention
• Compresses audit data 20x
• Real time data access from MX due to flat file architecture

IBM Guardium:
• Traditional relational DB model
• Structured rows & columns
• Optimal for reads, poor for writing
• Alters repetitive data to minimize some writes
• Less compression on archive due to RDBMS components in data structure
• Delayed data access due to RDBMS architecture and batch aggregation

Page 33: More Databases. More Hackers. More Audits


Identical coverage deployment comparison

Page 34: More Databases. More Hackers. More Audits


Lower total cost of ownership: Major Computer Manufacturer

The result:
• Labor cost dropped by over 50% compared with the Guardium deployment
• 60 days to roll out SecureSphere to the 500 databases
• Expanded the SecureSphere roll out to a total of 1050 databases
• SecureSphere cut the annual cost by 72%, to $744 per database

Page 35: More Databases. More Hackers. More Audits


Monitor more
• Separation of duties
• Pre-built purpose specific policies
• Autonomous rule evaluation
• High-speed evaluation
• In-line, sniffing, or hybrid monitor
• Secure storage of compliance audit
• Contextual security alerts

Monitor                                                            Compliance audit   Security audit
Login/Logout                                                       Yes                Yes
Security exceptions (failed login, connection errors, SQL errors)  Limited            Yes
Data access                                                        Limited            Yes
Data modification                                                  Limited            Yes
SQL statements                                                     Limited            Yes
User name                                                          Limited            Yes
Views                                                              No                 Yes
Stored procedures                                                  No                 Yes
Table groups                                                       No                 Yes
Triggers                                                           No                 Yes
Privileged operations                                              Limited            Yes
Protocol violations                                                No                 Yes
Source IP, OS, application                                         No                 Yes

Page 36: More Databases. More Hackers. More Audits


Deployment options & performance considerations

[Diagram labels] Users · Management Server (MX) · Gateway appliances · Enterprise databases · Agent auditing · DAP non-inline network auditing · DAP inline network auditing · DBA/Sys admin

• Agent architecture: Impact to DB server
• Appliance architecture: Capacity to capture necessary DB traffic and audit data
• Management Server: Backwards and forwards compatibility down to agent level
• Proactive: Real-time event notification and blocking

Page 37: More Databases. More Hackers. More Audits


Architecture overview

[Diagram labels] MX Management (Admin Mgmt., Analysis, Collection) · Gateway · Gateway · Gateway · Tap · Ticketing · SQL · LDAP · SIEM · Syslog | LDAP | SQL | REST | SOAP | SNMP · Syslog · SNMP

Page 38: More Databases. More Hackers. More Audits


SecureSphere leverages your other investments

• Limit risk with FireEye
  – Automatically monitor ALL activity or restrict data access of compromised hosts
• Improve visibility and analysis with Splunk & SIEM solutions
  – Holistically analyze consolidated security data and alerts
• Add contextual intelligence with LDAP and data lookups
  – User verification and data enrichment
• Enforce change management policies with ticketing systems
  – Automatically verify and log the existence of an approved change request
• Track users from web app to database activity with SecureSphere WAF
  – Correlate user activity across sessions and systems

Page 39: More Databases. More Hackers. More Audits


Position yourself for the future

• Big Data engines: SecureSphere for Big Data
• Cloud adoption: SecureSphere Data Protection for …
• Insider threat protection: Imperva CounterBreach – protecting the weakest link, users

Page 40: More Databases. More Hackers. More Audits


Truly detecting and containing breaches requires addressing all of:

• Exactly WHO is accessing my data?
• Is the access OK?
• How do I respond QUICKLY if not?

Page 41: More Databases. More Hackers. More Audits


Page 42: More Databases. More Hackers. More Audits

CounterBreach User Interface

[Diagram labels] Behavior machine learning · Deception · Visibility · Contain and Investigate · Imperva SecureSphere · Monitor · Learn and detect · Block / Quarantine · Databases and Files

Page 43: More Databases. More Hackers. More Audits


Big Picture Competitive Environment – DCAP

Gartner Market Guide for Data-Centric Audit and Protection

[Figure 2. Schematic Representation of the DCAP Market Showing How a Sample of Vendors Operates Across Different Data Silos]

Detection tools may be applicable across multiple silos through a single management console, but other functionality is limited.

Source: Gartner, Market Guide for Data-Centric Audit and Protection, 22 November 2014

Page 44: More Databases. More Hackers. More Audits


Food for thought: questions companies should be able to answer

1) Where, specifically, is your private data located?
2) Who is accessing your data?
3) How do they access your data?
4) Should they have access to your data?
5) What users have access to your data, but do not use it?
6) Who is responsible if data is lost? – Often Security
7) Who is responsible for monitoring that data? – Usually Database Administration
8) Is the data being used appropriately?
9) Does anything provide timely and actionable security intelligence?

Page 45: More Databases. More Hackers. More Audits


For More Information:
+1 (866) 926-4678 – Americas
+44 01189 497 130 – [email protected]