more databases. more hackers. more audits
TRANSCRIPT
© 2016 Imperva, Inc. All rights reserved.
More Databases. More Hackers. More Audits. Terry Ray and Cheryl O’Neill
Speakers
Terry Ray, Chief Product Strategist
Cheryl O’Neill, Product Marketing Director, Data Security
Who has access to your data and why?
How do you respond to suspicious activity?
1. Reasons to Invest in Database Audit and Protection
Security and Compliance Factors for Consideration
Database monitoring considerations circa 2014
The normal
• Audit for compliance on critical systems
  – Monitor logins/logouts and failed attempts
  – Monitor privileged activities
• Policies vary by department and database
• Database audit logs consolidated quarterly
• Ad hoc user rights review and management
• Change tickets manually reconciled for audit
The exception
• Monitor for audit and data security
  – All sensitive data
  – All user database activity
• Unified compliance policies and reports
• Alerts integrated with real-time security monitoring process
• User rights review and management automated
• Change ticket verification and reconciliation
Database audit and protection circa 2016
The normal
• Monitor for data security
  – All sensitive data
  – All user database activity
• Unified compliance policies and reports
• Integrate alerts with real-time security monitoring process
• Block suspicious behavior on critical systems
• Automate user rights review and management
• Integrate change management
The exception
• Monitor extended data stores
  – Cloud based databases and SaaS
  – Big Data
• User behavior profile analysis
• Track user role characteristics
• Mask data in non-production systems
• Security database audit analysis
• Centralized data security and incident response
Compliance reports do not protect data
A compliance only focus
1. Inconsistent policy application
2. Audit
   • Login, logout, failed attempts
   • Privileged actions
3. Ad hoc user rights review
4. Quarterly compliance reports
Attack scenario (diagram): a multi-staged attack compromises users, an application exploit compromises applications, and privileged access is compromised via apps and direct database root access (DBA). With limited audit and no data security, only quarterly audit reports are produced and the breach and data loss go undetected.
Data breach trends 2015 (charts: number of incidents and number of exposed records per year, 2011–2015, split into inside and outside incidents; 2015 records exposed in millions by threat vector: outside, inside-accidental, inside-malicious, inside-unknown, unknown threat vector; 2015 percentage of total incidents by number of records exposed: unknown, 1 to 100, 101 to 1,000, 1,001 to 10,000, 10,001 to 100,000, over 100,000)
• Chart callouts: 3053 Outside Attacks; 749 Outside Attacks
• Inside incidents represent 22% of total incidents, but result in 49% of record exposure
• Incident type: Hacking 59%, Web 31%, Fraud 6%, Other 4%
• Top 3 items stolen: 1. Passwords 2. Email addresses 3. User name
Source: 2015 Data Breach Trends, Data Breach Quick View, January 2016
Database audit policy vs. database security policy
• Database audit
  – Record for future review
  – Narrow scope
  – Does not invoke “action”
  – Legal record of events
• Database security
  – Alert in real time on suspicious behavior
  – Broad visibility
  – Block in real time against obvious bad behavior
  – Implies “action”
Active monitoring protects data
A security first focus
1. Web Application Firewall
2. Privileged user monitoring
3. Monitor for audit and data security
4. Uniform application of policies
5. Alerts
6. Block suspicious behavior
7. Automated user rights mgmt.
8. Integrate change ticket mgmt.
Attack scenario (diagram): a multi-staged attack compromises users and the DBA. SecureSphere WAF blocks web application exploits; SecureSphere for database detects, alerts, and stops unauthorized or anomalous behavior by legitimate users and hackers. With real-time security analysis and any time audit reports (data centric audit and protection), the breach attempt is detected and stopped.
Practical applications of activity monitoring (project and goal)
Sensitive data audit
• Streamline audit for PCI, SOX and other compliance purposes
Privileged user monitoring
• Enforce separation of duties
• Monitor all activity, including local DB server access
• Block if necessary
Data theft prevention
• Protect sensitive data
• Prevent the loss of sensitive data
Data across borders
• International privacy regulations limit what data can be accessed by users outside the borders defined by the regulation
Change reconciliation
• Show the compliance (i.e. SOX) auditors that changes to the database can be traced to approved change tickets
Malware and targeted attack use case
• Detect when a privileged user account has been compromised and is being used in an attack
VIP data privacy
• Maintain strict access control on highly sensitive company data, including data stored in core systems like SAP, Oracle Financials and PeopleSoft
Ethical walls
• Maintain strict separation between business groups within a larger organization, e.g. to comply with M&A requirements, government clearance, …
User tracking
• Map the true web application end user to the shared application/database user and on to the final data access
Secure audit trail archiving
• Secure the audit trail from tampering, modification, or deletion
2. Plan for Long Term Protection
Efficient and Cost Effective Monitoring
Audit approach and outcome:
• Do not audit: no protection, no compliance
• Utilize built-in “Native Audit” capabilities: no protection, poor compliance
• Implement a dedicated database auditing solution: protection and compliance
Why do organizations choose no audit over native audit?
• Database performance impact
• Audit data storage impact
• Manually intensive in a heterogeneous environment
• Complexities of regulatory requirements are overwhelming
• Time-consuming, difficult-to-use Native Audit log output
• Don’t know what to audit
• Not aware of the location of all sensitive data
• DBA team is small and usually busy
Performance Impact Video Demo
• SecureSphere Agent adds 2% CPU overhead, with no impact on HD I/O or TPS
• Native audit increases HD I/O, slows response time and cuts TPS by 50%
3. Database Audit and Protection TCO
The Monetary and Human Costs Associated with DAP
Know your challenges with native audit
• Know that most organizations have more than one DB vendor
• The perimeter will be breached
• End points are vulnerable
• Internal users are a risk
• Privileged user accounts are data wells waiting to be tapped
Database audit and protection – DAP solutions
• Imperva SecureSphere
• IBM Guardium
The difference – Major computer manufacturer (Imperva vs. IBM compared)
Imperva:
• 65 VM Appliances
• Monitoring >1050 DB Servers
• Replaced IBM and deployed on 1050 DBs within 6 months
• 10 FTE, less than 50% of role
• Expanded scope to include blocking and additional audit
IBM:
• 135 VM Appliances
• Maximum monitored 500 DB Servers
• Deployment project >3 years – were never able to finish
• 10 FTE using 100% of role
• Audit gaps, no blocking
Red Italian car
Capacity design comparison summary
Imperva:
• Big Data model
• Distributed flat file
• Optimal for writes
• High fidelity data retention
• Compresses audit data 20x
• Real time data access from MX due to flat file architecture
IBM Guardium:
• Traditional relational DB model
• Structured rows & columns
• Optimal for reads, poor for writing
• Alters repetitive data to minimize some writes
• Less compression on archive due to RDBMS components in data structure
• Delayed data access due to RDBMS architecture and batch aggregation
Identical coverage deployment comparison
Lower total cost of ownership – Major Computer Manufacturer
The result:
• Labor cost dropped by over 50% compared with the Guardium deployment
• 60 days to roll out SecureSphere to the 500 databases
• Expanded the SecureSphere roll out to a total of 1050 databases
• SecureSphere cut the annual cost by 72%, to $744 per database
Monitor more
• Separation of duties
• Pre-built purpose specific policies
• Autonomous rule evaluation
• High-speed evaluation
• In-line, sniffing, or hybrid monitor
• Secure storage of compliance audit
• Contextual security alerts

Monitor                                                            Compliance audit   Security audit
Login/Logout                                                       Yes                Yes
Security exceptions (failed login, connection errors, SQL errors)  Limited            Yes
Data access                                                        Limited            Yes
Data modification                                                  Limited            Yes
SQL statements                                                     Limited            Yes
User name                                                          Limited            Yes
Views                                                              No                 Yes
Stored procedures                                                  No                 Yes
Table groups                                                       No                 Yes
Triggers                                                           No                 Yes
Privileged operations                                              Limited            Yes
Protocol violations                                                No                 Yes
Source IP, OS, application                                         No                 Yes
Deployment options & performance considerations
Diagram: users and DBA/sys admins access the enterprise databases; a Management Server (MX) manages the Gateway Appliances; the auditing options are agent auditing on the database servers, DAP non-inline network auditing, and DAP inline network auditing.
• Agent architecture: Impact to DB server
• Appliance architecture: Capacity to capture necessary DB traffic and audit data
• Management Server: Backwards and forwards compatibility down to agent level
• Proactive: Real-time event notification and blocking
Architecture overview
Diagram: MX Management (Admin/Mgmt., Analysis, Collection) above three Gateways, fed by a network Tap. External integrations: Ticketing (SQL, LDAP) and SIEM (Syslog, SNMP); supported interfaces: Syslog | LDAP | SQL | REST | SOAP | SNMP.
SecureSphere leverages your other investments
• Limit risk with FireEye
  – Automatically monitor ALL activity or restrict data access of compromised hosts
• Improve visibility and analysis with Splunk & SIEM solutions
  – Holistically analyze consolidated security data and alerts
• Add contextual intelligence with LDAP and data lookups
  – User verification and data enrichment
• Enforce change management policies with ticketing systems
  – Automatically verify and log the existence of an approved change request
• Track users from web app to database activity with SecureSphere WAF
  – Correlate user activity across sessions and systems
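The change-reconciliation project in the practical-applications table and the ticketing integration above both come down to one check: a privileged change must map to an approved change request, and an unmatched one is a security event rather than a compliance record. The following is an added illustration written for this page, not Imperva's code or any SecureSphere API; the ticket fields, the DDL verb list and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str     # approved change request id (constructed sample values below)
    db_user: str       # account authorized to perform the change
    start: datetime    # approved maintenance window
    end: datetime

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime       # when the statement was captured
    db_user: str       # database account that ran it
    sql: str           # captured SQL statement

# Statement verbs treated as privileged/structural changes that need a ticket.
DDL_VERBS = ("ALTER", "CREATE", "DROP", "GRANT", "REVOKE", "TRUNCATE")

def is_privileged(sql: str) -> bool:
    """Hypothetical classifier: leading keyword decides whether a ticket is required."""
    return sql.lstrip().upper().startswith(DDL_VERBS)

def reconcile(events, tickets):
    """Audit policy: every event is recorded. Security policy: a privileged change
    with no approved ticket covering this user at this time raises an alert.
    Returns (sql, verdict, ticket_id) per event, verdict in {"record", "alert"}."""
    verdicts = []
    for ev in events:
        if not is_privileged(ev.sql):
            verdicts.append((ev.sql, "record", None))
            continue
        covering = [t for t in tickets
                    if t.db_user == ev.db_user and t.start <= ev.ts <= t.end]
        if covering:
            verdicts.append((ev.sql, "record", covering[0].ticket_id))
        else:
            verdicts.append((ev.sql, "alert", None))
    return verdicts

# Constructed sample data (not from the page): one approved window, three events.
SAMPLE_TICKETS = [ChangeTicket("CHG-0001", "dba_alice",
                               datetime(2016, 3, 1, 22, 0), datetime(2016, 3, 1, 23, 0))]
SAMPLE_EVENTS = [
    AuditEvent(datetime(2016, 3, 1, 22, 15), "dba_alice", "ALTER TABLE orders ADD COLUMN note TEXT"),
    AuditEvent(datetime(2016, 3, 1, 22, 20), "app_svc", "SELECT id, total FROM orders WHERE id = 42"),
    AuditEvent(datetime(2016, 3, 2, 3, 5), "dba_alice", "GRANT ALL ON customers TO temp_user"),
]

def reconcile_sample():
    return reconcile(SAMPLE_EVENTS, SAMPLE_TICKETS)
```

The third event is a GRANT by the same DBA outside any approved window, so it is the one that would surface as an alert to the security monitoring process rather than only in a quarterly report.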
Position yourself for the future
• Big Data engines: SecureSphere for Big Data
• Cloud adoption: SecureSphere Data Protection for the cloud
• Insider threat protection: Imperva CounterBreach – protecting the weakest link, users
Truly detecting and containing breaches requires addressing all of these questions:
• Exactly WHO is accessing my data?
• Is the access OK?
• How do I respond QUICKLY if not?
CounterBreach User Interface
Diagram: behavior machine learning; visibility; contain and investigate; deception. Imperva SecureSphere monitors databases and files, learns and detects, and blocks/quarantines.
Big Picture Competitive Environment – DCAP
Gartner Market Guide for Data-Centric Audit and Protection
Figure 2. Schematic Representation of the DCAP Market Showing How a Sample of Vendors Operates Across Different Data Silos
Detection tools may be applicable across multiple silos through a single management console, but other functionality is limited
Source: Gartner, Market Guide for Data-Centric Audit and Protection, 22 November 2014
Food for thought: questions companies should be able to answer
1) Where specifically is your private data located?
2) Who is accessing your data?
3) How do they access your data?
4) Should they have access to your data?
5) What users have access to your data, but do not use it?
6) Who is responsible if data is lost? – Often Security
7) Who is responsible for monitoring that data? – Usually Database Administration
8) Is the data being used appropriately?
9) Does anything provide timely and actionable security intelligence?
For More Information:
+1 (866) 926-4678 – Americas
+44 01189 497 130 – [email protected]