More Databases. More Hackers. More Audits.

© 2016 Imperva, Inc. All rights reserved.
More Databases. More Hackers.
More Audits.
Terry Ray and Cheryl O’Neill

Speakers
2
Terry Ray
Chief Product Strategist
Cheryl O’Neill
Product Marketing Director, Data Security

Who has access to your data and why?
How do you respond to suspicious activity?
3

Reasons to Invest in Database Audit and Protection
Security and Compliance Factors for
Consideration
1

Database monitoring considerations circa 2014
The normal
• Audit for compliance on critical systems
– Monitor logins/logouts and failed attempts
– Monitor privileged activities
• Policies vary by department and database
• Database audit logs consolidated quarterly
• Ad hoc user rights review and
management
• Change tickets manually reconciled for audit
The exception
• Monitor for audit and data security
– All sensitive data
– All user database activity
• Unified compliance policies and reports
• Alerts integrated with real-time security
monitoring process
• User rights review and management automated
• Change ticket verification and reconciliation

Database audit and protection circa 2016
The normal
• Monitor for data security
– All sensitive data
– All user database activity
• Unified compliance policies and reports
• Integrate Alerts with real-time security
monitoring process
• Block suspicious behavior on critical
systems
• Automate user rights review and
management
• Integrate change management
The exception
• Monitor extended data stores
– Cloud based databases and SaaS
– Big Data
• User behavior profile analysis
• Track user role characteristics
• Mask data in non-production systems
• Security database audit analysis
• Centralized data security and incident
response

Compliance reports do not protect data
DBA
A compliance only focus
1. Inconsistent policy application
2. Audit
• login, logout, failed attempts
• Privileged actions
3. Ad hoc user rights review
4. Quarterly compliance reports
Multi-staged attack compromises users
Application exploit compromises applications
Quarterly audit reports
Limited audit, No data security
Undetected
breach and
data loss
Compromised privileged access via
apps and direct database root access

Data breach trends 2015
-
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
2011 2012 2013 2014 2015
Number of Incidents
-
200,000,000
400,000,000
600,000,000
800,000,000
1,000,000,000
1,200,000,000
2011 2012 2013 2014 2015
Number of Exposed Records
3053 Outside Attacks
749 Outside Attacks
Inside incidents represent 22%
of total incidents, but result in
49% of record exposure
Hacking, 59%
Web, 31%
Fraud, 6%
Other, 4%
Source: 2015 Data Breach Trends, Data Breach Quick View, January 2016
29%
37%
18%
11%
3%
2% 2015 Percentage of total
Unknown # of Rec.
1 to 100
101 to 1,000
1,001 to 10,000
10,001 - 100,000
Over 100,000
- 200 400
Outside
Inside Total
Inside-Accidental
Inside-Malicious
Inside-Unknown
Unknown Threat Vec.
Millions
2015 Records Exposed
Top 3 items stolen:
1. Passwords
2. Email addresses
3. User name
Inside IncidentTotal
Outside IncidentTotal

Database audit policy vs. database security policy
• Database audit
– Record for future review
– Narrow scope
– Does not invoke “action”
– Legal record of events
• Database security
– Alert in real time on suspicious
behavior
– Broad visibility
– Block in real time against obvious
bad behavior
– Implies “action”

Active monitoring protects data
DBA
Multi-staged attack
compromises users and DBA
SecureSphere for database detects, alerts, and
stops unauthorized or anomalous behavior by
legitimate users and hackers
Breach attempt
detected and
stopped
SecureSphere WAF blocks web
application exploits
Any time audit reports
Data centric audit and protection
A security first focus
1. Web Application Firewall
2. Privileged user monitoring
3. Monitor for audit and data security
4. Uniform application of policies
5. Alerts
6. Block suspicious behavior
7. Automated user rights mgmt.
8. Integrate change ticket mgmt.
Real-time security analysis

Practical applications of activity monitoring
Project Goal
Sensitive data audit • Streamline audit for PCI, SOX and other compliance purposes
Privileged user monitoring • Enforce separation of duties
• Monitor all activity, including local DB server access
• Block if necessary
Data theft prevention • Protect Sensitive data
• Prevent the loss of sensitive data
Data across borders • International privacy regulations limit what data can be accessed by users outside the borders
defined by the regulation
Change reconciliation • Show the compliance (i.e. SOX) auditors that changes to database could be traced to approved
change tickets
Malware and targeted attack use case • Detect when a privileged user account has been compromised and is being used in an attack
VIP data privacy Maintain strict access control on highly sensitive company data, including data stored in core
systems like SAP, Oracle Financials and PeopleSoft
Ethical walls Maintain strict separation between business groups within a larger organization. To comply with
M&A requirements, government clearance, …
User tracking Map true web application end user to the shared application/database user to final data access
Secure audit trail archiving Secure the audit trail from tamper, modification, or deletion

Plan for Long Term Protection
Efficient and Cost Effective Monitoring
2

No protection, no compliance
No protection, poor compliance
Protection and compliance
Utilize built in “Native Audit” capabilities
Do not audit
Implement a dedicated database auditing solution

Why do organizations choose no audit over native audit?
• Database performance impact
• Audit data storage impact
• Manually intensive in a
heterogeneous environment
• Complexities of regulatory
requirements are overwhelming
• Time consuming difficult to use Native
Audit log output
• Don’t know what to audit
• Not aware of the location of all
sensitive data
• DBA team is small and usually busy

Performance Impact Video Demo
SecureSphere Agent adds
2% CPU overhead, with no
impact on HD I/O or TPS
Native audit increase HD
I/O, slows response time
and cuts TPS by 50%

Database Audit and Protection TCO
The Monetary and Human Costs
Associated with DAP
3

Know your challenges with native audit
• Know that most organizations
have more than one DB
vendor
• The perimeter will be
breached
• End points are vulnerable
• Internal users are a risk
• Privileged users accounts are
data wells waiting to be
tapped

Database audit and protection – DAP solutions
• Imperva SecureSphere
• IBM Guardium

The difference
Major computer manufacturer
• 65 VM Appliances
• Monitoring >1050 DB Servers
• Replaced IBM and deployed
on 1050 DBs within 6 months
• 10 FTE less than 50% of role.
• Expanded scope to include
blocking and additional audit.
• 135 VM Appliances
• Maximum monitored 500 DB Servers
• Deployment project >3 years – were
never able to finish.
• 10 FTE using 100% of role.
• Audit gaps, no blocking
Imperva IBM
Compare

Red Italian car

Capacity design comparison summary
Imperva:
• Big Data model
• Distributed flat file
• Optimal for writes
• High fidelity data retention
• Compresses audit data 20x
• Real time data access from MX
due to flat file architecture
IBM Guardium:
• Traditional relational DB model
• Structured rows & columns
• Optimal for reads, poor for writing
• Alters repetitive data to minimize some writes
• Less compression on archive due to RDBMS
components in data structure
• Delayed data access due to RDBMS
architecture and batch aggregation

Identical coverage deployment comparison

Lower total cost of ownership
Major Computer Manufacturer
• Labor cost dropped by over 50% compared
with the Guardium deployment
• 60 days to roll out SecureSphere
to the 500 databases
• Expanded the SecureSphere roll out
to a total of 1050 databases
• SecureSphere cut the annual cost by 72%,
to $744 per database
The result

Monitor more
• Separation of duties
• Pre-built purpose specific policies
• Autonomous rule evaluation
• High-speed evaluation
• In-line, sniffing, or hybrid monitor
• Secure storage of compliance audit
• Contextual security alerts
Monitor Compliance
audit
Security
audit
Login/Logout Yes Yes
Security exceptions (failed login,
connection errors, SQL errors)
Limited Yes
Data access Limited Yes
Data modification Limited Yes
SQL statements Limited Yes
User name Limited Yes
Views No Yes
Stored procedures No Yes
Table groups No Yes
Triggers No Yes
Privileged operations Limited Yes
Protocol violations No Yes
Source IP, OS, application No Yes

Users
Deployment options & performance considerations
Management
Server (MX)
Agent
auditing
Enterprise
databases
Agent
auditing
DAP
non-inline
Network
auditing
DAP
inline
Network
auditing
DBA/Sys admin
DBA/Sys admin
• Agent architecture: Impact to
DB server
• Appliance architecture:
Capacity to capture necessary
DB traffic and audit data
• Management Server:
Backwards and forwards
compatibility down to agent
level
• Proactive: Real-time event
notification and blocking
Gateway
Appliances

Architecture overview
MX Management
AdminMgmt.AnalysisCollection
Gateway GatewayGateway
Tap Ticketing
SQLLDAP
SIEMSyslog | LDAP | SQL
REST | SOAP | SNMP
Syslog
SNMP

SecureSphere leverages your other investments
• Limit risk with FireEye
– Automatically monitor ALL activity or restrict data access of compromised hosts
• Improve visibility and analysis with Splunk & SIEM solutions
– Holistic analyze consolidated security data and alerts
• Add contextual intelligence with LDAP and data lookups
– User verification and data enrichment
• Enforce change management polices with ticketing systems
– Automatically verify and log existence of an approved change request
• Track users from web app to database activity with SecureSphere WAF
– Correlate user activity across sessions and systems

Position yourself for the future
Big Data engines Cloud adoption
SecureSphere
Data
Protection
for
SecureSphere
for Big Data
Imperva
CounterBreach
Protecting the
weakest link -
users
Insider threat protection

How do I respond
QUICKLY
if not?
Exactly
WHO
Is accessing my data?
?
Truly detecting and containing breaches requires addressing all
OK?
Is the access

CounterBreach
User Interface
Behavior
machine
learning
Visibility
Contain
and
Investigate
Deception
Imperva
SecureSphere
LEARN AND DETECT BLOCK /
QUARANTINE
MONITOR
Imperva
SecureSphere
Databases and Files

Big Picture
Competitive
Environment – DCAP
Gartner Market
Guide for Data-
Centric Audit and
Protection
Figure 2. Schematic Representation of the DCAP Market Showing How a Sample of
Vendors Operates Across Different Data Silos
Detection tools may be applicable across multiple silos through a single management
console but other functionality is limited
Source: Gartner, Market Guide for Data-Centric Audit and Protection, 22 November 2014

Food for thought: questions companies should be able to answer
1) Where specifically, is your private data located?
2) Who is accessing your data?
3) How do they access your data?
4) Should they have access to your data?
5) What users have access to your data, but do not use it?
6) Who is responsible if data is lost? – Often Security
7) Who is responsible for monitoring that data? – Usually Database Administration
8) Is the data being used appropriately?
9) Does anything provide timely and actionable security intelligence?

For More Information:
+1(866) 926-4678 – Americas
+44 01189 497 130 – EMEA
info@imperva.com

More Databases. More Hackers. More Audits.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to More Databases. More Hackers. More Audits.

Similar to More Databases. More Hackers. More Audits. (20)

More from Imperva

More from Imperva (19)

Recently uploaded

Recently uploaded (20)

More Databases. More Hackers. More Audits.