Securing ephi with Effective Database Activity Monitoring. HIMSS Webcast 4/26/2011. p. 1

Transcription

1 Securing ephi with Effective Database Activity Monitoring HIMSS Webcast 4/26/2011 p. 1

2 Agenda Agenda Database Security Primer Industry Trends What Works Integrated DB Security Product Demonstration Questions & Answers Mac McMillan CEO, CynergisTek Chair, HIMSS Privacy & Security Committee Mel Shakir CTO, NitroSecurity p. 2

3 About CynergisTek Healthcare Industry Focus - Broad base of healthcare clients - Specific partner relationships - Industry participation Dedicated to Thought Leadership - Chair, HIMSS Privacy & Security Committee - Chair, HIMSS Infosec Working Group - HIT Exchange Editorial Board - Industry Advisory Board Memberships Public and Private sector experience - Government, Banking, Technology and Healthcare Sector Experience p. 3

4 About NitroSecurity Real time Security & Compliance - Integrated SIEM & Log Management - Unmatched speed and scale - Unique database & application monitors - Only content aware SIEM - Integrated IDS/IPS family - Certified for defense and critical infrastructure Rapid Growth - Doubled SIEM sales in Over 500 enterprise and government customers Worldwide Sales & Support - Headquarters Portsmouth, New Hampshire, USA p. 4

5 Industry Recognition August, 2010 Ranked #1 January, 2011 Best Log Mgmt p. 5

6 Industry Recognition December, 2009 August, 2010 December, 2010 the best and fastest database in the security industry An analyst s power tool, strong SIEM capabilities in a highly configurable dashboard The fastest database in the business, a truly creative front end, What more could you ask for in a SIEM? p. 6

7 Sample Healthcare Customers p. 7

8 3 Reasons Why Active Monitoring is Necessary Real threats from insider abuse, to loss of data and systems, to persistent malicious attacks with real consequences. Overly complex environments with hundreds of applications, with associated data bases, and separate standalone databases, created and forgotten. Stepped up Regulatory requirements, with very specific accountabilities for access, and increasingly sharpened enforcement mechanisms with accountability that costs. Valerie Morgan-Alston, deputy director for enforcement and regional operations, a new OCR position, said to expect big enforcement actions in the future. p. 8

9 Database Security Primer Data Discovery Vulnerability Assessment (VA) Access Authorization Secure Data in Motion Secure Data at Rest Real-time Monitoring Leakage Prevention p. 9

10 Database Security Challenges Technical Challenges - Data is constantly in motion - Huge volumes of database activity to log - Performance impact not acceptable - Segregation of security duties from DBAs - Change to applications not acceptable - Database agent(s) mgt nightmare - Connection pools hide user identity Who s responsible? - SOC, NOC, DBA?, Application Team? Budgetary Dilemmas - Additional staffing in SOC/NOC - Databases are only a component of overall security p. 10

11 Security Solution Technologies: Deployment Phases Drivers: Security & Compliance Phase I VA, Antivirus, Firewall, IPS/IDS, Access Control Phase II SIEM Deployment (Network Perimeter & Host) Phase III Monitor Databases & Applications Phase IV Prevent Leakage of Sensitive Data (DLP) p. 11

12 Top Database Security Threats Excessive Privilege Abuse Legitimate Privilege Escalation Database Platform Vuln(s) SQL Injection Weak Audit Trail Denial of Service (DoS) Database Comm Protocol Weak Authentication Backup Data Exposure Source GNC Computer News p. 12

13 The Need For Diligence/Awareness OCR has charted a course aimed at promoting compliance, but enforcement ready. HITECH specifically directs that HHS/OCR will conduct compliance audits/investigate major breaches. Incident based investigations climbs to over 250, approximately 25,000 smaller breaches, and countless others not reported. OCR requests 10% increase in budget. HHS levy first fines, Cignet Health hit with $4.3M and Massachusetts General given $1.3M fine and RA. Two sentenced to jail time, several others under indictment. 2011, OCR initiates training for State AGs to enforce HIPAA. p. 13

14 Top Use Cases Privileged user monitoring Database protection Detect fraud & policy violations Top consumers of sensitive data Reduce cost of breach notification reporting p. 14

15 Use Case: Privileged User Monitoring Example 1: Normal Database Access 1. User jsmith accesses the core database server for normal use 2. Normal activity is logged, providing an audit trail 3. Activity is collected for analysis and correlation by NitroView ESM p. 15

16 Use Case: Privileged User Monitoring Example 1: Normal Database Access 1. User jsmith accesses the core database server for normal use 2. Normal activity is logged, providing an audit trail 3. Activity is collected for analysis and correlation by NitroView ESM Real Time Audit Trail of ALL SQL p. 16

17 Use Case: Database Protection Example 2: Brute Force Login 1. User jsmith logs in to core database after multiple failed logins 2. NitroGuard DBM sends an alert a. The event is collected for analysis and correlation by NitroView ESM b. The event is logged for evidentiary purposes and compliance reporting p. 17

18 Use Case: Database Protection Example 2: Brute Force Login 1. User jsmith logs in to core database after multiple failed logins 2. NitroGuard DBM sends an alert a. The event is collected for analysis and correlation by NitroView ESM b. The event is logged for evidentiary purposes and compliance reporting p. 18

19 Use Case: Database Protection Example 2: Brute Force Login 1. User jsmith logs in to core database after multiple failed logins 2. NitroGuard DBM sends an alert a. The event is collected for analysis and correlation by NitroView ESM b. The event is logged for evidentiary purposes and compliance reporting p. 19

20 Use Case: Database Protection - SQL Injection Scenario Example 3: Unusual Amount of Sensitive Data is Accessed 1. Attacker spider the web application 2. Finds a SQL Injection flaw and injects code in the database 3. Waits for legitimate user to access code using browser 4. Browser executes malicious code Web Server p. 20

21 Use Case: Database Protection - SQL Injection Scenario Example 3: Unusual Amount of Sensitive Data is Accessed 1. Attacker spider the web application 2. Finds a SQL Injection flaw and injects code in the database 3. Waits for legitimate user to access code using browser 4. Browser executes malicious code Web Server Attacker spiders the web application p. 21

22 Use Case: Database Protection - SQL Injection Scenario Example 3: Unusual Amount of Sensitive Data is Accessed 1. Attacker spider the web application 2. Finds a SQL Injection flaw and injects code in the database 3. Waits for legitimate user to access code using browser 4. Browser executes malicious code Web Server Attacker spiders the web application Looks for SQL Injection flaws Injects code in the database p. 22

23 Use Case: Database Protection - SQL Injection Scenario Example 3: Unusual Amount of Sensitive Data is Accessed 1. Attacker spider the web application 2. Finds a SQL Injection flaw and injects code in the database 3. Waits for legitimate user to access code using browser 4. Browser executes malicious code Waits for user to access the database Web Server Attacker spiders the web application Looks for SQL Injection flaws Injects code in the database p. 23

24 Use Case: Database Protection - SQL Injection Scenario Example 3: Unusual Amount of Sensitive Data is Accessed 1. Attacker spider the web application 2. Finds a SQL Injection flaw and injects code in the database 3. Waits for legitimate user to access code using browser 4. Browser executes malicious code Waits for user to access the database Browser executes malicious code Web Server Attacker spiders the web application Looks for SQL Injection flaws Injects code in the database p. 24

25 Use Case: Fraud Detection & Policy Violations Example 4: Unusual Amount of Sensitive Data is Accessed 1. User jsmith accesses critical database source 2. NitroGuard DBM detects a result size policy violation for jsmith a. An event is collected for analysis and correlation by NitroView ESM b. The event is logged for evidentiary purposes and compliance reporting p. 25

26 Use Case: Fraud Detection & Policy Violations Example 4: Unusual Amount of Sensitive Data is Accessed 1. User jsmith accesses critical database source 2. NitroGuard DBM detects a result size policy violation for jsmith a. An event is collected for analysis and correlation by NitroView ESM b. The event is logged for evidentiary purposes and compliance reporting p. 26

27 Verizon Data Breach Investigations Report Most widely used attack path Web application, 79% Most widely compromised asset by number of records Database server, 75% Most compromised data type Payment card data, 98% Type of assets misused Database Server, 23% p. 27

28 What Works in DB Monitoring p. 28

29 What Works in DB Monitoring Database Agent(s) p. 29

30 What Works in DB Monitoring Network Appliance p. 30

31 What Works in DB Monitoring Network Appliance Database Agent(s) Database Agent(s) - Performance impact on db server - Harder to deploy & manage - Limited scalability - Inferior audit logs p. 31

32 What Works in DB Monitoring Network Appliance Database Agent(s) Network Appliance Database Agent(s) - Performance impact on db server - Harder to deploy & manage - Limited scalability - Inferior audit logs p. 32

33 Pitfalls with Native DBMS Controls Performance impact on db server Harder to deploy & manage Limited scalability Inferior audit logs Cannot easily segregate database security duties from the DBA Cannot correlate series of events for root cause analysis Cannot discover and prevent database attacks Cannot monitor response/content Cannot track a person using a generic database login Cannot mask sensitive content No integration with SIEM, Log Mgmt, Alerting, Enterprise solutions No secure central logging, reporting and notification p. 33

34 Monitoring Technologies at a Glance Source Gartner SIEM DAM DLP Fraud Detection Application activity Application access Database activity File access DB activity: privileged user System activity: privileged user Network activity: user User activity at this layer is not visible This technology is a primary monitoring method for this layer. User activity at this layer is visible in a broad set of use cases, but other technologies provide deeper monitoring. User activity at this layer is visible, but monitoring is limited to the primary use cases of the technology. p. 34

35 Integrated Database & Application Security p. 35

36 Integrated Database & Application Security DBM agent NitroView DBM Full-session capture of SQL activity, db content use, db server discovery Log DBA console activity p. 36

37 Integrated Database & Application Security DBM agent NitroView DBM Full-session capture of SQL activity, db content use, db server discovery Log DBA console activity p. 37

38 Integrated Database & Application Security Block database exploits and SQL Injection attacks before they reach the network core NitroGuard IPS DBM agent NitroView DBM Full-session capture of SQL activity, db content use, db server discovery Log DBA console activity p. 38

39 Integrated Database & Application Security Monitor all OS security events - users logging in/out, access/change to database config files & backups Block database exploits and SQL Injection attacks before they reach the network core NitroView Receivers NitroGuard IPS DBM agent NitroView DBM Full-session capture of SQL activity, db content use, db server discovery Log DBA console activity p. 39

40 Integrated Database & Application Security Monitor all OS security events - users logging in/out, access/change to database config files & backups Block database exploits and SQL Injection attacks before they reach the network core NitroView Receivers NitroGuard IPS DBM agent NitroView DBM Monitor potential leakage of sensitive database content via , chat, web, P2P NitroView ADM Full-session capture of SQL activity, db content use, db server discovery Log DBA console activity p. 40

41 Integrated Database & Application Security SOC/NOC Compliance DBA s Management Event correlation Incidence response VA integration User activity profiling Central policy & mgt Analysis & forensics Reporting, notification NitroView ESM Monitor all OS security events - users logging in/out, access/change to database config files & backups Block database exploits and SQL Injection attacks before they reach the network core NitroView Receivers NitroGuard IPS DBM agent NitroView DBM Monitor potential leakage of sensitive database content via , chat, web, P2P NitroView ADM Full-session capture of SQL activity, db content use, db server discovery Log DBA console activity p. 41

42 Product Demonstration NitroSecurity: Unifying Information Security page 42

43 Top Use Cases Privileged user monitoring Database protection Detect fraud & policy violations Top consumers of sensitive data Reduce cost of breach notification reporting NitroSecurity: Unifying Information Security page 43

44 NitroSecurity: Unifying Information Security page 44

45 Full Session Detail NitroSecurity: Unifying Information Security page 45

46 NitroSecurity: Unifying Information Security page 46

47 Top Use Cases Privileged user monitoring Database protection Detect fraud & policy violations Top consumers of sensitive data Reduce cost of breach notification reporting NitroSecurity: Unifying Information Security page 47

48 Database Activity & Event Correlation Advanced Visualization, Activity Baselining, Event Analysis & Drill-down p. 48

49 Central Policy Management & Rollout p. 49

50 Top Use Cases Privileged user monitoring Database protection Detect fraud & policy violations Top consumers of sensitive data Reduce cost of breach notification reporting p. 50

51 Discovery of Sensitive Content p. 51

52 p. 52

53 p. 53

54 Correlation Rule Editor Correlation with security events, flows, application logs, identity & VA tools Over 150 devices support out-of-box p. 54

55 User Activity Profiling Commands and objects are accessed by a user and deviation from normal behavior p. 55

56 Top Use Cases Privileged user monitoring Database protection Detect fraud & policy violations Top consumers of sensitive data Reduce cost of breach notification reporting p. 56

57 Discovery of Sensitive Content p. 57

58 Customized Application Views p. 58

59 Top Use Cases Privileged user monitoring Database protection Detect fraud & policy violations Top consumers of sensitive data Reduce cost of breach notification reporting p. 59

60 Pre-defined Database Views and Graphical Reports p. 60

61 Monitoring of Database Config & Backup Files p. 61

62 Auto Discovery of Databases & Easy 1-Step Setup Database Discovery Setup & Configuration - Add DBM Device, Add Database Servers, Add Optional Database Agents p. 62

63 Easy Setup, Deployment & Management p. 63

64 Integrated Agent Management p. 64

65 Database Change Control Management p. 65

66 Application User Tracking Correlating the SQL transaction with another data source Identifying a user-identifier/token in the SQL p. 66

67 Sensitive Data Masking p. 67

68 QUESTIONS VISIT US AT p. 68