White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

Transcription

1 Protecting Databases from Unauthorized Activities Using Imperva SecureSphere White Paper As the primary repository for the enterprise s most valuable information, the database is perhaps the most sensitive segment of the IT landscape. Many organizations are learning that database assets are vulnerable to both external attackers via Web applications and internal employees who take advantage of more direct privileges. Customer records, financial reports, and patient data are all at risk. The threat of compromising sensitive information either by leakage or unauthorized changes is driving compliance regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and others, which require organizations to implement strong database access controls. Imperva SecureSphere helps organizations protect databases from unauthorized activities by enabling them to:» Achieve unparalleled visibility into database activities» Enforce accurate and granular database and data access policies» Deliver proactive database protection against external attacks and internal misuse In the following White Paper, we present the range of blocking options that can enforce and deliver better access controls and protection again suspicious database activities.

2 Monitoring Privileged Database Activities Privileged users, including DBAs, are required to manage and maintain databases, but their powerful database privileges also pose a concern. Since these users often need to access databases directly and perform highly sensitive operations on database configurations and content, they are often provided with unlimited access to sensitive content and containers. Abusing these database privileges can compromise the organizations databases and data, impacting business operations, enabling data leakage and fraudulent activity. In order to ensure complete database security, inspection of all privileged database activity is required. Real-time alerts on suspicious activities must be sent and a detailed audit trail must be kept for forensic investigations. The SecureSphere solution monitors all access paths to data, providing 360 degree data protection. The solutions hybrid architecture enables maximum visibility into database activity, with minimal overhead. This hybrid architecture combines the following components:» Network monitoring appliances: provide early network-based detection and protection with zero impact on the monitored systems» Light host based agents: add visibility into direct/local privileged activity and eliminate blind spots. Full agent based database activity monitoring is available as well.» Agentless collection of 3rd party audit logs (including native audit logs): covering areas where network or agent based monitoring cannot be implemented This hybrid architecture offers the most flexible deployment options to match any unique topology, and ensures that all paths to data are always monitored. When Monitoring Privileged Activities Is Not Enough SecureSphere DAM (Database Activity Monitoring) protects databases by generating detailed audit trails and real-time security alerts whenever anomalous activity is detected or access policies are violated including privileged user violations. But while monitoring privileged activities is an important element of a defense strategy, being a monitoring only solution it is limited to providing detective controls (alerts and reports) rather than preventive controls (enforcing access controls and blocking unauthorized activities). In order to enforce better controls over privileged activities that may compromise the database, some organizations are looking for solutions that can block unauthorized privileged activities and quarantine suspect users. While a suspect user is in quarantine, its privileges should be suspended until reviewed and authorized. Preventing Unauthorized Privileged Activities Using SecureSphere SecureSphere Database Firewall, which is also a part of the SecureSphere Data Security Suite, supports four (4) different techniques for blocking and preventing unauthorized privileged activities: 1. Inline network blocking To achieve inline blocking capabilities, SecureSphere gateway appliances are deployed in inline mode. In this scenario, the gateway appliance acts as a bridging device between the external network and the protected database server. The gateway will inspect every packet (including encrypted traffic) which goes through the bridged appliance. Each network packet is analyzed in real-time to understand the activity behind it, and if the requested activity violates security and/or access policies, SecureSphere will block the malicious traffic by dropping request or packet that triggers the event. Inline deployment introduces minimal latency (sub-millisecond), and is the most effective way to block database attacks seen on the network. < 2 >

3 Joe Tod Sam Application Servers IMPERVA SECURESPHERE Database Servers Figure 1: Inline network blocking 2. Non-Inline session blocking Non-inline blocking capabilities are available when SecureSphere gateway appliances are deployed in non-inline (sniffing) mode. While Imperva recommends In-line deployments for achieving most efficient database activity blocking, the non-inline deployment mode protects database servers with zero-risk to the overall performance of the application. In this scenario, the gateway is not acting as a bridge and is only getting a mirrored copy of the traffic, so it can t drop the packets. Instead the gateway appliance will issue a TCP reset command to drop malicious traffic. Since the appliance is remote to the malicious traffic, this creates a race condition between the malicious activity and TCP reset. As a result, if the TCP reset is too slow to block the attack, it might get through. Non-Inline session blocking is considered less effective, however it does not introduce any latency. In addition to sending a TCP reset for blocking network activity, Imperva SecureSphere can also block sessions directly on the protected database server. Using the session information the appliance can send a remote command to block the session on the server itself. This does not require a SecureSphere agent on the protected server. Joe Tod Sam Application Servers IMPERVA SECURESPHERE Figure 2: Non-Inline session blocking (network and local session) 3. Terminating unauthorized privileged activities Privileged users and DBAs are responsible for the administration and maintenance of databases and require elevated privileges and access to system resources. Complete visibility into privileged activity and real-time alerts ensure that only authorized applications and users are accessing sensitive data, or performing changes to database schemas and values. The challenge of monitoring and controlling privileged database activities is due to the fact that most privileged database activities are performed locally on the database server (e.g., a database administrator accesses the database host directly or using a remote shell or a VPN/secure channel). When database activities are performed locally on the database server, there is no network traffic (or, at least, no external network traffic) available for the SecureSphere gateway appliance to examine. < 3 >

4 To gain the required visibility, the SecureSphere solution uses a light-weight database agent, which inspects the database host s internal network activity on the protected server for all user initiated activities. SecureSphere agents eliminate blind spots by ensuring full visibility and protection capabilities to all network and local privileged operations. This includes Data Definition Language (DDL) commands, Data Control Language (DCL) commands, Data Manipulation Language (DML) commands, read-only (SELECTs), and mores. The agent sends monitored activity details to a remote SecureSphere gateway appliance which analyzes the activity. If the activity violates security policies, the appliance will then send a command back to block the activity on the protected server. As a secondary option, SecureSphere can quarantine the privileged user, denying all activities from the offending user until these activities are reviewed and authorized by the security and management team. This is covered in the next section. Direct Access Privileged Users (DBAs, Developers...) IMPERVA SECURESPHERE DATABASE FIREWALL Figure 3: Terminating unauthorized privileged activities 4. User quarantine SecureSphere can also quarantine offending database users by removing their RDBMS privileges. Privileged account quarantine not only ensures that a specified user is unable to execute any further actions, but also removes their ability to login to the database. To reinstate a quarantined account, a security review is required. Only after the review and authorization process the user can be reactivated. For organizations who have review processes in place, ScureSphere can provide an automated notification to security-management and ticketing systems (including BMC Remedy and ArcSight SIEM) to alert that a user has been quarantined. The review team will then utilize SecureSphere Interactive Audit Analytics to review the relevant event details and related user activities and decide whether the user should, or shouldn t, access the database, and if so, which privileges should be assigned to the user. In addition, user quarantine notifications can be sent directly through , or to a syslog where it can be picked by various solutions. User quarantine allows IT security departments to stop insider data breaches at the source, and prevent any subsequent attempts by the same individual to compromise the company s assets. Privileged Users (DBAs, Developers...) Alert, , and/or Notify 3rd party systems IMPERVA SECURESPHERE DATABASE FIREWALL Figure 4: User quarantine < 4 >

5 Summary SecureSphere Data Security Suite and Database Firewall solutions provide unmatched, full 360 degrees database protection. SecureSphere supports network-based monitoring and real-time blocking of unauthorized activity by trusted insiders. In addition SecureSphere can terminate local user activity and quarantine user accounts in the event of a security policy violation. SecureSphere helps organizations address the growing risk of insider abuse, with the ability to detect, block, and prevent subsequent attempts by privileged users to breach security policies through direct access to the database server. SecureSphere also enables organizations to enforce better access controls and ensure only authorized activities are preformed on their databases. Imperva Americas Headquarters International Headquarters 3400 Bridge Parkway 125 Menachem Begin Street Suite 101 Tel-Aviv Redwood Shores, CA Israel Tel: Tel: Fax: Fax: Toll Free (U.S. only): Copyright 2009, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-SECURESPHERE_BLOCKING_OPTIONS-0709rev1