SecureSphere Data Security Suite

Transcription

1 Reference Code: TA001892SEC Publication Date: April 2010 Author: Andy Kellett, Karthik Balakrishnan, Nishant Singh TECHNOLOGY AUDIT SecureSphere Data Security Suite Imperva OVUM BUTLER GROUP VIEW ABSTRACT Imperva s SecureSphere Data Security Suite combines web and database security to provide a comprehensive riskmanagement framework that defines and controls external and internal user and application access protection while continuously monitoring and auditing the infrastructure for violations. SecureSphere Data Security Suite brings together a portfolio of Imperva products including its SecureSphere web application firewall (WAF), its SecureSphere database firewalls, its database-discovery and assessment server, and its database activity monitoring (DAM) solution. The overall offering can be deployed as separate stand-alone products or as an integrated solution that combines the strengths of WAF and DAM protection to address sophisticated attacks such as SQL injection, and also enables the tracking of web application users and their database activities. Any organization delivering services or products via the Web should consider SecureSphere as a must-have piece of its IT protection infrastructure. The product set makes a strong case for itself as a leading contender in this market space. KEY FINDINGS Combines web and data security solutions in a single suite. Includes extensive pre-built compliance and risk-mitigation rules and reports. Delivers risk-score-based alerts and automated remediation through workflows. Provides automatic remediation updates through its Application Defense Center. Uses a strong patent-pending dynamicprofiling technique. Provides a centralized management server with role-based user access. A small independent vendor operating in the very competitive web & data security arena. Facilitates integration with various third-party enterprise applications. LOOK AHEAD Imperva has an established roadmap strategy in place for the future development of its SecureSphere product set. However, the company does not make this information publicly available. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 1

2 FUNCTIONALITY Enterprise systems come under attack from both external and internal sources. The majority of data breaches involve the targeting of databases or the compromising of applications. Because business applications and their data stores are regularly deployed directly to web-facing environments, often to support organizations mainstream business interactions with customers, mobile workers, and business partners, the need for applications to be adequately protected has become a major business and IT concern, and the security of applications and the protection of confidential data is a critical business requirement. If leaked, this data could create an irreparable monetary loss as well as loss of reputation. This extends the protection requirement to include database-activity monitoring to ensure that system-protection requirements and authorized data-usage controls are correctly applied and that insider threats can be dealt with. Product Analysis Imperva s SecureSphere data-security suite combines a web application firewall and a database-monitoring capability on a single security platform. The company has recognized the increasing need to control both external and internal application vulnerabilities. Placing the application firewall in front of the server is a direct attempt to prevent external exploitation, which when combined with the product s database-protection capabilities, also protects against insider threats and enables it to address an extensive range of enterprise vulnerabilities. The suite addresses all aspects of the data-security lifecycle, and helps identify sensitive applications and databases. To prevent data breaches it controls user access. It also protects applications, and helps to ensure compliancerelevant data-confidentiality by providing an audit trail of database activities as required by regulations such as SOX and PCI. A major focus for the suite is protecting corporate data, and this is done by identifying sensitive data so organizations can tune their access rules to ensure that critical data does not get into the hands of unauthorized users. The suite helps block both internal and external users from stealing business-critical data. For internal threats Imperva provides a SecureSphere database firewall and database-activity monitoring solution, while external threats are handled through the SecureSphere web application firewall. The SecureSphere Data Security Suite performs four key functions. First, it provides discovery and classification of sensitive data assessments. This involves identifying the way a database is configured, and maintaining control over known vulnerabilities and user-rights management. The second function is the setting up and maintenance of policies and controls, third is monitoring data usage by measuring risk, analyzing security events, and generating compliance reports, and fourth is enforcing policies and monitoring the data movement against these policies. Based on the policies deployed, it is capable of generating alerts and blocking suspicious activity while also capturing end-user details to ensure accountability. One of the unique advantages that SecureSphere brings into the data-protection market is its dynamic-profiling technique. While the amount of data that needs to be protected is on the rise, the dynamic nature of applications and databases makes it even more difficult for organizations to effectively manage, deploy, and maintain application-level security policies. Dynamic profiling overcomes these issues by automatically examining all live applications and their database traffic to understand database structures and how applications and databases are accessed by users. It then automatically defines access policies. This approach helps build a profile for each application and database that can be manually retuned if necessary to allow for any accepted deviations. The dynamic-profiling technique also automatically monitors valid application and database changes over time, and updates the profile according to these changes, ensuring that all security policies are up to date. Apart from retuning pre-built policies SecureSphere allows administrators to define custom-built security policies for flexibility. If required, the solution s dynamic-learning facility can be switched off (the appliance comes pre-built with the dynamic mode on) if organizations need to retain a fixed level. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 2

3 Ovum is also impressed with the following capabilities of the solution: SecureSphere MX Management Server The SecureSphere MX Management Server is a web user interface (HTTP/HTTPS) command-line interface (SSH/Console)-based integrated and centralized management platform that provides a single console to manage multiple deployments of individual SecureSphere solutions as well as various components of the Data Security Suite. All changes made on the centralized console are automatically distributed to multiple gateways. The management server provides role-based management capabilities and acts as a centralized point for authorized administrators or users to aggregate security policies, perform real-time monitoring, and handle logging, auditing, and compliance reporting. The server defines policies based on a hierarchical object oriented policy framework that helps classify all the monitored IT assets based on physical sites, customer, business unit, function, or any other logical classification according to an organization s needs. The Management Server automatically retrieves audit logs from individual gateways, and stores them centrally in order to provide a unified high-level audit view. In addition, it is responsible for collecting, prioritizing, and providing real-time alerts through multiple gateways, via , phone, integrated graphical reporting, pager, and SNMP messages. All SecureSphere solutions come pre-built with a real-time dashboard that provides a high-level view of both the system status and security events. The reporting environment comprises an extensive reporting framework. This consists of huge sets of pre-defined reports, which while being flexible enough for organizations to incorporate custom reports and templates, also integrate the necessary analytical tools for adherence to compliance policies. This allows non-technical database auditors to view and analyze all database activity, and enables them to easily identify usage trends and patterns. All generated alerts can be searched, sorted, and directly linked to corresponding security rules. It also provides specific reports that help organizations to readily demonstrate compliance with SOX, PCI, and other data privacy laws. It is also possible to schedule automated reports, as well as send the output in PDF or HTML formats. Imperva Application Defense Center (ADC) All users of SecureSphere benefit from the facilities of the Imperva Application Defense Center (ADC). This is a research facility that provides core security research and analysis to help organizations proactively prevent critical attacks against sensitive enterprise applications. Directly associated with the Imperva ADC is the company s ADC Insights offering, a set of pre-packaged facilities to address specific customer problems. ADC Insights provides organizations with pre-defined audit rules, automated vulnerability assessments, table-structure awareness, and graphical reports for enterprise applications to identify specific non-complying data as well as security risks. ADC Insights packages are available for enterprise applications including SAP, Oracle E-Business Suite, and PeopleSoft. In terms of pre-built reporting ADC Insights provides over 250 detailed graphical reports, which help identify risk and measure IT compliance against regulatory demands such as SOX, PCI, and HIPAA. The Insights package gets automatic updates with new auditing knowledge from the Imperva ADC. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 3

4 Optional add-ons: SecureSphere additional add-on facilities extend the flexibility and functionality of the various SecureSphere product lines. ThreatRadar is an automated security service to the web application firewall, which helps block all traffic originating from a known attack source. It monitors live feeds from around the world, and based on its information sources, firewall policies can be continuously updated to ensure a high degree of protection against emerging zero-day attacks. Imperva User Rights Management helps organizations to automatically review and document user access to sensitive data, and validate user access based on the actual need to view sensitive data. Combined with databaseactivity monitoring, it surfaces dormant accounts and excessive rights over sensitive data. SecureSphere integrates with various third-party enterprise applications including SIEM and log-management solutions, directory solutions for role-based authentication, and web application scanning solutions such as WhiteHat for vulnerability assessment. The SecureSphere Data Security Suite is relevant to any enterprise constrained by any of today s regulatory compliance mandates such as the European Data Protection law, SOX, Basel II, HIPPA, or PCI, or has the straightforward requirement to streamline and protect existing sensitive data from unauthorized internal and external access. Imperva is one of only a few remaining independent vendors in a sector of the security market populated by some of the largest software companies in the world, most of which have entered the space through acquisitions. It is professionally funded and has an impressive list of enterprise clients, and SMBs, and enterprise organizations would do well to evaluate Imperva and its solution. Product Operation Imperva SecureSphere incorporates a multi-layer security architecture, which enables the product to analyze multiple data points to provide organizations with accurate automated attack-protection capabilities. The architecture integrates positive (white list) and negative (black list) security models, and enforces various algorithms such as signature-detection and protocol-compliance algorithms to identify and block sophisticated attacks including protocol violations, attack signatures, data leakage, and any identified discrepancies from past behavior. While the white list is updated through Imperva ADC, the black list is maintained using dynamic-profiling techniques. The SecureSphere Data Security Suite comprises the following product components: SecureSphere Web Application Firewall SecureSphere web application firewall uses a correlation engine that categorizes various attack signatures, and based on the severity of what it finds either generates alerts or completely blocks the threat from accessing targeted web applications. SecureSphere s Correlated Attack Validation technique examines information at the network and application levels in real time as well as monitoring for the reappearance of previously identified threats. This provides a collaborative approach that enables the product to differentiate between malware threats and valid traffic that should be allowed through. While individual violations might not indicate the nature of each attack, the correlation techniques clearly identify threat and violation combinations. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 4

5 The solution incorporates the use of an integrated stateful firewall that helps protect both applications and data from sophisticated user attacks, protocol threats, and network-layer attacks, while also being able to defend against previously unseen zero-day web attacks through identification of unique combinations of worm and associated malware attributes. Figure:1 SecureSphere Web Application Firewall Architecture Source: Imperva O V U M In Ovum s opinion, the key advantage provided by SecureSphere comes from the fact that the solution has the ability to track and correlate multiple events at the same time, rather than depending on a one-event-at-a-time defense. This enhances the defense system and enables the product to accurately monitor and safeguard against sophisticated application attacks. SecureSphere Discovery and Assessment Server The Discovery and Assessment Server enables organizations to implement a data-risk management process starting with the automated network-based discovery of all existing databases, providing organizations with an insight into assets that require protection. The database-discovery tool set also helps organizations to home in on rogue databases and where appropriate have them removed from the network. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 5

6 One of the core roles of the product involves assessing and classifying the data held on each database. This is an important function because it helps organizations identify sensitive data across the database infrastructure, allows them to prioritize data types that need to be safeguarded according to compliance and regulatory requirements, and helps in the delivery of data-vulnerability assessments. To achieve this SecureSphere uses dictionaries and rules as key data-classification methods, plus an extensive range of standard pre-defined data-classification categories such as financial information, credit-card numbers, personal identification information, and custom data types. All discovered and classified data can be quickly added to existing server groups based on defining elements such as location, database type, or data type, which are then applied with assessment policies that enable organizations to achieve data visibility. Database-discovery and data-classification scans can be scheduled and repeated to ensure that all new databases are initially reported upon and classified at the point of installation. Another core capability of the Discovery and Assessment Server comes from its ability to identify and quantify over 1,000 different vulnerabilities by using pre-built tests for various platforms and databases. While operating systems and RDBMSs are tested for known exploits and misconfiguration, it is also possible to configure custom assessments according to an organization s specific requirements. All relevant assessment tests are then automatically updated and maintained by the Imperva ADC research team. To manage discovered database vulnerabilities the solution assigns a score to each one based on its severity. To achieve continuity across its scoring methodology the product uses the Common Vulnerability Scoring System (CVSS). Every identified vulnerability is mapped to a common vulnerabilities and exposures (CVE) list using the NIST standard. The solution also offers an interactive vulnerability dashboard and a vulnerability workbench, allowing organizations to understand and analyze the threats, and enabling users to track, manage, and mitigate against known vulnerabilities. SecureSphere Database Activity Monitoring and Database Firewall For the SecureSphere Suite, database-activity monitoring and database firewall services come into action once all sensitive database information has been discovered and assessed for vulnerabilities. While the main function of the database-activity monitoring solution is to quickly implement a pre-defined or custom set of security and audit policies as required by various compliance regulations including SOX and PCI, database-activity monitoring also ensures a continuous and automatic auditing of all database access requests. In addition, the database firewall adds the ability to block unauthorized access as well as working to remediate against new vulnerabilities as they arise through the use of virtual patching facilities. The product set enables organizations to collaboratively gain visibility into ongoing database activity, and helps to accurately measure the risk associated with each database. The SecureSphere Suite provides a detailed audit trail of all database activity. This enables organizations to capture details of who accessed what data with which application, at what time, and the type of data requested. SecureSphere captures all database activity including DML, DDL, and DCL activity, read-only activity, changes made to stored procedures, triggers, and database objects, as well as SQL errors and database login activity. The audit trail is stored in an external, secured, and hardened repository, which is accessible via a role-based access-control mechanism. All data in the repository can be secured using encryption or provided as read-only views for authorized users to ensure that audit trail integrity is maintained. To prevent the leakage of sensitive data, SecureSphere also monitors all database responses. In this context the solution is capable of effectively handling change management. It monitors all database activity, generates real-time alerts when suspected fraudulent activity is identified, and ensures that follow-up tasks are correctly assigned. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 6

7 A key advantage of the database firewall is its ability to automatically perform virtual patching to remediate vulnerable databases, rather than waiting for the RDBMS vendor or outsourcer to develop and implement a scheduled patch cycle. To support its patching capability the firewall inspects network and host-based activity to block attempts to exploit known vulnerabilities before they reach the database. SecureSphere performs its patching by actively monitoring real-time database activity, and identifying database attacks that occur either at the OS and protocol level or at SQL activity level. Once a database vulnerability is discovered, a granular database firewall rule is applied to ensure blocking is effective, with new firewall rules deployed without the involvement of either the DBA or affecting the database itself. Using this approach new firewall patching rules can be quickly tested and rolled back in line with the organization s future needs. SecureSphere supports a broad range of high-availability options including Imperva High Availability (IMPVHA) subsecond failover, Virtual Router Redundancy Protocol (VRRP) router or proxy deployments, Active-Active and Active- Passive Redundancy external availability mechanisms, Fail-open interfaces single-gateway availability, and Noninline deployment zero -risk monitoring and assessment. Product Emphasis Imperva through its SecureSphere Data Security Suite brings together a web application firewall and a databaseactivity monitoring solution that has the capability to provide a holistic view on all internal database usage/access permissions and restrictions. Based on its intelligence-led approach to threat identification, SecureSphere enables organizations to fine-tune both web and database policies, and monitor database activity to prevent leakage of sensitive data. SecureSphere s strength lies in being able to correlate activity reports on the web and database tiers. It also addresses compliance-management and core governance requirements. To deliver its range of services, it uses dynamic-profiling technology, which by continuously examining live applications and database traffic creates a maintainable and continuously updatable database management structure. Ovum believes that Imperva SecureSphere is among the leading data-security solutions on the market today. DEPLOYMENT Imperva SecureSphere is available for deployment in various modes including Transparent Bridge (Layer 2), Reverse Proxy, Non-inline sniffer, and Transparent Proxy. It is appliance-based and can be deployed to work in either a pure sniffing-and-monitoring mode, or in full threat-identification and blocking mode, and is flexible enough to be adjusted to take on the operating mode that fits organizational needs. To eliminate blind spots and ensure all database activity is captured, including local privileged activity, the solution also offers host-based agents. The SecureSphere agents can work in two modes: local and global. Local mode audits only local activities performed directly on the monitored server. It is usually combined with network-activity monitoring. Global mode audits all activities, performed locally or through the network, on monitored servers. This agent has a higher overhead and should be used when an appliance cannot be positioned in a location where it can capture network traffic such as a small remote site with only one or two database servers. An Imperva SecureSphere implementation typically requires one dedicated person who is provided with training to understand the tuning requirements of the appliance in line with operational and environmental needs. Because Imperva can be deployed in a variety of operational modes, deployment and testing times vary significantly, ranging from two days to two weeks depending on complexity. In terms of business-procedure changes, Imperva is aware that enterprises may need to change certain processes to ensure that alerts from security events can be managed effectively. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 7

8 The SecureSphere appliance is available in a wide range of form factors, from the X4500 appliance with a throughput of 1Gbps, to the X6500 (2Gbps) and X2500 (500Mbps). Imperva also provides the X2000 (500 Mbps) and X1000 (100Mbps) series of appliances aimed at smaller organizations. The SecureSphere MX Management Server appliance is available in two form factors: M150 series and M100 series. SecureSphere appliances can be either deployed individually as a complete single-box solution, or as a multiple interconnected appliance approach to support the scalability, failover, and high-availability requirements of enterprise deployments. Post implementation, an enterprise will typically require only in-house resources for tracking alerts and customizing policies. However, support overheads will vary depending on deployment size and complexity. Imperva also offers an option of an onsite manager at additional cost. Imperva s training options include computer-based self-training or three-day and five-day courses conducted onsite or at Imperva. Imperva provides various options for worldwide technical support: Standard (between 8am and 6pm local time), and Enhanced and Premium Support (24x7x365). The difference between Enhanced and Premium is that enhanced support includes only a standard hardware-replacement policy, while premium support offers extended hardware replacement. PRODUCT STRATEGY Imperva SecureSphere is targeted at enterprises of all sizes. However given that Imperva s revenues from SMBs increased in 2009, it is clear that this is a potential area for growth. To date the SecurSphere s most successful markets have included the retail, banking, and government sectors because these industries are required to comply with a stricter system of regulations than most others. Imperva s product does however have the potential for a broader audience. Any organization that has a need to comply with industry regulations such as PCI (most business sectors) and an ongoing need to adequately protect itself against the risk of data breaches, internal fraud, or loss of intellectual property, is in the overall scope of SecureSphere s target market. The company s route to market is mainly through the channel, which accounts for nearly 90% of revenues. In terms of pricing, the SecureSphere appliance ranges from $15,000 to $120,000, about 90% of which is product costs, and the rest services (mostly training-related). The cost of SecureSphere MX Management Server appliance ranges from $1,000 to $15,000, and average support and maintenance fees, which include policy updates from ADC and various support options, is 20% of the list price. Imperva s technology and business partners include WhiteHat Sentinel, Cenzic Hailstorm, IBM Rational AppScan, HP WebInspect, and NT OBJECTives. COMPANY PROFILE Founded in 2002 by Check Point founder Shlomo Kramer and Amichai Shulman, Imperva is focused on developing security solutions that help safeguard sensitive business data and applications. The company is headquartered in Redwood Shores, US, with a second office in Tel Aviv, Israel that focuses on R&D. The company has 281 employees with 40% based in the US, 40% in Israel, and the rest at international sales offices in the UK, Singapore, Germany, and Australia. The company is privately held and investors include USVP and Greylock. Imperva SecureSphere is deployed across more than 50 countries with more than 1,000 direct customers. Reference clients include Agilent, TechSoup Global, Fiserv, Apple, TDAmeritrade, Wells Fargo, BetFair, and O2. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 8

9 SUMMARY The Imperva SecureSphere product set brings together an integrated web application firewall and database-activity monitoring solution that is relevant to any organization that is looking to combine web and database-protection services. The market for web applications is extensive and maturing fast. The sheer volume of web attacks is growing in line with everyday usage, making the need for good quality protection a necessity. Another major concern for organizations is understanding and controlling the threats posed against database resources. The volume of internal as well as external access requests and the associated audit logs that need to be analyzed and maintained is becoming increasingly problematic. Imperva, with its SecureSphere offering, addresses both of these concerns by bringing together web application firewall protection and intelligence-led database monitoring, management, and protection. The web and data-protection arena is a highly competitive sector that includes many large infrastructure vendors as well as a significant number of smaller specialist providers. However, with a 30% growth rate in 2009, Imperva appears to be successful, and much of the credit for this should go to the strength of its product set. In Ovum s opinion, the SecureSphere solution merits a closer evaluation by any organization keen on building a risk-based approach to managing and controlling access to critical web and database applications and achieving adherence to necessary regulatory demands. Table 1: Contact Details Imperva Headquarters 3400 Bridge Parkway, Suite 101 Redwood Shores, CA USA Tel: +1 (650) Fax: +1 (650) Imperva UK Ltd 200 Brook Drive Green Park, Reading Berkshire, RG2 6UB UK Tel: +44 (0) Fax: +44 (0) Source: Imperva O V U M Headquarters Shirethorn House, 37/43 Prospect Street, Kingston upon Hull, HU2 8PX, UK Tel: +44 (0) Fax: +44 (0) Australian Sales Office Level 46, Citigroup Building, 2 Park Street, Sydney, NSW, 2000, Australia Tel: + 61 (02) Fax: + 61 (02) End-user Sales Office (USA) 245 Fifth Avenue, 4th Floor, New York, NY 10016, USA Tel: Fax: For more information on OVUM Butler Group s Subscription Services please contact one of the local offices above. Important Notice This report contains data and information upto-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 9