McAfee Database Security. DOAG SIG SECURITY Leipzig Franz Hüll Senior Security Engineer

Transcription

1 McAfee Database Security DOAG SIG SECURITY Leipzig Franz Hüll Senior Security Engineer

2 Agenda Database Activity Monitoring DB security from McAfee (Sentrigo) Brief products Overview MVM (McAfee vulnerability Manager) SSD (Security Scanner for Databases) DAM (Database Activity Monitoring) Demo Q&A

3 McAfee Facts 125 million McAfee users 180+ million mobile devices shipped with McAfee 5 million single largest McAfee deployment 9 Gartner Magic Quadrants that feature McAfee 480 McAfee patents, more pending 110+ McAfee Security Innovation Alliance partners 6,595 McAfee employees globally* 120 countries that make up McAfee s global footprint *As of July 2, 2011

4 Security: the Third Pillar of Computing BETTER SECURITY SOLUTIONS & PRODUCTS POWER EFFICIENT PERFORMANCE INTERNET CONNECTIVITY SECURITY

5 Database Security and the Enterprise Databases power the largest applications in the world Customers store their most critical and sensitive data in databases, any loss, interruption, or breach could be disastrous Any vulnerability, misconfiguration or exploitation means non-compliance to audits (HIPAA, SOX, PCI, etc.)

6 Where are the goods? Database servers are involved in 25% of all breaches Database breaches account for 92% of all records breached Sophisticated attacks make up 15% of all attacks Sophisticated attacks account for 87% of all records breached # of Breaches DB # of Breaches # of Records Other # of Records Source: Verizon Business Study 2010 High Low/Mod

7 The Challenge Your Most Valuable Data is in Databases Customer Records and PII Credit card numbers, account numbers, billing data, authentication data Employee Information SSNs, salary, reviews Financial Data & IP Revenue, receivables, research

8 Why Isn t My Database Secure? Technology Accessed constantly by multiple applications, users Impossible to lock down without impacting accessibility Vulnerable (SQL injection, buffer overflow) Process Patches (ie. Oracle CPU) not applied in timely manner Implementation practices (default/shared passwords, etc.) People Accessed by DBAs, Sys Admins, programmers.

9 Need to be Compliant Regulations require sensitive data be handled securely PCI DSS, Sarbanes-Oxley, HIPAA, SAS 70, GLBA, and other industry-specific regulations Breach Notification Laws Increase Visibility Originally CA SB1386, now in 46 states and widely adopted worldwide U.S. House passed HR 2221 in December, Senate has 2 bills on the floor now EU legislation expected Internal IT Governance Dictates Process Timely installation of patches Segregation of Duties

10 Database Security from McAfee SENTRIGO

11 Acquisition of Sentrigo! McAfee broadens its Database Security solutions with the acquisition of Sentrigo Database Activity Monitoring, Vulnerability Management, and Virtual Patching Proven technology, strong differentiation Scalable from SMB to largest global enterprise Compatible with existing Risk and Compliance portfolio

12 McAfee Vulnerability Manager for Databases VULNERABILITY ASSESSMENT

13 About Vulnerability Manager for Databases Over 4,200 vulnerability checks Patch levels Weak passwords Configuration base lining Backdoor detection Sensitive data discovery (PII, SSN, etc) Vulnerable PL/SQL code Unused features Custom checks

14 McAfee Database Activity Monitoring TRUSTED AUDIT AND REAL- TIME INTRUSION PREVENTION

15 Fundamental Principles Protection from the Inside Out More effective More efficient Better fit with today s IT environment Lower Cost and Complexity of Implementation Software-only solution Easy to download, evaluate, and buy Fastest Time-to-Compliance No Downtime!

16 Listener Bequeath Full Coverage of All Accesses Databases can be accessed from three sources: 1) From the network 2) From the host 3) From within the database (Intra-DB) Intra-DB DB Admins Sys Admins Programmers SAP Local Connection Network Connection DBMS Shared Intra- Memory Data Stored Proc. Trigger View McAfee Sensor (OS Service)

17 McAfee DAM: Enterprise Deployment Cloud Network DB Alerts / Events epo McAfee Database Security Server (software) Sensor Sensor Sensor DB DBDBDB DB DB DB Web-based Admin Console

18 Reaction in Real-time Memory-based, Read-only Sensor is Close Enough to Intervene in Response to Threats Alerting via dashboard or other tools Session termination (via Native DB APIs) User quarantine Firewall update via OPSEC

19 Segregation of Duties and Audit Trail Database Administrators (DBA) helps define policy with compliance System Administrators install sensors InfoSec monitors alerts and sensor status

20 Only Solution for Virtualization/Cloud Virtualization Memory-based monitoring sees VM-to-VM traffic Efficient local rules processing Works well in a dynamic environment Cloud Computing Distributed model functions well even in WAN environments Automated provisioning and segregation of duties allows inhouse monitoring of managed services Cloud Computing Infrastructure D B D B D B D B

21 McAfee Database Activity Monitoring Virtual Patching vpatch

22 Why Virtual Patching? Applying DBMS security patches is painful: Requires extensive testing and db downtime Often results in business disruption Sometimes it's near impossible: 24/7/365 operations (one maintenance window per year) Heavily customized applications DBMS versions that are no longer supported by vendor (e.g. 8i) Resources are limited Solution: Virtual Patching Protects against known and zero-day vulnerabilities without any downtime or code changes until you can patch

23 Unpatched Database HUGE Risk Zero Day Reported Vulnerability Patch Issued Patch Installed High Low Months/Years Months/Years Exploits published on the web Often do not require DBA-level skill and automated tools now available vpatch Rule released Risk highest after patch is issued Risk window is months long, sometimes years

24 Database Dashboard

25 More McAfee Application Control Prevents execution non authorized Programs Application Whitelisting McAfee Change Control Monitors changes on Folders, Files, Registry Keys Prevents changes McAfee Data Loss Prevention

26 Was ist McAfee Application Control? Schutz des Systems basiert auf dynamischem Whitelisting Definiert welche Programme ausgeführt werden dürfen (Whitelist) Die Whitelist beinhaltet Datei-Systempfad, Hash, Dateityp Ein Anti-Virus Produkt nutzt hier als Vergleich eine Blacklist, alle Programme im Signatur-Paket dürfen nicht ausgeführt werden und sind potentiell böse (Blacklist Ansatz) Deploy and Forget Ansatz McAfee Application Control benötigt keine definierten Regeln und keine Signaturen Keine False-positives oder False-negatives im laufenden Betrieb Schutz des Hauptspeichers Nicht autorisierter Code kann nicht ausgeführt werden Nicht autorisierter Code wird gestoppt, bevor es zu unerlaubten Ausführungen kommt Buffer overflow, Heap overflows und vergleichbare Angriffe werden abgefangen

27 McAfee Change Control Sichtbarkeit und Enforcement für Ende-zu-Ende Compliance Integrity Monitoring Alarmierung bei kritischen und nicht autorisierten Veränderungen Change Prevention X Selektives Verhindern von Out-of-policy Veränderungen. Logerstellung bei jedem Versuch einer Out-of-policy Veränderung Read und/oder Write Deny auf Textdateien Write deny auf Registrykeys

28 Database Security Architecture Database Assessment Database Protection OS Assessment OS Protection Network Assessment Network Protection Network Monitoring Database Activity Monitoring OS Monitoring

29 Database Security Architecture McAfee Vulnerability Manager for Databases McAfee Change Control McAfee Vulnerability Manager McAfee Network Security Platform McAfee Firewall Enterprise McAfee Application Control McAfee DLP McAfee Database Activity Monitoring(virtual patching) McAfee epolicy Orchestrator McAfee Database Activity Monitoring McAfee Change Control

30 McAfee Database Security DEMO

31