Advantages of Server-side Database Auditing. By SoftTree Technologies, Inc.



Similar documents
Oracle Database Security and Audit

Exhibit B5b South Dakota. Vendor Questions COTS Software Set

MySQL Security: Best Practices

Securely maintaining sensitive financial and

Setting up an MS SQL Server for IGSS

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

Record and Replay All Windows and Unix User Sessions Like a security camera on your servers

Auditing Data Access Without Bringing Your Database To Its Knees

Vormetric Data Security

Best Approaches to Database Auditing: Strengths and Weaknesses.

Enforcive /Cross-Platform Audit

Quest InTrust. Version 8.0. What's New. Active Directory Exchange Windows

Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems

Guardium S-TAP: Application Note

Securing SharePoint 101. Rob Rachwald Imperva

What s New in Centrify DirectAudit 2.0

syslog-ng Store Box PRODUCT DESCRIPTION Copyright BalaBit IT Security All rights reserved.

Secret Server Qualys Integration Guide

Introduction of Intrusion Detection Systems

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

IBM Software InfoSphere Guardium. Planning a data security and auditing deployment for Hadoop

enicq 5 System Administrator s Guide

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

DB Audit Expert 3.1. Performance Auditing Add-on Version 1.1 for Microsoft SQL Server 2000 & 2005

PATROL From a Database Administrator s Perspective

Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/ Barfield Road Atlanta, GA Tel: Fax:

Guardium Change Auditing System (CAS)

The Ultimate Remote Database Administration Tool for Oracle, SQL Server and DB2 UDB

DATABASE AUDITING TOOLS AND STRATEGIES

Vistara Lifecycle Management

Enterprise Security Critical Standards Summary

Symantec NetBackup 7 Clients and Agents

Compulink Advantage Cloud sm Software Installation, Configuration, and Performance Guide for Windows

DB Audit for Oracle, Microsoft SQL Server, Sybase ASE, Sybase ASA, and IBM DB2

Oracle Net Services for Oracle10g. An Oracle White Paper May 2005

Compulink Advantage Online TM

Monitoring HP OO 10. Overview. Available Tools. HP OO Community Guides

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Introduction to Database Log Management

RemotelyAnywhere. Security Considerations

The syslog-ng Store Box 3 F2

The syslog-ng Store Box 3 LTS

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

The Comprehensive Guide to PCI Security Standards Compliance

Edit system files. Delete file. ObserveIT Highlights. Change OS settings. Change password. See exactly what users are doing!

Service Level Agreement (SLA) Arcplace Backup Enterprise Service

Application Design and Development

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Data Replication in Privileged Credential Vaults

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Web-Based Data Backup Solutions

SERVICE SCHEDULE DEDICATED SERVER SERVICES

The Pitfalls of Encrypted Networks in Banking Operations Compliance Success in two industry cases

ExecuTrain Course Outline MOC 6231B: Maintaining a Microsoft SQL Server 2008 R2 Database

Distributed syslog architectures with syslog-ng Premium Edition

Implementing Sarbanes-Oxley Audit Requirements WHITE PAPER

Database Security Guide

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

Division of IT Security Best Practices for Database Management Systems

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

Administration Guide NetIQ Privileged Account Manager 3.0.1

MySQL Strategy. Morten Andersen, MySQL Enterprise Sales. Copyright 2014 Oracle and/or its affiliates. All rights reserved.

SQL Server 2008 Designing, Optimizing, and Maintaining a Database Session 1

Alert Logic Log Manager

Securing Data in Oracle Database 12c

Securing Database Servers. Database security for enterprise information systems and security professionals

B database Security - A Case Study

Mobile Admin Architecture

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

HP OO 10.X - SiteScope Monitoring Templates

Real-Time Database Protection and. Overview IBM Corporation

An Oracle White Paper April Oracle Audit Vault and Database Firewall

Content Server Installation Guide

Product Overview. Initial Seeding

Course Title: Penetration Testing: Security Analysis

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

McAfee Database Security. Dan Sarel, VP Database Security Products

CorreLog Alignment to PCI Security Standards Compliance

Norton Mobile Privacy Notice

Syslog Analyzer ABOUT US. Member of the TeleManagement Forum

White Paper. McAfee Real-Time Database Monitoring, Auditing, and Intrusion Prevention

Radiological Assessment Display and Control System

New Security Options in DB2 for z/os Release 9 and 10

SOLUTIONS INC. BACK-IT UP. Online Backup Solution

Below are the some of the new features of SQL Server that has been discussed in this course

Oracle Health Sciences Network. 1 Introduction. 1.1 General Security Principles

Locking down a Hitachi ID Suite server

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Oracle Database 11g Comparison Chart

SERVICE SCHEDULE PULSANT ENTERPRISE CLOUD SERVICES

Transcription:

Advantages of Server-side Database Auditing By SoftTree Technologies, Inc.

Table of Contents Advantages of server-side auditing... 3 Does server-side auditing create a performance hit on the audited databases?... 3 Why would you want to use server-side auditing instead of so-called non-intrusive auditing tools?... 4 What vendors of network-based auditing tools don't want to tell you... 4 What vendors of transaction log based auditing tools don't want to tell you... 5 Sybase ASE... 6 Microsoft SQL Server 000... 7 Microsoft SQL Server 005... 8 Oracle... 0 DB... Dictionary... 5

007 SoftTree Technologies, Inc. Page 3 Advantages of server-side auditing. Server-side auditing is the only method allowing auditing of every type of database access by any type of user, regardless of whether users are network based or local to the server. Server-side auditing can also audit all types of local access to the database server performed via remote system access protocols such as Telnet, SSH, Windows RDP, Terminal servers, Citrix, Symantec pcanywere, just to name a few.. Server-side auditing also allows auditing user activities performed using encrypted network protocols (SSH, SSL, etc..) and encrypted database clientserver communication protocols (Oracle TCPS, DB APPC, ASE SSL encryption, MySQL compression, SQL Server connection encryption, etc..). All these encrypted database communication protocols can be audited just as well as regular non-encrypted protocols. 3. Server-side auditing provides reach audit-time filtering not available in other auditing products 4. Server-side auditing records data to audit trail tables or optionally to external files in a real-time and the recorded data is immediately available for use in reporting and alerting processes. This data can be used for real-time or historical forensic analysis. 5. Audit trails contain data in structured format, with audit information presented as a set of time-stamped events with a rich set of attributes. This information can be easily analyzed using any mainstream database reporting tools and you are not locked to proprietary reporting technologies and canned reports provided with the audit tools, which are usually limited in capabilities and scope. 6. The collected audit events can be easily aggregated and correlated with application and system event logs. This is especially important in web applications that utilize connection pools using a single database user account (kind of a super-user) for every application user. The correlation of database events can be performed in a real time or after the fact, linking application user names to database sessions and changes and unmasking these otherwise anonymous users. 7. The collected server-side audit events can be easily replicated to an enterprise audit repository server where they cannot be altered or modified by personnel who have local access to the audited database servers. Does server-side auditing create a performance hit? Sure, every additional processing on the database server such as auditing, inevitable creates additional I/O and requires additional CPU resources. But if the auditing is setup properly and focused on what is really needed, in other words, if you don't attempt to capture every bit of data and every command executed by every user on a very busy

007 SoftTree Technologies, Inc. Page 4 production server, the performance hit should be really negligible and more than acceptable in regard to the benefits offered by the server-side auditing. Why would you want to use server-side auditing instead of so-called non-intrusive auditing tools? Besides the advantages described in the first topic you should consider the following facts:. Server-side auditing is the only way to audit complete database server activities and every protocol and type of database access by any type of user, regardless of whether users are network based or local to the server. Server-side auditing is the only solution for monitoring every type of back-door access to the server and the data.. No changes or functionality sacrifices are required in any existing applications and systems when server-side auditing is deployed. Use whatever application or database access methods you use or want to use without any changes or restrictions. Run your regular database management tools, data load tools, such as SQL*Loader, DTS, LOAD TABLE and other directly on the server as you use them now Read the following paragraphs to find out how many different methods are available for every major database system to access the data in the database, bypassing the entire network stack and along with it, bypassing all network traffic sniffing tools as well as find out how to avoid leaving any tracks in database transaction logs. What vendors of network-based auditing tools don't want to tell you. There are many database communication protocols available. Look around; TCP is only one of many. Can your vendors handle non-tcp protocols?. Database communications can be and should be encrypted. When communications are encrypted, network based tools and hackers cannot peek into the data traveling on the network between your applications and database servers. 3. Local database access using IPC or shared memory methods cannot be audited from outside of the local system. Virtually every DBA as well as many privileged users use such database access methods!

007 SoftTree Technologies, Inc. Page 5 4. Internal database activities and data relations cannot be sniffed or audited from outside. For example, table A can be accessed via view B and that view is referenced in views C, D and F, Each view has some joins and data filters (WHERE or HAVING clauses). If users never reference table A directly in their SQL commands, how can you know when table A is really accessed and which part of it? Network-based side SQL sniffing is no help here. 5. SQL sniffing off the network and parsing the captured traffic data without physical database connection and inside the database user session context is simply unreliable by design. Just think of user impersonation, use of database views and object aliases and other database things that exist specifically to prevent direct user access to the underlying data. 6. Network-based auditing tools cannot tell you which privileges are actually used by users to perform database operations. 7. There is no way to correlate or see the real impact and data-access resulting for each SQL command. Consider, for example, a hacker sending a command to the database that schedules an automated job to save employee data to a file during late night hours. The data is not updated or retrieved over the wire by that command. Moreover, the leak of this sensitive data doesn't even happen in the same user session or same time. The hacker can later pick the created file from the operation system without accessing the database again. What vendors of transaction log based auditing tools don't want to tell you. Only small subset of user activities is tracked in transaction logs. It is fair to say that less then 0 % of database operations are typically recorded in these logs. Transaction log records only cover database updates, but what about SELECT, EXECUTE and other common commands used to access data in the database?. Transaction logs typically do not contain any information about unauthorized activities, making it impossible to backtrack any unauthorized access and update attempts, security violations and other related events considered as a must-have for any system which is subject to auditing for SOX compliance and other government regulations. 3. In case of failed data updates, the database system rolls back all intermediate changes and as a result the associated log data completely vanishes from the transaction logs. 4. Transaction logs are limited in size. Many database systems use log rotation or truncation during backups in which case the logged transaction data simple disappears from the transaction logs. As a result, transaction logs become unusable for backtracking old activities and for performing accurate analysis of user activity patterns.

007 SoftTree Technologies, Inc. Page 6 Appendix A: Use of non TCP-based protocols and data encryptions methods Sybase ASE

007 SoftTree Technologies, Inc. Page 7 Microsoft SQL Server 000

007 SoftTree Technologies, Inc. Page 8 Microsoft SQL Server 005

007 SoftTree Technologies, Inc. Page 9

007 SoftTree Technologies, Inc. Page 0 Oracle 3 3

007 SoftTree Technologies, Inc. Page DB 3

007 SoftTree Technologies, Inc. Page 3

007 SoftTree Technologies, Inc. Page 3 MySQL

007 SoftTree Technologies, Inc. Page 4

007 SoftTree Technologies, Inc. Page 5 Appendix B: Dictionary A number of common abbreviations and technical terms were used on the screenshots provided in this document. Here is brief description of these terms. IPC - the Inter-Process Communication (IPC) protocol is used for client applications that are on the same computer as the Oracle listener. IPC doesn't use network stack and allows client communicate with the local server directly. Shared Memory this is just another kind of IPC. Named Pipes the Named Pipes is used for client applications that are not using TCP/IP. Named Pipes method is available on both Windows and Unix systems. NMP - this is essentially the same as Named Pipes TCPS - the TCP/IP with Secure Sockets Layer (SSL) protocol enables a client application on a client to communicate with remote databases through TCP/IP and SSL using SSL encryption applied to the messages they exchange. TCP/IP SSL this is the same as TCPS

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information