White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere




As the primary repository for the enterprise's most valuable information, the database is perhaps the most sensitive segment of the IT landscape. Many organizations are learning that database assets are vulnerable both to external attackers working through Web applications and to internal employees who take advantage of more direct privileges. Customer records, financial reports, and patient data are all at risk. The threat of compromising sensitive information, whether by leakage or by unauthorized changes, is driving compliance regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and others, which require organizations to implement strong database access controls.

Imperva SecureSphere helps organizations protect databases from unauthorized activities by enabling them to:
» Achieve unparalleled visibility into database activities
» Enforce accurate and granular database and data access policies
» Deliver proactive database protection against external attacks and internal misuse

In this White Paper we present the range of blocking options that can enforce better access controls and protect against suspicious database activities.

Monitoring Privileged Database Activities

Privileged users, including DBAs, are required to manage and maintain databases, but their powerful database privileges also pose a concern. Since these users often need to access databases directly and perform highly sensitive operations on database configuration and content, they are often given unlimited access to sensitive content and containers. Abuse of these privileges can compromise the organization's databases and data, disrupting business operations and enabling data leakage and fraud. Complete database security therefore requires inspection of all privileged database activity: real-time alerts on suspicious activity must be raised, and a detailed audit trail must be kept for forensic investigation.

The SecureSphere solution monitors all access paths to data, providing 360 degree data protection. Its hybrid architecture gives maximum visibility into database activity with minimal overhead, and combines the following components:
» Network monitoring appliances: provide early network-based detection and protection with zero impact on the monitored systems
» Lightweight host-based agents: add visibility into direct/local privileged activity and eliminate blind spots. Full agent-based database activity monitoring is available as well.
» Agentless collection of third-party audit logs (including native audit logs): covers areas where neither network nor agent-based monitoring can be implemented

This hybrid architecture offers flexible deployment options to match any topology, and ensures that all paths to data are always monitored.

When Monitoring Privileged Activities Is Not Enough

SecureSphere DAM (Database Activity Monitoring) protects databases by generating detailed audit trails and real-time security alerts whenever anomalous activity is detected or access policies are violated, including privileged user violations. But while monitoring privileged activities is an important element of a defense strategy, a monitoring-only solution is limited to detective controls (alerts and reports) rather than preventive controls (enforcing access controls and blocking unauthorized activities). To enforce stronger controls over privileged activities that may compromise the database, some organizations are looking for solutions that can block unauthorized privileged activities and quarantine suspect users. While a suspect user is in quarantine, its privileges are suspended until the activity has been reviewed and authorized.

Preventing Unauthorized Privileged Activities Using SecureSphere

SecureSphere Database Firewall, which is also part of the SecureSphere Data Security Suite, supports four different techniques for blocking and preventing unauthorized privileged activities:

1. Inline network blocking

To achieve inline blocking, SecureSphere gateway appliances are deployed in inline mode. In this scenario the gateway appliance acts as a bridge between the external network and the protected database server, and inspects every packet that passes through it (including encrypted traffic, provided the gateway has been given the key material needed to decrypt it). Each packet is analyzed in real time to understand the activity behind it; if the requested activity violates security or access policies, SecureSphere blocks the malicious traffic by dropping the request or packet that triggered the event. Because the gateway sits in the data path, a dropped request never reaches the database server, which is what makes inline blocking the most effective way to stop database attacks seen on the network. Inline deployment introduces minimal latency (sub-millisecond), but it also places the appliance in the path of all production traffic, so its fail-open or fail-closed behaviour and high-availability pairing need to be decided at design time.

Figure 1: Inline network blocking (users Joe, Tod and Sam reach the database servers through the application servers, with the Imperva SecureSphere gateway bridged into the path)

2. Non-inline session blocking

Non-inline blocking is available when SecureSphere gateway appliances are deployed in non-inline (sniffing) mode. While Imperva recommends inline deployment for the most effective database activity blocking, non-inline mode protects database servers with zero risk to the performance of the application. In this scenario the gateway does not act as a bridge and only receives a mirrored copy of the traffic, so it cannot drop packets. Instead, the gateway appliance issues a TCP reset to tear down the offending connection. Because the appliance is judging a copy of the packet, the original has already been delivered to the database server by the time the reset is generated, so the reset races the server's processing of the request: if the reset is too slow, the statement executes before the session is torn down, and a reset that arrives afterwards cannot undo what was already done. Non-inline session blocking is therefore considered less effective than inline blocking, but it introduces no latency.

In addition to sending a TCP reset to block network activity, SecureSphere can also block sessions directly on the protected database server. Using the session information, the appliance sends a remote command that terminates the session on the server itself. This does not require a SecureSphere agent on the protected server.

Figure 2: Non-inline session blocking, network and local session (users Joe, Tod and Sam, application servers, and the Imperva SecureSphere gateway receiving mirrored traffic)

3. Terminating unauthorized privileged activities

Privileged users and DBAs are responsible for the administration and maintenance of databases and require elevated privileges and access to system resources. Complete visibility into privileged activity and real-time alerts ensure that only authorized applications and users access sensitive data or change database schemas and values.

The challenge of monitoring and controlling privileged database activities is that most of them are performed locally on the database server (e.g., a database administrator accesses the database host directly, or through a remote shell or a VPN/secure channel). When database activities are performed locally on the database server, there is no network traffic (or, at least, no external network traffic) for the SecureSphere gateway appliance to examine.

To gain the required visibility, the SecureSphere solution uses a lightweight database agent, which inspects the database host's internal network activity on the protected server for all user-initiated activity. SecureSphere agents eliminate blind spots by extending full visibility and protection to all network and local privileged operations, including Data Definition Language (DDL) commands, Data Control Language (DCL) commands, Data Manipulation Language (DML) commands, read-only SELECT statements, and more. The agent sends details of the monitored activity to a remote SecureSphere gateway appliance, which analyzes it. If the activity violates security policy, the appliance sends a command back to block the activity on the protected server. As a secondary option, SecureSphere can quarantine the privileged user, denying all activity from the offending user until it has been reviewed and authorized by the security and management team. This is covered in the next section.

Figure 3: Terminating unauthorized privileged activities (privileged users such as DBAs and developers with direct access to the database host, monitored by the agent and the Imperva SecureSphere Database Firewall)

4. User quarantine

SecureSphere can also quarantine offending database users by removing their RDBMS privileges. Privileged account quarantine not only ensures that the user cannot execute any further actions, but also removes their ability to log in to the database. Because quarantine removes the ability to log in, it should be scoped to named individual accounts; locking a shared administrative or application service account would also cut off every legitimate session that depends on it. To reinstate a quarantined account, a security review is required; only after the review and authorization process can the user be reactivated. For organizations that have review processes in place, SecureSphere can send an automated notification to security-management and ticketing systems (including BMC Remedy and ArcSight SIEM) to report that a user has been quarantined. The review team then uses SecureSphere Interactive Audit Analytics to examine the relevant event details and related user activity and decide whether the user should access the database at all and, if so, which privileges should be assigned. Quarantine notifications can also be sent directly by email, or to a syslog where they can be picked up by other solutions. User quarantine allows IT security departments to stop insider data breaches at the source and prevent any subsequent attempt by the same individual to compromise the company's assets.

Figure 4: User quarantine (privileged users such as DBAs and developers; the Imperva SecureSphere Database Firewall raises an alert, sends email and/or notifies third-party systems)
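As an added worked example (not Imperva's code and not SecureSphere's policy language), the following Python sketches the decision logic behind blocking options 1, 3 and 4 above: it classifies each statement as DDL, DCL, DML or SELECT, checks it against a per-account policy, terminates the session on a violation, and quarantines the account after repeated violations until a reviewer reinstates it. The accounts (dba_joe, app_svc), the tables, the rule set, the sample events and the quarantine threshold are all constructed assumptions; the session-kill and account-lock strings are the native SQL Server and Oracle commands that a gateway with a database connection could issue.

```python
"""Toy database-firewall policy engine (added example, not Imperva code).
Classifies a SQL statement (DDL/DCL/DML/SELECT), evaluates a per-account
policy and returns ALLOW, BLOCK (terminate the session) or QUARANTINE (lock the
account until a reviewer lifts it).  Accounts, tables and rules are constructed;
the kill/lock statements are native SQL Server and Oracle commands."""
import re
from dataclasses import dataclass

STATEMENT_CLASSES = {"DDL": {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"},
                     "DCL": {"GRANT", "REVOKE"},
                     "DML": {"INSERT", "UPDATE", "DELETE", "MERGE"},
                     "SELECT": {"SELECT", "WITH"}}
# Native commands per dialect; {session} is a SQL Server spid or Oracle 'sid,serial#'.
KILL_SESSION = {"mssql": "KILL {session}",
                "oracle": "ALTER SYSTEM KILL SESSION '{session}' IMMEDIATE"}
LOCK_ACCOUNT = {"mssql": "ALTER LOGIN [{user}] DISABLE", "oracle": "ALTER USER {user} ACCOUNT LOCK"}
UNLOCK_ACCOUNT = {"mssql": "ALTER LOGIN [{user}] ENABLE", "oracle": "ALTER USER {user} ACCOUNT UNLOCK"}


def classify(sql):
    """Statement class from the leading keyword; anything else is OTHER."""
    m = re.match(r"\s*([A-Za-z]+)", sql)
    kw = m.group(1).upper() if m else ""
    return next((c for c, kws in STATEMENT_CLASSES.items() if kw in kws), "OTHER")


def tables_in(sql):
    """Crude table extraction: names after FROM/INTO/UPDATE/TABLE/JOIN (and ON for GRANT/REVOKE)."""
    on = "|ON" if classify(sql) == "DCL" else ""
    return {t.lower() for t in re.findall(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN%s)\s+([A-Za-z_][\w.]*)" % on, sql, re.I)}


@dataclass
class Event:
    user: str
    source: str    # "network" (seen by the gateway) or "local" (seen by the host agent)
    session: str   # native session id the server understands
    sql: str


@dataclass
class Policy:
    sensitive_tables: set      # DBAs may administer these but not read or change their rows
    dba_accounts: set          # may run DDL/DCL from anywhere, including local sessions
    app_accounts: set          # DML/SELECT only, and only over the network
    quarantine_after: int = 2  # violations before the account is locked


class DatabaseFirewall:
    def __init__(self, policy, dialect="mssql"):
        self.policy, self.dialect = policy, dialect
        self.violations, self.quarantined = {}, set()
        self.audit, self.notifications = [], []   # forensic trail; SIEM/ticketing/email feed

    def _violation(self, ev):
        """Reason string if ev breaks policy, else None."""
        p, cls, tabs = self.policy, classify(ev.sql), tables_in(ev.sql)
        if ev.user in self.quarantined:
            return "account quarantined pending review"
        if ev.user in p.dba_accounts:
            hit = tabs & p.sensitive_tables
            return "privileged user touched sensitive data: %s" % sorted(hit) if cls in ("SELECT", "DML") and hit else None
        if ev.user in p.app_accounts:
            if ev.source != "network":
                return "application account used from a local session"
            return "application account issued %s" % cls if cls in ("DDL", "DCL") else None
        return "unknown account"

    def inspect(self, ev):
        """Evaluate one event; returns the audit record with decision and native commands."""
        reason = self._violation(ev)
        rec = {"user": ev.user, "session": ev.session, "class": classify(ev.sql),
               "decision": "ALLOW", "reason": reason, "commands": []}
        if reason is not None:
            rec["decision"] = "BLOCK"
            rec["commands"].append(KILL_SESSION[self.dialect].format(session=ev.session))
            n = self.violations[ev.user] = self.violations.get(ev.user, 0) + 1
            if n >= self.policy.quarantine_after and ev.user not in self.quarantined:
                self.quarantined.add(ev.user)
                rec["decision"] = "QUARANTINE"
                rec["commands"].append(LOCK_ACCOUNT[self.dialect].format(user=ev.user))
                self.notifications.append("QUARANTINE %s: %s" % (ev.user, reason))
        self.audit.append(rec)
        return rec

    def reinstate(self, user, reviewer):
        """Manual step after the review team has examined the audit trail."""
        self.quarantined.discard(user)
        self.violations.pop(user, None)
        self.notifications.append("REINSTATE %s approved by %s" % (user, reviewer))
        return UNLOCK_ACCOUNT[self.dialect].format(user=user)


SAMPLE_EVENTS = [  # constructed audit events, not captured traffic
    Event("app_svc", "network", "51", "SELECT name, balance FROM accounts WHERE id = 42"),
    Event("dba_joe", "local", "52", "ALTER TABLE accounts ADD note VARCHAR(200)"),
    Event("dba_joe", "local", "53", "SELECT card_number FROM cardholders"),
    Event("dba_joe", "local", "54", "UPDATE cardholders SET card_number = '0' WHERE id = 1"),
    Event("dba_joe", "local", "55", "SELECT 1"),
    Event("app_svc", "network", "56", "GRANT DBA TO app_svc"),
]


def run_sample(dialect="mssql"):
    """Replay the sample through a fresh engine; returns (decision records, engine)."""
    fw = DatabaseFirewall(Policy({"cardholders"}, {"dba_joe"}, {"app_svc"}), dialect)
    return [fw.inspect(ev) for ev in SAMPLE_EVENTS], fw


if __name__ == "__main__":
    for r in run_sample()[0]:
        print(r["decision"], r["user"], r["class"], r["reason"], r["commands"])
```

Run it directly to print the decision for each sample event. The sample illustrates the distinction the text draws: the DBA's ALTER TABLE is allowed because schema changes are the DBA's job, while the same account's SELECT and UPDATE against the sensitive cardholders table are blocked, the second one triggering quarantine, after which even a harmless SELECT 1 is refused until reinstate() is called. A production policy would be far richer, and the audit record would also carry the full SQL text, source address and timestamp for forensic use.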

Summary

SecureSphere Data Security Suite and Database Firewall provide unmatched, full 360 degree database protection. SecureSphere supports network-based monitoring and real-time blocking of unauthorized activity by trusted insiders. In addition, SecureSphere can terminate local user activity and quarantine user accounts in the event of a security policy violation. SecureSphere helps organizations address the growing risk of insider abuse, with the ability to detect, block, and prevent subsequent attempts by privileged users to breach security policies through direct access to the database server. SecureSphere also enables organizations to enforce better access controls and ensure that only authorized activities are performed on their databases.

Imperva
Americas Headquarters: 3400 Bridge Parkway, Suite 101, Redwood Shores, CA 94065. Tel: +1-650-345-9000, Fax: +1-650-345-9004, Toll Free (U.S. only): +1-866-926-4678
International Headquarters: 125 Menachem Begin Street, Tel-Aviv 67010, Israel. Tel: +972-3-6840100, Fax: +972-3-6840200
www.imperva.com
Copyright 2009, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-SECURESPHERE_BLOCKING_OPTIONS-0709rev1