Best Approaches to Database Auditing: Strengths and Weaknesses. henry.parnell@lumigent.com

Similar documents
Auditing Data Access Without Bringing Your Database To Its Knees

Privileged User Monitoring for SOX Compliance

Real-Time Database Protection and. Overview IBM Corporation

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

DATABASE AUDITING TOOLS AND STRATEGIES

Enterprise Database Security & Monitoring: Guardium Overview

Securely maintaining sensitive financial and

Database Auditing and Compliance in a Mainframe Environment. Craig S. Mullins, Corporate Technologist, NEON Enterprise Software, Inc.

Oracle Database: SQL and PL/SQL Fundamentals NEW

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

Facilitating Efficient Data Management by Craig S. Mullins

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

MySQL Security: Best Practices

Monitoring Microsoft SQL Server Audit Logs with EventTracker The Importance of Consolidation, Correlation, and Detection Enterprise Security Series

Comprehensive Approach to Database Security

<Insert Picture Here> Oracle Database Security Overview

DB Audit for Oracle, Microsoft SQL Server, Sybase ASE, Sybase ASA, and IBM DB2

The Comprehensive Guide to PCI Security Standards Compliance

Advantages of Server-side Database Auditing. By SoftTree Technologies, Inc.

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

APPLICATION COMPLIANCE AUDIT & ENFORCEMENT

An Oracle White Paper April Oracle Audit Vault and Database Firewall

SQL Server Auditing. By Minette Steynberg. Audit all SQL Server activities using ApexSQL Comply

Oracle Database 11g: Security. What you will learn:

Enforcive / Enterprise Security

Oracle Database Security Solutions

UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP)

McAfee Database Security. Dan Sarel, VP Database Security Products

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

Oracle. Brief Course Content This course can be done in modular form as per the detail below. ORA-1 Oracle Database 10g: SQL 4 Weeks 4000/-

Database Assessment. Vulnerability Assessment Course

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

CorreLog Alignment to PCI Security Standards Compliance

Securing Oracle E-Business Suite in the Cloud

Complete Database Security. Thomas Kyte

Oracle Database 11 g Performance Tuning. Recipes. Sam R. Alapati Darl Kuhn Bill Padfield. Apress*

B database Security - A Case Study

Oracle 11g Database Administration

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Installing and Configuring Guardium, ODF, and OAV

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

An Oracle White Paper June Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

<Insert Picture Here> Oracle Database Vault

Securing and Accelerating Databases In Minutes using GreenSQL

Oracle Database 12c: Administration Workshop NEW

INTRUSION DETECTION SYSTEMS and Network Security

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

PATROL From a Database Administrator s Perspective

Clavister InSight TM. Protecting Values

Many DBA s are being required to support multiple DBMS s on multiple platforms. Many IT shops today are running a combination of Oracle and DB2 which

Oracle Database 12c: Admin, Install and Upgrade Accelerated

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

Teleran PCI Customer Case Study

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

Securing Data in Oracle Database 12c

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

D12C-AIU Oracle Database 12c: Admin, Install and Upgrade Accelerated NEW

NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers

Making Database Security an IT Security Priority

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

IBM Software InfoSphere Guardium. Planning a data security and auditing deployment for Hadoop

<Insert Picture Here> Oracle SQL Developer 3.0: Overview and New Features

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

74% 96 Action Items. Compliance

Copying data from SQL Server database to an Oracle Schema. White Paper

SAP Business Objects Business Intelligence platform Document Version: 4.1 Support Package Data Federation Administration Tool Guide

Websense Support Webinar: Questions and Answers

Protection & Compliance are you capturing what s going on? Alistair Holmes. Senior Systems Consultant

AV-004: Administering and Programming with ORACLE

Division of IT Security Best Practices for Database Management Systems

Hedgehog: Host-Based Database Activity Monitoring & Prevention

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

B.Sc (Computer Science) Database Management Systems UNIT-V

Enable Audit Events in MS SQL Server EventTracker v6.x, v7.x

Scalability in Log Management

Guide to Auditing and Logging in the Oracle E-Business Suite

Defending the Database Techniques and best practices

THE FIRST UNIFIED DATABASE SECURITY SOLUTION. Product Overview Security. Auditing. Caching. Masking.

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Enforcive /Cross-Platform Audit

March

Best Practices for Database Security

Boosting enterprise security with integrated log management

SQL Server 2008 Designing, Optimizing, and Maintaining a Database Session 1

An Oracle White Paper January Oracle Database Firewall

Oracle Database 12c: Performance Management and Tuning NEW

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Implementing Database Security and Auditing

Critical Database. Oracle Enterprise Manager Oracle Open World 2010 Presented dby Venkat Tekkalur. Prem Venkatasamy. Principal Technical Architect

Database Security & Auditing

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Transcription:

Best Approaches to Database Auditing: Strengths and Weaknesses henry.parnell@lumigent.com

Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered 2of 37

Why Audit: blame the government? 1995 TODAY 3 of 37

Why Audit: blame the DBMS vendors? Audited System Audited System Audited System Audited System DB2 UDB Oracle SQL Server Sybase Scalability, Recoverability, Availability, 4of 37

Why Audit: blame the DBMS vendors? Audited System Audited System Audited System Audited System DB2 UDB Oracle SQL Server Sybase Scalability, Recoverability, Availability, Auditability? 5of 37

Why Audit: blame ourselves? Most of our important, sensitive and private data is in the database. We MUST audit access to the database. We MUST audit usage data. We MUST audit maintenance/control/admin usage. If we don t, we will not be in COMPLIANCE SOX BASELII Hey audit the database GLBA?!?!?! OK What do you need to audit??!?!?! Hmmm Well audit all reads of data, all writes, all changes to the database, who did it, from where, when, how. AUDITORS?!?!?! Are you serious? DBAs OK- audit just config changes No wait also schema changes..and access to sensitive data. And 6of 37

Why Audit: Plenty of Blame to go around Regulations & Industry Practices People Systems and Processes Sarbanes-Oxley HIPAA GLBA SB 1386 SAS70 USA Patriot Act Moody s 21CFR11 Basel II Insiders are the biggest threat Privileged users Human errors Fraud Malicious actions Inadequate built-in controls within DBMS systems Outsourcing Culture 7of 37

Database Auditing Motivation Critical Issues: Passing the Audit Reduce cost of IT controls Regulatory and Industry Compliance Less DBA Workload also less insider risk Resulting in Mandated Record Keeping for Operations on Sensitive Data and Privacy Forensic Analysis 8of 37

Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered 9of 37

Activity Monitoring: Database Types & Versions Audited System SQL Server 7, 2000 & 2005 Audited System Policy Adherence Compliance Reporting Anomaly Detection Oracle 8, 9i &10g Audited System Sybase 11, 12 & 15 Audit Trail Repository Oracle, SQL Server or DB2 Audited System DB2 UDB 8.1, 8.2 & 9 10 of 37

11 of 37

What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables with application functionality to load them Database Triggers Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, Transaction Log Files Collecting Network Activity 12 of 37

The Road Less Traveled Application &/or database schema modification Shadow audit tables, triggers, Reasons not to use Triggers: Significant performance overhead Easy to circumvent (alter table disable trigger all) Costly to maintain (schema changes, code changes) Incomplete capture Typically can only capture DML (not DDL and not SELECTS) 13 of 37

What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables, triggers, Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, Transaction Log Files Collecting Network Activity 14 of 37

Native Database Audit Tools What is it? How does it work? Strengths and Weaknesses Why is anything other then this needed? 15 of 37

Native Database Audit Tools Event systems useful for performance and audit monitoring Generally under the control of the DBA Usual output is to a local table or text file Often comprehensive but in no case complete Performance wise you get what you pay for Output is hard to make unimpeachable (trustworthy) Usually Low Ease of Use 16 of 37

Native Database Audit Tools Strengths DB Operation coverage Supported by Database Vendor Comes with the database Weaknesses Impeachability (AKA will the auditor trust the records?) Performance for anything that happens frequently Data impact records, (what changed, how did it change, what data did the user see, ) Specific to the data container (the DBMS system) and not to the data contents Incomplete 17 of 37

What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables, triggers, Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, Transaction Log Files Collecting Network Activity 18 of 37

Transaction Log Post Processing When we say Transaction Log what do we mean? Strengths and Weaknesses 19 of 37

Database Transaction Log A transaction log is a write ahead journal of all activity that alters the state of the database Binary file, platform specific, internals undocumented A database always writes to the log even when the database is in circular (non-archived) mode A database writes undo and redo records to the log for: Roll forward recovery Transaction atomicity (roll back to a known state) An on-line transaction log is backed up to archived files The archived log files may serve as a rich source for audit activity 20 of 37

Example of a Transaction Log Record 21 of 37

What is in the Transaction Log? All DML operations For row Insert & Delete, all column values are generally present For column Update, before/after values for all modified columns are generally present Status (success or failure) Time stamp / Transaction ID On some platforms All DDL operations Application name shown on operation records Session/UserID Identifiers shown on operation records SQL Text Client host name (or IP address) 22 of 37

What is generally Not in the Transaction Log? Read / SELECT operations Failed operations Unlogged operations example: SQL Server Simple Recovery Mode 23 of 37

Transaction Log - Strengths Small performance impact database does the work in advance Reading an OS file, outside of the database Potentially using a machine that is not the DBMS Server Work shifting Potentially at a time well after when the operation happened Time shifting Appropriate for auditing privileged users Logs complete activity Hard to circumvent Appropriate for auditing local access and Stored procedure contents Shared Memory, named pipes, connections Appropriate for data modifications Provides a full audit trail of changes to column data Resilient to system failures Audit data is never lost; because it uses the same recovery mecagnism as the DBMS Not affected by network encryption 24 of 37

Transaction Log - Weaknesses Unsuitable for implementing privacy auditing Selects are not in the transaction log Unsuitable for real-time alerting Log reading is typically batch oriented that runs during scheduled times May not be deployed on databases that run in (non-archived log mode) Log files are binary and direct access is not a supported interface, hard to write your own Incomplete 25 of 37

What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables, triggers, Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, Transaction Log Files Collecting Network Activity 26 of 37

Network Capture When we say Network Capture what do we mean? Issues Strengths and Weaknesses 27 of 37

Network Capture A network appliance only Resides on the network between the database and the users Captures TCP traffic Extracts SQL text and stores in a file backed cache Can be either a network appliance and/or host based software agents 28 of 37

How the Internet Works Database Server Client - Server Communications Client Ethernet Switch Ethernet Switch The Internet is dumb All connections are initiated by the connected client server systems at each end All data synchronization and retransmissions are controlled by the end systems The network merely pushes packets along from hop to hop If a packet is dropped in the network the end points will detect it and retransmit. 29 of 37

Sniffers Listen to Packets as They Go By Database Server Database Commands and replies Client Ethernet Switch Sniffer Packets do get dropped in networks Sniffers can drop packets if there is local congestion Local congestion can be caused by non audit traffic If the sniffer in the middle drops a packet it may not be retransmitted because the endpoints may not drop the same packets 30 of 37

What is in a TCP Packet? A SQL Text command, exactly as it was sent to the database The SQL batch must be parsed to obtain: Object names (affected tables) Individual SQL commands (e.g., nested selects) Prepared statements must be correlated, if possible Other fields must be obtained from a previous login request (if not encrypted) User name Application id Client host 31 of 37

Network Capture - Strengths Suitable for privacy Very small additional load performance impact Same work and time shifting possibilities as log reading Suitable for basis of real-time alerting Less Integration and therefore complication with the DBMS itself If you are a DBA the network topology and network security are Somebody Else's Problem 32 of 37

Network Capture - Weaknesses Difficulty auditing privileged users and or local host access Difficulty handling session encryption SSL, IPSec Encrypted login packets Inability to audit server side logic Cannot capture activity of stored procedures, triggers packages Inability to track changes to data values Not resilient to failure If a network capture component fails to record traffic, the audit data is lost and cannot be recovered Hard to do, not a supported interface 33 of 37

Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered 34 of 37

The Data Compliance Spectrum 35 of 37

The Data Compliance Spectrum Highly tuned production system Very high service level requirements No stored data values Multiple DBs Migration of servers Rolling out encryption Financial and operational data Past privileged user access issues Before and after value audit trail required Companies often blanket the spectrum 36 of 37

Mapping Technology to Real-World Requirements Transaction Log Reading Network Capture All my database activity is encrypted (i.e. SSL, IPSec, etc ) I need to monitor all forms of privileged user access I need to see the results from stored procedures & triggers I need to see the data impact for SOX compliance and provide before and after values I need real-time security alerts I need to capture a high volume of SELECTs for PCI compliance I cannot have any impact on the database I don t have database logging enabled and I cannot change this 37 of 37

Over all Conclusion None of the alternatives are comprehensive Avoid use of Native Audit Tools for operations that happen frequently Log Reading is best for DML auditing Network Capture is best for Select/Read auditing 38 of 37

Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered 39 of 37

Beyond Collection Method Audit Policy Deployment Configuration 40 of 37

41 of 37

Audit Policy Configuration What Records to keep? Policies can conditionally qualify otherwise raw database events to: Produce a more effective and accurate audit trail Identify violations of policy Classify events based on context Issue alerts to initiate immediate response Definition of a complete, specific, database monitoring filter; abstracted away from details of database type and collection method. Rules All privileged user activity: Audit If activity is outside of maintenance window: Critical If activity results in update to SOX scope data: Alert If host or application is determined to be un trusted POLICY Consolidated definition of acceptable use 42 of 37

Audit Policy Rules? Supported attributes that can be used: User ID Application Name (Oracle and SQL Server data sources only) Object (table, column, view, stored procedure) Database Operation (insert, update, delete, grant, select ) Client Host Name Date Time range Supported Actions: Collect, record the audit record in the Audit DB repository, mark the audit record with the policy name that was true Annotate the collected audit record with a severity level Send an alert 43 of 37

Grant of new Privileges Company (enterprise) policy Changes to Stored Procedures Division policy DML and Selects on employee table Department policy Instance policy Database policy Multiple Policies with distinct objectives collected concurrently Each collected audit record annotated with the policy or policies that triggered collection Each audit record prioritized Conditional immediate alerting Consolidated Runtime Audit Rules 44 of 37

Multi-Layer Data Protection Framework Data Assets DB Version, Patches & Configuration DB Access Control Host OS Firewall, Version, Patches, Configuration IDS Deep Packet Inspection Network Firewalls & Access Control 45 of 37

Deployment Configuration Audited System SQL Server 7, 2000 & 2005 Audited System Policy Adherence Compliance Reporting Anomaly Detection Oracle 8, 9i &10g Audited System Sybase 11, 12 & 15 Audit Trail Repository Oracle, SQL Server or DB2 Audited System DB2 UDB 8.1, 8.2 & 9 46 of 37

Deployment Configuration Operations Parameters 141 transactions/second for first level sniffers 10 first level sniffers on an aggregation box 2 levels of aggregation Campus 4 Clients Ethernet Switch Agg Clients Agg (1) Router Router SQL Sever SQL Sever SQL Sever Ethernet Switch Router SQL Sever SQL Sever SQL Cluster 1 Campus 3 Clients Router Router Ethernet Switch Oracle 5 Agg (2) Agg (2) Ethernet Switch Agg (2) 5 Oracle DB2 5 3 3 Ethernet Switch Sybase Sybase Building 1 5 5 DB2 DB2 Assumptions: 8 database instances per DB Server DB2 per instance 90 Trans./Sec 500 Mega bytes/db Oracle per instance 90 Trans./Sec 1.50 Gigabytes/DB Sybase (per instance) 40 Trans/Sec 300 Megabytes/DB SQLServer per instance 3 Trans./Sec 50 Megabytes/DB 5 First level sniffers Router DB2 5 Ethernet Switch 5 DB2 Agg First level aggregation Ethernet Switch Ethernet Switch 5 Oracle RAC DB2 5 5 DB2 Building 2 Agg Second level aggregation Campus 5 Oracle Oracle Campus 1 Campus 2 47 of 37

Summary Compliance presents multiple auditing requirements: Privileged user, privacy, data auditing, completeness, separation of duties, etc. The requirements need to be implemented in a variety of existing production environments: Performance sensitive systems Systems that use network encryption Warehouses that run in circular log mode No single technology alone can meet all auditing requirements. No single technology alone can fit all IT environments. An appropriate combination of native audit, transaction log reading, and network capture can be selected to match specific audit requirements and IT infrastructure. 48 of 37

Thank you! Questions? Lumigent Technologies, Inc. henry.parnell@lumigent.com 49 of 37

Auditing Stored Procedure Example create procedure sp_salary @sal int, @emp int as update overtime set rate = @sal where empid = @emp delete overtime where empid = @emp+1 go declare @handle int set @handle = NULL exec sp_prepare @handle OUTPUT, N'@p1 varchar(80)', N'update overtime set rate = @p1 where empid = 5', 1 exec sp_execute @handle, 100 go declare @str nvarchar(500) set @str = N'delete overtime where empid = 12' execute sp_executesql @str go CREATE TABLE [dbo].[overtime] ( [emp_id] [empid] NULL, [empid] [int] NULL, [rate] [decimal](18, 0) NULL ) ON [PRIMARY] 50 of 37

Auditing Stored Procedure Network Capture Only 51 of 37

Auditing Stored Procedure Both NetCap and TLog 10f3 52 of 37

Auditing Stored Procedure Both NetCap and TLog 20f3 53 of 37

Auditing Stored Procedure Both NetCap and TLog 30f3 54 of 37

Thank you! Questions? Lumigent Technologies, Inc. henry.parnell@lumigent.com 55 of 37

Deployment Details Network Capture 56 of 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information