
More Databases. More Hackers. More Audits.

Exploding data growth doesn’t mean you have to sacrifice data security or compliance readiness. The more clarity you have into where your sensitive data is and who is accessing it, the easier it is to secure and meet compliance regulations.

Walk through this presentation to learn how to:
- Detect and block cyber security events in real-time
- Protect large and diverse data environments
- Simplify compliance enforcement and reporting
- Take control of escalating costs


  1. © 2016 Imperva, Inc. All rights reserved. More Databases. More Hackers. More Audits. Terry Ray and Cheryl O’Neill
  2. Speakers: Terry Ray, Chief Product Strategist; Cheryl O’Neill, Product Marketing Director, Data Security
  3. Who has access to your data and why? How do you respond to suspicious activity?
  4. Section 1: Reasons to Invest in Database Audit and Protection. Security and Compliance Factors for Consideration
  5. Database monitoring considerations circa 2014
     The normal:
     - Audit for compliance on critical systems
       - Monitor logins/logouts and failed attempts
       - Monitor privileged activities
     - Policies vary by department and database
     - Database audit logs consolidated quarterly
     - Ad hoc user rights review and management
     - Change tickets manually reconciled for audit
     The exception:
     - Monitor for audit and data security
       - All sensitive data
       - All user database activity
     - Unified compliance policies and reports
     - Alerts integrated with real-time security monitoring process
     - User rights review and management automated
     - Change ticket verification and reconciliation
  6. Database audit and protection circa 2016
     The normal:
     - Monitor for data security
       - All sensitive data
       - All user database activity
     - Unified compliance policies and reports
     - Integrate alerts with real-time security monitoring process
     - Block suspicious behavior on critical systems
     - Automate user rights review and management
     - Integrate change management
     The exception:
     - Monitor extended data stores
       - Cloud-based databases and SaaS
       - Big Data
     - User behavior profile analysis
     - Track user role characteristics
     - Mask data in non-production systems
     - Security database audit analysis
     - Centralized data security and incident response
  7. Compliance reports do not protect data. A compliance-only focus:
     1. Inconsistent policy application
     2. Audit: login, logout, failed attempts; privileged actions
     3. Ad hoc user rights review
     4. Quarterly compliance reports
     Diagram labels: multi-staged attack compromises users; application exploit compromises applications; compromised privileged access via apps and direct database root access; quarterly audit reports; limited audit, no data security; undetected breach and data loss.
  8. Data breach trends 2015 (charts: Number of Incidents, 2011 to 2015; Number of Exposed Records, 2011 to 2015; 2015 records exposed, in millions, by threat vector: Outside, Inside, Total, Inside-Accidental, Inside-Malicious, Inside-Unknown, Unknown)
     - Outside attacks: 3053 (a second bar is labelled 749)
     - Inside incidents represent 22% of total incidents, but result in 49% of record exposure
     - Threat vector share: Hacking 59%, Web 31%, Fraud 6%, Other 4%
     - 2015 percentage of total by number of records exposed (legend order: Unknown # of Rec., 1 to 100, 101 to 1,000, 1,001 to 10,000, 10,001 to 100,000, Over 100,000; values shown in that order: 29%, 37%, 18%, 11%, 3%, 2%)
     - Top 3 items stolen: 1. Passwords 2. Email addresses 3. User name
     - Source: 2015 Data Breach Trends, Data Breach Quick View, January 2016
  9. Database audit policy vs. database security policy
     - Database audit: record for future review; narrow scope; does not invoke “action”; legal record of events
     - Database security: alert in real time on suspicious behavior; broad visibility; block in real time against obvious bad behavior; implies “action”
  10. Active monitoring protects data. A security-first focus (data-centric audit and protection):
      1. Web Application Firewall
      2. Privileged user monitoring
      3. Monitor for audit and data security
      4. Uniform application of policies
      5. Alerts
      6. Block suspicious behavior
      7. Automated user rights mgmt.
      8. Integrate change ticket mgmt.
      Diagram labels: multi-staged attack compromises users and DBA; SecureSphere for database detects, alerts, and stops unauthorized or anomalous behavior by legitimate users and hackers; breach attempt detected and stopped; SecureSphere WAF blocks web application exploits; any time audit reports; real-time security analysis.
  11. Practical applications of activity monitoring

      | Project | Goal |
      |---|---|
      | Sensitive data audit | Streamline audit for PCI, SOX and other compliance purposes |
      | Privileged user monitoring | Enforce separation of duties; monitor all activity, including local DB server access; block if necessary |
      | Data theft prevention | Protect sensitive data; prevent the loss of sensitive data |
      | Data across borders | International privacy regulations limit what data can be accessed by users outside the borders defined by the regulation |
      | Change reconciliation | Show the compliance (i.e. SOX) auditors that changes to the database can be traced to approved change tickets |
      | Malware and targeted attack use case | Detect when a privileged user account has been compromised and is being used in an attack |
      | VIP data privacy | Maintain strict access control on highly sensitive company data, including data stored in core systems like SAP, Oracle Financials and PeopleSoft |
      | Ethical walls | Maintain strict separation between business groups within a larger organization, to comply with M&A requirements, government clearance, … |
      | User tracking | Map the true web application end user to the shared application/database user to the final data access |
      | Secure audit trail archiving | Secure the audit trail from tampering, modification, or deletion |
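Added example, not code from the deck or from Imperva: a small Python policy evaluator that applies the audit-versus-security-policy split from slide 9 to three of the use cases above (change reconciliation, data across borders, privileged user monitoring) over constructed database activity events. The ticket id, user names, table names, allowed countries and row threshold are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy inputs; the ticket id, users and tables are made up.
APPROVED_TICKETS = {"CHG-1001": ("2016-03-01T22:00", "2016-03-02T02:00")}
PRIVILEGED_USERS = {"dba_admin"}
SENSITIVE_TABLES = {"customers", "card_data"}
ALLOWED_COUNTRIES = {"US", "DE"}   # "data across borders" constraint
BULK_ROW_LIMIT = 10_000            # rows above which a privileged read is bulk

@dataclass
class Event:
    ts: str           # ISO-8601 timestamp; comparable as a string in one format
    user: str
    op: str           # login_failed | select | alter | drop
    table: str
    country: str      # country the client connection originates from
    ticket: str = ""  # change ticket cited by the session, if any
    rows: int = 0     # rows returned by a select

def evaluate(ev):
    """Map one event to (outcome, reason). 'audit' only records the event
    (audit policy); 'alert' and 'block' are real-time actions (security policy)."""
    if ev.op == "login_failed":
        return "audit", "failed login recorded for compliance"
    if ev.table in SENSITIVE_TABLES and ev.country not in ALLOWED_COUNTRIES:
        return "block", f"sensitive table reached from {ev.country}"
    if ev.op in ("alter", "drop"):
        window = APPROVED_TICKETS.get(ev.ticket)
        if window is None or not (window[0] <= ev.ts <= window[1]):
            return "alert", "schema change with no approved change ticket"
        return "audit", f"change reconciled to {ev.ticket}"
    if (ev.user in PRIVILEGED_USERS and ev.op == "select"
            and ev.table in SENSITIVE_TABLES and ev.rows > BULK_ROW_LIMIT):
        return "block", "privileged bulk read of sensitive data"
    return "audit", "normal activity"

# Constructed activity stream that exercises each rule once.
EVENTS = [
    Event("2016-03-01T09:00", "dba_admin", "login_failed", "", "US"),
    Event("2016-03-01T09:05", "analyst", "select", "customers", "FR", rows=20),
    Event("2016-03-01T23:10", "dba_admin", "alter", "customers", "US", "CHG-1001"),
    Event("2016-03-01T14:00", "dba_admin", "drop", "orders", "US"),
    Event("2016-03-01T15:00", "dba_admin", "select", "card_data", "US", rows=50_000),
    Event("2016-03-01T16:00", "app_user", "select", "orders", "US", rows=5),
]

def run(events=EVENTS):
    """Return the (outcome, reason) pair for each event, in order."""
    return [evaluate(ev) for ev in events]
```

Only the schema change inside the approved ticket window stays audit-only; the others show the alert and block actions a security policy adds on top of the audit record.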
  12. Section 2: Plan for Long Term Protection. Efficient and Cost Effective Monitoring
  13. Audit approaches and their outcomes:
      - Do not audit: no protection, no compliance
      - Utilize built-in “Native Audit” capabilities: no protection, poor compliance
      - Implement a dedicated database auditing solution: protection and compliance
  14. Why do organizations choose no audit over native audit?
      - Database performance impact
      - Audit data storage impact
      - Manually intensive in a heterogeneous environment
      - Complexities of regulatory requirements are overwhelming
      - Time-consuming, difficult-to-use native audit log output
      - Don’t know what to audit
      - Not aware of the location of all sensitive data
      - DBA team is small and usually busy
  17. Performance Impact Video Demo: SecureSphere Agent adds 2% CPU overhead, with no impact on HD I/O or TPS; native audit increases HD I/O, slows response time and cuts TPS by 50%
  18. Section 3: Database Audit and Protection TCO. The Monetary and Human Costs Associated with DAP
  19. Know your challenges with native audit
      - Know that most organizations have more than one DB vendor
      - The perimeter will be breached
      - End points are vulnerable
      - Internal users are a risk
      - Privileged user accounts are data wells waiting to be tapped
  20. Database audit and protection (DAP) solutions: Imperva SecureSphere; IBM Guardium
  21. The difference: major computer manufacturer, Imperva vs. IBM compared

      | | Imperva | IBM |
      |---|---|---|
      | VM appliances | 65 | 135 |
      | DB servers monitored | >1050 | Maximum 500 |
      | Deployment | Replaced IBM and deployed on 1050 DBs within 6 months | Project >3 years; never able to finish |
      | Staffing | 10 FTE, less than 50% of role | 10 FTE using 100% of role |
      | Scope | Expanded scope to include blocking and additional audit | Audit gaps, no blocking |
  22. Red Italian car
  23. Capacity design comparison summary
      Imperva:
      - Big Data model
      - Distributed flat file
      - Optimal for writes
      - High-fidelity data retention
      - Compresses audit data 20x
      - Real-time data access from MX due to flat file architecture
      IBM Guardium:
      - Traditional relational DB model
      - Structured rows & columns
      - Optimal for reads, poor for writing
      - Alters repetitive data to minimize some writes
      - Less compression on archive due to RDBMS components in data structure
      - Delayed data access due to RDBMS architecture and batch aggregation
  24. Identical coverage deployment comparison
  25. Lower total cost of ownership: major computer manufacturer, the result
      - Labor cost dropped by over 50% compared with the Guardium deployment
      - 60 days to roll out SecureSphere to the 500 databases
      - Expanded the SecureSphere roll-out to a total of 1050 databases
      - SecureSphere cut the annual cost by 72%, to $744 per database
  26. Monitor more
      - Separation of duties
      - Pre-built purpose-specific policies
      - Autonomous rule evaluation
      - High-speed evaluation
      - In-line, sniffing, or hybrid monitor
      - Secure storage of compliance audit
      - Contextual security alerts

      | Monitor | Compliance audit | Security audit |
      |---|---|---|
      | Login/Logout | Yes | Yes |
      | Security exceptions (failed login, connection errors, SQL errors) | Limited | Yes |
      | Data access | Limited | Yes |
      | Data modification | Limited | Yes |
      | SQL statements | Limited | Yes |
      | User name | Limited | Yes |
      | Views | No | Yes |
      | Stored procedures | No | Yes |
      | Table groups | No | Yes |
      | Triggers | No | Yes |
      | Privileged operations | Limited | Yes |
      | Protocol violations | No | Yes |
      | Source IP, OS, application | No | Yes |
  27. Deployment options & performance considerations (diagram: users and DBA/sys admins reaching enterprise databases; Management Server (MX); gateway appliances; agent auditing, DAP non-inline network auditing, and DAP inline network auditing)
      - Agent architecture: impact to DB server
      - Appliance architecture: capacity to capture necessary DB traffic and audit data
      - Management Server: backwards and forwards compatibility down to agent level
      - Proactive: real-time event notification and blocking
  28. Architecture overview (diagram: MX Management with Admin, Mgmt., Analysis and Collection functions; Gateways fed by a tap; integrations with Ticketing, SQL, LDAP and SIEM over Syslog, LDAP, SQL, REST, SOAP and SNMP)
  29. SecureSphere leverages your other investments
      - Limit risk with FireEye: automatically monitor ALL activity or restrict data access of compromised hosts
      - Improve visibility and analysis with Splunk & SIEM solutions: holistically analyze consolidated security data and alerts
      - Add contextual intelligence with LDAP and data lookups: user verification and data enrichment
      - Enforce change management policies with ticketing systems: automatically verify and log the existence of an approved change request
      - Track users from web app to database activity with SecureSphere WAF: correlate user activity across sessions and systems
  30. Position yourself for the future (diagram labels: Big Data engines; cloud adoption; SecureSphere; Data Protection for SecureSphere for Big Data; Imperva CounterBreach, protecting the weakest link, users; insider threat protection)
  31. Truly detecting and containing breaches requires addressing all of: Exactly WHO is accessing my data? Is the access OK? How do I respond QUICKLY if not?
  33. CounterBreach (diagram labels: user interface; behavior machine learning; visibility; contain and investigate; deception; learn and detect; block / quarantine; monitor; Imperva SecureSphere; databases and files)
  34. Big picture competitive environment: DCAP. Gartner Market Guide for Data-Centric Audit and Protection, Figure 2: Schematic Representation of the DCAP Market Showing How a Sample of Vendors Operates Across Different Data Silos. Detection tools may be applicable across multiple silos through a single management console but other functionality is limited. Source: Gartner, Market Guide for Data-Centric Audit and Protection, 22 November 2014
  35. Food for thought: questions companies should be able to answer
      1) Where, specifically, is your private data located?
      2) Who is accessing your data?
      3) How do they access your data?
      4) Should they have access to your data?
      5) What users have access to your data, but do not use it?
      6) Who is responsible if data is lost? Often Security
      7) Who is responsible for monitoring that data? Usually Database Administration
      8) Is the data being used appropriately?
      9) Does anything provide timely and actionable security intelligence?
  36. For More Information: +1 (866) 926-4678 (Americas); +44 01189 497 130 (EMEA)