© 2015 Imperva, Inc. All rights reserved. Database Monitoring First and Last Line of Defense Cheryl O’Neill November 12, 2015

Database monitoring - First and Last Line of Defense


Page 1: Database monitoring - First and Last Line of Defense

Database Monitoring
First and Last Line of Defense
Cheryl O’Neill
November 12, 2015

Page 2: Database monitoring - First and Last Line of Defense

Speaker

Cheryl O’Neill
Director, Product Marketing, Database Security, Imperva

Cheryl is a 15-year information security and compliance technologist, working with the largest financial services, life science and Fortune 500 companies to safely secure their most sensitive and regulated data. In her current role, Cheryl manages the Imperva SecureSphere data security solutions.

Page 3: Database monitoring - First and Last Line of Defense

Why You Should Protect and Audit Critical Data

1. Data breaches are getting more expensive
2. More regulations, and more costly penalties
3. Your personal employee data is at risk

Business, social, and personal consequences

Page 4: Database monitoring - First and Last Line of Defense

Challenge: Protect Your Data At The Source

• The perimeter will be breached
• End points are vulnerable
• Internal users are a risk
• Privileged user accounts are data wells waiting to be tapped

Page 5: Database monitoring - First and Last Line of Defense

Challenge: Simplify Your Compliance Process

Regulations

• Monetary Authority of Singapore
• SOX
• IB-TRM
• HITECH
• PCI-DSS
• EU Data Protection Directive
• NCUA 748
• FISMA
• GLBA
• HIPAA
• Financial Security Law of France
• India’s Clause 49
• BASEL II

Best Practices

• Risk Assessment
• Monitor and audit
• User Rights Management
• Attack Protection
• Task & policy specific reporting

Page 6: Database monitoring - First and Last Line of Defense

Data Is A Company Asset
Protecting Data Is A Company-wide Necessity

IT Security DBA’s Risk and audit

Page 7: Database monitoring - First and Last Line of Defense

Audit Policy vs. Database Security Policy

• Database Audit
  – Record for future review
  – Broad scope
  – Does not invoke “action”
  – Legal record of events

• Database Security
  – Alert in real time on suspicious behavior
  – Block in real time against obvious bad behavior
  – Implies “action”

Page 8: Database monitoring - First and Last Line of Defense

Tools vs. Solutions

• Tools – perform a set of specific tasks
• Solutions – solve a business problem

• Native audit is a logging tool with no security or policy specific capabilities
• SecureSphere is a data protection and audit solution

• Improves database security
• Simplifies compliance

Page 9: Database monitoring - First and Last Line of Defense

Things For You To Consider

• Architecture
  – Monitoring efficiency
  – Scale DPA to DB server ratio
  – DB agent, network or hybrid
  – Clustering & high availability

• Deployment, updates, and maintenance
  – Out-of-the-box expertise & content
  – Agent deployment/update automation
  – Upgrades/backward-forward compatibility

• Task and system visibility
  – Policy specific reports
  – Centralized management
  – Role based functions and reports

• Database identification and prioritization
  – Data discovery
  – Risk classification
  – User rights management

• Monitoring Intelligence
  – Effective policy management
  – Data enrichment
  – Uniform policy enforcement

• Security interlock
  – User tracking and dynamic profiling
  – Threat correlation
  – Alerts
  – Blocking (speed and flexibility)

Enterprise Design and Deployment Efficiency
Audit, Security, and Compliance Functionality

Page 10: Database monitoring - First and Last Line of Defense

SecureSphere Security Capabilities

1. Inspects more – process less
  – Independent high-performance monitoring channels
  – Inspect all activity for security purposes
  – Audit (log) only data needed for compliance reporting

2. Exchanges and correlates information
  – ID and track users, add context, verify information
  – WAF, Ticketing Systems, LDAP, FireEye, and SIEM / Splunk

3. Spots and stops suspicious activity
  – Dynamic profiling, learns automatically over time
  – Fine tune without a need to create policies
  – Alert, Quarantine and/or Block

Page 11: Database monitoring - First and Last Line of Defense

SecureSphere Compliance Capabilities

1. Finds
2. Classifies
3. Monitors
4. Audits
5. Enforces
6. Reports

• Discover rogue databases
• Map and classify sensitive information
• Default and custom policy trees
• 300+ out-of-the-box policies
• Automate user rights analysis and verification
• ID and track vulnerabilities
• Simple policy and rule creation
• Data enrichment
• Activity monitoring
• Privileged user monitoring
• Pan-enterprise reporting
• Investigate and analyze

Page 12: Database monitoring - First and Last Line of Defense

SecureSphere Leverages Your Other Investments

• Limit risk with FireEye
  – Automatically monitor ALL activity or restrict data access of compromised hosts

• Improve visibility and analysis with Splunk & SIEM solutions
  – Holistically analyze consolidated security data and alerts

• Add contextual intelligence with LDAP and data lookups
  – User verification and data enrichment

• Enforce change management policies with ticketing systems
  – Automatically verify and log existence of an approved change request

• Track users from web app to database activity with SecureSphere WAF
  – Correlate user activity across sessions and systems

Page 13: Database monitoring - First and Last Line of Defense

Smarter Policy Evaluation: More Context = Better Results

PCI: Shared user “sa” just ran a backup of all customer data tables at noon
• Is there a change control ticket number for that?

EventTime  DBuser  Operation  Object
12:05:19   sa      backup     customerdb1

EventTime  DBuser  Operation  Object       TicketID
12:05:19   sa      backup     customerdb1  54321

SOX: DBuser “wGa779a” modified 3 of the corporate financial tables at 3 AM
• Who is DBuser name = wGa779a (real name, role, department, email address)?

EventTime  DBuser   Operation  Object
03:00:47   wGa779a  update     quarterrslt03

EventTime  DBuser   DomainUser   Department  Operation  Object
03:00:47   wGa779a  hq\cjohnson  Finance     update     quarterrslt03

HIPAA: “FlorenceN” accessed the Governor's medical history last week
• What type of Doctor/Nurse is she?

EventTime  DBuser     Role   Ward       Operation  Object
15:38:11   FlorenceN  Nurse  Maternity  select     carehistory
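The enrichment step on this slide, sketched as an added example (not Imperva's code and not part of the original deck): raw audit rows are joined with ticket and directory context, then a policy check runs on the enriched record. The lookup tables stand in for a ticketing system and LDAP; their shape, the policy rules and the fourth event row are assumptions.

```python
# Constructed stand-ins for the ticketing system and the LDAP directory.
# Values are the ones shown on the slide; the lookup shape is an assumption.
TICKETS = {("sa", "backup", "customerdb1"): "54321"}
DIRECTORY = {
    "wGa779a": {"DomainUser": r"hq\cjohnson", "Department": "Finance"},
    "FlorenceN": {"Role": "Nurse", "Ward": "Maternity"},
}
SHARED_ACCOUNTS = {"sa"}              # assumption: accounts with no single owner
CHANGE_CONTROLLED = {"backup", "update"}  # assumption: operations needing a ticket

# First three rows are from the slide; the last row is constructed.
RAW_EVENTS = """\
12:05:19 sa backup customerdb1
03:00:47 wGa779a update quarterrslt03
15:38:11 FlorenceN select carehistory
02:14:03 sa backup customerdb1_copy
"""

def parse(line):
    """Split one raw audit row into the four columns shown on the slide."""
    event_time, user, operation, obj = line.split()
    return {"EventTime": event_time, "DBuser": user,
            "Operation": operation, "Object": obj}

def enrich(event):
    """Add directory attributes and a TicketID when the lookups have them."""
    enriched = dict(event)
    enriched.update(DIRECTORY.get(event["DBuser"], {}))
    key = (event["DBuser"], event["Operation"], event["Object"])
    if key in TICKETS:
        enriched["TicketID"] = TICKETS[key]
    return enriched

def evaluate(event):
    """Return policy findings that only become decidable with context."""
    findings = []
    user, operation = event["DBuser"], event["Operation"]
    if (user in SHARED_ACCOUNTS and operation in CHANGE_CONTROLLED
            and "TicketID" not in event):
        findings.append("shared account change without ticket")
    if user not in SHARED_ACCOUNTS and user not in DIRECTORY:
        findings.append("DB user not resolved to a person")
    return findings

def process(text):
    """Parse, enrich and evaluate every row; returns (event, findings) pairs."""
    enriched = [enrich(parse(line)) for line in text.splitlines() if line.strip()]
    return [(event, evaluate(event)) for event in enriched]

if __name__ == "__main__":
    for event, findings in process(RAW_EVENTS):
        print(event, "->", findings or "ok")
```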

Page 14: Database monitoring - First and Last Line of Defense

Enterprise fit and function

• Rapid, flexible deployment
• Less hardware/VMs required
• Predictable performance at scale
• Out-of-the-box integrations, expertise and content

“I must say, I REALLY like the agent update process you guys have!”
Assistant Vice President, IT, a Fortune 500 financial holding company, Nov 5th, 2015

Page 15: Database monitoring - First and Last Line of Defense

Position Yourself For The Future

Big Data Engines
• Only 27% of Big Data apps are in production
• 83% of Big Data apps will require some form of compliance
• 77% No audit solution

Cloud Adoption
• 30% CAGR IaaS/PaaS; $46B on database
• 64% view compliance as barrier to cloud adoption
• No off-database enterprise solution

Page 16: Database monitoring - First and Last Line of Defense

Position Yourself For The Future

Big Data Engines
• Only 27% of Big Data apps are in production
• 83% of Big Data apps will require some form of compliance
• 77% lack an audit solution

Cloud Adoption
• 30% CAGR IaaS/PaaS; $46B on database
• 64% view compliance as barrier to cloud adoption
• No off-database enterprise DAP solution

SecureSphere Data Protection for
SecureSphere for Big Data

Page 17: Database monitoring - First and Last Line of Defense

Your Action Plan for Better Data Security

• Have a plan and know desired results

• Know and classify your data

• Implement a universal platform and policies

• Monitor more -- audit what matters

• Constantly think security – TEST IT

• Look to the future – scale, cloud, Big Data
