Sentrigo uses context-aware technology to detect and block SQL injection attacks in the database.
In an age of multimillion-dollar data breaches, detecting and
thwarting SQL injection attacks against databases has never been more
important.
However, doing that means more than analyzing applications for
vulnerabilities during the development process. It also means being
able to monitor and detect what's happening to a database.
Sentrigo, based in Woburn, Mass., is hoping to make its mark by
bringing context-aware technology down to the database level to detect
SQL injection attacks, a tactic company officials said is superior to
other methods of detection.
Sentrigo's product, Hedgehog, directly monitors the database's
memory and examines the context from which the SQL statements
originate, as well as the types of commands used and the database
access privileges of the user.
Context-based detection is better than other methods for three reasons, said Sentrigo Chief Technology Officer Slavik Markovich.
"One, unlike signature-based methods, it doesn't rely on
expression matching in the SQL statement itself and therefore cannot be
evaded using small variations on the original exploit," he said.
"Two, it is false-positive proof. If you detect, for example,
a privilege grant command attempt from within a package that would have
no business issuing such commands, you can know for sure it is the
result of an exploit. There is simply no reason for anyone to do this
for kosher reasons."
The third reason, said Markovich, is that because context-based
detection uses context to determine the legitimacy of commands coming
from packages, it is effective against zero-day exploits.
"We don't need to know the exact SQL injection or even somewhat
different hacking methods—if they target built-in packages and attempt
privilege escalation we will catch it," he said.
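As an added illustration (not Sentrigo's code; Hedgehog's internals are not described here), the Python below models the distinction Markovich draws: a signature check that matches the statement text against one known payload, versus a context check that classifies the command and asks whether its originating package has any business issuing it. The package names, the allow-list and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class SqlEvent:
    statement: str
    package: str                      # originating PL/SQL package; "" = direct client session (assumed)
    privileges: set = field(default_factory=set)

# Hypothetical allow-list: the only packages with a legitimate reason to issue privilege commands.
ADMIN_PACKAGES = {"SYS.DBMS_ADMIN_TOOL"}

PRIVILEGE_COMMANDS = ("GRANT ", "REVOKE ", "ALTER USER ", "CREATE USER ")

# A naive signature for one known exploit payload, as a signature-based product might ship it.
SIGNATURE = re.compile(r"\bGRANT\s+DBA\s+TO\b", re.IGNORECASE)

def normalize(sql: str) -> str:
    """Strip comments and collapse whitespace so command classification ignores cosmetic variation."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return " ".join(sql.split()).upper()

def signature_detect(event: SqlEvent) -> bool:
    """Signature approach: pattern-match the raw statement text."""
    return SIGNATURE.search(event.statement) is not None

def context_detect(event: SqlEvent) -> bool:
    """Context approach: alert when a privilege command originates from a package not cleared to issue one."""
    text = normalize(event.statement)
    if not text.startswith(PRIVILEGE_COMMANDS):
        return False
    return event.package not in ADMIN_PACKAGES

def evaluate(events):
    """Return (signature_hit, context_hit) per event so the two methods can be compared side by side."""
    return [(signature_detect(e), context_detect(e)) for e in events]

# Constructed sample events (not real traffic).
SAMPLE = [
    SqlEvent("GRANT DBA TO scott", "APP.REPORTING"),            # known payload: both methods fire
    SqlEvent("GRANT/**/DBA TO scott", "APP.REPORTING"),         # trivial variation: signature misses, context fires
    SqlEvent("GRANT DBA TO app_admin", "SYS.DBMS_ADMIN_TOOL", {"DBA"}),  # legitimate admin: signature false positive
    SqlEvent("SELECT name FROM orders WHERE id = 42", "APP.REPORTING"),  # ordinary query: neither fires
]

if __name__ == "__main__":
    for ev, (sig, ctx) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{ev.package or '<session>':22} signature={sig!s:5} context={ctx!s:5} {ev.statement}")
```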
Officials at Imperva, which competes with the smaller Sentrigo
in database security, said a more holistic approach to combating SQL
injections is needed, not just monitoring the database for activity at
the object level. Imperva introduced profile-based detection technology
known as Dynamic Profiling in 2002, which creates a model profile of
every user and blocks malicious activity and policy violations by
comparing user behavior to the profile.
"Imperva's SecureSphere provides more effective security by
protecting the database as well as all avenues for accessing the
database including Web/application servers, application processing
requests, the operating system and the protocols being used to
transport sensitive information," said Imperva CTO Amichai Shulman.
"If any of these elements are left unmonitored and
unprotected, a product is only securing the front door, while the back
door is wide open, leaving data at risk."
To Shulman, monitoring database activity without any
information about the application and Web side of the transaction
provides only half the context necessary to make accurate decisions.
"Both halves of the equation are needed to block all attacks,
while avoiding false positives and permitting legitimate usage," he
said.
In an ideal world, SQL injection problems would be solved by
removing the vulnerability from the Web application to begin with by
using tools from companies such as Watchfire and others, said Neil
MacDonald, an analyst with Gartner.
"What Sentrigo is talking about is not conceptually different
than Web application firewalls, which can look at inbound and outbound
traffic and enforce rules on what the application receives as input and
what the application should send as output," he said.
"Adding context into security decisions results in better,
more relevant security decisions—for example, fewer false positives and
false negatives. This trend is occurring in all aspects of information
security. "
Still, analyst Eric Ogren of the Ogren Group is skeptical that
an organization will block a SQL instruction from executing based
on a dynamic assessment of aberrant behavior. Organizations need both
a signature and a context-based approach for effective security, he said.
"It's hard to argue with the value of signatures for predictable
reactions to known security events," he said. "However, vendor
signatures can never catch anything new or reflect unique business
deployments. Sentrigo's approach is very useful in alerting security to
a problem, and the problem will be corrected with virtual patching,
signature filters, or other static means."
Ogren added that there is no easy answer for database security.
"It is not a defense-in-depth story; rather [it requires] an integrated
approach," he said.
Check out eWEEK.com's for the latest database news, reviews and analysis.