Organizations should be putting in database security products to protect the data where it lives, instead of relying on the perimeter.
When cyber-attackers breach an organization's network, the
database is usually their target. However, many organizations are so focused on
protecting the perimeter that they don't think about protecting the database
itself, according to several security experts.
Many organizations still think that protecting the perimeter
is sufficient to protect the data, but as recent data breaches at Epsilon
have shown, traditional perimeter security can't be relied on to protect
the data, Josh Shaul, CTO of Application Security, told eWEEK. It's a "losing
battle" to try to protect every single endpoint within the organization, Shaul
That's not to suggest that organizations shouldn't be
investing in firewalls and other security products. Shaul recommended the
layered model, where attackers have to get past multiple gatekeepers before
they even get to the database. Organizations should be thinking, "When the
perimeter fails, what's next?" and combining all the layers to pinpoint when
something is wrong, according to Shaul.
It's ironic that "the closer we get to the data, we see
fewer preventive controls and more detection measures," Shaul said. IT
departments are more likely to have deployed products that send out alerts that
a breach has occurred, than ones that actively block the threat from getting in
to the database. Most blocking technologies are still deployed on the
perimeter, according Shaul.
Organizations still assume that all activity hitting the
database is "untrusted," Shaul said. Instead, they should monitor all requests
to figure out whether the activity is normal or malicious.
Continuous, real-time monitoring is crucial to detect
suspicious or unauthorized activity within the database, Phil Neray, vice
president of data security strategy and information management at IBM, told
eWEEK. Database activity monitoring allows security managers to catch anyone
who is trying to get access to information they shouldn't be able to obtain.
"Outsiders typically look like insiders once they can log in
to the network," Neray said.
Suspicious activity could take the form of a single user
account, such as a customer service representatitive, downloading hundreds of
sensitive data records in a single day. Organizations should also be monitoring
"privileged users," or users with special authority or permissions over
multiple applications or systems, to ensure they have not been hijacked.
Attackers often go after "softer, easier targets" such as
support systems and use that to gain a foothold in the network, Shaul said.
Once in, they can expand to more critical and valuable systems by looking for
other user accounts that have access. The idea that requests from some user
accounts are safe should be "thrown out the window," Shaul said.
Attackers often gain control of privileged accounts via SQL
injection, according to Neray. Database activity monitoring can detect
third-party intrusions as well as detect "behavioral" issues such as when user
accounts are being shared, he said.
SQL injection attacks, where attackers embed database
queries into a form on a Website and submit them to trick the database into
returning results, remains a popular attack vector because they lead an
attacker directly to the database, Shaul said.
While database activity monitoring is not new, it has only
been "within the last couple years" that the technology has really taken off,
according to Adrian Lane, CTO and analyst at Securosis.
Many customers are not sure whether they should be investing
in hardware, virtual systems or software products to protect the database, Lane
said. Even after they figure out what product to use, they are still unsure
about basic setup and administration.
In a white paper, "Software
vs. Appliance: Database Activity Monitoring Deployment Tradeoffs
noted that while there was no "single -best' deployment model," the
"functional" capabilities within software-based, hardware-based and virtualized
database activity monitoring products were "shrinking." Organizations should
consider the products in the context of their environment, such as not getting
an appliance if the corporate goal is to virtualize all servers, for example.