Cyber-Attacks Highlight Need to Focus on Stronger Database Security

Organizations should be putting in database security products to protect the data where it lives, instead of relying on the perimeter.

When cyber-attackers breach an organization's network, the database is usually their target. However, many organizations are so focused on protecting the perimeter that they don't think about protecting the database itself, according to several security experts.

Many organizations still think that protecting the perimeter is sufficient to protect the data, but as recent data breaches at Epsilon and Sony have shown, traditional perimeter security can't be relied on to protect the data, Josh Shaul, CTO of Application Security, told eWEEK. It's a "losing battle" to try to protect every single endpoint within the organization, Shaul said.

That's not to suggest that organizations shouldn't be investing in firewalls and other security products. Shaul recommended the layered model, where attackers have to get past multiple gatekeepers before they even get to the database. Organizations should be thinking, "When the perimeter fails, what's next?" and combining all the layers to pinpoint when something is wrong, according to Shaul.

It's ironic that "the closer we get to the data, we see fewer preventive controls and more detection measures," Shaul said. IT departments are more likely to have deployed products that send out alerts that a breach has occurred, than ones that actively block the threat from getting in to the database. Most blocking technologies are still deployed on the perimeter, according Shaul.

Organizations still assume that all activity hitting the database is "untrusted," Shaul said. Instead, they should monitor all requests to figure out whether the activity is normal or malicious.

Continuous, real-time monitoring is crucial to detect suspicious or unauthorized activity within the database, Phil Neray, vice president of data security strategy and information management at IBM, told eWEEK. Database activity monitoring allows security managers to catch anyone who is trying to get access to information they shouldn't be able to obtain.

"Outsiders typically look like insiders once they can log in to the network," Neray said.

Suspicious activity could take the form of a single user account, such as a customer service representatitive, downloading hundreds of sensitive data records in a single day. Organizations should also be monitoring "privileged users," or users with special authority or permissions over multiple applications or systems, to ensure they have not been hijacked.

Attackers often go after "softer, easier targets" such as support systems and use that to gain a foothold in the network, Shaul said. Once in, they can expand to more critical and valuable systems by looking for other user accounts that have access. The idea that requests from some user accounts are safe should be "thrown out the window," Shaul said.

Attackers often gain control of privileged accounts via SQL injection, according to Neray. Database activity monitoring can detect third-party intrusions as well as detect "behavioral" issues such as when user accounts are being shared, he said.

SQL injection attacks, where attackers embed database queries into a form on a Website and submit them to trick the database into returning results, remains a popular attack vector because they lead an attacker directly to the database, Shaul said.

While database activity monitoring is not new, it has only been "within the last couple years" that the technology has really taken off, according to Adrian Lane, CTO and analyst at Securosis.

Many customers are not sure whether they should be investing in hardware, virtual systems or software products to protect the database, Lane said. Even after they figure out what product to use, they are still unsure about basic setup and administration.

In a white paper, "Software vs. Appliance: Database Activity Monitoring Deployment Tradeoffs," Lane noted that while there was no "single -best' deployment model," the "functional" capabilities within software-based, hardware-based and virtualized database activity monitoring products were "shrinking." Organizations should consider the products in the context of their environment, such as not getting an appliance if the corporate goal is to virtualize all servers, for example.