Application Security updated its database-activity-monitoring tool with threat blocking that responds to suspicious database activity.
The enhancements to DbProtect version 6.3 include the ability to block real-time attacks and unauthorized activities, Application Security said June 13. Blocking will be added to the audit and threat-management module in DbProtect and will depend on the company's SHATTER Knowledgebase for the most up-to-date information on database vulnerabilities and threats.
Application Security also incorporated a set of incident response actions that allow DbProtect to automatically quarantine accounts and send alerts to appropriate staff members. The tool's management console will allow the database administrators to specify which blocking actions should be used for which conditions.
"Today's cyber-threats pose significant risk to the confidentiality of digital information within companies, and blocking adds an additional layer of defense to thwart unauthorized activity," said Josh Shaul, CTO of AppSec.
Administrators can configure DbProtect to automatically block users when "inappropriate activity" is detected. The blocking rule will be triggered whenever there's any communication between the user and the database that violates a security policy. For example, if an employee responsible for database performance tries to access data stored in the database for which they aren't responsible, then a rule enforcing segregation of duties would be triggered and that employee's access blocked.
Blocking can also be used as part of the organization's data-leakage-protection strategy. The administrator can set up a policy that would be triggered whenever anyone attempts to download large amounts of sensitive data or performs downloads at odd times. Blocking these queries ensures the data does not leave the database, according to Application Security.
"The closer we get to the data, we see fewer preventive controls and more detection measures," Shaul told eWEEK. Organizations often deploy database-security products that send out alerts when there's unauthorized activity instead of ones that actively block the threat, Shaul said. Additionally, organizations are often not monitoring database activity or responding appropriately when they uncover a problem in the logs.
Many exploits and attacks could be easily mistaken for normal database activity by IT professionals without specific database-security experience. It would be difficult for an administrator to distinguish between normal user activity and activity from a user account being exploited by an attacker, but DbProtect would be able to easily check user privileges and automatically respond. The automated response is critical to stop the breach before the attacker can do real damage, according to Application Security.
Blocking should be considered a last line of defense against intruders that have managed to slip past other security measures protecting the database, Shaul said.
Noting that it can be difficult and expensive to patch databases "within a reasonable timeframe," Application Security said the blocking capability can be used to supplement the company's security update service. Administrators can set up policies to detect activity exploiting a known database vulnerability and block all such attempts, compensating for the fact that the vulnerability hasn't been patched yet, the company told eWEEK.
Application Security also added rights-management support for DB2 and Sybase environments to DbProtect. Support already exists for Oracle and Microsoft SQL Server. The Rights Management module allows administrators to identify all privileged users and review capabilities in a heterogeneous database environment. The module also allows organizations to implement the principle of least privilege, which provides users and applications the minimum amount of information they need.
DbProtect 6.3 is expected in the third quarter and will be included as a free upgrade for existing customers.