DB Networks Brings Layer 7 Insider Threat Detection to Databases

By Frank Ohlhorst  |  Posted 2016-07-28
 
1 - DB Networks Brings Layer 7 Insider Threat Detection to Databases

DB Networks' Layer 7 Database Sensor brings a new paradigm to insider threat detection by incorporating data flow analysis. Here's how it detects and responds to potential threats.
2 - Here's the Primary GUI for the Layer 7 Database Sensor

DB Networks takes a no-nonsense approach to the main menu, offering clearly defined submenu options that make it easy to associate a given task with a visual element. Pull-down menus reveal additional features, while the primary capabilities, where administrators will spend most of their time, are presented as clickable buttons on the browser-based interface.
3 - Dashboard Highlights Insider Risk Analysis

Insider risk analysis is the name of the game with this product, and the elements that make up risk are clearly presented in a dashboard fashion. The product uses the term "stability" as the litmus test for insider threats. For example, traffic considered normal by the adaptive models is labeled "Highly Stable," while traffic that deserves further attention is labeled "Highly Volatile." Color-coded graphs indicate the ratios of the various data flows, and administrators can simply click on almost any element to drill down further into the traffic data.
4 - Track Risk Analysis on Data Flow Explorer

From the main dashboard, administrators can further investigate events identified as volatile. The insider risk analysis information is presented in the Data Flow Explorer using a drill-down methodology that makes it possible to highlight a particular attribute of a data flow. For example, administrators can filter by high-risk events and then delve into one aspect of the data flow to judge whether the events suggest the presence of a cyber-threat.
5 - Data Flow Explorer Reveals Context of Suspicious Traffic

The Data Flow Explorer offers the ability to determine the context of an element recorded in a data flow. Here, actions that have a context of high volatility are graphed out and compared with low-volatility or highly stable actions. That makes it easier for administrators to conceptualize how many data flows are suspect and the ratio of those data flows to acceptable traffic.
6 - Time Filters Help With Data Flow Analysis

Administrators can further parse potentially suspicious events to establish time frames for when events occurred and then drill down into the details of the data flows during that time period. Relevant information such as IP addresses, data tables impacted, services used and so forth can be readily displayed, making the forensics process that much easier.
7 - Data Access Metrics Provide More Insight

Data flows also record the types of access used during a transaction and then offer insight as to whether or not those access events fall outside established norms. Here the Data Flow Explorer can be used to judge how suspicious an access event was, and it offers a graphical representation that compares volatile with stable access. The number of flows is represented, as well as what the flows consisted of.
8 - Vulnerability Simulator Tests SQL Statements

One of the unique features included in Layer 7 Database Sensor is the ability to simulate events that can be identified as vulnerabilities. Administrators have access to a scratch pad that can be used to test SQL statements to measure how vulnerable certain transactions are and what impact those statements may have on a database server. This can be accomplished without putting live assets at risk. What's more, the vulnerability simulator can be paired with honey pot databases to attract attacks and then dissect those attacks to determine how vulnerabilities are being used.
9 - Using Data Flow Explorer to Monitor Activity

Using a honey pot strategy, administrators can build traps to catch intruders in the act. Honey pots can serve multiple purposes. They can be used as decoys to keep infiltrators away from live assets, or they can be used to attract attackers as a way to monitor their activities and methods. What's more, a honey pot proves to be a useful forensic tool, one that can be used to track the transition of an attacker from the honey pot to other assets.
10 - Analyzing Honey Pot Intrusions

One of the core capabilities of the product is the ability to explore events. In this example, the administrator was able to drill down to an event that was triggered by a "monitor honey pot" rule. The event revealed that user Fred was attempting to access the honey pot, and now the administrator has the information to explore the event much further.
11 - Analyzing User Actions

With a potential data theft identified, administrators can drill further down into the elements that made up a suspicious data access. For example, suspicious user activity can be tracked to determine what other databases the user accessed and whether or not those transactions were equally suspicious. This example reveals that user Fred has attempted to access other databases that he had not accessed in the past. This may indicate that Fred is an insider threat or that Fred's credentials have been compromised.
12 - Drilling Deeper Into Data Flows

By drilling down into data flows, other relevant information can be discovered. For example, an administrator delving further into the user Fred situation was quickly able to correlate data flow events to determine that multiple databases had been accessed, indicating that data exfiltration may be occurring.
13 - Exploring Suspicious Access With Data Flow Explorer

The Data Flow Explorer has multiple uses when it comes to defining insider threats. In this example, a trusted employee (in this case, a systems administrator) has given two weeks' notice. That means there is a potential for data exfiltration, either intentional or not. In that situation, an organization needs to know what the employee can access. Here, the Data Flow Explorer can be used to determine what databases the user can access and how they were accessed.
14 - Creating Temporary Rules to Monitor Data Access

There are times when temporary rules must be created to watch for certain events, such as an employee giving notice. Here, DB Networks allows the creation of rules that generate alerts when certain events occur. For example, the rule outlined above will trigger an alert if user SA accesses service ATMS.
15 - Setting Rules to Mine SQL Commands

One of the more useful rule creation features offered in Layer 7 Database Sensor is the ability to mine the SQL commands discovered in an anomalous event and then create a new rule around them. Here, administrators can download the discovered statements and use that information to create new rules, test for vulnerabilities or score the likelihood that those statements reveal a vulnerability.
 

DB Networks has combined the elements of machine learning with data flow analysis to create an insider threat detection platform that couples evolving behavior models with rules-based execution. The company's Layer 7 Database Sensor can be incorporated into DB Networks' own DBN-6300 database cyber-security appliance or integrated into other OEM security appliances to bring deep protocol analysis to database traffic. DB Networks' offering brings a new paradigm to insider threat detection by incorporating a methodology known as data flow analysis. DB Networks defines a data flow as an entity that consists of 10 unambiguous attributes, which define communications with a database. The company's data flow analytics capability focuses on identity, target, payload, resources and data to determine the stability of an access event. Any transactions that fall out of the norms established by the machine learning-based models are considered suspect and can trigger various responses based upon defined rules. All that information is presented in easy-to-understand graphical dashboards that support full drill-down into individual data flows. This eWEEK slide show takes a closer look at how the DB Networks Layer 7 Database Sensor detects and responds to potential threats.
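As an added illustration, not DB Networks' code or its actual model, the following deliberately simplified Python baseline-and-rule check over constructed flow records shows the idea behind the "Highly Stable"/"Highly Volatile" labels, the drill-down into Fred's previously unseen database accesses, and alert rules such as "monitor honey pot" and the SA/ATMS rule. The five-attribute flow tuple (standing in for the product's ten), the user and service names, and the rule predicates are all assumptions.

```python
from collections import defaultdict
# Constructed sample data flows: (user, client_ip, service, table, action).
# Five attributes stand in for DB Networks' ten (assumption, not the real format).
BASELINE_FLOWS = [
    ("fred", "10.0.1.20", "CRM", "customers", "SELECT"),
    ("fred", "10.0.1.20", "CRM", "orders", "SELECT"),
    ("sa", "10.0.0.5", "ATMS", "accounts", "UPDATE"),
    ("alice", "10.0.1.33", "HR", "employees", "SELECT"),
]
RECENT_FLOWS = [
    ("fred", "10.0.1.20", "CRM", "customers", "SELECT"),    # seen before
    ("fred", "10.0.1.20", "HR", "employees", "SELECT"),     # new service
    ("fred", "10.0.1.20", "PAYROLL", "salaries", "SELECT"), # new service
    ("fred", "10.0.1.20", "HONEYPOT", "cards", "SELECT"),   # decoy database
    ("sa", "10.0.0.5", "ATMS", "accounts", "SELECT"),       # SA/ATMS rule target
]

# Hypothetical rules in the style of the slides: name -> predicate on a flow.
RULES = {
    "monitor honey pot": lambda f: f[2] == "HONEYPOT",
    "monitor SA": lambda f: f[0] == "sa" and f[2] == "ATMS",
}

def build_baseline(flows):
    """Learn, per user, the (service, table, action) triples seen in normal traffic."""
    baseline = defaultdict(set)
    for user, _ip, service, table, action in flows:
        baseline[user].add((service, table, action))
    return baseline

def classify(flow, baseline):
    """Two-level stand-in for the stability scale: known triple -> stable, unseen -> volatile."""
    user, _ip, service, table, action = flow
    known = (service, table, action) in baseline.get(user, set())
    return "Highly Stable" if known else "Highly Volatile"

def analyze(recent, baseline, rules=RULES):
    """Label every recent flow and list the rules it triggers (the alert events)."""
    return [(flow, classify(flow, baseline),
             [name for name, pred in rules.items() if pred(flow)])
            for flow in recent]

def volatile_services(results, user):
    """Drill-down: which services did this user touch in volatile flows?"""
    return sorted({f[2] for f, label, _ in results
                   if f[0] == user and label == "Highly Volatile"})

def volatility_ratio(results):
    """Share of flows labelled volatile, as the dashboard's ratio graphs present it."""
    volatile = sum(1 for _, label, _ in results if label == "Highly Volatile")
    return volatile / len(results)
```

A real deployment would learn the baseline continuously and over all ten attributes rather than from a fixed list, but the drill-down from a volatile label to the specific new services a user touched is the same workflow the slides describe.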
