    DB Networks Brings Layer 7 Insider Threat Detection to Databases

    By
    Frank J. Ohlhorst
    -
    July 28, 2016

      1. DB Networks Brings Layer 7 Insider Threat Detection to Databases

      DB Networks’ Layer 7 Database Sensor brings a new paradigm to insider threat detection by incorporating data flow analysis. Here’s how it detects and responds to potential threats.

      2. Here’s the Primary GUI for the Layer 7 Database Sensor
      Image caption: Main menu

      DB Networks takes a no-nonsense approach to the main menu, offering clearly defined submenu options that make it easy to associate a given task with a visual element. Pull-down menus reveal additional features, while the primary capabilities, where administrators will spend most of their time, are presented as clickable buttons on the browser-based interface.

      3. Dashboard Highlights Insider Risk Analysis
      Image caption: Insider Risk Analysis

      Insider risk analysis is the name of the game with this product, and the elements that make up risk are clearly presented in a dashboard fashion. The product uses the term “stability” as the litmus test of insider threats. For example, traffic considered normal by the adaptive models is labeled as “Highly Stable.” Traffic that deserves further attention is labeled “Highly Volatile.” Color-coded graphs indicate the ratios of the various data flows, and administrators can simply click on almost any element to drill down further into traffic data.

      4. Track Risk Analysis on Data Flow Explorer
      Image caption: Data Flow Explorer – Deep dive into volatile events context

      From the main dashboard, administrators can further investigate events identified as volatile. The insider risk analysis information is presented in the Data Flow Explorer using a drill-down methodology that offers the ability to highlight a particular attribute of a data flow. For example, administrators can filter by high-risk events and then delve into a particular aspect of the data flow to judge whether particular events suggest the presence of a cyber-threat.

      5. Data Flow Explorer Reveals Context of Suspicious Traffic
      Image caption: Data flow explorer – drill up high and low

      The Data Flow Explorer offers the ability to determine the context of an element recorded in a data flow. Here, actions that have a context of high volatility are graphed out and compared with low volatility or highly stable actions. That makes it easier for administrators to conceptualize how many data flows are suspect and the ratio of those data flows to acceptable traffic.

      6. Time Filters Help With Data Flow Analysis
      Image caption: Data flow explorer – drill down to selected time frame and context volatile events

      Administrators can further parse potentially suspicious events to establish time frames for when events occurred and then further drill down into the details of the data flows during that time period. Relevant information such as IP addresses, data tables impacted, services used and so forth can be readily displayed, making the forensics process that much easier.

      7. Data Access Metrics Provide More Insight
      Image caption: Data flow explorer – drill down to access volatility

      Data flows also record the type of access used during a transaction and offer insight into whether those access events fall outside established norms. Here the Data Flow Explorer can be used to judge how suspicious an access event was; it offers a graphical representation that compares volatile with stable access. The number of flows is shown, as well as what the flows consisted of.

      8. Vulnerability Simulator Tests SQL Statements
      Image caption: Vulnerability Simulator for Building Honey Pots

      One of the unique features included in Layer 7 Database Sensor is the ability to simulate events that can be identified as vulnerabilities. Administrators have access to a scratch pad that can be used to test SQL statements to measure how vulnerable certain transactions are and what impact those statements may have on a database server. This can be accomplished without putting live assets at risk. What’s more, the vulnerability simulator can be paired with honey pot databases to attract attacks and then dissect those attacks to determine how vulnerabilities are being used.

      9. Using Data Flow Explorer to Monitor Activity
      Image caption: Monitoring a honey pot in data flow explorer

      Using a honey pot strategy, administrators can build traps to catch intruders in the act. Honey pots can serve multiple purposes. They can be used as decoys to keep infiltrators away from live assets, or they can be used to attract attackers as a way to monitor their activities and methods. What’s more, a honey pot proves to be a useful forensic tool, one that can be used to track the transition of an attacker from the honey pot to other assets.

      10. Analyzing Honey Pot Intrusions
      Image caption: Insider Risk – Events – Why is fred in the honey pot

      One of the core capabilities of the product is the ability to explore events. In this example, the administrator was able to drill down to an event, which was triggered by a “monitor honey pot” rule. The event revealed that user Fred was attempting to access the honey pot, and now the administrator has the information to explore the event much further.

      11. Analyzing User Actions
      Image caption: Data Flow Explorer – What else is fred up to, more than one IT

      With a potential data theft identified, administrators can drill further down into the elements that made up a suspicious data access. For example, suspicious user activity can be tracked to determine what other databases the user accessed and whether or not those transactions were equally suspicious. This example reveals that user Fred has attempted to access other databases that he had not accessed in the past. This may indicate that Fred is an insider threat or that Fred’s credentials have been compromised.

      12. Drilling Deeper Into Data Flows
      Image caption: Data flow Explorer – Fred Has Been Reading from a Bunch of Other Databases

      By drilling down into data flows, other relevant information can be discovered. For example, an administrator delving further into the user Fred situation was quickly able to correlate data flow events to determine that multiple databases had been accessed, indicating that data exfiltration may be occurring.

      13. Exploring Suspicious Access With Data Flow Explorer
      Image caption: Data Flow – SA Gave 2 Weeks Notice – What Can he touch

      The Data Flow Explorer has multiple uses when it comes to defining insider threats. In this example, a trusted employee (in this case, a systems administrator) has given two weeks’ notice. That means there is a potential for data exfiltration, either intentional or not. In that situation, an organization needs to know what the employee can access. Here, the Data Flow Explorer can be used to determine what databases the user can access and how they were accessed.

      14. Creating Temporary Rules to Monitor Data Access
      Image caption: Create Monitor SA Rule to Monitor SA activity until left

      There are times when temporary rules must be created to watch for certain events, such as an employee giving notice. Here, DB Networks allows the creation of rules that can create alerts when certain events occur. For example, the rule outlined above will trigger an alert if user SA accesses service ATMS.
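The slides describe what the sensor shows but not how the labels and rules are computed. The following Python script is an added example written for this article (it is not DB Networks' code and makes no claim about how the Layer 7 Database Sensor is implemented) that reproduces the ideas of slides 3, 10, 11, 12 and 14 in miniature: a per-user baseline of services learned from a training window, later flows labelled "stable" or "volatile" against that baseline, a drill-down that lists the services a user touched outside the baseline, and two ad hoc rules in the spirit of "monitor honey pot" and "monitor SA". All flows, user names, IP addresses, service names (including the honey pot name) and SQL text are constructed sample data.

```python
"""Baseline-based volatility labelling of database data flows plus simple
alert rules. Added illustration, not vendor code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str       # timestamp of the captured statement
    user: str     # database login observed on the wire
    src_ip: str   # client address
    service: str  # target database / service name
    sql: str      # statement text as captured


# Constructed sample data: a learning period used to build the baseline ...
BASELINE_FLOWS = [
    Flow("2016-07-01T09:00", "fred", "10.0.5.21", "CRM", "SELECT name FROM customers WHERE id = 7"),
    Flow("2016-07-01T09:05", "fred", "10.0.5.21", "CRM", "SELECT email FROM customers WHERE id = 9"),
    Flow("2016-07-02T10:00", "sa", "10.0.9.3", "ATMS", "SELECT count(*) FROM atm_events"),
    Flow("2016-07-02T10:30", "sa", "10.0.9.3", "HR", "UPDATE payroll SET run = 1 WHERE id = 3"),
]

# ... and a later observation window in which Fred wanders off his usual path.
NEW_FLOWS = [
    Flow("2016-07-20T02:10", "fred", "10.0.5.21", "CRM", "SELECT name FROM customers WHERE id = 12"),
    Flow("2016-07-20T02:11", "fred", "10.0.5.21", "HR", "SELECT * FROM payroll"),
    Flow("2016-07-20T02:12", "fred", "10.0.5.21", "FINANCE", "SELECT * FROM invoices"),
    Flow("2016-07-20T02:13", "fred", "10.0.5.21", "HONEYPOT_ACCOUNTS", "SELECT * FROM accounts"),
    Flow("2016-07-21T14:00", "sa", "10.0.9.3", "ATMS", "SELECT * FROM atm_events"),
]

# Assumed (constructed) name of a decoy database in the style of slide 9.
HONEY_POT_SERVICES = {"HONEYPOT_ACCOUNTS"}

# Rules as (name, predicate over a flow); mirrors slides 10 and 14.
RULES = [
    ("monitor honey pot", lambda f: f.service in HONEY_POT_SERVICES),
    ("monitor SA", lambda f: f.user == "sa" and f.service == "ATMS"),
]


def build_baseline(flows):
    """Map each user to the set of services seen during the learning period."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.user].add(f.service)
    return baseline


def classify(flow, baseline):
    """'stable' if this user has touched this service before, else 'volatile'."""
    return "stable" if flow.service in baseline.get(flow.user, set()) else "volatile"


def evaluate(new_flows, baseline, rules=RULES):
    """Label every flow, fire matching rules, and summarise volatility per user."""
    labels, alerts = [], []
    summary = defaultdict(lambda: {"stable": 0, "volatile": 0, "new_services": set()})
    for f in new_flows:
        label = classify(f, baseline)
        labels.append((f.ts, f.user, f.service, label))
        summary[f.user][label] += 1
        if label == "volatile":
            summary[f.user]["new_services"].add(f.service)
        for name, predicate in rules:
            if predicate(f):
                alerts.append((name, f.user, f.service, f.ts))
    return labels, alerts, dict(summary)


def drill_down(new_flows, user, baseline):
    """'What else is Fred up to': services the user touched outside the baseline."""
    return sorted({f.service for f in new_flows
                   if f.user == user and classify(f, baseline) == "volatile"})


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    labels, alerts, summary = evaluate(NEW_FLOWS, base)
    for row in labels:
        print(row)
    for alert in alerts:
        print("ALERT", alert)
    print("fred outside baseline:", drill_down(NEW_FLOWS, "fred", base))
```

Run as-is, the script labels Fred's CRM query stable and his HR, FINANCE and honey pot reads volatile, fires the honey pot rule for Fred and the SA rule for the sa login, and the drill-down lists the three services Fred had never used before. A real sensor would score stability on many more attributes than the user/service pair (statement shape, time of day, row volume, client address), which is why the product's slides talk about ratios of volatile to stable flows rather than a binary flag.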

      15. Setting Rules to Mine SQL Commands
      Image caption: SA SQL Commands Discovered and relayed as events

      One of the more useful rule creation features offered in Layer 7 Database Sensor is the ability to mine the SQL commands discovered in an anomalous event and then create a new rule around it. Here, administrators can download the discovered statements and use that information to create new rules, test for vulnerabilities or score the likelihood that those statements reveal a vulnerability.
