DB Networks Brings Layer 7 Insider Threat Detection to Databases

DB Networks’ Layer 7 Database Sensor brings a new paradigm to insider threat detection by incorporating data flow analysis. Here’s how it detects and responds to potential threats.

DB Networks takes a no nonsense approach to the main menu, offering clearly defined submenu options that make it easy to associate a given task with a visual element. Pull-down menus reveal additional features, while the primary capabilities, where administrators will spend most of their time, are presented as clickable buttons on the browser-based interface.

Insider risk analysis is the name of the game with this product, and the elements that make up risk are clearly presented in a dashboard fashion. The product uses the term “stability” as the litmus test of insider threats. For example, traffic considered normal by the adaptive models is labeled as “Highly Stable.” Traffic that deserves further attention is labeled “Highly Volatile.” Color-coded graphs indicate the ratios of the various data flows, and administrators can simply click on most any element to drill down further into traffic data.

From the main dashboard, administrators can further investigate events identified as volatile. The insider risk analysis information is presented in the Data Flow Explorer using a drill-down methodology that offers the ability to highlight a particular attribute of a data flow. For example, administrators can filter by high-risk events and then delve into a particular aspect of the data flow to judge whether particular events suggest the presence of a cyber-threat.

The Data Flow Explorer offers the ability to determine the context of an element recorded in a data flow. Here, actions that have a context of high volatility are graphed out and compared with low volatility or highly stable actions. That makes it easier for administrators to conceptualize how many data flows are suspect and the ratio of those data flows to acceptable traffic.

Administrators can further parse potentially suspicious events to establish time frames for when events occurred and then further drill down into the details of the data flows during that time period. Relevant information such as IP addresses, data tables impacted, services used and so forth can be readily displayed, making the forensics process that much easier.

Data flows also record the types of access used during a transaction and then offers insight as to whether or not those access events fall out of established norms. Here the Data Flow Explorer can be used to judge how suspicious the access event was and offers a graphical representation that compares volatility with stable access. The number of flows are represented as well as what the flows consisted of.

One of the unique features included in Layer 7 Database Sensor is the ability to simulate events that can be identified as vulnerabilities. Administrators have access to a scratch pad that can be used to test SQL statements to measure how vulnerable certain transactions are and what impact those statements may have on a database server. This can be accomplished without putting live assets at risk. What’s more, the vulnerability simulator can be paired with honey pot databases to attract attacks and then dissect those attacks to determine how vulnerabilities are being used.

Using a honey pot strategy, administrators can build traps to catch intruders in the act. Honey pots can serve multiple purposes. They can be used as decoys to keep infiltrators away from live assets, or they can be used to attract attackers as a way to monitor their activities and methods. What’s more, a honey pot proves to be a useful forensic tool, one that can be used to track the transition of an attacker from the honey pot to other assets.

One of the core capabilities of the product is the ability to explore events. In this example, the administrator was able to drill down to an event, which was triggered by a “monitor honey pot” rule. The event revealed that user Fred was attempting to access the honey pot, and now the administrator has the information to explore the event much further.

With a potential data theft identified, administrators can drill further down into the elements that made up a suspicious data access. For example, suspicious user activity can be tracked to determine what other databases the user accessed and whether or not those transactions were equally suspicious. This example reveals that user Fred has attempted to access other databases that he had not done in the past. This may indicate that Fred is an insider threat or that Fred’s credentials have been compromised.

By drilling down into data flows, other relevant information can be discovered. For example, an administrator delving further into the user Fred situation was quickly able to correlate data flow events to determine that multiple databases had been accessed, indicating that data exfiltration may be occurring.

The Data Flow Explorer has multiple uses when it comes to defining insider threats. In this example, a trusted employee (in this case, a systems administrator) has given two weeks’ notice. That means there is a potential for data exfiltration, either intentional or not. In that situation, an organization needs to know what the employee can access. Here, the Data Flow Explorer can be used to determine what databases the user can access and how they were accessed.

There are times when temporary rules must be created to watch for certain events, such as an employee giving notice. Here, DB Networks allows the creation of rules that can create alerts when certain events occur. For example, the rule outlined above will trigger an alert if user SA accesses service ATMS.

One of the more useful rule creation features offered in Layer 7 Database Sensor is the ability to mine the SQL commands discovered in an anomalous event and then create a new rule around it. Here, administrators can download the discovered statements and use that information to create new rules, test for vulnerabilities or score the likelihood that those statements reveal a vulnerability.