Building Security Audits with Extended Events
  1. Building Security Audits with Extended Events
  2. Introduction: Jason Strate
      e: jstrate@pragmaticworks.com
      e: jasonstrate@gmail.com
      b: www.jasonstrate.com
      t: StrateSQL
      Resources: jasonstrate.com/go/xevents
      MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
  3. Pragmatic Works Company History
      • Founded 2008 by MSFT MVP Brian Knight
      • Focused on the MSFT SQL Server Platform
      • Provides services, training and software
      • MSFT/HP “go to” partner
      • Gold Certified:
        o BI
        o Data Management
        o SQL Performance
      • Team led by multiple MVPs
      • Offices throughout the US with Corporate HQ in Jacksonville, FL
  4. It’s 12 o’clock…
  5. Do you know where your data is?
  6. Do you know who is accessing your data?
  7. > ACCESS GRANTED!
  8. Agenda: Why Security Audits?; Security Audit Components; Building a Login Audit; Building a Query Audit
  9. Agenda: Why Security Audits?; Security Audit Components; Building a Login Audit; Building a Query Audit
  10. Why Do We Need Security Audits? Regulations, Corporate Policy, Responsibilities
  11. Most Important Reason: Everyone Lies! Even Unicorns, While They Are Doing Their Jobs
  12. Validate Security: Data, Users
  13. Types of Audits: Common Criteria Compliance, C2 Audit Tracing, SQL Audit, Extended Events
  14. Types of Audits: Common Criteria Compliance, C2 Audit Tracing, SQL Audit, Extended Events
  15. CCC and C2 Concerns
      • Difficult to manage
      • Too much data
      • Too little control
      • Behavior changes in SQL Server
  16. SQL Audit
      • Two audit levels
        – Server (Instance)
        – Database
      • Captures preset data
      • Sync or async targets
        – File
        – Security log
        – Application log
      • Standard and Enterprise
        – SQL Server 2012
  17. SQL Audit
      • No control on columns
        – Maybe too much data
      • Limited output formats
        – Maybe need in-flight aggregation
      • Need something less?
      Perfect for tracking permissions changes, login creation, DBCC activity, backups and restores, etc.
  18. Do you know SQL Audit?
  19. SQL AUDIT Demo
  20. “Lower” Solution
      • Less invasive
      • Temporary need
      • Scenarios…
        – What about Bob, the New DBA?
        – How often is Sally accessing the database?
        – What is the application logon/logout frequency?
  21. Agenda: Why Security Audits?; Security Audit Components; Building a Login Audit; Building a Query Audit
  22. Components: Events, Actions, Predicates, Targets, Packages
  23. Packages
      • sqlserver
      • SecAudit
  24. Events
      • Logon
      • Logout
      • SQL Statement Starting
      • RPC Starting
      • Module Start
      • SQL Batch Starting
  25. Actions
      • User Name
      • Client App Name
      • Client Hostname
      • Database Id
      • Database Name
      • NT Username
      • Server Instance Name
      • Server Principal Name
      • SQL Text
      • User Name
  26. PREDICATES
      WHERE
      • Equal
      • Greater Than
      • Less Than
      • Not Equal
      • LIKE
      FILTERS
      • AND
      • OR
  27. Targets
      • File Target
      • Ring Buffer
      • Event Stream
  28. Agenda: Why Security Audits?; Security Audit Components; Building a Login Audit; Building a Query Audit
  29. Login Scenario
      • How often is a login being used?
      • When are logins occurring?
      • What applications are using a login?
      • What host has the most logins?
  30. Login Audits
      • Connection Tracking template
        – Login
        – Logout
        – Connectivity Ring Buffer Recorded
      • Targets
        – File target for long term analysis
        – Ring buffer for short term activity
        – Event stream for real-time analysis
  31. LOGIN AUDITS Demo
  32. Agenda: Why Security Audits?; Security Audit Components; Building a Permissions Audit; Building a Query Audit
  33. Query Audit
      • What queries did the new DBA run?
      • What is being run against XYZ database?
      • What is the developer doing that keeps causing SEVERITY 20 errors?
  34. Query Audit
      • Query level auditing
        – RPC Starting
        – Module Start
        – SP Statement Starting
        – SQL Batch Starting
        – SQL Statement Starting
      • Targets
        – Same as Login Audit
  35. QUERY AUDIT Demo
  36. Any Questions?
  37. Learn More About Extended Events
  38. Services: Speed development through training, and rapid development services from Pragmatic Works.
      Products: BI products to convert to a Microsoft BI platform and simplify development on the platform.
      Foundation: Helping those who do not have the means to get into information technology achieve their dreams.
      For more information…
      Name: Jason Strate
      Email: jstrate@pragmaticworks.com
      Blog: www.jasonstrate.com
      Resource: jasonstrate.com/go/xevents
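
The query audit from slides 33 and 34, as an added example that is not from the deck. The login `CONTOSO\bob` and database `XYZ` are placeholders for the slides' new-DBA and XYZ-database scenarios, the session name is an assumption, and results are read back from the ring buffer target.

```sql
-- Added example. Session name, login CONTOSO\bob and database XYZ are
-- placeholders for the "Bob, the New DBA" and "XYZ database" scenarios.
CREATE EVENT SESSION [QueryAudit] ON SERVER
ADD EVENT sqlserver.rpc_starting (
    ACTION (sqlserver.server_principal_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE (sqlserver.server_principal_name = N'CONTOSO\bob'
           AND sqlserver.database_name = N'XYZ')),
ADD EVENT sqlserver.module_start (
    ACTION (sqlserver.server_principal_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE (sqlserver.server_principal_name = N'CONTOSO\bob'
           AND sqlserver.database_name = N'XYZ')),
ADD EVENT sqlserver.sp_statement_starting (
    ACTION (sqlserver.server_principal_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE (sqlserver.server_principal_name = N'CONTOSO\bob'
           AND sqlserver.database_name = N'XYZ')),
ADD EVENT sqlserver.sql_batch_starting (
    ACTION (sqlserver.server_principal_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE (sqlserver.server_principal_name = N'CONTOSO\bob'
           AND sqlserver.database_name = N'XYZ')),
ADD EVENT sqlserver.sql_statement_starting (
    ACTION (sqlserver.server_principal_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE (sqlserver.server_principal_name = N'CONTOSO\bob'
           AND sqlserver.database_name = N'XYZ'))
ADD TARGET package0.ring_buffer (SET max_memory = (8192))   -- KB
WITH (MAX_DISPATCH_LATENCY = 5 SECONDS);
GO
ALTER EVENT SESSION [QueryAudit] ON SERVER STATE = START;
GO

-- Captured statements, newest first, shredded from the ring buffer XML.
SELECT
    e.value('(@timestamp)[1]', 'datetime2(3)') AS event_time_utc,
    e.value('(@name)[1]', 'nvarchar(60)')      AS event_name,
    e.value('(action[@name="server_principal_name"]/value)[1]', 'nvarchar(128)') AS login_name,
    e.value('(action[@name="database_name"]/value)[1]', 'nvarchar(128)')         AS database_name,
    e.value('(action[@name="sql_text"]/value)[1]', 'nvarchar(max)')              AS sql_text
FROM (
    SELECT CAST(t.target_data AS xml) AS x
    FROM sys.dm_xe_sessions AS s
    JOIN sys.dm_xe_session_targets AS t ON t.event_session_address = s.address
    WHERE s.name = N'QueryAudit' AND t.target_name = N'ring_buffer'
) AS rb
CROSS APPLY rb.x.nodes('/RingBufferTarget/event') AS n(e)
ORDER BY event_time_utc DESC;
```

The `sql_text` action records statement text including any literal values, so limit who can query the session's targets.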
