This document discusses database security and auditing. It covers topics like the risks from internal and external threats to an organization's users, applications, and data. It also discusses different regulations and frameworks around data security, as well as the need to prioritize risks and classify sensitive data. Finally, it provides an overview of the SecureSphere product for database activity monitoring, access control, and security.
12. Automate and Simplify Compliance
• Establish an automated access rights review process
• OOTB policies, workflows and policy-specific reports
• Consistent deployment and enforcement across all systems
Comply: PCI, HIPAA, SOX…
Dashboard, policy-specific and custom reports
Email alert
SIEM - SPLUNK
13. Security Events & Actions
Security Events & Actions | PCI DSS 10.2 | SOX (COBIT) | HIPAA (NIST 800-66) | IT Security (ISO 27001) | FISMA (NIST 800-53)
Login | 10.2.5 | A12.3 | 164.312(c)(2) | A 10.10.1 | AU-2
Logoff | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Unsuccessful login | 10.2.4 | DS5.5 | 164.312(c)(2) | A 10.10.1, A.11.5.1 | AC-7
Modify authentication mechanisms | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Create user account | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Modify user account | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Create role | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Modify role | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Grant/revoke user privileges | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Grant/revoke role privileges | 10.2.5 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Privileged commands | 10.2.2 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Modify audit and logging | 10.2.6 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2, AU-9
Objects Create/Modify/Delete | 10.2.7 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2, AU-14
Modify configuration settings | 10.2.2 | DS5.5 | 164.312(c)(2) | A 10.10.1 | AU-2
Foundation Security Events Management
Title Slide: (Slide 1)
Host: Introduction & Housekeeping for platform
Hand-off
Presenter:
Thank you – Welcome to today’s webinar,
We all know the frequency and sophistication of data hackers is not going to let up any time soon, and that we as security professionals need to keep pace or we will suffer both professionally and personally as our own data is traded on the black market like a commodity.
A Company’s Assets include:
Structured data in databases
Unstructured data in files
Web applications that give users access to data
As focus moves to Users, Applications, and Data, the main security questions that businesses need to ask are:
Who has access to data from outside and inside the company?
How are applications protected from web attacks and data breaches?
Are we compliant to industry regulations and standards?
How can you “holistically” secure data, applications, and users?
<click>
EXTERNAL THREATS:
You have customers, partners, employees, and hackers who can bypass perimeter security and launch web attacks: technical attacks, business-logic attacks, account takeover, and fraud.
<click>
You need a solution that can sit in front of all external facing web applications.
<click>
INTERNAL THREATS:
You have employees, malicious insiders, and endpoints that have already been compromised by malware. You may not be monitoring usage or user rights, nor blocking unauthorized access.
<click>
You need a solution that can also discover and classify all assets based on sensitivity, and monitor and protect the data from security breaches.
Slide 5: 2016 Data Loss Breach and Data type – stats from DatalossDB.org as of September 11th
When we talk to companies about regulation, we are typically talking to the DBAs and the compliance team.
When we shift gears from regulation to security, we typically start talking about data loss. When talking about data loss, we are typically talking to a security team that is interested in enforcement, stopping the data from being stolen, and in the investigative and forensic capabilities that will let them find out what happened and what was taken if enforcement was not in place.
Looking at the 2015 year-to-date data loss stats from DatalossDB.org, we can see that while data loss occurs in many ways, hacks remain the top reason for data loss by a large margin.
The key here is that when talking to companies they frequently start with requirements for PCI security, wanting to protect credit card data.
This is appropriate, but if we look at what data is being stolen, we see that credit card data is not in the top categories of data stolen in the United States.
Addresses, email addresses, names, SSN, and passwords are the top data items stolen.
You don’t see credit card numbers on the list, nor do you see a lot of other types of data, not even HIPAA data.
What is important is helping teams to define what is regulated, what is sensitive and ultimately what needs protection.
Let’s look at the next slide to see how regulations and security requirements overlap.
Slide 3: Drivers for why companies are looking to or already have invested in database audit and protection
There are 3 main drivers:
Regulation, which makes sense: you are driven by the various regulations, PCI, Sarbanes-Oxley, KSOX, JSOX, European privacy laws, whatever regulations apply in your area and industry sector. You are driven by those laws to demonstrate compliance. These are the Must Do’s for an organization.
Next is Security. We should all do security, but the reality is that this varies and is generally directed by the in-house Chief Security Officer or CSO.
The third main reason for database security is Company Best Practices. This is typically driven by your peers in the industry: what are they doing, and if I don’t keep pace, will it make me the “low hanging fruit” or easy target in my sector? We are seeing more and more Boards of Directors take notice of this final driver.
What is your own board saying? Are they asking questions like “What steps are we taking to not be hacked?” and “What processes and technologies are we implementing to not be the next victim?”
Slide 6: Must Do’s vs. Should Do’s
The conversation comes back to the Must Do’s vs. the Should Do’s. It really is the difference between regulation and security.
If we look at the regulations that drive people to investigate a data audit solution, we see that PCI, HIPAA, SOX and all these other regulations actually overlap with security requirements.
Security can use these regulatory requirements to help define what needs protection, but from a security perspective there are a lot of other things that need protection as well.
We find one of the biggest challenges when helping companies is having them look beyond the regulatory requirements – to take that next step to protect the sensitive data that is not regulated.
The argument for protecting this data can be found in the headlines for the high-profile breaches of the last year. The fallout from the sensitive data made public has had dramatic impacts.
Perhaps a bit more mundane, but no less important, is the value of this data on the black market. Lists of names, account IDs and passwords are worth far more than a list of credit card numbers that can be reset within hours.
Slide 4: Regulations
Let’s talk briefly about regulations; most of you will be aware of some of these. While each is unique, they share a commonality:
There is a requirement to protect data in databases, files, stores, SharePoint or Big Data.
So the reality is that you can summarize the various regulations that would be on the left-hand side of your version of this slide into the four mandates shown here on the right side of the slide.
Using this as your guide, you can now build requirements and deploy technology around this foundation, knowing it will meet your requirements now and in the future as regulations change.
SecureSphere is one of the technologies that addresses all of these requirements, but there are other ways to achieve these mandates.
You can address all of these regulations manually using native audit, custom-build an in-house solution, or purchase an off-the-shelf solution.
It’s all about the amount of effort and time required to get the solution in place and the cost-effective maintenance of the solution.
Here’s a five-step process that provides an actionable set of steps for a manageable and smooth SOX compliance effort. Using this process, IT managers will be able to satisfy the compliance requirements of auditors, as well as ensure business alignment, satisfactory control, and robust security in their IT systems.
First, you need to discover sensitive data across the enterprise and gather a risk profile for the different data sets. You need to take a top-down, risk-based approach to ensure that sufficient and appropriate attention is given to the areas of highest risk.
The next step is to assess the discovered infrastructure (servers, databases) and identify, report and remediate vulnerabilities, misconfigurations and gaps in security best practices.
SOX requires restricting user access to sensitive data based on business need to know. You need to set controls that prevent inappropriate and unauthorized use of the system across all layers: operating system, database and application.
The fourth step of the compliance framework is audit and secure. You need to continuously audit, and alert on significant changes in a person’s usage of financial data, so administrators can ensure these changes are in line with compliance policies and prevent fraudulent activity.
Finally, you need to measure and report to demonstrate that configuration and usage are within best-practice guidelines.
To do this consistently across a heterogeneous environment you need a single platform with the ability to manage and deploy policies and controls automatically.
Locate all databases
Find and classify sensitive information
Auto-create protection and compliance policies from results
Find and remediate excessive rights and dormant users
This capability is valuable to nearly every database security use case. Before you can begin auditing and monitoring database activity, you need to know where your data is. Our Discovery and Classification capabilities will help you not only identify active database services, but more importantly, those that contain sensitive data.
We can scan your network and report back on all active databases. Having an accurate database inventory will help you to scope your auditing and monitoring activities, but also identify new databases that you might not know about; we sometimes refer to these as rogue databases. Obviously these can pose a risk to your business, especially if they are using production data. In addition, once these databases are discovered, you have the ability to automatically apply a general audit policy so that you can begin to capture audit details immediately.
To further assist in defining scope, SecureSphere can then create a map of database objects that contain sensitive data. For example, we can define database tables that contain credit card numbers, email address and other personally identifiable information or PII. And, because SecureSphere is highly configurable it’s easy to create your own search criteria.
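The discovery-and-classification step described above, as an added example that is not SecureSphere's or the presenter's code: it scans every column of a database for the data classes the talk names (card numbers, email addresses and other PII) and uses a Luhn check so that 16-digit reference numbers are not mistaken for card numbers. The database, table names and values are constructed, and SQLite stands in for the discovered server so it runs offline.

```python
import re
import sqlite3

# Detectors for three sensitive data classes named in the talk; the Luhn check
# removes most false positives for card numbers (e.g. 16-digit order references).
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = sum(d if i % 2 == 0 else 2 * d - 9 * (d > 4)
                for i, d in enumerate(map(int, reversed(digits))))
    return total % 10 == 0

def classify_value(value):
    """Return 'EMAIL', 'SSN', 'CARD' or None for one cell value."""
    s = value.strip() if isinstance(value, str) else ""
    if EMAIL_RE.match(s):
        return "EMAIL"
    if SSN_RE.match(s):
        return "SSN"
    if CARD_RE.match(s) and luhn_ok(re.sub(r"[ -]", "", s)):
        return "CARD"
    return None

def scan_database(conn, sample_rows=100):
    """Map (table, column) -> class for columns whose sampled values mostly match."""
    findings = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        rows = conn.execute(f'SELECT * FROM "{table}" LIMIT {sample_rows}').fetchall()
        for idx, col in enumerate(cols):
            hits = [c for c in (classify_value(r[idx]) for r in rows) if c]
            if hits and 2 * len(hits) > len(rows):  # majority of sampled values
                findings[(table, col)] = max(set(hits), key=hits.count)
    return findings

def build_sample_db():
    """Constructed in-memory database; table names and values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER, email TEXT, pan TEXT, ref TEXT);
        INSERT INTO customers VALUES (1, 'ann@example.com', '4111 1111 1111 1111', '1234567890123456');
        INSERT INTO customers VALUES (2, 'bob@example.org', '5500 0000 0000 0004', '1234567890123457');
        CREATE TABLE hr(emp TEXT, ssn TEXT);
        INSERT INTO hr VALUES ('cara', '123-45-6789');""")
    return conn
```

The `ref` column holds 16-digit values that fail the Luhn check, so it is left out of the findings; the tables that do appear are the ones an audit policy for PCI or PII should be scoped to.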
[CLICK] An electronic payment processor needed to monitor database activity to comply with PCI section 10. They had deployed our Database Activity Monitoring product, applied PCI specific policies and were collecting PCI data and generating reports for their auditors.
[CLICK] During review of the audit logs, their IT Security team discovered some suspicious activity: ATM card numbers and associated PINs were being stolen by an outside hacker. The business challenge quickly evolved to include stopping data theft.
[CLICK] They next applied some security policies that collected all of the details of the illicit activity and then turned over the access logs to the authorities, who conducted forensics and ultimately apprehended the cyber criminals.
Now the payment processor not only has an audit trail for PCI, but they also alert on any suspicious database access activity.
[CLICK]
Big Data, databases, file servers and SharePoint
OOTB policies and reports (HIPAA, SOX, PCI…)
Remediation workflows
Tamper-proof audit trail
Configuration and vulnerability management
Pan-estate audit reporting with drill-down dashboard
- Build yourself a matrix and map compliance drivers with the associated trigger events you may expect to see.
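One way to build the matrix this tip recommends and put it to work, as an added example that is not the presenter's or SecureSphere's code: it encodes a subset of the slide's event-to-control rows (the PCI DSS 10.2 and NIST 800-53 columns), tags audit events from a constructed log feed with their controls, and raises alerts for audit-trail changes and repeated failed logins. The log line format, action names, users and times are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Rows of the slide's trigger-event matrix, reduced to the PCI DSS 10.2 and
# NIST 800-53 columns; the remaining rows of the table are added the same way.
MATRIX = {
    "Login":                        ("10.2.5", "AU-2"),
    "Unsuccessful login":           ("10.2.4", "AC-7"),
    "Grant/revoke user privileges": ("10.2.5", "AU-2"),
    "Modify audit and logging":     ("10.2.6", "AU-2, AU-9"),
}
# Hypothetical audit-feed action names mapped onto the matrix rows.
ACTION_TO_EVENT = {"LOGIN": "Login", "GRANT": "Grant/revoke user privileges",
                   "REVOKE": "Grant/revoke user privileges", "NOAUDIT": "Modify audit and logging"}
# Constructed line format: "<ISO-8601 time> user=<name> action=<ACTION> status=<OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) status=(OK|FAIL)$")
def classify(line):
    """Return (time, user, matrix event) or None for lines outside the matrix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, status = m.groups()
    event = ACTION_TO_EVENT.get(action)
    if event == "Login" and status == "FAIL":
        event = "Unsuccessful login"  # its own row (10.2.4 / AC-7) on the slide
    return None if event is None else (datetime.fromisoformat(ts), user, event)

def report(lines, burst=3, window=timedelta(minutes=5)):
    """Tag matrix events with their controls; alert on audit changes and failed-login bursts."""
    tagged, alerts, fails = [], [], defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ts, user, event = hit
        pci, nist = MATRIX[event]
        tagged.append((user, event, pci, nist))
        if event == "Modify audit and logging":
            alerts.append(f"{user}: audit/logging modified (PCI {pci}, NIST {nist})")
        elif event == "Unsuccessful login":
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) == burst:
                alerts.append(f"{user}: {burst} failed logins in {window} (PCI {pci}, NIST {nist})")
    return tagged, alerts
# Constructed sample feed; users and times are made up.
SAMPLE = """2016-09-11T10:15:02 user=jsmith action=LOGIN status=FAIL
2016-09-11T10:15:09 user=jsmith action=LOGIN status=FAIL
2016-09-11T10:15:20 user=jsmith action=LOGIN status=FAIL
2016-09-11T10:17:30 user=dba01 action=GRANT status=OK
2016-09-11T10:18:00 user=dba01 action=NOAUDIT status=OK""".splitlines()
```

Running `report(SAMPLE)` tags all five events with their PCI and NIST references for the compliance report and produces two alerts: the third failed login by one user inside the window, and the change to audit settings.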
Tips for Improving Web Application Security Posture:
Deploy WAF in front of all web applications, in addition to perimeter controls
Ensure WAF is getting real-time threat intelligence feeds to block advanced attacks
Foster secure web application development when possible
Schedule regular vulnerability scans of all externally facing web applications
Integrate WAF with vulnerability scanners and SIEM solutions for mitigation and IR
Ensure WAF provides flexible deployment options – on-premises, cloud, hosting environments
Slide 23 DAP Feature Consideration Overview
That concludes my presentation for today; we will move to the Q&A session in a moment.
For those of you looking to create your own checklist of considerations, here is a starting point for the types of requirements you should look for in a data audit and protection solution.