Securing Data and Compliance: Database Audit and Protection Solutions
•Download as PPTX, PDF•
4 likes•2,366 views
This document discusses database security and auditing. It covers topics like the risks from internal and external threats to an organization's users, applications, and data. It also discusses different regulations and frameworks around data security, as well as the need to prioritize risks and classify sensitive data. Finally, it provides an overview of the SecureSphere product for database activity monitoring, access control, and security.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Securing Data and Compliance: Database Audit and Protection Solutions
Similar to Securing Data and Compliance: Database Audit and Protection Solutions (20)
More from Imperva
More from Imperva (19)
Recently uploaded
Recently uploaded (20)
Securing Data and Compliance: Database Audit and Protection Solutions
- 1. © 2015 Imperva, Inc. All rights reserved. Hackers, Cyber Crime and Espionage Cheryl O’Neil, Dir. Product Marketing, Imperva David O’Leary, Dir. Security Solutions, Forsythe December 2, 2015
- 2. © 2015 Imperva, Inc. All rights reserved. www.xyz.com www.xyz.com dataapps Risks: Users, Applications, and Data Business Security: -Who can access data? -How are apps and data protected? -Are we compliant? NG FW, IPS, IDS Technical Attacks Logic Attacks Account Takeover Fraud Usage User Rights Unauthorized Access • E-Commerce • E-Banking • E-Health • Financial data • Creditcard data • PII Users Careless employees Malicious insiders Compromised users INTERNAL Customers Partners Employers Hackers EXTERNAL
- 3. © 2015 Imperva, Inc. All rights reserved. 2015 Data Loss: Breach Type and Data Type * Source: Datalossdb.org – Stats as of September 11, 2015 Hack 39% 1. NAA: Names 2. EMA: Email Addresses 3. PWD: Passwords 4. ADD: Addresses 5. SSN: Social Security Number CCN: No financial data in top categories
- 4. © 2015 Imperva, Inc. All rights reserved. Three Drivers for Database Audit and Protection Breach risk Driving factor for data visibility is increased security and/or forensics Project generally owned by Security Admin team with assistance from DBA team GRC policy or an audit Driving factor to improve data visibility to meet compliance requirements Project often owned by Database Admin team or Risk/Compliance Dept. Many reasons: board/executive pressures, peer successes/failures, customer demands, etc… Project could be owned by security, DBA, Risk, etc… Regulation Security Best Practices
- 5. © 2015 Imperva, Inc. All rights reserved. Must Do vs Should Do • The requirements overlap of regulation and security varies org to org • Driving audit(security) scope strictly by regulation leaves non-regulated private data free for the taking Regulation Security PCI HIPAA NERC ISO EU MAS Data Addresses Names Passwords DOB Phone Numbers Salary
- 6. © 2015 Imperva, Inc. All rights reserved. REGULATIONS Monetary Authority of Singapore sox Assessment and Risk Management User Rights Management IB-TRM HITECH PCI-DSS EU Data Protection Directive NCUA 748 FISMA GLBA HIPAA Financial Security Law of France Italy’s L262/2005 India’s Clause 49 BASEL II MANDATES Audit and Reporting Attack Protection
- 7. © 2015 Imperva, Inc. All rights reserved. Database Audit and Protection Requirements Vary Across Departments Business Drivers and Stakeholders • Regulatory Compliance – IT Risk & Audit & DBAs • Corporate/Best Practice Policy Adherence – IT Risk & Audit, DBAs & Security • Forensic Data/Security Visibility - Security • Change Control Reconciliation – Security & DBAs • Measure DB Performance and Function - DBAs • Application Development Testing/Verification – DBAs & App Development • Etc…
- 8. © 2015 Imperva, Inc. All rights reserved. Map Requirements To An Data Audit and Protection Lifecycle Discover Assess Set Controls Audit & Secure Measure & Report Review, certify and investigate Sensitive data Vulnerabilities and security gaps Access rights and policies Monitor, alert and block
- 9. © 2015 Imperva, Inc. All rights reserved. Prioritize and Classify Your Risk Cardholder Card Intellectual Property Email Financial Personal Information Data Classification Unauthorized Alert Access • Locate all databases • Find and classify sensitive information by policy, BU, etc... • Auto create protection and compliance policies from the result Discover SecureSphere Rogue SSN Credit Cards PII
- 10. © 2015 Imperva, Inc. All rights reserved. Stop Data Theft Before It Happens PCI Data PCI Reports ATM & PIN Access Logs • Dynamic behavior profiling • Alerts and blocking • Malware detection integration (2 way) • Web Application Firewall (WAF) activity correlation Protect Hacker Database Users PCI Policies Security Policies
- 11. © 2015 Imperva, Inc. All rights reserved. Stop Data Theft Before It Happens Protect Dynamic behavior profiling Blocking and alerts Web Application Firewall(WAF) activity correlation Malware detection integration PCI Data PCI Reports ATM & PIN Hacker Database Users PCI Policies Security Policies Access Logs UPDATE orders set client ‘first Unusual Activity X Allow Block Network User, DBAs, Sys Admin X
- 12. Automate and Simplify Compliance • Establish an automated access rights review process • OOTB policies, workflows and policy specific reports • Consistent deployment and enforcement across all systems Comply PCI, HIPAA, SOX… Dashboard, Policy specific and custom reports Email Alert SIEM - SPLUNK
- 13. Security Events & Actions PCI DSS 10.2 SOX (COBIT) HIPAA (NIST 800-66) IT Security (ISO 27001) FISMA (NIST 800-53) Login 10.2.5 A12.3 164.312(c)(2) A 10.10.1 AU-2 Logoff 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Unsuccessful login 10.2.4 DS5.5 164.312(c)(2) A 10.10.1 A.11.5.1 AC-7 Modify authentication mechanisms 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Create user account 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Modify user account 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Create role 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Modify role 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Grant/revoke user privileges 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Grant/revoke role privileges 10.2.5 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Privileged commands 10.2.2 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Modify audit and logging 10.2.6 DS5.5 164.312(c)(2) A 10.10.1 AU-2 AU-9 Objects Create/Modify/Delete 10.2.7 DS5.5 164.312(c)(2) A 10.10.1 AU-2 AU-14 Modify configuration settings 10.2.2 DS5.5 164.312(c)(2) A 10.10.1 AU-2 Foundation Security Events Management
- 14. © 2015 Imperva, Inc. All rights reserved. SecureSphere Deployment Architecture MX Management MX Management Users • Flexible deployment • Fully transparent • Rapid deployment • High availability • Clustering • Appliance or virtual • Multiple modes: agent, spanning, bridge • Broad coverage • Out of the box content AWS cloud enabled Gateway Gateway
- 15. © 2015 Imperva, Inc. All rights reserved. Tips For Improving Overall Security Posture 15 Data Security • Have a plan and know desired results needed • Know and classify your data • Implement a universal platform and policies • Audit what matters – don’t audit what doesn’t • Constantly think security – TEST IT • Look to the future – scale, cloud, Big Data Security • Continuously assess your security posture • Enhance your detection visibility capabilities • Enforce separation of duties & least privilege • Ensure security awareness & training • Monitor user behavior • Develop a formal incident response plan
- 16. © 2015 Imperva, Inc. All rights reserved. “Imperva blows them away in terms of response time, time to resolution, and uptime of the system. I would put them at Best in Class. We essentially maintained 100% uptime over a 3 year period.” Ross Bobenmoyer, VP Information Security, Republic Bancorp, September 2015
- 17. © 2015 Imperva, Inc. All rights reserved. DAP Feature Considerations Overview • Enterprise design and deployment • Architecture • Scale DAP appliance to DB server ratio • DB agent monitoring only • Hybrid monitoring agent/DAP • DAP inline enforcement • High availability (HA) • Clustering • DAM Agents • Agent deployment / change management • Centralized agent management • Upgrades and backward-forward compatibility • Manageability • Enterprise central management • Role based management (LDAP) • DAP upgrades and patches • Backward and forward compatibility • Capacity management • Up-time • Audit, security and compliance • Database audit • Effective policy management • Storage analytics • Data enrichment • Security • Dynamic user behavioral profiling • Threat management • Anti-malware integration • Malicious user detection • Compromised applications • Operations and notifications • Real-Time notification • Splunk and 3rd party integrations • Discovery and assessment • DB vulnerability assessment and patching • Data discovery and classification • User rights management
Editor's Notes
- Title Slide: (Slide 1) Host: Introduction & Housekeeping for platform Hand-off Presenter: Thank you – Welcome to today’s webinar, We all know the the frequency and sophistication of the data hackers is not going to stop any time soon and that we as security professionals need to keep pace or we will suffer both professionally and personally as our own data is traded on the black market like a commodity.
- A Company’s Assets include: Structured data in data bases Unstructured data in files Web applications which give user access to data As focus moves to Users, Applications, and Data, the main security questions that businesses need to ask are: Who has access to data from outside and inside the company? How are applications protected from web attacks and data breaches? Are we compliant to industry regulations and standards? How can you “holistically” secure data, applications, and users. <click> EXTERNAL THREATS: You have customers, partners, employees, and hackers, who can by-pass perimeter security and launch web-attacks – technical, logic, account takeover, and committing fraud.. <click> You need a solution that can sit in front of all external facing web applications. <click> INTERNAL THREATS: You have employees, malicious insiders, and endpoints that have been already compromised by malware. You may not be monitoring Usage or User Rights, nor blocking Unauthorized access. <click> You need a solution that can also discover and classify all assets based on sensitivity, and monitor and protect the data from security breaches.
- Slide 5: 2016 Data Loss Breach and Data type – stats from DatalossDB.org as of September 11,th When we talk to companies about regulation, we are typically talking to the DBA’s and Compliance team. When we shift gears from regulation to security, we typically start talking about data loss. When talking about data loss, we are typically talking to a security team that is interested in enforcement – stopping the data from being stolen and into the investigative and forensic capabilities that will let them find out what happened and what was taken if enforcement was not in-place. Looking at the 2015 Year-to-date Data Loss stats from DatabaseDB.org we can see that while data loss occurs in many ways, hacks remain the top reason for data loss by a large margin. The key here is that when talking to companies they frequently start with requirements for PCI security, wanting to protect credit card data. This is appropriate, but if we look at what data is being stolen, we see that credit card data is not in the top categories of data stolen in the United States. Addresses, email addresses, names, SSN, and passwords are the top data items stolen. You don’t see Credit card numbers on the list, nor do you see a lot of other types of data – not even HIPPA data. What is important is helping teams to define what is regulated, what is sensitive and and ultimately what needs protection. Let’s look at the next slide to see how regulations and security requirements overlap.
- Slide 3: Drivers for why companies are looking to or already have invested in database audit and protection There are 3 main drivers Regulation – which makes sense you are driven by Various regulations PCI, Sarbanes Oxley, KSOX, JSOX, European privacy laws, whatever regulations apply in your area and industry sector. You are driven by those laws to demonstrate compliance. These are the Must Do’s items for an organization Next is Security – we should all do security, but the reality is that this varies and is generally directed by the in-house Chief Security Officer or CSO. The third main reason for database security is Company Best Practices, this is typically driven by your peers in the industry. What are they doing and if I don’t keep pace will it make me the “low hanging fruit” or easy target in my sector. We are seeing more and more Board of Directors take notice of this final driver. What is your own board saying? Are they asking questions like “What steps are we taking to not be hacked?” What processes and technologies are will implementing to not be the next victim.
- Slide 6: Must Dos vs. Should Do’s The conversation comes back to the Must Do’s vs. the Should Do’s. It really is the difference between regulation and security. If we look at the regulations that drive people to investigate a data audit solution we see the PCI, HIPPA, Sox and all these other regulations actually overlap with Security requirements. Security can use these regulatory requirements to help defines what is needs protection, but from a security perspective there are a lot of other things that need protection as well. We find one of the biggest challenges when helping companies is having them look beyond the regulatory requirements – to take that next step to protect the sensitive data that is not regulated. The argument for protecting this data is can be found in the headlines for the high profiles breaches of the last year. The fallout from the sensitive data made public has had dramatic impacts. Perhaps a bit more mundane but no less important, is the value of this data on the black market. Lists of names, account ids and passwords are worth far more than a list of credit card numbers that can be reset within hours.
- Slide 4: Regulations Let’s talk briefly about regulations, most of you will be aware of some of these. While each is unique these share a commonality - There is a requirement to protect data in databases, files, stores, SharePoint or Big Data So the reality is that you can summarizes the various regulations that would be on the left hand side of your version of this slide into the four mandates shown here on the right side of the slide. Using this as your guide you can now build requirements and deploy technology around this foundation. Knowing it will meet your requirements now and in the future as regulations change. SecureSphere is one of the technologies that addresses all of these requirements, but there are others ways to achieve these mandates. You can address all of these regulations – manually using Native Audit. Custom build an in-house solution or purchase an off-the shelf solution. It’s all about the amount of effort and time required to get the solution in-place and cost-effective maintenance of the solution
- Here’s a five step process that includes an actionable set of steps for a manageable and smooth SOX compliance effort. Using this process, IT managers will be able to satisfy the compliance requirements of auditors, as well as ensure business alignment, satisfactory control, and robust security in their IT systems. First you need to discover sensitive data across the enterprise and gather risk profile for the different data sets. There is a need to take a top-down, risk-based approach to ensure that sufficient and appropriate attention is given to areas of highest risk. Then the next step is to assess the discovered infrastructure (servers, databases) and identify, report and remediate vulnerabilities, misconfigurations and gaps in security best practices. SOX requires restricting user access to sensitive data based on business need to know. You need to set controls that prevent inappropriate and unauthorized use of the system across all layers of systems, operating system, database and application. The fourth step of the compliance framework is audit & secure. You need to continuously audit and secure alert on significant changes in a person’s usage of financial data so administrators can ensure these changes are in line with compliance policies and prevent fraudulent activity. and, you need to measure and report to demonstrate that configuration and usage are within best practice guidelines. To do it consistently across a heterogeneous environment you need a single platform with the ability to manage and deploy policies and controls automatically
- Locate all databases Find and classify sensitive information Auto-create protection and compliance policies from results Find and remediate excessive rights and dormant users ………….. This capability is valuable to nearly every database security use case. Before you can begin auditing and monitoring database activity, you need to know where your data is. Our Discovery and Classification capabilities will help you not only identify active database services, but more importantly, those that contain sensitive data. We can scan your network and report back on all active databases. Having an accurate database inventory will help you to scope your auditing and monitoring activities, but also identify new databases that you might not know about…we sometimes refer to these are rogue databases. Obviously these can pose a risk to your business, especially if they are using production data. In addition, once these databases are discovered, you have the ability to automatically apply a general audit policy so that you can begin to capture audit details immediately. To further assist in defining scope, SecureSphere can then create a map of database objects that contain sensitive data. For example, we can define database tables that contain credit card numbers, email address and other personally identifiable information or PII. And, because SecureSphere is highly configurable it’s easy to create your own search criteria.
- [CLICK] An electronic payment processor needed to monitor database activity to comply with PCI section 10. They had deployed our Database Activity Monitoring product, applied PCI specific policies and were collecting PCI data and generating reports for their auditors. [CLICK] During review of the audit logs, their ITSecurity team discovered some suspicious activity…ATM card numbers and associated PINs were being stolen by an outside hacker. The business challenge quickly evolved to include stopping data theft [CLICK] They next applied some Security Policies that collected all of the details of the illicit activity and then turned over the access logs to the authorities who conducted forensics and ultimately apprehended the cyber criminals Now the payment processor not only has an audit trail for PCI But they alert on any suspicious database access activity [CLICK]
- Now the payment processor not only has an audit trail for PCI But they alert on any suspicious database access activity [CLICK]
- Big Data, databases, file servers and SharePoint OOTB policies and reports (HIPPA, SOX, PCI…) Remediation workflows Tamper-proof audit trail Configuration and vulnerability management Pan-estate audit reporting with drill-down dashboard
- - Build yourself a matrix and map compliance drivers with the associated trigger events you may expect to see.
- Tips for Improving Web Application Security Posture: Deploy WAF in front of all web applications, in addition to perimeter controls Ensure WAF is getting real-time threat intelligence feeds to block advanced attacks Foster secure web application development when possible Schedule regular vulnerability scans of all externally facing web applications Integrate WAF with vulnerability scanners and SIEM solutions for mitigation and IR Ensure WAF provides flexible deployment options – on-premises, cloud, hosting environments
- Slide 23 DAP Feature Consideration Overview That concludes my presentation for today, we will move to the Q&A session in a moment. For those of you looking to create your own checklist of considerations, here is a starting point for the types of requirements you should look for in a data audit and protection solution.