TRUSTWAVE DATABASE SECURITY Securing Data Where It Lives

Posted on 07-Aug-2020

Page 1: TRUSTWAVE DATABASE SECURITY - E-SPIN Group… · Cyberthreat Defense Report Ponemon: 2016 Cost of a Data Breach Study Million ©2016 Trustwave Holdings, Inc. TOP 5 DATABASE PROBLEMS

TRUSTWAVE DATABASE SECURITY

Securing Data Where It Lives

Page 2

AGENDA

1. The Database Security Landscape
2. Top Five Database Security Problems
3. Business Needs & Use Cases
4. Database Security Solutions
5. Business Outcomes
6. Case Studies
7. Questions

Page 3

THE DATA SECURITY PROBLEM

• People want to steal your data
• Attackers are more sophisticated & motivated
• Databases are full of vulnerabilities
• 90% of corp. data lives in databases = Target-rich environment
• Powerful attacks are easy to find & exploit
• Finding, fixing & patching security issues requires skilled staff and time

Page 4

CRITICAL AND SENSITIVE DATA IS EVERYWHERE!

• Personally Identifiable Information (PII)
• Payment card numbers
• Social security numbers
• Bank account and routing numbers
• Email correspondence
• Usernames and passwords
• Protected Health Information (PHI)
• Budget information
• NDA-protected information
• Research and development information
• Intellectual property
• Employment records
• Attorney/client privileged information
• Critical infrastructure information
• GPS data
• INFINITELY MORE…

“But at the heart of many significant applications lies a database.”

Page 5

DATA LIVES IN THE DATABASE, ATTACKERS SEEK DATA

Customer notification filed with CA Attorney General

CIO “The 15 Worst Data Security Breaches of the 21st Century”

USA Today “Hacks…expose weak passwords, create new business”

Gizmodo “Hackers Dump Entire Database of…Website…Online”

Page 6

DATA BREACHES ARE COMMON AND EXPENSIVE

Breach Level Index (as of June 22, 2016)

$4 Million: Average Total Cost of a Data Breach (Ponemon: 2016 Cost of a Data Breach Study)

$158: Per-Record Cost of a Data Breach (Ponemon: 2016 Cost of a Data Breach Study)

76%: Number of organizations breached in 2015 (CyberEdge: 2016 Cyberthreat Defense Report)

Page 7

TOP 5 DATABASE PROBLEMS

Page 8

PATCH (GAP) MANAGEMENT

• Databases are vulnerable the day a patch is released
  – Exploit/POC code is published quickly
  – What to patch first? Critical business systems? Low risk systems?
  – 58% of businesses don’t have a “fully mature” patch management process in place (2014 Trustwave State of Risk Report)

Page 9

DEFAULT ACCOUNTS AND WEAK PASSWORDS

• Default accounts are not good
  – Databases have them
  – Applications install them
• Weak passwords can be cracked
  – Google “[database type] password cracker”
  – Database log-in activity seldom monitored
  – An attacker can guess passwords all day

User: system / Password: manager
User: sys / Password: change_on_install
User: scott / Password: tiger

User: SA / Password: null

User: db2admin / Password: db2admin
User: db2as / Password: ibmdb2

User: root / Password: null
User: admin / Password: admin
User: myusername / Password: mypassword

User: SA / Password: null
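As an added defender-side illustration of this slide (not code from the presentation or from any Trustwave product), the Python below does the two checks a rights review and a log review would run against this problem: it flags default-named accounts that are still open in a constructed account inventory, and it detects password guessing in a constructed logon audit log by counting failed logons per source inside a sliding time window and noting whether a successful logon followed the burst. The account names come from the slide's list; the inventory shape, the log line format, the threshold and the window are assumptions.

```python
import re
from datetime import datetime

# Default account names from the slide. The audit asks whether these accounts
# still exist and are open, not what password they carry.
DEFAULT_ACCOUNTS = {"system", "sys", "scott", "sa", "db2admin", "db2as", "root", "admin"}

# Constructed sample inventory (username, account_status), in the shape a
# rights review would export from the catalog. Not real data.
SAMPLE_INVENTORY = [
    ("SYSTEM", "OPEN"),
    ("SYS", "OPEN"),
    ("SCOTT", "OPEN"),
    ("APP_RW", "OPEN"),
    ("DB2ADMIN", "LOCKED"),
    ("OUTLN", "EXPIRED & LOCKED"),
]


def find_open_default_accounts(inventory):
    """Return the default-named accounts whose status is still OPEN, sorted."""
    return sorted(user for user, status in inventory
                  if user.lower() in DEFAULT_ACCOUNTS and status.upper() == "OPEN")


# Assumed audit-log layout (key=value pairs); adapt the pattern to the real audit trail.
LOGON_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=LOGON "
    r"result=(?P<result>FAILED|SUCCESS) src=(?P<src>\S+)"
)

# Constructed sample log: one source tries several accounts in quick succession
# and then gets in; another source has a single typo followed by a normal login.
SAMPLE_AUDIT_LOG = [
    "2016-06-22T10:00:01 host=db01 user=SCOTT action=LOGON result=FAILED src=10.0.0.5",
    "2016-06-22T10:00:03 host=db01 user=SYSTEM action=LOGON result=FAILED src=10.0.0.5",
    "2016-06-22T10:00:05 host=db01 user=SYS action=LOGON result=FAILED src=10.0.0.5",
    "2016-06-22T10:00:08 host=db01 user=ADMIN action=LOGON result=FAILED src=10.0.0.5",
    "2016-06-22T10:00:12 host=db01 user=SCOTT action=LOGON result=FAILED src=10.0.0.5",
    "2016-06-22T10:00:15 host=db01 user=SCOTT action=LOGON result=SUCCESS src=10.0.0.5",
    "2016-06-22T10:05:00 host=db01 user=APP_RW action=LOGON result=FAILED src=10.0.0.9",
    "2016-06-22T10:09:00 host=db01 user=APP_RW action=LOGON result=SUCCESS src=10.0.0.9",
]


def detect_login_guessing(lines, threshold=5, window_seconds=60):
    """Alert once per source that accumulates `threshold` failed logons within
    any `window_seconds` span; report the accounts tried and whether a
    successful logon from that source followed the burst."""
    by_src = {}
    for line in lines:
        m = LOGON_RE.match(line)
        if m:  # lines that are not logon records are ignored
            by_src.setdefault(m["src"], []).append(
                (datetime.fromisoformat(m["ts"]), m["user"], m["result"]))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        failed = [(ts, user) for ts, user, result in events if result == "FAILED"]
        start = 0  # left edge of the sliding window over failed attempts
        for end in range(len(failed)):
            while (failed[end][0] - failed[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failed[end][0]
                alerts.append({
                    "src": src,
                    "failed": end - start + 1,
                    "users": sorted({user for _, user in failed[start:end + 1]}),
                    "success_after_burst": any(
                        result == "SUCCESS" and ts >= burst_end
                        for ts, _, result in events),
                })
                break  # one alert per source is enough for a first pass
    return alerts


if __name__ == "__main__":
    print("open default accounts:", find_open_default_accounts(SAMPLE_INVENTORY))
    for alert in detect_login_guessing(SAMPLE_AUDIT_LOG):
        print("guessing:", alert)
```

Built-in administrative accounts such as SYS and SYSTEM cannot be dropped from an Oracle database, so for those a hit means rotate away from the installation default and monitor; sample and application accounts like SCOTT can be locked or removed. The `success_after_burst` flag is what turns a noisy alert into an incident: a burst of failures followed by a success from the same source is the signature of a guessed password.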

Page 10

SQL INJECTION IN THE DATABASE

• Same concept as with web applications
  – Many vulnerable web applications out there
  – Good news: Most really valuable apps aren’t vulnerable
• But the scary stuff isn’t just at the web app level
• It’s in the Database.
  – SQL Injection vulnerabilities exist in all major database platforms
  – Generally resulting in privilege escalation (run SQL as DBA)
  – Patching can take months (leaving you vulnerable)
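The slide calls database-side injection the same concept as web-application injection. As an added example that is not from the presentation, the Python below runs the two patterns side by side against a constructed in-memory SQLite table: a lookup that splices the caller's value into the statement text, and the same lookup with a bound parameter. The table, its rows and the function names are assumptions. When the concatenating form sits inside a stored procedure that executes with its owner's rights, a malformed input becomes SQL run at the owner's privilege level, which is the escalation the slide describes.

```python
import sqlite3


def make_db():
    """Constructed sample table (not real data); a caller should only ever
    see the one row matching the name it supplies."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (name TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?)",
                    [("ann", 90000), ("ben", 50000), ("cy", 120000)])
    return con


def lookup_concat(con, name):
    """Vulnerable form: the caller's value becomes part of the SQL text, so
    quote characters inside it change the statement's meaning."""
    sql = "SELECT name, salary FROM employees WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_bound(con, name):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    return con.execute("SELECT name, salary FROM employees WHERE name = ?",
                       (name,)).fetchall()


def compare(name):
    """Run both forms on the same input; returns (rows_concat, rows_bound)."""
    con = make_db()
    try:
        rows_concat = lookup_concat(con, name)
    except sqlite3.Error as exc:  # a stray quote can also just break the statement
        rows_concat = f"error: {exc}"
    rows_bound = lookup_bound(con, name)
    con.close()
    return rows_concat, rows_bound


if __name__ == "__main__":
    print(compare("ben"))               # both forms return the one row
    print(compare("ben' OR 'a'='a"))    # concatenation returns every row; binding returns none
```

The review question for database-side code is therefore the same as for web code: find every place where statement text is assembled from a value the caller controls (string concatenation in PL/SQL, T-SQL `EXEC` of a built string, and so on) and check whether that procedure runs with its definer's privileges.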

Page 11

EXCESSIVE USER AND GROUP PRIVILEGES

• Entitlements are difficult to manage
  – Users can gain access by perpetual granting of roles
  – Default database privileges granted are often excessive and dangerous
• “Least privilege” is great in theory, but hard to practice

Figure: Users & Groups → Roles → Permissions mapping. Users & groups shown: Normal End User, Manager, Intern, QA, EVP/SVP, Application Developer, Data Entry, Database Administrator, Public. Permissions shown: EDIT, VIEW, ADD, IMPORT, DELETE, TRANSLATE, DELETE FOUND, FIND, REMOVE, NAVIGATE.
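The slide's point that entitlements accumulate through nested role grants is easy to see with a small graph walk. As an added example (not from the presentation or from DbProtect), the Python below takes a constructed export of role-to-role and privilege-to-role grants, computes each user's effective privileges by following role grants transitively, and reports which users hold a sensitive privilege and through which chain of roles they got it. All user, role and privilege names, the sensitive-privilege set and the grant layout are assumptions.

```python
from collections import deque

# Constructed sample grants, in the shape a rights review exports from the catalog.
# ROLE_GRANTS: grantee (user or role) -> roles granted to it.
ROLE_GRANTS = {
    "alice": ["app_user"],
    "bob": ["app_user", "reporting"],
    "intern_t": ["reporting"],
    "carol": ["dba_like"],
    "reporting": ["app_user"],
    "app_user": ["public"],
    "dba_like": ["app_user", "power"],
}
# PRIVILEGE_GRANTS: grantee -> privileges granted directly to it.
PRIVILEGE_GRANTS = {
    "public": {"SELECT:catalog"},
    "app_user": {"SELECT:orders", "INSERT:orders"},
    "reporting": {"SELECT:customers"},
    "power": {"DELETE:orders", "SELECT ANY TABLE"},
    "bob": {"DELETE:customers"},  # a direct grant that bypasses the role model
}
USERS = ["alice", "bob", "carol", "intern_t"]
# Privileges a least-privilege review would treat as sensitive (assumed set).
SENSITIVE = {"SELECT ANY TABLE", "DELETE:orders", "DELETE:customers"}


def effective_privileges(grantee, role_grants=ROLE_GRANTS, priv_grants=PRIVILEGE_GRANTS):
    """Map every privilege reachable from `grantee` to the shortest grant chain
    that confers it. Breadth-first so the first chain found is the shortest;
    each node is visited once, so a cyclic export still terminates."""
    reached = {}
    seen = set()
    queue = deque([(grantee, [grantee])])
    while queue:
        node, chain = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        for priv in priv_grants.get(node, ()):
            reached.setdefault(priv, chain)
        for role in role_grants.get(node, ()):
            queue.append((role, chain + [role]))
    return reached


def review_sensitive_access(users=USERS, sensitive=SENSITIVE):
    """Return (user, privilege, chain) for every sensitive privilege a user
    holds, directly or through any depth of role nesting."""
    findings = []
    for user in users:
        eff = effective_privileges(user)
        for priv in sorted(sensitive & set(eff)):
            findings.append((user, priv, " -> ".join(eff[priv])))
    return findings


if __name__ == "__main__":
    for finding in review_sensitive_access():
        print(finding)
```

The chain is the useful output: a finding such as `carol -> dba_like -> power` says which grant to revoke, whereas a flat list of carol's privileges does not. Running the review again after each change is how the "hard to practice" part of least privilege becomes tractable.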

Page 12

UNNECESSARY FEATURES ENABLED

• Minimize the attack surface, don’t give attackers more opportunities
• Powerful features are both good and bad
  – Integrated Java and other extensible languages (as we’ll see later)
  – Various levels of OS access available

Examples:
Java, UTL_FILE
xp_cmdshell
CREATE_NOT_FENCED (allows logins to create SPs)
Permissions on User Table (mysql.user)
OLEDB Ad Hoc Query – OPENROWSET, OPENDATASOURCE, xp_cmdshell
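For the SQL Server items on this slide (xp_cmdshell, OPENROWSET/OPENDATASOURCE ad hoc queries, and CLR as that engine's extensible-language hook) the configuration review can be scripted. The Python below is an added example, not from the presentation or from any Trustwave product: it parses constructed `sp_configure` output, reports which of these options are enabled or pending enablement (config_value set but run_value not yet applied), and produces the statement that turns each one off. The output layout and the list of options to check are assumptions; the option names and the `sp_configure`/`RECONFIGURE` syntax are SQL Server's own.

```python
import re

# Server options the slide's SQL Server examples map to, with the feature each
# exposes. The option names are SQL Server's; the list is this example's choice.
RISKY_OPTIONS = {
    "xp_cmdshell": "OS command execution from T-SQL",
    "Ad Hoc Distributed Queries": "OPENROWSET / OPENDATASOURCE ad hoc access",
    "clr enabled": "user-defined CLR code inside the engine",
}

# Constructed sample output of `EXEC sp_configure` (not a real server's output).
SAMPLE_SP_CONFIGURE = """\
name                                minimum    maximum    config_value run_value
Ad Hoc Distributed Queries          0          1          1            1
clr enabled                         0          1          1            0
remote access                       0          1          1            1
show advanced options               0          1          1            1
xp_cmdshell                         0          1          1            1
"""


def parse_sp_configure(text):
    """Return {option_name: (config_value, run_value)} from tabular output.
    Columns are split on runs of two or more spaces so names containing a
    single space ('clr enabled') stay intact."""
    rows = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 5:
            name, _min, _max, config_value, run_value = cols
            rows[name] = (int(config_value), int(run_value))
    return rows


def audit_features(text, risky=RISKY_OPTIONS):
    """List risky options that are on, or will be on after the next RECONFIGURE."""
    findings = []
    for name, (config_value, run_value) in sorted(parse_sp_configure(text).items()):
        if name not in risky:
            continue
        if run_value == 1:
            status = "enabled"
        elif config_value == 1:
            status = "pending"   # set but not yet applied with RECONFIGURE
        else:
            continue
        findings.append({
            "option": name,
            "status": status,
            "exposes": risky[name],
            "remediation": f"EXEC sp_configure '{name}', 0; RECONFIGURE;",
        })
    return findings


if __name__ == "__main__":
    for f in audit_features(SAMPLE_SP_CONFIGURE):
        print(f"{f['option']}: {f['status']} ({f['exposes']}) -> {f['remediation']}")
```

All three options are advanced options, so `show advanced options` has to be 1 for them to appear in `sp_configure` output at all; the sample shows it on, and turning it back off once the review is done is a common final step. The "pending" state matters because a run_value of 0 can read as safe while the next `RECONFIGURE` silently enables the feature.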

Page 13

DATABASE SECURITY SOLUTIONS

Page 14

PROVEN DATABASE SECURITY METHODOLOGY

Figure: methodology cycle with the steps Inventory, Test, Eliminate Vulnerabilities, Enforce Least Privileges, Monitor for Anomalies, Protect and Respond to Incidents, under the labels Continuous Assessment and Continuous Protection.

Page 15

DELIVERED IN THREE WAYS

• Managed Security Testing (MST) – Database Scanning
• AppDetectivePRO
• DbProtect

Page 16

MANAGED DATABASE SCANNING

• Trustwave SpiderLabs’ database security experts use our technology to spot anomalies such as vulnerabilities, configuration errors, and access issues.
• Managed database scanning can:
  – Assess database(s) against industry best practices
  – Provide actionable information on vulnerabilities and misconfigurations that will improve your security
  – Help measure if you have improved the security posture between scans

Managed Security Testing (MST)

Page 17

APPDETECTIVEPRO: The Premier Database Scanner for Security, Risk & IT Professionals

De facto Standard for Database Audit and Assessment
▪ Discovery
▪ Pen Test (Zero-Knowledge)
▪ Security Audit (Authenticated)
▪ User Rights Review
▪ Quick Start Features

▪ Easy to deploy: Standalone laptop
▪ Bundles MS SQL Server 2014 Express (10 GB storage limit)
▪ Easy to use: Built-in regulatory frameworks
▪ Always up-to-date: SpiderLabs Research ASAP updates
▪ Comprehensive: Over 2,000 vulnerability checks & tests across all major platforms

Page 18

DBPROTECT: Enterprise-class database security, for organizations of all sizes

Rights Management
• Analyze Access Controls
• Find Privileged Users
• Detail Access to Sensitive Objects

Activity Monitoring
• Detect Attacks in Real Time
• Audit Privileged Users
• Initiate Action with Active Response

Vulnerability Management
• Locate Vulnerabilities & Misconfigurations
• Perform Outside-in Pen Tests
• Conduct Inside-out Audits

Vulnerability Checks | Attack Signatures | Audit Rules | Policies

Database Discovery & Inventory | Policy Management | Dashboards & Reports | Integration Framework

Page 19

TRUSTWAVE SPIDERLABS: The Database Security Experts

World’s largest dedicated database security research team
• Most frequently published experts on database attacks
• Author the database security knowledgebase, the foundation of Trustwave’s Database Security products

Credited with finding hundreds of database vulnerabilities
• Over 100 Oracle vulnerabilities since 2005
• Dozens of vulnerabilities in SQL Server, DB2, Sybase, MySQL and Hadoop
• Reported 80% of the vulnerabilities fixed by database vendors over the last 4 years

Most extensive database threat knowledgebase
• Vulnerability checks and attack signatures for 2,000+ vulnerabilities
• Monthly ASAP Updates
• Built-in policies for regulatory compliance and security best practices

Page 20

‘LAND AND EXPAND’ DBSS SALES PROCESS

Figure: sales-process diagram with the elements Vulnerable Database, DbProtect, Database Findings and Violations, Remediation Plan (Go Fix it!) and Protected Database, and the roles IT Security, Security Practitioner, Directors and Database Admins.

Page 21

BUSINESS NEEDS & USE CASES

Page 22

WHAT DO I SELL…AND TO WHOM?

“I need help running & validating database scans. I need my critical databases scanned, but I don’t have experienced staff to run them.” (Managed Service Testing)

“I have a small number of databases to scan, and prefer to run the scans and generate reports myself.” (AppDetectivePRO)

“I need full control of my database security program. My organization needs full control around our established enterprise-wide database vulnerability management and security program.” (DbProtect)

“I’m an individual IT audit or security practitioner. I need a point and shoot tool to run quick database vulnerability scans & reports.” (AppDetectivePRO)

Page 23

MANAGED: DATABASE SECURITY TESTING, ON TIME, ON BUDGET, AND ON DEMAND

Designed for organizations that don’t have the time or skilled resources to manage database vulnerability scans.

• Vulnerability scans managed by Trustwave experts
• On-demand Compliance and Security Best Practices Scans
• Validated results and reports
• Augment your team and minimize false positives

Page 24

HIGHLY SCALABLE ENTERPRISE CLASS SOLUTION

• Highly scalable precision database security and compliance solution

• Market leading Vulnerability Management, Rights Management, and Activity Monitoring capabilities

• Helps organizations control their database security processes in a smarter and more streamlined way

• Enables organizations to enforce database security, minimize risk, and achieve regulatory compliance.

DbProtect

Highly scalable, lowest TCO, software-only, and least amount of network impact of any database security solution on the market.

ENTERPRISE

Page 25

DATABASE SCANNING FOR IT AUDITORS & SECURITY PRACTITIONERS

• Find vulnerabilities, configuration issues, weak passwords, patch issues, access control issues, and other problems that could lead to user privilege escalation.

• The most comprehensive, portable database scanner on the market.

• Evaluate the effectiveness of controls around sensitive data.

• Assess more in-scope databases in less time, and with the least amount of effort.

Our tactical scanner is used by nearly 90% of the IT Audit & Advisory community to assess audit compliance, risk & security.

IT AUDITOR DB ASSESSMENT TOOL

AppDetectivePRO

Page 26

DATABASE SCANNING FOR THE INTERNAL CORPORATE USER

• Quick and accurate vulnerability assessment and user rights review scans of databases and Big Data stores.

• Identify vulnerabilities, configuration issues, weak passwords, patch and access control issues, and other settings that can lead to user privilege escalation.

• Effortlessly transfer scan results between our Self-Service solution, back into our Enterprise solution.

• Know what the auditors will find, before they show up!

AppDetectivePRO

Our Self-Service offering provides the quickest and most accurate database security scans in the market – all in a single-user solution.

SINGLE-USER DATABASE SCANNER

Page 27

BUSINESS OUTCOMES

Page 28

VULNERABILITY TESTING

• Clinical assessment of database vulnerabilities
  – Identify all known vulnerabilities
  – Scan with database credentials
• Deep analysis of database configuration, including:
  – Security Settings
  – Patches
  – Audit Subsystem
  – Operating System Issues

Managed Database Scanning

Database Challenges Addressed

Page 29

VULNERABILITY MANAGEMENT

• Discover and inventory databases on the network
• Clinical assessment of database vulnerabilities
  – Identify all known vulnerabilities
  – Scan with or without database credentials
• Deep analysis of database configuration, including:
  – Security Settings
  – Patches
  – Audit Subsystem
  – Operating System Issues
• Automation and workflow

Enterprise & Tactical Scanning

Database Challenges Addressed

Page 30

RIGHTS MANAGEMENT

• Analyze database access controls
  – Examine all users, objects and privileges
  – Uncover all DBA and other privileged accounts
  – Identify any access to sensitive data
  – Locate segregation of duties problems

Enterprise & Tactical Scanning

Database Challenges Addressed

Page 31

ACTIVITY MONITORING – (DBPROTECT)

• Identify and stop database attacks
  – Virtual patching
• Automated reactions to policy violations and suspicious behavior
  – Alert, Block, Quarantine
• Designed for high performance systems
  – Security Monitoring that won’t slow you down

Ideal for Security Threat Monitoring

Database Challenges Addressed

Page 32

CASE STUDIES

Page 33

MULTI-NATIONAL BANK

Situation
• Customer is a global bank with over 3,100 branches and offices operating in more than 55 countries. Growth through acquisition has left disparate IT systems operating around the world, each with their own policies, standards, regulations and controls.
• Attackers constantly target the bank’s assets. The corporate security team is responsible for ensuring database security regardless of where systems are located.

Solution
• DbProtect Vulnerability Assessment scans are run by the security team across the enterprise using a single policy that encompasses all assessment requirements.
• DbProtect report filters derive individualized views for each geography based on their local regulations and controls.

Results
• Consistent scanning of databases across the globe on a daily basis using only one full-time resource.
• One scan of each database system yields results for multiple constituencies without any manual data massaging or intervention.

Page 34

ENERGY COMPANY

Situation
• Company is regularly subject to industrial espionage attempts, potential exposure of intellectual property, exposure of sensitive data, and has a very large attack surface.
• IT Auditors using automated tools (AppDetectivePRO) generated findings on our customer’s databases.
• Large number of disparate databases made it impractical and inefficient to assess, monitor and audit manually.

Solution
• DbProtect deployed across the enterprise to establish continuous compliance for all database instances.
• AppDetectivePRO installed on laptops to assess remote databases on oil platforms. Results uploaded to DbProtect afterwards.

Outcome
• Scaled database SRC objectives enterprise-wide. Resolved SOX audit finding and significantly reduced the resource burden on IT security and DBA infrastructure teams.

Page 35

COMPETITIVE ADVANTAGES

• Quality of knowledgebase of checks and tests – SpiderLabs!
• Active Database Discovery
• Highly-scalable, software-only form factor
• More accurate database activity monitoring (DAM) through scanning integration
• Intuitive user interface, powerful reporting & analytics
• Supports multi-tenancy deployments

Page 36

THANK YOU

QUESTIONS?