Transcription

TRUSTWAVE DATABASE SECURITY: Securing Data Where It Lives

AGENDA
1. The Database Security Landscape
2. Top Five Database Security Problems
3. Business Needs & Use Cases
4. Database Security Solutions
5. Business Outcomes
6. Case Studies
7. Questions

2016 Trustwave Holdings, Inc.

THE DATA SECURITY PROBLEM
- People want to steal your data
- Attackers are more sophisticated and motivated
- Databases are full of vulnerabilities
- 90% of corporate data lives in databases: a target-rich environment
- Powerful attacks are easy to find and exploit
- Finding, fixing and patching security issues requires skilled staff and time

CRITICAL AND SENSITIVE DATA IS EVERYWHERE!
"But at the heart of many significant applications lies a database."
- Personally Identifiable Information (PII)
- Payment card numbers
- Social security numbers
- Bank account and routing numbers
- Email correspondence
- Usernames and passwords
- Protected Health Information (PHI)
- Budget information
- NDA-protected information
- Research and development information
- Intellectual property
- Employment records
- Attorney/client privileged information
- Critical infrastructure information
- GPS data
- and much more

DATA LIVES IN THE DATABASE, ATTACKERS SEEK DATA
- CIO: "The 15 Worst Data Security Breaches of the 21st Century"
- Customer notification filed with the CA Attorney General
- Gizmodo: "Hackers Dump Entire Database of Website Online"
- USA Today: "Hacks expose weak passwords, create new business"

DATA BREACHES ARE COMMON AND EXPENSIVE
- Number of organizations breached in 2015: 76% (CyberEdge: 2016 Cyberthreat Defense Report)
- Average total cost of a data breach: $4 million (Ponemon: 2016 Cost of a Data Breach Study)
- Per-record cost of a data breach: $158 (Ponemon: 2016 Cost of a Data Breach Study)
- Breach Level Index figures as of June 22, 2016

TOP 5 DATABASE PROBLEMS

PATCH (GAP) MANAGEMENT
- Databases become a target the day a patch is released: attackers diff the patch and exploit/POC code is published quickly, so every unpatched instance is exposed
- What to patch first? Critical business systems? Low-risk systems?
- 58% of businesses don't have a "fully mature" patch management process in place (2014 Trustwave State of Risk Report)

DEFAULT ACCOUNTS AND WEAK PASSWORDS
- Default accounts are a liability
  - Databases ship with them
  - Applications install them
- Weak passwords can be cracked
  - Google "[database type] password cracker"
  - Database log-in activity is seldom monitored, so an attacker can guess passwords all day
- Well-known default credentials:
  - User: system / Password: manager (Oracle)
  - User: sys / Password: change_on_install (Oracle)
  - User: scott / Password: tiger (Oracle)
  - User: SA / Password: (blank) (SQL Server)
  - User: db2admin / Password: db2admin (DB2)
  - User: db2as / Password: ibmdb2 (DB2)
  - User: root / Password: (blank) (MySQL)
  - User: admin / Password: admin
  - User: myusername / Password: mypassword
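The checks a DBA would run to find the accounts in the list above, and to make password guessing visible, as an added example that is not part of the Trustwave deck. The Oracle, SQL Server and MySQL statements use only the vendors' standard dictionary views and configuration commands; the profile name secure_profile is an assumption. The db2admin/db2as accounts are operating-system users (DB2 authenticates against the OS), so they are checked with the OS password tooling rather than in SQL.

```sql
-- Added example (not from the deck): find accounts still using default or
-- empty passwords, then make brute forcing visible and expensive.

-- Oracle 11g+: users whose password still matches a known vendor default.
-- Covers SYSTEM/manager, SYS/change_on_install, SCOTT/tiger and many more.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- Oracle: lock out guessers and audit failed logons (the deck's point that
-- nobody watches login activity). secure_profile is an assumed profile name.
-- AUDIT SESSION is traditional auditing; it needs AUDIT_TRAIL set to DB or OS.
CREATE PROFILE secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24     -- 1 hour, expressed in days
  PASSWORD_LIFE_TIME    90;
ALTER USER scott PROFILE secure_profile;
ALTER USER scott ACCOUNT LOCK;               -- demo schema, should not be open
AUDIT SESSION WHENEVER NOT SUCCESSFUL;       -- failed CREATE SESSION -> audit trail

-- SQL Server: SQL logins whose hash verifies against the empty string,
-- and whether 'sa' is still enabled (disable it and use named admin logins).
SELECT name, is_disabled, is_policy_checked
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  (name = 'sa' AND is_disabled = 0);
ALTER LOGIN sa DISABLE;

-- MySQL 5.7+: password-less accounts, anonymous accounts and root open to any
-- host. Accounts using auth_socket legitimately have an empty
-- authentication_string, so the plugin column is included for triage.
SELECT user, host, plugin
FROM   mysql.user
WHERE  authentication_string = ''
   OR  user = ''
   OR  (user = 'root' AND host = '%');
DROP USER IF EXISTS ''@'localhost';          -- anonymous account
```

The discovery queries are read-only and safe to run in production; the ALTER/AUDIT/DROP statements change state and belong in a change window. On Oracle 12c and later with unified auditing enabled, failed logons are captured with a CREATE AUDIT POLICY ... ACTIONS LOGON policy instead of the AUDIT SESSION statement shown.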

SQL INJECTION IN THE DATABASE
- Same concept as with web applications
  - Many vulnerable web applications are out there
  - Good news: most really valuable apps aren't vulnerable
- But the scary stuff isn't just at the web app level; it's in the database
  - SQL injection vulnerabilities exist in all major database platforms, in vendor-supplied packages and in customer-written stored code that builds dynamic SQL from its arguments
  - They generally result in privilege escalation: the injected SQL runs with the privileges of the code's owner (often a DBA)
  - Patching can take months, leaving you vulnerable
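What "SQL injection in the database" looks like in practice, as an added example that is not part of the Trustwave deck: an Oracle PL/SQL function that concatenates its argument into dynamic SQL and runs with its owner's privileges, followed by the same function with the value bound. The schema APP_OWNER, the tables CUSTOMERS and API_KEYS and the data are hypothetical and constructed for the example.

```sql
-- Added example (not from the deck): injection through a definer-rights
-- PL/SQL function. APP_OWNER, CUSTOMERS, API_KEYS and the rows are made up.
-- Run the setup as APP_OWNER (or a DBA).

CREATE TABLE app_owner.customers (name VARCHAR2(100), email VARCHAR2(200));
CREATE TABLE app_owner.api_keys  (owner_name VARCHAR2(100), api_key VARCHAR2(200));
INSERT INTO app_owner.customers VALUES ('alice', 'alice@example.com');
INSERT INTO app_owner.api_keys  VALUES ('billing', 'sk_live_constructed_example');
COMMIT;

-- VULNERABLE: the caller's input is concatenated into the statement, and the
-- function executes with APP_OWNER's privileges (AUTHID DEFINER is the default).
CREATE OR REPLACE FUNCTION app_owner.customer_email (p_name IN VARCHAR2)
  RETURN VARCHAR2
  AUTHID DEFINER
AS
  v_email VARCHAR2(200);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_owner.customers WHERE name = ''' || p_name || ''''
    INTO v_email;
  RETURN v_email;
END;
/
GRANT EXECUTE ON app_owner.customer_email TO PUBLIC;

-- Attack, run by any account with CREATE SESSION and no grant on API_KEYS:
-- the quote closes the literal, the UNION reads a table the caller cannot
-- see, and the trailing -- comments out the closing quote the code appends.
SELECT app_owner.customer_email(
         'nobody'' UNION SELECT api_key FROM app_owner.api_keys --')
FROM   dual;
-- The statement actually executed was:
--   SELECT email FROM app_owner.customers WHERE name = 'nobody'
--   UNION SELECT api_key FROM app_owner.api_keys --'
-- so the caller receives 'sk_live_constructed_example'.

-- HARDENED: bind the value instead of concatenating it. The function keeps
-- definer rights so callers still need no grant on CUSTOMERS, but the input
-- is now data and cannot change the statement's structure.
CREATE OR REPLACE FUNCTION app_owner.customer_email (p_name IN VARCHAR2)
  RETURN VARCHAR2
  AUTHID DEFINER
AS
  v_email VARCHAR2(200);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_owner.customers WHERE name = :name'
    INTO v_email USING p_name;
  RETURN v_email;
END;
/
-- Same input now raises NO_DATA_FOUND instead of leaking API_KEYS.
```

Binding fixes values; identifiers (table or column names taken from the caller) cannot be bound and must be validated with DBMS_ASSERT.SQL_OBJECT_NAME or an allow-list before concatenation. Where the caller's own privileges should apply, declare the unit AUTHID CURRENT_USER so that an injection can only do what the caller could already do directly. The same pattern (dynamic SQL built from arguments inside privileged stored code) is what the vendor-package bugs referenced in the slide come down to; the scanner's role is to flag the unpatched package versions that still contain it.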

EXCESSIVE USER AND GROUP PRIVILEGES
- Entitlements are difficult to manage
  - Users gain access through the perpetual granting of roles, and roles granted to roles
  - Default database privileges are often excessive and dangerous
- "Least privilege" is great in theory, but hard to practice
- Diagram: Users & Groups (Application Developer, Normal End User, Intern, Data Entry, Manager, Database Administrator, QA, Public, EVP/SVP) mapped to Roles, mapped to Permissions (TRANSLATE, DELETE FOUND, FIND, REMOVE, NAVIGATE, EDIT, VIEW, ADD, IMPORT, DELETE)
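Entitlement-review queries that answer the questions behind this slide (who ends up with DBA through a chain of role grants, which accounts hold cross-schema "ANY" privileges, what is exposed to every account), as an added example that is not part of the Trustwave deck. The Oracle dictionary views and SQL Server catalog views are standard; no customer schema is assumed.

```sql
-- Added example (not from the deck): entitlement review.

-- Oracle: every path by which a grantee ends up holding DBA, walking nested
-- role grants (DBA -> role -> role -> user). LEVEL is the chain depth and the
-- indentation shows it; the leaf rows are the users and roles to review.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || grantee AS grantee,
       granted_role,
       admin_option,
       LEVEL AS depth
FROM   dba_role_privs
START WITH granted_role = 'DBA'
CONNECT BY NOCYCLE granted_role = PRIOR grantee
ORDER SIBLINGS BY grantee;

-- Oracle: "ANY" system privileges held outside SYS/SYSTEM/DBA. These cross
-- schema boundaries and are the usual escalation stepping stones.
-- (On 12c+ also exclude rows where DBA_USERS.ORACLE_MAINTAINED = 'Y'.)
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- Oracle: object privileges granted to PUBLIC, i.e. to every account,
-- on application schemas. Vendor grants on SYS objects are reviewed
-- separately (see the "unnecessary features" checks).
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, table_name;

-- SQL Server: members of the sysadmin fixed server role, i.e. the real DBAs.
SELECT m.name AS login_name, m.type_desc
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';
```

Running the first query is the quickest way to see the "perpetual granting of roles" problem: a role created years ago for one task and later granted to a broad application role silently makes every member of that role a DBA. Review the leaf grantees against the list of people who are actually on call for the database.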

UNNECESSARY FEATURES ENABLED
- Minimize the attack surface; don't give attackers more opportunities
- Powerful features are both good and bad
  - Integrated Java and other extensible languages (as we'll see later)
  - Various levels of OS access are available
- Examples of features to review:
  - Java (Oracle JVM)
  - UTL_FILE (Oracle: file system access from SQL)
  - xp_cmdshell (SQL Server: OS command execution)
  - CREATE_NOT_FENCED_ROUTINE (DB2: lets accounts create unfenced routines that run inside the engine process)
  - OLE DB ad hoc queries: OPENROWSET and OPENDATASOURCE (SQL Server)
  - Permissions on the user table (mysql.user)
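How to check and switch off the features listed on this slide, as an added example that is not part of the Trustwave deck. Each statement uses the vendor's own configuration interface (sp_configure and sys.configurations on SQL Server, the SYS dictionary on Oracle, SYSCAT on DB2 LUW, the mysql system schema on MySQL); nothing here is specific to any customer environment.

```sql
-- Added example (not from the deck): find and disable OS-reaching features.

-- SQL Server: show the current state, then turn the dangerous options off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries',
                'Ole Automation Procedures', 'clr enabled');
EXEC sp_configure 'xp_cmdshell', 0;                 -- OS command execution
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;  -- OPENROWSET / OPENDATASOURCE
EXEC sp_configure 'Ole Automation Procedures', 0;   -- sp_OACreate and friends
RECONFIGURE;

-- Oracle: packages that reach the file system or network and are still
-- executable by PUBLIC, plus whether the Java VM component is installed.
SELECT table_name AS package_name
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_JAVA');
SELECT comp_name, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';
-- Revoke from PUBLIC and grant back only to the schemas that need it.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- DB2 LUW: who may create unfenced routines (code that runs inside the
-- engine process with the engine's OS privileges).
SELECT grantee, grantor
FROM   syscat.dbauth
WHERE  nofenceauth = 'Y';

-- MySQL: accounts that can read/write server files or bypass limits, and the
-- secure_file_priv setting that confines LOAD DATA and SELECT ... INTO OUTFILE.
SELECT user, host
FROM   mysql.user
WHERE  File_priv = 'Y' OR Super_priv = 'Y';
SHOW VARIABLES LIKE 'secure_file_priv';
```

Revoking UTL_FILE from PUBLIC will break any application package that relied on the public grant, so run the first Oracle query on a test system, check which schemas reference the package, and re-grant to them explicitly before revoking in production. On SQL Server, xp_cmdshell can be re-enabled by anyone holding sysadmin, so disabling it is only meaningful together with the sysadmin membership review.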

DATABASE SECURITY SOLUTIONS

PROVEN DATABASE SECURITY METHODOLOGY
- Enforce Least Privileges
- Respond To Anomalies

DELIVERED IN THREE WAYS
- Managed Security Testing (MST): Database Scanning
- DbProtect
- AppDetectivePRO

MANAGED DATABASE SCANNING
Managed Security Testing (MST)
- Trustwave SpiderLabs' database security experts use our technology to spot anomalies such as vulnerabilities, configuration errors, and access issues
- Managed database scanning can:
  - Assess database(s) against industry best practices
  - Provide actionable information on vulnerabilities and misconfigurations that will improve your security
  - Help measure whether you have improved the security posture between scans

APPDETECTIVEPRO
The Premier Database Scanner for Security, Risk & IT Professionals
De facto Standard for Database Audit and Assessment
- Discovery
- Pen Test (Zero-Knowledge)
- Security Audit (Authenticated)
- User Rights Review
Quick Start Features
- Easy to deploy: standalone laptop; bundles MS SQL Server 2014 Express (10 GB storage limit)
- Easy to use: built-in regulatory frameworks
- Always up-to-date: SpiderLabs Research ASAP updates
- Comprehensive: over 2,000 vulnerability checks and tests across all major platforms

DBPROTECT
Enterprise-class database security, for organizations of all sizes
- Vulnerability Management
  - Locate Vulnerabilities & Misconfigurations
  - Perform Outside-in Pen Tests
  - Conduct Inside-out Audits
- Rights Management
  - Analyze Access Controls
  - Find Privileged Users
  - Audit Privileged Users
  - Detail Access to Sensitive Objects
- Activity Monitoring
  - Detect Attacks in Real Time
  - Initiate Action with Active Response
- Platform: Vulnerability Checks, Attack Signatures, Audit Rules, Policies; Database Discovery & Inventory; Policy Management; Dashboards & Reports; Integration Framework

TRUSTWAVE SPIDERLABS
The Database Security Experts
- World's largest dedicated database security research team
  - Most frequently published experts on database attacks
  - Author the database security knowledgebase, the foundation of Trustwave's Database Security products
- Credited with finding hundreds of database vulnerabilities
  - Over 100 Oracle vulnerabilities since 2005
  - Dozens of vulnerabilities in SQL Server, DB2, Sybase, MySQL and Hadoop
  - Reported 80% of the vulnerabilities fixed by database vendors over the last 4 years
- Most extensive database threat knowledgebase
  - Vulnerability checks and attack signatures for 2,000 vulnerabilities
  - Monthly ASAP Updates
  - Built-in policies for regulatory compliance and security best practices

'LAND AND EXPAND' DBSS SALES PROCESS
Diagram: Security Practitioner -> Database Findings -> Plan (Go Fix it!) -> Directors, IT Security, Database Admins -> Protected Database

BUSINESS NEEDS & USE CASES

WHAT DO I SELL AND TO WHOM?
- "I need help running and validating database scans. I need my critical databases scanned, but I don't have experienced staff to run them." (Managed Security Testing)
- "I need full control of my database security program. My organization needs full control around our established enterprise-wide database vulnerability management and security program." (DbProtect)
- "I'm an individual IT audit or security practitioner. I need a point-and-shoot tool to run quick database vulnerability scans and reports." (AppDetectivePRO)
- "I have a small number of databases to scan, and prefer to run the scans and generate reports myself." (AppDetectivePRO)

DATABASE SECURITY TESTING, ON TIME, ON BUDGET, AND ON DEMAND (MANAGED)
- Vulnerability scans managed by Trustwave experts
- On-demand compliance and security best practices scans
- Validated results and reports
- Augment your team and minimize false positives
Designed for organizations that don't have the time or skilled resources to manage database vulnerability scans.

HIGHLY SCALABLE ENTERPRISE CLASS SOLUTION (ENTERPRISE)
DbProtect
- Highly scalable precision database security and compliance solution
- Market-leading Vulnerability Management, Rights Management, and Activity Monitoring capabilities
- Helps organizations control their database security processes in a smarter and more streamlined way
- Enables organizations to enforce database security, minimize risk, and achieve regulatory compliance
- Highly scalable, lowest TCO, software-only, and least amount of network impact of any database security solution on the market

DATABASE SCANNING FOR IT AUDITORS & SECURITY PRACTITIONERS (IT AUDITOR DB ASSESSMENT TOOL)
AppDetectivePRO
- Find vulnerabilities, configuration issues, weak passwords, patch issues, access control issues, and other problems that could lead to user privilege escalation
- The most comprehensive, portable database scanner on the market
- Evaluate the effectiveness of controls around sensitive data
- Assess more in-scope databases in less time, and with the least amount of effort
- Our tactical scanner is used by nearly 90% of the IT Audit & Advisory community to assess audit compliance, risk and security

DATABASE SCANNING FOR THE INTERNAL CORPORATE USER (SINGLE-USER DATABASE SCANNER)
AppDetectivePRO
- Quick and accurate vulnerability assessment and user rights review scans of databases and Big Data stores
- Identify vulnerabilities, configuration issues, weak passwords, patch and access control issues, and other settings that can lead to user privilege escalation
- Effortlessly transfer scan results from our Self-Service solution back into our Enterprise solution
- Know what the auditors will find, before they show up!
Our Self-Service offering provides the quickest and most accurate database security scans in the market, all in a single-user solution.

BUSINESS OUTCOMES

VULNERABILITY TESTING (Managed Database Scanning)
Database Challenges Addressed
- Clinical assessment of database vulnerabilities
  - Identify all known vulnerabilities
  - Scan with database credentials
- Deep analysis of database configuration, including:
  - Security settings
  - Patches
  - Audit subsystem
  - Operating system issues

VULNERABILITY MANAGEMENT (Enterprise & Tactical Scanning)
Database Challenges Addressed
- Discover and inventory databases on the network
- Clinical assessment of database vulnerabilities
  - Identify all known vulnerabilities
  - Scan with or without database credentials
- Deep analysis of database configuration, including:
  - Security settings
  - Patches
  - Audit subsystem
  - Operating system issues
- Automation and workflow

RIGHTS MANAGEMENT (Enterprise & Tactical Scanning)
Database Challenges Addressed
- Analyze database access controls
  - Examine all users, objects and privileges
  - Uncover all DBA and other privileged accounts
  - Identify any access to sensitive data
  - Locate segregation of duties problems

ACTIVITY MONITORING (DbProtect)
Ideal for Security Threat Monitoring
Database Challenges Addressed
- Identify and stop database attacks
  - Virtual patching
- Automated reactions to policy violations and suspicious behavior
  - Alert, block, quarantine
- Designed for high-performance systems
  - Security monitoring that won't slow you down

CASE STUDIES

MULTI-NATIONAL BANK
Situation
- Customer is a global bank with over 3,100 branches and offices operating in more than 55 countries. Growth through acquisition has left disparate IT systems operating around the world, each with their own policies, standards, regulations and controls.
- Attackers constantly target the bank's assets. The corporate security team is responsible for ensuring database security regardless of where systems are located.
Solution
- DbProtect Vulnerability Assessment scans are run by the security team across the enterprise using a single policy that encompasses all assessment requirements.
- DbProtect report filters derive individualized views for each geography based on their local regulations and controls.
Results
- Consistent scanning of databases across the globe on a daily basis using only one full-time resource.
- One scan of each database system yields results for multiple constituencies without any manual data massaging or intervention.

ENERGY COMPANY
Situation
- Company is regularly subject to industrial espionage attempts, potential exposure of intellectual property, exposure of sensitive data, and has a very large attack surface.
- IT auditors using automated tools (AppDetectivePRO) generated findings on our customer's databases.
- A large number of disparate databases made it impractical and inefficient to assess, monitor and audit manually.
Solution
- DbProtect deployed across the enterprise to establish continuous compliance for all database instances.
- AppDetectivePRO installed on laptops to assess remote databases on oil platforms. Results uploaded to DbProtect afterwards.
Outcome
- Scaled database SRC objectives enterprise-wide.
- Resolved SOX audit finding and significantly reduced the resource burden on IT security and DBA infrastructure teams.

COMPETITIVE ADVANTAGES
- Quality of knowledgebase of checks and tests: SpiderLabs!
- Active database discovery
- Highly scalable, software-only form factor
- More accurate database activity monitoring (DAM) through scanning integration
- Intuitive user interface, powerful reporting and analytics
- Supports multi-tenancy deployments

QUESTIONS? THANK YOU