TRUSTWAVE DATABASE SECURITY
Securing Data Where It Lives
©2016 Trustwave Holdings, Inc.
AGENDA
1. The Database Security Landscape
2. Top Five Database Security Problems
3. Business Needs & Use Cases
4. Database Security Solutions
5. Business Outcomes
6. Case Studies
7. Questions
THE DATA SECURITY PROBLEM
• People want to steal your data
• Attackers are more sophisticated & motivated
• Databases are full of vulnerabilities
• 90% of corporate data lives in databases = target-rich environment
• Powerful attacks are easy to find & exploit
• Finding, fixing & patching security issues requires skilled staff and time
CRITICAL AND SENSITIVE DATA IS EVERYWHERE!
• Personally Identifiable Information (PII)
• Payment card numbers
• Social security numbers
• Bank account and routing numbers
• Email correspondence
• Usernames and passwords
• Protected Health Information (PHI)
• Budget information
• NDA-protected information
• Research and development information
• Intellectual property
• Employment records
• Attorney/client privileged information
• Critical infrastructure information
• GPS data
• INFINITELY MORE…
“But at the heart of many significant applications lies a database.”
DATA LIVES IN THE DATABASE, ATTACKERS SEEK DATA
• Customer notification filed with the CA Attorney General
• CIO: “The 15 Worst Data Security Breaches of the 21st Century”
• USA Today: “Hacks…expose weak passwords, create new business”
• Gizmodo: “Hackers Dump Entire Database of…Website…Online”
DATA BREACHES ARE COMMON AND EXPENSIVE
Breach Level Index (a/o June 22, 2016)
• $4 Million: average total cost of a data breach (Ponemon: 2016 Cost of a Data Breach Study)
• $158: per-record cost of a data breach (Ponemon: 2016 Cost of a Data Breach Study)
• 76%: organizations breached in 2015 (CyberEdge: 2016 Cyberthreat Defense Report)
TOP 5 DATABASE PROBLEMS
PATCH (GAP) MANAGEMENT
• Databases are exposed from the day a patch is released: the patch itself tells attackers where the hole is, and every unpatched instance is now a known target
– Exploit/POC code is published quickly
– What to patch first? Critical business systems? Low-risk systems?
– 58% of businesses don’t have a “fully mature” patch management process in place (2014 Trustwave State of Risk Report)
DEFAULT ACCOUNTS AND WEAK PASSWORDS
• Default accounts are not good
– Databases ship with them
– Applications install them
• Weak passwords can be cracked
– Google “[database type] password cracker”
– Database log-in activity is seldom monitored
– An attacker can guess passwords all day
Well-known default credentials (user / password), grouped by platform:
– Oracle: system / manager; sys / change_on_install; scott / tiger
– SQL Server and Sybase ASE: sa / (blank)
– DB2: db2admin / db2admin; db2as / ibmdb2
– MySQL: root / (blank)
– Application and placeholder accounts: admin / admin; myusername / mypassword
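The last two sub-points (log-in activity is seldom monitored, so an attacker can guess all day) are a detection gap rather than a patching gap. The following is an added example, not code from the deck or from any Trustwave product: a small Python detector that reads authentication audit records, raises an alert when one client accumulates repeated failures inside a short sliding window, notes whether a login from that client then succeeded (the signature of a guessed or default password), and lists which of the targeted accounts are vendor defaults. The record format and the sample records are constructed for the example; the three-failures-in-five-minutes threshold is an assumed starting value, not one the page prescribes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp, client address, account, outcome.
# The format is invented for this example, not any vendor's native audit format.
SAMPLE_LOG = """\
2016-06-22T10:00:01 10.1.1.5 sys FAIL
2016-06-22T10:00:02 10.1.1.5 sys FAIL
2016-06-22T10:00:03 10.1.1.5 system FAIL
2016-06-22T10:00:04 10.1.1.5 system FAIL
2016-06-22T10:00:05 10.1.1.5 scott FAIL
2016-06-22T10:00:06 10.1.1.5 scott SUCCESS
2016-06-22T10:05:00 10.1.1.20 appuser SUCCESS
2016-06-22T10:06:00 10.1.1.21 appuser FAIL
2016-06-22T10:30:00 10.1.1.21 appuser SUCCESS
"""

# Vendor-shipped account names from the slide above. Failures against these
# deserve attention even before a volume threshold trips.
DEFAULT_ACCOUNTS = {"sys", "system", "scott", "sa", "db2admin", "db2as",
                    "root", "admin"}


def parse(log_text):
    """Turn the audit text into (timestamp, source, account, succeeded) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        records.append((datetime.fromisoformat(ts), src, user.lower(),
                        outcome == "SUCCESS"))
    return records


def detect_guessing(records, threshold=3, window=timedelta(minutes=5)):
    """Alert on any client that accumulates `threshold` failed logins within a
    sliding `window`, and record whether a login from that client later
    succeeded. Returns one alert dict per offending source."""
    recent_failures = defaultdict(deque)   # source -> deque of (ts, account)
    alerts = {}
    for ts, src, user, ok in sorted(records):
        if ok:
            alert = alerts.get(src)
            if alert is not None and alert["followed_by_success"] is None:
                alert["followed_by_success"] = user   # guessing paid off
            continue
        q = recent_failures[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:     # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(src, {"source": src, "accounts": set(),
                                            "followed_by_success": None})
            alert["accounts"].update(u for _, u in q)
    # Finalise into sorted lists, which are easier to assert on and to ship to a SIEM.
    for alert in alerts.values():
        alert["accounts"] = sorted(alert["accounts"])
        alert["default_accounts_targeted"] = sorted(
            set(alert["accounts"]) & DEFAULT_ACCOUNTS)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_guessing(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed records the detector reports a single source, 10.1.1.5, that tried sys, system and scott and then got in as scott; the lone failure from 10.1.1.21 stays below the threshold. In production the same logic runs over whatever the platform's native audit trail provides (Oracle's unified audit, SQL Server login auditing, and so on); the point is that the audit has to be switched on and read, or the guessing is invisible.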
SQL INJECTION IN THE DATABASE
• Same concept as with web applications
– Many vulnerable web applications are out there
– Good news: most of the really valuable apps aren’t vulnerable
• But the scary stuff isn’t just at the web app level; it’s in the database itself
– SQL injection vulnerabilities exist in all major database platforms, in vendor-shipped procedures and packages that build dynamic SQL from caller input
– Generally resulting in privilege escalation (a low-privileged login runs SQL as DBA, because the vulnerable routine executes with its owner’s rights)
– Patching can take months (leaving you vulnerable)
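An added example (not from the page or from any vendor’s code) of the mechanism behind in-database SQL injection, modelled with Python’s built-in sqlite3 so it runs offline. A routine that executes with its owner’s privileges builds its statement by concatenating caller input; a caller with no rights on the credentials table reads it anyway by closing the string literal and appending a UNION. The fixed version binds the value as a parameter, so the input can change only the value compared, never the statement’s structure. The schema, table names and payload are constructed for the illustration.

```python
import sqlite3


def build_db():
    """Constructed schema: a directory anyone may query and a credentials
    table that only the routine's owner should be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE directory(name TEXT, phone TEXT);
        INSERT INTO directory VALUES ('alice', '555-0100'), ('bob', '555-0101');
        CREATE TABLE credentials(username TEXT, password_hash TEXT);
        INSERT INTO credentials VALUES ('dba', 'constructed-hash-value');
    """)
    return conn


def lookup_phone_vulnerable(conn, name):
    """Stands in for a vendor-shipped, owner-privileged procedure: the caller
    cannot read `credentials` directly, but the routine runs with its owner's
    rights and splices the caller's string straight into the statement."""
    sql = "SELECT name, phone FROM directory WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_phone_fixed(conn, name):
    """Same routine with the value bound as a parameter."""
    return conn.execute(
        "SELECT name, phone FROM directory WHERE name = ?", (name,)
    ).fetchall()


# The low-privileged caller's input: closes the literal, appends a UNION that
# reads the protected table, and comments out the trailing quote with "--".
PAYLOAD = "x' UNION SELECT username, password_hash FROM credentials --"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_phone_vulnerable(conn, PAYLOAD))
    print("fixed:     ", lookup_phone_fixed(conn, PAYLOAD))
```

With the payload the vulnerable routine returns the DBA’s password hash and the fixed one returns nothing, because no directory entry is literally named after the payload string. When the vulnerable routine is the vendor’s and the fix is months away, the usual interim control is to revoke EXECUTE on the affected package from PUBLIC and from every login that does not need it, which is exactly the least-privilege review the next slide is about.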
EXCESSIVE USER AND GROUP PRIVILEGES
• Entitlements are difficult to manage
– Users can gain access through perpetual granting of roles
– Default database privileges granted are often excessive and dangerous
• “Least privilege” is great in theory, but hard to practice
[Figure: Users & Groups (Normal End User, Manager, Intern, QA, EVP/SVP, Application Developer, Data Entry, Database Administrator, Public) → Roles → Permissions (Edit, View, Add, Import, Delete, Translate, Delete Found, Find, Remove, Navigate)]
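An added example, not from the page: a rights review of the kind the Users → Roles → Permissions diagram implies, in Python. Role-to-role grants are followed transitively, which is how a QA user ends up inheriting DBA through a chain nobody remembers granting, and each user’s effective privilege set is checked for wildcard and sensitive-object access. The grant tables, role names and object names are constructed for the example; a real review populates them from the catalog (for instance Oracle’s DBA_ROLE_PRIVS and DBA_TAB_PRIVS, or SQL Server’s sys.database_role_members and sys.database_permissions).

```python
from collections import deque

# Constructed grant data (not from the page). Keys are grantees, users and
# roles alike; values are the roles granted to them.
ROLE_GRANTS = {
    "intern":          {"data_entry"},
    "manager":         {"normal_end_user"},
    "qa":              {"qa_role"},
    "data_entry":      {"normal_end_user"},
    "normal_end_user": {"public"},
    "qa_role":         {"app_developer"},
    "app_developer":   {"dba"},   # a "temporary" grant nobody ever revoked
}

# Constructed object privileges held directly by each role: (privilege, object).
OBJECT_GRANTS = {
    "public":          {("VIEW", "directory"), ("VIEW", "payroll")},  # excessive default
    "normal_end_user": {("EDIT", "own_profile")},
    "data_entry":      {("ADD", "orders"), ("IMPORT", "orders")},
    "app_developer":   {("EDIT", "app_schema")},
    "dba":             {("DELETE", "*"), ("EDIT", "*"), ("VIEW", "*")},
}

SENSITIVE_OBJECTS = {"credentials", "payroll"}


def effective_roles(grantee):
    """Every role reachable from `grantee` through role-to-role grants (cycle-safe)."""
    roles, todo = set(), deque([grantee])
    while todo:
        current = todo.popleft()
        for role in ROLE_GRANTS.get(current, ()):
            if role not in roles:
                roles.add(role)
                todo.append(role)
    return roles


def grant_path(grantee, target):
    """Shortest chain of grants from `grantee` to role `target`, or None."""
    parent, todo = {grantee: None}, deque([grantee])
    while todo:
        current = todo.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = parent[current]
            return path[::-1]
        for role in ROLE_GRANTS.get(current, ()):
            if role not in parent:
                parent[role] = current
                todo.append(role)
    return None


def effective_privileges(grantee):
    """Direct object grants plus those inherited through every effective role."""
    privileges = set(OBJECT_GRANTS.get(grantee, ()))
    for role in effective_roles(grantee):
        privileges |= OBJECT_GRANTS.get(role, set())
    return privileges


def review(grantee):
    """Findings a rights review would raise for one user: DBA inheritance
    (with the grant chain) and any reach into wildcard or sensitive objects."""
    findings = []
    path = grant_path(grantee, "dba")
    if path:
        findings.append("inherits DBA via " + " -> ".join(path))
    for privilege, obj in sorted(effective_privileges(grantee)):
        if obj == "*" or obj in SENSITIVE_OBJECTS:
            findings.append(f"{privilege} on {obj}")
    return findings


if __name__ == "__main__":
    for user in ("intern", "manager", "qa"):
        print(user, review(user))
```

Two findings fall out of the constructed data that a per-user glance at direct grants would miss: every end user can read payroll because PUBLIC was granted it, and the QA account is a DBA four hops away. The chain is what matters for remediation, since revoking the stale app_developer → dba grant fixes QA without touching QA’s own grants.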
UNNECESSARY FEATURES ENABLED
• Minimize the attack surface; don’t give attackers more opportunities
• Powerful features are both good and bad
– Integrated Java and other extensible languages (as we’ll see later)
– Various levels of OS access available
Examples, by platform, of features to disable or restrict when not needed:
– Oracle: Java in the database; UTL_FILE (file system access from PL/SQL)
– SQL Server: xp_cmdshell (OS command execution); OLE DB ad hoc queries via OPENROWSET / OPENDATASOURCE
– DB2: CREATE_NOT_FENCED (allows logins to create stored procedures that run unfenced, inside the engine process)
– MySQL: permissions on the user table (mysql.user)
DATABASE SECURITY SOLUTIONS
PROVEN DATABASE SECURITY METHODOLOGY
Continuous Assessment: Inventory → Test → Eliminate Vulnerabilities → Enforce Least Privileges
Continuous Protection: Protect → Monitor for Anomalies → Respond to Incidents
DELIVERED IN THREE WAYS
• Managed Security Testing (MST) – Database Scanning
• AppDetectivePRO
• DbProtect
MANAGED DATABASE SCANNING
Managed Security Testing (MST)
• Trustwave SpiderLabs’ database security experts use our technology to spot vulnerabilities, configuration errors, and access issues.
• Managed database scanning can:
– Assess database(s) against industry best practices
– Provide actionable information on vulnerabilities and misconfigurations that will improve your security
– Help measure whether you have improved the security posture between scans
APPDETECTIVEPRO
The Premier Database Scanner for Security, Risk & IT Professionals
De facto standard for database audit and assessment:
▪ Discovery
▪ Pen Test (zero-knowledge)
▪ Security Audit (authenticated)
▪ User Rights Review
▪ Quick Start features
▪ Easy to deploy: standalone laptop; bundles MS SQL Server 2014 Express (10 GB storage limit)
▪ Easy to use: built-in regulatory frameworks
▪ Always up-to-date: SpiderLabs Research ASAP updates
▪ Comprehensive: over 2,000 vulnerability checks & tests across all major platforms
DBPROTECT
Enterprise-class database security, for organizations of all sizes
Rights Management
• Analyze access controls
• Find privileged users
• Detail access to sensitive objects
Activity Monitoring
• Detect attacks in real time
• Audit privileged users
• Initiate action with Active Response
Vulnerability Management
• Locate vulnerabilities & misconfigurations
• Perform outside-in pen tests
• Conduct inside-out audits
Knowledgebase: Vulnerability Checks | Attack Signatures | Audit Rules | Policies
Platform: Database Discovery & Inventory | Policy Management | Dashboards & Reports | Integration Framework
TRUSTWAVE SPIDERLABS
The Database Security Experts
World’s largest dedicated database security research team
• Most frequently published experts on database attacks
• Author the database security knowledgebase, the foundation of Trustwave’s Database Security products
Credited with finding hundreds of database vulnerabilities
• Over 100 Oracle vulnerabilities since 2005
• Dozens of vulnerabilities in SQL Server, DB2, Sybase, MySQL and Hadoop
• Reported 80% of the vulnerabilities fixed by database vendors over the last 4 years
Most extensive database threat knowledgebase
• Vulnerability checks and attack signatures for 2,000+ vulnerabilities
• Monthly ASAP Updates
• Built-in policies for regulatory compliance and security best practices
‘LAND AND EXPAND’ DBSS SALES PROCESS
[Figure: Vulnerable Database → Database Findings and Violations → Remediation Plan (Go Fix it!) → Protected Database; audiences: Security Practitioner, Directors, Database Admins, IT Security; product: DbProtect]
BUSINESS NEEDS & USE CASES
WHAT DO I SELL…AND TO WHOM?
“I need help running & validating database scans. I need my critical databases scanned, but I don’t have experienced staff to run them.” (Managed Security Testing)
“I have a small number of databases to scan, and prefer to run the scans and generate reports myself.” (AppDetectivePRO)
“I need full control of my database security program. My organization needs full control around our established enterprise-wide database vulnerability management and security program.” (DbProtect)
“I’m an individual IT audit or security practitioner. I need a point-and-shoot tool to run quick database vulnerability scans & reports.” (AppDetectivePRO)
MANAGED
DATABASE SECURITY TESTING, ON TIME, ON BUDGET, AND ON DEMAND
Designed for organizations that don’t have the time or skilled resources to manage database vulnerability scans.
• Vulnerability scans managed by Trustwave experts
• On-demand compliance and security best practices scans
• Validated results and reports
• Augment your team and minimize false positives
ENTERPRISE
DbProtect
HIGHLY SCALABLE ENTERPRISE CLASS SOLUTION
Highly scalable, lowest TCO, software-only, and least amount of network impact of any database security solution on the market.
• Highly scalable precision database security and compliance solution
• Market-leading Vulnerability Management, Rights Management, and Activity Monitoring capabilities
• Helps organizations control their database security processes in a smarter and more streamlined way
• Enables organizations to enforce database security, minimize risk, and achieve regulatory compliance
IT AUDITOR DB ASSESSMENT TOOL
AppDetectivePRO
DATABASE SCANNING FOR IT AUDITORS & SECURITY PRACTITIONERS
Our tactical scanner is used by nearly 90% of the IT Audit & Advisory community to assess audit compliance, risk & security.
• Find vulnerabilities, configuration issues, weak passwords, patch issues, access control issues, and other problems that could lead to user privilege escalation
• The most comprehensive, portable database scanner on the market
• Evaluate the effectiveness of controls around sensitive data
• Assess more in-scope databases in less time, and with the least amount of effort
SINGLE-USER DATABASE SCANNER
AppDetectivePRO
DATABASE SCANNING FOR THE INTERNAL CORPORATE USER
Our Self-Service offering provides the quickest and most accurate database security scans in the market, all in a single-user solution.
• Quick and accurate vulnerability assessment and user rights review scans of databases and Big Data stores
• Identify vulnerabilities, configuration issues, weak passwords, patch and access control issues, and other settings that can lead to user privilege escalation
• Transfer scan results from our Self-Service solution back into our Enterprise solution
• Know what the auditors will find, before they show up!
BUSINESS OUTCOMES
VULNERABILITY TESTING
Managed Database Scanning – Database Challenges Addressed
• Clinical assessment of database vulnerabilities
– Identify all known vulnerabilities
– Scan with database credentials
• Deep analysis of database configuration, including:
– Security settings
– Patches
– Audit subsystem
– Operating system issues
VULNERABILITY MANAGEMENT
Enterprise & Tactical Scanning – Database Challenges Addressed
• Discover and inventory databases on the network
• Clinical assessment of database vulnerabilities
– Identify all known vulnerabilities
– Scan with or without database credentials
• Deep analysis of database configuration, including:
– Security settings
– Patches
– Audit subsystem
– Operating system issues
• Automation and workflow
RIGHTS MANAGEMENT
Enterprise & Tactical Scanning – Database Challenges Addressed
• Analyze database access controls
– Examine all users, objects and privileges
– Uncover all DBA and other privileged accounts
– Identify any access to sensitive data
– Locate segregation-of-duties problems
ACTIVITY MONITORING (DBPROTECT)
Ideal for Security Threat Monitoring – Database Challenges Addressed
• Identify and stop database attacks
– Virtual patching
• Automated reactions to policy violations and suspicious behavior
– Alert, block, quarantine
• Designed for high-performance systems
– Security monitoring that won’t slow you down
CASE STUDIES
MULTI-NATIONAL BANK
Situation
• Customer is a global bank with over 3,100 branches and offices operating in more than 55 countries. Growth through acquisition has left disparate IT systems operating around the world, each with their own policies, standards, regulations and controls.
• Attackers constantly target the bank’s assets. The corporate security team is responsible for ensuring database security regardless of where systems are located.
Solution
• DbProtect Vulnerability Assessment scans are run by the security team across the enterprise using a single policy that encompasses all assessment requirements.
• DbProtect report filters derive individualized views for each geography based on their local regulations and controls.
Results
• Consistent scanning of databases across the globe on a daily basis using only one full-time resource.
• One scan of each database system yields results for multiple constituencies without any manual data massaging or intervention.
ENERGY COMPANY
Situation
• Company is regularly subject to industrial espionage attempts, potential exposure of intellectual property, exposure of sensitive data, and has a very large attack surface.
• IT auditors using automated tools (AppDetectivePRO) generated findings on our customer’s databases.
• Large number of disparate databases made it impractical and inefficient to assess, monitor and audit manually.
Solution
• DbProtect deployed across the enterprise to establish continuous compliance for all database instances.
• AppDetectivePRO installed on laptops to assess remote databases on oil platforms. Results uploaded to DbProtect afterwards.
Outcome
• Scaled database SRC objectives enterprise-wide. Resolved SOX audit finding and significantly reduced the resource burden on IT security and DBA infrastructure teams.
COMPETITIVE ADVANTAGES
• Quality of knowledgebase of checks and tests – SpiderLabs!
• Active database discovery
• Highly scalable, software-only form factor
• More accurate database activity monitoring (DAM) through scanning integration
• Intuitive user interface, powerful reporting & analytics
• Supports multi-tenancy deployments
THANK YOU
QUESTIONS?