McAfee Database Security
Sagena Security Day, 6 September 2012
September 20, 2012
Franz Hüll, Senior Security Consultant
Agenda
• Overview database security
• DB security from McAfee (Sentrigo)
• VMD McAfee Vulnerability Manager for Databases
• DSS McAfee Database Security Scanner
• DAM McAfee Database Activity Monitoring
• VPT Virtual Patching
• Demo
• Q&A
Database Security and the Enterprise
Databases power the largest applications in the world
Customers store their most critical and sensitive data in databases; any loss, interruption, or breach could be disastrous
Any vulnerability, misconfiguration or exploitation means non-compliance with audits (HIPAA, SOX, PCI, etc.)
Securing your databases can be very challenging without the right solution
“We have limited visibility or controls over actual activity in our databases, especially by privileged users.”
“I’m not even sure where all my databases are, or how securely they are configured…”
“Many of our applications are running on top of databases that are too critical to take down, or on ones that the DBMS vendor doesn’t even release patches for anymore.”
“My auditors require logs showing exactly who made changes to certain data, but some of our applications connect directly to the database so I don’t always know who issued commands.”
The Reality Is…
Source: Verizon Business Study 2010
• Database servers are involved in 25% of all breaches
• Database breaches account for 92% of all records breached
Databases Contain Your Crown Jewels
Customer Records and PII
• Credit card numbers, account numbers, billing information, authentication data
Employee Information
• SSNs, salary, reviews
Financial Data and IP
• Revenue, receivables, research
Need to be Compliant
• Regulations require sensitive data be handled securely
– PCI DSS, Sarbanes-Oxley, HIPAA, SAS 70, GLBA, and other industry-specific regulations
• Breach Notification Laws Increase Visibility
– Originally CA SB1386, now in 46 states and widely adopted worldwide
– U.S. House passed HR 2221 in December, Senate has 2 bills on the floor now
– EU legislation expected
• Internal IT Governance Dictates Process
– Timely installation of patches
– Segregation of Duties
Why Isn’t My Database Secure?
• Technology
– Accessed constantly by multiple applications, users
– Impossible to lock down without impacting accessibility
– Vulnerable (SQL injection, buffer overflow)
• Process
– Patches (i.e. Oracle CPU) not applied in a timely manner
– Implementation practices (default/shared passwords, etc.)
• People
– Accessed by DBAs, Sys Admins, programmers…
DB Security - The Products
McAfee Product | Target Audience | ePO Integration
McAfee Vulnerability Manager for Databases (VMD) | Enterprise, Government, SMB |
McAfee Database Security Scanner (DSS) | Enterprise, Government, SMB, Consultants, Auditors, (DBAs) |
McAfee Database Activity Monitoring (DAM) | Enterprise, Government, SMB | in progress
McAfee vPatch for Databases (VPT) | Enterprise, Government, SMB | in progress
McAfee Database User IDentifier | Enterprise, Government, SMB |
VULNERABILITY ASSESSMENT
McAfee Vulnerability Manager for Databases / McAfee Database Security Scanner
Where are the databases?
Knowledge about:
• Production databases
• Most important databases
• Enterprise databases
• HA databases
But do you know all of the other databases as well?
• Test databases
• Temporary databases
• Databases used during migrations or recovery
• Project databases
• Developer databases
• Databases coupled with an application
ALL of them can contain sensitive data!
Where are the databases?
The built-in McAfee Network Database Scanner helps you find all of these databases.
Scanning the network by:
• IP address (range/list)
• Database listener port (default and other)
• SID
• Database vendor
About Vulnerability Manager for Databases
• Over 4,300 vulnerability checks
– Patch levels
– Weak passwords
– Configuration baselining
– Backdoor detection
– Sensitive data discovery (PII, SSN, etc.)
– Vulnerable PL/SQL code
– Unused features
– Custom checks
Best-in-class Vulnerability Assessment for DBs
• Built on deep practical security knowledge
– Developed with Alexander Kornbrust of Red Database Security, one of the top authorities on database protection
– Not simply based on DBMS vendors' "security guidelines"
• Provide practical remedy advice / solutions
– Test and report on real issues (vs. lengthy unreadable reports)
– Prioritized results include fix scripts and expert recommendations
• Enterprise Ready
– Centralized reporting for up to thousands of DB instances
– Allow easy automation & integration with other products
– Create different roles / outputs for dissimilar stakeholders (DBAs, developers, IT Security)
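As an added illustration (not the McAfee product's code), the kinds of checks listed above run over a constructed snapshot of one database: a default password on a well-known account, a required audit option that is not enabled, and sensitive data discovery for SSNs and card numbers. The snapshot, the default-password list and the required audit options are constructed sample values.

```python
import hashlib
import re
# Constructed snapshot of one database as a VA scan would collect it (sample data, not
# McAfee output). Password hashes are plain SHA-256 here purely for illustration.
def h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

SNAPSHOT = {
    "accounts": {"SYSTEM": h("manager"), "APP_OWNER": h("Zq7!vR2m#kL")},
    "audit_options": {"CREATE SESSION"},
    "columns": {"HR.EMPLOYEES.TAX_ID": ["123-45-6789", "000-12-3456"],
                "SALES.ORDERS.NOTE": ["paid with 4111 1111 1111 1111", "call back"]},
}
DEFAULT_PASSWORDS = {"SYSTEM": "manager", "SCOTT": "tiger"}  # constructed sample list
REQUIRED_AUDIT = {"ALTER USER", "CREATE SESSION"}
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def valid_ssn(area, group, serial):
    """SSA structure rules: area not 000/666/9xx, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled (Luhn)
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def run_scan(snap):
    """Return (severity, category, message) findings, sorted for a report."""
    findings = []
    for user, default in DEFAULT_PASSWORDS.items():
        if snap["accounts"].get(user) == h(default):
            findings.append(("HIGH", "PASSWORD", f"{user} has default password"))
    for opt in sorted(REQUIRED_AUDIT - snap["audit_options"]):
        findings.append(("MEDIUM", "AUDIT", f"{opt} not audited"))
    for col, values in snap["columns"].items():
        kinds = set()
        for v in values:
            if any(valid_ssn(*m) for m in SSN_RE.findall(v)):
                kinds.add("SSN")
            if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(v)):
                kinds.add("CARD")
        for kind in sorted(kinds):
            findings.append(("HIGH", "DATA", f"{col} contains {kind}"))
    return sorted(findings)
```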
Test - Test Group - Scan
Diagram: Single Test → Test Group → VA Scan (labels “About 20” and “> 4,300”)
Diagram of test categories and example findings: AUDIT, Custom Test, Data Discovery, PATCH Information; example findings “ALTER USER not audited” and “SYSTEM has default password”
Vulnerability Scanner for Databases (v4.5)
Diagram: connectivity to databases (SQL-Connect) over the network from ePO (≥4.6) or cloud deployments to the scanned DB instances
Screen shots: Database Browser; Management summary report
Supported databases
• Oracle 8i and up
• MS SQL 2000 and up
• DB2 (LUW) 8.1 and up
• MySQL 4.0 and up
• PostgreSQL 8.3 and up
• Sybase ASE 12.5 and up
• SQL Azure
McAfee Database Activity Monitoring (DAM)
TRUSTED AUDIT AND REAL-TIME INTRUSION PREVENTION
Fundamental Principles
• Protection from the Inside Out
– More effective
– More efficient
– Better fit with today’s IT environment
• Lower Cost and Complexity of Implementation
– Software-only solution
– Easy to download, evaluate, and buy
– Fastest “Time-to-Compliance”
No Downtime!
DATABASES CAN BE ACCESSED FROM THREE SOURCES:
1 From the network (Network Connection)
2 From the host (Local Connection)
3 From within the database (Intra-DB)
Diagram labels: Stored Proc., Trigger, View, Data, Shared Memory, DBMS Listener, SAP, Bequeath, DB Admins, Sys Admins, Programmers
Protect the Database Across ALL Threat Vectors, including intra-DB threats
McAfee DAM: Enterprise Deployment
Diagram: Sensors beside the DB instances (on the network, under ePO or in the cloud), the McAfee Database Security Server (software), a web-based admin console, and alerts / events
Reaction in Real-time
• Memory-based, Read-only Sensor is Close Enough to Intervene in Response to Threats
• Alerting via dashboard or other tools
• Session termination (via native DB APIs)
• User quarantine
• Firewall update via OPSEC
Only Solution for Virtualization/Cloud
• Virtualization
– Memory-based monitoring sees VM-to-VM traffic
– Efficient local rules processing
– Works well in a dynamic environment
• Cloud Computing
– Distributed model functions well even in WAN environments
– Automated provisioning and segregation of duties allows in-house monitoring of managed services
Diagram: cloud computing infrastructure with DB instances
Screen shot: Database Dashboard
Supported databases
• Oracle version 8.1.7 or later, running on Sun Solaris, IBM AIX, Linux, HP-UX, Microsoft Windows
• Teradata 12, 13, 13.1 and 14 on Linux
• MySQL 5.1 and 5.5 on Linux
• Microsoft SQL 2000, 2005, and 2008 on any supported Windows platform
• Sybase ASE 12.5 or later on all supported platforms
• IBM DB2 LUW 9.5 and 9.7
• IBM Mainframe / z/OS
McAfee Database Activity Monitoring
VIRTUAL PATCHING (vPatch)
Why Virtual Patching?
• Applying DBMS security patches is painful:
– Requires extensive testing and DB downtime
– Often results in business disruption
• Sometimes it's near impossible:
– 24/7/365 operations (one maintenance window per year)
– Heavily customized applications
– DBMS versions that are no longer supported by the vendor (e.g. 8i)
– Resources are limited
• Solution: Virtual Patching
– Protects against known and zero-day vulnerabilities without any downtime or code changes until you can patch
Patch Cycle
• Database Vendor Patch:
– Time between Report and Install: Months or Years
– Patches are published on a monthly or quarterly basis
– Multiple security fixes are collected in a single patch
Report: Reporting a vulnerability to the DB vendor. Analyze: Analysis done by the DB vendor. Patch: Security patch provided by the DB vendor. Install: Patch installed by the customer.
Diagram: Report → Analyze → Patch → Install
Patch Cycle
• Virtual Patching (by McAfee)
– Time between Report and Install: Days or Weeks
– vPatch updates are published whenever available
– Installing vPatch automatically or manually
– NO downtime of the Database
– 1 FIX = 1 vPatch rule
Report: Reporting a vulnerability to the McAfee Team. Analyze: Analysis done by the McAfee Team. Patch: vPatch rule provided by the McAfee Team. Install: vPatch rule installed by the customer (automatically/manually).
Diagram: Report → Analyze → Patch → Install, shown as several short repeating cycles
DEMO
McAfee Database Security