McAfee Database Security. Sagena Security Day, 6 September 2012 (slide deck dated September 20, 2012). Franz Hüll, Senior Security Consultant
Agenda: overview of database security; DB security from McAfee (Sentrigo); VMD, McAfee Vulnerability Manager for Databases; DSS, McAfee Database Security Scanner; DAM, McAfee Database Activity Monitoring; VPT, Virtual Patching; Demo; Q&A
Database Security and the Enterprise. Databases power the largest applications in the world. Customers store their most critical and sensitive data in databases; any loss, interruption, or breach could be disastrous. Any vulnerability, misconfiguration or exploitation means non-compliance at audit time (HIPAA, SOX, PCI, etc.).
Securing your databases can be very challenging without the right solution. "I'm not even sure where all my databases are, or how securely they are configured." "We have limited visibility or controls over actual activity in our databases, especially by privileged users." "My auditors require logs showing exactly who made changes to certain data, but some of our applications connect directly to the database so I don't always know who issued commands." "Many of our applications are running on top of databases that are too critical to take down, or on ones that the DBMS vendor doesn't even release patches for anymore."
The Reality Is: database servers are involved in 25% of all breaches and account for 92% of all records breached. Source: Verizon Business Study 2010
Databases Contain Your Crown Jewels: customer records and PII (credit card numbers, account numbers, billing information, authentication data); employee information (SSNs, salary, reviews); financial data and IP (revenue, receivables, research).
Need to be Compliant. Regulations require sensitive data be handled securely: PCI DSS, Sarbanes-Oxley, HIPAA, SAS 70, GLBA, and other industry-specific regulations. Breach notification laws increase visibility: originally CA SB1386, now in 46 states and widely adopted worldwide; the U.S. House passed HR 2221 in December, the Senate has 2 bills on the floor now; EU legislation expected. Internal IT governance dictates process: timely installation of patches; segregation of duties.
Why Isn't My Database Secure? Technology: accessed constantly by multiple applications and users; impossible to lock down without impacting accessibility; vulnerable to SQL injection and buffer overflows. Process: patches (e.g. Oracle Critical Patch Updates, CPUs) not applied in a timely manner; weak implementation practices (default/shared passwords, etc.). People: accessed by DBAs, sys admins, programmers.
DB Security: The Products

McAfee Product                                      Target Audience                                              ePO Integration
McAfee Vulnerability Manager for Databases (VMD)    Enterprise, Government, SMB
McAfee Database Security Scanner (DSS)              Enterprise, Government, SMB, Consultants, Auditors, (DBAs)
McAfee Database Activity Monitoring (DAM)           Enterprise, Government, SMB                                  in progress
McAfee vPatch for Databases (VPT)                   Enterprise, Government, SMB                                  in progress
McAfee Database User Identifier                     Enterprise, Government, SMB
McAfee Vulnerability Manager for Databases McAfee Database Security Scanner VULNERABILITY ASSESSMENT
Where are the databases? You know about: production databases, your most important databases, enterprise databases, HA databases. But do you know all of the other databases as well? Test databases, temporary databases, databases used during migrations or recovery, project databases, developer databases, databases coupled with an application. ALL of them can contain sensitive data!
Where are the databases? The built-in McAfee Network Database Scanner helps you find all of these databases by scanning the network: IP address (range or list), database listener port (default and non-default), SID, database vendor. ALL of them can contain sensitive data!
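The discovery step described above, as an added example written for this page (it is not McAfee's scanner code): it expands an address range or list, TCP-probes the default listener ports of the vendors the deck lists (site-specific non-default ports are passed in by the caller), and labels whatever answers. The port table, the function names and the single-host demo are this example's own assumptions; Oracle SID enumeration, which needs the TNS protocol, is deliberately not attempted.

```python
"""Network database discovery (added example, not McAfee's scanner code)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Default listener port per vendor. Assumption: any non-default ports used at
# a site are passed to discover() explicitly, as the slide's "other" ports.
DEFAULT_DB_PORTS = {
    1521: "Oracle (TNS listener)",
    1433: "Microsoft SQL Server",
    3306: "MySQL",
    5432: "PostgreSQL",
    50000: "IBM DB2 LUW",
    5000: "Sybase ASE",
}


def expand_targets(spec):
    """Turn '10.0.1.0/30', '10.0.1.5-10.0.1.7' or '10.0.1.9' into host strings."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        hosts = list(net.hosts()) or [net.network_address]
        return [str(h) for h in hosts]
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError("range end precedes range start: " + spec)
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.ip_address(spec))]


def classify_port(port, ports=None):
    """Vendor label for a port: the default table plus any site-specific ports."""
    table = dict(DEFAULT_DB_PORTS)
    table.update(ports or {})
    return table.get(port, "unknown listener")


def probe(host, port, timeout=0.5):
    """True when a TCP handshake completes; the connection is closed at once."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover(targets, ports=None, timeout=0.5, workers=64, probe_fn=probe):
    """Scan every host in `targets` for every port in `ports` (port -> label).

    Returns [(host, port, label)] for listeners that accept a connection.
    `probe_fn` is injectable so the logic can be exercised without a network.
    """
    ports = dict(ports) if ports else dict(DEFAULT_DB_PORTS)
    hosts = [h for spec in targets for h in expand_targets(spec)]
    jobs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(lambda hp: probe_fn(hp[0], hp[1], timeout), jobs))
    return [(h, p, classify_port(p, ports))
            for (h, p), is_open in zip(jobs, answers) if is_open]


if __name__ == "__main__":
    # Scans the local host only; widen the targets for a real inventory sweep.
    for host, port, label in discover(["127.0.0.1"], timeout=0.2):
        print(f"{host}:{port}  {label}")
```

A TCP connect only proves that something listens; the follow-up in a real inventory is a vendor-specific handshake (and, for Oracle, an SID probe) to confirm what it is before it goes on the list of databases to assess.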
About Vulnerability Manager for Databases: over 4,300 vulnerability checks, covering patch levels, weak passwords, configuration baselining, backdoor detection, sensitive data discovery (PII, SSN, etc.), vulnerable PL/SQL code, unused features, and custom checks.
Best-in-class Vulnerability Assessment for DBs. Built on deep practical security knowledge: developed with Alexander Kornbrust of Red Database Security, one of the top authorities on database protection; not simply based on DBMS vendors' "security guidelines". Provides practical remedy advice and solutions: tests and reports on real issues (vs. lengthy unreadable reports); prioritized results include fix scripts and expert recommendations. Enterprise ready: centralized reporting for up to thousands of DB instances; easy automation and integration with other products; different roles and outputs for dissimilar stakeholders (DBAs, developers, IT Security).
Test structure (slide diagram: Test, Test Group, Scan). Individual tests (e.g. "ALTER USER not audited", "SYSTEM has default password", a custom single test) roll up into about 20 test groups (e.g. AUDIT, Data Discovery, PATCH Information, Custom Test); a VA scan (e.g. "VA Scan #1") runs a selection of test groups. More than 4,300 tests in total.
Vulnerability Scanner for Databases (v4.5), architecture diagram: the scanner connects to the databases over the network (SQL-Connect), including cloud-hosted databases, and integrates with ePO 4.6.
Database Browser (screen shot)
Management summary report (screen shot)
Supported databases: Oracle 8i and up; MS SQL 2000 and up; DB2 (LUW) 8.1 and up; MySQL 4.0 and up; PostgreSQL 8.3 and up; Sybase ASE 12.5 and up; SQL Azure.
McAfee Database Activity Monitoring (DAM) TRUSTED AUDIT AND REAL-TIME INTRUSION PREVENTION
Fundamental Principles. Protection from the inside out: more effective, more efficient, a better fit with today's IT environment. Lower cost and complexity of implementation: software-only solution; easy to download, evaluate, and buy. Fastest time-to-compliance: no downtime!
Protect the Database Across ALL Threat Vectors. Databases can be accessed from three sources, by DB admins, sys admins and programmers: (1) from the network, via a network connection through the listener (e.g. an SAP application server); (2) from the host, via a local connection that bypasses the listener (Oracle bequeath connections, DBMS shared memory); (3) from within the database (intra-DB), via stored procedures, triggers and views acting on the data. Host-local and intra-DB access never crosses the wire, so a network-only monitor does not see it.
McAfee DAM: Enterprise Deployment (diagram). A sensor runs on each database host, including cloud-hosted databases, and sends alerts/events over the network to the McAfee Database Security Server (software), which is managed through a web-based admin console and integrated with ePO.
Reaction in Real-time. The memory-based, read-only sensor is close enough to intervene in response to threats: alerting via dashboard or other tools; session termination (via native DB APIs); user quarantine; firewall update via OPSEC.
Only Solution for Virtualization/Cloud. Virtualization: memory-based monitoring sees VM-to-VM traffic; efficient local rules processing; works well in a dynamic environment. Cloud computing: the distributed model functions well even in WAN environments; automated provisioning and segregation of duties allow in-house monitoring of managed services (cloud computing infrastructure diagram).
Database Dashboard
Supported databases: Oracle version 8.1.7 or later, running on Sun Solaris, IBM AIX, Linux, HP-UX, Microsoft Windows; Teradata 12, 13, 13.1 and 14 on Linux; MySQL 5.1 and 5.5 on Linux; Microsoft SQL 2000, 2005, and 2008 on any supported Windows platform; Sybase ASE 12.5 or later on all supported platforms; IBM DB2 LUW 9.5 and 9.7; IBM mainframe / z/OS.
McAfee Database Activity Monitoring VIRTUAL PATCHING vpatch
Why Virtual Patching? Applying DBMS security patches is painful: it requires extensive testing and database downtime, and often results in business disruption. Sometimes it is near impossible: 24/7/365 operations (one maintenance window per year); heavily customized applications; DBMS versions that are no longer supported by the vendor (e.g. Oracle 8i); limited resources. Solution: virtual patching protects against known and zero-day vulnerabilities without any downtime or code changes until you can patch.
Patch Cycle, database vendor patch: Report, Analyze, Patch, Install. Report: a vulnerability is reported to the DB vendor. Analyze: the analysis is done by the DB vendor. Patch: the DB vendor provides a security patch. Install: the customer installs the patch. Time between Report and Install: months or years. Patches are published on a monthly or quarterly basis, and multiple security fixes are collected in a single patch.
Patch Cycle, virtual patching (by McAfee): the same Report, Analyze, Patch, Install cycle runs independently, and repeatedly, for each fix. Report: a vulnerability is reported to the McAfee team. Analyze: the analysis is done by the McAfee team. Patch: the McAfee team provides a vPatch rule. Install: the customer installs the vPatch rule (automatically or manually). Time between Report and Install: days or weeks. vPatch updates are published whenever available; 1 fix = 1 vPatch rule; NO downtime of the database.
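The "1 fix = 1 vPatch rule" model above, and the real-time reactions listed earlier (alerting, session termination via native DB APIs), as an added example written for this page rather than McAfee's sensor or rule code: every observed statement is run through a list of rules, each rule carrying its own action, and a "terminate" verdict is turned into Oracle's native ALTER SYSTEM KILL SESSION statement. The event fields, the three rules, the host allowlist and the injection-shaped signature are this example's assumptions and are not McAfee rules; the sample events are constructed.

```python
"""Activity-monitoring rule engine (added example, not McAfee sensor code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One statement seen by the sensor. Field names are this example's own."""
    sid: int
    serial: int
    user: str
    program: str
    host: str
    sql: str


@dataclass(frozen=True)
class Rule:
    name: str
    predicate: Callable[[Event], bool]
    action: str  # "alert" (notify only) or "terminate" (alert and kill session)


def normalise(sql: str) -> str:
    return re.sub(r"\s+", " ", sql).strip().upper()


DDL_RE = re.compile(r"^(ALTER|CREATE|DROP|GRANT|REVOKE)\b")
# Illustrative vPatch-style signature (assumption, not a real McAfee rule):
# a string literal handed to a procedure that itself carries DDL, which is the
# shape of a PL/SQL injection payload rather than of legitimate input.
INJECTED_DDL_RE = re.compile(r"'[^']*\b(GRANT|ALTER|CREATE|DROP)\b[^']*'")

PRIVILEGED = {"SYS", "SYSTEM"}
ADMIN_TOOLS = {"SQLPLUS", "SQLDEVELOPER"}
# Assumed allowlist: hosts each application account may connect from.
APP_HOSTS = {"APPUSER": {"app01.example.com", "app02.example.com"}}

RULES: List[Rule] = [
    Rule("privileged DDL outside admin tool",
         lambda e: e.user.upper() in PRIVILEGED
         and DDL_RE.match(normalise(e.sql)) is not None
         and e.program.upper() not in ADMIN_TOOLS,
         "alert"),
    Rule("vpatch: DDL inside string literal (injection shape)",
         lambda e: INJECTED_DDL_RE.search(normalise(e.sql)) is not None,
         "terminate"),
    Rule("application account from unapproved host",
         lambda e: e.user.upper() in APP_HOSTS
         and e.host not in APP_HOSTS[e.user.upper()],
         "terminate"),
]


def kill_session_sql(e: Event) -> str:
    """Oracle's native API for ending a session: the sensor issues this
    through a DB connection rather than sitting inline on the wire."""
    return f"ALTER SYSTEM KILL SESSION '{e.sid},{e.serial}' IMMEDIATE"


def evaluate(events, rules=RULES) -> List[Tuple[int, str, str, Optional[str]]]:
    """Return (sid, rule name, action, remediation SQL or None) per hit."""
    findings = []
    for e in events:
        for r in rules:
            if r.predicate(e):
                remedy = kill_session_sql(e) if r.action == "terminate" else None
                findings.append((e.sid, r.name, r.action, remedy))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    Event(41, 1003, "APPUSER", "JDBC Thin Client", "app01.example.com",
          "SELECT id, total FROM orders WHERE id = :1"),
    Event(42, 2210, "SYSTEM", "EXCEL.EXE", "laptop-17.corp",
          "ALTER USER appuser IDENTIFIED BY x"),
    Event(43, 77, "SCOTT", "sqlplus", "dev3.corp",
          "BEGIN some_pkg.run('x'' ; GRANT DBA TO scott--'); END;"),
    Event(44, 5, "APPUSER", "JDBC Thin Client", "laptop-17.corp",
          "SELECT card_no FROM customers"),
]

if __name__ == "__main__":
    for sid, name, action, remedy in evaluate(SAMPLE_EVENTS):
        print(f"session {sid}: {name} -> {action}" + (f" [{remedy}]" if remedy else ""))
```

The point of the signature rule is that it fires on the shape of the statement, not on a patched binary, which is why it can be shipped and loaded without restarting the database; it is also why a signature is a stopgap rather than a fix, and the vendor patch still has to follow.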
McAfee Database Security DEMO