The digital world relies on data, which because of its considerable value, is constantly targeted by skilled cybercriminals who have spent years developing methods and tools to gain access to even the most secure databases.
Never mind those databases whose owners only pay lip service to security.
Traditional security approaches that focus on network perimeters are no longer sufficient in today's evolving threat landscape. With the rise of ransomware, phishing, botnets, and insider threats, organizations need to shift towards a data-centric security approach.
Technology alone will not reduce your risk of database compromise. A complete program incorporates people, processes, and technology. Instituting a proven methodology and identifying the individuals directly responsible for delivering on the program objectives will prevent the over-extension of resources, which can include personnel, IT infrastructure, business operations, application integrity, budget, or political capital.
Determining and establishing the appropriate policies, roles, accountability, workflow, mitigations, reporting, and ongoing management will set all stakeholders on a course to achieve your program goals.
1. Define a database security program with actionable processes
A plan is the key to success. With all stakeholders at the table, create a project team who can identify your existing processes, people, and technologies to help drive the rapid development of your template model. This project team will also define the scope and phases of implementation and identify any gaps in people, process, or technology.
2. Clarify the scope of your program through database discovery and inventory
You need to know where your data resides in order to protect it. Do you currently have a single “source of truth” that can identify all the databases across your entire enterprise environment? An accurate inventory of database instances in your environment is a critical step in establishing a holistic and effective database security program.
It only takes one unpatched, rogue database on the network or in your cloud environment to potentially expose your organization to unchecked, malicious activity.
Application developers often complicate matters by “temporarily” copying production data to development systems to test their latest software builds. More often than not, this data is stored on an unprotected (and many times unpatched) system outside the normal scope of compliance and security controls.
You need an accurate inventory of all databases (production and non-production) in your infrastructure both on premises and in the cloud in order to identify, classify and prioritize systems that require attention. A baseline inventory of your database systems will also help you identify which systems should be considered in scope for your security and compliance policies.
3. Define security standards and compliance policies
Managing policy is a continuous process. Without defined policies and standards to conform to, an organization cannot measure compliance or progress against benchmarks.
In our work, we find that while many organizations have developed corporate policies for data security, those policies are rarely mapped to the systems that store data—the databases themselves.
Database vendors rarely enforce more than the most obvious weaknesses in the out-of-the-box installations of their platforms. When database security weaknesses are remediated, more often than not, it’s a reaction to an incident rather than a proactive response to a standard or policy. When vendors do patch vulnerabilities or ship new versions of software, an organization needs to review policies to ensure they account for new and updated configurations and settings.
4. Conduct vulnerability and configuration assessments
Many organizations need to demonstrate compliance with more than one set of business, security, or regulatory policies.
Since databases are often an organization’s largest repository of sensitive data, they usually fall into scope for regulatory compliance and the inevitable IT audit. Databases may need evaluation to ensure they fulfill any number of standards and requirements, such as: FISMA, DISA-STIG, CIS, GDPR, PDPA, APRA CPS 234, and more.
To demonstrate effective controls surrounding sensitive data, organizations will need to run a baseline assessment and establish a practice of continuous assessment to ensure issues are remediated in a timely manner.
The US Department of Homeland Security (DHS) established an excellent example of this process with its Continuous Diagnostics and Mitigation (CDM) mandate. The DHS established standards for database security requiring the scanning of databases at an acceptable frequency to ensure they remain compliant with the vulnerability assessment policy.
5. Identify excessively privileged user accounts
One particularly challenging question for many organizations is, “Who has access to my sensitive data?” Many database scanning technologies can not only identify vulnerabilities and misconfigurations, but also users, roles, and privileges.
The only way to establish meaningful controls that track how users interact with the data, or to capture an audit trail for use in a breach investigation, is to know who has access to what data and why/how they’ve been granted that access. For example, you might not be comfortable with the amount of employee and customer data your HR department’s summer intern is capable of accessing.
Your journey to database security can start today, click the image above.
6. Implement risk mitigation and compensating controls
Remediating high-risk vulnerabilities and misconfigurations within your database will not only reduce your risk of compromise, but it also narrows the scope of any required compensating controls, such as exploit monitoring (e.g., Intrusion Detection).
Digital Asset Management can also be an appropriate compensating control for vulnerabilities you cannot remediate or patch in a timely manner. Using data analytics to associate risk scores with the results/findings of your vulnerability assessment will help identify your most exposed systems or groups. You can then focus your efforts where you stand to make the most impact (i.e., reduce the most risk).
7. Establish acceptable user and user activity policies
A number of technologies facilitate user profiling, with database auditing being one method. If you currently perform database auditing, you probably have a means of identifying which user accounts have high levels of database privileges. However, as duties change, new employees join the organization and others leave, regular evaluation of database account privileges become more important.
Such an assessment should also identify unauthorized accounts or those with excessive privileges. Many native database platforms include profiling tools. The best practice is to verify the existence of any native auditing or profiling capabilities, and request access to any related information.
8. Audit privileged user behavior in real-time
DAM is a class of technologies that allows you to collect a forensic audit trail of all privileged activities in a database. Many compliance regulations require tracking of structural changes in your information, which means auditing privileged (administrative) activity, not just the actions of known privileged users.
9. Deploy policy-based activity monitoring
Working in tandem with database audit logging technologies, your DAM security and compliance policies should trigger alerts when activity that violates those policies is detected.
Every database is different and supports a different application. Policies should be customized to support the different environments and different database accounts. To increase the time to detection of any suspicious activity, behavioral models should be used in conjunction with policies. Behavioral models can trigger anomalies of suspicious logins or when accounts access data beyond their normal data access patterns.
As part of our pragmatic approach to database security, we recommend the definition of a policy-based monitoring methodology that meets an organization’s specific security and audit requirements.
A policy-based DAM solution utilizes vulnerability, configuration, and user data, unified by a comprehensive vulnerability and threat intelligence knowledgebase, to produce accurate, efficient monitoring policies resulting in a much more manageable set of actionable security and compliance alerts.
10. Detect, alert, and respond to policy violations in real time
Most real-time DAM solutions can send alert messages in a variety of formats so that operations center personnel can take action when a security violation is identified. Many organizations then choose to feed these events into a SIEM or network management tool if/when suspicious or malicious activity is detected.
Depending on the policy violation and the sensitivity of the affected system or data, automated and scripted responses (“active responses”) can contain the threat and give the security team time to investigate and take corrective action.
Examples of active responses may include: terminating the user session, locking out the offending user account and triggering a database vulnerability/configuration scan, and/or an antimalware scan of the database host.
To fit the output of the DAM data into your security infrastructure and IT operational ecosystem, it is important to have a proper reporting system in place. This should be integrated into the overall operational model of your organization.
As you continue to design and refine your database security program, you will gain a better understanding of the data you need and how to distribute it effectively.
It is recommended to integrate your database security program with a centralized security solution, as this will streamline the design and planning phases. However, it is crucial to collaborate with all of your data-consumer communities before taking any detailed integration steps, as this could potentially add extra work if not agreed upon and planned carefully beforehand.
