Data Security Solution - ETDA
Imperva Data Security
Garen LING
Regional Director, ASEAN
Company Overview
2 Proprietary and confidential. Do not distribute.
Our Mission
To protect your data and applications from ever-changing attacks of cyber criminals
Our Customers
• 5,200+ customers worldwide
• 325+ government agencies & departments
• 425+ Global 2000 companies
• 7 of the top 10 global telecommunications providers
• 3 of the top 5:
  • US commercial banks
  • global financial services firms
  • global computer hardware companies
  • global biotech companies
  • global diversified insurance services
A Leader for Five Years in a Row
2018 Gartner Magic Quadrant for Web Application Firewalls
A few key Imperva strengths that Gartner mentions:
• Flexible licensing for organizations with a mix of on-premises and cloud-hosted applications
• Imperva is one of the only vendors providing both WAF appliances and cloud WAF service
• Attack analytics provides unified monitoring
Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Ayal Tirosh, Claudio Neiva, August 2018
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
A Leader in The Forrester Wave™
DDoS Mitigation Solutions, Q4 2017
Top ranked in both current offering and strategy
Among the top ranked in scale and speed
Read the report to see why.
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Market Leadership
Prevoty cited as the only Leader in the RASP market. Forrester's research uncovered a market in which Prevoty leads the pack.
Why Data Security
“As the business becomes digital, security must become Data-Centric” – Forrester Research, 2018
Data security helps you mitigate risk most effectively.
Source: Breach Level Index, 2018
Cybercrime Monetizes on DATA
More Data in More Places: structured, unstructured, big data, cloud
More Apps are Available: web apps, customer portal, mobile apps, web services or APIs
More People Can Access It: knowledge workers, customers, contractors, privileged users
More Bad Actors
Cybercrime Monetization: data, apps and organizational assets are the targets of extortion and theft
• DDoS attacks
• Ransomware attacks
• Application attacks
• Insider Threats (compromised, careless, malicious)
Risks of a Data Breach
Credit card numbers are stolen, which results in monetary penalties and loss of market share, which results in criminal charges and civil lawsuits, which results in impact on the company's reputation.
An employee supplies a competitor with trade secrets, which results in the competitor bringing a new product to market first, which results in loss of market share and a revenue source, which results in a reduction in annual revenue and stock price.
The State of Data Breach Prevention
• 78% of CISOs are concerned that breaches go undetected [1]
• 19% of CISOs admit they are effective at breach prevention [3]
• Breach detection: on average it takes 206 days for a breach to be detected [2]
1. The Global CISO Study, ServiceNow, July 2017
2. Cost of Data Breach Study, Ponemon Institute, 2017
3. What CISOs Worry About in 2018, Ponemon Institute, January 2018
Why Detection is Difficult
• More legitimate data access.
• Incident overload and alert fatigue.
• Lack of skilled security professionals.
Insiders may be malicious, careless or compromised; mitigating the risk of a data breach requires addressing all three.
• Exactly WHO is accessing what data?
• Is the access OK?
• How do I respond QUICKLY if not?
What is Imperva Data Security?
Mitigate Risk of Data Breach
Business Benefits: Imperva Data Security
Before                               | After
2% of databases monitored            | 50% of databases monitored
0.25 FTE                             | 0.25 FTE
1,000 alerts per day                 | 15-30 alerts per day
1% of alerts investigated            | 100% of alerts investigated
0 significant incidents discovered   | 2 significant incidents discovered
RESULTS
• 25x more databases monitored
• Equivalent FTE
• 1000x reduction in rate of alerts
• 100x increase in alerts investigated
Improved effectiveness of data security without increased labor costs.
Data security lifecycle (diagram): Define (Discovery, Classification, Assessment) → Detect → Protect (Investigate, Block or Alert, Mask Data) → Executive Dashboard
Discovery and Assessment
Identify where your sensitive data is.
Benefits
• Discover unknown or rogue databases
• Gain visibility to where sensitive data lives
• Identify security blind spots that attackers can exploit
Key capabilities
• Automated, scheduled and on-demand scans
• Dictionary and pattern-matching classification methods
• 1,500+ pre-defined vulnerability tests
BREACHES ARE FOUND AT THE INTERSECTION OF USERS AND DATA
User attributes (diagram): user identity, user domain, user department, OS user, database user name, client IP, client port, client application, endpoint host name, server IP, file share IP
Data attributes (diagram): database name, schema, table name, SQL operation and type, affected rows, number of rows, data sensitivity, database error code, operation response time, server response time, file name, file path, file type, file operation
Data Activity Monitoring
Continuously monitor interactions with data.
Benefits
• Provides visibility into who is accessing what data and when
• Protects authorized data access, including privileged users and service accounts
• Streamlines compliance with data privacy and protection regulations
Key capabilities
• Pre-defined policies and simple configuration of custom policies
• Consistent policy and standardized reporting across diverse data environments
• Detects data access anomalies and creates real-time alerts
Data Risk Analytics
Detect the real threats to your data.
Benefits
• Distills millions of alerts to a handful of high-risk incidents
• Reduces volume of data sent to SIEM
• Prioritizes data threats for investigation
Key capabilities
• Creates a contextual baseline with user and data profiling
• Detects specific abusive and risky data activity with pre-configured algorithms
• Scores issues by risk level
Behavior: Develop a Baseline of User Data Access
Questions the baseline answers about each user of the customer database:
• Who is connecting to the database?
• How do they connect to the database?
• What data are they accessing?
• How much data do they query?
• When do they usually work?
• Do their peers access data in the same way?
Identifying Data Breaches Requires User and Data
Each risk pattern combines user context with data context (diagram):
• Suspicious Application Data Access: user identity, client IP, server IP, client app + database name, table name, data sensitivity, schema, SQL operation, SQL operation type
• Excessive Database Record Access: user identity, user department + database name, data sensitivity, table name, schema, number of rows, SQL operation
• Service Account Abuse: user identity, client IP, server IP, client app + database name, table name, SQL operation, SQL operation type
• Suspicious Dynamic SQL Activity: user identity, client IP, server IP, client app + database name, SQL operation, SQL operation type, query
• Suspicious File Access: user identity, user department + file operation, file path, file name, file type, file share name
Data Use Analytics vs. Typical UEBA
Protect and Respond
Stop risky or suspicious activity.
Benefits
• Contain data breaches
• Prevent unauthorized data access
• Streamline incident investigation
Key capabilities
• Defines policies to alert, block, quarantine or report on inappropriate data activity
• Explains incidents in plain language that security teams understand
• Masks sensitive data with fictional but realistic data
Continuously Mitigate Breach Risk
Continuous cycle (diagram): Discover & Assess → Monitor → Detect → Protect & Respond, across relational databases, big data, mainframe, Amazon RDS & Azure.
© 2018 Imperva, Inc. All rights reserved.
Example 1: A Support Engineer Selects and Updates Credit Card Data
Suspicious Application Data Access
• John Smith is an Applications Support Engineer per his Active Directory record.
• A number of incidents were detected around John's interaction with company data.
• Here we focus on one of these that stood out.
INCIDENT DESCRIPTION: John was identified as directly accessing business data (cc info) that should normally only be accessed via an application.
A number of service accounts (applications) are typically used to access this data. CounterBreach flagged a human touching this data.
Example 2: A Developer Accesses Volumes of Production Data
Suspicious Application Data Access
• Laura Smith is a Principal Developer and a member of the Engineering Group per her Active Directory record.
• Laura should only be working within the database Dev environment and with non-production databases and data-sets.
INCIDENT DESCRIPTION: Laura retrieves in excess of 11.6 million records from a production database using ‘microsoft sql server management studio’, which is abnormally high. Usually two specific applications access these records directly.
Example 3: A Contractor Accesses an Excessive Number of Databases
Example of a Database Incident
• The user attempted to access 29 different DBs over a short period of time.
• Prioritize what matters the most.
• Interpret the security incident in plain language.
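As an added example that is not part of the original deck, here is a small Python model of the behavior-baseline idea behind the three examples above: it learns from constructed historical audit records which accounts normally touch each sensitive table and how many rows they retrieve, then flags a human using a query tool on application-only data, an abnormally large retrieval, and one account touching many databases in a short window. All event fields, thresholds and sample records are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit record (not from the deck): one row per database operation,
# carrying the user-side and data-side fields the deck's "user + data" slide lists.
@dataclass(frozen=True)
class Event:
    ts: int           # minutes since start of day
    user: str         # database / user identity
    client_app: str   # application or query tool that issued the operation
    database: str
    table: str
    sensitive: bool   # result of data classification
    rows: int         # rows returned or affected

# Interactive query tools: a human at a keyboard rather than an application.
QUERY_TOOLS = {"sql server management studio", "aqua data studio"}

def build_baseline(history):
    """Learn which accounts normally touch each sensitive table and its largest retrieval."""
    accessors, max_rows = defaultdict(set), defaultdict(int)
    for e in history:
        if e.sensitive:
            accessors[e.table].add(e.user)
        max_rows[e.table] = max(max_rows[e.table], e.rows)
    return accessors, max_rows

def detect(baseline, events, row_factor=10, db_limit=5, window=60):
    """Apply three of the deck's risk patterns to new events; thresholds are assumed."""
    accessors, max_rows = baseline
    incidents, dbs_by_user = [], defaultdict(list)
    for e in events:
        # 1. Suspicious application data access: a human using a query tool reaches
        #    a sensitive table that only applications / service accounts normally touch.
        if e.sensitive and e.client_app in QUERY_TOOLS and e.user not in accessors[e.table]:
            incidents.append(("suspicious_application_data_access", e.user, e.table))
        # 2. Excessive database record access: far more rows than the learned maximum.
        if max_rows[e.table] and e.rows > row_factor * max_rows[e.table]:
            incidents.append(("excessive_record_access", e.user, e.table))
        # 3. Excessive multiple database access: many distinct DBs in a short window.
        dbs_by_user[e.user].append((e.ts, e.database))
        recent = {db for ts, db in dbs_by_user[e.user] if e.ts - ts <= window}
        flag = ("excessive_database_access", e.user, None)
        if len(recent) > db_limit and flag not in incidents:
            incidents.append(flag)
    return incidents

# Constructed sample: learned normal behaviour, then one day's activity that mirrors
# the deck's three examples (support engineer, developer, contractor).
HISTORY = [
    Event(0, "crm_app", "crm app", "prod", "customer_credit", True, 300),
    Event(5, "trading_app", ".net trading app", "prod", "customer_credit", True, 150),
    Event(9, "hr_app", "hrms app", "prod", "payroll", True, 50),
]
TODAY = [
    Event(100, "jsmith", "sql server management studio", "prod", "customer_credit", True, 20),
    Event(110, "lsmith", "sql server management studio", "prod", "payroll", True, 11_600_000),
] + [Event(120 + i, "contractor", "aqua data studio", f"db{i}", "config", False, 1) for i in range(6)]

def run_demo():
    return detect(build_baseline(HISTORY), TODAY)
```

Running `run_demo()` yields one incident for the support engineer, two for the developer (human access plus volume) and one for the contractor, while replaying the baseline records through `detect` raises nothing.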
Platform overview (diagram; on-prem, hybrid, cloud): data, APIs and apps sit between two populations.
• Outside the organization: partners, customers, contractors, bad bots, hackers
• Inside the organization: trusted and privileged users, who may be malicious, careless or compromised
• Secure App Delivery: CDN, load balancing, WAF, RASP, DDoS, bot protections
• Data Security & Compliance: visibility, policies, reporting, monitoring, blocking, masking
• Attack Analytics and Data Risk Analytics, with output to the SIEM
Proven Solution
Imperva Data Security has won the 2019 Best Database Security Solution award.
“I don't worry about whether something is getting past us anymore. Imperva's analytics engine looks at usage and patterns of usage to help us focus our time on what matters most.” -- Director of Information Security and Data Protection, a large healthcare organization in the United States
Imperva Data Security
• Identify the most critical threats to your data.
• Improve breach detection effectiveness without increasing labor cost.
• Provide visibility into your data environment.
• Comply with various data privacy and protection regulations.
Who consumes the cake? Finance, Management, HR, IT: the cake is the DATA!!!
Why not put a cover over the cake?
You Just Need to Monitor the Cover Now!
Key Advantage: Automate Service ID Learning Behavior
Many man-hours saved!
Look out for suspicious SQL activities. How?
Practical use-case applications using DB Firewall
Project                              | Goal
Sensitive data audit                 | Streamline audit for security and compliance purposes
Privileged user monitoring           | Enforce separation of duties; monitor all activity, including local DB server access; block if necessary
Data theft prevention                | Protect sensitive data; prevent the loss of sensitive data
Data across borders                  | International privacy regulations limit what data can be accessed by users outside the borders defined by the regulation
Change reconciliation                | Show the compliance auditors that changes to the database could be traced to approved change tickets
Malware and targeted attack use case | Detect when a privileged user account has been compromised and is being used in an attack
VIP data privacy                     | Maintain strict access control on highly sensitive company data, including data stored in core systems
Ethical walls                        | Maintain strict separation between business groups within a larger organization, to comply with M&A requirements, government clearance, …
Secure audit trail archiving         | Secure the audit trail from tampering, modification, or deletion
Imperva DB Security Business Outcome – Audit, Machine Learning & UBA
Satisfies audit requirements
• IM8, MAS TRM, PCI, ISO27001, SOX, etc.
Solves the security audit review problem
• No policies required
• Imperva understands data context: no need to understand data types
Solves the manpower & skillset problem
• CounterBreach: machine learning & user behavior analytics built in
• Unsupervised learning; no expensive data modeling required
• Fast time-to-value, high degree of accuracy
SQL risk patterns detected:
• Service Account Abuse
• Suspicious Application Data Abuse
• Machine Takeover
• Excessive Database or File Access
• Suspicious Dynamic SQL Activity
• Data Access Outside of Working Hours
• Excessive Failed Logins by User
• Excessive Failed Logins from App Server
• Suspicious File Access by User
Success story 1: Large Investment Firm in ASEAN
Typical behavior: 191 investment agents work through applications (.NET trading app, CRM app, Email app, Autofax) that connect to the database (CRM, Payroll, Trading, HR) using the privileged account “sa”.
Incident: interactive user “Liana” connected with the query tool “MSSQL Studio” using the privileged account “sa” and retrieved 600K rows from TradingTransaction, Payroll and Customer_credit.
• The “sa” account was widely abused and misused in this environment.
• The “normal behavior” in this environment was learnt; sensitive tables are usually accessed by apps only.
• The DBA abused the sa rights and accessed sensitive tables.
Success story 2: Large Bank in ASEAN
Typical behavior: the application “.net sqlclient” accesses the “payroll” and “hrms” database tables.
Incident: interactive user “Rick” connected with the query tool “Aqua Data Studio” using his personal DB account “domain/rick” and retrieved 38K rows.
• Interactive user retrieves 38k rows from payroll & hrms tables
• Direct access using a DB query tool, not the app account
• Flagged as a possible attempt to access sensitive data
• What happened? A data patching exercise the security team didn't even know about
• Could have been a real data breach, since they were not aware of what's happening
Also flagged: decommissioned app, PCI service account pci_svc, daily failed login at 2am.
Success story 3: Top 20 Global University
Typical behavior: authorized users and the application “hrP” access the sensitive table “psxjyua25”.
Incident: interactive user “Tyler” connected with the query tool “MS SQL Server Mgmt Studio” using his personal DB account “domain/tyler” and accessed that table.
• Unauthorized access to a large quantity of data flagged as sensitive by CounterBreach
• Investigation shows that this data wasn't accessed by this user before
• DBA confirmed that the flagged table is a finance table in Peoplesoft
• Human review might never have picked this table up as sensitive
How Imperva DAM solves the problem (diagram): DB server farms with Imperva agents feed real-time DB activities to the Imperva Data Collection & Analytics Engine. Surrounding elements: DB hardening assessment; sensitive DB data definition; governance policies; DB auditing and compliance reporting (meeting audit requirements); forensics; real-time security alert & block; Imperva Automation Layer with service ID behavior profiling, machine learning, historical data analysis and long-term data retention.
Imperva SecureSphere DAM/DBF & CounterBreach Logical Architecture (diagram)
• Data sources: DB servers with DB agents (including DB/400, AWS RDS Oracle, AWS RDS PostgreSQL); direct user access (DBA); business application traffic via web server and middleware server (SQL)
• Collection: Imperva Gateway Cluster (N+1) with active and passive gateways receiving real-time DB audit activities; Events Platform (EX)
• Management: Management Server (MX), operated by the SecureSphere Administrator through a web browser (admin, management, analysis, data collection, access)
• Long-term storage: NAS or SAN or NFS/CIFS file share holding audit data, online audit and config backup; weekly MX export backup
• Third-party IT ecosystems: LDAP, ticketing, SIEM, integrated via Syslog/LDAP/SQL/SOAP/SMTP/SNMP/scripts and Syslog/SNMP
• Imperva CounterBreach (CB): CB Analytics Server (learn & detect) and CB Admin Server; receives a daily CounterBreach audit archive (SCP) and sends incidents/anomalies
SecureSphere logs are copied over to CounterBreach. The product will not interfere with existing SecureSphere deployments.
Supported Databases
Database          | Supported DB
Azure SQL Service | MS-SQL 2016, 2017