McAfee Database Security Sagena Security Day 6 September 2012 September 20, 2012 Franz Hüll Senior Security Consultant

McAfee Database Security

Sagena Security Day 6 September 2012

September 20, 2012

Franz Hüll, Senior Security Consultant

Agenda

• Overview database security

• DB security from McAfee (Sentrigo)

  • VMD: McAfee Vulnerability Manager for Databases
  • DSS: McAfee Database Security Scanner
  • DAM: McAfee Database Activity Monitoring
  • VPT: Virtual Patching

• Demo

• Q&A

Database Security and the Enterprise

Databases power the largest applications in the world

Customers store their most critical and sensitive data in databases; any loss, interruption, or breach could be disastrous

Any vulnerability, misconfiguration or exploitation means non-compliance with audits (HIPAA, SOX, PCI, etc.)

Securing your databases can be very challenging without the right solution

“We have limited visibility or controls over actual activity in our databases, especially by privileged users.”

“I’m not even sure where all my databases are, or how securely they are configured…”

“Many of our applications are running on top of databases that are too critical to take down, or on ones that the DBMS vendor doesn’t even release patches for anymore.”

“My auditors require logs showing exactly who made changes to certain data, but some of our applications connect directly to the database so I don’t always know who issued commands.”

The Reality Is…

Database servers are involved in 25% of all breaches

Database breaches account for 92% of all records breached

Source: Verizon Business Study 2010

Databases Contain Your Crown Jewels

Customer Records and PII

• Credit card numbers, account numbers, billing information, authentication data

Employee Information

• SSNs, salary, reviews

Financial Data and IP

• Revenue, receivables, research

Need to be Compliant

• Regulations require sensitive data be handled securely
  • PCI DSS, Sarbanes-Oxley, HIPAA, SAS 70, GLBA, and other industry-specific regulations

• Breach Notification Laws Increase Visibility
  • Originally CA SB1386, now in 46 states and widely adopted worldwide
  • U.S. House passed HR 2221 in December, Senate has 2 bills on the floor now
  • EU legislation expected

• Internal IT Governance Dictates Process
  • Timely installation of patches
  • Segregation of Duties

Why Isn’t My Database Secure?

• Technology
  • Accessed constantly by multiple applications, users
  • Impossible to lock down without impacting accessibility
  • Vulnerable (SQL injection, buffer overflow)

• Process
  • Patches (i.e. Oracle CPU) not applied in timely manner
  • Implementation practices (default/shared passwords, etc.)

• People
  • Accessed by DBAs, Sys Admins, programmers…

DB Security - The Products

| McAfee Product | Target Audience | ePO Integration |
| MFE Vulnerability Manager for Databases (VMD) | Enterprise, Government, SMB | |
| McAfee Database Security Scanner (DSS) | Enterprise, Government, SMB, Consultants, Auditors, (DBA’s) | |
| McAfee Database Activity Monitoring (DBM) | Enterprise, Government, SMB | in progress |
| McAfee vPatch for Databases (VPT) | Enterprise, Government, SMB | in progress |
| McAfee Database User IDentifier | Enterprise, Government, SMB | |

VULNERABILITY ASSESSMENT

McAfee Vulnerability Manager for Databases

McAfee Database Security Scanner

Where are the databases?

Knowledge about:
• Production databases
• Most important databases
• Enterprise databases
• HA databases

But do you know all of the other databases as well?
• Test databases
• Temporary databases
• Databases used during migrations or recovery
• Project databases
• Developer databases
• Databases coupled with an application

ALL of them can contain sensitive data!

Where are the databases?

The McAfee built-in Network Database Scanner helps you find all these databases

Scanning the network
• IP Address (Range/List)
• Database Listener Port (Default and other)
• SID
• Database Vendor

ALL of them can contain sensitive data!

About Vulnerability Manager for Databases

• Over 4,300 vulnerability checks
  – Patch levels
  – Weak passwords
  – Configuration baselining
  – Backdoor detection
  – Sensitive data discovery (PII, SSN, etc.)
  – Vulnerable PL/SQL code
  – Unused features
  – Custom checks

Best-in-class Vulnerability Assessment for DBs

• Built on deep practical security knowledge
  – Developed with Alexander Kornbrust of Red Database Security, one of the top authorities on database protection
  – Not simply based on DBMS vendors' "security guidelines"

• Provide practical remedy advice / solutions
  – Test and report on real issues (vs. lengthy unreadable reports)
  – Prioritized results include fix scripts and expert recommendations

• Enterprise Ready
  – Centralized reporting for up to thousands of db instances
  – Allow easy automation & integration with other products
  – Create different roles / outputs for dissimilar stakeholders (DBAs, developers, IT Security)

Test - Test Group - Scan

[Diagram: Single Test, Test Group, VA Scan. Labels shown: "About 20", "> 4,300", AUDIT, Custom, Data Discovery, PATCH Information, "ALTER USER not audited", "SYSTEM has default password", Custom Test, VA Scan #1]

Vulnerability Scanner for Databases (v4.5)

[Diagram: Connectivity to Databases (SQL-Connect). Labels shown: ePO (≥4.6), Cloud, Network, DB]

Database Browser screen shot

Management summary report screen shot

Supported databases

• Oracle 8i and up
• MS SQL 2000 and up
• DB2 (LUW) 8.1 and up
• MySQL 4.0 and up
• PostgreSQL 8.3 and up
• Sybase ASE 12.5 and up
• SQL Azure

McAfee Database Activity Monitoring (DAM)

TRUSTED AUDIT AND REAL-TIME INTRUSION PREVENTION

Fundamental Principles

• Protection from the Inside Out
  • More effective
  • More efficient
  • Better fit with today’s IT environment

• Lower Cost and Complexity of Implementation
  • Software-only solution
  • Easy to download, evaluate, and buy
  • Fastest “Time-to-Compliance”

No Downtime!

Protect the Database Across ALL Threat Vectors

DATABASES CAN BE ACCESSED FROM THREE SOURCES:

1. From the network
2. From the host
3. From within the database (Intra-DB)

[Diagram labels: Network Connection, Listener, Local Connection, Bequeath, SAP, DB admins, sys admins, programmers, DBMS, Shared Memory, Data, Stored Proc., Trigger, View, intra-DB threats]

McAfee DAM: Enterprise Deployment

[Diagram labels: Sensor, DB, Network, McAfee Database Security Server (software), Web-based Admin Console, Alerts / Events, ePO, Cloud]

Reaction in Real-time

• Memory-based, Read-only Sensor is Close Enough to Intervene in Response to Threats
  • Alerting via dashboard or other tools
  • Session termination (via Native DB APIs)
  • User quarantine
  • Firewall update via OPSEC

Only Solution for Virtualization/Cloud

• Virtualization
  • Memory-based monitoring sees VM-to-VM traffic
  • Efficient local rules processing
  • Works well in a dynamic environment

• Cloud Computing
  • Distributed model functions well even in WAN environments
  • Automated provisioning and segregation of duties allows in-house monitoring of managed services

[Diagram: Cloud Computing Infrastructure containing several DBs]

Database Dashboard

Supported databases

• Oracle version 8.1.7 or later, running on Sun Solaris, IBM AIX, Linux, HP-UX, Microsoft Windows
• Teradata 12, 13, 13.1 and 14 on Linux
• MySQL 5.1 and 5.5 on Linux
• Microsoft SQL 2000, 2005, and 2008 on any supported Windows platform
• Sybase ASE 12.5 or later on all supported platforms
• IBM DB2 LUW 9.5 and 9.7
• IBM Mainframe / z/OS

McAfee Database Activity Monitoring

VIRTUAL PATCHING

vPatch

Why Virtual Patching?

• Applying DBMS security patches is painful:
  • Requires extensive testing and db downtime
  • Often results in business disruption

• Sometimes it's near impossible:
  • 24/7/365 operations (one maintenance window per year)
  • Heavily customized applications
  • DBMS versions that are no longer supported by vendor (e.g. 8i)
  • Resources are limited

• Solution: Virtual Patching
  • Protects against known and zero-day vulnerabilities without any downtime or code changes until you can patch

Patch Cycle

• Database Vendor Patch:
  – Time between Report and Install: Months or Years
  – Patches are published on a monthly or quarterly basis
  – Multiple security fixes are collected in a single patch

Report: Reporting a vulnerability to the DB vendor
Analyze: Analysis by the DB vendor
Patch: Security patch provided by the DB vendor
Install: Patch installed by the customer

[Timeline: Report → Analyze → Patch → Install]

Patch Cycle

• Virtual Patching (by McAfee)
  – Time between Report and Install: Days or Weeks
  – vPatch updates are published whenever available
  – Installing vPatch automatically or manually
  – NO downtime of the Database
  – 1 FIX = 1 vPatch rule

Report: Reporting a vulnerability to the McAfee Team
Analyze: Analysis by the McAfee Team
Patch: vPatch Rule provided by the McAfee Team
Install: vPatch Rule installed by the customer (automatically/manually)

[Timeline: Report → Analyze → Patch → Install, shown as repeated R / A / P / I cycles]

DEMO

McAfee Database Security
