Review: DB Networks Enhances Database Security with Machine Learning


Protecting databases takes more than securing the perimeter; it also takes a deep understanding of how users and applications interact with databases, as well as knowing which databases are actually alive on the network. DB Networks aims to provide the intelligence, analytics and tools to bring insight into the database side of the equation.

It’s no secret that database intrusions are on the rise, much to the chagrin of those responsible for infosec. While many have focused on protecting the edge of the network and wrapping additional security around user access, the simple fact of the matter is that databases are the primary storehouses of private and sensitive information, and are often the true targets of intruders.

Recent events, such as the Target breach, the theft of security clearance information from the US OPM (Office of Personnel Management) and the theft of medical records from Anthem Healthcare, illustrate that protecting sensitive data is quickly becoming a losing battle. DB Networks is taking steps to turn the tide and bring victory to those charged with protecting databases.

The San Diego-based company offers its DBN-6300 appliance and its virtual cousin, the DBN-6300v, as founts of database activity, analytics and discovery to give today’s security professionals an edge against the ever-growing cyberattacks that target databases. Those products promise to equip security professionals and database administrators with tools that can identify and mitigate breaches before irreparable damage is done.

Case in point is the ubiquitous SQL injection attack, which is far more common than most will admit. SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them. However, according to Neira Jones, the former head of payment security for Barclaycard, some 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line.

Taking a Closer Look at DBNetworks IDS-6300:

I recently had a chance to put the DBNetworks IDS-6300 through its paces at the company’s San Diego offices. The IDS-6300 is a physical appliance, built on Intel hardware as a 2U rack-mountable server. The device features four 10/100/1000 Ethernet ports for data capture, one 10/100/1000 Ethernet admin port and one 10/100/1000 Ethernet customer service port, as well as a 480GB SSD and 2TB of archival storage.

The device can be deployed by plugging it into either a SPAN port or a tap port located at the core switch in front of the database servers. The idea is to place the device logically ahead of the database servers, yet behind the application servers, so it can focus on SQL traffic. The IDS-6300 is managed via a browser-based interface that supports the Chrome, Firefox and Safari browsers, with full IE support promised in the near future.

I tested the device in a mock operational environment that included MS-SQL databases and a demo version of a banking application that incorporated some known vulnerabilities. Setting up the device entailed little more than defining the capture ports and some very basic post-installation items. Once configured to capture data, the next step was to identify databases.

Here, the IDS-6300 does an admirable job; it is able to automatically discover any databases that experience any traffic, even simple communications, such as a basic SQL statement. The device monitors for traffic 24/7 and continually checks for database activity.

That proves to be a critical element in the quest for securing databases – according to company representatives, many customers have discovered databases that IT was unaware were operating in production environments. What’s more, the database discovery capability can be used to identify rogue databases or databases that were never shut down after a project completed.

The database discovery information offers administrators real insight into what exactly is operating on the network, and what is vulnerable to attack – knowing that information can be the first step in mitigating security problems, before even venturing into traffic analysis and detection.

Nevertheless, the product’s real power comes into play when detecting SQL injection attacks. Instead of using canned templates or signatures, the IDS-6300 takes SQL attack detection to the next level – the device learns what normal traffic is, records and analyzes what that traffic accomplishes, and then builds a behavioral model.

Simply put, the device learns how an application communicates with a database, and that information is used to create a behavioral model. Once learning is completed, the device uses multiple detection techniques to validate future SQL statements against expected behavior. In practice, behavioral analysis proves immune to zero-day attacks, newly scripted attacks and even old, recycled attacks, because all of those attacks fall outside the norms of expected behavior.

That behavioral analysis eliminates the need for signatures, blacklists, whitelists and other technologies that rely on pattern matching or static detection, which in turn reduces operational overhead and maintenance chores, almost turning SQL injection attack monitoring into a plug-and-play paradigm.
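To make the learn-then-validate idea concrete, here is an added toy model (my own illustration, not DB Networks’ algorithm or code) that reduces each SQL statement to a structural fingerprint with literals abstracted away, records the fingerprints seen during a learning phase, and then flags any later statement whose shape was never learned. The sample banking-application traffic is constructed for the demo.

```python
import re
from collections import defaultdict

# Tokens: string literals ('' escapes), numbers, identifiers/keywords, operators, punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z_0-9.]*|[<>=!]+|[(),;*+\-/]")

def fingerprint(sql):
    """Statement structure: literals become placeholders, keywords/identifiers are case-folded."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            out.append("?s")          # any string literal
        elif tok[0].isdigit():
            out.append("?n")          # any numeric literal
        else:
            out.append(tok.lower())   # keyword, identifier, operator or punctuation
    return " ".join(out)

class BehavioralModel:
    """Learning phase records every statement shape seen; detection flags unseen shapes."""
    def __init__(self):
        self.known = defaultdict(int)  # fingerprint -> times seen during learning
        self.learning = True

    def observe(self, sql):
        """Return None for an expected statement, or the unexpected fingerprint."""
        fp = fingerprint(sql)
        if self.learning:
            self.known[fp] += 1
            return None
        return None if fp in self.known else fp

# Constructed sample traffic for a toy banking application (not a real capture).
LEARNING_TRAFFIC = [
    "SELECT id, balance FROM accounts WHERE user = 'alice'",
    "SELECT id, balance FROM accounts WHERE user = 'bob'",
    "UPDATE accounts SET balance = 120.50 WHERE id = 42",
]
LIVE_TRAFFIC = [
    "SELECT id, balance FROM accounts WHERE user = 'carol'",          # new literal only: expected
    "UPDATE accounts SET balance = 99 WHERE id = 8",                  # new literals only: expected
    "SELECT id, balance FROM accounts WHERE user = 'x' OR '1'='1'",   # extra clause: unexpected
]

def run_demo():
    """Train on LEARNING_TRAFFIC, then return the LIVE_TRAFFIC statements that were flagged."""
    model = BehavioralModel()
    for stmt in LEARNING_TRAFFIC:
        model.observe(stmt)
    model.learning = False
    return [stmt for stmt in LIVE_TRAFFIC if model.observe(stmt) is not None]
```

Only the statement whose structure differs from anything learned is reported, while statements that merely carry new literal values pass; a production system would also need to cover the learning phase itself and tolerate legitimate application changes.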

When SQL Injection attacks occur, the IDS-6300 captures all of the traffic and transaction information around that attack. What’s more, the device categorizes, analyzes and presents the critical information about the attack so that administrators (or application engineers) can modify database code or incorporate firewall rules very quickly to remediate the problem.

That brings up another interesting point: the IDS-6300 proves to be a good candidate for helping organizations improve application code. With many businesses turning to outsourcing and/or modifying off-the-shelf or open source software for application development, situations may arise where due diligence is not fully implemented, and agile development projects may introduce security flaws into application code. That is not an uncommon problem, at least according to Forrester Research’s Manatosh Das: poor application coding persists despite lessons learned. Das claims that more than two-thirds of applications have cross-site scripting vulnerabilities, nearly half fail to validate input strings thoroughly, and nearly one-third can fall foul of SQL injection. Das adds that security professionals and software engineers have known about these types of flaws for years, but they continue to show up repeatedly in new software code.

The IDS-6300 will quickly detect those newly introduced flaws and prevent poor programming practices from creating vulnerabilities, and then provide the information needed to fix those flaws.

The IDS-6300 offers another advantage to customers: it can help them consolidate databases by identifying which databases are active and what they are used for. That in turn can lead to companies combining databases and significantly reducing licensing and support costs. DBNetworks reports that one of its customers was able to reduce database licensing costs by over $1,000,000 by detecting and consolidating databases that were discovered by the IDS-6300.

The IDS-6300 starts at $25,000 and is available directly from DBNetworks and authorized partners. For more information, please visit DBNetworks.com.


2 Comments

Edward W.

Well, since there’s negative unemployment in cybersecurity I don’t think that will be an issue. Also I don’t want to be a Luddite, I embrace the new technologies.
