
Data Security Solution - ETDA · 25x more databases monitored Equivalent FTE 1000x reduction in rate of alerts 100x increase in alerts investigated Improved Effectiveness of Data


Page 1

Imperva Data Security

Garen LING

Regional Director, ASEAN

Page 2

Company Overview

2 Proprietary and confidential. Do not distribute.

Page 3

Our Mission

To protect your data and applications from ever-changing attacks of cyber criminals


Page 4

Our Customers

5,200+ customers worldwide

325+ government agencies & departments

425+ Global 2000 companies

7 of the top 10 global telecommunications providers

3 of the top 5:

• US commercial banks

• global financial services firms

• global computer hardware companies

• global biotech companies

• global diversified insurance services

Page 5

A Leader for Five Years in a Row

2018 Gartner Magic Quadrant for Web Application Firewalls

A few key Imperva strengths that Gartner mentions:

• Flexible licensing for organizations with a mix of on-premises and cloud-hosted applications

• Imperva is one of the only vendors providing both WAF appliances and cloud WAF service

• Attack analytics provides unified monitoring


Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Ayal Tirosh, Claudio Neiva, August 2018

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 6

A Leader in The Forrester Wave™

DDoS Mitigation Solutions, Q4 2017

Top ranked in both current offering and strategy

Among the top ranked in scale and speed

Read the report to see why.


The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 7

Market Leadership

Prevoty cited as the only Leader in the RASP market.

"Forrester's research uncovered a market in which Prevoty leads the pack."

Page 8

Why Data Security


"As the business becomes digital, security must become data-centric." – Forrester Research, 2018

Data security helps you mitigate risk most effectively.


Page 9

Source: Breach Level Index, 2018


Page 10


Cybercrime Monetizes on DATA

Pages 11-15 (one diagram, built up one layer per slide)

More Data in More Places: Structured, Unstructured, Big Data, Cloud

More Apps are Available: Web Apps, Customer Portal, Mobile Apps, Web Services or APIs

More People Can Access It: Knowledge Workers, Customers, Contractors, Privileged Users

More Bad Actors

Page 16

Cybercrime Monetization

Organizational Assets: Data, Apps

Extortion, Theft

DDoS attacks

Ransomware attacks

Application attacks

Insider Threats (compromised, careless, malicious)

Page 17

Risks of a Data Breach (two chains, labelled Business and Security on the slide)

Credit card numbers are stolen → Monetary penalties and loss of market share → Criminal charges and civil lawsuits → Impact on company's reputation.

Employee supplying a competitor with trade secrets → Competitor bringing a new product to market first → Loss in market share and a revenue source → Reduction in annual revenue and stock prices.

Page 18

The State of Data Breach Prevention

78% of CISOs are concerned that breaches go undetected [1]

19% of CISOs admit they are effective at breach prevention [3]

206 days: average time it takes for a breach to be detected [2]

1. The Global CISO Study, ServiceNow, July 2017

2. Cost of Data Breach Study, Ponemon Institute, 2017

3. What CISOs Worry About in 2018, Ponemon Institute, January 2018

Page 19

Why Detection is Difficult


More legitimate data access.

Incident overload and alert fatigue.

Lack of skilled security professionals.

Page 20

Malicious Careless Compromised

Page 21

Mitigating risks of a data breach requires addressing all.

Exactly WHO is accessing what data?

Is the access OK?

How do I respond QUICKLY if not?

Page 22

What is Imperva Data Security?

Mitigate Risk of Data Breach


Page 23

Business Benefits: Imperva Data Security

                                   Before            After
Databases monitored                2%                50%
Staffing                           0.25 FTE          0.25 FTE
Alerts                             1,000 per day     15-30 per day
Alerts investigated                1%                100%
Significant incidents discovered   0                 2

RESULTS

25x more databases monitored

Equivalent FTE

1000x reduction in rate of alerts

100x increase in alerts investigated

Improved Effectiveness of Data Security without Increased Labor Costs.

Pages 24-25

Imperva Data Security framework (the diagram is built up across the two slides):

Define: Discovery, Classification, Assessment

Detect

Protect: Investigate, Block or Alert, Mask Data

Executive Dashboard

Page 26

Discovery and Assessment

Identify where your sensitive data is.


Benefits

• Discover unknown or rogue databases

• Gain visibility to where sensitive data lives

• Identify security blind spots that attackers can exploit

Key capabilities

• Automated, scheduled and on-demand scans

• Dictionary and pattern-matching classification methods

• 1,500+ pre-defined vulnerability tests

Page 27

(Define / Detect / Protect / Executive Dashboard framework diagram repeated, with Define highlighted; see page 24.)

Pages 28-29

BREACHES ARE FOUND AT THE INTERSECTION OF USERS AND DATA

DATA attributes captured per operation: Database name, Schema, Table name, Data sensitivity, SQL operation and type, Number of rows, Affected rows, Database error code, Operation response time, Server response time, File operation, File path, File name, File type

USER attributes captured per operation: User identity, User department, User domain, Database user name, OS user, Client IP, Client port, Client application, Endpoint host name, Server IP, File share IP

Page 30

Data Activity Monitoring

Continuously monitor interactions with data.


Benefits

• Provides visibility into who is accessing what data and when

• Protects authorized data access, including privileged users and service accounts

• Streamlines compliance with data privacy and protection regulations

Key capabilities

• Pre-defined policies and simple configuration of custom policies

• Consistent policy and standardized reporting across diverse data environments

• Detects data access anomalies and creates real-time alerts

Page 31

Data Risk Analytics

Detect the real threats to your data.


Benefits

• Distills millions of alerts to a handful of high-risk incidents

• Reduces volume of data sent to SIEM

• Prioritizes data threats for investigation

Key capabilities

• Creates a contextual baseline with user and data profiling

• Detects specific abusive and risky data activity with pre-configured algorithms

• Scores issues by risk level

Page 32

Behavior: Develop a Baseline of User Data Access


Questions asked about each user's interaction with the customer database:

Who is connecting to the database?

How do they connect to the database?

What data are they accessing?

How much data do they query?

When do they usually work?

Do their peers access data in the same way?

Page 33

Identifying Data Breaches Requires User and Data

Each risk context is evaluated on both DATA and USER attributes (slide legend: "Data Use Analytics" for the combined view, "Typical UEBA" for the user-only view):

Suspicious Application Data Access
  DATA: Database name, Table name, Data sensitivity, Schema, SQL operation, SQL operation type
  USER: User identity, Client IP, Server IP, Client app

Excessive Database Record Access
  DATA: Database name, Data sensitivity, Table name, Schema, Number of rows, SQL operation
  USER: User identity, User department

Service Account Abuse
  DATA: Database name, Table name, SQL operation, SQL operation type
  USER: User identity, Client IP, Server IP, Client app

Suspicious Dynamic SQL Activity
  DATA: Database name, SQL operation, SQL operation type, Query
  USER: User identity, Client IP, Server IP, Client app

Suspicious File Access
  DATA: File operation, File path, File name, File type, File share name
  USER: User identity, User department

Page 34

(Define / Detect / Protect / Executive Dashboard framework diagram repeated, with Protect highlighted; see page 24.)

Page 35

Protect and Respond

Stop risky or suspicious activity.


Benefits

• Contain data breaches

• Prevent unauthorized data access

• Streamline incident investigation

Key capabilities

• Defines policies to alert, block, quarantine, or report on inappropriate data activity

• Explains incidents in plain language that security teams understand

• Masks sensitive data with fictional but realistic data

Page 36

Continuously Mitigate Breach Risk


Protect & Respond

Monitor

Discover & Assess

Detect

Relational Databases

Big Data

Mainframe

Amazon RDS & Azure

Page 37

© 2018 Imperva, Inc. All rights reserved.

Example 1: A Support Engineer Selects and Updates Credit Card Data

Page 38

Suspicious Application Data Access

• John Smith is an Applications Support Engineer per his Active Directory record.

• A number of incidents were detected around John's interaction with company data.

• Here we focus on one of these that stood out.

Page 39

INCIDENT DESCRIPTION: John was identified as directly accessing business data (cc info) that should normally only be accessed via an application.

Page 40

Suspicious Application Data Access

A number of service accounts (applications) are typically used to access this data. CounterBreach flagged a human touching this data.

Page 41

Example 2: A Developer Accesses Volumes of Production Data

Page 42

Suspicious Application Data Access

• Laura Smith is a Principal Developer and a member of the Engineering Group per her Active Directory record.

• Laura should only be working within the database Dev environment and with non-production databases and data sets.

Page 43

INCIDENT DESCRIPTION: Laura retrieves in excess of 11.6 million records using 'Microsoft SQL Server Management Studio' from a production database, which is abnormally high. Usually two specific applications access these records directly.

Page 44

Example 3: A Contractor Accesses Excessive Multiple Databases

Page 45

Example of a Database Incident

• The user attempted to access 29 different DBs over a short period of time.

• Prioritize what matters the most.

• Interpret the security incident in plain language.

Page 46

Imperva platform overview: On-Prem, Hybrid, Cloud

Protected assets: DATA, APIs, APPs

Outside the Organization: Partners, Customers, Contractors, Bad bots, Hackers

Inside the Organization: Trusted, Privileged, Malicious, Careless, Compromised

Secure App Delivery: CDN, Load balancing, WAF, RASP, DDoS, Bot Protections

Data Security & Compliance: Visibility, Policies, Reporting, Monitoring, Blocking, Masking

Attack Analytics, Data Risk Analytics

SIEM

Page 47

Proven Solution

Imperva Data Security has won the 2019 Best Database Security Solution award.

"I don't worry about whether something is getting past us anymore. Imperva's analytics engine looks at usage and patterns of usage to help us focus our time on what matters most."

-- Director of Information Security and Data Protection, a large healthcare organization in the United States

Page 48

Imperva Data Security

• Identify the most critical threats to your data.

• Improve breach detection effectiveness without increasing labor cost.

• Provide visibility into your data environment.

• Comply with various data privacy and protection regulations.


Page 49

Thank You

[email protected]

Garen LING

Page 50

Who consumes the cake?

Finance

Management

HR

IT

DATA!!!

Page 51

Why not put a cover over the cake?

Page 52

You Just Need to Monitor the Cover Now!

Page 53

Key Advantage: Automate Service ID Learning Behavior

Many man-hours saved!

Look out for suspicious SQL activities. How?

Page 54

Practical use-case applications using DB Firewall

Project: Goal

Sensitive data audit: Streamline audit for security and compliance purposes

Privileged user monitoring: Enforce separation of duties; monitor all activity, including local DB server access; block if necessary

Data theft prevention: Protect sensitive data; prevent the loss of sensitive data

Data across borders: International privacy regulations limit what data can be accessed by users outside the borders defined by the regulation

Change reconciliation: Show the compliance auditors that changes to the database can be traced to approved change tickets

Malware and targeted attack use case: Detect when a privileged user account has been compromised and is being used in an attack

VIP data privacy: Maintain strict access control on highly sensitive company data, including data stored in core systems

Ethical walls: Maintain strict separation between business groups within a larger organization, to comply with M&A requirements, government clearance, …

Secure audit trail archiving: Secure the audit trail from tamper, modification, or deletion
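The use cases in the table above are, in practice, policies evaluated against every database request, plus a protected record of what was decided. The following Python is an added example written for this section, not Imperva's policy language or DB Firewall code: every field name, rule, threshold, reference list and sample request is a constructed assumption, chosen to show how the privileged-user, separation-of-duties, cross-border, change-reconciliation, data-theft and ethical-wall goals become testable rules, and how a hash-chained audit archive makes tampering with stored records detectable.

```python
"""Rule-based database firewall policies plus a tamper-evident audit trail.

Added example for the 'Practical use-case applications using DB Firewall'
slide; not Imperva's code. All fields, rules, thresholds and samples are
constructed assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class DbRequest:
    db_user: str
    group: str            # business group from the directory (e.g. "dba", "developers")
    privileged: bool      # DBA / sysadmin role
    client_ip: str
    server_ip: str
    country: str          # where the client sits, from geolocation or the directory
    operation: str        # SELECT, UPDATE, ALTER, DROP, ...
    schema: str
    sensitive: bool       # table carries a sensitivity label from classification
    rows: int
    change_ticket: str = ""   # approved change ticket referenced for this session, if any


# Constructed reference data the rules consult.
APPROVED_TICKETS = {"CHG-1042"}
ALLOWED_COUNTRIES = {"hr": {"SG"}, "trading": {"SG", "MY"}}   # schema -> countries allowed to read it
ETHICAL_WALLS = {"research": {"trading"}}                     # group -> schemas it must never touch
DDL_OPS = {"ALTER", "DROP", "CREATE", "TRUNCATE"}
BULK_ROWS = 10_000

# Each policy: (use case, predicate, action). A predicate returning True means the policy matched.
POLICIES = [
    ("Privileged user monitoring: local DB server access",
     lambda r: r.privileged and r.client_ip == r.server_ip, "alert"),
    ("Separation of duties: developer on a non-dev schema",
     lambda r: r.group == "developers" and r.schema != "dev", "block"),
    ("Data across borders",
     lambda r: r.schema in ALLOWED_COUNTRIES and r.country not in ALLOWED_COUNTRIES[r.schema], "block"),
    ("Change reconciliation: DDL without an approved change ticket",
     lambda r: r.operation in DDL_OPS and r.change_ticket not in APPROVED_TICKETS, "alert"),
    ("Data theft prevention: bulk read of sensitive data",
     lambda r: r.sensitive and r.operation == "SELECT" and r.rows > BULK_ROWS, "block"),
    ("Ethical wall",
     lambda r: r.schema in ETHICAL_WALLS.get(r.group, set()), "block"),
]


def evaluate(req):
    """Return (decision, matched policy names); block beats alert beats allow."""
    hits = [(name, action) for name, pred, action in POLICIES if pred(req)]
    actions = {a for _, a in hits}
    decision = "block" if "block" in actions else "alert" if "alert" in actions else "allow"
    return decision, [name for name, _ in hits]


class AuditTrail:
    """Append-only, hash-chained records: each entry commits to the previous
    entry's hash, so editing or deleting an archived entry breaks verification."""

    def __init__(self):
        self.entries = []

    def append(self, req, decision, policies):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"request": asdict(req), "decision": decision, "policies": policies, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed sample requests, roughly one per use case on the slide.
SAMPLES = {
    "dba_local_alter": DbRequest("dba1", "dba", True, "10.0.0.5", "10.0.0.5", "SG", "ALTER", "trading", False, 0),
    "ticketed_alter": DbRequest("dba1", "dba", True, "10.0.1.7", "10.0.0.5", "SG", "ALTER", "trading", False, 0, "CHG-1042"),
    "offshore_hr_read": DbRequest("analyst2", "hr", False, "203.0.113.9", "10.0.0.5", "TH", "SELECT", "hr", True, 40),
    "bulk_payroll_dump": DbRequest("rick", "finance", False, "10.0.2.2", "10.0.0.5", "SG", "SELECT", "hr", True, 38_000),
    "research_reads_trading": DbRequest("ana", "research", False, "10.0.3.3", "10.0.0.5", "SG", "SELECT", "trading", False, 10),
    "dev_on_dev": DbRequest("laura", "developers", False, "10.0.4.4", "10.0.0.5", "SG", "SELECT", "dev", False, 500),
}


def run_demo():
    """Evaluate every sample, record each decision, and return (decisions, trail)."""
    trail = AuditTrail()
    decisions = {}
    for label, req in SAMPLES.items():
        decision, hits = evaluate(req)
        trail.append(req, decision, hits)
        decisions[label] = (decision, hits)
    return decisions, trail


if __name__ == "__main__":
    results, log = run_demo()
    for label, (decision, hits) in results.items():
        print(f"{label:24s} {decision:5s} {hits}")
    print("audit trail intact:", log.verify())
```

evaluate() runs every policy rather than stopping at the first match, so an alert-level finding (the DBA's local access) is still recorded next to the block that decides the outcome; verify() walks the chain from the all-zero genesis hash and fails as soon as any archived entry has been altered, which is the "tamper, modification, or deletion" property the last use case asks for.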

Page 55

Imperva DB Security Business Outcome – Audit, Machine Learning & UBA

Satisfies audit requirements: IM8, MAS TRM, PCI, ISO27001, SOX, etc.

Solves security audit review problem: no policies required; Imperva understands data context, so there is no need to understand data types

Solves manpower & skillset problem: CounterBreach - Machine Learning & User Behavior Analytics built in; unsupervised learning; no expensive data modeling required; fast time-to-value; high degree of accuracy

Detected scenarios: Service Account Abuse; Suspicious Application Data Abuse; Machine Takeover; Excessive Database or File Access; Suspicious Dynamic SQL Activity; Data Access Outside of Working Hours; Excessive Failed Logins by User; Excessive Failed Logins from App Server; Suspicious File Access by User

Page 56

Success story 1: Large Investment Firm in ASEAN

Typical behavior: applications (.NET trading app, CRM app, Email app, Autofax) serving 191 investment agents connect through the privileged account "sa" to the database tables CRM, Payroll, Trading, HR.

Incident: interactive user "Liana", using the query tool "MSSQL Studio" under the privileged account "sa", retrieves 600K rows from TradingTransaction, Payroll and Customer_credit.

• "sa" account widely abused and misused in this environment

• Learnt the "normal behavior" in this environment

• Sensitive tables also usually accessed by apps only

• DBA abused the sa rights and accessed sensitive tables

Page 57

Success story 2: Large Bank in ASEAN

Typical behavior (as drawn on the slide): application ".net sqlclient", PCI service account pci_svc, "payroll" and "hrms" database tables; a decommissioned app with a daily failed login at 2am.

Incident: interactive user "Rick", using the query tool "Aqua Data Studio" under the personal DB account "domain/rick", retrieves 38K rows.

• Interactive user retrieves 38k rows from payroll & hrms tables

• Direct access using a DB query tool, not the app account

• Flagged as a possible attempt to access sensitive data

• What happened?

• A data patching exercise that the security team didn't even know about

• Could have been a real data breach, since they were not aware of what was happening

Page 58

Success story 3: Top 20 Global University

Typical behavior: application "hrP" (authorized user) accesses the sensitive table "psxjyua25".

Incident: interactive user "Tyler", using the query tool "MS SQL Server Mgmt Studio" under the personal DB account "domain/tyler", accesses the same table.

• Unauthorized access to a large quantity of data flagged as sensitive by CounterBreach

• Investigation shows that this data had not been accessed by this user before

• DBA confirmed that the flagged table is a finance table in PeopleSoft

• Human review might never have picked this table up as sensitive
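The baseline questions on the "Develop a Baseline of User Data Access" slide (who connects, how, to what data, how much, when, and like their peers or not) and the three success stories above describe one mechanism: learn what is normal per account and per table, then score every new operation against it. The following Python is an added example, not Imperva's CounterBreach or Data Risk Analytics code; the audit-record fields, the list of interactive query tools, the mean + 3 sigma row-count threshold, the risk weights and all sample records are constructed assumptions modelled loosely on the incidents the success stories describe.

```python
"""Learn a per-account / per-table baseline from database audit records,
then score new records against it.

Added example (not Imperva's code). Fields, thresholds, weights and sample
records are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed: query tools that mean a human at a keyboard rather than an application.
INTERACTIVE_TOOLS = {"MSSQL Studio", "Aqua Data Studio", "MS SQL Server Mgmt Studio"}


@dataclass(frozen=True)
class AuditEvent:
    account: str      # database account the query ran under (e.g. "sa", "pci_svc")
    client_app: str   # application or query tool that sent the SQL
    table: str
    rows: int         # rows returned or affected
    hour: int         # local hour of day, 0-23
    sensitive: bool   # table carries a sensitivity label from classification


def _limit(samples):
    """Upper bound of 'normal' row counts: mean + 3 sigma, or twice the mean when there is no spread."""
    m, sd = mean(samples), pstdev(samples)
    return m + 3 * sd if sd > 0 else 2 * m


class Baseline:
    """What 'normal' looks like per account and per table, learnt from past activity."""

    def __init__(self):
        self.account_apps = defaultdict(set)    # account -> client apps it has used
        self.account_hours = defaultdict(set)   # account -> hours it is normally active
        self.account_rows = defaultdict(list)   # account -> row counts per query
        self.table_apps = defaultdict(set)      # table -> client apps that normally read it
        self.table_rows = defaultdict(list)     # table -> row counts per query (peer view)

    def learn(self, events):
        for e in events:
            self.account_apps[e.account].add(e.client_app)
            self.account_hours[e.account].add(e.hour)
            self.account_rows[e.account].append(e.rows)
            self.table_apps[e.table].add(e.client_app)
            self.table_rows[e.table].append(e.rows)

    def detect(self, e):
        """Return [(scenario, risk score, plain-language explanation)], highest risk first."""
        findings = []
        interactive = e.client_app in INTERACTIVE_TOOLS

        # Service Account Abuse: an account only ever driven by applications is now used from a query tool.
        known_apps = self.account_apps.get(e.account)
        if interactive and known_apps and not (known_apps & INTERACTIVE_TOOLS):
            findings.append(("Service Account Abuse", 40,
                             f"account '{e.account}' is normally used only by {sorted(known_apps)}, "
                             f"now used interactively via {e.client_app}"))

        # Suspicious Application Data Access: a sensitive table only applications read is touched by a human.
        table_apps = self.table_apps.get(e.table)
        if e.sensitive and interactive and table_apps and not (table_apps & INTERACTIVE_TOOLS):
            findings.append(("Suspicious Application Data Access", 30,
                             f"sensitive table '{e.table}' is normally accessed only via {sorted(table_apps)}"))

        # Excessive Database Record Access: compare to the account's own history, else to peers on that table.
        history = self.account_rows.get(e.account) or self.table_rows.get(e.table)
        if history and e.rows > _limit(history):
            findings.append(("Excessive Database Record Access", 30,
                             f"{e.rows} rows retrieved; normal upper bound is about {int(_limit(history))}"))

        # Data Access Outside of Working Hours: hour not adjacent to any hour seen for this account.
        hours = self.account_hours.get(e.account)
        if hours and all(abs(e.hour - h) > 1 for h in hours):
            findings.append(("Data Access Outside of Working Hours", 20,
                             f"activity at {e.hour:02d}:00; account is normally active during {sorted(hours)}"))

        bonus = 10 if e.sensitive else 0   # touching classified data raises every finding's score
        return sorted(((name, score + bonus, why) for name, score, why in findings), key=lambda f: -f[1])


# Constructed learning set: applications using service accounts during office hours.
LEARNING = [
    AuditEvent("sa", ".NET trading App", "TradingTransaction", 220, 10, True),
    AuditEvent("sa", ".NET trading App", "TradingTransaction", 240, 14, True),
    AuditEvent("sa", "CRM App", "Customer_credit", 35, 9, True),
    AuditEvent("sa", "CRM App", "Customer_credit", 40, 16, True),
    AuditEvent("pci_svc", ".net sqlclient", "payroll", 55, 11, True),
    AuditEvent("pci_svc", ".net sqlclient", "payroll", 60, 15, True),
    AuditEvent("domain/tyler", "hrP", "psxjyua25", 12, 10, True),
]

# Constructed records to score, modelled loosely on the success stories.
INCIDENTS = {
    "liana": AuditEvent("sa", "MSSQL Studio", "Customer_credit", 600_000, 14, True),
    "rick": AuditEvent("domain/rick", "Aqua Data Studio", "payroll", 38_000, 11, True),
    "night": AuditEvent("pci_svc", ".net sqlclient", "payroll", 58, 2, True),
    "normal": AuditEvent("sa", "CRM App", "Customer_credit", 38, 11, True),
}


def run_demo():
    """Learn the baseline, then score each constructed record; returns {label: findings}."""
    base = Baseline()
    base.learn(LEARNING)
    return {label: base.detect(ev) for label, ev in INCIDENTS.items()}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or "no incident")
```

The "liana" record trips three scenarios at once and comes out on top, which is the stacked, scored incident the slides mean by distilling alerts into a handful of high-risk incidents; "rick" has no history of his own, so his 38K rows are judged against what the payroll table's usual readers retrieve, the peer comparison from the baseline slide; and the ordinary CRM read scores nothing, which is what keeps the alert rate down.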

Page 59

How does Imperva DAM solve the problem?

Inputs: DB Hardening Assessment; Sensitive DB Data Definition; Real-time DB Activities from DB Server Farms with Imperva Agents

Imperva Data Collection & Analytics Engine

DB Auditing / Compliance Reporting: Meeting Audit Requirements; Forensics

Real-time Security: Alert & Block; Governance Policies

Imperva Automation Layer: Service ID Behavior Profiling; Long-Term Data Retention; Machine Learning; Historical Data Analysis

Page 60

Imperva SecureSphere DAM/DBF & CounterBreach Logical Architecture

Layers shown on the slide: Admin, Management, Analysis, Data Collection, Access.

Admin: SecureSphere Administrator (Web Browser)

Management: Management Server (MX); Weekly MX Export Backup to Long Term Storage

Analysis: Events Platform (EX); Imperva Gateway Cluster (N+1) with Passive Gateway and Active Gateway receiving Audit Data

Data Collection: DB Servers with DB Agents (including DB/400, AWS RDS Oracle, AWS RDS PostgreSQL) sending real-time DB audit activities

Access: Direct User Access (DBA); Business Application via Web Server and Middleware Server (SQL)

Long Term Storage: NAS or SAN or NFS/CIFS File Share holding Audit Data, Online Audit, Config Backup

Third Party IT Ecosystems: LDAP, Ticketing, SIEM, connected over Syslog/ LDAP/ SQL/ SOAP/ SMTP/ SNMP/ Scripts and Syslog/ SNMP

Imperva CounterBreach (CB): Daily CounterBreach Audit Archive (SCP) feeds the CB Analytics Server (Learn & Detect); the CB Admin Server sends Incidents/Anomalies. SecureSphere logs are copied over to CounterBreach. The product will not interfere with existing SecureSphere deployments.

Page 61

Supported Databases

Database: Azure SQL Service. Supported DB: MS-SQL 2016, 2017

Page 62

Thank You

[email protected]

Garen LING