Protecting the Data that Drive Business


Page 1: Protecting the Data that Drive Business

Chris Gale

Partner Director EMEA

[email protected]

Protecting the Data that Drive Business

Page 2: Protecting the Data that Drive Business

Almost Twenty Years Ago Today...

Fleischmann & Pons

‘Cold fusion’

Tim Berners-Lee

‘Distributed hypertext system’

Page 3: Protecting the Data that Drive Business

Today’s Business Application Data Flow (diagram)

Diagram labels: Physical Store; Corporate Headquarters; POS Terminals (Cash Register); In-Store Server; Online Store; HQ Server; Transaction Databases; Staging Server; Databases; Internal Corporate Systems; Authorization from Acquiring Bank; Transaction Info to Acquiring Bank

CONFIDENTIAL - Imperva

Page 4: Protecting the Data that Drive Business

Business Application Data Security Challenge

Diagram labels: Browser; Web/Web services; Applications; Thin Client 3-Tier App; Thick Client 2-Tier App; Application Interface; DBA; SQL; Data

“Database systems are often very complex, combining the core database with a collection of applications… It is not sufficient to protect the database alone, all the associated applications need to be secured.”

-- SANS Top 20 Internet Security Risks of 2007

Page 5: Protecting the Data that Drive Business

Why Should You Care?

Theft, Abuse, Misuse & Leakage Happen Even in Leading Organizations

85% of organizations have experienced a data breach

Sources: Privacy Rights Clearinghouse & Ponemon Institute Survey, “The Business Impact of Data Breach”

Page 6: Protecting the Data that Drive Business

Why Should You Care?

What do regulations require of you?

• PCI – Required to process credit card transactions
• SOX – Required to report financial results
• EU DD Privacy – Required to process personal data

Data governance is not optional

Page 7: Protecting the Data that Drive Business

New Web 2.0 – Old Threats & New

• 92% of Web applications have vulnerabilities; 93% of vulnerable sites are still vulnerable after code fixes!!
• SQL Injection – still the majority cause of data leakage; Ponemon estimates breaches cost on average $202 per compromised record
  • April 08: automated SQL injection affects 500k IIS webpages
  • July 08: Asprox ‘infects’ reputable sites including NHS
• Exploiting the server’s trust in the client (versus XSS): Cross Site Request Forgery (CSRF) & JS-Hijacking (AJAX) – a growing cause of web fraud

Page 8: Protecting the Data that Drive Business

Worrying Threat Trends in 2008

• Majority of malware now ‘cloaked’ in Web protocols – both exploits and Command & Control; HTTP poorly monitored – traffic volume, SSL & difficult to block
• Indirect attacks exploiting ‘trusted’ websites for malware distribution – implicitly trusted by the user (‘Drive-by’ downloads); Sophos reported 1 webpage ‘infected’ every 5 secs during 2008
• ‘Google Hacking’ & ‘Web worms’ – search-engine seeded attacks & data breach discovery; concept first analyzed in March 2004 ADC paper: “Web Application Worms: Myth or Reality?”

Page 9: Protecting the Data that Drive Business

Can Existing Controls Help?

• Traditional firewalls only detect network attacks: they only inspect IP address and port/service number
• IPS/IDS signatures only detect known threats: no application understanding, no user/session tracking, high rate of false positives/negatives, no protection of SSL traffic

Diagram labels: Internet; Hacker; User; Firewall; IPS or Deep Inspection firewall; Web Servers; Data Center; attack labels: Cookie Injection, XSS Attack, Zero Day, Worm

Page 10: Protecting the Data that Drive Business

Founded in 2002

CEO Shlomo Kramer – CEO of the Year, co-founder of Check Point

The leader in Data Security

Global company with over 40% international revenue

North American HQ in California; International HQ in Israel

Local presence in all major markets (EMEA, APAC, Japan)

Customers in 35+ countries

Over 700 customers and 4500+ organizations protected

Page 11: Protecting the Data that Drive Business

Imperva Application Defence Centre

Business application Data Security experts

Research the latest threats and compliance best practices:
• Applications (SAP, Oracle EBS, PeopleSoft & others)
• Databases (Oracle, DB2, SQL-Server & others)
• Compliance mandates (SOX, PCI, HIPAA & others)

Deliver actionable, up-to-date content to Imperva customers

Page 12: Protecting the Data that Drive Business

SecureSphere Data Security Suite

Modular SecureSphere 7.0 Packaged for Specific Use Cases

• Data Security Suite – Full Visibility and Control
• Web Application Firewall – Security for Web Applications
• Database Firewall – Auditing & Protection for Databases
• Database Activity Monitoring – Visibility into Database Usage
• Discovery and Assessment Server – Discovery and Assessment for Databases

SecureSphere Platform capabilities (diagram): Discovery; Assessment; Audit / Monitor; Tracking; Enforcement

SecureSphere Management

Page 13: Protecting the Data that Drive Business

SecureSphere Architecture

Diagram components: ADC Insights; Database Activity Monitoring; Discovery & Assessment Server; Database Monitor Agent; Management Server (MX); Web Application Firewall; Database Firewall; Internet; Web; Database

Page 14: Protecting the Data that Drive Business

SecureSphere Universal User Tracking: Who Is Really Accessing Data?

• End-to-end visibility of the real application user behind ‘pooled’ application user accounts
• No re-writing of application or database code

Diagram: Web to DB User Tracking and SQL Connection User Tracking

• No real user knowledge: [email protected] → Webapp.company.com → database
• Web to DB User Tracking – end-to-end real user knowledge: [email protected]
• Limited real user knowledge: [email protected] → Webapp.company.com → SELECT … WHERE ID = ‘[email protected]’
• SQL Connection User Tracking over shared & dedicated DB user connections – end-to-end real user knowledge: [email protected] → SELECT … WHERE ID = ‘[email protected]’
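An added illustration of the correlation problem on this slide (my own example, not Imperva's code or SecureSphere's algorithm): the database audit trail sees only the pooled account, so each pooled-connection query is attributed to the real web user by matching the user id quoted in the SQL, falling back to timing when only one web session is active, and giving up when sessions are concurrent. The hosts, accounts and log records are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional
# Constructed assumption: the web tier on this host reaches the database through one
# pooled account, so the database by itself only ever sees "webapp" as the user.
APP_HOSTS = {"webapp.company.com"}
POOLED_ACCOUNTS = {"webapp"}

@dataclass
class WebRequest:      # a web-tier record (what a WAF logs): time, app server, real user
    ts: float
    host: str
    user: str

@dataclass
class DbQuery:         # a database audit record: time, connecting host, DB account, SQL
    ts: float
    client: str
    db_user: str
    sql: str

def sql_literals(sql: str) -> set[str]:
    # String literals in the statement, like the ID in WHERE ID = '...'
    return set(re.findall(r"'([^']*)'", sql))

def attribute(q: DbQuery, web: list[WebRequest], window: float = 2.0) -> Optional[str]:
    if q.client not in APP_HOSTS or q.db_user not in POOLED_ACCOUNTS:
        return q.db_user                      # dedicated connection: DB user is the real user
    recent = [w for w in web if w.host == q.client and 0 <= q.ts - w.ts <= window]
    by_id = [w for w in recent if w.user in sql_literals(q.sql)]
    if by_id:                                 # the user's own id appears in the SQL
        return max(by_id, key=lambda w: w.ts).user
    if len(recent) == 1:                      # one session active: timing alone suffices
        return recent[0].user
    return None                               # concurrent sessions, nothing to tell them apart

# Constructed sample logs (not real traffic)
WEB_LOG = [
    WebRequest(100.0, "webapp.company.com", "alice@example.com"),
    WebRequest(100.2, "webapp.company.com", "bob@example.com"),
    WebRequest(200.0, "webapp.company.com", "carol@example.com"),
]
DB_LOG = [
    DbQuery(100.5, "webapp.company.com", "webapp", "SELECT * FROM accounts WHERE ID = 'alice@example.com'"),
    DbQuery(100.6, "webapp.company.com", "webapp", "SELECT * FROM accounts WHERE ID = 'bob@example.com'"),
    DbQuery(101.0, "webapp.company.com", "webapp", "SELECT COUNT(*) FROM orders"),
    DbQuery(200.3, "webapp.company.com", "webapp", "SELECT * FROM orders LIMIT 10"),
    DbQuery(300.0, "dba-ws.company.com", "dba_jane", "SELECT * FROM cardholders"),
]

def attribute_all() -> list[Optional[str]]:
    return [attribute(q, WEB_LOG) for q in DB_LOG]
```

The third query comes back as None: two sessions were active and nothing in the SQL separates them, which is exactly the audit gap the slide calls "no real user knowledge".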

Page 15: Protecting the Data that Drive Business

Best Practice Data Security Recommendations

1. Locate & classify sensitive data
2. Regularly test for vulnerabilities
   • Buy time, mitigate critical risks with WAF & DB firewalls
   • If possible, remediate by fixing the code
3. Protect critical web applications
   • Deploy WAF to prevent data breach
   • Audit access by actual application users – not ‘pooled’ accounts
4. Monitor sensitive data stores
   • Use DAM for visibility
   • Privileged users (DBAs)
   • Consider protecting access to most sensitive data with DB firewalls

Page 16: Protecting the Data that Drive Business

PCI DSS Compliance & SecureSphere

PCI DSS 6.6 – Application layer firewall or external code review
SecureSphere WAF: Cost-effective, non-intrusive threat mitigation

PCI DSS 10 – Track and monitor all access to cardholder data
SecureSphere DAM: SQL auditing, tamper-proof, separation of duty

PCI DSS 3.4 – Compensating controls for protecting stored cardholder data
SecureSphere DB Firewall: Prevents unauthorised access to cardholder data

Page 17: Protecting the Data that Drive Business

Imperva: The Leader in Data Security

Veteran leadership with deep industry expertise
• Industry veterans in security
• ADC - only research team dedicated to business application data security

Consistent growth fueled by
• Surge in data breaches
• Regulatory compliance requirements
• Tightening Data Security legislation

More application data security deployments than any other vendor
• Over 700 direct customers
• 54 Fortune 1000
• 86 Global 2000
• Over 4500 protected organizations

Only complete solution for visibility and control over business data
• Dynamic Profiling & Universal User Tracking
• Consistent industry recognition of technical superiority

Page 18: Protecting the Data that Drive Business

www.imperva.com

Thank You