Like the crown jewels, many companies assign a nearly priceless value to their data. So why aren't they taking better care of the databases where they store much of their corporate data?
Forty-seven percent of companies surveyed by Osterman Research, on behalf of database security company DB Networks, do not have a dedicated team or even an individual to oversee database security. This despite the fact that such high-profile hacks as last year's breach of Anthem, which exposed 80 million customer records, were carried out by attackers who exploited database vulnerabilities.
Michael Sabo, VP of Marketing, DB Networks, said database security professionals are responsible for such important tasks as enforcing password policies, applying patches, enforcing coding best practices, suppressing error messages which can give attackers insight into database architecture and environment, and monitoring and analyzing all SQL statements generated by database-connected applications to identify vulnerabilities and rogue SQL statements.
On the latter point, when a SQL injection attack is identified in the database infrastructure, it indicates perimeter defenses have been breached and the application is being exploited, Sabo said. "Identifying rogue SQL in the core network is the last line of defense before the database is breached."
Lack of Visibility into Database Activity
Despite the importance of monitoring, 38 percent of survey respondents said they do not have the mechanisms and controls in place to allow them to continuously monitor their organization's databases in real time.
The survey also found that 59 percent of respondents lack a high degree of certainty about which applications, users and clients access their databases. In addition, just 20 percent of respondents conduct database activity assessments on a more or less continuous basis. Slightly more than half of respondents conduct such assessments no more than once per quarter, and 6 percent of organizations never conduct assessments.
This lack of visibility into database activity is a big problem, Sabo said.
"Without visibility into the database infrastructure, attackers are able to operate with impunity over a very long period of time. Attackers are presented with a very large and valuable hidden attack surface that they learn and understand often much better than the organization that actually owns it. The attackers slowly and methodically drain the organization's mission critical data over a very long period of time," he said.
The survey also revealed some startling statistics regarding credentials for database administrators. Although it was the single largest database security concern, cited by half of respondents, 39 percent of surveyed organizations lack the necessary tools to allow them to identify a database breach resulting from compromised or abused credentials.
Also, only 21 percent of survey respondents said they could discover a data breach involving compromised credentials almost immediately. Fifteen percent said they have no idea how long it would take to discover this kind of a breach.
"To identify compromised database credentials you need to be able to do deep protocol analysis of database transactions. Essentially decode SQL across multiple dialects, multiple servers, multiple packets, and understand the context of the conversation," Sabo explained. "Once you can do that, you can also identify the logins. Then you need to learn which are the truly legitimate accesses and legitimate behaviors. Once you've learned that, you can then build a model that subsequent transactions can be compared and tested against. At that point you can identify in real-time when a credential has been compromised or is being abused."
Other studies have noted a relative lack of attention to database security. Last year, for example, Ponemon Institute found that organizations allocate just 19 percent of security budgets to database security. Contrast that to network security, which commands 40 percent of security budgets.
Evolving Database Security Approaches
The Osterman Research study does show a shift away from total reliance on perimeter security toward a greater emphasis on database security, said Michael Osterman, president of Osterman Research. "Identifying compromised database credentials and insider threats will likely receive far more investment in the future."
Machine learning and behavioral analysis are approaches recommended by DB Networks. "It is field proven that it requires little effort to install and there are no signature files, white lists or black lists to maintain, further reducing staffing," Sabo said. "Machine leaning and behavioral analysis has also proven to be far more accurate at identifying actual attacks in real time. This further reduces pressure of the staff because it means they aren't spending time chasing down false positives."