Changing regulatory requirements for protection and privacy of data and increasing numbers of data breaches are driving a greater focus on data protection. Understanding who is accessing critical data, what was accessed and when it was accessed is a critical component of strong security operations. One important process for that purpose is Data Activity Monitoring, which supports the ability to identify and report on fraudulent, illegal or other undesirable behavior, with minimal impact on user operations and productivity.
While privileged users’ activity isn’t the only activity you should monitor for compliance and security purposes, those users are especially important to monitor because they have the broadest access to data, and an abused privileged account can do the most damage.
(If attacks leveraging privileged data store users worry you, please check out our related webinar held with the International Information System Security Certification Consortium (ISC(2)), “Best Practices for Mitigating Data Breach Risks.”)
Access for the privileged user
A privileged user is someone who has access to critical systems and data. This user is typically a DBA, but not exclusively. These users have potentially unrestricted access and can perform actions not available to non-privileged users, such as:
- Modify the structure of the database and its components
- Modify user profiles and privileges, including their own
- Access all data, including confidential and sensitive data
Besides the possibility that the privileged user will inadvertently or maliciously impact the database through such actions, an attacker can attempt to gain access via the privileged user account. Those accounts are a prime target for attackers who wish to hijack the account to access data or to introduce malware.
The examples below, drawn from public accounts of actual data breaches, are cases where the breach was enabled by insufficient controls of privileged user accounts.
Access to Data – The Swedish Transport Agency outsourced its database administration to IBM without restricting access to database records. Administrators in Eastern Europe had access to all data, including infrastructure details, personal data and classified information about military vehicles.
Role specific access – Attackers in the massive data breach of credit card data of 40 million Target customers gained access to the system with credentials stolen from a service company. From there the attackers were able to move about in the system and upload malware to Target’s point of sale systems. The service company’s access was required to carry out tasks like monitoring energy consumption and should have been segregated so that it did not allow access to other segments of the system.
As you can see, implementing proper controls is critical. In the next section we’ll review the steps needed to properly manage privileges and monitor the activity of privileged users.
Identify and manage privileged access
Ongoing discovery and management of privileged accounts and sensitive assets is key for visibility and control. Discover and profile all known and unknown assets, privileged user accounts, shared accounts, and service accounts.
The discovery and monitoring system must regularly check which users have privileged access and ensure the privileged user:
- Requires that privilege for his role
- Has credentials appropriate to that privilege, such as the strong password expected of a privileged account
- Has his own unique account, not shared with others
- Has only the access required for his role. For example, the privileged user might require read access, but that can be limited to exclude sensitive data or to only access a small number of records.
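The four checks above can be run as a periodic access review over whatever the discovery job collects. The following is an added example, not Imperva code: it reviews a constructed account inventory of the kind a discovery job could assemble from a database's role catalogue (for instance PostgreSQL's pg_roles and pg_auth_members) joined with the job role of each account owner. The privilege names, the per-role baseline, the logins and the expiry dates are all assumptions made for the demonstration.

```python
"""Privileged-account review over a constructed account inventory.

Added example, not Imperva code. The inventory mimics what a discovery job
could assemble from a database role catalogue joined with HR job roles; the
privilege names, role baseline and accounts are assumptions.
"""
from datetime import date

# Privileges each job role legitimately needs (assumed least-privilege baseline).
ROLE_BASELINE = {
    "dba": {"ALTER_SCHEMA", "MANAGE_USERS", "READ_ALL", "WRITE_ALL"},
    "analyst": {"READ_REPORTING"},
    "app": {"READ_APP", "WRITE_APP"},
}
# Privileges that make an account "privileged" in the sense of this post.
SENSITIVE_PRIVS = {"ALTER_SCHEMA", "MANAGE_USERS", "READ_ALL", "WRITE_ALL"}

INVENTORY = [  # constructed sample
    {"login": "dba_jane", "role": "dba", "owners": ["jane"],
     "privs": {"ALTER_SCHEMA", "MANAGE_USERS", "READ_ALL", "WRITE_ALL"},
     "pw_expires": date(2024, 9, 1)},
    {"login": "ops_shared", "role": "dba", "owners": ["bob", "eve", "mallory"],
     "privs": {"ALTER_SCHEMA", "MANAGE_USERS", "READ_ALL", "WRITE_ALL"},
     "pw_expires": None},                          # password never expires
    {"login": "report_bob", "role": "analyst", "owners": ["bob"],
     "privs": {"READ_REPORTING", "READ_ALL"},      # READ_ALL is not an analyst need
     "pw_expires": date(2024, 9, 1)},
    {"login": "svc_billing", "role": "app", "owners": [],
     "privs": {"READ_APP", "WRITE_APP", "MANAGE_USERS"},
     "pw_expires": None},
]


def review(inventory, baseline, today):
    """Return (login, issue, detail) findings for the four checks in the post."""
    findings = []
    for acct in inventory:
        login, privs, owners = acct["login"], acct["privs"], acct["owners"]
        is_privileged = bool(privs & SENSITIVE_PRIVS)
        # Checks 1 and 4: does the role require these privileges, and nothing more?
        excess = privs - baseline.get(acct["role"], set())
        if excess:
            findings.append((login, "excess_privilege", sorted(excess)))
        # Check 3: one account per person. Shared or ownerless privileged logins
        # make it impossible to attribute an action to an individual.
        if len(owners) > 1:
            findings.append((login, "shared_account", owners))
        elif not owners and is_privileged:
            findings.append((login, "unowned_privileged_account",
                             sorted(privs & SENSITIVE_PRIVS)))
        # Check 2: credential hygiene. Strength cannot be read from the catalogue,
        # but a privileged credential that never rotates, or has lapsed, can be.
        if is_privileged and acct["pw_expires"] is None:
            findings.append((login, "non_expiring_password", None))
        elif acct["pw_expires"] is not None and acct["pw_expires"] < today:
            findings.append((login, "expired_password", acct["pw_expires"].isoformat()))
    return findings


if __name__ == "__main__":
    for login, issue, detail in review(INVENTORY, ROLE_BASELINE, date(2024, 6, 1)):
        print(f"{login:12} {issue:28} {detail if detail is not None else ''}")
```

Run against the sample, only dba_jane comes back clean; report_bob carries an excess READ_ALL grant, ops_shared is a shared login with a non-expiring password, and svc_billing is an ownerless service account holding MANAGE_USERS. The findings are data rather than printed text so they can feed a ticketing or revocation workflow.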
Monitor privileged user usage
While it might be reasonable to monitor and log only certain actions, or a sample of actions, from non-privileged users, all activity of privileged users should be monitored, and especially the sensitive actions listed above. Include in the log everything required to reconstruct an action: the user ID, time, database object, exact statement executed, and the records accessed or altered.
Ensure that the logs cannot be modified by the very users being monitored: host the log store separately from the databases and deny those users write access to it. A DBA who can edit the audit trail can erase their own tracks, which defeats the purpose of the monitoring.
Establish policies that define legitimate behavior for the privileged user, and then in real time identify actions that violate the policy. Identify all sensitive actions and verify they are authorized. When violations occur, block the suspicious activity or send an alert.
Besides monitoring the established policies, it is important to identify deviations from typical user behavior with the data. These can indicate malicious user activity or a database attack that causes the atypical behavior. An example would be a privileged user account that normally reads a few records a day from certain tables, as part of regular maintenance, and then unexpectedly reads many times that number of records. For this purpose, employ machine learning (ML) that will baseline typical access for the privileged user and send alerts on deviations from that behavior.
Machine learning analytics can also learn which data is business critical and flag when a privileged user touches it; a DBA’s work should mostly involve metadata, not the business records themselves. This allows the highest-risk activity among the monitoring alerts to be singled out. With the potentially large number of alerts from large database systems, it is crucial that attention goes first to those highest-risk alerts.
Besides real-time monitoring, provide reporting based on the accumulated logs that can trace a privileged user’s activities and the full details of any transaction. The reporting will also provide the ability to trace the origin of any suspicious activity.
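The pieces of this section (a complete audit record, a policy for sensitive actions, a behavioural baseline per user, and risk ranking of the resulting alerts) fit together as shown in the following added example, which is not Imperva SecureSphere or CounterBreach code. The audit line format, the user and table lists, the ticket convention and the spike threshold are assumptions for the demonstration, and the log lines are constructed. Where the post describes machine learning that learns which data is business critical, this example substitutes a static sensitivity list and a median-of-prior-days baseline.

```python
"""Privileged-user activity monitoring over constructed audit log lines.

Added example, not Imperva code. The line format, user lists, ticket
convention and thresholds are assumptions made for the demonstration.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed audit record layout; a real DAM product has its own schema.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) rows=(?P<rows>\d+) ticket=(?P<ticket>\S+)$"
)

PRIVILEGED_USERS = {"dba_jane", "ops_shared"}        # from the access review
SENSITIVE_OBJECTS = {"hr.salaries", "pci.cards"}       # static stand-in for learned classification
SENSITIVE_ACTIONS = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE_USER"}
SPIKE_FACTOR = 10   # alert when today's read volume exceeds 10x the prior-day median

# Constructed sample: two quiet maintenance days, then a bulk read of hr.salaries
# and an unticketed GRANT on day three, plus a malformed line the parser must skip.
SAMPLE_LOG = """\
2024-06-01T02:00:05Z user=dba_jane action=SELECT object=hr.salaries rows=3 ticket=-
2024-06-01T02:00:09Z user=dba_jane action=SELECT object=app.orders rows=10 ticket=-
2024-06-02T02:00:04Z user=dba_jane action=SELECT object=hr.salaries rows=4 ticket=-
2024-06-02T02:00:08Z user=dba_jane action=SELECT object=app.orders rows=12 ticket=-
2024-06-02T10:15:00Z user=dba_jane action=ALTER object=app.orders rows=0 ticket=CHG-1042
2024-06-03T02:00:06Z user=dba_jane action=SELECT object=hr.salaries rows=52000 ticket=-
2024-06-03T02:00:10Z user=dba_jane action=SELECT object=app.orders rows=11 ticket=-
2024-06-03T11:40:21Z user=ops_shared action=GRANT object=role.superuser rows=0 ticket=-
2024-06-03T12:00:00Z user=report_bob action=SELECT object=reporting.daily rows=400 ticket=-
this line is garbage and must not crash the parser
"""


def parse(lines):
    """Return (events, malformed_count); bad lines are counted, never silently dropped."""
    events, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        ev = m.groupdict()
        ev["rows"] = int(ev["rows"])
        ev["day"] = ev["ts"][:10]
        events.append(ev)
    return events, bad


def policy_alerts(events):
    """Rule: a privileged user's sensitive action needs an authorizing change ticket."""
    alerts = []
    for ev in events:
        if (ev["user"] in PRIVILEGED_USERS and ev["action"] in SENSITIVE_ACTIONS
                and ev["ticket"] == "-"):
            alerts.append({"kind": "unauthorized_admin_action", "user": ev["user"],
                           "obj": ev["obj"],
                           "detail": f'{ev["action"]} at {ev["ts"]} without ticket'})
    return alerts


def behaviour_alerts(events):
    """Per (user, object) daily read volume versus the median of earlier days."""
    daily = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["user"] in PRIVILEGED_USERS and ev["action"] == "SELECT":
            daily[(ev["user"], ev["obj"])][ev["day"]] += ev["rows"]
    alerts = []
    for (user, obj), per_day in daily.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no baseline yet, so nothing to compare against
        baseline = median(per_day[d] for d in days[:-1])
        today = per_day[days[-1]]
        if today > SPIKE_FACTOR * max(baseline, 1):
            alerts.append({"kind": "read_volume_spike", "user": user, "obj": obj,
                           "detail": f"{today} rows on {days[-1]} vs. baseline {baseline}"})
    return alerts


BASE_SCORE = {"unauthorized_admin_action": 70, "read_volume_spike": 50}


def score(alert):
    """Risk ranking: base score per alert kind, raised when sensitive data is involved."""
    return BASE_SCORE[alert["kind"]] + (30 if alert["obj"] in SENSITIVE_OBJECTS else 0)


def analyse(lines):
    events, bad = parse(lines)
    alerts = policy_alerts(events) + behaviour_alerts(events)
    for a in alerts:
        a["score"] = score(a)
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts, bad


if __name__ == "__main__":
    alerts, bad = analyse(SAMPLE_LOG.splitlines())
    print(f"{bad} malformed line(s) skipped")
    for a in alerts:
        print(a["score"], a["kind"], a["user"], a["obj"], a["detail"])
```

On the sample, the ticketed ALTER by dba_jane raises nothing, the 52,000-row read of hr.salaries is flagged against a baseline of 3.5 rows and ranks first because the table is sensitive, and the unticketed GRANT by ops_shared ranks second. The malformed line is reported rather than ignored, since a gap in the audit trail is itself something an investigator needs to know about.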
The Imperva Solution
Imperva SecureSphere provides the database auditing and monitoring that can be applied to privileged users of all your databases. It then integrates with Imperva CounterBreach to provide the analytics required for a complete audit and monitoring system.