In the first and second posts in this series, we explained why traditional approaches are no longer viable to take on today’s threat landscape and showed why internally-generated attacks are so difficult to stop. In this post, we’ll identify the critical elements of a highly effective database analytics solution and explain why they are essential for managing today’s cybersecurity threats.
The three building blocks of dynamic, scalable database analytics
Firstly, an effective database analytics solution must combine the power of anomaly detection with attack vectors in the database space. For instance, from a security incident perspective, a privileged user accessing data from a new source (e.g., a new computer or VPN pool) is unremarkable. If we were to observe that same privileged user accessing data from a new source and using an interactive tool to run select commands on sensitive tables/columns that he has never accessed in the past, nor has anyone in the user’s work group ever accessed any of the data that this user is trying to access, that would be remarkable and likely warrant further investigation. These conditions represent combined anomalies that match known breach patterns and operate on a sliding scale that is constantly evolving, resulting in highly probable incidents.
Secondly, the solution must also have the capacity to aggregate events across the enterprise and score them, so that the incident response team has an immediate view of the most critical activity in the environment as well as assist them in understanding how the event was detected, and how best to mitigate.
Thirdly, the solution must leverage orchestration and automation functionality to quickly mitigate the threat before it turns into a full-on breach. To perform the analysis and interpretation required to automate preventative action and rapid remediation responses to security threats, your solution must enable users to gain access to data flows from key activity domains (e.g., Sessions/Logins, Exceptions/Errors, or Policy Violations) from an unlimited number of sources in a single platform, and view them in a single pane of glass. Next, your security teams should be able to run sophisticated, unsupervised analytics engines automatically to respond to predefined events, such as locking out a user when the system identifies a suspicious behavior.
The solution should also enable your security teams to perform an analysis of enriched contextual data to detect behavioral anomalies – like account abuse, code injection, insider threat, etc. – and automate remediation responses to prevent future security events. Users can join related information such as metadata, vulnerability assessment, classification, and entitlements from any number of sources to substantially boost the context and value of all data. This results in a more efficient interpretation and processes, as well as accelerated communication and faster remediation actions.
A principal challenge for security teams in automating preventative action and rapid remediation responses is the bottleneck that often exists in processing event-level workflow communications. The result of this bottleneck is slow responses to data-centric events. Let’s take a moment to compare enterprise security practices to the fraud management practices credit card companies use. Credit card fraud mitigation teams extend incident reviews to customers for validation. Proper security requires incident response outside the SOC. Enterprise security teams must ensure the proper person is reviewing the incident and not just a SOC admin with no real context.
Your solution should offer customized and pre-built event-level workflows. This eliminates the need for manual routing and entitlement review processes, report sign-off, trusted connections validation, and change management processes, which will improve response times and streamline overall communication among stakeholders. Finally, your solution should provide playbooks for managing sensitive data alerts, importing assets, running or disabling scans, and database discovery that integrate with SOAR systems to prevent security events before they occur, mitigating the damage a prospective breach could cause.
In the last post in this series, we’ll offer insights into how you can put a modern database analytics solution into practice in your organization; one that enables you to identify attackers performing reconnaissance activities and stop breaches before they happen. Stay tuned…
Try Imperva for Free
Protect your business for 30 days on Imperva.
