Not All Database Security Solutions Are Created Equal

Transcription

Solution Brief
Compare solutions from different vendors

Databases: The Top Regulatory Compliance Challenge
In January 2012, Evalueserve surveyed 438 IT decision makers, administrators, consultants, and security analysts worldwide. Respondents listed databases as their most challenging regulatory compliance area.

Databases are the leading IT security blind spot
In April 2012, Verizon Business released its annual data breach survey (covering more than 800 security breaches), which found that database breaches accounted for 95% of all records breached.

“We were able to get more value out of McAfee’s DB [McAfee database] security product in two weeks than we got from our older DAM product in over a year.”
—Director of IT Security, Financial services company

Databases are the number one target of cybercriminals and disgruntled insiders. With the recent rash of breaches, you may have already realized that traditional perimeter and network security, as well as built-in database security measures, offer only very limited protection when it comes to securing the organization’s most sensitive data, which is often stored in databases. That’s why compliance officers as well as auditors are taking a much closer look at database security and compliance. It is also why four main database security vendors have entered the market. This document highlights key database security capabilities and provides an objective, apples-to-apples comparison of the leading database security solutions.

What Your Database Security Solution Should Do

- Protect all your databases across all threat vectors in real time—Partial protection or after-the-fact notifications are of little value if your database has already been compromised. Make certain that you protect “all doors and windows” (not only what the vendor can support) and that you receive real-time, actionable insights.
- Establish and verify a security baseline across all your databases—Does the solution provide comprehensive vulnerability detection that spans all your database platforms? How often is the scan list updated by the vendor in response to new threats? Is the scan library based on a theoretical framework (for example, database vendor recommendations and industry guidelines), or is it based on real-world security know-how? Can it integrate with your organization’s current IT security landscape: security information and event management (SIEM), McAfee ePolicy Orchestrator (McAfee ePO) software, and database administration management (DAM) system?
- Provide detailed reporting and continuous compliance—The ability to quickly validate and document compliance will become even more important going forward. Integrated compliance reporting through a central management platform is a must.
- Easily deploy across complex and heterogeneous IT environments (including virtual and cloud)—Today’s databases are a hybrid combination of dedicated and virtualized environments that span multiple platforms. Your database security solution must protect all of them.
- Quickly and easily scale to meet your growth and performance needs—How quickly can the solution be deployed? What resources are required to deploy and manage it? Does the solution require hardware appliances? If so, how many must be added, and how will they be managed? What are the maintenance implications?
- Help ensure segregation of duties for privileged users—SOX, PCI-DSS, HITECH, and numerous global privacy regulations now require that your organization enforce and monitor segregation-of-duties access to sensitive databases.

What Your Database Security Solution Should Not Do

- Create an additional security management silo—Who has time to learn and manage multiple point products or manually sort through database log files? Disjointed security products that lack an integrated security management console result in time-consuming, reactive, and ineffective database protection and often involve lengthy deployment and configuration. Time-consuming, resource-intensive, and operationally disruptive deployment and integration engagements delay protection and may result in ongoing maintenance commitments.
- Degrade application/database performance—A database security solution cannot slow down business-critical database services. Solutions that force you to compromise and disable certain features so as to reduce the database performance impact or reduce your network load can be counterproductive.
- Require substantial time and effort for setup and management—This is especially a problem if it occurs on an ongoing basis.
- Be based on a business model that is complex—Such solutions can be difficult to track and control, may introduce the risk of future licensing surprises (for example, they cannot be properly scoped upfront), may require a repurchase of the solution every few years (for example, the appliance hardware refresh cycle), and could open you up to potential enforcement and litigation risks.

How McAfee Database Security Solutions Stack Up Against the Competition

Take a closer look at the key functional capabilities you need and how the McAfee Database Security solution compares to the competition in each of the following areas.

Database vulnerability management

Most vulnerability assessment products aren’t comprehensive and intelligent enough to thoroughly test database systems, putting your most sensitive and valuable data at risk.
Compulsory for any database security solution is the ability to discover any and all databases on your network, identify the ones that contain sensitive data (credit card numbers, Social Security numbers, and passwords), determine if the latest patches have been applied, and perform extensive (and regularly updated) comprehensive testing to identify security weaknesses. Used properly, a database vulnerability management solution can help you establish a security baseline across a large number of sensitive databases and periodically monitor databases to highlight any drifts from the approved baseline.

Vulnerability Testing

Number of Vulnerability Tests
  IBM InfoSphere Guardium: 1,000 vulnerability tests, mostly based on vendor recommendations and industry standards.
  Imperva SecureSphere DAM: 2,000 vulnerability tests, mostly based on vendor recommendations and industry standards.
  Application Security AppDetective Pro/DB Protect: 2,000 vulnerability tests.
  McAfee Database Security Solution: 4,700 vulnerability tests and checks (including CIS and STIG scans).

Frequency of Scan Library Update
  IBM InfoSphere Guardium: Infrequently.
  Imperva SecureSphere DAM: Infrequently.
  Application Security AppDetective Pro/DB Protect: A few times a year.
  McAfee Database Security Solution: Every four weeks on average.

Fast Weak Password Scanner
  IBM InfoSphere Guardium: Slow.
  Imperva SecureSphere DAM: Slow.
  Application Security AppDetective Pro/DB Protect: Slow.
  McAfee Database Security Solution: Very fast scanning algorithm (more than one million combinations per second).

McAfee ePO Software Integration
  IBM InfoSphere Guardium: No.
  Imperva SecureSphere DAM: No.
  Application Security AppDetective Pro/DB Protect: No.
  McAfee Database Security Solution: Yes—It improves visibility and automates management, vulnerability analysis, and reporting in a single console.

Database activity monitoring (DAM)

Perimeter and network protection measures and basic security measures built into databases do not provide adequate security to sensitive databases. They don’t protect you from today’s sophisticated hackers and malicious insiders. An effective database activity monitoring solution must be easy to manage, provide comprehensive protection against modern threats, and be able to not only alert but also stop attacks before they can cause damage.

Database Performance Impact of Activity Monitoring

Your databases and the networks that provide access to them must remain available and responsive. In addition, you need a database security solution that can provide real-time, actionable insights, not just after-the-fact forensics. The McAfee Database Security solution provides a clear competitive advantage in these areas:

Performance

Autonomous Agents (minimize network traffic and server I/O consumption)
  IBM InfoSphere Guardium: No—Sensors must send traffic over the network to a collector appliance for analysis, increasing both server and network load. Agents cache traffic to local disk, consuming server I/O and impacting database performance. Blocking requires proxy agents (S-Gate) that introduce latency.
  Imperva SecureSphere: No—Database host agents must send traffic over the network to the SecureSphere appliance(s) for analysis, increasing network load.
  Oracle DataWall: No—Database host agents must send traffic over the network to the SecureSphere appliance(s) for analysis, increasing network load.
  McAfee Database Security Solution: Yes—Minimal performance impact: less than 5% of a single host core CPU per monitored instance, less than 100 MB of RAM. No I/O consumption. Sensors do not introduce latency.

Agent Installation and Upgrade Process
  IBM InfoSphere Guardium: Disruptive—Requires database/server shutdown for initial installation and subsequent agent upgrades.
  Imperva SecureSphere: Requires database/server shutdown for initial installation and subsequent agent upgrades.
  Oracle DataWall: Requires database/server shutdown for initial installation and subsequent agent upgrades.
  McAfee Database Security Solution: Transparent—Agent installation and subsequent upgrades do not involve server or database shutdown.

Agent Architecture
  IBM InfoSphere Guardium: Intrusive—Agents operate at the kernel level and can affect database and server performance. Blocking agents (S-Gate) are installed as proxies, introducing latency.
  Imperva SecureSphere: Intrusive—Agents operate at the kernel level and can affect database and server performance.
  Oracle DataWall: Intrusive—Agents operate at the kernel level and can affect database and server performance.
  McAfee Database Security Solution: Non-intrusive—Sensors are not installed at the kernel level and therefore cannot interfere with database/server performance.

Database Activity Monitoring Implementation and Capabilities

Underlying Monitoring Technology
  IBM InfoSphere Guardium: SQL sniffing via network appliances and/or local host forwarding agents. Limited visibility and easy to evade (relies only on the actual text of the SQL command).
  Imperva SecureSphere DAM: SQL sniffing via network appliances and local host forwarding agents. Limited visibility and easy to evade (relies only on the actual text of the SQL command).
  Oracle DataWall (formerly Secerno): SQL sniffing via network appliances and local host forwarding agents. Limited visibility and easy to evade (relies only on the actual text of the SQL command).
  Application Security DB-Protect: SQL sniffing via forwarding agents. Limited visibility and easy to evade (relies only on the actual text of the SQL command).
  McAfee Database Security Solution: Monitors by analyzing the database shared memory, providing much more visibility into threats (able to monitor transactions that originate inside the database itself and able to understand how the database interpreted obfuscated SQL payloads).

Autonomous versus Console-Dependent Analysis and Blocking
  IBM InfoSphere Guardium: Dependent—Database server agent(s) forward all database traffic back to one or more appliances (collectors) for actual analysis. Requires a management appliance to aggregate and manage the collectors.
  Imperva SecureSphere DAM: Dependent—Appliance monitors network traffic (requires SPAN/TAP port), and database-server agent(s) forward(s) all local database traffic back to the network appliance(s) for analysis.
  Oracle DataWall (formerly Secerno): Dependent—Appliances monitor network traffic (requires SPAN/TAP port), and database-server agent(s) forward(s) all local database traffic back to the network appliance(s) for analysis.
  Application Security DB-Protect: Dependent—Database server agent(s) forward(s) all database traffic back to appliance(s) for analysis.
  McAfee Database Security Solution: Autonomous—Software-only solution utilizes host-based, non-intrusive, and lightweight autonomous agents (sensors) that monitor the database memory. The autonomous sensors perform the monitoring locally and do not need to forward the full database traffic to an external appliance for analysis. Only relevant events are forwarded to the management console. Sensors do not operate at the kernel level and do not cache traffic to the server hard disk.

Smart, Comprehensive Agent Technology
  IBM InfoSphere Guardium: No—Intrusive (kernel-level) agents that forward database traffic to an external collector for analysis. Caches traffic to local disk (degrading database performance). S-Gate (blocking) agents act as proxies, delaying transaction execution. Lacks visibility into intra-database activity (dynamic stored procedures, triggers, views, obfuscated payloads, and more). Database and host crashes and restarts are not uncommon.
  Imperva SecureSphere DAM: No—Kernel-based agent involves DBMS instrumentation and degrades performance. Agent monitors only the local host traffic but doesn’t provide visibility into intra-database activity.
  Oracle DataWall (formerly Secerno): No.
  Application Security DB-Protect: No.
  McAfee Database Security Solution: Yes—Intelligent, autonomous agent monitors database memory and provides full visibility into all database activity, including transactions originating from inside the database itself (intra-database traffic). This read-only process at the operating system level does not require any database or host downtime, generate any latency, or consume any input/output.

User-Based Application Monitoring for Multitier Environments
  IBM InfoSphere Guardium: Yes.
  Imperva SecureSphere DAM: Partial—Based on correlating event information from WAF logs and DAM logs. Accuracy of matching is not guaranteed and deteriorates rapidly as traffic volume grows.
  Oracle DataWall (formerly Secerno): No.
  Application Security DB-Protect: No.
  McAfee Database Security Solution: Yes (accurate)—McAfee iDentifier module captures end-user identity with 100% accuracy regardless of traffic volume, providing full visibility and reporting into who is doing what in the database.

Monitors at the Database Object Level and Obfuscated Payloads
  IBM InfoSphere Guardium: No—Cannot monitor at the database object level (limited to only seeing the text of the SQL command) and blind to obfuscated SQL payloads that can be used by hackers/insiders to easily bypass monitoring.
  Imperva SecureSphere DAM: No—Cannot monitor at the database object level (limited to only seeing the text of the SQL command) and blind to obfuscated SQL payloads that can be used by hackers/insiders to easily bypass monitoring.
  Oracle DataWall (formerly Secerno): No—Cannot monitor at the database object level (limited to only seeing the text of the SQL command) and blind to obfuscated SQL payloads that can be used by hackers/insiders to easily bypass monitoring.
  Application Security DB-Protect: No—Cannot monitor at the database object level (limited to only seeing the text of the SQL command) and blind to obfuscated SQL payloads that can be used by hackers/insiders to easily bypass monitoring.
  McAfee Database Security Solution: Yes—McAfee memory-based sensors can see the actual database object being accessed (even if it is not mentioned in the SQL command text). Allows seamless monitoring of all database traffic, including obfuscated payloads (which are visible to the sensor “in the clear” in the database memory).
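The distinction the table draws between matching the text of the SQL command and seeing the object the database actually reads, shown as an added example that is not code from the McAfee brief or from any vendor named in it. SQLite’s authorizer callback stands in for memory-level object visibility; the sensitive table, the view, the trigger, and the sample statements are all constructed for the example.

```python
import re
import sqlite3

# Constructed for this example: the table the organisation treats as sensitive.
SENSITIVE_TABLES = {"cards"}


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a sensitive table, a view over it, and a trigger
    that reads it from inside the database (the brief's intra-database activity)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, holder TEXT);
        INSERT INTO cards VALUES (1, '4111111111111111', 'sample holder');
        CREATE VIEW v_report AS SELECT holder, pan FROM cards;
        CREATE TABLE requests (who TEXT);
        CREATE TABLE export (pan TEXT);
        CREATE TRIGGER on_request AFTER INSERT ON requests
        BEGIN INSERT INTO export SELECT pan FROM cards; END;
    """)
    return conn


def text_rule_hits(sql: str) -> set:
    """Sniffing-style rule: flags only sensitive tables literally named in the SQL text."""
    return SENSITIVE_TABLES & set(re.findall(r"[a-z_]\w*", sql.lower()))


def object_level_hits(sql: str) -> list:
    """Object-level check: every (table, context) the engine actually reads while
    preparing the statement, as reported by SQLite's authorizer callback. The
    context is the view or trigger name when the read happens inside one.
    A fresh connection is opened per call so the statement cache cannot skip
    the compile-time callbacks."""
    touched = set()

    def authorizer(action, arg1, arg2, db_name, context):
        if action == sqlite3.SQLITE_READ and arg1 in SENSITIVE_TABLES:
            touched.add((arg1, context or "top-level statement"))
        return sqlite3.SQLITE_OK

    conn = build_db()
    conn.set_authorizer(authorizer)
    try:
        conn.execute(sql).fetchall()
    finally:
        conn.close()
    return sorted(touched)


def compare(sql: str) -> dict:
    """Side-by-side result for one statement."""
    return {"sql": sql, "text_rule": text_rule_hits(sql),
            "object_level": {t for t, _ in object_level_hits(sql)}}


if __name__ == "__main__":
    # Direct access is caught by both; the view and the trigger only by the object-level check.
    for stmt in ("SELECT pan FROM cards",
                 "SELECT pan FROM v_report",
                 "INSERT INTO requests VALUES ('svc')"):
        print(compare(stmt))
```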

Database Activity Monitoring Implementation and Capabilities (continued)

Effective Prevention of Unauthorized Local Transactions
  IBM InfoSphere Guardium: Partial (very intrusive and rarely used)—Can miss malicious or unauthorized activity as SQL traffic is sent back to the management appliance for analysis. By the time a statement is defined as rogue, it is too late to be blocked. Additionally, blocking requires use of a different agent (S-GATE), which acts as a proxy, adding latency and consuming I/O (caches traffic to disk). It can be easily bypassed by accessing the original database port.
  Imperva SecureSphere DAM: Partial—Network blocking only (no local host traffic blocking). Network appliance must be in-line to block network threats, introducing a single point of failure in the critical path. Agents cannot block local traffic at all.
  Oracle DataWall (formerly Secerno): Partial—Network blocking only (no local host traffic blocking). Network appliance must be in-line to block network threats, introducing a single point of failure in the critical path. Agents cannot block local traffic at all.
  Application Security DB-Protect: No.
  McAfee Database Security Solution: Yes—McAfee can effectively block many types of malicious or unauthorized activity in real time. Because the sensor monitors transactions in memory, operates autonomously, and resides on the host system, it can intervene and terminate connections immediately.

Establishes Segregation of Duties
  IBM InfoSphere Guardium: Partial—Due to the limitations of SQL sniffing technology, privileged insiders and sophisticated hackers can evade monitoring/detection simply by using obfuscated SQL payloads, dynamic views, and stored procedures.
  Imperva SecureSphere DAM: Partial—Due to the limitations of SQL sniffing technology, privileged insiders and sophisticated hackers can evade monitoring/detection simply by using obfuscated SQL payloads, dynamic views, and stored procedures.
  Oracle DataWall (formerly Secerno): Partial—Due to the limitations of SQL sniffing technology, privileged insiders and sophisticated hackers can evade monitoring/detection simply by using obfuscated SQL payloads, dynamic views, and stored procedures.
  Application Security DB-Protect: Partial—Due to the limitations of SQL sniffing technology, privileged insiders and sophisticated hackers can evade monitoring/detection simply by using obfuscated SQL payloads, dynamic views, and stored procedures.
  McAfee Database Security Solution: Yes—Database memory monitoring technology sees all database transactions, including access originating inside the databases. Able to detect the actual objects accessed by the database and monitor obfuscated SQL payloads (which are monitored in the clear in the database memory). Establishes strict separation of duties.

Script Signing
  IBM InfoSphere Guardium: No.
  Imperva SecureSphere DAM: No.
  Oracle DataWall (formerly Secerno): No.
  Application Security DB-Protect: No.
  McAfee Database Security Solution: Yes—The ability to digitally sign database scripts ensures that they are not modified prior to execution (patent pending).

Ability to Identify SUDU Users
  IBM InfoSphere Guardium: No.
  Imperva SecureSphere DAM: No.
  Oracle DataWall (formerly Secerno): No.
  Application Security DB-Protect: No.
  McAfee Database Security Solution: Yes.

Ease of use and deployment

Complex security products require more training and additional consulting and integration costs, which should be taken into account when calculating the total cost of ownership of a solution. What’s more, their complexity often results in partial use of product features, resulting in reduced database protection. Solutions that generate too much data, or hard-to-decipher security data in unusable formats, complicate the database security challenge.

Ease of Deployment and Use

Easy to Install
  IBM InfoSphere Guardium: No—Routinely requires weeks of professional services to deploy and configure.
  Imperva SecureSphere: No—Routinely requires weeks of professional services to deploy and configure.
  Application Security: No—Routinely requires weeks of professional services to deploy and configure.
  McAfee Database Security Solution: Yes—Software-only solution, easy to install and configure. Does not require network setup changes or SPAN/TAP port provisioning. Simple installations are completed in hours.

Agents Installation and Upgrade Process
  IBM InfoSphere Guardium: Intrusive—Often requires database/server restart.
  Imperva SecureSphere: Intrusive—Often requires database/server restart.
  Application Security: Intrusive—Often requires database/server restart.
  McAfee Database Security Solution: Non-intrusive—Installation and upgrades of the sensors do not require any database or server restart.

Flexible Deployment in Different Network Topologies/Distributed Environments
  IBM InfoSphere Guardium: No—Requires one or more collector appliances per location.
  Imperva SecureSphere: Yes.
  Application Security: Yes.
  McAfee Database Security Solution: Yes—Software only and network agnostic. Topology doesn’t impact ease of use or management. Smart sensors run in memory on each database. Thousands of sensors monitoring databases in multiple geographies can all be managed from a single MDAM management console.

Effective in Cloud and Virtualized Environments
  IBM InfoSphere Guardium: No—All traffic must be sent to a central server for evaluation; dynamic infrastructures create out-of-date configurations.
  Imperva SecureSphere: No—All traffic must be sent to a central server for evaluation; dynamic infrastructures create out-of-date configurations.
  Application Security: No—Some tools (such as database firewall) require appliance installation.
  McAfee Database Security Solution: Yes—Sensor-based architecture performs perfectly in distributed models, including virtual machines and cloud-based architectures.

Business Model Differences

Total Cost of Ownership
  IBM InfoSphere Guardium: Appliance-based model requires costly appliance upgrades every three to five years. Large/complex environments require many appliances (collectors).
  Second vendor (column header not legible in the transcription): Appliance-based model requires costly appliance upgrades every three to five years. Large/complex environments require many appliances (collectors). Requires TAP/SPAN ports, which might entail additional hardware costs. Appliances may require unexpected costly upgrades once traffic volume exceeds the appliance rated capacity.
  Oracle DataWall: Appliance-based model requires costly appliance upgrades every three to five years. Large/complex environments require many appliances (collectors). Requires TAP/SPAN ports, which might entail additional hardware costs. Appliances might require costly upgrades once traffic volume exceeds the appliance rated capacity.
  McAfee Database Security Solution: No appliances, no hardware upgrade c
