Small clues can show You big issues - Imperva


Imperva Breach Prevention
Protect enterprise data from insider threats
Piotr Motłoch
October 2016
© 2016 Imperva, Inc. All rights reserved.
People are the weak link: compromised, careless or malicious.

The questions every defender has to answer:
• Exactly who is accessing my data?
• Is the access OK?
• How do I respond quickly if it is not?
Truly Detecting and Containing Breaches Requires Addressing All
Detecting and Containing Breaches

Three stages, each backed by an Imperva product:
• MONITOR – Visibility: monitor access to databases, file servers and cloud apps (Imperva SecureSphere, Imperva Skyfence)
• LEARN AND DETECT – Behavior Analytics (machine learning) and Deception Tokens (Imperva CounterBreach)
• BLOCK / QUARANTINE – Contain and Investigate (Imperva SecureSphere, Imperva Skyfence)
User interface: Imperva SecureSphere
[Slide word cloud] BREACHES ARE FOUND AT THE INTERSECTION OF USERS AND DATA
• USER attributes: user identity, user department, user domain, OS user, database user name, client IP, client port, client application, endpoint host name
• DATA attributes: server IP, file share IP, database name, schema, table name, file name, file path, file type, file operation, SQL operation and type, data sensitivity, number of rows, affected rows, database error code, server response time, operation response time
Behavior: Develop a Baseline of User Data Access (example: a PCI database)
• Who is connecting to the database?
• What data are they accessing?
• How do they connect to the database?
• How much data do they query?
• Do their peers access data in the same way?
• When do they usually work?
Key Indicators of Data Access Abuse
• Service Account Abuse
• Data Access Outside of Working Hours
• Suspicious Application Data Access
• Excessive Failed Logins by User
• Machine Takeover
• Excessive Database or File Access
• Excessive Failed Logins from App Server
Findings in Customer Environments
Service Account Abuse (Suspicious Application Data Access) – Transportation Authority
Incident: interactive user “Liana” connects with the query tool “redgate” using the service account “CrimeDB”.
Typical behavior: the “CrimeDB” account is used only by the application, on behalf of FBI personnel (database used by the FBI).
• Malicious user accesses a sensitive database using a highly privileged account
• Bypasses access controls
• Activity is untraceable
Suspicious Application Data Access – Healthcare
Incident: interactive user “Tyler” connects with the query tool “MS SQL Server Mgmt Studio” using the personal DB account “domain/tyler”.
Typical behavior: authorized users reach the sensitive HR employee feedback data only through the application “hrP”.
• Unauthorized access to a large quantity of sensitive HR data
• Investigation shows that the AD account was locked (contractor)
• User retrieved data before leaving the company
Excessive Database or File Access – Financial Services
Incident: interactive user “Rick” connects with the query tool “Aqua Data Studio” using the personal DB account “domain/rick” and retrieves 9.7M rows.
Typical behavior: the “AuditLog” database tables are accessed by the application (.net sqlclient).
• Interactive user retrieves 9.7M rows from “auditlog” tables
• Direct access using a DB query tool, not the app account
• Flagged as a possible attempt to modify audit log data
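The baseline questions and the three case studies above describe one detection loop: profile each user's normal access, then flag deviations. The following is an added example, not Imperva's code or CounterBreach logic; it runs that loop over constructed access records. Account and tool names come from the deck, while the event fields, the 10x row threshold and the "hours seen" definition of working hours are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

@dataclass
class AccessEvent:
    user: str        # interactive (OS/AD) user behind the session
    db_account: str  # database account the session authenticated as
    client_app: str  # application or query tool that issued the query
    rows: int        # rows returned by the operation
    hour: int        # hour of day (0-23) when it ran

# Hypothetical policy inputs: accounts reserved for applications, and the query tools named in the deck.
SERVICE_ACCOUNTS = {"CrimeDB"}
QUERY_TOOLS = {"redgate", "MS SQL Server Mgmt Studio", "Aqua Data Studio"}

def build_baseline(history):
    """Per-user profile: hours seen, client apps seen, mean rows per query."""
    raw = defaultdict(lambda: {"hours": set(), "apps": set(), "rows": []})
    for e in history:
        raw[e.user]["hours"].add(e.hour)
        raw[e.user]["apps"].add(e.client_app)
        raw[e.user]["rows"].append(e.rows)
    return {u: {"hours": p["hours"], "apps": p["apps"], "avg_rows": mean(p["rows"])}
            for u, p in raw.items()}

def classify(event, baseline, rows_factor=10):
    """Return the deck's indicator names this event trips ([] means normal)."""
    flags = []
    if event.db_account in SERVICE_ACCOUNTS and event.client_app in QUERY_TOOLS:
        flags.append("Service Account Abuse")
    profile = baseline.get(event.user)
    if profile is None:  # never seen this user: nothing to compare against
        return flags + ["No baseline for user"]
    if event.client_app not in profile["apps"]:
        flags.append("Suspicious Application Data Access")
    if event.hour not in profile["hours"]:
        flags.append("Data Access Outside of Working Hours")
    if event.rows > rows_factor * profile["avg_rows"]:
        flags.append("Excessive Database or File Access")
    return flags

# Constructed history: normal application traffic for two users.
HISTORY = [AccessEvent("rick", "domain/rick", ".net sqlclient", r, h)
           for r, h in [(120, 9), (80, 11), (100, 14)]]
HISTORY += [AccessEvent("liana", "domain/liana", "CaseApp", r, h)
            for r, h in [(40, 9), (60, 13), (50, 16)]]
BASELINE = build_baseline(HISTORY)
# Constructed test events modelled on the deck's incidents.
RICK_DUMP = AccessEvent("rick", "domain/rick", "Aqua Data Studio", 9_700_000, 11)
LIANA_SVC = AccessEvent("liana", "CrimeDB", "redgate", 400, 22)
```

Rick's 9.7M-row pull trips both the tool and volume indicators even though it happens during his normal hours, which is the point of a baseline: no single field is suspicious on its own.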
CounterBreach Deception Tokens

Deception Tokens – Pinpoint Compromised Devices
• Detects endpoints compromised by attackers
• Lures attackers with fictitious information tokens: database credentials, links to network files, web browser cookies
  – Completely passive; planted on workstations and appear authentic
• Token triggers are flagged in CounterBreach
• Complements Behavior Analytics
Product Tour: CounterBreach

CounterBreach Dashboard
• CounterBreach protects data on-prem and in the cloud
• View threat indicators across all enterprise data
• Drill down into users, hosts and servers with the most severe incidents

CounterBreach User Screen
• Click a user to see their behavior across data assets
• Drill into incidents and anomalies
• View user details, including John’s manager
• See what data John has been accessing

CounterBreach Incidents Screen
• View all open incidents for John Heidorn
• Drill down into an incident: description of the incident and its implications
• Drill down into John Heidorn’s behavior profile
• Database tables accessed by the user
• View the operation type and number of records accessed

User Behavior Profile Screen
• Endpoints used by John to access data
• Typical working hours
• Database access activity
• John’s file access activity
• File access of John’s peer group
• File access compared to the organization

Whitelist an incident
• Name the whitelist rule and set an expiration date
• Information about the incident is automatically populated for the whitelist