For years, organizations have been faced with a trade-off between risk mitigation and business continuity. One security methodology characterized by this trade-off is the “blocking” function found in most database activity monitoring offerings. Also called virtual patching or intrusion prevention, the technology’s basic blocking capabilities fail to consider that environments and applications differ, and not all bad actions have the same impact. As a result, typical blocking functionality can erroneously block authorized activity or create “false positives”, resulting in costly and unnecessary business interruption.
“We have repeatedly heard from security pros and DBAs that traditional DAM blocking implementations have severe limitations and are often not deployed in production environments,” said Josh Shaul, Chief Technology Officer, AppSecInc. “We designed Active Response to give customers the flexibility to implement a broad range of responses and apply those responses to very specific events. This precision-controlled approach ensures an active and appropriate response, while minimizing false positives and business disruption.”
DbProtect Active Response: Not Just Blocking
Driven by DbProtect’s powerful policy engine, Active Response allows organizations to define and map appropriate responses to specific activities and specific users. By providing a fine level of granularity, organizations can strengthen the incident response process. While offering the flexibility required by an organization’s unique environment Active Response includes the capabilities to:
Block suspicious activity
Initiate malware (and other security) scans
Disable inappropriate application users
Notify SIEM systems of suspicious activity for correlation with web applications
Open trouble tickets and assign to appropriate system
Configure database to deny access to suspicious users or machines
Send alerts to IT staff to initiate investigation and response
Revoke administrative privileges
Key capabilities of DbProtect Active Response include the ability to:
Detect suspicious activity to prevent attacks: Exploits of known vulnerabilities or database misconfigurations can be mistaken for normal activity. Detecting suspicious activity and locking out the user accounts exploited by attackers can halt a database attack before damage is done.
Satisfy audit requirements by enforcing Segregation of Duties (SoD) rules: By enforcing SoD rules on privileged users, users with excess privileges are blocked from accessing information stored in databases that is not relevant to their responsibilities. Organizations can now readily satisfy information security concerns that have become common in audit findings.
Reduce risk through virtual patching: Patching is expensive and sometimes difficult to perform in a timely manner. Active Response offers interim protection and reduces the need for patching. When the vulnerability is identified, organizations can implement a policy to block activity or take other action if an attempt is made to exploit that vulnerability.
Prevent data leakage to limit exposure: Data leakage is often a forensic, rather than preventative activity. For example, in most cases, employees should not be allowed to store sensitive data on their laptops. Blocking unauthorized queries that attempt to extract large amounts of sensitive data ensures that data does not leave the database and eliminates the risk associated with the loss of personal computing devices.
“Blocking capabilities are an important part of an effective database security strategy, but current competitive offerings are not without significant flaws,” added Shaul. “Active Response addresses those shortcomings and provides a flexible user experience that is not only empowering, but meets the unique needs of any organization.”
DbProtect Active Response is generally available and included as part of the DbProtect 6.3 Database Activity Monitoring module.
About Application Security, Inc.
AppSecInc is a pioneer and leading provider of database security, risk and compliance (SRC) solutions for the enterprise. By providing strategic and scalable software-only solutions – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – AppSecInc supports the database SRC lifecycle for some of the most complex and demanding environments in the world across more than 2,000 commercial and government customers.