Security breaches are constantly in the news. Take, for example, the Target debacle, the Neiman Marcus disaster, and the Snapchat catastrophe, all of which could have been prevented if only those charged with IT security had the actionable threat intelligence to proactively harden their systems.
While many different elements contributed to those breaches, some of which may never be known, those security failings all have one thing in common: a lack of in-depth knowledge about how systems were secured, about where vulnerabilities were exposed, and about what the long-term damage may be.
San Diego-based DB Networks may very well have the answers to many of those security shortcomings in the form of its IDS-6300, a security appliance that detects intrusions into databases and gives administrators the intelligence to stop them.
Case in point: the ubiquitous SQL injection attack, which is far more common than most will admit. SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them. However, according to Neira Jones, former head of payment security for Barclaycard, some 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line.
With that in mind, DB Networks’ solution may prove to be the best friend any security administrator could have.
Taking a closer look at the DB Networks IDS-6300
I recently had a chance to put the DB Networks IDS-6300 through its paces at the company’s San Diego offices. The IDS-6300 is a physical appliance, built on Intel hardware as a 2U rack-mountable server. The device features four 10/100/1000 Ethernet ports for data capture, one 10/100/1000 Ethernet admin port and one 10/100/1000 Ethernet customer service port, as well as a 480 GB SSD and 2 TB of archival storage.
The device is deployed by plugging it into either a SPAN port or a tap port on the core switch in front of the database servers. The idea is to place the device logically ahead of the database servers, yet behind the application servers, so it can focus on SQL traffic. The IDS-6300 is managed via a browser-based interface and supports the Chrome, Internet Explorer, Firefox and Safari browsers. It will also fully support IE11 in the near future.
I tested the device in a mock operational environment that included MS-SQL databases and a demo version of a banking application that incorporated some known vulnerabilities. Setting up the device entailed little more than defining the capture ports and some very basic post-installation items. Once configured to capture data, the next step was to identify databases.
Here, the IDS-6300 does an admirable job. It automatically discovers any database that sees traffic, even simple communications such as basic SQL statements. The device monitors traffic 24/7, so new database activity is picked up as it appears.
That proves critical in the quest to secure databases. According to company representatives, many customers have discovered databases that IT did not know were running in production environments. What’s more, the database discovery capability can be used to identify rogue databases or databases that were never shut down after a project completed.
The database discovery information offers administrators real insight into what exactly is operating on the network and what is vulnerable to attack. Knowing that information can be the first step in mitigating security problems, even before venturing into traffic analysis and detection.
Database detection finds all active databases
Nevertheless, the product’s real power comes into play when detecting SQL injection attacks. Instead of using canned templates or signatures, the IDS-6300 takes SQL attack detection to the next level. The device learns what normal traffic is, records and analyzes what that traffic accomplishes, and builds a behavioral model based on that knowledge.
Simply put, the device learns how an application communicates with a database and uses that information to create a behavioral model. Once learning is completed, the device uses multiple detection techniques to validate future SQL statements against expected behavior. In practice, behavioral analysis proves immune to zero-day attacks, newly scripted attacks and even old, recycled attacks, because all of those attacks fall outside the norms of expected behavior.
That behavioral analysis eliminates the need for signatures, blacklists, whitelists and other technologies that rely on pattern matching or static detection. This in turn reduces operational overhead and maintenance chores, making SQL injection monitoring close to plug-and-play.
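To make the behavioral approach concrete, here is an added illustration of the idea in Python; it is my own sketch, not DB Networks’ code or algorithm, which the article does not describe in detail. It reduces each SQL statement to its structural shape, learns the shapes seen during a learning phase (constructed sample traffic from a hypothetical banking application), and flags any statement whose shape was never learned, reporting the fragment added relative to the nearest learned shape.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed learning-phase traffic: statements a hypothetical banking
# application normally sends to its database (sample data, not DB Networks').
BASELINE = [
    "SELECT balance FROM accounts WHERE account_id = 1042",
    "SELECT balance FROM accounts WHERE account_id = 7",
    "SELECT id, amount FROM transactions WHERE account_id = 1042 AND posted > '2014-01-01'",
    "UPDATE accounts SET balance = 1500.25 WHERE account_id = 1042",
    "INSERT INTO audit_log (account_id, action) VALUES (7, 'login')",
]

_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")  # string or number literal
_SPACE = re.compile(r"\s+")

def skeleton(sql):
    """Reduce a statement to its shape: literals become '?', case and
    whitespace are normalised, so only the query's structure remains."""
    return _SPACE.sub(" ", _LITERAL.sub("?", sql)).strip().lower()

class BehavioralModel:
    """Learns the statement shapes an application issues, then judges new
    statements by shape rather than by attack signature."""
    def __init__(self):
        self.shapes = Counter()

    def learn(self, statements):
        for s in statements:
            self.shapes[skeleton(s)] += 1

    def check(self, sql):
        """Return (verdict, closest learned shape, fragment not in that shape)."""
        sk = skeleton(sql)
        if sk in self.shapes:
            return "expected", sk, ""
        if not self.shapes:
            return "anomalous", "", sk
        # Unknown shape: find the nearest learned shape and report what was
        # added to it, which is the first thing an analyst wants to see.
        best = max(self.shapes, key=lambda k: SequenceMatcher(None, k, sk).ratio())
        ops = SequenceMatcher(None, best, sk).get_opcodes()
        extra = [sk[j1:j2].strip() for tag, _, _, j1, j2 in ops if tag in ("insert", "replace")]
        return "anomalous", best, " ".join(e for e in extra if e)
```

Note that a statement a new application release legitimately introduces is flagged just the same, so a model of this kind has to be re-learned after each deployment.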
When SQL injection attacks occur, the IDS-6300 captures all of the traffic and transaction information around that attack. What’s more, the device categorizes, analyzes and presents the critical information about the attack so that administrators (or application engineers) can modify database code or incorporate firewall rules quickly to remediate the problem.
That brings up another interesting point. The IDS-6300 makes a strong ally for organizations trying to improve application code. With many businesses turning to outsourcing and/or modifying off-the-shelf/open source software for application development, due diligence may fall short and agile development projects may introduce security flaws into application code. That is not an uncommon problem, at least according to Forrester Research’s Manatosh Das. Poor application coding persists despite lessons learned. Das claims that more than two-thirds of applications have cross-site scripting vulnerabilities, nearly half fail to validate input strings thoroughly, and nearly one-third can fall victim to SQL injection. Das added that security professionals and software engineers have known about these types of flaws for years, but they continue to show up repeatedly in new software code.
Full drill-down into attacks provides ample information
The IDS-6300 will quickly detect those newly introduced flaws and prevent poor programming practices from creating vulnerabilities. It will then provide the information needed to fix those flaws.
The IDS-6300 offers another advantage to customers: Its ability to identify what databases are active and what they are used for can help companies consolidate databases and significantly reduce licensing and support costs. DB Networks reports that one of their customers reduced database licensing costs by over $1 million this way.
Of course, DB Networks isn’t the only player in the SQL injection detection game. Vendors such as Imperva, F5 Networks, Dell, and many others offer technologies to deal with injection-based attacks. However, unlike DB Networks, those other solutions rely on whitelisting, template-based detection and other static technologies to identify attacks. Currently, DB Networks is the only vendor using behavioral analysis, coupled with machine learning, to detect SQL injection.
The IDS-6300 starts at $25,000 and is available directly from DB Networks and authorized partners.