
Ebook Imperva SecureSphere DAP Getting Started

Uploaded by

jairo_lindeman

E-BOOK

Database Audit and Protection Tips


Book 1: Getting Started
Content

Introduction
Tip 1: Have a Good Plan
Tip 2: Know the Data
Tip 3: Start with Results in Mind
Tip 4: Implement a Universal Solution
Summary
eBook Series

Database Audit and Protection Tip Series: E-Book 1 | August 2016


Introduction

Welcome to the Imperva Database Audit and Protection (DAP) Tip Series of eBooks

Enterprises are accustomed to hardening the perimeter and assuming their data is safe “inside the walls”. This assumptive security model is proving ineffectual as companies looking to improve process and customer experience move the data closer to or beyond the perimeter to support web, mobile and cloud-based applications. Savvy thieves can infiltrate systems and exfiltrate thousands or millions of records in minutes. The risk from inside is even more dangerous, as malicious users and compromised privileged users have unlimited access to the organization’s systems and can steal data at will. Data audit, or database activity monitoring, for security and compliance is a critical component in a data-centric security strategy, providing clear visibility into where your sensitive data is, the risk it poses and the data activity.

This eBook, “Database Audit and Protection Tips: Getting Started”, is the first in a short series aimed at providing an actionable set of tips for companies looking to implement a data-centric security strategy that addresses data audit and protection.

Imperva SecureSphere Database Firewall product screen shots are used to provide visual references that aid in understanding each tip.

For more information about the product, please visit: imperva.com

Tip 1: Have a Good Plan

• Understand What Is Needed
• Obtain Stakeholder Buy-In Early
• Know The Budget
• Stick To The Plan

The plan is a living document that reflects the lessons learned and evolving needs of the company. Ownership and
responsibility for the plan should reside with the person who will be held responsible in the event of a data breach.

Understand What Is Needed

Security and compliance reporting requirements can be complex in enterprises with large heterogeneous database environments. Fortunately, the objectives will distill down to a set of use cases with overlapping requirements. Your security strategy should reflect the company’s tolerance for risk. Auditing, or activity monitoring, for compliance only will provide little to no proactive security and limited forensic capabilities. Auditing for data security can be very simple or sophisticated. Some key differences are highlighted below:

Compliance data requirements are largely a subset of the broader and more time-sensitive data security requirements.

Traditional compliance monitoring
• Narrow scope and scale
• Record for historic review
• DBA centric, scripts
• Limited correlation with best of breed security solutions

Security monitoring
• Broad visibility and scalability
• Alert and/or block in real time on suspicious behavior
• Team and task centric
• Independent compliance and security evaluation engines
• Correlation with other best of breed security solutions

Obtain Stakeholder Buy-In Early

Successful deployment and positive quarterly results will, in large part, depend on the work you do
before you purchase the software. Early stakeholder involvement and consensus on objectives and
success criteria will reduce the number of “negative impact” concerns, speed deployment and increase
your depth and breadth of coverage.

Key Stakeholders
• Dev Ops
• Security
• Mainframe Ops
• Risk and Compliance
• DBA/Data Architect
• IT

Know the Budget

Justifying the initial and on-going cost of new technology requires an understanding of the cost
factors, time frames and the current return on investment. Verify there are no hidden costs or expensive
license renewals that are not accounted for in vendor cost estimates. Ask your short-list or in-house
team for a 5-year cost analysis that includes databases and use cases you will add post phase one.
Understand that different use cases can drastically change your audit volume and velocity.
Do your homework: gather the technical, cost and risk information necessary to calculate actual costs
and return on investments. For a sample cost analysis, calculate your savings using the Imperva Cost
Savings Estimator.

Cost analysis worksheet for the current solution (one column each for Year 1, Year 2, Year 3, Year 4 and Year 5), with one row per cost item:
• DB license, maintenance
• Software license, maintenance
• Hardware - include rack and power
• Storage costs
• Custom script costs
• Costs for correlation, analytics and reporting
• Administration
• Breach costs
• Failed audit costs

Understand the cost-risk balance and prepare a five-year total cost of ownership report.

Stick To The Plan

While the plan is a living document that reflects the lessons learned and evolving needs of the
company, you must manage to the existing plan. Control scope creep and set expectations. Use a
defined change process that accounts for additional resources and budget. Implement a solution that
will integrate and leverage your existing solutions to simplify management, maintenance and updates.
People change roles; remember to educate and evangelize the on-going benefits of your data audit
and protection solution. Communicate with your stakeholders and provide regular updates that are
pertinent to their needs. Your data audit and protection solution should facilitate role- and task-specific
reports and dashboards that can be scheduled and routed via email or web posting.

Data Audit and Protection Plan

First 30 Days
✓ Discover databases and sensitive data
✓ Classify risk and prioritize
✓ Configure PCI compliance policies and reports
✓ Configure PHI compliance policies and reports
✓ Configure sensitive data security policies
✓ Configure alert and incident response analysis

First 90 Days
✓ 52 Oracle databases
✓ Teradata
✓ Hadoop cluster
❑ FireEye malware integration
❑ Alert Dashboard
❑ Tune dynamic profiling

Tip 2: Know The Data

• Understand Where the Data is Located
• Identify Sensitive Data
• Understand Who has Access to the Data
• Assess Vulnerabilities and Gaps

The importance of data discovery and user rights analysis cannot be overemphasized.
Automate and routinely repeat the process of finding sensitive data and excessive user rights.

Understand Where the Data is Located

Automated discovery scans eliminate the need for error-prone manual database inventories. Select
a solution that finds the databases, enables single-click “acceptance” of the new database into the
default monitoring group and provides the option to arrange databases into either logical or physical
groupings for policy application and management.

[Imperva SecureSphere database discovery screen shots: Database Service Discovery Scan. Actionable: automates the process of on-boarding databases.]

Select technology that automates the discovery of a broad range of databases to speed deployment.

Identify Sensitive Data

Consistent classification of sensitive data is mandatory; relying on users to classify data consistently is not scalable. Your solution should provide a large number of predefined data types and
support the definition of custom data types. Actionable scan result screens speed the on-boarding and
rollout process.

[Imperva SecureSphere data classification screen shots: Predefined Data Types; Custom Data Types (Insurance Group Number); Classified Database Data (Payment Card). Actionable: automates the process of classifying data.]

Tools with predefined and customizable templates reduce the need for internal expertise and training.

Understand Who has Access to the Data

Implementing access control is part of virtually every compliance, privacy and governance policy. Use a
data audit and protection solution that provides user database rights discovery, both granted and
effective, with an integrated review and reporting capability.

[Imperva SecureSphere User Rights Management screen shots: Find excessive permissions and bad practices; Review effective permissions and manage role grants.]

Assess Vulnerabilities and Gaps

Systematically protecting data at scale requires a solution that can manage the complexities of multiple
and often overlapping compliance and security requirements. Leverage a solution that provides
pre-defined assessment scans and policies with regular updates from the vendor’s research team.

[Imperva SecureSphere vulnerability risk assessment and remediation reporting screen shots.]

Tip 3: Start with results in mind

• Confirm who needs what, when
• Leverage automation
• Prepare to respond
• Improve reporting

Real-time security incident response analysis and compliance reporting have overlapping but different needs.
Building and retaining in-house expertise and content are not practical for most companies. Buy a solution that
provides out-of-the-box policies and reports for both security and compliance, includes integrations to your
existing system and offers the flexibility and scalability to match your needs.

Confirm who needs what, when

Ensuring you deliver results that meet or exceed expectations is not an accident. Plan for the timely
delivery of the information your stakeholders require–including the information they will need as part
of an escalated audit task or security incident response.

Use case-stakeholder matrix. Stakeholder columns: IT, DBAs, Security, Risk and Compliance, Application Development. One row per objective:

Privileged User Monitoring ✓ ✓ ✓ ✓
Sensitive Data Audit ✓ ✓ ✓ ✓
Data Theft Prevention ✓ ✓ ✓
Data Across Borders ✓ ✓ ✓ ✓
Forensic data security visibility and investigation ✓ ✓
Change control reconciliation ✓ ✓ ✓ ✓
DB performance and optimization ✓ ✓
Application development testing and verification ✓ ✓ ✓

Create a use case-stakeholder matrix.

Leverage automation

Good automation frees up your staff to focus on the things that computers do not do well. It improves
consistency and enables scalability. Look for automation within the application and for APIs to
automate multi-system processes and facilitate integration with your IT management systems.

Automation checklist. Capability columns: Scheduler, built-in workflow; Actionable results; Followed action scripting; REST API (SSL); 3rd party integration. One row per process:

Discover, assess and classify ✓ ✓ ✓ ✓
Set and deploy policy and controls ✓ ✓ ✓ ✓
Audit and secure ✓ ✓ ✓ ✓ ✓
Measure and Report ✓ ✓ ✓
Deploy, manage and maintain ✓ ✓ ✓ ✓

Use a checklist to verify automation and time-saving capabilities.

Prepare to respond

A successful incident response process depends on connecting the dots, contextual information and
isolation of the abnormal behavior. When and how you respond is a reflection of the company’s or
business unit’s tolerance for risk. Low-medium risk tolerant organizations should select a solution that can:
• enrich logs with the contextual information from external systems
• provide alerts, quarantines and blocks across a flexible range of monitoring modes
• support followed action scripts for initiating external process actions
• integrate with your other tools and systems to help identify, trace and prioritize the attack points
• keep pace with your highest performing databases and Big Data instances

Improve reporting

Reducing the time required and complexity of your audit reporting tasks are baseline prerequisites
for your solution. More specifically, the system must provide regulation-specific reporting across the
entirety of your heterogeneous database environment without the need to manually intervene. The
system should collect, consolidate and properly present the required audit information upon real-time
request and at scheduled intervals.

Accounting for change is another baseline requirement. Look for a vendor that has a history of
delivering compliance-specific policies and reports that can be configured to your unique needs
without compromising functionality and upgradability. Verify centralization is supported by all reports,
not just a handful.

All major compliance regulations require reporting:
• SOX/JSOX
• MAS
• NERC
• HIPAA
• PCI-DSS
• GDPR

SecureSphere: Provides over 300 predefined reports, customizable templates and a custom report writer.

Tip 4: Implement a universal solution

• Inventory type, volume and velocity of databases
• Scope the data rules and policies
• Plan for compatibility
• Support multiple use cases

Unmonitored databases are a gap in your compliance and security profile. Mapping out your database
environment by type, volume and velocity provides a quick checklist to validate your solution. Implement a
solution that can monitor local system access, do network based monitoring or a hybrid of both
monitoring deployment options.

Inventory type, volume and velocity of databases

Unmonitored databases are a gap in your compliance and security profile. Mapping out your database
environment by type, volume and velocity provides a quick checklist to validate your solution.
Implement a solution that can monitor local system access, do network based monitoring or a hybrid
of both monitoring deployment options.

Oracle, mongoDB, Progress, SAP HANA, SAP ASE, PostgreSQL, SQLServer, MySQL, Netezza, SybaseIQ, IMS-IBM, Cassandra, Teradata, IBM Informix, SQLAzure, Cloudera, Hortonworks, DB2, Amazon Web Services, IBM-BigInsights, Apache Antelope

Scope the data rules and policies

Select a solution that provides a versatile, easy-to-use policy management system that can process the
rule sets across the entirety of your environment regardless of velocity or volume.

[SecureSphere policy list and definition screen shots.]

Plan for compatibility

Simplify your deployment, maintenance and upgrade projects by implementing a solution that is
designed to work with your other technology investments and IT project cadence.
Solutions to avoid:
• vendor-centric solutions that lead you into a “good-enough” paradigm
• solutions that actually increase the total cost-of-ownership due to expensive custom
integrations to your environment and on-going professional services required to keep them up-to-date
• solutions that lack backward and forward compatibility between all component levels, requiring
top-down or all-at-once upgrades

[Graphic: Best-of-breed; Backward and forward compatibility across all tiers; REST API; Out-of-the-box integrations.]

Eliminate gaps with integration and compatibility.

Support multiple use cases

Compliance and security mandates are often rolled out to support specific audit and security
“use cases”. Prioritize your use cases, map out the basic requirements, determine the overlap in
requirements and gain buy-in from the stakeholders for which use-cases will be implemented in
what phases of the project.

Common Data Audit and Protection Use Cases

• Sensitive data auditing
• Data theft prevention
• Data across borders
• Database risk assessment
• Change management
• Ticket reconciliation
• Malware and targeted attacks defense
• VIP data privacy
• Ethical walls

Summary

An effective audit and protection solution provides tangible data security benefits while simplifying the compliance audit process. A good
understanding of the options and requirements will improve your ability to successfully select and implement a solution that meets both
your immediate and future needs.

Tip 1: Have a Good Plan
• Understand what is needed
• Obtain stakeholder buy-in early
• Know the budget
• Stick to the plan

Tip 2: Know the Data
• Understand where the data is located
• Identify sensitive data
• Understand who has access to the data
• Assess vulnerabilities and gaps

Tip 3: Start with Results in Mind
• Confirm who needs what, when
• Leverage automation
• Prepare to respond
• Improve reporting

Tip 4: Implement a Universal Solution
• Inventory type, volume and velocity of databases
• Scope the data rules and policies
• Plan for compatibility
• Support multiple use cases

Download the Seven Keys to a Secure Data Solution white paper for more information.


eBook Series

Imperva Database Audit and Protection eBooks

Audit Series
Book 1: Getting Started
Book 2: The Data - Coming Soon
Book 3: Rules and Policies
Book 4: User Rights Management

Special Interest Series
Monitoring for GDPR - Fall 2016

To learn more about database auditing and protection, visit imperva.com


© 2016, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, ThreatRadar,
Skyfence and CounterBreach are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product
names are trademarks or registered trademarks of their respective holders. EBook_SecureSphere_DAP_0716-V1
imperva.com
