Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
IT Defense Database Logs D3

IT Defense Database Logs D3

Ratings: (0)|Views: 1|Likes:
Published by Anton Chuvakin

More info:

Published by: Anton Chuvakin on Jul 27, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as DOC, PDF, TXT or read online from Scribd
See more
See less





The Underutilized Security Bulwark: Database Logs
 Dr. Anton ChuvakinWRITTEN: 2007 
:Security is a rapidly changing field of human endeavor. Threats we face literally changeevery day; moreover, many security professionals consider the rate of change to beaccelerating. On top of that, to be able to stay in touch with such ever-changing reality,one has to evolve with the space as well. Thus, even though I hope that this documentwill be useful for to my readers, please keep in mind that is was possibly written yearsago. Also, keep in mind that some of the URL might have gone 404, please Googlearound.As security breaches like that of TJ Maxx grab headlines and as corporateregulations like Sarbanes-Oxley and PCI continue to emphasize preserving and securingdata and assurance of IT controls, organizations are increasingly turning to log data to provide a continuous fingerprint of everything that happens within the security perimeter.Enterprises look to logs from network systems (routers, switches, firewalls), securitydevices (IDS/IPS, firewalls), and/or servers (Windows, Unix, Linux, and evenmainframes) to gain insight into their system, protect from internal and external securitythreats, and satisfy auditors. However, another crucial, log-generating part of the ITinfrastructure, the database, has been capturing more attention recently, even though mostsecurity issues surrounding databases have existed since commercial database systemswere introduced a few decades ago.Over the past few years, insider attacks have caused more headaches thanoccasional malware-related incidents. According to recent surveys, a majority of respondents attribute at least some amount of data loss to insiders. Perhaps the top reasonwhy paying attention to database security is crucial to improving enterprise informationsecurity posture is that database systems are deployed deep inside the company network.This is also why databases are less visible on a security radar—their internal deploymentis seen as a shield that protects them from Internet attacks. However, such database placement makes them a prime target for insiders, who have the best opportunity toattack, compromise, and steal the data. Although, it is not just insider threats that present problems. Databases that house confidential client information (e.g. medical records or credit card numbers) that need to be available to partners and other outside parties canalso be penetrated by outsiders, possibly through web application vulnerabilities. Such a breach is guaranteed to have deleterious effects. The term “database security” connotescontrolling access to database software, structures (or “metadata”), the data itself,database configuration hardening, database data encryption, and database vulnerabilityscanning, all of which are underscored by database logging, which stands as the last butmost critical line of defense against insider attacks as well as compliance risks.
 Database Logging is Difficult…
Databases offer different arrays of logging options, but most are capable of logging user logins and logouts, database system starts, stops, restarts, various systemfailures and errors, user privilege changes, database structure changes, databaseadministrator actions, and database data access. These logged events provide deepinsight into the IT infrastructure and business data- insight that can help enterprises meettheir security, compliance, and IT operational needs. The question then becomes if databases offer extensive logs that are crucial for accurate and effective user-activitytracking and/or preventing insider attacks, why do database logs remain the forgottenchildren of the log family?There are several reasons that database log management and analysis does nothappen to the extent that it should. First, it is inherently complicated—the logsthemselves are unclear and often difficult to analyze; many databases log in multi-lineformat, where a single record might be spread across multiple lines of log data. Inaddition, all but the most basic database logging capabilities are typically turned “off” bydefault, however shocking that sounds in today’s compliance-heavy environment. Toenable proper database logging, a database administrator (DBA) must set specialconfiguration options or sometimes restart the database software, both of which taketime, manpower, and expertise. Further, unlike other areas of the IT infrastructure, wherelogging has a negligible impact on system performance, database logging does actuallyslow down the database, especially when all access to data is recorded. High- performance databases are meant to provide thousands of data transactions per second,and logging all of those events takes power and space that most DBA’s don’t want tosacrifice. From the DBA perspective, their job is not to log, but to ensure the smoothfunctioning of the database and quick responses to database queries by customers. To topit off, few security professionals are familiar with in-depth details of database logging.
 But it Has to be Done…
Despite these challenges, database logging must be enabled and log review musthappen. For example, viewing the authentication logs is the only way to verify whataccess control decisions are made, who views and downloads what data, who isconnected to the server, who is deleting or corrupting data, and whether or not a security breach has led to unauthorized access to critical and supposedly secure information.Reviewing database logs is the only way to know the “who, what, where, and how” if adisgruntled employee accesses a secure customer list to steal confidential data or, worse,to modify it to cause embarrassing problems for company executives (!). It is unlikelythat intrusion detection or other security technology would stop this type of problematicuser-activity in time, but records of the employee’s search would be found, immutable, indatabase logs. Having such logs ready for real-time analysis and reports could mitigatethe damage from that type of attack or abuse. In fact, one of the more important databaselogs is actually a log of DBA activity. DBA’s have access to all sorts of confidentialinformation that is stored in the database—patient information in hospitals, financialinformation in financial institutions, and credit card information in retail stores. They
also have the best ability to modify or corrupt covert data. It is essential that DBAactivity logs be collected, reviewed, and—yes!—protected from DBAs themselves as a“separation of duty” measure, because with near-unbridled access to the company crown jewels, they could present an internal threat to company security. Of course, this bringsup another known point of resentment for DBA’s towards logging!In addition to security, database logging and log analysis must be performed for IT auditors to enable regulatory compliance with the slew of government mandates for  preserving and securing data. Payment Card Industry Data Security Standards (PCI-DSS), designed to enhance payment account data security, mandates that companiesmonitor their logs; although it does not specify database logs, this information would becrucial to guaranteeing secure payment information, since this data is stored in adatabase. The Sarbanes-Oxley Act (SOX) mandates that companies must have anassurance of internal controls. In spirit, this regulation means that officers of thecompany should be sure that their financial records, stored in databases, remain intact andunmodified. Of course, it is a logical conclusion that if financial data is stored indatabases and this financial data must be locked, safe and secure, the best way toguarantee data security and integrity is to review the database logs. The Health InsurancePortability and Accountability Act (HIPAA) requires that patient information (again,stored in a database) is kept secure and controlled. Imagine if a nurse were interested in peeking at celebrity health records. If she isn’t caught red-handed at the computer, howwould anyone know? The answer should already be obvious- look at the logs. Perhapsthe user name of Nurse Smith, who has no business accessing the database, will show upas having viewed a chart detailing the latest Hollywood star’s emergency-room treatmentfor a drug overdose, and the hospital will know that she has accessed confidentialrecords. More generally, IT governance best practices frameworks such as the ControlObjectives for Information and related Technology (COBIT) also steer IT users towardsdatabase logging.
 Database Logging Doesn’t Have to be A Challenge…
Enterprises are faced with a staggering amount of logs, and databases are amongthe most “chatty” log sources. The presence of these logs and their review and analysisare essential to ensure IT security and compliance, but, unfortunately, for a variety of reasons, the cards are stacked against their easy and comprehensive collection, review,and analysis due to the reasons mentioned above. So what’s to be done?As mentioned before, most commercial databases log surprisingly few events bydefault. For those companies that use database logging capabilities in only the most basicway, a manual log review may be suitable. However, if any kind of database security“best practices” are being followed and more comprehensive logging is enabled,automation of log analysis and log management via some technology is required.Simpler log analysis tools, often provided by database vendors, allow skilled DBAs toreview logs on a specific database server and gain some insight into database activity, butdo not provide any real-time analysis in the form of alerting or alarms.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->