Putting security intelligence to work will provide the answers needed regarding the safeguards, baselines, and behaviors in the environment. Here are some examples of questions to be asked and the expected or abnormal activity.
Is access to the database coming from expected servers?
Expected: Connections from DBA computers and application servers
Abnormal: Different application servers that haven’t been in the usual list, or computers of people not in DBA role
Are privileged users performing tasks outside of their regular jobs?
Expected: Typical information gathered on a regular basis shows creation of objects, creation of users, and granting of standard roles; reviews of performance
Abnormal: Creating users and granting higher privileges, data being modified
Are the baseline standards in place and how often do they change?
Expected: Privileges have not changed and users are mapped to roles; parameters are set to meet the policies and are not changing on a regular basis.
Abnormal: Changes happen outside of change windows. Users have individual grants and different roles are being used.
Is data leaving the database?
Expected: Data is moving from one database to another and there are regular connections from that other database; backups are performed regularly.
Abnormal: Exports outside of maintenance windows; data moving to servers outside of normal databases or application servers
There are several other questions that can be asked to review security, but these examples illustrate the type of data to be considered and a sample of what abnormal behavior could be. The data collected will support analytics to answer these questions and also raise new questions that can be implemented.
The security logs, audit files, and all of the activity can be used to provide the intelligence and analyze the status of the environment. They can also be used to look for patterns across the databases and servers to provide the needed protection from unauthorized access.
Just as an understanding of the data classification and workflows requires collaboration with other teams, so does analysis of the logs. Network, servers, applications, and file systems can all have activity and audit logs which can be collated with the database data. This is the next level—exploring the secured environments to discover that they are remaining guarded as planned or whether there is unusual, malicious activity creeping through that may compromise data and infrastructure. Protection and automation of protective actions are then to follow.
Simplifying and analyzing to secure the data are challenges that we face. Safeguarding the environment requires layers of defense—from the network and servers to data access. Privileges need to be granted through roles that can be distributed across environments for consistent entitlements. This will ensure that data processes and large datasets are being protected from unauthorized users inside and outside of the databases. Baselines and policies also encourage standardization which can assist in simplifying the environment. These standards allow for checks to discover the configuration changes and abnormal behavior. Using big data analytics on security data can provide the intelligence to detect issues (disturbances in the force) and eventually automate protective actions.