Presentation is loading. Please wait.

Presentation is loading. Please wait.

Best Approaches to Database Auditing: Strengths and Weaknesses

Published byChad Cobb Modified over 10 years ago

Similar presentations

Presentation on theme: "Best Approaches to Database Auditing: Strengths and Weaknesses"— Presentation transcript:

1 Best Approaches to Database Auditing: Strengths and Weaknesses henry.parnell@lumigent.com

2 2 of 37 Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? –Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered

3 3 of 37 Why Audit: blame the government? 1995 TODAY

4 4 of 37 Audited System SQL Server Audited System Oracle Audited System Sybase Audited System DB2 “UDB” Why Audit : blame the DBMS vendors? Scalability, Recoverability, Availability, …

5 5 of 37 Audited System SQL Server Audited System Oracle Audited System Sybase Audited System DB2 “UDB” Why Audit : blame the DBMS vendors? Scalability, Recoverability, Availability, … Auditability?

6 6 of 37 Why Audit: blame ourselves? Most of our important, sensitive and private data is in the database. We MUST audit access to the database. We MUST audit usage data. We MUST audit maintenance/control/admin usage. If we don’t, we will not be in COMPLIANCE SOX GLBA BASELIIHey – audit the database ?!?!?! OK – What do you need to audit? ?!?!?! AUDITORSDBAs Hmmm…Well – audit all reads of data, all writes, all changes to the database, who did it, from where, when, how…. ?!?!?! Are you serious? OK- audit just config changes No wait – also schema changes..And – access to sensitive data. And…

7 7 of 37 Why Audit: Plenty of Blame to go around Regulations & Industry Practices Sarbanes-Oxley HIPAA GLBA SB 1386 SAS70 USA Patriot Act Moody’s 21CFR11 Basel II … People Inadequate built-in controls within DBMS systems Outsourcing Culture DBA <> User communication Insiders are the biggest threat Privileged users Human errors Fraud Malicious actions Systems and Processes

8 8 of 37 Database Auditing Requirements Critical Issues:  Passing the Audit  Reduce cost of IT controls  Regulatory and Industry Compliance  Less DBA Workload also less insider risk  Resulting in …  Mandated Record Keeping for …  Operations on Sensitive Data and Privacy  Forensic Analysis

9 9 of 37 Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? –Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered

10 10 of 37 What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables, triggers, … Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, … Transaction Log Files Collecting Network Activity

11 11 of 37 The Road Less Traveled Application &/or database schema modification Shadow audit tables, triggers, … Reasons not to use Triggers: –Significant performance overhead –Easy to circumvent (alter table disable trigger all) –Costly to maintain (schema changes, code changes) –Incomplete capture Typically can only capture DML (not DDL and not SELECTS)

12 12 of 37 Audited System SQL Server 7, 2000 & 2005 Audited System Oracle 8, 9i &10g Audited System Sybase 11, 12 & 15 Audited System DB2 “UDB” 8.1, 8.2 & 9 Audit Trail Repository Anomaly Detection Policy Adherence Compliance Reporting Oracle, SQL Server or DB2 Activity Monitoring: Database Types & Versions

13 13 of 37

14 14 of 37 Native Database Audit Tools What is it? Strengths and Weaknesses Why is anything other then this needed?

15 15 of 37 Native Database Audit Tools Event systems useful for performance and audit monitoring Generally under the control of the DBA Usual output is to a “local” table or text file Often comprehensive but in no case complete Performance wise you get what you pay for Output is hard to make unimpeachable (trustworthy) Usually Low Ease of Use

16 16 of 37 Native Database Audit Tools Strengths –DB Operation coverage –Supported by Database Vendor –Comes with the database Weaknesses –Impeachability (AKA will the auditor trust the records?) –Performance for anything that happens frequently –Data impact records, (what changed, how did it change, what data did the user see, …) –Specific to the data container (the DBMS system) and not to the data contents –Incomplete

17 17 of 37 What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables, triggers, … Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, … Transaction Log Files Collecting Network Activity

18 18 of 37 Transaction Log Post Processing What audit data can be found in a transaction log? What audit data cannot be found in a transaction log? Strengths and Weaknesses

19 19 of 37 Database Transaction Log A transaction log is a “write ahead” journal of all activity that alters the state of the database Binary file, platform specific, internals undocumented A database always writes to the log even when the database is in circular (non-archived) mode A database writes undo and redo records to the log for: –Roll forward recovery –Transaction atomicity (roll back to a known state) An on-line transaction log is backed up to archived files The archived log files may serve as a rich source for audit activity

20 20 of 37 Example of a Transaction Log Record

21 21 of 37 What is in the Transaction Log? All DML operations –For row Insert & Delete, all column values are generally present –For column Update, before/after values for all modified columns are generally present –Status (success or failure) –Time stamp / Transaction ID In some database systems –All DDL operations ( Oracle 9 and 10 ) –Session/UserID Identifiers shown on operation records ( Oracle 9 and 10 ) –SQL Text ( DB2 ) –Client host name or IP address ( DB2 )

22 22 of 37 What is generally Not in the Transaction Log? Read / SELECT operations Failed operations Unlogged operations example: SQL Server Simple Recovery Mode

23 23 of 37 Transaction Log - Strengths Small to no performance impact - database does the work in advance –Reading an OS file, outside of the database –Potentially using a machine that is not the DBMS Server Work shifting –Potentially at a time well after when the operation happened Time shifting Appropriate for auditing privileged users –Logs complete activity –Hard to circumvent Appropriate for auditing local access and stored procedure contents –Shared Memory, named pipes, … connections Appropriate for data modifications –Provides a full audit trail of changes to column data Resilient to system failures –Audit data is never lost; because it uses the same recovery mechanism as the DBMS Not affected by network encryption

24 24 of 37 Transaction Log - Weaknesses Unsuitable for implementing privacy auditing –Selects are not in the transaction log Unsuitable for real-time alerting –Log reading is typically batch oriented so alerts are generated at collection time rather then run time May not be used on databases that run in non logged mode Log files are binary and direct access is not a “supported” interface, hard to write your own Incomplete

25 25 of 37 What High Level Alternatives Exist? Go back to paper? Application &/or database schema modification Shadow audit tables, triggers, … Native Database System Audit Capability DB2 Audit Facility, Oracle Audit, SQL Server Trace, SybSecurity, … Transaction Log Files Collecting Network Activity

26 26 of 37 Network Capture What audit data can be found by recording the DBMS_Client DBMS_Server Network or interprocess conversation? What audit data cannot be found by recording the DBMS_Client DBMS_Server Network or interprocess conversation? Strengths and Weaknesses

27 27 of 37 Network Capture A network appliance only –Resides on the network between the database and the users –Captures TCP traffic –Extracts SQL text and stores in a file backed cache Can be either a network appliance and/or host based software agents

28 28 of 37 Deployment Details – Network Capture

29 29 of 37 How the Internet Works The Internet is “dumb” –All connections are initiated by the connected client server systems at each end –All data synchronization and retransmissions are controlled by the end systems –The network merely pushes packets along from hop to hop –If a packet is dropped in the network the end points will detect it and retransmit. Database Server Client Ethernet Switch Client - Server Communications Ethernet Switch

30 30 of 37 Sniffers Listen to Packets as They Go By Packets do get dropped in networks –Sniffers can drop packets if there is local congestion Local congestion can be caused by non audit traffic –If the sniffer in the middle drops a packet it may not be retransmitted because the endpoints may not drop the same packets Database Server Client Ethernet Switch Sniffer Database Commands and replies

31 31 of 37 What audit data can be found via Network Capture? SQL command text, exactly as it was sent to the database The SQL batch must be parsed to obtain: –Object names (affected tables) –Individual SQL commands (e.g., nested selects) –Prepared statements must be correlated, if possible Other fields can be obtained from a previous login request (if not encrypted or if auditing agent is party to the encryption key management) –User name –Application Id –Client host

32 32 of 37 What audit data cannot be found via Network Capture? Operations executed from a stored procedure ( server side logic ) DML data impact, if not included as a literal in SQL command text (what was deleted, what was inserted, what was a data value before and after an update) Encrypted sessions, unless auditing a party to certificate management Local, on database server access, direct, shared memory, named pipes, Oracle BEQ, …

33 33 of 37 Network Capture - Strengths Suitable for privacy, most efficient “Select/Read” collection If collected on database server, very small performance load; if collected remote zero impact: Same work and time shifting possibilities as log reading Suitable basis of real-time alerting Less Integration and therefore complication with the DBMS itself, easier implementation then native or T-log If you are a DBA the network topology and network security are usually “Somebody Else's Problem”

34 34 of 37 Network Capture - Weaknesses Difficulty auditing privileged users and or local host access Difficulty handling session encryption –SSL, IPSec –Encrypted login packets Inability to audit server side logic stored procedures –Cannot capture activity of stored procedures, triggers packages Inability to track changes to data values Not resilient to failure –If a network capture component fails to record traffic, the audit data is lost and cannot be recovered Hard to do, not a supported interface relative native capture

35 35 of 37 Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? –Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered

36 36 of 37 The Data Compliance Spectrum

37 37 of 37 Highly tuned production systemHighly tuned production system Very high service level requirementsVery high service level requirements No stored data valuesNo stored data values Companies often blanket the spectrum Multiple DBs Migration of servers Rolling out encryption Financial and operational data Past privileged user access issues Before and after value audit trail required The Data Compliance Spectrum

38 38 of 37 Mapping Technology to Real-World Requirements Transaction Log Reading Network Capture All my database activity is encrypted (i.e. SSL, IPSec, etc…) I need to monitor all forms of privileged user access I need to see the results from stored procedures & triggers I need to see the data impact for SOX compliance and provide “before and after” values I need real-time security alerts I need to capture a high volume of SELECTs for PCI compliance I cannot have any impact on the database I don’t have database logging enabled and I cannot change this

39 39 of 37 CREATE TABLE [dbo].[overtime] ( [emp_id] [empid] NULL, [empid] [int] NULL, [rate] [decimal](18, 0) NULL ) ON [PRIMARY] create procedure sp_salary @sal int, @emp int as update overtime set rate = @sal where empid = @emp delete overtime where empid = @emp+1 go declare @handle int set @handle = NULL exec sp_prepare @handle OUTPUT, N'@p1 varchar(80)', N'update overtime set rate = @p1 where empid = 5', 1 exec sp_execute @handle, 100 go declare @str nvarchar(500) set @str = N'delete overtime where empid = 12' execute sp_executesql @str go Auditing Stored Procedure Example

40 40 of 37 Auditing Stored Procedure Network Capture Only

41 41 of 37 Auditing Stored Procedure Both NetCap and TLog 1 0f 3

42 42 of 37 Auditing Stored Procedure Both NetCap and TLog 2 0f 3

43 43 of 37 Auditing Stored Procedure Both NetCap and TLog 3 0f 3

44 44 of 37 Audit Collection Technology Choice: Conclusions None of the alternatives are comprehensive Avoid use of Native Audit Tools for operations that happen frequently Log Reading is best for DML auditing Network Capture is best for Select/Read auditing

45 45 of 37 Agenda Why are audit records of Database Operations required in some cases? And why is collecting them difficult? Given the requirement what technical alternatives are available for database audit data collection? What issues should be considered in choosing among these alternatives? –Review and explain the alternatives above in light of the issues that need to be considered Beyond collection technology choice what other requirements should be considered

46 46 of 37 Beyond Collection Method Audit Policy Deployment Configuration

47 47 of 37

48 48 of 37 Audit Policy Configuration “What Records to keep?” Policies can conditionally qualify otherwise raw database events to: –Produce a more effective and accurate audit trail –Identify violations of policy –Classify events based on context –Issue alerts to initiate immediate response Definition of a complete, specific, database monitoring filter; abstracted away from details of database type and collection method. All privileged user activity: Audit If activity is outside of maintenance window: Critical If activity results in update to SOX scope data: Alert If host or application is determined to be un trusted POLICY Consolidated definition of acceptable use Rules

49 49 of 37 Audit Policy Rules? Supported attributes that can be used: –User ID –Application Name (Oracle and SQL Server data sources only) –Object (table, column, view, stored procedure) –Database Operation (insert, update, delete, grant, select …) –Client Host Name –Date Time range Supported Actions: –Collect, record the audit record in the Audit DB repository, mark the audit record with the policy name that was “true” –Annotate the collected audit record with a severity level –Send an alert

50 50 of 37 Grant of new Privileges Changes to Stored Procedures DML and Selects on employee table … Consolidated Runtime Audit Rules Company (enterprise) policy Division policy Department policy Instance policy Database policy Multiple Policies with distinct objectives collected concurrently Each collected audit record annotated with the policy or policies that triggered collection Each audit record prioritized Conditional immediate alerting

51 51 of 37 Deployment Configuration Data Assets DB Version, Patches & Configuration DB Access Control Host – OS Firewall, Version, Patches, Configuration IDS – Deep Packet Inspection Network – Firewalls & Access Control

52 52 of 37 Audited System SQL Server 7, 2000 & 2005 Audited System Oracle 8, 9i &10g Audited System Sybase 11, 12 & 15 Audited System DB2 “UDB” 8.1, 8.2 & 9 Audit Trail Repository Anomaly Detection Policy Adherence Compliance Reporting Oracle, SQL Server or DB2 Deployment Configuration

53 53 of 37 Deployment Configuration Assumptions: 8 database instances per DB Server DB2 per instance –90 Trans./Sec –500 Mega bytes/DB Oracle per instance –90 Trans./Sec –1.50 Gigabytes/DB Sybase (per instance) –40 Trans/Sec –300 Megabytes/DB SQLServer per instance –3 Trans./Sec –50 Megabytes/DB Router Ethernet Switch SQL Sever Oracle Sybase DB2 Oracle Router Campus 1 Ethernet Switch Oracle Sybase DB2 Oracle Router DB2 Building 2 Building 1 SQL Sever SQL Sever SQL Sever Ethernet Switch Ethernet Switch Ethernet Switch Ethernet Switch Campus 4 Campus 3 Campus 2 Router Ethernet Switch Campus 5 Ethernet Switch SQL Sever SQL Cluster Oracle RAC Clients DB2 5 5 5 5 5 5 5 5 5 3 3 1 5 Agg (2) 5 Agg First level sniffers First level aggregation Second level aggregation Agg Agg (2) Agg (1) Operations Parameters 141 transactions/second for first level sniffers 10 first level sniffers on an aggregation box 2 levels of aggregation

54 54 of 37 Summary Compliance presents multiple auditing requirements: –Privileged user, privacy, data auditing, completeness, separation of duties, etc. The requirements need to be implemented in a variety of existing production environments: –Performance sensitive systems –Systems that use network encryption –Warehouses that run in circular log mode No single technology alone can meet all auditing requirements. No single technology alone can fit all IT environments. An appropriate combination of native audit, transaction log reading, and network capture can be selected to match specific audit requirements and IT infrastructure.

55 55 of 37 Thank you! Questions? Lumigent Technologies, Inc. henry.parnell@lumigent.com

Download ppt "Best Approaches to Database Auditing: Strengths and Weaknesses"

Similar presentations

Database Architectures and the Web

Database Architectures and the Web
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.

Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.
Miss Scarlet with a lead pipe, in the library Players: 3 to 6 Contents: Clue game board, six suspect tokens, six murder weapons, 21 cards, secret envelope,

Miss Scarlet with a lead pipe, in the library Players: 3 to 6 Contents: Clue game board, six suspect tokens, six murder weapons, 21 cards, secret envelope,
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
High Availability Group 08: Võ Đức Vĩnh50703006 Nguyễn Quang Vũ50703033.

High Availability Group 08: Võ Đức Vĩnh Nguyễn Quang Vũ
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
A Guide to Oracle9i1 Advanced SQL And PL/SQL Topics Chapter 9.

A Guide to Oracle9i1 Advanced SQL And PL/SQL Topics Chapter 9.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
1 Audit Next Generation Monitoring, Compliance & QAUDJRN Reporting.

1 Audit Next Generation Monitoring, Compliance & QAUDJRN Reporting.
Chapter 1 Introduction to Databases

Chapter 1 Introduction to Databases
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Security Guidelines and Management

Security Guidelines and Management
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.

Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.
Introduction to Databases Transparencies 1. ©Pearson Education 2009 Objectives Common uses of database systems. Meaning of the term database. Meaning.

Introduction to Databases Transparencies 1. ©Pearson Education 2009 Objectives Common uses of database systems. Meaning of the term database. Meaning.
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Similar presentations

Ads by Google