Many high-profile database breaches have resulted from the abuse of legitimate logon credentials. Identifying these apparent “insider threats” requires a new approach: users who were once considered trustworthy may have lost their credentials to an attacker and now pose an insider threat. This is why identifying compromised credentials in real time has proven elusive until now. The situation has changed, and so must the mechanisms to mitigate the risk.
In this podcast recorded at RSA Conference 2016, David Rosenberg, CTO/Products at DB Networks, talks about how they added real-time compromised credential identification capabilities to their DBN-6300 product.
Rather than inherently trusting specific clients, servers or users, the new approach of the DBN-6300 identifies normal business flows and evaluates the risk and business context of any deviation. Doing this accurately and in real time requires deep protocol analysis of large volumes of database communications to detect when an entity demonstrates a new behavior – indicative of an attacker using stolen credentials.
The cyber criminals’ primary goal is to obtain a privileged logon that grants access to sensitive and valuable data. Once the attacker has obtained the proper credentials, they can pose as the privileged insider and breach the databases. At that point they can access sensitive assets and set up a channel to exfiltrate an entire data set to an off-site server.
Once a compromised credential is identified, it is critical to understand the scope of the incident. DB Networks assists security professionals with a security search tool that lets them easily investigate any suspicious activity in the database tier. This capability is extremely useful for understanding the scope of activity that resulted from a compromised credential.
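To make the behavioral idea concrete, here is an added illustration (not DB Networks' code, and far simpler than protocol-level analysis of the DBN-6300): it learns, per credential, which client hosts, servers and statement shapes appear in normal business flows, flags sessions that deviate, and then gathers everything the flagged credential touched so the incident can be scoped. The event tuples are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample session events (not real traffic): (user, client_host, db_server, sql)
BASELINE_EVENTS = [
    ("app_svc", "10.0.1.5", "orders-db", "SELECT id, total FROM orders WHERE customer_id = 42"),
    ("app_svc", "10.0.1.5", "orders-db", "SELECT id, total FROM orders WHERE customer_id = 77"),
    ("app_svc", "10.0.1.6", "orders-db", "INSERT INTO orders (customer_id, total) VALUES (42, 19.99)"),
    ("report_ro", "10.0.2.10", "orders-db", "SELECT count(*) FROM orders WHERE created > '2016-01-01'"),
]
REVIEW_EVENTS = [
    ("app_svc", "10.0.1.5", "orders-db", "SELECT id, total FROM orders WHERE customer_id = 99"),
    ("app_svc", "203.0.113.7", "orders-db", "SELECT * FROM customers"),
    ("app_svc", "203.0.113.7", "orders-db", "SELECT * FROM customers WHERE id > 100000"),
]

def fingerprint(sql):
    """Collapse literals and whitespace so statements differing only in values share one shape."""
    s = re.sub(r"'[^']*'", "?", sql)          # string literals
    s = re.sub(r"\b\d+(\.\d+)?\b", "?", s)     # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()

def build_baseline(events):
    """Learn, per credential, the hosts, servers and statement shapes seen during normal business."""
    base = defaultdict(lambda: {"hosts": set(), "servers": set(), "shapes": set()})
    for user, host, server, sql in events:
        base[user]["hosts"].add(host)
        base[user]["servers"].add(server)
        base[user]["shapes"].add(fingerprint(sql))
    return base

def evaluate(baseline, events):
    """Return (event, reasons) for every event that deviates from its credential's baseline."""
    findings = []
    for ev in events:
        user, host, server, sql = ev
        known = baseline.get(user)
        reasons = []
        if known is None:
            reasons.append("unknown credential")
        else:
            if host not in known["hosts"]:
                reasons.append("new client host")
            if server not in known["servers"]:
                reasons.append("new database server")
            if fingerprint(sql) not in known["shapes"]:
                reasons.append("new statement shape")
        if reasons:
            findings.append((ev, reasons))
    return findings

def incident_scope(events, user):
    """Once a credential is flagged, collect everything it touched to size the incident."""
    return [ev for ev in events if ev[0] == user]
```

In this sample, the two queries from the unfamiliar host against a table the service account never read are the ones flagged, while the routine lookup from the usual host passes silently.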