Security Connected

Defense In Depth: Protecting From The Inside Out

By on Mar 25, 2011

Something Changed With Aurora

Even before the China-centered Operation Aurora attack (a.k.a. the Google attacks), in which intruders broke into numerous high-profile US organizations to steal highly confidential information, I had been warning customers (and anyone within earshot, quite frankly) about the most effective strategies for protecting against the deluge of advanced attacks. Aurora was the first widely publicized campaign to aim patient, precisely targeted intrusion tradecraft at high-technology companies. While the individual techniques used in Aurora weren't novel, the targets were, and it showed organizations beyond the Defense Industrial Base (DIB) that their weakest link is their people.

Night Dragon, another attack McAfee revealed in early 2011, targeted global oil, gas and petrochemical companies. It was again sourced from China, and again went after sensitive, industry-specific intellectual property. The techniques used in Night Dragon were far from sophisticated, but its use of SQL injection against Internet-facing web servers to gain a foothold and then reach sensitive internal systems highlighted the fact that this stuff is all too easy if we don't take security seriously.

What’s Changed?

Motives, pure and simple. These high-profile attacks are performed by well-organized, well-funded groups whose interests lie in financial gain, corporate espionage, state-sponsored intelligence gathering, hacktivism and cyber-terrorism. At the same time, executing systematic attacks has become very easy even for the novice hacker. As we've detailed countless times in Hacking Exposed and in other publications and talks, this stuff is easy. Always has been, always will be. The harder part is protecting the assets from these threats: the attacker needs to find only one way in, while you and I need to plug the 10,000 ways in.

While attackers have become more coordinated, stealthy and focused in their approach, organizational dynamics have changed in ways that make companies more susceptible to attack. Companies are decentralizing, opening offices around the globe and, most importantly, deploying point security products with little or no integration. The traditional, perimeter-centric approach to security is also ineffective today because it is designed only to keep the bad guys out; it offers little once an attacker is already inside, or was inside to begin with. With over 50% of breaches coming from within the organization, companies need to rethink security and risk management from the inside out. And what asset is more central to the inside of your organization than the database? Nothing.

Use Detection and Layered Protection

To stop advanced attacks, you need a holistic, coordinated strategy that covers data in all three of its states (in motion, at rest and in use) and protects from the inside out. Historically, organizations secured the network or the endpoint, hoping threats would be caught long before they reached the database. Aurora, Stuxnet and Night Dragon are just a few of the recent hacks that show how "best practices" security is not good enough. "Good enough" equals databases being breached.

Before you can ensure proper database protection, here are a few things you need to consider:

  1. Know the data repositories in your environment and the underlying infrastructure that supports them, such as operating systems and network devices.
  2. Discover every database instance in your environment, along with every operating system and network device hosting database services and their related technologies.
  3. Reconcile those assets so that each database is tied to the operating system and host it actually runs on.
  4. Identify and remediate vulnerabilities and misconfigurations in the network, operating system, application and database layers and in their supporting infrastructure.
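To make steps 2 through 4 concrete, here is an added example (my own illustration, not code from the original post or from any McAfee product) that reconciles three constructed data sets: database listeners found by a service scan, hosts reported by an OS inventory agent, and records from a CMDB. The product names, IP addresses, version baselines and field names are assumptions. It reports databases on hosts no agent manages, databases nobody registered, registered databases that never appear on the wire, unpatched hosts under a database, and versions below the assumed minimum baseline:

```python
"""Reconcile discovered database listeners with host inventory and CMDB records.

Added example, not from the original post or any McAfee product. All sample
data is constructed; product names, ports, version baselines and field names
are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    """A database service found by a network/service scan."""
    ip: str
    port: int
    product: str
    version: str


@dataclass(frozen=True)
class Host:
    """An operating system reported by an inventory agent."""
    ip: str
    hostname: str
    os: str
    patched: bool  # True when the host meets the OS patch baseline


@dataclass(frozen=True)
class CmdbRecord:
    """A database the CMDB says is supposed to exist."""
    hostname: str
    product: str
    owner: str


# Constructed sample data: what the three sources report.
LISTENERS = [
    Listener("10.0.1.10", 1521, "oracle", "11.2.0.1"),
    Listener("10.0.1.11", 3306, "mysql", "5.1.40"),
    Listener("10.0.2.50", 1433, "mssql", "10.50.1600"),   # no agent knows this host
    Listener("10.0.1.12", 5432, "postgresql", "8.4.7"),   # dev box, never registered
]
HOSTS = [
    Host("10.0.1.10", "db-ora-01", "rhel5", patched=True),
    Host("10.0.1.11", "db-my-01", "rhel5", patched=False),
    Host("10.0.1.12", "dev-box-07", "ubuntu10.04", patched=True),
]
CMDB = [
    CmdbRecord("db-ora-01", "oracle", "erp-team"),
    CmdbRecord("db-my-01", "mysql", "web-team"),
    CmdbRecord("db-ms-01", "mssql", "finance"),  # registered, but never seen on the wire
]

# Minimum acceptable versions per product (assumed policy, not vendor guidance).
MIN_VERSION = {
    "oracle": (11, 2, 0, 2),
    "mysql": (5, 1, 50),
    "postgresql": (8, 4, 8),
    "mssql": (10, 50, 1600),
}


def parse_version(text):
    """'11.2.0.1' -> (11, 2, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def reconcile(listeners, hosts, cmdb):
    """Return sorted (finding, subject, detail) tuples tying databases to hosts and records."""
    host_by_ip = {h.ip: h for h in hosts}
    registered = {(r.hostname, r.product) for r in cmdb}
    seen = set()
    findings = []
    for lst in listeners:
        host = host_by_ip.get(lst.ip)
        if host is None:
            # Step 3 fails here: a database with no known operating system underneath it.
            findings.append(("UNMANAGED_HOST", lst.ip, lst.product))
            continue
        key = (host.hostname, lst.product)
        seen.add(key)
        if key not in registered:
            findings.append(("UNREGISTERED_DB", host.hostname, lst.product))
        if not host.patched:
            findings.append(("OS_UNPATCHED", host.hostname, lst.product))
        if parse_version(lst.version) < MIN_VERSION.get(lst.product, (0,)):
            findings.append(("DB_OUTDATED", host.hostname, f"{lst.product} {lst.version}"))
    # CMDB records with no live listener: decommissioned, moved, or hiding on another port.
    for hostname, product in registered - seen:
        findings.append(("GHOST_RECORD", hostname, product))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(LISTENERS, HOSTS, CMDB):
        print(*finding)
```

The UNMANAGED_HOST finding is the one to chase first: a database listener on a host that no inventory agent or CMDB record knows about is exactly the shadow asset step 2 exists to surface, and it is the one your patching and vulnerability programs are guaranteed to miss.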


Once you've identified and closed these gaps, the next step is to design the layers of proactive protection and prevention. To counter contemporary attacks, you need to think like an attacker and deploy controls that are strategically placed and delivered in layers. When designing layered security, you must build the inner layers on the assumption that the outer layer(s) have been or can be breached. The inner layer starts with Database Activity Monitoring (DAM), which acts like a video camera on your database, recording every action and access. Remember, database attacks come from the network, from local users (privileged and otherwise), and even from inside the database itself (stored procedures, scheduled jobs and triggers), but only McAfee's Database Activity Monitoring product can catch all three. DAM uses memory-based sensors on the database host to see all three types of threats in a single solution, including local and in-database activity that never crosses the network and is therefore invisible to network-based monitoring.

Database security transcends the database. It's about protecting the complete database system and the information contained therein, from every angle. As evidence of McAfee's total commitment to database security, we have announced our intent to acquire Sentrigo, a leader in database security solutions. Sentrigo is currently a McAfee SIA partner, and we are now taking the next step in our relationship. This acquisition is a key part of our overall strategy to deliver the highest level of security for our customers.
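As an added example that is not part of the original post or of any McAfee/Sentrigo product, here is a small rule-based activity monitor in Python that illustrates the kind of review a DAM layer performs across the three origins named above (network clients, local users on the database host, and activity originating inside the database), and that also flags the SQL injection signatures of the sort discussed under Night Dragon. The event fields, table names, client allowlist, rule names and the event records themselves are constructed assumptions, and the regular expressions are heuristics rather than a complete injection detector:

```python
"""Toy database activity monitor: rule-based review of an audit/event feed.

Added example, not part of the original post or of any McAfee/Sentrigo
product. Event fields, table names, the client allowlist, the rules and the
event records below are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DbEvent:
    id: int
    source: str    # "network" (remote client), "local" (shell on the DB host),
                   # or "internal" (job, trigger or stored procedure inside the DB)
    db_user: str
    os_user: str
    client: str    # client program, or the in-database origin for "internal"
    sql: str


SENSITIVE_TABLES = {"customers", "credit_cards", "hr.salaries"}
APPROVED_CLIENTS = {"java", "webapp-pool"}   # app-tier programs allowed at sensitive tables

# Heuristic injection signatures: tautology, appended UNION SELECT, stacked destructive statement.
INJECTION = re.compile(
    r"\bor\b\s+([\w']+)\s*=\s*\1(?![\w'])"         # OR 1=1, OR 'a'='a' (both sides identical)
    r"|\bunion\b\s+(?:all\s+)?select\b"            # UNION [ALL] SELECT
    r"|;\s*(?:drop|exec|xp_cmdshell|shutdown)\b",  # ; DROP ..., ; EXEC ...
    re.IGNORECASE,
)
PRIV_CHANGE = re.compile(r"^\s*(?:grant|revoke|create\s+user|alter\s+user|alter\s+system)\b", re.I)
AUDIT_OBJECTS = re.compile(r"\b(?:audit_trail|dba_audit_trail|audit_policy)\b", re.I)
TABLE_REF = re.compile(r"\b(?:from|join|into|update)\s+([\w$]+(?:\.[\w$]+)?)", re.I)


def tables_in(sql):
    """Lower-cased table names referenced after FROM/JOIN/INTO/UPDATE."""
    return {t.lower() for t in TABLE_REF.findall(sql)}


def evaluate(ev):
    """Return the list of rule names a single event trips (empty for benign events)."""
    alerts = []
    if INJECTION.search(ev.sql):
        alerts.append("INJECTION_PATTERN")
    if tables_in(ev.sql) & SENSITIVE_TABLES:
        if ev.source == "local":
            # A DBA or OS admin reading regulated data on the host never crosses the network.
            alerts.append("LOCAL_PRIV_SENSITIVE_ACCESS")
        elif ev.source == "network" and ev.client.lower() not in APPROVED_CLIENTS:
            alerts.append("UNAPPROVED_CLIENT_SENSITIVE_ACCESS")
    if ev.source == "internal" and PRIV_CHANGE.match(ev.sql):
        # Privilege changes issued by a scheduled job or procedure, not by a human session.
        alerts.append("INTERNAL_PRIVILEGE_CHANGE")
    if AUDIT_OBJECTS.search(ev.sql):
        alerts.append("AUDIT_TAMPER")
    return alerts


def monitor(events):
    """Map event id -> alerts for every event that tripped at least one rule."""
    hits = {}
    for ev in events:
        alerts = evaluate(ev)
        if alerts:
            hits[ev.id] = alerts
    return hits


# Constructed event feed covering all three origins, plus two benign statements.
EVENTS = [
    DbEvent(1, "network", "webapp", "tomcat", "java",
            "SELECT name FROM customers WHERE id = 42"),
    DbEvent(2, "network", "webapp", "tomcat", "java",
            "SELECT name FROM customers WHERE id = 42 OR 1=1 --"),
    DbEvent(3, "network", "webapp", "tomcat", "java",
            "SELECT id FROM products WHERE cat = 'x' UNION SELECT password FROM dba_users --"),
    DbEvent(4, "local", "SYS", "oracle", "sqlplus",
            "SELECT * FROM credit_cards"),
    DbEvent(5, "internal", "SYS", "oracle", "DBMS_SCHEDULER",
            "GRANT DBA TO contractor7"),
    DbEvent(6, "network", "analyst", "jsmith", "toad",
            "SELECT ssn FROM hr.salaries"),
    DbEvent(7, "internal", "SYS", "oracle", "TRG_AFTER_LOGON",
            "UPDATE audit_trail SET enabled = 0"),
    DbEvent(8, "network", "webapp", "tomcat", "java",
            "SELECT id FROM orders WHERE status = 'open' OR region = 'eu'"),
]

if __name__ == "__main__":
    for event_id, alerts in sorted(monitor(EVENTS).items()):
        print(event_id, ", ".join(alerts))
```

Events 4, 5 and 7 are the point of the exercise: none of them produces a network packet, so a sniffer or a firewall in front of the listener never sees them, which is why the inner layer has to observe the database process itself. Event 8 is kept as a reminder that a tautology rule must compare both sides of the expression; a naive "contains OR x=y" check would flag a perfectly ordinary query.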

You need protection from the inside out, because "good enough" security is certainly not acceptable to me.