Government CIOs and CISOs need to use every tool at their disposal to protect their networks and data. While more – and newer – technology can help, there may be more ways to shore up your defenses through existing assets. A database audit strategy that goes beyond the basics can help spot improper access and may also prevent incursions through tighter controls and monitoring. But doing it well takes planning and diligence, as well as a different view of how to use the tools you already have.
To break down the essential components of this approach, we asked Paul Parker, Chief Technologist – Federal & National Government, for SolarWinds, to explain how to use database audits as a key element in your cyber strategy.
Government Technology Insider (GTI): Database audits are a basic function for IT managers. At the root, it’s a matter of making sure you’re reviewing performance data and access logs as well as performing patching and maintenance. But from a security standpoint, it’s more than just going down the daily checklist. So, what’s the minimum that IT leadership should insist on?
Paul Parker (PP): As you mentioned, database security has never been a bigger issue, especially in light of the recent Marriott data breach that was announced on November 20, 2018. The idea of an exploit is not all that uncommon anymore, nor is the idea that the breach went unnoticed for four years while the hackers were mining data. But what this breach lends credence to is the importance of database auditing and the forensics associated with it.
There’s a lot that really goes into that in terms of what are you going to do around your access and your authentication, your users and your administrators. What are your potential vulnerabilities and threats? What about change auditing? These are all things that play a role in it and something that you should have a well-established plan to address.
GTI: That daily checklist idea of, “OK everything looks fine. We can move on to the next thing” or “Let’s wait for an alarm bell to go off before we take action” just isn’t going to cut it anymore. What should high performing organizations be doing? And how do you add more layers of assurance without bogging down business operations?
PP: Well, the biggest thing to do is plan, plan, plan. Obviously, there must be an ‘execute’ somewhere in there, as well. But we can’t simply rely on the fact that we think our people are doing the right things. It really is critical that you start taking an outside-in and inside-out look at your organization as a whole — who’s accessing your data versus who’s allowed to have access to it. The answer really does come down to your organization.
What are high performing organizations doing? They’re leveraging tools that give them visibility. They are enacting plans specifically around ensuring that a breach doesn’t happen as well as what would happen if a breach were to happen. You simply look at things like GDPR and the effect that’s had on many of the organizations as well as basic functions like the cookie notifications we get on all the websites we’re visiting today. There are a lot of layers of assurance that really have to be brought into play.
You specifically called out ‘bogging down business operations.’ You can’t look at it in a negative mindset, saying that we’re bogging something down. What we’re really trying to do is ensure the protection of our customer data and ensure that we respect their business.
So, what that means is a greater emphasis on spending for IT tools, greater emphasis on spending for training and education and continuous training for our staff — a lot of the things that we really should be doing, but now that the spotlight’s shining brightly on us, spending more time focused on that.
GTI: There are legal requirements, legal ramifications, but also ethical ramifications with allowing breaches to occur, if you had the opportunity to stop them. What are some of the things that IT can be doing specifically to make sure that the database is staying secure and intact?
PP: Databases are really some of the most critical assets on the network now, in terms of what they are storing, how they are storing it and who has access to that data. Our most critical applications are relying on databases in some way, shape or form, and the relation of those. It really gets down to the total security program.
Are you looking at your traffic? It’s not just the database and the server that it’s running on, it’s looking at the traffic coming into and out of that database, looking at the IP addresses that are associated with that traffic. Is that somebody who’s a known trusted source or an unknown vulnerability?
Stay in touch with your vendors, because applying the latest patch is not a security strategy. You need to make sure that you understand what patch you’re applying. In theory, by securing one lock you may be unlocking another. And we find that to be extremely common. So, looking at your patch management strategy, looking at your network IP management strategy, looking at your rogue device strategy — these all have a complete 360 view into this and the process itself.
GTI: From a policy and procedure standpoint, what can be done to ensure the reliability of the database?
PP: Policy drives everything else. You have to have a rule to enforce, very much like raising children. If they don’t know that they have to be home at a certain time, they’ll come home when they feel like it. So, organizational leaders have to start with that policy. But they should also solicit feedback from the people that the policy affects to find out whether there are additional unintended consequences of this or whether it needs to be tweaked and modified. It should be a living, breathing document.
But you start with a minimum secure baseline, implement things like principles of least privilege, and look at what defense in depth you’re providing at all the different layers. There are organizations like ISACA out there who can absolutely give you tips and guidelines and recommendations on somewhere to start.
We frequently use the adage about reinventing the wheel. We’re not going to reinvent the wheel. What we’re trying to do is make a bigger, better, stronger version of a run-flat wheel. Let’s not start from scratch; let’s take something that’s hardened and make it better.
GTI: How does the cloud impact your database auditing? If some of your data is onsite, offsite, in multiple places?
PP: They are simply additional areas of the network that you have to worry about. We can’t think of a network today in terms of “we have control of everything; everything is on-premise.” There are always going to be areas that are dependent on it. Having a database offsite is not all that different than relying on city power, water and sewage. It’s the same sort of thing. These are all threats to your organization, and that really comes into, again, that total security plan of the inside-out and outside-in approach of looking at every possible environmental variable that occurs.
Cloud is just another way of doing business nowadays and it’s a tremendous growth opportunity for businesses. But, as I frequently lament, along with that there are additional challenges from a security aspect because you no longer maintain the physical security of the asset, you no longer maintain the network security of the asset. We don’t have the ability to affect who Amazon or Microsoft are hiring to run their data centers. We just have to trust that they are following good security practices themselves.
GTI: Any final thoughts on how to approach database auditing in terms of security?
PP: The biggest thing is, again, start with the basics and work your way up. Let’s get less complex to more complex and not the other way around. Look at your encryption layers, look at things like your password policies. Honestly, look at everything and ultimately rely on your information assurance teams to do their jobs and make sure that you’re hiring the best people for that.
The idea of the network nerd isn’t always necessarily the best thing. It is a checks and balances system with multiple people who are all stakeholders having a dialogue and a seat at the table to figure out what that comprehensive strategy looks like.