I'm taking on a database mapping project that involves identifying the data egress points of our databases and then developing a plan to better secure them. What's the best way to go about this, and are there any tools that can help make this job easier?
Ask the Expert
Have an application security or platform security question for Michael Cobb? Submit it via email. (All questions are anonymous.)
There are two things you must do to identify and better secure the data egress points of your databases: find out where sensitive data is located (content discovery) and determine where it is leaving the network (network monitoring). To get an idea of the scale of the undertaking, run Nmap to produce an inventory of the database servers and gateway devices that are operating, and map out the network to see which operating systems and software are installed. Bear in mind that Nmap only reports listeners it can reach: scan the full port range rather than the well-known database ports alone, scan from inside the segments you care about, and do it with authorization. Having a good understanding of your network topology will make the task of configuring content discovery and network monitoring tools much easier.
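As an added example (not a tool from the column), the following script turns Nmap's greppable output into the database inventory described above. It assumes a scan such as `nmap -sV -O -p- -oG dbscan.gnmap 10.0.0.0/24` was run with authorization; the port list, the `SAMPLE_GNMAP` text and the hosts in it are constructed for this example.

```python
"""Turn an Nmap greppable (-oG) scan into a database-server inventory.

Added example for this column, not a tool from the page. It assumes a scan
such as  nmap -sV -O -p- -oG dbscan.gnmap 10.0.0.0/24  was run with
authorization and parses the resulting file; the output below is constructed.
"""
import ipaddress
import re

# Default listeners of common engines. Instances moved to other ports still
# appear in the parsed inventory under their service name, which is why -sV matters.
DB_PORTS = {
    1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgresql",
    27017: "mongodb", 6379: "redis", 5984: "couchdb",
}

# Constructed sample of Nmap's greppable output (tab-separated fields).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 3306/open/tcp//mysql//MySQL 5.7.33/\tOS: Linux 4.15 - 5.6
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2016/, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2016
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, 5432/closed/tcp//postgresql///
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 5432/open/tcp//postgresql//PostgreSQL DB 12.4/\tOS: Linux 5.4
# Nmap done (constructed sample)
"""

# One port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Map each host IP to its OS guess and a (port, state, service, version) list."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"os": None, "ports": []})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for port, state, _proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            entry["ports"].append((int(port), state, service, version))
    return hosts


def find_database_servers(hosts):
    """Hosts with an open well-known database port, ordered by address."""
    found = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        info = hosts[ip]
        for port, state, service, version in info["ports"]:
            if state == "open" and port in DB_PORTS:
                found.append({"ip": ip, "port": port, "engine": DB_PORTS[port],
                              "banner": version or service, "os": info["os"]})
    return found


if __name__ == "__main__":
    for db in find_database_servers(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{db['ip']:<12} {db['port']:>5}/tcp {db['engine']:<11} {db['banner']}  [{db['os']}]")
```

The closed PostgreSQL port on 10.0.0.12 is deliberately left out of the result: a closed port tells you a host exists, not that it serves data. Keep the full parsed inventory as well, since a database listening on a non-default port only shows up through the `-sV` service name.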
While a tool like Nmap will find database servers on the network, sensitive data is usually widely dispersed throughout an enterprise, making it a major task to track down each and every copy and its location. For example, users export data from a database to an Excel spreadsheet and save it on their desktop for analysis, or email sensitive reports to a personal email account to study later at home. Tools such as McAfee DLP Discover find such copies by crawling the network, selecting the systems to search by LAN segment, IP address range, network group and other easily defined criteria. They can also search the information held in the databases themselves, without the help of a database administrator.
Even on a relatively small network, a decent data loss prevention (DLP) product should be able to discover, monitor and protect confidential data at rest or in motion. It must support every operating system used on your network and understand the unstructured data formats in use, such as audio, CAD or PDF files. Websense Data Security Suite, for example, uses optical character recognition to identify sensitive data embedded in images. Specialized content discovery applications are worth considering for particular compliance audits: Ground Labs Card Recon, for example, is a primary account number (PAN) detection tool that helps demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS). Tools of this kind validate candidate numbers with the Luhn check rather than reporting every 16-digit string, which is what keeps their false-positive rate manageable.
Once all sensitive enterprise data has been located, it should be protected according to its classification. Tools such as Websense Data Discover and Symantec DLP can automatically perform remediation actions wherever sensitive data is found, such as relocating exposed files and folders to a secure location. Record what was moved from where: a database extract sitting on a desktop is usually the symptom of a business process that needs fixing, not just a file that needs moving.
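The discovery and remediation steps described in the preceding three paragraphs, as an added example that is not code from any product the column names: it walks a file share, reports files containing Luhn-valid card numbers (the PCI DSS-style check that keeps order numbers and other digit runs from being reported as cards), and moves each hit into a quarantine directory, leaving a stub behind. The share, its files, the `TEXT_SUFFIXES` list and the quarantine layout are constructed for this example.

```python
"""Content discovery for card numbers (PANs) across a file share, with quarantine.

Added example, not code from any product the column names. It walks a
directory tree, reports files containing Luhn-valid 13-19 digit numbers and
moves each hit into a quarantine directory, leaving a stub behind. The file
share below is constructed in a temporary directory.
"""
import re
import shutil
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Formats this example reads as text; office and binary formats need a parser (or a DLP product) first.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".sql", ".json", ".xml", ".eml"}


def luhn_valid(digits):
    """Luhn mod-10 check digit test that every issued card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Luhn-valid PANs in text, digits only, in order of appearance."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_tree(root):
    """Map each readable text file under root to the PANs it contains (hits only)."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            pans = find_pans(path.read_text(errors="replace"))
        except OSError:
            continue
        if pans:
            findings[path] = pans
    return findings


def quarantine(findings, root, quarantine_dir):
    """Move each flagged file under quarantine_dir, leaving a stub that says where it went."""
    moved = []
    for path in findings:
        dest = quarantine_dir / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        path.write_text(f"Moved to quarantine: {dest}\nContact the security team for access.\n")
        moved.append((path, dest))
    return moved


def demo():
    """Build a constructed share, scan it and quarantine the hits; returns both results."""
    base = Path(tempfile.mkdtemp(prefix="dbmap-"))
    share, qdir = base / "share", base / "quarantine"
    (share / "finance").mkdir(parents=True)
    (share / "finance" / "refunds.csv").write_text(
        "customer,card,amount\nacme,4111 1111 1111 1111,42.00\nbeta,5500-0000-0000-0004,9.99\n")
    (share / "notes.txt").write_text("amex on file for the demo account: 378282246310005\n")
    # Same shape as a card number but fails Luhn: must not be reported.
    (share / "orders.txt").write_text("order 1234567890123 shipped; tracking 4111111111111112\n")
    findings = scan_tree(share)
    return findings, quarantine(findings, share, qdir)


if __name__ == "__main__":
    findings, moved = demo()
    for path, pans in findings.items():       # print masked, never the full PAN
        print(f"{path}: {len(pans)} PAN(s), e.g. {pans[0][:6]}******{pans[0][-4:]}")
    for src, dest in moved:
        print(f"moved {src} -> {dest}")
```

The report masks the numbers it found; a discovery scan that writes full card numbers into its own log has just created another copy to clean up. The stub left at the original path is what lets you trace the copy back to the process or user that produced it.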
There are plenty of monitoring tools available that can record when and how data leaves through one of a network's egress points, and can identify the protocol or port used. This information helps identify and rectify incorrectly configured perimeter defenses, fix business processes that leak or expose data, and stop inappropriate user behavior or malicious activity.
Because two of the most common channels of data loss are email and the Web, monitoring outbound messages and posts is vital; note that outbound HTTPS and encrypted mail cannot be inspected at the perimeter without TLS interception or an endpoint agent. Having insight into the source and destination of a file, and the user or application moving it, also provides valuable data points when strengthening defenses. Many products can detect unusual behavior, such as small amounts of confidential data being sent over multiple communications channels or over an extended period of time, which a simple per-transfer size threshold would never trigger on.
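The egress monitoring and anomaly detection described in the two paragraphs above, as an added example that is not code from any product the column names. It assumes an inspection point (web proxy, mail gateway or DLP sensor) that logs one line per outbound transfer with a content-match tag; the log format, the `match=` values, the users and addresses in `SAMPLE_LOG`, and the thresholds are all constructed for this example.

```python
"""Egress monitoring over constructed outbound-transfer log lines.

Added example, not code from any product the column names. The log format and
the match= tag are constructed; an encrypted channel only yields a usable tag
if TLS is intercepted or an endpoint agent reports the transfer.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-01-14T08:55:10Z user=amy src=10.0.1.10 dst=198.51.100.20 dport=443 proto=https bytes_out=812000 match=none
2014-01-14T09:02:11Z user=bob src=10.0.1.25 dst=203.0.113.7 dport=443 proto=https bytes_out=18432 match=pan
2014-01-14T10:00:00Z user=carol src=10.0.1.30 dst=203.0.113.50 dport=21 proto=ftp bytes_out=4200000 match=pan
2014-01-14T10:05:00Z user=dave src=10.0.1.31 dst=192.0.2.10 dport=443 proto=https bytes_out=15000 match=pan
2014-01-14T11:40:03Z user=bob src=10.0.1.25 dst=203.0.113.9 dport=25 proto=smtp bytes_out=9120 match=pan
2014-01-14T14:15:44Z user=bob src=10.0.1.25 dst=203.0.113.7 dport=443 proto=https bytes_out=21000 match=pan
2014-01-14T17:58:30Z user=bob src=10.0.1.25 dst=198.51.100.53 dport=53 proto=dns bytes_out=3100 match=pan
2014-01-15T09:10:02Z user=bob src=10.0.1.25 dst=203.0.113.9 dport=25 proto=smtp bytes_out=7700 match=pan
"""

BULK_BYTES = 1_000_000                          # one tagged transfer this large is an alert by itself
MIN_CHANNELS = 3                                # ...or tagged content spread over this many channels
MIN_EVENTS, MIN_SPAN = 4, timedelta(hours=12)   # ...or drip-fed in small pieces over a long period


def parse_log(text):
    """Parse `timestamp key=value ...` lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        ev["bytes_out"] = int(ev["bytes_out"])
        events.append(ev)
    return events


def egress_inventory(events):
    """Bytes leaving per (protocol, port): the egress channels actually in use."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev["proto"], ev["dport"])] += ev["bytes_out"]
    return dict(totals)


def detect(events):
    """Flag bulk exfiltration and low-and-slow leakage of tagged content, per user."""
    alerts = []
    small = defaultdict(list)       # user -> tagged transfers below the bulk threshold
    for ev in events:
        if ev["match"] == "none":
            continue
        if ev["bytes_out"] >= BULK_BYTES:
            alerts.append({"user": ev["user"], "rule": "bulk",
                           "detail": f"{ev['bytes_out']} bytes tagged {ev['match']} "
                                     f"via {ev['proto']}/{ev['dport']} to {ev['dst']}"})
        else:
            small[ev["user"]].append(ev)
    for user, evs in small.items():
        evs.sort(key=lambda e: e["ts"])
        channels = {(e["proto"], e["dport"]) for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        if len(channels) >= MIN_CHANNELS or (len(evs) >= MIN_EVENTS and span >= MIN_SPAN):
            total = sum(e["bytes_out"] for e in evs)
            alerts.append({"user": user, "rule": "low-and-slow",
                           "detail": f"{len(evs)} transfers totalling {total} bytes "
                                     f"over {len(channels)} channel(s) in {span}"})
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (proto, port), total in sorted(egress_inventory(evs).items()):
        print(f"{proto:<6} {port:>5}  {total:>9} bytes out")
    for a in detect(evs):
        print(f"ALERT {a['rule']:<12} {a['user']:<6} {a['detail']}")
```

In the sample, carol trips the bulk rule with one FTP upload, while none of bob's five transfers is individually large enough to matter; only aggregating per user across HTTPS, SMTP and DNS over a day makes that pattern visible. dave's single small transfer is not flagged, and amy's large but untagged upload appears only in the egress inventory, which is the starting point for reviewing which channels the perimeter should allow at all.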
Finally, when evaluating products, weigh the completeness of the reports each produces during these processes, as well as the intuitiveness of its management dashboard.
This was first published in January 2014