Database extrusion prevention products are a bit of a cross between an intrusion prevention system (IPS) and a network behavior anomaly detection (NBAD) system. You may hear them referred to as database firewalls, but this doesn't really convey their full capabilities; they can block known attacks, prevent unauthorized access based on user roles and detect abnormal user activity. In order to control data movement, many products require a tuning period, where baselines can be set to profile and measure regular user behavior. The setup can then be adjusted to fit changing business or user needs. For example, if a user or Web application starts requesting an abnormal amount of data, the database extrusion detection product can block the request or alert an administrator who can decide whether to adjust the rule set or investigate the incident further.
Database extrusion prevention products are deployed in one of two ways: inline or out-of-band. Inline products are placed directly between the database server and the switch port, while out-of-band varieties require the use of a switched port analyzer (SPAN) port on the switch. SPAN ports analyze traffic to and from the database server. Database extrusion prevention products can stop attacks by dropping the network connection between the attacker and the database server, or by dropping malicious traffic before it reaches the database server.
Obviously, there can be a problem with false positives, and legitimate traffic may be accidentally blocked. Reducing this problem requires the database extrusion prevention product to be flexible and provide detailed reporting. Also, system administrators need to evaluate the risks of blocking legitimate business processes against the impact and costs of a possible data leak.
There are several well-known vendors in this field, such as Application Security Inc., Imperva Inc. and Symantec Corp. Although it is a relatively new technology and certainly isn't cheap, database extrusion prevention can certainly help fulfill compliance requirements, such as documenting access, separating duties and auditing user activity. Another similar technology you may also want to explore is extrusion detection, which takes advantage of the visibility that a system has of its own state. These products analyze the content and payload of all network traffic in real time, and they do so on all channels, such as HTTP, FTP, instant messaging, Internet relay chat, and P2P channels.
Dig Deeper on Data security strategies and governance
Related Q&A from Michael Cobb
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.