Database extrusion prevention products are a bit of a cross between an intrusion prevention system (IPS) and a network behavior anomaly detection (NBAD) system. You may hear them referred to as database firewalls, but this doesn't really convey their full capabilities; they can block known attacks, prevent unauthorized access based on user roles and detect abnormal user activity. In order to control data movement, many products require a tuning period, where baselines can be set to profile and measure regular user behavior. The setup can then be adjusted to fit changing business or user needs. For example, if a user or Web application starts requesting an abnormal amount of data, the database extrusion detection product can block the request or alert an administrator who can decide whether to adjust the rule set or investigate the incident further.
Database extrusion prevention products are deployed in one of two ways: inline or out-of-band. Inline products are placed directly between the database server and the switch port, while out-of-band varieties require the use of a switched port analyzer (SPAN) port on the switch. SPAN ports analyze traffic to and from the database server. Database extrusion prevention products can stop attacks by dropping the network connection between the attacker and the database server, or by dropping malicious traffic before it reaches the database server.
Obviously, there can be a problem with false positives, and legitimate traffic may be accidentally blocked. Reducing this problem requires the database extrusion prevention product to be flexible and provide detailed reporting. Also, system administrators need to evaluate the risks of blocking legitimate business processes against the impact and costs of a possible data leak.
There are several well-known vendors in this field, such as Application Security Inc., Imperva Inc. and Symantec Corp. Although it is a relatively new technology and certainly isn't cheap, database extrusion prevention can certainly help fulfill compliance requirements, such as documenting access, separating duties and auditing user activity. Another similar technology you may also want to explore is extrusion detection, which takes advantage of the visibility that a system has of its own state. These products analyze the content and payload of all network traffic in real time, and they do so on all channels, such as HTTP, FTP, instant messaging, Internet relay chat, and P2P channels.
Dig Deeper on Data security strategies and governance
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.