Monitoring mission critical data for integrity and availability

MONITORING MISSION CRITICAL DATA FOR
INTEGRITY AND AVAILABILITY


Michael Gertz
Department of Computer Science, University of California at Davis, CA USA
[email protected]
George Csaba IPLocks Inc., San Jose, CA USA [email protected] Protecting the integrity, confidentiality, and availability of mission critical data is one of the primary objectives shared among security/risk management and IT departments in various vertical industries, government, and research. Standard techniques to realize these objectives are often confined to network and host-based intrusion detection systems, which are known to be inappropriate for handling security threats caused by insiders. This paper introduces the concept of data content, metadata and privilege monitoring systems as an additional line of defense against external and internal security threats. These systems, which are closely coupled with a database managing mission critical data, provide security/risk management and IT personnel with effective means for specifying, detecting, and responding to anomalous behavior of data and data accesses caused by users and applications. 1. INTRODUCTION
The ever-growing dependence of businesses on data and increasing customer demands for more functionality to operate and utilize data has become a major challenge for security/risk management and IT personnel in charge of protecting data against various security threats. A primary security objective, in such businesses, is to guard mission critical data against breaches of integrity, availability, security and confidentiality, and thus prevent serious financial losses, damage to the reputation of the business, and legal or regulatory problems. In this paper, data integrity is concerned with actions against data that might result in incorrect or incomplete data. The focus in the context of data availability is to ensure that data is available when needed. Finally, data confidentiality is concerned with mechanisms aimed at preventing the release of and access to critical data to non-authorized users. In order to address these security concerns, which are well understood in practice and theory, today’s businesses employ a variety of techniques to ensure the above objectives. Besides role and access based security mechanisms provided by commercial database management systems (DBMS) [3], the most prominent type of technique is the usage of intrusion detection systems (IDS) [1,4,6,7]. Such systems typically operate on the network or operation system layer, resulting in so-called network and host-based intrusion detection systems, respectively. While these systems have gained quite some popularity in recent years, it is also well known that they only offer a part of the solution to the above security problems. In particular, as recent reports clearly indicate [1,9], IDS are an effective means to guard an information system infrastructure against external security threats but they are insufficient when it comes to dealing with internal security threats. That is, in case of authorized users who have legitimate access to data, IDS are typically not capable of detecting and/or preventing such users from tampering with the integrity, availability and confidentiality with the data. This problem is well known in the literature as insider problem [2,8]. What is needed is a framework that adds another layer of security mechanisms to existing IDS. Ideally, this layer should be as close to the DBMS managing the mission critical data as possible, and it should provide security, risk management and IT personnel with effective means to guard the data against various security threats. Compared to the above mentioned systems, this layer then is “data centric” in the sense that it observes and analyses the behavior of the data rather than directly the behavior of users. Naturally, such an approach seems reasonable in many practical application scenarios, for example, where applications share database accounts and thus simple auditing/logging at the database level does not provide sufficient information about insider misuse. In this paper, we present the philosophy and techniques underlying different audit system modules developed by IPLocks Inc. a leading vendor in non-intrusive, cross platform database vulnerability monitoring and assessment for mitigating information risk from security policy violations, malicious acts, data corruption and information theft. The objectives of IPLocks modules are to provide security personnel with system components that allow for the specification and analysis of the behavior of mission-critical data managed in a relational DBMS. During normal operation of the DBMS, these systems collect a variety of information about the data managed by the DBMS, establish profiles, and compare these profiles against the behavior of the data in order to determine possible vulnerabilities and security breaches. A major aim of these systems is to minimize the impact of data collection and auditing activities on the operational database and to secure the system components and collected data in a system separate from the production database. In Section 2, we describe IPLocks Content Monitor whose main function is to determine and analyze the behavior and characteristics of mission critical data managed in a DBMS. Section 3 discusses a similar approach in the context of metadata utilized by the DBMS in accordance with IPLocks Metadata Monitor. Section 4 outlines IPLocks Privilege Monitor and how information about accesses to the data is collected and analyzed. IPLOCKS CONTENT MONTOR
Security breaches are often not detected until a user or customer discovers incorrect, incomplete, or unavailable data during normal operations against a production database. Another observation is that although databases are designed with sufficient security mechanisms, these mechanisms are not kept up-to-date in the presence of new applications, users, and requirements, thus resulting in vulnerabilities malicious users can exploit. Rather than monitor the behavior of applications and users in a relatively dynamic environment, making any monitoring and auditing strategy inherently complex, the objective of IPLocks Content Monitor module is to learn and analyze the behavior of mission critical data as a starting point for discovering vulnerabilities and required security mechanisms. Deviations of the data characteristics from what has been learned or specified result in user specified actions. Given a production database, IPLocks Content Monitor is implemented as follows. First, the portion of the database containing mission critical data is identified. That is, security/risk management and IT personnel, in cooperation with the database administration, identify those relations in the database that play a crucial role in serving applications and business needs and whose integrity cannot be restored easily. Often such relations can be identified by analyzing mission critical applications or the sensitivity of data as prescribed by regulations and laws. The specification of mission critical data can occur at different levels of granularity, ranging from a group of relations to individual attributes in one or more relations. In this initial phase, the next step then is the analysis of the specified relations and attributes in terms of data characteristics. The analysis employs statistical methods. The outcome of the analysis of mission critical data not only provides for an appropriate setup for IPLocks Content Monitor but also provides security/risk management and IT personnel with important information about the characteristics of the data they are concerned about. For example, the analysis can reveal the existence of “out of bound” data showing properties that do not conform to what is assumed or expected. Data visualization tools provide security/risk management and IT personnel with an important means to inspect such data characteristics. Before initiating the audit cycle on the mission critical data based on the observed (static) characteristics, it is very important to make sure that the data to guard against security breaches are cleaned. In that respect, the setup for IPLocks Content Monitor also provides for a comprehensive model to identify data that needs to be cleaned. It is important to note that for determining security threats to the data and insider misuse in particular, it is crucial that the data to be monitored are in a “consistent state” and that the characteristics obtained from the data reflect what is expected from the data. Otherwise any data monitoring or auditing approach would operate on incorrect data (characteristics) and thus would probably result in a high number of false positives, indicating a security breach. The properties of the data analyzed are specified in the form of data profiles that describe security policies. With each profile, a set of so-called guard bands is associated. Guard bands basically describe the admissible behavior of the data (groups) and can be either user-specified or derived during the learn and guard cycle discussed below. With a guard band an action is associated that is taken once a violation of the policy has been determined during subsequent guard cycles. It is interesting to note that such profiles, including guard bands and actions, can be considered as soft integrity constraints on data or groups of data. Unlike hard integrity constraints, which typically specify semantic, domain, or foreign key constraints on relations, a violation of a soft constraint does not cause an abort of the violating transaction but a user specified action, such as an email notification, sent to the appropriate personnel. Once data profiles and guard bands have been specified, the guard and learn cycle starts. During this cycle, modifications to the mission critical data are periodically monitored and the modified data (inserted, updated, and deleted tuples) are compared to the previously determined characteristics of the data. There are three important key issues in this cycle. First, the period to monitor or check the data of concern needs to be determined. The different approaches supported by the audit systems and their performance impact are discussed in Section 5. Second, the newly computed data characteristics need to be efficiently compared against the data profiles and guard bands previously determined. Data profiles and information about guard bands and actions are kept separate from the production database, not only for security reasons but also for performance reasons. Third and most importantly, data values (attribute values, number of tuples in a group, data distribution etc.) can evolve over time. Thus, guard bands need to be adjusted appropriately to account for data behavior that lies within specified boundaries. For example, if the maximum value of an attribute gradually increases over time within a specified guard band, this boundary value needs to be updated in the data profile. While the guard component of the cycle is responsible for comparing data characteristics, the learn component of the cycle is responsible for adjusting profiles and guard bands. Different statistical analysis modules are employed to distinguish between anomalous data behavior violating (dynamic) band conditions, and dynamics of the data within the specified or recently learned boundaries. In summary, IPLocks Content Monitor can be understood as a “data centric” anomaly detection system that (1) adjusts automatically to the dynamics of the data characteristics if these characteristics are within learned or specified boundaries, and (2) performs user specified actions in case newly discovered characteristics of the data violate known properties of the data, as specified in the data profiles. During the learn and guard cycle, boundaries and monitoring periods can be adjusted by the user, depending on what has recently been learned about the data and how the workload on the data changes over time. IPLOCKS METADATA MONITOR
The IPLocks Metadata Monitor focuses on detecting metadata changes in mission critical business applications. The term metadata has slightly different meanings in the business and database contexts. Business metadata concerns definitions of objects in business processes that may be represented differently in different applications and databases. Database metadata is all data about the physical and logical layout of the production database, database schemas, stored procedures, and in particular roles, access privileges, and resources. Such metadata is typically managed within the data dictionary of a database and requires special access privileges in order to manipulate the data (typically through data definition language statements). For the purpose of this paper, metadata will coincide within the context of database metadata. The function of IPLocks Metadata Monitor is to analyze and detect possible security threats, application vulnerabilities due to metadata changes. For example, a database administrator might intentionally or unintentionally change application structures during business hours which circumvent the concept of “best practices”. A similar scenario occurs when an application is outsourced and maintaining party makes unauthorized changes in the application. IPLocks Metadata Monitor can detect anomalous events and facilitate administrators or developers point out possible vulnerabilities introduced by performing administrative tasks on the database. The configuration of the metadata management system heavily depends on the underlying production database since different commercial database management systems (DBMS) have different names for data dictionary views and tables and they also differ in terms of what metadata is provided in the data dictionary. Although today’s commercial DBMS often have several hundred data dictionary views and tables, only a fraction of these might be relevant. Similar to the setup of IPLocks Content Monitor, the security/risk management and IT personnel selects respective data dictionary views that are considered to be important. Depending on the underlying DBMS, IPLocks Metadata Monitor provides the security/risk management and IT personnel with the respective data dictionary views and tables. In particular, monitoring metadata should preferably occur in real time since anomalous behavior of the metadata can have a much more severe impact on the data managed by the database. IPLOCKS PRIVILEGE MONITOR
IPLocks Content Monitor introduced in one of the previous sections provides security/risk management and IT personnel with effective means to associate data anomaly detection mechanisms with a production database. In particular, these systems appropriately address the aspects of data integrity and availability. They do not, however, fully address the aspect of data security. A typical case of where data security is violated is when a database administrator might unintentionally or intentionally assign database privileges to a user who can exploit these privileges and gain access to data not accessible previously. A similar scenario occurs when the administrator revokes an access privilege from an application or user, resulting in unavailable data for the application. Independent of whether granting such access was intend or not, observing the behavior of the metadata that records access privileges is crucial. It is the purpose of IPLocks Privilege Monitor to allow security personnel a mechanism to conduct a database privilege assessment on a specific system, determine compliance with database specific best practices and start monitoring for privilege changes. For example, the discovery of multiple or untypical access privileges for a user/role, indicating a violation of the principle of minimal access privileges. In such cases, the metadata needs to be “cleaned”, meaning that access privileges are adjusted to what is currently known about necessary and sufficient privileges for a user/role to operate on the database. Only after such a cleaning, profiles are determined that specify the typical characteristics (signature) of users. Best practices are defined based on known vulnerabilities of mainstream databases. Default accounts need to be removed from a database, because those known accounts could be easily accessed by malicious insiders or external users. In IPLocks Privilege Monitor, security/risk management and IT personnel choose a frequency in which privilege changes are monitored. This frequency should be adjusted to the specific customer environment based on number of users/roles in the database and the frequency of adding new users to the application. Information about database users/roles which are allowed perform operations on the selected relation/object is obtained from the data dictionary. 5. CONCLUSIONS
In this paper, we have presented the components and functionality of IPLocks data content, metadata and access monitoring systems that provide security/risk management and IT personnel with flexible means to specify, analyze, and react on anomalous data and access behavior in database systems. IPLocks can be used in different context, ranging from monitoring mission critical relations to monitoring metadata related to schema and privilege changes. The monitoring mechanisms can be adjusted based on the availability of resources and mechanisms in the underlying production database. IPLocks Content Monitor, Metadata Monitor and Privilege Monitor system presented in this paper provide security/risk management and IT personnel with an additional layer of mechanisms that guard mission critical data against common security threats, with a particular focus on insider misuse. As a long term goal, businesses should not only focus on database intrusion detection system but also on IPLocks as a tool to detect vulnerabilities in production databases and to suggest repairs of such vulnerabilities, modified access privileges and usage of database roles. REFERENCES
[1] Ant Allan: Intrusion Detection Systems (IDSs): Perspective. Gartner Research Report DPRO-95367, Technical [2] Robert Anderson: RAND Corporation. Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Information Systems. Conference Proceedings CF-151-OSD, 1999. [3] Silvana Castano, Mariagrazia Fugini, Giacarlo Martella, Pierangela Samarati: Database Security, Addison-Wesley, [4] Dorothy E. Denning: An Intrusion-Detection Model. IEEE Transactions on Software Engineering 13(2):222-232, [5] Tom Fawcett, Foster J. Provost: Combining Data Mining and Machine Learning for Effective User Profiling. In Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD 1996), 8-13, AAAI Press, 1996. [6] Wenke Lee, Salvatore J. Stolfo: A Framework for Constructing Features and Models for Intrusion Detection Systems. ACM Transactions on Information and System Security 3(4):227-261, 2000. [7] John McHugh: Intrusion and Intrusion Detection, International Journal of Information Security, 1(1):14-35, 2001. [8] Peter G. Neumann: The Challenges of Insider Misuse. Prepared for the Workshop on Preventing, Detecting, and Responding to Malicious Insider Misuse 16-18 August 1999, at RAND, Santa Monica, CA, http://www.csl.sri.com/users/neumann/pgn-misuse.html [9] Richard Power: 2002 CSI/FBI Computer Crime and Security Survey. Computer Security Issues &Trends, Vol. 8, No. 1, Spring 2002, Computer Security Institute, 2002. [10] Dit-Yan Yeung, Yuxin Ding: User Profiling for Intrusion Detection Using Dynamic and Static Behavioral Models. In Advances in Knowledge Discovery and Data Mining, 6th Pacific-Asia Conference (PAKDD 2002), 494-505, LNCS 2336, Springer, 2002.

Source: http://www.iplocks.co.jp/en/whitepapers/Gertz%20%20Monitoring_Mission_Critical_Data_for_Integriy_Availability.pdf