How to detect suspicious activity in databases till information gets exported
23.06.2020Back to blog list
As SearchInform releases Database Monitor we want to detail the way to use the DAM solution so that violating access rights and making changes to sensitive documents become transparent for those responsible for risk mitigation and data protection.
The software will help you detect:
- Changes made to critical data in order to blackmail or commit fraud
- Data deletion
- Information leakage or unauthorised copying
- As databases represent the core assets of a business, they are always in demand.
Here are some real life cases from different industries.
An employee of the telecom service center accessed the database, re-issued customer SIM cards in order to withdraw money. The violator searched subscribers in the database who had more than 100 dollars in the account, forged a subscriber’s application in which it was asked to create an additional card to the personal account. Then the manager accessed the database, carried out some operations and tied a new SIM card to the subscriber’s personal account. Then he inserted the SIM card into his phone, sent a USD request (4 digits) for withdrawing money from the account and sent it to his personal account. He would begin with small amounts and wait for the reaction of the security service. And if there was no reaction, he withdrew the entire amount from the personal account. The damage amounted to nearly 10 000 dollars.
A sales director was going to quit and take contractors’ data, product information, prices, commercial outcome details with her to a new job. This information was copied from a database, exported data was saved as files on her computer. She sent documents by corporate email to her personal mailbox and to the email of the competitor she was going to work for.
A manager increased the limit of his own payment card several times in the software for working with cards, later he did the same to the card of his accomplice. The amount was moderate but soon went up to 370 000 dollars. The accomplice helped withdraw money and purchased six cars (Audi, Volvo, Mercedes-Benz), gold bars, mobile phones and jewelry. The insider wasn’t identified straight away, as the accomplice didn’t try to turn him in.
These cases were investigated when the crime had been already committed (when information had been copied or even breached). Companies usually implement control at the level of DBMS in order to detect suspicious activity when a user only attempted to access a database. It is quite a complicated way of detecting incidents. It takes a specialist a lot of time to investigate an incident. DAM solutions don’t have such issues.
Let’s have a look at the functionality which is available in the launched Database Monitor.
The software controls all the requests sent to databases and responses, identifies users who try to access a database and work (open, change, copy) with the information stored in it. User requests and SQL-server responses go through a proxy server and are recorded into a temporary storage which then gets indexed.
Search and demonstration of results after detection of requests to databases are carried out in the client application if done “manually”.
A specialist responsible for security can create reports within any time period which show:
- Account activity of applications connected to databases
- Requests to databases
- Request statistics
Monitoring can be automated and configured so that you can see detected requests and responses. A specialist will be alerted to the policy violation, for example, if a big amount of data is exported or a VIP customer database is accessed.
The solution can be integrated into other already installed systems, such as SearchInform Risk Monitor, FileAuditor, SIEM. Like this Database Monitor ensures comprehensive protection of IT infrastructure at any level (end user, file system, databases) and allow for a faster incident detection. It makes a violation identification possible when it is not committed yet: at the moment of a request to a database (including a request outside the company), storing on the workstation, data transfer.