I am very much interested in anything that helps an organization get a handle on the kinds of “attacks” this device is intended to detect.
My first reaction when I read “The current version of the Symantec appliance does not actually block suspicious queries — it simply monitors and reports on what the database is up to — but that feature is being considered for a future version…” was: Wow, doesn’t that make this a pretty useless piece of tech then?
However, when I think back on all the customers with whom I’ve worked, I’ve found that most of them are happy enough to be able to detect unauthorized behaviour. Sure, if preventative controls cost no more (time, effort, resources, usability) than the equivalent detective control, they’d be happy to use that instead. However, most of us have had enough experience with “prevention is the only path to security” approaches to understand that preventative security can only guarantee that it’ll block some form of intended usage, and that (as Schneier so often points out) the bad guys will always find some other way to accomplish their goals, if they’re determined enough.
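To make the “monitor and report” versus “block” distinction concrete, here is an added example (not from the post, not Symantec’s product, and not a description of how the appliance works): a toy database activity monitor in Python that scores each query against a small policy and either only reports its findings or also refuses the query, depending on the mode. The policy tables, rule names, business-hours window and audit events are all constructed for illustration.

```python
"""
Added example (constructed for this post, not Symantec's product): a minimal
database activity monitor. Each audit event is checked against a few
detective rules; in "monitor" mode the findings are only reported, in
"block" mode a flagged query is also refused. Policy data and sample
events are constructed, not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime
import re

# Constructed policy: which accounts are expected to read which tables,
# which tables are sensitive, and the hours in which access is normal.
ALLOWED_ACCESS = {
    "app_svc": {"orders", "customers"},
    "report_svc": {"orders"},
}
SENSITIVE_TABLES = {"customers", "payment_cards"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time

# Naive table extraction; enough for the single-table SELECTs used here.
TABLE_RE = re.compile(r"\bfrom\s+([a-z_]+)", re.IGNORECASE)


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    src_ip: str
    sql: str


@dataclass
class Verdict:
    event: AuditEvent
    findings: list = field(default_factory=list)
    blocked: bool = False


def inspect(event: AuditEvent) -> list:
    """Return the names of the rules that fire for one query (empty = clean)."""
    findings = []
    m = TABLE_RE.search(event.sql)
    table = m.group(1).lower() if m else None
    allowed = ALLOWED_ACCESS.get(event.user)
    if allowed is None:
        # Account not in the policy at all: the "found another account" case.
        findings.append("unknown_account")
    elif table and table not in allowed:
        # Known account reaching beyond what it normally touches.
        findings.append("table_not_permitted_for_account")
    if table in SENSITIVE_TABLES and "where" not in event.sql.lower():
        # Whole-table read of sensitive data (no row restriction at all).
        findings.append("bulk_read_of_sensitive_table")
    if event.ts.hour not in BUSINESS_HOURS:
        findings.append("outside_business_hours")
    return findings


def evaluate(events, mode="monitor"):
    """mode='monitor' reports only; mode='block' also refuses flagged queries."""
    verdicts = []
    for ev in events:
        f = inspect(ev)
        verdicts.append(Verdict(ev, f, blocked=(mode == "block" and bool(f))))
    return verdicts


def summarize(verdicts):
    """Compact view of the verdicts: (user, sorted findings, blocked)."""
    return [(v.event.user, sorted(v.findings), v.blocked) for v in verdicts]


# Constructed audit events: one normal query, one abnormal use of a known
# account, and one query from an account the policy has never seen.
SAMPLE_EVENTS = [
    AuditEvent(datetime(2005, 6, 1, 10, 15), "app_svc", "10.0.1.5",
               "SELECT name FROM customers WHERE id = 42"),
    AuditEvent(datetime(2005, 6, 1, 23, 40), "report_svc", "10.0.1.9",
               "SELECT * FROM customers"),
    AuditEvent(datetime(2005, 6, 1, 11, 0), "dba_tmp", "10.0.9.77",
               "SELECT * FROM payment_cards"),
]

if __name__ == "__main__":
    for mode in ("monitor", "block"):
        print(f"--- mode={mode} ---")
        for user, findings, blocked in summarize(evaluate(SAMPLE_EVENTS, mode)):
            print(f"{user:12} blocked={blocked!s:5} findings={findings}")
```

In monitor mode every query reaches the database and the second and third events simply produce alerts; in block mode the same two queries are refused. The rules are deliberately simple, and the point is that the detective half (the findings) is identical in both modes; blocking only changes what is done with them.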
Such as: if you block unauthorized use through a database “intrusion prevention” appliance, the bad guys will then try other attack vectors such as:
- escalating the privilege of an account that doesn’t start with sufficient privilege
- finding an account that does have sufficient privilege and breaking its password
- finding an alternate path to the database that doesn’t go through the database IP appliance
- cracking the appliance (sure, of course it’s impregnable, but…)
- DoS’ing the appliance (say if nothing else worked, and they’re just frustrated enough to want to do *some* harm)
Bottom line: I like the thinking that went into Symantec’s database security appliance, and I hope to see more creative ideas like this in the future. As the article said, “…enterprise users are becoming increasingly focused on data security and regulation compliance.” [emphasis mine]