By Adam Ely
December 18, 2010
No one likes to think about database breaches, but the fact is, they
happen. Rather than cross your fingers and hope for the best, create an
incident response plan ahead of time. Without a plan, you may destroy
critical evidence that could be used to prosecute the offender. You
might also overlook just how the incident occurred, leaving you exposed
to future breaches.
Log analysis is an essential component of an incident response plan.
You'll want to review logs from the compromised machine or machines and
from other sources, including network devices and access control
A number of log types--transaction, server access, application server,
and OS--can all provide valuable information to retrace what occurred.
If your database administrator has enabled transaction logs--and it's a
big if--start there because they're a rich source of information.
Your first goal is to understand what data has been extracted, which
will help you gauge the current risk to the company. Then examine what
else the attacker may have tried to do. As you review logs, look for
queries that would match the data known to be exported. If you don't
have any evidence to match against, gather up the database
administrator, application developer, and anyone else who knows normal
application and database activity. Get a conference room, display the
logs on a projector, and have them help you look for anomalies such as
unusual queries that applications or administrators wouldn't normally
Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.