In December 2018, DSTA implemented Database Intrusion Detection Systems (DBIDS) in the Operations Support IT (OSIT) network for MINDEF and the SAF.
The systems provide a holistic overview of database security and threat protection solutions for the OSIT network. Apart from real-time data activity monitoring, they also enable a tamper-proof audit trail to secure the logs of the databases.
In particular, the systems allow real-time alerts for MINDEF’s Cyber Operations, Sensing, Monitoring and Investigation Centre (COSMIC), to detect any unauthorised access, data leakage, data tampering, vulnerability exploits and anomalous activities in the databases. To deliver these capabilities at an optimal level, the DSTA team spent significant engineering efforts in the tuning of security policies and rules, to filter false positives generated from in-house and COTS applications.
Given the diverse data in MINDEF’s IT environment, the team developed customised configurations to extend intrusion detection capabilities to unstructured data, which were unavailable in the market. The DBIDSs were then integrated with existing security systems in the OSIT network, facilitating end-to-end database forensic investigations to be conducted seamlessly if required.
The approach to monitor, learn and fine-tune based on the unique access behaviour and patterns of the database activities has improved the accuracy of threat detection, allowing COSMIC to detect and respond more effectively to security incidents in its networks.
The principles and concepts developed for database threat detection are product agnostic and can be applied to new networks and IT systems. As data security becomes increasingly important to mission success, the DBIDSs will be an important component in delivering secure IT systems to enhance cyber defence capabilities.