By using website you agree to our use of cookies as described in our cookie policy. Learn More

TDWI Upside - Where Data Means Business

How AI Helps Enterprises Avoid Insider Threats and Compromised Credentials

Stolen credentials pose a serious threat to your database security. New approaches involving machine learning and behavioral analysis might hold the solution.

Many consider the biggest insider threat to be employees trying to damage the organization or seeking personal profit by leaking proprietary information. Although this represents a credible danger, cybersecurity experts see insider threat in a risk category that is much more significant -- malicious outsiders stealing and using legitimate credentials to mine valuable data from information systems.

Insider threats have grown to become an enormous risk for nearly every organization across all industries. In the 2016 Osterman Research Survey, "Identifying Critical Gaps in Database Security," "stolen database credentials" was ranked as the primary database security threat.

Because databases house the most important information, organizations are increasing their investments in technologies to secure their databases and database infrastructure. To protect databases from attackers using stolen credentials, enterprises are beginning to adopt a new security approach -- machine learning and behavior analysis.

Uncovering Stolen Credentials

Most organizations lack the security tools to identify the difference between a legitimate user and an attacker with stolen database credentials. Some identity and access management (IAM) tools look for context -- for example, they will alert the enterprise to a database login attempt that originates from an atypical IP address. Unfortunately, through attack obfuscation an attacker may appear to originate from a legitimate IP address.

Once an attacker has access with legitimate credentials, they're basically an insider. At this point, security information and event management (SIEM) tools and security measures have proven to offer little protection. A database activity monitor (DAM) could detect unusual activity if configured properly, but agent-based DAMs can be finicky and expensive tools that are difficult to configure, and the agent must be installed on every database. Most organizations don't even know how many databases they have running. With such a large attack surface, hackers can easily attack unmonitored databases and access sensitive information.

Security analysts watching for indicators of compromise would seem to be a reasonable solution. However, information security teams are chronically understaffed. The 2016 Osterman Research report also found that 47 percent of companies don't have an individual or team specifically assigned to database security. In an organization with thousands of users and databases, no amount of human effort could reasonably be expected to detect a malicious insider.

Introducing the Data Flow Model

Analysis of authorized insiders with legitimate credentials shows they tend to use the network in a rather predictable manner, usually accessing the same database tables from the same endpoint. An intruder's network activity will differ significantly from legitimate users' baseline actions.

Detecting the activity differences between a legitimate insider and an attacker using compromised credentials is a challenge in today's networks. However, it is an area where deep protocol analysis, machine learning, and behavioral analysis forms of artificial intelligence are proving invaluable for security operations teams.

Machine learning and behavioral analysis can identify insider threats by building a model of normal operations of the data flows in the database infrastructure. In this context, the term data flow refers to the attributes required to sufficiently understand and model database usage patterns. For example, a database client will access a table by specifying the server, database, schema, and table name, and do so in read or write mode. Further, they will use a specific context -- e.g., their client IP address, username, database management system port number, and service name.

In some respects this is a logical extension of the widely popular NetFlow model but operating with much more database-specific insight. Data flows traditionally remain consistent among users and applications, allowing machine learning and behavioral analysis technologies to create a baseline of normal database operations.

Machine Learning and Behavioral Analysis

Machine-learning security appliances that can non-intrusively discover all databases, including databases that a manual audit might miss, are a new approach to protecting organizations from stolen database credentials and insider threats. By identifying all databases and analyzing their data flows, these appliances will automatically create a baseline model of legitimate activity.

Using behavioral analysis to compare new data flows against the model enables these appliances to identify and alert enterprises to the actions of an attacker who is using stolen credentials. This improved strategy provides security operations staff all the information necessary to identify the threat and thwart the attack. In addition, this approach is now field proven to be extremely accurate with very little chance of false-positive alerts.


Hackers steal database credentials to gain unauthorized access to what should be some of the most secure data on Earth. Information security experts need next-generation tools to rapidly identify such insider threats. Emerging approaches analyze and provide deep insights into all data flows throughout the database infrastructure. Enterprises can then apply machine learning and behavioral analysis to immediately identify compromised credentials so confidential data can be protected.

About the Author

Dave Rosenberg is DB Networks’ CTO of products. He is responsible for leading the advanced technical research and patent development. Prior to this, Dave served as VP of engineering at WireCache, where he and his team developed the industry’s first general-purpose Oracle database accelerator appliance. Dave earned his B.A. in Mechanical Engineering/Fluid Mechanics from UC Berkeley and served in the Air Force for six years, where he earned his M.S. in Astronautical Engineering from the Air Force Institute of Technology. (Yes, he is a rocket scientist!)

TDWI Membership

Accelerate Your Projects,
and Your Career

TDWI Members have access to exclusive research reports, publications, communities and training.

Individual, Student, and Team memberships available.