In today's rapidly evolving financial landscape, maintaining data security posture and regulatory compliance are paramount for institutions handling sensitive financial information. A leading global, full-service investment banking and capital markets firm, with approximately $10B in annual revenue had a significant amount of transactional data in SQL Server. Maintaining Data Security Posture was critical since the transactional data contained sensitive information related to stock investments and finances. Safeguarding this data is not only a matter of preventing breaches but also adhering to stringent industry regulations such as FINRA and SOC, which demand robust security protocols and auditable data practices.

In this blog, we'll explore how TrustLogix provided a complete Data Security Posture from not only monitoring anomalous activities to tracking unauthorized data movements but also enabling ongoing compliance with evolving regulations.

The Challenge: Existing Toolset Limitations

Invasive and Proxy Based

Initially, the bank's security team relied on a traditional set of monitoring tools that used proxies and agents to oversee network traffic between data platforms and consumers.These tools were not built for high scale workloads and added performance overhead. The tools required routed the data through their proxies in order to manage data access and redaction, adding complexity w.r.t their data architecture and a potential threat vector if those tools were compromised (such as “man in the middle”). The security team required a solution that was non-invasive to underlying data platforms and pipelines, and could not see or touch the data itself.

Data Security Posture at Scale 

As the bank scaled, more lines of business (LOBs) were onboarded, which required even more comprehensive monitoring capabilities which existing toolset could not provide :   

   Are unapproved or non-whitelisted tools attempting connection, risking data being copied to unmonitored locations or deleting the data?
   Are unapproved or non-whitelisted IP Addresses attempting to login potentially causing compliance violations or data leakage?
5. Detect Suspicious Data Movement out of the SQL Server 
    Are there backups performed over data classified as sensitive to external systems? 
    Are unapproved or unlisted users copying sensitive data?

Additionally, the team sought a solution that could be customized to meet evolving security requirements. As business needs change, the bank needed the flexibility to create custom security controls and policies that could adapt to new threats or compliance mandates.

Ensuring Compliance and Risk Detection

The CISO team also struggled with audit efforts and timely compliance reports. They also wanted detected risks integrated with external Security Information and Event Management  systems.

The Solution : TrustLogix - A Cloud-Native, Non-Invasive Security Platform

Built as a cloud-native solution and designed as a non-invasive solution so it cannot see or touch the data itself, TrustLogix provides a Data Security Posture Management for SQL Server and other data platforms both Cloud and On-Premise. 

TrustLogix Monitoring Policies: Visibility into SQL Server Data Risks

TrustLogix offers a suite of monitoring policies that address various SQL data security risks. These policies track specific events and activities within SQL Server environments, offering detailed visibility into critical operations.

1. Detect Multiple Login Failures
   Monitors and alerts on consecutive login failures to detect potential brute-force attacks. 
2. Monitor for SQL Injection Queries
   SQL injection is one of the most common attack vectors targeting SQL Server The policy tracks suspicious query patterns to identify potential SQL injection attempts.
3. Monitor DDL Operations on Sensitive Objects and from Privileged Users
   Data Definition Language (DDL) operations like CREATE, ALTER, and DROP are closely monitored, particularly when they target sensitive or classified objects or involve privileged users to prevent unauthorized changes.  
4. Monitor DDL Operations on Specific Tables
   Allows granular monitoring of DDL operations targeting specific tables that have been classified as high-risk.
5. Detect Suspicious Data Movement Activity
   Flags unusual data movement across the system, including the copying, transferring, or exfiltrating of sensitive data.
6. Monitor Account Modification: Tracks changes to user accounts, permissions, and roles to ensure that only authorized personnel can make modifications.
7. Monitor OS Operations: Monitors operating system-level activities to detect unauthorized changes or suspicious behavior in the infrastructure.

SQL Server Based Monitoring policies - Failed Logins,DDL Operations tracking, Suspicious PII Data Movement 

Additional TrustLogix Monitoring Policies: Fine-Tuning Security to Bank’s Needs

TrustLogix also provided additional monitoring policies to fine-tune security based on the bank’s specific requirements, further strengthening its protection capabilities. 

1. Monitor Copy of Sensitive Objects by Unlisted Tools
   Tracks attempts to copy sensitive data using tools that are not explicitly listed or authorized, identifying potential insider threats or attacks.
2. Monitor Login Activity from Non-Whitelisted IP Addresses
   Flags unapproved or suspicious login attempts from IP addresses not on a whitelist helping detect potential breaches.
3. Monitor Copy of PII Objects by Unlisted Users
   Alerts when unlisted users try to access or copy Personally Identifiable Information (PII).
4. Monitor Brute Force Login Attempts from Non-Whitelisted IPs
   Detects brute-force login attempts from unauthorized IPs to prevent account compromise.
5. Monitor Backup of Databases Classified as Sensitive
   Monitors backup operations involving sensitive databases to prevent unauthorized backups that could lead to data leakage or exfiltration.
6. Monitor Deletion of Sensitive Objects by Unlisted Tools
   Tracks deletion operations on sensitive objects by unlisted or unauthorized tools, ensuring data destruction is legitimate and authorized.

TrustLogix Activity Reports: Timely and Defensible Compliance Audits

With TrustLogix, the CISO team could leverage automated reporting streamlining audit efforts and generating timely compliance reports. TrustLogix offers robust activity reporting features that allow security teams to gain deep insights into all operations related to SQL Server. TrustLogix empowers the CISO or security officer to establish a stronger, more defensible position during audits with regulatory and compliance teams. The team can now demonstrate a proactive, compliant security posture which not only minimizes the risk of non-compliance but also positions the organization as a responsible, risk-aware entity, ready to handle scrutiny and regulatory requirements effectively. The team can show the proof of protected data and fine graned data access. Furthermore, the tool’s integration with external Security Information and Event Management (SIEM) systems allowed for a more holistic view of the bank’s security posture.

Key Audit Reports include:

1. Summary Report of Login Activity
   Overview of successful and failed logins helping admins to track who is accessing the database and when.
2. Details of All Client Tools Used to Connect to SQL Server
   Identifies tools used to connect to SQL Server, ensuring connections are being made using authorized software.
3. Database Management and Read-Write Activity Report
   Summarizes actions related to database management, including both read and write activities. Helps security teams track changes, queries, and critical actions.
4. Summary Report of Data Access Activities on Classified Objects
   Monitors access to Sensitive or classified data objects, helping security teams monitor who is accessing high-risk data and why.

Report on Login Activity, Tools Connecting to SQL Server and Data Access Activities on Classified Objects 

Conclusion: Driving Data Success: Unlocking Potential, Accelerating Projects, and Building Trust

By adopting TrustLogix, the the bank’s security teams were empowered to maintain Data Security Posture by detecting and mitigating risks before they escalate.TrustLogix also enhanced the bank’s ability to maintain compliance with ever-evolving regulatory frameworks, reducing the complexity and time required to produce timely compliance reports. 

In a highly competitive industry where data breaches can have significant financial and reputational consequences, TrustLogix provides the Financial Institution with a strategic advantage: the ability to foster trust with clients and stakeholders, ensure regulatory adherence, and unlock new opportunities for innovation and growth. In an age where data is one of the most valuable assets, safeguarding it with a proactive, scalable, and non-invasive solution like TrustLogix is not just a security measure—it’s a critical business enabler.

Ready to try it for yourself? Get a free data security assessment on your SQL Server as well as other cloud and on-premise data platforms by registering for a free 90-day data protection service or request a demo.