Acra. Features: Data leakage detection
Cossack Labs
Posted on March 23, 2022
Data encryption is a passive security control, it works well in combination with active controls that scan the data flow and analyse the system's behaviour. We equipped Acra with several techniques to detect unauthorised behavior and effectively respond to it. Let’s explore them in more detail.
Use Acra Community Edition for free. Check out Acra Enterprise Edition tailored for solutions with high security requirements.
7️⃣ Data leakage detection
Poison records/Honeytokens
Acra provides intrusion detection capabilities using poison records (aka honeytokens).
Acra puts special data blobs in database tables that look like regular encrypted records, but their content is different (“poison”). Once they’re requested through Acra, Acra understands that it is not a typical record, raises security alarms and halts decryption.
Poison records are records specifically designed to sit quietly in the database and not be queried by legitimate users under normal circumstances. Nice to your database, fierce to intruders :)
Intruders, malicious applications, or SQL injections don’t know which records are poison, and if they read more data than they should, i.e. using SELECT * requests, then poison records appear in the database response and trigger Acra.
Arbitrary patterns
Acra can be used as conventional DLP for the database, making sure that chosen patterns or data blocks never pass Acra without an alarm.
For more technical details you can check out other blog posts related poison records:
- Poison Records In Acra—Database Honeypots For Intrusion Detection
- Explain Like I’m Five: Poison Records (Honeypots for Database Tables)
With poison records and arbitrary patterns implemented, you give your valuables another strong level of protection. Use them in combination with other Acra features and you will always know if someone is trying to steal your data.
Posted on March 23, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.