Since agents are installed on the OS that the DB sits on, your best course of action is to monitor on the OS itself.
A few things you can do are:
- Ensure proper audit trails are in place to ensure any agent manipulation is tracked.
- Set up monitoring on the OS to ensure that the service/executable is running.
A built-in self-protection feature is to enable certificate-based communication between the agent and GW, but that's more about encryption in transit.
You can also set up rules on the SIEM for DAM/DBF for when an agent does not send traffic after a certain time.
------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
------------------------------
Original Message:
Sent: 12-18-2024 22:16
From: Son Hoang Cao
Subject: How does Imperva Database Firewall protect its agents from unauthorized removal?
Hi Imperva Community,
I'm seeking clarification about the protection mechanisms for Imperva DBFW agents. Specifically, I'm interested in understanding:
- What security measures are in place to prevent unauthorized removal of DBFW agents?
- In a scenario where attackers gain access to the database server, what controls prevent them from disabling or removing the agent?
- Are there any self-protection features built into the agent?
- How does the MX monitor and respond to attempted agent tampering?
This information would be valuable for security architects and database administrators in planning their defense-in-depth strategy.
Looking forward to insights from the community and Imperva experts.
#DatabaseActivityMonitoring #ImpervaAgent
------------------------------
Son Hoang
Product Consultant
M-Security Technology Indochina Pte. Ltd
Hanoi
------------------------------
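The SIEM rule suggested in the reply (alert when an agent stops sending traffic), sketched as an added example that is not part of the thread and not Imperva code. The event tuples, host names and the expected-agent inventory are constructed for illustration and do not reflect an Imperva log format.

```python
from datetime import datetime, timedelta

# Constructed sample: (agent name, ISO timestamp of an event seen by the SIEM).
# Field layout and host names are hypothetical, not an Imperva log format.
SAMPLE_EVENTS = [
    ("db-prod-01", "2024-12-18T21:58:00"),
    ("db-prod-02", "2024-12-18T20:10:00"),
    ("db-prod-01", "2024-12-18T22:14:00"),
    ("db-test-07", "2024-12-18T22:15:30"),
]
# Agents that should be reporting (assumed to come from an asset inventory).
EXPECTED_AGENTS = {"db-prod-01", "db-prod-02", "db-prod-03", "db-test-07"}


def last_seen(events):
    """Return {agent: latest event time}, tolerating out-of-order events."""
    latest = {}
    for agent, ts in events:
        t = datetime.fromisoformat(ts)
        if agent not in latest or t > latest[agent]:
            latest[agent] = t
    return latest


def silent_agents(events, expected, now, max_silence):
    """Return (agent, reason) alerts for expected agents quiet too long."""
    latest = last_seen(events)
    alerts = []
    for agent in sorted(expected):
        if agent not in latest:
            # An agent removed before it ever reported leaves no events at all,
            # so the rule has to start from the inventory, not from the logs.
            alerts.append((agent, "never reported"))
        elif now - latest[agent] > max_silence:
            minutes = int((now - latest[agent]).total_seconds() // 60)
            alerts.append((agent, f"silent for {minutes} min"))
    return alerts


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-12-18T22:16:00")
    threshold = timedelta(minutes=30)
    for agent, reason in silent_agents(SAMPLE_EVENTS, EXPECTED_AGENTS, now, threshold):
        print(f"ALERT {agent}: {reason}")
```

An idle database and a stopped agent look the same in this data, so a hit is best correlated with the OS-level service check mentioned in the reply.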