
Imperva CounterBreach

DATASHEET

Protect Your Data from Insider Threats


The greatest threat to enterprise security is the people already on the payroll. To do
their jobs, employees, contractors, consultants and vendors must have legitimate access
to sensitive and valuable data stored in enterprise databases, file shares and SaaS
applications. However, when insiders abuse this access, or when insiders are exploited
by outside attackers, enterprise data is exposed. Detection and containment of insider
threats requires an expert understanding of both users and how they use enterprise data.

Imperva CounterBreach protects enterprise data stored in enterprise databases, file shares and SaaS applications from the theft and loss caused by compromised, careless or malicious users. By dynamically learning users' normal data access patterns and then identifying inappropriate or abusive access activity, CounterBreach proactively alerts IT teams to dangerous behavior. CounterBreach also uses deception technology to deterministically identify end-point devices that have been compromised by external attackers, adding additional context to user data access learning.

"Employees require access to information assets to perform their jobs, but malicious or ignorant abuse of authorized access is difficult to detect and high-risk."
GARTNER, BEST PRACTICES FOR MANAGING 'INSIDER' SECURITY THREATS, ANDREW WALLS, 17 JUNE, 2014


"Information security strategies need to shift from a bottom-up device- and network-centric strategy to a top-down, information-centric strategy focused on the information itself."
GARTNER, PREVENTION IS FUTILE IN 2020: PROTECT INFORMATION VIA PERVASIVE MONITORING AND COLLECTIVE INTELLIGENCE, NEIL MACDONALD, 27 JANUARY, 2016

Detect Dangerous User Data Access

CounterBreach detects potential breaches by pinpointing risky data access events and the user associated with each of them.

CounterBreach Behavior Analytics

CounterBreach Behavior Analytics uses machine learning and peer group analytics to automatically uncover anomalous data access events. It first establishes a full contextual baseline of typical user access to database tables, files stored in file shares and objects stored in cloud apps, and then detects and prioritizes activity that deviates from that baseline. Combining an understanding of users with an understanding of how they access data gives enterprises the context and accuracy required to detect data breach incidents. With CounterBreach, security teams can quickly discern between malicious and normal activity and immediately act on risky behavior.

Accurately identifying potential data breaches requires deep contextual understanding of not just user activity, but also the data users access and how they access it. Without visibility into the data itself, and an understanding of the indicators of data abuse, one half of the equation is missing. The table below shows examples of common data abuse indicators, and the user and data details needed to identify them.

DATA ABUSE INDICATORS, WITH THE LEARNED USER DETAILS AND LEARNED DATA ACCESS DETAILS EACH ONE USES

Suspicious Application Data Access
  Flags interactive (non-application) users that directly access sensitive application table data on a database.
  Learned user details: User identity, Client IP, Server IP, Client app
  Learned data access details: Database name, Table name, Data sensitivity, Schema, SQL operation, SQL operation type

Excessive Database Record Access
  Uncovers users that access an unusually high number of database records, as compared to their typical behavior and the actions of their peer group.
  Learned user details: User identity, User department
  Learned data access details: Database name, Data sensitivity, Table name, Schema, Number of rows involved in operation, SQL operation

Service Account Abuse
  Detects an interactive (non-application) user who logs into a database using a service account.
  Learned user details: User identity, Client IP, Server IP, Client app
  Learned data access details: Database name, Database table access patterns, SQL operation patterns, SQL operation type

Slow Rate File Access
  Pinpoints users that access or copy a certain number of files at an unusually slow rate.
  Learned user details: User identity, User department
  Learned data access details: File operation, File path, File name, Folder type, File share name, Operation response time

Excessive File Access
  Flags users that access or copy an abnormally high number of files from their personal folder, department folder or network file share from multiple hosts.
  Learned user details: User identity, User department
  Learned data access details: File operation, File path, File name, File type, File share name
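To make the indicator descriptions concrete, here is an added example (not CounterBreach code, and not from Imperva) that implements toy versions of three of the database indicators above over constructed audit records. The record fields, the list of interactive client applications, the service-account list, the table sensitivity labels and the rule used for "excessive" (more than three standard deviations above both the user's own history and the pooled history of the user's department peers) are all assumptions made for the example.

```python
"""Added example, not CounterBreach code: toy implementations of three of the
indicators in the table above, run over constructed database audit records.
Field names, the interactive-client list, the service-account list, the table
sensitivity labels and the 3-sigma rule are assumptions made for the example."""
from statistics import mean, pstdev

# Assumed classification of client applications: anything a person types SQL
# into counts as interactive; every other client app is treated as an application.
INTERACTIVE_CLIENTS = {"sqlplus", "ssms", "toad", "dbeaver"}
# Assumed list of service (application) accounts that no person should use.
SERVICE_ACCOUNTS = {"app_svc"}
# Assumed data classification of tables.
SENSITIVE_TABLES = {"PAYROLL", "CUSTOMERS"}

# Constructed learned user details (department) and history (rows returned per
# past operation) for each user.
DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "engineering", "app_svc": "it"}
HISTORY = {
    "alice": [120, 90, 150, 110, 130],
    "bob":   [100, 140, 95, 120, 105],
    "carol": [80, 110, 100, 95, 90],
    "dave":  [5, 8, 4, 6, 7],
}

# Constructed audit records for one day, one dict per SQL operation.
AUDIT = [
    {"user": "alice",   "client_app": "payroll-web", "table": "CUSTOMERS", "rows": 125},
    {"user": "carol",   "client_app": "payroll-web", "table": "CUSTOMERS", "rows": 140},
    {"user": "bob",     "client_app": "payroll-web", "table": "CUSTOMERS", "rows": 250000},
    {"user": "dave",    "client_app": "sqlplus",     "table": "PAYROLL",   "rows": 1},
    {"user": "app_svc", "client_app": "sqlplus",     "table": "BUILD_LOG", "rows": 10},
    {"user": "app_svc", "client_app": "payroll-web", "table": "PAYROLL",   "rows": 500},
]


def suspicious_application_data_access(audit):
    """Interactive (non-application) client reading a sensitive application table."""
    return [(r["user"], r["client_app"], r["table"]) for r in audit
            if r["client_app"] in INTERACTIVE_CLIENTS and r["table"] in SENSITIVE_TABLES]


def service_account_abuse(audit):
    """A service account used from an interactive client, i.e. by a person."""
    return [(r["user"], r["client_app"]) for r in audit
            if r["user"] in SERVICE_ACCOUNTS and r["client_app"] in INTERACTIVE_CLIENTS]


def _exceeds(value, baseline, k=3.0):
    """True when value is more than k standard deviations above the baseline mean.
    The floor of 1 on sigma stops a flat baseline from flagging every deviation."""
    if len(baseline) < 2:
        return False
    return value > mean(baseline) + k * max(pstdev(baseline), 1.0)


def excessive_record_access(audit, history=HISTORY, department=DEPARTMENT):
    """Row count anomalous against BOTH the user's own history and the pooled
    history of the user's department peers (assumed conjunction rule)."""
    hits = []
    for r in audit:
        user = r["user"]
        own = history.get(user, [])
        peers = [n for u, rows in history.items()
                 if u != user and department.get(u) == department.get(user)
                 for n in rows]
        if _exceeds(r["rows"], own) and _exceeds(r["rows"], peers):
            hits.append((user, r["table"], r["rows"]))
    return hits


if __name__ == "__main__":
    print("suspicious app data access:", suspicious_application_data_access(AUDIT))
    print("service account abuse:     ", service_account_abuse(AUDIT))
    print("excessive record access:   ", excessive_record_access(AUDIT))
```

Run as a script it prints the hits for each indicator. The point of the conjunction in excessive_record_access is the peer-group check: carol's 140-row read is unusual against her own history but ordinary for the finance department, so it is not raised, while bob's 250,000-row read is anomalous on both counts and is.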


CounterBreach Deception Tokens

CounterBreach Deception Tokens detect endpoints compromised by cybercriminals. Once an endpoint is compromised, the threat moves directly from the outside to the inside of the organization. This deterministic identification of compromised endpoints adds context to CounterBreach Behavior Analytics.

This patented deception technology lures attackers at the earliest stage of an attack with fictitious information tokens that bad actors probe for upon gaining access to the internal network. Deception tokens include fictitious database credentials, shortcuts to seemingly enticing files and web browser cookies. The tokens are entirely passive: they are planted on user workstations and appear authentic both to the organization and to hackers. Once an attacker attempts to use a Deception Token to access a data repository, CounterBreach flags the incident in real time. The tokens are deterministic in nature, since no legitimate activity uses them, so security teams can be confident that the alerts generated are highly accurate and indicate deliberate intent to access and steal enterprise data.
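An added example (not Imperva's implementation) of the deception-credential idea described above, in Python: fictitious database logins are minted one per workstation and recorded in a registry, rendered as a plausible config fragment for planting, and any login attempt with one of them, whether the database accepted it or not, becomes an incident that names the workstation the credential was lifted from. The svc_report_ naming scheme, the JDBC fragment, the host names and the audit line format are assumptions.

```python
"""Added example, not Imperva code: a minimal deception-credential scheme in the
spirit of the Deception Tokens described above. Each token is a fictitious
database login unique to one workstation, so any attempt to use it both proves
the endpoint was compromised and names which one. The svc_report_ naming scheme,
the config fragment and the audit line format are assumptions."""
import re
import secrets

# Assumed audit line format, e.g.
# "2016-03-02T09:14:07Z db01 LOGIN user=alice src=10.1.1.20 result=ok"
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<db>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_login(line):
    """Return the login event's fields, or None for lines that are not logins."""
    m = LOGIN_RE.match(line)
    return m.groupdict() if m else None


class DeceptionRegistry:
    """Maps each minted token username to the workstation it was planted on."""

    def __init__(self):
        self._planted_on = {}

    def mint(self, workstation):
        """Create a credential that looks like a real application account but
        exists on no database. The random suffix makes it unique per workstation."""
        user = f"svc_report_{secrets.token_hex(3)}"
        while user in self._planted_on:            # never reuse a token name
            user = f"svc_report_{secrets.token_hex(3)}"
        self._planted_on[user] = workstation
        return user, secrets.token_urlsafe(12)

    def render_config(self, user, password, host="db01.corp.example"):
        """The file actually planted: a plausible JDBC properties fragment (assumed)."""
        return (f"db.url=jdbc:oracle:thin:@{host}:1521/ERP\n"
                f"db.user={user}\n"
                f"db.password={password}\n")

    def scan(self, lines):
        """Every login attempt with a token username is an incident, whether the
        database accepted it or not; no baseline or scoring is involved."""
        alerts = []
        for ev in filter(None, map(parse_login, lines)):
            workstation = self._planted_on.get(ev["user"])
            if workstation is not None:
                alerts.append({"planted_on": workstation, "attacker_src": ev["src"],
                               "db": ev["db"], "user": ev["user"], "result": ev["result"]})
        return alerts


def demo():
    """Plant tokens on two workstations and scan constructed audit lines."""
    reg = DeceptionRegistry()
    alice_user, alice_pw = reg.mint("WS-ALICE")
    bob_user, bob_pw = reg.mint("WS-BOB")
    lines = [   # constructed audit lines; only the second uses a token
        "2016-03-02T09:00:01Z db01 LOGIN user=alice src=10.1.1.20 result=ok",
        f"2016-03-02T09:14:07Z db01 LOGIN user={bob_user} src=10.1.1.77 result=fail",
        "2016-03-02T09:15:00Z db01 LOGIN user=app_svc src=10.1.2.5 result=ok",
        "2016-03-02T09:15:02Z db01 QUERY user=app_svc rows=12",
    ]
    return reg, bob_user, reg.scan(lines)


if __name__ == "__main__":
    reg, bob_user, alerts = demo()
    print(reg.render_config(bob_user, "<planted-password>"))
    for a in alerts:
        print(f"token {a['user']} planted on {a['planted_on']} "
              f"used from {a['attacker_src']} against {a['db']} (result={a['result']})")
```

The failed login in the constructed data still raises an incident: because the account does not exist, the attacker can never succeed, and the attempt itself is the signal. Per-workstation uniqueness is what turns that signal into "endpoint WS-BOB is compromised" rather than merely "someone found a token".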

CounterBreach Key Capabilities


Detect Critical Data Misuse
Incidents detected by Behavior Analytics and Deception Tokens are populated into an easy-to-navigate dashboard. CounterBreach spotlights the riskiest users, client hosts and servers so that IT staff can prioritize the most serious data access incidents. Security analysts can also drill down into a view of all open incidents and investigate all the details pertaining to an event.

The CounterBreach dashboard aggregates threat indicators across all enterprise data.

Accelerate Incident Response Time


Security teams can efficiently investigate the riskiest data access events by filtering open incidents by severity as well as by a specific user, server or client host. They can then drill into a specific incident to review a detailed description of the event and granular information about the user and the data that was accessed. From there, SOC staff can close the incident or whitelist behavior that is authorized or cannot be remediated right away.

Simplify Investigations
Security teams can analyze the data access behavior of particular users with the user dashboard. With a consolidated view of database, file and cloud app activity, security analysts have a full picture of a user's data access across the organization. They can investigate incidents and anomalies specific to the individual, then drill down to the behavior profile to view the baseline of typical activity and compare the user with that user's peer group.

The CounterBreach incident screen shows critical data access anomalies prioritized from critical to low severity.

The CounterBreach user screen provides an at-a-glance look at individual access to enterprise data and highlights risky user behavior.

Prevent Data Breaches with Imperva


To detect and contain data breaches, organizations need to have visibility into who
is accessing enterprise data, understand if that access is legitimate and respond
immediately if it’s not. CounterBreach integrates with Imperva SecureSphere and
Imperva Skyfence solutions to pinpoint critical anomalies that indicate misuse of
enterprise data stored in databases, file servers and cloud apps.

[Figure: Monitor, Learn and Detect, Contain, applied to users, databases and file servers, and cloud-based apps]

Monitor
Imperva data protection solutions directly monitor all user access to data repositories on-premise or in the cloud. SecureSphere provides visibility into which users access database and file servers, giving IT organizations insight into the 'who,' 'what' and 'when' of access to sensitive information. Skyfence continuously monitors user uploads, downloads and sharing of sensitive data within cloud-based apps such as Office 365, Salesforce and Box.

Learn and Detect
CounterBreach combines Imperva expertise in monitoring and protecting data with advanced machine learning to uncover dangerous user data access activity. Based on granular inputs from SecureSphere and Skyfence, CounterBreach develops a behavioral baseline of typical user data access and then detects critical deviations from the norm. CounterBreach proactively flags these dangerous actions for immediate investigation.

Contain
With the CounterBreach solution, security teams can contain potential data leaks before
they become major events. Once dangerous anomalies are detected, enterprises can
quickly quarantine risky users in order to proactively prevent or contain data breaches.


Imperva System Requirements

CounterBreach Prerequisites
CounterBreach requires one of the following Imperva products to perform the monitoring and containment functions: SecureSphere Database Activity Monitor, Database Firewall, File Activity Monitor or File Firewall. Additionally, Imperva Skyfence can be integrated with any CounterBreach deployment.

CounterBreach Virtual Appliances
CounterBreach is deployed as virtual appliances that are simple to deploy and do not interfere with existing SecureSphere or Skyfence implementations. The minimum requirements for the physical host and for each guest virtual appliance are shown below.

PHYSICAL HOST (all appliances)
  Hypervisor: VMware ESX/ESXi 4.x/5.x/6.x
  Processor: Dual-core server with Intel VT-x or AMD-V

GUEST VIRTUAL APPLIANCES (CPU, Memory, Disk Space, Operating System, File System)
  CounterBreach Admin Server (1): 2 CPU, 4 GB memory, 50 GB disk
  CounterBreach Analytics Server (2): 4 CPU, 16 GB memory, 500 GB disk
  CounterBreach Deception Sensor Admin Server (2): 2 CPU, 4 GB memory, 160 GB disk
  CounterBreach Deception Sensor Server (2): 2 CPU, 4 GB memory, 40 GB disk
  Deception Target Server (3): 2 CPU, 4 GB memory, 40 GB disk, licensed Windows Server 2012 R2 64-bit, NTFS file system

(1) The Admin Server is required for Behavior Analytics and Deception Tokens. Imperva will deliver software on pre-configured virtual appliances with the specifications shown above.
(2) Imperva will deliver software on pre-configured virtual appliances with the specifications shown above.
(3) Imperva will deliver Deception Target software to customers via an installer. A virtual machine with the specifications shown above must be provided by the customer.

Supported Platforms

COUNTERBREACH BEHAVIOR ANALYTICS
  Database Platforms: Oracle, Microsoft SQL Server
  File Systems: CIFS file storage systems, NAS devices
  File Operating Systems: Microsoft Windows Server
  Cloud applications: All apps supported by Skyfence, including Office 365, AWS, Salesforce, Google Apps, Box, Dropbox, NetSuite, Workday, Microsoft Azure and more

COUNTERBREACH DECEPTION TOKENS
  Endpoint Operating Systems: Windows 7
  Software Distribution System: Microsoft SCCM

© 2016, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, Skyfence, CounterBreach and ThreatRadar are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders. DS-CounterBreach_Overview-0316-rev1
imperva.com
