Imagine patching the database with no downtime, no backups.
 

To date, there are hundreds of known vulnerabilities in DBMSs across different vendors and versions.

Databases are complex applications. This complexity makes them particularly susceptible to many security vulnerabilities that provide an entry point for intruders and unauthorized users.

Exploits published on the Web enable even rookie hackers to get into the database and own it by using privilege escalation, and attack vectors such as SQL injection and buffer overflow.
Severe vulnerabilities even allow remote access by unauthenticated users, for example, those who are on remote IP addresses and have no database login credentials at all.

With so many known risks for DBMSs across so many vendors and versions, it seems unthinkable that databases would be left unpatched. Critical databases are left unpatched for months or even years, vulnerable to attacks that result in data theft, breaches of privacy and non-compliance with regulatory requirements.

Why aren't vendor-issued security patches being deployed?

While Sentrigo recommends timely, regular deployment of vendor-issued security patches as the best way to protect corporate databases, due to the following reasons, many organizations do not patch their databases in a timely manner: 

• Patching is an update to the DBMS kernel and requires database downtime. This is often not an option in 24x7 environments, or is extremely difficult to coordinate.
• Patching requires regression testing of all applications running on top of the database.
• Many application vendors only certify their applications to run on top of specific releases of DBMSs - updates not included.
• Older, yet still used database versions are not supported by new security patches.

What Is Virtual Patching?

Virtual patching is a way to protect the database against exploits without actually patching the DBMS kernel. This creates a security layer around the database that, unlike vendor patching, does not require downtime or application testing.

Hedgehog vPatch protects databases in real-time against known vulnerabilities using unique virtual patching capabilities

By monitoring all actions in the database and matching them against rules that detect known exploits and vulnerabilities, virtual patching detects attempted exploits. When a match occurs, an alert is issued and the suspicious session can be terminated and the originating user quarantined for specified period, until the nature of the suspected attack is investigated.

Downloadable, Easy to Deploy Across Multiple Databases

Hedgehog vPatch is a subscription-based offering that includes two components:

• Host-based software that uses sensors to protect the DBMS with a set of protections (virtual patches) to detect and prevent attempted exploits of DBMS vulnerabilities.
• Ongoing updates for newly discovered and existing vulnerabilities, courtesy of Sentrigo's "Red Team" — a team of security researchers who are constantly finding DBMS vulnerabilities and exploits, and devising ways of stopping them.

Hedgehog vPatch is non-intrusive, does not use native DBMS auditing or API functions and is not part of the DBMS - it directly monitors the database memory cache and has full visibility into all database activity.

Hedgehog vPatch™ Advantages

• No database downtime is required both during the initial installation as well as during the ongoing deployment of security updates.
• No impact on the application layer
• Support for older DBMS versions (e.g., Oracle 8i, 9i)

More details

• License/subscription and pricing
• Product comparison
• System requirements