Start Demo

The Platform

Solutions

Customers

Partners

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

ExtraHop
Reveal(x) 360

Cloud-native visibility, detection, and response
for the hybrid enterprise.

Learn More

How It Works

Why Decryption Matters

Integrations and Automations

Cybersecurity Services

AWS Cloud Security

What is Network Detection & Response (NDR)?

Reveal(x) Enterprise: Self-Managed NDR
caret-left Back

Solutions

Learn More

Security

Cloud

IT Ops

Use Cases

Explore By Industry Vertical
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Learn More

Customer Portal Login

Cybersecurity Services

Training

ExtraHop Support
caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Learn More

Channel Partners

Integrations and Automations

Partners
caret-left Back

Blog

Learn More
caret-left Back

About Us

Newsroom

Events

Careers

Resources

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

The ExtraHop Advantage

What Is Cloud-Native?

Contact Us

caret-left Back

Newsroom

Get the latest news and information.

Learn More

Sign Up for a Live Attack Simulation

Upcoming Webinars and Events

caret-left Back

Events

Upcoming events and conferences.

Learn More

Sign Up for a Live Attack Simulation

Upcoming Webinars and Events

caret-left Back

Careers

We believe in what we're doing. Are you ready to join us?

Learn More

Careers at ExtraHop

Search Openings

Connect on LinkedIn

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories

Shields Up Resources

Ransomware Attacks in 2021: A Retrospective

Cyberattack Glossary

Network Protocols Glossary

Documentation

Firmware

Training Videos

back caretBlog

How-to: Spot Data Thieves Even If They Drop the Audit Table

Principal SE John McGovern shows how ExtraHop can help security analysts and DBAs find who executed a SQL DROP against the database.

 
If a tree falls in the woods and no one hears, does it make a sound?

If a hacker steals from your database and there are no logs, did they steal data?

If a table is dropped from the database, how does the DBA know who did it?

ExtraHop can't help with the first question, but it can answer the other two conundrums with data off the wire. In the video above, Principal SE John McGovern shows how ExtraHop can help security analysts and DBAs find who executed a SQL DROP against the database.

The workflow is super simple:
Discover - Search to find all database transaction records that include the word "drop."
Explore - The resulting list of transactions is interesting, and it shows client IP addresses. But what about this client's activity before they did the DROP? To see this, click on the flow ID for any transaction you want to investigate, then remove the "drop" filter. Now, the ExtraHop platform is listing out every single SQL statement executed by that client against the database, in order, starting from the SELECT statement all the way down to the DROP.
Trace - Need more? With a click, you can download the packets associated with this specific flow so that you can perform forensic investigation.

Borrowing from the Perl motto, the above workflow is an example of how ExtraHop makes easy things easy and hard things possible. Without ExtraHop, DBAs would rely on a database profiler to record this type of activity. But a hacker who has just queried sensitive data from the database can use a DROP to delete the audit logs themselves, essentially wiping away their digital fingerprints. In those cases, there's very little an analyst or DBA can do to investigate. That is, unless they have an ExtraHop!

At ExtraHop, we call these types of super-simplified workflows "haikus" because it's hard to imagine stripping it down further. And with that, I leave you with this real haiku ...

Database hacked
Audit table drop? Oh no!
Answers on the wire

Related blog posts:

Log Data vs. Wire Data: Why There's a Clear Winner
Don't Trust Log Data! Lessons from the Cryptonomicon
Network Teams Need A Better Workflow

XKCD: Exploits of a Mom

XKCD

#StopITShaming mashup

Click to enlarge

Sign Up to Stay Informed

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More