Share via


SQL Threat Detection – Your built-in security expert

Azure SQL Database Threat Detection has been in preview for a few months now. We’ve on-boarded many customers and received some great feedback. We would like to share a couple of customer experiences that demonstrate how SQL Threat Detection helped to address their concerns about potential threats to their database.

What is SQL Threat Detection?

SQL Threat Detection is a new security intelligence feature built into the Azure SQL Database service. Working around the clock to learn, profile and detect anomalous database activities, SQL Threat Detection identifies potential threats to the database. Security officers or other designated administrators can get an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.

Currently, SQL Threat Detection on Azure SQL Database detects potential vulnerabilities and SQL injection attacks, as well as anomalous database access patterns.  The following customer feedback attests to how SQL Threat Detection warned them about these threats as they occurred and helped them improve their database security.

ThreatDetectionImage

Case #1: Attempted database access by former employee

Borja Gómez, architect & development lead at YesEnglish

SQL Threat Detection is a useful feature that allows us to detect and respond to anomalous database activities, which were not visible to us beforehand.  As part of my role designing and building Azure-based solutions for global companies in the Information and Communication Technology field, we always turn on SQL Auditing and Threat Detection, which are built-in and operate independently of our code.  A few months later, we received an email alert that "Anomalous database activities from unfamiliar IP (location) was detected”. The threat came from a former employee trying to access one of our customer’s databases, which contained sensitive data, using old credentials.  Because SQL Threat Detection allowed us to detect this threat as it occurred, we were able to remediate the threat immediately by locking down the firewall rules and changing credentials, thereby preventing any damage. Such is the simplicity and power of Azure.

Case #2: Preventing SQL Injection attacks

Richard Priest, Architectural Software Engineer at Feilden Clegg Bradley Studios and head of the collective at Missing Widget:

Thanks to SQL Threat Detection, we were able to detect and fix code vulnerabilities to SQL injection attacks and prevent potential threats to our database. I was extremely impressed how simple it was to enable threat detection policy using the Azure portal, which required no modifications to our SQL client applications. A while after enabling SQL Threat Detection, we received an email notification about ‘An application error that may indicate a vulnerability to SQL injection attacks’ .  The notification provided details of the suspicious activity and recommended concrete actions to further investigate and remediate the threat.  The alert helped me to track down the source my error and pointed me to the Microsoft documentation that thoroughly explained how to fix my code.  As the head of IT for an information technology and services company, I now guide my team to turn on SQL Auditing and Threat Detection on all our projects, because it gives us another layer of protection and is like having a free security expert on our team.”

Case #3: Anomalous access from home to production database

Manrique Logan, architect & technical lead at ASEBA:

“SQL Threat Detection is an incredible feature, super simple to use, empowering our small engineering team to protect our company data without the need to be security experts.  Our non-profit company provides user-friendly tools for mental health professionals, storing health and sales data in the cloud. As such we need to be HIPAA and PCI compliant, and SQL Auditing and Threat Detection help us achieve this.  These features are available out of the box, and simple to enable too, taking only a few minutes to configure.  We saw the real value from these not long after enabling SQL Threat Detection, when we received an email notification that ‘Access from an unfamiliar IP address (location) was detected' .  The alert was triggered as a result of my unusual access to our production database from home .  Knowing that Microsoft is using its vast security expertise to protect my data gives me incredible peace of mind and allows us to focus our security budget on other issues.  Furthermore, knowing the fact that every database activity is being monitored has increased security awareness among our engineers.  SQL Threat Detection is now an important part of our incident response plan.  I love that Azure SQL Database offers such powerful and easy-to-use security features.

How to turn on SQL Threat Detection

SQL Threat Detection is incredibly easy to enable. You simply navigate to the Auditing & Threat Detection configuration blade for your database in the Azure management portal. There you switch on Auditing and Threat Detection, and configure at least one email address for receiving alerts. Click the following links to:

We'll be glad to get feedback on how this feature is serving your security requirements, so please leave a comment below

Comments

  • Anonymous
    August 13, 2016
    Do the "anomalous database access" detections work like the way hotmail will not allow me to access my email account when I'm on the road since the request is coming from a different-from-usual IP address ? If so, that does not sound like a useful "feature".
    • Anonymous
      August 13, 2016
      Azure SQL Database Threat Detection only sends a notification upon detection of an unusual access from a new location and it does not block such activity.Each Azure SQL Database Threat Detection notification provides the details of the anomalous activity and recommends how to further investigate and mitigate the potential threat. In the case of unusual access notification, it recommends you to explore the audit records around the time of alert in order to determine the nature of the anomalous activity , and check the SQL firewall rules that defines which IPs are allowed to access your server and consider looking down the range of IP addresses that allow to access the database in order to minimize the attack surface on the server.