Imperva Data Security Fabric Reviews

I believe the most valuable feature is the GUI. It is still very much oversized for the job it does, but in comparison to other alternatives, it is still the best at the moment.

Before SecureSphere was used, the native auditing tools were used, and now there is a segregation of duties when managing audit data from DBAs and DBS teams. It is a much more secure way to have audit data from databases and to monitor actions of privileged accounts.

All areas of this product have room for improvement. There are a lot of things that can be improved if you want this to run in a corporate environment with thousands of database servers. If your database server count is low, it is a fine solution for you.

Lack of centralized integration when supporting/configuring appliances (SOM has some, but not all configuration/reporting/management functions, but you can’t do a lot of things from one management appliance (SOM) and have to go to separate MX when you want to configure something). As well you can’t upgrade appliances via Update module (you can only do so with agent and that functionality has much room for improvement as the update GUI is not well designed, some functions do not work and event/alert notifications there are mostly useless). So this and some other things make management and support of very large SecureSphere infrastructure sometimes painful.

I’ve been using SecureSphere for over three years.

It depends on the load of gateways/MXs. If load is big and there are advanced filtering rules in place, gateways or MX can crash or perform slowly.

The SOM does not have all the functionality yet to manage all MXs centrally and, if you have a very large infrastructure, it is not so easy to manage it, as it requires you to apply updates or new configurations directly to agents or MXs 1 by 1.

The support team responds promptly but sometimes it seems that, in more complex cases, they just try to stall for time for R&D to look at it and that they don’t know why some problems are happening.

Before, we were using native database auditing tools. Regulators have pointed out that DBAs are managing auditing tools themselves, which is not a good practice. Usage of SecureSphere and forming a new team responsible only for management of this tool was suggested.

Setup was complex. We had to deploy hundreds of gateway appliances to gather audit data and deploy thousands of agents to different OSs. This was not an easy task, as there were no simple solutions to do that. There were also challenges to configuring auditing rules and monitoring rules to work with all kinds of databases and different kind of requirements relating to them.

I don’t know anything about pricing and licensing.

I believe an IBM solution was considered, but it was much too expensive and didn’t provide as many features.

Use the newest version (at the moment I think it is 11.5) and pay extra for staff training and additional consultation on how to set up rules, etc.

As the member of an MSSP SOC team, we monitor dozens of appliances from multiple vendors. SecureSphere is one of the many tools that feeds our SIEM with relevant alerts regarding client activity of concern. Once we receive this, we use the alert monitor to delve into the details about what took place, when and where.

The level of detail provided is excellent, allowing the resources that manage the actual devices to determine whether or not, the activity is a legitimate concern and to rectify the activity in a timely manner.

We currently export PDF files to provide to the client. Rebranding this is a pain in the current environment. Having multiple and flexible export options would be better. Exporting to CSV or other formats and allowing the simple application of corporate logos to the reports, instead of vendor logos would be helpful.

In our environment, we use the SIEM to monitor the alerts, then log into SecureSphere to examine the activity in its alert monitor. Once we know that, if our level 1 analysts cannot determine whether or not the activity is false-positive, then we will export the activity and send it to the DBAs for them to examine closer.

I have used this solution for five years.

I don’t deploy, only monitor.

I’ve never had to contact them.

The most valuable feature of this product is vulnerability management since you don’t need to run different scans by logging into different databases. Everything can be done and monitored through the centralized console by a few clicks and without any hassle.

Also, the report generation option on a daily/weekly/monthly basis comes in very handy to the top management.

Some of the ways in which this product has helped our organization are:

• All the databases are being monitored.
• All the compliance requirements can be taken care of through a console.
• The daily and weekly reports are helpful in understanding the environment.

The stability and the ease of use of this product can be improved. I believe the product can be made more flexible and stable.

Additionally, it is very unlikely for a new professional to easily use this tool to its full potential. For this purpose, I believe a few more video tutorials can be uploaded for the newer versions.

I have been using this solution for one year.

We have encountered some stability issues. There were situations when sometimes the gateway didn’t work as expected. However, thanks to active-passive mode, none of the information was lost.

Every manager and gateway has a predefined capacity. It is very easy to scale up to that capacity. But, if that is exhausted you have to burn the midnight oil.

The technical support is good in terms of knowledge. However, the replies are not so frequent and hence can be frustrating sometimes.

I have not used any other solution before. I have only used Imperva SecureSphere 11.0.

The initial setup was straightforward. Each and every step is clearly mentioned in the manual. After the initial setup, it becomes a bit tricky.

Since this tool is far better than the competitors and manages a lot of compliance requirements, the pricing seems to be fine.

We had evaluated other solutions such as McAfee DAM and IBM Guardium.

You should follow both the guide and the tutorials. The tool is handy only if it is implemented properly. Implementation is a bit complicated; hence, it is advisable to create documentation alongside. It would be more beneficial to use the directory present on the Imperva site before logging for any issues.

Database auditing has become simple and easy, releasing storage previously used for native database audit processes. We found new patterns of database users' behaviour and corrected some user authorisations.

Mainframe mappings/agents/optimization for CPU usage are areas with room for improvement.

Agent on z/OS does not have a limit for CPU usage like on other platforms. If
you specify filter too "wide", the agent would consume too much cpu so that
could cause more cost for your mainframe. Agents are a bit special for
configuration because the logic is different than the one on other
platforms.

That is because mainframe agents were originally from Tomium company that
was acquired by Imperva some time ago. They still run the same code, just
little improved.
At this point, my configuration does not collect what I expected, but that
could be due to bugs, that is expected to be solved in version 12 of the
SecureSphere.

You can say for sure that security audit costs money - in this case, your
mainframe CPU money.

I have been using it for 18 months.

We had a problem with mainframe DB2 mappings; incorrect results due to bug. A fix is expected in DAM (Database Activity Monitoring) version 12 in March 2017.

I have not encountered any stability issues. Only, you need to optimize the data/events you are receiving. If you have too much input, you will have a stability problem (in that case, lower event throughput and increase manager memory).

I have not encountered any scalability issues. It's flexible.

Customer service is excellent, 5/5.

We did not previously use a different solution. We had some pilot projects and chose this solution.

Initial setup was straightforward and it was simple/easy to install and customize.

A combination of in-house and local support teams implemented it. We are satisfied with their level of expertise.

ROI is good. We needed this system for getting ISO 27001.

Be careful if you have a mainframe. Calculate well...

Before choosing this product, we evaluated IBM InfoSphere Guardium.

We are very satisfied with this product. It's simple to use, customize and administer. Installation is simple and easy, even on mainframe.

WAF is a great security layer to protect an organization from a wide spectrum of application attacks residing in OSI layer 7. The Imperva device relies on signature-based policies, as well as on a web correlation engine. In addition, the packet inspection can be enhanced with the aid of stream signature policies, which are policy items focused on the stream rather than the HTTP/HTTPS protocol. Imperva can easily match a web user to the requests launched from his client. While the default policy subset is very rich and covers different regulations (e.g., PCI, SOX), there is always an option to create custom policies addressing specific needs. Security alerts are comprehensive of all the necessary details for the analysis, such as connection details, signature triggered, alert type (e.g., Protocol, Profile), severity and followed action (e.g., syslog forward, IP monitoring).

DAM also provides great value to audits and again, the data monitoring policies by default are very rich.

If you don't know exactly what kind of data you store in-house, SecureSphere allows you to actively scan and classify your information, automatically providing you detailed status of the data, which can be further reviewed and finalised by analysts or DBAs. This is also valid for user rights on the data, understanding the level of privileges granted to users and suggesting countermeasures in detailed aggregated charts and reports.

Once under monitoring, the data can be reviewed with an intuitive interface that allows the analyst to drill down, quickly narrowing the scope in a few clicks and focusing the attention only on the relevant queries. Once the pattern is identified, it is even possible to quickly report a detailed status of the findings, as well as generate a report template for future uses. This is on the hot data, what we have available in the management database. The time span can be increased indeterminately with a good retention configuration, combined with a SAN that stores the cold data, partitioned in daily slices and ready to be loaded into a separate database space for archives.

This is brilliant if you think about scalability, for you can obtain a very big archive while preserving system resources and performance. However, to get this configuration, in-depth tuning is needed for several weeks in order to get all relevant metrics (e.g. data stored per day, data spikes, backup speed, link transfer capacity, etc.) and adopt the appropriate customizations.

Audit data can also be correlated with application users by obtaining a detailed match of the database queries executed according to a particular web user’s HTTP requests.

The FAM module allows organizations to continuously audit storages and network shares and keep a detailed record of every file operation across the company. Scans are available also in this context, providing user rights as well as access to the monitored files. A data classification is also possible with the FAM.

All of Imperva’s features are extremely powerful, while a certain degree of knowledge is required to have a solid understanding of the product.

Imperva helps you comply with data regulations such as SOX or PCI. It helps SOC analysts to enlarge the scope analysis, significantly providing great procedures to drill down into the audit or a customizable enrichment fed by several types of input, e.g. Active Directory or other external platforms, and even a layer 7 inspection. When fully integrated, the application user requests are bound with the queries executed, giving a comprehensive picture of how your web application interacts with the data layer highlighting all possible security flaws in the data management, code bugs or server misconfigurations. All this logical data collection is effectively arranged into detailed profiles from where it is possible to spot the unusual deviations or to create advanced conditions to trigger upon this baseline. Think about access to PCI data from users different to the ones allowed, such as DBAs, only from a certain subnet, let's say the external network, out of the business hours, like nights or weekends. This is one possibility of what Imperva can achieve in your organization to protect the data from unauthorised users.

To have the mind at ease with a security solution has been always a chimera. Even SecureSphere suffers from some limitations, which I believe will be handled in the near future. I see two main things to improve at this point:

• SSL tunnel support for z/OS agents
• Capability to retain live audit policy data for several months; sometimes, on certain installations, this is not feasible due to the big data streams involved in the scope.

I've been supporting the Imperva technology since version 8.x. I have a company that provides consultancy services and I support Imperva.

From versions 9.5 and later, the Imperva solution has reached an optimum level of stability. On every unusual state reported, I was always able to relate it to misconfigurations or other hardware limitations and never to major bugs or software problems.

Again, Imperva works great when you need to increase managed devices, add new gateways or even change the operational modes of the latter.

On a scale from 1-10 (1=worst, 10=best) I would say technical support is 9. Support is always guaranteed and every internal SE has been always competent and ready to assist.

I tested different audit and WAF solutions and the one I was always more comfortable with is Imperva.

Setup is actually complex due to the nature of the product and needs deep knowledge of the solution to get things working with minor effort. If you don't know exactly what kind of solution are you deploying or even the installation steps to get the environment fully working, you won't be able to install it easily.

I am a technician, so I am not very confident discussing this topic.

Doing the initial Imperva training before putting your hands on the product helps a lot. Getting assistance from Imperva during the initial stage of your new environment is highly recommended.

• SecureSphere Database Assessment
• SecureSphere Database Activity Monitoring

It was instrumental in scanning a large inventory of databases to identify sensitive data. Using Imperva Assessment scans, we were able to identify SHR, PII & confidential data sources in a large inventory of database systems.

This helped us classify our large inventory and apply additional security controls based on the data classification output.

I would like to see a better web management console; the UI is not very intuitive, unless you really know what you’re doing. And scan error details should be readable from the web console, instead of running Unix commands on the backend server to view detailed logs.

I would like to see improvements in setting custom device configuration (e.g., Server Name, TCP Port for connections). In a large inventory, it is a time-consuming process if you need to change any configuration.

The web management console UI, could be much more user friendly. The product is pretty powerful, but the management UI is not very intuitive, i.e. not very user friendly and can be improved to make it much better.

When the DAM scans contains errors, the web UI should have the ability to show detailed logs in the web console, instead of requiring an admin to query the back-end server via commands to retrieve scan error logs. This limited web functionality causes extra work when scanning a large inventory where sometimes some servers return scan errors.

I have used it for 3.5 years.

I have not encountered any deployment, stability or scalability issues.

While configuring custom strings for data classification, we did engage Imperva Support and they were very helpful in setting up custom hex strings to help with our data classification. The response time was good too.

As mentioned above, Imperva was already set up in our Enterprise environment and we only had to add on the Database Assessment module license to our setup.

It was implemented in-house.

During the evaluation phase of the project, many of the IT service providers we spoke to quoted figures ranging from half-a-million Australian dollars and up. This cost was inclusive of X people they proposed to get the job done. Imperva DAM was already included in our Enterprise licensing and until last year, we didn’t have a use-case for it. With this project, we had no second thoughts about adding this module license. Excellent ROI using the automated scans, especially comparing it to the manual method proposed by many vendors.

We did evaluate many software solutions & IT service providers, but none of them were close to meeting our project objective. We had a vast inventory of 5000+ databases, hosting data for thousands of applications, each having different schema & naming conventions. We did a Proof of Technology (PoT) in-house using the Imperva DAM module and, with a few tweaks, it met our project needs. Considering we were already using Imperva for different security assessments, it was an easy decision to add on the Database Assessment module and use that in our infrastructure.

Out of the box, Imperva comes with a lot of security modules & features that straight away add value to your organisation’s security objectives. That’s just the beginning in my opinion. There are enough customization options available for administrators to get Imperva to work for them the way they want it to. The ability to use custom scripts for scans and the ability to use TCP-level capture of database events are excellent features to use in an enterprise.

Web application security is pretty good. I have encountered very low false positives.

The correlated attack validation (CAV) is one of the unique aspects about the SecureSphere technology I like.

First of all, the product is useful for securing the websites of our company, which is basically preserving our brand value in the market.

Secondly, the product is very much competent with evolving threat vectors in cyberspace. Hence, this piece of security requires very few fine tuning efforts be put in place; everything falls right into its exact place.

The user interface is kind of a let-down. The graphics, tabs, and other various options are quite jumbled and confusing. My only complaint/suggestion: Improve the user interface.

I have been using it for 18 months.

I would like to talk about the upgrade scenario (deployment). First of all, it is complicated; secondly, many manual settings need to be done when you move from one version to another. They don’t automatically get replicated into the newer version, something which I encountered only in Imperva products. The boxes should have built-in scripts to reconfigure the settings and carry out a smooth migration.

I didn’t interact much with tech support. But from what I’ve heard, it’s on par with industry standards.

Imperva from the beginning!!

Initial setup was complex, but security is not that easy to be figured out in simple clicks, so I guess it’s okay.

We have resident engineers from Imperva and they are quite good at what they do.

Before implementing this product, get your hands dirty with the world wide web. The more you know about the internet, the more useful it is.

Most of the configuration is out-of-the-box and it offers very granular security policies. Deployment and configuration is very easy. Once initial setup has been configured, all the rules and polices are applied automatically and we can start viewing the logs.

We are able to prevent and protect external and internal threats by using Imperva’s complete product line.

I would like to see some more granular audit logs for database activities.

I have been using it for 5-6 years.

I have not encountered any issues with deployment, stability or scalability issues. Deployment is very easy, and it offers more stability and scalability.

There are delays in responses from technical support, but you do get a response per SLA.

Initial setup was pretty straightforward.

Anyone can implement this solution if you study the guides.

It is worth the investment for retail, banking, government and IT organizations.

It is the best product for cyber security & forensic investigation for external and internal threat identification and prevention.

• Easy agent setup
• Big data
• SIEM tool integration

SecureSphere covers the legal obligations for Turkish banks. According to Turkish banking regulations, database activities (especially admins' activities) should be monitored and alerted.

Syslog size for transferring data should be increased.

I used it from September 2015-May 2016.

I remember that SecureSphere stores limited data according to the number of the data structure type that is defined in the server configuration files. If a customer does not realize this, data taken with the policy that has a max data structure type is interrupted.

The vendor’s local partners, NGN Company and Bulent Daldal, were very supportive whenever my company needed their help.

I supported NGN when SecureSphere was set up. Although I only experienced this setup process once, I can now setup SecureSphere DAM and agents on my own. I mean, it was easy and feasible with guidance.

A vendor team implemented it.

I did not evaluate other solutions, but I have heard from my clients (Deloitte clients) who have used Guardium before that SecureSphere is better.

SecureSphere fulfills so many requirements for our clients. Additionally, if they want to evaluate and correlate data more comprehensively, they can use this product with SIEM tools such as ArcSight or Splunk.

There are many features that are valuable, it depends on the purpose. If the purpose is compliance or auditing, the most valuable feature are the audit log system, as it helps you to secure an audit trail and from user to action even if the user are privileged and even if the user logs in on the physical server. If the purpose is security the most valuable feature are the way it can drop and prevent the access of sensitive table/data set by rules and policies. Lastly, if the purpose is availability, the most valuable feature is the way it can drop connections set by rules and policies.

If the purpose is compliance or auditing, ex PCI-DSS you need a system like this to pass part of the compliance. As I help customers with compliance, this is a great tool to make it all "simple" and the report part makes the lives easier for the users/auditors.

If it's used for security, this, or systems like this, are the last line of defence, and you will prevent incursions, or at least know what happened, and what was stolen.

If it is to be used to monitor availability, you will only know the real ROI if you are a victim of a large attack, then you can pat yourself on the back and say "Yay! We prevented that". This cannot be achieved solely on the Imperva system and you need the full suite of WAF.

This product needs a good team of UX people, because it's not always that understandable, and sometimes it's straight up confusing.

They did have some issues with HA and Clustered environments, but it is supposed to be fixed in v12, which I have not tested.

No issues encountered.

There are issues, but it is supposed to be fixed in v12, which I have not tested.

It's good, but it's a big company, so you need to know the paths to get the most out of it.

It's very good.

This is a complex system, and all other in the same league are just as complex. There are no workarounds to simplify it.

It's expensive, and their licensing is kind of strange, but it is what it is.

We also looked at IBM InfoSphere Guardium.