The recent and massive database breach at Equifax serves to highlight the insider threat that database systems face today. But, you may say, "The Equifax database attack was perpetrated by external hackers, not internal personnel." While that's true, it is also true that once the Equifax database attackers circumvented the corporate firewalls and breached the application, they were able to masquerade as legitimate and authorized insiders. Identifying an attack of that nature requires tools that detect insider threats. To better understand all of this, let's walk through the Equifax database attack chain.

According to Equifax, the database attackers exploited a vulnerability in the third-party Apache Struts software that the company was running and had failed to patch with an available security update. Specifically, the vulnerability is CVE-2017-5638, and a patch had been available to Equifax for nearly two months prior to the attack, yet for some unexplained reason Equifax had never installed it.

Apache Struts is a very popular third-party web application software package that Equifax uses, as do 65 of the Fortune 100 companies. Through the vulnerability, the attackers were able to submit operating system commands directly to the server. At that point the attacker, for all intents and purposes, appeared as a legitimate and authorized insider – a trusted administrator with all of the privileges assigned to the application. As an aside, we have a textbook example here of why it's good security hygiene to restrict the privileges of users and applications to the absolute minimum. A least privilege policy limits potential damage in the event the database credentials are compromised.
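An attacker working through the application's own database account, as described above, passes every credential check, so detection has to compare what the account does against what it normally does. The Python below is an added example, not from the original article; the account name, table names, audit records and the 50x threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records: (account, table, rows_returned). Not real data.
BASELINE = [
    ("app_svc", "sessions", 1), ("app_svc", "sessions", 3),
    ("app_svc", "profiles", 2), ("app_svc", "sessions", 1),
    ("app_svc", "profiles", 5), ("app_svc", "sessions", 2),
]
LIVE = [
    ("app_svc", "sessions", 2),       # ordinary lookup
    ("app_svc", "profiles", 48000),   # bulk read of a familiar table
    ("app_svc", "credit_files", 10),  # table this account never read before
]

def build_profile(records):
    """Per (account, table): median rows returned during the baseline period."""
    rows = defaultdict(list)
    for account, table, count in records:
        rows[(account, table)].append(count)
    return {key: median(values) for key, values in rows.items()}

def score(record, profile, ratio=50):
    """Return the reasons a record departs from the account's profile."""
    account, table, count = record
    key = (account, table)
    if key not in profile:
        # Valid credentials, but access the application has never needed.
        return ["table not in account baseline"]
    if count > max(profile[key], 1) * ratio:
        # Familiar table, but far more rows than any normal request returns.
        return ["row count far above baseline median"]
    return []

def detect(live, profile):
    """Return (record, reasons) for every live record that deviates."""
    alerts = []
    for record in live:
        reasons = score(record, profile)
        if reasons:
            alerts.append((record, reasons))
    return alerts

if __name__ == "__main__":
    for record, reasons in detect(LIVE, build_profile(BASELINE)):
        print(record, "->", "; ".join(reasons))
```

Under a least privilege policy the third record would instead fail at the database, because the application account would hold no grant on that table.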


© 2024 ALM Global, LLC, All Rights Reserved.