In-Depth

Case Study: Watching Sensitive Database Information at Toro

Sarbanes-Oxley, the need to improve monitoring, and a desire to move administration and accountability closer to end users, drove Toro to invest in record-level enterprise application monitoring software from Prodigen.

• By Mathew Schwartz
• 01/14/2004

Strong information security perimeter defenses just don't cut it anymore. As security experts increasingly note, the metaphor of a strong wall alone isn't enough, given today's threats. Worms can open hidden back doors, and attackers can exploit not-yet-public operating system vulnerabilities and gain root access. Typical perimeter defenses—firewalls or intrusion detection systems, for example—might not catch such aberrant activity. Perimeter defenses also do little against someone using authentic credentials.

What's needed is a well-layered defense: different approaches providing overlapping, independent checks and balances. Now, thanks in part to recent regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act of 2002, security practitioners, company executives, and boards of directors have even more incentive to adopt new thinking. Regulators don't just want to know which defenses are in place. They want to know whether anyone inappropriately accessed or modified records, no matter whether the attacker was a teenage hacker or the company's own CFO.

Today "it's not enough to technically protect information, without evaluating who is accessing it," notes Michael Drazan, vice president of corporate information services for Toro, an outdoor and irrigation equipment manufacturer with annual revenues of $1.4 billion.

To watch for unauthorized access to data, Drazen recently implemented The Contouring Engine, enterprise application monitoring software from Prodigen, while simultaneously implementing identity management software to better manage passwords. The Countouring Engine monitors transactions or record-level activity in enterprise applications such as SAP, Peoplesoft, and Ariba, looking for odd activity.

"I felt strongly that it was time to switch from security administration to monitoring, both to move accountability closer to the people who best know the data and to ensure proper control per Sarbanes-Oxley," Drazen says.

At first, the engine does really nothing more than create a baseline of what the trusted user does during his workday to do his job," says Ken Searl, president and CEO of Prodigen. Establishing an initial baseline takes 60 to 90 days, he says. Once the monitoring goes live, the software alerts information security administrators if a user's typical behavior changes.

Drazen says the installation went smoothly. "Technically, this was not too complex, but it does mean tapping into each application we want to monitor. Most applications are geared to access control but not monitoring."

Of course monitoring can raise employees' blood pressure, and Drazen is quick to demarcate how and why the software is used. "One could take a 'big brother' approach to look over the employees' shoulders at every thing they do, but that is not our culture here at Toro." The company trusts its employees to use their tools properly, he stresses; the software's purpose is "to protect them from identity theft, though vigilant monitoring. If we see a change in use of passwords or system behavior, it is a flag to follow up and ensure someone has not stolen their password." In the end, this approach "protects the employee, the company, and our digital assets."

While regulations mandate corporate data protection, Searl says this type of transaction-level data monitoring, tied to employee usernames, goes a step further. "We're protecting that employee from being accused of something a year or two later. Say the company finds forensically it was a [particular] ID holder [username] and a year from now says to the user, what were you doing on January 25, because we see your ID doing bad things then."

Underlying that point is a forensics issue: passwords and user IDs don't absolutely equal a certain individual. Rather, they indicate the use of a set of credentials, and linking that to the intended user typically takes additional, corroborating evidence. Also, time is of the essence, and while an intruder may trigger intrusion detection alarms or leave telltale intrusion signs for a security administrator to find in a log, he might have already had access for months. Record-level monitoring gives companies another method of finding attackers quickly, and hopefully resist (or at least roll back) any damage.

As this is a security application, Drazen says he can't reveal project success metrics, but does note the tool is helping Toro better tighten its access controls. Vis-à-vis personnel, "the jury is still out on whether we will need more people to monitor" the software and respond to alerts.

To date he has "been very pleased with the results," as well as Prodigen's response to application feature requests and user training. In particular, he says, the software helps satisfy Toro's need to not only meet security objectives, but to "move into a more preventive—versus reactive—mode of operation."