In-Depth

Q&A: Real-Time Database Monitors May Ease Regulatory Headaches

Near-real-time monitoring may help your company catch attackers and restore altered data.

• By Mathew Schwartz
• 02/18/2004

According to a 2002 survey by analyst firm IDC, that insecurity translates to lost or altered data. In the banking and finance industries, for example, 27 percent of database operators reported data had been erased by virus, human error, or break-ins. Compounding the management problem is that companies must manage ever-increasing amounts of data, and regulators.

If intellectual property escapes, the costs can be devastating. Just ask Microsoft, which has yet to quantify the competitive damage caused by portions of Windows 2000 and NT source code showing up on the Internet.

One method for easing auditing headaches and intellectual property worries is to watch the databases containing the intellectual property as well as the identity management information. By establishing baselines and monitoring databases, companies can catch attackers and restore altered data.

To discuss near-real-time database monitoring, Security Strategies spoke with George Csaba, senior director of product management, and Trish Shafer Riley, senior marketing manager, for database monitoring provider Intellectual Property Locks (IPLocks).

Are databases naturally secure?

Csaba: There’s not much protection for databases inside the firewalls. Of course every database has its own [built-in] protection mechanisms, but it’s [often] not good enough to protect the information in those databases—and that's based on the admissions of the database vendors themselves.

What do companies stand to lose if an important database gets compromised?

We believe that more than 90 percent of the mission-critical data in an enterprise is in the database—[for example,] financial data, CRM [customer relationship management] information, human resources records, and patient or customer information.

So how can organizations specifically guard against intellectual property theft?

We have a very specific module that alerts when people [access unusual information]. So if someone is trying to steal an entire database, or if we see that there's a high peak in the reads or the input/output of the database, then we send a notification that hey, there's something going on, someone is trying to read the entire database. We call that “The Big Read.”

How do you monitor databases?

Riley: What we can do is monitor the information access and structural integrity of databases, plus [conduct] database vulnerability assessment and monitoring. So we look at a database environment for a customer, and assess whether that environment is safe. For example, there are some inherent weaknesses in databases; we look for those, and [offer] solutions for fixing them. Our number-one goal is to provide a safe operating environment.

The next step is, you monitor continuously. If a general user suddenly becomes a super-user, that’s a problem. But we have a non-intrusive approach; you don’t have to store any kind of agents in the database.

Then how do you access the database?

Csaba: We just go in as a read-only user … pull out the information that we need, bring it out to our box, learn what’s going on, then generate the snapshot we have … then alert when there are changes. The product can also do an initial assessment.

What are typical database misconfigurations?

Often, companies find that individuals have been given too much privilege. They’re also finding good people go bad because they’ve been given too much access—and they begin to use it.

Are new regulations drawing customers to database monitoring?

Yes—[such as] Sarbanes-Oxley, Basel II, the Gramm-Leach-Bliley Act, the California Personal Information Privacy Senate Bill 1386, the PATRIOT Act. And the product itself can help facilitate different forms for different regulations.

Does database monitoring make it easier to keep auditors happy?

Riley: Well, you can look with Sarbanes-Oxley, say, to see if the database fields are intact, if data integrity is there. Organizations, after they’ve mapped out their business processes, they need to map out the internal controls to safeguard those processes.

Similarly, you have to protect the financial database; the accuracy of financial statements is always paramount for the CEO, CFO, and CIO. As an example of how monitoring can help, take [a large semiconductor manufacturer customer] in Japan. What it used to do, before every close of the books, was have three or four people manually review the accuracy of the financial statements—the data in the database. We said, let us do it—and we found close to 100 [numerical] errors. Also we found a manager had left for a vacation and gave access [his password] to various people, which is not a best practice.

And once you’ve done the assessment and created the baseline, it makes sense to go in and continually monitor. One of our customers, a financial firm, said it typically took six weeks out of the year just to audit information. With [our product], it can alert if there are any changes—whether intentional or not—and … it creates a record, if something was changed, [recording] why and on what date.

How many databases can you watch?

Csaba: Currently we can look at up to 100 databases. To date we’ve also worked with 10 million records, and it was fine.

What about monitoring outsourced databases?

Outsourcing can, of course, save money, but you have to be careful … and if you outsource your financial information or customer databases, then you should have the ability to see what the outsourcer is doing. So [monitoring] provides you with a mechanism to have an early warning that something fishy is going on. Also you get that insight even if you have a relationship with someone who is outsourcing with someone else, [who, in turn, is] outsourcing with someone else.

Is this software?

Database Security Audit System is hardware-assisted software device. We are a software vendor, but we wanted to use an external device to minimize the performance impact on the database.

What all can companies monitor?

We have different modules, and one of those focuses on the data itself—this is the minimum, the maximum, this is the distribution of the data. And we have data mining [capabilities] … so if someone suddenly moves a large amount of data, we would catch that; it’s a gross anomaly. Or if user behavior changes, we would notify the appropriate individual. Or, since most organizations use LDAP servers to authenticate users, … if there are changes in user access provided by the server, it could sound an alarm.

The continuous database vulnerability assessment looks for weaknesses, and gives … a detailed summary of how to fix them.

Or with our rule-chaining module, for example if I’m in a security department and concerned someone is going to do something in a database, I can start the privilege monitoring process, and in that, if someone suddenly becomes database administrator from an average user, I can kick off [the metadata monitoring module] to see what kind of changes that person is going to make. Whereas otherwise the person might elevate their privilege, make changes, then turn the privilege back down—to hide their tracks.