Feeds

Database security via event stream processing

Peace of mind

Choosing a cloud hosting partner with confidence

I wrote recently about the potential for using event stream processing (or complex event processing) for database security. This is precisely what Symantec will be offering later this summer (the exact date has yet to be announced).

Moreover, this database security product, which will also provide auditing capability, will be delivered as an appliance.

Let me first deal with the appliance part of this equation. What this means is that Symantec will deliver a combined hardware and software product, with the latter having been pre-installed and pre-configured so that there are no set-up issues: you simply plug it in and go.

You plug it into the network, where it monitors all traffic that goes into and out of the database. For the first few days after installation it will not apparently do much. This is because it is monitoring the behaviour of the various users that access the database and building up patterns of activity that it can recognise. Once it has done so it can report on any anomalies that may occur, ranging from authorised users doing odd things (according to the US Secret Service, 78 per cent of all fraud is conducted by authorised users) to SQL injection and Application Server hacks.

This last is particularly important because CRM, ERP and other such applications have global access to the database so hacking the Application Server is an easy way to break into the system.

Another important capability is what Symantec refers to as extrusion detection. That is, when anomalous data is leaving the database (as opposed to people getting into it). As an example, the company suggests setting up one or more dummy records in the database. There is no good reason why anyone should access these and, therefore, anyone who does so may be doing so for nefarious purposes.

All alerts and reporting is done in real-time, as is the monitoring of traffic entering and leaving the database, which is where the event streaming aspect of the product is relevant. By contrast, the traditional way to provide this sort of information (which includes conventional auditing: who did what and when) is to use database log files. However, full database logging is normally turned off because it can kill performance and, in any case, database logs are not easy to read. At best, they are only useful for post-fact analysis.

As with other event streaming products you can define filters - so you can tell the appliance that you are not interested in certain data and, similarly, you can define policy rules to be applied to incoming or outgoing information with respect to what you are interested in.

As far as I can see, and bearing in mind that this will be a first release of a product that will no doubt add capabilities as time goes by, the only drawback to the appliance is that it uses proprietary storage mechanisms.

While efficient from a storage and administrative perspective, this has a downside when it comes to analysis of the collected data.

There are built-in query and reporting capabilities, but if you wanted to apply a business intelligence or data mining tool to the collected data for more detailed analysis, you would have to export the data to an external (ODBC compliant) data mart. However, this seems a relatively small price to pay for the peace of mind that this product should bring.

Copyright © 2006, IT-Analysis.com

Internet Security Threat Report 2014

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.