Data Detectives

Finding that network and application security isn't enough, companies are turning to software that monitors database activity and provides an audit trail.

At McCarron International Airport in Las Vegas, virtually every detail of airport operations is stored in one of 14 Oracle Corp. or Microsoft Corp. database servers. Passenger data, personnel files, flight information, airport security data—all of that plus volumes of other sensitive information are housed in the databases. Any unauthorized change to or theft of that data could have severe consequences for the airport.

So naturally, when Phillip Murray, McCarron's departmental systems administrator, receives a request from airport security to look into a suspicious transaction, he takes it very seriously. Until recently, he might have devoted days, or even weeks or months, to scouring log files and SQL statements to investigate questionable activity on a database. "I'd have to carefully piece together events," he says. "It's a matter of browsing through thousands of transactions."

Today, however, Murray spends a lot less time analyzing log files thanks to a database activity auditing and monitoring tool—SQL Guard from Guardium Inc. in Waltham, Mass. The software tracks database access and transactions, sending alerts when unusual activities are spotted. If Murray needs to analyze an event more closely, SQL Guard provides an audit trail of the relevant commands and transactions.

"It's been an immense timesaver," says Murray.

While much of today's application-level security is automated with third-party tools, the databases behind these applications are often not so secure. The assumption is that attacks will occur from outside and be caught by the firewall or the log-in and authorization process of the application. Databases, it is presumed, are too far into the back office to be threatened by a direct attack.

"Traditionally, databases are deep in the organization, so it's hard for somebody to directly nail the database server," says Rich Mogull, research vice president at Gartner Inc. "But more organizations are now concerned about their own systems administrators and other employees, not just external attackers, and that's where these tools are the most valuable."

Concern about data security has been heightened by media reports of thefts of consumer data, as well as financial fraud by employees. Government regulations, such as the Sarbanes-Oxley Act, have also emphasized the need to closely audit access to sensitive data. And, of course, for organizations that serve the public—like McCarron Airport—the terrorist attacks of Sept. 11, 2001, significantly heightened security fears.

"Since 9/11, we had to start looking at our vulnerabilities. Despite the fact that we do rigorous background checks, there's a possibility that someone might come in and gather data that would make the airport easier to attack," says Murray.

But for McCarron, as with most organizations, there's a lot of data to protect. With so much information at risk and too few human resources available to police it all, the demand for automated security products such as database activity monitoring and auditing tools has been on the rise.

Phillip Murray, departmental systems administrator at McCarron International Airport
1pixclear.gif
Phillip Murray, departmental systems administrator at McCarron International Airport

Image Credit: Jeffrey Green

1pixclear.gif

Beyond Built-in Database Security

Within the database itself, there are several security features that can help protect data, including user access controls, removal of unnecessary services and accounts that could be exploited, and locking out users who fail several log-in attempts.

Databases also come with their own logging and alerting capabilities. However, these are usually highly manual utilities requiring a lot of time and effort to employ.

For instance, a database administrator can set triggers on certain fields in a database that will send an alert if altered, but setting multiple triggers for every field or event takes time, and too many triggers can degrade the performance of the database.

Databases also have logs that can record failed log-ons and other activities. But these require a human to pore over SQL statements. "Every transaction, good and bad, you have to wade through to find what you're looking for," says Murray. "The purpose of these log tools isn't to help investigate an event but to restore you to some point in time."

This is where an automated tool can prove useful. Third-party database activity monitoring tools work by developing a profile of normal activity that companies can use to spot unusual and suspicious database transactions. The monitoring tools then either send out an alert to a human operator or automatically block the transaction. Likewise, when auditing an event after it has occurred, the tools will filter out normal transactions in the log and consolidate suspicious ones.

Network vs. Agent-based Monitors

Database monitoring tools typically work in one of three ways. Some sit on the network and sniff the SQL stream. Others may connect to a specific port through which the data traffic flows. Or they may be off-line tools that read the databases' log files. All three approaches have their merits, according to proponents.

Those that sniff the SQL stream don't affect the performance of the database server and can be more easily deployed for multiple types of databases. On the other hand, those that read database log files don't slow network performance and are apt to catch more types of suspicious activities, because not all database access occurs over the network, such as when a database administrator is working within the data center.

Also, encrypted traffic or a heavy volume of traffic can be a problem for some products. And each of these tools will initially create a flood of false positive alerts as it learns traffic patterns, which will create an extra burden for whomever is tasked with monitoring alerts and tweaking the auditing tool.

On the positive side, these products typically provide four key functions:

1. Monitor traffic in real time.

The software profiles everything from the type of data normally accessed by users and the number of records typically pulled for specific queries to the log-on times typical for a user. So if an authorized user, who never works weekends, logs in on Saturday night and downloads 1,000 records, the software sends a red flag. It will also keep an eye on metadata changes, alterations to user privileges and abnormal transactions.

2. Send an alert in response to suspicious activity.

Once the software has profiled the normal activity of the database and the IT staff has added any of its own access rules, the tool can identify abnormal activity. Typically, alerts are sent via e-mail or to a console for action by the administrator.

3. Automate the auditing process.

While auditing won't prevent theft or intrusion, it's critical to tracing an event. Auditing tools can speed the process considerably and can provide clear reports and audit trails in case of an investigation.

4. Block suspicious transactions.

This feature isn't available with every product, nor is it advisable in many cases, say experts. "I wouldn't advise doing it unless you have a very strong understanding of how you use your database," says Pete Lindstrom, research director at security analysis firm Spire Security LLC. "The problem is often unknown applications like weird third-party report writers and automated log-ins and heartbeat-monitoring products. If you prevent database activity without understanding it, you'll break the infrastructure."

Nevertheless, he says, once the software has run for a while and profiled the traffic, it's possible to block some obviously bad activities.

Who Needs Data Auditing?

As the 2004 debacle at ChoicePoint Inc. illustrates, all financial and credit-records companies can use data activity profiling and monitoring tools. ChoicePoint, an aggregator of consumer data, was found to have allowed thieves to purchase and download data on as many as 400,000 consumers. The company opted to stop selling consumer data to most businesses after that. But it's not just the ChoicePoints of the business community that can benefit from better protection. Most midsize and large organizations are at risk for theft or improper use of data, notes Gartner's Mogull.

"Everybody's got credit card numbers or Social Security numbers," says Mogull. "Thanks to new regulations and a lot of negative public exposures, CEOs and CFOs are saying, 'I don't want to end up on the front page of The Wall Street Journal. We need to take a look at what's going on with the database.'"

The CEI Group Inc., a provider of auto accident and claims management services, implemented Lumigent Technologies Inc.'s AuditDB tool two years ago. With volumes of personal information on more than 600,000 consumers, CEI Group thought it prudent to add another layer of defense around its database. The Feasterville Trevose, Pa.-based company was surprised to find that having a data auditing tool is a major selling point for new customers.

"We can show prospects that we have a detailed audit trail of all changes made to the database and every query against the database," says Andre Alicea, manager of database administration at CEI. "That says a lot about our ability to handle security and privacy concerns."

Another attractive feature, says Alicea, is that the tool doesn't require much extra effort by administrators. "Once it's set up, it just runs on its own. If there's a problem, it sends us an e-mail."

Government regulators and auditors are also helping to promote the adoption of database auditing. For Southwest Corporate Federal Credit Union, the second-largest corporate credit union in the U.S., the main motivation behind implementing IPLocks Inc.'s Information Risk Management Platform was the advice of an auditor to improve database security.

Dallas-based Southwest serves more than 1,200 member credit unions, which in turn cater to individual customers. Just about a year ago, an external auditor told both the company and a competitor that they must prove their data is secured and monitored against theft.

Southwest did some quick research looking for a product that could monitor and audit its 85 Microsoft SQL Servers and came up with the Information Risk Management Platform. The IPLocks tool, which scans the database log files, enabled Southwest's administrators to keep an eye on the databases without having to constantly do manual queries on specific types of activities or go through unfiltered log files.

The system did require significant tweaking during the first couple of weeks, when it began generating hundreds of alerts, says Akinja Richards, project manager and database administrator at Southwest.

"It took a few weeks to get it all running smoothly," he says, noting that the key to getting a monitoring tool running efficiently is to first understand what all of your applications do. "If I have no idea what the HR people do or what applications they use and reports they run, then I'm going to either protect too much or too little," Richards says.

"You have to understand your applications and your business environment in order to use something like this effectively," he says.

Hildreth is a freelance writer in Waltham, Mass.

1pixclear.gif

Worried About Database Security

According to a survey by Forrester Research Inc., the majority of large North American companies are very worried about the security of their database servers.

Forrester interviewed 24 companies with $500 million or more in revenue and found that:

9 were extremely concerned.

10 were very concerned.

3 were concerned.

0 were somewhat concerned.

2 were not concerned.

At the same time, more than half (15) said they felt that their databases are protected against intrusions, although only five felt that theirs are very protected and just one said its databases are extremely protected. Of the 24, three said their databases are somewhat protected, and none said their databases had no protection.

Source: Forrester Research Inc., March 29, 2005

Copyright © 2005 IDG Communications, Inc.

  
Shop Tech Products at Amazon