Information activity forensics: Protecting data at the core

As companies face the growing challenge of monitoring, complying with regulatory requirements and protecting data, there has been a void in the market for systems that protect the vulnerable network core from attack.

Many organizations have experienced the damage that can ensue from a breach at the network core and have struggled to effectively define and detect the highly complex nature of these attacks.

In response, a new approach to data security and activity assurance has emerged. It's called information activity protection, and it focuses on monitoring, auditing and preventing information theft from core data servers, such as databases, file servers and application servers.

With the convergence of regulatory requirements, a growing number of incidents of data and identity theft, complex forensics investigations and the need for automated protection against data breaches, effective core security has never been more critical.

Information activity protection addresses these challenges and responds to privacy regulations such as the Health Insurance Portability and Accountability Act, California's SB1386 and Visa International Inc.'s Cardholder Information Security Program, which have created additional requirements to mitigate the impact of information theft. Other key market drivers include the continued reliance on business process outsourcing, which limits a company's ability to track what authorized outsourced users are doing when accessing sensitive data center resources and assets.

Information activity protection encompasses three core functions:

  • Monitoring and auditing
  • Information access forensics
  • Risk mitigation

The monitoring and auditing function requires the creation of an accurate, granular audit trail of user access to sensitive information assets. Subsequently, the information activity forensics function analyzes the activity to establish whether it's normal or abnormal. When an activity is classified as abnormal, it represents a potential unauthorized disclosure or unauthorized access to information assets. There can be numerous root causes for unauthorized disclosure and access that range from insider activity, masquerader activity, application-level breaches (via buffer overflow or SQL injection), software patches, configuration hole exploits, weak authentication or just plain accidental misuse. As long as these techniques compromise the confidentiality of information, the forensics function should be able to capture the results.

Finally, if such activity is flagged as abnormal, the risk-mitigation function provides for real-time processes to escalate, resolve and potentially prevent subsequent unauthorized activity.

How does information activity protection compare with other security approaches?

When considering this approach, it's important for organizations to understand how it compares with systems that may already be a part of their security strategies.

First, information activity protection isn't about encryption of data. Encryption is a complementary security function and a good security practice, but because breaches are typically triggered by authorized entities (insiders or outsiders who subvert their way in) that decrypt information, it can prove ineffective in preventing most information breaches.

Second, because information activity protection focuses on protecting information assets at the source, it's distinct from content filtering, which focuses on information leakage from outgoing applications such as e-mail, or digital rights management, which concentrates on extending access control to mobile distributed data such as documents.

Finally, unlike intrusion-prevention systems, traffic-anomaly and application security systems that detect threats and anomalies based on packet patterns, denial-of-service attacks or within an application protocol, information activity protection is concerned with assuring a business activity, including critical information exchange and operations between a user and a data server. This approach establishes norms of access activity and detects unauthorized access and disclosure of information based on the anomalous deviation from the norm.

Key challenges

There are several requirements for an information activity protection approach to work effectively:

1. The policy challenge

Any anomaly-based function, such as forensics, has the advantage of dynamically adapting to the variables within the network being monitored. However, without effective policies or rules, an administrator has no way of customizing this system to meet his needs.

2. Managing false positives and negatives

Managing false positives or false negatives is a significant challenge for organizations today. Any anomaly-based approach that monitors only one dimension of access (such as the type of information being accessed by a user) will produce an unacceptably high rate of detections. To narrow the results, it's important to include additional dimensions of monitoring, such as the operations, time, location and volume of disclosure, within anomaly mining.

3. Deployment transparency, fault tolerance and separation of duties from the data server

Monitoring must be transparent and nonintrusive; otherwise it creates performance, reliability and manageability problems for IT administrators. Because data server performance degrades through native auditing, the monitoring function should be "outside" the data server, permitting a clean separation of security duties from the application owners.

4. Auditing, granularity and completeness

In order to provide a sufficient depth of logs for evidence and compliance reasons, auditing must have adequate granularity. For instance, syslogs or externally created Web-server logs are typically inadequate when it comes to capturing the five W's of auditing: Who is doing What operation to Which critical information asset, When and from Where? This challenge can be addressed by monitoring access to the back-end database or file server, where critical information assets are stored.
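The normal-versus-abnormal classification described earlier, the multi-dimensional anomaly mining of challenge 2 and the five W's of challenge 4 can be shown together in one small detector. The following is an added example written for this article, not code from the article or from Tizor's platform: it parses a constructed audit trail whose record format (when, who, operation, asset, client address, row count), per-user baseline, deviation tests and the "ten times the usual volume" and "two dimensions" thresholds are all hypothetical choices made for illustration. The same observation records are classified once on the asset dimension alone and once on all five dimensions, so the reader can see why a single dimension both misses the bulk export and flags the harmless new-table read.

```python
# Added example (not from the article): multi-dimensional access-anomaly
# detection over a constructed database audit trail. The record format,
# field names and thresholds are hypothetical choices for illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Sequence, Set, Tuple

# One record per access, covering the five W's: when, who, what (operation),
# which (asset), where (client address), plus the volume (rows touched).
# All records below are constructed for this example.
BASELINE_AUDIT = """\
2005-06-01T09:12:03 alice SELECT customers 10.1.4.22 12
2005-06-01T10:40:17 alice SELECT customers 10.1.4.22 8
2005-06-02T14:05:41 alice UPDATE customers 10.1.4.22 1
2005-06-01T11:02:55 bob SELECT orders 10.1.4.31 40
2005-06-02T16:21:09 bob SELECT orders 10.1.4.31 35
"""

# Observation period (constructed): a 250,000-row read of a table alice
# normally uses, at 03:14 from an address never seen for her; bob reading a
# new table at his usual hour from his usual host; a routine read by alice.
OBSERVED_AUDIT = """\
2005-06-03T03:14:50 alice SELECT customers 192.0.2.77 250000
2005-06-03T11:15:00 bob SELECT customers 10.1.4.31 20
2005-06-03T09:30:00 alice SELECT customers 10.1.4.22 9
"""

DIMENSIONS = ("asset", "operation", "time", "location", "volume")


@dataclass
class AccessEvent:
    when: datetime
    who: str
    what: str    # operation
    which: str   # information asset (table)
    where: str   # client address
    rows: int    # volume of disclosure


@dataclass
class Baseline:
    """Per-user norm learned from the baseline period."""
    assets: Set[str] = field(default_factory=set)
    ops: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    max_rows: int = 0


def parse_audit(text: str) -> List[AccessEvent]:
    """Parse the hypothetical whitespace-separated audit format."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, who, op, asset, src, rows = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), who, op, asset, src, int(rows)))
    return events


def build_baseline(events: Sequence[AccessEvent]) -> Dict[str, Baseline]:
    """Establish each user's norm of access activity."""
    per_user: Dict[str, Baseline] = {}
    for e in events:
        b = per_user.setdefault(e.who, Baseline())
        b.assets.add(e.which)
        b.ops.add(e.what)
        b.hosts.add(e.where)
        b.hours.add(e.when.hour)
        b.max_rows = max(b.max_rows, e.rows)
    return per_user


def deviations(event: AccessEvent, baselines: Dict[str, Baseline],
               dimensions: Sequence[str]) -> List[str]:
    """Names of the requested dimensions on which the event departs from the norm."""
    b = baselines.get(event.who)
    if b is None:                      # never-seen user: deviates on every dimension
        return list(dimensions)
    checks = {
        "asset": event.which not in b.assets,
        "operation": event.what not in b.ops,
        "time": event.when.hour not in b.hours,
        "location": event.where not in b.hosts,
        "volume": event.rows > 10 * max(b.max_rows, 1),   # hypothetical 10x rule
    }
    return [d for d in dimensions if checks[d]]


def classify(events: Sequence[AccessEvent], baselines: Dict[str, Baseline],
             dimensions: Sequence[str] = DIMENSIONS,
             threshold: int = 2) -> List[Tuple[AccessEvent, List[str]]]:
    """Flag an event as abnormal when it deviates on at least `threshold` dimensions."""
    alerts = []
    for e in events:
        devs = deviations(e, baselines, dimensions)
        if len(devs) >= threshold:
            alerts.append((e, devs))
    return alerts


def to_sim_record(event: AccessEvent, devs: List[str]) -> str:
    """Render an alert as a key=value line suitable for export to a SIM."""
    return (f"when={event.when.isoformat()} who={event.who} what={event.what} "
            f"which={event.which} where={event.where} rows={event.rows} "
            f"deviations={','.join(devs)}")


if __name__ == "__main__":
    base = build_baseline(parse_audit(BASELINE_AUDIT))
    observed = parse_audit(OBSERVED_AUDIT)
    print("asset dimension only (threshold 1):")
    for e, d in classify(observed, base, ("asset",), threshold=1):
        print(" ", to_sim_record(e, d))
    print("all five dimensions (threshold 2):")
    for e, d in classify(observed, base):
        print(" ", to_sim_record(e, d))
```

Run stand-alone, the asset-only pass reports only bob's routine read of a new table, while the five-dimension pass reports only alice's export, deviating on time, location and volume. The baseline here is a plain set of observed values; a production system would also need the policy layer of challenge 1 so an administrator can declare, for instance, that any access from outside a given address range counts as a deviation regardless of history.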

5. Integration with applications, identity and access management systems and directories, SIM and others

To avoid multiple investments, the framework should easily integrate with existing applications, provide scalability to monitor different types of databases and file servers, and have the ability to integrate with existing identity and access management and directory systems to help generate actionable reports. In addition, any real-time alert activity related to unauthorized disclosure should allow for events to be exported to security information management (SIM) or security event management environments already present in the enterprise. Finally, the risk mitigation actions should be able to leverage other security controls such as access control, provisioning and deprovisioning, and firewalls and virtual private networks.


Information activity protection represents another choice in information security and can be another line of defense for CIOs and chief security officers looking to enhance their security posture and respond to regulatory requirements while reducing costs and freeing valuable IT resources to focus on bottom-line business results.

Prat Moghe is the founder and CEO of Tizor Systems in Maynard, Mass. Tizor has developed an information activity protection platform for auditing and securing business activity at the information source.

Copyright © 2005 IDG Communications, Inc.
