Security Vendors Work to Curb False Alarms

IT staffs bedeviled with false intrusion alarms suffer inefficiency and cost more.

 By Richard Adhikari
Page of   |  Back to Page 1
Print Article

With data breaches hitting the headlines regularly and reports that regulatory compliance will be tightened up considerably in 2009, monitoring database activity to maintain security is becoming more important than ever.

However, most monitoring tools give rise to false positives, costing companies time and money as IT chases down these false alerts.

According to Secerno, which offers an artificial intelligence (AI) -based database monitoring tool, a false alert can cost an enterprise about $1,200, and several false positives may be generated in one day because a database activity monitoring system sees millions of queries during that time.

That adds up to quite a sum of money, and in these tight economic times that is not a cost anyone can afford as companies tighten their belts.

Traditional database activity monitoring systems use the tried and tested methodology originally used in intrusion detection systems, where anything in a database query that might indicate anomalous behavior triggers an alert.

That triggers alerts more readily than the AI-based system Secerno offers, Paul Davie, the company's COO and founder, told InternetNews.com. "That technology is probabilistic, while ours is deterministic," he said.

Secerno claims its SynoptiQ technology, based on patent-pending technology developed at Oxford University in the U.K., eliminates false positives. The company's Secerno.SQL family of database activity monitoring solutions first lets users model normal behavior for querying their databases and set policies based on that model. It then analyzes all of a new query to see whether it matches those lists.

"We match incoming queries with 100 percent accuracy," Davie said. "None of our customers have told us they have had false positives."

The tool matches incoming queries in real time, Davie said. The algorithms Secerno uses ensures queries never get slower no matter how complex they or the policies that govern them are.

Secerno's products are available either as an appliance, consisting of the software running on a standard hardened Linux box, or as virtual machines running on VMware hypervisors. "A lot of our customers are looking at our solution on VMware at the moment, and we are driven by our customers' needs and wishes," Davie said.

The Secerno products can be used with Oracle, Sybase (NYSE: SY) and Microsoft SQL Server, Davie said.

Other Players in the Game

Secerno is not the only database monitoring tool vendor going beyond the standard intrusion detection system approach.

Imperva uses a technology called Dynamic Profiling in its SecureSphere that uses the behavioral approach which it has had for about six years, Vice President of Marketing Mark Kraynak told InternetNews.com.

The approach is similar to Secerno's; Dynamic Profiling models over time what groups of users normally do and builds a normal profile. IT then enforces that profile, either in whole or partially, depending on what the enterprise needs.

The profile can change over time as the enterprise's requirements change, Kraynak said. "You should be able to figure out whether a change is now the new normal behavior and perhaps you should change your definition of normal," he added.

Imperva's products also let users set policies without any learning for certain actions. "We model user behavior," Kraynak said. "You know some things shouldn't happen, for example, certain patterns or signatures, and so you just block them from the start," he explained.

According to Kraynak, Imperva's products look at six layers of security rules and can correlate across them for greater security. "We can say, if you see this pattern signature and you see a violation of the profile, then do this action," he said.

They can also correlate across time, so IT can set a rule spelling out what action should be taken if a certain pattern of behavior is observed over a particular period of time.

"Database technology is so diverse that you need a large number of rulesets to give you a good security policy with high accuracy and low false positives," Kraynak said.

Article courtesy of InternetNews.com

This article was originally published on Dec 18, 2008
Get the Latest Scoop with Networking Update Newsletter