With data breaches
hitting the headlines regularly and reports that regulatory compliance will be
tightened up considerably in 2009, monitoring database activity to maintain security is
becoming more important than ever.
However, most monitoring tools give rise to false positives, costing companies time
and money as IT chases down these false alerts.
According to Secerno, which offers an artificial intelligence (AI) -based database
monitoring tool, a false alert can cost an enterprise about $1,200, and several false
positives may be generated in one day because a database activity monitoring system sees
millions of queries during that time.
That adds up to quite a sum of money, and in these tight economic times that is not a
cost anyone can afford as companies tighten their belts.
Traditional database activity monitoring systems use the tried and tested methodology
originally used in intrusion detection systems, where anything in a database query that
might indicate anomalous behavior triggers an alert.
That triggers alerts more readily than the AI-based system Secerno offers, Paul Davie,
the company’s COO and founder, told InternetNews.com. “That technology is
probabilistic, while ours is deterministic,” he said.
Secerno claims its SynoptiQ technology, based on patent-pending technology developed
at Oxford University in the U.K., eliminates false positives. The company’s Secerno.SQL
family of database activity monitoring solutions first lets users model normal behavior
for querying their databases and set policies based on that model. It then analyzes all
of a new query to see whether it matches those lists.
“We match incoming queries with 100 percent accuracy,” Davie said. “None of our
customers have told us they have had false positives.”
The tool matches incoming queries in real time, Davie said. The algorithms Secerno
uses ensures queries never get slower no matter how complex they or the policies that
govern them are.
Secerno’s products are available either as an appliance, consisting of the software
running on a standard hardened Linux box, or as virtual machines running on VMware
hypervisors. “A lot of our customers are looking at our solution on VMware at the moment,
and we are driven by our customers’ needs and wishes,” Davie said.
The Secerno products can be used with Oracle, Sybase (NYSE: SY) and Microsoft SQL
Server, Davie said.
Other Players in the Game
Secerno is not the only database monitoring tool vendor going beyond the standard
intrusion detection system approach.
Imperva uses a technology called Dynamic Profiling in its SecureSphere that uses the
behavioral approach which it has had for about six years, Vice President of Marketing
Mark Kraynak told InternetNews.com.
The approach is similar to Secerno’s; Dynamic Profiling models over time what groups
of users normally do and builds a normal profile. IT then enforces that profile, either
in whole or partially, depending on what the enterprise needs.
The profile can change over time as the enterprise’s requirements change, Kraynak
said. “You should be able to figure out whether a change is now the new normal behavior
and perhaps you should change your definition of normal,” he added.
Imperva’s products also let users set policies without any learning for certain
actions. “We model user behavior,” Kraynak said. “You know some things shouldn’t happen,
for example, certain patterns or signatures, and so you just block them from the start,”
According to Kraynak, Imperva’s products look at six layers of security rules and can
correlate across them for greater security. “We can say, if you see this pattern
signature and you see a violation of the profile, then do this action,” he said.
They can also correlate across time, so IT can set a rule spelling out what action
should be taken if a certain pattern of behavior is observed over a particular period of
“Database technology is so diverse that you need a large number of rulesets to give
you a good security policy with high accuracy and low false positives,” Kraynak said.
Article courtesy of InternetNews.com