Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


August 22, 2007
Podcast With Tizor Systems: Protecting Your Data From the Dangers of Web 2.0

Podcast length: 8:02 min.

What follows is a transcript of my discussion with Bill Bartow, the Vice President of Marketing for Tizor Systems, where we discuss how to protect data against breaches from the inside, behavioral fingerprinting, some of the real-world problems companies have with data protection, whether or not the PCI Standard to protect consumer data is strong enough, and finally, how to protect your data from the threats of Web 2.0.

What are the key steps that a company needs to take to protect against a data breach from the inside?

Well, the first step is for companies to classify their data so that data access policies can be created based on both the type of data being accessed and the role of the user. For example, the CFO may have access to all the financial data in a company but not the engineering data. Most important is to define data access policies for your privileged users like database administrators. These users typically have access to sensitive data across the entire company. They need this level of access to do their jobs. Due to that level of privilege, these users must be monitored and audited. And the system that audits these privileged users cannot be the same database system that these people manage. That creates a segregation of duties violation that auditors will flag as a material IT control weakness.

So this mandates that companies look to database independent auditing systems that can provide an independent and tamper-proof system for auditing all critical data activity. So, after defining data classifications, defining roles and access privileges, companies must then select a database independent auditing and protection system to really give you that complete protection against data theft from insiders.

I saw on your website that Tizor uses behavior fingerprinting. Can you tell me what this is and how it can be used to protect against data theft?

Let me start with a little bit of background. Most of the data theft incidents in the market that result in a significant business impact are those where someone's masquerading as an insider or as a malicious insider with access to sensitive data in the data center. Traditional perimeter-based security like firewalls really doesn't stop these people since they have credentials that can get them into the company network. So the only way to really prevent data theft from insiders is to monitor users in their behavior as it relates to the usage of that data.

Behavioral fingerprinting is a patented technology from Tizor that creates a dynamic user profile of what is considered normal user behavior with data. Mantra then watches each user's interaction with the database and it compares that interaction with the user's profile. When abnormal or suspicious behavior is seen, Mantra will send a real time alert to an administrator or security product to take action such as killing the user's session or blocking that activity from taking place.

As an example, imagine a user, Fred Smith, let's call him, who normally only accesses the customer database during the day and reads just a few customer records. One day, Fred decides to access the customer database from a very strange location in the middle of the night and all of a sudden instead of just accessing a few records, he decides to download over a hundred thousand customer records with credit card numbers and social security numbers. Well, that's a suspicious behavior, that's a potential data breach. And Mantra would catch that in real time by comparing that behavior to the normal user pattern that it has collected and it would then be able to alert and stop the activity. And that entire activity would then be audited, therefore protecting against the data breach.

Can you give me an example of some real world types of problems you come across when you audit companies' data management systems?

Sure, we typically see a broad range of different data auditing problems or what I'll call "bad practices". First, many companies don't have a good, documented business policy about what data should be audited and how it should be audited. Auditors get really upset with the lack of documented processes because that means lack of IT controls to support that process.

Second, we regularly see segregation of duties violations. A great example of this is a DBA who has access to all the sensitive and critical data and is also the same person who is producing the reports for the auditor, and those reports are describing what happened with the data.

Third, often we find that companies really don't provide a sufficient level of detail in the audit trail. So, they're not capturing the full event detail and therefore, you can't go back and reconstruct past database events. And finally, a common problem we see is privileged users sharing passwords and sharing accounts. And, clearly that creates a major risk as users could compromise systems without any trail to detect who the user was and what they did.

I see that Tizor has joined the PCI Security Vendor Alliance. Do you think the current PCI standard is sufficient to protect consumer data?

I think the PCI requirements are a really positive step toward educating and driving companies to protect customer data. PCI, unlike some other regulations, is a very prescriptive set of requirements. It is very specifically defining what steps need to be taken to protect data. The challenge is that many companies will not be able to address all those requirements in just one phase.

So, it's going to take time for these vendors to really become PCI compliant and that's why some compensating controls were put in place in PCI which I think is another really good idea. And a good example of this is encryption. PCI recommends that selective encryption be employed. Well, encryption is a difficult technology to implement. It's complex and it's time consuming and in some cases can take a couple of years before it's fully deployed. So, what the PCI folks have said is, "let's allow a compensating control here". And that means that as long as you use an alternative to encryption that still allows you to monitor all cardholder access while you're moving towards encrypting that data, you will pass your PCI audit.

So a good compensating control for encryption is data auditing and monitoring and that's why I think the PCI standard is going to be adopted and it's well done in terms of its specific requirements for how people should protect data. I also think that some of the new laws that are emerging around data breach disclosure are also a good step and we fully support them as well.

A lot has been spoken about the coming data vulnerabilities from Web 2.0. How does Tizor help companies prepare and protect against these coming threats?

So, Web 2.0 really exposes data to more and more applications and users. In many ways, it opens up new channels of access to things like Ajax-based web applications, or web service oriented applications. Unfortunately, many hackers are also finding new vulnerabilities in these new channels and these new applications and they're exploiting those vulnerabilities to steal data for profit. So, for corporate IT, what it means is that the stakes continue to get higher and protecting data has got to be an IT priority. And that means more reasons to watch who's accessing what with the data.

Companies really should be thinking of a layered data defense system. And data protection is a new layer. It protects data at the core in the data center, right next to the databases and it really needs to be put in place now to protect your data assets.

Now, we think companies are really starting to rethink their approach to securing data. It's less about a strong perimeter which you must have but it won't protect you against data theft. It's more about protecting data at the core in the data center. And because of that, companies are really starting to adopt and embrace technology like data auditing now and that's going to help with the broad data governance initiative and it's also going to support more ways to circumvent or to stop these Web 2.0 vulnerabilities.
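The behavioral-fingerprinting scenario in the interview (a per-user baseline of normal hours, source host, tables and record volume, with Fred Smith's midnight bulk export as the outlier) reduces to a small anomaly detector over database audit events. The code below is an added example written for this page; it is not Tizor's Mantra product or any code from the interview, and the audit-log line format, the user names and hosts, and the alert thresholds are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit-log lines (sample data made up for this example, not
# real records): one line per database read, ISO timestamp then key=value.
HISTORY_LOG = """\
2007-08-06T09:15:00 user=fsmith host=ws-fred table=customers rows=3
2007-08-07T10:40:00 user=fsmith host=ws-fred table=customers rows=5
2007-08-08T14:05:00 user=fsmith host=ws-fred table=customers rows=2
2007-08-09T11:30:00 user=fsmith host=ws-fred table=customers rows=4
2007-08-10T16:20:00 user=fsmith host=ws-fred table=customers rows=6
2007-08-13T09:50:00 user=fsmith host=ws-fred table=customers rows=3
2007-08-14T13:10:00 user=fsmith host=ws-fred table=customers rows=4
2007-08-15T15:45:00 user=fsmith host=ws-fred table=customers rows=5
""".splitlines()

NEW_LOG = """\
2007-08-21T10:05:00 user=fsmith host=ws-fred table=customers rows=4
2007-08-22T02:13:00 user=fsmith host=unknown-203 table=customers rows=100000
2007-08-22T09:00:00 user=jdoe host=ws-jdoe table=orders rows=10
""".splitlines()


@dataclass
class AuditEvent:
    user: str
    ts: datetime
    host: str
    table: str
    rows: int


@dataclass
class UserProfile:
    """What 'normal' looks like for one user, learned from history."""
    hours: set = field(default_factory=set)    # hours of day seen
    hosts: set = field(default_factory=set)    # source hosts seen
    tables: set = field(default_factory=set)   # tables touched
    row_counts: list = field(default_factory=list)


def parse_event(line):
    """Parse one constructed log line into an AuditEvent."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return AuditEvent(kv["user"], datetime.fromisoformat(ts_text),
                      kv["host"], kv["table"], int(kv["rows"]))


def build_profiles(history):
    """Learn a per-user baseline from historical events."""
    profiles = {}
    for ev in history:
        p = profiles.setdefault(ev.user, UserProfile())
        p.hours.add(ev.ts.hour)
        p.hosts.add(ev.host)
        p.tables.add(ev.table)
        p.row_counts.append(ev.rows)
    return profiles


def score_event(ev, profile, sigma=3.0, min_factor=10):
    """Return the ways `ev` deviates from `profile` (empty list = normal).

    The volume threshold is the larger of mean + sigma*stddev and
    min_factor*mean, so a user whose history is tightly clustered
    (stddev near zero) still gets a sensible margin.
    """
    reasons = []
    if ev.ts.hour not in profile.hours:
        reasons.append("off-hours access")
    if ev.host not in profile.hosts:
        reasons.append("unfamiliar source host")
    if ev.table not in profile.tables:
        reasons.append("table outside baseline")
    mu = mean(profile.row_counts)
    threshold = max(mu + sigma * pstdev(profile.row_counts), mu * min_factor)
    if ev.rows > threshold:
        reasons.append(f"row volume {ev.rows} exceeds baseline threshold {threshold:.0f}")
    return reasons


def detect(history_lines, new_lines):
    """Build baselines from history, then score each new line.

    Returns a list of (event, reasons) for events worth alerting on; a user
    with no baseline at all is flagged too, since nothing vouches for them.
    """
    profiles = build_profiles(parse_event(l) for l in history_lines)
    alerts = []
    for ev in map(parse_event, new_lines):
        profile = profiles.get(ev.user)
        reasons = ["no baseline for user"] if profile is None else score_event(ev, profile)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in detect(HISTORY_LOG, NEW_LOG):
        print(f"ALERT {ev.ts.isoformat()} user={ev.user} host={ev.host}: {'; '.join(reasons)}")
```

Run as a script it prints two alerts: Fred's 02:13 export from an unknown host (off-hours, unfamiliar host, and a row volume far above his baseline of a few records), and jdoe, for whom no baseline exists; Fred's ordinary daytime read of four rows produces nothing. The returned alert list is the hand-off point where a deployment would notify an administrator or a session-terminating control, as the interview describes, and the audit lines it consumes must come from a store outside the DBMS that the monitored DBAs administer, or the segregation-of-duties problem raised earlier reappears.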

Posted by pschooff in Podcast
