« May 2009 | Main | July 2009 »
Posted June 30, 2009 in Log Management & Intelligence, Security | Permalink | Comments (0)
According to Gartner, Security Information and Event Management has reached the "plateau of productivity" which means that the solution is now being bought by "mainstream" customers. This has led some customers to lament that "all vendors sound the same".
However, don't be fooled by the "mainstream" label and the apparent similarity of vendors. A lot of innovation is still possible and required in the Security Management and Log Management market. In fact, somebody at the Gartner IT Security Summit asked me: "how many people are actually happy with their existing security management solutions"? Anecdotally we know that many customers are on their second or third attempt at security management and some of the maturity challenges have been well documented, such as in a recent blog by Adrian Lane and Mike Rothman, who said (paraphrased):
"the Security Information and Event Management space has struggled over the last decade because the platforms were too expensive, too hard to implement, and (paraphrasing) did not scale well without investing a pound of flesh".
The exact answer comes from Derek Brink from Aberdeen who did a great benchmark study recently. You can watch him present his study here.
Only "best in class" vendors, which make up 20% of the total population, actually achieve a measurable reduction in the number of incidents, the number of audit deficiencies and the total management costs related to leveraging security logs, information and events.
Derek's study also highlights specific product deficiencies:
Most notably, the complexity of security management and log management solutions is a major inhibitor of adoption. This finding is consistent with the "crossing the chasm" theory, which states that "mainstream" adopters are looking for ease of use and integration first.
If you want to find out a quantitative score of security management and log management vendors in "Deployment and Support Simplicity" check out the Gartner Critical Capabilities Study here.
In addition to ease of deployment and ease of use, there are some other product areas that still require significant innovation. Even "best in class" customers (creating an opportunity for vendors) lag when it comes to:
1) Automating remediation
2) Correlating data
3) Normalizing data
4) Analyzing data
5) Prioritizing incidents
Make sure to ask your vendor about their planned roadmap and innovation in each of these areas before making a purchasing decision!
Posted June 30, 2009 | Permalink | Comments (0)
So a while ago we launched our Database Activity Monitoring product. Only it is called Database Security Manager (see a screencast here), which leads me to discuss the difference between "monitoring" and "management".
Database activity monitoring is the common label for point solutions that aim to monitor privileged user activity on database management systems. There are various approaches, but all aim to offer an alternative to monitoring through native audit (also called native logs). The most popular approach - if you believe Mark Nicolett from Gartner (listen here) - is to use a host-based agent. Our agent derives database activity by monitoring the requests sent to shared memory.
Most host-based database security agents can do a lot more than "monitoring". For example, host-based agents can block/interrupt requests that meet certain criteria (such as requests from a certain origin, accessing a certain object, using a particular protocol, etc.). It just didn't seem right to still refer to this new technology as "activity monitoring". It is so much more! As an industry, we have truly crossed a chasm and have not just turned data (shared memory requests) into actionable information (privileged user activity) but we are finally able to act and prevent security breaches from happening!
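The "block requests that meet certain criteria" idea above is easiest to see as a small policy evaluator. The following is an added example written for this post, not LogLogic's agent code: it models an intercepted request by its origin, protocol and the objects it touches, matches it against a handful of constructed rules, and returns the action an agent would take (allow, alert or block). The rule names, table names and addresses are all made up for the example.

```python
"""Toy policy engine for a host-based database security agent (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class DbRequest:
    """One intercepted request as the agent would see it (constructed fields)."""
    user: str
    origin: str        # client IP, or "local" for a local connection
    protocol: str      # "tcp" for a network client, "ipc" for shared memory / local pipe
    objects: tuple     # tables or views the statement touches
    statement: str


@dataclass
class Rule:
    """Glob patterns on each request attribute; all groups must match."""
    name: str
    action: str                   # "block" or "alert"
    users: tuple = ("*",)
    origins: tuple = ("*",)
    protocols: tuple = ("*",)
    objects: tuple = ("*",)

    def matches(self, req: DbRequest) -> bool:
        return (any(fnmatch(req.user, p) for p in self.users)
                and any(fnmatch(req.origin, p) for p in self.origins)
                and any(fnmatch(req.protocol, p) for p in self.protocols)
                and any(fnmatch(obj, p) for obj in req.objects for p in self.objects))


# Constructed rules (hypothetical names, table names and address ranges).
RULES = [
    # DBAs administer the schema; they should not read cardholder data directly.
    Rule("card-table-from-dba", "block", users=("dba_*",), objects=("CARDHOLDER.*",)),
    # Privileged accounts arriving over the network are allowed but get an alert.
    Rule("privileged-user-over-network", "alert", users=("sys", "dba_*"), protocols=("tcp",)),
    # Cardholder data must never be read from the (constructed) unapproved network.
    Rule("card-data-from-unapproved-net", "block", origins=("192.0.2.*",), objects=("CARDHOLDER.*",)),
]


def evaluate(req: DbRequest, rules=RULES):
    """Return (action, rule_name). A block rule wins over an alert; no match means allow."""
    hits = [r for r in rules if r.matches(req)]
    for wanted in ("block", "alert"):
        for r in hits:
            if r.action == wanted:
                return wanted, r.name
    return "allow", None


# Constructed sample traffic as the agent might intercept it.
SAMPLE_REQUESTS = [
    DbRequest("app_svc", "10.1.1.5", "tcp", ("ORDERS",), "SELECT * FROM ORDERS WHERE id=?"),
    DbRequest("dba_bob", "local", "ipc", ("CARDHOLDER.PAN",), "SELECT pan FROM CARDHOLDER.PAN"),
    DbRequest("dba_alice", "10.1.2.9", "tcp", ("ORDERS",), "ALTER TABLE ORDERS ADD note VARCHAR(80)"),
    DbRequest("app_svc", "192.0.2.7", "tcp", ("CARDHOLDER.PAN",), "SELECT pan FROM CARDHOLDER.PAN"),
]


def run_demo(requests=SAMPLE_REQUESTS):
    """Evaluate each sample request; returns a list of (user, action, rule_name)."""
    results = []
    for req in requests:
        action, rule = evaluate(req)
        results.append((req.user, action, rule))
    return results


if __name__ == "__main__":
    for user, action, rule in run_demo():
        print(f"{user:10} {action:6} {rule or '-'}")
```

The order of checks matters in a real agent: a block decision must be taken before the request reaches the engine, while an alert can be raised asynchronously, which is why the example resolves "block" before "alert" rather than taking the first matching rule in list order.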
Posted June 29, 2009 | Permalink | Comments (0)
LogLogic has expanded into the Database Security market: you can see a screencast of LogLogic Database Security Manager here. LogLogic has offered the ability to collect, store and analyze native database logs for years (via our standard log management platforms), so what's new? Here are five good reasons for customers to implement a specialized database security product and to integrate it with a broader log management solution:
1) Databases are so important they require specialized attention
2) Any successful breach of a database is very bad news (expensive)
3) Databases are especially vulnerable to attacks
4) Native logging for databases can be a bad idea
5) Database security point solutions are incomplete
Databases are so important they require specialized attention
Companies globally spend in excess of twenty billion dollars each year on their database infrastructure, and thus it is wise to spend 5-10% of that investment to manage and protect it. Databases also house the most valuable information in your business: customer data, transaction records, patient information, etc. Databases are mission critical and power your front-line, revenue generating applications - such as claims processing, credit card transactions or trading systems.
Any successful breach of a database is very bad news (expensive)
Databases are the one-stop shop for valuable information. If you lose a laptop, the information may be abused (or thieves wipe the laptop clean and sell the gear). Even if the information falls into the wrong hands, there are likely only a small number of records stored on the laptop. However, all records are available in the database, and if somebody attacks and penetrates your database, it is virtually certain there is ill will. It is good business for organized crime. Each customer record is worth $200 and the average database attack costs $6 million (Ponemon Institute).
Databases are especially vulnerable to attacks
Many database administrators do not apply the latest security patch in a timely fashion. In order to apply a patch, it has to be tested with all applications accessing the database and the database has to be taken off-line in order to apply the patch. Downtime for a critical business application is expensive so security is compromised in exchange for availability.
Native logging for databases can be a bad idea
For databases, performance is everything. More transactions mean more top-line revenue. Therefore, many database administrators refuse to turn on native audit logs. Databases tend to be IO bound, and writing a log for every transaction can deteriorate database performance by as much as 20%. There are also some attack patterns that are hard to detect from native logs - such as those that make use of triggers, stored procedures and the like.
Database security point solutions are incomplete
For all the reasons above, dedicated security point solutions emerged to offer an alternative to native audit. Some of these are based on sniffing network traffic, but most use a host-based agent. Only a host-based agent can see all database activity including local access and encrypted queries. However, database activity is best analyzed in the context of all other activities by a particular user (or system) - such as VPN access, application activity, and e-mail traffic for example. You can achieve such contextual analysis by integrating your database security product with a broader log management solution.
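The contextual analysis described above, correlating what the database agent sees with what other sources say about the same user, can be shown with a few log lines. The following is an added example written for this post, not LogLogic product code: it parses constructed VPN session events and constructed database agent records in a simple key=value format, then flags database requests that arrive from the remote-access address pool while the named user has no matching VPN session at that moment. The hostnames, user names, log layout and the `10.8.0.` pool prefix are assumptions made for the example.

```python
"""Correlate database activity with VPN sessions by user (added example)."""
from datetime import datetime

# Constructed sample logs, not real data. Layout: "<timestamp> <host> <event> key=value ...".
VPN_LOG = """\
2009-06-24T08:02:11 vpn01 session-start user=jsmith assigned=10.8.0.12 src=203.0.113.40
2009-06-24T08:45:30 vpn01 session-end user=jsmith assigned=10.8.0.12
2009-06-24T09:10:02 vpn01 session-start user=akumar assigned=10.8.0.21 src=198.51.100.7
"""

DB_LOG = """\
2009-06-24T08:15:00 db01 request user=jsmith origin=10.8.0.12 stmt=SELECT object=ORDERS
2009-06-24T09:30:45 db01 request user=jsmith origin=10.8.0.12 stmt=SELECT object=CARDHOLDER.PAN
2009-06-24T09:20:10 db01 request user=akumar origin=10.8.0.21 stmt=UPDATE object=ORDERS
2009-06-24T10:05:00 db01 request user=dba_bob origin=10.8.0.33 stmt=ALTER object=CARDHOLDER.PAN
"""


def parse_line(line):
    """Turn one log line into a dict with ts, host, event and its key=value fields."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1], "event": parts[2]}
    for token in parts[3:]:
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def build_sessions(vpn_log):
    """Map user -> list of {ip, start, end}; end is None while the session is open."""
    sessions = {}
    for line in vpn_log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "session-start":
            sessions.setdefault(rec["user"], []).append(
                {"ip": rec["assigned"], "start": rec["ts"], "end": None})
        elif rec["event"] == "session-end":
            for s in sessions.get(rec["user"], []):
                if s["ip"] == rec["assigned"] and s["end"] is None:
                    s["end"] = rec["ts"]
    return sessions


def has_session(sessions, user, ip, at):
    """True if `user` held VPN address `ip` at time `at`."""
    for s in sessions.get(user, []):
        if s["ip"] == ip and s["start"] <= at and (s["end"] is None or at <= s["end"]):
            return True
    return False


def correlate(vpn_log, db_log, vpn_pool="10.8.0."):
    """Return findings for DB requests from the VPN pool with no matching VPN session."""
    sessions = build_sessions(vpn_log)
    findings = []
    for line in db_log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "request":
            continue
        if not rec["origin"].startswith(vpn_pool):
            continue  # only remote-access traffic is checked against VPN state
        if not has_session(sessions, rec["user"], rec["origin"], rec["ts"]):
            findings.append({
                "ts": rec["ts"].isoformat(),
                "user": rec["user"],
                "origin": rec["origin"],
                "object": rec["object"],
                "reason": "database request from VPN pool without a matching VPN session",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(VPN_LOG, DB_LOG):
        print(f"{f['ts']} {f['user']}@{f['origin']} -> {f['object']}: {f['reason']}")
```

Neither log is suspicious on its own: the database agent only sees a valid user at a pool address, and the VPN concentrator only sees sessions starting and ending. Joining them on the user and the assigned address is what surfaces the two requests that have no session behind them, which is the kind of check a log management platform can run across sources that the agent alone cannot.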
In a recent video interview, Mark Nicolett from Gartner recommends that customers consider buying Database Activity Monitoring and Log Management/Security Information and Event Management from the same vendor. He also talks about the drivers for Database Security technology in general and about the benefits of a host-based approach to Database Activity Monitoring. You can watch his interview here.
Posted June 24, 2009 | Permalink | Comments (0)