Archive for ◊ 2011 ◊

App And Database Security: Two Halves Of A Whole
Friday, December 30th, 2011 | Author: admin

Data security, application security, and database security are like pieces of a puzzle — different yet still dependent on one another to reach true completion. When they fail together, attack methods such as SQL injection have a far greater impact on an organization. In order to limit the scope of attacks, developers and DBAs need to acknowledge their roles in the process and work together to ensure that Web applications aren’t exposing sensitive databases.

This starts by understanding how much the current Web app phenomenon has opened up once-closed databases.

“The days of static content Web sites are a distant memory, and every Web site or Web-based application today is back-ended by some kind of database, whether it’s your bank, your cloud CRM service, your mobile device’s app-store, your favorite online shopping site, or your photo collection and blog,” says Joe Levy, CTO of Solera Networks. “The front-end application and the back-end database are inextricably bound in our current model, and one simply would not exist without the other.”

READ MORE …

Hackers who stole thousands of credit card numbers from U.S. security firm Stratfor are now set to release 2.7 million of its confidential emails.

The loose-knit Anonymous movement vowed to heap further embarrassment on the intelligence company, dubbed the ‘Shadow CIA’, it hacked over Christmas.

It wants to humiliate the firm, which uses a global network of sources to create daily intelligence briefings on security and financial risk, by publishing the communications.

And it said they could provide the ‘smoking gun for a number of crimes’.

Read more: http://www.dailymail.co.uk/news/article-2079262/Anonymous-hackers-publish-U-S-security-firms-2-7m-client-emails–providing-smoking-gun-number-crimes.html#ixzz1ht3HW06S

Category: IT Security
Chamber Raid: Hackers Target US Commerce Lobby
Thursday, December 29th, 2011 | Author: admin

As the U.S. government continues to pound out proposals for getting its IT security ducks in a row, it appears it’s not the only party in Washington, D.C., to have a problem with network intrusion.

IT systems belonging to the lobbying group the United States Chamber of Commerce were breached by hackers using servers located in China, according to The Wall Street Journal.

The Chamber reportedly learned of the break-in only when it was informed by the U.S. Federal Bureau of Investigation. China’s government has denied accusations that it was behind the hack.

READ MORE …

Category: IT Security
‘Anonymous’ hackers target US security think tank
Tuesday, December 27th, 2011 | Author: admin

The loose-knit hacking movement “Anonymous” claimed Sunday to have stolen thousands of credit card numbers and other personal information belonging to clients of U.S.-based security think tank Stratfor. One hacker said the goal was to pilfer funds from individuals’ accounts to give away as Christmas donations, and some victims confirmed unauthorized transactions linked to their credit cards.

Anonymous boasted of stealing Stratfor’s confidential client list, which includes entities ranging from Apple Inc. to the U.S. Air Force to the Miami Police Department, and mining it for more than 4,000 credit card numbers, passwords and home addresses.

READ MORE …

Category: IT Security
ObserveIT – Citrix-Ready Certified!
Saturday, December 24th, 2011 | Author: admin

Many of our customers have long been using ObserveIT to capture user activity within published applications on Citrix XenApp servers. Based on this high volume of usage, Citrix and ObserveIT have worked to certify the ObserveIT auditing platform as Citrix Ready.

We are especially happy to add this sign of approval, because it helps many Citrix customers who don’t have a full Platinum edition deployment, but want to be able to capture user activity audit logs. (Only the platinum edition of Citrix XenApp has built-in user audit recording.)

More info here: http://www.citrix.com/ready/partners/observeit

Category: ObserveIT
Database Security Proxies
Saturday, December 24th, 2011 | Author: admin

The last database activity monitoring (DAM) model I want to address is the proxy model.

This is the final installment of my trends series, following the business activity monitoring, ADMP and policy-driven security models.

With the proxy model, DAM sits in front of the databases and all database requests are routed through the proxy. This is a deployment model shared with the ADMP and business activity monitoring models, allowing the proxy to detect and block malicious queries. But where it gets interesting is the other ways the proxy alters database output and function: In essence, the proxy model adds database functionality by modifying the results in non-standard ways.

The proxy model works by intercepting inbound queries and, after analysis, reacting with different technologies. One major feature is that DAM recognizes incoming queries and provides the result directly to the user without passing the query to the database. The proxy system works as a database cache, lowering the resource demand on the database and improving query response times.
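As an added illustration of the proxy model described above (example code, not from the original post or any DAM product), here is a small Python proxy that normalizes incoming SQL, applies a policy before anything reaches the database, answers repeated SELECTs from its own cache, and drops cached results when a write touches the same table; the in-memory backend, account names and policy rules are constructed assumptions.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed backend standing in for the real DBMS: a few in-memory tables.
BACKEND = {
    "orders": [(1, "widget", 3), (2, "gadget", 1)],
    "creditcard": [(1, "4111-xxxx-xxxx-1111")],
}


@dataclass
class Decision:
    action: str            # "cache", "database" or "blocked"
    rows: list = field(default_factory=list)
    reason: str = ""


class DamProxy:
    """Hypothetical proxy-model DAM: every client query passes through here."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.cache = {}    # normalized SELECT -> (expiry, rows)
        self.audit = []    # (user, action, normalized sql), the proxy's audit trail

    @staticmethod
    def normalize(sql):
        # Collapse whitespace/case so "SELECT *  FROM t;" and "select * from t" match.
        return re.sub(r"\s+", " ", sql.strip().rstrip(";")).lower()

    @staticmethod
    def tables(norm):
        return set(re.findall(r"\b(?:from|into|update|join)\s+([a-z_]+)", norm))

    def policy(self, user, norm):
        """Constructed rules: only pci_app may read card data; *_ro accounts never write."""
        verb = norm.split(" ", 1)[0]
        if "creditcard" in self.tables(norm) and user != "pci_app":
            return "only pci_app may touch creditcard"
        if verb != "select" and user.endswith("_ro"):
            return "read-only account attempted a write"
        return None

    def query(self, user, sql):
        norm = self.normalize(sql)
        reason = self.policy(user, norm)
        if reason:
            self.audit.append((user, "blocked", norm))
            return Decision("blocked", reason=reason)
        now = time.monotonic()
        hit = self.cache.get(norm)
        if hit and hit[0] > now:
            self.audit.append((user, "cache", norm))
            return Decision("cache", rows=hit[1])     # served without touching the DB
        rows = self._execute(norm)
        if norm.startswith("select"):
            self.cache[norm] = (now + self.ttl, rows)
        else:
            # A write invalidates every cached SELECT over the tables it touched.
            for t in self.tables(norm):
                for k in [k for k in self.cache if t in self.tables(k)]:
                    del self.cache[k]
        self.audit.append((user, "database", norm))
        return Decision("database", rows=rows)

    def _execute(self, norm):
        # Toy executor: supports "select * from <t>" and "insert into <t> values (...)".
        m = re.match(r"select \* from ([a-z_]+)", norm)
        if m:
            return list(BACKEND.get(m.group(1), []))
        m = re.match(r"insert into ([a-z_]+) values \((.*)\)", norm)
        if m:
            values = tuple(v.strip().strip("'") for v in m.group(2).split(","))
            BACKEND.setdefault(m.group(1), []).append(values)
        return []
```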

READ MORE …

IBM InfoSphere Guardium eNewsletter: December 2011
Saturday, December 24th, 2011 | Author: admin
IBM December 2011

In this Issue:

  • Five Big Database Breaches of 2011’s Second Half, Dark Reading
  • Data Security and APTs, NetworkWorld
  • Ensuring Secure Database Access, Dark Reading
  • Market Overview: Database Security, 2011, Forrester Research
  • Database and Security Compliance Seminars Wrap up in the Big Apple
  • On-Demand Webcast: Addressing PCI for Databases: Beyond Encryption and Log Management
  • Tech Tip of the Month: Tracking Activities When a Session’s Owner is Changed
  • InfoSphere Guardium Training Courses
  • InfoSphere Guardium Bootcamp for Business Partners
  • Upcoming Events
  • Quick Links
  • Renew Your Subscription

Five Big Database Breaches of 2011’s Second Half
Dark Reading, Ericka Chickowski

Healthcare breaches dominate since the summer, with plenty of lessons learned

Though the second half of the year has been comparably calmer than the first half’s excitement over database breaches at RSA, Sony, and Epsilon, the breach numbers continued to roll in — especially at healthcare organizations, which made up a disproportionate number of exposed records. Here are some of the biggest breaches that went down in the second half of the year. Read more about database security lessons learned and IBM InfoSphere solutions.
1. The Breach Victim: Nemours
2. The Breach Victim: Tricare/SAIC
3. The Breach Victim: Sutter Physicians Services and Sutter Medical Foundation
4. The Breach Victim: SK Communications
5. The Breach Victim: Valve, Inc.

Editor’s Note (LM): These breaches are examples of how continuous, real-time database activity monitoring (DAM) is essential for detecting breaches and fraud in situations where application-layer security has been bypassed. Bypassing of application security controls can occur either via a flaw in the application’s authorization software (as in this example), or when administrators and hackers connect directly to the databases that form the core of enterprise applications such as Oracle EBS, PeopleSoft, JDE and SAP. It can also occur when malware installed on corporate users’ PCs is used to steal application credentials. DAM can help rapidly detect these breaches by immediately identifying suspicious or unauthorized activities at the database tier, which inevitably result from malicious activity such as unauthorized changes to sensitive data or account permissions, or an unusually large number of read operations on sensitive data. InfoSphere Guardium Solutions for Security and Privacy comprise:

Database Activity Monitoring provides the simplest, most robust solution for continuously monitoring access to high-value databases, assuring the integrity of trusted information in your data center and automating governance controls in heterogeneous enterprises.

Data Redaction protects sensitive data in documents and forms from unintentional disclosure, detecting and removing the data from the document version that is openly shared. It supports many of today’s document formats, including scanned documents, PDF, TIFF and Microsoft® Word.

Database Encryption can protect sensitive information in both online and offline environments and has centralized policy and key management to simplify data security management.

Read more.

Data Security and APTs
Enterprises are investing in new data security tools but is this enough?
NetworkWorld, John Oltsik

As part of our recent APT research, ESG asked security professionals working at U.S.-based enterprise organizations (i.e. more than 1,000 employees) if APTs had caused their organizations to purchase and deploy new information security technologies. About 40% are doing so.

What’s interesting is the types of investments they are making in order to protect sensitive data. For example:

  • 54% of organizations that purchased new tools as a result of APTs are investing in data encryption technologies
  • 43% of organizations that purchased new tools as a result of APTs are investing in database security technologies
  • 35% of organizations that purchased new tools as a result of APTs are investing in DLP
  • 31% of organizations that purchased new tools as a result of APTs are investing in new types of user authentication or access controls

Database security is often ignored but it seems like APTs have become a wake-up call. IBM tells me that its database security services and products (aka Guardium) are selling well.

Read more.

Ensuring Secure Database Access
DarkReading, InformationWeek – Debra Donston-Miller

Role-based access control based on least user privilege is one of the most effective ways to prevent the compromise of corporate data. But proper provisioning is a growing challenge, due to the proliferation of “big data,” NoSQL databases and cloud-based data storage.

The types of data companies are collecting and the way companies are using that data may be changing, but a database security basic still holds true:
Give users access only to the data they need to do their jobs. It may be a little more challenging these days to determine just which users need access to which data, but taking the time to make those kinds of decisions is key.

Read more.

Market Overview: Database Security, 2011
A Forrester Research Report, Noel Yuhanna

Enterprise databases continue to experience growing attacks despite enhanced security processes and increasing database security approaches. Security gaps in solutions persist in intelligent prevention, tighter integration with middleware and applications, and security patch automation. Forrester forecasts the database security market to grow at approximately 20% annually through 2014, with leading database management system (DBMS) vendors such as IBM and others further extending database security. Application, database, and security professionals should ensure that they have an enterprise wide database security strategy for all sensitive databases.

Find out why Forrester expects stand-alone database security markets to continue, even as it starts to integrate with broader information security frameworks and the security information and event management, intrusion detection and prevention, and data leak prevention markets.

Read more.

Database Security and Compliance Seminars Wrap up in the Big Apple

InfoSphere Guardium recently concluded a 4-city Best Practices for Database Security & Compliance Seminar Series in New York City. Attendees heard how cyber attacks, insider breaches, and data leaks are driving organizations to look to technology to prevent fraud and provide audit trails showing the proper controls are in place for monitoring access to sensitive data across the enterprise. C-level executives are looking to simplify compliance, minimize risk and reduce costs.

Attendees gave positive feedback, appreciating the valuable industry insight provided by Jeff Wheatman, Research Director at Gartner. Additional education, with revealing case studies, was provided by Phil Neray, IBM Data Security Strategist. IBM technology experts also provided an InfoSphere Guardium technology overview, outlining the benefits of the solution.

A recording of this technical overview, which was demonstrated during the Best Practices Series, is available for download. Listen to Distinguished Engineer and former Guardium CTO Ron Ben Natan discuss industry security concerns and how InfoSphere Guardium for database security and compliance can address those concerns.

Download the technical overview.

On-Demand Webcast: Addressing PCI for Databases: Beyond Encryption and Log Management

Industry experts agree that PCI Requirement 10 (Track and monitor all access to cardholder data) is the most challenging requirement for many organizations.

PCI databases handle millions of transactions per day — making it impractical to implement native database logging and auditing due to their performance overhead and complexity.

In this technical webinar, you’ll learn how clients of all sizes — including Dell, McAfee, Washington Metro (WMATA) and a top 5 global bank – implemented Guardium’s scalable, cross-DBMS solution to:

  • Easily pass QSA audits with out-of-the-box compliance reports and automated workflows.
  • Prevent unauthorized access by continuously monitoring all database activities — including actions by privileged users such as DBAs, developers and outsourced personnel — without impacting performance or creating more work for DBAs and security teams

You’ll find out how database activity monitoring (DAM) can help you:

  • Implement centralized, cross-DBMS policies for all your applications (PeopleSoft, SAP, Siebel, etc.) and databases (Oracle, SQL Server, DB2, Netezza plus 12 other platforms).
  • Integrate with leading SIEMs to alert security teams to SQL injection and other cyber-attacks, by tracking security exceptions such as failed database logins.
  • Identify sharing of privileged credentials (e.g., generic service accounts) and other violations.
  • Regularly test database systems (Requirement 11) for missing patches, misconfigurations, default vendor passwords and other vulnerabilities.
  • Auto-discover where sensitive cardholder data is located in databases.
  • Enforce change controls (Requirement 6).
  • Address Requirement 3 (Protect stored cardholder data) without complex changes for column-level encryption.
  • Provide Separation of duties (SOD) by creating a secure audit trail that can’t be disabled by administrators and cyber-criminals.
  • Provide a compensating control for network segmentation (Requirement 7).
  • Deliver a typical payback period of less than 6 months by eliminating capital expenses such as database log storage and incremental server resources.

View the Webcast.

Tech Tip of the Month – Tracking Activities When a Session’s Owner is Changed

Question: I understand InfoSphere Guardium has the ability to track both remote and local database activity, but what happens if a user logs into the OS as “Joe” and then does a “Switch User” to “Oracle”, after which the local database is accessed? Wouldn’t this effectively obscure your ability to track down malicious activities?

Answer: Oftentimes operational processes require individuals to log in with their own credentials and then “su” to a generic account like “oracle”. There is no way to correlate subsequent activity to a specific individual unless you specifically monitor the UID chain, as InfoSphere Guardium does.

If you are wondering specifically what user the InfoSphere Guardium system will show under this scenario, the answer is “Joe”!

Let’s examine the whole chain of events and the InfoSphere Guardium results in more detail:
1. First, the user logs into the system as “joe” (see user actions outlined in red in the window in the lower portion of Figure 1)
2. He then switches users to the Oracle account (su – oracle)
3. Using SQL *Plus he connects to the Oracle DBMS using the “system” database account
4. He then executes “select * from creditcard”, to retrieve your valuable credit card data

Figure 1: InfoSphere Guardium enables clients to identify the original user who logged into a Unix or Linux system, regardless of how many times they switch users; an important feature in providing an effective audit trail for privileged users.

InfoSphere Guardium has the ability to track down the original user who logged into a Linux/Unix system regardless of how many times that user has done a “su” to other users, using a feature called UID Chaining. In this scenario you can easily see that it is Joe (see the InfoSphere Guardium report in the top portion of Figure 1) who has downloaded the credit card data; key information that other solutions are unable to provide. And of course the full range of InfoSphere Guardium policy-based actions can be used in conjunction with UID Chaining, ranging from logging, to real-time alerts and blocking.
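To make the UID chaining idea concrete, here is an added Python example (not Guardium code and not taken from the tip above) that rebuilds the su chain from constructed syslog lines and attributes a database-tier event back to the user who originally logged in; the log lines, the audit record layout, the hostname and the account names are all assumptions, and the walk handles a multi-hop chain rather than only the single su in the scenario.

```python
import re
from datetime import datetime

# Constructed syslog excerpt (not real output): joe logs in over ssh, switches
# to an intermediate admin account and then to oracle, all on pts/1. A separate
# su on pts/2 is included to show that sessions are kept apart by tty.
AUTH_LOG = """\
Dec 24 09:58:10 dbhost sshd[2300]: Accepted publickey for joe from 10.0.0.5 port 50022 ssh2
Dec 24 09:58:10 dbhost sshd[2300]: pam_unix(sshd:session): session opened for user joe by (uid=0)
Dec 24 10:01:02 dbhost su[2345]: (to dbadmin) joe on pts/1
Dec 24 10:01:02 dbhost su[2345]: pam_unix(su-l:session): session opened for user dbadmin by joe(uid=1001)
Dec 24 10:03:40 dbhost su[2391]: (to oracle) dbadmin on pts/1
Dec 24 10:03:40 dbhost su[2391]: pam_unix(su-l:session): session opened for user oracle by dbadmin(uid=1002)
Dec 24 10:05:15 dbhost su[2402]: (to oracle) backupsvc on pts/2
"""

# Constructed database-tier audit record of the kind a DAM agent would capture:
# the OS user is the generic account, not the person who typed the query.
DB_EVENT = {
    "ts": "Dec 24 10:06:30",
    "tty": "pts/1",
    "os_user": "oracle",
    "db_user": "system",
    "sql": "select * from creditcard",
}

# Matches the "(to TARGET) SOURCE on TTY" line that su writes via syslog.
SU_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ su\[\d+\]: "
    r"\(to (?P<to>\S+)\) (?P<frm>\S+) on (?P<tty>\S+)$"
)


def parse_ts(s):
    # Syslog lines carry no year; all events here are assumed to share one.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def su_events(log_text):
    """Return su records as (time, from_user, to_user, tty), oldest first."""
    out = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            out.append((parse_ts(m["ts"]), m["frm"], m["to"], m["tty"]))
    return sorted(out)


def uid_chain(events, tty, os_user, at):
    """Walk su records on one tty backwards from os_user to the login user."""
    chain = [os_user]
    t = parse_ts(at)
    while True:
        hops = [e for e in events if e[3] == tty and e[2] == chain[-1] and e[0] <= t]
        if not hops:
            return chain[::-1]          # original login user first
        t, frm, _, _ = hops[-1]         # most recent hop into chain[-1]
        if frm in chain:
            return chain[::-1]          # stop on a loop (joe -> oracle -> joe)
        chain.append(frm)


def attribute(db_event, log_text):
    """Tie a database event to the person behind the generic OS account."""
    chain = uid_chain(su_events(log_text), db_event["tty"],
                      db_event["os_user"], db_event["ts"])
    return {"original_user": chain[0], "chain": " -> ".join(chain),
            "db_user": db_event["db_user"], "sql": db_event["sql"]}


if __name__ == "__main__":
    print(attribute(DB_EVENT, AUTH_LOG))
```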

2011 InfoSphere Guardium Training Courses

Guardium’s training courses help you achieve results quickly and easily. For more information about training, to sign up for a training course, or to schedule a training session, go to: Guardium Training.

GU201: IBM InfoSphere Guardium Technical Training
This three day course offers a balanced mix of lectures, hands-on lab work, case studies, and testing. Students will learn how to create reports, audits, alerts, metrics, compliance oversight processes, and database access policies and controls. Students will also learn about system administration, archiving, purging, and back-ups.

GU210: IBM InfoSphere Guardium QuickStart Training
This one day course is delivered onsite and offers a balanced mix of lecture and hands-on exercises to ensure you can effectively meet your audit requirements and address key business priorities. Students will learn how to use Guardium’s solution in their own environment and create compliance reports, audit workflows, and real-time alerts based on their business requirements.

InfoSphere Guardium Bootcamp for Business Partners

This technical workshop is for IBM business partners who are currently working with or are interested in working with IBM InfoSphere Guardium. It provides training on InfoSphere Guardium in a classroom setting. Detailed presentations and hands-on labs on Guardium 8 are included where attendees will gain in-depth knowledge on topics including:

  • InfoSphere Guardium product overview
  • Guardium installation concepts, planning, and configuration
  • Auditing database servers with the Guardium system
  • Monitoring for unusual traffic
  • S-GATE and S-TAP Terminate Functions
  • Vulnerability Assessments
  • Enhanced Enforcement Actions
  • And much more

Learn how IBM InfoSphere Guardium can add value to your security and data management solutions and extend your market opportunity. Business partners working in the consulting industry who are currently working with or plan to work with InfoSphere Guardium are also welcome to attend.

Schedule and registration information

Please Note: We will send an email confirmation to all registrants 1-2 weeks before the bootcamp begins.

Date                  Country        City          Registration Information
Jan 16 – 20, 2012     Mexico         Mexico City   Register here
Feb 6 – 9, 2012       India          Bangalore     Register here
Feb 6 – 9, 2012       Russia         Moscow        Register here
Feb 12 – 15, 2012     Saudi Arabia   Riyadh        Register here
Feb 21 – 24, 2012     Australia      Sydney        Register here

For more information, go to: IBM InfoSphere Guardium Bootcamp

Upcoming Events

Please visit us at the following upcoming events:

RSA Conference

San Francisco, CA – February 27 – March 2, 2012, Moscone Center

IBM Pulse
Las Vegas, NV – March 4 – 7, 2012, MGM Grand Hotel

Quick Links
IBM InfoSphere Guardium 8 Data Sheet
Data Security and Privacy: A Holistic Approach
Look Beyond Native Database Auditing to Improve Security, Audit Visibility Compliance, and Real-time Protection, by Noel Yuhanna, Principal Analyst Forrester Research
Ten Database Activities Enterprises Need to Monitor, a white paper by Jeffrey Wheatman, Research Director, Gartner
Databases at Risk, a white paper by Jon Oltsik, Principal Analyst, Enterprise Strategy Group
IBM InfoSphere Guardium Encryption Expert: An Overview
IBM InfoSphere Guardium Encryption Expert: Secure and Protect your SAP Data
IBM InfoSphere Solutions for Data Security and Privacy, a whitepaper on Supporting HIPAA Compliance with Access to Sensitive Medical Information
IBM InfoSphere Solutions for Data Security and Privacy, a whitepaper on Protecting Payment Card Data to Help Ensure Compliance

IBM InfoSphere Guardium Home Page
Auditing & Compliance
Privileged User Monitoring
Application Monitoring: Fraud Prevention
Change Control
Database Leak Prevention
Vulnerability Management
Mainframe Visibility
InfoSphere Guardium Library (Analyst Reports, Case Studies, Webcasts, etc.)
Renew your subscription: Your monthly source for news, advice and learning for continuous protection against database attacks and insider threats.


The U.S. Chamber of Commerce was breached a year ago by Chinese hackers targeting four employees working on Asia-related policy.

The hackers may have had access to the lobbying organization’s network for more than a year before they were blocked and removed in May 2010, two unidentified sources told The Wall Street Journal Dec. 21. A Chamber of Commerce spokesperson confirmed the incident and told eWEEK that the scope of the attack was limited.

It appears the attackers infiltrated at least 300 Internet addresses, stole six weeks of email correspondence from four employees who were focused on Asian policy, and had access to all the information the Chamber of Commerce has on its 3 million members. It is not known whether the attackers actually viewed the member information, according to The Wall Street Journal report.

“What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence,” David Chavern, the Chamber of Commerce’s COO, told The Journal.

READ MORE …

Category: IT Security
7 Housekeeping Duties For Better Database Security In 2012
Friday, December 23rd, 2011 | Author: admin

As organizations gear up for a new year, now is the perfect time to look at processes and technologies and reassess how well they really are mitigating risks. On the database level, there are a number of foundational activities that many organizations are still failing to carry out effectively.

The following action list is compiled from some of the advice doled out by database security experts in 2011. Use it wisely to come up with a sane plan in 2012 and beyond:

READ MORE …

Themes for 2012
Thursday, December 22nd, 2011 | Author: admin

It’s that time of year. Here are a few thoughts about what’s to come, in no particular order.

  1. Real-time everything. Hardly a surprise. It’s been real-time everything for a few years. What I think is interesting is the growth in the data replication market specifically to support real-time BI as opposed to failover, disaster recovery, zero-downtime migrations and the like. I would not be at all surprised if we see the introduction of lightweight BI-only data replication products into the marketplace.
  2. Continuous BI. I think we’ll hear a lot more about this as a generic market for complex event processing as opposed to the vertical markets that CEP has previously addressed.
  3. CEP adoption by SIEM vendors. I have been arguing for the last two years that SIEM architectures are generally antiquated. The big breakthrough will come if (I think it more likely to be when) IBM announces that InfoSphere Streams has been integrated with QRadar. Now you have a big beast on the one hand and smaller, more agile companies like Red Lambda and Tier-3 all offering CEP in this space and the other suppliers will have to follow suit or a) appear out-of-date and slow (which they are) or b) limit themselves to the SME market.

READ MORE …

Category: IT Security