Posted by Matt Benati on Wed, Aug 18, 2010
Recently Verizon published its 2010 Data Breach Investigations Report, which states that the top three verticals continue to be financial services, retail, and hospitality. According to the report, 50% of all breaches occur at the server and application layer, with a whopping 98% of the compromised records originating from these layers! Breaking this down further, Verizon states that database servers account for 25% of the breaches and a staggering 92% of all compromised records. The database is clearly a hotbed of malicious activity - so how do we stop it?
Verizon helps us by identifying the method used by cyber criminals to steal the overwhelming majority of sensitive information - it's a one two punch we need to defend against. The data shows that, "In the big breaches, the attacker hacks into the victim’s network (usually by exploiting some mistake or weakness) and installs malware on systems to collect (lots of) data." One - hacking is used in 40% of breaches and accounts for 96% of compromised records. Two - malware is then used 38% of the time to collect 94% of compromised records. "Though less prevalent than in previous reports, Hacking and Malware are even more dominant than normal with respect to compromised records."
The key to stopping this method of data theft is to identify foreign applications so that the security team can then eliminate the offending malware. In the case of database activity monitoring (DAM), we need to focus on spotting inappropriate access to the database. When the malware queries a database, an intelligent DAM solution, like Netezza Mantra, recognizes a new (or rare) application, alerts the security team, and can even block further data loss until the malware is removed.
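To make the "new or rare application" check concrete, here is an added Python example (not Mantra's own code, and not from the original post) that learns which client programs each database credential normally uses from a baseline window and then alerts on, and eventually blocks, programs that were never seen. The audit-record format "timestamp db_user client_app src_ip statement", the field names and every sample line are constructed for the example.

```python
"""Database-activity-monitoring check for new or rare client applications.

Added example, not Netezza Mantra code. The audit-record format
"<timestamp> <db_user> <client_app> <src_ip> <statement>", the field names and
every sample line below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed baseline: a normal day of traffic used to learn which
# (db_user, client_app) pairs are legitimate.
BASELINE_LOG = """\
2010-08-01T09:00:01 app_svc OrderPortal 10.1.2.10 SELECT * FROM orders WHERE id = 4410
2010-08-01T09:00:02 app_svc OrderPortal 10.1.2.10 SELECT * FROM orders WHERE id = 4411
2010-08-01T09:05:00 report_svc NightlyReport 10.1.2.20 SELECT COUNT(*) FROM orders
2010-08-01T10:00:00 app_svc OrderPortal 10.1.2.11 UPDATE orders SET status = 'shipped' WHERE id = 4410
2010-08-01T11:00:00 dba_jsmith sqlplus 10.1.9.5 SELECT name FROM v$database
2010-08-01T12:00:00 app_svc OrderPortal 10.1.2.10 SELECT * FROM orders WHERE id = 4412
2010-08-02T09:05:00 report_svc NightlyReport 10.1.2.20 SELECT COUNT(*) FROM orders
"""

# Constructed live traffic: the application-server credential is reused by an
# unknown binary to bulk-read cardholder data, and a DBA runs an ad hoc query.
LIVE_LOG = """\
2010-08-18T02:13:44 app_svc OrderPortal 10.1.2.10 SELECT * FROM orders WHERE id = 9001
2010-08-18T02:14:02 app_svc svchost.exe 10.1.2.10 SELECT card_number, expiry, name FROM customers
2010-08-18T02:14:03 app_svc svchost.exe 10.1.2.10 SELECT card_number, expiry, name FROM customers WHERE id > 100000
2010-08-18T02:30:00 dba_jsmith sqlplus 10.1.9.5 SELECT card_number FROM customers WHERE id = 77
2010-08-18T03:00:00 report_svc NightlyReport 10.1.2.20 SELECT COUNT(*) FROM orders
"""


@dataclass
class Event:
    ts: str
    db_user: str
    client_app: str
    src_ip: str
    statement: str


@dataclass
class Alert:
    event: Event
    reason: str   # "new-application", "unusual-pairing" or "rare-pairing"
    action: str   # "alert" for the first hit, "block" for repeats of a never-seen program


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=4)   # the statement keeps its own spaces
        if len(parts) != 5:
            raise ValueError(f"malformed audit record: {line!r}")
        events.append(Event(*parts))
    return events


class AppBaseline:
    """Learned profile of which client programs each database credential uses."""

    def __init__(self, events: List[Event]):
        self.pairs = Counter((e.db_user, e.client_app) for e in events)
        self.apps = Counter(e.client_app for e in events)
        self.total = max(1, sum(self.pairs.values()))

    def classify(self, e: Event, rare_share: float = 0.2) -> Optional[str]:
        if e.client_app not in self.apps:
            return "new-application"        # never seen anywhere: the malware tell
        n = self.pairs[(e.db_user, e.client_app)]
        if n == 0:
            return "unusual-pairing"        # known tool, but not with this credential
        if n / self.total < rare_share:
            return "rare-pairing"           # legitimate but infrequent: review, don't block
        return None


def monitor(baseline: AppBaseline, live: List[Event]) -> List[Alert]:
    """Alert on each anomalous statement; block repeats from a never-seen
    program at the same (user, app, ip) until an analyst clears it."""
    alerts, seen = [], set()
    for e in live:
        reason = baseline.classify(e)
        if reason is None:
            continue
        key = (e.db_user, e.client_app, e.src_ip)
        action = "block" if (key in seen and reason == "new-application") else "alert"
        seen.add(key)
        alerts.append(Alert(e, reason, action))
    return alerts


def run_demo() -> List[Alert]:
    baseline = AppBaseline(parse_log(BASELINE_LOG))
    return monitor(baseline, parse_log(LIVE_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.action.upper():5} {a.reason:16} {a.event.db_user}/{a.event.client_app} "
              f"from {a.event.src_ip}: {a.event.statement[:60]}")
```

Running it flags the two svchost.exe statements (alert, then block) and the DBA's sqlplus query as a rare pairing. That last hit is the classic false positive of this approach: infrequent but legitimate tools look rare too, which is why share-based rarity alone should open a review rather than block, and why the blocking policy here engages only for a program the baseline has never seen. A production DAM adds time of day, statement shape and result-set volume to the profile before it blocks.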
Posted by Matt Benati on Fri, Jul 16, 2010
Netezza recently held its annual users conference, Enzee Universe, in Boston. It was a great week filled with a ton of information ranging from current product deep dives, to customers sharing their successes and needs, to investigating the intelligent economy. More and more we see data-rich companies turning to data warehouse appliances (DWA), like Netezza’s TwinFin appliance, to provide high-end analytics. They see these large data stores as strategic assets that hold the key to business success. The data is important, but the analysis is critical. As one large retail customer said to me, "Without analytics, information is just noise."
This year we also showcased the Mantra data compliance and security appliance to our data warehouse community. Its mission in life is to provide deep data auditing capabilities to be used to meet compliance requirements and protect sensitive information. Considered a database activity monitoring technology, Mantra watches all access to data warehouses, transactional databases, and file systems, and determines if the communication poses a threat or is relevant to one or more regulations. Gartner Research recently published a Release Note, Ten Database Activities Enterprises Need to Monitor, that details the importance of database activity monitoring. Specifically, one of Gartner's key findings is, "The use of structured data storage, and the amount of data stored in this way, are increasing rapidly. This trend is largely driven by data analytics requirements and consolidation efforts." If our customers are any indication, Gartner's observation is on the money.
Data warehouses are a natural part of the intelligent economy because they turn your critical information into actionable recommendations - even predictive recommendations. As more emphasis and resources are placed on data analytics, these systems are becoming more and more strategic. This trend is driving companies to increase controls at the data warehouse. In addition to using database activity monitoring for compliance and security needs (Verizon's 2009 Data Breach Investigations Report states that databases account for 75% of all stolen data records), companies simply need visibility into who is accessing or changing their critical data warehouses. Over the past few months we've been contacted by multiple companies asking for help after an employee made a seemingly innocuous change that resulted in unplanned downtime. This is an interesting data availability use case and one we want to know more about ...
What visibility, compliance and security needs do you have for your data warehouses and transactional databases?
Posted by Matt Benati on Fri, Jun 11, 2010

As mentioned in our last blog post, inferentially private information (IPI) is a real threat to our data privacy. As described in the WSJ, a recent AT&T breach disclosed 100,000+ email addresses of iPad users. While this information alone might not be private, the data breach does provide a building block of IPI. If you want to test this theory, simply do a search on your own personal email address - you'll be surprised how much information about you is available online. See if you can leverage one piece of information to gain another, and another, and another. Steve Lohr's article theorizes that connecting bits of personal information through sophisticated algorithms, unlimited social media data, and modern compute power can produce truly private information. I'm a believer, and with the lure of a big payout, cyber criminals will certainly attempt to capitalize on even the smallest and seemingly meaningless disclosures.
The more visible short-term impact of this breach will be loss of trust and control – when they are made aware of it, consumers do not like the idea of their privacy being lost bit by bit.
Please let me know how your personal email address experiment pans out.
Posted by Prat Moghe on Wed, Mar 24, 2010
While security tools and professionals are busy trying to keep private data (PII) confidential, some of the public data out there turns out to be …well…“private”. Not directly, but at least inferentially.
A paper published last year titled “Predicting Social Security numbers from public data” (http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html) is a must read for all security and privacy practitioners. Here in a nutshell is what the authors Alessandro Acquisti and Ralph Gross of CMU demonstrate –
- As most of us know, each 9-digit SSN is composed of a 3-digit area number (AN), a 2-digit group number (GN), and a 4-digit serial number (SN).
- The authors start out by analyzing the social security numbers of known deceased people, taken from a public database called the Death Master File (DMF), which contains roughly 83 million deaths that have been reported to the Social Security Administration. Each entry in this file contains the name of the person, their SSN, their date of birth, date of death, their zip code, etc.
- The authors found that individuals with close birthdays and the same state of application have similar SSNs. In other words, SSN allocation is not “random”. A strong correlation exists between dates of birth and all 9 SSN digits; SSNs assigned in the same state to applicants born on consecutive days are likely to share the same AN and GN.
- The authors outline a prediction algorithm based on a regression model. They evaluate the results of this model – here are the findings -
- They could, with one attempt, identify the first five digits – the AN+GN combination – for almost half of the SSN records.
- They could identify the complete SSN with fewer than 1,000 attempts for 8.5% of the records. This makes such an SSN equivalent to a notoriously insecure 3-digit PIN!
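The mechanism behind those findings is easier to see in code. The following is an added Python example, not the paper's method or anything from the original post: it builds a synthetic DMF-style dataset in which numbers are issued in application order (birth date plus a random delay), then predicts a held-out person's AN+GN from the nearest same-state birthdays and ranks full-SSN guesses outward from the neighbours' median serial number. The state-to-area mapping, the issuance model, the record counts and the delay distribution are all assumptions; the synthetic allocation is far more regular than real SSA issuance, so the rates it reports are not the paper's 44% and 8.5%.

```python
"""Toy reconstruction of the Acquisti/Gross inference: predict an SSN's area and
group numbers, then narrow its serial number, from state and date of birth
using DMF-style public records.

Added example; not code from the paper or the page. The allocation model and
every record below are synthetic (assumed, and far more regular than real SSA
issuance), so the success rates it reports are not the paper's figures.
"""
import bisect
import random
from collections import Counter, defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

# SSA's published group-number issuance order: odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (list(range(1, 10, 2)) + list(range(10, 99, 2))
               + list(range(2, 9, 2)) + list(range(11, 100, 2)))

# Assumption: a single starting area number per state, taken from the historical ranges.
STATE_AREA = {"NH": 1, "VT": 8, "MA": 10}


def allocate(rng: random.Random, state: str, n_people: int,
             start: date = date(1989, 1, 1), span_days: int = 2556,
             max_lag: int = 90) -> List[Tuple[date, str]]:
    """Synthetic enumeration-at-birth: numbers are issued in order of application
    date, which trails the birth date by 0..max_lag days. Serials run 0001-9999
    before the group (and eventually the area) advances."""
    dobs = (start + timedelta(days=rng.randrange(span_days)) for _ in range(n_people))
    people = sorted((dob + timedelta(days=rng.randrange(max_lag + 1)), dob) for dob in dobs)
    an, g_idx, sn, records = STATE_AREA[state], 0, 1, []
    for _applied, dob in people:
        records.append((dob, f"{an:03d}{GROUP_ORDER[g_idx]:02d}{sn:04d}"))
        sn += 1
        if sn > 9999:
            sn, g_idx = 1, g_idx + 1
            if g_idx == len(GROUP_ORDER):
                g_idx, an = 0, an + 1
    return records


class DmfIndex:
    """Per-state (dob, ssn) records sorted by birth date for nearest-neighbour lookup."""

    def __init__(self, records: List[Tuple[str, date, str]]):
        self.by_state: Dict[str, List[Tuple[date, str]]] = defaultdict(list)
        for state, dob, ssn in records:
            self.by_state[state].append((dob, ssn))
        for recs in self.by_state.values():
            recs.sort()
        self.dobs = {s: [d for d, _ in recs] for s, recs in self.by_state.items()}

    def neighbours(self, state: str, dob: date, k: int) -> List[Tuple[date, str]]:
        recs, dobs = self.by_state[state], self.dobs[state]
        i = bisect.bisect_left(dobs, dob)
        window = recs[max(0, i - k):i + k]
        return sorted(window, key=lambda r: abs((r[0] - dob).days))[:k]


def predict(index: DmfIndex, state: str, dob: date, k: int = 20,
            budget: int = 1000) -> Tuple[str, List[str]]:
    """Return the predicted first five digits and up to `budget` full-SSN guesses,
    ordered outward from the neighbours' median serial number."""
    nb = index.neighbours(state, dob, k)
    angn = Counter(ssn[:5] for _, ssn in nb).most_common(1)[0][0]
    serials = sorted(int(ssn[5:]) for _, ssn in nb if ssn[:5] == angn)
    center = serials[len(serials) // 2]
    guesses = [f"{angn}{center:04d}"]
    delta = 1
    while len(guesses) < budget and delta < 9999:
        for sn in (center + delta, center - delta):
            if 1 <= sn <= 9999 and len(guesses) < budget:
                guesses.append(f"{angn}{sn:04d}")
        delta += 1
    return angn, guesses


def evaluate(seed: int = 1, per_state: int = 12000, holdout: int = 300,
             budget: int = 1000) -> Dict[str, float]:
    """Hold out `holdout` records, predict each from the rest, and report how often
    the first five digits are right first try and how often the full SSN is
    among the first `budget` guesses."""
    rng = random.Random(seed)
    records = [(s, dob, ssn) for s in STATE_AREA for dob, ssn in allocate(rng, s, per_state)]
    rng.shuffle(records)
    test, known = records[:holdout], records[holdout:]
    index = DmfIndex(known)
    angn_hits = full_hits = 0
    for state, dob, ssn in test:
        angn, guesses = predict(index, state, dob, budget=budget)
        angn_hits += angn == ssn[:5]
        full_hits += ssn in guesses
    return {"angn_first_try": angn_hits / holdout, "within_budget": full_hits / holdout}


if __name__ == "__main__":
    print(evaluate())
```

On this synthetic data the first five digits are almost always right and the full number usually falls within the 1,000-guess budget, because the only noise is the application delay. The real DMF is much messier (changing issuance rates, applications long after birth, group boundaries), which is what pulls the paper's numbers down to 44% and 8.5%; the point the code makes is that the attack is a nearest-neighbour lookup plus a short serial-number scan, not anything that requires private data.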
Also check out the recent article by Steve Lohr that explores social media implications. Lohr’s article led me to the SSN paper above.
As more and more public data gets on-line, it will combine with other data. Taken individually these extracts might look innocuous, but the composite intersection could become more and more “inferentially private”. We could call it IPI (inferentially private information) much in the style of PII (personally identifiable information). While IPI is less private than PII, it has tremendous reach since it is in the public domain. Imagine, for example, a spear phishing attack based on the first five digits of an SSN. Given sufficient resources & intent, over time IPI could carry the same level of risk as PII.
Posted by Prat Moghe on Thu, Mar 04, 2010
At the RSA show this year, we saw one of the frankest exchanges with Howard Schmidt, the Cyber Security Czar appointed by President Obama. The conversation touched upon a variety of topics. Schmidt had the following three top initiatives for the government in terms of cyber security –
1. Application of risk management to evaluate areas of investment – unlike earlier periods where all technologies were equal and investments were technically oriented, he would like to apply a risk-oriented approach.
2. Continuous monitoring – areas such as DAM (Database Activity Monitoring) and SIEM were outlined as being among the top priorities. According to Schmidt, in the past it was all about looking behind and summarizing historical patterns. Now it is all about understanding what is happening. He would like to have a real-time or near-real-time operational risk dashboard that can drill down into operational controls from various sites and agencies.
3. Out with the paper reports – Schmidt would like to scrap ancient processes that were paper based and siloed. His vision includes the ability to coordinate, correlate and electronically present information. While he did not elaborate further on this, it felt to me that in some sense he was calling for reporting of information & knowledge (risk) that is actionable, as opposed to just data collection for the sake of collection.
Two other interesting perspectives to share: First, Schmidt was asked if government regulations could tighten the screws on industry in general in terms of closing the gaps on vulnerabilities in software and systems. I think his response was nuanced but on the mark. He said No! – heavyweight regulation could have the effect of hampering innovation. However, at some point, if government procurement could force leading standards in code and processes, this would essentially “trickle down” to the rest of the industry. (Essentially, once such processes are adopted by vendors in the federal market, the incremental cost of deploying them in other markets is negligible.) Secondly, Schmidt did see a role for government/federal regulation in the context of privacy regulations. Since we have a plethora of state privacy rules, a federal-style regulation could help bring some alignment and rationalizing of state rules.
It will be interesting to see how this year unfolds. The recent history of cyber security czars is littered with failures. Schmidt feels like a breath of fresh air. I hope he survives and succeeds.
Posted by Prat Moghe on Wed, Aug 19, 2009
Personally, the past few weeks have been exciting. Less than six months after joining the Netezza family, the Tizor Mantra team is gearing up to launch a version of Mantra that can monitor and audit Netezza data warehouse products. Here is the official press release. In the process, we are re-branding Mantra under the Netezza umbrella. Going forward, we will be using Mantra as the name for monitoring TwinFin or earlier versions of Netezza appliances. Mantra Enterprise will be the Mantra version for monitoring any enterprise data (including transactional databases such as Oracle, SQL, Sybase, DB2, file servers, mainframe systems, or data warehouse environments).
Old fogeys like me are trying to forget the old name, Tizor. The good news is that Netezza Mantra has a nice ring to it.
Leaving names aside, why is this a significant moment? Several reasons…
My belief has always been that data compliance is an enterprise problem. While this problem first surfaced in distributed transactional systems and unstructured data, it has been steadily evolving towards data warehouse environments. The Netezza Mantra product is the first product to organically bring compliance to the audit and compliance market.
Also, Netezza has been a visionary and a leader in terms of defining the conversation of data warehousing for large enterprises. Traditionally Netezza was first to introduce appliances (“simplicity”) and demonstrate scale (“impossible queries”). With the latest release of TwinFin, Netezza has changed the game on price/performance and demonstrated how appliances can offer investment protection across all ranges of data warehouse needs. Now with Mantra, Netezza is bringing compliance (“trust”) into the data warehouse appliance conversation. That’s a pretty impressive strategic first as well.
Posted by Prat Moghe on Fri, Jun 26, 2009
James DeLuccia IV (http://pcidss.wordpress.com/2009/06/25/audits-of-the-future-must-enrich-and-enforce-your-it-strategy/) and I did a webcast this past week that covered an interesting theme of the year. The title was "Getting life back from compliance". It essentially covered the question of the economics of data auditing. Many enterprises are struggling with the enormous amount of work compliance has created and thrust upon IT. The first step out of this insanity is to step back and try to quantify how much work compliance really is. The next step is to translate this into costs – hard costs and soft costs – and then to classify the hard costs further into development costs, capital costs, and operating costs. Once we have this number we can all stare at it long and hard until we internalize the implication: it is a staggering number. Don’t believe me? Check out the numbers: for a 100-database project, SOX & PCI activity monitoring/logging/reporting/reviews cost an enterprise $2 million over 3 years – roughly an extra 40% overhead over the enterprise IT spend. The productivity hit to the IT staff is even worse. Here is the link for details - http://www.tizor.com/News-And-Events/Events/ROI-of-Auditing-and-Compliance-Lifecycle
Which brings us to the next part of the webcast. What can we do about this? We could stare some more and eventually punt on the problem – this is common, many application owners dump all data (relevant or not) on to the auditors and make it their problem. Unfortunately this makes the problem worse in the long term. Our suggestion is to look into automation. There are tools available (Mantra being one of them) that are purpose-built and turn-key. They capture all the nitty gritty issues, around scoping applications, logging & storing the right type of information, creating reports, managing this effort quarter after quarter. These tools can relieve the impact of compliance and help get your life back….really.
At some point, I will do a series of posts to dig into this in more detail. For now, check out the webcast if you are interested.
By the way, James DeLuccia’s book on IT Controls and Compliance is a good read - http://www.amazon.com/gp/product/0470145013?ie=UTF8&tag=itcomandcon-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=0470145013
Posted by Prat Moghe on Mon, Jun 08, 2009
Over this past weekend, I received shocking news. Rajeev Motwani passed away in a senseless accident at his house. At first it was hard to even believe this could be true until I talked to a few friends. It is still hard to accept.
I was first introduced to Rajeev through interesting circumstances. A few years back, a security architect at a financial services company found the Mantra data mining technology interesting enough that he put me in touch with Rajeev. Rajeev was a Professor at Stanford, and known to be a leading expert in CS theory and algorithms with interest in data mining and privacy. As soon as we had a first conversation we clicked right away. We found many other common connections. My wife knew of Rajeev as “Mots” from her Berkeley days.
Rajeev soon became an advisor to Tizor. Rajeev was very much the active advisor – he worked hard without expecting a return. Over the years, we met pretty much every time I visited the bay area. We had our favorite haunts. One of them was University Café in Palo Alto. Once, as I brought my Starbucks there, Rajeev made me dump it into the trash before we could get down to our discussions. At another meeting, Rajeev wanted to find out how the Google stock was doing – they had just gone public, but he was too busy to track it. Rajeev was a formative influence on the Google founders and technology, particularly Sergey Brin (http://too.blogspot.com/2009/06/remembering-rajeev.html).
Rajeev was very supportive through all the key events at Tizor. His rolodex was phenomenal as was his effort. He was excited about the Netezza acquisition of Tizor and was looking forward to being a part of the future technology inventions and possibilities. Last year, when my wife and I founded a startup around mobile analytics, Rajeev was the first stop for us, and again he readily rolled up his sleeves to become actively involved.
As I analyze why I enjoyed interactions with Rajeev, I realize he was a complete person. Unlike CS theory purists, he was comfortable with non-optimality. This combined with his rigor was an unbeatable match. Unlike many other professors, Rajeev was equally comfortable in technology and business. He had an astute nose for common sense and what works. (I would often suggest to Rajeev to jump full-time into entrepreneurship, and he would just nod.) Above all, he had strong integrity and ethics and a sense of giving. He represented the best in us. I will miss him dearly.
Posted by Juliet Sigmann on Thu, Jun 04, 2009
Occasionally, as I survey first-hand the experiences of enterprises dealing with compliance and risk management issues, there is a “wait a minute” moment. A humbling moment, if you will. Most recently, this humbling moment happened as two regional banking customers of Mantra were sharing their experiences. Regional banks, as I learnt, are in an interesting place and have unique challenges.
First, they are small – particularly in comparison with the huge financial services companies. Their operating IT teams are small. Their security resources are miniscule. Their application teams are daily firefighters used to manning multiple fronts.
However, unlike other smaller enterprises, the compliance and regulation pressure in a regional bank is intense. A regional bank has all the usual regulations of a large financial services company, and the hand of the FDIC is omnipresent as well.
As it turns out, this unique combination can challenge the best of them and often brings out the best in them. The questions I was interested in understanding from these banks were –
1. How do regional banks deal with compliance & risk management problems like data auditing? How do they approach the problem?
2. What are their top drivers?
3. Who leads these initiatives? What are the people, process, and technology issues? Does the security person drive, or does the application owner?
4. What role does technology have to play in this? What are the critical technology challenges in this environment?
The answers to these questions are interesting. In summary:
- Compliance clearly seems like the top driver, though viewed through risk management lens.
- SOX, Privacy, and FDIC-led audits seem to be top drivers.
- People driving initiatives seem to be all over the map when it comes to roles – the only common characteristic is that they are usually entrepreneurial leaders, who have a strong combination of hands-on operations and strategic thinking.
- Technology has a huge role to play – almost an essential requirement since resources are tight. Total Cost of Ownership (TCO) seemed to be the leading requirement of technology – not just automation, but ease of use and reliability across the whole life cycle of deployment, management and integration. For regional banks, technology becomes an essential operational tool for viewing business risk. There is no room for error or overhead.
For first-hand perspectives from a regional bank, check out the webcast we did recently –
Regional Bank Recorded Webinar: Auditing & Protection Databases in Regional Banks - An Industry View
Posted by Prat Moghe on Mon, Apr 27, 2009
I have been tracking the RSA Show for a few years, and each time I return the question is always what the show theme for the year is. (This theme is usually the viral outcome of collective water-cooler conversations among the RSA show attendees – it is not the official mandate of the RSA program committee.) For example, last year’s theme ended up being about governance. The year before that it was data & DLP.
The 2009 RSA show didn’t seem to have such a theme. This year the technology talk was more of the same – compliance, log management, DLP, encryption, …. (I am ignoring all talk about cloud security – while some vendors made an effort to call out cloud security, this is still too early to matter.) Under the surface, though, I noticed that the leaders and visionaries were busy retooling and hard at work on their products. The theme, if any, was making technologies work in driving security and compliance into a large-scale enterprise. Driving initiatives into deployment. Driving them into scale. Driving them to manageability. While these drives are not sexy, they can lead to meaningful value for enterprises. They are sometimes the source of very interesting innovation.
One example at home, was Tizor’s announcement of Mantra 7.0. This release extends the scale of data auditing significantly beyond what has been available in the market. For our press release – see http://www.tizor.com/News-And-Events/Press-Releases/4-07-09
Since this is my first post since Tizor's acquisition by Netezza (NYSE: NZ), I am also reminded of an interesting anecdote I heard recently from Ray Tacoma, the VP Sales at Netezza. Ray's grandfather, a farmer, taught him the lesson that winters were the best time to sharpen tools. This RSA show was about showing off meaningful and sharpened tools in the winter of 2009.