Data Breaches Hit 113 Health Care Organizations, Report Says

By Brian T. Horowitz, eWeek

A total of 113 health care facilities have been hit with data breaches in 2010, compared with only 39 banking/finance firms, according to a July 28 report by the Identity Theft Resource Center.

Most hospitals are focused on preventing unauthorized access by outsiders, using firewalls, rather than preventing intrusion by insiders, said Phil Neray, vice president of security strategy for IBM’s Guardium security platform, which analyzes transactions in databases for suspicious activity. “Firewalls have been insufficient in preventing unauthorized access by insiders,” he told eWeek.

With double the amount of data breaches for health care facilities (108) compared with banking/finance firms (39), the financial institutions are more equipped to monitor database activity than health care companies, according to IBM’s Neray. “All of the major banks have implemented this technology, but very few hospitals have,” he said.

Neray noted that the health information exchanges outlined under federal meaningful use guidelines of electronic medical records will centralize data in big data warehouses, thereby increasing the risk for data breaches. 

InfoSphere Guardium

By Al Cooley, director of product marketing at Guardium, an IBM Company, for IBM Data Management Magazine

How IBM’s new database security and monitoring software helps protect sensitive information and reduce compliance costs.

Despite the noise you hear about data leakage through lost laptops, backup tapes, and unstructured data, databases are the primary target for external hackers and insider attacks. According to the 2009 Verizon Business Data Breach Investigations Report, 75 percent of breached records originated in database servers; backup tapes, laptops, and workstations accounted for less than 1 percent of records breached.

It’s easy to understand why: databases contain an organization’s most valuable information, including customer records, payment card data, and financial results. Statistics show that hackers are skilled at using techniques such as cross-site scripting to penetrate perimeter defenses and reach the database. Existing security solutions, such as intrusion detection systems (IDSes), lack the knowledge of database protocols and structures required to detect inappropriate activities. Other solutions that rely on native DBMS logs, such as security information and event management (SIEM) systems, do not operate in real-time, can be evaded by users with elevated privileges (which hackers often acquire), and introduce problematic overhead.

A growing number of mandates encompass this type of sensitive information as well, including various financial regulations (such as the Sarbanes-Oxley Act), industry-specific mandates (the Payment Card Industry Data Security Standard [PCI DSS]), and local data privacy laws. Each mandate has unique aspects, but they generally require organizations to detect, record, and remediate unauthorized access or changes to sensitive data, including those by privileged users, while providing a secure audit trail to validate compliance. Information security and database managers struggle to implement these types of controls, especially with respect to monitoring privileged users. Heightened focus on business-reputation risk and sensitive data protection is also driving closer internal scrutiny of controls. The result of all this is clear: providing effective database security and compliance has become anything but easy. 

Breach Erosion

By Liz Parks, Stores

Private data about customers – their social security numbers, credit and debit card numbers – is among the most valuable assets a retailer has.

In a 2010 enterprise database security report, Forrester Research estimated that only 21 percent of companies were pursuing advanced data security measures. The others, the report says, “remain soft targets for hackers.”

“Given that the industry has relatively low margins, many retailers tend to under-invest in IT infrastructure and security,” says Phil Neray, vice president of security strategy for Guardium, an IBM subsidiary that provides data protection solutions. “Many assume that if they have implemented basic defenses such as firewalls they are protected. But they don’t realize that the basic safeguards only protect the perimeter and [not] against malicious insiders … [or] cybercriminals who penetrate the firewall through a web application.”

“Compliance is just a snapshot of one point in time,” Neray says. “If anyone makes any change to your system, it can make you non-compliant. So unless you are monitoring in real-time all access to your sensitive data, you are not really protected.”

Positive Response to Canadian Data Breach Law Update

By Robin Arnfield, Payments Business

Experts consulted by Payments Business are generally positive about a House of Commons Bill which proposes to update Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

Bill C-29 had its first reading in the House of Commons in May 2010. It proposes to add a requirement to PIPEDA that the Federal Privacy Commissioner of Canada, Jennifer Stoddart, must be notified about any ‘material’ data breaches that a Canadian organisation may experience. The Bill would also require organisations to notify consumers about any unauthorized access to personally identifiable information about them that could cause actual harm.

“Bill C29 is a move in the right direction because it institutes mandatory notification for the first time,” says Phil Neray, vice-president of security strategy for Guardium, an IBM company. “Where it lacks teeth is in areas such as financial penalties, timeliness of disclosures, the need for preventive controls – and giving organizations less discretion in deciding when and if disclosure must occur. The big question is: why would a company, left to self-regulate, risk the financial and reputational backlash associated with disclosing a data breach?”

Canada's newly introduced data breach law is a start, but it lacks teeth

Article written by Phil Neray, VP of security strategy at Guardium, an IBM Company, for SC Magazine Canada

The Parliament of Canada recently introduced Bill C29, also known as an act that amends the Personal Information Protection and Electronic Documents Act (PIPEDA).

The new proposal makes it mandatory for businesses to notify consumers when their personally identifiable information (PII) has been breached, and it clarifies ambiguities in the original legislation - but does it go far enough?

The most significant clause would require banks, retailers and other companies to report any “material breach of security safeguards involving personal information under their control.” But the definition of “material breach” remains open to an individual company’s interpretation.

In other words, companies have the right to determine whether to even disclose a breach based on the type of information stolen, number of customers affected and whether the company thinks there’s a real risk of significant harm to the individual(s).

If Canadian companies are left to self-regulate, there’s absolutely no incentive to stick their necks out on the line – and risk the financial and reputational backlash associated with data breach disclosures.

Massachusetts may have the strictest data law in the United States. The Massachusetts law goes far beyond C-29, and is considered a potential standard for more stringent data security legislation. It establishes a clear legal standard of “due care” – the level of diligence that a prudent and competent expert would exercise under a given set of circumstances – which could make it easier for plaintiffs in civil lawsuits to sue negligent organizations.

Bill C29 is a good start because it institutes mandatory notification for the first time. But it clearly needs more teeth in areas such as financial penalties, timeliness of disclosures, the need for preventive controls – and giving organizations less discretion in deciding when and if disclosure must occur. 

Podcast: Data Protection: How security needs differ between industries

Bill Brenner, Senior Editor, CSO

In this podcast, Phil Neray, VP of Security Strategy for Guardium, an IBM Company, talks about how the data security needs of a financial services company differ from those of a power company – and where to find common ground.

Here is an excerpt from the podcast:

There was a situation at a UK bank where a database administrator was doing a favor for the application developer – the application developer needed one table created and another deleted in the application schema of the database.

Rather than go through standard change control procedures, which would have taken days or weeks, he said, “Can you do me a favor and just get into the database and set this up for me?” The DBA did it and deleted the wrong table by mistake – so they were running for a couple of days with bad data because tables were gone. That’s what I call data governance.

We’ve been seeing interest from all verticals… but there’s a couple that are a little farther ahead. Financial services, naturally – they’re used to dealing with risk management. Many top power utilities in the United States are using our technology. But they’re not so concerned yet about protecting the back-end, the control infrastructure.

Utility companies are dealing with first-level issues today: How do I make sure my financial statements are accurate? How do I make sure there aren’t any unauthorized changes to my ERP systems? They’re worried about consumer privacy – making sure information is protected.

They’re worried about internal fraud, too. Most electric utilities have a program for low income consumers, which says if you can’t afford to pay your electric bill, they won’t cut off your power. Utilities are concerned that somebody in the call center would give free or low-cost electric power to family and friends. No one would know, because they have authorized access to make those changes – it’s just they’re using that access in an abusive way.

So that’s where we’ve seen the initial interest from the power companies. I expect over time it will migrate to the back-end infrastructure. 

Under cyber attack!

The Guardian
June 29, 2010

Safeguarding sensitive information in the public sector presents unique challenges – and unique responsibilities, says Philippe Neray

Ask the thousands of residents of Oklahoma State who discovered their social security numbers had been freely available on the web for three years, thanks to a leak at the Oklahoma Department of Corrections website.

Effective and efficient controls must be put in place, both to ensure public confidence as well as to minimize the risks to our personal privacy, our financial systems, and even our national defence.

Many of these newer data security processes are already common to top global banks, insurers, telecommunication companies and retailers – and of course, most public sector managers understand the risks of inadequately protecting critical data, and want to do the right thing.

Trust survey

Professional Security
June 16, 2010

A survey of 800 British, French, German and American consumers conducted by database security leader, Guardium, an IBM company, has suggested that 78 per cent were either ‘concerned’ or ‘very concerned’ about the security of their credit card information.

In the UK, despite banks being cited overall as the ‘most trusted’ organisations by British respondents, more than two thirds (72pc) of these respondents were concerned over their banks’ ability to safeguard financial data from internal threats and disgruntled employees. In the US, 54pc) of respondents said they thought they were more likely to be a victim of identity theft than to have their car stolen.

Consumers Trust Retailers' Security The Least

Global survey of consumers shows U.S. consumers as most security-savvy

By Kelly Jackson Higgins, DarkReading

Consumers in the U.S. trust retailers, government, and banks less than consumers in other countries, a new survey conducted by IBM Guardium found. And, overall, retailers are the least trusted entity in the world, while government is the most.

“The U.S. seems to have the most security-savvy consumers, which is probably due, in part, to our breach disclosure laws, which don’t exist yet in most parts of the world outside the U.S. For example, consumers in the U.K. and France seem more concerned about giving their credit card details over the phone to retailers, when, in fact, the biggest risks are online,” says Phil Neray, vice president of security strategy for IBM Guardium, which polled 800 American, British, French, and German consumers.

Nearly 80 percent of the respondents are either “concerned” or “very concerned” about the security of their credit card information. Nearly 55 percent of U.S. consumers said they were more likely to become victims of identity theft than car theft, while two-thirds of British consumers worry that the banks can protect their financial data from rogue insiders. Meanwhile the Brits consider banks the “most trusted” organizations over government and retail. 

The £64 question

by Neil Hodge, Strategic Risk
June 14, 2010

Public trust in the ability of many organisations to protect customer details is in freefall. So why do so many still rely on inadequate traditional defences, such as a firewall or anti-virus systems?

Trawl the internet and you’ll find a glut of horror stories about the impact cyber risks can have on an organisation. At best, an employee’s computer screen freezes momentarily: at worst, customer data is stolen and misused, and the organisation’s IT systems grind to a halt. That’s then compounded with regulatory censure, fines and public trust ripped to shreds.

“Too often, management is lulled into a false sense of security because they’ve deployed traditional perimeter defences such as firewalls, and they’re passing their audits,” Guardium vice-president of security strategy Phil Neray says. “However, it’s clear that this is no longer sufficient.” Nowhere is this clearer than in the painful case last January of US payment-processor firm Heartland.

80% of consumers concerned about credit card security

Contingency Today

A survey of 800 British, French, German and American consumers conducted by database security leader, Guardium, an IBM Company, has revealed that 78% were either ‘concerned’ or ‘very concerned’ about the security of their credit card information.

In the UK, despite banks being cited overall as the ‘most trusted’ organisations by British respondents, more than two thirds (72%) of these respondents were concerned over their banks’ ability to safeguard financial data from internal threats and disgruntled employees. In the US, 54% of respondents said they thought they were more likely to be a victim of identity theft than to have their car stolen.

The survey, conducted in Berlin, London, Munich, New York and Paris, asked individuals to share their views on fraud, identity theft and the safety of credit card and personally identifiable information (PII) such as US Social Security Numbers and regionally relevant personal data such as French ‘Carte Vitale’ and German ‘Krankenversicherungskarte’ health cards. It also uncovered differences in regional consumer attitudes over the security of personal and financial data held by government organisations, banks and retailers.

Open Source Databases Pose Unique Security Challenges

Most open source database platforms aren’t supported by third-party database activity monitoring and security policy tools

By Ericka Chickowski, Contributing Writer, DarkReading

As the growth in Web 2.0 applications spurs on the adoption of open source databases within the enterprises, many organizations need to expand their security priorities to include these increasingly important data stores. While the security principles that drive proprietary database protection also apply to open source databases, there are a few additional challenges to locking down such platforms as Postgres, Ingres, and MySQL.

“This is a difficult problem,” says Adrian Lane CTO and analyst with Securosis. “The reason is there is very little effort or research put into security policies for the open source databases. Comparing Oracle to Postgres, as an example, is a little like comparing Microsoft Windows to Apple’s OS: Windows may be the more secure platform now, but only a few people write exploit code for Snow Leopard. Since we don’t hear about attacks that often, we assume it’s more secure.”

The market for open source databases was at about $850 million in 2008, according to Forrester Research, which predicted that figure to increase to $1.2 billion by the end of this year. Gartner is more conservative in its prediction for the market, expecting open source databases to be at $1 billion by 2013.

Several converging trends are likely to bear out analysts’ expectations of open source database market growth, including the exponential growth of Web 2.0 and homegrown applications that open source databases often support, economic trends that continue to spur enterprises to avoid database license costs for new projects, and increased feature sets offered by open source platforms.

“Open source databases such as Ingres, MySQL, and PostgreSQL continue to expand their features and functionality, providing viable alternatives that can support most small to moderately sized business applications,” Neil Yuhanna, analyst with Forrester, wrote last year.

Of course, as any good security expert will tell you, the viability of any given alternative can be seriously hampered if risks can’t be addressed properly. And there are a few challenges unique to open source databases that organizations need to consider.

One of the biggest is the issue of security industry support of these database platforms. True, the biggest open source databases offer a similar spectrum of the native security features enterprises have come to expect of closed source vendors. Take Ingres, for example, which Yuhanna of Forrester said was the best open source database and whose executives tout its security features.

“Ingres is deployed in many situations where securing data is crucial to national, public and personal security; as such we include all of the security controls that one would expect to find in an enterprise class database solution,” says Emma McGrattan, senior vice president of engineering at Ingres. “Security features, such as role separation, fine-grained security auditing, encryption, and security alarms enable proactive and preventive security measures.”

But Ingres and most other open source databases aren’t supported by third-party database activity monitoring and other security policy tools.

“MySQL is the only open source database that is covered by database activity monitoring products. Imperva and Guardium both provide monitoring, but I am not sure if they support 100 percent of their capabilities. The SIEM vendor Nitro also offers a flexible DAM solution that covers MySQL as well,” Securosis’ Lane says. “Monitoring, assessment, and auditing policies for Postgres are not created by the security product vendors, and the open source community does not feel compelled to create them either. MySQL is widely deployed—especially backing web applications—so we see some security product coverage, but that pales to what we see for Oracle.”

Lane suggests a few fill-in techniques to improve databases not covered by database activity monitoring, but reminds users that they won’t be as effective.

“For the other platforms, use of built in auditing functions, select use of triggers, network monitoring and even Syslog capture can help capture activity and provide visibility, but not the real time analysis of events,” he says.

Another consideration is that in combination with the types of applications that use the open source databases, these platforms may be more prone to SQL injection.

“I would say another consideration about open source databases is they tend to be used either with homegrown apps or with other open source apps and that means those apps are more likely to have SQL injection vulnerabilities,” says Phil Neray, vice president of security strategy of Guardium, an IBM company.

In terms of hardening the open source databases, though, all of the same rules apply as with proprietary databases, Neray says. This includes locking down privileges, managing passwords well, patching regularly, and so on.

Above all else, Lane says administrators should work on a secure configuration. “Don’t leave the default settings,” he says. “As with every commercial database, open source databases are nowhere near being secure out of the box.”

Information security: changing perceptions and changing realities

The number of people who have experienced identity fraud due to data breaches pales in comparison to the number of people who fear it. But data breaches are a looming threat—they’re not only costly to organisations in terms of fines, legal fees and increased audit costs, but also affect consumer perceptions and reputational risk. Data breaches can hit retailers, banks and government organisations, and they can be executed by external forces such as cybercriminals or internally by rogue employees and outsourced personnel.

In a recent IBM/Guardium survey, more than 800 respondents in France, Germany, the United Kingdom and the United States shared their views on the safety of their Personally Identifiable Information (PII) and credit card data. Despite a few variations from country to country, the sentiment of the respondents was largely the same: consumers are quite concerned about the security of their personal and financial data, and they perceive that governments, banks and retailers remain ill-equipped to protect it.

Terry Childs Convicted of Locking San Fran out of Network

By Brian Prince, eWeek

Former San Francisco network engineer Terry Childs has been convicted of locking the city out of its FiberWAN network after learning he might lose his job.

Former San Francisco network engineer Terry Childs was found guilty Tuesday of locking the city out of its own network.

A jury convicted Childs, 45, of one felony count of denying or disrupting computer services to an authorized user. Childs was charged in 2008 after he refused to provide passwords to the city’s FiberWAN network. The system contained much of the city’s digital records, including law enforcement documents and city payroll records.

When Childs heard about impending layoffs, he refused requests from his bosses to hand over hand over passwords to the network he built. The lockout went on for 12 days before Childs gave the passwords to Mayor Gavin Newsom. While prosecutors tried to portray him as a disgruntled, vengeful employee, one juror interviewed after the trial told the San Francisco Chronicle the city allowed the situation with Childs to get out of control.

“We had a lot of sympathy for him,” said juror Jason Chilton, who is a network engineer. “He was put in a position he should not have been put in. Management did everything they possibly could wrong,” Chilton continued. “There was ineffective management, ineffective communication. I think that if they put the city on trial, they would be guilty, too.”

Phil Neray, vice president of security strategy at IBM’s Guardium, said the incident is a reminder to organizations to have the proper monitoring technologies in place.

“Most superusers, like Childs, have unfettered access to all of an organizations’ critical information, including system passwords…This case shows that organizations need to protect themselves by continuously monitoring all access to sensitive information – including access to passwords and changes to system privileges, because Childs used his privileges to block other IT personnel from the network – and analyzing it in real-time for suspicious activities or violations of corporate policies,” Neray said.

Childs faced up to five years when he is sentenced. 

Judge denies bail for ex-trader accused of code theft

Samarth Agrawal, formerly with Societe Generale, is charged with stealing code related to a high-speed trading system

By Jaikumar Vijayan, Computerworld

A federal judge in New York has denied bail to a former trader at Societe Generale who was arrested earlier this week for allegedly stealing proprietary computer code used in a high-speed trading system. U.S. Magistrate Judge Michael Dolinger ordered Samarth Agrawal, 26 to remain jailed, citing flight risk concerns if Agrawal were to be released on bail. Agrawal has been in custody since Monday when he was arrested on one count of theft of trade secrets. If convicted, Agrawal, who is a native of India, faces a maximum of 10 years in prison.

Agrawal is the second individual to be nabbed in the past year for attempting to steal proprietary information involving high-speed trading systems. Last July, Sergey Aleynikov, a software developer working for Goldman Sachs, was arrested on charges that he stole 32 megabytes of proprietary code used in the company’s high-speed, high-volume trading system. Agrawal worked at Societe Generale’s New York offices initially as a quantitative analyst and later as a trader in the company’s High Frequency Trading Group (HFTG).

According to the official complaint against him, the code that Agrawal is alleged to have stolen took Societe General several years and millions of dollars to develop. The company took several measures to protect the code, including by dividing it into multiple smaller ‘units’, limiting access to only those employees whose jobs require it and then only to specific units, as well as preventing the code from being downloaded to portable storage devices such as USB thumb drives. Agrawal’s alleged theft of the code began in June 2009, about two months after he was promoted to the position of a trader within Societe Generale’s HFTG. As a trader, Agrawal was granted access to the trading algorithms on one unit of the proprietary code.

According to the complaint, Agrawal is alleged to have used that access to copy the entire proprietary code in that unit, as well as another unit that he was not officially allowed access to. He is also alleged to have captured several screen shots of the entire file system structure of the unit containing the code.The copied documents, which amounted to hundreds of pages of proprietary code, some of which were stored as Microsoft Word documents, were later printed out by Agrawal the next day, which happened to be a Saturday. Though Agrawal was supposed to inform his supervisor about his presence in the office on a weekend, he did not inform anybody that he had been there. On two separate occasions thereafter, once in August and the other in September, Agrawal is alleged to printed out hundreds more pages of proprietary code from the two units he had accessed and copied data from in June.

The incident is the latest to highlight the dangers posed to corporate data from insiders with privileged access to business networks and systems, said Phil Neray, vice president of security strategy at Guardium, an IBM company that develops database security software.

In this case, Agrawal’s activities appear to have remained unnoticed despite what should have been some obvious signs such as his accessing a unit of proprietary code that he was not allowed access to or his printing out of hundreds of pages of proprietary on a Saturday, Neray said. Incidents such as this highlight why companies need to have tools that not only control access to sensitive data but monitor all access as well, he said. Importantly, such incidents also hammer home the importance of monitoring logs on a regular basis and having a system for real-time alerts when something out of the ordinary is happening on a network, he said.

“Just because you have logs doesn’t mean you are secure,” Neray said. “Logs are just logs. They are useless unless you examine them,” he said.

Pair Of Fines Levied On Breached Companies Show Real Costs Of Database Hacks

Fidelity National Information Services subsidiary, Davidson & Company each penalized hundreds of thousands of dollars by regulatory agencies

By Ericka Chickowski, DarkReading

Two different companies in the past two weeks were fined by regulatory agencies for separate database breaches, totaling well over $1 million. The fines serve as a concrete and eye-opening example of what can happen to a business that fails to lock down its precious data stores, and also a warning that the toothless compliance mandates of yesteryear really do have bite now.

The two breach incidents in question are on opposite ends of the spectrum in regard to cause. The first was an insider breach initiated by a former DBA at Certegy, a wholly owned subsidiary of Jacksonville, Fla.-based Fidelity National Information Services (FIS), which cost the company $975,000 in fines to the Florida Attorney General. The second was an external attack precipitated by a SQL injection exploit against a customer database owned by brokerage firm Davidson & Co., for which the Financial Industry Regulatory Authority (FINRA) fined the firm $375,000.

“In one case it was hackers, and in another case it was an internal employee—a DBA—but in both the issue was that they didn’t have any real-time monitoring in place. That’s how these two stories are related,” says Phil Neray, vice president of security strategy of Guardium, an IBM company. “What a SQL injection attack [does] is give the attacker privileged user credentials. So if you’re monitoring your privileged users like your DBAs, you’re also getting the bonus of monitoring for external threats at the same time.”

According to Ponemon Institute, the current average organizational cost of a data breach stands at about $6.75 million. The more extreme case among the two fined companies was Certegy’s breach, which shows how database breach costs can really rack up for a company: A malicious insider at the company exposed about 5.9 million customer records. The $850,000 fine levied by Florida to pay its investigative costs and attorney fees, and the additional $125,000 demanded to help fund a statewide crime prevention program, are just a tip of the breach cost iceberg for Certegy. In 2008, the company settled a class-action lawsuit that cost it $4 million. Additionally, the company is now required by the state of Florida to conduct a yearly security assessment.

“There are a lot of costs there, not just in terms of paying for the audits, but in terms of the time and the resources that are going to be required internally to support that audit,” Neray explains. 

Guardium staves off FUD missiles

Security vendor defends itself over claims that it will change tactics due to IBM takeover

By Doug Woodburn, CRN

Database security vendor Guardium has accused competitors of stoking up fear, uncertainty and doubt (FUD) in the wake of its acquisition by IBM.

Big Blue bought Guardium in November and will fully absorb the firm into its Information Management software group on a known but undisclosed date in the second half of 2010. Partners will then be invited to sign up to IBM’s Software ValueNet partner programme.

Martin Pejko, vice president of Global Channels at Guardium, said that the vendor would not be abandoning its agnostic roots, despite claims by rivals.

“We have heard rumblings that we will be more focused on integrating with IBM [than other database platforms] and this is not the case,” he said.

Phil Neray, vice president of security strategy at Guardium, said: “Our advantage over Oracle is our heterogeneous support so we are serious about maintaining that.”

Guardium has about five UK-based resellers and a similar number of global SIs that work in the UK.

Pejko admitted ValueNet’s “closed distribution” model would be more rigorous than Guardium’s current partner programme, but claimed IBM’s decision to buy into the database security sector would validate the market for more resellers.

He added: “IBM has done a good job of taking a slow approach. It bought us for our revenue streams, not just technology, so it does not want to disrupt that.”

Simon Hember, managing director of Acumin, a recruitment firm which helped Guardium launch in some European countries, said: “From a database security perspective Guardium has some of the most innovative technology out there. Its brand is strong enough to avoid total absorption where the identity is lost.”

Database: Database Security Tips for Enterprises

By Brian Prince, eWeek

IBM/Guardium runs monthly “best practices” Webcasts that are attended by DBAs and application architects as well as security, compliance and risk management professionals.  The topic of last month’s Webcast, which generated more than 1,100 registrations, was “HOWTO Secure Oracle 10g & 11g—Hardening the Database”, which is based on the book by Ron Ben Natan, IBM/Guardium’s CTO (Ron is also an IBM Gold Consultant).  For archived Webcasts, see the Webcasts tab at: http://www.guardium.com/index.php/t1r/

eWeek ran an article featuring slides from the Webcast.  Here are some extracts from the full article.

• With the cost of data breaches continuing to go up, the need to properly secure your database has never been clearer. Locking down the database layer, however, is no simple task. There are a number of different aspects that must be considered and steps database administrators should take. In discussions with eWEEK, experts from database security firms Guardium—now part of IBM—and Application Security served up some tips for enterprises to keep in mind to secure their data.
• Scope of the Problem: A recent study from Forrester Research highlighted the hurdles enterprises have to face when it comes to securing their databases. Eighty percent of the businesses surveyed said they did not have a database security plan, which should contain information such as the business’ approach to migration, patching schedules, what databases should be encrypted and other relevant information.
• Understanding Your Environment: What types of databases are you running? What is in them? Data discovery and classification are key parts of any database security plan, and allow businesses to understand and prioritize what they need to protect.
• Controlling Privileges: A top concern in most environments is what the super users are doing, said Phil Neray, vice president of security strategy at Guardium. Keeping track of super users routinely rates as a top security challenge for enterprises in the annual survey by the Independent Oracle Users Group, and can be solved with database activity monitoring tools. Maintaining role separation also is a key part of controlling privileges.
• Virtual Patching Offers Temporary Protection: Virtual patching is another feature of security tools from Sentrigo, Guardium and other database security vendors. It works by detecting and blocking new exploits whether an actual patch is available for the vulnerability. It also offers a degree of protection while database patches are being tested prior to deployment.

Ex-TSA Employee Indicted For Tampering With Database Of Terrorist Suspects

By Ericka Chickowski, Dark Reading

Case serves as a wake-up call about the potential dangers of malicious insider access to sensitive data

A federal grand jury has indicted a former employee of the Transportation Security Administration (TSA) for trying to corrupt a database of terrorism suspects in an inside job that many within the information security industry say is a stark reminder of how important it is to track insider access to sensitive data stores.

Douglas James Duchack, 46, faced charges on Wednesday that he attempted to tamper with TSA’s Colorado Springs Operations Center (CSOC) systems just after he was terminated from his job as a data analyst in October.

Duchack had been in charge of processing new information from the Terrorist Screening Database and U.S. Marshal’s Service Warrant Information Network database to update TSA’s systems.

During the two-week period after being informed of his termination, Duchack allegedly placed malcode into the CSOC server containing data from the former database he was charged with in an intentional attempt to cause damage to the computer and database. The U.S. Department of Justice reports that he faces up to 10 years in federal prison and up to $500,000 in fines if he’s convicted.

“If you’re just relying on username and password credentials to protect your systems, you’re making a big mistake,” says Phil Neray, vice president of security strategy of Guardium, an IBM company. “You need to find other protection mechanisms. If you’re monitoring a database, for example, and someone is executing a command on that database that is not consistent with that role, you can have a policy that will alert the organization or block it.”

Why it is all too easy to become a cybercriminal

By Byron Acohido, The Last Watchdog

The disclosure of Operation Aurora last month and the outing of the Kneber botnet gang’s stolen booty this week have much in common.

Both involved nothing-out-of-the-ordinary cyberattacks that quixotically rose above the din to grab international headlines.

The mainstream attention is welcomed. It helps to underscore how the Internet underground has advanced to the point where a plethora of powerful hacking tools and services is readily available to novice hackers and elite crime gangs alike – with prices to fit every budget.

In Operation Aurora, Chinese hackers sent targeted messages to specific senior managers at 30 corporations luring them to click on a corrupted Web link. Clicking on the link activated a hacking tool designed to tap into a fresh zero-day vulnerability in Internet Explorer browser.  The crooks likely paid $5,000 or maybe more for this cutting-edge malicious code.

Such zero-day attacks have long become commonplace, of course. The template for zero-day attacks dates back to December 2005, and the antics of the Russian iframeCash.biz gang, led by Andrej Sporaw. The enterprising Sporaw and company flushed out a fresh zero-day hole in a Windows operating system component, called Windows metaframe file, and began exploiting the WMF hole to launch pop-up ads for early versions of scareware.

In the Chinese zero-day attack last month, one of the targeted corporations happened to be Google — in a mood to complain. The search giant cried foul, igniting an international brouhaha over how China does business. Corporations are having a difficult time keeping up.

“Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters … others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

Why becoming a data thief is all too easy

by Byron Acohido, USA TODAY

The Internet underground has advanced to the point where anyone with $325, average computer skills and a stomach for larceny can begin to amass a trove of corporate data like the one plundered in 30 days from 2,411 large organizations worldwide.

Shell out $25 and you can hire a spamming specialist to send out email lures to 250,000 people enticing them to click on a corrupted Web link that will infect their PCs with your free copy of ZeuS. Spend a bit more, and you can customize your viral spam to spread to via Facebook messages and Twitter microblogs. The only other thing you need to do is shell out $300 to rent an Internet-connected server to collect and store the harvested account logons that your bots will obediently harvest…

It was one of these type of servers that NetWitness tracked down and accessed in late January. NetWitness’ report on what it found—68,000 account logons stolen from 75,000 botted PCs in corporate networks—drew big headlines in the Wall Street Journal and New York Times.

Corporations are having a difficult time keeping up. “Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters ... others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

CUs Need to Look to Monitoring to Prevent Large Breaches

By Lindsey Siegriest, Credit Union Times

Recently, thousands of employees at the Iowa racing and gaming commission had records with their names, birth dates and social security numbers compromised when a hacker broke into the commission’s server. According to early reports, the breach was caused by changes in configuration.

Phil Neray, vice president of security strategy at Guardium, said that criminals now have automated tools that allow them to search for vulnerable Web sites. Maloof added that over the last six to 18 months the trend has been to target smaller companies and institutions.

Neray said for smaller institutions, like credit unions, that may not have the manpower to dedicate to detailed monitoring than technology is the answer. “Technology can automate the monitoring processes and analysis so it reduces the need for more people and also address compliance challenges. Having someone manually assembles compliance reports is a huge burden and technology can streamline that.”

Neray cited a recent breach a regional bank in Texas were criminals made transfers to accounts in Europe. “You need to go beyond the traditional firewalls. A larger bank has controls in place that would prevent those types of transactions from happening.”

Why Data Breaches Can Go Unnoticed By Their Victims

By Brian Prince, eWeek

An analysis of data breaches by Trustwave found just 9 percent were uncovered internally by the companies’ that were breached. The report mirrors other studies, and underscores the importance of having visibility into your IT environment as well as being able to correlate disparate events on a network.

You might expect an enterprise to be the first to notice its records had been breached. But as a report from Trustwave illustrates, that is rarely the case.

According to a study of more than 200 data breaches that occurred in 2009, Trustwave found that just nine percent were uncovered by the organization that was attacked. The vast majority – 80 percent – were discovered by credit card companies with access to the breached organization’s data. According to security pros, the reasons for this vary, but come down to the ability of businesses to understand and correlate the massive amounts of data at their fingerprints.

Many organizations spend too much time and effort creating database compliance and auditing reports using homegrown scripts, native logs, triggers and stored procedures, said Phil Neray, vice president of security strategy at IBM’s Guardium. This isn’t an effective way to detect breaches, he explained, because it’s not real-time and the massive amounts of transaction log data produced by database environments make it easy to miss an incident or connect the dots between events.

“This is (also) costing them time and money, especially in heterogeneous environments, where each database platform—Oracle, SQL Server, DB2, etc.—requires its own handcrafted approach,” he said. 

Trust and verify is more appropriate IT environments

Contingency Today

Commenting on the recent security breach at Ladbrokes,Phil Neray, vice president of security strategy, Guardium (an IBM company) said:

“Traditional network security measures – such as firewalls, intrusion detection and anti-virus systems – are of little use when the threat lies inside the organisation, with IT administrators and outsourced personnel who can easily bypass corporate policies because they are given a high level of privileges in order to accomplish their day-to-day jobs.

Of course, most employees are ethical and would never consider abusing their privileges, but the alleged Ladbrokes breach shows that a strategy of ‘trust but verify’ is more appropriate for modern IT environments, incorporating continuous , real-time monitoring and auditing of all database activities – including those performed by privileged administrative users - to quickly identify rogue activities.”

Texas Bank Sues Customer After $800,000 Scam

Banks Asks Court to Declare Security Measures ‘Reasonable’
Linda McGlasson, Managing Editor, Bank Info Security

A Texas bank is suing one of its commercial banking customers following an incident in which the customer lost $800,000 through fraudulent ACH transactions.

PlainsCapital Bank, a $4.4 billion bank headquartered in Dallas, has filed suit against Texas-based Hillary Machinery Inc., following a series of incidents that began last November, when cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.’s bank account.

The bank was able to retrieve about $600,000 of the money, but when Hillary subsequently sent a letter requesting that the bank refund the remaining $200,000, PlainsCapital responded by filing the lawsuit in U.S. District Court for the Eastern District of Texas. The lawsuit requests that the court certify that PlainsCapital’s security was in fact reasonable, and that it processed the wire transfers in good faith. Documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.

Phil Neray, vice president of security strategy for Guardium, an IBM Company, sees the fraudsters winning the battle, as they seem to be targeting the regional banks and community bank commercial customers. “It’s a game of catch-up for those institutions that don’t have the layered protections and checks and balances across their network,” Neray says. 

Don't Wait To Lock Down DB2

Existing access control, trusted context features in DB2 are not widely deployed

By Ericka Chickowski
DarkReading

As pundits ponder how IBM will leverage its acquisition of database security vendor Guardium to add more security features and functionalities to its in-house DB2 databases, now is the time for organizations to re-examine their DB2 security strategies. But many haven’t even tapped the security features they already have available in DB2.

Many organizations don’t take advantage of the existing capabilities that DB2 provides for locking down access to information, IBM executives say. Among DB2’s extant security controls, some of the most powerful features that organizations often leave untouched—to their detriment—revolve around access control. These include two biggies: utilities label-based access control (LBAC) and trusted context.

LBAC, which is designed to offer fine-grained access control, lets DB2 administrators extend controls over data that reach far beyond the simple masking of rows or columns. Administrators can use LBAC to control table objects by attaching security labels to them. Users who try to access these objects must have the corresponding security label granted to them in order to view that data.

“I think that’s one of the newer areas where, in my experience with clients, they haven’t leveraged a lot of it yet,” says Jim Lee, director of product management and strategy for IBM’s Information Management division. “I think LBAC is not commonly used today.”

Similarly, many DB2 administrators are also forgoing the platform’s ability to offer trusted context to access roles. “The thing that I see as one big glaring gap in DB2 practices, for example, [is in using] a thing called trusted content,” says Curt Cotner, IBM fellow and vice president and CTO for database servers.

Trusted content “basically gives the DBA a way to grant privileges to a role, and then applications accessing the database from the network would inherit the role based on whether they came from a trusted application server or not,” he says. 

Communicating The Message

by Philip Howard, Business Computing

Large organisations tend to be like applications. They have a bunch of divisions that do particular things but each tends to be siloed. And most of the communications coming from such companies tends to be in siloed format.

As an example, the Information Management group at IBM recently announced that it was acquiring Guardium, the database activity monitoring vendor. Now, that’s very good. It’s an excellent product and it fits well within the information management story. Arguably, IBM may have paid a bit too much but never mind. Taken in isolation this makes complete sense.

The potential problem is that you can’t take it in isolation. Databases don’t exist in isolation, they exist as part of the corporate infrastructure. Similarly, monitoring database activity doesn’t exist in isolation but as a part of an entire environment that has to be monitored for security events and audited for compliance and analysed forensically.

Four Database Security Tips for Dealing with SQL Injections

By Brian Prince, eWeek

SQL injection placed No. 3 on Verizon’s list of the 15 most common attacks in its data breach report. Preventing SQL injections can be the difference between data security and a screaming headline. Here are a few short tips on how to help protect your databases and applications.

On Dec. 6, a researcher posted proof that he had compromised NASA Websites via a SQL injection. Fortunately for NASA, his motive appears to only have been to illustrate weaknesses in its sites.

Other entities, however, have not been so lucky. There were of course the breaches of Heartland Payment Systems and Hannaford Brothers, but also mass compromises affecting thousands of Websites.

For all the security tools on the market, SQL injection placed No. 3 on Verizon’s list of the 15 most common security attacks (PDF) in its latest data breach report, issued Dec. 9.

“The key issue is educating Web developers about how to build secure applications,” said Phil Neray, vice president of security strategy at Guardium, now an IBM company.

Calls for European-style laws on database protection to be implemented in the UK

By Dan Raywood, SC Magazine UK

There is a need for the UK to implement a law to ensure that databases are properly managed.

According to Andrew Lawton, VP EMEA at Guardium, as the perimeter is being hit there is a need to protect the ‘crown jewels’, but while this law is applied in Europe, it is not the case in the UK.

Lawton said: “Why do we not have that organised control over data and that control over the database, the content and who accesses it? Banks do feel that, as they have our and their data and organisations should have a better level of control.

“In Europe they have to demonstrate control over privileged user access. Who enforces it? The ICO is talking about the T-Mobile incident but I am surprised that we are lagging behind the rest of Europe and the lack of control they have.”

Lawton claimed that it is all about privileged user access and segregation of duties, and keeping management separate - otherwise you get a situation where the database is turned off and someone does the dirty deed and switches it back on, such as the recent T-Mobile incident.

“Look at the T-Mobile example, they took the personal information and it would have flagged the user and terminated the session, a flag goes up to look at the session and user,” said Lawton.

“Italy put a law in place about privileged users where the database is managed about who goes in, you can normally switch it off, take the data and turn it back on, but the Guardium tool is always on and sits outside of the database.”

IBM Picks Up Database Activity Monitoring Vendor Guardium

By Ericka Chickowski, CRN

The acquisition is a big validation of the database activity monitoring (DAM) market, which has managed to maintain healthy traction within the channel even in the down market.

IBM announced plans to acquire database security vendor Guardium for what some sources have pinned at $225 million.

The acquisition is a big validation of the database activity monitoring (DAM) market, which has managed to maintain healthy traction within the channel even in the down market.

“These products play a critical role in establishing a 360-degree capability to monitor the security of critical applications. The healthy valuation Guardium seems to have drawn reflects the importance of real-time, application-centric security monitoring,” says Alison Andrews, CEO of Vigilant, a New York-based Guardium partner. “As security monitoring has become significantly more multi-layered and complex, resources that can be assigned to the task are finite.  In this environment, its critical to focus monitoring efforts directly on the assets that matter most to the business.”

According to IBM officials, Big Blue was drawn to Guardium for its ability to not only help customers monitor IBM database systems, but also keep tabs across platforms.

“This marks a significant expansion in our ability to help our clients monitor and govern data in multiplatform environments,” says Arvind Krishna, general manager, IBM Information Management. “Structured information is at the center of many business transformations and the integrity of data is critical if an organization is going to use information as a strategic assets. This cross platform support is critical for our and is a key competitive differentiator for IBM.”

Andrew Lawton explains to Janine Milne how database security could prevent another T-Mobile-style data loss disaster

By Janine Milne, CBR

Q: What are the particular issues with database security?
A: The problems T-Mobile had recently [where one or more employees sold private customer details to third parties] show how there’s a lot of pressure to get more control over users. We’re hoping government will put stronger controls in place about data protection. If database administrators are corrupt, then they have complete power over data. The fact that T Mobile was unaware of the problem should be unacceptable.

We’ve seen a number of other cases where data has been sold. For example, there was a case of health information stolen from a private doctor on Harley Street, who had outsourced database management and that company outsourced again to India where a database administrator sold the data. A lot of companies are asking their outsourcers to prove what their staff are doing.

Q: What singles you out from other players in the market?
A: What we provide is like an IPS (intrusion prevention system) for databases – it’s like putting a firewall around a database. There are a set of rules that control access to the database even for privileged users. Everything can be built into the rule set. The software is real-time, so security faults are flagged immediately.

There are a lot of other players in security, but few in database security that do what we do in the way we do it. We control the centre – the database access management and control – and there are few competitors in that space. We are real-time and have 100% connection between users and actions in the database. Often applications people pool IDs and then it’s very difficult to track one individual user. So from a SOX (Sarbanes Oxley) or PCI compliance perspective, if you need to absolutely track users’ activity, you can do it against set of rules. We can group users or go down to an individual level, whereas other companies don’t go down to the individual level.

Police website hit by SQL injection, commentors claim due to budget-restricted web development

Dan Raywood

The hacking of a police website earlier this week is indicative of a lack of secure website development.

Phil Neray, vice president of security strategy for Guardium, claimed that SQL injection is a big problem worldwide, and restricted budgets mean organisations are unable to hire the most sophisticated web developers, which results in security flaws like SQL injection.

The Durham police website was hacked earlier this week with messages posted protesting over terrorist-related deaths in Pakistan. A spokesperson for Durham police told BBC News that an investigation was now under way and the ‘offending matter’ was being removed by computer specialists. A spokesman said: “We are aware of a problem with the force website and the offending matter is being removed. An investigation into how this occurred is under way.”

Neray said: “Since it’s now fairly easy to download automated toolkits for finding these flaws, almost anyone can perform these attacks, including politically-minded cybervandals.

“In the case of the Durham Police attack, it’s more of an embarrassment and a nuisance, but now you see how organised crime uses the same approach to loot websites for hundreds of thousands of credit card numbers, which they can then sell on the open market for anywhere from 7 to 70 Euros per card. That’s the real threat from cyberattacks like SQL injection.”

Federal data breach notification standard must pre-empt state laws

BY JILL R. AITORO

Two Senate measures would regulate how both public and private sector organizations protect personal information and respond to data breaches, but the real impact of any federal standards will depend on whether they pre-empt existing state laws.

The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.

Both bills cleared the Senate Judiciary Committee and have been placed on the calendar for consideration by the full Senate.

State and federal measures stem from numerous high-profile data breaches in recent years, including the exposure of the personal information of 26.5 million veterans in 2006, after a laptop was stolen from a contractor’s home. The fear in such instances is that personal information will be used for identity theft or financial fraud.

“A federal breach notification law would force management to put budget and controls in place” in both government and industry, said Phil Neray, vice president of strategy at database security company Guardium. “Most organizations are driven by what they have to do, not what they should do.”

The Office of Management and Budget requires federal agencies to notify individuals in the event of a breach of their personal information. But a patchwork of state laws dictate how other public and private organizations should handle breaches of sensitive information. Forty-seven states plus the District of Columbia, New York City and Puerto Rico have their own laws, which vary widely.

California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone who isn’t authorized to view it. It’s also one of only a handful of states that incorporated a broader definition of personal information into legislation that includes not only name, Social Security number, driver’s license number and financial data, but also health information, which hackers can use to file fraudulent insurance claims or acquire prescription medications to sell on the black market.

Massachusetts also included as a supplement to its 2007 data breach notification law (MGL Chapter 93H) a series of data security requirements that government and industry must follow to protect the personal information of state residents. Among the requirements, which go into effect in March 2010, are encryption of laptops and portable devices and security training programs.

This is a good example of why a federal standard is needed, Neray said.

“Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn’t make sense from a cost or efficiency point of view,” he said. “I’d hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. You can argue about how much regulation should be imposed on businesses, but this is not a value-based issue, it’s a national issue.

The Guardian and the difficult job of database security

ComputerWeekly.com
By Phil Neray, vice president of security strategy, Guardium

Job hunting is a tough job in itself. Battling with eight percent unemployment, rehearsing for job interviews, adding relevant yet interesting hobbies to your CV...and then you receive an email from The Guardian’s jobsite to say that your personal details may have been stolen in a “deliberate and sophisticated” attack, and that you ought to get yourself registered with the UK’s fraud prevention service, CIFAS.

But this is what happened to thousands of job hunters just last week. The personal data of more than 500,000 users was accessed and stolen from the website http://jobs.guardian.co.uk, one of the most popular jobsites in Britain with more than ten million unique users. Managed by third-party job board software supplier Madgex, the cracked database contained names, email addresses, covering letters and CVs.  Other details, including passwords and financial data, were reportedly not breached.

Modern day criminals want our data: credit, financial, personal. There’s a strong black market in each, and identity thieves are more inventive than ever.  The cost of identity theft to the UK economy is estimated to be £1.2 billion annually. Every year we share more of ourselves online: a trend that’s set to continue as we spend more money on ecommerce sites, share details of our lives across multiple social media platforms, and even job hunt online. Each time we do any of these things, we place our data and our faith in commercial databases: Oracle, Microsoft SQL Server, IBM DB2, Sybase, MySQL and the overarching security measures taken by businesses that own these databases.

While Scotland Yard’s e-Crime unit gets on the case, The Guardian breach has alerted IT and security managers of the need to protect their user data and to consider data security from every angle. Most have already spent time, money and valuable resources securing their network perimeters with firewalls and anti-virus software, and even protecting their laptops with hard disc encryption and DLP solutions. It’s a necessary step, but one which can also be guilty of generating a false sense of security.

So how was The Guardian’s data accessed?  Well, all fingers point to an SQL injection vulnerability, a method currently in favour with hackers and data thieves. SQL injection attacks exploit vulnerabilities at the Web application layer to access sensitive data in back-end databases. These web-based attacks pass undetected through firewalls and other perimeter defences including IDS (intrusion detection) and IPS (intrusion prevention) systems, then hijack the application server to gain access to underlying database records. 

This threat is rising. In 2008, the number of SQL injection attacks leapt by a staggering 134% to several hundred thousand occurring each day. And according to a data breach report published by the Verizon Business RISK team, seventy-five percent of all breached records came from compromised database servers - while other IT assets such as laptops and backup tapes accounted for less than 0.05 percent of compromised data, and a staggering 90 percent involved groups identified as engaged in organised crime.

Yet databases remain vulnerable. Which prompts the question, just how many organisations are still open to this type of attack?  And how many organisations simply do not understand that they are even at risk?

Until recently, identifying unauthorised or suspicious access to databases was impractical and complex.  Logging all activity in the database itself significantly degrades system performance while at the same time generating massive amounts of transaction records, which creates a “needle in the haystack” problem since all of the monitoring data must then be analysed and filtered to identify anomalous activity, typically using home-grown scripts.

Thankfully, a new class of database monitoring appliance has emerged during the last few years that continuously monitors and analyses all database activities in real-time – from outside the database - without impacting database performance.  These systems, which can also be implemented as virtual appliances (software-only), mitigate the risk of external and internal attacks by immediately identifying suspicious behaviour based on automated policies and continuous comparisons to baselines of normal activity.  They also simplify security and compliance by providing a single integrated solution for heterogeneous environments (Oracle, Microsoft SQL Server, IBM DB2, etc.).

But why access The Guardian’s jobsite at all?  The answer is the first rule of hacking: because somebody discovered that they could.  It may be argued that the theft of names, email addresses, CVs and cover letters is relatively unimportant, almost unthreatening. Not so - data thieves are creative.  Consumers who value the security of their personal data enough to rush out and buy shredders may not lose personal data from a rubbish bin, but does that matter if it’s there for the taking online? 

The definition of sensitive data has broadened. Dates of birth, addresses, personal histories, details of daily lives – all this data is useful to a fraudster, and might be the first steps towards more complete identity theft. Businesses have to understand that any and all personal data is valuable, and that it is imperative that they ensure the public has unshakable faith in their data storage. A deliberate attack that resulted in the theft of half a million personal records from a very high profile organisation is not to be sniffed at.  Any enterprise that holds any personal data needs to take every step to safeguard it.  But it’s not an easy job - just ask The Guardian.

Marc Buchwald, Guardium : « nous protégeons les applications à partir des données »

par Emmanuelle Lamandé

Guardium s’inscrit, depuis 2002, dans le domaine de la sécurité des bases de données. Présent pour la première fois aux Assises de la Sécurité, nous avons rencontré Marc Buchwald, Regional Director Southern Europe de Guardium, qui nous explique sa stratégie.

Guardium Safeguards McAfee.com, Automates PCI Compliance Controls

Largest Dedicated Security Technology Company Chooses Guardium to Track and Monitor All Access to Cardholder Data, Without Impacting Performance or Reliability; Solution Deployed in Less Than 48 Hours

Guardium announced that McAfee has successfully deployed Guardium’s real-time database security and monitoring solution to safeguard sensitive cardholder data in its high-volume, business-critical McAfee.com environment.

McAfee.com processes millions of credit card transactions per year for McAfee’s online stores, serving home, home office and small business consumers. The site also serves customers of McAfee’s national ISP partners such as Comcast and Cox Communications, who have strict Service Level Agreements (SLAs). It is hosted in multiple world-class, geo-separated data centers hosting large-scale, clustered database systems.

“McAfee needed a solution with continuous real-time visibility into all sensitive cardholder data “ in order to quickly spot unauthorized activity and comply with the Payment Card Industry Data Security Standard (PCI DSS) “ but given our significant transaction volumes, performance and reliability considerations were crucial,” said Tony Gunn, director of security engineering, McAfee. “We were initially using a database auditing solution that collected information from native DBMS logs and stored it in an audit repository, but granular logging significantly impacted our database servers and the audit repository was simply unable to handle the massive transaction volume generated by our McAfee.com environment.

The Guardium solution provided enterprise-class scalability in a solution and was deployed in less than 48 hours. In addition to safeguarding our customers’ trust, Guardium’s technology also automates our PCI database controls and reduces DBA workload while enforcing separation of duties to protect against both internal and external threats.”

McAfee is now expanding its Guardium implementation to protect its SAP systems for Sarbanes-Oxley (SOX) compliance, as well as to safeguard other sensitive financial databases in the corporation. The company is also integrating Guardium with its correlation engine and enterprise-wide Security Information and Event Management (SIEM) platform to consolidate database security alerts and events into a single console.

Guardium’s scalable platform uses centralized, cross-DBMS policies to immediately identify unauthorized or suspicious activities in real-time, without relying on database-resident logs that add overhead and can easily be disabled or modified by hackers or privileged insiders employing anti-forensic tactics. Guardium is a founding member of the McAfee Security Innovation Alliance, and its Guardium 7 platform has been integrated with McAfee ePolicy Orchestrator’ (ePO) and has been awarded the “McAfee compatible” designation. SIA is a core element of McAfee’s technology partner ecosystem, and was established in 2007 to increase the customer value of McAfee Security Risk Management (SRM) solutions.

“We’re very pleased that McAfee, the world’s largest dedicated security technology provider, has selected Guardium to safeguard their brand and consumers’ trust,” said Ram Metser, Guardium CEO. “Safeguarding enterprise databases is a critical task which requires the right architecture and a robust solution derived from ongoing feedback from the most demanding data center environments worldwide. Guardium is committed to providing practical solutions that safeguard our customers’ businesses while at the same time simplifying database security and compliance for their IT organizations.”

OPINION / DLP or database security first?

By Phil Neray

How many breaches in the past year were caused by someone IM’ing sensitive information or stealing data with a USB stick? I can’t think of any.

So why are so many government organizations still relying solely on traditional data loss prevention (DLP) solutions to protect their critical data from leakage via e-mail attachments, instant messaging and portable USB devices?

DLP alone doesn’t cut it. According to the Verizon 2009 Data Breach Investigations Report, DLP doesn’t address the highest priority risk: breaches that occur at the database layer. The report reveals that, “Although much angst and security funding is given to offline data, mobile devices, and end-user systems, these assets are simply not a major point of compromise.”

It’s easy to see why database servers have become the principal targets for criminals and rogue insiders. Not only do they contain your organization’s most sensitive and valuable information—such as personally identifiable information (PII), financial data and classified information—but penetrating databases has become markedly easier in the last 12 months. 

Convicted hacker given the keys to prison computer system shuts down the mainframe

By Dan Raywood, SC Magazine

A story about a convicted hacker who was given complete access to a prison mainframe and subsequently closed it down is reminiscent of modern business practise.

A report by the Daily Mirror claimed that a jailed hacker shut down a prison’s entire computer system after he was given the job of programming it.

It claimed that Douglas Havard, who was serving six years for stealing up to £6.5 million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was then left unguarded and hacked into the system’s hard drive at Ranby Prison in Nottinghamshire. He apparently set up a series of passwords so no one else could get into the system. He was put in segregation as punishment after having left the system crippled.

Phil Neray, VP of security strategy for Guardium, claimed that this is reminiscent of how organisations are not implementing the right monitoring controls to ensure that insiders do not abuse their privileges.

Neray said: “This is clearly a serious judgment error, in that they gave a sophisticated cybercriminal access to important computer systems. However most organisations give similar administrative access to their IT employees, developers and even to their outsourced personnel.

“The vast majority of IT insiders are not malicious, but you never know when you might encounter a rogue employee who’s having personal financial issues or is simply disgruntled. In other words, you need to ‘trust but verify’ by continuously monitoring the activities of anyone who has the ‘keys to the kingdom’.”

DuPont sues Chinese scientist for trade-secret theft

By Jaikumar Vijayan, Computerworld

For the second time in less than three years, a research scientist at DuPont has been accused of misappropriating trade secrets from the company and attempting to use them to build competing products in China.

In a lawsuit filed in Delaware Chancery Court, DuPont accused Hong Meng, a former senior research scientist at the company, of stealing data on a new, thin-computer display technology called “organic light emitting diode” or OLED. DuPont claims that Meng planned to use the stolen information to develop and commercialize products using OLED technology with his alma mater, Peking University, in Beijing, which is also developing similar technology.

“As indicated by our civil complaint, a recent internal investigation revealed evidence that Hong Meng was attempting to misappropriate proprietary company information,” Thomas Sager, DuPont’s general counsel, said in the statement. “Hong Meng’s employment with the company was terminated and we promptly filed suit to ensure that he not use or disclose DuPont trade secrets,” Sager said. The company its commitment to protecting the proprietary science and technology it has developed.

Too often, the focus of security efforts is on satisfying compliance requirements such as those involving the protection of credit card and other financial data, said Phil Neray, vice president of security strategy at Guardium, a vendor of database protection products. “What this reminds us is that many companies have a lot of valuable data that is not covered by compliance” and, therefore, not as well protected he said.

While such thefts can be hard to stop, security controls are available at multiple layers that can help, he said. For instance, activity monitoring products can help detect suspicious activity such as a high volume of downloads involving sensitive data, or downloads that occur after hours, he said. Similarly, tools can help companies restrict the copying and downloading of certain kinds of data to USB devices, for instance, or to an e-mail account, Neray said.

DuPont sues employee for trade secrets data breach

By Chuck Miller, SC Magazine

Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.

The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.

A database can be secure, but that doesn’t help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.

“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”

Most companies have policies, but what are missing are mechanisms for enforcing those policies, Neray said.

“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don’t forget about proprietary information databases.”

Six Products That Might Have Thwarted The Credit Card Heist

The theft of more than 130 million credit card numbers, for which three people were indicted Monday, was carried out by a combination of packet sniffing and SQL injection. Here are six products, looked at by the Test Center, that compromised networks might have used to ward off the intrusions.

Our data is under attack. That was made readily apparent as details emerge following the indictment of several individuals in what is being called the biggest case of credit card theft ever. How did they do it? It happened because of poor security defenses within the networks of the businesses that got hacked. These companies failed to implement strong defenses against data extraction --- data that contained millions of customer credit and debit card numbers. What’s so appalling is that there are security products out there engineered to thwart the types of security breaches that were used in this crime. Here are six products we have looked at in the Test Center that these compromised networks could have used.

Guardium 7.0 Database And Security Management Appliance

Guardium’s Database Security and Management Appliance protects against inside and external threats. Guardium’s solution prevents database compromise by offering real-time monitoring and alerting, including the monitoring of privileged user accounts such as those of database administrators. SQL injection attacks are stopped by anomaly detection.

In the event of a detected attack or data compromise, such as an SQL injection, Guardium 7.0 Database and Security Management Appliance will provide detailed monitoring of attacks, pinpointing what IP was used, what was targeted, which tables were accessed and which application was involved. Information on the users who may have been compromised is provided as well. There is also the ability to prevent unauthorized access to sensitive data and to mask sensitive information in tables. This solution features templates and high-level, yet easy-to-work-with, best practice reports for PCI, SOX, OMB and data privacy.

Indictments announced for Heartland, Hannaford breaches

By Greg Masters, SC Magazine

Federal indictments were handed down in Washington, D.C. on Monday against three men accused of involvement in what the U.S. Department of Justice (DoJ) is calling the largest credit- and debit-card data breach in the United States. The men allegedly used sophisticated techniques to bypass network firewalls and penetrate the databases of several large companies, including Heartland Payment Systems, a card-payment processor; 7-Eleven, the nationwide convenience store chain; and Hannaford Brothers, a supermarket chain. The personally identifiable information (PII) of more than 130 million credit and debit card holders is believed to have been stolen.

Albert Gonzalez, 28 years old, of Miami, aka “segvec,” “soupnazi” and “j4guar17,” along with two unnamed co-conspirators, Hackers 1 and 2, residing in or near Russia, were charged with conspiracy and conspiracy to engage in wire fraud. The hackers are accused of using SQL injection attacks to get around the victims’ firewall to gain access to computers connected to the internet.

The good news is that people are getting indicted, Upesh Patel, VP, business development at Waltham, Mass.-based Guardium, a vendor of safeguards for application and database infrastructure, told SCMagazineUS.com on Tuesday. “Our security industry is fighting. We now have an avenue to funnel our concerns.”

The fact that this indictment is attracting attention in the mainstream media underscores that corporations are realizing that the database is where the crown jewels are, Patel said. The lesson to be learned here, he said, is that corporations must put a set of controls in place to monitor and secure their data.

It is no longer enough to rely merely on compliance and audits, said Patel. “The breach at Heartland could have been prevented if controls had been put in place to monitor in real time any changes taking place with the configuration files on their network. Nobody would be able to install a trojan,” he said.

Mega-Breaches Employed Familiar, Preventable Attacks

By Kelly Jackson Higgins, DarkReading

Alleged mastermind behind TJX, Heartland, and Hannaford’s breaches used SQL injection, sniffers, custom backdoor malware in many of the attacks

The attacks that led to the mass theft of over 130 million credit and debit card accounts may hold the record for the biggest overall breach ever charged in the U.S., but the attackers used classic and well-known methods that could have been thwarted, according to experts.

In the wake of the big news yesterday that one man is suspected to be behind the biggest breaches ever charged in U.S. history, security experts say the indictment of 28-year-old Albert Gonzalez, aka “segvec,” “soupnazi,” and “j4guar17,” of Miami, Fla., revealed that Gonzalez and his cohorts exploited vulnerabilities that are typically found in many cybercrime cases --SQL injection, packet sniffing, and backdoor malware designed to evade detection.

The indictment (PDF) revealed that Gonzalez, who previously had been charged for his alleged role in the breach of TJX, BJ’s Wholesale Club, Barnes & Noble, and Dave & Buster’s, has now also been indicted for allegedly conspiring to break into computers and stealing credit and debit card data from Heartland Payment Systems; 7-Eleven Inc., Hannaford Brothers Co., and two other major national retailers whose names were withheld in the filing.

While the attacks appear to be phased-in and coordinated, the attackers didn’t employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.

There’s no indication in the filing that the database itself was breached, but Upesh Patel, vice president of business development at Guardium, says the attackers must have exploited applications with authenticated connections to the database. “The breaches involved vast amounts of data that clearly resides in the database,” Patel says. “Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database.”

Database Administrators Playing Increasingly Crucial Role In Security

By Ericka Chickowski, DarkReading

Long left out of the security picture, DBAs now find themselves performing key tasks in the enterprise

[Excerpted from The Database Administrator’s Guide To Security, a new report published today in Dark Reading’s Database Security Tech Center.]

In the past, database administrators weren’t expected to do much with security. Their focus was on the speed, performance, and accuracy of the data. Security was a relatively low priority.

Recently, however, that prioritization has begun to shift. The number of structured information stores is mushrooming within the enterprise. The value of the data increases as businesses share it with customers and partners. Regulators and auditors are taking a hard look at who has access to database information. And financially motivated hackers are salivating at the prospect of breaking into these concentrated—and potentially lucrative—repositories of data.

All of these trends are converging to form one universal truth of data protection: DBAs can no longer ignore security. Like their administrative counterparts in Windows and networking environments, DBAs must finally knuckle down and count security as a vital part of their jobs.

While the security team certainly plays a major factor in shoring up the defenses of enterprise databases, all of its work won’t help much if DBAs don’t lay the necessary risk mitigation groundwork first, experts say. In addition to improving patch management and password management practices, DBAs can help by taking the right steps in configuration management.

“Figuring out if you have the right privileges on certain tables is completely outside the scope of a network vulnerability scan,” says Phil Neray, vice president of strategy for Guardium, a database security tool vendor. “The DBAs need to go and make sure the privileges are right—not just for the items in the database, but also for files and executables outside the database.”

PCI Compliance Only the Start of Security

By Brian Prince, eWeek

Reports that companies involved in some of the latest data breaches were PCI-compliant continues to spark discussion of whether PCI is a solid measuring stick for overall security. Industry observers say yes, but businesses need to change their check-list approach.  When the Network Solutions breach was reported last week, the usual buzz about whether or not the company was PCI-compliant began almost immediately.

• “The worst part of passing a PCI audit is that it creates a false sense within upper management that your systems are fully protected,” said Phil Neray, vice president of security strategy at Guardium. “Management needs to understand that security and compliance are continuous, ongoing processes, not one-time ‘check-off’ events, and they need to prioritize the people and budgets to make this happen.”
• PCI compliance, he continued, provides a set of guidelines and a starting point for security and application teams. But it doesn’t replace a detailed analysis of insider and outsider threats in an organization, or rigorous attention to processes for closing security holes, he added.
• PCI compliance is, after all, just a snap shot in time. Organizations compliant at the time of an audit can theoretically be knocked out of compliance before the next one by a single control change.
• “Security is a 24/7, 365-day-a-year thing,” said Bob Russo, general manager of the PCI Security Standards Council.
• “Most organizations seem to have a checkbox attitude toward PCI and want to use PCI as an excuse if anything bad happens. … There seems to be significant misunderstanding between the concepts of compliance, validation and security,” Forrester Research analyst John Kindervag said. “Compliance incentivizes security. PCI exists because companies who took credit cards didn’t have adequate basic security, and now it is being forced upon them.”

DETAILS EMERGE IN U.S. CYBER ATTACKS

Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.

By J. Nicholas Hoover, InformationWeek

DDOS [Distributed Denial of Service] attacks have targeted the private sector for years and many companies have taken protective measures, but recent cyber attacks on Estonia and Georgia as well as this one could portend an increase in politically motivated attacks.

“It’s no longer hackers defacing Web sites to become famous,” says Phil Neray, VP of strategy at database security company Guardium. “It’s political cyberterrorism, which is a very serious threat.”
The targets included the Web sites of The White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration as well as The New York Stock Exchange, NASDAQ, and The Washington Post.

Cybersecurity has become an increasingly high priority for the federal government, and President Barack Obama recently laid out plans to appoint a new high-level cybersecurity coordinator.  Secretary of Defense Robert Gates recently said that the military had spent more than $100 million over six months responding to cyber attacks.

U.S., South Korean cyberattacks have little impact here

By William Jackson, GCN

The distributed denial-of-service attacks used networks of compromised computers called botnets to send high volumes of traffic to sites with the intention of overloading the Web servers and making the sites unavailable.

“It’s been more of a nuisance,” said Phil Neray, vice president of security strategy at Guardium. “We have countermeasures for denial-of-service attacks.”

Sophisticated attacks that do not draw attention to themselves and might allow information to be quietly gathered or manipulated without the owners’ knowledge are a more serious threat than denial-of-service attacks, Neray said.

Neray called the attacks an example of political cyber terrorism probably being carried out by a nation state, although there is little evidence of the source of the attacks. Reports from South Korea earlier this year indicated that North Korea had established a cyber warfare unit. Neray said the denial-of-service attack could be another example of North Korean provocations, in line with the recent missile tests.

Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, said today that the incidents highlight the need for improved cyber defenses.  Carper called for passage of legislation he introduced in April — the U.S. Information and Communications Enhancement Act of 2009 (S. 921), which would rewrite the Federal Information Security Management Act [FISMA] of 2002. The legislation would enhance the power of the Homeland Security Department’s U.S. Computer Emergency Readiness Team to take action before a cyberattack penetrates government networks.

Beating the Breach

Computerworld UK

Getting to grips with best practices in database security and monitoring.

Things used to be simple. You could have on-site security guards and identity checks at the server room. You could stop outsiders from accessing your data by restricting physical access to the machines that process it.

In today’s web-enabled world, that’s no longer the case. To be useful, a company’s data must be connected to the internet. That exposes it to more automated and targeted attacks than ever before. Hackers are highly motivated, with crime syndicates willing to pay hard cash for personal information hacked from customer databases. Should the database be breached, a company risks financial penalties from governments and credit card companies, as well as lost competitive advantage and customer trust. But defending the business requires companies to rethink how they protect their IT infrastructures.

Breach Analysis: Highest Risk is to Online Data Versus End-User Devices
The 2009 Data Breach Investigations Report from the Verizon Business RISK Team examines 285 million records that were compromised in 2008. While much media attention and security funding have focused on lost laptops and backup tapes, the study reveals some startling statistics: only 0.05 percent (1/20th of one percent!) of breached records came from mobile devices such as USB drives, end-user systems such as laptops, and offline data. In comparison, the #1 source of breached records was database servers - which accounted for a massive 75 percent of all compromised records.

The Threat from Privileged Insiders
One of the primary threats comes from insiders. Privileged users such as database administrators (DBAs), developers and outsourced personnel typically have unfettered access to databases as part of their daily jobs.  It only takes one dissatisfied employee to cause a breach. Privileged users can also disrupt business applications by making unauthorized or even accidental changes to sensitive data - bypassing formal change control processes - and in most organizations, no one would know the difference.

External Attacks: SQL Injection
According to a recent IBM report, SQL injection attacks have now become the number one web application vulnerability, increasing 134 percent in 2008. Most modern businesses use web applications, which are essentially windows into your most critical databases used by customers, partners and employees. By typing malicious code into poorly-coded web forms, hackers can steal sensitive data and even plant malware on unsuspecting users that visit vulnerable sites. This type of attack completely bypasses traditional security measures because it leverages web applications to penetrate your perimeter.

Database Activity Monitoring (DAM)
With these threats ever-present, businesses need to start protecting themselves more proactively. One way is do this is to deploy a database activity monitoring (DAM) solution. These do exactly what their name implies - they track all database activities in real time. Some also create a granular audit trail of all activities, which can’t be modified by privileged users - which is important for auditors. If unauthorized or anomalous access occurs, based on predefined policies, DAM immediately triggers a real-time alert. Some solutions can even shut down the threat before any damage occurs.

DAM solutions offer additional business benefits beyond safeguarding critical data. Many offer automation and centralization of key security controls, across multiple DBMS platforms and applications, replacing manual processes that may already be in place. This automated approach produces a significant ROI by reducing the time and cost required to both catch unauthorized access and generate the detailed compliance reports required for regulations such as PCI-DSS and European data protection laws.

Hackers hit U.S. Army websites

by Chuck Miller, SC Magazine

A group of computer hackers based in Turkey breached the sites of two U.S. Army facilities, leveraging SQL injection attacks, according to reports.

The group, which calls itself “m0sted,” defaced the page and redirected users to pages that included anti-American and anti-Israeli statements, Information Week reported last week.

The defaced pages were set up to provide public access to the McAlester Ammunition Plant in McAlester, Okla., and the U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va., home of the Gulf Regional Division, a division of the Army that is responsible for reconstruction projects in Iraq.

“The question of vulnerability to SQL injection attacks has come up frequently,” Phil Neray, vice president of security strategy for Guardium, told SCMagazineUS.com on Monday. “The number is rising dramatically. SQL injection is a serious threat. Not enough organizations are paying attention to it.”

DoD Official Charged With Handing Over Classified Data To China

by Kelly Jackson Higgins, DarkReading

User with classified data access sold Defense Department information, documents

A Department of Defense official with top-secret security clearance allegedly provided an official working for the Chinese government with classified department data and documents.

According to a Department of Justice announcement, officials have charged James Wilbur Fondren Jr., deputy director for the U.S. Pacific Command (PACOM) Washington Liaison Office, with espionage conspiracy for providing classified information to an agent of a foreign government. Fondren sold information to a Taiwanese-American man in the form of “opinion papers” that included classified DoD data via an at-home consulting business he ran on the side, according to the affidavit filed this week.

“This case really highlights the question a lot of people are asking themselves these days: Where is the perimeter? Or maybe there is no perimeter?” says Phil Neray, vice president of security strategy for Guardium. “The traditional perimeter of firewalls doesn’t exist [here] because the perimeter was this person. You might even say the data is the perimeter.”

This situation is the equivalent of a privileged user with inside access to sensitive information. “As part of this job, he had access to these classified documents,” Neray says. “It doesn’t appear that there were any controls in place to look for suspicious usage of those documents.”

British consumers do not trust the government to protect data but are satisfied with banks

Staff, SC Magazine

British consumers are concerned about the security of their personal and financial data.

According to a survey by Guardium, consumers were asked to share their views on the safety of their personal data from both internal and external threats across a range of organisations. Of the three types of organisation, banks emerged as the most trusted, followed by retailers and the government.

Of those surveyed, 43 per cent were worried about their bank’s ability to protect their credit cards from fraud, while 40 per cent had concerns about their bank’s ability to protect their personal data.

Almost one-fifth of the respondents had been victims of fraud, although 87 per cent of those affected had been pleased with their bank’s ability to handle the situation and provide a positive outcome.

Meanwhile consumers were more concerned about external threats – such as criminal attacks – to their banking information than internal threats, although 25 per cent said they were worried about the potential threat from rogue or disgruntled employees in the wake of the global financial crisis.

David Valovcin, vice president for Guardium, said: “Traditional perimeter defences such as firewalls and anti-virus are no longer sufficient to defend against cybercriminals who can easily bypass them with web application attacks such as SQL injection.”

National Academy of Sciences says U.S. needs cyberattack plan

by Angela Moscaritolo, SC Magazine

U.S. cyber capabilities are at least as powerful as its most sophisticated adversary, but the country needs a clear plan should it decide to unleash a digital attack of its own, according to a report from the National Academy of Sciences (NAS).

The report, entitled “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” said a number of challenges lie ahead, including developing rules for the use of cyberweapons, coordinating allied nations and public and private entities, determining the outcome of cyberattacks on enemies and dealing with the possible “significant” operational implications a cyberattack could have on the U.S. private sector.

Phil Neray, vice president of strategy at database security company Guardium, told SCMagazineUS.com that cyberattack policy is needed because of the changing nature of war. Because cyberattacks can be launched at a distance anonymously, it is conceivable that a foreign nation would launch a cyberattack instead of a more traditional attack. And for, private entities, it would be difficult to know how to respond to such an attack or how to enlist the government’s help, he said.

Guardium Adds DB2/400 Support to Database Security Platform

Guardium has added support for DB2/400 (DB2 for i) with its database security software, the company announced this month. Guardium’s software monitors all major database management systems in real time for signs of unauthorized or malicious activity from internal and external threats, such as malevolent DBAs and SQL injection attacks. The software does not affect database performance and provides another layer of protection for critical business systems on top of traditional network security tools, the company says.

“The key issue for database security is that most companies have no visibility into what’s really going on with their database,” says Phil Neray, Guardium’s vice president of marketing. “They don’t really know who’s accessing those databases, and they don’t have any mechanisms for identifying unauthorized or suspicious activity.”

Read more about how Guardium gives customers better visibility into database activities. 

SQL Injection Invasion

Weak Web Applications Increasingly Fall Prey To This Potentially Devastating Attack

As security measures in data centers become progressively more stringent, hackers are turning to more unique methods to access sensitive data. One of these is SQL injection, which replaced cross-site scripting as the predominant Web application vulnerability in 2008, according to an IBM study.

Key Points

• SQL injection threats are now the top Web application vulnerability and pose a serious threat to servers and databases holding sensitive data.
• Coding procedures should keep an eye on the potential for SQL injection by preventing unexpected user input.
• Certain intrusion systems and regular testing can bolster efforts to prevent these attacks.

Guardium’s Neray recommends implementing real-time database activity monitoring technology to track all SQL transactions and continuously checking for unusual or suspicious activity, such as a high volume of failed logins, an unusually high volume of queries in a given period of time, or the execution of SQL commands that are not typically executed by the organization’s Web applications.

GhostNet spy network phishes international victims

by Chuck Miller, SC Magazine

A cyberespionage network, known as GhostNet, possibly operating out of China, is making use of malicious websites and phishing emails to take control of hundreds of sensitive government machines across 103 countries, researchers revealed this weekend.

A pair of Canadian researchers at the Munk Center for International Studies at the University of Toronto said GhostNet struck “high-value targets,” such as foreign embassies and ministries, and even a NATO network. So far, some 1,300 computers have been infected by servers that trace back to China. The researchers, Ron Deibert and Rafal Rohozinski, released their 53-page report Sunday after 10 months of investigation.

“The attacker(s) are able to exploit several infection vectors,” the researchers wrote. “First, they create web pages that contain drive-by exploit code that infects the computers of those who visit the page. Second, the attacker(s) have also shown that they engage in spear phishing in which contextually relevant emails are sent to targets with PDF and DOC attachments.”

In the spear-phishing attacks, when the attachments are downloaded, they create backdoors that “cause the infected computer to connect to a control server and await further instructions,” the researchers wrote. The compromised machines then can be directed to download and install a remote administration trojan..

“Some of the things they did indicate that they were very sophisticated,” Phil Neray, vice president of security strategy for Guardium, told SCMagazineUS.com on Monday. “The machines were told to send the data stolen using a Tor network in an encrypted form. Also, the way the trojans communicated with the command servers made use of a complex control program that enabled them to completely control users’ PCs.”

The GhostNet operation is still operating and continues to hit more than a dozen additional computers per week, according to the University of Toronto researchers.

Website-infecting SQL injection attacks hit 450,000 a day

by Byron Acohido, USA Today

Cybercriminals are spreading invisible infections far and wide across the Internet by hammering hundreds of thousands of websites each day with so-called SQL injection attacks. The trend started last summer and has continued to accelerate. IBM Internet Security Systems says it identified 50% more infected Web pages in the last three months of 2008 than it did in all of 2007.

Giant financial institutions and online merchants have put up strong defenses, says Phil Neray, vice president of security strategy at Guardium, a database security firm. “The same is not necessarily true of regional banks and credit unions, smaller online retailers and state government agencies.”

Five considerations for securing a midmarket company

by Marcia Savage, SearchSecurity
Issue: Mar 2009

Just like their large counterparts, midsize companies with 100 to 1,000 employees face regulatory compliance pressures. They also face the same kinds of threats and can’t afford a reputation-destroying and costly data security breach. But unlike big enterprises, midsize businesses don’t have the luxury of ample resources and large security teams. They rely on ingenuity to figure out ways to secure their data assets on sometimes shoestring budgets and are well-versed in the resourcefulness the recession requires of companies of all sizes.

For Cimarex Energy, Guardium provides automated database security monitoring that goes beyond the ability of a human. The Denver-based independent oil and gas exploration and production company, which counts about 850 employees, has an ERP application that processes about a million database transactions an hour.

“At that rate, there’s no way you could have a human doing any kind of monitoring,” says Ann Auerbach, manager of IT compliance at Cimarex. “Auditors always ask how you know the IT staff isn’t going in at night and changing the data…Without the tool, I don’t know how we would prove to the auditors that unauthorized transactions were not entered into the database.”

The tool also helps IT staff at Cimarex locate problems such as infected PCs by tracking unusual activity such as invalid database logins, she adds.

This article discusses the five essential considerations for securing a midsize business.

Insider Data Theft Exacerbated by Economic Crisis

by Angela Moscaritolo, SC Magazine

The majority of individuals laid off, fired or changing jobs in the last 12 months stole data from their former employer, according to a new survey from the Ponemon Institute and Symantec.

Some 945 individuals in the United States who were fired or left their job willingly were surveyed and 59 percent admitted to taking company information when leaving. And it seems, according to the survey, email lists are most susceptible to theft. Typically, a bad impression of the company increased the odds of theft; few companies are taking the proper steps to prevent this problem, the survey found. Further, a portion of companies did not revoke employee access to computer systems right away, Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com Monday.

Mike Spinney, senior privacy analyst at the Ponemon Institute, told SCMagazineUS.com Tuesday in an email that the economic crisis plays a role in these findings.

“As news reports and rumors swirl related to a falling economy and job-loss anxiety grows, people feel greater pressure to make rash decisions based on a fear of finding themselves in dire financial circumstances,” Spinney said.

In times of economic hardship, people are tempted to do things they normally wouldn’t do, and that includes stealing confidential data, Phil Neray, vice president of strategy for database security company Guardium, told SCMagazineUS.com.  “Economic situations tend to make people forget their ethics,” Neray said.

But, the economic crisis is not fully to blame though, he added. Economic incentives to take confidential data continue to increase. 

Simplifying IT

by Al Perlman, SearchStorageChannel.com

Managing IT has never been simple, but it seems to be getting more and more complex these days, with 24x7 Internet access, and regulatory compliance, and virtualization, and SOA, and on and on and on. For Guardium, simplifying IT has been part of its core mission since its inception in 2002—focusing specifically on enterprise-level data security with real-time database security and monitoring. The key to Guardium’s success has been a solution that is delivered on a pre-configured appliance that runs a suite of real-time monitoring, security and compliance applications on an embedded Linux kernel running on a Dell PowerEdge server. The result is a highly scalable product that installs quickly and solves some of IT’s most pressing challenges. In fact, Guardium’s product does its job so well, when Dell was looking to simplify its own IT department, it chose Guardium as a solution. This Channel Success Story highlights the ways in which Guardium’s innovative approach can simplify even the most complex IT challenges.

Industry Reaction to Heartland Data Breach

by Linda McGlasson, Bank Info Security

Information security companies reacted quickly to the news of the Heartland Payment Systems (HPY) breach. Here is a roundup of thoughts on the breach, recommendations on how to handle personal sensitive data, and what industry thought-leaders see emerging as a result of this breach:

Phil Neray, VP/Security Strategy. Guardium:
This breach highlights the need to go beyond ‘old school’ security techniques like simply reading your log. Organizations need to implement technologies such as real-time activity monitoring to catch 21st-century criminals.

As the Heartland breach illustrates, you can be PCI compliant and still be breached. Good compliance does not mean good security.

Database security: Protecting the crown jewels

by Deb Radcliff, SC Magazine

Universities, banks, SMBs and large brands alike are waking up to the fact that their databases are no longer safe inside their perimeter firewalls, intrusion prevention systems and other edge protections.  The question is, how and what are they logging and auditing? And how are they handling the remaining security areas — access controls and assessment — particularly in light of what Noel Yuhanna, principal analyst at Forrester, calls a “security gap” in current database technologies.

“Right now, database topologies are not flexible enough to differentiate between a user and an attacker,” Yuhanna says. “If there’s a suspicious activity around user queries — say, they’re querying sensitive data a hundred times — the database doesn’t care, so long as the user has a valid name and password. All database vendors have the same gap.”

Washington Metropolitan Area Transit Authority (WMATA) in Washington, DC, also uses Guardium to monitor, audit and manage vulnerabilities and changes on its critical database systems. With more than 11,000 employees, WMATA conducts more than seven million financial transactions a year, making it responsible for passing Level 1 merchant audit, according to the PCI DSS.

“It used to be that all we could see was what application, such as PeopleSoft, was accessing the database. Now, with Guardium, we can see who’s accessing the database through the application,” says Victor Iwugo, director of IT security at WMATA.

Combined with its database vulnerability features, Guardium has helped his organization carry out separation of duties, wherein administrators can’t have access to the critical data itself, catch and block attempted SQL injections and other pests, repair systems, and fine-tune access control policy.

Guardium also gets close to the database while not in the database. In this case, it resides in the database’s underlying operating system to avoid impact on performance.

Report: Businesses Failing to Protect Site Visitors From Malware Threats

by Erika Morphy, E-Commerce Times Part of the ECT News Network

Companies aren’t taking adequate measures to protect their Web site visitors from becoming victims of malware attacks, according to a new report from IBM. There may be little businesses can do stop the attackers altogether, but they could be doing a whole lot more to safeguard their own Web sites.

Poorly secured corporate Web sites are becoming a top cybersecurity threat as companies are increasingly putting their own clients at risk, according to the latest IBM (NYSE: IBM) X-Force Trend and Risk Report, released on Monday.

This growing online threat to consumers is the result of two trends:
** one, the longstanding problem of commercial software and even custom-built applications that come riddled with bugs and vulnerabilities; and
** two, the increasing number of malware distributors who use legitimate business sites as launch pads for their activities—usually through large-scale, automated SQL injection attacks that typically redirect visitors of legitimate sites to Web browser exploit toolkits. Attackers are refining these techniques for maximum impact: IBM X-Force noted that they are incorporating new types of exploits that link to malware-infected movies and documents.

Too many companies assume their Web sites are safe because they have a firewall deployed, observed Phil Neray, database expert and VP of strategy at Guardium.  “Companies need to move beyond the perimeter network security model of relying on firewalls and move to newer security technology that allows them to monitor in real time who is accessing their Web site,” he told the E-Commerce Times.

Stimulus bill includes protection for digital health care records

by Dan Kaplan, SC Magazine

There is rising interest in patient privacy because of the huge financial incentives related to medical fraud – either billing insurance companies for medical services that were never rendered, or using someone else’s medical identity to get medical services and prescription medications.  The article discusses this threat, as well as the more traditional threat of exposing someone’s confidential health information.

“A portion of the $818 billion stimulus bill that was passed this week by the U.S. House calls for computerizing all health records in five years, but the legislation also contains stringent privacy and security controls to protect this online data.

Experts said these measures would complement the Health Insurance Portability and Accountability Act (HIPAA), approved in 1996, by bringing privacy and security regulations more in line with the digital age. That’s an important move, considering the digitization of health records is likely to spur increased attempts at malicious intrusion … However, the legislation fails to reference medical identity theft, a growing problem that affects an estimated quarter of a million people each year, Dixon said.

Criminals who gain unauthorized access to patient data can, for example, alter the records to falsely show that a victim has a certain disease, she said. They then can bill insurance companies for expensive drugs never prescribed or treatments never given …

Phil Neray, vice president of marketing at data security firm Guardium, said that because patient records will be stored in the cloud, they will attract the ire of hackers. Celebrities and politicians could be targeted, much like Britney Spears’ records were last year by hospital workers.  Controls such as monitoring must be required and enforced, Neray added.

‘In order to make the information widely accessible to doctors, insurance companies and patients, they’re going to have to build web interfaces,” he told SCMagazineUS.com. “Once you’ve done that, you’ve essentially created a tunnel into the database.’”

Network Security Against Today's Threats - Guardium 7 Product Review

by Samara Lynn, CRN ChannelWeb

Guardium’s database security may contain the most powerful compliance regulations tools that the Test Center has ever seen.

SQL server attacks abounded last year, evidenced in the Test Center’s threat reports of 2008. A relentless amount of SQL hacking attempts were logged as well.

Compromised databases accounted for many of the big computer security breach news stories in 2008. This is why a lot of companies are turning to database security solutions like Guardium.

Guardium’s database security and management appliance protects against inside and external threats: 

** Guardium’s solution prevents database compromise by offering real-time monitoring and alerting, including the monitoring of privileged user accounts such as those of database administrators.
** Guardium employs a sophisticated level of vulnerability assessment. This, along with database analytics and forensics, provides detailed information on what or whom is threatening or trying to threaten data.
** There is also the ability to prevent unauthorized access to sensitive data.
** Installation of the S-TAP is easy and quick. Even better, the S-TAP service is self-auditing and self-monitoring; an alert will be sent if an uninstall of the service is attempted.
** Another impressive feature is the lack of overhead with database performance. Logging and monitoring are all done on the appliance. This result uses way less overhead than using native database monitoring.

Click here to download PDF version of Guardium 7 product review. 

Strictest data law in nation

by Greg Masters, SC Magazine

The Massachusetts Office of Consumer Affairs and Business regulation (OCABR) recently extended the deadline for compliance to Mass. 201 CMR 17 from Jan. 1 until May 1. This state law, which requires that data of Mass. residents be protected (notably by encryption) by “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” is said to be the strictest data security law in the country.

Unlike the EU, which has broad data privacy legislation for member states (EU Data Directive 95/46/EC), the U.S. does not have a holistic approach to protecting personal information, says Phil Neray, VP of marketing at Guardium. “Instead, it is left to individual states, as well as regulators (HIPAA, GLBA) and ‘self-regulation’ by industry (PCI-DSS).”

He agrees that the new Massachusetts law will likely become a standard for stricter laws in other states because it goes far beyond simple breach notification. “For example, the Massachusetts law has a strong emphasis on insider threats, with requirements for employee training, ongoing monitoring to identify unauthorized access, and ensuring that users aren’t sharing credentials or using vendor-supplied default accounts.”

CheckFree’s Hack Attack Has a Long Tail

by John Adams, Bank Technology News

For a five-hour period in December, customers accessing CheckFree’s electronic bill payment site instead found themselves unknowingly redirected to the worst neighborhood on the Internet—a bogus malware site manned by Ukrainian hackers. That’s the easy part to figure out. According to a notice recently filed by CheckFree parent Fiserv with the New Hampshire attorney general’s office, about 160,000 customers were exposed to the breach. Yet the firm and a number of its banking clients are alerting a whopping five million consumers to possible exposure.

...brutal year for security, with Guardium estimating a 50 percent increase in data breaches across all industries in 2008—affecting nearly 36 million Americans—with another 50 percent increase predicted for 2009. Phil Neray, vp of security strategy for Guardium, says the rising tide of breaches gives management little choice but to increase spending. “Part of the problem is upper management not allocating the proper budget to implement the monitoring and prevention controls required to deal with the increased sophistication of the attacks.

Yahoo limits hold on sensitive data

by Byron Acohido, USA TODAY tech reporter and co-author of Zero Day Threat

Yahoo has taken a bold step by saying it will hold some Personally Identifiable Information (PII), which it gathers from folks using its search service, for no more than 90 days. Google reportedly keeps some PII for 9 months; Microsoft for 18 months.

“This is a good example of a company that’s being proactive in protecting sensitive customer data, rather than being reactive and in crisis mode, post-breach,” says Phil Neray VP at database security company Guardium.

Podcast Discusses Protecting Against Insider Threats in a Down Economy

by Jason Meserve, NetworkWorld

With the economy in the tank and employees anxious about their jobs, corporations have to be extra vigilant against insider threats.

In this brief podcast, Phil Neray, vice-president of marketing at Guardium, shares tips on how to monitor for potential insider threats and how to prevent losses.
(16:44)

Is security recession proof?

by Greg Masters, SC Magazine

It’s official. According to an Oct. 30 release from the Commerce Department, the U.S. economy shrank at an annual rate of 0.3 percent in the third quarter of 2008, the first time this has happened since 1991. Business spending on new equipment and software fell by 5.5 percent, and Forrester recently predicted that software and IT vendors will average 3 to 5 percent growth compared to the 9 to 12 percent they had earlier in 2008.

Phil Neray, vice president of strategy at Guardium, agrees that most companies, especially those in financial services, absolutely must safeguard the integrity of their data. But, he adds, when times are tough, companies look at how they can do more with less. “If you can replace manual processes with automated processes, you have a good shot of being approved by the CFO,” he says.

While security personnel may not be accustomed to making an ROI argument to get budget approval, he says, outlining how an automated, centralized, appliance-based approach can replace licenses, mass storage of log files, third-party personnel digging through those logs, makes for a pursuasive case.

“This is especially true if you can demonstrate how a software system will pay for itself in less than six months.”

Security Distributors Fight Corner

by Doug Woodburn, CRN

Major players have reacted to claims that their place in the security channel is under threat

An article published in CRN, in which resellers said that distributors must do more to justify their role in the channel (ChannelWeb, 13 October), has provoked a bitter reaction from several top names in niche distribution.

Dave Ellis, e-security director at Computerlinks, the UK’s largest IT security distributor, claimed that the ability of distributors to support global deals and incubate new technologies has only made them more relevant.

“Customers increasingly have to deliver projects globally and most resellers just do not have the skills and infrastructure to support the logistical aspects, nor are they able to offer the end user the support that their customers demand,” he explained. Ellis added that the climate had forced security resellers to become more risk averse in terms of technology investment.

“When it comes to adopting new technology, I would suggest that many security resellers are less willing to take as much risk as they may have done in the past,” he said. “By bringing new vendors to the market, as Computerlinks has done with Guardium, many of the costs and risks associated with entering a new market are stripped away from the reseller...”

Nation's First Encryption Law

by Greg Masters, SC Magazine

For the first time in the United States, a law specifies that encryption be used for the transmission of any electronic data. Nevada’s NRS 597.970, which went into effect on Oct. 1, states: “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

While 39 states have already passed data protection laws, most requiring disclosure of breaches, Nevada’s statute is thought to be the first law requiring encryption of transmitted data … Phil Neray, vice president of marketing at Guardium, says that any business governed by PCI is already encrypting data in transit in order to be compliant. While he says any law that encourages better security is a good thing, he argues that hackers are looking for bigger targets than email attachments.

“The focus should be on areas that have potential for massive data breaches, like data centers,” he says. “Thieves and organized crime are not looking for retailers sending Social Security numbers in email, they’re looking for databases containing sensitive information.” Therefore, companies and regulators need to implement tighter controls around corporate databases. “From a security and controls point of view, as well as a regulatory point of view, he says.

Hackers got into 18 computer servers at World Bank

by Byron Acohido, USA TODAY

Cyberintruders used the Internet to crack into at least 18 computer servers [including several SAP systems and an RSA SecurID server] at the World Bank Group last July.

The intrusion, revealed Friday in a FoxNews.com story, underscores how relentlessly criminals probe corporate IT systems, especially banks, say tech-security experts.

One bank memo lists the breached servers and makes this assessment: “As of 9/9/08 we have determined that 5 of the compromised servers contain sensitive data, and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group.”

Banks, indeed, are not the only targets. Corporate intrusions in general are on the rise, says Phil Neray, vice president at database security firm Guardium. Cybercrooks seek out [credentials] used by privileged insiders so they can access sensitive databases. “Many organizations don’t have any real-time monitoring or alerting mechanisms in place to identify unauthorized activities [by privileged users],” Neray says.

According to the FOX News story, “They were able to acquire passwords — including the password for the systems administrator.  That enabled them to jump into the servers at MIGA, the bank’s giant insurance arm. It was there that they captured the security administrator’s password as he was logging on to his computer.”

Click here for a related article in CNET.

'Super Users' Could Threaten Database Security, Study Says

Survey by Independent Oracle Users Group says most database administrators haven’t implemented proper defenses

In a survey of more than 300 IT and database administrators, the group found that the greatest risks to corporate data comes from internal access, either by unauthorized users or by “super users” with special access privileges.

“The problems are both organizational and technical,” says Ron Bennatan, CTO of Guardium. “DBAs have traditionally focused on performance and availability as their key priorities, while IT security has primarily focused on perimeter and end-point security. Now the two groups need to work together, usually in conjunction with risk and compliance people, to close these gaping holes.

“On a technical level, there are a number of well known limitations with native database logging and auditing utilities, such as their complexity and impact on database performance,” Bennatan says. “That means that most DBAs are very reluctant to turn them on, because it just creates more headaches for them and doesn’t really address the core problems.”

Wall Street Meltdown Expected to Drive Risk Management Investments

by Jaikumar Vijayan, Computerworld

The ongoing chaos on Wall Street could hold an upside for vendors of risk management technologies and practices, as well as sellers of compliance management products.

Analysts expect an increased interest in these products from financial companies for competitive reasons, and to comply with the new regulations that many predict are inevitable following the meltdown.

Phil Neray, vice president of marketing at Guardium, expects increased regulatory oversight that will result in more demand for compliance monitoring and enforcement tools, such as database monitoring tools available from Guardium, as well as identity and access management products and electronic discovery tools.

For VARs, Wall Street Mess Creates Upheaval and Opportunities

by Jennifer Bosavage, CRN ChannelWeb

The financial crisis that struck Wall Street giants Lehman Brothers and Merrill Lynch as well as insurance behemoth AIG has many solution providers shaking their heads in dismay.

“Projects that are focused on reducing costs will get higher priority especially if they can show a clear ROI,” Phil Neray, vice president at database security company Guardium said. “In part, those will have to do with reducing compliance cost. For example, many companies initially instituted simple, manual approaches to SOX, so they are now looking at automating those controls.”

Products that can enable customers to implement new business initiatives will have legs.

“For example, bring a new SOA solution to allow partners to have a more efficient online ordering system. So there’s not only opportunity for that kind of product, but also the security that goes along with it. As more infrastructure is opened up, the right security must be put in place,” said Guardium’s Neray. “Many financial services companies have outsourced day-to-day operations to offshore facilities. The right security and controls are needed around those DBAs.” A layer of security is needed by many companies to protect against intrusion, whether accidentally or intentionally.”

California Data Breach Bill - Sans Retail Reimbursement- Awaits Governor's Decision

by Eric Athas, StorefrontBacktalk

Almost a year ago, California Gov. Arnold Schwarzenegger vetoed a controversial state breach bill that would have forced retailers to reimburse financial institutions for replacing compromised credit and debit cards.

But in Schwarzenegger’s veto message to the State legislature, he specified that it was the reimbursement provision that he objected to, not the bill itself. Although the bill had more than enough votes to sustain an override of the veto, legislative backers opted instead to recraft the bill without that provision.

Phil Neray, VP of Guardium, a database security company, praised the bill, saying it would motivate retailers to apply tighter standards to data security. “I think what we’re seeing in California is frustration with the pace in which retailers are being compliant with PCI,” Neray said.

Slurping the USB port

by Deb Radcliff, SC Magazine

Portable media devices are being used to lift corporate data, but there are tools to defend against this practice.

Two years ago, the 17,000-member South Western Federal Credit Union (SWFCU) began hearing about internal data breaches among peer institutions and began to overhaul its data protection measures. The result is a locked down organization where critical data is blocked from being copied outside the protected boundaries – particularly through USB ports.

“Start at the database by controlling and monitoring access, since the data must first be drawn from the database to the endpoint before it can pass through the USB port, says Phil Neray, vice president of Guardium, a database activity monitoring company. Set simple controls, such as manager sign-off on downloads of over 10 records, he adds. “A lot of our customers have policies in place about what people are allowed to see and download and store on their local machines,” he says. “What’s lacking is a way to automate that to any degree of granularity.”

"It's the data stupid" so you'd better vote to protect it

by Linda Musthaler, Network World

Two enterprise security platforms designed to protect corporate data: Guardium and Vontu

“It’s the data, stupid.” OK, the phrase is not quite catchy enough to become a must-have bumper sticker, but it’s a mantra for every organization with sensitive information. Today’s article looks at two enterprise security platforms designed to protect corporate data. Guardium focuses on securing the data and actions involving databases, and Symantec’s Vontu platform provides data loss prevention on the network, at the endpoint, and in storage devices.

Guardium’s technology platform safeguards databases and enterprise applications. It uses policy-based controls and anomaly detection to prevent unauthorized activities by potential hackers, privileged insiders, and end users of enterprise databases and applications such as Oracle EBS, PeopleSoft and SAP. All user activities are monitored, including those by privileged users, application users, DBAs accessing databases directly, remote developers, and even batch processes.

Guardium has the ability to monitor for anomalous activities at a very granular level, such as a single transaction by a specific user. The software can initiate responses to specific behaviors if desired. For example, when a particular user attempts to access sensitive tables, he can be sent a pop-up alert telling him his action is forbidden.

Princeton Review Data Exposed Due to Configuration Flaw

by Thomas Claburn, InformationWeek

One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.

The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.

A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.

According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review’s Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.

Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported.

Phil Neray, VP marketing at Guardium, a database security firm, said the problem lies in management. “Boards of directors and management teams have not made [data protection] a priority in many, many companies,” he said. “The reason why this has to come from the top is that in many cases you’re asking business units to change bad business practices. And you need budgets [to invest in database protection].”

5 Steps for Stopping the Insider Threat

by Melanie Rodier, Wall Street & Technology

Guardium’s Phil Neray offers guidance on preventing insider data theft.

Financial Firms Try to Protect Themselves Against the Insider Job (see sidebar)

The threat of insider fraud appears to be increasing. Insider data theft accounted for nearly 16 percent of all data breaches in 2008, up from 6 percent a year earlier, according to a study by the Identity Theft Resource Center. And perhaps more alarming, customer data stolen by an employee is misused more frequently than data obtained through an external breach, a recent study by ID Analytics reveals.

Phil Neray, VP of database security company Guardium, says there are two main reasons for the rise in the insider threat: Demand for sensitive corporate data has increased, and there is now a thriving black market where fraudsters can buy and sell this type of data.

“Also, most corporations have spent the last 10 years focusing on tighter controls around the perimeter of networks,” Neray adds. “It’s getting harder to break into firms from the outside in traditional hacking attacks, so the bad guys are focusing on how to use insiders to get to the data.”

Guardium CTO Interviewed on Data Security Trends

by Cristina Molina, Business News Americas

Ron Bennatan, Ph.D., CTO and VP/Guardium

Companies are showing increased interest in having several layers of security to protect information.  And as the information is mainly located in databases, the opportunities for companies such as database security solutions provider Guardium are constantly increasing.

High ranking executives from Guardium were recently invited to a security seminar that took place in Santiago, Chile, organized by Chilean IT security solutions provider Neosecure. BNamericas spoke with Guardium’s CTO and VP Ron Ben-Natan.

“There are a lot of places where you can invest in security, and one thing that people try to solve is leakage of data. There are many more issues regarding direct access to the repository, direct access to the database. So we are saying “the data sits inside the database, how do we guarantee there is no unauthorized access?” And even when it leaves the database on a pen drive or in an email it started inside the database, so the question is how did it get onto somebody’s desktop so they could put it on an email? Today the hardest problem is direct access to the database and new regulations are looking at how to control the data inside the database itself … It is all about making it easier, more practical, and making it cost less.”

Prevent Privileged Users from Accessing Sensitive Data

by Megan Bearly, SQL Server Magazine

With SQL injection attacks and data thefts happening more and more frequently, many companies are looking for a solution that not only provides database activity monitoring and alerting functionality, but also preventative control over who can access data. Recently, I spoke with Phil Neray, Guardium’s vice president of strategy, about Guardium 7.0 and S-GATE, which provide granular control over data access.

According to Neray, this product provides a practical way to enforce data access policies. Guardium 7.0 also includes vulnerability assessment functionality that monitors for various vulnerabilities and threats. Guardium 7.0 even monitors encrypted data. In addition, this product ships with more than 100 preconfigured best practice reports for SOX and PCI compliance.

S-GATE lets you block privileged users, such as DBAs, from accessing sensitive data, without having to worry about whether you’re blocking legitimate access as well. This product includes real-time preventive controls, continuous access policy enforcement, and fine-grained auditing.

Ex-Countrywide Employee Charged With Selling Customer Data

by Kelly Jackson Higgins, Senior Editor, Dark Reading

The FBI has busted a former Countrywide Home Loan worker who is suspected of downloading the personal data of some 20,000 customers a week over a period of two years and selling it to third parties.

According to a published report, the data may have been sold to companies that wanted to offer their own loans to the Countrywide victims. Up to 2 million Countrywide customer names were “run and sold,” according to the report.

Phil Neray, vice president at Guardium, says Countrywide’s breach was caused in part by a lack of proper internal controls. “The lack of internal IT controls is perhaps indicative of a corporate culture that was less focused on internal controls than other objectives,” Neray says.

TJX Hacker, ID Theft Ring Indicted

Bank Technology News

By now you’ve heard the news that law enforcement nationwide has indicted 11 members of a global crime ring, charging three Americans and a variety of foreigners with stealing the data of more than 40 million cardholders from TJX and eight other national merchants.

The indictments make up what is being billed as the biggest bust of its kind.

“I think the most interesting piece of news is that the authorities linked so many cases to the same ring.  There was always speculation that the same criminals were perpetrating multiple crimes—now they finally proved it,” says Avivah Litan, Gartner analyst.  “But what was equally interesting is that a few of the well-publicized breaches, such as the breach against Card Systems International and Ralph Lauren Polo, weren’t connected by these indictments. I had expected them to be.”

Some highlights of the news:

— The alleged ringleader, Albert Gonzales of Miami, was on the payroll as a Secret Service confidential informant, but was playing both sides. Not only was Gonzales continuing his own life of crime while working as an informer, reports indicate he was also tipping his criminal confidants off to law enforcement info he became privy to.

— A number of the nine retailers the 11 are accused of infiltrating—including Boston Market and Barnes and Noble— were quoted in various publications saying they had no idea, or confirmation, that they had been breached. This indicates that they didn’t have monitoring controls to identify anomalous transactions like large downloads of credit card numbers or access from unauthorized applications and locations, says Phil Neray, vp at database security vendor Guardium.

P2P File-Sharing Sinks Ships

by Erika Morphy, CRM Buyer magazine

“Data security” may soon rank right up there alongside “military intelligence” as an oxymoron of the high-tech era. If it’s not lost or stolen laptops, it’s hackers breaking into sloppy networks—or perhaps thousands of unwitting music lovers sharing sensitive corporate secrets along with the latest hot tracks.

Monitoring what employees are doing may be the most urgent piece that companies need to address, said Phil Neray, vice president of marketing at Guardium. Many companies have established some type of security policy, at least on paper, he told CRM Buyer."What they haven’t done is implement what Gartner calls ‘content monitoring software’—products that examine network traffic and specific protocols to identify suspicious behavior,” Neray said. “These products have been in the market for at least a few years, but it has only been recently that adoption has begun to take off.”

This particular incident was bad, especially considering how long it took for the information to be taken down, he continued. “It could have been much worse though—too many people still don’t realize the dangers of using P2P networks. Now, can you imagine if this employee had worked for a credit card company or a bank or insurance company? It wouldn’t have been a couple of thousands of names out there—but tens or hundreds of thousands.”

File sharing's threat to agency data is growing, analysts say

by Gautham Nagesh, Government Exec magazine

The security breach that led to the loss of personal information for 800 clients of a Washington-area investment firm, including that of Supreme Court Justice Stephen Breyer, is becoming increasingly common in the federal government, according to a peer-to-peer intelligence company.

The trend to outsource more government work also has led to more security breaches. “More outsourcing means trusting a third party with the data.  Forty to 60 percent of breaches are from a third party. Smaller organizations don’t have the kind of IT oversight that bigger companies have. For most companies, these organizations are the weak links in the chain.”

“You need three things: people, process and technology,” said Phil Neray, vice president of marketing at database security company Guardium. “Educate the people about what’s not acceptable, have a process and policies in place to deal with it, and technology to enforce the policies. If you only implement one of the three, you’re not going to be effective in preventing unauthorized behavior.”

Enforcing Policies to Prevent Data Leakage

by Jaikumar Vijayan, Computerworld

Wagner Resource Corp. recently learned the hard way what Pfizer Inc. and many other companies have similarly discovered in the past: installing peer-to-peer file-sharing software on corporate computers is a bad idea.  The Alexandria, Va.-based investment firm last week had to notify about 2,000 of its clients that their names, Social Security numbers and birth dates had potentially been exposed on the LimeWire P2P network. Among the individuals whose personal data was exposed in the Wagner compromise was Supreme Court Justice Stephen Breyer.

“The key to limiting P2P exposures is to have not just the proper controls in place but also policies for enforcing them, said Phil Neray, a vice president at database security software vendor Guardium Inc. in Waltham, Mass. It’s hard to completely prevent employees from downloading P2P software, because some people will find a way around the controls, Neray said. So, he added, the focus should be more on monitoring and filtering the content that is traveling into and out of corporate networks, in order to stop sensitive data from leaking out.

Supreme Court Justice's records exposed in peer-to-peer breach

by Rebecca Sausner, Bank Technology News

“Some companies have policies, but don’t have controls, and some companies don’t have either,” says Phil Neray, VP of marketing at database security vendor Guardium.”

Podcast Discusses Need to Monitor Database Activity, Not Just Email & P2P

by Dan Kaplan

In this brief podcast, Phil Neray, vice-president of marketing at Guardium, breaks down the Walter Reed Medical Center peer-to-peer data breach and offers up suggestions for organizations needing to protect sensitive data, including monitoring data extracts from databases holding sensitive information (as mandated by OMB 06-16).  The podcast also discusses how preventive controls can enforce data access policies, and the differences between data leak prevention (DLP) and database activity monitoring (DAM).

Walter Reed Breach Highlights Need to Monitor Outsourcers

by Sue Marquette Poremba

A data breach involving Walter Reed Medical Center and other military hospitals has exposed the personal information of nearly 1,000 patients. “One of the biggest problems is monitoring contractors,” said Phil Neray, Guardium vice-president of marketing.  “Outsourcers are given access to a lot of information, and too often, they aren’t being monitored.”

Guardium upgrade blocks rogue DBAs

By Ellen Messmer

Guardium’s S-GATE blocks privileged users based on detailed controls, rather than simply flagging activities with a warning to the security manager.  A number of publicized data breach disclosures linked to insider attacks, including the one made by the Certegy division of Fidelity National Information Services last year, have highlighted the damage that a rogue database administrator can do through abuse of power.  Guardium’s add-on to its S-TAP software, dubbed S-GATE, runs on any database server.

How to Protect A Company's Data

by Andy Greenberg

The old protection strategy of trying to harden the outside of companies’ networks to protect against hacker threats--what security researcher Bill Cheswick once called the “crunchy outside with a soft, chewy center” approach--is giving way to a new strategy: safeguarding the data itself. Instead of trying to fortify the perimeter of the company’s network, some security technologies are aiming to evaluate the sensitivity of individual pieces of information and then apply security directly to movable chunks of information.

[One of the] data-centric segment[s] of the security industry involves monitoring the activity that happens around databases and major applications. For instance, Waltham, Mass.-based Guardium [offers] software that classifies data by modeling their movement and watching for anomalies that might be signs of penetrations or insider misbehavior.

Information-centric security won’t stop all data leaks, says Rich Mogull, an independent security consultant and founder of Securosis. But the overall movement toward protecting information rather than building walls around networks is a major step in reducing risk, he says.  “In a 7-Eleven, there’s never more than a few hundred dollars in the register. The rest is in the safe, and even that’s guarded by cameras,” Mogull says. “Companies are applying risk-reduction controls to our sensitive information based on the information itself. That’s why this is so different.”

Bank Information Security Talks to Guardium About Trends in Data Security

In this brief podcast, Bank Information Security talks to Guardium about key trends in information security for financial services companies, and the types of business problems addressed by Guardium.

10 Steps to Database Security

Most small and mid-sized businesses that build and administer databases focus on performance and availability. Security is usually an afterthought. Until you read the headlines about the well-publicized data breaches.  And yet, database administrators (DBAs) probably only spend 7 percent of their time tending to database security, estimates Noel Yuhanna, principal analyst for database security at Cambridge, Mass.-based Forrester Research. 

Which brings us to another tough statistic—a January 2007 Forrester Research report estimated that 70 percent of all database breaches involve insiders … DBAs should seek out the newest database security releases instead of relying on what’s on their systems now, says Forrester’s Yuhanna. For example, the latest offerings from Oracle, IBM, SQL Server, and Guardium offer far more advanced features. Guardium’s appliance, for example, features continuous tracking of all database activity, including failed logins, and includes an email alert service that can let others know of any suspicious activity.

Coding error exposes personal data

A software security researcher has exploited a flaw in the sex offender registry webpage operated by the Oklahoma Department of Corrections. The vulnerability, caused by a SQL query in the page’s URL, allowed the researcher to download the Social Security numbers of more than 10,000 individuals.  The URL pointing to the DoC site contained a SQL query string, in addition to the site’s address.  The SQL query string gave the visitor direct access to the SQL database containing the sex offenders’ registry, which includes the name, address and other identifying information of sex offenders as mandated by federal law.

Phil Neray, vice president of marketing at security vendor Guardium, agreed with [security researcher Alex] Papadimoulis on the poor coding practices. “The people who wrote the web application made some basic mistakes in how they wrote it, specifically in the case of SQL injection,” he told SCMagazineUS.com. “You need to verify the input from web application before forwarding the query to the database, and obviously they were not doing that.”

Baseline Talks to Guardium About PCI

In this online video interview (1:04 minutes), Baseline Magazine reporter Erica Chicowski speaks to Guardium’s Phil Neray about how DAM protects cardholder data for PCI.

Unified threat management, demystified

Protecting the secrets of a uranium enrichment plant should be enough to keep any CIO very busy. But when Sarbanes Oxley mandated even tougher controls on databases containing key financial information, David Vordick, CIO of USEC, a $1.9 billion public company that operates a gaseous diffusion plant in Paducah, Ky., knew he was going to get even busier.

USEC choose a best-of-breed database security appliance by Guardium, plus point products from other vendors, largely because the defense in depth strategy meant that the convenience of deploying and managing a single device was outweighed by the fear of creating a single point of failure, Vordick says. Moreover, USEC sought a security appliance that would serve as a check on IT employees with privileged database access who might seek to view or change data without proper authorization, an atypical function for a UTM.

Database monitoring meets vulnerability assessment

Guardium is moving into the area of vulnerability management with the latest release of its database security and compliance platform.

In Guardium 7, the company is looking to address the entire database security and compliance lifecycle.  “We added vulnerability management to our solution because we saw huge advantages to providing an integrated solution with a common Web console, back-end database for tracking all database systems and configurations, and workflow automation,” said Phil Neray, vice president of marketing at Guardium.  “It often takes three to six months to patch business-critical systems, due to change management and testing processes in most organizations. By combining [database activity monitoring] with vulnerability assessment, you can protect unpatched systems with signature-based policies that watch for potential attacks until these systems can be patched.”

“This integration is definitely beneficial - after all, it’s all about data security, whether it’s scanning, discovering, assessing the environment, auditing or monitoring,” said Noel Yuhanna, an analyst with Forrester Research. “Enterprises want more integrated data security solutions that can do everything possible, with common interfaces and controls,” he said. “No one wants to install five products from five different vendors.”

Guardium is "On a Roll"

Guardium doubled its customer base in 2007 and is now installed in more than 350 data centers worldwide, including more than 60 Global 500 and Fortune 1000 companies in all major industries.

Organizations that have chosen Guardium include 3 of the top 4 global banks, one of the top cardholder brands worldwide, one of the world’s largest PC suppliers, a global soft drink brand, one of the top 3 global retailers and one of the market leaders in business intelligence software. 

Guardium partners with Network Appliance to simplify PCI compliance

Guardium and Network Appliance recently announced the first joint solution for protecting cardholder data in databases without costly and time-consuming application re-writes. The combined solution allows organizations to quickly and easily comply with the Payment Card Industry Data Security Standard (PCI DSS), providing significant business benefits immediately and in the long term. Other types of sensitive corporate data, such as financial, HR, CRM, and intellectual property information, can also be secured using this combined solution.

Database monitoring as a compensating control for PCI-DSS

Database monitoring as a compensating control for PCI-DSS
Your Data: Love It Or Lose It
by Ericka Chickowski, Baseline

According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete. The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with media-level encryption until it can employ full database encryption.

“The benefit is that it doesn’t require any changes to your databases or applications,” says Phil Neray, vice president of marketing at Guardium, a database security company.

Hacker arrested in Greece accused of stealing, selling weapons

Authorities have arrested a 58-year-old man in Greece they said hacked into computer systems of France’s Dassault Group for more than five years, stole sensitive weapons technology data and sold it to a variety of countries.

Computerlinks signs UK distribution agreement with Guardium

Computerlinks will work with a select number of reseller partners, providing its IT security and professional services expertise to exploit the demand for solutions that prevent data vulnerabilities and address audit findings.

Guardium delivers an enterprise security platform for preventing information leaks from the data centre and enforcing change controls, in order to assure the privacy and integrity of sensitive corporate information. The technology prevents unauthorised activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle and SAP, while simplifying and automating compliance processes.

5-Minute Podcast: Data tape lost with JC Penney customer info

SC Magazine talks with Guardium about the latest retail data breach. Plus, why all organizations need a holistic data security plan that includes both physical and “digital” activity monitoring.

Former Cox employee who shut down 911 sentenced to five months in prison

A former Cox Communications employee has been sentenced to five months in federal prison for remotely shutting down portions of the company’s system – including 911 emergency services – after being asked to resign his position.

Phil Neray, vice president of marketing at data-security vendor Guardium, said administrators need to be able to quickly observe strange behavior from other employees to prevent similar incidents. “I think the moral of the story is that privileged users are given a high amount of power that they need to have as a part of their jobs,” he said. “As a result, when you have a disgruntled employee, you have to be able to quickly determine anomalous behavior.”

Mass SQL injection attack compromises 70,000 websites

An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors’ PCs with a variety of exploits last week, according to researchers.

The cyberattackers used a SQL injection attack on Microsoft’s SQL Server database product to compromise the array of sites. “[It was] an application that accessed system tables not commonly accessed [by the application server],” said Phil Neray, vice president of marketing at Guardium. “[The affected tables] told the hacking application where to insert the malicious code in the database,” he said.

Read more

70,000 Web Pages Hacked By Database Attack

Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. Guardium’s database activity monitoring technology immediately detects this type of anomalous activity in real-time—and then takes proactive, customizable actions such as issuing SNMP/SMTP alerts and automatically locking the exposed database account. 

Tech Insight: Database Activity Monitoring

If you weren’t concerned about unauthorized database access before, maybe now you should give a DAM. It’s mid-afternoon. Do you know who’s accessing your databases?

Until recently, the answer for many organizations—including the TJX Companies and Ameritrade—the answer has been no. While all databases come with tools for security and access control, many users—mostly employees or other insiders—have found ways to circumvent them, leaving IT people in the dark about who’s been using the data, and when. The problem isn’t just headline-grabbing external hacks, such as the one at TJX, but also insiders who, for one reason or another, find it inconvenient to follow security policy. “It’s not that the users are malicious,” says Phil Neray, vice president of marketing for Guardium, a maker of database security tools. “They’re doing it for the sake of convenience.”

Protecting Critical Data at the Source

Regulatory requirements, malfeasance, and criminal attacks are driving companies to find new ways to secure their corporate data. Companies are now adopting Database Activity Monitoring (DAM) as an essential layer of their data security architectures. This article describes why traditional security technologies are insufficient and describes the key capabilities provided by DAM solutions.
(UK publication)

Silicon Valley Minute Goes to Black Hat 2007

Video interview (0:30) with Guardium VP Phil Neray, courtesy of Liz Safran and Silicon Valley Minute.

Compliance and Security Concerns Drive Data Auditing

A recent Forrester report, “The Forrester Wave: Enterprise Database Auditing and Real-Time Protection, Q4 2007,” estimates the value of the database auditing and real-time protection market—including new licenses, support and services—to be $450 million, and predicts that number will double by 2010. “[Customers are realizing that] other technologies like IDS/IPS [intrusion detection/intrusion prevention], SIEM and DLP systems address part of the broader data security issue, but don’t really cut it in the database monitoring space because they don’t have the specialized understanding required to capture and analyze database activities. For example, systems that analyze HTTP traffic are fairly easy to develop because HTTP consists of only 10 or so primitives, whereas SQL consists of over 350 individual commands as well as a full programming language, with additional variations and subtleties for each DBMS platform.”

Database Security: Guardium SQL Guard 6.0

In an industry flush with products for securing the network perimeter, Guardium’s SQL Guard 6.0 serves as an important addition for monitoring and managing connections to and from a wide variety of enterprise database products. SQL Guard has evolved from an impressive technology to an enterprise-class data security product that should be on every organization’s radar.

Former Cox Communications employee pleads guilty to hacking company network

There are several reasons why a former Cox Communications employee still had the access needed to shut down his former employer’s telecommunications services after he was asked to resign. “The issue in a lot of organizations is that privileged users share accounts, so they can access one account that can’t be turned off,” said Phil Neray, vice president of marketing at data security vendor Guardium.

Guardium Offers Visibility Into DB2 Blind Spot

When it comes to security auditing, the mainframe just hasn’t kept up with the times ... The new Guardium for Mainframes product, a combination appliance and software, provides visibility into all DB2 activity, including who’s reading what on the database. “This would be important for PCI because you need to know who’s accessing sensitive data,” says Phil Neray, vice president of marketing for Guardium. “Until now, there’s not been a practical way to track all database activities without impacting performance.”

Guardium for Mainfames covered in Rich Mogul's blog, Securosis

Guardium extends its database security solution to the mainframe, “a really smart move, especially since they partnered with Neon who sells to the mainframe buying center. They can now offer full database monitoring (including SELECT queries) on the mainframe outside of network sniffing (which misses certain kinds of connections) ... Now you have an independent way to enforce separation of duties on mainframe administrators without interfering with how they work or affecting performance. And you can integrate the policies for alerts, and the logs, with all your other database monitoring.”

As data breaches snowball, IT pros look for answers

Ann Auerbach, IT and compliance manager for Denver-based Cimarex Energy Co., acknowledges that the biggest concern for the oil and gas exploration company is that it is able to adequately respond to auditors examining its security controls. For that, she chose technology from database security vendor Guardium. She said version 6 of Guardium provides her, among other things, with regular reports auditors can study to see who is doing what on the network.

Overall Rating: Five Stars

Guardium provides a sophisticated database security solution that is simple to install and deploy. Businesses have a legal duty to protect their customer information, and this has the tools to ensure they meet regulations.

TJX Lesson: PCI Compliance Might Stop Data Breaches

“The Canadian report was interesting,” says Phil Neray, a vice president at Guardium. “TJX was cited for not having an activity monitoring process. We also recommend a multi-layered security approach.” This he likened to the security layers around a castle, first a moat, then a drawbridge, and a gate. “What might get through one layer, will hopefully get stopped at the next layer,” Neray adds.

Most companies have a good “traditional” perimeter security set up, but have been slow to adopt newer technology, such as database monitoring. “Had TJX had some type of activity monitoring in place, the breach would have been detected sooner, rather than going on for months and months. There will always be holes in the environment where hackers or insiders can exploit data. If you have activity monitoring in place, this allows you in almost every situation to detect when an intruder is cutting through your layered defenses.”

PCI Is Security Simplicity, Not Complexity

All it takes is one successful hack attack to wipe out years of so called “savings” gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just won’t happen to them.

The time to take security seriously is before an attack happens, not after. That is precisely what PCI aims to do.

TD Ameritrade database breach an inside job?

The TD Ameritrade theft of information on 6.3 million customers might have been caused by an inside attack. “This has all the signs of an inside job,” said Phil Neray, vice president of marketing at Guardium. He added that unauthorized malicious code placed on one of the company’s databases, “could only be put there by someone with administrative access to the database.”

Ten Tech Companies to Watch -- Guardium

“Guardium’s Linux-based security software resides on a hardened appliance plugged into the client’s network, and all it does is analyze database traffic very, very closely. Given that financial databases contain millions of records and are sometimes sprawling, multi-national affairs, it’s a lot of traffic to watch ... Guardium is in the right place at the right time with the right partners.”

Gold Winner in Auditing and Compliance

“This year’s Auditing and Compliance category Gold Winner, Guardium Data Privacy Accelerator, an add-on to the company’s SQL Guard compliance solution, provides auditing with an eye toward protecting sensitive data against theft, including data breaches by privileged users inside an organization. Data Privacy Accelerator gives organizations an edge on not only preventing data breaches, but also on stopping them in real time.”

Sentencing in DuPont insider theft case delayed again

“Phil Neray, vice president of marketing at Guardium, told SCMagazine.com, ‘Policies are important, but you have to have [automated] tools in place to enforce those policies.’ Putting automated monitoring systems on a corporate network gives enterprises two key tools in combating insider threats, added Neray. ‘They allow identifying the unlawful activity with real-time alerts and they create a body of forensics-quality evidence the enterprise can use’ to prosecute insiders who’ve stolen proprietary information.”

Former Boeing employee charged in data theft

“Many large companies simply fail to ‘verify what their [privileged] employees are doing,’ said Phil Neray, vice president of marketing at Guardium, a vendor of database-access monitoring products. ‘This was an employee with unfettered access to sensitive information as part of his job.’ Had Boeing deployed automated activity-monitoring technology, Neray pointed out, ‘it would have immediately noticed that something that didn’t fit inside of [Edwards’] normal patterns of activity was happening.”

Getting Inside the Insider Threat

“Still, Ron Ben-Natan, CTO of Guardium, based in Waltham, Mass., said businesses should operate under the Cold War adage of ‘trust but verify.’ ‘We all want to hire trustworth personnel but we must act to identify IT policy violations for both security and regulatory requirements. Trust is not a strategy and hope is not a policy. By integrating checks and balances into our daily network and database operations, we get early warning signs to find malicious acts like data breaches and preent them from happening.’ “

Guardium Adds Tracking Solution

“Guardium’s new Universal Local-Access Monitoring solves a very real problem for IT security personnel who are responsible for monitoring privileged users and ensuring the privacy and integrity of corporate data,” said Jon Oltsik, senior analyst, Enterprise Strategy Group (ESG). “The combination of all-inclusive network and local-access monitoring provides an advanced level of oversight and control that helps enterprises both enforce policies and demonstrate compliance.”

New Report Chronicles the Cost of Data Leaks

This article on McAfee’s Datamonitor report chronicles the cost of data leaks. It quotes Phil Neray, Guardium’s VP of Marketing, “Most sensitive data is stored in enterprise databases that are at the core of your Oracle Financials, SAP or PeopleSoft systems. Privileged insiders such as administrators, developers and outsourced personnel have virtually unfettered access to these data sources.”

Database monitoring appliance curbs leaks

Guardium unveils data-leak prevention appliance for database monitoring
Guardium next month intends to deliver a database-monitoring appliance designed to identify suspicious activity and prevent leaks of sensitive data.

Technology May Ease Compliance Burden

Auditors may ask IT shops for database reports to prove that organizations can track changes made to critical databases containing customer information. “The company panics and tells IT to turn on the native database auditing utilities, which reduces system performance, impacts the stability and produces so many reports that it is impossible for the IT staff to go through them all,” says Guardium’s Vice President of Marketing, Phil Neray.

(Problem Solved) - Answers For Auditors

CIO David Vordick selected Guardium for a real-time database monitoring solution to help USEC Inc. pass its audits. After two audits with the solution in place, their investment has paid off. Guardium simplifies data governance by centralizing Sarbanes-Oxley controls across database platforms and providing preconfigured reports. “When it comes to Sarbanes-Oxley,” says Vordick, “it’s good to have one less thing to worry about.”

Secure your enterprise data

Regulations and a fear of banner headlines put the focus on data, not network, security
Security experts are painfully aware that clamping down on insider threats and data leaks is far more difficult than stopping malware. While recognition of the data-security problem is spreading fast, very few enterprises have acted to lock down their sensitive data and intellectual property. This articles talks about both the need to protect privileged data and ways to combat the issues, such as creating and enforcing policies. “You’ve got to focus on insiders and trust – trust and verify,” says Phil Neray, Guardium’s Vice President of Marketing.

Database activity monitoring helps USEC with SOX compliance

Global energy company USEC, Inc. implemented Guardium’s appliance-based solution to support SOX compliance. The company needed to find a way to monitor and track DBA activity but not hinder them in doing their job. USEC found that Guardium’s solution was the most effective product on the market, monitoring and logging everything that the DBAs do at the SQL statement level, so the security manager can see exactly what they’re doing with the database. The DBAs follow a change control process to give the security manager advance notice of any planned, and authorized, database work. Any time a DBA or other privileged user connects to the database, the security manager gets an alert and can compare that activity against approved changes.

Field Report: Nuclear Fuel Supplier Tightens Database Security

Keeping tabs on enriched uranium? Challenging. Keeping track of database integrity for SOX? Piece of cake.
Global energy company USEC, Inc. implemented Guardium’s appliance-based solution to support SOX compliance. USEC needed to upgrade internal security on its financial databases by adding tools that monitor the actions of “privileged users,” namely, the DBAs. USEC now uses Guardium’s database activity monitoring and auditing solution to watch activity on inventory, HR, and financial databases. Robert Gorrie, information security manager says, “You have to trust your DBA, but ‘trust’ is not something that will keep your auditors at bay.”

Data Theft Shows Insider Risks

Gary Min, who worked as a scientist at DuPont for 10 years, highlights the damage insiders can do to companies that do not monitor behavior. He covertly used DuPont’s computer systems to steal trade secrets valued at more than $400 million after joining a rival company but before resigning from DuPont. “What happened at DuPont is not surprising at all,” said Phil Neray, vice president of marketing at Guardium. Neray said the apparently unfettered access that Min had to the data on DuPont’s EDL server is evidence of the lack of monitoring that is typical inside corporate networks. “The objective should be to give insiders as much access as they need but no more.”

DuPont case highlights insider threat

Corporate executives who doubt that malicious employees are among their greatest potential security threats should look at the case of a former DuPont Co. senior scientist as the ultimate cautionary tale, one security expert said Thursday. “By default you trust insiders,” said Ron Ben-Natan, Guardium CTO. “The challenge is always in how you balance the trust you give them with the right amount of security so a few bad apples can’t get away with this sort of thing.” Ben-Natan goes on to list several lessons that can be learned from this case and applied to any enterprise IT shop.

Preventing data breaches is hard; detecting them later can be harder

Jaikumar Vijayan notes the lag between when a database intrusion occurs and when it may be detected, noting that this gap may be due to the myriad ways attackers can gain access to systems and conceal their tracks. USEC Inc., a $1.6 billion energy company, uses a Guardium solution to “detect unauthorized changes and other policy violations that could affect the integrity to USEC’s financial data in real time,” said CIO David Vordick. The product also enables USEC to “monitor compliance with its Sarbanes-Oxley financial reporting obligations and provides the company with a real-time, security-alerting capability.”

Guardium Database Compliance Tool Tracks All Changes

Guardium released its latest set of compliance automation tools, aiming to help businesses record and monitor every alteration workers make to their enterprise information vaults. While most companies have developed database change control guidelines since the arrival of mandates such as Sarbanes-Oxley, few have been able to build systems that track every change made to their systems and alert administrators when policies are violated. Guardium’s Change Control Solution for Database aims to do just that, offering the ability to monitor every adjustment made to database objects – including database structures, permissions, stored information, and configuration files.

Guardium to Protect Database

Guardium announced the first database security and monitoring solution that provides granular visibility into all changes todatabase objects – including database structures, permissions, data, and configuration files – without relying on database-resident functions such as trace and transaction logs or native auditing. Most organizations have formal change control policies and processes that govern how and when changes are made to production databases. Until now, however, there were no effective and tamper-proof solutions for detecting when critical changes were made outside of these policies and processes.

Passing the SOX Audit: More than 60% Say They Aren’t Ready

A survey from the Oracle Applications Users Group (OAUG) reveals that manual controls increase operational costs significantly. Despite years of effort and millions of dollars of investment, nearly 61 percent of companies say they have not yet finished implementing their SOX compliance processes. “Security and compliance go hand in hand,” says Phil Neray, Vice President of Marketing for Guardium. “Securing the data in real-time and automating database activity monitoring are key ways organizations can protect their critical information while increasing operational effectiveness.”

Taking A Holistic View Of Risk And Privacy

Christine Dunn reports that companies using technology to help with compliance are turning to systems that allow them to implement controls for governance as well as privacy regulations. “Customers know not to treat each regulation with standalone initiatives,” says Ron Ben-Natan, Guardium’s Chief Technology Officer. “Instead they bundle them into two groups, governance (think Sarbanes-Oxley) and privacy (HIPAA or SB-1386), and then put systems into place to manage all changes and access to the data.”

Guardium 7 Awarded 5-Star Ratings

by David Mitchell, SC Magazine

Lab Review Cites “Swift Deployment, Extensive Database Support, Sophisticated Policy-Based Security, Unique S-Tap and S-Gate Probes, [and] Vulnerability Assessment Tools”

Guardium, the database security company, received 5 out of 5 stars on Features, Performance and Ease-of-Use in an extensive Guardium 7 lab review published in the April 2009 issue of SC Magazine UK.

The review states that Guardium 7 “provides essential tools to protect against the ever-increasing number of security threats” and “provides a range of security measures that allow companies to audit database usage and enforce policies to prevent unauthorized access” while providing an “intuitive web interface” that “offers a range of preconfigured interfaces for data privacy regulations and compliancy guidelines.”

The review concludes that “you have to ask yourself whether you can afford not to have [Guardium 7].”

The Verdict: 5 Stars

With database attacks on the increase Guardium can make sure businesses don’t get caught with their pants down.

by Dave Mitchell, IT PRO
London,England,UK

“The Verdict: 5 Stars: Regulatory compliance isn’t just about protecting databases but also about having laid down reporting and data access auditing procedures that can be enforced. Guardium is capable of ensuring consistent practices can be maintained across multiple databases and provides the tools to safeguard them and ensure their integrity.”

“With database attacks on the increase Guardium can make sure businesses don’t get caught with their pants down.  Businesses have a legal obligation to protect personal and sensitive information in their databases and yet it is truly stunning how many are still failing to comply with regulatory guidelines. It’s now a well known fact that SQL injection attacks are increasing massively thanks to freely available hacker kits and this year has started with security company Kasperksy ironically having one of its customer databases hacked into.”

“There’s certainly no shortage of database security products on the market and Guardium has traditionally offered an impressive array of defences against these types of attacks and more. Deployed as a well specified Dell PowerEdge 1950 appliance, it provides database monitoring and auditing plus security policy enforcement for blocking unauthorised access.”

"Most Powerful Compliance Regulations Tools ... Ever Seen"

“SQL server attacks abounded last year, evidenced in the Test Center’s threat reports of 2008. A relentless amount of SQL hacking attempts were logged as well. Compromised databases accounted for many of the big computer security breach news stories in 2008. This is why a lot of companies are turning to database security solutions like Guardium ... [which] may contain the most powerful compliance regulations tools that the Test Center has ever seen.”

Red Herring 100 Winner

Guardium has been named a Red Herring 100 North America winner, a selection of the 100 most innovative private technology companies in North America.  The magazine’s editorial board identified the top 100 out of more than 1,500 closely evaluated companies that are leading the next wave of IT innovation.  Previous award winners include Google, Yahoo!, Skype, Netscape, Salesforce.com, and YouTube.

"A Leader Across the Board"

According to Forrester, Guardium is “A Leader across the board” with “dominance and momentum on its side (Forrester Wave: Enterprise Database Auditing And Real-Time Protection, Q4 2007, October 2007).  In its comprehensive assessment, Forrester evaluated 14 large and small vendors across 116 criteria, with Guardium earning the #1 score for Architecture and the highest overall scores for Current Offering, Product Strategy, and Corporate Strategy.  Forrester expects Guardium to “maintain its leadership in supporting large heterogeneous environments, delivering high performance and scalability, simplifying administration, and performing real-time database protection.”

Best Intellectual Property Protection

Guardium was named a finalist for the Reader’s Trust Award for Best Intellectual Property Protection. Guardium is the only database security company selected as a finalist by SC Magazine readers. Placement in the SC Magazine Awards program is based on voting by more than 9,000 of the publication’s readers who are responsible for IT security, compliance and risk management in organizations worldwide.

5-Star Rating

SC Magazine gave Guardium 5-Star ratings for Features, Performance and Ease-of-Use, citing its “easy installation, massive database support, sophisticated reporting, strong policy-based security [and] PCI out-of-the-box.” The review described the product as a “sophisticated database security solution that is simple to install and deploy” with “an extensive range of security features that allow companies to monitor and audit database usage and enforce policies to prevent unauthorized access.”

Top of Class

Guardium was rated “at the top of the DBEP [database extrusion prevention] class” with a “solid feature set that should please security pros looking to take back control of database security” in a lab review conducted by InformationWeek magazine.  According to the review, Guardium “has thrown in practically every feature you’ll need to lock down sensitive data” with a “well-designed and attractive Web interface that shows off the maturity of the 6.0 release.” The review concludes that Guardium 6.0 provides “capabilities that stand out from other products we’ve tested.” These products include Imperva’s SecureSphere Database Security Gateway and RippleTech’s Informant. 

Enterprise-Class Security

The Verdict: Guardium’s solution “has evolved from an impressive technology to an enterprise-class security product that should be on every organization’s radar.” Guardium “continues to address one of the most typical database audit failure points. Most auditors will not issue a ‘pass’ if you leverage a database’s native logging features because they are owned and controlled by the groups you are trying to monitor (for example, DBAs should not be responsible for configuring and monitoring DBAs). Guardium 6.0 ensures a system of checks and balances between the security and database engineering teams.”

Gold Winner in Auditing and Compliance

“This year’s Auditing and Compliance category Gold Winner, Guardium Data Privacy Accelerator, an add-on to the company’s SQL Guard compliance solution, provides auditing with an eye toward protecting sensitive data against theft, including data breaches by privileged users inside an organization. Data Privacy Accelerator gives organizations an edge on not only preventing data breaches, but also on stopping them in real time.”

"One of 10 technology companies to watch”

Bank Technology News named Guardium ”one of 10 technology companies to watch”, stating that the company’s “innovation is getting them noticed” and that Guardium is “in the right place at the right time with the right partners.” Past winners of this prestigious award have included Oracle and RSA, The Security Division of EMC.  The publication notes that ING Investment Management is one of Guardium’s customers, while citing Guardium’s “top talent, led by chief technology officer Ron Bennatan, who’s developed apps for J.P. Morgan, Merrill Lynch, [AT&T Bell Laboratories] and Intel.”

Gold Winner in Security

The editors and writers of SQL Server Magazine created the first annual Editors’ Choice Awards to recognize superior products in the market. Winners in 17 categories were chosen based on strategic importance to the market, competitive advantages, and value to the customer.

American Business Awards Finalist

Guardium was named a finalist for the prestigious 2008 American Business Awards in the category of “Best New Product or Service - Computer Software.” Guardium 6 was one of more than 2,600 nominations spanning 40+ categories.  Other finalists include: Microsoft; Adobe Systems; Citrix Online; salesforce.com; and WebEx Communications.  Hailed as “the business world’s own Oscars” (New York Post, April 27, 2005), The American Business Awards are the only national, all-encompassing awards program honoring great performances in business. 

Ten Database Activities Enterprises Need to Monitor

by Jeffrey Wheatman, Research Director, Gartner

Most enterprises are paying too little attention to the very real security risks associated with their databases. Databases – especially RDBMSs – are growing larger all the time, and the information they hold is increasingly sensitive and subject to compliance requirements of many different kinds. These sensitive data types include intellectual property, personally identifiable information, personal health information and financial information.  Auditors, security and risk professionals, and data owners need to watch for telltale behaviors that may indicate serious database security problems. For this reason, Gartner has compiled a list of 10 critical database activities and behaviors – segmented by four sets of roles – that enterprises should be auditing now.

Your Enterprise Database Security Strategy 2010

By Noel Yuhanna, Principal Anyalyst, Forrester Research

SQL injection attacks and internal data thefts are on the rise – but DBAs spend less than 5% of their time on database security.

Read “Your Enterprise Database Security Strategy for 2010”, authored by Noel Yuhanna, principal analyst at Forrester Research Inc., to learn:

• Why AAA and basic security are no longer sufficient.
• The 3 key pillars of a database security plan (foundation, preventive, detection).
• Why 60% of internal database threats go undetected.
• Why privileged user monitoring and role separation are important (and how to implement them).
• Reducing compliance costs and effort by standardizing controls across regulations and applications.

Databases at Risk

by Jon Oltsik, Principal Analyst, Enterprise Strategy Group
In a recent Research Brief, ESG analyzed the current state of database security.  Based upon a survey of 179 North American-based security professionals working at organizations with over 1,000 employees, ESG found that:

• Databases house a higher percentage of confidential data than any other type of data repository.
• Database security depends upon too many manual processes.
• Enterprise-class organizations aren’t diligent enough about database security.

This Research Brief categorizes databases as a “dangerous and growing security gap,” and offers steps to improve database security across the enterprise.

Forrester Wave: Guardium Is "A Leader Across The Board"

According to Forrester, Guardium is “a Leader across the board” with “dominance and momentum on its side.” Forrester expects Guardium to “maintain its leadership in supporting large heterogeneous environments, delivering high performance and scalability, simplifying administration, and performing real-time database protection.”

Forrester Case Study: Guardium Secures SAP & Siebel Data, Achieving 239% ROI

This commissioned case study by Forrester Consulting describes how a global manufacturer implemented Guardium’s real-time monitoring technology to protect corporate data and enforce change controls for critical databases supporting SAP, Siebel and 22 other key financial systems. The customer is a Fortune 500 manufacturer whose brands are household names around the world. According to Forrester, the Guardium solution delivered a risk-adjusted ROI of 239 percent and payback period of less than 6 months compared to the “significant labor and capital costs” that would have otherwise been required using an in-house solution and traditional database logging utilities.

Forrester SOX Case Study

This commissioned case study by Forrester Consulting explains how a leading NYSE-traded energy company simplified database monitoring for SOX while strengthening database security and change controls.

OAUG Survey: Automating Compliance – The Role of Automation in Database Compliance Monitoring

The latest survey commissioned by the Oracle Applications Users Group (OAUG), the leading Oracle user group, in cooperation with Guardium, finds that IT organizations are devoting major amounts of staff resources to database monitoring and compliance reporting. Discover what other businesses are saying about compliance challenges and costs, automating database monitoring and auditing, and the benefits and opportunities that lie ahead.

Bring Database Activity into Compliance

by Eric Ogren, Security Analyst, Enterprise Strategy Group
This special report, commissioned by Guardium, examines a comprehensive approach to securing confidential data and auditing database activity for compliance with government regulations and corporate security policies. The purpose is to provide information and make recommendations for database security to assure true compliance and business continuity. Information in this report derives from Enterprise Strategy Group research and interviews with security executives of global operations.

Data Centric Security

by Spire Research
This white paper talks about how to protect your valuable and sensitive databases. Safeguarding information assets is vital, yet it can be difficult to apply controls that are restrictive or inhibit performance. Learn more about the traditional issues surrounding database security, an approach to implement a database security monitoring program, and insights into how Guardium addresses the challenges of security and compliance with its powerful solutions.

Aberdeen Group: Guardium Receives Strategic Investment from Cisco

Waltham, Mass.-based Guardium received a strategic investment from Cisco as part of a strategic funding round totaling $6.3 million.  Cisco’s investment in the four year old company is the first investment in this market by a major technology company and provides strong validation of Guardium’s market leadership and the new database access control product category that provides companies with the ability to track and control access to sensitive data in their critical business systems and ensure regulatory compliance.  Cisco, for a relatively small investment, gains access to new technology which may help drive Cisco revenue in the future as the company expands and refines product offerings. 

IBM/Guardium Hosts Database Security Seminar Series Featuring Top Analyst Firm

Experts Share Best Practices for Database Protection, Information Governance & Compliance

IBM Acquires Guardium

Helps Organizations Safeguard Critical Enterprise Data

Bank CISO to Present at Data Security Seminar

Security and Compliance Leaders Meet in Toronto to Discuss Data Security Initiatives for Key Regulations, Privacy Standards and Reporting Requirements

Guardium Continues Expansion Across EMEA Region

Andrew Lawton Appointed VP to Address Growing EMEA Demand for Safeguarding Sensitive Data from Cybercriminals and Insider Threats

Guardium Research Reveals Alarming Lack of French Consumer Confidence in Online Security

New data security survey discovers that 73% of French consumers lack confidence in retailers’ abilities to safeguard financial data; 43% concerned about Carte Vitale

Verizon Business Forensics Investigator Discusses “Lessons from the 2009 Data Breach Investigations Report” in Webcast

Experts Shed Light on Headline Breaches and Reveal Best Practices for Cyber Defense

Guardium Safeguards McAfee.com

Largest Dedicated Security Technology Company Chooses Guardium to Track and Monitor All Access to Cardholder Data, Without Impacting Performance or Reliability; Solution Deployed in Less Than 48 Hours

Guardium Hosts Executive Financial Services Seminar on Leading Practices for Data Security, Privacy & Compliance

Top Data Protection Professionals from Deloitte & Touche LLP, ING Americas Financial Services and Leading Analyst Firm Address Compliance Issues Including Cost and Complexity

Guardium CTO Shares Best Practices for Database Security and Addressing Insider Threats at San Francisco ISACA Fall Conference

High Profile Breaches and Spying Demonstrate Need for Database Monitoring and Auditing

Sybase Recommends Guardium Solution

Sybase Recommends Customers Implement Guardium’s Database Security and Auditing Solution

New Educational Site Focuses on Database Security

New Dark Reading Tech Center Covers Database Vulnerabilities, Common Mistakes and Defenses for Protecting Against Both Internal and External Threats

Security Veteran to Lead Government Practice

Key Hire with 20+ Years of Federal Technology Experience Will Continue Guardium’s Rapid Growth Safeguarding Data for Government Sector

Abu Dhabi Bank Strengthens Database Controls

Security Initiative Driven by ADCB Audit Strategy to Monitor DBAs and Prevent Unauthorized Changes to Critical Databases

Cybersecurity Seminar with Gartner and Booz Allen

Leading Data Protection Experts Highlight Pressing Government Issues Including Cybersecurity and Emerging Threats

Guardium 7 Awarded 5-Star Ratings by SC Magazine

Lab Review Cites “Swift Deployment, Extensive Database Support, Sophisticated Policy-Based Security, Unique S-Tap and S-Gate Probes, [and] Vulnerability Assessment Tools”

Survey: UK Public Worried About Data Security

A fifth of respondents have been victim to fraud; Only two percent have ‘total faith’ in government security policies

Guardium Integrates with Microsoft Forefront “Stirling”

Leading Provider of Real-Time Database Security and Monitoring Announces Support for Microsoft Forefront “Stirling”

Guardium Fuels Customer Momentum for IBM

Supports Data Center Consolidation with Expanded Support for IBM DB2, Informix, Cognos Software and IBM i and System z Operating Systems with z/VM and Linux

Guardium Hosts Best Practices Webcast with Forrester

Real-World Case Studies Help Companies Learn Effective Strategies for Protecting Sensitive Corporate Data While Reducing Cost of Compliance

"Most Powerful Compliance Regulations Tools ... Ever"

Tune in for CRN’s Virtual Trade Show Review of Guardium 7 on February 25th; Review Examines Need for Multi-Layered Security Including Real-Time Database Security & Monitoring

Guardium CTO to Present at Infosecurity Europe Event

Data Breaches Demonstrate Critical Need for Data-Centric Security

Washington Metro Automates PCI Controls

Level 1 Merchant with 9 Million Transactions Yearly Protects Consumer Trust By Shielding Database Infrastructure from Internal and External Threats

Dell Simplifies Enterprise Security with Guardium

“Deployment of the Guardium platform successfully met the requirements established by Dell without causing an outage to any of its databases, and produced a significant reduction in auditing overhead.”

European Financial Services Company Selects Guardium

Guardium and Telindus Belgacom ICT Luxembourg Sign Partnership Agreement

Guardium CTO to Present at UK Oracle Conference

Recognised Database Security Expert to Discuss Best Practices for Monitoring Privileged Users and Preventing Fraud in Enterprise Applications

National Bank of Kuwait Implements Guardium

Guardium and StarLink Announce Distribution Partnership to Provide Real-Time Database Security and Monitoring to Middle East Region

Guardium Achieves ArcSight Certification

Integration with the ArcSight SIEM Platform Provides Enterprises with Clear Visibility into Internal and External Database Threats

Guardium Expands International Reach

Market Leader Continues Momentum in Europe, Latin America & Asia-Pacific Markets

Executive Seminar with Forrester

Leading Industry Analyst and CTO to Discuss Critical Enterprise Data Protection, Governance and Compliance Issues

Government Database Security & Compliance Webcast

Online Seminar Outlines Effective Strategies for Securing Personally Identifiable Information (PII) and Complying with OMB Directive M-06-16

Guardium is Red Herring 100 Winner

Past Winners – Including Google, YouTube, Salesforce.com, Netscape, Yahoo! and Skype – Demonstrate Waves of Technology and Business Innovation

Blocking Unauthorized Privileged User Access

For the First Time, Organizations Can Fully Enforce Separation of Duties – Without Disrupting Business Processes or How DBAs Do Their Jobs

Guardium: Finalist for American Business Awards

6th Annual Stevie® Awards Recognize Guardium 6 As One of the Best New Software Products of 2007

Guardium Chosen as Red Herring 100 Finalist

Award Recognizes the 100 “Most Promising” Companies Leading the Next Wave of Innovation

Guardium Hosts Best Practices Seminars Featuring Gartner

Experts to Highlight Data Privacy, Governance and Compliance Essentials

Gartner Reveals DAM Best Practices

On-Demand Video Details Top Strategies for Securing Critical Enterprise Data

Guardium 7 Monitors Oracle ASO Encrypted Traffic

Guardium 7 Supports Oracle Advanced Security Option (ASO) Network Encryption, Monitoring Data-in-Motion from Privileged Users and Enterprise Applications such as Oracle EBS and PeopleSoft

Guardium 7 Adds Vulnerability Management

First Solution to Integrate Vulnerability Assessment with Sensitive Data Discovery, Real-Time Activity Monitoring, Policy-Based Controls, Configuration Auditing and Compliance Workflow Automation

Guardium 7 Integrates with SIEM, Log Management

Integration with ArcSight ESM, CA, Cisco MARS, LogLogic, RSA enVision and SenSage Provides 100% Visibility and Database Analytics for SOX, PCI-DSS and Data Privacy

Guardium Installed in 350+ Data Centers Worldwide

Installed in More Than 350 Data Centers Worldwide, Including 3 of Top 4 Banks, One of the World’s Largest PC Manufacturers and a Global Soft Drink Brand

Guardium Hosts Best Practices Webinar with Forrester

On-Demand Web Seminar Outlines Effective Strategies for Securing Critical Data From Malicious Outsiders and Trusted Insiders

Securing Microsoft SQL Server 2008

Support for SQL Server Advanced Security Features Provides Comprehensive Visibility into Critical Database Activities

Guardium Secures SAP & Siebel Data

Guardium Solution Automates SOX Controls and Prevents Unauthorized Changes to Critical Databases, According to Case Study by Leading Analyst Firm

Best Intellectual Property Protection

Readers Value Real-time Monitoring of Business-Critical Information as Keys to Protecting Intellectual Property

Guardium Teams with NetApp for PCI

Joint Solution Combines Real-Time Activity Monitoring and Granular Access Controls with Media Encryption to Protect Cardholder Data

Forrester: Guardium is "A Leader Across the Board"

With "Dominance and Momentum On Its Side," Guardium Earns Highest Overall Scores for Current Offering, Product Strategy and Corporate Strategy; Cited for "Leadership in Supporting Large Heterogeneous Environments"

Guardium Partners with NEON on Mainframe

Announces First Solution for 100% Real-Time Visibility Into All Mainframe Database Activity Without Impacting Business Processes; Practical and Comprehensive Solution for Preventing Unauthorized Access to Sensitive Data in Large Corporations

Guardium Receives 5-Star Ratings

Lab Review Cites "Easy Installation, Massive Database Support, Sophisticated Reporting, Strong Policy-Based Security [and] PCI Out of the Box"

Guardium Joins PCI Security Council

Brings Real-Time Database Security and Monitoring Expertise to Help Organizations Protect Cardholder Data with Practical, Cost-Effective Solutions That Don't Impact Existing Business Processes

Guardium Rated at the Top of Class

"Guardium has thrown in practically every feature you'll need to lock down sensitive data" with "capabilities that stand out from other products we've tested" and a "well-designed and attractive Web interface that shows off the maturity of the 6.0 release"

Guardium Wins Back-to-Back Awards

Industry Recognition Signals Growing Importance of Data-Centric Security and Market Leadership Achieved by Guardium's Appliance-Based Solution

Guardium Expands Team to Drive Channels

Martin W. Pejko to Expand Channel Partnerships to Capitalize on Explosive Demand for Real-Time Database Security and Monitoring Solutions

Guardium Receives RSA Certification

Guardium Joins RSA Secured® Partner Program to Enhance Data-Centric Security

Guardium and Cigital Announce Partnership

Alliance Combines Best-of-Breed Consulting with Appliance-Based Technology for Protecting Web-Facing Applications and Critical Data

Guardium & Cisco Discuss Security and Compliance

TechWiseTV Educational Broadcast Highlights Best Practices for Preventing Information Leaks and Protecting Sensitive Data

Guardium Strengthens Executive Team

Upesh Patel to Drive Technology Partnerships Leading to Enhanced Data-Centric Security

Guardium Slams “Back Door” to Privileged Users

First Solution to Monitor All Local-Access Connections Without Performance Overhead and Security Risk of Native Logs

Guardium Expands Worldwide Distribution

Company Continues Rapid Expansion by Adding 14 New Resellers in North and South America, Europe, the Middle East, and the Pacific Rim

Guardium Launches Database Leak Prevention

Automatically Pinpoints and Tags Sensitive Information in Databases; Assigns Granular Access Policies; Prevents Unauthorized Access; Delivers Automated Controls and Reporting for PCI DSS

Guardium Strengthens European Presence

Seasoned Professional Leads London–Based HQ to Meet Growing Demand for Protecting Critical Enterprise Data from Hackers and Trusted Insiders

Guardium Partners with Xtivia

Enhances Data Security, Data Governance and Compliance for Fortune 500 and Mid-Market Customers Across the U.S.

Guardium Experiences Strong Growth

Extends Early Lead in Market by Tripling Size of Installed Base; Works with Industry Leaders to Accelerate Data Security and Data Governance Initiatives

First Solution To Track All Database Changes

New Offering Supports Auditors' Requirements to Tighten Controls and Increases Staff Efficiency

Receives IBM "Advanced Industry-Optimized" Status

Joins IBM PartnerWorld Industry Networks to Deliver On Demand Solutions that Accelerate Data Security and Data Governance Initiatives

Survey Shows Companies Not Ready for SOX Audit

Survey From Oracle Applications Users Group (OAUG) Shows Manual Controls Significantly Increase Operational Costs

Global Energy Company Implements Guardium

Appliance-Based Technology Helps NYSE-Traded Company Simplify and Automate Database Activity Monitoring for Oracle & SQL Server – Without Impacting Business Processes

Guardium & IBM Host Seminar with Gartner

Guardium and IBM Sponsor Wall Street Seminar About Best Practices for Protecting Critical Data, Meeting Auditors' Requirements, and Reducing Compliance Costs

Guardium Named Gold Winner

Self-Contained Network Appliance Provides Automated SOX Reporting & Real-Time Security Without Impacting System Performance or Stability

Premier Systems Integrator Selects Guardium

Top Cisco, Oracle, Sun, and EMC Reseller Targets Growing Demand for Data Privacy and Compliance

Energy Producer Achieves ROI with Guardium

Case Study by Leading Analyst Firm Demonstrates Strong Security and Compliance Benefits with Solid Financial Return

Finalist for MITX Technology Award

Third Annual MITX What's Next Forum & Technology Awards Recognize Outstanding Technology Advancements in New England Region

Guardium Adds Cisco as Strategic Investor

Cisco Invests in Guardium’s Network-Based Platform for Protecting Sensitive Corporate Information

Guardium Adds Support for New IBM Platforms

Enhances Ability to Create Unified Controls Across Heterogeneous, Multi-Vendor Database Infrastructures

Guardium Hosts Data Privacy Seminar with Gartner

Analysts to Highlight Best Practices for Data Security and Compliance

Premier MSP Selects Guardium

Implements Guardium Database Security and Auditing to Protect Oracle ERP System at Leading Manufacturer

Guardium & Forrester Outline Best Practices

Feb. 28 Web Seminar to Highlight Network-Based Database Security and Auditing Appliances

Guardium Expands Global Installed Base

Demand for Database Security and Compliance Solutions Fuels Growth, Industry Partnerships and New Product Innovation

Guardium Protects Against Identity Theft

Network Appliance Prevents Unauthorized Access From Both Inside and Outside the Firewall

Phil Neray Joins Guardium

Phil Neray Joins Technology Leader to Raise Awareness for Company’s Advanced Data Privacy and Compliance Solutions

Guardium Joins IBM Data Governance Council

Helps Clarify, Resolve Data Governance Challenges Related to Information Security, Privacy and Corporate Compliance

Next Generation Database Firewall

SQL-Level, Policy-Based Database Firewall Re-Enforces Guardium's Leadership in Database Auditing, Compliance and Security Markets

SQL Guard Security System & EMC Centera API Integration

Combination Delivers a Storage Solution For Data-Centric Auditing and Compliance Initiatives

Identity Theft Protection Solution

Enables Organizations to Accelerate and Simplify Credit Card Data Protection for New PCI Data Security Compliance Standard

$5.5 Million Raised in 3rd Financing Round

Ascent Venture Partners Leads Investment Group to Provide Funding for Guardium’s Continued Rapid Growth in Database Security Market

Cyber Security Chief Joins Board of Directors

Amit Yoran to Provide Insight and Guidance to the Leading Database Security Company

2005 MITX Technology Awards Finalist

Second Annual MITX Technology Awards Recognize Outstanding Technology Advancements in New England Region

Enterprise-Class Security Platform Expansion

New SQL RemoteGuard Non-Intrusive Monitoring Probe Provides Flexible SQL Guard Options for Departmental and Remote Distributed Databases

Information Security Decisions Presentation

SQL Guard Advanced Database Security Solutions Automate Database Security, Auditing, Compliance, and Identity Theft Prevention

International Reseller Program Expansion

Leading Resellers Worldwide Add SQL Guard^™ Database Security Solution to Audit and Protect Enterprise Databases

Guardium Teams with Nebulas Security

Leading United Kingdom Value Added Reseller Provides Robust Database Security Solutions that Protect Critical Enterprise Assets

Guardium Builds Momentum in 2004

Database Security Leader Experiences Exceptional Revenue Growth, Organization Expansion; Delivers Market-Leading Solutions for Securing Corporate Databases and Automating SOX/GLBA Compliance Initiatives

Guardium Security Suite Named Hot Pick

Recognized as a “Must-have” Database Security Solution for Enterprises; Placed in “a League of its Own”

Guardium Launches SOX & GLBA Solution

New Auditing, Assessment and Firewall Capabilities Accelerate Compliance Initiatives

Breakthrough Database Firewall

Innovative Policy-Based Firewall Extends SQL Guard Family and Leadership in Database Security Market

Guardium Joins EMC NAS Partner Program

Robust Database Security and Auditing Solutions with EMC’s Leading NAS Solutions Deliver Critical Information Protection Solutions

Guardium Addresses SOX Solutions

Will Share Insights into New Approaches That Simplify Financial Database Access Control and Auditing To Support Sarbanes-Oxley Compliance

Guardium Enters Alliance

Delivers Unprecedented Continuous Visibility and Access Control for All Network-Based Access To Distributed Sybase Databases

Breaking New Ground in Database Security

Enables and Simplifies Database Security Assessment, Access Policy Control, Auditing and Regulatory Compliance in a Single Enterprise Solution

Guardium Secures Second Round of Financing

Database Security Provider Will Use Funds to Pursue Significant Market Opportunity

Guardium Extends Database Support

SQL Guard Database Security Platform Now Supports IBM DB2; Guardium Joins IBM PartnerWorld Program

Guardium Joins Oracle Partner Network

Provides Robust Database Security for Oracle Customers

Guardium Introduces SQL Guard

First Non-Intrusive, Network-Based Data Access Security Appliance for Protecting Valuable Corporate Data Fills Key Security Gap by Delivering Unprecedented Visibility and Knowledge Into Enterprise Database Access

Rounding Out the Executive Management Team

Michael Castricone and David Valovcin Bring Extensive Sales, Finance

Guardium Extends Executive Management Team

Nathan Kalowski And Roy Barr Bring Extensive Track Records In Building Successful High Growth Companies To Data Access Security Provider

Guardium Closes $4M Venture Capital

Guardium Targets the Enterprise Application and Database Security Market

Sybase TechWave

August 9-11, 2010
Hilton Washington
Washington, DC

Attendees have traditionally come to TechWave to learn about new product features and solutions, to network, and to do business. Last year’s TechWave conference received the highest customer satisfaction marks in the 11 year history of the event.

AFITC 2010

Air Force Information Technology Conference
August 30 - September 2, 2010
Renaissance Montgomery Hotel & Spa at the Convention Center
201 Tallapoosa Street
Montgomery, AL 36104

Guardium will be presenting the following session:
“Real-Time Database Security (Monitoring/Protection) & SCAP/STIG/NIST Compliance”
August 30th at 2:30pm in meeting room 6

IBM Security for a Smarter Planet - Chicago

Thursday September 9, 2010
IBM Chicago Tec

Join us to discuss how security is intrinsic to your business processes, your product develop- ment and your daily operations. We’ll cover how you can fit security into your overall IT infrastructure design from virtual data centers, secure application development, secure cloud development and end- point management. Learn how to understand the latest security threats AND how to stay ahead of them.

Gary Miko, IBM InfoSphere Guardium , will be presenting the “Data Security and Compliance” session from 1:00 pm – 1:45 pm.

IBM Security for a Smarter Planet – San Antonio

Tuesday, September 14, 2010
Sunset Station, San Antonio, TX

Join us to discuss how security is intrinsic to your business processes, your product develop- ment and your daily operations. We’ll cover how you can fit security into your overall IT infrastructure design from virtual data centers, secure application development, secure cloud development and end- point management. Learn how to understand the latest security threats AND how to stay ahead of them.

Jorge Marques, IBM InfoSphere Guardium , will be presenting the “Data Security and Compliance” session from 1:00 pm – 1:45 pm.

IBM Security for a Smarter Planet – Bloomington, IL

Tuesday, September 14, 2010
Bloomington-Normal Marriott Hotel & Conference Center

Join us to discuss how security is intrinsic to your business processes, your product develop- ment and your daily operations. We’ll cover how you can fit security into your overall IT infrastructure design from virtual data centers, secure application development, secure cloud development and end- point management. Learn how to understand the latest security threats AND how to stay ahead of them.

Gary Miko, IBM InfoSphere Guardium , will be presenting the “Data Security and Compliance” session from 1:00 pm – 1:45 pm.

ISSA International Conference

September 15-16, 2010
Georgia International Convention Center
2000 Convention Center Concourse
College Park, GA 30337 (Atlanta area)

CONNECT and COLLABORATE with your ISSA International Board, the Metro Atlanta host chapter and the Conference Planning Committee in Atlanta this September.  The world is becoming more CONNECTed and we must embrace this free exchange of information, yet maintain the safeguards to protect confidential data and personal privacy. We COLLABORATE in internal work groups to construct effective security while fostering productivity in the new world of mobile devices.  As Information Security professionals we are asked to CONNECT many different disciplines ranging from technical to legal compliance. And we COLLABORATE as a professional community sharing our hard won knowledge and valuable lessons learned through programs like the ISSA International Conference to deter breaches and cybercriminals.

Forrester’s Security Forum

September 16-17, 2010
Westin Copley Place, Boston, MA

As the global economy recovers in 2010, Security & Risk professionals must continue to balance tactical and technical responsibilities with the long-term strategic objectives of the business. To achieve this goal, you must aspire to transform your security organization from a reactive silo of technical security expertise to a proactive information risk management team. You must also adopt the same objectives and measures of success as the business. Ultimately, you want the business to view you as a strategic partner and enabler. Of course, you have to undergo this transformation while you adapt to the changing threat landscape, the adoption of cloud services, the consumerization of IT and expanded use of social technologies.

This year’s Security Forum will focus on: 1) evaluating the maturity and effectiveness of the security organization; 2) laying out a road map for architectural optimization and innovation; and 3) ensuring that the right skills, incentives, and metrics are in place for the long-term success of the security program.

ArcSight Protect ‘10

September 19-22, 2010
Gaylord National Resort & Conference Center
201 Waterfront Street
National Harbor, MD 20745 (Washington DC area)

ArcSight Protect ‘10, where the greatest minds in security meet, learn and collaborate to stay ahead of the surging threat of cybercrime. An unparalleled opportunity to be immersed in the latest knowledge and technology advances for protecting your organization and bringing your security level to unprecedented heights.

Oracle OpenWorld 2010

September 19-23, 2010
Moscone Center, West

Oracle OpenWorld is the world’s largest and most important conference for Oracle technologists, business users, and partners. This annual gathering is the best place to meet live and in person with experts, enthusiasts, business leaders, and innovators from every industry around the globe to network, learn, and celebrate your role in the technology that runs your business.

For a complimentary Discover Pass to the show ($125 value), register here using Guardium code ORCUKOCSTD

Be sure to view a short presentation in Guardium’s booth for a chance to win a free copy of HOWTO Secure and Audit Oracle 10g and 11g (CRC Press, 2009) authored by database security expert Ron Ben Natan, Ph.D. and Guardium CTO.  Raffle run every 30 minutes.

GTEC 2010

October 4-7, 2010
Westin Hotel, Ottawa, Canada

GTEC will showcase government and industry leadership on the structures, people, processes and technologies that lead to high performance government organizations. As an attendee, you’ll be exposed to a wealth of information in a conference that is delivered alongside a robust display of technologies and services.

IBM Security for a Smarter Planet – Little Rock

Tuesday, October 5, 2010
Holiday Inn Presidential

Join us to discuss how security is intrinsic to your business processes, your product develop- ment and your daily operations. We’ll cover how you can fit security into your overall IT infrastructure design from virtual data centers, secure application development, secure cloud development and end- point management. Learn how to understand the latest security threats AND how to stay ahead of them.

Jorge Marques, IBM InfoSphere Guardium , will be presenting the “Data Security and Compliance” session from 1:00 pm – 1:45 pm.

Gartner Symposium/ITxpo 2010

October 18-21, 2010
Walt Disney World Dolphin, Walt Disney World Swan
Orlando, FL

Gartner Symposium/ITxpo 2010 is the industry’s largest and most important annual gathering of CIOs and senior IT leaders. It delivers independent and objective content with the authority and weight of the world’s leading IT research and advisory organization. In more than 200 sessions, workshops, how-to clinics, roundtables and more, Gartner analysts cut through the hype to deliver you a view of what you need to know — from breakthrough approaches to delivering business value through IT to the strategic implications of fast-evolving technologies and industry trends. Whatever your IT role, Symposium/ITxpo has a track dedicated to your needs and perspectives.

IBM Information on Demand 2010

October 24-28, 2010
Mandalay Bay, Las Vegas, NV

This is a must-attend conference for business and IT professionals. You’ll gain the technical expertise and strategic insights to combine trusted information with business analytics and optimize your business performance.

Join us in Las Vegas this October to experience the best in technical and business education—including hands-on training, the largest IBM Expo and unprecedented networking opportunities.

SecureWorld Dallas

November 3-4, 2010
Plano Convention Center, Plano, TX

SecureWorld Expo brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security.

API IT Security Conference

November 10-11, 2010
Hilton Houston North, Houston, TX

IT Security is critical to the infrastructure of the oil and natural gas industry, and this conference will reflect on the latest issues and strategies enhancing operations. This conference provides an excellent opportunity to network with IT security professionals, and to candidly share ideas and to discuss the challenges facing the industry. These sessions, essential to IT security, are chosen and presented by recognized members in the field.

UKOUG Technology & E-Business Suite

November 29 - December 1, 2010
International Convention Center (ICC), Birmingham, United Kingdom

With delegates attending from around the world, and an agenda filled with top quality speakers, Conference Series Technology & E-Business Suite 2010 will once again make a positive impact on the Oracle Technology & E-Business Suite user. This annual user group event will offer a place to share knowledge and an exhibition where you can hear the latest information from key personnel about product development.