When The Washington Post went looking for a way to add additional security to its Oracle and SQL Server databases, it found that good monitoring tools were few and far between.
"We wanted something that would be very granular and flexible," says Stacey Halota, director of information security and privacy at the education and media company. The company had been relying on monitoring tools that were native to the databases, but Halota and her team knew those tools weren't sufficient, and they wanted to bolster the company's defense-in-depth and compliance stances.
"We wanted to add another layer of security to what we had, and we needed to make it easier to comply with Sarbanes-Oxley and the [Payment Card Industry's] PCI standard," says Halota, who told her story at the recent Network World IT Roadmap Conference & Expo in the US. "Although we were using the native tools and we had some third-party software in place already, we wanted to see what else was out there."
Many of the tools she investigated, however, were not very practical for The Washington Post's environment. "With some tools, if you want to monitor a certain event, they are architected so that they will monitor every instance of that event, store it and then sort through it later," she says. "So if you're looking at a person accessing a data element in your database, in order to see that person doing it, you have to monitor that activity for all people and then filter it out."
When tested, those tools quickly became unmanageable. "We ended up with gigabytes of data every day," she says.
Big Brother arrives
At the time, around the fall of 2005, Halota says she was hearing a lot about a tool from Symantec code-named Big Brother, an appliance-based monitoring tool, still in beta, that took a different approach.
"It would home in on exactly what you're looking for and report on it very quickly," she says, noting that the tool is now called the Symantec Database Security and Audit (SDSA) appliance. "And you didn't have to go through reams of logs to find what you needed."
She called Symantec, signed up for the beta program and got the appliance installed for testing. "I was excited about it because we could get involved with it while it was still being developed," Halota says. "As an early adopter, you tend to be able to give more feedback."
The SDSA comes with prebuilt policies that can be easily customized to suit a particular environment, Halota says. For example, the appliance can monitor all information that leaves the database, alerting administrators when it detects sensitive information such as credit card numbers, Social Security numbers, or any other administrator-defined data pattern. Users can then build policies around these patterns to control what gets flagged as suspicious activity. For example, if corporate IT policy says employees may access data for only one credit card per request, but a request is made to access data for multiple credit cards, the system will track that activity and alert the security team.
"The policies themselves are very flexible," Halota says. "You could say, 'I want to know when a request comes from this machine vs. that machine,' and it will get down to that level."
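The pattern-plus-policy checks Halota describes, as an added illustration in Python that is not Symantec's code and not the SDSA's policy language: it scans the column values of a response leaving the database for Luhn-valid card numbers and SSN-shaped values, then applies the one-card-per-request rule and a per-source-machine rule. The DbResponse record, the host names and the sample rows are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed shape of one response leaving the database (hypothetical; not
# the appliance's own data model).
@dataclass
class DbResponse:
    request_id: str
    client_host: str
    rows: list = field(default_factory=list)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, separators allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check so arbitrary digit runs (order numbers) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> set:
    """Distinct Luhn-valid card numbers found in one column value."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return {c for c in candidates if luhn_ok(c)}

def evaluate(resp: DbResponse, max_cards_per_request: int = 1,
             watched_hosts: frozenset = frozenset()) -> list:
    """Apply the article's policies to one response; returns alert strings."""
    cards, ssn_hits = set(), 0
    for row in resp.rows:
        for value in row:
            text = str(value)
            cards |= find_cards(text)
            ssn_hits += len(SSN_RE.findall(text))
    alerts = []
    if len(cards) > max_cards_per_request:
        alerts.append(f"{resp.request_id}: {len(cards)} distinct card numbers in one "
                      f"request (policy limit {max_cards_per_request})")
    if ssn_hits:
        alerts.append(f"{resp.request_id}: {ssn_hits} SSN-shaped value(s) left the database")
    if resp.client_host in watched_hosts:
        alerts.append(f"{resp.request_id}: request came from watched host {resp.client_host}")
    return alerts

# Constructed samples: a normal single-card lookup and a bulk pull of several cards.
NORMAL = DbResponse("req-1", "app-01", [("alice", "4111 1111 1111 1111", "order 1234567890123456")])
BULK = DbResponse("req-2", "app-01", [("alice", "4111111111111111"),
                                      ("bob", "5500000000000004"), ("carol", "340000000000009")])

if __name__ == "__main__":
    for resp in (NORMAL, BULK):
        for alert in evaluate(resp, watched_hosts=frozenset({"dev-box-7"})):
            print("ALERT", alert)
```

The order number in the first sample matches the digit-run pattern but fails the Luhn check, so only the real card counts toward the per-request limit.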