False Intrusion Alerts Cost Time, Money
Making sure IT gets alerted only when there really is a problem is important.
With data breaches hitting the headlines regularly and reports that regulatory compliance will be tightened up considerably in 2009, monitoring database activity to maintain security is becoming more important than ever.
However, most monitoring tools give rise to false positives, costing companies time and money as IT chases down these false alerts.
According to Secerno, which offers an artificial intelligence (AI) -based database monitoring tool, a false alert can cost an enterprise about $1,200, and several false positives may be generated in one day because a database activity monitoring system sees millions of queries during that time.
Traditional database activity monitoring systems use the tried and tested methodology originally used in intrusion detection systems, where anything in a database query that might indicate anomalous behavior triggers an alert.
That approach triggers alerts more readily than Secerno's system does, Paul Davie, the company's COO and founder, told InternetNews.com. "That technology is probabilistic, while ours is deterministic," he said.
Secerno claims its SynoptiQ technology, based on patent-pending technology developed at Oxford University in the U.K., eliminates false positives. The company's Secerno.SQL family of database activity monitoring solutions first lets users model normal behavior for querying their databases and set policies based on that model. It then analyzes each incoming query in full to see whether it matches that model and those policies.
"We match incoming queries with 100 percent accuracy," Davie said. "None of our customers have told us they have had false positives."
The tool matches incoming queries in real time, Davie said, and the algorithms Secerno uses ensure that matching never slows down, no matter how complex the queries or the policies that govern them are.
Secerno's products are available either as an appliance, consisting of the software running on a standard hardened Linux box, or as virtual machines running on VMware (NYSE: VMW) hypervisors. "A lot of our customers are looking at our solution on VMware at the moment, and we are driven by our customers' needs and wishes," Davie said.
The Secerno products can be used with Oracle (NASDAQ: ORCL), Sybase (NYSE: SY) and Microsoft (NASDAQ: MSFT) SQL Server, Davie said.
Other players in the game
Secerno is not the only database monitoring tool vendor going beyond the standard intrusion detection system approach.
Imperva uses a technology called Dynamic Profiling in its SecureSphere product, which takes the behavioral approach and which the company has offered for about six years, Vice President of Marketing Mark Kraynak told InternetNews.com.
The approach is similar to Secerno's: Dynamic Profiling models over time what groups of users normally do and builds a profile of normal behavior. IT then enforces that profile, either in whole or in part, depending on what the enterprise needs.
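The learned-profile approach both vendors describe (model normal query behavior per user group, then enforce that model in whole or in part) is easy to misread as a scoring system, so here is an added example, written for this page and not code from Secerno or Imperva, that shows why such a match is deterministic and why it produces fewer false alerts than a rule that fires on anything suspicious-looking. It reduces each query to a structural fingerprint (literals replaced by `?`, comments stripped), learns the set of fingerprints each principal issued during a learning period, and then either allows a query whose shape was learned or flags it. Everything below is an assumption of the example: the regex-based normalization stands in for the proper SQL parser a real product would use, the `QueryProfile` class and its "enforce"/"monitor" modes are this example's own names for whole-versus-partial enforcement, the `keyword_heuristic` function is a deliberately crude stand-in for the intrusion-detection-style rule the article contrasts with, and the sample traffic is constructed.

```python
import re
from collections import defaultdict

# Normalization rules, applied in order. Literals become '?' so the same query
# shape with different parameter values yields the same fingerprint.
# (Assumption of this example: a real product parses the SQL grammar instead.)
_RULES = [
    (re.compile(r"'(?:[^']|'')*'"), "?"),             # string literals ('' is an escaped quote)
    (re.compile(r"--[^\n]*|/\*.*?\*/", re.S), " "),   # SQL comments
    (re.compile(r"\b\d+(?:\.\d+)?\b"), "?"),           # numeric literals
    (re.compile(r"\s*([=,()<>])\s*"), r" \1 "),       # pad punctuation so tokens separate
    (re.compile(r"\s+"), " "),                         # collapse whitespace
]


def fingerprint(sql: str) -> str:
    """Reduce a query to its shape: keywords and identifiers stay, literals become '?'."""
    shape = sql.strip().lower()
    for pattern, repl in _RULES:
        shape = pattern.sub(repl, shape)
    # An IN list of any length is one shape: IN ( ? , ? , ? ) -> IN ( ? )
    shape = re.sub(r"\( \?(?: , \?)* \)", "( ? )", shape)
    return shape.strip()


class QueryProfile:
    """Learned allowlist of query shapes per principal (application account or user group).

    Decisions are deterministic: a shape was either seen during learning or it was
    not. There is no score or threshold to tune, so a benign query that merely
    contains a scary keyword is never flagged once its shape has been learned.
    """

    def __init__(self, modes=None):
        self._shapes = defaultdict(set)
        # Enforcement can cover the whole profile or only some principals
        # (hypothetical mode names): "enforce" blocks unknown shapes,
        # "monitor" only alerts on them.
        self._modes = modes or {}

    def learn(self, principal: str, sql: str) -> None:
        self._shapes[principal].add(fingerprint(sql))

    def check(self, principal: str, sql: str) -> str:
        if fingerprint(sql) in self._shapes[principal]:
            return "allow"
        return "block" if self._modes.get(principal, "monitor") == "enforce" else "alert"


# Crude stand-in for a signature rule: alert on anything that "might" be an attack.
_SUSPICIOUS = re.compile(r"\bor\b|\bunion\b|--|;", re.I)


def keyword_heuristic(sql: str) -> str:
    return "alert" if _SUSPICIOUS.search(sql) else "allow"


# Constructed sample of normal traffic seen during the learning period.
LEARNING_TRAFFIC = [
    ("webapp", "SELECT id, name, email FROM users WHERE id = 42"),
    ("webapp", "SELECT id FROM users WHERE name = 'alice'"),
    ("webapp", "SELECT id FROM orders WHERE status = 'shipped' OR status = 'delivered'"),
    ("webapp", "SELECT sku, price FROM products WHERE sku IN ('A1', 'B2', 'C3')"),
    ("dba_team", "SELECT COUNT(*) FROM users"),
]

# Constructed live traffic: learned shapes with new values, plus injection attempts
# and one genuinely new query from the DBA group.
LIVE_TRAFFIC = [
    ("webapp", "SELECT id, name, email FROM users WHERE id = 99999"),
    ("webapp", "SELECT id FROM orders WHERE status = 'pending' OR status = 'paid'"),
    ("webapp", "SELECT sku, price FROM products WHERE sku IN ('Z9')"),
    ("webapp", "SELECT id FROM users WHERE name = '' OR 1=1 --'"),
    ("webapp", "SELECT id, name, email FROM users WHERE id = 42 UNION SELECT login, pw, '' FROM admins"),
    ("dba_team", "SELECT COUNT(*) FROM users -- nightly check"),
    ("dba_team", "SELECT * FROM users"),
]


def build_profile() -> QueryProfile:
    """Full enforcement for the application account, alert-only for the DBA group."""
    profile = QueryProfile(modes={"webapp": "enforce", "dba_team": "monitor"})
    for principal, sql in LEARNING_TRAFFIC:
        profile.learn(principal, sql)
    return profile


def run_comparison(profile: QueryProfile = None) -> list:
    """Return (principal, sql, profile_decision, heuristic_decision) for each live query."""
    profile = profile or build_profile()
    return [(p, sql, profile.check(p, sql), keyword_heuristic(sql)) for p, sql in LIVE_TRAFFIC]


if __name__ == "__main__":
    for principal, sql, prof, heur in run_comparison():
        print(f"{principal:9} profile={prof:5} heuristic={heur:5}  {sql}")
```

Running it shows the difference the article is describing: the keyword rule raises alerts on the legitimate `status = ... OR status = ...` query and on the DBA's commented nightly check (two false positives), while the learned profile allows both because their shapes were seen in training, blocks the two injection attempts because `OR 1=1` and `UNION SELECT` change the query's shape, and alerts on the DBA's never-seen `SELECT *` that the keyword rule misses entirely. The cost of this approach is the learning phase: a shape that was never learned will be flagged even if it is benign, which is why partial enforcement (monitor mode for a group whose traffic is still being modeled) exists.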