Databases That Learn
A new generation of security software studies the way people normally access a database to identify hackers.
Protecting sensitive corporate, medical, and government databases–filled as they are with everything from credit-card numbers to personal health histories–has traditionally been a matter of granting passwords to employees, and allowing varying levels of access depending on users’ job duties. But such measures haven’t always stopped sophisticated hackers or insiders who stray from their assigned areas.
The latest generation of software goes further: it learns about appropriate database usage patterns, and sounds an alarm if something anomalous happens.
Now Symantec, a leading maker of anti-virus software, is releasing its own learning-based database security product, after a year-long pilot project. The company says the software can protect against insiders, as well as outsiders who find their way past security features and help themselves to sensitive information.
“It learns the behavior of who is accessing what. You put it into ‘learn’ mode and it figures out who should be asking for what data. If there is an odd request–say, a large list of students’ social-security numbers, anything that’s not a normal procedure–administrators are notified,” says Carey Nachenberg, chief architect at Symantec Research Labs in Santa Monica, CA.
The technology can also be customized to alert administrators when a specific kind of request is made, such as one for multiple credit-card numbers.
Taken together, this approach could have advantages over traditional methods of database security, known as role-based access control. “Organizations have traditionally relied on access controls to meet confidentiality needs,” says Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University. “Security products typically focus on outsider attacks…but do not protect an organization from malicious insiders. This is one of the first products to address the insider threat.”
Symantec says the new technology, announced this week, can detect clever attacks from outsiders, too. For example, most online shopping sites have fields that allow users to search for products. But if just the right queries and characters–such as quotes or asterisks–are put in the right places in a search field, a harmless search for books or videos can become a successful theft of credit-card numbers in the company’s database. “This is a common attack, and many websites are vulnerable,” says Nachenberg. “In order to catch such a thing, I need to identify that a different query is being sent than what is normal.”
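The learn-then-protect idea described by Nachenberg above, both the insider case (a principal suddenly asking for a bulk list of social-security numbers) and the outsider case (a search field that turns into a different query than normal), as an added illustration that is not Symantec's code: queries are reduced to structural templates during a learn phase, and a query whose template the principal has never issued, or that trips a custom rule, raises an alert. The principals, tables and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed learn-mode log: (principal, query) pairs observed during normal use.
LEARN_LOG = [
    ("webapp", "SELECT title, price FROM products WHERE name LIKE 'harry potter'"),
    ("webapp", "SELECT title, price FROM products WHERE name LIKE 'matrix'"),
    ("billing", "SELECT card_number FROM cards WHERE customer_id = 4471"),
    ("registrar", "SELECT ssn FROM students WHERE student_id = 1012"),
]

# Constructed custom rules ("alert on a specific kind of request"): a name and a
# regex matched against the normalized template.
CUSTOM_RULES = [
    ("card numbers without a row filter", re.compile(r"CARD_NUMBER(?!.*\bWHERE\b)")),
]

# Constructed example of a search term that alters the structure of the query.
INJECTED = ("SELECT title, price FROM products WHERE name LIKE '' "
            "UNION SELECT card_number, 1 FROM cards --'")

def normalize(sql):
    """Reduce a query to its structural template: quoted strings and numbers
    become '?', so ordinary parameter variation yields the same template while
    a change in clauses, tables or operators yields a new one."""
    t = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals -> ?
    t = re.sub(r"\b\d+\b", "?", t)            # numeric literals -> ?
    return re.sub(r"\s+", " ", t).strip().upper()

def learn(log):
    """Learn mode: record which query templates each principal normally issues."""
    baseline = defaultdict(set)
    for principal, sql in log:
        baseline[principal].add(normalize(sql))
    return dict(baseline)

def check(baseline, principal, sql):
    """Protect mode: return the list of alert reasons (empty when the query is normal)."""
    template = normalize(sql)
    reasons = []
    if template not in baseline.get(principal, set()):
        reasons.append("novel query structure for " + principal)
    for name, pattern in CUSTOM_RULES:
        if pattern.search(template):
            reasons.append("rule: " + name)
    return reasons

if __name__ == "__main__":
    base = learn(LEARN_LOG)
    for principal, sql in [("webapp", INJECTED), ("registrar", "SELECT ssn FROM students"),
                           ("webapp", "SELECT title, price FROM products WHERE name LIKE 'dune'")]:
        print(principal, "->", check(base, principal, sql) or "ok")
```

A real product would also account for result volume and time of day; template novelty alone is the core of the learned baseline.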
While the concept is just emerging, Symantec is not the first to develop a technology around it. For example, two small companies–New York City-based Application Security and Acton, MA-based Lumigent–also make software that uses learning techniques to identify attacks and other unusual activity.
Symantec’s solution, known as Symantec Database Security, is the first product to come out of its Advanced Concepts Group within the research labs. The group develops more speculative technologies by operating like a startup getting off the ground: it builds a custom product for a handful of customers.
“The challenge for any large company is to build an entirely new product and bring it to market,” says Steve Trilling, vice president of research & advanced development at Symantec. “When you are shipping to millions of customers, there is an expectation that we will ship on 10 platforms, in 10 languages, with lots of documentation and a sales and marketing program. So I think there was some value in building something from the ground up using a different model.”
Identity theft is a big problem. In the first eight months of 2006, more than 116 data breaches were reported that put more than 65 million records at risk, the company says.