Data Protection

The document discusses the challenges of calculating ROI for IT security solutions. While most IT investments have straightforward ROI calculations, security solutions are focused on preventing losses rather than driving profits. The document explores ways to quantify benefits like reduced risk, compliance with regulations, and avoiding costly data breaches. It argues that viewing security as a form of risk mitigation and insurance can help businesses see the value beyond direct financial returns. Calculating ROI for security is difficult but demonstrating how investments can support business goals and reduce downtime is important.

Uploaded by

ppallavseo
Copyright
© Attribution Non-Commercial (BY-NC)
Data protection: the greatest threat is from trusted sources

Monitoring database access and transactions for suspicious activity


Most organisations' databases contain highly sensitive data, from employee information and customer lists to confidential product data and valuable intellectual property. As well as staff, many enterprises allow customers, suppliers and partners to access their databases, making them highly vulnerable. Websites are even more exposed, as they can be accessed by anyone online. Most organisations struggle to secure their databases, partly because effective controls can impact on how they do business. Database Activity Monitoring (DAM) systems can help by tracking database access and transactions for unusual behaviour. Intelligent DAM systems can also detect theft or fraud by insiders, enforce separation of duties for database administrators, and alert in real time to internal breaches or external attacks.

Why is DAM needed?

In the enterprise environment, relational databases are the most popular, and Microsoft SQL Server, Oracle and MySQL predominate. While the inherent security of these databases has improved in recent years, the way they are used leaves gaps that can be exploited. The most common form of attack is SQL injection, where malicious code is attached to a legitimate database statement and used against fully patched databases. Website pages that contain search fields or feedback forms are also vulnerable. These databases have their own auditing systems, such as SQL Server Trace and SQL Server connection auditing, but turning on full auditing would soon overwhelm the database server with excessive volumes of audit data. The presence of an audit file would also be visible, alerting an attacker to edit it and remove any trace of the attack. IT security practitioners acknowledge that the greatest threat to their data is increasingly from trusted sources, either through accident or malicious intent. More troubling is the possibility of abuse by database administrators, who are informed, privileged users with the skills to access all kinds of data.

Encryption of sensitive data is often suggested, but it doesn't actually solve the problem. Firstly, encryption requires major changes to applications and databases; and secondly, it doesn't protect against privileged users or hackers who know how to access application servers and back-end databases. It is for these reasons that DAM has gained so much momentum.
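To make the monitoring concrete, here is an added example, not from the white paper or from any DAM product, of the three kinds of check such a system applies to a database audit feed: separation of duties for DBAs, bulk reads by ordinary staff accounts, and statements carrying an injection-shaped tail. The audit records, the restricted-table policy, the row threshold and the signature patterns are all constructed assumptions.

```python
import re

# Constructed sample audit records: (user, role, table, statement, rows returned).
AUDIT_RECORDS = [
    ("app_svc", "app", "customers",
     "SELECT name FROM customers WHERE id = 42", 1),
    ("app_svc", "app", "customers",
     "SELECT name FROM customers WHERE id = 42 OR 1=1 --", 50000),
    ("dba_jane", "dba", "customers", "SELECT * FROM customers", 50000),
    ("dba_jane", "dba", "customers", "ALTER TABLE customers ADD col2 int", 0),
    ("clerk_bob", "staff", "customers", "SELECT email FROM customers", 48000),
    ("clerk_bob", "staff", "customers",
     "SELECT email FROM customers WHERE id = 7", 1),
]

# Assumed policy: DBAs may administer these tables but should not read their rows.
RESTRICTED_TABLES = {"customers"}
# Assumed baseline: a single read above this many rows is treated as a bulk export.
BULK_ROW_THRESHOLD = 10_000
# Assumed injection signatures: tautology, comment truncation, stacked statement.
INJECTION_PATTERNS = [
    re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.IGNORECASE),
    re.compile(r"--\s*$"),
    re.compile(r";\s*(DROP|EXEC|UNION)\b", re.IGNORECASE),
]


def analyse(records):
    """Return (user, rule, statement) alerts for records that break a rule."""
    alerts = []
    for user, role, table, stmt, rows in records:
        is_read = stmt.lstrip().upper().startswith("SELECT")
        # Separation of duties: a DBA reading data from a restricted table.
        if role == "dba" and is_read and table in RESTRICTED_TABLES:
            alerts.append((user, "dba_data_access", stmt))
        # Insider bulk export: an ordinary account pulling far more rows than normal.
        if role == "staff" and is_read and rows > BULK_ROW_THRESHOLD:
            alerts.append((user, "bulk_read", stmt))
        # Injection shape: a legitimate statement with a hostile tail attached.
        if any(p.search(stmt) for p in INJECTION_PATTERNS):
            alerts.append((user, "sql_injection_pattern", stmt))
    return alerts


if __name__ == "__main__":
    for user, rule, stmt in analyse(AUDIT_RECORDS):
        print(f"ALERT {rule:<22} user={user} stmt={stmt!r}")
```

The DBA's ALTER TABLE and the clerk's single-row lookup pass untouched, which is the point: the checks key on what the statement does and how much it returns, not on who is connected.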

Data Protection is a serious challenge for organisations that have to provide access to much of their data to customers, suppliers, partners and staff. Effective transaction monitoring should be a key part of your data protection strategy.

How do you demonstrate solid returns from IT security solutions?

ROI from IT security systems: the big impossible?


Most of your IT investments directly support the business of your organisation, so calculating a return on that investment is pretty straightforward. With IT security solutions, it's not nearly so simple. How do you calculate ROI on the investment you've made to protect your organisation's sensitive data? How do you put a value on compliance with industry regulations? How do you quantify the benefits of good information governance? It's much easier to calculate the cost of a data breach or a compliance breach: one example is the breach at Sony which brought down its PlayStation Network for 23 days; another is the Epsilon Interactive data breach in 2011 that may cost the email marketing services company up to 4 billion dollars. We'll touch on these breaches in this short white paper, but we'll also look at practical ways to calculate:

- How stronger IT security can support more robust business initiatives
- The operational gains available from increased IT security capacity
- The benefit of reducing security-related downtime in e-commerce networks
- The economic benefits of rapid recovery following a breach in network security

Defining the problem

When you look for advice on how to calculate ROI on IT security, you'll read about hard and soft costs, and see long debates about how to weigh intangible benefits against concrete costs. You'll run into fancy acronyms such as ROSI (Return on Security Investment), NPV (Net Present Value), IRR (Internal Rate of Return) and ALE (Annualized Loss Expectancy). "ROI has always been a bit of a murky issue," says a CERT podcast (in relation to IT security). After all, how do you prove a negative? How do you quantify the value of something that is less likely to happen if you spend lots of money to prevent it? That's the issue with IT security: investing more is usually not reflected in a bottom-line profit increase, but in a reduction in risk. To quote Bruce Schneier: "Security is about loss prevention, not about earnings." Organisations tend to insure against potential risks in many areas, and that's a valid way of looking at IT security: it's a form of business risk mitigation that reduces or prevents loss, and risk mitigation is insurance. This is a useful parallel to draw when discussing IT security with business managers or board members who ask why you're spending money on something they don't see any obvious returns from. One thing they don't want to see is headlines like the ones Sony suffered in 2011. The bad PR went on for months, but the value of Sony's shares dropped by $2 billion overnight. Investors react strongly to bad PR, as camera maker Olympus found out when its stock price plunged by 50% after its board was accused of sanctioning fraudulent accounting practices.

Summary
In many ways, IT security solutions are like insurance: it's more about preventing serious harm to organisations than about generating profits. In this series of articles, we'll show there are ways to calculate ROI on IT security solutions.
