Application Security, Inc. will be showcasing the latest
version of AppRadar at the RSA Conference in San Jose on February 13-17, 2006. AppRadar, a real-time intrusion detection and security auditing solution, enables
enterprises to defend against application vulnerabilities in real-time while
ensuring strict adherence to regulatory requirements.
While prompt support for the latest vulnerability is an important requirement
when evaluating a security/auditing solution, content and coverage should be
high on the list as well.
For example, coverage of both external and internal threats is crucial. While
it might be tempting to deploy a perimeter solution, the reality is that most
organizations have poked so many holes in their perimeter to give people access
to their applications that it is difficult to define exactly where the perimeter
is. Second, even if a perimeter can be defined, a solution sitting at the
perimeter cannot monitor the DBA and other administrators logged directly into
the database. This is a critical issue, especially with respect to compliance
requirements.
An equally important issue is context--an avalanche of nameless alerts is
useless. Whether you are monitoring security events such as the Voyager worm,
tracking misuse and abuse by an insider or an outsider, or watching for repeated
login attempts, actionability requires an audit trail of what happened, who did
it, what they did, when they did it and which systems were affected.
Different Auditing Approaches
There are three different approaches to database event monitoring/auditing, and
most of them fall short. Since coverage of both internal and external threats
is critical, perimeter-based solutions are no longer viable -- they cannot
monitor internal threats. Network-based solutions have their own limitation:
administrators working directly within the datacenter cannot be seen via the
network. In addition, network-based solutions can be expensive, considering the
cost of the hardware. Log-based solutions simply look at the database logs.
From a security or real-time alerting perspective, this is post mortem by
definition. Furthermore, daily log scanning could tax an already burdened
database, while weekly and especially monthly scans leave a large window between
the time someone takes the data and the time they do something with it.
Finally, log-based solutions are labor intensive and limited: if you need more
data than was captured in the log, you are out of luck.
AppRadar 3.0's focus is database security auditing and intrusion detection.
Vice President of Strategy Ted Julian states, "To our
knowledge we're the only solution that can audit all transactions while looking
for both misuse and security events. We are able to name those events and
explain them for what they are, as opposed to just creating a list of events
that may or may not be interesting without a lot of context." He went on
to say, "We don't introduce any reliability issues to the database nor
create load directly on the database."
New Features
AppRadar now offers Sybase and DB2 support in addition to MS
SQL and Oracle, which it already had.
The product is tightly integrated with AppDetective,
allowing organizations to specifically and automatically address the sensitive
gap between the identification of vulnerabilities and their remediation. For
example, a typical customer runs AppDetective to discover the databases in
their infrastructure, test their security posture, and begin to remediate some
of the issues. Given the number of issues typically found, the time it can
take to deploy patches, and so on, there are virtually always unaddressed
vulnerabilities left over. To monitor for these remaining vulnerabilities,
AppDetective can now create a custom AppRadar policy automatically tuned to the
customer's specific details, including: which databases are present; where they
are; what version is running; and which specific vulnerabilities are present.
From that moment forward, AppRadar throws alerts intelligently--issuing an alarm
only for databases which remain vulnerable. Databases that are already patched
are logged, but there is no need to throw a red-level alert.
Another cool feature is self-auditing. AppRadar 3.0 now
self-audits, throwing an alert on system start/system stop, configuration
changes, or anything else that would affect the creation of a reliable audit
trail.
Also new is ASAP Update Support, a one-click update process
whereby new policies or security updates are pushed out to customers.
Additional new features include:
- Huge scalability improvements
- Easier policy sharing
- Sybase and DB2 network intrusion detection
- Policy/filter import/export
- Scalability in events and GUI support
- Email response
- Improved reporting
- Failed-login frequency metrics rules for MSSQL
AppRadar 3.0 will be available in March and the pricing has
not changed--it starts at $12K. That breaks down to $10,000 for a perpetual
license for the console and $2K per sensor per year.