Application Security, Inc. will be showcasing the latest
version of AppRadar at the RSA Conference in San Jose on February 13-17, 2006. AppRadar, a real-time intrusion detection and security auditing solution, enables
enterprises to defend against application vulnerabilities in real-time while
ensuring strict adherence to regulatory requirements.
While prompt inclusion of the latest vulnerability is an
important requirement when looking for a security/auditing solution, content
and coverage should be high on the list as well.
For example, coverage of both external and internal threats
is crucial. While it might be tempting to deploy a perimeter solution, the
reality is that most organizations have so many holes poked into their
perimeter to give people access to their applications that it is difficult to
define exactly where the perimeter is. Secondly, even if a perimeter can be
defined, a solution sitting out at the perimeter will not be able to monitor
the DBA and other administrators logged directly into the database. Especially
relative to compliance requirements, this is a critical issue.
An equally important issue is context--an avalanche of
nameless alerts is useless. Whether you are monitoring security events, such
as the Voyager worm, tracking misuse and abuse of an insider or an outsider, or
repeated login attempts, actionability requires an audit trail of what happened,
who did it, what they did, when they did it and which systems were affected.
Different Auditing Approaches
There are three different approaches to database event
monitoring/auditing, and most of them fall short. Since coverage of both
internal and external threats is critical, perimeter based solutions are no
longer viable -- they cannot monitor internal threats. Network solutions have
their own limitations in that you cannot see administrators within the
datacenter via the network. In addition, network-based solutions can be
expensive, considering the cost of the hardware. Log-based solutions simply
look at the database logs. From a security or a real-time alerting
perspective, this is post mortem by definition. Furthermore, daily log scanning
could tax an already burdened database; while weekly and esp. monthly scans
allow a large window between the time someone takes the data, and then does
something with it. Finally, log-based solutions are labor intensive and
limited in that if you need more data than was captured in the log, then you
are out of luck.
App Radar 3.0's focus is Database Security Auditing and
Intrusion. Vice President of Strategy, Ted Julian states, "To our
knowledge we're the only solution that can audit all transactions while looking
for both misuse and security events. We are able to name those events and
explain them for what they are, as opposed to just creating a list of events
that may or may not be interesting without a lot of context." He went on
to say, "We don't introduce any reliability issues to the database nor
create load directly on the database."
AppRadar now offers Sybase and DB2 support in addition to MS
SQL and Oracle, which it already had.
The product is tightly integrated with AppDetective,
allowing organizations to specifically and automatically address the sensitive
gap between the identification of vulnerabilities and their remediation. For
example, a typical customer runs AppDetective to discover the databases in
their infrastructure, test their security posture, and begin to remediate some
of the issues. Given the number of issues typically found, the time it can
take to deploy patches, and so on, there are virtually always unaddressed
vulnerabilities left over. To monitor for these remaining vulnerabilities, AppDetective
can now create a custom AppRadar policy automatically tuned to the customers
specific details including: which databases are present; where they are; what
version is running; and which specific vulnerabilities are present. From that
moment forward, AppRadar throws alerts intelligently--issuing an alarm only for
databases which remain vulnerable. Databases that are already patched are
logged, but there is no need to throw a red level alert.
Another cool feature is self-auditing. AppRadar 3.0 now
self-audits, throwing an alert on system start/system stop, configuration
changes, or anything else that would affect the creation of a reliable audit
Also new is ASAP Update Support, a one-click update process
whereby new policies or security updates are pushed out to customers.
Additional new features include:
Huge Scalability Improvements
Easier policy sharing
Sybase and DB2 Network Intrusion Detection
Scalability in events and GUI support
Failed logins-MSSQL-frequency metrics rules
AppRadar 3.0 will be available in March and the pricing has
not changed--it starts at $12K. That breaks down to $10,000 for a perpetual
license for the console and $2K per sensor per year.