Bad Network!
NBAD systems use passive sensors to watch your network for strange behavior and attempt to determine who's doing what, and whether they should be doing it. Some IPS products have recently pulled in NBAD functionality, as have security event information management (SEIM) vendors.
We approve of this trend; NBAD is a valuable piece of an overall security architecture. For example, while the focus of an IPS is to block illegal activity, and the focus of SEIM is to log security events and incidents while watching those logs for anomalous behavior, NBAD tools watch for abnormal behavior on the wire, attempting to determine when some activity should be disallowed. If a host that's normally connected only to a database and a directory server suddenly starts creating connections to other machines, the NBAD should detect the activity. IPS and SEIM products are more likely to ignore such behavior, especially if the connections are few and the traffic appears benign.
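The host-profile case described above, as an added example that is not from the article or from any vendor named in it: a passive sensor learns which peers each host normally talks to, then flags connections to peers outside that profile regardless of how small or benign-looking the traffic is. The flow records, host names and time windows are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the article):
# (timestamp "HH:MM", src_host, dst_host, dst_port, bytes).
# app01 normally speaks only to a database (db01) and a directory server (ldap01).
FLOWS = [
    ("09:00", "app01", "db01", 5432, 4200),
    ("09:01", "app01", "ldap01", 389, 800),
    ("09:02", "app01", "db01", 5432, 3900),
    ("09:03", "app01", "ldap01", 389, 750),
    ("09:04", "app01", "db01", 5432, 4100),
    # Observation window: a few small connections to hosts never seen before.
    ("14:00", "app01", "db01", 5432, 4000),
    ("14:01", "app01", "fs07", 445, 310),
    ("14:02", "app01", "ws12", 445, 290),
    ("14:03", "app01", "ldap01", 389, 780),
]


def learn_baseline(flows, learning_end):
    """Build the 'who normally talks to whom' profile: for each source host,
    the set of (dst_host, dst_port) peers seen before learning_end.
    Timestamps are zero-padded HH:MM strings, so string comparison orders them."""
    baseline = defaultdict(set)
    for ts, src, dst, port, _ in flows:
        if ts < learning_end:
            baseline[src].add((dst, port))
    return baseline


def detect_new_peers(flows, baseline, learning_end):
    """Flag every flow after the learning window whose peer is outside the
    source host's baseline.  Byte counts are deliberately ignored: a single
    small SMB connection from a host that has only ever spoken to its
    database and directory server is the anomaly, however benign it looks."""
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        if ts >= learning_end and (dst, port) not in baseline.get(src, set()):
            alerts.append({"time": ts, "host": src, "peer": dst,
                           "port": port, "bytes": nbytes})
    return alerts


def run(flows=FLOWS, learning_end="12:00"):
    """Learn on the morning traffic, then watch the afternoon traffic."""
    return detect_new_peers(flows, learn_baseline(flows, learning_end), learning_end)


if __name__ == "__main__":
    for a in run():
        print(f"{a['time']} {a['host']} -> {a['peer']}:{a['port']} "
              f"({a['bytes']} bytes) not in baseline")
```

A volume-based IPS or a log-driven SEIM rule would see two short SMB sessions and nothing else; the profile-based check raises both because the peer is new, not because the traffic is large. A real deployment would age the baseline and require a minimum learning period before alerting.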
In time, NBAD as a standalone product will decline, as people consistently choose more complete architectures. We expect an increase in anomaly detection in SEIM products in 2007 and a move by NBAD vendors like Q1 Labs, Arbor Networks and Riverbed to be more firmly in the SEIM camp.
Still About The Data
The recent focus on external compliance issues has reinforced the view that protecting customer data is essential to your enterprise's health. Vendors have stepped up with products that attempt to detect, control and report on access to all of those databases you didn't know were out there (and yes, you do have them). On the surface, these products may seem superfluous: All major databases control access to specific tables and columns and generate logs that tell you who's doing what. But that built-in access control is very programmatic, rights-oriented protection, and its logging is neither intuitive nor resistant to tampering.
Database extrusion detection products by vendors such as Application Security and Imperva attempt to watch for common access violations. Why is the Southeastern U.S. sales rep dumping the entire Pacific Rim customer list? Why is that Web application server suddenly requesting 25 customer records at a time, instead of one? Add to this the increasing capability of these products to map internal user names to a Web application that normally uses a generic database login, and you've got a powerful tool that will find all known and unknown locations of your data, tell you who's requesting what through applications, and monitor for anomalies. These tools are a powerful addition to your arsenal, and will help you keep critical data in the hands of legitimate business users.
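The two access-violation questions posed above, as an added example that is not from the article or from any vendor named in it: the detector maps a generic application login back to the end user, compares each query's row count against that user's own history for the table, and checks whether the user's home region matches the region of the data touched. The audit records, session-to-user mapping and directory attributes are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed database audit records (not from the article):
# (timestamp "HH:MM", db_login, app_session, table, region_of_rows, rows_returned).
# The Web application always connects as the generic login "webapp"; the
# app_session value is what lets the detector attribute a query to a person.
AUDIT = [
    ("09:00", "webapp", "sess-a1", "customers", "SE-US", 1),
    ("09:01", "webapp", "sess-a1", "customers", "SE-US", 1),
    ("09:02", "webapp", "sess-b2", "customers", "SE-US", 1),
    ("09:03", "webapp", "sess-b2", "customers", "SE-US", 2),
    ("09:04", "webapp", "sess-a1", "customers", "SE-US", 1),
    ("09:05", "webapp", "sess-b2", "customers", "SE-US", 1),
    # Afternoon: the app server asks for 25 records at once, and a
    # Southeastern rep pulls a large Pacific Rim customer list.
    ("13:10", "webapp", "sess-a1", "customers", "SE-US", 25),
    ("13:30", "webapp", "sess-b2", "customers", "PAC-RIM", 1400),
]

# Constructed mapping learned by watching the application tier (assumption).
SESSION_USER = {"sess-a1": "appsvc-catalog", "sess-b2": "jsmith"}
# Constructed directory attribute: each user's home sales region (assumption).
USER_REGION = {"appsvc-catalog": "SE-US", "jsmith": "SE-US"}


def resolve_user(record):
    """Map the generic DB login to the real user via the app session;
    fall back to the DB login when no mapping is known."""
    return SESSION_USER.get(record[2], record[1])


def row_count_history(records, learning_end):
    """Per (user, table): the rows_returned values seen before learning_end."""
    hist = defaultdict(list)
    for r in records:
        if r[0] < learning_end:
            hist[(resolve_user(r), r[3])].append(r[5])
    return hist


def detect(records, learning_end, factor=10):
    """Return alerts for queries after learning_end that either return far
    more rows than the user's typical request on that table, or touch data
    from a region other than the user's own."""
    hist = row_count_history(records, learning_end)
    alerts = []
    for r in records:
        ts, login, _sess, table, region, rows = r
        if ts < learning_end:
            continue
        user = resolve_user(r)
        reasons = []
        typical = hist.get((user, table))
        if typical:
            med = statistics.median(typical)
            if rows > factor * med:
                reasons.append(f"{rows} rows vs typical {med:.0f}")
        home = USER_REGION.get(user)
        if home and region != home:
            reasons.append(f"{home} user read {region} data")
        if reasons:
            alerts.append({"time": ts, "user": user, "login": login,
                           "table": table, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT, "12:00"):
        print(f"{a['time']} {a['user']} (as {a['login']}) on {a['table']}: "
              + "; ".join(a["reasons"]))
```

Both alerts carry the real user name rather than "webapp", which is the point of the session mapping: the database's own log would attribute every query to the same generic login. The median-times-factor threshold is a deliberately simple baseline; the comparison is per user and per table so that a reporting account with a history of large pulls is not flagged for behaving normally.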
In addition, placing the application on an appliance that watches network protocols to determine activity, or copying and fingerprinting database logs, will make it difficult for malicious insiders to cover their tracks by tampering with log files. We're excited about this technology because it keeps your eyes on the important stuff. The few employees who may commit insider data theft will get tagged. The vast majority who are just trying to do their jobs will rarely notice the system. And people with legitimate business reasons for generating abnormal database activity can quickly explain their actions.