August 26, 2008
 Solution Needed: Breachometer
In the world of media, ratings are everything. It is the industry's lifeblood. Check the US TV buzz pulse here. Success and failure are determined by the ratings value: daily and weekly statistics, all based on statistical sampling.

When it comes to security and auditing, sampling is simply not good enough. The leaders at Fuji Television Network, Japan's leading television broadcasting company (they also broadcast Dragon Ball Z, ask your kids...), know that. One of the key reasons to select SecureSphere, according to Mr. Satoshi Morimoto, Manager of Information Security for Fuji Television Network, was that "SecureSphere provides us with full details on database queries and responses."

I was thinking about sampling versus accurate measurement in the light of the latest (today's yesterday's) customer data loss scandal: exclusive news by the Sunday Herald revealed the story of 8 million victims in the world's biggest cyber heist. But then the mentioned company denied the accusations, stating that it's not accurate and grossly unsubstantiated...

Computerworld provided both sides of the story in a way that creates a few more questions:
The website quotes a spokesman stating that there was "some evidence" of unauthorized access to customer data by someone using a valid employee username and password, but that the compromise was limited to just one property. It also added that just over a dozen customer records were exposed, and that it has found "no evidence to support the sensational claims" of a much wider and larger breach made by the Sunday Herald.

Then, PogoWasRight.org (excellent as always) provided additional details that support the company.

What's the story? Probably something happened, but it looks like either no one really knows what the exact details are or another kind of smoke screen is being used. There might have been a breach, but the company is probably unaware of its full size. Personally, I hope that this report is not true. I don't think that anyone needs 8 million or 7 million or any other number of records breached over a database hack or virus accessing the database in order to prove that Application Data should be secured.

Having said that, one of the first steps that should be taken when a breach occurs is to determine the full scope of the problem (last August, in Behind the Scenes: Data Breach Headlines Examined, the Imperva ADC provided some analysis of past breaches and advice on handling incidents).

In some cases, native logging that might have been sufficient to satisfy a PCI auditor is not enough to determine the full scope, especially in the case of malicious activity. Database Activity Monitoring solutions can provide the necessary insight into who was accessing the data, when and how, even if this person was authorized or even if he (or she) is a privileged user (such as a DBA or system administrator). The best approach is to use a combination of activity monitoring and a security solution (like SecureSphere).

In a way, even when used in monitoring-only mode (versus security gateway mode), it can be used as a special "Breachometer": a device that will always measure the right exposure without errors due to sampling or being compromised.
