Sharon's been writing a nice article about Dynamic Profiling lately. He's looking at it from the technical perspective, but driving home the other night listening to the news I heard an example of exactly what Dynamic Profiling is designed to do.
Apparently Obama's cell phone records have been repeatedly viewed without authorization. As a security professional, I am not at all surprised. I've seen this scenario so many times that I've learned to expect it. The fact is, when customers roll out their applications, they almost always over-privilege user and application access to databases. They want the application to work, but don't know yet who's going to use it and how, so they just write open authorizations. Makes sense. Until a year or two later when (for any number of reasons) the employees find a reason to snoop around the application, and bingo, you have a data breach.
This very scenario is what Dynamic Profiling helps you fix. It tells you what your users are really doing (and what you probably should have written as your authorization policy in the first place), then flags transactions that don't fit that profile. So one could easily imagine a number of scenarios where you could catch a bunch of users accessing Obama's information - multiple IP accesses to a specific table entry (Obama's cell phone record), unauthorized client access to the table, etc.
Note, this is a real Dynamic Profiling alert, but the data has been altered for this demonstration:
A scary question is how many other public officials or movie stars are having their records viewed? I don't know the exact answer, but it's one that Dynamic Profiling could tell you.
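A sketch of the profile-then-flag idea described above, covering the two scenarios the post names (a client that does not normally reach a table, and many source IPs reading one row). This is an added example, not the product's implementation; the record layout, names, threshold and sample data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit records: (user, client_app, source_ip, table, row_key)
LEARNING = [
    ("alice", "billing-app", "10.0.0.5", "call_records", "cust-1001"),
    ("alice", "billing-app", "10.0.0.5", "call_records", "cust-1002"),
    ("carol", "billing-app", "10.0.0.7", "call_records", "cust-1003"),
    ("bob",   "crm-app",     "10.0.0.9", "customers",    "cust-1001"),
]
LIVE = [
    ("alice", "billing-app", "10.0.0.5", "call_records", "cust-1001"),
    ("bob",   "sql-console", "10.0.0.9", "call_records", "vip-0001"),
    ("carol", "billing-app", "10.0.0.7", "call_records", "vip-0001"),
    ("alice", "billing-app", "10.0.0.5", "call_records", "vip-0001"),
]

def build_profile(events):
    """Learn which (client, table) pairs each user exercises in normal use."""
    profile = defaultdict(set)
    for user, client, _ip, table, _row in events:
        profile[user].add((client, table))
    return profile

def detect(profile, events, ip_threshold=3):
    """Flag out-of-profile access and rows read from many distinct source IPs."""
    alerts = []
    ips_per_row = defaultdict(set)
    reported = set()
    for user, client, ip, table, row in events:
        # Scenario 1: this user has never used this client against this table.
        if (client, table) not in profile.get(user, set()):
            alerts.append(("out_of_profile", user, client, table, row))
        # Scenario 2: one table entry is being read from many source IPs.
        key = (table, row)
        ips_per_row[key].add(ip)
        if len(ips_per_row[key]) >= ip_threshold and key not in reported:
            reported.add(key)
            alerts.append(("many_sources_one_row", table, row,
                           sorted(ips_per_row[key])))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_profile(LEARNING), LIVE):
        print(alert)
```

Note that every user in the second alert is individually within profile and fully authorized; only the aggregation per row exposes the snooping, which is why the open authorizations the post describes never catch it.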

