14 posts from September 2009
September 25, 2009
 SecureSphere's Approach to Audit & Compliance - Enter COBIT

SecureSphere report

Following a question from a prospect, I thought it would be useful to provide some insight into our approach to audit and compliance.

"SecureSphere addresses different business requirements based on its ability to secure and monitor transactions from the end user through the Web application to the database. SecureSphere offers complete data security and visibility: SecureSphere can identify the unique application users that performed database queries—even in multi-tier environments. This Universal User Tracking capability provides user accountability to database audit trails and compliance reports".

Different compliance regulations require monitoring of users, and in particular of privileged users and administrators: understanding how they behave, what they do, what data they accessed and what they actually viewed.
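The attribution problem behind the "multi-tier" remark above is that a database audit trail normally records the application's pooled service account, not the person who clicked the button. The following is an added example, not SecureSphere's mechanism or any Imperva code: it joins a constructed web-tier access log (end user plus a request id) with a constructed database audit log in which the application is assumed to tag each query with that request id in a SQL comment, and it flags pooled-connection queries that cannot be attributed, since those are the gap an auditor should see. The log formats, the `appsvc` service account and the comment-tagging convention are all assumptions.

```python
import re

# Constructed sample logs (not real product output).  The web tier records the
# authenticated end user and a per-request id; the database tier sees every
# application query arrive as the pooled service account "appsvc".
WEB_LOG = """\
2009-09-25T10:00:01Z req=a1f3 user=alice path=/accounts/123
2009-09-25T10:00:02Z req=b7c9 user=bob path=/reports/export
2009-09-25T10:00:05Z req=c0d2 user=alice path=/accounts/123/edit
"""

DB_AUDIT = """\
2009-09-25T10:00:01Z conn=17 dbuser=appsvc sql=SELECT * FROM accounts WHERE id=123 /* req=a1f3 */
2009-09-25T10:00:02Z conn=18 dbuser=appsvc sql=SELECT ssn, balance FROM accounts /* req=b7c9 */
2009-09-25T10:00:05Z conn=17 dbuser=appsvc sql=UPDATE accounts SET credit_limit=99999 WHERE id=123 /* req=c0d2 */
2009-09-25T10:00:09Z conn=3 dbuser=dba_joe sql=SELECT ssn FROM accounts
2009-09-25T10:00:11Z conn=18 dbuser=appsvc sql=DELETE FROM audit_log WHERE id < 1000
"""

POOLED_ACCOUNTS = {"appsvc"}   # assumption: accounts shared by the application tier
WEB_RE = re.compile(r"^(?P<ts>\S+) req=(?P<req>\w+) user=(?P<user>\w+)")
DB_RE = re.compile(r"^(?P<ts>\S+) conn=(?P<conn>\d+) dbuser=(?P<dbuser>\w+) sql=(?P<sql>.*)$")
TAG_RE = re.compile(r"/\*\s*req=(\w+)\s*\*/")   # assumed app-side query tag


def parse_web_log(text):
    """Map request id -> authenticated end user."""
    users = {}
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            users[m.group("req")] = m.group("user")
    return users


def attribute_queries(web_log, db_audit):
    """Join the two streams: one record per audited query, with the end user
    filled in where it can be determined and marked UNATTRIBUTED otherwise."""
    req_to_user = parse_web_log(web_log)
    records = []
    for line in db_audit.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        dbuser = m.group("dbuser")
        tag = TAG_RE.search(sql)
        if dbuser not in POOLED_ACCOUNTS:
            end_user = dbuser                       # direct DB login: the account is the person
        elif tag and tag.group(1) in req_to_user:
            end_user = req_to_user[tag.group(1)]    # pooled connection, tag resolved via web log
        else:
            end_user = "UNATTRIBUTED"               # pooled connection, no usable tag: audit gap
        records.append({"ts": m.group("ts"), "conn": m.group("conn"),
                        "db_user": dbuser, "end_user": end_user,
                        "sql": TAG_RE.sub("", sql).strip()})
    return records


def per_user_counts(records):
    """Number of audited queries per attributed end user."""
    counts = {}
    for r in records:
        counts[r["end_user"]] = counts.get(r["end_user"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = attribute_queries(WEB_LOG, DB_AUDIT)
    for r in rows:
        print(f'{r["ts"]} {r["db_user"]:8} -> {r["end_user"]:13} {r["sql"]}')
    print(per_user_counts(rows))
```

The last audit line is the one to notice: a destructive query over a pooled connection with no tag cannot be tied to any person, and a compliance report built only from `dbuser` would show it as "appsvc" and move on. Whatever correlation method is used (comment tags, session context, or an inline gateway that watches both tiers), the report needs an explicit UNATTRIBUTED bucket rather than silently defaulting to the service account.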

In order to address the many compliance requirements, SecureSphere uses the COBIT framework for its reporting:

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. (source: Wikipedia)

Using a single, well-known industry standard as the reporting framework provides several benefits:
  1. Organizations can integrate SecureSphere into their existing audit and compliance projects using consistent reporting.
  2. A SecureSphere administrator can add reports based on business requirements (even though SecureSphere ships with a library of several hundred reports).
  3. Adding out-of-the-box support for additional compliance mandates is straightforward.
Above all, ISACA does an excellent job of training practitioners, so building SecureSphere on a well-defined and widely known framework is also essential to establishing it as a standard tool for data activity monitoring, data security and compliance.


September 24, 2009
 Insider Threat White Paper: The Anatomy of an Insider - Bad Guys Don't Always Wear Black

Imperva announces new content dedicated to addressing insider threats.

The site includes a new white paper, The Anatomy of an Insider: Bad Guys Don't Always Wear Black, along with webcasts, insider threat podcasts that include candid interviews with former NSA Deputy Director Bill Crowell and an interview with Imperva CTO Amichai Shulman, as well as other insider threat material.

Download the free white paper.

Why have we put so much effort into addressing insider threats?

Sensitive data protection is essential to any effective security or compliance strategy. Traditional network security controls simply don’t protect sensitive data from insider threats. Purpose-built data security solutions can prevent, detect, and continually audit how users, including privileged users such as DBAs and system administrators, interact with sensitive data. Visibility into ordinary users and privileged users in terms of their interactions with mission-critical applications and databases gives organizations the ability to effectively mitigate risk by answering questions around the who, what, where, when, and how of insider threats.



September 23, 2009
 Shaking The PCI Security Standards Council Meeting

It's that time of the year again. No, I am not writing about the best time in a quarter (which is approaching very fast). It's time for the annual PCI Security Standards Council community meeting. Two years ago the meeting took place in Toronto. Last year in Miami and now in Las Vegas. It is very encouraging to see how the community evolved into a large, influential group. The number of active members and other participants that are passionate about PCI and data protection in general is growing very nicely. As one can imagine, there is a direct correlation between the number of data breaches and compromised credit card records and the number of PCI professionals :-( 

Christopher Novak from Verizon Business painted the (black) backdrop when he presented the 2009 Data Breach Investigations Report (DBIR). The report has been discussed in detail elsewhere, including on this blog, but some points deserve highlighting, because as PCI gains momentum we need to keep educating people about data security challenges:

  1. Most breaches, and nearly all stolen records, are attributed to external sources.
  2. More than 90% of breached records are attributed to organized crime.
  3. Of the 284 million records compromised last year, most of the damage came from external sources.
(It should be noted however that stats are a funny thing indeed. Conversations I've had with Brian Contos - Imperva's Chief Security Strategist - suggest that a greater number of breaches are actually internally sourced. And if you combine partners along with employees, contractors, etc. as the group considered "insiders" - as they all have elevated levels of trust and access - then the great majority of successful breaches occur from insiders - at least the ones we know about. Brian further suggests that these breaches are a combination of malicious, careless or negligent activity; they aren't all "bad guys." Finally, Brian cites some stats that show that in many cases - even when the number of attacks from outsiders might be higher - the number of records stolen and the dollar amounts are much greater when the attack or mistake is from someone within.

To quote Brian, "When it comes to insiders and outsiders the terms are losing meaning; it's about data security regardless of the source. If we agree that data is valuable and data mostly resides in databases, and we also agree that most users interact with that data via Web applications, then prudence dictates that safeguards be applied at the Web application and database layer."

Okay - so let's get back to Mr. Novak's findings.)

Continue reading "Shaking The PCI Security Standards Council Meeting " »


 Imperva CEO - Shlomo Kramer talks with USA Today about the Ponemon PCI Study

Read Mr. Kramer's feedback to USA Today

Listen to the Dr. Larry Ponemon Podcast and Read the Transcript

Download the Survey Results

Snippet From USA Today

The Ponemon Institute and Imperva today released more evidence showing how the Payment Card Industry Data Security Standards are having a limited effect in keeping your credit and debit card information safe.

Ponemon and Imperva surveyed more than 500 companies that boast combined annual revenues of $5.6 billion.

Heartland "went through the motions without actually implementing a meticulous and rigorous data security program," says Imperva CEO Shlomo Kramer. "Companies that don’t use PCI as a strategic initiative will cover only credit card numbers and not other data that's equally problematic to lose like Social Security numbers."



 Imperva Podcast and Survey Results on PCI DSS with Dr. Larry Ponemon of the Ponemon Institute

Listen to the Podcast and Read the Transcript

Download the Survey Results

On this episode of the Imperva Security Podcast, Dr. Larry Ponemon of the Ponemon Institute discusses the results of his latest PCI DSS survey. He talks about a number of fascinating and sometimes anomalous statistics from the survey results, and shares his views and leanings. Dr. Ponemon addresses questions such as:

  • Can consumers rely on companies to protect their credit card information?
  • How has PCI affected security budgets?
  • Which PCI approaches work and which ones don't?
  • How do smart companies manage the cost and get the most out of PCI?

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

Dr. Ponemon consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws.

Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelors with Highest Distinction from the University of Arizona, Tucson, Arizona.



September 21, 2009
 Imperva at the 2nd Annual Critical Infrastructure Conference in Calgary Canada

On Tuesday September 29th, 2009 I'll be presenting at the Critical Infrastructure Conference in Calgary.  My session is in two parts:  1) Hacking into Web application and databases, and 2) Stopping people from hacking into Web applications and databases.  The entire presentation is geared toward the particular needs of organizations that operate critical infrastructure environments - i.e. energy, oil & gas.

Some of the information I'll be covering is discussed at a high level within the Imperva Solutions by Industry for Energy page, and the corresponding solution brief for the electric industry.

Hope to see you there.



 Imperva Podcast on Insider Threats with CTO Amichai Shulman

On this episode of the Imperva Security Podcast Amichai Shulman – CTO and Co-founder of Imperva talks about Insider Threats. He explores the differences between careless and nefarious insiders and talks about the difficulties of managing risks surrounding privileged users. He also discusses several threat mitigation strategies. This episode complements another insider threat Imperva Security Podcast with Bill Crowell - former NSA Deputy Director.



September 18, 2009
 Imperva Webcast - Anatomy of a Database Attack
Register here

Date: September 30, 2009
Time: 11:00 AM PDT | 2:00 PM EDT

Corporate databases and their contents are under siege. From outside the organization, criminals can exploit web applications to steal confidential information for financial gain. From the inside, databases can be compromised by employees and contractors with malicious intent. SQL Injection, platform vulnerabilities, buffer overflows...databases are vulnerable to a myriad of threats and attack vectors.

Imperva CTO Amichai Shulman will use live demonstrations to trace the steps involved in breaking into a database, and present a reference architecture and checklist for implementing iron-clad database security measures. Specific topics covered during this webinar include:
  • The 5 steps for attacking a database
  • Key techniques for obtaining database credentials, such as brute force and exhaustive search
  • Primary database attack methods, such as lateral SQL injection and buffer overflow
  • Covert tactics used by database attackers to cover their tracks and avoid detection
Presenters: Amichai Shulman, CTO & Brian Contos, Chief Security Strategist



September 16, 2009
 Spicy Food Challenge 7 Seattle Washington

On this spicy food challenge, another co-worker from Imperva and I head out for the spiciest chicken wings in Seattle Washington at the Wing Dome.

You can view the other spicy food challenges here:

One, Two, Three, Four,  Five, and Six


September 15, 2009
 Party Like There Are No Bugs

Next month, Oracle will host its annual conference in San Francisco. We will be there of course:

Oracle OpenWorld is probably one of the largest technology-driven events in the US. About 60,000 attendees will visit the 400-partner expo, try hands-on labs, join 1,800 sessions, watch demos, enjoy networking events and more. The event is planned many months ahead and is a major marketing event. In fact, it is so big and important that Oracle decided to delay its planned security patch cycle by one week since "many Oracle customers with responsibility for deploying the Critical Patch Update within their respective organizations will be attending Oracle OpenWorld." (announcement here)

Indeed it makes sense. I wonder if anyone is looking at future CPU dates just to make sure that they do not happen to fall on a holiday....



