Following a question from a prospect, I thought that it would be useful to provide some insight into  our approach for audit and compliance. 

Imperva announces new content dedicated to addressing insider threats.

The site includes a new white paper - The Anatomy of an Insider:  Bad Guys Don't Always Wear Black, webcasts, insider threat podcasts that include candid interviews with the former Deputy Director of the NSA Bill Crowell, and an Interview with the CTO of Imperva - Amichi Shulman, as well as other insider threat material.

Download the free white paper.

Why have we put so much effort into addressing insider threats?

Sensitive data protection is essential to any effective security or compliance strategy. Traditional network security controls simply don’t protect sensitive data from insider threats. Purpose-built data security solutions can prevent, detect, and continually audit how users, including privileged users such as DBAs and system administrators, interact with sensitive data. Visibility into ordinary users and privileged users in terms of their interactions with mission-critical applications and databases gives organizations the ability to effectively mitigate risk by answering questions around the who, what, where, when, and how of insider threats.

It's that time of the year again. No, I am not writing about the best time in a quarter (which is approaching very fast). It's time for the annual PCI Security Standards Council community meeting. Two years ago the meeting took place in Toronto. Last year in Miami and now in Las Vegas. It is very encouraging to see how the community evolved into a large, influential group. The number of active members and other participants that are passionate about PCI and data protection in general is growing very nicely. As one can imagine, there is a direct correlation between the number of data breaches and compromised credit card records and the number of PCI professionals :-( 

Christopher Novak from Verizon Business provided the (black) color background when he presented the 2009 Data Breach Investigation Report (DBIR), a document that was discussed in detail in different places, including this blog, yet there are some points that should be highlighted as it seems that as PCI gains more momentum we need to continue to educate people about data security challenges:

1. Most breaches and nearly all records stolen are a result of “external sources” activity.
2. 90%+ of breached records attributed to organized crime activity. 
3. Of the 284 million records that were compromised last year, most damages from external sources

(It should be noted however that stats are a funny thing indeed. Conversations I've had with Brian Contos - Imperva's Chief Security Strategist - suggest that a greater number of breaches are actually internally sourced. And if you combine partners along with employees, contractors, etc as  the group considered "insiders" - as they all have elevated levels of trust and access, then the great majority of successful breaches occur from insiders - at least the ones we know about. Brian further suggests that these breaches are a combination of malicious, careless or negligent activity; they aren't all "bad guys."  Finally, Brian sites some stats from InfoSecurityAnalysis.com that show that in many cases - even when the number of attacks from outsiders might be higher, the number of records stolen, and the dollar amounts are much greater when the attack or mistake is from someone within. 

To quote Brian, "When it comes to insiders and outsiders the terms are losing meaning; it's about data security regardless of the source. If we agree that data is valuable and data mostly resides in databases, and we also agree that most users interact with that data via Web applications, then prudence dictates that safeguards be applied at the Web application and database layer."

Okay - so let's get back to Mr. Novack's findings.)

Read Mr. Kramer's feedback to USA Today

Listen to the Dr. Larry Ponemon Podcast and Read the Transcript

Download the Survey Results

Snippet From USA Today

Read Mr. Kramer's feedback to USA Today

Listen to the Dr. Larry Ponemon Podcast and Read the Transcript

Download the Survey Results

Listen to the Podcast and Read the Transcript

Download the Survey Results

On this episode of the Imperva Security Podcast Dr. Larry Ponemon of the Ponemon Institute discusses the results of his latest PCI DSS survey. He talks about a number of fascinating and sometimes anomalistic statistics from the survey results, and shares his views and leanings. Dr. Ponemon addresses questions such as:

• Can consumers rely on companies to protect their credit card information?
• How has PCI affected security budgets?
• Which PCI approaches work and which ones don't?
• How do smart companies manage the cost and get the most out of PCI?

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

Dr. Ponemon consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also an appointed to two California State task forces on privacy and data security laws.

Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelors with Highest Distinction from the University of Arizona, Tucson, Arizona.

Listen to the Podcast and Read the Transcript

Download the Survey Results

On Tuesday September 29th, 2009 I'll be presenting at the Critical Infrastructure Conference in Calgary.  My session is in two parts:  1) Hacking into Web application and databases, and 2) Stopping people from hacking into Web applications and databases.  The entire presentation is geared toward the particular needs of organizations that operate critical infrastructure environments - i.e. energy, oil & gas.

Some of the information I'll be covering is discussed at a high level within the Imperva Solutions by Industry for Energy page, and the corresponding solution brief for the electric industry.

Hope to see you there.

On this episode of the Imperva Security Podcast Amichai Shulman – CTO and Co-founder of Imperva talks about Insider Threats. He explores the differences between careless and nefarious insiders and talks about the difficulties of managing risks surrounding privileged users. He also discusses several threat mitigation strategies. This episode complements another insider threat Imperva Security Podcast with Bill Crowell - former NSA Deputy Director.

On this spicy food challenge, another co-worker from Imperva and I head out for the spiciest chicken wings in Seattle Washington at the Wing Dome.

You can view the other spicy food challenges here:

One, Two, Three, Four,  Five, and Six

Next month, Oracle will host its annual conference in San Francisco. We will be there of course: