
By Ellen Messmer
Guardium’s S-GATE blocks privileged users based on detailed controls, rather than simply flagging activities with a warning to the security manager. A number of publicized data breach disclosures linked to insider attacks, including the one made by the Certegy division of Fidelity National Information Services last year, have highlighted the damage that a rogue database administrator can do through abuse of power. Guardium’s add-on to its S-TAP software, dubbed S-GATE, runs on any database server.
by Jennifer Bosavage, CRN ChannelWeb
The financial crisis that struck Wall Street giants Lehman Brothers and Merrill Lynch as well as insurance behemoth AIG has many solution providers shaking their heads in dismay.
“Projects that are focused on reducing costs will get higher priority especially if they can show a clear ROI,” Phil Neray, vice president at database security company Guardium said. “In part, those will have to do with reducing compliance cost. For example, many companies initially instituted simple, manual approaches to SOX, so they are now looking at automating those controls.”
Products that can enable customers to implement new business initiatives will have legs.
“For example, bring a new SOA solution to allow partners to have a more efficient online ordering system. So there’s not only opportunity for that kind of product, but also the security that goes along with it. As more infrastructure is opened up, the right security must be put in place,” said Guardium’s Neray. “Many financial services companies have outsourced day-to-day operations to offshore facilities. The right security and controls are needed around those DBAs.” A layer of security is needed by many companies to protect against intrusion, whether accidental or intentional.
by Eric Athas, StorefrontBacktalk
Almost a year ago, California Gov. Arnold Schwarzenegger vetoed a controversial state breach bill that would have forced retailers to reimburse financial institutions for replacing compromised credit and debit cards.
But in Schwarzenegger’s veto message to the State legislature, he specified that it was the reimbursement provision that he objected to, not the bill itself. Although the bill had more than enough votes to sustain an override of the veto, legislative backers opted instead to recraft the bill without that provision.
Phil Neray, VP of Guardium, a database security company, praised the bill, saying it would motivate retailers to apply tighter standards to data security. “I think what we’re seeing in California is frustration with the pace in which retailers are being compliant with PCI,” Neray said.
by Deb Radcliff, SC Magazine
Portable media devices are being used to lift corporate data, but there are tools to defend against this practice.
Two years ago, the 17,000-member South Western Federal Credit Union (SWFCU) began hearing about internal data breaches among peer institutions and began to overhaul its data protection measures. The result is a locked down organization where critical data is blocked from being copied outside the protected boundaries – particularly through USB ports.
“Start at the database by controlling and monitoring access, since the data must first be drawn from the database to the endpoint before it can pass through the USB port,” says Phil Neray, vice president of Guardium, a database activity monitoring company. Set simple controls, such as manager sign-off on downloads of over 10 records, he adds. “A lot of our customers have policies in place about what people are allowed to see and download and store on their local machines,” he says. “What’s lacking is a way to automate that to any degree of granularity.”
by Linda Musthaler, Network World
Two enterprise security platforms designed to protect corporate data: Guardium and Vontu
Technology Executive Alert
“It’s the data, stupid.” OK, the phrase is not quite catchy enough to become a must-have bumper sticker, but it’s a mantra for every organization with sensitive information. Today’s article looks at two enterprise security platforms designed to protect corporate data. Guardium focuses on securing the data and actions involving databases, and Symantec’s Vontu platform provides data loss prevention on the network, at the endpoint, and in storage devices.
Guardium’s technology platform (also called Guardium) safeguards databases and enterprise applications. It uses policy-based controls and anomaly detection to prevent unauthorized activities by potential hackers, privileged insiders, and end users of enterprise databases and applications such as Oracle EBS, PeopleSoft and SAP. All user activities are monitored, including those by privileged users, application users, DBAs accessing databases directly, remote developers, and even batch processes.
by Thomas Claburn, InformationWeek
One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.
The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.
A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.
According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review’s Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.
Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported.
Phil Neray, VP marketing at Guardium, a database security firm, said the problem lies in management. “Boards of directors and management teams have not made [data protection] a priority in many, many companies,” he said. “The reason why this has to come from the top is that in many cases you’re asking business units to change bad business practices. And you need budgets [to invest in database protection].”
by Melanie Rodier, WallStreet Technology
Guardium’s Phil Neray offers guidance on preventing insider data theft.
Financial Firms Try to Protect Themselves Against the Insider Job
The threat of insider fraud appears to be increasing. Insider data theft accounted for nearly 16 percent of all data breaches in 2008, up from 6 percent a year earlier, according to a study by the Identity Theft Resource Center. And perhaps more alarming, customer data stolen by an employee is misused more frequently than data obtained through an external breach, a recent study by ID Analytics reveals.
Phil Neray, VP of database security company Guardium, says there are two main reasons for the rise in the insider threat: Demand for sensitive corporate data has increased, and there is now a thriving black market where fraudsters can buy and sell this type of data.
“Also, most corporations have spent the last 10 years focusing on tighter controls around the perimeter of networks,” Neray adds. “It’s getting harder to break into firms from the outside in traditional hacking attacks, so the bad guys are focusing on how to use insiders to get to the data.”
by Cristina Molina, Business News Americas
Ron Bennatan, Ph.D., CTO and VP/Guardium
Companies are showing increased interest in having several layers of security to protect information. And as the information is mainly located in databases, the opportunities for companies such as database security solutions provider Guardium are constantly increasing.
High ranking executives from Guardium were recently invited to a security seminar that took place in Santiago, Chile, organized by Chilean IT security solutions provider Neosecure. BNamericas spoke with Guardium’s CTO and VP Ron Ben-Natan.
“There are a lot of places where you can invest in security, and one thing that people try to solve is leakage of data. There are many more issues regarding direct access to the repository, direct access to the database. So we are saying ‘the data sits inside the database, how do we guarantee there is no unauthorized access?’ And even when it leaves the database on a pen drive or in an email it started inside the database, so the question is how did it get onto somebody’s desktop so they could put it on an email? Today the hardest problem is direct access to the database and new regulations are looking at how to control the data inside the database itself … It is all about making it easier, more practical, and making it cost less.”
by Megan Bearly, SQL Server Magazine
With SQL injection attacks and data thefts happening more and more frequently, many companies are looking for a solution that not only provides database activity monitoring and alerting functionality, but also preventative control over who can access data. Recently, I spoke with Phil Neray, Guardium’s vice president of strategy, about Guardium 7.0 and S-GATE, which provide granular control over data access.
According to Neray, this product provides a practical way to enforce data access policies. Guardium 7.0 also includes vulnerability assessment functionality that monitors for various vulnerabilities and threats. Guardium 7.0 even monitors encrypted data. In addition, this product ships with more than 100 preconfigured best practice reports for SOX and PCI compliance.
S-GATE lets you block privileged users, such as DBAs, from accessing sensitive data, without having to worry about whether you’re blocking legitimate access as well. This product includes real-time preventive controls, continuous access policy enforcement, and fine-grained auditing.
by Kelly Jackson Higgins, Senior Editor, Dark Reading
The FBI has busted a former Countrywide Home Loan worker who is suspected of downloading the personal data of some 20,000 customers a week over a period of two years and selling it to third parties.
According to a published report, the data may have been sold to companies that wanted to offer their own loans to the Countrywide victims. Up to 2 million Countrywide customer names were “run and sold,” according to the report.
Phil Neray, vice president at Guardium, says Countrywide’s breach was caused in part by a lack of proper internal controls. “The lack of internal IT controls is perhaps indicative of a corporate culture that was less focused on internal controls than other objectives,” Neray says.
Bank Technology News
By now you’ve heard the news that law enforcement nationwide has indicted 11 members of a global crime ring, charging three Americans and a variety of foreigners with stealing the data of more than 40 million cardholders from TJX and eight other national merchants.
The indictments make up what is being billed as the biggest bust of its kind.
“I think the most interesting piece of news is that the authorities linked so many cases to the same ring. There was always speculation that the same criminals were perpetrating multiple crimes—now they finally proved it,” says Avivah Litan, Gartner analyst. “But what was equally interesting is that a few of the well-publicized breaches, such as the breach against Card Systems International and Ralph Lauren Polo, weren’t connected by these indictments. I had expected them to be.”
Some highlights of the news:
— The alleged ringleader, Albert Gonzales of Miami, was on the payroll as a Secret Service confidential informant, but was playing both sides. Not only was Gonzales continuing his own life of crime while working as an informer, reports indicate he was also tipping his criminal confidants off to law enforcement info he became privy to.
— A number of the nine retailers the 11 are accused of infiltrating—including Boston Market and Barnes and Noble— were quoted in various publications saying they had no idea, or confirmation, that they had been breached. This indicates that they didn’t have monitoring controls to identify anomalous transactions like large downloads of credit card numbers or access from unauthorized applications and locations, says Phil Neray, vp at database security vendor Guardium.
by Erika Morphy, CRM Buyer magazine
“Data security” may soon rank right up there alongside “military intelligence” as an oxymoron of the high-tech era. If it’s not lost or stolen laptops, it’s hackers breaking into sloppy networks—or perhaps thousands of unwitting music lovers sharing sensitive corporate secrets along with the latest hot tracks.
Monitoring what employees are doing may be the most urgent piece that companies need to address, said Phil Neray, vice president of marketing at Guardium. Many companies have established some type of security policy, at least on paper, he told CRM Buyer. “What they haven’t done is implement what Gartner calls ‘content monitoring software’—products that examine network traffic and specific protocols to identify suspicious behavior,” Neray said. “These products have been in the market for at least a few years, but it has only been recently that adoption has begun to take off.”
This particular incident was bad, especially considering how long it took for the information to be taken down, he continued. “It could have been much worse though—too many people still don’t realize the dangers of using P2P networks. Now, can you imagine if this employee had worked for a credit card company or a bank or insurance company? It wouldn’t have been a couple of thousands of names out there—but tens or hundreds of thousands.”
by Gautham Nagesh, Government Exec magazine
The security breach that led to the loss of personal information for 800 clients of a Washington-area investment firm, including that of Supreme Court Justice Stephen Breyer, is becoming increasingly common in the federal government, according to a peer-to-peer intelligence company.
The trend to outsource more government work also has led to more security breaches. “More outsourcing means trusting a third party with the data. Forty to 60 percent of breaches are from a third party. Smaller organizations don’t have the kind of IT oversight that bigger companies have. For most companies, these organizations are the weak links in the chain.”
“You need three things: people, process and technology,” said Phil Neray, vice president of marketing at database security company Guardium. “Educate the people about what’s not acceptable, have a process and policies in place to deal with it, and technology to enforce the policies. If you only implement one of the three, you’re not going to be effective in preventing unauthorized behavior.”
by Jaikumar Vijayan, Computerworld
Wagner Resource Corp. recently learned the hard way what Pfizer Inc. and many other companies have similarly discovered in the past: installing peer-to-peer file-sharing software on corporate computers is a bad idea. The Alexandria, Va.-based investment firm last week had to notify about 2,000 of its clients that their names, Social Security numbers and birth dates had potentially been exposed on the LimeWire P2P network. Among the individuals whose personal data was exposed in the Wagner compromise was Supreme Court Justice Stephen Breyer.
“The key to limiting P2P exposures is to have not just the proper controls in place but also policies for enforcing them,” said Phil Neray, a vice president at database security software vendor Guardium Inc. in Waltham, Mass. It’s hard to completely prevent employees from downloading P2P software, because some people will find a way around the controls, Neray said. So, he added, the focus should be more on monitoring and filtering the content that is traveling into and out of corporate networks, in order to stop sensitive data from leaking out.
by Dan Kaplan
In this brief podcast, Phil Neray, vice-president of marketing at Guardium, breaks down the Walter Reed Medical Center peer-to-peer data breach and offers up suggestions for organizations needing to protect sensitive data, including monitoring data extracts from databases holding sensitive information (as mandated by OMB 06-16). The podcast also discusses how preventive controls can enforce data access policies, and the differences between data leak prevention (DLP) and database activity monitoring (DAM).
by Sue Marquette Poremba
A data breach involving Walter Reed Medical Center and other military hospitals has exposed the personal information of nearly 1,000 patients. “One of the biggest problems is monitoring contractors,” said Phil Neray, Guardium vice-president of marketing. “Outsourcers are given access to a lot of information, and too often, they aren’t being monitored.”
by Andy Greenberg
The old protection strategy of trying to harden the outside of companies’ networks to protect against hacker threats--what security researcher Bill Cheswick once called the “crunchy outside with a soft, chewy center” approach--is giving way to a new strategy: safeguarding the data itself. Instead of trying to fortify the perimeter of the company’s network, some security technologies are aiming to evaluate the sensitivity of individual pieces of information and then apply security directly to movable chunks of information.
[One of the] data-centric segment[s] of the security industry involves monitoring the activity that happens around databases and major applications. For instance, Waltham, Mass.-based Guardium [offers] software that classifies data by modeling their movement and watching for anomalies that might be signs of penetrations or insider misbehavior.
Information-centric security won’t stop all data leaks, says Rich Mogull, an independent security consultant and founder of Securosis. But the overall movement toward protecting information rather than building walls around networks is a major step in reducing risk, he says. “In a 7-Eleven, there’s never more than a few hundred dollars in the register. The rest is in the safe, and even that’s guarded by cameras,” Mogull says. “Companies are applying risk-reduction controls to our sensitive information based on the information itself. That’s why this is so different.”
Most small and mid-sized businesses that build and administer databases focus on performance and availability. Security is usually an afterthought. Until you read the headlines about the well-publicized data breaches. And yet, database administrators (DBAs) probably only spend 7 percent of their time tending to database security, estimates Noel Yuhanna, principal analyst for database security at Cambridge, Mass.-based Forrester Research.
Which brings us to another tough statistic—a January 2007 Forrester Research report estimated that 70 percent of all database breaches involve insiders … DBAs should seek out the newest database security releases instead of relying on what’s on their systems now, says Forrester’s Yuhanna. For example, the latest offerings from Oracle, IBM, SQL Server, and Guardium offer far more advanced features. Guardium’s appliance, for example, features continuous tracking of all database activity, including failed logins, and includes an email alert service that can let others know of any suspicious activity.
A software security researcher has exploited a flaw in the sex offender registry webpage operated by the Oklahoma Department of Corrections. The vulnerability, caused by a SQL query in the page’s URL, allowed the researcher to download the Social Security numbers of more than 10,000 individuals. The URL pointing to the DoC site contained a SQL query string, in addition to the site’s address. The SQL query string gave the visitor direct access to the SQL database containing the sex offenders’ registry, which includes the name, address and other identifying information of sex offenders as mandated by federal law.
Phil Neray, vice president of marketing at security vendor Guardium, agreed with [security researcher Alex] Papadimoulis on the poor coding practices. “The people who wrote the web application made some basic mistakes in how they wrote it, specifically in the case of SQL injection,” he told SCMagazineUS.com. “You need to verify the input from web application before forwarding the query to the database, and obviously they were not doing that.”
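The input-verification point Neray makes above, as an added example (not code from the article, the Oklahoma site, or Guardium): a lookup written by pasting the request value into the SQL text, beside the same lookup hardened with an allowlist check and a bound parameter. The `registry` table, its rows and the `NAME_RE` pattern are constructed for the demonstration and are not real records.

```python
import re
import sqlite3

# Constructed sample data for the demonstration: a tiny registry-style
# table with fictitious names, addresses and SSNs (not real records).
SAMPLE_ROWS = [
    ("Alice Example", "100 Main St", "111-11-1111"),
    ("Bob Sample", "200 Oak Ave", "222-22-2222"),
    ("O'Brien Test", "300 Pine Rd", "333-33-3333"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registry (name TEXT, address TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO registry VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """The mistake the article describes: the request value is concatenated
    straight into the SQL text, so the database parses it as SQL."""
    sql = "SELECT name, address FROM registry WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Assumed allowlist for a person-name field: letters, spaces, dots,
# apostrophes and hyphens, at most 64 characters. Tune it to the real field.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")


def lookup_safe(conn, name):
    """Hardened form: verify the input before it reaches the database, then
    bind it as a parameter so it can only ever be compared as data."""
    if not NAME_RE.match(name):
        raise ValueError("input rejected by allowlist")
    sql = "SELECT name, address FROM registry WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (unsafe_rows, safe_rows);
    the string 'error' stands in for a lookup that raised."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error:
        unsafe = "error"
    try:
        safe = lookup_safe(conn, name)
    except ValueError:
        safe = "error"
    return unsafe, safe


if __name__ == "__main__":
    for probe in ("Alice Example", "O'Brien Test", "x' OR '1'='1"):
        print(repr(probe), compare(probe))
```

Two things are worth noticing when the three probes are run. A legitimate name containing an apostrophe breaks the concatenated query outright (a plain availability bug), while the parameterized query handles it. The tautology probe makes the concatenated query return every row in the table, whereas the hardened lookup rejects it at the allowlist before any SQL is sent; even without the allowlist, the bound parameter would have compared the whole string as a literal and returned nothing.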
Protecting the secrets of a uranium enrichment plant should be enough to keep any CIO very busy. But when Sarbanes Oxley mandated even tougher controls on databases containing key financial information, David Vordick, CIO of USEC, a $1.9 billion public company that operates a gaseous diffusion plant in Paducah, Ky., knew he was going to get even busier.
USEC chose a best-of-breed database security appliance by Guardium, plus point products from other vendors, largely because the defense in depth strategy meant that the convenience of deploying and managing a single device was outweighed by the fear of creating a single point of failure, Vordick says. Moreover, USEC sought a security appliance that would serve as a check on IT employees with privileged database access who might seek to view or change data without proper authorization, an atypical function for a UTM.
Guardium is moving into the area of vulnerability management with the latest release of its database security and compliance platform.
In Guardium 7, the company is looking to address the entire database security and compliance lifecycle. “We added vulnerability management to our solution because we saw huge advantages to providing an integrated solution with a common Web console, back-end database for tracking all database systems and configurations, and workflow automation,” said Phil Neray, vice president of marketing at Guardium. “It often takes three to six months to patch business-critical systems, due to change management and testing processes in most organizations. By combining [database activity monitoring] with vulnerability assessment, you can protect unpatched systems with signature-based policies that watch for potential attacks until these systems can be patched.”
“This integration is definitely beneficial - after all, it’s all about data security, whether it’s scanning, discovering, assessing the environment, auditing or monitoring,” said Noel Yuhanna, an analyst with Forrester Research. “Enterprises want more integrated data security solutions that can do everything possible, with common interfaces and controls,” he said. “No one wants to install five products from five different vendors.”
Guardium doubled its customer base in 2007 and is now installed in more than 350 data centers worldwide, including more than 60 Global 500 and Fortune 1000 companies in all major industries.
Organizations that have chosen Guardium include 3 of the top 4 global banks, one of the top cardholder brands worldwide, one of the world’s largest PC suppliers, a global soft drink brand, one of the top 3 global retailers and one of the market leaders in business intelligence software.
Guardium and Network Appliance recently announced the first joint solution for protecting cardholder data in databases without costly and time-consuming application re-writes. The combined solution allows organizations to quickly and easily comply with the Payment Card Industry Data Security Standard (PCI DSS), providing significant business benefits immediately and in the long term. Other types of sensitive corporate data, such as financial, HR, CRM, and intellectual property information, can also be secured using this combined solution.
Database monitoring as a compensating control for PCI-DSS
Your Data: Love It Or Lose It
by Ericka Chickowski, Baseline
According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete. The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with media-level encryption until it can employ full database encryption.
“The benefit is that it doesn’t require any changes to your databases or applications,” says Phil Neray, vice president of marketing at Guardium, a database security company.
Authorities have arrested a 58-year-old man in Greece they said hacked into computer systems of France’s Dassault Group for more than five years, stole sensitive weapons technology data and sold it to a variety of countries.
Computerlinks will work with a select number of reseller partners, providing its IT security and professional services expertise to exploit the demand for solutions that prevent data vulnerabilities and address audit findings.
Guardium delivers an enterprise security platform for preventing information leaks from the data centre and enforcing change controls, in order to assure the privacy and integrity of sensitive corporate information. The technology prevents unauthorised activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle and SAP, while simplifying and automating compliance processes.
A former Cox Communications employee has been sentenced to five months in federal prison for remotely shutting down portions of the company’s system – including 911 emergency services – after being asked to resign his position.
Phil Neray, vice president of marketing at data-security vendor Guardium, said administrators need to be able to quickly observe strange behavior from other employees to prevent similar incidents. “I think the moral of the story is that privileged users are given a high amount of power that they need to have as a part of their jobs,” he said. “As a result, when you have a disgruntled employee, you have to be able to quickly determine anomalous behavior.”
An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors’ PCs with a variety of exploits last week, according to researchers.
The cyberattackers used a SQL injection attack on Microsoft’s SQL Server database product to compromise the array of sites. “[It was] an application that accessed system tables not commonly accessed [by the application server],” said Phil Neray, vice president of marketing at Guardium. “[The affected tables] told the hacking application where to insert the malicious code in the database,” he said.
Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. Guardium’s database activity monitoring technology immediately detects this type of anomalous activity in real-time—and then takes proactive, customizable actions such as issuing SNMP/SMTP alerts and automatically locking the exposed database account.
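The detection and response behaviour described above (and the anomalous-transaction monitoring Neray mentions in the Bank Technology News item), as an added example that is not Guardium's code: a small activity monitor run over a constructed query log. It flags an application account reading system-catalog tables (the pattern Neray describes for the mass SQL injection attack), escalates from an alert to an account lock when that repeats, and locks on any large extract from a sensitive table. The account names, the `CATALOG_OBJECTS` list, the row threshold, the `cards` table and the log lines are all assumed for the demonstration.

```python
import re
from dataclasses import dataclass

# System-catalog objects an ordinary application account has no business
# reading (names assumed, in the style of an MS SQL Server catalog).
CATALOG_OBJECTS = ("sysobjects", "syscolumns", "information_schema", "sys.")


@dataclass
class Finding:
    user: str
    rule: str
    action: str      # "alert" or "lock_account"
    statement: str


class Monitor:
    """Minimal activity monitor: evaluate each statement against policy and
    return the actions a DAM system would take (alert, lock the account)."""

    def __init__(self, app_accounts, sensitive_tables, large_extract_rows=1000):
        self.app_accounts = set(app_accounts)
        self.sensitive_tables = set(sensitive_tables)
        self.large_extract_rows = large_extract_rows   # assumed policy threshold
        self.catalog_hits = {}                         # per-user count for escalation

    def evaluate(self, user, client, statement, rows):
        """Apply both rules to one log entry; the client address is carried in
        the log schema but not used by these two rules."""
        findings = []
        stmt = statement.lower()

        # Rule 1: an application account reading the system catalog is the
        # reconnaissance pattern described above. Alert the first time and
        # lock the account when it repeats.
        if user in self.app_accounts and any(o in stmt for o in CATALOG_OBJECTS):
            n = self.catalog_hits.get(user, 0) + 1
            self.catalog_hits[user] = n
            action = "lock_account" if n >= 2 else "alert"
            findings.append(Finding(user, "app-account-catalog-access", action, statement))

        # Rule 2: an unusually large result set from a sensitive table is a
        # bulk download, whoever runs it.
        tables = set(re.findall(r"\bfrom\s+([a-z_][\w.]*)", stmt))
        if rows >= self.large_extract_rows and tables & self.sensitive_tables:
            findings.append(Finding(user, "large-sensitive-extract", "lock_account", statement))

        return findings

    def run(self, log):
        return [f for entry in log for f in self.evaluate(*entry)]


# Constructed sample log (user, client address, statement, rows returned);
# not captured from any real system.
SAMPLE_LOG = [
    ("app_user", "10.0.0.5", "SELECT id, total FROM orders WHERE id = 42", 1),
    ("app_user", "10.0.0.5", "SELECT name FROM sysobjects WHERE xtype = 'U'", 120),
    ("app_user", "10.0.0.5", "SELECT name FROM syscolumns WHERE id = 5", 40),
    ("dba_bob", "10.0.0.9", "SELECT pan, expiry FROM cards", 250000),
    ("app_user", "10.0.0.5", "UPDATE orders SET status = 'shipped' WHERE id = 42", 1),
]


def run_sample():
    """Run the monitor over the constructed log and return its findings."""
    mon = Monitor(app_accounts=["app_user"], sensitive_tables=["cards"])
    return mon.run(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.action:13s} {f.rule:28s} {f.user}: {f.statement}")
```

On the sample log the monitor produces three findings: an alert on the first catalog read by the application account, a lock on the second, and a lock on the 250,000-row extract from `cards`; the ordinary single-row order lookups pass untouched. A real deployment would key rule 1 on the statements a given application is known to issue rather than on a fixed list of catalog names, and would feed the actions into the alerting and account-disable hooks described above rather than printing them.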
If you weren’t concerned about unauthorized database access before, maybe now you should give a DAM. It’s mid-afternoon. Do you know who’s accessing your databases?
Until recently, for many organizations—including the TJX Companies and Ameritrade—the answer has been no. While all databases come with tools for security and access control, many users—mostly employees or other insiders—have found ways to circumvent them, leaving IT people in the dark about who’s been using the data, and when. The problem isn’t just headline-grabbing external hacks, such as the one at TJX, but also insiders who, for one reason or another, find it inconvenient to follow security policy. “It’s not that the users are malicious,” says Phil Neray, vice president of marketing for Guardium, a maker of database security tools. “They’re doing it for the sake of convenience.”
Regulatory requirements, malfeasance, and criminal attacks are driving companies to find new ways to secure their corporate data. Companies are now adopting Database Activity Monitoring (DAM) as an essential layer of their data security architectures. This article describes why traditional security technologies are insufficient and describes the key capabilities provided by DAM solutions.
(UK publication)
Video interview (0:30) with Guardium VP Phil Neray, courtesy of Liz Safran and Silicon Valley Minute.
A recent Forrester report, “The Forrester Wave: Enterprise Database Auditing and Real-Time Protection, Q4 2007,” estimates the value of the database auditing and real-time protection market—including new licenses, support and services—to be $450 million, and predicts that number will double by 2010. “[Customers are realizing that] other technologies like IDS/IPS [intrusion detection/intrusion prevention], SIEM and DLP systems address part of the broader data security issue, but don’t really cut it in the database monitoring space because they don’t have the specialized understanding required to capture and analyze database activities. For example, systems that analyze HTTP traffic are fairly easy to develop because HTTP consists of only 10 or so primitives, whereas SQL consists of over 350 individual commands as well as a full programming language, with additional variations and subtleties for each DBMS platform.”
With “Dominance and Momentum On Its Side,” Guardium Earns Highest Overall Scores for Current Offering, Product Strategy and Corporate Strategy; Cited for “Leadership in Supporting Large Heterogeneous Environments”
In an industry flush with products for securing the network perimeter, Guardium’s SQL Guard 6.0 serves as an important addition for monitoring and managing connections to and from a wide variety of enterprise database products. SQL Guard has evolved from an impressive technology to an enterprise-class data security product that should be on every organization’s radar.
There are several reasons why a former Cox Communications employee still had the access needed to shut down his former employer’s telecommunications services after he was asked to resign. “The issue in a lot of organizations is that privileged users share accounts, so they can access one account that can’t be turned off,” said Phil Neray, vice president of marketing at data security vendor Guardium.
When it comes to security auditing, the mainframe just hasn’t kept up with the times ... The new Guardium for Mainframes product, a combination appliance and software, provides visibility into all DB2 activity, including who’s reading what on the database. “This would be important for PCI because you need to know who’s accessing sensitive data,” says Phil Neray, vice president of marketing for Guardium. “Until now, there’s not been a practical way to track all database activities without impacting performance.”