Monitor & Enforce

Monitor and enforce policies for database security and change control
With Guardium, you have granular, real-time policies to prevent unauthorized or suspicious actions by privileged database accounts as well as attacks from rogue users or outsiders.

In order to detect fraud by end-users with legitimate access privileges, you can also monitor and identify application users who make unauthorized changes via multi-tier applications.  This is important because these applications typically access databases via a common service account that masks the identity of the end-user at the SQL transaction level.  Guardium provides out-of-the-box support for all major enterprise applications, including Oracle EBS, PeopleSoft, JD Edwards, Siebel, SAP, and Business Intelligence, as well as custom systems built on standard application servers such as IBM WebSphere, BEA WebLogic, and Oracle AS.

Our solution overlays existing controls in your database and application systems, but is DBMS- and application-independent, thereby simplifying protection of heterogeneous environments.  It can be managed by information security personnel without requiring involvement by database administrators (DBAs). The Guardium system also provides additional controls compared to native database controls, which can be disabled, bypassed, or changed by privileged users.

In addition, you can define granular access policies that go far beyond database login-based controls.  For example, you can restrict access to specific tables based on OS login, IP or MAC address, source application, time of day, network protocol, and type of SQL command.


Continuous contextual analysis of all database traffic

Guardium continuously monitors all database operations in real-time, using patent-pending linguistic analysis to detect unauthorized actions based on detailed contextual information—the “who, what, when, where, and how” of each SQL transaction.  This unique approach minimizes false positives and negatives while providing an unprecedented level of control, unlike traditional IDS/IPS approaches that only look for predefined string patterns or signatures.

Our solution covers all types of database operations, including SQL commands (DDL, DCL, DML, SELECT), calls to stored procedures, XML, and procedural languages such as PL/SQL and SQL/PL.  There is no limitation on monitored data types or sizes.

Our system also supports policies that look for unauthorized or suspicious behavior by examining responses from database servers.  For example, a query that yields a high volume of returned records that match a specific pattern (such as credit card or PII data) might indicate a breach condition, as would abnormally high numbers of SQL errors and login failures.
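The response-side check described above, as an added example that is not Guardium's own code: it scans a result set returned by the server, counts cells that look like a primary account number (digit pattern plus Luhn checksum), and raises an extrusion alert when one response carries more such values than a threshold allows. The rows, the threshold and the function names are constructed; the card numbers are the well-known public test numbers, not real accounts.

```python
"""Toy extrusion check on a database response: count card-number-like cells and alert
above a threshold. Hypothetical example code, not Guardium's response analysis."""
import re
from typing import Iterable, Sequence, Tuple

# 13-16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out most order ids and phone numbers that are merely long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_card_like(rows: Iterable[Sequence]) -> int:
    """Number of cells in the result set that look like a valid primary account number."""
    n = 0
    for row in rows:
        for cell in row:
            if not isinstance(cell, str):
                continue
            for m in PAN_RE.finditer(cell):
                if luhn_ok(re.sub(r"[ -]", "", m.group())):
                    n += 1
    return n


def extrusion_verdict(rows: Iterable[Sequence], max_card_values: int = 5) -> Tuple[bool, int]:
    """(alert?, count): alert when a single response carries >= max_card_values card-like values."""
    n = count_card_like(rows)
    return n >= max_card_values, n


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    bulk = [  # constructed: what a bulk SELECT on a card table might return
        (1, "A. Smith", "4111 1111 1111 1111", "555-0100"),
        (2, "B. Jones", "5500-0000-0000-0004", "555-0101"),
        (3, "C. Lee", "4012888888881881", "555-0102"),
        (4, "D. Kim", "378282246310005", "555-0103"),
        (5, "E. Diaz", "6011111111111117", "555-0104"),
        (6, "F. Wu", "4111111111111112", "555-0105"),             # fails Luhn: not counted
        (7, "G. Roy", "order 1234567812345678", "555-0106"),      # 16 digits but fails Luhn
    ]
    small = [(1, "A. Smith", "4111 1111 1111 1111")]             # a normal single-record lookup
    return extrusion_verdict(bulk), extrusion_verdict(small)


if __name__ == "__main__":
    print(demo())
```

The threshold is per response rather than per session, so a legitimate single-customer lookup passes while a bulk dump of the same table trips the rule; the Luhn check keeps phone numbers and order ids from inflating the count.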

Baselining to detect anomalous behavior and automate policy definition

By creating a baseline and identifying both normal business processes and what appear to be abnormal activities, the system automatically suggests policies you can use to prevent attacks such as SQL injection.

With Guardium’s innovative “learning mode,” you create a baseline by capturing and analyzing all traffic in your environment over a representative period of time.  The learning mode automatically filters activities by number of occurrences in order to identify anomalous or random events.  It then suggests policies that represent both normal behaviors—such as repetitive access to specific tables by line-of-business applications—and anomalous behaviors, such as access to sensitive data from unrecognized IP addresses, access to system tables, or copying of data from production systems to another machine.
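The learning-mode idea above, as an added example that is not Guardium's own code or data model: a training window of traffic is reduced to (client IP, database user, command, object) tuples, tuples seen too rarely are filtered out, the remainder becomes the baseline and is rendered as suggested "normal" rules, and later events are scored with the anomaly reasons the text lists (unrecognized IP, system table access, data copying). Field names, the system and sensitive table lists, the minimum-count threshold and all traffic are constructed.

```python
"""Toy 'learning mode': build a baseline from a training window, suggest policies from it,
and score later traffic. Hypothetical example code, not Guardium's learning mode."""
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    client_ip: str
    db_user: str
    verb: str
    obj: str


SYSTEM_TABLES = {"SYS.USER$", "SYS.TAB$", "INFORMATION_SCHEMA.TABLES"}  # constructed list
SENSITIVE_OBJECTS = {"CARDS", "SSN"}                                   # constructed list
COPY_VERBS = {"EXPORT", "CREATE TABLE AS"}                              # bulk-copy style commands


def learn_baseline(training: List[Event], min_count: int = 3) -> Dict[Event, int]:
    """Keep tuples seen at least min_count times; rarer ones are noise, not normal behaviour."""
    counts = Counter(training)
    return {ev: n for ev, n in counts.items() if n >= min_count}


def suggest_policies(baseline: Dict[Event, int]) -> List[str]:
    """Render the baseline as human-readable 'normal behaviour' rules, most frequent first."""
    return [f"ALLOW {ev.verb} on {ev.obj} by {ev.db_user} from {ev.client_ip} (seen {n}x)"
            for ev, n in sorted(baseline.items(), key=lambda kv: -kv[1])]


def score(ev: Event, baseline: Dict[Event, int], known_ips: Set[str]) -> List[str]:
    """Reasons an event is anomalous; an empty list means it matches the baseline."""
    if ev in baseline:
        return []
    reasons = []
    if ev.client_ip not in known_ips:
        reasons.append("unrecognized client IP")
    if ev.obj.upper() in SYSTEM_TABLES:
        reasons.append("system table access")
    if ev.obj.upper() in SENSITIVE_OBJECTS:
        reasons.append("sensitive object not in baseline")
    if ev.verb.upper() in COPY_VERBS:
        reasons.append("bulk copy of data")
    return reasons or ["not in baseline"]


def demo() -> Tuple[Dict[Event, int], List[List[str]]]:
    training = (  # constructed 'representative period' of traffic
        [Event("10.0.1.5", "app_svc", "SELECT", "ORDERS")] * 40
        + [Event("10.0.1.5", "app_svc", "UPDATE", "ORDERS")] * 25
        + [Event("10.0.1.6", "app_svc", "SELECT", "CUSTOMERS")] * 10
        + [Event("10.0.1.5", "app_svc", "DELETE", "ORDERS")] * 2     # too rare for the baseline
        + [Event("10.0.9.9", "dba1", "SELECT", "SYS.USER$")]         # one-off, filtered out
    )
    baseline = learn_baseline(training)
    known_ips = {ev.client_ip for ev in baseline}
    later = [  # constructed traffic after learning mode ends
        Event("10.0.1.5", "app_svc", "SELECT", "ORDERS"),
        Event("203.0.113.7", "app_svc", "SELECT", "CARDS"),
        Event("10.0.1.6", "dba1", "SELECT", "SYS.USER$"),
        Event("10.0.1.5", "app_svc", "DELETE", "ORDERS"),
        Event("10.0.1.6", "app_svc", "EXPORT", "ORDERS"),
    ]
    return baseline, [score(ev, baseline, known_ips) for ev in later]


if __name__ == "__main__":
    baseline, verdicts = demo()
    print("\n".join(suggest_policies(baseline)))
    print(verdicts)
```

Note the one-off DBA read of `SYS.USER$` during training is dropped by the occurrence filter, so it never becomes "normal"; the same access after learning is flagged as a system table read.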

Monitoring with explicit policies

As your environment changes over time, you can easily add custom policies or modify existing rules via intuitive drop-down menus.  A rule can be either an access rule, an exception rule, or an extrusion rule.  Each category contains one or more components unique to that category; for example, database responses always contain data or an exception type, while SQL requests contain some combination of commands, objects, and fields.

The condition can be a simple test for a single attribute (a specific database user, for example) or it can be a complex test that examines multiple requests and session attributes.  The condition can also consider the sequence of commands and be sensitive to the number of times the condition is met within a specified timeframe.
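Both the granular access policies described earlier (conditions on OS login, client address, source application, time of day and command type) and the rule conditions described just above, including a count-within-timeframe condition, as one added example that is not Guardium's rule engine or data model: each rule is a set of optional conditions, all of which must hold, with an optional threshold that fires only on the Nth match inside a sliding window. Every field name, rule, network range and request below is constructed.

```python
"""Toy policy evaluator for access rules with multi-attribute conditions and a
count-within-window condition. Hypothetical example code, not Guardium's rule engine."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    """One SQL request with its session context: the who/what/when/where/how."""
    ts: float          # seconds since start of the capture (constructed)
    os_user: str
    db_user: str
    client_ip: str
    source_app: str
    verb: str          # SQL command type: SELECT, UPDATE, DROP, GRANT, ...
    obj: str           # table or object touched
    hour: int          # hour of day, 0-23


@dataclass
class AccessRule:
    """A rule fires when every configured condition holds; None means 'no constraint'."""
    name: str
    action: str                                       # ALERT, BLOCK or LOG_FULL
    verbs: Optional[Set[str]] = None
    objects: Optional[Set[str]] = None
    allowed_apps: Optional[Set[str]] = None           # holds when the app is NOT listed
    allowed_nets: Optional[List[str]] = None          # holds when the IP is in NO listed net
    business_hours: Optional[Tuple[int, int]] = None  # holds OUTSIDE [start, end)
    threshold: int = 1                                # fire only on the Nth match ...
    window_s: float = 0.0                             # ... within this many seconds
    hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def matches(self, r: Request) -> bool:
        if self.verbs is not None and r.verb not in self.verbs:
            return False
        if self.objects is not None and r.obj not in self.objects:
            return False
        if self.allowed_apps is not None and r.source_app in self.allowed_apps:
            return False
        if self.allowed_nets is not None and any(
                ip_address(r.client_ip) in ip_network(n) for n in self.allowed_nets):
            return False
        if self.business_hours is not None and self.business_hours[0] <= r.hour < self.business_hours[1]:
            return False
        return True

    def evaluate(self, r: Request) -> Optional[str]:
        """Return the action to take for this request, or None."""
        if not self.matches(r):
            return None
        if self.threshold <= 1:
            return self.action
        q = self.hits[f"{r.client_ip}|{r.db_user}"]  # count per client/user pair
        q.append(r.ts)
        while q and r.ts - q[0] > self.window_s:    # drop hits outside the window
            q.popleft()
        return self.action if len(q) >= self.threshold else None


def run_policy(rules: List[AccessRule], requests: List[Request]) -> List[Tuple[str, str, str]]:
    """Evaluate each request against every rule; returns (rule, action, object) per violation."""
    violations = []
    for r in requests:
        for rule in rules:
            action = rule.evaluate(r)
            if action:
                violations.append((rule.name, action, r.obj))
    return violations


def demo() -> List[Tuple[str, str, str]]:
    rules = [  # constructed policy
        AccessRule("sensitive-table-outside-app", "BLOCK", verbs={"SELECT"},
                   objects={"CUSTOMERS", "CARDS"}, allowed_apps={"ebs"}),
        AccessRule("ddl-off-hours", "ALERT", verbs={"DROP", "ALTER"}, business_hours=(8, 18)),
        AccessRule("grant-from-untrusted-net", "ALERT", verbs={"GRANT"}, allowed_nets=["10.0.5.0/24"]),
        AccessRule("cards-select-burst", "LOG_FULL", verbs={"SELECT"}, objects={"CARDS"},
                   threshold=3, window_s=10.0),
    ]
    reqs = [  # constructed traffic
        Request(0, "appsrv", "app_svc", "10.0.1.5", "ebs", "SELECT", "CUSTOMERS", 10),
        Request(1, "jdoe", "app_svc", "10.0.1.5", "sqlplus", "SELECT", "CUSTOMERS", 10),
        Request(2, "jdoe", "dba1", "10.0.1.5", "sqlplus", "DROP", "AUDIT_LOG", 23),
        Request(3, "jdoe", "dba1", "10.0.5.4", "sqlplus", "ALTER", "AUDIT_LOG", 10),
        Request(4, "jdoe", "dba1", "192.168.7.7", "sqlplus", "GRANT", "ACCOUNTS", 10),
        Request(10, "appsrv", "app_svc", "10.0.1.5", "ebs", "SELECT", "CARDS", 10),
        Request(12, "appsrv", "app_svc", "10.0.1.5", "ebs", "SELECT", "CARDS", 10),
        Request(14, "appsrv", "app_svc", "10.0.1.5", "ebs", "SELECT", "CARDS", 10),
        Request(30, "appsrv", "app_svc", "10.0.1.5", "ebs", "SELECT", "CARDS", 10),
    ]
    return run_policy(rules, reqs)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The burst rule shows the timeframe condition: three reads of `CARDS` within ten seconds trigger full session logging once, while the fourth read twenty seconds later falls outside the window and stays quiet.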

Proactive, real-time security

Unlike traditional log monitoring systems that detect violations “after the fact,” Guardium provides an arsenal of real-time controls for proactively responding to unauthorized or anomalous behaviors.  You can use drop-down menus to easily customize automated responses to policy violations, including actions such as:

  • Real-time security alerts (SMTP, SNMP, Syslog)
  • Blocking (either via TCP reset, data-level blocking techniques or in-line database firewalls)
  • Custom actions such as automated account lock-outs, VPN port shut-downs and coordination with perimeter IDS/IPS systems
  • Enabling full logging of all session details

Unique in the industry, Guardium also supports Correlation Alerts, which trigger actions by correlating multiple events over a given period of time.  For example, Correlation Alerts will detect a series of login failures to multiple database servers from a single client IP.  These rules can even correlate activities that occur over a widely distributed environment or across different business units.
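The correlation alert in the example above, as an added example that is not Guardium's own code: login events from several database servers are parsed from a constructed log format, kept per client IP in a sliding time window, and an alert fires when one client has failed against at least a minimum number of distinct servers inside that window. The line format, server and user names, window size and threshold are all constructed.

```python
"""Toy correlation alert: one client IP failing logins against several database servers
within a time window. Hypothetical example code, not Guardium's Correlation Alerts."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Tuple

# constructed log line format; a real deployment would read the collector's own schema
LINE_RE = re.compile(r"^(\S+) server=(\S+) client=(\S+) user=(\S+) event=(\S+)$")


class LoginEvent(NamedTuple):
    ts: datetime
    server: str
    client: str
    user: str
    event: str


def parse(lines: List[str]) -> List[LoginEvent]:
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        ts, server, client, user, event = m.groups()
        out.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), server, client, user, event))
    return out


def correlate(lines: List[str], min_servers: int = 3, window_s: int = 60) -> List[Tuple[str, List[str], str]]:
    """(client, servers, time) for each client IP that failed against >= min_servers servers in a window."""
    history: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()   # one alert per client IP in this toy; a real system would re-arm after the window
    alerts = []
    for ev in parse(lines):
        if ev.event != "LOGIN_FAILED":
            continue
        q = history[ev.client]
        q.append((ev.ts, ev.server))
        while q and (ev.ts - q[0][0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        servers = sorted({s for _, s in q})
        if len(servers) >= min_servers and ev.client not in alerted:
            alerted.add(ev.client)
            alerts.append((ev.client, servers, ev.ts.isoformat()))
    return alerts


SAMPLE_LOG = [  # constructed events from three servers
    "2024-01-01T10:00:01Z server=db-ora-01 client=10.0.9.9 user=sa event=LOGIN_FAILED",
    "2024-01-01T10:00:05Z server=db-ora-01 client=10.0.9.9 user=sa event=LOGIN_FAILED",
    "2024-01-01T10:00:09Z server=db-db2-02 client=10.0.9.9 user=db2admin event=LOGIN_FAILED",
    "2024-01-01T10:00:15Z server=db-mss-03 client=10.0.1.5 user=app_svc event=LOGIN_FAILED",
    "2024-01-01T10:00:20Z server=db-mss-03 client=10.0.9.9 user=sa event=LOGIN_OK",
    "2024-01-01T10:00:31Z server=db-mss-03 client=10.0.9.9 user=sa event=LOGIN_FAILED",
    "2024-01-01T10:05:00Z server=db-ora-01 client=10.0.1.5 user=app_svc event=LOGIN_FAILED",
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Counting distinct servers rather than raw failures is what separates this from a per-server lockout rule: two failures on the same server do not advance the count, while the application account's two isolated failures five minutes apart never share a window.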


Tracking and resolving database security incidents

Regulations such as SOX and PCI require organizations to demonstrate that all incidents are recorded, analyzed, resolved in a timely manner, and reported to management.

Guardium provides a business user interface and workflow automation system for tracking and resolving database security incidents.  Our integrated incident management application allows administrators to group a series of related policy violations into a single incident and assign them to specific individuals.  It also provides a graphical dashboard for tracking key metrics such as number of open incidents, number of assigned incidents, severity levels, and length of time incidents have been open.