Primary research papers from Securosis, released under Creative Commons licensing.
Securosis Research is developed under the Totally Transparent Research Process.
For Database Activity Monitoring, the deployment model directly affects performance, management, cost, and how well the technology serves your requirements. Appliances, software, and virtual appliances are the three basic deployment models for DAM. While many security platforms offer these same deployment models, what you have learned with firewalls or intrusion detection systems does not apply here – DAM is unique in the way it collects, processes, and ultimately manages information. This white…
Four years ago, when we initially developed the Data Security Lifecycle, we mentioned a technology we called File Activity Monitoring. At the time we saw it as similar to Database Activity Monitoring, in that it would give us the same insight into file usage as DAM provides for database access. The technology did not actually exist, but it seemed like a very logical next step from DLP and DAM.
If you don’t already have attackers in your environment you will soon enough, so we have been spending a lot of time with clients figuring out how to respond in this age of APT (Advanced Persistent Threat) attackers and other attacks you have no shot at stopping. You need to detect and respond more effectively. We call this philosophy “React Faster and Better”, and have finally documented and collected our thoughts on the topic. Here are a couple of excerpts from the paper to give you a feel for…
The Database Security Operations Quant research project – Database Quant for short – was launched to develop an unbiased metrics model to describe the costs of securing database platforms. In the process we developed the most in-depth database security program framework we can find, as well as all the key metrics to measure database security efforts. Our goal is to provide organizations with a tool to better understand the security costs of configuring, monitoring, and managing databases. By…
We all know the inherent challenges that mobile devices, and the need to connect to anything from anywhere, present to security professionals. We’ve done some research on how to start securing those mobile devices, and now we have broadened that research by taking a network-centric perspective on these issues. Let’s set the stage for this paper:
This report contains the results, raw data, and analysis of our 2010 Data Security Survey.
Key findings include:
We received over 1,100 responses with a completion rate of over 70%, representing all major vertical markets and company sizes.
SIEM and Log Management platforms have seen significant investment, and the evolving nature of attacks means end users are looking for more ways to leverage their security investments. SIEM/Log Management does a good job of collecting data, but extracting actionable information remains a challenge. In part this is due to the “drinking from the fire hose” phenomenon, where the speed and volume of incoming data make it difficult to keep up. Additionally, the data needs to be pieced together with…
The lack of credible and relevant network security metrics has been a thorn in the side of security practitioners for years. We don’t know how to define success. We don’t know how to communicate value. And ultimately, we don’t even know what we should be tracking operationally to show improvement – or failure – in our network security activities. The Network Security Operations (NSO) Quant research project was initiated to address these issues.
As described in the Network Security Operations (NSO) Quant report, for each process we determined a set of metrics to quantify the cost of performing the activity. We designed the metrics to be as intuitive as possible while still capturing the necessary level of detail. The model collects an inclusive set of potential network security operations metrics, and as with each specific process we strongly encourage you to use what makes sense for your own environment.
Data Loss Prevention has matured considerably since the first version of this report three years ago. Back then, the market was dominated by startups with only a couple major acquisitions by established security companies. The entire market was probably smaller than the leading one or two providers today. Even the term ‘DLP’ was still under debate, with a menagerie of terms like Extrusion Prevention, Anti-Data Leakage, and Information Loss Protection still in use (leading us to wonder who,…
What? A research report on enterprise firewalls. Really? Most folks figure firewalls have evolved about as much over the last 5 years as ant traps. They’re wrong, of course, but people think of firewalls as old, static, and generally uninteresting. But this is unfounded. Firewalls continue to evolve, and their new capabilities can and should impact your perimeter architecture and firewall selection process. That doesn’t mean we will be advocating yet another rip and replace job at the perimeter…
Tokenization is currently one of the hottest topics in database and application security. In this report we explain what tokenization is, when it works best, and how it works – and give recommendations to help choose the best solution.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures. The problem is that the guidance provided is not always clear. This is especially true when it comes to secure storage of credit card information. The gap between recommended technologies and how to employ them leaves a lot of room for failure. This white paper examines the technologies and deployment…
Anyone worried about security and/or compliance has probably heard about Security Information and Event Management (SIEM) and Log Management. But do you really understand what the technology can do for your organization, how the products are architected, and what is important when trying to pick a solution for your organization?
Endpoint Security is a pretty broad topic. Most folks associate it with traditional anti-virus or even the newfangled endpoint security suites. In our opinion, looking at the issue just from the perspective of the endpoint agent is myopic. To us, endpoint security is as much a program as anything else.
This paper includes descriptions of major database encryption and tokenization technologies, a decision tree to help determine which type of encryption is best for you, and example use cases drawn from real world deployments.
Two of the most common criticisms of Data Loss Prevention (DLP) that come up in user discussions are a) its complexity and b) the fear of false positives. Security professionals worry that DLP is an expensive widget that will fail to deliver the expected value – turning into yet another black hole of productivity. But when used properly, DLP provides rapid assessment and identification of data security issues not available with any other technology.
Our goal with this paper is to help customers cut through the marketing fluff, and spotlight the differentiators between current database assessment platforms and the previous generation of DBA tools. While we discuss the individual functional components that constitute assessment platforms, don’t get scared off by the technical discussions. We also cover business justification and compliance for those who are not responsible for managing databases, but need information from the database to do…
This report represents the current findings of the Project Quant open patch management project. The report will be updated as the research continues and we refine the model. Please see the project site for more information.
This document includes our analysis of the Project Quant open patch management survey.
The survey is an ongoing project, and we will continue to release updated analysis and data as new responses are available. You can participate by clicking this link to take the survey.
Data Loss Prevention
This paper covers our recommendations for using endpoint DLP, including major features, what to look for, and deployment recommendations. Since we generally recommend full-suite DLP solutions over endpoint-only solutions, you will notice the paper focuses more on endpoint DLP as part of a larger DLP program.
Content Discovery and DLP: Best Practices for Stored Data Discovery and Protection.
By: Rich Mogull
This paper outlines some of the techniques and technologies for content discovery as used by Data Loss Prevention platforms, and the trade-offs each provides.
Understanding and Selecting a Database Activity Monitoring Solution white paper. This paper examines the business requirements for monitoring databases, as well as the technologies that assist in capturing and analyzing that activity. Rich discusses the compliance and security issues that organizations face, and the options they have at their disposal to identify and report on transactions that fail to meet business best practices. As there are many ways to collect information in and around…
Web Application Security is an incredibly difficult undertaking, and one of the papers we are most proud of is this one: Building a Web Application Security Program (attached below). Web Applications not only have many of the same threats and issues as traditional applications, but by their nature, have a whole additional set of issues to worry about as well. They require a different approach and analysis, and we hope that you will follow the use cases and adapt the technologies and process…