Most Businesses Unaware Of Data Breach, Survey Warns

Many organisations spend too much time and effort creating database compliance and auditing reports using homegrown scripts, native logs, triggers and stored procedures, said Phil Neray, vice president of security strategy at IBM’s Guardium. This isn’t an effective way to detect breaches, he explained, because it’s not real time and the massive amounts of transaction log data produced by database environments make it easy to miss an incident or fail to connect the dots between events.

“This is [also] costing them time and money, especially in heterogeneous environments, where each database platform – Oracle, SQL Server, DB2, etc. – requires its own handcrafted approach,” he said.

Having proper visibility into all changes, events and configurations is the beginning of a strong defence, Melancon said.

“Once you have all the right data coming in, you have a chance to understand context and manage risk,” he explained. “The challenge is that, that results in a huge landfill of data. You then have to make sense of it by using a policy-based method to perform intelligent analysis of the data, in an automated way – the triad of visibility, intelligence and automation are the keys to effective security.”

But many data breaches – some 81 percent in the Trustwave study – involve systems managed by a third party that had been compromised. For enterprises, this can add a new layer of challenges. Nicholas Percoco, senior vice president at Trustwave’s SpiderLabs, advised businesses to pay close attention to how their partners handle security.

“If they are able to explain what they do from a security standpoint, ask them to produce a report or letter from a third-party security auditor attesting to their policies and procedures,” he recommended. “This provides evidence that their actions are in line with the promises made when servicing customers. An SAS-70 audit is a good example, but a penetration test will likely be more revealing.”

There is also the option of stipulating in outsourcing contracts that any breach of customer credit card data under the management of the third party, for example, is the third party’s responsibility, Litan told eWEEK.

“The rest will take care of itself,” she said.


Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
