Psst! Informant Tells A Good Story For A Song


RippleTech's extrusion detection appliance delivers strong functionality at an attractive price.



THE UPSHOT
CLAIM:  Participants in our Rolling Review must be capable of monitoring for, detecting, and preventing data extrusion from database servers when possible. RippleTech's Informant boasts in-depth monitoring, zero impact on performance, and detailed auditing.

CONTEXT:  Database extrusion prevention systems either monitor data returned by SQL queries or watch for anomalous behavior or both. Informant looks only for anomalous behavior and doesn't sit inline with the traffic flow. This approach can be highly effective without being obtrusive.

CREDIBILITY:  Informant performed well in all tests. The breadth of monitoring for the supported database platforms was impressive, allowing our rules to be extremely specific and effective. Native reporting falls a bit short and is best left to other security management systems.
Does your company lack in-depth native database logging capabilities or knowledge of what should be considered anomalous behavior? If so, here's a tip: RippleTech's Informant can protect your sensitive data without breaking the bank.

RippleTech's appliance version

We previously reviewed Pyn Logic's Enzo 2006, a software-only offering running on Microsoft Windows. In contrast, RippleTech offers appliances running a hardened Linux installation with the $2,995 Informant software preinstalled and optimized. We tested the appliance version.

Even with the $4,995 appliance premium, Informant is still the least expensive database extrusion prevention, or DBEP, system we've seen to date. It doesn't lack functionality, either: Informant currently supports Oracle, Microsoft SQL Server, DB2, and, unique among the products tested so far, MySQL. RippleTech Informant also let us watch HTTP traffic, though that's not something the company focuses on.

By monitoring database activity using a mirrored switch port, Informant inspected all our SQL traffic, including user and administrative activity, with the exception of the content returned from SQL queries. This is notable because knowing what a database returned can help determine whether an attack was successful. Granted, organizations that need to comply with the Health Insurance Portability and Accountability Act and the like will appreciate that Informant isn't yet another source of possibly regulated data. However, Imperva's SecureSphere addresses this problem with a masking feature that hides sensitive data from view in both the administrative interface and reports, by replacing data in logs with asterisks. Still, we don't believe Informant is overly hindered by this lack of visibility into returned content because, fortunately, it sends alerts based on the number of rows returned, thus raising a red flag on SQL injection or malicious insider attacks that result in large amounts of data being disclosed.
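The row-count alerting described above can be modeled with a short detector. This is an added example, not RippleTech's code: it assumes a constructed audit-log tuple format (time, database user, client address, rows returned, statement text) and flags a query when its row count exceeds a hard cap or a multiple of that user's own median, since the monitor never sees the returned content itself.

```python
"""Row-count anomaly alerting over a constructed database audit log.

Added example (not RippleTech's code). Models a monitor that cannot see the
data a query returned, only how many rows it returned, and alerts when that
count is anomalous for the issuing user.
"""
from collections import defaultdict
import statistics

# Constructed sample events: (time, db_user, client_ip, rows_returned, statement)
SAMPLE_AUDIT = [
    ("10:00:01", "app_svc", "10.0.0.5", 1, "SELECT * FROM customers WHERE id=?"),
    ("10:00:02", "dba_jane", "10.0.1.9", 40, "SELECT * FROM audit_log WHERE day=?"),
    ("10:00:03", "app_svc", "10.0.0.5", 1, "SELECT * FROM customers WHERE id=?"),
    ("10:00:04", "analyst", "10.0.2.3", 300, "SELECT region, SUM(total) FROM orders"),
    ("10:00:05", "dba_jane", "10.0.1.9", 55, "SELECT * FROM audit_log WHERE day=?"),
    ("10:00:06", "app_svc", "10.0.0.5", 2, "SELECT * FROM customers WHERE id=?"),
    ("10:00:07", "analyst", "10.0.2.3", 310, "SELECT region, SUM(total) FROM orders"),
    ("10:00:08", "dba_jane", "10.0.1.9", 38, "SELECT * FROM audit_log WHERE day=?"),
    ("10:00:09", "app_svc", "10.0.0.5", 1, "SELECT * FROM customers WHERE id=?"),
    ("10:00:10", "analyst", "10.0.2.3", 305, "SELECT region, SUM(total) FROM orders"),
    ("10:00:11", "app_svc", "10.0.0.5", 25000, "SELECT * FROM customers WHERE 1=1"),
    ("10:00:12", "dba_jane", "10.0.1.9", 900, "SELECT * FROM customers"),
    ("10:00:13", "analyst", "10.0.2.3", 290, "SELECT region, SUM(total) FROM orders"),
]


def detect_row_count_anomalies(events, absolute_cap=1000, multiplier=10, min_history=3):
    """Return a list of alert dicts, in event order.

    An event alerts when rows_returned > absolute_cap, or, once the user has
    min_history prior events, when rows_returned > multiplier * that user's
    median prior row count. Baselines are learned per user as events stream by.
    """
    history = defaultdict(list)   # db_user -> row counts seen so far
    alerts = []
    for ts, user, ip, rows, stmt in events:
        prior = history[user]
        reason = None
        if rows > absolute_cap:
            reason = f"rows {rows} exceeds cap {absolute_cap}"
        elif len(prior) >= min_history:
            baseline = statistics.median(prior)
            if rows > multiplier * max(baseline, 1):
                reason = f"rows {rows} is >{multiplier}x user median {baseline}"
        if reason:
            alerts.append({"time": ts, "user": user, "client": ip,
                           "statement": stmt, "reason": reason})
        prior.append(rows)   # the anomalous event still joins the baseline
    return alerts
```

Because an anomalous event joins the user's history, a repeated bulk read will raise the baseline over time; a production detector would keep a longer window or freeze the baseline while an alert is open.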

In addition to tracking network activity, we could monitor local database management through host-based agents available for Red Hat Enterprise Server, CentOS, Solaris 8 and 9 (Sparc), and AIX 5.2 and 5.3. No local monitoring of Windows, yet.


Page 2: We Make The Rules

