Symantec Takes Anomaly Detection To The Database

The latest generation of database security technology, which operates by "learning" to detect unusual and potentially malicious data requests, got a shot in the arm this month as the world's biggest security vendor debuted an appliance that warns database administrators when something foul is in the air.

Anomaly detection, a security method that's been available to network security pros for a few years, is now being applied to databases. Also known as heuristics, it involves software or appliances that track database transactions, learn the characteristics of "normal" transactions over time, and alert administrators when abnormal data requests take place.

Symantec's Database Security appliance, part of the company's Security 2.0 campaign, marks the software maker's entry into the database transaction-monitoring market.

Smaller Symantec rivals, including IPLocks, Tizor Systems, and Application Security, beat Symantec to the market for database-monitoring hardware and software that employs anomaly detection. But Symantec's market position gives it the ability to shine the spotlight on database transaction monitoring in ways its smaller competitors can't.

Database Security tracks all traffic going to and from a company's databases in real time, and the product has room to grow. While Database Security is only available preinstalled on Windows-based Dell or Unix servers, Symantec plans to offer it as a software application that customers can install on servers or appliances of their choosing. Symantec is considering a version of Database Security that combines transaction analysis with an automated ability to block suspicious transactions, though the company first has to determine whether such a device would interfere with legitimate transactions it mistakenly tags as malicious.

CareGroup Healthcare System, a Boston-based health care group with three affiliated hospitals and several medical centers, has been testing Database Security for the past year. Symantec's product sits in the background of the group's network and sniffs all transactions entering and exiting 60 of the organization's databases.

"We're in the health care industry. If someone is querying a patient's medical records, I want to get an alert," says Ayad Shammout, CareGroup's lead technical database administrator, noting that CareGroup's databases process roughly 300,000 transactions per hour. It would take hours to pull that same information from CareGroup's network-monitoring appliance logs, Shammout says.