Symantec Tests 'Big Brother' Data Monitor

Engineers in Symantec's research and development organization have built a new database security appliance that could eventually lead the company into the database security business. The project has been tested by a handful of customers since September, and Symantec is expected to decide within the next few months whether to bring it to market.

The unnamed appliance is a pre-configured server that sits on the network and monitors the database traffic, looking for inappropriate queries. "We're providing Big Brother in a box, if you like, to just keep a gentle eye on people. And if people deviate from their normal patterns, we can flag that," said Gerry Egan, group product manager with Symantec's Advanced Concepts Group.

Still in Development

The appliance, which has been under development for several years, monitors network traffic using the same underlying "sniffing" engine as Symantec's Network Security 7100 Series intrusion prevention appliance. But the 15 engineers working on the project have also developed their own software, which then analyzes the database queries.

The current version of the Symantec appliance does not actually block suspicious queries--it simply monitors and reports on what the database is up to--but that feature is being considered for a future version of the product, Egan said.

"Our product particularly comes into play where there are valid or authorized users of the database who now start to abuse the privilege," Egan said. The product could be used to detect employee or partner fraud, or to warn database administrators (DBAs) when their applications appear to be acting in a malicious manner.

Symantec is testing prototypes of the product with customers in the health care and financial services industries, as well as with educational and government users, in a trial run that is scheduled to go on through the end of this year. "At that point, it will be up to management whether they would like to build it into a product," Egan said.

Should that happen, Symantec would be the first major vendor to develop this type of product, analysts say. To date, database security appliances are sold by only a handful of small companies, including Imperva Inc. and Guardium Inc., but enterprise users are becoming increasingly focused on data security and regulation compliance.

"We're starting to see a little more interest in this area because of all this identity theft," said John Pescatore, an analyst with the research company Gartner.

Customer Interest

Imperva's chief executive officer Shlomo Kramer, whose three-year-old company already sells a similar product, said he is not surprised to see Symantec looking into this market. During the past few quarters, demand for this type of product has accelerated, spurred by laws such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, as well as by California's SB 1386, which requires companies to notify customers after security breaches, he said.

"We are seeing much larger projects in the pipeline, and we're seeing more and more customers with dedicated budgets to this type of initiative," Kramer said. Imperva's customers are primarily in the financial services, e-business and health industries, he said.

The Symantec prototypes use a Dell PowerEdge 1850 server running the Linux operating system, but should Symantec decide to bring the product to market, it could based on virtually any type of server, Egan said.

Based on initial customer feedback, however, Symantec seems likely to stick with its appliance concept and not try to develop a software-only product.

"The DBAs are a very conservative bunch of people, and they definitely don't like people installing things on their servers," Egan said. "It also means, from the chief security officer's perspective, he can drop it in without even telling the DBAs. ... The database administrators have the keys to everything, and who keeps tabs on them?"