Payroll just called: Salary data has been breached. What got taken? Who did it? Where? It’s your job to find out. The auditor will be here next week.
Do you have what you need to put together the pieces of a data breach? If you’re prepared enough to catch a breach in action, do you know how to find and stop it?
Database breaches, like regular crime, don’t give you a trail to the culprit. And with 4 of 5 breaches coming from inside your organization, you’re not going to find the offender without help.
Fortunately, to adapt to the new security landscape—including the growing threat of insider breaches—as well as stringent regulatory standards—like those for the Payment Card Industry (PCI)—you have access to powerful tools for Data Breach Forensics.
Data Breach Forensics, also known by its primary method, File Integrity Monitoring, works by providing an audit trail for changes made to your IBM i data, typically the most sensitive in the enterprise. In summary, it requires that you know:
- Which user initiated a change (and whether it was authorized)
- With what application or function they made it
- When they made the change
- The value before and after the change
There are two main ways, each with its particular strengths, to get visibility to this information.
Baseline Comparison, which checks your database at intervals against an archived baseline, is a thorough, low-CPU way of determining what changed. It does not, however, catch a change that is reverted to its original value before the next comparison runs.
Real-Time Monitoring offers complete, real-time coverage of a database with corresponding alerts. Unfortunately, that power comes at the expense of system performance.
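The following Python sketch is an added illustration, not code from the original post or from any vendor, that models both methods over a constructed payroll table: the interval digest comparison misses a field change that is reverted before it runs, while a per-write journal keeps the user, program, time and before/after values and can be filtered to sensitive fields. The record layout, user names and program names are assumptions.

```python
import hashlib
import json
from copy import deepcopy
from datetime import datetime, timedelta

# Constructed sample payroll table (employee ids and values are made up).
PAYROLL = {"E1001": {"salary": 52000, "bank_acct": "ACCT-A"},
           "E1002": {"salary": 61000, "bank_acct": "ACCT-B"}}

def snapshot_hashes(table):
    """Archive one digest per record; the interval check only diffs digests."""
    return {k: hashlib.sha256(json.dumps(v, sort_keys=True).encode()).hexdigest()
            for k, v in table.items()}

def baseline_compare(archived, current):
    """Baseline Comparison: records whose digest no longer matches the archive."""
    now = snapshot_hashes(current)
    return sorted(k for k in archived if now.get(k) != archived[k])

class JournalMonitor:
    """Real-Time Monitoring: every write is journaled with user, program, time, before/after."""
    def __init__(self, sensitive_fields):
        self.sensitive = sensitive_fields
        self.entries = []
    def write(self, table, key, field, new_value, user, program, when):
        before = table[key][field]
        table[key][field] = new_value
        self.entries.append({"user": user, "program": program, "time": when.isoformat(),
                             "record": key, "field": field, "before": before, "after": new_value})

    def alerts(self):
        """Escalate only changes to sensitive fields, so routine updates do not page anyone."""
        return [e for e in self.entries if e["field"] in self.sensitive]

def run_scenario():
    """Run one day of constructed activity and report what each method sees."""
    table = deepcopy(PAYROLL)
    t0 = datetime(2024, 1, 1)                  # constructed baseline timestamp
    archived = snapshot_hashes(table)          # baseline archived at t0
    mon = JournalMonitor(sensitive_fields={"bank_acct"})
    # Field change through a low-level interface, reverted before the daily comparison runs.
    mon.write(table, "E1001", "bank_acct", "ACCT-X", "QUSER01", "FTP", t0 + timedelta(hours=1))
    mon.write(table, "E1001", "bank_acct", "ACCT-A", "QUSER01", "FTP", t0 + timedelta(hours=2))
    # Routine payroll update that persists until the comparison.
    mon.write(table, "E1002", "salary", 63000, "PAYADM", "PAYAPP", t0 + timedelta(hours=3))
    return {"baseline_flags": baseline_compare(archived, table),   # only E1002
            "journal_entries": len(mon.entries),                   # all three writes
            "journal_alerts": [(e["user"], e["program"], e["before"], e["after"])
                               for e in mon.alerts()]}
```

Running `run_scenario()` shows the baseline diff flagging only the persisted salary change, while the journal holds both halves of the transient bank account edit with who made it and how.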
The right answer is a mixed solution of security tools that gives you flexibility to implement based on your system.
Data Thread – Monitors in real time for unauthorized activities—including field-level changes made through low-level utilities and instant notification when highly sensitive data is viewed. It combines monitoring with real-time email alerts, eSignatures, and powerful filtering that ensures no change passes unnoticed and virtually eliminates false positives.
Compliance Monitor – Provides visibility to hundreds of IBM i configuration settings. A highly scalable audit reporting solution, it complements forensic reports over event-based audit journal entries with impressive baseline validation functions for system values.
Network Security – Provides auditing and access control for non-traditional interfaces. When access comes from client applications like FTP, ODBC, and remote command, permissive object-level security renders IBM i audit controls useless.
Interact – With visibility to audit entries and requests logged by Network Security, Interact facilitates real-time notification to an enterprise syslog or messaging solution. Preventing data deluge, Interact’s filtering capabilities ensure that only important events are escalated.
The most essential part of any forensics program, though, is the willingness of an administrator to put one in place. Currently, many are resting on the security reputation of their OS. That IBM i is based on configuration settings, not files, means little if a system is not guarded against rogue users, open doors, and any number of other threats that could be passing through your system as you read this.