Monitoring

April 22, 2008

Blog Monitoring and Analytics.

Ran into a firm called "Collective Intellect" during RSA week over at the Ziff-Davis briefing. Their product, mediaintellect, was different enough of an offering that I thought I would make a comment on this concept. While not security oriented, they are Blog oriented. They advertise "Real-time actionable insight from social media monitoring and analysis". Basically they monitor blog traffic and content for market research and feedback. Good product? Bad product? I have no idea. The people I met from the company were nice enough, but there is something about 'predictive marketing intelligence' for social media that makes me uneasy.

A Rothman-esque 'So What?' is in order here. What are they going to do for you? Are they going to tell you if your corporate blog sucks? Or can they tell you your marketing campaign sucked because some bloggers they read said so? Is there really a way to do this based upon traffic and key words? Can you really quantify brand influencers? And you want this service why? I've got to wonder if this is an angle for PR & Analysts to re-insert themselves into the process now that their opinions are not interesting enough to generate their own readership. Blog Analysts: can they provide value or are they simply parasitic?

Clearly Blogs have upset the PR apple-cart. And I can see how mediaintellect would fill a need for PR and Marketing departments to make some sense of Blogs and use them to their benefit. But I read Blogs that are decidedly non-corporate for the reason that I don't want to wade through the endless controlled-sanitized-non-informative-corporate-attorney-approved marketing spin that most companies pump out. It is marketing influence I am trying to get away from, and this tool/service provides those organizations a way to monitor and affect the very medium I use to avoid their influence. ~Shiver~ Maybe I am overly sensitive and this is simply a natural evolutionary step based upon the fundamental change in media and broadening of audience, such as Black Hat changing to look more and more like the RSA conference with each passing year.

March 24, 2008

Monitoring Activity

Passport breach: Let’s chalk one up for monitoring.

The Washington Post reported that the illegal viewing, and subsequent disclosure, of passport information from Barack Obama, Hillary Clinton and John McCain was caught by a monitoring system.

This is precisely the type of activity that monitoring can detect, and it can be used very effectively for alerting to suspicious behavior regardless of the user.

In early 2005 I was invited by some people at DHS to pay a visit to a couple of congressmen and senators to discuss trends in information privacy & security. I later discovered the reason for the invite was that one of the Republican staffers had been reading a couple of the Democratic rivals' files and documents. It turns out that both parties shared a common file server & database that had little to no security beyond access control. The staffer was fired and escorted out by the Secret Service. I advocated database monitoring to detect this type of activity in the future, coupled with assessment as a preventative control.

It appears that the State Department already has something like this in place, so ‘Bravo’! And they, like most public companies, only deployed after a breach had occurred.
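To make the point concrete, here is an added example (not from the original post, and not any vendor's product) of the kind of rule-based activity monitoring described above, replayed over a constructed audit trail: reads of watch-listed records alert regardless of who the reader is, reads of another group's records alert (the staffer case), and a burst of reads by one user alerts once. Every user, group, record id and log line is made up for the demo.

```python
# Added example (not from the original post): a minimal database activity
# monitor that replays DAM-style audit events and alerts on the patterns
# described above. All users, groups, record ids and log lines are constructed.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user group record_id owner_group action")

# Constructed audit trail: one hypothetical SELECT per line.
AUDIT_LOG = """\
2008-03-20T09:01:12 jdoe   consular PP-10001 consular SELECT
2008-03-20T09:02:40 jdoe   consular PP-90001 consular SELECT
2008-03-20T09:05:03 asmith consular PP-90002 consular SELECT
2008-03-20T10:15:44 rstaff party_a  DOC-5531 party_b  SELECT
2008-03-20T10:16:10 rstaff party_a  DOC-5532 party_b  SELECT
2008-03-20T10:16:30 rstaff party_a  DOC-5533 party_b  SELECT
2008-03-20T11:00:00 bjones party_b  DOC-5531 party_b  SELECT
"""
WATCH_LIST = {"PP-90001", "PP-90002"}   # flagged records: alert for any reader
BURST_LIMIT, BURST_WINDOW = 3, timedelta(minutes=5)

def parse_events(text):
    """Parse whitespace-separated audit lines; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            f = line.split()
            events.append(Event(datetime.fromisoformat(f[0]), *f[1:]))
    return events

def evaluate(events):
    """Return (rule, user, detail) alerts; the burst rule fires once per user."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e.record_id in WATCH_LIST:
            alerts.append(("watchlist_access", e.user, e.record_id))
        if e.owner_group != e.group:
            alerts.append(("cross_group_access", e.user, e.record_id))
        # Sliding window of this user's read times for the burst rule.
        window = [t for t in recent[e.user] if e.ts - t < BURST_WINDOW] + [e.ts]
        recent[e.user] = window
        if len(window) == BURST_LIMIT:
            alerts.append(("burst_reads", e.user, f"{len(window)} reads"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse_events(AUDIT_LOG)):
        print(alert)
```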

February 08, 2008

eWeek: DLP, DAM Share Common Data Security Objectives

Content-aware technologies.

Brian Prince of eWeek published an article on the similarities of Database Activity Monitoring and Data Loss Prevention that shook me from my morning calm.

Brian is on target with his opening statement, that DAM & DLP are both trying to protect data and they work in/on a separate area of the IT infrastructure. And I could not agree more with the ending quote by Mark Nicolett of Gartner that "We expect a few acquisitions of DAM vendors by large vendors that have DLP technology …" I agree because Data Security, from the customer perspective, is viewed as a single problem. They do not differentiate between data theft at the database, file server, network or application level. They want a unified solution to deal with insider and external threat and not worry about the vagaries of packet inspection on the network or agent-based issues. What is more, it is far more appropriate to develop a single data security policy and deploy it to the software/appliances that actually perform the inspection. The industry needs to consolidate to provide a unified security strategy for customers who really don’t care about the widget that gets the work done, just that it gets done.

So my quibble with this article … and you probably could guess this was coming … is that the quotes are disjointed, somewhat contradictory and (from my perspective) miss the state of the industry. Here is what I mean, and while I have a lot of respect for Paul Proctor, I find this befuddling: "DAM [Database Activity Monitoring] and DLP tools will not likely become one product because they have different buying centers and purpose, but DAM tools will likely become content-aware."

I think DAM and DLP as tools will in fact coalesce for the reasons stated above. Business rules and policies, coupled with whatever dashboard to review reports and status, is a likely customer interface, and the data collection & analysis tools that sit below should be and will be invisible to the user. Think about who the audience for these tools is and I think you will agree that these products (or tools) do in fact coalesce.

But the issue that really gets to me … actually annoyed me enough to write this Blog post is as follows: IPLocks released a Content Monitor product in 2002 to … now watch for it … Monitor Content! And, before you ask, it really is content aware. We were so happy with the concept we patented it (reference). So I can say with a high degree of certainty it is more than ‘likely’ to happen, it happened a long time ago. And I believe there might be another vendor out there today who offers it as well. We thought that a metadata monitor, to watch some of the quasi-data and structural changes, was a nice complement as well. No disagreement that there is value in content monitoring, it just seems appropriate to be talking about the vendors who offer it today as opposed to speculating as to its value in DAM solutions.

And I want to offer what I consider to be a slight clarification on a comment from Ted Julian: "We think it's critical customers can discover sensitive data automatically, even on databases they don't know they have," Julian continued. "Network appliance-based solutions just aren't practical in this regard, simply way too cumbersome and expensive."

Data discovery is different from content-sensitive DAM. More to the point, there are several forms of data discovery, but typically it is either an active interrogation of the database to discover sensitive content or a passive monitoring of the network for content. A network-based appliance can work well in this latter regard, in fact I think most of the DAM vendors say they provide this, but I have no argument that it is a little more unwieldy for the former methodology.
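The two discovery styles just described, as an added example (not from the original post, and not IPLocks' or any vendor's code) against a constructed in-memory SQLite database: active discovery interrogates the catalog and samples each column, while passive inspection only sees a result set that has already been returned, the way a network content monitor would. The table names, rows and the card/SSN classifiers are all hypothetical.

```python
# Added example (not from the original post): the two discovery styles described
# above against a constructed in-memory SQLite database. Active discovery walks the
# catalog and samples each column; passive inspection scans a captured result set,
# as a network content monitor would. Table names, data and patterns are hypothetical.
import re
import sqlite3

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, so plain 16-digit reference numbers are not flagged as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 == parity else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitive data classes found in a string."""
    found = {"ssn"} if SSN_RE.search(text) else set()
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text)):
        found.add("card")
    return found

def active_discovery(conn, sample=50):
    """Interrogate the catalog and sample every column: {(table, column): classes}."""
    hits = {}
    for (t,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for col in conn.execute(f'PRAGMA table_info("{t}")'):
            rows = conn.execute(f'SELECT "{col[1]}" FROM "{t}" LIMIT {sample}')
            classes = set().union(*(classify(str(r[0])) for r in rows))
            if classes:
                hits[(t, col[1])] = classes
    return hits

def passive_inspect(result_rows):
    """Scan an already-returned result set row by row; no database access needed."""
    return set().union(*(classify(" ".join(map(str, r))) for r in result_rows))

def demo_db():
    """Constructed database: one SSN column and one free-text column with a PAN."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, note TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?)",
                     [(1, "Ann", "123-45-6789"), (2, "Bob", "987-65-4321")])
    conn.executemany("INSERT INTO orders VALUES (?,?)",
                     [(1, "paid with 4111 1111 1111 1111"), (2, "ref 1234567890123456")])
    return conn
```

The active pass finds the sensitive columns wherever they sit in the schema; the passive pass can only classify what a query happens to return, which is the trade-off between the two approaches.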