Datiphy monitors database activity to look for potentially malicious behavior. Its software examines every transaction to build a baseline of activity, and sounds an alert if behavior deviates from known good activity.
Datiphy uses several software components to achieve its aims. An Extractor is deployed on a standard server and plugs into a tap or SPAN port to see network traffic. Alternatively, a packet broker can direct relevant traffic to an Extractor.
The packet broker option isn’t a surprise, given that Datiphy’s CEO, Ted Ho, is a cofounder of Gigamon.
Customers may not be able to get full visibility into all transactions or databases via Extractors, so Datiphy also offers the Observer, which is a software agent that runs directly on a database. However, organizations are sometimes reluctant to run third-party agents on a database because they don’t want to affect performance or otherwise introduce problems.
Extractors and Observers report to a Policer, which has an index engine to analyze transactions and database activity. If a Policer detects unusual behavior, it sends an alert. It also provides a searchable front end for administrators.
For large deployments, a Director software package aggregates multiple Policers and provides centralized management.
Extractors and Observers monitor full database transactions. They map databases to applications, and track users and database administrators. The company says it monitors up to 15 ‘assets’ in every transaction. An asset could be an administrator, a database server, or a column in a database, for example.
Though the software examines transactions, it does not store them by default (a customer can enable that feature).
Instead it keeps metadata, which administrators can query for audits, investigations, or routine monitoring. The company says it can store about 3 months of information on a 1 TB drive.
Find It Faster
Datiphy is among a breed of startups preaching the message that breaches are all but inevitable, and that the faster an organization can detect a breach, the sooner it can respond and limit the damage.
Given that databases are a likely target, the company argues it is well positioned to serve as an early warning system.
“We’re looking at the real transactions within your environment, and then users set policies and alerts based on that information,” said Mike Hoffman, executive VP of sales and marketing, in an interview.
The software can send alerts if there’s suspicious activity around confidential information such as Social Security or credit card numbers. It also watches privileged users, and can be set to alert on abnormal behavior, such as a DBA logging in outside of normal business hours.
The trick, of course, is instrumenting the system properly so that operators aren’t overwhelmed by false alarms. By working from a baseline of normal activity, Datiphy thinks it can solve that problem.
“It doesn’t mean we won’t ever produce a false alarm,” said Hoffman, “but we can reduce them, so if an alert comes from our system, it’s likely to be real.”
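As an added illustration of the baseline-then-alert approach described above (example code written for this article, not Datiphy's software), the following Python learns per-user hours of day and column accesses from constructed transaction metadata and flags deviations such as a DBA reading Social Security numbers at 3 a.m. The event format and the sensitive-column list are assumptions, and the set-based baseline is deliberately simple.

```python
from collections import defaultdict

# Assumed sensitive-column classification for this example; not Datiphy's asset model.
SENSITIVE_COLUMNS = {"ssn", "card_number"}

# Constructed "known good" transaction metadata: (user, ISO timestamp, table, columns touched).
BASELINE_EVENTS = [
    ("dba_alice", "2015-09-01T10:15:00", "orders", ["id", "total"]),
    ("dba_alice", "2015-09-02T11:40:00", "orders", ["id", "status"]),
    ("dba_alice", "2015-09-03T15:05:00", "customers", ["id", "name"]),
    ("app_web", "2015-09-01T02:00:00", "customers", ["id", "ssn"]),
    ("app_web", "2015-09-01T14:30:00", "customers", ["id", "ssn"]),
    ("app_web", "2015-09-02T23:10:00", "customers", ["id", "name"]),
]

def build_baseline(events):
    """Learn, per user, which hours of day and which (table, column) pairs appear in known-good traffic."""
    hours, columns = defaultdict(set), defaultdict(set)
    for user, ts, table, cols in events:
        hours[user].add(int(ts[11:13]))
        columns[user].update((table, c) for c in cols)
    return {"hours": hours, "columns": columns}

def check_event(baseline, event):
    """Return alert strings for one event; an empty list means it matches the baseline."""
    user, ts, table, cols = event
    if user not in baseline["hours"]:
        return [f"{user}: never seen during baseline"]
    alerts = []
    hour = int(ts[11:13])
    if hour not in baseline["hours"][user]:
        alerts.append(f"{user}: activity at {hour:02d}:00 outside observed hours")
    for c in cols:
        if (table, c) not in baseline["columns"][user]:
            kind = "sensitive" if c in SENSITIVE_COLUMNS else "new"
            alerts.append(f"{user}: first access to {kind} column {table}.{c}")
    return alerts

def run_demo():
    """Score three constructed events against the baseline, keyed by user@timestamp."""
    baseline = build_baseline(BASELINE_EVENTS)
    new_events = [
        ("dba_alice", "2015-09-10T03:05:00", "customers", ["ssn"]),     # DBA at 03:00 reading SSNs
        ("app_web", "2015-09-10T02:30:00", "customers", ["id", "ssn"]),  # app's normal 24x7 pattern
        ("dba_alice", "2015-09-10T10:30:00", "orders", ["id"]),          # DBA's normal daytime work
    ]
    return {ev[0] + "@" + ev[1]: check_event(baseline, ev) for ev in new_events}
```

Only the off-hours DBA event produces alerts (one for the hour, one for the sensitive column); the application's night-time SSN reads are part of its baseline and stay quiet.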
I’m all for putting security controls around your most valuable assets, whether it’s behavioral analysis, explicit rule sets, or coal-mine canaries. And if Datiphy’s secret sauce can really make it easier to separate good from bad activities, that’s a bonus.
But while there are arguments to be made about the pros and cons of various detection schemes and products, what really matters is that your organization has the human capacity available to pay attention to whatever system you have in place, make sense of its alerts, and understand the system’s quirks and blind spots.
Without good human operators, no amount of secret sauce will help.
Datiphy is a U.S. spinoff of a Taiwanese company, launched in 2011, that offers database monitoring as a service. The goal of Datiphy, founded in 2014, is to productize the service. Datiphy received a $7 million funding round in September 2015 from Highland Capital Partners.
Datiphy’s founder and CTO is James Lin, who previously held positions at WatchGuard, 3Com and HP. This isn’t Lin’s first startup; he cofounded RapidStream, a maker of firewall and VPN appliances. RapidStream was acquired by WatchGuard in 2002.
As mentioned above, Datiphy’s CEO, Ted Ho, is a Gigamon cofounder and former CEO. He retains a seat on the Gigamon board.
Datiphy charges software licenses for the various modules, plus a one-time charge based on transaction volumes. Customers with up to 10 million daily transactions pay $30,000; and those with up to 250 million per day pay $75,000.