Sat, April 15, 2006 — CIO — Michael Osborne has been getting a lot of vendor calls lately pitching a new breed of products, typically called electronic data discovery (EDD) tools. These tools promise to investigate historical data to uncover security breaches, compliance failures and plain old errors in transactions across various enterprise systems, from network administration to accounting. Driven by compliance requirements such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, these tools focus on user activities, such as who accessed a database or updated a customer account. The goal is to look at both real-time and historic patterns across multiple databases, networks and applications to find suspicious activities that might indicate insider financial fraud, customer identity theft, compliance policy breaches or theft of proprietary data such as customer contacts or product designs. As the senior security manager at Kimberly-Clark, which makes health and hygiene products, Osborne is interested in ways to prevent supplier or insider fraud, such as detecting sham providers used to steal or launder money. In other organizations, electronic data discovery tools might be used to detect identity theft or violations of information-access policies.

Osborne is not alone in getting these pitches, say analysts and consultants, who warn that CIOs should be cautious. "There’s a lot of vaporware out there," says Avivah Litan, a security research director at Gartner. "You’re seeing vendors build an industry around scare tactics over compliance and security."

That’s not to say there aren’t useful technologies available. For example, Osborne is evaluating a tool from Oversight Systems that analyzes accounting information from SAP and other financial systems to detect fraud and errors both in current transactions and in past transactions stored in the SAP system. He’s recommended that Kimberly-Clark seriously consider adopting the technology.

At online shopping service provider 2Checkout.com, Tom Denman, the director of risk management, has adopted 41st Parameter’s analysis tools to detect fraud in the shopping and financial transactions that his service handles for online stores. 2Checkout used to rely on real-time security event monitoring tools but found they couldn’t do as thorough an analysis in real-time. Denman now batches customer transactions and uses 41st Parameter tools to analyze them against previous transactions and various fraud patterns, to detect stolen credit cards and the like (one fraud pattern might be the use of a credit card number for online purchases the same day in several countries). Suspect transactions get flagged for human review, prioritized by risk level.

The use of historical data correlated across multiple systems and a focus on user activity is what distinguishes EDD from real-time security event monitoring (SEM) tools, which typically are used to monitor network activity for intrusions and viruses. EDD provides more context in which to find fraud or uncover breaches. "The tools can serve the understand-and-prevent function," says Keith Schwalm, vice president of Good Harbor Consulting, a security advisory firm. EDD tools can work as an adjunct to SEM tools, or provide both functions, notes Amrit Williams, a security research director at Gartner. The vendor trend is to merge the two functions into a suite, he adds.