12/2/2009 02:18 PM

New Report Helps Enterprises Choose Their Own DAM Products

Study of database activity monitoring offers insights on how DAM products work -- and how to choose between them

[Excerpted from "Database Activity Monitoring: Emerging Technology Keeps Tabs On Assets," a new report published today in Dark Reading's Database Security Tech Center.]

When it comes to databases, there's one thing that all users agree on: a single breach can be devastating. One look at the security headlines will tell you that no company can afford a database leak.

One of the most promising technologies for security pros who are struggling to stay on top of this concern is database activity monitoring, or DAM. These systems enable organizations to monitor database events in real time and respond quickly to unauthorized activity.

Some DAM products provide features for privileged-user monitoring and basic database auditing, two areas that have historically been underserved. Need more? The use of DAM technology is starting to be considered an essential control when demonstrating compliance with industry regulations and standards that require regular review of logs -- a category that includes PCI DSS, HIPAA, the Gramm-Leach-Bliley Act, FISMA, and Sarbanes-Oxley.

These products are still expensive; appliances run $25,000 to $50,000 per device, while agent-based offerings cost $5,000 to $25,000 per database. There are tough architectural decisions to be made, especially for distributed enterprises. Expect some turf warfare.

But because databases are increasingly targets for attackers, and few of us are willing to encrypt them, a DAM system might just be worth the investment.

In a nutshell, most DAM products monitor all SQL activity in real time across multiple database platforms and generate alerts based on policy violations. These systems also have the ability to aggregate -- and, to some degree, correlate -- activity from multiple heterogeneous database products, including Microsoft SQL Server and Oracle.

Some products also provide the additional benefit of monitoring and securely storing records of activity outside the target databases, which can come in handy if the systems housing these databases are ever compromised.

There are various technical approaches that enable DAM products to achieve these goals, but systems can be grouped into three primary categories: network monitoring, remote monitoring and local agent monitoring. Network monitoring products are typically delivered via appliances, whereas local agent monitoring DAM systems are software-based. For companies that need to do remote monitoring, native auditing is turned on for the target database, and the resulting activity log data is sent to an external appliance.

Choosing the best model is a matter of weighing the pros and cons of each approach and evaluating the database environment that you're looking to protect.

This calculation depends on your specific environment and overall goals. Using a combined approach to database monitoring provides the best coverage, but the involved nature of that type of deployment can be a scary proposition for some IT teams.

Organizations should first decide which threats they're the most concerned about. Do you think DBA/insider abuse is more likely than external manipulation of an application to do database dumping? Then catalog operational restrictions and dust off the debate over how comfortable you are with proactive blocking mechanisms.
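To make concrete how the policy-based alerting described above works, and how the two threats just named (privileged-user abuse versus an application being manipulated into dumping a table) look as rules, here is a small added illustration written for this excerpt; it is not any vendor's code, and the activity records, account names and change window are constructed.

```python
"""Toy DAM-style policy engine: take normalized SQL activity records from
two database platforms and raise alerts on policy violations.
Added illustration for this article; every record below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample activity, one record per statement, as a DAM collector
# might receive it after normalizing Oracle and SQL Server events.
SAMPLE_EVENTS = [
    {"platform": "oracle", "user": "SCOTT", "role": "app", "hour": 14,
     "sql": "SELECT name FROM customers WHERE id = 42"},
    {"platform": "mssql", "user": "webapp", "role": "app", "hour": 3,
     "sql": "SELECT * FROM dbo.customers"},
    {"platform": "oracle", "user": "SYS", "role": "dba", "hour": 2,
     "sql": "GRANT DBA TO tempuser"},
    {"platform": "mssql", "user": "sa", "role": "dba", "hour": 11,
     "sql": "ALTER TABLE dbo.orders ADD note varchar(200)"},
]

@dataclass(frozen=True)
class Alert:
    policy: str
    user: str
    platform: str

def bulk_read_without_filter(event):
    """Application account reading a whole table: the database-dump pattern."""
    sql = event["sql"].upper()
    return (event["role"] == "app" and sql.startswith("SELECT")
            and " WHERE " not in sql)

def privileged_change_off_hours(event, window=(8, 18)):
    """Privileged account issuing DDL or grants outside the (assumed) change window."""
    sql = event["sql"].upper()
    is_priv_change = re.match(r"^(GRANT|REVOKE|ALTER|DROP|CREATE)\b", sql) is not None
    in_window = window[0] <= event["hour"] < window[1]
    return event["role"] == "dba" and is_priv_change and not in_window

POLICIES = {
    "app-account-bulk-read": bulk_read_without_filter,
    "privileged-change-off-hours": privileged_change_off_hours,
}

def evaluate(events):
    """Run every policy over the event stream and return the alerts raised."""
    return [Alert(name, e["user"], e["platform"])
            for e in events for name, check in POLICIES.items() if check(e)]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running it flags the unfiltered read by the application account and the off-hours GRANT by SYS, while the DBA's ALTER inside the change window passes.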

DAM deployments require cooperation among multiple groups, and the dependencies on various IT specialties should not be underestimated. For example, for inline products, the network team will have to design and provision span ports on critical switches -- ports that, in some organizations, are in short supply.

With agent-based products, both system administrators and DBAs will need to be involved, as you'll be introducing yet another "moving part" on systems for which they are responsible. The larger the organization and more extensive the DAM deployment, the more people you'll need to bring to the table. CIOs should start getting those parties lined up early.

For more detailed insight on how to choose a DAM product and how to deploy it, download the full report here.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
