Perimeter
1/4/2008
05:45 AM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Database Activity Monitoring

If you weren't concerned about unauthorized database access before, maybe now you should give a DAM

It's mid-afternoon. Do you know who's accessing your databases?

Until recently, the answer for many organizations -- including the TJX Companies and Ameritrade -- the answer has been no. While all databases come with tools for security and access control, many users -- mostly employees or other insiders -- have found ways to circumvent them, leaving IT people in the dark about who's been using the data, and when.

The problem isn't just headline-grabbing external hacks, such as the one at TJX, but also insiders who, for one reason or another, find it inconvenient to follow security policy.

"It’s not that the users are malicious," says Phil Neray, vice president of marketing for Guardium, a maker of database security tools. "They’re doing it for the sake of convenience."

While some vendors offer broad data leak prevention solutions to the insider threat problem, many enterprises are taking a closer look at a more focused set of products built specifically for databases: database activity monitoring (DAM) tools. DAM products can help enterprises meet compliance requirements by verifying proper controls and auditing database access, in addition to detecting -- and sometimes preventing -- malicious attacks.

How can you find a DAM package that works for your organization? The best approach is to issue a request for information (RFI) from a range of vendors that offer such tools, giving you the means to examine the differences in the products and their various approaches.

When developing a DAM RFI, enterprises should focus on a few key features to help cut through the marketing fluff. The RFI should include as much information as possible about the production environment, reducing the number of responses from vendors who think they can solve the problem, when they really can’t.

The most basic part of the RFI should include the database servers currently in production, and any that might be used in the future. The major DAM vendors, such as Guardium, Imperva, and Application Security Inc. support Microsoft SQL Server, Oracle, and IBM DB2, but they generally don't cover open source database servers such as MySQL and Postgres. DAM products don't always support every protocol between database clients and servers, either, so be sure to include those in the RFI.

Besides the obvious database and protocol support, DAM solutions monitor database activity in different ways. Some can "listen" on the network, in the same way that intrusion detection systems do, and analyze the database traffic as it passes from the client (or even an application server) to the database server. This approach has some limitations: Activity on the database server itself doesn't pass through the network, and therefore wouldn't be detected by a network appliance.

In this scenario, a software agent must be installed on the database server to monitor local activity. The agent should have minimal impact on the server, and shouldn't rely on the database server’s native logging. A DAM solution isn’t complete unless it can monitor both local and network-based activity, so make sure the RFI includes both requirements, along with information on the operating systems the database servers are running.

Like other security products that send alerts based on attack signatures, DAM solutions provide the best value to security analysts when they provide both SQL request and response information when an suspected attack is detected. Having both sides of the conversation can provide the context needed to determine if the attack was successful or not.

However, enterprises should be aware that monitoring both sides of the conversation can tax a DAM system's performance, notes Mark Kraynak, senior director of strategic marketing at Imperva. "Knowing something is taken may not be as important as knowing what was taken," he says. "[But] recording both sides essentially doubles the work being done, so performance and throughput is crucial.”

Recording the responses may also pose a risk to data privacy, because sensitive information stored in the database could end up recorded by the DAM solution. If this might be a problem, confirm that the solution can mask or discard the responses to prevent unnecessary disclosure to security personnel who don’t need that information.

One of the most important features of a DAM product is its ability to tie the database activity to a specific user -- a crucial method for identifying the source of an attack. DAM solutions should be able to tie a user identity to database activity from end to end, whether the user is connecting to the database directly or passing through a Web or application server first. If a vendor claims to have this capability, make sure that it can identify users in all of your environments, not just for a select few commercial applications.

When putting together a RFI, make sure to ask all of the questions we've outlined here. What database servers and operating systems are supported? Does the product monitor from both the network and database server (and if so, how does local monitoring impact performance)? Does the product make the database responses available for review, and can it mask sensitive information to prevent accidental disclosure? And, how well can the DAM solution monitor user activity end to end, on both commercial and custom applications?

With solid answers to these questions, you should see significant differences between the DAM product offerings and be able to narrow down the list of vendors that offer a viable solution for your particular environment.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Application Security Inc.
  • Guardium Inc.
  • Imperva Inc.

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    Partner Perspectives
    What's This?
    In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

    As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
    Featured Writers
    White Papers
    Cartoon
    Current Issue
    Dark Reading's October Tech Digest
    Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
    Flash Poll
    Title Partner’s Role in Perimeter Security
    Title Partner’s Role in Perimeter Security
    Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2013-7407
    Published: 2014-10-22
    Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

    CVE-2014-3675
    Published: 2014-10-22
    Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

    CVE-2014-3676
    Published: 2014-10-22
    Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

    CVE-2014-3677
    Published: 2014-10-22
    Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

    CVE-2014-4448
    Published: 2014-10-22
    House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

    Best of the Web
    Dark Reading Radio
    Archived Dark Reading Radio
    Follow Dark Reading editors into the field as they talk with noted experts from the security world.