Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/18/2012
07:42 AM
Adrian Lane
Adrian Lane
Quick Hits
50%
50%

A Guide To Practical Database Monitoring

A look at what database activity monitoring can and can't do, and some recommendations on how to implement the best system for your organization

[Excerpted from "A Guide to Practical Database Monitoring," a new, free report posted this week on Dark Reading's Database Security Tech Center.]

Database activity monitoring, a form of application monitoring, examines how applications use data and database resources to fulfill user requests. DAM captures and records database events -- which, at minimum, includes all SQL activity -- in real time or near real time.

DAM is focused on the database layer, which allows for a contextual understanding of transactions, or how multiple database operations constitute a specific business function.

If you want to understand when administrators perform unauthorized alterations or view sensitive information, or be altered when systems are used in a manner inconsistent with best practices, DAM is a good choice.

DAM can even detect odd behavior that is hard to quantify but just doesn't look right -- such as when someone requests "too much" information or makes unusual requests.

It's the understanding of the database layer that allows DAM to provide both qualitative and quantitative analysis of events across multiple requesting applications and databases. It's this focus that allows DAM to provide value beyond traditional security information and event management or intrusion-detection systems, both of which collect generic system and network events.

DAM systems have been commercially available for more than a decade, and the platforms offer mature functions that scale with the IT systems they monitor. Here are the principal reasons companies use DAM products:

SQL Injection protection. DAM can filter and protect against many variants of SQL injection. While it does not provide completeprevention, statement and behavioral analysis techniques catch a great deal of known and previously unknown attacks. By whitelisting queries as acceptable from specific applications, DAM can detect most queries that have been tampered with and queries originating from unapproved applications.

DAM also can be deployed to block SQL injection and other attacks -- called "virtual patching"-- often before database vendors provide patches. Statements can be blocked before executing in the database, so there is no damage to data or the platform.

Behavioral monitoring. DAM systems capture and record activity profiles, both of generic user accounts and of specific database users. Detected changes in a specific user's behavior can indicate a disgruntled employee, hijacked accounts or even cases of oversubscribed permissions. Or maybe you're worried about attacks from mysterious Russian hackers or the much-hyped "insider threat." Behavioral monitoring is an effective technique to detect misuse, regardless of the source.

For a look at some of the other reasons why companies use DAM -- as well as a detailed guide on how to evaluate DAM products -- download the free report on database activity monitoring.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3166
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
CVE-2020-29446
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...