Given today's threats to data from targeted attacks and unsavory insiders, it's no longer a question of whether or not to adopt database activity monitoring

Dark Reading Staff, Dark Reading

July 13, 2009

4 Min Read

Special Analysis For Dark Reading: Second of two articles

The increasing threat of targeted attacks should be all the motivation security pros need to go out and identify their database servers, enumerate the sensitivity of the data contained within, and take appropriate precautions to secure that information.

Of course, external targeted attacks aren't the only threat against your databases: consider those authorized users that could abuse their privileges. No matter how quickly we patch, or how securely written the Web application is that front-ends the mission-critical database server, there will always be people who must have access to those systems and the information contained within. And those very same people could be facing hard times like a pending layoff and hold a grudge that leads them to abuse their access by selling or damaging the database's contents.

Data leakage prevention (DLP) solutions, while far from perfect, can be effective at detecting and preventing sensitive information from leaving a corporate network. But DLP solutions may not distinguish between a normal Web transaction involving one customer's data and a SQL injection attack that steals all customer information -- that's where database activity monitoring (DAM) solutions can shine.

DAM products from vendors such as Guardium and Imperva are powerful tools for providing insight into database activity and protection against data loss. To better understand what DAM is, let's first look at the definition published by Rich Mogull of Securosis in "Understanding and Selecting a Database Activity Monitoring Solution."

"Database Activity Monitors capture and record, at a minimum, all Structured Query Language (SQL) activity in real time or near real time, including database administrator activity, across multiple database platforms; and can generate alerts on policy violations."

Features of DAM products don't stop at just recording all database activity. Additional features include learning and baselining user behavior to identify and alert on anomalies, alerting on violations of user-definable policies, data discovery, vulnerability detection, comprehensive reporting, and mapping activity to the user responsible for it.
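To make the capture-baseline-alert loop described above concrete, here is an added example (not code from the article or from any DAM vendor) of a toy monitor in Python. It parses constructed SQL audit records, learns a per-account baseline of which tables each account normally touches and how many rows it normally returns, and then evaluates live records against both fixed policies (unbounded reads of a sensitive table, tautology predicates, writes to sensitive tables) and the learned baseline (new tables, abnormal row volumes, accounts never seen before). The log format, account names, table names and thresholds are all assumptions made for the example.

```python
"""
Added example: a toy database-activity-monitoring pipeline.
It parses constructed SQL audit records, learns a per-user baseline,
and flags policy violations and anomalies. Every log line, account,
table name and threshold here is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed audit-log format: "<user>|<source_host>|<rows_returned>|<sql>"
BASELINE_LOG = """\
webapp|10.0.1.20|1|SELECT name, email FROM customers WHERE id = 1042
webapp|10.0.1.20|1|SELECT name, email FROM customers WHERE id = 77
webapp|10.0.1.20|3|SELECT sku, qty FROM orders WHERE customer_id = 77
reports|10.0.1.30|250|SELECT region, SUM(total) FROM orders GROUP BY region
"""

LIVE_LOG = """\
webapp|10.0.1.20|1|SELECT name, email FROM customers WHERE id = 9001
webapp|10.0.1.20|48211|SELECT name, email FROM customers WHERE id = 0 OR 1=1
reports|10.0.1.30|48211|SELECT name, email, ssn FROM customers
dba_admin|10.0.1.5|0|UPDATE customers SET ssn = NULL WHERE id = 5
"""

SENSITIVE_TABLES = {"customers"}   # constructed data-classification result
ROW_LIMIT = 1000                   # constructed absolute row-volume threshold

# Table references following FROM/JOIN/UPDATE/INTO (good enough for the toy grammar)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
# "OR x=x" style predicate that is always true
TAUTOLOGY_RE = re.compile(r"\bOR\s+(\w+)\s*=\s*\1\b", re.I)


def parse(log):
    """Turn raw audit lines into records with the referenced tables extracted."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        user, host, rows, sql = line.split("|", 3)
        records.append({
            "user": user, "host": host, "rows": int(rows), "sql": sql,
            "tables": {t.lower() for t in TABLE_RE.findall(sql)},
        })
    return records


def learn_baseline(records):
    """Per user: the set of tables normally touched and the largest normal result size."""
    baseline = defaultdict(lambda: {"tables": set(), "max_rows": 0})
    for r in records:
        b = baseline[r["user"]]
        b["tables"] |= r["tables"]
        b["max_rows"] = max(b["max_rows"], r["rows"])
    return baseline


def evaluate(record, baseline):
    """Return the list of alert names raised for one live record."""
    alerts = []
    sql = record["sql"]
    verb = sql.split(None, 1)[0].upper()
    touches_sensitive = bool(record["tables"] & SENSITIVE_TABLES)

    # Policy: a SELECT over a sensitive table with no WHERE clause at all
    if verb == "SELECT" and touches_sensitive and not re.search(r"\bWHERE\b", sql, re.I):
        alerts.append("unbounded_sensitive_select")
    # Policy: always-true predicate, a classic injection indicator
    if TAUTOLOGY_RE.search(sql):
        alerts.append("tautology_predicate")
    # Policy: any write to a sensitive table is recorded, DBA accounts included
    if verb in {"UPDATE", "DELETE", "INSERT"} and touches_sensitive:
        alerts.append("sensitive_write")

    # Anomalies relative to the learned baseline
    b = baseline.get(record["user"])
    if b is None:
        alerts.append("unknown_user")
    else:
        if record["tables"] - b["tables"]:
            alerts.append("table_outside_baseline")
        if record["rows"] > max(ROW_LIMIT, 10 * b["max_rows"]):
            alerts.append("row_volume_anomaly")
    return alerts


def monitor(baseline_log, live_log):
    """Learn from the baseline log, then evaluate every live record."""
    baseline = learn_baseline(parse(baseline_log))
    return [(r["user"], evaluate(r, baseline)) for r in parse(live_log)]


if __name__ == "__main__":
    for user, alerts in monitor(BASELINE_LOG, LIVE_LOG):
        print(f"{user:10s} {alerts or 'ok'}")
```

The first live record is a normal single-row lookup and raises nothing; the injected query is caught twice, once by the tautology policy and once because 48,211 rows is far outside what the `webapp` account ever returned; the unbounded export by `reports` trips a policy and two baseline anomalies; and the DBA's write is recorded even though it is syntactically legitimate, which is exactly the insider case the article is concerned with. A real product also maps the SQL back to the end user behind a pooled application connection, which this toy omits.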

Current DAM offerings have matured to the point that nearly all of them share the same core feature set, one that has expanded over the last few years and become quite robust. Today, for example, if you're looking at deploying DAM to protect your sensitive databases, any product on your short list should also offer more advanced capabilities such as application monitoring, vulnerability detection, and data discovery.

When selecting a DAM solution, the questions to ask first are: does it support your current and future database platforms; can you create your own policies; can the system create policies based on observed user behavior; and does it support your enterprise applications (e.g., PeopleSoft)? Fortunately, available solutions like SQL Guard from Guardium support a wide range of enterprise SQL platforms, including Oracle, DB2, and Microsoft SQL Server, and even open source MySQL, so finding one that fits your environment shouldn't be hard.

One of the best features of DAM solutions is that they can be deployed at the network level and monitor database activity without affecting the database server itself. Imperva SecureSphere is an excellent example: it can be deployed either inline like an IPS, or out-of-band like an IDS (sniffing via a switch monitoring port or network TAP). Inline deployment provides powerful blocking capabilities to prevent data from leaving the network as soon as a breach is detected.

Network deployment is a great option for zero impact, but for comprehensive visibility, a software agent is required to run directly on the database server. An agent can monitor activity as it occurs both at the network and software layer, obviating the need for a network-based solution. But there's a performance cost associated with the agent.

In an ideal situation, the performance hit will be less than 5 percent, but the true benefit of the agent is that local database activity is now visible, along with network activity, so that anything anyone -- including the DBA -- does locally on the server is now monitored. Some vendors like Guardium now include both monitoring and prevention within the software agent, providing data loss prevention not available in typical network-based DLP solutions.

DAM solutions are powerful security tools that not only give security teams security monitoring and compliance, but can also improve business processes with visibility into database usage that wasn't available previously. Given the maturity of the solutions, the visibility into database activity, and the power to prevent data loss, coupled with the current threats we face from both internal and external sources, the question is no longer whether DAM is right for you, but whether your company can afford the risk of not implementing DAM protection.

First article: Tech Insight: Database Security -- The First Three Steps


About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
