
Database Activity Monitoring: What it is and What it Isn't

Database Activity Monitoring (DAM) is a crucial part of your compliance and safety profile, but to be effective at protecting your database, you need to understand its limitations.

What is DAM?

Database Activity Monitoring is a fairly established technology, having existed for over a decade. DAM monitors all activity on the database and provides alerts and reports on that activity. Every time an admin logs in to the database, every action taken is recorded. In fact, if an admin does not log in at all, that too is reported, so you can identify people who hold permissions they aren’t using. Depending on the product you use and its configuration, you’ll get different types of reports and alerts.

One of the crucial elements of DAM is that the data about database use is stored outside the database it is monitoring, so the people who are being monitored cannot tamper with the data. Another crucial element is the ability to send real-time alerts, so that as soon as a violation of policy is detected, it can be handled immediately.

[Figure: Database Activity Monitoring (DAM) diagram]

Monitoring versus prevention

If you read many of the product descriptions on the market, you’ll find that database firewall vendors say that DAM will detect and protect against threats to your database. In many cases, what that means is that you receive reports or alerts about activity that has already occurred, and you can then take action to handle the incident. For example, you might find out that someone has copied the entire database to a hard drive by successfully executing a backup command; you can then investigate and revoke that individual’s admin privileges.

It sounds great, except that the data leak has already occurred. A preventive measure would have denied the ability to copy the database in real time.

So DAM is not prevention. What is it and why do you need it?

Compliance and monitoring

First and foremost, you need DAM to meet the requirements of many regulations, such as SOX, PCI-DSS, HIPAA and others. It’s fundamental to know what has happened in the database, including permissible actions.

Secondly, you want visibility. It’s important to know the usage patterns of your DBAs and sysadmins, and to review them periodically. If anything out of the ordinary does happen, you’ll have a complete record and be able to pinpoint the problem.

Finally, not every behavior can be prevented. Good DAM reporting will allow you to detect users who are inactive, behaviors you hadn’t previously identified as threatening, and other types of anomalies that might indicate new policies need to be put in place.

Multiple-database management

Unlike a database’s own built-in configuration tools, DAM provides management across a number of databases. This gives enterprises a big-picture view of the permissions held by each individual or group. Having one management tool over multiple databases saves a great deal of time and allows for a systems view of the databases in the enterprise.

Monitoring methods

DAM is implemented through different types of monitoring. No method is necessarily better or worse than another, though only the reverse-proxy approach provides capabilities beyond monitoring, namely enforcing policies in real time.

• Network monitoring detects all SQL commands used.

• Remote monitoring is done through creating admin privileges on the database for the monitor itself, which records what is happening in the database using those privileges.

• Agent-based monitoring, in which an agent is installed on every database and records and reports all activity on that database.

• Proxy or reverse-proxy monitoring is performed by a proxy which stands between the database and all incoming and outgoing commands to the database. This methodology can also be used for real-time interception.

Policy suggestion

It’s not much use to get a log file of all activity on the database. An effective DAM will give insight based on patterns of use and anomalies. Many solutions come with built-in default policies that are aligned with best practices and compliance standards. The most experienced vendors in the industry have insight into best practices and can provide an excellent baseline set of policies. Upon implementation, the DAM solution can return reports on any violations of the default policies, allowing the organization to create and implement new policies.

Pattern and anomaly detection

Once baseline policies are established, the DAM may be able to detect anomalies, even if they are not specifically against policy. Such incidents can be easily identified through alert and reporting tools, so that the administrator does not need to manually review log files. Sometimes referred to as behavioral profiling, the ability to detect deviations from normal activity is a crucial factor in identifying potential breaches.
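The detection logic described here, and the backup scenario and dormant-permission reporting from earlier in the article, as an added example that is not code from the original article or from any DAM product. It assumes an audit trail already captured outside the monitored database, an assumed list of privileged accounts and an assumed business-hours baseline; the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of an audit trail as a DAM would hold it, outside the
# monitored database: (timestamp, database user, statement).
AUDIT_LOG = [
    ("2024-03-04T09:12:00", "app_svc", "SELECT id, total FROM orders WHERE id = 42"),
    ("2024-03-04T09:13:10", "dba_alice", "ALTER TABLE orders ADD COLUMN note TEXT"),
    ("2024-03-04T09:15:00", "app_svc", "SELECT id, total FROM orders WHERE id = 43"),
    ("2024-03-05T02:41:00", "dba_alice", "BACKUP DATABASE shop TO DISK = '/mnt/usb/shop.bak'"),
    ("2024-03-05T02:42:00", "dba_alice", "SELECT * FROM customers"),
]
PRIVILEGED_ACCOUNTS = {"dba_alice", "dba_bob", "sysadmin_carol"}  # assumed admin list
BUSINESS_HOURS = range(8, 19)                                       # assumed baseline
BULK_COPY_MARKERS = ("BACKUP DATABASE", "INTO OUTFILE", "PG_DUMP", "MYSQLDUMP")

def detect(audit_log=AUDIT_LOG, privileged=PRIVILEGED_ACCOUNTS):
    """Return (severity, user, message) alerts, urgent ones first."""
    alerts, seen, off_hours = [], set(), Counter()
    for ts, user, stmt in audit_log:
        seen.add(user)
        hour = datetime.fromisoformat(ts).hour
        # Policy violation: a whole-database copy, the backup scenario in the text.
        if any(marker in stmt.upper() for marker in BULK_COPY_MARKERS):
            alerts.append(("urgent", user, f"bulk copy at {ts}: {stmt}"))
        # Anomaly: a privileged account active outside its baseline window.
        if user in privileged and hour not in BUSINESS_HOURS:
            off_hours[user] += 1
    for user, n in sorted(off_hours.items()):
        alerts.append(("review", user, f"{n} privileged statement(s) outside business hours"))
    # Dormant privileges: admins who never appeared in the monitored period.
    for user in sorted(privileged - seen):
        alerts.append(("review", user, "privileged account with no activity in period"))
    return sorted(alerts, key=lambda a: (a[0] != "urgent", a[1]))
```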

Sensitive data detection

Some of the DAM tools on the market today are able to scan databases to identify sensitive data. In organizations with multiple databases or outsourced database programmers, it is common to find that the organization itself is not sure where all the sensitive data is stored. Data detection tools scan every column and row, identify where sensitive data is stored, and suggest policies for protecting that data. Even when you have an idea of where the data is stored, automated detection gives you the extra peace of mind of knowing that you have definitely covered all potential columns and tables containing sensitive data.
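A column-level sensitive-data scan of the kind described above, as an added example that is not code from the original article or from any vendor's product. It runs against a constructed in-memory SQLite database, uses two assumed detectors (e-mail addresses and Luhn-valid payment card numbers), and attaches an assumed protection policy to each finding.

```python
import re
import sqlite3
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
CARD_RE = re.compile(r"^\d{13,19}$")
# Protection policy the scanner suggests for each kind of finding (assumed wording).
POLICIES = {"payment_card": "mask all but the last four digits; alert on unfiltered SELECT",
            "email": "alert on bulk export; restrict reads to the application role"}

def luhn_ok(digits):
    # Luhn checksum keeps ordinary 16-digit identifiers from being flagged as cards.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    # Sensitive-data kind of one cell value, or None.
    if not isinstance(value, str):
        return None
    if EMAIL_RE.match(value):
        return "email"
    compact = value.replace(" ", "").replace("-", "")
    if CARD_RE.match(compact) and luhn_ok(compact):
        return "payment_card"
    return None

def scan(conn, min_ratio=0.5):
    # {(table, column): (kind, policy)} where >= min_ratio of sampled non-NULL values match.
    findings, cur = {}, conn.cursor()
    for (table,) in cur.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for _cid, col, *_rest in cur.execute(f'PRAGMA table_info("{table}")').fetchall():
            rows = cur.execute(f'SELECT "{col}" FROM "{table}" LIMIT 1000').fetchall()
            values = [r[0] for r in rows if r[0] is not None]
            kinds = [classify(v) for v in values]
            for kind in POLICIES:
                if values and kinds.count(kind) / len(values) >= min_ratio:
                    findings[(table, col)] = (kind, POLICIES[kind])
    return findings

def demo_db():
    # Constructed sample database; the sensitive columns carry no telltale names.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, contact TEXT, ref TEXT);
        INSERT INTO customers VALUES (1, 'ann@example.com', '4111 1111 1111 1111'),
            (2, 'bob@example.org', '5500-0000-0000-0004'), (3, NULL, '1234567890123456');
        CREATE TABLE orders (id INTEGER, note TEXT);
        INSERT INTO orders VALUES (1, 'gift wrap'), (2, 'leave at door');""")
    return conn
```

The third value in `customers.ref` fails the Luhn check, so the column is reported on the strength of the two valid card numbers rather than on the digit pattern alone.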

Reporting and alert tools

The best DAM solutions should make it easy for administrators to see what is going on by automatically analyzing the data and providing easily accessible and understandable reports and alerts.

One of the dangers with any type of logging or reporting tool is that the alerts become overwhelming and the admin may overlook the most important ones. One of the requirements of a good DAM solution is that admins are alerted in a way that makes it easy to identify urgent cases and filter out alerts that can be handled later.

Similarly, reporting tools need to provide visual indicators of the problem areas, so that IT staff can focus on the issues that need immediate attention. If the reporting system is overwhelming, gives too many false positives, or is difficult to use, the utility of DAM is dramatically reduced. Advanced reporting tools may allow admins to create their own customized reports.

Activity monitoring

In reality, most of the activity on the database is not performed by individuals, but by calls from apps and other databases. Some DAM solutions include full monitoring of apps and other sources of database calls. In fact, this should be a requirement, because of the huge incidence of insider threats, and because most outsider threats come through apps. If you do not have full activity monitoring in the DAM solution, it’s important to implement application and database firewalls as a supplement to monitor and prevent such activity.

Rollback

Some DAM solutions provide rollback capabilities, in case inadvertent or intentional damage was done to the database.

Separation of duties

Separation of duties refers to providing different levels of permissions to different administrators. Though not a DAM function at the core, some DAM products do provide additional administration tools for managing administrators.

A common question is why any separation of duties is needed beyond what the database’s built-in tools provide. Furthermore, cloud platforms such as AWS provide separation of duties on top of the database’s built-in features. The answer is that it depends on your requirements, and you need to investigate exactly what those are.

For organizations that need highly granular separation of duties, tools are available to limit access at the level of an individual row or column, so that administrators who should have limited access can reach only specific data within a database.

Advanced separation of duties tools may be bundled with DAM or sold as separate products.

Remediation

The most important item to understand about DAM is the issue of remediation. Remediation is performed outside of the DAM solution. Most of the DAM solutions on the market do not include the real-time database protection of a database firewall or a data masking solution. In other words, the DAM only alerts on problems, so the operations team needs to repair any damage or revoke privileges that are being abused. Only real-time database firewalls are set up to also include tools for real-time intervention and prevention of threats.

Conclusion

DAM is an important part of your enterprise compliance profile and provides some components of database security. However, DAM does not offer a real-time security measure against threats such as SQL injection, insider threats, and inadvertent tampering with data. To ensure your enterprise is covered, DAM needs to be combined with other solutions such as SQL injection protection, a database firewall, and data masking and encryption.

David Maman is co-founder and CTO at GreenSQL, a leader in database security and compliance solutions for enterprises running on-premise or in the cloud. A recognized international expert in computer security, David advises companies on threat management, real-time network protection, advanced network design, and security architecture.