Database Activity Monitoring
The Importance of Database Activity Monitoring
Database activity monitoring provides a way to monitor database activity and privileged access to databases and can identify and (optionally) prevent SQL injection attacks accessing large amounts of data or unusual queries.
Database activity monitoring can meet the auditing requirements of most organizations.
Database activity monitoring may be able to detect (or deter) database admins and other privileged users from reading sensitive data.
Limitations of Database Activity Monitoring
Database Activity Monitoring systems use signature-based algorithms, and thus have false positives and false negatives and require a good bit of tuning. In addition, some systems need to sit in the data path which does not work if the data is encrypted.
Vidder's Database Activity Monitoring Recommendations
Vidder recommends deploying a Database Activity Monitoring system for databases containing highly sensitive data and/or when database activity must be audited. There are a few criteria to consider when choosing a database activity monitoring solution. The first is the type of system.
There are three types of database activity monitoring systems: network-based, remote, and local agent. Network-based systems are implemented as a bump-in-the-wire and see all SQL queries going to the database and the data being returned. An advantage of this method is that it does not impact the performance of the database. However, network-based systems may not see privileged access to the databases when logged in locally to the database.
Remote monitoring uses the native database engine to capture the SQL queries. The advantage of this method is that all commands will be captured including privileged access when logged in locally. The disadvantage is that this method may slow down the database (especially on Oracle databases).
Local agent monitoring install an agent on the same server as the database. In more recent systems, the agent hooks into the kernel of the database to monitor the traffic without modification to the database software. Typical performance degradation of this method is well under 5%. Advantages of this method include the ability to monitor all SQL queries and correlate them easily across database platforms. A requirement is that the vendor support all database engines the corporation uses.
A second decision criteria is the policy type. There are three types of policies: rule-base, heuristic, and content-based. Rule-base policies can alert on specific types of queries, number of results by column and/or administrative privilege of the user, and may also do some SQL injection detection.
Heuristic policies create a baseline of activity and look for activity outside of the baseline on a per user basis.
Content-based policies effectively perform data loss prevention techniques to look for social security numbers, credit card numbers and other regular expression-based items maliciously or accidentally inserted into the database.
Another criteria to consider is alerting and reporting capabilities. Here the permutations are great, so finding capabilities that match existing work flows are important.
There are other newer criteria that may be considered. These typically have to do with providing greater granularity to the communication with the application server - be it the database user or the interaction the application has with the data.