Privileged User Monitoring
Privileged user monitoring poses a significant technical and operational challenge because database and IT administrators need unrestricted access to do their jobs. Most often, privileged activity is performed directly on the data system, so it is not visible from outside the system itself.
Without effective privileged user monitoring, these users can cause immense damage without ever being detected. In addition, industry and compliance regulations, including PCI DSS, SOX and others, require that privileged users be closely monitored and that their activities be authorized.
Track Privileged Access to Sensitive Data
Organizations should monitor all privileged access to files and databases, including local system access; audit user creation and newly granted privileges; and restrict the use of shared privileged accounts.
Block or Alert on Suspect Activity
Identify user behavior that deviates from normal access patterns, and alert on or block suspicious activities that may indicate privilege abuse. Users performing unauthorized activities should be quarantined and their privileges reviewed. Audit reports and analytical tools are needed to support forensic investigations.
Identify Unauthorized Privilege Changes
Changes to data objects and data system users must be properly authorized. Unauthorized activities should be thoroughly investigated and controls should be implemented to prevent future incidents.
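The three controls above (auditing privileged access and account/privilege changes, alerting on deviations from normal access patterns, and checking that privilege changes were authorized) can be expressed as rules run over database audit records. The following is an added example, not code from the page or from any monitoring product: it triages a constructed set of audit lines against a constructed list of approved change tickets and a constructed per-user baseline of normally accessed objects. The log format, the account names, the table names and the ticket identifiers are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample audit records (not from any real system). Assumed format:
# timestamp | database user | OS user | client host | SQL text
SAMPLE_AUDIT_LOG = """\
2024-05-06T09:12:03 | dba_jsmith | jsmith | 10.1.4.22  | SELECT id, balance FROM accounts WHERE id = 7
2024-05-06T09:15:41 | dba_jsmith | jsmith | 10.1.4.22  | CREATE USER svc_report IDENTIFIED BY '***'
2024-05-06T09:16:02 | dba_jsmith | jsmith | 10.1.4.22  | GRANT SELECT ON accounts TO svc_report
2024-05-06T02:47:19 | dba_jsmith | jsmith | localhost  | SELECT * FROM card_data
2024-05-06T11:03:55 | sa         | ops    | 10.1.9.3   | GRANT DBA TO temp_admin
2024-05-06T11:30:00 | app_user   | app    | 10.1.7.10  | SELECT name FROM customers WHERE id = 42
"""

PRIVILEGED_USERS = {"dba_jsmith", "sa"}     # constructed
SHARED_ACCOUNTS = {"sa"}                    # generic accounts that hide the real operator
SENSITIVE_TABLES = {"accounts", "card_data"}
BUSINESS_HOURS = range(7, 19)               # 07:00-18:59 local time

# Approved change tickets: (database user, normalized statement) -> ticket id. Constructed.
APPROVED_CHANGES = {
    ("dba_jsmith", "CREATE USER svc_report"): "CHG-1042",
    ("dba_jsmith", "GRANT SELECT ON accounts TO svc_report"): "CHG-1042",
}

# Objects each privileged user normally touches (a learned baseline; constructed here).
BASELINE_TABLES = {"dba_jsmith": {"accounts", "audit_log"}, "sa": set()}

PRIV_CHANGE_RE = re.compile(r"^\s*(CREATE USER|ALTER USER|DROP USER|GRANT|REVOKE)\b", re.I)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|ON)\s+([A-Za-z_]\w*)", re.I)


def normalize_change(sql):
    """Collapse whitespace and drop password material so a statement can be matched to a ticket."""
    sql = re.sub(r"\s+IDENTIFIED\s+BY\s+\S+", "", sql, flags=re.I)
    return " ".join(sql.split())


def parse_line(line):
    """Split one pipe-delimited audit record into its fields (SQL may itself contain '|')."""
    ts, user, os_user, host, sql = (f.strip() for f in line.split("|", 4))
    return {"ts": datetime.fromisoformat(ts), "user": user, "os_user": os_user,
            "host": host, "sql": sql}


def triage(log_text):
    """Return a list of findings; each is {"line", "user", "rule", "detail"}."""
    findings = []
    for lineno, raw in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_line(raw)

        def flag(rule, detail):
            findings.append({"line": lineno, "user": ev["user"], "rule": rule, "detail": detail})

        # Shared privileged account: keep the OS user and host so the action can be attributed.
        if ev["user"] in SHARED_ACCOUNTS:
            flag("shared-account", f"generic account used by {ev['os_user']}@{ev['host']}")

        # Account or privilege changes must match an approved change ticket.
        if PRIV_CHANGE_RE.match(ev["sql"]):
            norm = normalize_change(ev["sql"])
            if (ev["user"], norm) not in APPROVED_CHANGES:
                flag("unauthorized-privilege-change", norm)

        if ev["user"] in PRIVILEGED_USERS:
            tables = {t.lower() for t in TABLE_RE.findall(ev["sql"])}
            # Deviation from the user's normal access pattern.
            unusual = tables - BASELINE_TABLES.get(ev["user"], set())
            if unusual:
                flag("baseline-deviation", f"objects outside baseline: {sorted(unusual)}")
            # Sensitive data touched outside business hours.
            if ev["ts"].hour not in BUSINESS_HOURS and tables & SENSITIVE_TABLES:
                flag("off-hours-sensitive-access", ev["sql"])
            # Local access bypasses network-level monitoring, so record it explicitly.
            if ev["host"] == "localhost" and tables & SENSITIVE_TABLES:
                flag("local-sensitive-access", ev["sql"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"line {f['line']:>2} {f['user']:<11} {f['rule']:<30} {f['detail']}")
```

On the sample data the two approved statements on lines 2 and 3 produce nothing, the off-hours local read of `card_data` on line 4 trips three rules, and the `GRANT DBA` issued through the shared `sa` account on line 5 is flagged both as shared-account use and as an unticketed privilege change. In a deployment the approved-change table would be fed from the change-management system and the baseline learned from history rather than hard-coded.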
Separation of Duties: Privileged Users Should Not Monitor Themselves
Following the principle of separation of duties (SoD), the monitoring capability should not be managed or operated by the privileged users it monitors, since they could alter the controls to conceal irregular activity.
Eliminate Excessive Rights That May Be Abused
Hardening systems by granting access strictly on a business need-to-know basis is an essential step in data breach prevention. Organizations should review user privileges and identify highly privileged users, verify that each privilege is necessary for the user's role and duties, revoke excessive rights and remove dormant users.
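The privilege review described above (identify highly privileged users, compare granted rights with what the role needs, revoke the excess, remove dormant accounts) is illustrated by the following added example; it is not code from the page or from any product. The account extract, the job roles, the per-role entitlement policy and the 90-day dormancy threshold are constructed for the example, and the remediation plan it emits is a list of actions rather than DBMS-specific statements because REVOKE and account-lock syntax differs between database products.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)                       # assumed policy threshold
HIGH_PRIVILEGES = {"DBA", "SYSADMIN", "GRANT ANY PRIVILEGE"}

# Privileges each job role legitimately needs (constructed policy).
ROLE_ENTITLEMENTS = {
    "database administrator": {"DBA", "CREATE SESSION"},
    "report developer": {"CREATE SESSION", "SELECT ON reporting"},
    "application service": {"CREATE SESSION", "SELECT ON customers", "UPDATE ON orders"},
}

# Constructed extract of database accounts: (account, job role, granted privileges, last login).
ACCOUNTS = [
    ("dba_jsmith", "database administrator", {"DBA", "CREATE SESSION"}, date(2024, 5, 3)),
    ("rep_kwong", "report developer",
     {"CREATE SESSION", "SELECT ON reporting", "DBA"}, date(2024, 4, 29)),
    ("svc_orders", "application service",
     {"CREATE SESSION", "SELECT ON customers", "UPDATE ON orders", "GRANT ANY PRIVILEGE"},
     date(2024, 5, 5)),
    ("old_contractor", "report developer", {"CREATE SESSION", "SELECT ON reporting"}, date(2023, 11, 2)),
    ("svc_legacy", "application service", {"CREATE SESSION", "SYSADMIN"}, None),  # never logged in
]


def review(accounts, review_date):
    """Classify accounts: highly privileged, holding rights beyond their role, or dormant."""
    report = {"highly_privileged": [], "revoke": {}, "dormant": []}
    for name, role, granted, last_login in accounts:
        if granted & HIGH_PRIVILEGES:
            report["highly_privileged"].append(name)
        # Anything granted that the role's policy does not cover is excess.
        excess = granted - ROLE_ENTITLEMENTS.get(role, set())
        if excess:
            report["revoke"][name] = sorted(excess)
        # No login on record, or last login older than the threshold, means dormant.
        if last_login is None or review_date - last_login > DORMANT_AFTER:
            report["dormant"].append(name)
    return report


def remediation_plan(report):
    """Turn the review into ordered actions: lock dormant accounts first, then strip excess rights."""
    plan = [("lock", name) for name in report["dormant"]]
    for name, privs in report["revoke"].items():
        if name in report["dormant"]:
            continue  # the account is being locked; its rights go with it
        plan.extend(("revoke", name, p) for p in privs)
    return plan


if __name__ == "__main__":
    r = review(ACCOUNTS, date(2024, 5, 6))
    print("highly privileged:", r["highly_privileged"])
    print("dormant:", r["dormant"])
    for action in remediation_plan(r):
        print(*action)
```

Run against the sample extract on 2024-05-06, the review lists four highly privileged accounts, marks the two that have not logged in within 90 days as dormant, and proposes revoking `DBA` from the report developer and `GRANT ANY PRIVILEGE` from the order service; the `SYSADMIN` right on the dormant service account is not revoked separately because the account itself is locked. The same comparison works for file-share or OS permissions once the granted rights and the role policy are expressed as sets.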
¹ Blocking privileged database users' activities requires SecureSphere Database Firewall (DBF).
"Database Activity Monitoring Market Overview" by Jeffrey Wheatman, Mark Nicolett, 03-Feb-2009