Database Activity Monitoring (DAM) tools have become widely used by companies that want an added layer of protection against malicious attacks. More to the point, database monitoring is often required to meet the compliance obligations that govern industries such as finance and healthcare.
However, many database administrators still rely on the monitoring tools built into the database itself, which can prove ineffective and costly. While these tools may be free, they carry hidden costs that can add up to millions of dollars.
Because the built-in approach degrades performance (normally up to 20% extra server load), it drives up hardware and software costs. Built-in tools also log poorly: the audit trail is padded with irrelevant entries, which makes it hard for administrators to assess and optimize their databases.
How Do Database Monitoring Tools Protect You?
Automated solutions provide better protection, lower costs, improved security audits, and reporting. If an attacker gets at your database, whether through data mishandling, DDoS, or SQL injection, real-time alerting and response are vital.
Other features your database monitoring tool should offer are alert prioritization and dynamic policy creation, along with an easy-to-use interface that lets the administrator, or incident handler, review current vulnerabilities and possible threats.
Effective database monitoring tools accomplish four tasks: (1) they collect information about the traffic interacting with your database, (2) they correlate that activity with legitimate versus illegitimate users, (3) they create policies to reduce mishandling and abuse, and (4) they provide rapid and prioritized responses to threats.
1. Traffic Collection
Many monitoring tools now audit both users who connect to the database directly and application clients that reach it through a mobile device, browser, or web application. This lets companies keep up with compliance requirements and protect their database regardless of the volume of traffic.
Imperva SecureSphere does this by capturing the details of each transaction and analyzing activity within the database. SecureSphere's real-time monitoring gives companies visibility into all traffic so they can address vulnerabilities and assess risk.
2. Activity Correlation
In addition to monitoring, activity correlation is an advanced DAM feature that detects a possible threat by tracking transactions per user. If a user generates an unusually high number of transactions, or a direct-access user starts tampering with parts of the database outside their domain, an alert is raised automatically.
All activity within a database is typically logged to a repository, a standard feature of any DAM solution. Activity correlation goes beyond that by automatically archiving activities, policies, and configurations and building a model of normal database operations user by user. This correlation is vital to establishing what each user's normal activity looks like, so that anomalies can be detected and dealt with head on.
3. Policy Creation
A common yet potent feature of an effective DAM tool is the ability to respond in real time when an attack or threat appears. Real-time monitoring is a good solution, but a better one is to prevent those attacks from succeeding in the first place. This is where policy creation comes in.
Proactive DAM policies come in two forms. First, rule-based policies govern the actions of direct users (such as administrators), SQL injection signatures, query triggers, and overall activity levels. Second, heuristic policies build profiles that define normal activity for each user. When abnormal activity occurs, your DAM should not only take remedial action but block the activity altogether.
The problem with building your own heuristic policies is that they are complex to set up and require constant tuning. In contrast, the Dynamic Learning Method (DLM) and Adaptive Normal Behavior Profile (NBP) provided by SecureSphere update heuristic policies automatically. For example, if a direct user normally works with customer contact information but suddenly tries to access the credit card database, SecureSphere would respond by blocking that user. One practical precaution with any learned profile: a blocking response will also block legitimate work the profile has not yet seen, so a new profile is usually run in alert-only mode until it has stabilized.
Naturally, pre-packaged policies should be taken advantage of, because they require little setup time. Policy wizards bundled with DAMs are also a step in the right direction, but such static solutions do not provide the detailed, preventative policies that are needed.
4. Alert Communication
One of the most important aspects of DAM tools is support for active alerting and incident prioritization. Alerts can be delivered in various ways: by email, through an alert panel in the DAM tool itself, or through a third-party security tool such as a SIEM. Low-risk incidents should be identified as such, but others, such as a user trying to access sensitive information or a spike in traffic, must be prioritized and handled according to their severity.
The most comprehensive form of alert is the policy-based alert. Policy-based alerts fall into two categories.
User Activity: As mentioned, alerts should be user-specific, covering abnormal information requests or access, tampering with sensitive data, and SQL injection attempts. These alerts are what tell the operator that a threat or malicious activity is under way.
System and Administrative Activity: Violations within the system itself or among direct-access users, most notably privilege escalation, configuration changes, account creation, or changes to stored procedures, should also trigger alerts of possible abuse or malicious use of the database.
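The three mechanisms described above (a per-user baseline built by activity correlation, rule-based and heuristic policies, and severity-ranked alerts for user and administrative activity) are easier to see in working code. The following is an added example written for this article; it is not SecureSphere or any vendor's code. The audit events, table names, regular expressions and thresholds are all assumptions made for the example, and the SQL matching is deliberately crude (a real DAM parses statements rather than pattern-matching them).

```python
"""Toy database activity monitor (added example, not vendor code).

Builds a per-user baseline from a learning window of audit events, then
evaluates a later window against rule-based policies (admin actions, SQL
injection signatures) and heuristic policies (unfamiliar tables, activity
spikes), returning alerts ordered by severity.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Severity rank used to prioritize alerts (higher = more urgent).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Tables treated as sensitive (assumed for the example).
SENSITIVE_TABLES = {"credit_cards"}

# Rule-based policies for system and administrative activity: (pattern, reason, severity).
ADMIN_RULES = [
    (re.compile(r"^\s*GRANT\b", re.I), "privilege escalation", "high"),
    (re.compile(r"^\s*CREATE\s+USER\b", re.I), "account creation", "high"),
    (re.compile(r"^\s*(CREATE|ALTER|DROP)\s+PROCEDURE\b", re.I), "stored procedure change", "high"),
    (re.compile(r"^\s*ALTER\s+SYSTEM\b", re.I), "configuration change", "medium"),
]

# Crude SQL injection signatures: quoted tautology after OR, UNION SELECT, or a comment-terminated statement.
SQLI_RULE = re.compile(r"\bOR\b\s+'(\w+)'\s*=\s*'\1'|\bUNION\s+SELECT\b|;\s*--", re.I)

# Table names following FROM/JOIN/INTO/UPDATE; enough for the toy statements below.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)", re.I)


def tables_in(sql: str) -> set[str]:
    return {t.lower() for t in TABLE_RE.findall(sql)}


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    severity: str
    statement: str


class Monitor:
    """Learns each user's normal behaviour, then evaluates a window of events."""

    def __init__(self, learning_events, spike_factor=3.0):
        # Baseline: tables each user normally touches and statement count per window.
        self.baseline_tables = defaultdict(set)
        self.baseline_counts = Counter()
        for user, sql in learning_events:
            self.baseline_tables[user] |= tables_in(sql)
            self.baseline_counts[user] += 1
        self.spike_factor = spike_factor

    def evaluate(self, events) -> list[Alert]:
        """Return alerts for one window of (user, sql) events, highest severity first."""
        alerts = []
        window_counts = Counter()
        for user, sql in events:
            window_counts[user] += 1
            for pattern, reason, severity in ADMIN_RULES:      # rule-based policies
                if pattern.search(sql):
                    alerts.append(Alert(user, reason, severity, sql))
            if SQLI_RULE.search(sql):
                alerts.append(Alert(user, "possible SQL injection", "high", sql))
            if user in self.baseline_counts:                   # heuristic: outside learned profile
                for table in tables_in(sql) - self.baseline_tables[user]:
                    sev = "high" if table in SENSITIVE_TABLES else "low"
                    alerts.append(Alert(user, f"access to unfamiliar table {table}", sev, sql))
        for user, n in window_counts.items():                  # heuristic: volume and unknown users
            base = self.baseline_counts.get(user, 0)
            if base == 0:
                alerts.append(Alert(user, "activity from user with no learned profile", "medium", ""))
            elif n > self.spike_factor * base:
                alerts.append(Alert(user, f"activity spike ({n} vs baseline {base})", "medium", ""))
        alerts.sort(key=lambda a: SEVERITY_RANK[a.severity], reverse=True)
        return alerts


# Constructed sample audit events (not real logs). Learning window first.
LEARNING = [
    ("alice", "SELECT name, email FROM customers WHERE id = 42"),
    ("alice", "UPDATE customers SET phone = '555-0100' WHERE id = 42"),
    ("alice", "SELECT name FROM customers WHERE region = 'west'"),
    ("dba", "SELECT count(*) FROM orders"),
    ("etl", "SELECT * FROM orders WHERE day = 0"),
]
WINDOW = [
    ("alice", "SELECT name FROM customers WHERE id = 7"),
    ("alice", "SELECT pan, expiry FROM credit_cards WHERE customer_id = 7"),
    ("webapp", "SELECT * FROM products WHERE id = '1' OR '1'='1'"),
    ("dba", "GRANT ALL ON credit_cards TO alice"),
    ("dba", "CREATE USER backdoor IDENTIFIED BY 'x'"),
] + [("etl", "SELECT * FROM orders WHERE day = 1")] * 4

if __name__ == "__main__":
    for a in Monitor(LEARNING).evaluate(WINDOW):
        print(f"[{a.severity:6}] {a.user}: {a.reason}  {a.statement}")
```

Run as a script it prints six alerts: alice reaching the credit card table, the web application's tautology injection, the DBA's GRANT and CREATE USER, the unprofiled web application account, and the ETL account's fourfold jump in statement volume, in that order. A blocking policy of the kind the article describes would act on the high-severity alerts before the statement reaches the server; the alert-only form shown here is what you would run while a profile is still learning.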
What to take away from DAM tools?
DAM tools are essential for every database because they protect both your organization and the customers you serve.
Whatever tool you choose, make sure it protects against SQL injection, privilege abuse, excessive privileges, and abnormal user activity. As a matter of best practice, setting up responsive policies and alerts should be a top priority. All told, this means your DAM must cover four procedures:
- Traffic Collection
- Activity Correlation
- Policy Creation
- Alert Communication