What is Database Activity Monitoring (DAM)?
DAM is the collection of database-related activity, stored in a central location and then analyzed against both security policies and business-process policies.
Database activity monitoring captures and analyzes database events in near real time, and creates an alert on policy violations.
It differs from intrusion detection systems and data loss prevention systems because it is an infosec technology that is wholly database focused. It inspects SQL queries, and beyond identifying which tables are touched it can do much more, such as business process analysis: inferring when someone is misusing the database and separating that from normal database activity.
What does a DAM solution look like? Typically it is deployed in an enterprise system: the DAM appliance usually sits in front of the database server and captures all activity in and out. So it sees SQL queries as they come into the database and inspects the content of the information as it flows out. Databases in an enterprise environment are used by many different types of applications (ERP systems, web applications, etc.), so collecting ALL of that activity and distinguishing appropriate use from misuse of the data is a difficult challenge.
Why use DAM?
Security is the main reason, and the ability to detect misuse is another driving factor. Insider threat detection was and still is very important to any organization: being able to see when sensitive information was accessed or possibly leaked out. More common now is detecting SQL injection. DAM is also used for business process enforcement (SOX, PCI DSS, HIPAA, etc.) and for security event audits.
Monitoring Use Cases
- Business Process Analysis/Enforcement (SOX, HIPAA, PCI, etc)
- Block malicious activity
- Security event verification
- Compliance controls
- Query and efficiency analysis
- Operations and change controls
What to Monitor?
Most DAM products will give you the following capabilities right out of the box.
- Sensitive Data Access
- Critical Database transactions
- Strange or erratic user behavior
- Forensic analysis and reports (the ability to compile activities over a long period of time, for compliance as well as for any security incidents that may occur)
One of the big challenges of DAM is: How do I introduce this to my company and environment?
Three basic options for DAM Deployment:
- Network Monitoring – Just look at database activity on your network. Very fast and easy to deploy, but it does not capture critical database activity that never crosses the network.
- Remote Monitoring – Scans the memory structures on the database servers, reads the database operations and pulls that information out to a central collection appliance.
- Agent-based deployment – An OS kernel-level agent captures all traffic on the database server, including local application activity and administrative activity, which is critical when looking for misuse.
Event Collection Methods
- Database Audit Logs
- Event Log
- System Trace
- Console Activities
- Network activities
- Database Activities
- Transaction Logs
- Memory Scans
- System Tables
Basic Database Security
- SQL Queries (the best way to monitor common attacks like SQL injection and to profile the SQL queries that legitimate applications issue; also a good way of catching programming errors)
- Logout/failed logins (the best way to spot security breaches)
- Administrative & system activities (want to see what the admins are actually doing? Are they applying patches and doing what they are supposed to be doing?)
- User Activities (if you use user access control systems you can know exactly which user is requesting a given query or business function)
- Metadata & structural Changes
- System management events
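As an added example that is not part of the original article, the following Python sketches two of the checks just listed: profiling the SQL query shapes a legitimate application issues, so that an unprofiled shape such as an injected tautology stands out, and detecting bursts of failed logins within a sliding window. The queries, logins, addresses and timestamps are constructed for the example.

```python
"""Added example (not part of the original article): two of the checks listed
above, run over constructed audit events.

1. Query profiling: statements from a known-good application are reduced to a
   fingerprint (literals replaced by '?') to build a baseline; any statement
   whose fingerprint is not in the baseline is flagged.  A tautology such as
   OR '1'='1' yields a shape the application never emits.
2. Failed-login bursts: a threshold of failures for one login inside a sliding
   window raises an alert.

Queries, logins, addresses and timestamps below are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- 1. SQL query profiling ------------------------------------------------
_STRING = re.compile(r"'(?:[^']|'')*'")    # single-quoted literal, '' escape
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")  # numeric literal
_SPACE = re.compile(r"\s+")

def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals replaced, whitespace folded."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _SPACE.sub(" ", s).strip().lower()

def build_baseline(known_good):
    """Set of fingerprints observed while profiling the legitimate application."""
    return {fingerprint(q) for q in known_good}

def unknown_queries(baseline, observed):
    """Statements whose shape the profiled application has never produced."""
    return [q for q in observed if fingerprint(q) not in baseline]

# Constructed traffic captured while profiling the application.
KNOWN_GOOD_QUERIES = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 7",
    "UPDATE users SET last_login = '2024-01-15 09:00:00' WHERE id = 42",
]

# Constructed later traffic: two normal statements and one injected tautology.
OBSERVED_QUERIES = [
    "SELECT id, name FROM users WHERE id = 1001",
    "SELECT id, name FROM users WHERE id = 1 OR '1'='1'",
    "UPDATE users SET last_login = '2024-02-01 17:45:10' WHERE id = 1001",
]

# --- 2. Failed-login burst detection --------------------------------------
def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """(login, timestamp) pairs at the moment a login's failure count inside
    `window` reaches `threshold`; no further alert while the count stays above it."""
    recent = defaultdict(deque)   # login -> timestamps of failures in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login_failed":
            continue
        q = recent[ev["login"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((ev["login"], ev["ts"]))
    return alerts

T0 = datetime(2024, 1, 15, 2, 14, 0)  # constructed start time
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=5 * i), "event": "login_failed",
     "login": "sa", "src": "10.0.5.23"}
    for i in range(6)
] + [
    {"ts": T0 + timedelta(minutes=10), "event": "login_failed",
     "login": "reports", "src": "10.0.1.8"},
    {"ts": T0 + timedelta(minutes=11), "event": "login_ok",
     "login": "reports", "src": "10.0.1.8"},
]

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_QUERIES)
    for q in unknown_queries(baseline, OBSERVED_QUERIES):
        print("unprofiled query shape:", q)
    for login, ts in failed_login_bursts(SAMPLE_EVENTS):
        print(f"failed-login burst for {login!r} at {ts}")
```

The fingerprint approach is deliberately simple: it catches statements whose structure the application never produces, which is exactly what a tautology or a UNION appended to a parameter does, but it says nothing about a legitimate shape used with unexpected values, which is why the operation-type and sensitive-table policies elsewhere in this article are still needed.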
Database Operation Types
DML (select, insert, update, delete) – Data Manipulation Language
DDL (create, alter, drop) – Data Definition Language (creating new users, dropping tables, altering permissions)
DCL (grant, revoke) – Data Control Language (running batch jobs, granting and revoking certain access rights)
Most DAM products allow you to divide your policies by the operation types listed above. You can then match an operation type against other parameters, such as time of day or specific IP addresses, to gain more insight.
- Blocking – block unauthorized users
- Sensitive Data Access – monitor databases and tables with sensitive data.
- Connection Pooled User Identification – de-anonymize users so that you can look up the user who came in through an application, associate that user with the query and store that information for analysis. In essence this is the correlation you see in some SIEM products, but done at the database activity level.
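The policy matching just described, as an added Python example that is not part of the original article: statements are classified as DML, DDL or DCL by their leading keyword and matched against policies that combine operation type with time of day, source IP address, sensitive tables and the end user that an application has tagged on a pooled connection. The table names, network ranges, accounts and events are constructed for the example; real products express these rules in their own policy configuration.

```python
"""Added example (not part of the original article): a small policy engine of
the kind the text describes.  Each captured statement is classified as
DML/DDL/DCL, and policies combine the operation type with time of day, source
IP address, sensitive tables and the end user behind a pooled connection.

Table names, IP ranges, accounts and events are constructed for the example;
a real DAM product expresses the same rules in its own policy language.
"""
import ipaddress
import re
from datetime import datetime, time

OP_TYPES = {
    "DML": {"select", "insert", "update", "delete", "merge"},
    "DDL": {"create", "alter", "drop", "truncate"},
    "DCL": {"grant", "revoke"},
}

def classify(sql: str) -> str:
    """DML, DDL, DCL or OTHER, decided by the statement's leading keyword."""
    m = re.match(r"\s*(\w+)", sql)
    verb = m.group(1).lower() if m else ""
    return next((op for op, verbs in OP_TYPES.items() if verb in verbs), "OTHER")

def tables_referenced(sql: str) -> set:
    """Crude name extraction: the token after FROM/JOIN/INTO/UPDATE/TABLE/ON."""
    return {t.lower() for t in
            re.findall(r"\b(?:from|join|into|update|table|on)\s+([\w.]+)", sql, re.I)}

# Constructed policy parameters.
CHANGE_WINDOW = (time(7, 0), time(19, 0))            # hours in which DDL/DCL is expected
DBA_NETWORK = ipaddress.ip_network("10.0.9.0/24")   # constructed DBA jump-host range
SENSITIVE_TABLES = {"hr.salaries", "crm.cardholders"}

def in_change_window(ts: datetime) -> bool:
    return CHANGE_WINDOW[0] <= ts.time() < CHANGE_WINDOW[1]

def evaluate(event: dict) -> list:
    """Names of the policies the event trips; an empty list means nothing to report."""
    op = classify(event["sql"])
    src = ipaddress.ip_address(event["src"])
    sensitive = tables_referenced(event["sql"]) & SENSITIVE_TABLES
    # Connection-pooled user identification: the application tags each session
    # with the real end user; fall back to the database account otherwise.
    actor = event.get("app_user") or event["db_user"]
    findings = []
    # Policy 1: schema and privilege changes only from the DBA network, in hours.
    if op in ("DDL", "DCL") and (src not in DBA_NETWORK or not in_change_window(event["ts"])):
        findings.append(f"{op} outside change window by {actor} from {src}")
    # Policy 2: every touch of a sensitive table is recorded with the real actor.
    if sensitive:
        findings.append(f"sensitive access to {','.join(sorted(sensitive))} by {actor}")
    return findings

def decide(event: dict) -> str:
    """Block unauthorised DDL/DCL, alert on anything else that matched, else allow."""
    findings = evaluate(event)
    if any("outside change window" in f for f in findings):
        return "block"
    return "alert" if findings else "allow"

# Constructed captured events: a DBA change, an application read tagged with
# its end user, an out-of-hours GRANT from an application host, and a routine
# report query.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 15, 10, 0), "src": "10.0.9.5", "db_user": "dba_alice",
     "sql": "ALTER TABLE hr.salaries ADD COLUMN bonus INT"},
    {"ts": datetime(2024, 1, 15, 14, 30), "src": "10.0.20.14", "db_user": "app_pool",
     "app_user": "jdoe",
     "sql": "SELECT card_no FROM crm.cardholders WHERE customer_id = 8812"},
    {"ts": datetime(2024, 1, 15, 3, 12), "src": "10.0.20.14", "db_user": "app_pool",
     "sql": "GRANT ALL ON crm.cardholders TO tmp_user"},
    {"ts": datetime(2024, 1, 15, 9, 0), "src": "10.0.1.8", "db_user": "reports",
     "sql": "SELECT count(*) FROM sales.orders"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(decide(ev).upper(), "|", ev["sql"], "|", "; ".join(evaluate(ev)))
```

Two design points carry over to real deployments: the blocking decision is limited to the one policy where a false positive is cheap to undo (a DBA re-running a change from the right network during the window), while sensitive-table access only alerts, and the actor recorded on every finding is the application's end user rather than the shared pool account, which is what makes the alert usable in an investigation.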
What to consider when deploying DAM
As your organization changes over time (new applications, new user behavior, new databases), your policies and what you monitor, for security as well as compliance reasons, will change with it.
- Policy creation and updates consume time
- Pay close attention to how you deploy
- Carefully select events you need.
- Choose appropriate data source
- Filter unneeded data
- Understand goals before you start – define your use cases