Why Should I Monitor My Databases?
By Raj Soni
As president & CEO of Adaptive Systems Inc, a firm focused exclusively on data privacy, security and compliance, I get asked “why should I monitor my databases?” all the time. Many clients have told me that their databases sit in a secure zone on a segmented network. That is very good, and it is how it should be, but privileged users still have access to that data, correct? Do you want to blindly trust your workers and assume that none of them has bad intentions and that none of them will ever make a mistake?
There are also regulations such as GDPR and CCPA that call for putting controls on your sensitive data, but I am not going to address regulations in this blog. I want to address the practical importance of monitoring instead.
There are three main reasons every company should monitor its databases: (1) to monitor your privileged users, such as your DBAs and the service accounts that have access to the sensitive data in your databases, (2) to keep a check on Shadow IT, and (3) for forensic reasons: if data is compromised, then without the forensic data you may never understand the attack vector(s), the vulnerabilities exploited, or how the data was actually exfiltrated.
So, let’s examine these three reasons a bit more. One of the biggest risks to an organization is an insider threat. Privileged users such as DBAs and service accounts have elevated privileges, so it only makes sense to monitor them and make sure these users and accounts are doing what they are supposed to be doing and nothing more. The old saying “trust but verify” holds true here. Privileged users’ credentials can be compromised by malware, and a careless or disgruntled employee can also inflict a lot of damage. A disgruntled employee who is really smart probably would not use their own credentials; they may “borrow” a colleague’s password to hide their own bad deeds. This is rare, of course, but it happens more often than we realize. The more likely scenario is that a privileged user inadvertently makes an error or omission that malware can then exploit.
Shadow IT is another reason to monitor database activity. Lines of business like to start their own pet projects. They begin by copying sensitive production data “temporarily” without notifying anyone, and before you know it the pet project has grown and no one on the InfoSec team knows that sensitive data is sitting on a server that only a couple of people know about. Discovering data sources and finding these rogue systems is a very important element of database monitoring.
Lastly, the forensic logs created by monitoring help you connect the dots and identify the attack vectors faster. What are some of the things to look for before data exfiltration can take place? Elevated privileges, multiple failed logins, anomalous activity, schema tampering: all of these can only be “seen” if you are monitoring your databases and the privileged users and accounts that access them.
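To make those signals concrete, here is a small detector run over constructed database audit lines. It is an added example, not code from the original post; the line format, the statement patterns and the five-failures-in-a-minute threshold are assumptions, not any product's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines; the format "<timestamp> <user>@<host> <OK|FAIL> <statement>"
# is an assumption for this example, not any particular database's native audit format.
SAMPLE_LOG = """\
2024-03-01T02:01:05 dba_alice@10.0.0.5 OK SELECT count(*) FROM orders
2024-03-01T02:01:10 svc_report@10.0.0.9 FAIL LOGIN
2024-03-01T02:01:12 svc_report@10.0.0.9 FAIL LOGIN
2024-03-01T02:01:14 svc_report@10.0.0.9 FAIL LOGIN
2024-03-01T02:01:16 svc_report@10.0.0.9 FAIL LOGIN
2024-03-01T02:01:18 svc_report@10.0.0.9 FAIL LOGIN
2024-03-01T02:01:25 svc_report@10.0.0.9 OK LOGIN
2024-03-01T02:02:00 svc_report@10.0.0.9 OK GRANT ALL PRIVILEGES ON *.* TO 'svc_report'@'%'
2024-03-01T02:03:00 svc_report@10.0.0.9 OK ALTER TABLE customers DROP COLUMN audit_flag
2024-03-01T09:00:00 dba_alice@10.0.0.5 OK CREATE INDEX idx_orders ON orders (id)
"""

LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (OK|FAIL) (.*)$")
PRIV_RE = re.compile(r"^(GRANT|REVOKE|CREATE USER|ALTER USER)\b", re.I)  # elevated privileges
SCHEMA_RE = re.compile(r"^(ALTER|DROP|TRUNCATE|RENAME)\b", re.I)         # schema tampering
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=1)                    # assumed thresholds


def analyze(log_text):
    """Return (signal, user, host, timestamp) tuples for the signals worth a closer look."""
    alerts, fails, burst_users = [], defaultdict(list), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, host, status, stmt = m.groups()
        ts = datetime.fromisoformat(ts)
        is_login = stmt.upper().startswith("LOGIN")
        if status == "FAIL" and is_login:
            # keep only the failures inside the sliding window, then count them
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:
                alerts.append(("failed_login_burst", user, host, ts))
                burst_users.add(user)
        elif status == "OK" and is_login and user in burst_users:
            # a success right after a burst of failures is an anomaly worth reviewing
            alerts.append(("login_after_failures", user, host, ts))
        elif PRIV_RE.match(stmt):
            alerts.append(("privilege_change", user, host, ts))
        elif SCHEMA_RE.match(stmt):
            alerts.append(("schema_tamper", user, host, ts))
    return alerts
```

The benign SELECT and CREATE INDEX lines produce nothing, while the service account's burst of failures, the login that follows it, the GRANT and the ALTER TABLE each produce one alert.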
Database monitoring was primarily used to comply with regulatory requirements such as SOX, but what is exciting now is that we can take these logs, enrich them with other logs such as network and AD logs, actually connect the dots to get a clearer picture of what is happening in your environment, and produce actionable events. User and Event Behavior Analytics (UEBA) is the ultimate goal: know in near real time what is happening and be able to act.
If you are considering database activity monitoring (DAM) but are not sure where to start, drop me a note and I’d be happy to answer any questions you may have.