Sunday, 15 July 2018


Database Activity Monitoring (DAM) is a database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. DAM is typically performed continuously and in real time.

Database Activity Monitoring and Prevention (DAMP) is an extension of DAM that goes beyond monitoring and alerting to also block unauthorized activities.

DAM helps businesses address regulatory compliance mandates such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), US government regulations such as NIST 800-53, and EU regulations.

DAM is also an important technology for protecting sensitive databases from external attacks by cybercriminals. According to the Verizon Business 2009 Data Breach Investigations Report, based on data analyzed from the Verizon Business caseload of 90 confirmed breaches involving 285 million compromised records during 2008, 75 percent of all breached records originated from compromised database servers.

According to Gartner, "DAM provides privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring administrator activity. The technology also improves database security by detecting unusual database read and update activity from the application layer. Database event aggregation, correlation and reporting provide a database audit capability without the need to enable native database audit functions (which become resource-intensive as the level of auditing is increased)."

According to a survey by the Independent Oracle User Group (IOUG), "Most organizations have no mechanism in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR or other business applications. ... such incidents."

Forrester refers to this category as "database audit and real-time protection".


Common use cases for DAM

Privileged User Monitoring: Monitoring privileged users (or superusers), such as database administrators (DBAs), system administrators (sysadmins), developers, help desk staff, and outsourced personnel, who typically have unrestricted access to enterprise databases, is critical to protecting against both external and internal threats. Privileged user monitoring involves auditing all activities and transactions, identifying anomalous activities (such as viewing sensitive data or creating new accounts with superuser privileges), and reconciling observed activities (such as adding or deleting tables) with authorized change requests.

Since most organizations are already protected at the perimeter level, the main concern lies in the need to monitor and protect against privileged users. Hence there is a high correlation between database security and the need to protect against insider threats. This is a tricky task because most privileged users are able to use sophisticated techniques to attack databases, such as stored procedures, triggers, views, and obfuscated traffic, attacks that may be difficult to detect using traditional methods.

Additionally, since targeted attacks frequently result in the attacker obtaining privileged user credentials, privileged user monitoring is also an effective way to identify compromised systems.

As a result, auditors now demand privileged user monitoring for security best practices as well as for regulatory compliance. Privileged user monitoring helps ensure:

  • Data privacy, so that only authorized applications and users can see sensitive data
  • Data governance, so that critical database structures and values are not changed outside of the company's change control procedures

Application Activity Monitoring: The primary purpose of application activity monitoring is to provide greater end-user accountability and to detect fraud (and other abuses of legitimate access) that occur through enterprise applications, rather than through direct access to the database.

Multi-tier enterprise applications such as Oracle EBS, PeopleSoft, JD Edwards, SAP, Siebel Systems, Business Intelligence, and custom applications built on standard middle-tier servers such as IBM WebSphere and Oracle WebLogic Server mask the identity of end users at the database transaction level. This is done by an optimization mechanism known as "connection pooling." Using pooled connections, the application aggregates all user traffic within a few database connections that are identified only by a generic service account name. Application activity monitoring allows an organization to associate specific database transactions with particular application end users, in order to identify unauthorized or suspicious activity.

End-user accountability is often required for data governance requirements such as the Sarbanes-Oxley Act. New auditor guidance from the Public Company Accounting Oversight Board for SOX compliance has also increased the emphasis on anti-fraud controls.

Cyberattack Protection: SQL injection is a type of attack used to exploit bad coding practices in applications that use relational databases. The attacker uses the application to send a SQL statement that is composed from an application-generated statement concatenated with additional statements introduced by the attacker.

Many application developers compose SQL statements by concatenating strings and do not use prepared statements; in this case the application is vulnerable to a SQL injection attack. The technique transforms an innocent SQL call from the application into a malicious call that can cause unauthorized access, deletion of data, or theft of information.

One way that DAM can prevent SQL injection is by monitoring the application activity, generating a baseline of "normal behavior", and identifying an attack based on a divergence from the normal SQL structures and normal sequences. An alternative approach monitors the memory of the database, where both the database execution plan and the context of the SQL statements are visible, and based on policy can provide granular protection at the object level.
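As an added illustration of the baseline approach described above (example code, not part of the original article): the normalizer below reduces each statement to its structure, a learning window builds the set of "normal" templates, and a later capture is checked against that set. The traffic samples are constructed, and the code models only structural divergence, not the sequence analysis the text also mentions.

```python
import re

# Literals become placeholders so that statements differing only in their data
# values collapse onto one structural template. Assumption: single-quoted strings
# and plain numeric literals, as in most application-generated SQL.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")

def sql_template(statement: str) -> str:
    """Reduce a SQL statement to its structure: literals -> '?', case folded."""
    t = _STRING.sub("?", statement)
    t = _NUMBER.sub("?", t)
    return _SPACE.sub(" ", t).strip().rstrip(";").upper()

def build_baseline(learning_traffic):
    """Learning phase: templates observed while the application behaves normally."""
    return {sql_template(s) for s in learning_traffic}

def classify(statement: str, baseline) -> str:
    """Detection phase: a structure never seen in the learning window is anomalous."""
    return "normal" if sql_template(statement) in baseline else "anomalous"

def scan(captured, baseline):
    """Return (verdict, statement) pairs for every captured statement."""
    return [(classify(s, baseline), s) for s in captured]

# Constructed sample of what the application sends during normal operation.
LEARNING_TRAFFIC = [
    "SELECT id, email FROM users WHERE username = 'alice' AND password_hash = 'a1b2'",
    "SELECT id, email FROM users WHERE username = 'bob' AND password_hash = 'c3d4'",
    "UPDATE users SET last_login = 1531600000 WHERE id = 42",
    "SELECT amount, ts FROM orders WHERE user_id = 42 ORDER BY ts DESC LIMIT 20",
]

# Constructed capture from a later window. The last statement is what string
# concatenation yields when untrusted input is spliced into the query instead
# of being bound as a parameter: its structure differs from every baseline template.
CAPTURED_TRAFFIC = [
    "SELECT id, email FROM users WHERE username = 'carol' AND password_hash = 'e5f6'",
    "UPDATE users SET last_login = 1531686400 WHERE id = 7",
    "SELECT amount, ts FROM orders WHERE user_id = 42 OR 1=1 ORDER BY ts DESC LIMIT 20",
]

if __name__ == "__main__":
    for verdict, stmt in scan(CAPTURED_TRAFFIC, build_baseline(LEARNING_TRAFFIC)):
        print(f"{verdict:9s} {stmt}")
```

Note that the two login queries with different values map to the same template, so changing data never raises an alert; only a changed structure does.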


DAM core features

As defined by Gartner, "DAM tools use several data collection mechanisms (such as server-based agent software and in-line or out-of-band network collectors), aggregate the data in a central location for analysis, and report based on behaviors that violate the security policies and/or signatures or indicate behavioral anomalies. DAM demand is driven primarily by the need for privileged user monitoring to address compliance-related audit findings, and by threat-management requirements to monitor database access. Enterprise DAM requirements are beginning to broaden, extending beyond basic functions, such as the capability to detect malicious activity or inappropriate or unapproved database administrator (DBA) access."

More advanced DAM functions include:

  • The ability to monitor intra-database attacks and back-doors in real time (such as stored procedures, triggers, views, etc.)
  • A solution that is agnostic to most IT infrastructure variables, such as encryption or network topology
  • Blocking and prevention, without being in-line to the transactions
  • Active discovery of at-risk data
  • Improved visibility into application traffic
  • The ability to offer monitoring of database activity in virtualized environments, or even in the cloud, where there is no well-defined or consistent network topology

Some companies also look for other functions, including:

  • Configuration auditing to comply with audits required by the US Sarbanes-Oxley Act
  • DLP capabilities that address security concerns, as well as the data identification and protection requirements of the Payment Card Industry (PCI) and other data-centric regulatory frameworks
  • Reporting on the attestation of database user privileges, required by a broad range of regulations
  • Better integration with vulnerability scanning products

General DAM architecture

Interception-based: Most modern DAM systems collect what the database is doing by being able to "see" the communications between the database client and the database server. What DAM systems do is find places where they can view the communication stream and obtain the requests and responses without requiring participation from the database. The interception itself can be done at multiple points, such as the database memory (e.g. the SGA), on the network (using a network TAP or a SPAN port if the communication is not encrypted), at the operating system level, or at the level of the database libraries.

If there is unencrypted network traffic, then packet sniffing can be used. The advantage is that no processing is done on the host; the main disadvantage is that both local traffic and sophisticated intra-database attacks will not be detected. To capture local access, some network-based vendors deploy a probe that runs on the host. This probe intercepts all local access and can also intercept all networked access in case you do not want to use network gear or in case the database communications are encrypted. However, since the agent does not do all of the processing, and instead relays the data to the DAM appliance where all of the processing occurs, it may affect network performance with all of the local traffic, and real-time session termination may be too slow to interrupt unauthorized queries.

Memory-based: Some DAM systems have a lightweight sensor that attaches to the protected databases and continuously polls the system global area (SGA) to collect SQL statements as they are being executed. A similar architecture was previously used by performance-optimization products that also used the SGA and other shared data structures.

In the latest versions of this technology, a lightweight sensor runs on the host and attaches to the database process at the OS level to inspect its private data structures. The advantages of this approach are significant:

  • Full coverage of all database transactions: the sensor covers traffic coming from the network, from the host, as well as from back-doors (stored procedures, triggers, views)
  • A solution that is agnostic to most IT infrastructure variables: there is no need to re-architect the network, to open span ports, or to worry about key management if the network is encrypted, and this model can also be used to protect distributed databases in virtual environments or in the cloud

Log-based: Some DAM systems analyze and extract the information from the transaction logs (e.g., the redo logs). These systems use the fact that much of the data is stored within the redo logs, and they scrape these logs. Unfortunately, not all of the required information is in the redo logs. For example, SELECT statements are not, and so these systems augment the data they gather from the redo logs with data they collect from the native audit trails, as shown in Figure 3. These systems are a hybrid between a true DAM system (which is fully independent of the DBMS) and a SIEM, which relies on data generated by the database. This architecture usually implies more overhead on the database server.

Other names for DAM

Enterprise database auditing and real-time protection

References

Source of the article: Wikipedia
