"NitroView is a strong performer in the enterprise database auditing market"
— The Forrester Wave: Enterprise Database Auditing & Real-time Protection, 2007
 


 
 

Security at the Core

The target of most hackers is your sensitive data, including personally identifiable information (PII) or credit card information. Because this information is stored within a database, monitoring that database protects client information and sensitive financial data, thwarting hackers while reducing the costs associated with a data breach. Monitoring the data itself also protects against internal data theft. NitroView DBM (DBM) identifies suspect database activity from authorized users using a combination of "known good" and "known bad" activity, determining the level of risk based on the user's activity within the database. For example, alerts can be triggered when an application that should only be using three queries begins generating new requests, or when a user who views user information one customer at a time starts performing mass downloads.

Added Visibility for Better Security

NitroView DBM monitors all database activity and can spot tell-tale signs that the user is unfamiliar with the environment despite logging in as a user that should know exactly what it needs. For instance, a hacker with stolen credentials will (generally) be unaware of the database schema - generating access privilege errors, running scripts to enumerate table and field names, viewing sample data from many tables, etc.
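The signals described in the two sections above (new queries from a fixed-query application, mass downloads, privilege errors, schema enumeration) can be sketched as a small baseline check. This is an added example, not NitroView code or output; the event format, the `webapp` account, the baseline values and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

def fingerprint(sql):
    """Normalize a statement so that literal values do not create new fingerprints."""
    sql = re.sub(r"'[^']*'", "?", sql.lower())
    sql = re.sub(r"\b\d+\b", "?", sql)
    return re.sub(r"\s+", " ", sql).strip()

# Assumed "known good" baseline: the three statements this application issues.
KNOWN_GOOD = {fingerprint(q) for q in (
    "SELECT name, email FROM customers WHERE id = 1",
    "UPDATE customers SET email = 'x' WHERE id = 1",
    "INSERT INTO orders (customer_id, total) VALUES (1, 2)",
)}
BASELINE = {"webapp": {"queries": KNOWN_GOOD, "max_rows": 10}}

# Constructed audit events: (account, sql, rows_returned, error).
EVENTS = [
    ("webapp", "SELECT name, email FROM customers WHERE id = 1041", 1, None),
    ("webapp", "SELECT name, email FROM customers WHERE id = 2207", 1, None),
    ("webapp", "UPDATE customers SET email = 'a@example.test' WHERE id = 2207", 1, None),
    ("webapp", "SELECT table_name FROM information_schema.tables", 212, None),
    ("webapp", "SELECT * FROM payroll LIMIT 5", 0, "permission denied"),
    ("webapp", "SELECT * FROM orders LIMIT 5", 5, None),
    ("webapp", "SELECT name, email FROM customers", 48210, None),
]

def score_events(events, baseline):
    """Return {account: [(reason, sql), ...]} for activity outside the baseline."""
    alerts = defaultdict(list)
    for account, sql, rows, error in events:
        known = baseline.get(account, {"queries": set(), "max_rows": 0})
        fp = fingerprint(sql)
        if fp not in known["queries"]:
            alerts[account].append(("new_query", sql))        # unexpected request
        if rows > known["max_rows"]:
            alerts[account].append(("mass_read", sql))        # bulk download
        if error and "permission denied" in error.lower():
            alerts[account].append(("privilege_error", sql))  # probing access
        if "information_schema" in fp:
            alerts[account].append(("schema_enumeration", sql))
    return dict(alerts)

if __name__ == "__main__":
    for account, hits in score_events(EVENTS, BASELINE).items():
        for reason, sql in hits:
            print(f"{account}: {reason}: {sql}")
```
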

Alerts generated by this type of activity might be enough to mitigate a threat, making a database monitor an important security tool. However, when combined with the multi-source correlation and analysis features of a SIEM, this information becomes invaluable. For example, using NitroView ESM, suspect user activity within the database can be compared to other activity by that user, across applications. Has that user violated any security policies that might have been detected by an intrusion prevention system? Is that user generating more network traffic than usual? Who is that user talking to on the network? All of these questions can be answered quickly using NitroView ESM and NitroView DBM together.

"Database Activity Monitoring is crucial because organizations store sensitive, business-critical information in their DBMSs. Monitoring & analysis of critical data access is becoming compliance standard of due care, & this capability is also required to detect data breaches in the event of a successful targeted attack."

Mark Nicolett, Gartner, "DAM Technology Provides Monitoring & Analytics", NOV 2007

Why use a Database Monitor (DBM)?

Today's hacker is most likely to be a former technical employee using remote access to exploit system vulnerabilities, according to CERT, the Internet security research center run by the Software Engineering Institute at Carnegie Mellon University, which has access to U.S. Secret Service data.

Scary... But we bet you aren't surprised. What does this really mean to you as an IT professional?

  • The line between an external attack and an internal attack is blurring. A former employee using remote access is acting from a completely different set of motives and from a completely different base of knowledge than a hacker. He/she may know exactly where the most important or confidential data resides, and he/she may know colleagues' passwords and enough security practices to cover his/her tracks.
  • A zero-day scenario is more likely to be a planned event: a former employee waiting for the opportunity to do damage. He/she may know your patch policies and the exact length of the window of opportunity.

CERT's report also says the majority of insider attackers compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks. The majority of such attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable.

"The database activity monitoring (DAM) market space is undergoing considerable consolidation, with a broad range of delivery models and providers available. Security managers considering these technologies should use Gartner market guidance when making purchasing and deployment decisions.

Key Findings
  • DAM technologies are available as point solutions or as capabilities delivered along with related technologies.
  • These technologies may be offered with database and application intrusion prevention system (IPS) functions, in database vulnerability management suites, or within security information and event management (SIEM) offerings."

Jeffrey Wheatman & Mark Nicolett, Gartner, "Database Activity Monitoring Market Overview", Feb 2009
Access the Gartner Report (requires registration)

Database monitoring is your best protection against internal attacks. NitroView DBM analyzes every data request going into the database to determine if the data being requested is suspicious, regardless of WHO is entering the request or where it originates. Its unbiased, straightforward application of your security policies and rules puts control back in your hands.


