"... the ability to reduce the time to true incident identification to a number that is measured in seconds, versus minutes, hours or even longer"
— Rocky DeStefano, CEO, Decurity
Database Activity Monitoring

Database monitoring protects client information and sensitive financial data inside the databases and applications. As security breaches move from random hackers to carefully-timed attacks by knowledgeable technology experts, you need to monitor individual data transactions to:

  • Secure Confidential Data. A powerful application specifically built for complex heterogeneous environments, NitroView DBM (DBM) monitors both databases and popular business applications. This single-solution approach reduces training and deployment costs and increases ROI.
  • Improve Compliance Reporting. NitroView DBM's pre-defined rules and reports, privacy-friendly transaction and session logging features and encrypted, time-stamped files make it easy to comply with regulations such as Sarbanes-Oxley, PCI, HIPAA, GLBA, FDIC, FISMA, and ISO 17799, among others.
  • Avoid Liability. Nothing costs more than losing clients, informing regulators and facing unfavorable media reports after a security breach. Having the latest and greatest technology in place to protect your data can prevent, limit or mediate the situation.

The Importance of Database Monitoring

NitroView DBM (DBM) identifies suspect activity from authorized users using a combination of "known good" and "known bad" activity - determining the level of risk based on the user's activity within the database.

"Database Activity Monitoring is crucial because organizations store sensitive, business-critical information in their DBMSs. Monitoring & analysis of critical data access is becoming a compliance standard of due care, & this capability is also required to detect data breaches in the event of a successful targeted attack."

Mark Nicolett, Gartner, "DAM Technology Provides Monitoring & Analytics", NOV 2007

For example, alerts can be triggered when an application that should only be using three queries begins generating new requests, or when a user that views user information one customer at a time starts performing mass downloads. In both of those cases, there was a deviation from "known good" activity. One example of "known bad" activity is if an attempt is made to access a list of usernames and passwords.

NitroView DBM monitors all activity and can spot tell-tale signs that the user is unfamiliar with the environment despite logging in as a user that should know exactly what it needs. For instance, a hacker with stolen credentials will (generally) be unaware of the data schema - generating access privilege errors, running scripts to enumerate table and field names, viewing sample data from many tables, and the like. By consolidating these events with external information (e.g., the user is using an IP address outside of the perimeter) - the data security group can receive an alert that there is a potential ongoing attack, enabling an immediate response that can identify the threat and potentially shut it down before data is compromised.
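As an added illustration (not NitroView DBM's own code), the following script scores constructed database audit events with the heuristics just described: deviation from an account's "known good" query shapes, "known bad" access to credential columns, schema-unfamiliarity signals (privilege errors, catalog enumeration, sampling several tables) and correlation with a client IP outside the assumed 10.0.0.0/8 perimeter. The baseline, policy and point values are assumptions chosen for the example.

```python
import re
import ipaddress

# Constructed sample audit events: (session, db_user, client_ip, status, sql).
EVENTS = [
    ("s1", "app_svc", "10.0.0.5", "ok", "SELECT name FROM customers WHERE id = 7"),
    ("s1", "app_svc", "10.0.0.5", "ok", "SELECT balance FROM accounts WHERE id = 7"),
    ("s2", "jsmith", "203.0.113.9", "denied", "SELECT * FROM payroll"),
    ("s2", "jsmith", "203.0.113.9", "ok", "SELECT table_name FROM information_schema.tables"),
    ("s2", "jsmith", "203.0.113.9", "ok", "SELECT * FROM users LIMIT 5"),
    ("s2", "jsmith", "203.0.113.9", "ok", "SELECT * FROM orders LIMIT 5"),
    ("s2", "jsmith", "203.0.113.9", "ok", "SELECT username, password FROM users"),
    ("s3", "app_svc", "10.0.0.5", "ok", "DROP TABLE customers"),
]
# "Known good": query shapes the application account is expected to issue (assumed baseline).
KNOWN_GOOD = {
    "app_svc": {"SELECT name FROM customers WHERE id = ?", "SELECT balance FROM accounts WHERE id = ?"},
}
KNOWN_BAD_COLUMNS = ("password",)                   # "known bad": credential column access (assumed)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed perimeter

def shape(sql):
    """Replace numeric literals so 'id = 7' and 'id = 8' map to one known-good shape."""
    return re.sub(r"\b\d+\b", "?", sql)

def score_sessions(events):
    """Return {session: {"risk": int, "reasons": [str]}} after scoring every event."""
    sessions, sampled, external_seen = {}, {}, set()
    for sess, user, ip, status, sql in events:
        s = sessions.setdefault(sess, {"risk": 0, "reasons": []})
        def flag(points, why):
            s["risk"] += points
            s["reasons"].append(why)
        low = sql.lower()
        if user in KNOWN_GOOD and shape(sql) not in KNOWN_GOOD[user]:
            flag(3, "deviation from known-good queries")      # app issuing a new request
        if any(col in low for col in KNOWN_BAD_COLUMNS):
            flag(5, "known-bad: credential column access")
        if status == "denied":
            flag(2, "access privilege error")                  # does not know its rights
        if "information_schema" in low:
            flag(2, "schema enumeration")                      # learning table names
        m = re.search(r"from\s+(\w+)\s+limit\b", low)
        if m:                                                  # peeking at sample rows
            sampled.setdefault(sess, set()).add(m.group(1))
            if len(sampled[sess]) == 2:
                flag(2, "sampling data from multiple tables")
        if sess not in external_seen and ipaddress.ip_address(ip) not in INTERNAL_NET:
            external_seen.add(sess)
            flag(2, "client IP outside the perimeter")         # external correlation
    return sessions

def alerts(events, threshold=8):
    """Sessions whose accumulated risk warrants an analyst alert."""
    return {k: v for k, v in score_sessions(events).items() if v["risk"] >= threshold}
```

Only session s2 crosses the alert threshold; s3's single deviation is recorded but stays below it, which is the trade-off a threshold encodes.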

"In this study, respondents estimated that databases are the repository for nearly two-thirds of their sensitive data, so it's no surprise that they place a high priority on database security,"

Derek E. Brink, vice president and research fellow for IT Security, Aberdeen.


Compelling Facts from Aberdeen's research on Database Security:
  • Best-in-Class companies reduced the number of actual data loss / data exposure incidents by 8% compared to other respondents.
  • Best-in-Class companies reduced the number of audit deficiencies related to database security by 10% compared to other respondents.
  • Best-in-Class companies reduced the annual cost of modifying applications related to database security by 8% compared to other respondents.
  • Best-in-Class companies reduced unscheduled downtime related to database security by more than 6% compared to other respondents.

Aberdeen, Benchmark Report: Protecting the Database

Network or Host Based Database Monitoring?

Network-based monitoring has zero impact on the performance of the database or the applications that access it, providing the ultimate level of protection without penalty. In some circumstances, however, a host-based monitor might be desired: for example, where the console and database coexist on a single server or mainframe, or when more in-depth system-level monitoring and remediation capabilities are desired. Many databases provide internal auditing, but at the cost of performance and protection (as internal auditors can be bypassed by authorized administrators). A discrete instance of host-based monitoring is therefore ideal in some circumstances. NitroView DBM is available as either an installable agent or as a network-based monitor, which sits on a network span port much like an IDS. All traffic is inspected in real time to detect and analyze database transactions without accessing the database itself. This eliminates performance overhead on the server, keeping applications responsive.

The Universal DBM Agent

Looking for more detail about database server activity? Reluctant to accept the performance loss when using native auditing? The NitroView DBM Universal Agent is a complimentary product that provides local monitoring and native auditing to provide the perfect balance between visibility and performance. When used together with the NitroView DBM appliance, the agent supplements the information already being gathered by the network appliance—meaning there's less of a performance impact than when using native auditing alone, but much more robust data collection.

"NitroView DBM (reviewed as RippleTech Informant) is a strong performer in the enterprise database auditing market because it offers good features and functionality at an attractive price."

The Forrester Wave: Enterprise Database Auditing & Real-time Protection, Q4 2007

Why use a Database Monitor (DBM)?

Today's hacker is most likely to be a former technical employee using remote access to exploit system vulnerabilities, according to CERT, the Internet security research center run by the Software Engineering Institute at Carnegie Mellon University, which has access to U.S. Secret Service data.

Scary... But we bet you aren't surprised. What does this really mean to you as an IT professional?

  • The line between an external attack and an internal attack is blurring. A former employee using remote access is acting from a completely different set of motives and from a completely different base of knowledge than a hacker. He/she may know exactly where the most important or confidential data resides, and he/she may know colleagues' passwords and enough security practices to cover his/her tracks.
  • A zero-day scenario is more likely to be a planned event: a former employee waiting for the opportunity to do damage. He/she may know your patch policies and the exact length of the window of opportunity.

CERT's report also says the majority of insider attackers compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks. The majority of such attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable.

Database monitoring is your best protection against internal attacks. NitroView DBM analyzes every data request going into the database to determine whether the data being requested is suspicious, regardless of WHO is entering the request or where it originates. Its unbiased, straightforward application of your security policies and rules puts control back in your hands.
