Lately, there has been a rising trend in the number of incidents where databases have been compromised. There have been quite a few significant data breaches since the start of the year.
Utilizing built-in security measures is often insufficient in safeguarding information within a Database Management System (DBMS). Specialized Database Activity Monitoring (DAM) solutions can assist in addressing this issue.
In this article, I will discuss where and how DAM is used, how to ready oneself for its implementation, and the common mistakes encountered during its usage.
Why relying solely on standard security tools provided by DBMS is not enough?
Database management systems have a wide range of built-in security mechanisms: access rights control, user accounts audit, event logs, etc. It is crucial to employ these tools; however, it is also vital to remember that they can put extra load on the database management system and cannot guarantee complete protection against all cyber dangers.
Until recently, many companies limited themselves to using standard built-in tools, focusing on meeting the requirements of regulators. In practice, this was not enough, which is confirmed by the increased number of database leaks.
Regular security and audit tools are extremely helpful in detecting mass and targeted hacker attacks. At the same time, more and more leaks occur due to legitimate access and malicious insiders. Standard tools cannot prevent such things as copying information from the database. Database Activity Monitoring, Data Loss Prevention (DLP), and User Activity Monitoring (UAM) solutions come to the rescue.
Another fundamental drawback of the built-in security mechanisms is that the event log is stored in the same place as the DBMS itself. Imagine that when stealing data, a hypothetical attacker also deletes all the logs. It is unlikely that the company will be able to investigate the incident in this case.
So, today, you cannot do without specialized, properly configured solutions. Database Activity Monitoring systems are designed to monitor requests to the DBMS by analyzing network traffic and narrowing down the protection of vital data to just the database. These tools help in managing access for authorized users, admins and any associated systems that manage sensitive information stored within the database.
How do DAM solutions work, and how do they differ from traditional DBMS security tools?
Users connect to the database by utilizing specialized network equipment. A copy of the data traffic is configured on this equipment, which is then forwarded to the DAM system for examination. This method allows for complete monitoring of all database interactions while minimizing the impact on its performance. This is crucial considering the shortage of resources and the exponentially increasing volume of data stored in databases.
When evaluating network data, the system considers not only the SQL requests from users to the database but also the responses. This fundamental difference separates the DAM solution from traditional DBMS audit tools. In practice, it is often more important to discover if a user was able to obtain confidential information rather than just identifying attempts to access data in the database. All of this can be accomplished through monitoring network traffic.
What are the common use cases and top functionalities of DAM systems?
Many businesses today are concerned with auditing the security of their databases. They aim to comprehensively understand what is happening with their databases and who is accessing them, so they can analyze how sensitive information is being handled within their organization.
Additionally, the ability to create behavior profiles to identify unusual activity in database interactions is in high demand. In DAM, profiling can be applied both to user accounts and to the data that users are requesting.
DAM solutions are popular among financial industry players such as banks and insurance companies. They handle vast amounts of personal information and make every effort to not only comply with regulations but also to safeguard their databases. DAM is also in high demand in the telecommunications field. It is used to monitor and protect billing systems. Industrial companies have recently begun showing significant interest in this class of solutions as it is crucial for them to secure confidential data stored in databases and used for automated calculations. Additionally, big retail businesses also express interest in Database Activity Monitoring solutions, specifically for profiling customer requests.
What types of harmful actions can be identified and stopped using DAM?
One example of how DAM can detect and prevent malicious actions is in the banking industry. In an effort to launder money, fraudsters can open so-called "pyramid" accounts. They register new accounts one after another, each time transferring money to a newly created account and closing the previous one. DAM can identify these patterns by monitoring accounts that are opened and closed within a single day. This is accomplished by setting up policies that track the software and hardware systems involved in opening and closing accounts. Specific account numbers are singled out from the identified suspicious cases. After that, automated reports are generated at the end of each business day. Reports display accounts that were opened and closed on the same day.
Another example of DAM's application can be found in the oil industry, where it can be used to identify various forms of employee misconduct. In one instance, an administrator attempted to replace sensors connected to the database and used to calculate the volume and temperature of oil in storage. This fact was noticed in time, and nothing bad happened.
The above-described malicious actions are a good example of abnormal activity that the DAM system successfully detects due to the built-in behavioral analytics module. The tool immediately notifies cybersecurity specialists if deviations from the typical behavior profile are detected.
How well do DAMs work out of the box? When is the additional configuration needed?
Often, a DAM product comes with a vast array of pre-set templates and policies that can be used out of the box. Nevertheless, depending on the task, some customization may be required. For example, when developing behavior profiles, it may be necessary to create individual policies. It is also important to consider the need to minimize false positives.
The pre-configured settings and templates are a kind of "best practices" that can be implemented in any organization. As new security cases and scenarios arise, vendors add them to the collection of pre-configured policies. Typically, when a new issue arises relevant to one bank, it is highly likely that it can be applied to the entire banking sector. The same is true for other industries. With the accumulation of expertise, vendors not only improve their products but also can assist in setting up the DAM solution in a complex business situation.
Factors to consider for successful DAM implementation and operation
Firstly, it is crucial to determine precisely what needs to be protected. To do this, you need to understand how the organization's internal infrastructure is arranged, where important data is stored, and in what format. It is also essential to know how business processes are organized within the company and which employees can access sensitive information.
In cases where this information is not readily available, it is recommended to begin by monitoring SPAN traffic. At the initial stage, this analysis can help to gather information about all available databases, understand which ones are used the most, and prioritize measures to protect them.
After this, you can proceed to analyze network traffic using an agent solution and control the identified critical databases by creating individual policies for them.
In order to fully benefit from the DAM product, it is essential to control not only the security events identified during the monitoring of requests to the DBMS but also to ensure the stability of the DAM system itself. You need to make sure it is in good working order.
For customers who prefer to outsource the operation of a solution, some DAM vendors can provide around-the-clock monitoring and response to functional incidents. This is possible to implement both with the help of monitoring tools on the customer's side as well as with the connection of vendor monitoring tools. In the second case, information about incidents goes to the vendor's duty line, and it provides response and troubleshooting.
Database protection is closely related to the life cycle of information systems that interact with them. Information in databases is constantly updated, and new forms and places of its storage appear. Therefore, when operating a Database Activity Monitoring system, one cannot be guided by the "set it and forget it" principle. It is vital to keep track of changes in the current databases and the emergence of new databases.
To ensure the best protection, it is recommended to conduct regular cyber drills and pentests at least once every six months, preferably after each significant change in the infrastructure.
In addition to implementing a DAM solution to detect potential security threats, organizations can also benefit from disaster recovery solutions to quickly recover from any disruptions to database operations. Actually, there are plenty of tools and solutions that can be used along with Database Activity Monitoring solutions to enhance database security. This may include data masking and encryption tools, Identity and access management (IAM) solutions, log management and analysis solutions, etc.
What typical errors are encountered during the operation of the DAM product?
The most common problematic situation is the use of default policies. This is often due to the fact that customers do not have a complete picture and understanding of their internal infrastructure and the availability and location of critical information.
There may be several reasons for this: in some companies, the team of cybersecurity specialists has changed, and in other companies, there is no documentation and description of the configuration of the information systems used.
In such cases, vendors and customers can brainstorm, audit the security of the infrastructure, and form a list of critical data. When it becomes clear what exactly needs to be protected, the most effective methods of ensuring information security can be developed.
The future of Database Activity Monitoring solutions
There is a tendency in the market to expand the functionality of DAM products. Today, DAM solutions can work in firewall mode. Some vendors have already implemented this, but often this function is limited to blocking user access to specific tables. Vendors are working on implementing connection blocking based on various signatures. DAM vendors are also constantly expanding the number of supported types of databases and operating systems.
