Page 187 - DCAP508_DATABASE_ADMINISTRATION

Unit 13: Monitoring Database Modifications
Notes: Today, SOX compliance is the single biggest market driver, followed by PCI. Despite
impressive capabilities, internally driven security initiatives motivate a distant third of
DAM deployments, as most database security projects seem to be driven by compliance
needs.

13.3 Use Cases

Since Database Activity Monitoring is so versatile, here are a few examples of how it can be
used:

  - To enforce separation of duties on database administrators for SOX compliance by
    monitoring all their activity and generating SOX-specific reports for audits.

  - If an application typically queries a database for credit card numbers, a DAM tool can
    generate an alert if the application requests more card numbers than a defined threshold.
    This can indicate that the application has been compromised via SQL injection or some
    other attack.

  - To ensure that a service account only accesses a database from a defined source IP, and
    only runs a narrow group of authorized queries. This can alert on compromise of a service
    account either from the system that normally uses it, or if the account credentials show up
    in a connection from an unexpected system.

  - For PCI compliance some organizations encrypt the database files or media where they're
    stored, and also use DAM to audit and alert on access to the credit card field. The encryption
    protects against physical theft, while the DAM protects against insider abuse and certain
    forms of external attack.

  - As a change and configuration management tool. Some DAM tools offer closed-loop
    integration with external change management tools to track approved database changes
    implemented in SQL. Other tools can then track administrator activity and provide change
    management reports for manual reconciliation.

13.4 Common Use Cases for DAM

Privileged User Monitoring: Monitoring privileged users (or superusers), such as database
administrators (DBAs), systems administrators (or sysadmins), developers, help desk, and
outsourced personnel - who typically have unfettered access to corporate databases - is essential
for protecting against both external and internal threats. Privileged user monitoring includes
auditing all activities and transactions; identifying anomalous activities (such as viewing
sensitive data, or creating new accounts with superuser privileges); and reconciling observed
activities (such as adding or deleting tables) with authorized change requests.

Since most organizations are already protected at the perimeter level, a major remaining concern
is the need to monitor and protect against privileged users. There is therefore a strong link
between database security and protection from the insider threat. This is a complex task, as most
privileged users are capable of using sophisticated techniques to attack the database - stored
procedures, triggers, views and obfuscated traffic - attacks that may be difficult to detect using
traditional methods.

In addition, since targeted attacks frequently result in attackers gaining privileged user
credentials, monitoring of privileged activities is also an effective way to identify compromised
systems.
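The following is an added illustration, not part of the unit text or of any DAM product: a small rule engine that applies three of the policies described above (card-number threshold in 13.3, service-account source IP and authorized-query restriction in 13.3, and reconciliation of privileged DDL with approved change requests in 13.4) to constructed audit events. The event fields, user names, network ranges and ticket identifiers are all made up for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample audit events, in the normalised form a DAM agent might emit.
# Fields: user, source IP, statement type, target object, rows returned, optional change ticket.
EVENTS = [
    {"user": "app_web",   "src": "10.0.1.5",    "stmt": "SELECT", "obj": "cards.pan", "rows": 1},
    {"user": "app_web",   "src": "10.0.1.5",    "stmt": "SELECT", "obj": "cards.pan", "rows": 250},
    {"user": "svc_batch", "src": "10.0.2.9",    "stmt": "SELECT", "obj": "orders",    "rows": 40},
    {"user": "svc_batch", "src": "203.0.113.7", "stmt": "SELECT", "obj": "orders",    "rows": 40},
    {"user": "svc_batch", "src": "10.0.2.9",    "stmt": "SELECT", "obj": "cards.pan", "rows": 3},
    {"user": "dba_jane",  "src": "10.0.0.2",    "stmt": "ALTER",  "obj": "orders",    "rows": 0,
     "ticket": "CHG-1042"},
    {"user": "dba_jane",  "src": "10.0.0.2",    "stmt": "DROP",   "obj": "audit_log", "rows": 0},
]

# Hypothetical monitoring policy for the three use cases.
POLICY = {
    "card_rows_threshold": 100,                 # max card rows one statement may return
    "service_accounts": {                       # allowed source network and objects per account
        "svc_batch": {"net": ip_network("10.0.2.0/24"), "objects": {"orders"}},
    },
    "privileged": {"dba_jane"},                 # accounts whose DDL must map to a change ticket
    "approved_changes": {"CHG-1042"},           # tickets approved in the change-management tool
}

DDL = {"ALTER", "DROP", "CREATE"}

def evaluate(events, policy):
    """Return a list of (rule, user, detail) alerts raised by the events."""
    alerts = []
    for e in events:
        # Use case: an application pulling far more card numbers than its normal pattern.
        if e["obj"] == "cards.pan" and e["rows"] > policy["card_rows_threshold"]:
            alerts.append(("card_threshold", e["user"], f'{e["rows"]} rows'))
        # Use case: a service account seen from an unexpected host or running an unauthorized query.
        sa = policy["service_accounts"].get(e["user"])
        if sa:
            if ip_address(e["src"]) not in sa["net"]:
                alerts.append(("svc_bad_source", e["user"], e["src"]))
            if e["obj"] not in sa["objects"]:
                alerts.append(("svc_bad_query", e["user"], f'{e["stmt"]} {e["obj"]}'))
        # Use case: privileged schema changes reconciled against approved change requests.
        if e["user"] in policy["privileged"] and e["stmt"] in DDL:
            if e.get("ticket") not in policy["approved_changes"]:
                alerts.append(("unapproved_change", e["user"], f'{e["stmt"]} {e["obj"]}'))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in evaluate(EVENTS, POLICY):
        print(f"ALERT {rule}: user={user} {detail}")
```

Running the block raises four alerts: the 250-row card query, the service account connecting from 203.0.113.7, the service account reading the card field, and the DROP without a matching change ticket; the ALTER tied to CHG-1042 passes reconciliation silently.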



                                           LOVELY PROFESSIONAL UNIVERSITY                                   181