Page 189 - DCAP508_DATABASE_ADMINISTRATION
Unit 13: Monitoring Database Modifications
sophisticated intra-database attacks will not be detected. To capture local access, some network-based
vendors deploy a probe that runs on the host. This probe intercepts all local access and can
also intercept all networked access, in case you do not want to use network gear or in case the
database communications are encrypted. However, since the agent does not do all the processing
— instead it relays the data to the DAM appliance, where all the processing occurs — it may
impact network performance with all of the local traffic, and real-time session termination may
be too slow to interrupt unauthorized queries.
Memory-based: Some DAM systems have a lightweight sensor that attaches to the protected
databases and continuously polls the system global area (SGA) to collect SQL statements as they
are being executed. A similar architecture was previously used by performance optimization
products that also read the SGA and other shared data structures.
Did you know? In the latest versions of this technology a lightweight sensor runs on the host
and attaches to the database process at the OS level to inspect its private data structures.
The advantages of this approach are significant:
i. Complete coverage of all database transactions — the sensor covers traffic coming from
the network, from the host, as well as from back-doors (stored procedures, triggers,
views).
ii. A solution that is agnostic to most IT infrastructure variables — no need to re-architect the
network, to open SPAN ports, or to worry about key management if the network traffic is encrypted;
this model can also be used to protect databases deployed in virtualized environments
or in the cloud.
Log-based: Some DAM systems analyze and extract the information from the transaction logs
(e.g., the redo logs). These systems rely on the fact that much of the data is stored within the redo
logs, and they scrape those logs. Unfortunately, not all of the required information is in
the redo logs. For example, SELECT statements are not, so these systems augment the
data they gather from the redo logs with data they collect from the native audit trails, as
shown in Figure 3. These systems are a hybrid between a true DAM system (one that is fully
independent of the DBMS) and a SIEM, which relies on data generated by the database. These
architectures usually imply more overhead on the database server.
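The hybrid collection described above can be illustrated with a small merge routine. This is an added example, not code from the page or from any DAM vendor; the redo-log records, the audit-trail records and their field names are all constructed for the example (loosely modelled on what a log-mining tool reconstructs and on a native audit table, but not any real schema). Redo-derived DML is treated as the primary, DBMS-independent record, and audit-trail rows are pulled in only where the redo log has nothing (SELECTs) or where no matching redo record exists.

```python
from datetime import datetime, timedelta

# Constructed redo-log style records (assumed field names, not a vendor schema):
# a log-mining tool reconstructs the change as SCN, time, user, operation,
# affected object and equivalent SQL. Note: no SELECTs ever appear here.
REDO_RECORDS = [
    {"scn": 1001, "ts": "2024-03-01T10:00:00", "user": "APP", "op": "INSERT",
     "obj": "ORDERS", "sql": "insert into orders (id, amount) values (501, 120)"},
    {"scn": 1002, "ts": "2024-03-01T10:00:05", "user": "DBA1", "op": "UPDATE",
     "obj": "SALARIES", "sql": "update salaries set amount = 99999 where emp_id = 7"},
]

# Constructed native audit-trail records (assumed field names). The DBMS's own
# audit output does record SELECTs, so it is the only source for read access.
# It also records the same UPDATE the redo log has, which must be deduplicated.
AUDIT_RECORDS = [
    {"ts": "2024-03-01T09:59:58", "user": "DBA1", "action": "SELECT",
     "obj": "SALARIES", "sql": "select * from salaries"},
    {"ts": "2024-03-01T10:00:05", "user": "DBA1", "action": "UPDATE",
     "obj": "SALARIES", "sql": "update salaries set amount = 99999 where emp_id = 7"},
    {"ts": "2024-03-01T10:00:09", "user": "APP", "action": "SELECT",
     "obj": "ORDERS", "sql": "select id from orders where id = 501"},
]

# Statement types the redo log cannot supply at all; everything else is taken
# from the redo log first and deduplicated against the audit trail.
AUDIT_ONLY_ACTIONS = {"SELECT"}
DEDUP_WINDOW = timedelta(seconds=2)


def _parse(ts):
    return datetime.fromisoformat(ts)


def merge_activity(redo, audit):
    """Build one time-ordered activity stream from both sources.

    Redo-derived records are added unconditionally. An audit-trail row is
    added when it is an audit-only action (SELECT) or when no redo record with
    the same user, object and operation exists within DEDUP_WINDOW.
    """
    merged = [
        {"ts": _parse(r["ts"]), "user": r["user"], "action": r["op"],
         "obj": r["obj"], "sql": r["sql"], "source": "redo"}
        for r in redo
    ]
    for a in audit:
        ts = _parse(a["ts"])
        if a["action"] not in AUDIT_ONLY_ACTIONS:
            duplicate = any(
                m["source"] == "redo"
                and m["user"] == a["user"]
                and m["obj"] == a["obj"]
                and m["action"] == a["action"]
                and abs(m["ts"] - ts) <= DEDUP_WINDOW
                for m in merged
            )
            if duplicate:
                continue  # the redo log already carries this change
        merged.append({"ts": ts, "user": a["user"], "action": a["action"],
                       "obj": a["obj"], "sql": a["sql"], "source": "audit"})
    merged.sort(key=lambda m: m["ts"])
    return merged


def audit_only_actions(merged):
    """Actions that were visible only through the audit trail, i.e. the
    coverage a redo-log-only collector would have missed."""
    return {m["action"] for m in merged if m["source"] == "audit"}


if __name__ == "__main__":
    for m in merge_activity(REDO_RECORDS, AUDIT_RECORDS):
        print(f'{m["ts"].isoformat()} {m["source"]:5} {m["user"]:5} '
              f'{m["action"]:6} {m["obj"]}')
```

Run as a script, the merged stream shows the two SELECTs tagged `audit` and both DML changes tagged `redo`, with the duplicated UPDATE dropped. The point for the practitioner is the dependency the text describes: if native auditing of SELECTs is switched off or misconfigured on the server, the `audit`-sourced rows simply disappear, and a log-based DAM has no independent way to notice the read.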
13.6 User Benefits
The user benefits can be summarized as:
1. Monitoring
i. Privileged user monitoring: DBAs, root and system administrators, who can access
and alter data either via the application or by logging in at the OS or
local console. Their access has to be monitored in order to detect and prevent privileged users
from accessing data, making modifications to schema or table structure, or creating
or modifying user accounts or permissions.
ii. User activity monitoring: in order to track the users and the applications that connect
to the database. Besides fraudulent access, an important aspect is also to monitor and,
where possible, prevent malicious or unintended activity by legitimate users.
iii. If possible, user accounts also have to be constantly monitored in order to detect
dormant user accounts and take appropriate action.
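The three monitoring goals in the list above can be expressed as detection rules over an audit stream. The following is an added example, not code from the page; the audit events, the account table, the privileged-user set and the sensitive-object set are all constructed, and the field names are assumptions. It flags privileged accounts touching data, schema or permissions (i), flags legitimate users reading sensitive objects (ii), and reports accounts with no logon inside an idle window (iii).

```python
from datetime import datetime, timedelta

# Constructed audit events, one per audited statement or session event.
# "via" records the access path (application vs. local console) the text
# distinguishes. Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "APP_SVC", "action": "LOGON",       "obj": None,          "via": "app"},
    {"ts": "2024-03-01T08:01:10", "user": "APP_SVC", "action": "SELECT",      "obj": "ORDERS",      "via": "app"},
    {"ts": "2024-03-01T08:30:00", "user": "DBA1",    "action": "LOGON",       "obj": None,          "via": "local_console"},
    {"ts": "2024-03-01T08:31:02", "user": "DBA1",    "action": "SELECT",      "obj": "SALARIES",    "via": "local_console"},
    {"ts": "2024-03-01T08:32:40", "user": "DBA1",    "action": "ALTER TABLE", "obj": "SALARIES",    "via": "local_console"},
    {"ts": "2024-03-01T08:33:15", "user": "DBA1",    "action": "GRANT",       "obj": "REPORT_USER", "via": "local_console"},
    {"ts": "2024-03-01T09:00:00", "user": "ANALYST", "action": "LOGON",       "obj": None,          "via": "app"},
    {"ts": "2024-03-01T09:05:00", "user": "ANALYST", "action": "SELECT",      "obj": "SALARIES",    "via": "app"},
]

# Constructed account table: account -> last known logon before this event batch.
ACCOUNTS = {
    "APP_SVC": "2024-02-28T00:00:00",
    "DBA1":    "2024-02-27T00:00:00",
    "ANALYST": "2023-10-01T00:00:00",
    "OLD_ETL": "2023-05-15T00:00:00",
}

PRIVILEGED_USERS = {"DBA1", "SYS", "SYSTEM"}          # assumed privileged set
SENSITIVE_OBJECTS = {"SALARIES"}                       # assumed sensitive set
DATA_ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
SCHEMA_ACTIONS = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE"}
ACCOUNT_ACTIONS = {"CREATE USER", "ALTER USER", "DROP USER", "GRANT", "REVOKE"}


def flag_privileged_activity(events):
    """(i) Privileged accounts accessing data, changing schema, or changing
    accounts/permissions, whatever path they came in on."""
    alerts = []
    for e in events:
        if e["user"] not in PRIVILEGED_USERS:
            continue
        if e["action"] in DATA_ACTIONS:
            kind = "privileged data access"
        elif e["action"] in SCHEMA_ACTIONS:
            kind = "privileged schema change"
        elif e["action"] in ACCOUNT_ACTIONS:
            kind = "privileged account/permission change"
        else:
            continue  # LOGON and similar session events are not alerted here
        alerts.append({"ts": e["ts"], "user": e["user"], "kind": kind,
                       "action": e["action"], "obj": e["obj"], "via": e["via"]})
    return alerts


def flag_sensitive_access(events):
    """(ii) Legitimate, non-privileged users touching sensitive objects."""
    return [e for e in events
            if e["user"] not in PRIVILEGED_USERS
            and e["action"] in DATA_ACTIONS
            and e["obj"] in SENSITIVE_OBJECTS]


def dormant_accounts(accounts, events, now, max_idle_days=90):
    """(iii) Accounts whose most recent logon is older than max_idle_days."""
    last = {u: datetime.fromisoformat(d) for u, d in accounts.items()}
    for e in events:
        if e["action"] == "LOGON":
            ts = datetime.fromisoformat(e["ts"])
            if e["user"] not in last or ts > last[e["user"]]:
                last[e["user"]] = ts
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last.items() if ts < cutoff)


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-01T12:00:00")
    for a in flag_privileged_activity(EVENTS):
        print("ALERT", a["ts"], a["user"], a["kind"], a["action"], a["obj"], "via", a["via"])
    for e in flag_sensitive_access(EVENTS):
        print("REVIEW", e["ts"], e["user"], e["action"], e["obj"])
    print("dormant:", dormant_accounts(ACCOUNTS, EVENTS, now))
```

On the constructed data this raises three alerts for DBA1 (a read of SALARIES, an ALTER TABLE and a GRANT, all from the local console, which a purely network-based collector would not see), one review item for ANALYST reading SALARIES, and reports OLD_ETL as dormant while ANALYST is not, because the fresh LOGON in the event batch supersedes the stale date in the account table.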
LOVELY PROFESSIONAL UNIVERSITY 183