Our organization is considering a database activity monitoring (DAM) product for both security and compliance reasons, but having been through the wringer with our SIEM service during the past three years, I don't want to deal with painful tuning, false positives, performance management, etc. How would you compare the implementation and configuration pain points of SIEM vs. DAM, and is there a way to make DAM easier?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
Security information and event management (SIEM) technology provides real-time analysis of security alerts generated by network hardware and applications, producing reports of events requiring further investigation and for compliance purposes. Database activity monitoring (DAM) also provides constant, real-time analysis, but is limited to database activity. This makes implementation of an enterprise DAM technology simpler, as an organization does not need to deal with aggregated log data sourced from a variety of different devices and applications.
However, for any type of activity monitoring system to work effectively, it must "know" what is deemed normal and acceptable within the environment in which it is operating, and conversely be able to highlight unusual and unwanted activity. A monitoring product that lacks situational awareness, or an understanding of standard daily activity, produces too many false positive alerts, which impacts productivity and security. As a SIEM must aggregate data from many sources, it requires time to understand the subtle correlation of different events, link them together and differentiate between usual and unusual patterns across related sources. This results in exactly what you want to avoid: a period of painful tuning, false positives and performance management.
For a DAM investment to be worthwhile, an organization must go through a similar process of benchmarking and tuning the event thresholds so that the product produces more substantial and detailed alerts and helps identify what needs to be investigated. To minimize the implementation and configuration pain points of any such device, an organization should be clear about what it is trying to achieve. Is the technology to be used for threat identification, compliance and audit reporting, or forensics? Do reports and alerts need to be in real time, or is the next day acceptable? If the main purpose is compliance, auditing or forensics, the DAM or SIEM needs to analyze and report against each of the organization's policy and compliance requirements. In that case it does not have to be as finely tuned, because it is not being used primarily as an intrusion detection system.
DAM can be an important technology for protecting sensitive databases from internal and external attacks. It adds a layer of protection by monitoring privileged user and application access that is independent of native database logging and audit functions. It also improves database security by detecting unusual database read and update activity from the application layer. To perform this task effectively, it first needs to monitor application activity and generate a baseline of normal behavior in order to identify an attack based on a divergence from regular SQL structures and activity. To prevent privileged users or an attacker who has gained privileged access from attacking the database, many DAMs can monitor the memory of the database, where both the database execution plan and the context of the SQL statements are visible. Based on policy, DAMs can then provide granular protection at the object level.
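The baselining and object-level policy described above, as an added illustration that is not code from the article or from any DAM product: statements from a constructed "learning period" log are reduced to a structural fingerprint (literals replaced by placeholders), later statements are compared against the per-account baseline, and a constructed table-level access policy is applied to the objects each statement touches. The log, the accounts, the table names and the policy are all invented here; a real DAM parses SQL properly rather than with regular expressions.

```python
import re
from collections import defaultdict

# Constructed learning-period log of (database account, statement). Not real data.
BASELINE_LOG = [
    ("app_user", "SELECT id, name FROM customers WHERE id = 42"),
    ("app_user", "SELECT id, name FROM customers WHERE id = 17"),
    ("app_user", "UPDATE orders SET status = 'shipped' WHERE order_id = 1001"),
    ("app_user", "INSERT INTO audit_log (actor, action) VALUES ('u1', 'login')"),
    ("report_user", "SELECT COUNT(*) FROM orders WHERE created_at > '2012-03-01'"),
]

# Constructed object-level policy: which accounts are permitted to touch which tables.
OBJECT_POLICY = {
    "customers": {"app_user"},
    "orders": {"app_user", "report_user"},
    "audit_log": {"app_user"},
}

_STR = re.compile(r"'(?:[^']|'')*'")          # single-quoted string literals
_NUM = re.compile(r"\b\d+(?:\.\d+)?\b")       # integer and decimal literals
_WS = re.compile(r"\s+")
_TABLES = re.compile(r"\b(?:from|join|into|update)\s+([a-z_][a-z0-9_]*)")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structure: literals become '?', whitespace is
    collapsed and the text is lower-cased, so 'id = 42' and 'id = 17' match."""
    s = _STR.sub("?", sql.strip().rstrip(";"))
    s = _NUM.sub("?", s)
    return _WS.sub(" ", s).lower()


def referenced_tables(fp: str) -> set:
    """Tables named after FROM/JOIN/INTO/UPDATE in a fingerprint (simplified parsing)."""
    return set(_TABLES.findall(fp))


def build_baseline(log):
    """Map each account to the set of statement structures seen during learning."""
    baseline = defaultdict(set)
    for account, sql in log:
        baseline[account].add(fingerprint(sql))
    return baseline


def evaluate(account: str, sql: str, baseline, policy) -> list:
    """Return a list of findings for one statement; an empty list means the
    statement matches both the account's baseline and the object policy."""
    findings = []
    fp = fingerprint(sql)
    if fp not in baseline.get(account, set()):
        if any(fp in fps for fps in baseline.values()):
            # The application issues this shape, but never from this account.
            findings.append("known structure from unexpected account")
        else:
            # Divergence from every regular SQL structure in the baseline.
            findings.append("statement structure not in baseline")
    for table in sorted(referenced_tables(fp)):
        allowed = policy.get(table)
        if allowed is None:
            findings.append(f"object {table} not covered by policy")
        elif account not in allowed:
            findings.append(f"policy: {account} may not access {table}")
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    # Constructed post-learning statements: one normal, three anomalous.
    observed = [
        ("app_user", "SELECT id, name FROM customers WHERE id = 99"),
        ("report_user", "SELECT id, name FROM customers WHERE id = 5"),
        ("app_user", "DELETE FROM customers WHERE id = 7"),
        ("app_user", "SELECT id, name FROM customers WHERE id = 1 "
                     "UNION SELECT login, password_hash FROM db_users"),
    ]
    for account, sql in observed:
        result = evaluate(account, sql, baseline, OBJECT_POLICY)
        print(f"{account:12} {sql[:60]!r}: {result or 'ok'}")
```

The two checks correspond to the two protections in the text: the fingerprint comparison is the behavioral baseline, and the table policy is the object-level control that still applies when a statement's shape is otherwise familiar. The tuning effort the article warns about shows up here as the length and representativeness of the learning log; a baseline built from too short a period flags legitimate but rare statements.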
Configuration and tuning do take time and patience from an organization, but the effort is well worth it, since a well-tuned and informed monitoring system can spot even the most subtle and sophisticated attack.
This was first published in April 2012