With the transition to a remote workforce dispersing access to databases far beyond the network perimeter, coupled with the rise in privileged credential attacks and insider threats, the importance of database activity monitoring has never been greater. This post will explain what database activity monitoring is, how it shrinks your attack surface, and why it should be a critical control in your cybersecurity program.

What is Database Activity Monitoring?

Database activity monitoring is the process of observing, analyzing, and reporting/alerting on database activities, especially unusual, unauthorized, and/or potentially malicious or fraudulent actions and policy violations. A top question that database activity monitoring tools answer is, “What data is being accessed, and by whom, and is that a problem?”

Capabilities of database activity monitoring tools range from simple user activity analysis to comprehensive solutions that offer application-level analytics, intrusion detection and prevention, discovery/classification, vulnerability management, and integration with identity and access management (IAM) solutions.

How Does Database Activity Monitoring Work?

Database activity monitoring solutions fall into two general categories: standalone applications (often SaaS tools), and software modules that run on your database servers. Both rely on multiple techniques, from network monitoring to analyzing database audit logs, to deliver early warnings and/or block suspect activity.

Database activity monitoring solutions work in or near real-time, separate from your database management system (DBMS) auditing and logging functions to minimize performance impacts. They can detect issues originating inside or outside your network, and some can block requests before they are executed. This gives you a preventive layer of protection over your most sensitive data, while also supporting data breach investigations and incident response. The more you know about potential threats and the quicker you know it, the better you can identify causes and take corrective action before data is compromised or exfiltrated.

What are the Top Database Activity Monitoring Features?

Database activity monitoring tools often have the following key features, which are important to ask vendors about:

  • The ability to monitor, analyze and alert on database activities without impacting database performance
  • The ability to alert on policy violations, suspicious activity, and other threats to data
  • A secure architecture that prevents privileged database users from compromising the tool’s operation or data, such as tampering with recorded activities or logs
  • The capability to monitor and report on privileged users’ activities, often called separation of duties
  • An “IT infrastructure agnostic” design that doesn’t clash with your encryption solution and other security controls, and/or can integrate with your data protection, operations monitoring, and compliance reporting solutions.
  • The capacity to monitor your entire database environment across both cloud and on-premises systems, multiple physical and virtual server platforms, and even different DBMSs

More sophisticated database activity monitoring tools may offer additional features and capabilities, such as:

  • Predefined policies to address common compliance requirements like HIPAA, SOX, and PCI out-of-the-box
  • Enabling deeper visibility into how much data you have and where it is stored, across on-premises, cloud-based, and legacy databases
  • Automated (or semi-automated) discovery and classification of data by type and/or cyber risk level, particularly personal data (email addresses, credit card numbers, medical records) 
  • Integration with third-party change management solutions to “close the loop” on tracking approved database changes, including generating change management reports based on tracked database activity

How Can Database Activity Monitoring Help My Business?
Database activity monitoring controls help companies comply with regulations like the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA). These controls can also support compliance with evolving and escalating US government regulations. This includes the NIST SP 800-171 cybersecurity standard mandated by the US Department of Defense (DoD) and other agencies across all sectors for government contractors and their vendors that handle Controlled Unclassified Information (CUI).

If you need to monitor database access and privileged users to fulfill compliance requirements, meet contract obligations, and/or address risk management guidelines, database activity monitoring can streamline and simplify these processes significantly. It is also one of the best ways to protect sensitive databases from external cyber-attacks (e.g., using stolen administrator credentials) and to block insider threats.

Among the most common use cases for database monitoring are:

  • Monitoring application activity to detect fraudulent access and enforce end-user accountability. Many firms need the ability to identify and associate individual database transactions with individual application users to trace unapproved or malicious events to their source. This type of monitoring also helps mitigate risk from widespread cyber-attack vectors like SQL injection.
  • Monitoring privileged users like database administrators, IT staff, software developers, and help desk staff, whether in-house or outsourced. This includes monitoring and logging all transactions and identifying abnormal activities like viewing sensitive data. These controls are a critical adjunct to network-level controls like firewalls because they help protect your data if your perimeter is breached or if an attacker is already prowling “inside the castle.” 
  • Ensuring data governance by enforcing change control procedures so that unapproved database changes are blocked or quickly rolled back. These capabilities also support anti-fraud programs.

Moving Your Database Security Program Forward

Databases store a company’s most sensitive data assets, yet they are often poorly protected. In today’s world of constantly escalating and evolving security threats, combined with continuous data growth and new data uses, most organizations need database-centric security measures to reduce business risk. The growing importance of data integrity and privacy to regulators and customers is another major driver for implementing database activity monitoring. 

For these reasons and more, database activity monitoring is a vital part of a robust, holistic database security program that encompasses your data, your database configurations, and servers, your database security policies, your patch management program, your identity, and access controls, your network and application security controls, your physical environment, your vendor risk management, and more.

As an ideal starting point, an expert database security risk assessment can find the gaps in your current security posture and guide prioritized mitigation. To find out more, connect with Buda Consulting.