167:, “DAM provides privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring administrator activity. The technology also improves database security by detecting unusual database read and update activity from the application layer. Database event aggregation, correlation and reporting provide a database audit capability without the need to enable native database audit functions (which become resource-intensive as the level of auditing is increased).”
204:, and outsourced personnel – who typically have unfettered access to corporate databases – is essential for protecting against both external and internal threats. Privileged user monitoring includes auditing all activities and transactions; identifying anomalous activities (such as viewing sensitive data, or creating new accounts with superuser privileges); and reconciling observed activities (such as adding or deleting tables) with authorized change requests.
957:
402:
all local access and can also intercept all networked access in case you do not want to use network gear or in case the database communications are encrypted. However, since the agent does not do all the processing — instead it relays the data to the DAM appliance where all the processing occurs — it may impact network performance with all of the local traffic and real-time session termination may be too slow to interrupt unauthorized queries.
22:
327:
indicate behavioral anomalies. DAM demand is driven primarily by the need for privileged user monitoring to address compliance-related audit findings, and by threat-management requirements to monitor database access. Enterprise DAM requirements are beginning to broaden, extending beyond basic functions, such as the capability to detect malicious activity or inappropriate or unapproved database administrator (DBA) access.”
947:
170:
According to a survey by the
Independent Oracle User Group (IOUG), “Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are
401:
can be used. The advantage is that no processing is done on the host, however the main disadvantage is that both local traffic and sophisticated intra-database attacks will not be detected. To capture local access some network based vendors deploy a probe that runs on the host. This probe intercepts
385:
Most modern DAM systems collect what the database is doing by being able to “see” the communications between the database client and the database server. What DAM systems do is find places where they can view the communication stream and get the requests and responses without requiring participation
317:
One way that DAM can prevent SQL injection is by monitoring the application activity, generating a baseline of “normal behavior”, and identifying an attack based on a divergence from normal SQL structures and normal sequences. Alternative approaches monitor the memory of the database, where both the
159:
DAM is also an important technology for protecting sensitive databases from external attacks by cybercriminals. According to the 2009 Verizon
Business’ Data Breach Investigations Report—based on data analyzed from Verizon Business’ caseload of 90 confirmed breaches involving 285 million compromised
326:
As defined by
Gartner, “DAM tools use several data collection mechanisms (such as server-based agent software and in-line or out-of-band network collectors), aggregate the data in a central location for analysis, and report based on behaviors that violate the security policies and/or signatures or
274:
mask the identity of end-users at the database transaction level. This is done with an optimization mechanism known as “connection pooling.” Using pooled connections, the application aggregates all user traffic within a few database connections that are identified only by a generic service account
133:
technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach
430:
A solution that is agnostic to most IT infrastructure variables - no need to re-architect the network, to open span ports or to worry about key management if the network is encrypted, and this model can also be used to protect databases deployed in virtualized environments or in the
450:
are not and so these systems will augment the data that they gather from the redo logs with data that they collect from the native audit trails as shown in Figure 3. These systems are a hybrid between a true DAM system (that is fully independent from the
216:. This is a complex task as most privileged users are capable of using sophisticated techniques to attack the database - stored procedures, triggers, views and obfuscated traffic - attacks that may be difficult to detect using traditional methods.
479:
386:
from the database. Database
Security Proxy is a non-intrusive method for DAM. The interception itself can be done also at multiple points such as the database memory (e.g. the SGA), at the network (using a
207:
Since most organizations are already protected at the perimeter level, indeed a major concern lies with the need to monitor and protect from privileged users. There is a high correlation therefore between
275:
name. Application activity monitoring allows organizations to associate specific database transactions with particular application end-users, in order to identify unauthorized or suspicious activities.
219:
In addition, since targeted attacks frequently result in attackers gaining privileged user credentials, monitoring of privileged activities is also an effective way to identify compromised systems.
364:
DLP capabilities that address security concerns, as well as the data identification and protection requirements of the
Payment Card Industry (PCI) and other data-centric regulatory frameworks
314:
attack. The technique transforms an application SQL statement from an innocent SQL call to a malicious call that can cause unauthorized access, deletion of data, or theft of information.
222:
As a result, auditors are now demanding monitoring of privileged users for security best practices as well as a wide range of regulations. Privileged user monitoring helps ensure:
427:
Complete coverage of all database transactions — the sensor covers traffic coming from the network, from the host, as well as from back-doors (stored procedures, triggers, views)
416:
statements as they are being performed. A similar architecture was previously used by performance optimization products that also used the SGA and other shared data structures.
370:
The ability to offer database activity monitoring in virtualized environments, or even in the cloud, where there is no well-defined or consistent network topology
353:
The ability to offer database activity monitoring in virtualized environments, or even in the cloud, where there is no well-defined or consistent network topology
483:
310:
Many application developers compose SQL statements by concatenating strings and do not use prepared statement; in this case the application is susceptible to a
137:
Database activity monitoring and prevention (DAMP) is an extension to DAM that goes beyond monitoring and alerting to also block unauthorized activities.
504:
Pattern
Discovery With Security Monitoring and Fraud Detection Technologies, Mark Nicolett, Avivah Litan, Paul E. Proctor, 2 September 2009, Gartner Inc.
447:
149:
480:"The Forrester Wave: Enterprise Database Auditing And Real-Time Protection, Q4 2007, October 2007, Jonathan Penn, Katie Smillie, Forrester Research"
318:
database execution plan and the context of the SQL statements are visible, and based on policy can provide granular protection at the object level.
303:
is a type of attack used to exploit bad coding practices in applications that use relational databases. The attacker uses the application to send a
852:
39:
145:
86:
58:
456:
287:
65:
307:
statement that is composed from an application statement concatenated with an additional statement that the attacker introduces.
243:(and other abuses of legitimate access) that occurs via enterprise applications, rather than via direct access to the database.
749:
72:
334:
The ability to monitor intra-database attacks and back-doors in real time (such as stored procedures, triggers, views, etc.)
882:
692:
239:
The primary purpose of application activity monitoring is to provide a greater level of end-user accountability and detect
867:
446:
and they scrape these logs. Unfortunately, not all of the information that is required is in the redo logs. For example,
54:
459:
which relies on data generated by the database. These architectures usually imply more overhead on the database server.
233:, so that critical database structures and values are not being changed outside of corporate change control procedures.
564:
105:
534:
419:
In the latest versions of this technology a lightweight sensor runs on the host and attaches to the process at the
950:
877:
862:
408:
Some DAM systems have a lightweight sensor that attaches to the protected databases and continuously polls the
213:
43:
898:
791:
745:
535:
Database
Activity Monitoring Market Overview, Jeffrey Wheatman, Mark Nicolett, 3 February 2009, Gartner Inc.
857:
659:
79:
770:
654:
980:
913:
786:
682:
602:
587:
872:
677:
824:
134:
investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.
807:
193:
32:
755:
644:
557:
291:
283:
271:
266:, Business Intelligence, and custom applications built on standard middle-tier servers such as
160:
records during 2008—75 percent of all breached records came from compromised database servers.
829:
442:(e.g., the redo logs). These systems use the fact that much of the data is stored within the
141:
903:
765:
622:
423:
level to inspect private data structures. The advantages of this approach are significant:
197:
8:
923:
627:
960:
844:
834:
722:
409:
174:
153:
669:
928:
908:
727:
704:
550:
338:
209:
130:
503:
367:
Database user rights attestation reporting, required by a broad range of regulations
361:
Configuration auditing to comply with audits required by the U.S. Sarbanes–Oxley Act
817:
637:
607:
420:
391:
812:
760:
737:
649:
617:
612:
592:
439:
398:
279:
230:
524:
HOWTO Secure and Audit Oracle 10g and 11g, Ron Ben Natan, Ph.D., CRC Press, 2009
717:
687:
597:
263:
229:, so that only authorized applications and users are viewing sensitive data. •
974:
311:
300:
267:
156:(SOX), U.S. government regulations such as NIST 800-53, and EU regulations.
933:
226:
387:
177:
refers to this category as “database auditing and real-time protection”.
632:
523:
255:
251:
247:
189:
918:
201:
21:
573:
443:
294:
compliance has also increased the emphasis on anti-fraud controls.
344:
Blocking and prevention, without being in-line to the transactions
259:
164:
438:
Some DAM systems analyze and extract the information from the
390:
or a SPAN port if the communication is not encrypted), at the
357:
Some enterprises are also seeking other functions, including:
240:
542:
452:
413:
304:
171:
still unable to even detect such breaches or incidents.”
373:
Better integration with vulnerability scanning products
150:
Health
Insurance Portability and Accountability Act
46:. Unsourced material may be challenged and removed.
394:level, or at the level of the database libraries.
341:variables - such as encryption or network topology
972:
519:
517:
515:
513:
511:
474:
472:
397:If there is unencrypted network traffic, then
278:End-user accountability is often required for
558:
508:
469:
350:Improved visibility into application traffic
146:Payment Card Industry Data Security Standard
377:
246:Multi-tier enterprise applications such as
180:
565:
551:
288:Public Company Accounting Oversight Board
106:Learn how and when to remove this message
321:
973:
546:
337:A solution which is agnostic to most
330:More advanced DAM functions include:
198:systems administrators (or sysadmins)
44:adding citations to reliable sources
15:
946:
13:
14:
992:
212:and the need to protect from the
956:
955:
945:
347:Active discovery of at-risk data
286:. New auditor guidance from the
237:Application Activity Monitoring:
188:Monitoring privileged users (or
20:
31:needs additional citations for
528:
497:
55:"Database activity monitoring"
1:
899:Database-centric architecture
462:
140:DAM helps businesses address
572:
123:Enterprise database auditing
119:Database activity monitoring
7:
186:Privileged User Monitoring:
10:
997:
914:Locks with ordered sharing
746:Entities and relationships
603:Database management system
942:
891:
843:
800:
792:Object–relational mapping
779:
736:
703:
668:
580:
282:requirements such as the
378:Common DAM architectures
181:Common use cases for DAM
298:Cyberattack Protection:
194:database administrators
272:Oracle WebLogic Server
693:information retrieval
142:regulatory compliance
904:Intelligent database
322:Core features of DAM
127:Real-time protection
40:improve this article
713:Activity monitoring
383:Interception-based:
883:Online real estate
410:system global area
284:Sarbanes–Oxley Act
154:Sarbanes-Oxley Act
144:mandates like the
981:Database security
968:
967:
929:Halloween Problem
909:Two-phase locking
868:Facial expression
787:Abstraction layer
728:Negative database
683:Data manipulation
448:SELECT statements
412:(SGA) to collect
339:IT infrastructure
210:database security
131:database security
116:
115:
108:
90:
988:
959:
958:
949:
948:
567:
560:
553:
544:
543:
537:
532:
526:
521:
506:
501:
495:
494:
492:
491:
482:. Archived from
476:
440:transaction logs
392:operating system
111:
104:
100:
97:
91:
89:
48:
24:
16:
996:
995:
991:
990:
989:
987:
986:
985:
971:
970:
969:
964:
938:
887:
839:
796:
775:
732:
699:
678:Data definition
664:
576:
571:
541:
540:
533:
529:
522:
509:
502:
498:
489:
487:
478:
477:
470:
465:
399:packet sniffing
380:
324:
280:data governance
231:Data governance
183:
148:(PCI DSS), the
112:
101:
95:
92:
49:
47:
37:
25:
12:
11:
5:
994:
984:
983:
966:
965:
943:
940:
939:
937:
936:
931:
926:
921:
916:
911:
906:
901:
895:
893:
889:
888:
886:
885:
880:
875:
870:
865:
860:
855:
849:
847:
841:
840:
838:
837:
832:
827:
822:
821:
820:
810:
808:Virtualization
804:
802:
798:
797:
795:
794:
789:
783:
781:
777:
776:
774:
773:
768:
763:
758:
753:
742:
740:
734:
733:
731:
730:
725:
720:
715:
709:
707:
701:
700:
698:
697:
696:
695:
685:
680:
674:
672:
666:
665:
663:
662:
657:
652:
647:
642:
641:
640:
635:
625:
620:
615:
610:
605:
600:
595:
590:
584:
582:
578:
577:
570:
569:
562:
555:
547:
539:
538:
527:
507:
496:
467:
466:
464:
461:
433:
432:
428:
379:
376:
375:
374:
371:
368:
365:
362:
355:
354:
351:
348:
345:
342:
335:
323:
320:
264:Siebel Systems
214:insider threat
200:, developers,
182:
179:
114:
113:
96:September 2017
28:
26:
19:
9:
6:
4:
3:
2:
993:
982:
979:
978:
976:
963:
962:
953:
952:
941:
935:
932:
930:
927:
925:
922:
920:
917:
915:
912:
910:
907:
905:
902:
900:
897:
896:
894:
890:
884:
881:
879:
876:
874:
871:
869:
866:
864:
861:
859:
856:
854:
851:
850:
848:
846:
842:
836:
833:
831:
828:
826:
823:
819:
816:
815:
814:
811:
809:
806:
805:
803:
799:
793:
790:
788:
785:
784:
782:
778:
772:
769:
767:
764:
762:
759:
757:
756:Normalization
754:
751:
747:
744:
743:
741:
739:
735:
729:
726:
724:
721:
719:
716:
714:
711:
710:
708:
706:
702:
694:
691:
690:
689:
686:
684:
681:
679:
676:
675:
673:
671:
667:
661:
658:
656:
653:
651:
648:
646:
645:Administrator
643:
639:
636:
634:
631:
630:
629:
626:
624:
621:
619:
616:
614:
611:
609:
606:
604:
601:
599:
596:
594:
591:
589:
586:
585:
583:
579:
575:
568:
563:
561:
556:
554:
549:
548:
545:
536:
531:
525:
520:
518:
516:
514:
512:
505:
500:
486:on 2019-06-28
485:
481:
475:
473:
468:
460:
458:
454:
449:
445:
441:
437:
429:
426:
425:
424:
422:
417:
415:
411:
407:
406:Memory-based:
403:
400:
395:
393:
389:
384:
372:
369:
366:
363:
360:
359:
358:
352:
349:
346:
343:
340:
336:
333:
332:
331:
328:
319:
315:
313:
312:SQL injection
308:
306:
302:
301:SQL injection
299:
295:
293:
289:
285:
281:
276:
273:
269:
268:IBM WebSphere
265:
261:
257:
253:
249:
244:
242:
238:
234:
232:
228:
223:
220:
217:
215:
211:
205:
203:
199:
195:
191:
187:
178:
176:
172:
168:
166:
163:According to
161:
157:
155:
152:(HIPAA), the
151:
147:
143:
138:
135:
132:
128:
124:
121:(DAM, a.k.a.
120:
110:
107:
99:
88:
85:
81:
78:
74:
71:
67:
64:
60:
57: –
56:
52:
51:Find sources:
45:
41:
35:
34:
29:This article
27:
23:
18:
17:
954:
944:
934:Log shipping
878:Online music
863:Biodiversity
830:Preservation
712:
588:Requirements
530:
499:
488:. Retrieved
484:the original
435:
434:
418:
405:
404:
396:
382:
381:
356:
329:
325:
316:
309:
297:
296:
277:
245:
236:
235:
227:Data privacy
224:
221:
218:
206:
185:
184:
173:
169:
162:
158:
139:
136:
126:
122:
118:
117:
102:
93:
83:
76:
69:
62:
50:
38:Please help
33:verification
30:
951:WikiProject
780:Programming
771:Cardinality
766:Refactoring
623:Application
388:network TAP
192:), such as
924:Publishing
858:Biological
801:Management
633:datasource
628:Connection
490:2009-12-10
463:References
436:Log-based:
256:JD Edwards
252:PeopleSoft
248:Oracle EBS
190:superusers
66:newspapers
919:Load file
835:Integrity
825:Migration
752:notation)
723:Forensics
670:Languages
444:redo logs
202:help desk
175:Forrester
975:Category
961:Category
892:See also
853:Academic
845:Lists of
750:Enhanced
705:Security
574:Database
455:) and a
196:(DBAs),
818:caching
608:Machine
165:Gartner
129:) is a
80:scholar
873:Online
813:Tuning
761:Schema
738:Design
618:Server
613:Engine
598:Models
593:Theory
82:
75:
68:
61:
53:
748:(and
718:Audit
688:Query
660:Tools
655:Types
431:cloud
241:fraud
87:JSTOR
73:books
650:Lock
581:Main
457:SIEM
453:DBMS
290:for
270:and
125:and
59:news
638:DSN
414:SQL
305:SQL
292:SOX
260:SAP
42:by
977::
510:^
471:^
421:OS
262:,
258:,
254:,
250:,
225:•
566:e
559:t
552:v
493:.
109:)
103:(
98:)
94:(
84:·
77:·
70:·
63:·
36:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.