NitroSecurity Solution Brochure (14.3 Mb)

Database Activity Monitoring

Database monitoring protects client information and sensitive financial data inside the databases and applications. As security breaches move from random hackers to carefully-timed attacks by knowledgeable technology experts, you need to monitor individual database transactions to:

  • Secure Confidential Data. A powerful application specifically built for complex heterogeneous environments, NitroGuard Database Monitor (DBM) monitors both databases and popular business applications. This single-solution approach reduces training and deployment costs and increases ROI.
  • Improve Compliance Reporting. NitroGuard DBM's pre-defined rules and reports, privacy-friendly logging features and encrypted, time-stamped files make it easy to comply with regulations such as Sarbanes-Oxley, PCI, HIPAA, GLBA, FDIC, FISMA, and ISO 17799, among others.
  • Avoid Liability. Nothing costs more than losing clients, informing regulators and facing unfavorable media reports after a security breach. Having the latest and greatest technology in place can prevent, limit or mediate the situation.

"Database Activity Monitoring is crucial because organizations store sensitive, business-critical information in their DBMSs. Monitoring & analysis of critical data access is becoming a compliance standard of due care, & this capability is also required to detect data breaches in the event of a successful targeted attack."

Mark Nicolett, Gartner, "DAM Technology Provides Monitoring & Analytics", NOV 2007

Database Monitoring

NitroGuard Database Monitor (DBM) identifies suspect activity from authorized users using a combination of "known good" and "known bad" activity monitoring - determining the level of risk, based on activity of the user within the database. For example, alerts can be triggered when an application that should only be using three queries begins generating new requests, or when a user that views user information one customer at a time starts performing mass downloads. In both of those cases, there was a deviation from "known good" activity. One example of "known bad" activity is an attempt to access a list of usernames and passwords in the database.

NitroGuard DBM monitors all database activity and can spot tell-tale signs that the user is unfamiliar with the environment despite logging in as a user that should know exactly what it needs. For instance, a hacker with stolen credentials will (generally) be unaware of the database schema - generating access privilege errors, running scripts to enumerate table and field names, viewing sample data from many tables, and the like. By consolidating these database events with external information (e.g., the user is using an IP address outside of the perimeter) - the data security group can receive an alert that there is a potential ongoing attack, enabling an immediate response that can identify the threat and potentially shut it down before data is compromised.
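The consolidation described above, sketched as an added example (not NitroGuard DBM's implementation and not code from this brochure): database-side signals are counted per account and source address, then combined with the perimeter check before alerting. The event fields, perimeter range, thresholds and sample events are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions, not from the brochure: perimeter range, thresholds, event fields.
PERIMETER = ipaddress.ip_network("10.0.0.0/8")
MAX_DENIED, MAX_TABLES = 3, 5
ENUMERATION = re.compile(r"information_schema|pg_catalog|sys\.tables|all_tables", re.I)

# Constructed sample events: (user, source_ip, sql, table, status)
OUT = ("jsmith", "203.0.113.77")  # same account, address outside the perimeter
EVENTS = [
    ("jsmith", "10.2.0.15", "SELECT name FROM customers WHERE id = ?", "customers", "ok"),
    ("dba_ops", "10.0.0.5", "SELECT table_name FROM information_schema.tables",
     "information_schema.tables", "ok"),
    (*OUT, "SELECT table_name FROM information_schema.tables",
     "information_schema.tables", "ok"),
    (*OUT, "SELECT * FROM payroll LIMIT 5", "payroll", "denied"),
    (*OUT, "SELECT * FROM hr_reviews LIMIT 5", "hr_reviews", "denied"),
    (*OUT, "SELECT * FROM cards LIMIT 5", "cards", "denied"),
    (*OUT, "SELECT * FROM customers LIMIT 5", "customers", "ok"),
    (*OUT, "SELECT * FROM orders LIMIT 5", "orders", "ok"),
]

def score_sessions(events):
    """Group events by (user, source IP) and list the signals each session shows."""
    stats = defaultdict(lambda: {"denied": 0, "enum": 0, "tables": set()})
    for user, ip, sql, table, status in events:
        s = stats[(user, ip)]
        s["denied"] += status == "denied"          # access privilege errors
        s["enum"] += bool(ENUMERATION.search(sql))  # catalog / schema lookups
        s["tables"].add(table)                      # breadth of tables touched
    findings = {}
    for (user, ip), s in stats.items():
        signals = []
        if s["denied"] >= MAX_DENIED:
            signals.append("privilege_errors")
        if s["enum"]:
            signals.append("schema_enumeration")
        if len(s["tables"]) >= MAX_TABLES:
            signals.append("wide_table_sampling")
        if ipaddress.ip_address(ip) not in PERIMETER:
            signals.append("outside_perimeter")
        findings[(user, ip)] = signals
    return findings

def alerts(events, min_signals=3):
    """Alert only when several signals coincide, so one alone (a DBA browsing the catalog) stays quiet."""
    return {k: v for k, v in score_sessions(events).items() if len(v) >= min_signals}
```

Keying on the account and source address together is what separates the legitimate `jsmith` session inside the perimeter from the session using the same credentials from outside it.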

Network or Host Based Monitoring?

Network-based database monitoring has zero impact on the performance of the database or the applications that access it, providing the ultimate level of protection without penalty. In some circumstances, however, a host-based monitor might be desired: for example, where the console and database coexist on a single server or mainframe, or when more in-depth system-level monitoring and remediation capabilities are desired. Many databases provide internal auditing, but at the cost of performance and protection (as internal auditors can be bypassed by authorized administrators). A discrete instance of host-based database monitoring is therefore ideal in some circumstances. NitroGuard DBM is available as either an installable agent or as a network-based database monitor, which sits on a network SPAN port much like an IDS. All traffic is inspected in real time to detect and analyze database transactions without accessing the database itself. This eliminates performance overhead on the database server, keeping applications responsive.

"NitroGuard Database Monitor (reviewed as RippleTech NitroGuard DBM) is a strong performer in the enterprise database auditing market because it offers good features and functionality at an attractive price."

The Forrester Wave: Enterprise Database Auditing & Real-time Protection, Q4 2007

Why use a DBM?

Today's hacker is most likely to be a former technical employee using remote access to exploit system vulnerabilities, according to CERT, the Internet security research center run by the Software Engineering Institute at Carnegie Mellon University, which has access to U.S. Secret Service data.

Scary... but we bet you aren't surprised. What does this really mean to you as an IT professional?

  • The line between an external attack and an internal attack is blurring. A former employee using remote access is acting from a completely different set of motives and from a completely different base of knowledge than a hacker. He/she may know exactly where the most important or confidential data resides, and he/she may know colleagues' passwords and enough security practices to cover his/her tracks.
  • A zero-day scenario is more likely to be a planned event: a former employee waiting for the opportunity to do damage. He/she may know your patch policies and the exact length of the window of opportunity.

CERT's report also says the majority of insider attackers compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks. The majority of such attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable.

Database monitoring is your best protection against internal attacks. NitroGuard DBM, RippleTech's database monitoring solution, analyzes every data request going into the database to determine if the data being requested is suspicious--regardless of WHO is entering the request or where it initiates. Its unbiased, straightforward application of your security policies and rules puts control back in your hands.

When used with NitroGuard IPS, the system provides:

  • Edge-to-core network protection
    • Edge Defense - to prevent breaches at the network perimeter (IPS)
    • Network visibility - to catch anomalies and determine vectors through the trusted network (IPS)
    • Core Defense - to prevent breaches at the database itself (DBM)

When used with NitroView ESM, the total solution provides even more:

  • Precise network and event information collection from all areas of your network, including NitroGuard DBM
  • Forensic analysis
  • Network flow analysis
  • Physical event mapping, pinpointing events within your network topology
  • Correlation of monitored database activity to other host, application, and third party event data collected by NitroView receivers
  • Automated remediation, including black-list capabilities



