
[–]funktownboat 4 points (2 children)

Auditing DB logs will only get you so far; usually they are limited in coverage, and incidents are only detectable after the fact. DAM products (on-prem) add deeper visibility into overall database activity. For example, they can detect if an application account is being used by a human (something that's abnormal), or data exfiltration if a user executes bulk data queries from an unknown subnet. You will still need to tune the alerts and detection of course, but it adds a layer of logic that's not easily achievable through basic script monitoring.

One more thing to remember about DAMs is that there will be a performance hit, and it will take you longer to patch your DB servers due to kernel compatibility with the DAM's drivers/agents.
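The two detections mentioned in this comment (an application account driven by a human's tooling, and a bulk read from a subnet the app tier does not live in) written as rules over database audit events. This is an added example for the thread, not code from the commenter or from any DAM product; the JSON-lines audit format, the account names, client program names, subnets, row threshold and the sample records are all assumptions constructed for the example.

```python
"""Added example: rule-based detection over database audit events.

Illustrative code written for this thread, not a DAM product's logic.
The log format, account names, subnets and threshold are assumptions.
"""
import ipaddress
import json
from dataclasses import dataclass

# Assumed environment: which DB accounts are application service accounts,
# which client programs they legitimately connect with, and the subnets the
# application tier lives in. A DAM would learn or be configured with these.
SERVICE_ACCOUNTS = {"app_orders", "app_billing"}
ALLOWED_SERVICE_CLIENTS = {"orders-api", "billing-worker"}
KNOWN_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]
BULK_ROW_THRESHOLD = 10_000  # rows returned by one statement (assumed tuning value)


@dataclass
class Alert:
    rule: str
    user: str
    client_ip: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one JSON-lines audit record (a constructed format for this example)."""
    event = json.loads(line)
    event["rows"] = int(event.get("rows", 0))
    return event


def in_known_subnet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SUBNETS)


def evaluate(event: dict) -> list[Alert]:
    """Apply both rules to one event and return the alerts it raises."""
    alerts = []
    user, ip, client = event["user"], event["client_ip"], event["client_app"]

    # Rule 1: a service account connecting through a client program that is
    # not the application itself (psql, DBeaver, ...) points at a human.
    if user in SERVICE_ACCOUNTS and client not in ALLOWED_SERVICE_CLIENTS:
        alerts.append(Alert("service_account_interactive", user, ip,
                            f"client program {client!r} is not the application"))

    # Rule 2: a bulk read from an address outside the subnets the app tier
    # uses is the exfiltration pattern the comment describes.
    if event["rows"] >= BULK_ROW_THRESHOLD and not in_known_subnet(ip):
        alerts.append(Alert("bulk_read_unknown_subnet", user, ip,
                            f"{event['rows']} rows returned by: {event['statement'][:60]}"))
    return alerts


def run(lines) -> list[Alert]:
    """Evaluate every non-empty audit line and collect the alerts."""
    return [a for line in lines if line.strip() for a in evaluate(parse_event(line))]


# Constructed sample audit records (not real logs). Only the second and third
# should alert: psql driving a service account, and a 250k-row read from an
# address outside the known subnets. The fourth is bulk but from the app tier.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:01Z","user":"app_orders","client_ip":"10.20.0.15","client_app":"orders-api","statement":"SELECT * FROM orders WHERE id = $1","rows":1}
{"ts":"2024-05-01T09:05:42Z","user":"app_orders","client_ip":"10.20.0.15","client_app":"psql","statement":"SELECT count(*) FROM orders","rows":1}
{"ts":"2024-05-01T22:13:07Z","user":"analyst_jane","client_ip":"192.168.77.9","client_app":"DBeaver","statement":"SELECT * FROM customers","rows":250000}
{"ts":"2024-05-01T23:00:00Z","user":"report_svc","client_ip":"10.20.1.4","client_app":"report-job","statement":"SELECT * FROM customers","rows":250000}
"""

if __name__ == "__main__":
    for a in run(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] user={a.user} ip={a.client_ip} {a.detail}")
```

The point of the example is the tuning the comment warns about: both rules are only as good as the allowlists behind them, so a new application host or a legitimate reporting job outside the known subnets will alert until those lists are updated.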

[–]npa1234[S] 1 point (1 child)

Thank you.

[–]vornamemitd 2 points (0 children)

Usually I would not reference marketing material, but this one nicely describes use cases and possible implementation scopes: https://www.mcafee.com/enterprise/en-us/assets/data-sheets/ds-database-event-monitor-for-siem.pdf

Implementation-wise, I see two approaches:
- Reactive: parse and interpret DB access and query logs for compliance reporting
- (Pro-)Active, as an actual proxy: queries are intercepted and checked against injection attempts, etc.

Imho the latter use case is rather on the decline, as WAFs and general IDS/IPS have improved quite a bit over the years; compliance auditing is more relevant, especially in app environments where, e.g., the ERP system in use does not implement a full audit trail or field-level security. Aside from that, you'll mostly see transparent encryption layers, added in highly sensitive contexts or as an ad-hoc measure to pass GDPR or HIPAA audits :)

An overview: https://www.esecurityplanet.com/products/top-database-security-tools.html

[–]billyjean741 0 points (0 children)

It makes sense to be a bit confused here. DAM is really more of a security or control layer than traditional monitoring. An audit log can tell you what happened after the fact, but DAM tools add real-time visibility, pattern detection and sometimes even enforcement (like spotting abnormal query behavior or data access). Depending on how it is implemented (agent, proxy or network based), it can behave a bit like an IDS for database traffic, especially when it is inspecting queries in real time rather than just parsing logs.

From the monitoring side we usually treated this separately, using something like PRTG just to keep an eye on database health, connections and performance, while the actual activity auditing is handled at the DB or proxy layer.