Database Activity Monitoring (DAM) refers to any solution that is used to actively monitor and analyze database activity. This technology is multipurpose, typically being used by organizations both to fulfill specific compliance criteria, as well as protect their most sensitive data from external hackers and malicious insiders.
Database Activity Monitoring Overview
By default, most databases do not log any activity data, or if they do, it is not enough activity data to enable a full forensic investigation of historical breach events. Furthermore, it is often logged to a table within the database itself. Assuming an attacker gains access to database credentials that have write access to the full collection of tables (as is often the case), the attacker can simply delete any activity rows associated with their exfiltration. As a result, the database activity logging available with most database products cannot be considered a source of truth that is consistent with reality. Following an exfiltration attack, it is often truncated and there may not ever be a way to know that a breach ever occurred!
A core tenet of the empirical understanding of any phenomena is the ability to measure and record data, in other words, to observe the event(s). It is impossible to refute or support any hypothesis if we cannot measure data relevant to that hypothesis. As the risk of exposure to data breach events continues to increase, there is an increase in the need to conduct forensic investigations on these breach events for a number of reasons. Primarily to notify the relevant users of the breach, per regulation, and to determine the means by which the attacker was able to gain access to the data and “plug that gap.” As a result, many security decision makers are finding themselves searching for a solution to record all database query activity to address the future need to investigate attacks.
These considerations lead organizations to adopt a DAM solution which could typically be deployed as a collection of agents on their database machines or on the network. A common solution is to forward database activity in approximately real-time to an offsite forensics service, such as Splunk. By replicating database queries in real-time, post-mortem forensics become possible with the assumption that the activity logs are not missing query events. Oftentime, a near real-time solution brought with it limitations on database performance by adding compute and network overhead to every database query.
As a result, an alternative approach is to copy a database’s own native access metrics to an outside forensic service as part of a scheduled task. However, it should be noted that temporal daily, weekly, etc., cronjob style replications do not offer as good of a guarantee that the activity log is complete, further necessitating a purpose-built enterprise-grade DAM solution. It provided customers with unified activity logs, correlated across databases and users, and the ability to enforce access control to data inside the databases. Historically, organizations have relied on DAM for compliance, access control and threat detection, and eventually for discovery and vulnerability management.
Changing Requirements Landscape
In recent years, the complications of securing data repositories from attacks and accidental exposure has grown as a result of the exponential upwards trend in volume of data stored. Further, the complications have been compounded by increased regulatory scrutiny and progressions in complexity of cybersecurity threats. These trends have created a difficult environment for modern cloud applications to operate in a secure and compliant manner. Furthermore, databases must operate in complicated cloud networks and grant access to a wide variety of applications and critical business operations, while simultaneously ensuring access to data conforms to policy and regulation.
Implementing a traditional DAM is often not an adequate solution for this challenge as organizations shift their workloads to the cloud. For example, in a cloud environment organizations often consume databases themselves as a managed SaaS service. In this environment there is no place for server or network based agents. As a result, to implement any kind activity monitoring requires a service that can intercept the database queries at the data endpoint.
When implementing a solution that intercepts database queries and replicates them to an offsite forensics service in real-time, performance of the outbound API requests should be considered. Importantly, the queries should be forwarded to the forensics service (Splunk, etc.) asynchronously, as to allow the query to continue execution without delay. If database queries are executed sequentially, performance of the production database can be severely limited. Engineering around this requirement can often be a challenge to both implement and maintain database performance. What is required is a novel parallel architecture that saddles the database infrastructure without hindering performance.
Cloud-Native Data Activity Monitoring
Database Activity Monitoring has historically been a key technology to measure access policy compliance for prior generation infrastructure, such as on-prem databases. The novel challenges that have developed as a result of the realization of cloud native applications have often shown to be outside the scope of capabilities of traditional DAM technologies.
However, the need for a new generation of Data Activity Monitoring cannot be ignored. As the costs of database breach events continue to rise in terms of customer trust, regulatory fines, and real damages, it is becoming more and more a requirement to detect and mitigate data exfiltration events when and where they occur. Traditional DAm that detects these anomalies and violations after-the-fact in an off site log have shown to be inadequate.
Measuring database queries at the endpoint, in situ, presents an enormous challenge. Traditional DAM products were built with SQL-based RDBMS in mind, whereas the cloud data for most organizations tends to be heterogeneously distributed across SQL, NoSQL and topic-based repositories. Introducing a “thick” layer of architecture to intercept, record, and decide whether to block or forward database queries, can severely affect performance of the applications and services that access thes cloud-native distributed data repositories. What is required by modern cloud architecture is a “thin” interception layer in time space, ideally one that has negligible effect on database response time, and that can work across modern database grammars and protocols.
The Next Generation: Cloud Native Data Activity Monitoring with Cyral
Today’s organizations seek solutions that address the cloud native gap in traditional DAM technologies that guarantee complete data activity observation without performance limitations. Cyral has developed patented technologies that successfully capture data activity, as measured directly at the data repo endpoint, while introducing negligible (microsecond) performance change. By integrating the solution with Authentication and Authorization services, Cyral also captures the context of specific user-level activity within metadata for each query. This enables Cyral’s technology to monitor activity for anomalies and violations from data access policies, and alert and block queries in real-time. To learn more about how Cyral can enable your organization with real-time data activity monitoring for cloud-native architectures without performance loss, register for a demo.