Organizations today rely on intuitive database monitoring for optimal performance of their business-critical applications. While most database monitoring tools generate notifications in case of performance issues, an ideal database monitoring tool will not only alert you. Still, it will also provide comprehensive insight into the root cause of the problems and help you troubleshoot them quickly.
Database activity monitoring (DAM) refers to a suite of tools that organizations can use to support the ability to identify and report on fraudulent, illegal, or other undesirable behavior with minimal impact on user operations and productivity. The tools have evolved from fundamental analysis of user activity in and around relational database management systems (RDBMSs). Such tools nowadays encompass a more comprehensive set of capabilities. Such capabilities include discovery and data classification, vulnerability management, application-level analysis, intrusion prevention, support for unstructured data security, identity and access management integration, and risk management support.
Database activity monitoring (DAM) is the process of observing, identifying, and reporting a database’s activities. Database activity monitoring tools use real-time security technology to monitor and analyze configured activities independently and without relying on the DBMS auditing or logs. Database monitoring tools allow for:
- Automatically discover, categorize, and monitor RDBMS, NoSQL, in-memory, distributed, and big data stores
- In-depth metrics collection for comprehensive database monitoring
- Troubleshoot faster with code-level insights
- Enables informed decision-making through intelligent analytics
Database Activity Monitoring tools are intended to provide deep visibility into the key performance indicators of databases. This visibility helps database admins understand the status of their database performance at any given time. The visibility also helps DBAs tune their databases based on the received insights and detect any database anomaly before users get affected. The following database attributes are critical for business operations and should be monitored and visualized on a custom dashboard.
Common Attributes to Monitor with Database Activity Monitoring
- CPU utilization
- Memory utilization
- Connection Statistics
- Buffer Cache details
- Query performance
- Resource pools
- User sessions
- Deadlock details
- System and user errors
Database activity monitoring tools capture and record all SQL activities in near real-time. There are several tools available, with varying levels of activity monitoring. However, the following are some of the common capabilities of DAM tools.
Main Capabilities of Database Activity Monitoring Tools
- Monitor and audit all database activity independently, including SELECT transactions and users’ activities, without performance degradation. Tools can work with multiple DBMSs and normalize transactions from different DBMSs, despite differences between SQL flavors.
Securely store the database activity outside the monitored database.
- Independently monitor and audit all database activity, including administrator activity and SELECT query transactions. Tools can record all SQL transactions: DML, DDL, DCL (and sometimes TCL).
- Aggregate and correlate database activities from multiple heterogeneous database management systems.
- Enforce separation of duties of database administrators, administrator activities, and prevent the manipulation or tampering of recorded activities or logs.
- Securely store the audit logs to a central server outside the audited database.
- Ensure that a service account only accesses a database from a defined source IP and runs a narrow group of authorized queries. This policy can alert you to compromises of a service account either from the system that generally uses it or if the account credentials show up in a connection from an unexpected system.
- Enforce separation of duties by monitoring and logging database administrator activities.
- Generate alerts whenever policy violations are detected and generate alerts for rule-based or heuristic-based policy violations. For example, you might create a rule to create an alert each time a privileged user performs a SELECT query that returns more than five results from a credit card column. The trigger alerts you to the possibility that the application has been compromised via SQL injection or other attacks.
Database activity monitoring combines several techniques such as network sniffing, memory scraping, and reading system tables and database audit logs. Regardless of the methods used, DAM tools enable data correlation to provide an accurate picture of all the activities in the database.
These tools also help detect unusual and unauthorized, internal, or external activities while still gauging the effectiveness of security tools and policies. In so doing, system administrators can improve the prevention and protection of sensitive data from intruders.
Database Activity Monitoring with Satori
Satori provides smart context-rich audit and monitoring across your data stores. The audit logs are universally available for reporting and analytics, and include a lot of additional metadata added from the IdP and from Satori’s continuous data classification engine.