Database Activity Monitoring

Data makes the world go ‘round and a lot of this critical data resides in databases.  This is why it is important to monitor database activity in order to prevent attacks and invasions. 

I recently had an interesting discussion with Rani Osnat, VP of Marketing at Sentrigo Software about its database monitoring product called Hedgehog and its recently announced 2.0 release.  For those of you who aren’t familiar with Sentrigo, it is an Israeli/US based company, founded in 2006, that focuses on real time database activity monitoring and intrusion prevention.  The company released its first product, Hedgehog 1.0 in 2007. 

Here’s how it works

 Hedgehog samples and monitors transactions using data that in the database cache. It uses the cache to minimize performance issues.  The software utilizes rules that act on certain parameters such as time of day, day of week, IP addresses, etc.  All of the parameters can be combined in Boolean conditions and operators such as “includes”, “does not include”, “between” (for a range of values), as well as AND, OR, NOT and nested expressions using parentheses.  For example, a simple rule might be something like this: 

If  <certain user type> accesses <Credit Card Table> at <non-working hours> then terminate. 

Rules can be developed by administrators using a wizard-based interface.  Hedgehog also comes with a series of built in rules called Virtual Patches, that provide rules to detect and prevent vulnerabilities in databases as they become known.  Sentrigo maintains a team of security professionals that research and track these issues and provide the patches that act as a band-aid until the database vendor issues their own patches.  These updates are distributed continually.  

In release 2.0, the company provides:

  • Support for Microsoft SQL Server in addition to already supported Oracle (with Sybase and DB2 to follow). 
  • Hedgehog IDentifier – a patent-pending technology that allows positive user identification in n-tier environments by attaching tags with IDs for every transaction.  This means, if 1000 people are using SAP finance in a pooled manner, but connect through a super-user in database, Hedgehog can identify the individual user.
  • Compliance templates- which guide users through the process of translating requirements into rules for monitoring compliance in support of PCI DSS, Sarbannes Oxley, and SAS 70. 

Get Proactive

 I have had a number of conversations with database administrators in the past and I was frankly surprised that some of these administrators seemed to be more reactive than proactive in regard to monitoring their database(s).    Many seem to be driven by compliance mandates, rather than taking a proactive approach to intrusion detection and prevention.  Companies need to think through their entire data security strategy which includes attacks on data from inside and outside the organization.  Perhaps attacks such as those that we’ve all read about in the past year and the addition of new mandates have opened their eyes.      

1 thought on “Database Activity Monitoring”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s