Analysis in Database Security
In one of our previous articles we discussed the importance of audit trails. You can find it here: https://www.datasunrise.com/professional-info/aim-of-a-db-audit-trail/
In this article we discuss how these trails can be used to improve your database security. Used effectively, audit logs help you identify weak points, close those gaps, and protect the company from the problems that come with poor database security.
Some Useful Tips
Audit trails are most effective when they are automated. Auditing can also reveal suspicious in-house activity or misuse. Where the logs are stored and who has access to them is also critical to maintaining audit trail integrity.
Knowing what information to include in the logs is also important. We recommend that the logs include basic information such as the database users involved, the date and time, and the query results. Note that DataSunrise’s logs include such information.
Other specific information may need to be added, depending on your security needs, the security standards you strive to comply with, and your reporting requirements.
Here are some important tips:
- Ensure that audit trail information is stored in a secure location and is backed up regularly;
- Include only useful and necessary information in the audit trail to avoid storage overflow;
- Review audit logs periodically to mitigate risk;
- Coordinate with related parties to ensure the security and availability of their systems’ audit trails.
Tools for Analyzing Audit Trails
According to the NIST Handbook, audit trail analyzing tools should meet the following requirements:
- The ability for reviewers to recognize both normal and unusual activity;
- The ability to query and filter audit records for specific information;
- The ability to escalate audit trail reviews if a problem is detected;
- The development of review guidelines in order to identify unauthorized activities;
- The use of automated tools to keep audit trail information at a minimum and also extract useful information from the collected data.
DataSunrise includes some of the aforementioned features, but it is not a SIEM analytical system: it collects audit events and passes them to dedicated programs via Syslog. We don’t recommend particular tools; which software to use is up to you.
DataSunrise’s Data Audit functionality, in turn, enables you to do database activity monitoring and collect the following information:
- Database username;
- Client application user;
- Client application used to query the database;
- Client host;
- Session duration;
- The number of affected rows;
- Query’s text;
- Databases, schemas, tables and columns affected by the intercepted query.
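As an added example (not DataSunrise’s own code), the following Python parses constructed audit records carrying the fields listed above, supports the query-and-filter step from the NIST list, and applies a few review rules to flag unusual activity. The key=value record layout, the hosts, users, table names and thresholds are all assumptions for the example, not DataSunrise’s real Syslog format.

```python
import re
from datetime import datetime

# Constructed sample records; this key=value layout is an assumed format for
# the example, not DataSunrise's real syslog output.
SAMPLE_EVENTS = """\
2024-03-01T09:12:04Z db_user=app_rw app_user=alice client_host=10.0.1.15 rows=1 objects=sales.orders text="SELECT * FROM sales.orders WHERE id=42"
2024-03-01T09:13:11Z db_user=app_rw app_user=bob client_host=10.0.1.16 rows=3 objects=sales.orders,sales.items text="UPDATE sales.orders SET status='shipped' WHERE id IN (1,2,3)"
2024-03-01T23:47:52Z db_user=dba app_user=carol client_host=203.0.113.9 rows=250000 objects=hr.salaries text="SELECT * FROM hr.salaries"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) db_user=(?P<db_user>\S+) app_user=(?P<app_user>\S+) client_host=(?P<client_host>\S+) '
    r'rows=(?P<rows>\d+) objects=(?P<objects>\S+) text="(?P<text>[^"]*)"$'
)

def parse_events(raw):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in raw.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["rows"] = int(ev["rows"])
        ev["objects"] = ev["objects"].split(",")  # tables touched by the query
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def query(events, **filters):
    """Filter records on any captured field, e.g. query(evs, app_user="alice")."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

RULES = [  # review guidelines as rules; thresholds are assumed, tune per environment
    ("bulk rows", lambda e: e["rows"] >= 10000),
    ("off-hours", lambda e: not 8 <= e["ts"].hour < 19),
    ("untrusted host", lambda e: not e["client_host"].startswith("10.0.1.")),
    ("sensitive object", lambda e: "hr.salaries" in e["objects"]),
]

def flag_unusual(events):
    """Return (app_user, reasons) for every record that breaches a review rule."""
    findings = []
    for e in events:
        reasons = [name for name, hit in RULES if hit(e)]
        if reasons:
            findings.append((e["app_user"], reasons))
    return findings
```

Flagged records are the ones to escalate for a closer review, as the NIST list describes.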
Some Best Practices
For how long to store the trail?
There are no guidelines on a specific timeframe for maintaining audit records. The only answer is: as long as possible. The specific period depends mostly on your storage capacity. But note that you should be able to retrieve the audit trail associated with a certain event. That’s why you should store the audit record for the life of the database record.
How often to review the trails?
Audit trail reviews vary by company and may take place quarterly or annually during a security audit. It’s recommended to develop your own review guidelines to keep reviews regular.