December 7, 2016

For some odd reason, data compliance and data security are generally treated as one and the same; even though at this point, every security practitioner knows that compliance does not sufficiently provide security coverage. I’ve been asking myself then, why is Database Security such a low priority across the Cyber Security Defensive Strategy?

By implementing database compliance solutions, improved security posture is a natural byproduct. However, it is still not enough to establish an impenetrable moat around your most sensitive data repositories. Regardless of these compliance initiatives, data thefts continue to accelerate at an alarming rate. Meanwhile, the majority of sensitive corporate data that resides in databases (e.g., structured, non-structure, file systems, etc.), these repositories are overwhelmingly the most risky assets within any enterprise. All the while, there is little to no active monitoring at the database tier. Its no wonder attackers are raking it in!

Database Activity Monitoring (DAM) solutions are one of those products that not many security or database administrators want to deploy, but are generally forced to as the alternatives are limited – their choices are either implementing a cumbersome DAM product or enable native database auditing. The latter option is typically not feasible due to resource constraints. (Native logging adds additional load onto the databases, as the volume of logging gets expansive. This can result in costly operational expenditures to support the load of basic database functions and native logging for compliance purposes – sometimes upward of 20-30% over the base licensing cost.)

In order to stem high recurring licensing costs to the database platform vendors, DAM solutions have carved out a niche. The problem with DAM solutions is that they have not kept up with current cyber security techniques and sophisticated attacks that affect databases, and as a result security initiatives fall further behind. The solutions available on the market today have not evolved much in the past several years. The real core problem is the amount of upfront tuning and configuration that DAM tools require.

Humans (i.e. tuning) will generally be the biggest gap in data security and incidence response processes. This is why ultimately we must offload some of the heavy lifting onto machine learning, driven by behavior analytics. Learning the normal behavior of a database environment will allow anomalous or malicious behaviors to be pinpointed much sooner in an attack lifecycle. It will also reduce the burden on security analysts who cannot possibly investigate each and every generic login failure alert produced by their countless slew of security tools.