2025-04-08 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains what database audit is. Interested readers may wish to take a look; the approach described here is simple, fast and practical. Let the editor take you through the question "what is database audit?"
Database audit tools and their applications
There are four basic platform types for creating, collecting and analyzing database audit data: native database audit, security information and event management (SIEM) together with log management, database activity monitoring (DAM), and dedicated database audit platforms.
1. Native (local) audit: the database engine itself is used for data acquisition, and the database system is also used to store, classify, filter and report the events. IBM, Microsoft, Oracle and Sybase each offer their own implementation, but all of them essentially capture the same information. Although the data is usually stored in the database, it can be exported to plain text files or handed to other applications as XML. Using the built-in functions avoids the cost of acquiring, deploying and managing dedicated audit tools, but it adds performance overhead to the database, collection and storage can only be managed in a limited way, and the process has to be managed by hand. Native audit operates within the scope of a single database and is therefore only suited to analyzing databases hosted in a single facility.
2. SIEM and log management: security information and event management (SIEM) and similar log management tools can collect audit files, but provide more functionality than the native database tools. Keep in mind that these tools do not impose database overhead the way native auditing does, which removes most of the burden from the database, but they require a dedicated server to store and process the data. Besides database audit logs, these tools collect information from network devices, operating systems, firewalls and applications. SIEM and log management offer comprehensive reporting, data collection, heterogeneous database support, data aggregation and compression, none of which native database audit provides. Log management systems from companies such as LogLogic and Splunk are specifically designed to accommodate large volumes of data and focus on management and reporting. SIEM products from ArcSight and RSA (the security division of EMC) are designed for near-real-time monitoring of network security devices, so that correlations between events and security alerts can be analyzed in more depth. However, the distinction between SIEM and log management may gradually blur, because most vendors now offer both platforms, even though the two are not fully integrated.
3. DAM: database activity monitoring platforms are designed to monitor database activity for threats and to enforce regulatory compliance controls. Vendors such as Application Security, Fortinet, IBM, Netezza and Oracle provide event capture across heterogeneous databases. Most vendors offer several ways to obtain the information, including capturing queries from the network, from the operating system that hosts the database, and from the database audit logs. DAM tools are dedicated to high-speed data capture and real-time policy enforcement. Like SIEM tools, DAM tools can collect data from heterogeneous databases and multiple data sources, and are designed for analysis and alerting. Unlike SIEM, DAM is designed specifically for databases: it focuses on analyzing database activity at the application level rather than at the network or system level. Besides forensic analysis of database operations, DAM also provides advanced features such as activity blocking, virtual patching, filtering and assessment.
4. Database audit platform: some database vendors offer a dedicated audit database, which closely resembles a log management server. It consists of a dedicated platform that stores the log files produced by native database audit and collects them from multiple databases in a central location. Some of these platforms also provide log collectors for heterogeneous databases. Reporting, forensic analysis, aggregating log files into a common format and secure storage are all benefits such a platform brings. Although these platforms do not support multiple data sources or perform detailed analysis like DAM, lack the correlation and analysis capabilities of SIEM, and are not as easy to use as log management, for IT operations teams focused on database audit they are a cost-effective way to generate security reports and store security data for forensics.
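The four platform types above all end up doing the same core work: pulling records out of engine-specific audit formats, normalising them into one schema, aggregating them for reports, and checking them against a policy. The following added example (not code from the article or from any vendor named in it) shows that pipeline in miniature for two invented audit formats, "alpha" (CSV) and "beta" (key=value). The table names, users, thresholds and sample records are all constructed for illustration.

```python
"""Added example: a minimal central audit collector that normalises audit
records from two constructed native audit formats into one schema,
aggregates them, and applies a simple policy.  Hypothetical formats only;
no vendor product's output is reproduced."""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample records.  "alpha" emits CSV (timestamp, user, action,
# object, statement); "beta" emits key=value pairs.  Both are invented.
ALPHA_AUDIT = """\
2024-05-31T09:12:01,app_user,SELECT,orders,SELECT id FROM orders WHERE id=42
2024-05-31T09:15:44,app_user,SELECT,customers,"SELECT name, ssn FROM customers"
2024-05-31T23:40:10,app_user,DROP,orders_archive,DROP TABLE orders_archive
"""

BETA_AUDIT = """\
ts=2024-05-31T10:02:13 user=dba action=GRANT object=customers stmt="GRANT SELECT ON customers TO intern"
ts=2024-05-31T10:05:30 user=intern action=SELECT object=customers stmt="SELECT * FROM customers"
"""

SENSITIVE_OBJECTS = {"customers"}                   # tables holding regulated data
PRIVILEGED_ACTIONS = {"DROP", "GRANT", "ALTER", "REVOKE"}
ADMIN_USERS = {"dba"}
BUSINESS_HOURS = range(8, 19)                       # 08:00-18:59 local time

def normalise(source, ts, user, action, obj, stmt):
    """Common schema shared by every source, so report and policy code is written once."""
    return {
        "source": source,
        "time": datetime.fromisoformat(ts),
        "user": user.lower(),
        "action": action.upper(),
        "object": obj.lower(),
        "statement": stmt,
    }

def parse_alpha(text):
    """Native audit of the hypothetical 'alpha' engine: CSV with a fixed column order."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:           # skip malformed or truncated rows
            continue
        ts, user, action, obj, stmt = row
        yield normalise("alpha", ts, user, action, obj, stmt)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_beta(text):
    """Native audit of the hypothetical 'beta' engine: space-separated key=value pairs."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if {"ts", "user", "action", "object", "stmt"} <= fields.keys():
            yield normalise("beta", fields["ts"], fields["user"], fields["action"],
                            fields["object"], fields["stmt"])

def collect():
    """Central collection step: gather events from all sources and order them by time."""
    events = list(parse_alpha(ALPHA_AUDIT)) + list(parse_beta(BETA_AUDIT))
    return sorted(events, key=lambda e: e["time"])

def summarise(events):
    """Aggregated counts per (user, action): the raw material of a compliance report."""
    return Counter((e["user"], e["action"]) for e in events)

def apply_policy(events):
    """Return (event, reason) pairs for records that violate the rules defined above."""
    findings = []
    for e in events:
        if e["action"] in PRIVILEGED_ACTIONS and e["user"] not in ADMIN_USERS:
            findings.append((e, "privileged action by non-admin"))
        if e["object"] in SENSITIVE_OBJECTS and e["time"].hour not in BUSINESS_HOURS:
            findings.append((e, "sensitive object accessed outside business hours"))
        if e["object"] in SENSITIVE_OBJECTS and e["action"] == "SELECT" and "*" in e["statement"]:
            findings.append((e, "full-row SELECT on sensitive object"))
    return findings

if __name__ == "__main__":
    evs = collect()
    for (user, action), n in sorted(summarise(evs).items()):
        print(f"{user:10} {action:7} {n}")
    for e, reason in apply_policy(evs):
        print(f"[{e['source']}] {e['time']:%H:%M} {e['user']} {e['action']} {e['object']}: {reason}")
```

On the constructed input the report shows five events and two policy findings: the out-of-hours DROP by a non-admin, and the intern's `SELECT *` on the sensitive table. The GRANT by the DBA is recorded but not flagged, which is the point of keeping the full record: the policy decides what is alerted, the aggregated store keeps everything for forensics.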
The database audit selection process
To make the selection process easier, consider the following characteristics of each platform type, as well as each vendor's solution. In order of importance:
Data sources: the main source of the information described in this article is the database audit log, which is created by the database engine. However, audit logs differ from database to database, and in some cases several kinds of information can be classified as audit logs. In addition, some platforms can create their own activity log of a user's database operations. Although this kind of logging is not as accurate as that created by the native platform, it can capture every SELECT statement and performs better. Carefully examine which data is available from the different data sources and whether that information is sufficient to meet your security, operational and regulatory compliance requirements.
Regulatory compliance: since compliance with industry and government regulations is the main driver for adopting database audit solutions, review the policies and reports that each vendor provides. These reports can help you meet compliance requirements quickly and reduce the cost of customization.
Deployment: the common user complaint about every solution is that deployment brings many difficulties. Installation, configuration, policy management, reducing false positives, custom reporting and data management are all problems users have to solve. For this reason you should focus your resources on side-by-side comparisons in your own environment to assess the strengths and weaknesses of the tools. Testing the deployment on one or two databases is not enough: plan to run scalability tests across multiple databases that simulate real-world conditions. This adds to the burden of the proof-of-concept process, but in the long run it is worth it, because vendors' UI problems and unreasonable choices in policy management and architecture only show up in actual testing.
Performance: this has little to do with the vendor platform and much more to do with the audit options of the database itself. There are many versions and options, and the performance of native audit is changing rapidly, so you need to run your own tests. You may also need to balance the data you want to collect against the data you actually need, and look for ways to meet the requirements with the smallest set of policies, because more policies mean more cost across all systems.
Integration: verify each prospective vendor's integration with your workflow, trouble-ticketing, system management and policy management products.
Audit logs contain a great deal of information that is helpful to auditors, security specialists and database administrators, but collecting them affects performance. For every capability database auditing provides, you need to understand the burden it may add. Auditing always costs some performance, and depending on your implementation the loss may be serious. However, these problems can be mitigated, and for some business problems database audit logs are an essential part of regulatory compliance and security analysis.
Except for native database audit (which sits on top of the database's own resources), all the tools described here are deployed as a stand-alone appliance or as software. All of them provide central policy and data management, reporting and data aggregation. SIEM, log management and database activity monitoring vendors offer a hierarchical deployment model for scalability, in which multiple servers or appliances are distributed across a large IT organization to meet its processing and storage requirements.
Aggregating data makes it easy to manage and report on the large volume of data collected. In addition, moving collection to a central server protects the collected logs from tampering.
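Moving logs off the database host removes them from the reach of a compromised DBA account, but the central store itself still needs a way to prove that nothing was edited or deleted after collection. A common way to do that, shown in the added example below (not code from the article or any product it names), is to chain every stored record to its predecessor with a hash and to publish the latest chain head to a second location, so that a verifier can detect an edited record, a deleted record, and, given the published head, records silently dropped from the end. The records, field names and the `GENESIS` constant are all constructed for illustration.

```python
"""Added example: a hash-chained central audit store with a verifier.
Each entry stores the record and SHA-256(previous hash, canonical record).
Illustrative only; the records are constructed."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # hash "before" the first record; constructed constant

def _digest(prev_hash, record):
    # Canonical JSON so that key order or whitespace cannot change the hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()

def append_records(chain, records):
    """Append records to the chain; each entry links to the hash of the one before."""
    prev = chain[-1]["hash"] if chain else GENESIS
    for rec in records:
        h = _digest(prev, rec)
        chain.append({"record": rec, "hash": h})
        prev = h
    return chain

def verify_chain(chain, expected_head=None):
    """Return the index of the first entry that fails verification, or -1 if intact.

    expected_head is the chain head exported earlier to a separate system; without it,
    records removed from the end of the chain cannot be noticed."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)   # tail records missing (or the anchor is stale)
    return -1

# Constructed sample of normalised audit records as a central collector would store them.
SAMPLE_RECORDS = [
    {"ts": "2024-05-31T09:12:01", "db": "alpha", "user": "app_user", "action": "SELECT", "object": "orders"},
    {"ts": "2024-05-31T10:02:13", "db": "beta", "user": "dba", "action": "GRANT", "object": "customers"},
    {"ts": "2024-05-31T23:40:10", "db": "alpha", "user": "app_user", "action": "DROP", "object": "orders_archive"},
]

def demo():
    """Build a chain from the sample records and show what each kind of tampering yields."""
    chain = append_records([], SAMPLE_RECORDS)
    head = chain[-1]["hash"]          # the value that would be exported off-box

    edited = copy.deepcopy(chain)
    edited[1]["record"]["user"] = "nobody"       # rewrite who ran the GRANT

    deleted = copy.deepcopy(chain)
    del deleted[1]                               # drop the GRANT entirely

    truncated = copy.deepcopy(chain)[:-1]        # drop the out-of-hours DROP from the tail

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_without_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {'intact' if result == -1 else f'first bad entry at index {result}'}")
```

The verifier reports the edited entry at index 1 and the deleted entry as a break at index 1 (the entry that now follows the gap no longer matches its predecessor). The truncated chain passes when checked on its own, which is why the head hash has to be exported to a system the audit store does not control: with that anchor the same truncation is reported at index 2, the position where the missing record should be.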
Which approach suits you better depends on your needs, the business problems you need to solve, and how much time and money you are willing to invest in solving them. The good news is that you have many options, from having your database administrator run native audit on a database to obtain basic information, to aggregating data from thousands of devices.
At this point I believe you have a deeper understanding of "what is database audit". You might as well try it in practice. For more related content, visit the relevant channels on this website, follow us and keep learning!