When it comes to logging, I won’t even step on the same court as Anton. But a couple of weeks ago (while I was on the road, thus the late response) he posted on the options for database logging.
It’s a good overview of using native logs and log management vs. network appliances, but he totally misses a third option.
Most of the Database Activity Monitoring vendors use additional techniques, including agents, to gain a granularity that’s not supported by most native database logs (or better performance when that granularity exists). This is absolutely critical if you want to monitor SQL-statement activity, which is a growing security requirement. Log management won’t help you if you want to know which administrator is changing your corporate financials, detect SQL injection attacks, or alert when that call center employee drops a “SELECT CC# FROM Customers” using that ad-hoc query tool you forgot to block.
There are MANY cases where log management is enough today, but I think over time we’ll all migrate to needing to know the SQL (and then correlate that with application activity).
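To make the statement-level checks above concrete, here is an added example (not code from this post or from any DAM product) that runs simple detection rules over a constructed sample of agent-captured statement records; the user, program, table and column names are invented placeholders, and the injection check is a deliberately crude heuristic.

```python
import re

# Constructed sample of statement-level records, as a DAM agent (not a native
# log) would capture them: who ran it, from which client program, and the SQL.
SAMPLE_RECORDS = [
    {"user": "app_svc", "program": "OrderService",
     "sql": "SELECT name FROM Customers WHERE id = 42"},
    {"user": "dba_joe", "program": "sqlplus",
     "sql": "UPDATE GL_Ledger SET amount = 0 WHERE period = '2007Q4'"},
    {"user": "app_svc", "program": "OrderService",
     "sql": "SELECT name FROM Customers WHERE id = '1' OR '1'='1'"},
    {"user": "cc_agent7", "program": "TOAD",
     "sql": "SELECT CC# FROM Customers"},
]

# Policy inputs (hypothetical): what counts as sensitive, financial, approved, admin.
SENSITIVE_COLUMNS = {"cc#"}
FINANCIAL_TABLES = {"gl_ledger"}
APPROVED_PROGRAMS = {"OrderService"}
ADMIN_USERS = {"dba_joe"}
WRITE_VERBS = {"UPDATE", "DELETE", "INSERT", "ALTER", "DROP"}

# Heuristic only: an always-true comparison, or a trailing comment marker, is a
# common sign that untrusted input reached the statement unparameterised.
INJECTION_PATTERNS = [re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
                      re.compile(r"--\s*$|/\*")]

def tables_in(sql):
    """Lower-cased identifiers that follow FROM/UPDATE/INTO/JOIN/TABLE."""
    return {t.lower() for t in
            re.findall(r"\b(?:from|update|into|join|table)\s+([A-Za-z_][\w#]*)", sql, re.I)}

def columns_selected(sql):
    """Lower-cased column list between SELECT and FROM (empty if not a SELECT)."""
    m = re.search(r"^\s*select\s+(.*?)\s+from\b", sql, re.I | re.S)
    return {c.strip().lower() for c in m.group(1).split(",")} if m else set()

def classify(record):
    """Return the list of alert tags raised by one statement record ([] = benign)."""
    sql, verb, alerts = record["sql"], record["sql"].split(None, 1)[0].upper(), []
    # 1. An administrator modifying financial data.
    if verb in WRITE_VERBS and record["user"] in ADMIN_USERS and tables_in(sql) & FINANCIAL_TABLES:
        alerts.append("admin-financial-change")
    # 2. Statement shape suggesting SQL injection, regardless of who sent it.
    if any(p.search(sql) for p in INJECTION_PATTERNS):
        alerts.append("possible-sql-injection")
    # 3. Sensitive columns read from a client program other than the approved application.
    if verb == "SELECT" and record["program"] not in APPROVED_PROGRAMS \
            and columns_selected(sql) & SENSITIVE_COLUMNS:
        alerts.append("sensitive-read-adhoc-tool")
    return alerts

def scan(records):
    """Map record index -> alert tags for every record that raised at least one alert."""
    return {i: tags for i, r in enumerate(records) if (tags := classify(r))}
```

Running scan(SAMPLE_RECORDS) flags the last three records and leaves the ordinary application query alone, which is exactly the distinction a native log without statement text cannot make.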
One Reply to “Database Logging: Option Number 3”
While I totally agree with your comments, I would like to highlight an additional topic, and hopefully start a healthy discussion and debate with industry experts and colleagues 🙂
I believe that in today’s environment, security architecture should include application activity monitoring in addition to database monitoring.
Application Servers using J2EE semantics can cache results of statements. In this case a request for an object by the application may not result in DB server access if the requested object (according to its identifier) is already cached on the application server. In other words, one might access / attack a database via the application server, retrieve data, and her actions will not be detected even by an agent-only solution.
That’s why you need to protect both your application and your database.
For the sake of full disclosure, I would like to mention that I am responsible for product strategy at a Database and Application security company (see http://www.imperva.com) that provides a complete Application Data Security and Compliance solution.