As Rothman sees it, the biggest advantage to integrating DAM with SIEM is the context it provides. “A database attack is usually one aspect of a broader attack…. The DAM has no visibility on network traffic, server configurations, exfiltration attempts, user activity, or a million other things,” Rothman says.
According to Rick Caccia, vice president of marketing at SIEM vendor ArcSight, this additional context is particularly important for monitoring database access through applications that are tied into data stores — but only through some layer of technological complexity. “The common problem DAM products have is most customers don’t have their applications directly talking to a database; they have some sort of application server that runs applications that talk to the database, and that application server tends to hold one connection to the database,” Caccia explains.
Tying DAM information into the SIEM lets an organization more easily correlate what a user did on a front-end application with the queries the application server then sent to the database.
“Organizations take application logs, send the application logs to the SIEM, send the DAM logs to the SIEM, and the SIEM correlates those two together,” Caccia says.
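The correlation Caccia describes, sketched as an added example (not code from the article or from any vendor's product). The field names, the shared `svc_app` database account, the 2-second window, and the choice to join on application-server host plus time proximity are all assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

# Constructed application-server log: who did what on the front end.
APP_LOG = [
    {"ts": "2010-11-01T10:00:00", "host": "app01", "user": "alice", "action": "GET /orders/17"},
    {"ts": "2010-11-01T10:00:05", "host": "app01", "user": "bob", "action": "GET /customers/export"},
    {"ts": "2010-11-01T10:00:05", "host": "app01", "user": "carol", "action": "GET /orders/9"},
]

# Constructed DAM log: every query arrives over the app server's single
# pooled connection, so the DAM only ever sees the service account.
DAM_LOG = [
    {"ts": "2010-11-01T10:00:01", "client_host": "app01", "db_user": "svc_app",
     "sql": "SELECT * FROM orders WHERE id = 17"},
    {"ts": "2010-11-01T10:00:06", "client_host": "app01", "db_user": "svc_app",
     "sql": "SELECT * FROM customers"},
    {"ts": "2010-11-01T03:12:00", "client_host": "app01", "db_user": "svc_app",
     "sql": "SELECT card_number FROM payments"},
]

def correlate(app_log, dam_log, window_s=2):
    """Attach front-end users to each DAM query by host and time proximity."""
    window = timedelta(seconds=window_s)
    requests = [(datetime.fromisoformat(e["ts"]), e["host"], e["user"]) for e in app_log]
    results = []
    for q in dam_log:
        q_ts = datetime.fromisoformat(q["ts"])
        # Candidate users: requests on the same app server shortly before the query.
        users = sorted({user for ts, host, user in requests
                        if host == q["client_host"] and q_ts - window <= ts <= q_ts})
        if len(users) == 1:
            verdict = "attributed"      # one front-end user explains the query
        elif users:
            verdict = "ambiguous"       # concurrent requests; needs a stronger join key
        else:
            verdict = "unattributed"    # no front-end activity behind this query
        results.append({"sql": q["sql"], "db_user": q["db_user"],
                        "users": users, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in correlate(APP_LOG, DAM_LOG):
        print(f'{r["verdict"]:<13} {r["users"]!s:<20} {r["sql"]}')
```

The unattributed row is the one an analyst would look at first: a query on the service account with no matching front-end request. The ambiguous row shows the limit of time-based joins when requests overlap on one shared connection.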
Rothman and Caccia agree that one of the biggest challenges in feeding DAM into SIEM isn’t the technology, since DAM and SIEM vendors have worked together during the past few years; more often it is internal staff battles.
http://www.darkreading.com/database-security/167901020/security/security-management/228500270/to-improve-security-get-your-dam-info-into-siem.html