To Improve Security, Get Your DAM Info Into SIEM
Published 2010-12-03

Database activity monitoring (DAM) and security information and event management (SIEM) technologies historically have worked separately. To gain a comprehensive view of the activity in the database and its surrounding environs, organizations need to feed their DAM information into a SIEM tool, analysts and other observers advise. "If all a customer is doing is trying to monitor a database, then clearly there isn't a lot of leverage in using SIEM for that use case," says Mike Rothman, analyst with Securosis.

As Rothman sees it, the biggest advantage to integrating DAM with SIEM is the context it provides. "A database attack is usually one aspect of a broader attack.... The DAM has no visibility on network traffic, server configurations, exfiltration attempts, user activity, or a million other things," Rothman says.

According to Rick Caccia, vice president of marketing at SIEM vendor ArcSight, this additional context is particularly important for monitoring database access through applications that are tied into data stores — but only through some layer of technological complexity. "The common problem DAM products have is most customers don't have their applications directly talking to a database; they have some sort of application server that runs applications that talk to the database, and that application server tends to hold one connection to the database," Caccia explains.

Because the application server holds that single pooled connection, every query reaches the database under one service account, and the DAM by itself cannot attribute a query to the end user who triggered it. Tying DAM information into the SIEM allows an organization to more easily correlate the activity a user performed on a front-end application with the queries the application server then sent directly to the database.

"Organizations take application logs, send the application logs to the SIEM, send the DAM logs to the SIEM, and the SIEM correlates those two together," Caccia says.

Rothman and Caccia agree that one of the biggest challenges in feeding DAM into SIEM isn't the technology — DAM and SIEM vendors have worked together during the past few years — but internal staff battles.

Source: http://www.darkreading.com/database-security/167901020/security/security-management/228500270/to-improve-security-get-your-dam-info-into-siem.html