UNCW MSA 516 - Art of Database Monitoring


The Art of Database Monitoring
By Sushila Nair, CISA, CISSP, BS 7799 LA

Copyright © 2008 ISACA. All rights reserved. www.isaca.org. Journal Online

Most of a company’s business-critical data is stored in databases. Losing data confidentiality, availability or integrity can cost a company seemingly countless revenue in sales, reputation and litigation costs. Best practices and, in many cases, government regulations mandate the use of controls to adequately safeguard business data.

This article describes why a company should (or must) use database monitoring as a vital part of its security controls and how it should go about implementing it.

Sources of Data Breaches

According to a 2007 study,¹ 85 percent of businesses have experienced a data security breach. The survey also found that about 23 million adults had been notified that their data were compromised or lost; of those, 20 percent terminated their accounts immediately after notification, while another 40 percent were considering termination at the time of the survey. The estimated breaches cost US $182 per compromised record; data breaches remain the leading cause of financial losses.

Using data from Privacy Rights Clearinghouse, a web site devoted to maintaining a record of all data security breaches in the US, laptops are the number one source of data breach incidents (47 percent), databases are next (40 percent), then tapes (11 percent) and e-mail (2 percent).² Looking at the same data based on the amount of data lost (see figure 1), databases are the number one source (64 percent), laptops are next (25 percent), then tapes (10 percent) and finally e-mail (1 percent).

Figure 1—Sources of Data Breaches in the US by Volume of Data Lost: Database 64%, Laptops 25%, Tapes 10%, E-mail 1%

Monitoring is fairly common at the network layer, but monitoring at the application layer remains relatively rare. A survey conducted by Application Security and the Ponemon Institute at the 2007 Gartner IT Security Summit revealed that 40 percent of companies are not monitoring their databases for suspicious activity. According to the survey of 649 IT professionals (60 percent in chief information officer [CIO] or chief technology officer [CTO] positions), 78 percent of respondents said their databases are critical or important to their business and contain customer data.³

It is clear that, while loss of data through corporate databases represents a major risk for most organizations, very few have adequate controls in place to monitor data policy violations or attacks. This may be due to the fact that using the raw auditing capability for monitoring has been associated with performance degradation and there have been few viable alternative solutions.

Regulatory Requirements for Monitoring

The requirement to monitor log files is highlighted within best practices such as Control Objectives for Information and related Technology (COBIT) and industry requirements such as the Payment Card Industry (PCI) Data Security Standard (DSS). Some of the major regulations/requirements—PCI, US Health Insurance Portability and Accountability Act (HIPAA), Title 21 Code of Federal Regulations (CFR) Part 11 of the US Federal Drug Administration guidelines, US Gramm-Leach-Bliley Act, North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) standards, US Federal Information Security Management Act (FISMA) and US Sarbanes-Oxley Act—and the pertinent log file requirements are compared in figure 2.

[Figure 2—Regulations and Log File Requirements. Columns: PCI, HIPAA, 21 CFR Part 11, GLBA, NERC, FISMA, Sarbanes-Oxley. Rows: regular review of logs; online retention; offline retention; backup of audit trails to separate media.]

The US Securities and Exchange Commission approved the Public Company Accounting and Oversight Board (PCAOB)’s Auditing Standard No. 5 on 25 July 2007. Auditors use it to assess management’s internal control over financial reporting in complying with the Sarbanes-Oxley Act.

As a result of these regulations, there is a growing focus on using enhanced continuous control monitoring (CCM) and continuous control auditing tools, which should reduce compliance costs and provide business efficiency.⁴ One way to automate application controls that are being checked manually is to use the information in log files to implement CCM.

Monitoring as a Service

Most network devices support the Syslog protocol to redirect their log files to a central log server. Applications and databases generally do not support Syslog, although Oracle 10g release 2 now supports writing audit records to the operating system using a Syslog audit trail and other database vendors should follow suit.⁵ Databases generally store their audit information in a table within one of their system databases. An agent or script can be run to “watch” this table and convert any entries that are written to the audit table into Syslog, so it can be forwarded to a central logging server.

Instead of using the native auditing capability of the database, which may impact performance, it is possible to use database application monitoring appliances to monitor the database for activity (this is described in more depth later in the article). The majority of these appliances support Syslog, enabling the information generated to be forwarded to a central log server.

It is possible to outsource monitoring to a managed security provider, enabling experts to help set up a robust and flexible monitoring infrastructure. Managed security monitoring (MSM) providers aggregate, correlate, analyze and store the log data to give organizations overall visibility into their network security and work with customers to improve their incident response. At the same time, MSM providers can help satisfy auditors as they provide a level of objectivity and are experienced in producing reports that auditors require. Regulatory pressures—from legislation such as Sarbanes-Oxley and HIPAA to individual industry requirements—make log management and visibility into user access of systems and applications critical.

Database Monitoring Solutions

The solutions for monitoring databases are relatively new and yet form an important component in the drive toward automated CCM. The ability to be alerted if there is a violation of policy at the application layer is extremely important; it may be perfectly normal for a user to look at one credit card record, but an alert should be generated
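
The agent described under Monitoring as a Service, sketched as an added example (not code from the article): it polls an audit table for rows above a high-water mark and renders each one as an RFC 5424-style syslog line for a central collector. The audit_trail table, its columns, the db01 host name and the sample rows are constructed for illustration, with SQLite standing in for a vendor's system audit table.

```python
import socket
import sqlite3

FACILITY_LOG_AUDIT = 13          # syslog facility code "log audit"
SEV_WARNING, SEV_NOTICE = 4, 5

def clean(value):
    # Strip CR/LF so a crafted object or user name cannot forge extra log lines.
    return str(value).replace("\r", " ").replace("\n", " ")

def to_syslog(row, host="db01"):
    """Render one audit row as an RFC 5424-style syslog line."""
    audit_id, ts, db_user, op, obj, status = row
    sev = SEV_NOTICE if status == "OK" else SEV_WARNING
    pri = FACILITY_LOG_AUDIT * 8 + sev
    return (f"<{pri}>1 {ts} {host} dbaudit - AUDIT - id={audit_id} "
            f"user={clean(db_user)} action={clean(op)} "
            f"object={clean(obj)} status={clean(status)}")

def forward_new_rows(conn, last_id, send):
    """Send every audit row newer than last_id; return the new high-water mark."""
    rows = conn.execute(
        "SELECT id, ts, db_user, op, obj, status FROM audit_trail "
        "WHERE id > ? ORDER BY id", (last_id,)).fetchall()
    for row in rows:
        send(to_syslog(row))
        last_id = row[0]          # a real agent persists this across restarts
    return last_id

def udp_sender(addr):
    """Return a send() callable that ships lines to a syslog collector over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda line: sock.sendto(line.encode("utf-8"), addr)

def sample_db():
    """Constructed audit table standing in for a vendor's system audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_trail (id INTEGER PRIMARY KEY, ts TEXT, "
                 "db_user TEXT, op TEXT, obj TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO audit_trail (ts, db_user, op, obj, status) VALUES (?,?,?,?,?)",
        [("2008-01-15T09:00:01Z", "app_svc", "SELECT", "cards", "OK"),
         ("2008-01-15T09:00:07Z", "jdoe", "LOGIN", "-", "FAILED"),
         ("2008-01-15T09:01:30Z", "jdoe", "SELECT", "cards\n<109>1 forged", "OK")])
    return conn

if __name__ == "__main__":
    sent = []                     # swap for udp_sender(("127.0.0.1", 514))
    mark = forward_new_rows(sample_db(), 0, sent.append)
    print(mark, *sent, sep="\n")
```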

