Database Activity Monitoring – A Security Investment That Pays Off

Database activity monitoring is a very important precaution that all companies must take to stop cyberattacks.

Since databases store companies’ valuable digital assets and corporate secrets, they are on the receiving end of quite a few cyber-attack vectors these days. How can database activity monitoring (DAM) tools help avoid these threats? What are the ties between DAM and data loss prevention (DLP) systems? Does DAM need a user behavior analytics (UBA) module? What is the role of machine learning in monitoring database activity? This article will provide the answers.

How do DAM solutions work?

It is common knowledge that malicious actors think of corporate databases as juicy targets. Therefore, protecting them against intruders should be top of mind for businesses. On the other hand, monitoring administrators’ actions is an important task as well. The first step in building these defenses is to understand how users, administrators, or applications interact with a database. This will give you insights into what is normal and what could be a sign of unauthorized activity.

Supervising privileged users such as database management system (DBMS) administrators, controlling access to business-critical data, and assuring compliance with regulatory requirements are the main DAM usage scenarios. As privacy laws become more rigid, a growing number of companies are purchasing DAM systems to thwart data leaks.

DAM is also an indispensable tool in e-commerce. Maintaining logs in a customer relationship management (CRM) system, which keeps a record of all the sales, may badly affect its performance. Moreover, this approach only allows companies to track changes in a database without providing any in-depth oversight. DAM takes it a step further by logging all user actions, including views of confidential information.


The functionality of modern database activity monitoring solutions goes beyond the original concept of such systems. For instance, extensive access control is one of the features that emerged in the course of DAM evolution, allowing you to find out who viewed specific data. In most cases, the use and maintenance of such tools are the areas of a company’s information security (InfoSec) team’s responsibility. These tasks may also be outsourced to the IT department, with InfoSec specialists performing a supervisory function.

DAM is also an incredibly useful instrument to follow regulatory requirements concerning data security, although no laws specify that an organization needs to purchase add-on tools for that purpose. The auditing and logging features built into most DBMS packages can suffice to meet the challenges set by regulators, albeit with less convenience. To convince business owners into buying standalone DAM solutions, vendors need to list additional arguments in favor of such a decision – for example, the increased load on a database when its native controls are being used.

Different DAM providers use different approaches to defining the key metrics that influence the cost of an off-the-shelf solution. For some vendors, the basic parameter is the number of database servers or cores; for others – it’s the amount of the processed traffic and the number of transactions. In addition, the customer can purchase extra modules that extend the system’s functionality. A subscription model with annual or monthly payments is the most common licensing mechanism at this point.

DAM features

Before dwelling on the functionality of DAM solutions, let’s touch upon how they interact with databases that come with tools of their own for access auditing. Some developers have a negative attitude toward the interference of third-party activity monitoring systems, thinking that they use illegitimate methods of working with databases.


On the other hand, the functionality of native tools is not always enough to solve customers’ tasks. Furthermore, tampering with built-in controls shouldn’t be an issue because many DAM systems use the Switched Port Analyzer (SPAN) method, also known as port mirroring, to inspect traffic without reference to the kernel.

Do database activity monitoring systems need user behavior analytics features? There is no single answer here. Some vendors include UBA modules in their products, while others believe that such systems should be implemented as separate tools. One of the things on the plus side of using a separate system is the need to analyze the behavior of users based on all actions, not only their work with the database.

When it comes to the role of database activity monitoring in the Zero Trust access framework, it should be noted that the latter spans several layers: network, infrastructure, users, and data. DAM systems provide granular enforcement of security policies regarding database access and monitor open sessions. That being said, DAM is not a mandatory element of Zero Trust, but it’s undoubtedly an effective and handy tool for putting this concept into practice.

Should a DAM system process all requests by means of a software agent, or is it more reasonable to only use the above-mentioned SPAN mechanism for traffic analysis without interfering with database operation? There are different opinions. On the one hand, the use of agents allows you to actively monitor and respond to events. On the other hand, many companies are skeptical about third-party intervention in their business processes and limit the use of DAM to logging only.


DAM deployment best practices

A typical DAM deployment project can last from one month up to several years. During this process, you need to analyze your data assets, categorize and prioritize them, conduct a risk assessment, and establish appropriate monitoring and response techniques.

The implementation of database activity monitoring usually isn’t limited to the deployment and configuration of a single system. It may include a great deal of consulting and delivery of other security tools and data, such as dark web threat intelligence. By and large, you need to build an entire data protection strategy. However, if the sole purpose is to comply with regulatory requirements, it takes less time and effort to implement such projects.

DAM implementation is an ongoing, cyclical process. That’s because the range of the average company’s databases expands over time, security policies are improved and modified, and security tools get new functions.

There are several recommendations for optimizing the costs of maintaining a DAM system. In the case of mature solutions that have been on the market for a long time, it is easier to find qualified administrators. In addition, well-known products boast a lot of implementations and use cases that are comprehensively reflected in the documentation. In some situations, resorting to the vendor’s expertise to solve typical tasks that arise in the course of product usage can also reduce the cost of operation.


Stopping insiders in their tracks

With information being a precious asset, proper control over databases is one of the most important components of any company’s security posture. A data leak or compromise leads not only to reputational repercussions but also to material losses.

DAM systems are the last line of defense and can help professionals identify the most intricate type of cybercrime – the insider threat. Employees who hand over data to competitors, administrators who abuse elevated privileges for personal gain, or unscrupulous contractors who have access to proprietary business records – the risk can stem from either one of these parties. DAM is the silver bullet that forestalls these scenarios. Not only can it log each user’s actions, but it also works proactively and prevents leaks from ever happening.

How will database activity monitoring solutions evolve in the coming years? What trends will dominate this area of enterprise security? Let’s get to the bottom of this.

A promising trend is the refinement of these systems’ UBA functionality through machine learning methods that help analyze chains of events, establish baseline activity patterns, and find deviations from normal user behavior. Another interesting approach that some vendors already use is to containerize individual InfoSec solutions and integrate them within a single platform. This allows organizations to quickly implement complex systems with the required set of functions.


The steady growth of data volumes collected and stored by businesses has called forth the need for solutions that can visualize the results of processing these data flows. The next big thing in this domain is the emergence of self-configuring cloud databases that can update and monitor their operation automatically. On a side note, cloud-based monitoring centers that can connect to customers’ deployed databases already exist.


Nowadays, DAM systems only scarcely cover the segment of SQL databases that are widely represented in microservices architectures. Vendors should interpret this as a call to action and adjust their features and licensing practices to this area. Another direction in the progress of database monitoring systems is the interoperability with so-called data warehouses, which are increasingly popular among corporate customers.