Audit trails have been a feature of databases for a long time, but are they still compatible with today’s data security demands?
What do you need to do, as a security officer, to get the most information about what’s happening to your company’s data?
Are audit trail features impregnable to possible malicious actions from company workers?
Can the audit feature provide all the tools you need to follow cybersecurity standards?
In this article, I’ll review the audit trails of four databases. Two are RDBMS and two are Big Data. Each audit trail will have to answer basic security questions, and will be judged on how easy it is to use and how well it can be secured.
What data do you need in the audit trail?
The audit trail needs to provide you with enough data to answer the following questions:
What happened to my data?
What actions were performed in the database?
The audit log needs to contain the text of the action, or some record of that action in the database’s own language. MongoDB doesn’t use SQL queries, but if a collection.findOneAndDelete() happened to one of the documents, you had better be able to spot it.
When did it happen?
A timestamp of the event’s occurrence. Some databases will only log the time an action was applied to the data, even if the client sent it hours earlier.
If you’re tracing a hacker’s footsteps, it’s also good to see the stream of their actions. Logging the time a user ran the query to the database will help you do that.
Whodunit?
Across the hall from your office sits your trusty colleague Dave. Dave would never hurt a byte of the company’s data, and has been an exemplary SOC team member.
You look at the database’s audit trail one morning and see Dave’s username logged in at 2 AM to snoop around HR’s employee schema.
What do you do?
The following data in the audit log will help you identify the real culprit behind Dave’s username:
- The IP of the computer Dave’s username connected from
- The OS username the database client was running on
- The OS hostname of that computer
With this user profiling, you’ll be able to see that this wasn’t really Dave, but actually a bot or identity thief.
Dave isn’t a bad guy. Dave just makes questionable passwords and web browsing choices in life.
What would make the audit feature easy for you to work with?
The audit trail will give you all the data you’ll need to know if your company’s data is safe.
But, is logging all an audit trail needs to do?
Can anyone mess with this data?
A clichéd crime drama will often have a character found dead after the lights suddenly go out.
Similarly, an audit trail can be temporarily meddled with to hide a crime. The audit policy can be turned off, audit configuration can be changed, audit log files can be edited or rerouted.
Some users need ample privileges on the database and its machine. Can you isolate the audit trail’s configuration or logs from their reach?
With granular privileges on the database you’ll be able to designate an admin user with no power over your audit trail. Log files can be protected by OS directory locks.
Is audit data easy to understand?
A lot of audit trails were designed to only look at actions on the data. Audit features can log privilege actions in one log, login actions in another, and data actions in a third.
A single audit log will save you the constant Alt+Tab-ing between windows, and allow you to follow the trail of a user’s actions from start to finish.
How much will this cost the company?
What is the cost of the audit feature on an on-premises server, where the audit log files keep piling up? How will ever more storage space for audit data affect your company’s pay-as-you-go monthly bill for a cloud database?
An audit trail with a log rotation or archiving policy will help you cut these costs.
“Costs” don’t have to mean money – if the audit trail affects your database’s performance, the damage to your company can be as great, if not greater.
Do I have to do everything myself?!
It’s the morning after Black Friday.
The audit trail is loaded with traffic from all that mercantile madness. You need to sift through the logs to see if someone used a credit card they shouldn’t have.
A UI tool to help you pinpoint suspicious actions will allow you to find those dangers much faster.
A feature that raises an alarm when a specific action occurs allows you to respond in time.
Any data filtering that can be done on the audit logs, without altering the logs themselves, will be a great tool to focus your attention on what matters.
A feature to export a report from that UI for your manager to see is another excellent bonus.
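As an added example (not code from the original article or from Imperva), here is the kind of read-only filtering the “Whodunit?” section and the paragraph above call for: it parses constructed audit lines that carry the user-profiling fields (timestamp, database user, client IP, OS user, client hostname, action), compares each event against an assumed baseline profile and assumed work hours, and groups the flagged events by user and source address so the stream of a session’s actions can be followed in order. The line format, field names, baseline profiles and work hours are all assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit lines (not any vendor's real format): one event per line,
# space-separated key=value pairs, with "action=" consuming the rest of the line.
SAMPLE_LOG = """\
ts=2019-11-29T09:12:03 db_user=dave client_ip=10.1.4.22 os_user=dave host=dave-laptop action=SELECT * FROM sales.orders
ts=2019-11-30T02:07:41 db_user=dave client_ip=203.0.113.9 os_user=root host=vps-1 action=SELECT * FROM hr.employees
ts=2019-11-30T02:09:15 db_user=dave client_ip=203.0.113.9 os_user=root host=vps-1 action=COPY hr.employees TO STDOUT
ts=2019-11-30T10:30:00 db_user=dave client_ip=10.1.4.22 os_user=dave host=dave-laptop action=UPDATE sales.orders SET shipped = true
"""

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    db_user: str
    client_ip: str
    os_user: str
    host: str
    action: str

def parse_line(line: str) -> AuditEvent:
    """Split one constructed audit line into its fields."""
    head, _, action = line.partition(" action=")
    kv = dict(part.split("=", 1) for part in head.split())
    return AuditEvent(datetime.fromisoformat(kv["ts"]), kv["db_user"],
                      kv["client_ip"], kv["os_user"], kv["host"], action)

# Assumed baseline: the (OS user, hostname, IP) each database user normally connects from.
KNOWN_PROFILES = {"dave": {("dave", "dave-laptop", "10.1.4.22")}}
WORK_HOURS = (time(7, 0), time(20, 0))  # assumed office hours

def flag_event(ev: AuditEvent) -> list[str]:
    """Return the reasons an event looks suspicious; an empty list means it looks normal."""
    reasons = []
    if (ev.os_user, ev.host, ev.client_ip) not in KNOWN_PROFILES.get(ev.db_user, set()):
        reasons.append("unknown client profile")
    if not WORK_HOURS[0] <= ev.ts.time() <= WORK_HOURS[1]:
        reasons.append("outside work hours")
    return reasons

def suspicious_sessions(log_text: str) -> dict:
    """Filter the log without modifying it: flagged events grouped by (db_user, client_ip), in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e.ts)
    sessions: dict = {}
    for ev in events:
        if reasons := flag_event(ev):
            sessions.setdefault((ev.db_user, ev.client_ip), []).append((ev, reasons))
    return sessions

if __name__ == "__main__":
    for (user, ip), hits in suspicious_sessions(SAMPLE_LOG).items():
        print(f"{user} from {ip}:")
        for ev, reasons in hits:
            print(f"  {ev.ts:%Y-%m-%d %H:%M} {ev.os_user}@{ev.host}  {ev.action}  <- {', '.join(reasons)}")
```

Run against the sample, only the two 2 AM events from the unknown root@vps-1 client are reported, while Dave’s daytime work from his own laptop is left out.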
And now, the audit trail assessment you’ve all been looking for
The results of this review are conclusions I reached when asked to research these databases’ audit trails for use in Imperva products. I chose these four because together they represent the range of where the audit trail stands as a security feature.
| | Oracle | PostgreSQL | MongoDB | HDInsight |
|---|---|---|---|---|
| Audit data completion | | | | |
| What happened? | V | V | V | X |
| When? | V | V | V | V |
| Whodunit? | V | X | X | X |
| Audit trail features | | | | |
| Trail hardening | X | X | X | V |
| Unity of trail | X | V | V | X |
| Cost | X | V | V | X |
| Ease of use | Only on cloud | Via open source tools only | X | V |
But is it enough?
Now let’s look forward to the rest of your tasks as a security officer, guarding the company’s data.
You’ve got the “what the hell is going on” answer sorted, well done.
Compliance with security standardization organizations, such as CVE and PCI, demands hardening capabilities. Regulations, such as HIPAA and SOX, require the ability to stop specific user behavior.
Not meeting these regulations will expose your company’s data to great harm, and cost your company dearly in fines and customer loss.
This can become a burden on a whole team of security officers, zealous as you are. Few database services will help you in this effort. Few audit log analytics meet even one of these industry standards’ demands. Regulation-specific policies and alerts are rarer still.
Securing databases becomes a greater challenge as new features are added and hacking techniques become more sophisticated.
Imperva offers a solution that establishes tamper-proof database audit trails and automates auditing best practice enterprise-wide. In addition, it provides advanced analytics that can help you proactively manage risk, by alerting you about access behavior that violates compliance rules or is risky or suspicious. Learn more about Imperva Database Security solutions at www.imperva.com/products/data-protection/