An initiative of Mobiliar IT

How to Protect Your Database Data against Insider Threats?

At this year’s ISACA North American CACS conference (#NACACS) in Anaheim, CA, I will discuss a paper about database activity monitoring, encryption and privatization and how this helps to safeguard our data against intentional and unintentional threats. Eventually, I will also talk how Machine Learning algorithms did help us to uncover anomalous user activities.


Typical insider threats include both unintentional threat types such as database misconfiguration, uncontrolled use of shared user IDs, or use of production data for test and development, and intentional threats such as downloading sensitive data or performing unauthorized changes. Database data contain your most valuable information, store and process high volumes of data and are structured for easy access: Or – in a nutshell – databases are an ideal target for attacks. The costs of data breaches are high, see as a reference.

It is important to understand that different countermeasures are helpful to protect against different scenarios. I will highlight which countermeasures are effective in which scenario. Eventually, a combination of all these countermeasures only produces a sufficient protection. However, not all your data needs to be encrypted completely, not all activities need strict supervision and not all data needs masking and/or privatization. Data classification is key in order to implement a successful data protection strategy.

Countermeasures include data encryption, database activity monitoring and data privatization. These countermeasures are effective not only against insider attacks, but also against attacks from the outside.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States.  Marriott quickly engaged leading security experts to help determine what occurred.  Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.    On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”



Now let’s talk about insider threats: Some of the most important among them are:

  • Misusing the database interface: e.g. sensitive data is downloaded by a database administrator.
  • Bypassing the database interface: e.g. a system administrator accesses (and manipulates) the underlying file system.
  • Theft or decommissioning of Physical Data Store: e.g. data is recovered from unsanitized decommissioned data.

A system administrator accesses the underlying file systems of a database and extracts data. What is the most efficient control in this situation: Database encryption, privatization, hardware encryption or database activity monitoring?


As database encryption is helpful in some scenarios, by far the largest risk is misusing the database interface: Hot to detect queries which users do not require for their daily work? Typically, this kind of queries have similar patterns: They touch more data than usual, are more frequently executed as usual, are fired at a different time of the day or produce significantly more errors, login failures or SQL error codes. To detect this kind of activities, a set of rules should be created so that all the static of employees’ day-to-day work activities, such as accessing various services and servers, does not trigger attack warnings and only the important information will be reported.

As fixed rules are too static and too easy to circumvent by an attacker with sufficient energy, the application of Machine Learning (ML) algorithms or at least Applied Statistical methods is mandatory in order to detect activities labeled as “outliers”. Most database activity monitoring (DAM) products therefore use a certain period to “learn” what is normal behavior and create a ML model during this training phase. After that, if a database access scores high enough when compared against the model, an alarm will be fired. Meanwhile, most database products offer sufficient in-database analytics capabilities which might make an explicit DAM product become obsolete, depending on what level of risk you are tolerating. At Swiss Mobiliar, we detect outliers by application of the «adjusted boxplot for skewed distributions» approach presented by E. Vanderviere and M. Huber, Compstat 2004 graphics.

Additional to detecting outliers, a report of all accesses of privileged users including access details such as the query text is important when it comes to analyzing any problems as a follow-up of a database manipulation. On the other hand, such a report also allows to establish what has NOT been executed, which is often at least as important as the report of executed database queries.

A database administrator downloads sensitive data. What is the most efficient control in this situation: Database encryption, privatization, hardware encryption or database activity monitoring?


In a more general context, security incident and event management (SIEM) systems can play the same role for all kind of data that database activity monitoring (DAM) plays for database data. Often, both approaches are used in combination, such that the DAM component reports critical activities to the SIEM, where correlation with other events takes place. We also follow this approach and send detected database access anomalies to our SIEM tool, in our case QRADAR.

Eventually, the most effective countermeasure is the combination of database encryption, privatization and database activity monitoring. But not necessarily all measures need to be applied to all your data.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Basic HTML is allowed. Your email address will not be published.

Subscribe to this comment feed via RSS

%d bloggers like this: