Database activity monitoring technology vs. SIEM tools

In this expert response, Peter Wood explains the difference between database activity monitoring systems and security information and event management (SIEM) tools.

What is the difference between database activity monitoring and security information and event management ( SIEM) tools? Is one a better choice than the other?

As the name suggests, database activity monitoring (DAM) systems watch and record activity in a database and generate alerts for anything unusual. The objective is to mitigate insider misuse of databases, enforce separation of duties for database administrators (DBAs) and prevent certain types of external attacks (depending on a variety of complex factors).

In contrast, SIEM tools interface with existing logs from network devices and systems (log management), and also from a variety of supported products, such as antivirus, intrusion detection (IDS)/intrusion prevention (IPS) systems, ERP applications and databases, thus providing a much larger picture.

So whether you choose one over the other depends on your objective: If you wish to monitor specific databases, a database activity monitoring system is the best choice; if you are after all-encompassing monitoring, then a SIEM product is what you need.

Regardless, beware the cost and time overheads associated with monitoring systems. Historically, many organizations have underestimated how much effort is required to implement and run an IDS or IPS system, and a SIEM tool will require considerably more resources to be genuinely useful. The larger the system, the more complex and expensive to operate, which means SIEM tools are a bit more labour-intensive than database activity monitoring systems. But, that's not to diminish the time and effort involved in operating a DAM system, either. So in short, be sure to weigh your organisation's needs against the time, effort and cost needed to properly apply the "solution" you choose.

Read more on Application security and coding requirements