Not Monitoring SQL Server with Your SIEM is Close to Negligent: What are Your Options?


Isn't it ironic how important databases are to corporate infosec, yet how difficult it has been (at least until recently) to monitor DB activity with your SIEM? Forget about network security, endpoints, operating systems and privileged access. If information thieves (internal and external) can access your database – they don't care about the rest. If I were a bad guy, the only thing I'd like better than access to the database is maybe the application running on top of it – but that is another can of worms.

Most of us have done a pretty good job of getting our SIEM to the first level on the maturity model and that includes collecting and monitoring network and OS level activity. The next step is to know what's happening inside your databases.

But until recently that has been pretty hard to do with SQL Server. There were two extremes for monitoring SQL Server: either enable SQL Trace, or write your own audit logic into the application itself or at the database level with things like triggers. Neither was a good solution. SQL Trace is a heavy-handed, all-or-nothing audit approach that massively impacts DB performance on busy servers, and it generates a massive amount of noise too. Writing your own audit logic, on the other hand, is out of the question for most admins, and very expensive and slow to do: basically a Sisyphean task of re-inventing the wheel over and over again.

All of that changed with SQL Server 2008 – depending on your edition. SQL Server 2008 introduced a comprehensive, granular and high-performance audit capability simply called SQL Audit.

In this webinar I will dive into:

  1. Why is it so critical to monitor your database servers with your SIEM? What are you missing?
  2. What are your options and how do they compare?
      a. SQL Trace (C2 Audit)
      b. SQL Audit
      c. Other options
  3. How does SQL Audit work?
      a. What versions and editions support SQL Audit?
      b. How to maximize SQL Audit performance
      c. How can you get SQL Audit data into your SIEM?

This will be a technical and interesting webinar with live demonstrations. LOGbinder is the sponsor and I'll briefly show you how LOGbinder allows you to get SQL Audit events into your SIEM with zero touch – that's right – not a single bit installed on your SQL Server and not a single packet sent.

This is real training for free™. Don't miss it! Please register now.
