Kritva Technologies Pvt Ltd was engaged by a leading organization to enhance their database security through comprehensive activity monitoring. The primary objective was to track and log specific activities within their PostgreSQL databases to ensure data integrity, detect unauthorized access, and prevent potential security breaches.
Challenge: The customer required a robust solution to monitor a variety of database activities: detecting unauthorized schema and stored-code changes, detecting data exfiltration attempts, and attributing every database operation to an authenticated user. The challenge was to implement an open-source security platform that could provide detailed logging and alerting without imposing significant performance overhead on the database.
Solution: Kritva Technologies set up a Database Activity Monitoring (DAM) system using an open-source security platform. The implementation focused on several critical use cases to ensure comprehensive monitoring and security of the PostgreSQL databases.
Implementation Steps:
- Assessment and Planning:
- Conducted a thorough assessment of the customer’s PostgreSQL environment and identified key areas requiring monitoring.
- Developed a detailed implementation plan outlining the specific use cases and the corresponding monitoring strategies.
- Deployment of Monitoring Agents:
- Deployed lightweight monitoring agents on the PostgreSQL servers to capture and forward relevant database activity. A host agent sees only what PostgreSQL itself writes to its log, so the use cases below are only as complete as the server's statement logging (log_statement, or the pgaudit extension) allows.
- Configured the agents, and the server-side logging level they depend on, to minimize performance impact on database operations; logging every statement is the main cost, and restricting it to DDL and data-modifying statements keeps the overhead low.
- Configuration of Use Cases:
- Implemented specific use cases to track and log various database activities, as detailed below.
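As an added illustration of the configuration step above (this is example code, not the project's own tooling, which the case study does not name), the following Python script checks a postgresql.conf fragment for the logging settings a log-based monitoring agent depends on. It shows a weak, default-style fragment beside a corrected one. The parameter names are real PostgreSQL and pgaudit settings; the two configuration fragments are constructed for the example, and the choice of 'ddl' rather than 'all' for log_statement reflects the performance constraint stated above.

```python
"""Check a postgresql.conf fragment for the logging a log-based DAM agent needs.

Added example. Parameter names are real PostgreSQL / pgaudit settings;
the two fragments below are constructed for illustration.
"""
import re

# Constructed: a default-style fragment (weak). Commented-out lines are PostgreSQL defaults.
WEAK_CONF = """
#log_statement = 'none'          # default: only errors reach the log
log_line_prefix = '%m [%p] '     # default prefix: no user, database or client
#log_connections = off
"""

# Constructed: the corrected fragment.
HARDENED_CONF = """
log_statement = 'ddl'                     # DDL only; 'all' would log every query text
log_line_prefix = '%m [%p] %u@%d %r %a '  # time, pid, user@db, client, application
log_connections = on
log_disconnections = on
shared_preload_libraries = 'pgaudit'      # object-level audit classes
pgaudit.log = 'ddl, role'                 # schema changes plus GRANT/REVOKE and role DDL
"""

# name = 'quoted value' or name = bare_value; a leading '#' means the line is inactive
SETTING_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(?:'([^']*)'|(\S+))")

# Prefix escapes without which an event cannot be attributed to a principal
REQUIRED_PREFIX = {"%u": "user", "%d": "database", "%r": "remote host"}


def parse_conf(text):
    """Return {name: value} for active (uncommented) settings; quoted or bare values."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            name, quoted, bare = m.groups()
            settings[name.lower()] = quoted if quoted is not None else bare
    return settings


def audit_logging(settings):
    """Return a list of findings; an empty list means the DAM use cases can be fed."""
    findings = []
    stmt = settings.get("log_statement", "none")  # PostgreSQL default is 'none'
    if stmt not in ("ddl", "mod", "all"):
        findings.append(f"log_statement={stmt!r}: DDL (DROP/ALTER TABLE, CREATE ROLE ...) is never logged")
    elif stmt == "all":
        findings.append("log_statement='all' logs every query text: measurable overhead on busy "
                        "servers; prefer 'ddl' or 'mod' plus pgaudit for reads")
    prefix = settings.get("log_line_prefix", "%m [%p] ")
    for token, what in REQUIRED_PREFIX.items():
        if token not in prefix:
            findings.append(f"log_line_prefix lacks {token}: {what} missing, events cannot be attributed")
    for opt in ("log_connections", "log_disconnections"):
        if settings.get(opt, "off") != "on":
            findings.append(f"{opt}=off: sessions cannot be tied to logins")
    if "pgaudit" not in settings.get("shared_preload_libraries", ""):
        findings.append("pgaudit not loaded: no per-object audit classes (READ/WRITE/FUNCTION/ROLE), "
                        "only raw statement text")
    else:
        classes = {c.strip().lower() for c in settings.get("pgaudit.log", "none").split(",")}
        for needed in ("ddl", "role"):
            if needed not in classes and "all" not in classes:
                findings.append(f"pgaudit.log lacks '{needed}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for f in audit_logging(parse_conf(conf)) or ["ok"]:
            print(" -", f)
```

Run it against a real postgresql.conf by reading the file into parse_conf; the parser ignores commented-out lines, so a setting that is only present as a comment is reported at its PostgreSQL default.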
Key Use Cases Implemented:
- Stored Procedure and Function Execution:
- Monitored execution of stored procedures and functions (CALL, and function invocations in SELECT) to detect unauthorized or suspicious activity.
- Logged details of each execution, including the user, timestamp, and procedure/function name.
- PL/pgSQL Code Tampering (PostgreSQL's procedural language; the Oracle term PL/SQL does not apply here):
- Set up alerts on any tampering or unauthorized change to stored code (CREATE OR REPLACE FUNCTION, ALTER FUNCTION, and the procedure equivalents).
- Ensured that every modification to stored code was logged and reviewed for legitimacy.
- Attempt to Create Wrapped Object:
- Monitored attempts to create wrapped objects, which could indicate an attempt to obfuscate malicious code. Caveat: wrapped (obfuscated) stored code is an Oracle feature; PostgreSQL stores function bodies in clear text in pg_proc, so on PostgreSQL the nearest equivalent is alerting on functions created with an encoded or obfuscated body, or in an untrusted language such as C or plpython.
- Generated alerts to investigate and validate the purpose of such objects.
- SQL Command – Drop View:
- Tracked DROP VIEW commands to ensure that view deletions were authorized and intentional.
- Logged the details of each deletion for audit purposes.
- SQL Command – Alter Table:
- Detected alter table commands to prevent unauthorized schema changes.
- Ensured that any schema modifications were logged and authorized.
- SQL Command – Drop Table:
- Generated alerts on drop table commands to safeguard against data loss through accidental or malicious deletions.
- Logged each drop table command for review and accountability.
- Privileged Operation:
- Monitored privileged operations (GRANT, and ALTER ROLE granting attributes such as SUPERUSER or CREATEROLE) to ensure that only authorized personnel performed sensitive tasks.
- Logged details of privileged actions, including the user and the operation performed.
- User Create:
- Generated alerts on the creation of new roles (CREATE ROLE / CREATE USER) so that unauthorized accounts are caught before they are used.
- Logged the details of new user creation for review and authorization.
- Table Created:
- Monitored the creation of new tables to track changes in the database structure.
- Logged details of table creation to ensure proper oversight and documentation.
- User Deleted:
- Detected role deletions (DROP ROLE / DROP USER) to ensure accountability and traceability.
- Logged the details of user deletions to maintain an accurate audit trail.
- Attempted Data Exfiltration:
- Monitored for indicators of data exfiltration. Typical PostgreSQL signals are bulk COPY ... TO a server file or PROGRAM, server-side file reads such as pg_read_file, and unusually large result sets from sensitive tables. Note that a read-only COPY is not captured by log_statement = 'ddl' or 'mod'; it needs 'all' or pgaudit's read class.
- Generated alerts and logs to investigate potential data exfiltration incidents.
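The detection logic behind these use cases, as an added example rather than the platform's own rules: a Python classifier that maps PostgreSQL statement-log lines to the use cases listed above and additionally flags a session in which a privilege grant is followed by an exfiltration attempt. It assumes log_line_prefix = '%m [%p] %u@%d %r ' and full statement logging (or pgaudit) on the server. The log lines are constructed for the example, the rule names and the escalation-chain check are this example's own, and only the first line of a multi-line statement is examined.

```python
"""Classify PostgreSQL statement-log lines into DAM use cases (added example).

Assumes log_line_prefix = '%m [%p] %u@%d %r ' and log_statement = 'all' (or
pgaudit), so every statement reaches the log with user, database, PID and
client. Simplifying assumption: continuation lines of multi-line statements and
pgaudit's "AUDIT: SESSION,..." records are not parsed.
"""
import re

# Constructed sample log; not real customer data.
SAMPLE_LOG = """\
2024-05-01 10:00:00.123 UTC [4021] alice@prod 10.0.0.5(51234) LOG:  statement: SELECT count(*) FROM orders;
2024-05-01 10:00:01.001 UTC [4021] alice@prod 10.0.0.5(51234) LOG:  statement: ALTER TABLE orders ADD COLUMN note text;
2024-05-01 10:00:02.250 UTC [4022] deploy@prod 10.0.0.9(40010) LOG:  statement: CREATE OR REPLACE FUNCTION audit_hook() RETURNS trigger LANGUAGE plpgsql AS $$ BEGIN RETURN NEW; END $$;
2024-05-01 10:00:03.400 UTC [4023] bob@prod 10.0.0.7(50002) LOG:  statement: CREATE ROLE backup_svc LOGIN;
2024-05-01 10:00:04.000 UTC [4023] bob@prod 10.0.0.7(50002) LOG:  statement: ALTER ROLE backup_svc SUPERUSER;
2024-05-01 10:00:05.100 UTC [4023] bob@prod 10.0.0.7(50002) LOG:  statement: COPY customers TO PROGRAM 'cat > /tmp/c.csv';
2024-05-01 10:00:06.000 UTC [4023] bob@prod 10.0.0.7(50002) LOG:  statement: DROP VIEW v_customer_pii;
2024-05-01 10:00:07.000 UTC [4023] bob@prod 10.0.0.7(50002) LOG:  statement: DROP TABLE customers;
2024-05-01 10:00:08.000 UTC [4021] alice@prod 10.0.0.5(51234) LOG:  statement: CALL nightly_rollup(7);
2024-05-01 10:00:09.000 UTC [4024] postgres@prod [local] LOG:  statement: DROP ROLE old_user;
2024-05-01 10:00:10.000 UTC [4024] postgres@prod [local] LOG:  duration: 0.512 ms
"""

# One log line as written with the prefix above; only "statement:" records carry SQL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<client>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Use-case rules (names are this example's own; a statement may match several).
RULES = [
    ("drop_table",       re.compile(r"^\s*DROP\s+TABLE\b", re.I)),
    ("alter_table",      re.compile(r"^\s*ALTER\s+TABLE\b", re.I)),
    ("table_created",    re.compile(r"^\s*CREATE\s+(?:(?:UNLOGGED|TEMP|TEMPORARY)\s+)?TABLE\b", re.I)),
    ("drop_view",        re.compile(r"^\s*DROP\s+(?:MATERIALIZED\s+)?VIEW\b", re.I)),
    ("user_created",     re.compile(r"^\s*CREATE\s+(?:ROLE|USER)\b", re.I)),
    ("user_deleted",     re.compile(r"^\s*DROP\s+(?:ROLE|USER)\b", re.I)),
    # PL/pgSQL code tampering: any change to stored code
    ("function_changed", re.compile(r"^\s*(?:CREATE(?:\s+OR\s+REPLACE)?|ALTER|DROP)\s+(?:FUNCTION|PROCEDURE)\b", re.I)),
    # Routine execution: CALL, DO blocks, or a bare "SELECT fn(...)" with no FROM clause
    ("routine_executed", re.compile(r"^\s*(?:CALL\s+[\w.]+\s*\(|DO\s+\$|SELECT\s+(?:\w+\.)?\w+\s*\(.*\)\s*;?\s*$)", re.I)),
    # Privileged operation: GRANT, or ALTER ROLE handing out a powerful attribute
    ("privileged_op",    re.compile(r"^\s*(?:GRANT\b|ALTER\s+(?:ROLE|USER)\s+\S+\s+(?:WITH\s+)?"
                                    r"(?:SUPERUSER|CREATEROLE|CREATEDB|BYPASSRLS|REPLICATION)\b)", re.I)),
    # Exfiltration indicators: COPY to a server-side file or program, server-side file reads
    ("exfil_attempt",    re.compile(r"^\s*COPY\b.*\bTO\s+(?:PROGRAM\b|')|\b(?:pg_read_file|pg_read_binary_file|lo_export)\s*\(", re.I)),
]


def parse_line(line):
    """Split one statement-log line into its fields, or None for other record types."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(sql):
    """Names of every use-case rule the statement triggers."""
    return [name for name, rx in RULES if rx.search(sql)]


def scan(lines):
    """Alerts (parsed fields plus matched rules) for every statement that hits a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify(rec["sql"])
        if rules:
            rec["rules"] = rules
            alerts.append(rec)
    return alerts


def escalation_chains(alerts):
    """Sessions (PIDs) in which a privilege grant is later followed by an exfiltration attempt."""
    granted = set()
    chains = []
    for a in alerts:
        if "privileged_op" in a["rules"]:
            granted.add(a["pid"])
        elif "exfil_attempt" in a["rules"] and a["pid"] in granted:
            chains.append((a["pid"], a["user"], a["sql"]))
    return chains


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["pid"], a["user"], a["client"], a["rules"], a["sql"][:60])
    print("escalation chains:", escalation_chains(found))
```

The benign `SELECT count(*) FROM orders;` produces no alert, the `duration:` record is skipped as non-statement output, and the CREATE ROLE, ALTER ROLE ... SUPERUSER, COPY ... TO PROGRAM sequence from one session surfaces as an escalation chain on top of the individual per-statement alerts. In a real deployment the same patterns would be expressed in the platform's rule language, with pgaudit's FUNCTION class as a cleaner source for routine execution than statement text.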
Results:
- Enhanced Security Monitoring:
- Achieved comprehensive monitoring of critical database activities, providing detailed insights into database operations and potential security threats.
- The implementation of specific use cases ensured that all relevant activities were tracked and logged.
- Improved Incident Detection and Response:
- The DAM system enabled quick detection of unauthorized activities and potential security breaches.
- Generated real-time alerts allowed for immediate investigation and response to potential threats.
- Increased Accountability and Compliance:
- Detailed logging of database activities ensured accountability and traceability of all operations.
- The system helped the customer meet regulatory compliance requirements by providing a robust audit trail of database activities.
- Cost-Effective Solution:
- Leveraged open-source technology to provide a cost-effective solution without compromising on security features and capabilities.
- Reduced the need for expensive proprietary software, lowering overall operational costs.
Conclusion: The implementation of Database Activity Monitoring using an open-source security platform significantly enhanced the security posture of the customer’s PostgreSQL databases. By tracking and logging specific activities, detecting unauthorized access, and preventing potential security breaches, Kritva Technologies ensured robust protection of the customer’s sensitive data and database integrity. This project demonstrates the effectiveness of open-source solutions in delivering comprehensive and cost-efficient database security.