Imperva Cyber Community

  • 1.  Creating use cases/policies and monitoring events

    Posted 01-31-2020 09:31
    This is a general community question about how your organization determines what policies to create, who monitors events, and how events are remediated.

    Most of the time for us the policies we develop are based on a regulation/standard that we need to meet.  It can be SOX, GDPR, PCI, ...

    Do you get any guidance from other departments on what they may want to monitor or report on?
    Does some group create use cases for what to monitor?
    Do auditors ask for specific monitoring or reports?  

    Do DBAs ask for reports, or do you provide reports to them?
    Does management ask for anything?

    Do you get help from other groups in monitoring events and remediating issues?

    We have created reports and provided to DBAs. 

    In the past I've had auditors ask for three months of events from a group of servers; once I explain how much data that is, they usually narrow down the request.


    #DatabaseActivityMonitoring


  • 2.  RE: Creating use cases/policies and monitoring events

    Posted 01-31-2020 12:14
    Hello, 

    Do you get any guidance from other departments on what they may want to monitor or report on?
     - When the solution was first deployed we started monitoring only what the audit department suggested, based on the compliances mentioned. Later, we got input from the audit department and also the DBAs. As new projects emerged, we made a procedure to add relevant sensitive information. Also, I have seen requests made after internal penetration testing.
    Do auditors ask for specific monitoring or reports?  
    - Login/Logout time is the most common one. Also, saving some weekly reports for specific tables, which served as an index of the time/day something happened. By having the exact time we could restore only the archive logs of that day, no need for the entire month, let's say. This is a very efficient approach.
    Do DBAs ask for reports, or do you provide reports to them?
    - Yes, but not very frequently. They usually know how many days we save data before archiving and ask for reports, which usually are very long queries for them, but not for Imperva.
    Does management ask for anything?
    - Top 10 Alerts and some application-specific queries. Also, charts of DB usage.
    Do you get help from other groups in monitoring events and remediating issues?
    - Maintain communication with departments to evaluate if an alert is a false positive or if that user should/shouldn't do a particular action.


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------
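The three report types the reply above mentions (login/logout times per session, a per-table index of the days something happened so that only that day's archive logs need restoring, and a Top 10 alert summary for management) can all be derived from raw database-activity-monitoring events. The script below is an added example for this thread and is not code from the poster, from SNT Albania or from Imperva; it runs over a constructed JSON-lines audit log embedded in the file, and the field names it uses (ts, user, db, event, table, op, alert, src) are assumptions, not Imperva's export format.

```python
"""Summarise DAM audit events into session, table-day-index and top-alert reports.

Added example, not Imperva's or the original poster's code.  The event
format is a generic, constructed JSON-lines log; adapt parse_events() to
whatever your DAM product actually exports.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data).  One JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2020-01-27T08:02:11Z","user":"alice","db":"erp","event":"login","src":"10.1.2.3"}
{"ts":"2020-01-27T08:05:40Z","user":"alice","db":"erp","event":"query","table":"gl_journal","op":"SELECT"}
{"ts":"2020-01-27T08:41:02Z","user":"alice","db":"erp","event":"logout"}
{"ts":"2020-01-28T22:13:55Z","user":"svc_batch","db":"erp","event":"login","src":"10.1.9.9"}
{"ts":"2020-01-28T22:14:01Z","user":"svc_batch","db":"erp","event":"query","table":"gl_journal","op":"UPDATE","alert":"Unauthorized change to financial table"}
{"ts":"2020-01-28T22:14:05Z","user":"svc_batch","db":"erp","event":"query","table":"employees","op":"SELECT","alert":"Sensitive data access outside business hours"}
{"ts":"2020-01-28T22:15:00Z","user":"svc_batch","db":"erp","event":"logout"}
{"ts":"2020-01-29T09:00:00Z","user":"bob","db":"hr","event":"login","src":"10.1.2.7"}
{"ts":"2020-01-29T09:01:30Z","user":"bob","db":"hr","event":"query","table":"employees","op":"SELECT","alert":"Bulk read of PII table"}
{"ts":"2020-01-29T09:02:00Z","user":"bob","db":"hr","event":"query","table":"employees","op":"DELETE","alert":"Unauthorized change to financial table"}
"""


def parse_events(text):
    """Parse JSON-lines events into dicts; 'ts' becomes an aware UTC datetime.
    Events are returned sorted by time so the session pairing below is order-safe."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def sessions(events):
    """Login/logout report: pair each login with the next logout for the same
    (user, db).  A login that never logs out is still reported, with logout and
    duration_s set to None, because an open session is itself worth a look.
    A second login for the same key before a logout replaces the first."""
    open_logins = {}
    out = []
    for ev in events:
        key = (ev["user"], ev["db"])
        if ev["event"] == "login":
            open_logins[key] = ev
        elif ev["event"] == "logout":
            login = open_logins.pop(key, None)
            if login is None:
                continue  # logout with no recorded login: nothing to pair
            out.append({"user": ev["user"], "db": ev["db"], "src": login.get("src"),
                        "login": login["ts"], "logout": ev["ts"],
                        "duration_s": int((ev["ts"] - login["ts"]).total_seconds())})
    for (user, db), login in open_logins.items():
        out.append({"user": user, "db": db, "src": login.get("src"),
                    "login": login["ts"], "logout": None, "duration_s": None})
    out.sort(key=lambda s: s["login"])
    return out


def table_day_index(events, sensitive_tables):
    """Days on which each sensitive table was touched.  This is the 'index'
    the reply describes: given a day, only that day's archive logs need restoring."""
    index = defaultdict(set)
    for ev in events:
        if ev["event"] == "query" and ev.get("table") in sensitive_tables:
            index[ev["table"]].add(ev["ts"].date().isoformat())
    return {table: sorted(days) for table, days in index.items()}


def top_alerts(events, n=10):
    """Top-N alert report for management: (alert name, count), most frequent first."""
    counts = Counter(ev["alert"] for ev in events if ev.get("alert"))
    return counts.most_common(n)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Sessions:")
    for s in sessions(evs):
        print(f"  {s['user']}@{s['db']} from {s['src']}: {s['login']} -> {s['logout']} ({s['duration_s']} s)")
    print("Sensitive-table day index:", table_day_index(evs, {"gl_journal", "employees"}))
    print("Top alerts:", top_alerts(evs))
```

The session pairing is keyed on (user, db) rather than on user alone, because the same account often holds concurrent sessions to different databases; if your DAM product exports a session or connection identifier, key on that instead and the unmatched-login edge case largely disappears.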