
Assessment: v14.3 Database Activity Monitoring User Guide

The document discusses SecureSphere's capabilities for discovering, classifying, and monitoring network assets like database services, data, and user rights. It allows configuring scans to discover services and classify database data, and then creating security policies to monitor access and get alerts about policy violations. The Discovery and Classification window provides options to navigate between configuring scans, viewing discovered servers and classified data, and managing items found by the scans.

v14.3 Database Activity Monitoring User Guide

Assessment

The SecureSphere Assessment Server scans services and databases in your network and looks for vulnerabilities
such as easy-to-guess passwords, missing service packs, problematic configuration, and more. SecureSphere
integrates the Common Vulnerability Scoring System (CVSS), maintained by the National Institute of Standards and
Technology, which scores each vulnerability on a scale of 0 to 10 based on the effect the vulnerability has and the
effort required to exploit it. When SecureSphere discovers a vulnerability, it reports it.

385 Assessment Last modified: 5/23/2014 8:28:57 AM


Policies

Security policies protect against the majority of known attacks and threats. A large number of default policies is
provided. Administrators can modify existing policies and create new policies.

Audit policies provide tools for auditing and compliance. Using these policies, administrators can generate real-time
reports on various database activities, alerts on suspicious actions and compliance reports. Administrators can
modify existing policies and create new policies.

In addition to the security and audit policies, SecureSphere provides action sets and followed actions, which define
the actions taken by SecureSphere when specific conditions are met. Action sets are configured, then attached as
followed actions to various SecureSphere items such as security policies, system events, audit policies, reports,
archiving, active modules, tasks and so on.

388 Policies Last modified: 5/23/2014 9:01:52 AM


Monitoring

SecureSphere monitoring keeps you informed of all the events taking place in your system and enables you to
understand the risk posed by suspicious activity.

It clearly displays generated information in a central location. Real-time information that is generated includes system
events, alerts, violations, blocked sources, gateway status, system warnings, and archiving information.

SecureSphere automatically aggregates related security events and correlates them into intuitive alerts that
categorize the activity and associate it with known attacks. Additionally, the SecureSphere
monitor updates you regarding system events such as logging into and out of the system, and system-related errors or
warnings (for example, predefined thresholds being exceeded).

9068 Monitoring Last modified: 5/23/2014 8:58:42 AM


Auditing

SecureSphere provides comprehensive auditing capabilities, enabling you to configure audit policies that determine
what data is audited, then displaying the audited data in easy-to-read graphs that break down audited data into
readable reports based on a variety of factors such as monitored servers, various types of users, query-related aspects,
and much more. SecureSphere can now also integrate with external Security Information and Event
Management (SIEM) systems to include these systems as part of the data management workflow.

390 Auditing Last modified: 5/23/2014 8:30:35 AM


Reporting

SecureSphere includes a robust reporting mechanism that enables you to produce pre-defined or user-defined
reports based on accumulated data. Reports can be generated automatically or on-the-fly, or scheduled to run at
regular intervals, then distributed as required.

You can use automatic reporting capabilities to implement a workflow that assists in reviewing the most recent and
immediate threats on a regular basis. For example, you can schedule SecureSphere to automatically generate a report
at the beginning of every week which lists all new sensitive data tables that have been discovered in the network, then
automatically e-mail this report to the DBA, while at the same time creating a SecureSphere review task that is
assigned to the DBA. The DBA examines the report and can determine if the creation of the new data follows
guidelines for sensitive data in your network, then marks the task as closed. Furthermore, the task can be configured
to automatically update the manager when the status of the task has changed. This results in a comprehensive
workflow that guarantees that relevant staff are aware of all new sensitive data that has been discovered on the network.

75995 Reporting Last modified: 6/29/2020 4:10:26 PM


Discovering and Classifying Network Assets


Identifying the various assets in your network is a crucial step in proactively protecting them.

• Discovering assets in your network
• Classifying database data
• Monitoring access to database data for compliance purposes
• Creating security policies that determine who has the right to access database data
• Alerting when policies are violated

This section reviews the various aspects of working with SecureSphere Discovery and Classification and includes the
following topics:

• Introduction to SecureSphere Discovery and Classification
• Understanding the Discovery Window
• Major Discovery and Classification Tasks
• Working with SecureSphere Scans
• Managing Discovered Servers
• Working with Discovered Servers
• Managing Classified DB Data

4678 Discovering and Classifying Network Assets Last modified: 5/23/2014 8:46:26 AM


Introduction to SecureSphere Discovery and Classification


SecureSphere Discovery and Classification provides a complete set of tools to help you discover, classify and manage
assets in your network that include database services, database data, user rights and more. It then allows you to use
this information to create security policies to monitor them, alert you to suspicious activity, audit activity to these
various assets, and more.

The following types of discovery and classification are available:

• Service Discovery: Service discovery scans your network for open ports and determines the services listening
on these ports. For more information on configuring a service discovery scan, see Configuring a Service
Discovery Scan.
• Data Classification: Data Classification consists of scanning database services to classify data types hosted on
these services. It uses credentials you provide to search existing services, either found through service
discovery, or manually configured. For more information on configuring a database data classification scan, see
Configuring a DB Data Classification Scan.

Additionally, with service discovery and database classification, you can configure SecureSphere to
automatically create configuration objects based on the items discovered, or enable you to review and
manually approve suggestions.

Note: For information on how to work with User Rights, see User Rights Management.

4751 Introduction to SecureSphere Discovery and Classification Last modified: 5/23/2014 8:53:43 AM


Understanding the Discovery Window


The Discovery and Classification window provides a wide selection of options that enable you to navigate between
the available features to configure scans and display discovered servers and classified data. The Discovery and
Classification window offers a number of main views, as represented by links in the Discovery and Classification
navigation bar. These include:

• Scans: Lists scans used to discover services and user rights, and classify database data and files. Enables you to
create and configure new and existing scans.
• Discovered Servers: Displays services discovered by a service discovery scan operating in your network.
Enables you to manage these services and add them to your network’s SecureSphere architecture.
• Classified Database Data: Displays data that was classified by a data classification scan. Enables you to
manage classified data and add it to your network’s SecureSphere architecture.
• DB User Rights: Part of User Rights Management. Displays Database User Rights discovered by a Database User
Rights scan. Enables you to manage these User Rights.

Note: This section deals with configuring and running service discovery and database
classification. For more information about working with features related to User Rights, see
User Rights Management.

To view the Discovery and Classification window:

• In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.

The Discovery and Classification window consists of the following items:

• Filter: Enables you to filter scans using various criteria. For a list of available filter criteria, see Discovery
Filter Criteria.
• Navigation Bar: Enables you to move between the different parts of the Discovery and Classification
windows.
• Scans Pane: Displays the scans that have been configured to discover services and classify data in your
network.
• Details Pane: Enables you to configure scans. For more information see Working with SecureSphere
Scans.

4732 Understanding the Discovery Window Last modified: 5/23/2014 9:15:36 AM


Major Discovery and Classification Tasks


The following table lists the primary tasks involved in working with SecureSphere Discovery and Classification.

Major Tasks Overview

|   | Action | Description | For more information, see... |
|---|--------|-------------|------------------------------|
| 1 | Creating a Scan | Create a discovery or classification scan. | Creating a Scan |
| 2 | Configuring a Scan | Configure the scan with settings for the specific type of scan you want to conduct. | Configuring a Service Discovery Scan; Configuring a DB Data Classification Scan |
| 3 | Running a Scan | Run the scan to discover and classify related components in your network. | Running a Scan |
| 4 | Editing and Adding Components to SecureSphere | Review discovered components, edit parameters if required and add to SecureSphere architecture. | Working with Discovered Servers; Managing Classified DB Data |

4707 Major Discovery and Classification Tasks Last modified: 9/17/2015 11:37:18 AM


Using Service Discovery to Populate a SecureSphere Site

SecureSphere service discovery can be used as an alternative method to build a SecureSphere site. Once a site has
been manually created, a service discovery scan is configured while selecting the site. It is then run, and as a result
SecureSphere automatically creates Sites and Server Groups based on the New Entities configuration that is part of
the service discovery scan. If you use SecureSphere discovery to both discover your network assets, and automatically
create Sites and Server Groups using the Automatically Accept New Configuration option, you can later modify
these automatic configurations in the SecureSphere Setup > Sites window. For information on Automatically
Accepting New Configuration:

• For Services, see Configuring a Service Discovery Scan
• For Data, see Configuring a DB Data Classification Scan

397 Using Service Discovery to Populate a SecureSphere Site Last modified: 5/23/2014 9:18:50 AM


Working with SecureSphere Scans


Discovery and classification scans are the means by which SecureSphere determines what to look for in your network.
SecureSphere enables you to configure a range of scans.

Once database data are classified, SecureSphere can be used to monitor these items and track access to them, then
report to meet regulatory requirements.

SecureSphere enables you to create customized default scans to match your requirements and your network.

Note: IPv6 DHCP is not supported for discovery and classification scans.

This section reviews the following subjects:

• Creating a Scan
• Configuring a Scan
• Configuring Cloud Accounts
• Running a Scan
• Configuring Database Data Types

398 Working with SecureSphere Scans Last modified: 2/4/2015 3:01:44 PM


Creating a Scan

The following procedures describe how to create different types of Discovery or Classification scan.

60645 Creating a Scan Last modified: 12/19/2016 1:35:32 PM


Creating a Service or DB User Rights Scan

The following procedures describe how to create Discovery or Classification scans for Service or DB User Rights.

To create a Discovery or Classification Scan:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.
2. In the Scans pane in the middle of the Scans Management window, click New, then choose a scan type, as
follows:
◦ Service Discovery: Configures a service discovery scan to identify the services running in your network.
For details on configuring its settings, see Configuring a Service Discovery Scan.
◦ DB User Rights: Database User Rights scans enable you to scan your databases for granted User Rights,
and optionally interface with LDAP to import User and Group information, then manage granted user
rights by approving or rejecting them. For more information, see Configuring a Database User Rights Scan.

The Create New Scan dialog appears for the selected scan type.

3. Type a Name for the scan.
4. Choose to create the scan from scratch or select an existing scan on which to base the new scan. If creating the
scan from scratch select a site for the scan.
5. Click Create. The new scan appears in the central selection table.
6. Configure the scan as described in the following:
◦ Configuring a Service Discovery Scan
◦ Creating a User Rights Scan

For more information on creating a DB Data Classification Scan, see Creating a DB Data Classification Scan.

60677 Creating a Service or DB User Rights Scan Last modified: 12/19/2016 2:16:21 PM


Creating a DB Data Classification Scan

Data Classification scans enable you to scan your network for databases, and use custom algorithms to classify
various types of data contained within these databases. This information can then be used to protect activity to
sensitive databases, understand what users have access rights, audit this activity, and more. By configuring a data
classification scan you determine the parameters by which SecureSphere searches for these databases and data in
your network, and whether they are automatically added to a SecureSphere service for monitoring and protection or
need to be manually reviewed and added to a service.

Notes:

• Data search is not case sensitive in Oracle, DB2, MSSQL, and Informix databases. However,
data classification searching in Sybase databases is case sensitive.
• IMS classification is not supported on z/OS.
• Classification results can be impacted by DB activity. Data being accessed during a scan may
result in this information not being included in classification results. Consequently, it is
recommended that classification scans be run while the database is idle.
• The maximum column width for a database classification scan is 32,768 characters. Columns
larger than this will not be scanned.

A DB Data Classification Scan scans a database using a set of rules contained in a scan profile. When you create a DB
Classification Scan, you associate it with a single scan profile.

Scan profiles are persistent objects and can therefore be used by many DB Classification Scans. A scan profile contains
one or more data types. Data types contain the rules that the scan uses. You can at any time configure a data type by
adding rules or deleting user-defined rules. In this way, a scan profile is a persistent container for the rules that a scan
uses when you run that scan.

You can at any time configure a profile by enabling or disabling its component data types, or enabling or disabling
individual rules within those data types, thus tailoring a scan profile for a particular use.

To create a scan profile, perform the actions in the table below:

Creating a DB Data Classification Scan Task Overview

|   | Task Overview | Description | For more information, see |
|---|---------------|-------------|---------------------------|
| 1 | Create a Data Type (Optional) | If the appropriate data type exists, you can enable it in a profile. If not, you can create a new data type. | Creating New Global Objects |
| 2 | Configure a Data Type (Optional) | If necessary, you can configure a data type by adding rules or deleting user-defined rules. | Configuring Database Data Types |
| 3 | Create/Configure a Scan Profile (Optional) | You can create a scan profile for your new scan, or alternatively, you can use an existing profile. | Creating a Scan Profile; Configuring a Scan Profile |
| 4 | Create a DB Data Classification Scan | Create a DB Data Classification Scan by associating it with a scan profile. | Creating a New DB Data Classification Scan |

• Creating a Scan Profile
• Configuring a Scan Profile
• Creating a New DB Data Classification Scan

60649 Creating a DB Data Classification Scan Last modified: 4/25/2018 11:29:08 AM


Creating a Scan Profile

A scan profile is a persistent container of the rules that apply to any scan with which you associate it.

To create a scan profile:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop down, select Scan Profiles.
3. Click the New button. The Create Scan Profile dialog box appears.
4. Enter parameters for the scan profile:
◦ Type a Name.
◦ You can create a scan profile from scratch, or base it on an existing profile.
5. Click Create.

60668 Creating a Scan Profile Last modified: 12/19/2016 2:36:49 PM


Configuring a Scan Profile

You can enable or disable data types and/or individual rules in any scan profile.

To configure a scan profile:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop down, select Scan Profiles.
3. Select a scan profile.
4. In the Data Types tab:
◦ You can enable or disable any data type by selecting or de-selecting the appropriate check box.
◦ You can select any data type, and then enable or disable any of its rules by selecting or de-selecting the
appropriate check box.
5. In the Settings tab, configure the data classification options in accordance with the table below.
6. Click Save.

DB Data Classification Options

• Automatically Accept New Data: Automatically adds newly discovered tables that are assigned to existing table
groups, to the SecureSphere configuration. If left deselected, all discovered data can be manually accepted or
rejected in the Discovered Data window.
• Allow me to view results before updating: Displays discovered data but enables you to manually review and
accept results, and only then add them to SecureSphere configuration for monitoring and protection.
• Scan for Views and Synonyms: Searches for and identifies views and synonyms on a database. For more
information on views and synonyms, see Understanding Table Views, Synonyms and Select into Tables.
• Random Sampling Data: Sets SecureSphere to randomly sample 200 data entries to perform the classification
scan. By default, the first 200 data entries are used to perform the classification scan. If you check this option,
those 200 entries are instead selected randomly. This can have a negative performance impact when the
quantities of data are very large.
• Save Sample Data: If during classification, sensitive data is discovered, five samples from the matching column
are saved and can be viewed in additional details Data Classification Results. For more information see
Classified DB Data Details.
• Data Sample Accuracy: Defines the level of confidence used to grade content based data classification rules.
A setting of 1 means that all rows tested for a specific sensitive data type would need to match for the table to
be included in the results.
• Include/Exclude Databases and Schemas: Determines the focus of database and schema discovery based on the
items configured in the Databases table. Databases and Schemas check for names containing the keywords
entered in the scan.
◦ Exclude: Excludes the database or schema configured in table from discovery.
◦ Include: Limits discovery to the database or schema configured in the table. If an included database or
schema list is empty, it is ignored and all databases and schemas are scanned.

Note: Selecting the Any option includes or excludes any databases or schemas and disables all other options.

To add a new database or schema to the list, click Create, then type a Database or Schema name.

Database Guidelines

Different databases have different infrastructures. Subsequently, when configuring include or exclude of
databases, use the following database guidelines:
◦ Oracle: Enable Any database, then complete schema info. Oracle databases have one database and many
schemas
◦ MSSQL: Complete both database and schema information
◦ DB2: Enable Any database, then complete schema info
◦ MYSQL: Complete database info, enable Any schema
◦ Sybase: Complete both database and schema information
◦ Informix: Complete both database and schema information
◦ Scan System Schemas: Scans internal schemas. This feature is optional.
◦ Teradata: Complete both database and schema information
◦ Postgres: Complete both database and schema information
◦ Progress: Complete both database and schema information
◦ Netezza: Enable any database, then complete schema information
• Excluded Tables and Columns: Lists database tables and columns to exclude from discovery. To exclude a table
or column from discovery, click Create. Then type a table or column name.

Note: Selecting the Any option excludes any databases or schemas and disables all other options.

• Throttle Settings: Throttle settings can be used to tune the performance of data classification.

Note: It is not recommended to change these settings.

◦ Number of concurrent database connections: Defines the maximum number of database connections that
can be run at one time. Default: 3.
◦ Delay Between Queries: Defines the delay between queries. Default: 0 ms.
Notes:

• Names of databases, tables and schemas can be specified as full names or patterns.
• The exclusion list takes precedence over the limit list. For example, if the same database is
listed both under Excluded Databases and Limit Databases, then that database is
excluded.
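
The sampling, accuracy and include/exclude options above interact in ways that affect what a classification scan can find. The following Python model is an added example, not SecureSphere code: the function names, the card-number rule and the reading of Data Sample Accuracy as the fraction of sampled rows that must match are assumptions made for illustration.

```python
import random
import re

SAMPLE_SIZE = 200          # from the guide: 200 data entries are sampled
MAX_COLUMN_WIDTH = 32768   # from the guide: wider columns are not scanned

# Hypothetical content rule: 16 digits, optionally grouped in fours.
CARD_RULE = re.compile(r"^\d{4}([ -]?\d{4}){3}$")


def in_scope(name, include, exclude):
    """Keyword containment on database/schema names (case-insensitive here,
    which is an assumption). Exclusion takes precedence over inclusion, and
    an empty include list is ignored so everything is scanned."""
    lowered = name.lower()
    if any(keyword.lower() in lowered for keyword in exclude):
        return False
    if not include:
        return True
    return any(keyword.lower() in lowered for keyword in include)


def sample_rows(rows, random_sampling=False, seed=None):
    """Default: the first 200 entries. With Random Sampling Data enabled:
    200 entries picked at random from the whole column."""
    if len(rows) <= SAMPLE_SIZE:
        return list(rows)
    if random_sampling:
        return random.Random(seed).sample(rows, SAMPLE_SIZE)
    return rows[:SAMPLE_SIZE]


def classify_column(rows, width, accuracy, random_sampling=False, seed=None):
    """Return (flagged, match_ratio) for one column.
    accuracy is assumed to be a fraction in 0..1; 1 means every sampled
    row must match the rule for the column to be reported."""
    if width > MAX_COLUMN_WIDTH:
        return (False, 0.0)          # column too wide: skipped entirely
    sample = sample_rows(rows, random_sampling, seed)
    if not sample:
        return (False, 0.0)
    matches = sum(1 for value in sample if CARD_RULE.match(str(value).strip()))
    ratio = matches / len(sample)
    return (ratio >= accuracy, ratio)


def build_constructed_column():
    """Constructed sample data (not real card numbers): 200 legacy
    placeholder rows followed by 1800 card-like values."""
    placeholders = ["N/A"] * 200
    card_like = [f"4000 0000 0000 {i:04d}" for i in range(1800)]
    return placeholders + card_like


if __name__ == "__main__":
    column = build_constructed_column()
    # First-200 sampling only sees placeholders and misses the sensitive data.
    print("first 200 :", classify_column(column, 19, accuracy=0.7))
    # Random sampling sees the real distribution and flags the column.
    print("random    :", classify_column(column, 19, 0.7, True, seed=7))
    # Accuracy 1 requires every sampled row to match, so placeholders hide it.
    print("accuracy 1:", classify_column(column, 19, 1.0, True, seed=7))
    print("excluded  :", in_scope("HR_PROD", include=["hr"], exclude=["prod"]))
```

In this model, a column whose leading rows are placeholders goes unreported under the default first-200 sampling, and a Data Sample Accuracy of 1 suppresses any column containing even a few non-matching rows.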

74159 Configuring a Scan Profile Last modified: 10/17/2019 1:42:11 PM


Creating a New DB Data Classification Scan

Once you have created a scan profile, you can create a new DB data classification scan.

To create a new DB data classification scan:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop down, select Scans.
3. Click the New button. From the drop down menu, select DB Data Classification. The Create New DB Data
Classification Scan appears.
4. Enter a name and select a scan profile for the new scan.
5. Click Create.

60684 Creating a New DB Data Classification Scan Last modified: 12/19/2016 2:36:47 PM
