Database Activity Monitoring (DAM)
What is Database Activity Monitoring (DAM)?
Database Activity Monitoring (DAM): A security control that continuously observes database queries, privileged-user actions, and schema changes to enforce policy and detect data abuse in real time.
Database Activity Monitoring (DAM) is a category of products that captures every SQL statement reaching a database engine — through network sniffing, kernel taps, or native audit hooks — and correlates it against policy to flag privilege escalation, mass exports, schema tampering, and anomalous DBA behavior. Leading vendors include IBM Guardium, Imperva SecureSphere, Trellix, and Oracle Audit Vault; cloud-native equivalents include AWS DAS and Microsoft Defender for SQL. DAM is widely deployed to satisfy PCI DSS, SOX, HIPAA, and GDPR requirements for separation of duties and auditable trails of access to sensitive data. Modern deployments stream events to SIEMs and trigger automated quarantine playbooks.
● Examples
- 01: Alerting when a service account selects more than 10,000 rows from a PII table outside business hours.
- 02: Blocking a DBA from issuing GRANT DBA TO PUBLIC on a production Oracle instance.
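The two examples above, as an added illustration that is not part of the original page: a small policy evaluator applied to constructed audit events. The table names, account names, business-hours window and event format are assumptions; a real DAM product reads these from its own policy store and audit feed.

```python
# Added example (not from the original page): evaluate the two DAM policies
# described above against constructed audit events.
import re
from datetime import datetime

PII_TABLES = {"customers", "patients"}            # assumed sensitive tables
SERVICE_ACCOUNTS = {"svc_reporting", "svc_etl"}   # assumed service accounts
BUSINESS_HOURS = range(8, 18)                     # assumed 08:00-17:59
ROW_THRESHOLD = 10_000                            # from example 01

# Constructed audit events in the shape a native audit hook might emit.
EVENTS = [
    {"ts": "2024-03-04T02:15:00", "user": "svc_reporting", "db": "prod",
     "sql": "SELECT * FROM customers", "rows": 250000},
    {"ts": "2024-03-04T10:05:00", "user": "svc_reporting", "db": "prod",
     "sql": "SELECT id FROM customers WHERE id = 7", "rows": 1},
    {"ts": "2024-03-04T11:30:00", "user": "dba_alice", "db": "prod",
     "sql": "GRANT DBA TO PUBLIC", "rows": 0},
    {"ts": "2024-03-04T11:31:00", "user": "dba_alice", "db": "prod",
     "sql": "GRANT SELECT ON customers TO app_ro", "rows": 0},
]

TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
GRANT_DBA_RE = re.compile(r"^\s*GRANT\s+DBA\s+TO\s+PUBLIC\b", re.IGNORECASE)


def evaluate(event):
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
    sql = event["sql"]
    # Example 02: privilege escalation of DBA to PUBLIC on production is blocked.
    if GRANT_DBA_RE.match(sql) and event["db"] == "prod":
        return "block", "GRANT DBA TO PUBLIC on production"
    # Example 01: mass export from a PII table by a service account off-hours.
    if sql.lstrip().upper().startswith("SELECT"):
        m = TABLE_RE.search(sql)
        table = m.group(1).split(".")[-1].lower() if m else ""
        hour = datetime.fromisoformat(event["ts"]).hour
        if (event["user"] in SERVICE_ACCOUNTS and table in PII_TABLES
                and event["rows"] > ROW_THRESHOLD
                and hour not in BUSINESS_HOURS):
            return "alert", f"{event['rows']} rows from PII table {table} off-hours"
    return "allow", ""


def run(events=EVENTS):
    """Evaluate every event and return (user, verdict, reason) triples."""
    return [(e["user"], *evaluate(e)) for e in events]


if __name__ == "__main__":
    for user, verdict, reason in run():
        print(f"{verdict:5} {user:14} {reason}")
```

A "block" verdict can only be enforced when the monitor sits inline (proxy or kernel tap); a passive network sniffer sees the statement after the fact and can only alert.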
● Frequently asked questions
What is Database Activity Monitoring (DAM)?
A security control that continuously observes database queries, privileged-user actions, and schema changes to enforce policy and detect data abuse in real time. It belongs to the Defense & Operations category of cybersecurity.
What does Database Activity Monitoring (DAM) mean?
A security control that continuously observes database queries, privileged-user actions, and schema changes to enforce policy and detect data abuse in real time.
How does Database Activity Monitoring (DAM) work?
Database Activity Monitoring (DAM) is a category of products that captures every SQL statement reaching a database engine — through network sniffing, kernel taps, or native audit hooks — and correlates it against policy to flag privilege escalation, mass exports, schema tampering, and anomalous DBA behavior. Leading vendors include IBM Guardium, Imperva SecureSphere, Trellix, and Oracle Audit Vault; cloud-native equivalents include AWS DAS and Microsoft Defender for SQL. DAM is widely deployed to satisfy PCI DSS, SOX, HIPAA, and GDPR requirements for separation of duties and auditable trails of access to sensitive data. Modern deployments stream events to SIEMs and trigger automated quarantine playbooks.
How is Database Activity Monitoring (DAM) put into practice?
DAM deployments typically combine technical controls (network sniffing, kernel taps, or native audit hooks feeding a policy engine) with operational practices (separation of duties, SIEM integration, and quarantine playbooks), as detailed in the full definition above.
What are other names for Database Activity Monitoring (DAM)?
Common alternative names include: DAM, database auditing.
● Related terms
- Database Firewall (defense-ops): An inline security appliance or proxy that inspects SQL traffic against an allow-list policy and blocks injection, privilege misuse, and unauthorized statements before they hit the database.
- Data Loss Prevention (DLP) (privacy): A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.
- SIEM (defense-ops): A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- Privileged Access Management (PAM) (identity-access): A set of practices and tools that secure, control, monitor, and audit access to accounts and systems with elevated administrative privileges.
- SQL Injection (attacks): A code-injection attack that smuggles attacker-controlled SQL into a database query, letting the attacker read, modify, or destroy data.