Insider Threat Management

How to Protect Databases from Insider Threats


There’s a reason why robbers target banks. Where else can you find such a high concentration of cash on hand?

When it comes to protecting digital assets, organizations must think like their attackers. In other words, they must understand where they have the highest concentration of sensitive information and develop a plan to protect these assets.

A recent Insider Threat Report from CA Technologies calls out databases as the single most vulnerable IT asset—ahead of cloud apps, mobile devices, and even file servers. In fact, a full 50% of cybersecurity professionals name databases as their most vulnerable asset.

While this might be surprising at first glance, when we stop to consider the volume and nature of sensitive data in a given database—whether personally identifiable information, payment card information, or protected health information—it’s easy to understand why this would be such a high-value target for someone with nefarious aims.

Insider threats may include employees or third-party contractors who want to steal information directly, but even more common is accidental exposure by insiders, which can happen through phishing or a simple mistake. Regardless of the motives or means, it’s key that organizations have visibility into what is happening with their databases in order to protect them from insider threats.

In this post, we’ll take a look at the three key methods for securing databases against the threat posed by insiders.

It’s Not About the Data

It might be surprising to some, but it’s not all about the data. Here’s what we mean by that: Categorizing and classifying your most sensitive data is not the ideal way to go about protecting it. While data loss prevention platforms (DLPs) and some other security tools focus on carefully cataloguing sensitive assets, this is not a viable approach in today’s fast-paced business climate. Data is created and modified at such a rapid clip that it’s truly impossible to stay on top of it via this type of approach. Moreover, DLPs and other old-school security tools can’t provide the level of context needed to understand what happened when a database has been breached and data exposed or exfiltrated.

With this important caveat in mind, let’s take a look at the key protections needed to safeguard databases against insider threats.


The first key is to have sufficient visibility to detect when a database is being accessed, moved, downloaded, or otherwise affected by risky user activity. The keyword here is activity. Again, data classification is a static and unwieldy tool. The organization doesn’t really need to know exactly what data is in each and every database file (and cataloguing this can be incredibly heavy on the endpoint, causing all kinds of crashes and user frustration). The organization simply needs to know if and when risky user activity related to a database takes place.

Detection means having visibility into user and data activity and receiving alerts when any potential breach of policy takes place. In many cases, early detection can be used to stop an actual data breach from taking place.


If an insider incident does take place, the security team will need to investigate. In the traditional world of DLP, it has been very difficult to sort through logs and correlate activity. Logs are simply a chronological list of activities and do not indicate which ones are related to one another.

With proper visibility into user and data activity, investigators can quickly home in on the key metadata around data exfiltration or abuse. It’s one thing to know that a user downloaded a sensitive database of customer credit card data. It’s another to be able to see exactly who the user was, what they did before and after the incident, and whether the action represents intentional theft or careless behavior.

Proper visibility means investigations can take place in hours or days, rather than weeks or months, and this can drastically reduce the overall risk for the organization even in the event of a confirmed incident.


Finally, as the saying goes, an ounce of prevention is worth a pound of cure. It’s entirely possible to reduce the risk of database theft and misuse with real-time user alerts. In many cases, employees and other insiders simply forget about a policy or don’t fully understand it and make a mistake. A real-time alert can quickly remind them and keep them acting within corporate policy using timely education. If the user is misusing a database on purpose, it’s still possible to prevent exfiltration using blocking. This way, even if a file is downloaded from a sensitive location or accessed inappropriately, the organization can prevent it from being uploaded to the internet or exfiltrated via removable media.
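As an added illustration (not code from the original post or from Proofpoint), the following Python sketch shows the activity-based approach described above: it replays a constructed audit trail, issues a policy reminder on a sensitive database export, blocks a removable-media write by the same user that follows within a short window, and reconstructs what that user did before and after the export for the investigator. The database names, action names, log format, and time windows are assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user action target")

# Constructed sample audit trail for illustration, not real logs: one user
# exports a sensitive database, then copies the export to removable media.
SAMPLE_LOG = """\
2024-03-04T09:01:10 jdoe login workstation-17
2024-03-04T09:05:42 jdoe db_query customers_db
2024-03-04T09:07:03 jdoe db_export customers_db
2024-03-04T09:09:30 jdoe usb_write customers.csv
2024-03-04T09:15:00 asmith db_query inventory_db
2024-03-04T11:00:00 jdoe logout workstation-17
"""

# Assumed policy: which databases are sensitive, which actions move data off
# the host, and how long after an export an exfiltration action is suspicious.
SENSITIVE_DBS = {"customers_db", "payroll_db"}
EXFIL_ACTIONS = {"usb_write", "web_upload"}
WINDOW = timedelta(minutes=30)

def parse_log(text):
    """Parse one whitespace-separated event per line into Event tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, target = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, action, target))
    return events

def evaluate(event, recent_exports):
    """Real-time decision for a single event: a sensitive export gets 'warn'
    (timely policy reminder to the user); an exfiltration action within WINDOW
    of that user's sensitive export gets 'block'; anything else is 'allow'."""
    if event.action == "db_export" and event.target in SENSITIVE_DBS:
        recent_exports.setdefault(event.user, []).append(event.ts)
        return "warn"
    if event.action in EXFIL_ACTIONS:
        if any(timedelta(0) <= event.ts - t <= WINDOW
               for t in recent_exports.get(event.user, [])):
            return "block"
    return "allow"

def run(events):
    """Replay events in order, tracking per-user exports; return (event, decision) pairs."""
    recent_exports = {}
    return [(e, evaluate(e, recent_exports)) for e in events]

def timeline(events, user, anchor, window=timedelta(minutes=15)):
    """For investigation: the user's own activity within `window` before and after `anchor`."""
    return [e for e in events if e.user == user and abs(e.ts - anchor) <= window]
```

The detection keys on what the user did, not on the contents of the database file, which is the point the post makes about activity over classification.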

Protecting Your Most Vulnerable Assets

In the Insider Threat Report, 90% of those surveyed said they felt vulnerable to insider attacks. In fact, 53% confirmed they had been the victim of an insider attack in the last year. The good news is that organizations are increasingly embracing the value of user and data activity monitoring. The survey also found that 94% of organizations are using some form of user activity monitoring, and 93% are monitoring access to sensitive data.

These numbers are encouraging, as they indicate that security teams recognize the very real risk at hand. The next important step is to ensure that the monitoring in place is capable of providing the level of context and detailed visibility needed to detect, investigate, and prevent insider threat incidents in a timely fashion. Only with complete visibility into the details of user activity can organizations fully protect their most vulnerable assets and reduce their risk in today’s threat climate.

Want to see for yourself how Proofpoint protects databases from insider threats? Try it out in our sandbox environment (no downloads or configuration required).