Sentrigo has added support for SQL Server to its database activity-monitoring solution, Sentrigo Hedgehog 2.0. The company wanted to move to being a cross-platform solution, and SQL Server was the logical next choice, say Slavik Markovich, Sentrigo’s CTO, and Rani Osnat, Sentrigo’s vice president for marketing. Sentrigo plans to add support for SQL Server 2008 also.
Hedgehog is a host-based solution as opposed to a network-based solution. With network-based solutions, Markovich says, “You’re missing the internal threat. On the network, you can’t see what stored procedure is running. You can see more details from a host-based solution as opposed to a network-based one.”
Several customers have encryption on the network, which makes it difficult to use network-based appliance solutions, he says. Host-based solutions had challenges, too, in the past. “The hosting approach was known to hit performance on the database. But those were solutions which used APIs.”
Hedgehog doesn’t add anything to the load, he says. “The solution has no I/O impact. We’re not doing any queries on the database. We take a very small amount of CPU.”
Hedgehog has a very small sensor installed on the database that samples the procedural cache. Because all transactions pass through that cache, you can see everything that’s going on. Based on policies and rules in Hedgehog, you can alert or terminate user sessions when things look suspicious. You can also create granular policies that alert you based on time of day, IP address, or the SQL statement itself. Wizards guide you through policy templates to create rules fitting your particular needs and compliance requirements.
Sentrigo’s red team (ethical hackers) adds another layer of policies by addressing known vulnerabilities with “virtual patches.” However, SQL Server 2005 “doesn’t have many” vulnerabilities, he says. Sentrigo can address those vulnerabilities in a day or two in a policy it sends to customers.
Network-based competitors may be doing log analysis, he says, but it’s after the fact, not real-time, and they don’t alert on select operations. The solution also prevents SQL Server injection attacks and can quarantine users.
“Hedgehog was set up from the start to be a monitoring approach, not an auditing approach,” he says. “You can use \[Hedgehog\] for auditing—fine-grained or selective auditing. Some may have requirements for full auditing—this is not what Hedgehog is for. With Hedgehog, you can enforce.”
For additional coverage about Sentrigo Hedgehog, see "Sentrigo Hedgehog Minds Your Database".