I have spoken about this subject many times over the years and its one that I particularly like. The idea is that you could have different levels of security or different levels of audit trails dependant on the current circumstances in the particular database that the adaptive security or audit trails refers to or across the estate.
A good example would be in Sherlock Holmes (the modern one) where Moriarty is stealing the crown jewels in the Tower of London and the sirens go off and the whole room is locked down and doors closed and shutters down and the police and security services are heading in. This is what I would think about with adaptive audit trails and adaptive security in the database.
Audit trails could be expensive in terms of cpu and storage of the trails themselves if we had a much more detailed audit set up running all of the time.
The audit trail is an important part of any database forensics investigation. If we find a breach without an audit trail it becomes much more difficult to get to the answers of how they go in, why, what did they see or steal and what could they have done with more time and effort. With a detailed audit trail it is of course much easier to answer questions like this. BUT, the compromise, do we need really detailed trails all of the time or could be be running at defcon 5 and when a breach is suspected move to defcon 4 or happening move to defcon 1.
We can do this with adaptive audit trails. Include enough events that we for sure detect an attack but when its detected up the level of audit trails; even more than once. Then we get minimal audit and storage and CPU requirements most of the time and during the attack we get whats needed for a forensic analysis.
The idea can be adapted to Oracle database security as well. As the attack is confirmed we can also lock down the database security much more. The same effect as the Tower of London. The database being attacked could also signal other databases in the estate to also raise their audit trail levels and also raise the security.
There is a problem of course; there always is a problem!! If someone who is attacking knows that this model exists he/she could simulate enough of an attack that causes the audit trails to rise and security to lock down in all databases causing a Denial Of Service for users of the applications that run in the databases.
This is a very interesting area for me; have a look at the MS PPT above
#oracleace #dbsec #23c #adaptive #oracle #security #audit #audittrails #databreach #forensics