Database security: At rest, but not at risk

30.07.2012

At Fiserv, Isenberg uses Imperva's database scanner for identity and rights management, patch management and database server configuration. "It takes routine audits to let us know where our configurations are out of compliance with industry standards and best practices," he says. He also conducts scans to keep up-to-date with the location of sensitive data, which can change over time. "We need to make sure our policies are protecting the right data at a level that we need," he says.

Database auditing and monitoring

Representative vendors: Application Security, Fortinet, Guardium (owned by IBM), Imperva, Microsoft, Oracle, Sentrigo (owned by McAfee), Sybase

Auditing tools (the second most commonly used kind of tool, Oltsik says) detect malicious activity by monitoring database transactions and changes. Many companies use these tools to record and produce audit logs for compliance purposes.

Using these tools is a step up the maturity curve from passive scanning, Hortobagyi says. Companies need to plan on adding people and infrastructure (such as SIEM integration) to support the firehose of information that results from monitoring and capturing every single statement that gets executed in all of their databases, he says. Another strategy is to limit use to high-risk databases or specific threat patterns.