Database security: At rest, but not at risk

30.07.2012

Stacey Gregerson, senior database security analyst at Diebold, agrees that it takes a while to fine-tune auditing tools. "When I first started, I turned on all the alerts right off the bat," he says. "I overdid it and taxed myself, personally." He has since learned how to digest the same amount of information in a manageable way.

Gregerson, who uses IBM's Guardium system for database monitoring and real-time protection, works with multiple database systems and version levels. He advises that when you first get the system, you point it at the database you want to audit and monitor everything that comes through the box. "While doing that, start to fine-tune the system as to what to trigger alerts on," he says.

Once you learn what you want to protect, you will begin getting fewer alerts. For instance, a database may contain thousands of linked tables, but you are mainly concerned with small subsets of the data in it. "You go from triggering alerts on thousands of tables to just five or six," he says.

"We still get a report on other activities, but instantaneous alerts are just on the critical data." It's a matter of learning more about your data and understanding what is sensitive and what is not. "That alone gives us a competitive advantage," he says.
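The tuning Gregerson describes boils down to a routing rule: every event is still recorded, but only events that touch a short list of critical tables page someone immediately; the rest are folded into a report for later review. The Python below is an added illustration of that rule and is not Gregerson's configuration or Guardium's policy language (which is defined in the product's own console). The audit log format, the table names, the user names and the `CRITICAL_TABLES` list are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of database audit events, one per line, in a made-up
# "timestamp|db_user|client_ip|sql" format (not any product's real log format).
SAMPLE_AUDIT_LOG = """\
2012-07-30T09:01:12|app_svc|10.0.2.15|SELECT id, name FROM products WHERE id = 42
2012-07-30T09:01:13|app_svc|10.0.2.15|SELECT p.id FROM products p JOIN inventory i ON i.pid = p.id
2012-07-30T09:02:40|report_ro|10.0.3.7|SELECT * FROM sales_summary
2012-07-30T09:03:05|dba_jsmith|10.0.9.2|SELECT card_number, expiry FROM card_vault WHERE customer_id = 77
2012-07-30T09:03:09|dba_jsmith|10.0.9.2|UPDATE customer_pii SET ssn = '000-00-0000' WHERE id = 5
2012-07-30T09:04:00|app_svc|10.0.2.15|INSERT INTO audit_trail (actor, action) VALUES ('app_svc', 'login')
2012-07-30T09:05:22|etl_batch|10.0.4.4|DELETE FROM staging_orders WHERE loaded = 1
"""

# The "five or six" tables whose access warrants an instantaneous alert.
# Hypothetical names chosen for the example.
CRITICAL_TABLES = {"card_vault", "customer_pii", "hr_salaries"}

# Pulls table names out of the common DML keywords. Deliberately simple: a real
# monitoring product resolves tables from the parsed statement, not from a regex.
TABLE_RE = re.compile(
    r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE,
)


@dataclass
class AuditEvent:
    ts: str
    user: str
    client: str
    sql: str
    tables: frozenset


def parse_line(line: str) -> AuditEvent:
    """Split one constructed log line and extract the tables the SQL touches."""
    ts, user, client, sql = line.split("|", 3)
    tables = frozenset(t.lower() for t in TABLE_RE.findall(sql))
    return AuditEvent(ts, user, client, sql, tables)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


@dataclass
class TriageResult:
    alerts: list = field(default_factory=list)        # events that page someone now
    report: Counter = field(default_factory=Counter)  # table -> access count, reviewed later


def alert_count_untuned(events) -> int:
    """The 'alert on everything' starting point: one alert per recorded event."""
    return len(events)


def triage(events, critical_tables=CRITICAL_TABLES) -> TriageResult:
    """Route each event: immediate alert if it touches a critical table,
    otherwise add it to the periodic report keyed by table name."""
    result = TriageResult()
    for ev in events:
        hit = ev.tables & critical_tables
        if hit:
            result.alerts.append((ev.ts, ev.user, ev.client, sorted(hit), ev.sql))
        else:
            for table in ev.tables:
                result.report[table] += 1
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_AUDIT_LOG)
    res = triage(evs)
    print(f"untuned: {alert_count_untuned(evs)} alerts; tuned: {len(res.alerts)} alerts")
    for ts, user, client, tables, sql in res.alerts:
        print(f"ALERT {ts} {user}@{client} tables={tables}: {sql}")
    print("report (non-critical tables):", dict(res.report))
```

With the sample log, the untuned configuration raises seven alerts, one per statement; the tuned one raises two, both for `dba_jsmith` touching `card_vault` and `customer_pii`, while the other five statements are counted against their tables in the report. Growing `CRITICAL_TABLES` is the only knob, which is the point of learning which data is sensitive before turning alerting on.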

Gregerson chose Guardium because he didn't want to affect the performance of Diebold's systems. Some third-party tools are designed as database add-ons, he says, which he considers an unnecessary layer. Guardium, on the other hand, sits on the server itself and monitors at the database kernel level. "The impact has been extremely minimal," he says.