• All the data in the world doesn't have any value if it's not used. In a security context, audit data isn't all that useful if it's only examined when an incident is discovered.

    And yet we don't have time to build automatic reviewers, maintain them for new ideas, instances, etc., and then spend the time to deal with the billion false hits we'll get to find the one true one. It ends up as a complete time sink and even a good DBA eventually gets tired of hearing the boy cry wolf.

    You could have entire teams of people doing nothing but building and examining auditable information for pattern detection. Then reviewing again for the items they hadn't thought of yet. And digging into every message not only for what it does mean but what it might mean, and combinations that indicate an attack vs. simple business.

    Time and money are against us. Audits are there to explain what happened. The realistic chances of catching it in motion are nil if they've gotten through the firewalls...


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.


    Twitter: @AnyWayDBA