Simon Rice, VP Enterprise Services, Cintra Jon Kobrick...

Post on 11-Jun-2020


Transcript of Simon Rice, VP Enterprise Services, Cintra Jon Kobrick...

Architecting your success. Simon Rice, VP Enterprise Services, Cintra; Jon Kobrick, COO, STI Group

Modern Data Security: Critical information to keep your data platform secure against cyber-security threats

Cintra... Driving World Class Oracle Architecture Solutions, Services and Support

● Oracle architecture expertise driving modernization and transformation
● Oracle architecture blueprints driving the Oracle on Oracle and cloud solutions
● Oracle proactive 24x7 expert managed services for operational excellence
● Oracle commercial licensing expertise driving greater value and efficiencies

Oracle Commercial Expertise

Oracle Architecture Expertise

Oracle on Oracle Architecture & Cloud Solutions

Proactive Expert Oracle Managed Services

STI Group... Balancing Information Security Investment with Risk Mitigation

Cyber Security Consulting (CSC)
● Risk Assessment & Policy Development
● Audit & Security Posture Assessment
● Architecture, Remediation, & Certification
● Information Security Management

Managed Security Operations (MSO)
● SecOps Program Management
● Alert/Event Monitoring & Response
● Managed Breach Detection
● Security Infrastructure Management

Infrastructure Security, Data Security, Process Security, Apps Security

Design, Build, Support

Best of Breed Enterprise Security Alliance: 12 year partnership

Cintra/STI Tiered Security Model

Level: Definition

DEFCON 1: Secured in line with top security clearance standards. Extreme access control in line with stringent change management processes. Access to information locked down and governed by the CISO.

DEFCON 2: Secured in line with regulatory compliance requirements. Centralized, protected audit log including superuser and data-related activities. Data encrypted in motion and at rest.

DEFCON 3: Default state for all Cintra/STI managed services customers. Infrastructure, OS, DB and Apps hardening. Auditing of superuser activities enabled.

Cyber Security: Introduction to the Modern Data Security Methodology

Security Controls Overview (diagram): Surface Area of Attack mapped against Security Controls

Cyber Security: Understanding the Threat Landscape

Overall Breach Trends
* 2016 Verizon Data Breach Investigations Report
* 2016 Cost of Data Breach Study: Global Analysis, sponsored by IBM and conducted by Ponemon Institute LLC

$4 million is the average total cost of a data breach; 29% increase in total cost of data breach since 2013

$158 is the average cost per lost or stolen record; 15% increase in per capita cost since 2013

Overall Breach Trends (chart)
* 2016 Verizon Data Breach Investigations Report

Root causes of data breach (chart)
* 2016 Cost of Data Breach Study: Global Analysis, sponsored by IBM and conducted by Ponemon Institute LLC

Factors that reduce the cost of a data breach (chart: US Dollars saved per compromised record)
* 2016 Cost of Data Breach Study: Global Analysis, sponsored by IBM and conducted by Ponemon Institute LLC

Breach Trends: Asset Varieties (chart)
* 2016 Verizon Data Breach Investigations Report

Insider and Privilege Misuse (chart)
* 2016 Verizon Data Breach Investigations Report

WannaCry

Real Life Examples: Cintra and STI Group Customers

Customer 1: Hospital Patient Data Loss
• The Scenario
  • Large hospital network
  • Patient data is encrypted, running on Oracle Enterprise Edition
  • For 18 months a nurse printed off records and sold them to an entity in Russia
• Why did this happen?
  • Lack of processes in place to validate unusual behavior
  • Lack of management oversight
• How did Cintra/STI help?
  • Deployment of centralized auditing software
  • Automatic audit alerts in line with HIPAA regulations
  • Tighter staff security training and controls

Customer 2: Website Hacked
• The Scenario
  • Popular editorial content website
  • A web application vulnerability was exploited
  • They were after the target's customers
• Why did this happen?
  • Lack of application security development processes
  • Insufficient production change management and integrity monitoring
• How did Cintra/STI help?
  • Coordinated and executed incident response plan
  • Conducted log analysis and code review
  • Implemented enhanced integrity monitoring

Customer 3: Retail POS Breach
• The Scenario
  • Retail sites with hundreds of POS machines
  • Compromise through insecure remote access configuration
  • Attacker lateral movement
• Why did this happen?
  • Poor security configuration hardening
  • Excessive privilege assignment
• How did Cintra/STI help?
  • Developed secure configuration standard
  • Implemented more robust access management solution

Cyber Security: Architecting for Security

The Modern Architecture Journey Requires Modern Security


Standardize Versions > Consolidate Systems > Secure Modern Platform > Manage Data > Enable Agility > Adopt Cloud

Traditional security models are no longer sufficient in today's modern landscape

Lower Costs, Faster Time To Market, Business Focus, Innovation Focus

Assessing Against Modern Cyber Security Standards: We perform honest assessments of database architectures

Architecture Element | Indicator | Current Capability Score | Reasoning
People: Training | Security training in place | 7 | Adequate security training
People: Org | Appropriate organizational structure | 5 | Missing CISO role and governance body
People: Staff | Adequate staff to manage security | 3 | Recruitment required to fill security roles
Process: Assess | Periodic assessments carried out | 9 | Detailed quarterly assessments in place
Process: Start/Leave | New starter/leaver policies in place | 9 | Documented and secure policies in place
Process: Monitor | Security monitored and updated | 5 | Some gaps noted in security monitoring
Process: Patch | Patching procedures implemented | 5 | Database tier patched regularly
Technology: Access | Appropriate access controls | 2 | Excessive privilege allocation noted
Technology: Encrypt | Encryption implemented | 2 | No encryption of PII data in place
Technology: Audit | Auditing implemented with alerting | 5 | Auditing of network assets only
Technology: Detect | Intrusion detection | 6 | Some intrusion detection, with gaps
Technology: Network | Network hardened | 3 | Significant gaps in network security
Technology: OS | Operating System hardened | 9 | OS hardened in line with PCI regulations
Technology: DB | Database tier hardened | 9 | DB tier hardened in line with PCI regulations
Technology: Apps | Application tier hardened | 9 | Apps tier hardened in line with PCI regulations

Physical architecture diagram

The Cloud Journey Starts with a Secure Foundation

Private Cloud / Public Cloud: HYBRID ENTERPRISE CLOUD

• Cloud Maturity
• No Security Compromises
• Matched or Greater Controls
• Matched or Greater Capabilities
• Not all clouds are created equal!

(diagram: PUBLIC CLOUD alongside YOUR CLOUD)

Cyber Security: General Recommendations

Security Considerations: People

People

Training – commercial, in house, on the job, etc.

Security Accountability – formally assigned responsibilities

Sufficient Resources – sufficient time for security tasks

Performance Metrics – measure, measure, measure

Cyber Security: Network Security

Network Security Considerations: Process Best Practices

Processes

Change Control

Configuration Management

Vulnerability Management

Configuration Hardening

Security Monitoring

Network Security Considerations: Technology Best Practices

Technology

Firewalls, ACLs, Network Segmentation, Private VLANs

Signature IPS/AV, Threat Emulation, Network Behavior Monitoring

Data Loss Prevention

Encryption: TLS, IPSec, SSH (GRE is a tunnelling protocol with no confidentiality of its own; run it over IPSec if the tunnel carries sensitive traffic)

Network Access Control, Port Security

Secure Remote Access / Multi-Factor Authentication

Cyber Security: Operating System Security

Operating System Security Considerations: Processes

Processes

Security Operations Assessment

Security Monitoring

Vulnerability Management

Security Administration

Device and Software Inventory

Privilege/RBAC Review

Operating System Security Considerations: Technology

Technology

Endpoint Security (Anti-malware/AV, EDR, DLP, etc.)

Disk and File System Encryption

Mandatory Access Control System, Application Whitelisting

System and Process Accounting, Logging, EDR

File Integrity Monitoring (FIM)

Privilege Escalation Management

Operating System Security Considerations

1. Initial setup
   1.1 Filesystem configuration
   1.2 Configure software updates
   1.3 Filesystem integrity checking
   1.4 Secure boot settings
   1.5 Additional boot settings
   1.6 Mandatory access control
   1.7 Warning banners
2. Services
   2.1 Inetd services
   2.2 Special purpose services
   2.3 Service clients
3. Network configuration
   3.1 Network parameters (host only)
   3.2 Network parameters (host and router)
   3.3 IPv6
   3.4 TCP wrappers
   3.5 Uncommon network protocols
   3.6 Firewall configuration
4. Logging and Auditing
   4.1 Configure system accounting (auditd)
   4.2 Configure logging
5. Access, Authentication and Authorization
   5.1 Configure cron
   5.2 SSH server configuration
   5.3 Configure PAM
   5.4 User accounts and environment
6. System Maintenance
   6.1 System file permissions
   6.2 User and Group Settings

Cyber Security: Database Security

Database Security Considerations: Technology

Encryption – personally identifiable information is encrypted at rest and in transit, and database logons are encrypted.

Auditing – superuser access and access to sensitive data are audited, with triggered alerts.

Patch Procedures – database clusters and instances are patched with the latest security fixes at least quarterly (Oracle Critical Patch Updates are released on a quarterly cycle).

Access Controls – least-privileged access, with deactivation on termination.

Intelligent Firewalls – SQL injection attack protection from database firewalls that inspect SQL before it reaches the database.

Complete Vaulting – total lockdown of administrative and database access using vault technology, so that administrators can run the database without being able to read the application data in it.

Oracle Listeners – non-standard ports, whitelists of allowed hosts, password protection. Caveats: a non-standard port is obscurity rather than a control; host whitelisting is configured with TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES in sqlnet.ora; from 11g the listener is protected by local OS authentication and the listener password is deprecated.
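The auditing, alerting, least-privilege and deactivation controls above, together with the centralized auditing with automatic alerts described for the hospital customer, as an added example. This is not code from the deck or from Cintra/STI; it uses Oracle 11gR2 traditional auditing (the release the deck's hardening outline targets) and is run as a DBA. HR.PATIENTS, its SSN and DIAGNOSIS columns, the SECADMIN schema, the PATIENT_APP and JSMITH accounts, the role and the alert table are hypothetical names.

```sql
-- Added example, not from the Cintra/STI deck. Oracle 11gR2 traditional
-- auditing, run as a DBA. HR.PATIENTS, SECADMIN, PATIENT_APP, JSMITH and
-- the alert table are hypothetical names.

-- 1. Superuser auditing and a database-resident trail (static parameters:
--    they take effect at the next restart). SYS activity itself always goes
--    to the OS audit destination, never into SYS.AUD$.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Standard object and statement auditing.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.patients BY ACCESS;
AUDIT ALTER ANY TABLE, GRANT ANY PRIVILEGE, GRANT ANY ROLE,
      CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT SESSION WHENEVER NOT SUCCESSFUL;    -- failed logons

-- 3. Fine-grained auditing: record reads of the PII columns by anyone other
--    than the application account and call a handler that raises an alert.
CREATE TABLE secadmin.sensitive_access_alerts (
  alert_time  TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(100),
  client_host VARCHAR2(100),
  policy_name VARCHAR2(30),
  sql_text    VARCHAR2(4000)
);

CREATE OR REPLACE PROCEDURE secadmin.raise_sensitive_access_alert (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- keeps the alert even if the caller rolls back
BEGIN
  INSERT INTO secadmin.sensitive_access_alerts
    (db_user, os_user, client_host, policy_name, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'),
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
  COMMIT;
  -- Forward to the SOC here (UTL_MAIL, an AQ queue, or a SIEM agent that
  -- tails this table). Never let this procedure raise: an unhandled error
  -- in an FGA handler fails the audited statement.
EXCEPTION
  WHEN OTHERS THEN ROLLBACK;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'PATIENTS',
    policy_name       => 'PATIENTS_PII_READ',
    audit_condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''PATIENT_APP''',
    audit_column      => 'SSN,DIAGNOSIS',
    handler_schema    => 'SECADMIN',
    handler_module    => 'RAISE_SENSITIVE_ACCESS_ALERT',
    enable            => TRUE,
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- 4. Least privilege: the application role carries only the DML it needs;
--    nobody gets SELECT ANY TABLE or DBA for convenience.
CREATE ROLE patient_app_role;
GRANT SELECT, INSERT, UPDATE ON hr.patients TO patient_app_role;
GRANT CREATE SESSION, patient_app_role TO patient_app;

-- 5. Deactivation on termination: lock first, clean up later.
ALTER USER jsmith ACCOUNT LOCK PASSWORD EXPIRE;

-- 6. Daily review of both the alert table and the FGA trail.
SELECT alert_time, db_user, os_user, client_host
FROM   secadmin.sensitive_access_alerts
WHERE  alert_time > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY alert_time DESC;

SELECT timestamp, db_user, os_user, userhost, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'PATIENTS_PII_READ'
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;
```

The FGA policy fires per statement, not per row, and only when one of the listed columns is referenced, so the hospital scenario (a single account reading records it has no business reading, over months) shows up as a steady stream of handler calls from one SESSION_USER. The audit trail in the database is only as trustworthy as the people who can delete from SYS.AUD$, which is why the deck's DEFCON 2 level calls for a centralized, protected copy of it.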

Transparent Data Encryption Feature Summary

§ Encrypts columns or entire application tablespaces
§ Protects the database files on disk and on backups
§ Transparent to applications, no changes required
§ High-speed performance, low overhead
§ Optimized for Exadata

(diagram: Applications see Clear Data; Encrypted Data on Disks, Backups, Exports and Off-Site Facilities)

Note: TDE protects the data files, backups and exports that leave the server; it does not protect data from anyone who can run SQL against the database, and it is only as strong as the protection of the wallet that holds the master key.

Oracle Audit Vault and Database Firewall

(architecture diagram: the Database Firewall sits between Apps/Users and the databases and sends Firewall Events to the Audit Vault; the Audit Vault collects Audit Data from databases, Operating Systems, File Systems, Directories and Custom Audit Data sources; the Auditor and Security Manager consume Reports, Alerts and Policies)

Database Security Considerations

3.0 Oracle Database Hardening – Oracle 11gR2
   3.1 User Accounts Security: General Best Practices
   3.2 Data Access from Non-Prod Databases
   3.3 Non-default Database Naming is in place
   3.4 Database Configuration Parameters
   3.5 Implement profiles to enforce user security and compliance
      3.5.1 Assign Profiles Appropriately
   3.6 Empty caches during database shutdown
   3.7 Storage is sufficient to prevent DoS attacks
   3.8 Users have appropriate privileges and tablespace quota
   3.9 Public access to sensitive packages has been removed
   3.10 Regularly review changes to database objects
   3.11 Production exports and backups are secure
   3.12 Large objects (LOBs) are stored securely
   3.13 Audit Java access to the O/S
   3.14 Oracle Text Option

4.0 Oracle Auditing
   4.1 Implement Auditing to Dedicated Tablespace
      4.1.1 Audit Tablespace Defined with ASSM
   4.2 Database auditing is configured appropriately
   4.3 Ensure Audit Information is Regularly Reviewed
   4.4 Ensure Audit Trail Records are Regularly Purged

5.0 Oracle Wallet Management for 11gR2
   5.1 Using Oracle Transparent Data Encryption
      5.1.1 Using Different Encryption Algorithms
      5.1.2 Encrypting External Tables
      5.1.3 Removing Encryption
      5.1.4 Tablespace Encryption
   5.2 Restricted Access to Oracle Wallets
   5.3 Wallet passwords and keys are cycled at regular intervals
   5.4 Oracle Wallets are configured optimally for RAC
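Items 3.5, 3.9, 4.1, 4.4, 5.1.4 and 5.3 of the outline above, and the tablespace encryption summarised on the TDE slide, as one added Oracle 11gR2 script. This is not code from the deck or from Cintra/STI; it is run as a DBA, and the profile name SECURE_USER, the APP_USER account, the AUDIT_TS and PII_TS tablespaces, the data file paths, the wallet directory and the wallet password are hypothetical.

```sql
-- Added example, not from the Cintra/STI deck. Oracle 11gR2, run as a DBA.
-- SECURE_USER, APP_USER, AUDIT_TS, PII_TS, file paths and the wallet
-- password are hypothetical values.

-- 3.5  Profile enforcing lockout, password ageing, reuse and complexity.
@?/rdbms/admin/utlpwdmg.sql       -- installs Oracle's VERIFY_FUNCTION_11G
CREATE PROFILE secure_user LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1         -- days
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  IDLE_TIME                30        -- minutes; enforced only with RESOURCE_LIMIT=TRUE
  SESSIONS_PER_USER        5;
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;
ALTER USER app_user PROFILE secure_user;     -- 3.5.1: assign to every named account

-- 3.9  Remove PUBLIC execute on packages that reach the OS, the network or
--      the JVM. Grant them directly to the schemas that genuinely need them.
REVOKE EXECUTE ON utl_file       FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp        FROM PUBLIC;
REVOKE EXECUTE ON utl_http       FROM PUBLIC;
REVOKE EXECUTE ON utl_smtp       FROM PUBLIC;
REVOKE EXECUTE ON dbms_java      FROM PUBLIC;
REVOKE EXECUTE ON dbms_scheduler FROM PUBLIC;
-- Check: anything still listed here is still world-executable.
SELECT table_name
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC' AND privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP',
                      'DBMS_JAVA','DBMS_SCHEDULER');

-- 4.1 / 4.1.1  Dedicated ASSM tablespace for SYS.AUD$ and SYS.FGA_LOG$,
--      so a full audit trail cannot fill SYSTEM and halt the instance.
CREATE TABLESPACE audit_ts
  DATAFILE '/u02/oradata/ORCL/audit_ts01.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE 20G
  EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;
BEGIN
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    default_cleanup_interval => 24);                 -- hours
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_location_value => 'AUDIT_TS');
END;
/

-- 4.4  Purge only records older than the retention window, and only after
--      the central collector (e.g. Audit Vault) has archived them.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'DAILY_AUDIT_PURGE',
    use_last_arch_timestamp    => TRUE);
END;
/

-- 5.1.4  Tablespace encryption. sqlnet.ora must already point at the wallet:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
-- 5.2: the wallet directory and ewallet.p12 belong to the oracle OS user, mode 600.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Str0ng-Wallet-Pa55";  -- creates wallet + master key
CREATE TABLESPACE pii_ts
  DATAFILE '/u02/oradata/ORCL/pii_ts01.dbf' SIZE 1G AUTOEXTEND ON
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.patients MOVE TABLESPACE pii_ts;   -- rewrites existing rows encrypted
ALTER INDEX hr.patients_pk REBUILD TABLESPACE pii_ts; -- MOVE leaves indexes UNUSABLE
-- After every restart the wallet must be opened before encrypted data is readable:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Str0ng-Wallet-Pa55";

-- 5.3  Rotate the master key on schedule. This re-wraps the tablespace keys;
--      the data itself is not re-encrypted. Back up the wallet first.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Str0ng-Wallet-Pa55";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

Two checks worth running after this script: confirm with `SELECT tablespace_name, encrypted FROM dba_tablespaces` that PII_TS shows ENCRYPTED = YES, and confirm that no copy of the wallet sits on the same backup media as the encrypted data files, since a backup that carries both the data and the key has not been protected at all.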

Cyber Security: Application Security

Application Tier Security Considerations: Technology

Encryption – of traffic between the database and app server and of traffic between the web tier and app tier.

Auditing – monitoring of performance baselines and suspicious activity.

Patch Procedures – full technology stack patching every quarter. More aggressive patching of public-facing assets.

Access Controls – integration with controlled LDAP directories where possible. Adoption of least-required privileges.

Hardware Security Modules – adoption of HSMs to protect the private keys that secure web and app tier traffic, so the keys never exist in clear on the servers.

Dedicated, secure domains – Java container design to ensure no commonality between clients/apps/environments.

Mobile Security – ensure that mobile access points are locked down and accessed appropriately.

Cyber Security: Wrapping Up

Cyber Security: How can Cintra and STI Group help? Assessment, Design & Planning, Configuration, Deployment, Management

• Secure Database and Application Upgrades
• Security Roadmap and Business Case
• Detailed Secure Architecture Design
• Secure Architecture Implementation
• Secure Database Builds and Initial Migrations
• Proactive 24x7 Database Support
• Secure Data Migration Services
• Encrypted RMAN Database Backups
• Benchmarking of Encryption Overheads
• Secure Monitoring Server
• Encrypted Data Guard for DR Site Protection
• Ongoing Hardware Support
• Deployment of Centralized Auditing
• Security Training
• Ongoing Patching Support
• Security Health Checks
• Masking of Data for Non-Production
• Quarterly Security Assessments

What's Next: Database Security Assessment/Design
• Contact us today: info@cintra.com

• Assess the security of your current Database platform and identify any gaps

• Build a business case for a modern, secure Database architecture

• Maximize your investment in Oracle Software and adopt security options

• Establish a Cintra and STI Group partnership for expert Oracle architecture guidance

• Benefit from Security-Focused Proactive Expert 24x7 Managed Services Support