Oracle Management Cloud (OMC) Security Modules – AIOUG session (slide transcript)
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Oracle Management Cloud (OMC) Security Modules
June 2017
Chetan Vithlani, Principal SC – SCC Solutions - InfoSec
Confidential – Oracle Internal/Restricted/Highly Restricted
Brief Introduction
• Cyber, Cloud and Information Security Solutions Architect
• AIOUG Bangalore Chapter, founding and core team member
• Over two decades of global IT industry experience across the BFSI, Telco and Healthcare domains
• Certifications
– Oracle Database RAC 12c Certified Implementation Specialist
– Oracle Database 12c Certified Implementation Specialist
• 30+ public events and 70+ customer-facing sessions
• Social: Twitter: CMVithlani, LinkedIn: https://in.linkedin.com/in/chetanvithlani
• Blogs: https://www.linkedin.com/today/posts/chetanvithlani
• YouTube: https://www.youtube.com/watch?v=Mr6ByIPIwns
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
1. Introduction to Oracle Management Cloud (OMC)
2. Cyber Security challenges
3. OMC Security Solutions
4. Demo
5. Q & A
Our Vision
• Complete, integrated suite of management solutions
• Designed for heterogeneous applications and infrastructure
• Rapid time to value
(Slide diagram: one suite spanning on-premise and cloud, made up of Application Performance Monitoring, Log Analytics, IT Analytics, Infrastructure Monitoring, Compliance, Orchestration, and Security Monitoring & Analytics)
Growing Impact of Cybersecurity
• eBay: 148M customer records (2015)
• MySpace: 427M passwords, 360M emails, 111M usernames (2016)
• Yahoo: 1 billion+ user accounts (2016)
Why Aren't Security Teams Able to Keep Up?
Shrinking Visibility
• Cloud and BYOD reduce the efficacy of perimeter security
• DevOps multiplies change rates
• Shrinking window in which to catch a vulnerable configuration
Growing Detection Gap
• Zero-day attacks require anomaly detection
• Low-and-slow, multi-stage threats require sequence awareness
• Targeted attacks require identity awareness
Falling Efficiency
• More assets, more security tools, more alerts
• Staffing shortages
• Negative impact on SOC metrics
Cyber Kill Chain (stages as used on the slide): Recon → Infiltration → Lateral Movement → Exfiltration
Current Solution: Fragmented and Integration Intensive
• SIEM (Security Information and Event Management): security context, rules-based detection
• UEBA (User and Entity Behavior Analytics): user context, anomaly detection
• Log Management: raw logs, forensic search, IT ops analytics
• Configuration Management: secure state, configuration auditing
What stitching these four together costs:
X Integration overhead in perpetuity
X Multiple UIs, support lines, M&A risk
X Redundancy within each segment
X Lacking operational awareness
X Scale and delivery-model discrepancies
Oracle Management Cloud: Security Monitoring and Compliance Redefined
• Integrated SIEM/UEBA, log and configuration management
• SMB to F100 trusted vendor globally
• Heterogeneous coverage across cloud and on-premise assets
• Adds unique operational intelligence critical to modern threat detection
• Delivered as a cloud service suite for rapid time to value and ease of expansion/scale
Security modules: Security Monitoring and Analytics; Configuration and Compliance
OMC Security Data Flow
Pipeline stages: COLLECT → ANALYZE → INVESTIGATE → RESPOND
• Collect: any activity (logs, flows, metrics, transactions, config; on-premise and cloud) and any context (assets, users, threats, vulnerabilities)
• Analyze (analytics): correlation rules, machine learning
• Investigate: formats (dashboards, reports, search) and dimensions (users, assets, threats)
• Respond (triage): incidents, workflow, configuration
• Consumers: SOC analyst, admin, SOC manager, incident response, auditors, CSO, CIO
Collection: Standardized Event Format
• Comprehensive, multi-entity taxonomy spanning all data sources
• Auto-mapping for supported sources and extensibility with custom parser
• Faster onboarding, reduced training for SOC analysts
Mapping and normalization example (from the slide): the source-specific account field is mapped onto one normalized field.
LDAP: UserPrincipalName → Account Name
Active Directory: User logon name → Account Name
IDCS: Login → Account Name
Collection: Intuitive Categorization
• Natural-language, device- and vendor-independent analysis
• OOTB categorization for common sources; extensibility with flex parser
• Faster onboarding, reduced training for SOC staff
Categorization example (from the slide):
Device Type | Event Category | Event Outcome
Host.windows | Authentication.login | Failure
Host.linux | Authentication.login | Failure
Application.BI | Authentication.login | Failure
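The two collection slides above (field normalization and device-independent categorization) describe the same pipeline step from two sides: every source's own account field is folded onto one normalized account name, and every source's own success/failure wording is folded onto one event category and outcome. The example below is added here and is not code from Oracle Management Cloud; it takes the slide's field names (UserPrincipalName, "User logon name", Login) and taxonomy values (Host.windows, Host.linux, Application.BI, Authentication.login, Failure) as given. The sample records, the syslog line, the source keys ("active_directory", "idcs", "ldap") and the Directory.ldap device type are constructed assumptions of this example.

```python
"""Normalize and categorize authentication events from several sources.

Added example, not code from Oracle Management Cloud. Sample input and the
source/device names not on the slide are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Union

# Slide: each source's own account field maps onto the normalized "Account Name".
ACCOUNT_FIELD_MAP = {
    "ldap": "UserPrincipalName",
    "active_directory": "User logon name",
    "idcs": "Login",
}


@dataclass(frozen=True)
class NormalizedEvent:
    source: str
    device_type: str       # e.g. Host.windows
    event_category: str    # e.g. Authentication.login
    event_outcome: str     # Success / Failure
    account_name: str      # normalized account
    src_ip: Optional[str] = None


# Constructed sample input: three structured records as a collector would
# emit them, plus one raw Linux syslog line that still needs a parser.
SAMPLE_RECORDS = [
    {"source": "active_directory", "EventID": 4625,
     "User logon name": "asmith", "IpAddress": "10.1.2.3"},
    {"source": "ldap", "UserPrincipalName": "asmith@example.com", "resultCode": 49},
    {"source": "idcs", "Login": "ASmith@example.com", "result": "FAILURE",
     "client": "10.1.2.3"},
    "Jun  1 10:15:01 db01 sshd[2211]: Failed password for asmith from 10.1.2.3 port 51122 ssh2",
]

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)")


def normalize_account(raw: str) -> str:
    """Fold 'asmith', 'asmith@example.com' and 'ASmith@example.com' onto one key.
    Assumption: the UPN domain suffix carries no extra identity here."""
    return raw.split("@", 1)[0].lower()


def categorize(record: Union[dict, str]) -> NormalizedEvent:
    """Map a vendor-specific record onto the device-independent taxonomy."""
    if isinstance(record, str):                     # Linux syslog: custom parser
        m = SSHD_RE.search(record)
        if not m:
            raise ValueError("no parser matches syslog line: " + record)
        outcome = "Failure" if m["outcome"] == "Failed" else "Success"
        return NormalizedEvent("linux_syslog", "Host.linux", "Authentication.login",
                               outcome, normalize_account(m["user"]), m["ip"])

    src = record["source"]
    account = normalize_account(record[ACCOUNT_FIELD_MAP[src]])
    if src == "active_directory":                   # 4624 = success, 4625 = failure
        outcome = "Failure" if record["EventID"] == 4625 else "Success"
        return NormalizedEvent(src, "Host.windows", "Authentication.login",
                               outcome, account, record.get("IpAddress"))
    if src == "idcs":
        outcome = "Success" if record["result"] == "SUCCESS" else "Failure"
        return NormalizedEvent(src, "Application.BI", "Authentication.login",
                               outcome, account, record.get("client"))
    if src == "ldap":                               # LDAP resultCode 0 = success, 49 = invalidCredentials
        outcome = "Success" if record["resultCode"] == 0 else "Failure"
        return NormalizedEvent(src, "Directory.ldap", "Authentication.login",
                               outcome, account)
    raise ValueError(f"unsupported source {src!r}")


def normalize_all(records) -> list:
    return [categorize(r) for r in records]


def failed_logins_by_account(events) -> Counter:
    """The cross-source count that only works once all sources share one taxonomy."""
    return Counter(e.account_name for e in events
                   if e.event_category == "Authentication.login"
                   and e.event_outcome == "Failure")


if __name__ == "__main__":
    events = normalize_all(SAMPLE_RECORDS)
    for e in events:
        print(e)
    print(failed_logins_by_account(events))
```

The point of the last function is the "faster onboarding" bullet: a rule such as "more than N failed logins per account across any source" is written once against the normalized fields, and adding a new source means adding one parser branch, not a new rule. The UPN-stripping in normalize_account is the kind of decision an identity adapter has to make explicitly; in a directory with several UPN suffixes it would be wrong.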
Analysis: Session Awareness (Identity Correlation)
• Activity-to-identity extrapolation
– VPN logs, AD logs, DHCP logs
– Logs with explicit identity context
• Composite identity awareness
– User model and identity adapters
– Enriched events with user context
• Faster "time to mitigation"
(Slide diagram: activity from several sources resolved to a single user, "Alex Smith")
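The slide names the three log sources that let an IP-only event be attributed to a person: a VPN concentrator binds a login to an assigned address for the life of a session, and DHCP (address to hostname for the lease) combined with AD logon events (account to hostname) does the same on the LAN. The example below is added here and is not code from Oracle Management Cloud; all log records are constructed, and the identity adapter (VPN login "alex.smith" and AD account "asmith" both resolve to the user "Alex Smith", the name from the slide) is an assumption of this example.

```python
"""Activity-to-identity extrapolation (user sessionization) from VPN, DHCP and AD logs.

Added example, not code from Oracle Management Cloud. All records and the
identity adapter mappings below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass
class Session:
    user: str                 # canonical user from the identity adapter
    ip: str
    start: datetime
    end: Optional[datetime]   # None = still open
    evidence: str             # which logs produced this binding


# Identity adapters: per-source identifier -> canonical user (assumed mapping).
IDENTITY_ADAPTERS = {
    "vpn": {"alex.smith": "Alex Smith", "bob.jones": "Bob Jones"},
    "ad": {"asmith": "Alex Smith", "bjones": "Bob Jones"},
}

# Constructed VPN concentrator log: (time, action, login, assigned ip)
VPN_LOG = [
    ("2017-06-01T08:00:00", "connect", "alex.smith", "10.8.0.5"),
    ("2017-06-01T12:30:00", "disconnect", "alex.smith", "10.8.0.5"),
    ("2017-06-01T13:00:00", "connect", "bob.jones", "10.8.0.5"),   # pool address reused
]
# Constructed DHCP server log: (time, ip, hostname, lease seconds)
DHCP_LOG = [
    ("2017-06-01T07:55:00", "10.20.1.17", "WS-ALEX", 3600),
]
# Constructed AD logon events (4624): (time, account, workstation)
AD_LOGON = [
    ("2017-06-01T07:58:00", "asmith", "WS-ALEX"),
]


def build_sessions(vpn_log=VPN_LOG, dhcp_log=DHCP_LOG, ad_logon=AD_LOGON) -> list:
    """Turn raw log lines into user->ip bindings with a validity interval."""
    sessions = []
    # VPN: explicit user->ip binding, opened by connect and closed by disconnect.
    open_vpn = {}
    for ts, action, login, ip in vpn_log:
        user = IDENTITY_ADAPTERS["vpn"][login]
        if action == "connect":
            open_vpn[(user, ip)] = Session(user, ip, T(ts), None, "vpn")
            sessions.append(open_vpn[(user, ip)])
        else:
            open_vpn.pop((user, ip)).end = T(ts)
    # DHCP + AD: DHCP binds ip->hostname for the lease, AD binds account->hostname;
    # the session starts at the logon and ends when the lease would expire.
    for ts, ip, host, lease in dhcp_log:
        lease_start, lease_end = T(ts), T(ts) + timedelta(seconds=lease)
        for lts, account, workstation in ad_logon:
            if workstation == host and lease_start <= T(lts) < lease_end:
                sessions.append(Session(IDENTITY_ADAPTERS["ad"][account], ip,
                                        T(lts), lease_end, "dhcp+ad"))
    return sessions


def resolve_user(ip: str, when: datetime, sessions) -> Optional[str]:
    """Latest session binding `ip` at `when`; None means the activity cannot be attributed."""
    live = [s for s in sessions
            if s.ip == ip and s.start <= when and (s.end is None or when < s.end)]
    return max(live, key=lambda s: s.start).user if live else None


def enrich(event: dict, sessions) -> dict:
    """Add user context to an event that only carries a source IP."""
    return {**event, "user": resolve_user(event["src_ip"], T(event["time"]), sessions)}


if __name__ == "__main__":
    s = build_sessions()
    print(enrich({"time": "2017-06-01T10:00:00", "src_ip": "10.8.0.5",
                  "event": "db.query"}, s))
```

Two details matter in practice and are exercised by the constructed data: the VPN pool address is handed to a second user after the first disconnects, so attribution must be time-bounded rather than a static IP-to-user table; and the DHCP binding expires with the lease, so an event after the lease end returns None instead of a stale user, which is the honest answer when the evidence has run out.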
Investigation: SOC Ready Content
• Curated dashboards
– Users
– Assets
– Threats
• Domain-specific activity dashboards
– Access and authentication
– Cloud service activity
– Database activity
– DNS activity
– …
External Threat Scenario
• THREAT SCENARIO
– DBA compromised by spear-phishing attack
– Malware harvests credentials, queries DBs over time
– Malware contacts external command & control hosts
• SECURITY CHALLENGE
– 0-day attack evades perimeter/endpoint protection
– Static, frequency-based rules miss the low & slow attack
– No ability to detect anomalous SQL queries by user
• OMC SMA ENABLING FEATURES
– SQL query anomaly detection
– User attribution across identities
– Watchlist-based threat escalation
– Multi-dimensional behavioral anomaly detection
– Cyber kill chain visualization
• OMC SMA SOLUTION
– SQL anomaly detection identifies the anomalous SQL query for the DBA account
– Attributes the account to a specific user and adds the user to a watchlist for closer monitoring
– Raises the user risk score based on the anomalous behavior
– Visually presents the sequence of the attack chain
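The scenario turns on a detection that a frequency rule cannot make: each harvested-credential query is a single, well-formed statement from a legitimate DBA account, so what flags it is its deviation from that account's own history (query shape, tables touched, hour of day), accumulated over days. The example below is added here and is not code from Oracle Management Cloud; the DBA's query history, the low-and-slow queries, the account-to-user mapping ("dba_ops" owned by "Alex Smith") and the scoring weights are constructed assumptions of this example.

```python
"""Per-account SQL anomaly detection with watchlist escalation and risk scoring.

Added example, not code from Oracle Management Cloud. Query history, the
account owner mapping and the weights are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_][\w.]*)")


def at(s: str) -> datetime:
    return datetime.fromisoformat(s)


def fingerprint(sql: str) -> str:
    """Query shape with literals removed, so 'where id = 5' and 'where id = 7' match."""
    q = re.sub(r"'[^']*'", "?", sql.strip().lower())
    q = re.sub(r"\b\d+\b", "?", q)
    return re.sub(r"\s+", " ", q)


def tables(sql: str) -> set:
    return set(TABLE_RE.findall(sql.lower()))


# Constructed: user attribution across identities (DB account -> person).
ACCOUNT_OWNER = {"dba_ops": "Alex Smith"}


class SqlAnomalyDetector:
    def __init__(self):
        self.baseline = defaultdict(lambda: {"shapes": set(), "tables": set(), "hours": set()})
        self.risk = defaultdict(int)          # per user, not per account
        self.watchlist = set()
        self.attack_chain = defaultdict(list)  # ordered anomalies per user

    def learn(self, account, sql, ts):
        """Build the per-account baseline from a known-good period only."""
        b = self.baseline[account]
        b["shapes"].add(fingerprint(sql))
        b["tables"] |= tables(sql)
        b["hours"].add(ts.hour)

    def score(self, account, sql, ts) -> list:
        """Reasons the query deviates from this account's history (empty = normal)."""
        b = self.baseline[account]
        reasons = []
        if fingerprint(sql) not in b["shapes"]:
            reasons.append("new_shape")
        for t in sorted(tables(sql) - b["tables"]):
            reasons.append("new_table:" + t)
        if ts.hour not in b["hours"]:
            reasons.append("off_hours")
        return reasons

    def observe(self, account, sql, ts) -> list:
        """Score one live query; anomalies are never folded into the baseline."""
        reasons = self.score(account, sql, ts)
        if not reasons:
            return reasons
        user = ACCOUNT_OWNER.get(account, account)
        # A user already under closer monitoring has their anomalies weighted double.
        weight = 2 if user in self.watchlist else 1
        self.watchlist.add(user)
        self.risk[user] += weight * len(reasons)
        self.attack_chain[user].append((ts, account, reasons))
        return reasons


# Constructed known-good history for the DBA account (business hours, ops queries).
HISTORY = [
    ("2017-05-02T09:15:00", "select count(*) from orders where status = 'NEW'"),
    ("2017-05-02T10:40:00", "select count(*) from orders where status = 'SHIPPED'"),
    ("2017-05-03T09:05:00", "alter index orders_ix1 rebuild"),
    ("2017-05-03T14:20:00", "select name, bytes from dba_data_files"),
    ("2017-05-04T11:00:00", "select count(*) from orders where status = 'NEW'"),
]
# Constructed live traffic: one normal query, then one record per night (low & slow).
OBSERVED = [
    ("2017-06-01T10:05:00", "select count(*) from orders where status = 'NEW'"),
    ("2017-06-01T02:10:00", "select ssn, card_number from customers where id = 1001"),
    ("2017-06-02T02:12:00", "select ssn, card_number from customers where id = 1002"),
    ("2017-06-03T02:11:00", "select ssn, card_number from customers where id = 1003"),
]


def run() -> SqlAnomalyDetector:
    d = SqlAnomalyDetector()
    for ts, sql in HISTORY:
        d.learn("dba_ops", sql, at(ts))
    for ts, sql in OBSERVED:
        d.observe("dba_ops", sql, at(ts))
    return d


if __name__ == "__main__":
    d = run()
    for ts, account, reasons in d.attack_chain["Alex Smith"]:
        print(ts, account, reasons)
    print("risk:", dict(d.risk), "watchlist:", d.watchlist)
```

No single nightly query exceeds any rate threshold, which is why the frequency rule on the slide misses it; here the first one already scores on three dimensions, and the risk score keeps climbing with each repeat because the baseline is frozen at the known-good period rather than retrained on live traffic. The attack_chain list is the data behind the "sequence of attack chain" view: the anomalies for one person, in order, regardless of which account they came through.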
Insider Threat Scenario
• THREAT SCENARIO
– New call center rep accesses several customer records
– Accesses customer support app out of shift hours
– Uses file sharing service from work
• CUSTOMER CHALLENGE
– Static rules don't catch anomalous app activity
– No activity sequence awareness
– No cloud activity access or visibility
• OMC SMA ENABLING FEATURES
– Rule logic integration with watchlists
– Peer-group-based anomaly detection
– Sequence-driven correlation rule logic
– Multi-dimensional behavioral anomaly detection
– Policy-based runbook orchestration & automation
• OMC SMA SOLUTION
– Watchlist-driven new employee monitoring
– Peer baseline comparison shows anomalous access relative to the shift team
– Proxy logs reveal repeated file sharing service access
– Policy-based remediation triggers temporary account disablement until further investigation
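Three mechanisms from the slide combine here: a watchlist that gates which users the rule even applies to, a peer-group baseline (the rep's shift team, not the rep's own short history, which a new hire does not have yet), and a sequence rule that fires only when the signals occur in order within a window. The example below is added here and is not code from Oracle Management Cloud; the shift definition, the access counts, the proxy log, the z-score cut-off and the two-hour window are constructed assumptions of this example.

```python
"""Insider-threat detection: watchlist gating, peer-group baseline, sequence rule, policy action.

Added example, not code from Oracle Management Cloud. The team, the events and
the thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev


def at(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed peer group: the morning shift of the call centre.
SHIFT = {"team": "cc-morning", "start_hour": 8, "end_hour": 16}
WATCHLIST_NEW_HIRES = {"nrep"}        # the rule below only runs for watchlisted users

# Constructed support-app access log: (time, user, customer records opened)
APP_ACCESS = [
    ("2017-06-01T09:00:00", "peer1", 12), ("2017-06-01T09:30:00", "peer2", 15),
    ("2017-06-01T10:00:00", "peer3", 11), ("2017-06-01T11:00:00", "peer4", 14),
    ("2017-06-01T10:15:00", "nrep", 13),          # in line with the team
    ("2017-06-02T19:40:00", "nrep", 58),          # out of shift, far above peers
]
# Constructed web proxy log: (time, user, destination host, category)
PROXY_LOG = [
    ("2017-06-02T19:55:00", "nrep", "files.example-share.net", "file-sharing"),
    ("2017-06-02T20:05:00", "nrep", "files.example-share.net", "file-sharing"),
]


def peer_baseline(user, access=APP_ACCESS):
    """Mean and population std dev of records-per-session for everyone except `user`."""
    counts = [n for _, u, n in access if u != user]
    return mean(counts), pstdev(counts)


def in_shift(ts: datetime) -> bool:
    return SHIFT["start_hour"] <= ts.hour < SHIFT["end_hour"]


def signals_for(user, access=APP_ACCESS, proxy=PROXY_LOG, z=3.0) -> list:
    """Typed, time-stamped signals derived from raw events for one user."""
    mu, sigma = peer_baseline(user, access)
    out = []
    for ts, u, n in access:
        if u != user:
            continue
        t = at(ts)
        if n > mu + z * sigma:
            out.append((t, "anomalous_volume"))
        if not in_shift(t):
            out.append((t, "out_of_shift"))
    for ts, u, host, category in proxy:
        if u == user and category == "file-sharing":
            out.append((at(ts), "file_sharing"))
    return sorted(out)


SEQUENCE = ["anomalous_volume", "out_of_shift", "file_sharing"]


def match_sequence(signals, window=timedelta(hours=2)) -> int:
    """Number of SEQUENCE stages seen in order within `window` of the first stage."""
    stage, first = 0, None
    for t, kind in signals:
        if first is not None and t - first > window:
            stage, first = 0, None          # window elapsed: look for a fresh sequence
        if stage < len(SEQUENCE) and kind == SEQUENCE[stage]:
            first = first if first is not None else t
            stage += 1
            if stage == len(SEQUENCE):
                break
    return stage


def evaluate(user) -> dict:
    """Watchlist-gated rule: new hires get the sequence rule and a policy decision."""
    if user not in WATCHLIST_NEW_HIRES:
        return {"user": user, "stages_matched": 0, "action": "none"}
    stages = match_sequence(signals_for(user))
    action = {3: "disable_account_temporarily", 2: "escalate_to_analyst"}.get(stages, "none")
    return {"user": user, "stages_matched": stages, "action": action}


if __name__ == "__main__":
    for u in ("nrep", "peer1"):
        print(evaluate(u), signals_for(u))
```

The function returns the policy decision rather than executing it; the disablement itself belongs in the identity system's runbook, with the evidence (the signal list) attached to the incident so the analyst who re-enables the account can see why it was locked. Note that the volume check uses the peers' distribution, so the same 58-record session would not be flagged on a team where that is a normal day's work.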
Introducing Oracle Identity SOC Solution
• Content Security, User Security, Network Security
• Security posture: applications, data and user activity analytics, threat intelligence, and compliance
• One-stop SOC dashboard
• Automated incident response & remediation
• Built from: Security Monitoring & Analytics + Compliance Cloud Services, Cloud Security Service, Identity Cloud Service, API Platform Cloud Service
Comprehensive View of Security Posture and Threats
(Slide diagram: one unified platform fed by every tier of the stack)
• Tiers: end-user experience/activity; application; middle tier; data tier; virtualization tier (VM, container); infrastructure tier (VM, container)
• Telemetry flowing into the unified platform: real users and synthetic users; app metrics and transactions; server metrics, diagnostics and logs; host, VM and container metrics; CMDB/compliance, tickets and alerts; security events; global threat feeds, CASB and identity
• Platform properties: intelligent, unified platform; powered by machine learning; informed by a complete data set; heterogeneous and open
Why The Security Problem is Perfect for Machine Learning
Massive volume
Highly patterned
Predictable format
Possible to unify data
Exhibits long-term trends
Sources constantly change
Purpose-Built Machine Learning Answers Top Questions
• What caused the breach?
• What is the biggest threat?
• Should I be concerned about what this user is doing?
• Is what I'm seeing normal or abnormal?
• What do I need to pay attention to right now?
• What will happen tomorrow?
• How do I prevent the problem in the future?
• What areas can I harden, and how?
Security Monitoring and Analytics Cloud Service
• Comprehensive Detection: any log, any intelligence feed, any metric, any location (on-premises or cloud)
• Rapid Investigation: intuitive visualization of threats and early warning signs
• Intelligent Remediation: powerful auto-remediation framework for any IT stack
• Faster Time to Value: next-gen cloud service with SOC-ready content
Configuration and Compliance Cloud Service
• Standards Based: execute industry-standard compliance benchmarks at cloud scale
• Application & Cloud Aware: assess compliance against infrastructure and application stacks, on-premises or in the cloud
• Efficient & Actionable: quickly determine your enterprise compliance posture and remediate violations
• Extensible: execute custom scripts and enforce your organization's standards
Unified Data, Comprehensive Suite
• Application topology awareness
– Lateral movement within application
– Multi-tier attack within application
• Orchestration/Remediation
– Execute configuration assessment
– Change user privileges
• Full visibility across stack and clouds
– End-user activity
– Application and infrastructure logs
– Configuration assessment results
– Operational metrics (CPU, memory etc.)
(Slide diagram: the suite modules around the shared data set: Application Performance Monitoring, Log Analytics, IT Analytics, Infrastructure Monitoring, Compliance, Orchestration, Security Monitoring & Analytics)
Unified Data, Machine Learning: Better Security
Themes: Complete Visibility; Increased Analysis Sophistication; Turbo-charged Identity SOC; Managed Change
Capabilities listed under them: anomaly detection; attack chain awareness; 360° user & identity awareness; cross-cloud monitoring; user sessionization; complete identity management; continuous assessment; benchmarking; drift analysis; real-time remediation; risk-based prioritization; single pane of glass; stack-independent orchestration
Oracle Management Cloud
For More Information
Cloud.oracle.com/management
#MgmtCloud, @OracleMgmtCloud, community.oracle.com/mgmtcloud