Simon Rice, VP Enterprise Services, Cintra Jon Kobrick...
Architecting your success. Simon Rice, VP Enterprise Services, Cintra; Jon Kobrick, COO, STI Group
Modern Data Security: Critical information to keep your data platform secure against cyber-security threats
Cintra… Driving World Class Oracle Architecture Solutions, Services and Support
● Oracle architecture expertise driving modernization and transformation
● Oracle architecture blueprints driving the Oracle on Oracle and cloud solutions
● Oracle proactive 24x7 expert managed services for operational excellence
● Oracle commercial licensing expertise driving greater value and efficiencies
(Diagram labels: Oracle Commercial Expertise; Oracle Architecture Expertise; Oracle on Oracle Architecture & Cloud Solutions; Proactive Expert Oracle Managed Services)
STI Group… Balancing Information Security Investment with Risk Mitigation
Cyber Security Consulting (CSC)
● Risk Assessment & Policy Development
● Audit & Security Posture Assessment
● Architecture, Remediation, & Certification
● Information Security Management
Managed Security Operations (MSO)
● SecOps Program Management
● Alert/Event Monitoring & Response
● Managed Breach Detection
● Security Infrastructure Management
(Diagram labels: Infrastructure Security; Data Security; Process Security; Apps Security; Design, Build, Support)
Best of Breed Enterprise Security Alliance: 12 year partnership
Cintra/STI Tiered Security Model
Level | Definition
DEFCON 1 | Secured in line with top security clearance standards. Extreme access control in line with stringent change management processes. Access to information locked down and governed by the CISO.
DEFCON 2 | Secured in line with regulatory compliance requirements. Centralized, protected audit log including superuser and data-related activities. Data encrypted in motion and at rest.
DEFCON 3 | Default state for all Cintra/STI managed services customers. Infrastructure, OS, DB and Apps hardening. Auditing of superuser activities enabled.
Cyber Security: Introduction to the Modern Data Security Methodology
Security Controls Overview (diagram: Surface Area of Attack vs. Security Controls)
Cyber Security: Understanding the Threat Landscape
Overall Breach Trends
Sources: 2016 Verizon Data Breach Investigations Report; 2016 Cost of Data Breach Study: Global Analysis, sponsored by IBM and conducted by Ponemon Institute LLC
$4 million is the average total cost of a data breach, a 29% increase in total cost of data breach since 2013
$158 is the average cost per lost or stolen record, a 15% increase in per capita cost since 2013
Overall Breach Trends (chart; source: 2016 Verizon Data Breach Investigations Report)
Root causes of data breach (chart; source: 2016 Cost of Data Breach Study: Global Analysis, IBM/Ponemon Institute LLC)
Factors that reduce the cost of a data breach (chart of US dollars saved per compromised record; source: 2016 Cost of Data Breach Study: Global Analysis, IBM/Ponemon Institute LLC)
Breach Trends – Asset Varieties (chart; source: 2016 Verizon Data Breach Investigations Report)
Insider and Privilege Misuse (chart; source: 2016 Verizon Data Breach Investigations Report)
WannaCry
Real Life Examples: Cintra and STI Group Customers
Customer 1: Hospital Patient Data Loss
The Scenario
• Large hospital network
• Patient data is encrypted, running on Oracle Enterprise Edition
• For 18 months a nurse printed off records and sold them to an entity in Russia
Why did this happen?
• Lack of processes in place to validate unusual behavior
• Lack of management oversight
How did Cintra/STI help?
• Deployment of centralized auditing software
• Automatic audit alerts in line with HIPAA regulations
• Tighter staff security training and controls
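The hospital case is the classic encryption-does-not-help scenario: the nurse was an authorized user, so the only control that could have caught an 18-month leak is behavioural validation over the audit trail. The following is an added example (not code from Cintra, STI Group or Oracle) of the two simplest checks a centralized audit-alerting pipeline would run over constructed audit records: per-user daily volume on a sensitive object compared with the peer median, and any access outside business hours. The CSV event format, the object name PATIENT_RECORDS, the user names and the thresholds are all assumptions made for illustration.

```python
"""Flag unusual access to a sensitive table from centralized audit records.

Added example, not code from Cintra, STI Group or Oracle. The CSV event
format, the object name PATIENT_RECORDS and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of audit events: ts,user,action,object,rows_returned
SAMPLE_AUDIT = """\
2017-05-01T09:05:00,nurse_a,SELECT,PATIENT_RECORDS,30
2017-05-01T10:15:00,nurse_b,SELECT,PATIENT_RECORDS,25
2017-05-01T11:30:00,nurse_c,SELECT,PATIENT_RECORDS,32
2017-05-02T08:40:00,nurse_a,SELECT,PATIENT_RECORDS,35
2017-05-02T13:00:00,nurse_b,SELECT,PATIENT_RECORDS,40
2017-05-02T02:10:00,nurse_c,PRINT,PATIENT_RECORDS,900
2017-05-03T09:30:00,nurse_a,SELECT,PATIENT_RECORDS,28
2017-05-03T14:20:00,nurse_b,SELECT,PATIENT_RECORDS,30
2017-05-03T16:00:00,nurse_c,SELECT,PATIENT_RECORDS,31
2017-05-03T16:05:00,nurse_c,SELECT,DRUG_FORMULARY,500
"""


def parse_events(text):
    """Parse CSV audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, action, obj, rows = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "rows": int(rows)})
    return events


def find_anomalies(events, sensitive_obj="PATIENT_RECORDS",
                   peer_factor=3.0, min_rows=200, off_hours=(22, 6)):
    """Return alerts for (a) user-days whose row volume on the sensitive
    object is far above the peer median and (b) any out-of-hours access."""
    alerts = []
    per_user_day = defaultdict(int)
    start, end = off_hours
    for e in events:
        if e["obj"] != sensitive_obj:
            continue                                   # only the sensitive object counts
        per_user_day[(e["user"], e["ts"].date())] += e["rows"]
        h = e["ts"].hour
        if h >= start or h < end:                      # window wraps around midnight
            alerts.append({"rule": "off_hours", "user": e["user"],
                           "when": e["ts"].isoformat(),
                           "detail": f'{e["action"]} of {e["rows"]} rows'})
    if not per_user_day:
        return alerts
    baseline = median(per_user_day.values())           # peer behaviour, not a fixed number
    for (user, day), rows in sorted(per_user_day.items()):
        if rows >= min_rows and rows > peer_factor * baseline:
            alerts.append({"rule": "volume", "user": user, "when": day.isoformat(),
                           "detail": f"{rows} rows vs peer median {baseline:g}"})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_events(SAMPLE_AUDIT)):
        print(alert)
```

Two caveats a practitioner would add. First, a slow drip (a handful of records per shift over 18 months) never trips a daily volume threshold; the complementary rule is a cumulative count of distinct patients touched per user over a long window, compared with role peers. Second, the PRINT event here comes from the application layer, not the database audit trail, which is why the deck's fix is centralized auditing: the database alone never sees what left the building on paper.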
Customer 2: Website Hacked
The Scenario
• Popular editorial content website
• A web application vulnerability was exploited
• They were after the target's customers
Why did this happen?
• Lack of application security development processes
• Insufficient production change management and integrity monitoring
How did Cintra/STI help?
• Coordinated and executed incident response plan
• Conducted log analysis and code review
• Implemented enhanced integrity monitoring
Customer 3: Retail POS Breach
The Scenario
• Retail sites with hundreds of POS machines
• Compromise through insecure remote access configuration
• Attacker lateral movement
Why did this happen?
• Poor security configuration hardening
• Excessive privilege assignment
How did Cintra/STI help?
• Developed secure configuration standard
• Implemented more robust access management solution
Cyber Security: Architecting for Security
The Modern Architecture Journey Requires Modern Security
Journey steps: Standardize Versions; Consolidate Systems; Secure Modern Platform; Manage Data; Enable Agility; Adopt Cloud
Traditional security models are no longer sufficient in today's modern landscape
Benefits: Lower Costs; Faster Time To Market; Business Focus; Innovation Focus
Assessing Against Modern Cyber Security Standards: We perform honest assessments of database architectures
Architecture Element | Indicator | Current Capability Score | Reasoning
People: Training | Security training in place | 7 | Adequate security training
People: Org | Appropriate organizational structure | 5 | Missing CISO role and governance body
People: Staff | Adequate staff to manage security | 3 | Recruitment required to fill security roles
Process: Assess | Periodic assessments carried out | 9 | Detailed quarterly assessments in place
Process: Start/Leave | New starter/leaver policies in place | 9 | Documented and secure policies in place
Process: Monitor | Security monitored and updated | 5 | Some gaps noted in security monitoring
Process: Patch | Patching procedures implemented | 5 | Database tier patched regularly
Technology: Access | Appropriate access controls | 2 | Excessive privilege allocation noted
Technology: Encrypt | Encryption implemented | 2 | No encryption of PII data in place
Technology: Audit | Auditing implemented with alerting | 5 | Auditing of network assets only
Technology: Detect | Intrusion detection | 6 | Some intrusion detection, with gaps
Technology: Network | Network hardened | 3 | Significant gaps in network security
Technology: OS | Operating System hardened | 9 | OS hardened in line with PCI regulations
Technology: DB | Database tier hardened | 9 | DB tier hardened in line with PCI regulations
Technology: Apps | Application tier hardened | 9 | Apps tier hardened in line with PCI regulations
Physicalarchitecturediagram
The Cloud Journey Starts with a Secure Foundation
(Diagram: Private Cloud and Public Cloud combine into the Hybrid Enterprise Cloud; "Public Cloud" vs "Your Cloud")
• Cloud Maturity
• No Security Compromises
• Matched or Greater Controls
• Matched or Greater Capabilities
• Not all clouds are created equal!
Cyber Security: General Recommendations
Security Considerations: People
Training – commercial, in house, on the job, etc.
Security Accountability – formally assigned responsibilities
Sufficient Resources – sufficient time for security tasks
Performance Metrics – measure, measure, measure
Cyber Security: Network Security
Network Security Considerations: Process Best Practices
Change Control
Configuration Management
Vulnerability Management
Configuration Hardening
Security Monitoring
Network Security Considerations: Technology Best Practices
Firewalls, ACLs, Network Segmentation, Private VLANs
Signature IPS/AV, Threat Emulation, Network Behavior Monitoring
Data Loss Prevention
Encryption: TLS, IPSec, SSH (GRE tunnels carry no encryption of their own and need IPsec protection)
Network Access Control, Port Security
Secure Remote Access / Multi-Factor Authentication
Cyber Security: Operating System Security
Operating System Security Considerations: Processes
Security Operations Assessment
Security Monitoring
Vulnerability Management
Security Administration
Device and Software Inventory
Privilege/RBAC Review
Operating System Security Considerations: Technology
Endpoint Security (Anti-malware/AV, EDR, DLP, etc.)
Disk and File System Encryption
Mandatory Access Control System, Application Whitelisting
System and Process Accounting, Logging, EDR
File Integrity Management
Privilege Escalation Management
Operating System Security Considerations: Hardening Checklist
1. Initial setup
1.1 Filesystem configuration
1.2 Configure software updates
1.3 Filesystem integrity checking
1.4 Secure boot settings
1.5 Additional boot settings
1.6 Mandatory access control
1.7 Warning banners
2. Services
2.1 inetd services
2.2 Special purpose services
2.3 Service clients
3. Network configuration
3.1 Network parameters (host only)
3.2 Network parameters (host and router)
3.3 IPv6
3.4 TCP wrappers
3.5 Uncommon network protocols
3.6 Firewall configuration
4. Logging and Auditing
4.1 Configure system accounting (auditd)
4.2 Configure logging
5. Access, Authentication and Authorization
5.1 Configure cron
5.2 SSH server configuration
5.3 Configure PAM
5.4 User accounts and environment
6. System Maintenance
6.1 System file permissions
6.2 User and Group Settings
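Item 1.3 above (filesystem integrity checking) and the "enhanced integrity monitoring" deployed for the hacked website (Customer 2) are the same control: a trusted baseline of file hashes compared against the live system, so an altered page or an unexpected new file in the web root is reported rather than discovered by the customers. The block below is an added example of that baseline-and-compare loop, not code from Cintra, STI Group or any FIM product; the web-root layout, the file contents and the simulated tampering are constructed in a temporary directory purely so the example runs offline.

```python
"""Baseline-and-compare file integrity check.

Added example, not code from Cintra, STI Group or any FIM product. The web
root, its files and the tampering below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Build a constructed web root, take a baseline, tamper with it, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib" / "db.php").write_text("<?php // db connector ?>\n")
        (root / "config.php").write_text("<?php $debug = false; ?>\n")
        baseline = snapshot(root)      # in practice: stored off-host and signed

        # Constructed tampering: a page edited in place, an unexpected new
        # file dropped into a library directory, and a config file deleted.
        (root / "index.php").write_text("<?php /* injected */ echo 'hello'; ?>\n")
        (root / "lib" / "shell.php").write_text("<?php /* unexpected file */ ?>\n")
        (root / "config.php").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: an attacker who can write the web root can usually also rewrite a baseline kept beside it, so store it off-host (or sign it) and re-baseline only through change control, which is the "production change management" half of the Customer 2 finding.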
Cyber Security: Database Security
Database Security Considerations: Technology
Encryption – personally identifiable information is encrypted at rest and in transit, and database logons are encrypted.
Auditing – superuser access or access to sensitive data is audited, with triggered alerts.
Patch Procedures – database clusters and instances are patched with the latest security fixes at least quarterly.
Access Controls – least-privileged access, with deactivation on termination.
Intelligent Firewalls – SQL injection attack protection from software firewalls.
Complete Vaulting – total lockdown of administrative and database access using vault technology.
Oracle Listeners – non-standard ports, white-lists of allowed hosts, password protection.
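Of the three listener measures, the host white-list is the one that actually removes attack surface: a non-standard port only delays a scan. On Oracle the white-list is the sqlnet.ora parameter TCP.VALIDNODE_CHECKING with TCP.INVITED_NODES (and optionally TCP.EXCLUDED_NODES). The block below is an added example, not Oracle code and not Cintra/STI tooling, that reads a sqlnet.ora fragment and answers "would the listener accept a connection from host X?" for a weak configuration beside a hardened one. The two configuration fragments, the hostnames and the addresses are constructed; the parameter names are real, while the precedence applied when both lists are present (the invited list wins) follows the Oracle documentation and should be confirmed against the release in use.

```python
"""Evaluate Oracle listener host whitelisting from sqlnet.ora.

Added example, not Oracle code and not Cintra/STI tooling. The two
sqlnet.ora fragments, hostnames and addresses are constructed; the
parameter names are real sqlnet.ora parameters.
"""
import ipaddress

# Constructed: the default/weak state, the listener accepts connections from anywhere
WEAK_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

# Constructed: hardened state, only named hosts/subnets may reach the listener
HARDENED_SQLNET = """
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (10.20.30.0/24, app01.example.internal, 192.168.5.7)
"""


def parse_sqlnet(text):
    """Minimal sqlnet.ora reader: one KEY = VALUE per line, '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def _node_list(value):
    """Turn '(a, b, c)' into ['a', 'b', 'c']."""
    return [n.strip() for n in value.strip().strip("()").split(",") if n.strip()]


def _node_matches(node, host):
    """A node entry may be a hostname, a single IP address, or a CIDR subnet."""
    try:
        net = ipaddress.ip_network(node, strict=False)
    except ValueError:
        return node.lower() == host.lower()           # hostname entry: compare names
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False                                  # host is a name, entry is an IP


def connection_allowed(params, host):
    """Would the listener accept a TCP connection from this host?"""
    if params.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        return True                                   # no node checking at all
    invited = _node_list(params.get("TCP.INVITED_NODES", ""))
    excluded = _node_list(params.get("TCP.EXCLUDED_NODES", ""))
    if invited:                                       # assumption: invited list wins
        return any(_node_matches(n, host) for n in invited)
    if excluded:
        return not any(_node_matches(n, host) for n in excluded)
    return True


def audit_sqlnet(params):
    """Human-readable findings for the listener access-control settings."""
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        findings.append("TCP.VALIDNODE_CHECKING is not 'yes': any host may connect")
    elif not _node_list(params.get("TCP.INVITED_NODES", "")):
        findings.append("TCP.INVITED_NODES is empty: no positive white-list in force")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        p = parse_sqlnet(text)
        print(name, audit_sqlnet(p), connection_allowed(p, "203.0.113.9"))
```

Node checking is a coarse control (it trusts source addresses) and does not replace network segmentation or encrypted logons; its value is that an application server compromise elsewhere on the network cannot be turned directly into a listener connection unless that host was deliberately invited.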
Transparent Data Encryption Feature Summary
§ Encrypts columns or entire application tablespaces
§ Protects the database files on disk and on backups
§ Transparent to applications, no changes required
§ High-speed performance, low overhead
§ Optimized for Exadata
(Diagram: applications see clear data; encrypted data on disks, exports, backups and off-site facilities)
Oracle Audit Vault and Database Firewall
(Diagram: apps and users connect through the Database Firewall; firewall events, together with audit data from databases, operating systems, file systems, directories and custom audit data, feed the Audit Vault, which produces reports, alerts and policies for the Auditor and the Security Manager)
Database Security Considerations: Hardening Standard Outline
3.0 Oracle Database Hardening – Oracle 11gR2
3.1 User Accounts Security: General Best Practices
3.2 Data Access from Non-Prod Databases
3.3 Non-default Database Naming is in place
3.4 Database Configuration Parameters
3.5 Implement profiles to enforce user security and compliance
3.5.1 Assign Profiles Appropriately
3.6 Empty caches during database shutdown
3.7 Storage is sufficient to prevent DoS attacks
3.8 Users have appropriate privileges and tablespace quota
3.9 Public access to sensitive packages has been removed
3.10 Regularly review changes to database objects
3.11 Production exports and backups are secure
3.12 Large objects (LOBs) are stored securely
3.13 Audit Java access to the O/S
3.14 Oracle Text Option
4.0 Oracle Auditing
4.1 Implement Auditing to Dedicated Tablespace
4.1.1 Audit Tablespace Defined with ASSM
4.2 Database auditing is configured appropriately
4.3 Ensure Audit Information is Regularly Reviewed
4.4 Ensure Audit Trail Records are Regularly Purged
5.0 Oracle Wallet Management for 11gR2
5.1 Using Oracle Transparent Data Encryption
5.1.1 Using Different Encryption Algorithms
5.1.2 Encrypting External Tables
5.1.3 Removing Encryption
5.1.4 Tablespace Encryption
5.2 Restricted Access to Oracle Wallets
5.3 Wallet passwords and keys are cycled at regular intervals
5.4 Oracle Wallets are configured optimally for RAC
Cyber Security: Application Security
Application Tier Security Considerations: Technology
Encryption – of traffic between the database and app server, and of traffic between the web tier and app tier.
Auditing – monitoring of performance baselines and suspicious activity.
Patch Procedures – full technology stack patching every quarter. More aggressive patching of public-facing assets.
Access Controls – integration with controlled LDAP directories where possible. Adoption of least-required privileges.
Hardware Security Modules – adoption of HSMs to lock down web and app tier traffic.
Dedicated, secure domains – Java container design to ensure no commonality between clients/apps/environments.
Mobile Security – ensure that mobile access points are locked down and accessed appropriately.
Cyber Security: Wrapping Up
Cyber Security: How can Cintra and STI Group help?
Phases: Assessment; Design & Planning; Configuration; Deployment; Management
• Secure Database and Application Upgrades
• Security Roadmap and Business Case
• Detailed Secure Architecture Design
• Secure Architecture Implementation
• Secure Database Builds and Initial Migrations
• Proactive 24x7 Database Support
• Secure Data Migration Services
• Encrypted RMAN Database Backups
• Benchmarking of Encryption Overheads
• Secure Monitoring Server
• Encrypted Data Guard for DR Site Protection
• Ongoing Hardware Support
• Deployment of Centralized Auditing
• Security Training
• Ongoing Patching Support
• Security Health Checks
• Masking of Data for Non-Production
• Quarterly Security Assessments
What's Next: Database Security Assessment/Design
• Contact us today: [email protected]
• Assess the security of your current Database platform and identify any gaps
• Build a business case for a modern, secure Database architecture
• Maximize your investment in Oracle Software and adopt security options
• Establish a Cintra and STI Group partnership for expert Oracle architecture guidance
• Benefit from Security-Focused Proactive Expert 24x7 Managed Services Support