Security Monitoring and for Oracle IaaS, PaaS, and SaaS

Transcription

1 Security Monitoring and for Oracle IaaS, PaaS, and SaaS Ansh Patnaik VP, Product Management Oracle Ben Nelson VP, Cloud Security Oracle Akshai Duggal Director, Product Management Oracle Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted

2 Safe Harbor Statement The following is intended to outline our general product It is intended for purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or func@onality, and should not be relied upon in making purchasing decisions. The development, release, of any features or func@onality described for Oracle s products remains at the sole discre@on of Oracle. Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 2

3 Program Agenda Cloud Security Considera@ons Security Monitoring & Analy@cs Cloud Service : Overview Security Monitoring & Analy@cs Cloud Service : Service Architecture Q&A Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 3

4 Cloud Security Logging, Analysis and Response Ben Nelson Vice President, Oracle Cloud Security Opera<ons Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 4

5 and Response 3 Fundamentals Logging Coverage and Inventory Log Analysis Response Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 5

6 Log Coverage and Inventory You can t analyze what you don t have You can t collect what you don t know about Inventory can be hard for many organiza@ons Collec@on should be easy Na@ve OS capabili@es Agents Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 6

7 Log Analysis Time to evolve. Signature-Based Hundreds of good tools on market 20+ yr old technology Only as good as Your vendor Your security analysts Smart Analysis Machine learning Anomaly Threat intelligence enrichment analysis Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 7

8 Response Now what?! We have good log coverage We have good analysis and Alerts to humans are good Response from machines is beeer! Automated response is the next step in cybersecurity Humans can t react or respond quickly enough to known issues with known remedia@ons Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 8

9 The Sliding Scale of Cloud Security Responsibility More Responsibility Less Responsibility SaaS PaaS IaaS Copyright 2017, Oracle and/or its affiliates. All rights reserved. 9

10 Security Monitoring and Cloud Service Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted

11 Security Monitoring and Focus Shrinking Visibility Cloud, BYOD reduce perimeter security efficacy DevOps change rates Shrinking window to catch vulnerable config Growing Gap Zero day aeacks require anomaly Low & slow, threats require sequence awareness Targeted aeacks require awareness Falling Efficiency More assets, more security tools, more alerts Staffing shortages impact on SOC metrics Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 11

12 Current Approach: Fragmented and Intensive UEBA (User and En1ty Behavior Analy1cs) User context, Anomaly SIEM (Security Informa1on and Event Management) Security context, Rules based Log Management Raw logs, Forensic search, IT ops X challenges X Integra@on, UIs, data models, support X Scale and delivery model differences X High viability and M&A risk X Point app specific state checks Configura<on Management Secure state, configura@on audi@ng Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 12

13 Security Monitoring and Cloud Service Protect enterprise wide assets from known and zero-day threats Security monitoring visibility across heterogeneous on-premise and cloud assets Efficient SOC monitoring with OOTB content for modern threats (rules, anomalies etc.) threat intelligence context (URL/IP & Detect threats early using machine learning driven analy<cs and visualiza<on Data access (SQL based) anomalies at the user, group, database and level Nuanced anomalies through baselines (ex: user logins host etc.) User session awareness and aeack chain (ex: account hijacking) Harness OMC plaqorm and cross-service context for richer security monitoring aeacks (APT lateral movement) through OMC plasorm topology awareness drit context in security monitoring SOC (account lockouts, port or other change) with OMC Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 13

14 Oracle Management Cloud Manageability END USER EXPERIENCE APPLICATION MIDDLE TIER DATA TIER VIRTUALIZATION TIER INFRASTRUCTURE TIER VM VM CONTAINER CONTAINER Real Users Synthe<c Users App metrics INCREASED EFFICIENCY Transac<ons Server metrics Diagnos<cs FEWER OUTAGES Logs Host metrics VM metrics Container metrics GREATER AGILITY CMDB Tickets Unified Plasorm Alerts Copyright 2017, Oracle and/or its affiliates. All rights reserved. 14

15 Oracle Management Cloud Security END USER EXPERIENCE APPLICATION MIDDLE TIER DATA TIER VIRTUALIZATION TIER INFRASTRUCTURE TIER VM VM CONTAINER CONTAINER Real Users Synthe<c Users INCREASED EFFICIENCY App metrics Transac<ons FEWER OUTAGES Server metrics Diagnos<cs Logs Host metrics GREATER AGILITY VM metrics Container metrics CMDB Tickets Unified Plasorm BETTER SECURITY Alerts Security Events Configura<on data Iden<ty context Threat intelligence Copyright 2017, Oracle and/or its affiliates. All rights reserved. 15

16 Oracle SOC Framework SOC Dashboard Security Monitoring & Cloud Service CONTENT SECURITY USER SECURITY CONFIGURATION FORENSICS CASB Cloud Service Cloud Service & Compliance Cloud Service Log Cloud Service DATA, TELEMETRY, ANALYTICS AND SECURITY POSTURE data and user threat intelligence, and compliance Automated Response & Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 16

17 Security Monitoring and Data Flow COLLECT ANALYZE INVESTIGATE RESPOND ANY ACTIVITY Logs, metrics, config (On-premise, cloud) ANALYTICS SOC Analyst, Admin SOC Manager Incident Response Auditors CSO, CIO Rules Machine Learning ANY CONTEXT Assets Users Threats FORMATS Dashboards Reports Search DIMENSIONS Users Assets Threats TRIAGE Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 17

18 Data Heterogeneous data sources (formats, stacks, Extensive data enrichment asset, threats) Hybrid assessment results IaaS, PaaS, SaaS Cloud Compliance Point Security Infrastructure Host Networking Fusion apps, 3 rd party applica@ons, Custom applica@ons Directory services, Middleware, Database, Hypervisor Windows, Linux, Unix DHCP, DNS, Load balancer, Flow, Router, Switch Firewall, Proxy, VPN, IDS/IPS, AV, DLP, VA scanners, CASB, TIF Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 18

19 Using Standard Event Format (SEF) event taxonomy for all log data types Auto-mapping for supported sources and extensibility with custom parser Faster onboarding, reduced training for SOC analysts IDCS Login LDAP UserPrincipalName Mapping and Normalized Format Account Name Ac<ve Directory User logon name Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 19

20 Natural language, device and vendor independent analysis OOTB and extensibility with custom parser Faster onboarding, reduced training for SOC staff Subject: Security ID: S Account Name: <account name> Account Domain: <domain> Logon ID: 0x0 Logon Type: <type> Account For Which Logon Failed: Security ID: S Account Name: <account name> Account Domain: <domain> Failure InformaEon: Failure Reason: Unknown user name Status: 0xc000006d Sub Status: 0xc Process InformaEon: Caller Process ID: 0x0 Caller Process Name: :44: :00 Login using Standard Security with User='dahjkfd' :44: :00 Incorrect login/password :44: :00 MsiSessionManager::LoginStandardUser(User Name=dahjkfd, MachineName=Server Machine: Client Machine: ): AuthenRcaRon failed: hr = %3. Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authen>ca>on failure; logname= uid=0 euid=0 Dy=NODEVssh ruser= rhost= user=root Device Type Event Category Event Outcome Host.windows Authen@ca@on.login Failure Host.linux Authen@ca@on.login Failure Applica@on.BI Authen@ca@on.login Failure Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 20

21 Analysis: Session Awareness Composite awareness Rich user data model and adapters for data sources enable 360 degree user monitoring across all Security logs are enriched with user context to Logs with explicit context like VPN and IDM are used to sessionize and aeribute to other logs that lack user context Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 21

22 Analysis: Context Awareness [Context Users Assets Threats Is this a privileged user? Is this user on a watch list? (privileged, terminated, suspicious) Has this user (across iden@@es) taken other anomalous ac@ons? What is the business role, regulatory classifica@on of a targeted asset? Is the to other recent suspicious or anomalous ac@vity? What vulnerabili@es is a server exposed to / not patched for? How reputable is a URL being accessed by an end user? Is the anomalous communica@on with a known malicious IP address? What category of sites poses the most risk given user browsing behavior? Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 22

23 Analysis: Flexible Engine Insider Threat: Brute force aeack Rule: X failed logins + successful login within 1 min Context: Asset cri@cality = High Compliance: Account misuse (SOX) Rule: User account created & deleted within 24 hours Context: Asset role = Produc@on; User Group = Accoun@ng External Threat: Hijacked account Rule: Simultaneous user login from mul@ple loca@ons Context: Login IP address on Latest Malicious IP watchlist Rules Engine Primi<ves ü Aggrega@on ü Windowing ü Context lookups ü Escala@on (watchlists) ü Sequence ü Presence/Absence Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 23

24 Analysis: Machine Learning Based Anomaly Mul<-dimensional Anomaly Detec<on Baseline behavior for members AND peer groups (network access) Across dimensions (1me of access, login loca1on, login host) Diane G. is exhibi1ng anomalous access behavior rela1ve to her peers Data Access Anomaly Detec<on Baseline SQL queries executed By a user/group, DB/DB group, or host/applica@on Queries being run against the finance database are anomalous Dynamic Peer Group Iden<fica<on Cluster users based on common behavioral paeerns Iden@fies peer groups across organiza@onal boundaries Alice is in Finance, but her behavior matches a peer group that mostly consists of SysAdmins Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 24

25 Security Monitoring and Service Architecture Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 25

26 Security Monitoring and leverages Oracle Management Cloud (OMC) Plasorm Topology awareness Lateral movement within aeack within Execute assessment Change user privileges Cross service visibility assessment results metrics (CPU, memory etc.) Modern service plasorm benefits Scale, Availability, Security Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 26

27 Security Monitoring and Cloud Service Infrastructure Monitoring Applica<on Performance Monitoring Orchestra<on Log Analy<cs Security Monitoring & Analy<cs Compliance Monitor Asset Anywhere Tradi<onal On Premises Private Cloud Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 27

28 OMC Client Deployment Architecture SecopsUsers Exadata Servers Windows Servers & Linux VMs Pool of Gateways Accessing Cloud Portal Infrastructure Monitoring Applica<on Performance Monitoring HTTPS Corporate proxy server OMC Cloud Agent on Oracle Cloud Servers Security Monitoring & Analy<cs Orchestra<on Compliance Log Analy<cs Internet Servers Includes SaaS, PaaS, IaaS, Infra Servers, Internal and External Compute, Syslog, Cloud security DC1 /Service firewall Oracle Cloud Data Center DC1 DC2 /Service firewall Oracle Cloud Data Center DC2its affiliates. All rights reserved. Copyright 2017, Oracle and/or Gateway Cloud Agent

29 Conclusion: Security Monitoring & Cloud Service Unified security monitoring (SIEM + UEBA) Protect Against Known and Unknown Threats Universal threat visibility SOC-ready content External threat feeds Advanced Threat Analy@cs and Visualiza@on Unauthorized data access detec@on Mul@-dimensional behavioral anomaly detec@on Session awareness and aeack chain visualiza@on Next-Genera1on Security Solu@on Topology awareness Configura@on change awareness Auto-remedia@on Copyright 2017, Oracle and/or its affiliates. All rights reserved. 29

30 Learn More : Security Monitoring and Analy@cs Demo Grounds Security Monitoring and Analy@cs for Hybrid Cloud Environments with Oracle Management Cloud Con@nuous Compliance Management of Hybrid Cloud Environments with Oracle Management Cloud HOL Security and Compliance for Hybrid Clouds with Oracle Management Cloud HOL7821 Tue Oct 3 and Wed Oct 4 9:45 a.m. - 10:45 a.m. Hilton San Francisco Union Square (Ballroom Level) - Con@nental Ballroom 7 Copyright 2017, Oracle and/or its affiliates. All rights reserved. Confiden@al Oracle Internal/Restricted/Highly Restricted 30

31 Sign Up for Free Trial h\ps://cloud.oracle.com/tryit Copyright 2017, Oracle and/or its affiliates. All rights reserved. Oracle Internal/Restricted/Highly Restricted 31

32 Learn More About Oracle Security Oracle.com/Security /OracleSecurity Copyright 2017, Oracle and/or its affiliates. All rights reserved. 32

33