DEV5059: Using Machine Learning to Make DevSecOps a Reality Oracle Code One

Transcription

1 DEV5059: Using Machine Learning to Make DevSecOps a Reality Oracle Code One Vijay Tatkar Director, Product Management Oracle Management Cloud October 25, 2018

2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle s products may change and remains at the sole discretion of Oracle Corporation.

3 Program Agenda Defining terms Why DevSecOps is Perfect for Machine Learning Making Machine Learning Smarter for SecOps Demo Q&A

4 Data Breaches are Exploding World-Wide 200M Experian Mar 14 56M 150M 76M Adobe 143M JPMC Oct 13 Oct 14 Equifax July 17 98M Target DEC 13 11M Premera Blue Cross Mar 15 US Voters 191M, Dec 15 32M Home Depot Ashley Sep 14 Madison 77M Jul 15 Edmodo May M ebay May 14 TBs IP Sony Nov 14 Sabre Mar 16 80M Anthem Feb 15 1B Yahoo Dec M US Voter Jun M Scottrade Oct 15 CIA 15M T-Mobile Oct 15 Apr US 17 OPM, 22M Jun 15 93M Mexico Voter Apr M Friend Finder Dec 16 Carphone Warehouse Aug M 4M Talk Talk Oct 15 Vodafone Oct 13 2M 2M Orange Feb/Apr 14 Hacking Team Jul GB IP Theft 4 out of 5 breaches were human errors! Espionage Kaspersky Jun 15 50M Turkish Govt Apr M Debit cards Oct 16 30M BSNL Telco Journal Jul 15 S. Korea Jan 14 20M Credit Bureau 12M Telecom 5M VTech Nov 15 55M Philippines Voter list Apr 16 Kmart Oct 15 Japan 22M Benesse Education Jul 14 42M Cupid Media Jan 13

5 Program Agenda Defining terms Why DevSecOps is perfect for machine learning Making Machine Learning Smarter for SecOps Demo Q&A

6 Defining Terms (source: wikipedia.com) Machine Learning Machine learning is the subfield of computer science that gives computers the ability to learn without being explicitly programmed. Evolved from the study of pattern recognition and computational learning theory in artificial intelligence, machine learning explores the study and construction of algorithms that can learn from and make predictions on data. DevSecOps DevSecOps is a practice that aims at integrating security into every aspect of an application lifecycle from design to development, testing, production, and ongoing operations. DevSecOps is increasingly being used in the context of cloud deployments where organizations already have DevOps teams and tools in place to integrate, automate and monitoring every aspect of the development lifecycle from development to production. Systems Management or IT Operations Management IT Operations is responsible for the smooth functioning of the infrastructure and operational environments that support application deployment to internal and external customers, including the network infrastructure; server and device management; computer operations; IT infrastructure library (ITIL) management; and help desk services for an organization.

7 DevSecOps is changing Development and Operations Cloud is forcing an evolution away from established practices Developer Trends Microservices Continuous Integration High Frequency Releases Open Source Frameworks Real time Data pipelines SPARK, Cassandra, Kafka Akka, Scala Jenkins Security Loss of Fortress or Perimeter of protection Cyber Kill Chain 2000: Thrill seeking Geeks 2008: Profit seeking insiders Now: Highly organized cyber syndicates, nation states Operations transformation Docker Kubernetes Hybrid Clouds Continuous Deployment Zero Downtime releases Chef, Ansible, Jenkins

8 The Cyber Security Kill-Chain Research Infiltration Discovery Bad Guys Good Guys Capture Exfiltration

9 Program Agenda Defining terms Why DevSecOps is perfect for machine learning Making Machine Learning Smarter for SecOps Demo Q & A

10 Developers Need To Increase Code Security Awareness Because fixing code at development is 60x cheaper than a patch Top Security threat concerns:* Phishing: 43% SQL Injection: 49% DDoS: 46% XSS: 37% Protect yourself: Static Checking, Dynamic Checking tools: Coverity, FindBugs, AppScan, HP Fortify, Lint, Analyzer Appropriate privileges to bots, agents Data types and sensitivity Build system controls: add logging, event monitoring, configuration * Source: Dzone survey of >1000 developers: 2016 Simple Preventions: 93% of breaches could have been easily prevented (*Online Trust Alliance Report) Regularly patch & update software Block fake s via authentication Train engineers to recognize phishing attacks Do risk assessments Encrypt end-to-end Ensure that devices & servers are configured

11 Four Drivers in Modern-Day Cybersecurity Security posture must be Asset-, Identity and Hybrid Cloud-Aware at DevOps speed Protected Assets = Data Perimeter = Identity Model = Hybrid Cloud Driver = Innovation Protect the data, forget the perimeter, says PwC security chief IAM leaders should adopt these identity life cycle best practices to properly establish an identity perimeter. The secure use of public clouds requires explicit effort on the part of the customer. The reality is business leaders are moving full speed ahead, with or without you -- Silicon Republic Interview with Kris McKonkey, PwC Cybersecurity Partner, Nov IGA Best Practices, Gartner, Aug Jay Heiser, Gartner Analyst, Nov Neil MacDonald, Gartner Analyst, Nov 2017

12 Program Agenda Defining terms Why DevSecOps is perfect for machine learning Making Machine Learning Smart for SecOps Demo Q&A

13 Oracle Management Cloud First Cloud Native Management and Security Solution END USER EXPERIENCE / ACTIVITY APPLICATION MIDDLE TIER Global threat feeds Cloud access Identity Real users Synthetic users App metrics Transactions Server metrics Diagnostics logs Infrastructure Monitoring Application Performance Monitoring Orchestration Unified, Intelligent Management Platform Powered by Machine Learning DATA TIER VIRTUALIZATION TIER INFRASTRUCTURE TIER Host metrics VM metrics Container metrics Configuration Compliance Tickets & Alerts Security & Network events Log Analytics Configuration & Compliance Security Monitoring & Analytics IT Analytics Auto-remediation Copyright 2018 Oracle and/or its affiliates. All rights reserved.

14 ML Is Ideally-Suited for Security & Management Massive Data Volume Terabytes of telemetry generated every day overwhelm humans Data Is Highly-Patterned Unified metric and log data can be understood by purpose-built ML Need Insights, Not Data We know the kinds of questions we want to ask What caused the problem? Is what I m seeing normal or abnormal? What do I need to pay attention to right now? What problem is coming up in the near future?

15 Unified Data Informs Both Security and Management Example: Configurations/Topology Example: Performance metrics >3800 >5600 >49000 Number of property settings available in basic installs of Oracle Database, Exalogic, Exadata Time-series performance data from end-user to disk across hybrid estate Modeled and correlated over time for anomaly detection and forecasting Why security cares: misconfigurations leave data and IT assets exposed Why ops cares: misconfigurations cause majority of performance issues Why security cares: anomalies may indicate malware or ransomware Why ops cares: root cause analysis of issues; outage prevention

16 Security Monitoring & Analytics Cloud-native Built on integrated OMC platform Continuous monitoring, analyticsdriven, and self-learning Automated response Has identity context ML models, rules, and correlation for high fidelity threat detection Copyright 2018 Oracle and/or its affiliates. All rights reserved.

17 Configuration & Compliance Cloud Service Continuous Compliance Across Hybrid Cloud Estate Maintain industry and regulatory compliance (STIG, GDPR, etc.) Enforce company-specific compliance across hybrid clouds ML driven configuration drift management

18 Program Agenda Defining terms Why DevSecOps is perfect for machine learning Making Machine Learning Smart for SecOps Demo Q&A

19 DEMO: Decoding the Cyber Kill Chain A Spearfish starts a chain of threat events Mary Baker gets infected Sets in motion a Cyber Kill Chain Kill Chain is a sequence: Recon: Suspicious User Activity Infiltration: Hijacked Account Lateral Movement: Malicious User Behavior Exfiltration: Data exposure We will decode some threat types: WebAccessAnomaly MultipleFailedLogins BruteForceAttack CASBAlertO365 SQLAnomaly TargetAccountAttacks MultipleAccountCreation LocalAccountCreation

20 The Cyber Security Kill-Chain & How to prevent Threats Security Intelligence Research Apps & Network Logs Infiltration Discovery DB Security Bad Guys Correlation & ML models Capture Good Guys Exfiltration Autoremediation Copyright 2018, Oracle and/or its affiliates. All rights reserved.

21 How to protect yourself Continuous Monitoring Continuous monitoring of Users, Applications and Databases to reduce Mean time to Detect (MTTD) Continuous assessment of users and entity behavior for anomaly detection Identify Anomalous behavior, suspicious activities and policy violations Ensure the right security controls are on your IT Algorithms and Insights Purpose-built ML to dynamically set baselines to detect and correlate anomalies Enrichment of log data with rich security categorization Real-time snapshot of your security and compliance posture for better risk management Deep Security monitoring for Database and Applications Automated Security Auto-response to critical alerts Orchestrate playbooks to trigger auto-remediation Quick forensics and automated ticketing to reduce mean time to respond (MTTR) Real-time snapshot of security and compliance posture

22 Key Takeaways DevSecOps depends on SecOps speed matching DevOps speed The DevSecOps problem is well-suited to machine learning BUT Machine Learning must be matured Unified data and context increases the effectiveness of ML and analysis

23 Oracle POVs on ML-Enabled Management & Security

24 For More Information Cloud.oracle.com/management Cloud.oracle.com/security #MgmtCloud

25