
SANS Institute Product Review: Oracle Audit Vault
A SANS Whitepaper, March 2012
Written by: Tanya Baccam
Sponsored by Oracle

Contents
  Product Review: Oracle Audit Vault
    Auditing
    Reporting
    Alerting

Introduction

The number, scale and severity of successful data theft and espionage attacks rose considerably last year, according to Verizon's 2011 Data Breach Investigations Report [1]. While 92 percent of these attacks were executed from outside the enterprise, many of them made their way into databases, and those database intrusions have accounted for the majority of financial losses over the history of the report. Loss of records through an insider or outsider breach can have a huge impact on an organization: the average organizational cost of a data breach is $7.2 million, or $214 per compromised record, according to the most recent Ponemon Annual Study: U.S. Cost of Data Breach [2].

When a breach involves customer personal data, an investigation is needed to apprise regulators, law enforcement and affected consumers. In the case of espionage against private and government enterprises, investigations are an ongoing part of doing business. Such investigations help close vulnerabilities and improve the overall security of operations. When those investigations get down to the database level, how can auditors and responders determine which databases were affected, what access and commands were used, and which applications were used against the database? Equally important, how can organizations be alerted to this activity in their databases in time to act and prevent an attack from succeeding?

This paper is a review of Oracle Audit Vault, which provides database log centralization, management, alerting and reporting across multiple databases. With Oracle Audit Vault, investigators and auditors can gather information about who accessed data, which applications were accessed, what was changed, and more. This centralization makes it easier to identify potential compromises early and contain them, and to produce reports for compliance and forensics. Oracle Audit Vault can be set to send alerts, which are critical for a fast response that stops risky behavior and attacks, and it provides out-of-the-box compliance reports and methods of detecting unauthorized activity.

[1] www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
[2] www.symantec.com/about/news/release/article.jsp?prid=20110308_01

SANS Analyst Program, SANS Institute Product Review: Oracle Audit Vault

Product Review: Oracle Audit Vault

Most organizations run multiple database types and versions that are difficult and time-consuming to audit and report on individually. Oracle Audit Vault acts as a secure, centralized repository for database audit trails. It can collect audit trails from a variety of databases, including Microsoft SQL Server 2000, 2005 and 2008; IBM DB2 UDB 8.2 through 9.5; and Sybase ASE 12.5.4 through 15.0.x, as well as Oracle databases. These audit trails can be consolidated automatically and reported on for audit and compliance purposes as well as for early threat detection. With unified reporting across their disparate databases, organizations get more accurate reports and alerts without manually tying events together across database systems.

Oracle Audit Vault uses collectors to gather logs from multiple databases; for Oracle sources there are collectors for the database audit trail, the operating system audit trail and the redo logs. Oracle Audit Vault consolidates the audit data centrally and securely, which makes it easier to search and manage data drawn from multiple databases. That searchable, centrally managed audit data can be used for alerting, notification, trend analysis and more comprehensive audit and compliance functions. A secure log repository not only meets specific compliance needs but also scales better for searching and reporting.

In this functional review of the Oracle Audit Vault product, we used Oracle Database 11g to generate the audit data collected by Oracle Audit Vault, then conducted the review in three phases: Auditing, Reporting and Alerting.

Auditing

To centralize audit data, database audit trails are stored in Oracle Audit Vault, which provides a secure repository on a separate server. Leaving audit data on the originating system leaves it open to alteration by anyone who controls that system, including the administrators whose actions it records. Keeping the repository securely separated from the audited system is critical to compliance requirements that dictate that audit data cannot be altered. Once the data is stored in Oracle Audit Vault, database administrators can be denied access to it completely, or given a read-only role so they cannot change the data in the repository. Oracle Audit Vault leverages Oracle Database Vault and Oracle Advanced Security to strictly control access and prevent tampering with the audit data. Oracle Audit Vault includes Oracle Partitioning to enhance manageability and performance and can optionally be deployed with Oracle Real Application Clusters (RAC) and Oracle Data Guard for additional scalability and high availability. Oracle Audit Vault can also be deployed on Oracle Exadata and the Oracle Database Appliance.

In the first part of this review, we tested the Audit Policy features against a single Oracle Database 11g. This involved clicking the Audit Policy tab and selecting the database being audited. We retrieved the policy by clicking the Audit Settings radio button, which provided the link for the database and a summary of what was being audited, as shown in Figure 1.

Figure 1: Summary of Audit Settings

The audit settings were easy to review and give users a clear picture of what is being audited and sent to Audit Vault. The In Use column shows the number of audit settings active on the database sending records to Audit Vault. The Needed column shows the number of audit settings the auditor has specified as required. The Problem column shows the number of audit settings that require the auditor's attention. Users can follow each of the links for details about how auditing was configured.
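Audit Vault can only summarize what the source database has been told to record, so the In Use column has a source-side counterpart worth knowing. The following is an added example, not code from the SANS review or from Oracle's documentation: it enables and then checks Oracle Database 11g standard auditing for the objects exercised later in this review. It assumes the HR and OE sample schemas are installed and that it runs as a user holding the AUDIT SYSTEM privilege (SYSTEM, for example).

```sql
-- Added example (not from the SANS review or Oracle documentation):
-- enabling and checking standard auditing on an Oracle Database 11g source
-- so that there are records for Audit Vault's database-audit-trail collector
-- to pick up. Assumes the HR and OE sample schemas exist and that this runs
-- as a user with the AUDIT SYSTEM privilege (for example SYSTEM).

-- 1. The trail must be written to the database for the database-trail
--    collector to see it. EXTENDED also records SQL text and bind values,
--    which is what makes the "SQL Text" shown in the review's reports
--    possible. AUDIT_TRAIL is static: the change lands in the SPFILE and
--    takes effect only after the instance is restarted.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA actions go to the OS trail
-- (restart the instance here, then re-run the SELECT above to confirm)

-- 2. Audit the activity exercised later in the review. BY ACCESS writes one
--    record per statement rather than one summary per session, which is what
--    an alert or a forensic timeline needs. Success and failure are both
--    audited unless WHENEVER [NOT] SUCCESSFUL narrows it.
AUDIT SELECT ON hr.employees BY ACCESS;
AUDIT UPDATE ON oe.orders BY ACCESS;
AUDIT CREATE USER BY ACCESS;          -- feeds a CREATE USER alert
AUDIT SESSION;                        -- logon/logoff, one record per session

-- 3. The source-side equivalent of the "In Use" column: what is actually
--    audited right now. For object options, A/A means by access on
--    success/failure, S/S by session, -/- not audited.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY 1;
SELECT privilege, success, failure FROM dba_priv_audit_opts ORDER BY 1;
SELECT owner, object_name, sel, upd, del, ins
  FROM dba_obj_audit_opts
 WHERE owner IN ('HR', 'OE')
   AND (sel <> '-/-' OR upd <> '-/-' OR del <> '-/-' OR ins <> '-/-')
 ORDER BY owner, object_name;
```

Two things bite in practice: nothing is recorded until the instance restart makes AUDIT_TRAIL effective, and standard auditing never records SYS connecting as SYSDBA, whose actions are covered only by AUDIT_SYS_OPERATIONS and the operating-system trail. Both are worth checking before trusting an In Use count.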

Reporting

Next, we evaluated the default reports. Reports on access, database account management, system management, entitlements, exceptions, alerts and more are provided by default with Audit Vault. Oracle Audit Vault's default report options are shown in Figure 2. By clicking the links, we could review the log reports, which immediately provided the basic audit information that might be required of any centralized logging solution.

Figure 2: Default Reports Provided by Audit Vault

Next, we tested what detail the reports would show. For example, to audit specific statements that might indicate employee abuse, we issued the following queries in the database:

    update oe.orders set order_total=54 where order_id=2458;
    select count(*) from HR.employees where salary>10000;

The results appeared in the Data Access report, which showed all queries matching the specified parameters, as summarized in Figure 3.

Figure 3: Data Access Report under the Audit Reports Tab

Oracle Audit Vault can be queried for specific data in order to identify signs of malicious intent or policy violations. By clicking individual records, we could read each query and see which data had been queried by which users. Figure 4 shows an example of what appears to be an employee querying for specific employee salary information.

Figure 4: Observing the SELECT Query

The SQL Text in Figure 4 shows the query that was run. In this case, the user (SYSTEM) had queried for a count of the employees who earn over $10,000. Security personnel can use a number of the reports to query the collected audit data, and centralizing the data in one location makes it easier to investigate and identify potentially suspicious activity. We could also create customized queries based on specific organizational data concerns, such as who is viewing credit card numbers, Social Security numbers and other sensitive data. All of this depends on how auditing is configured in the source database, because Audit Vault can only reflect the data that is sent to it.
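As an added example that is not part of the review, here is what the same two statements look like in the Oracle 11g standard audit trail that Audit Vault's database-trail collector reads, together with the kind of custom sensitive-data query mentioned above. It assumes AUDIT_TRAIL is DB,EXTENDED, which is what populates SQL_TEXT (without EXTENDED the report shows the action and object but not the statement), and that SELECT on HR.EMPLOYEES and UPDATE on OE.ORDERS are audited BY ACCESS.

```sql
-- Added example (not from the SANS review): the source-side view of the
-- activity behind Figures 3 and 4, queried straight from the Oracle 11g
-- standard audit trail. Assumes AUDIT_TRAIL = DB,EXTENDED (EXTENDED is what
-- fills SQL_TEXT) and that SELECT on HR.EMPLOYEES and UPDATE on OE.ORDERS
-- are audited BY ACCESS. Run the first three statements as the user under
-- test, the rest as a user who can read DBA_AUDIT_TRAIL.

-- The statements issued in the review.
UPDATE oe.orders SET order_total = 54 WHERE order_id = 2458;
SELECT COUNT(*) FROM hr.employees WHERE salary > 10000;
COMMIT;

-- Equivalent of the Data Access report: who ran what, from where, against
-- which object, and the outcome (RETURNCODE 0 = success, otherwise the
-- ORA- error number; a failed statement is still recorded).
SELECT extended_timestamp, username, os_username, userhost,
       owner, obj_name, action_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner IN ('HR', 'OE')
   AND action_name IN ('SELECT', 'UPDATE')
 ORDER BY extended_timestamp DESC;

-- A custom query of the kind the review suggests for sensitive columns:
-- every audited statement against EMPLOYEES that mentions SALARY, whoever
-- ran it. SQL_TEXT is a CLOB, so DBMS_LOB does the search and the trimming.
SELECT extended_timestamp, username, userhost,
       DBMS_LOB.SUBSTR(sql_text, 2000, 1) AS statement_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'EMPLOYEES'
   AND DBMS_LOB.INSTR(UPPER(sql_text), 'SALARY') > 0
 ORDER BY extended_timestamp DESC;

-- The same question narrowed to privileged accounts: reads of salary data by
-- anyone holding the DBA role, which is the "administrator browsing
-- employee data" case the Entitlement reports exist to complement.
SELECT a.username,
       COUNT(*)                  AS salary_reads,
       MIN(a.extended_timestamp) AS first_seen,
       MAX(a.extended_timestamp) AS last_seen
  FROM dba_audit_trail a
  JOIN dba_role_privs r
    ON r.grantee = a.username AND r.granted_role = 'DBA'
 WHERE a.owner = 'HR' AND a.obj_name = 'EMPLOYEES'
   AND a.action_name = 'SELECT'
   AND DBMS_LOB.INSTR(UPPER(a.sql_text), 'SALARY') > 0
 GROUP BY a.username
 ORDER BY salary_reads DESC;
```

Matching on statement text is a refinement, not the control: a read through a view or a PL/SQL wrapper never mentions SALARY, so the reliable filter is object auditing on the sensitive table itself (OWNER and OBJ_NAME), with the text match used to rank what turns up.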

Another type of access report is the Entitlement report. Entitlement reports are important for organizations that want to protect regulated data and intellectual property from those whose privileged access is meant for administering systems. We retrieved the entitlement information from our database by going to the Audit Policy tab and selecting the User Entitlement option for the appropriate Audit Store, then clicking the Retrieve button, as shown in Figure 5.

Figure 5: Retrieving Entitlement Reports Data

Once the entitlement information was retrieved, we viewed the specific data through the Entitlement reports. We found multiple built-in Entitlement reports for objects, users and systems that cover privileged user accounts, roles, profiles, privileges and more. In this case, we selected the User Privileges report and clicked Go. The data was displayed in Audit Vault as shown in Figure 6.

Figure 6: Privileged Users Entitlement Report

The Entitlement reports simply report the privilege data that was in effect on the databases when the snapshot was taken; they are a point-in-time view, so they must be retrieved again to reflect grants made since. Reports can be scheduled and generated automatically for management and compliance purposes. Auditors can be alerted when reports are available, and an attestation process can be set in motion for review and approval.
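Added example, not from the review: the query a User Privileges entitlement report amounts to on an Oracle 11g source, plus a snapshot table and a diff between two retrievals, which is the check that turns a point-in-time report into something an attestation reviewer can act on. The table name ENT_SNAPSHOT and the SNAP_ID numbering are choices made for this example; it runs as a user who can read the DBA_* views and create a table.

```sql
-- Added example (not from the SANS review): the kind of query that sits
-- behind a "User Privileges" entitlement report on an Oracle 11g source,
-- plus a snapshot table and a diff between two retrievals, since the report
-- only describes privileges as they stood when it was retrieved. The table
-- name ENT_SNAPSHOT and the SNAP_ID numbering are choices made for this
-- example.

-- Who is privileged right now: DBA-class roles, ANY privileges (which reach
-- every schema), and grants that can be passed on to others.
SELECT grantee, 'ROLE' AS kind, granted_role AS priv, admin_option AS passable
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
UNION ALL
SELECT grantee, 'SYSPRIV', privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%' OR admin_option = 'YES'
UNION ALL
SELECT grantee, 'OBJPRIV', owner || '.' || table_name || ':' || privilege, grantable
  FROM dba_tab_privs
 WHERE owner IN ('HR', 'OE')
 ORDER BY grantee, kind, priv;

-- Snapshot storage: one row per grant, tagged with the retrieval it came from.
CREATE TABLE ent_snapshot (
  snap_id  NUMBER        NOT NULL,
  taken_at TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  grantee  VARCHAR2(30)  NOT NULL,
  kind     VARCHAR2(8)   NOT NULL,
  priv     VARCHAR2(400) NOT NULL
);

-- Take a snapshot. Use 1 for the first retrieval, 2 for the next, and so on
-- (a sequence would do this in production).
INSERT INTO ent_snapshot (snap_id, grantee, kind, priv)
SELECT 1, grantee, 'ROLE', granted_role FROM dba_role_privs
UNION ALL
SELECT 1, grantee, 'SYSPRIV', privilege FROM dba_sys_privs
UNION ALL
SELECT 1, grantee, 'OBJPRIV', owner || '.' || table_name || ':' || privilege
  FROM dba_tab_privs;
COMMIT;

-- Diff two snapshots: grants that appeared (what an attestation review should
-- focus on) and grants that were removed. Each MINUS is wrapped in its own
-- inline view so the two results stay separate before the UNION ALL.
SELECT 'ADDED' AS change, grantee, kind, priv
  FROM (SELECT grantee, kind, priv FROM ent_snapshot WHERE snap_id = 2
        MINUS
        SELECT grantee, kind, priv FROM ent_snapshot WHERE snap_id = 1)
UNION ALL
SELECT 'REMOVED', grantee, kind, priv
  FROM (SELECT grantee, kind, priv FROM ent_snapshot WHERE snap_id = 1
        MINUS
        SELECT grantee, kind, priv FROM ent_snapshot WHERE snap_id = 2)
 ORDER BY change, grantee, priv;
```

The diff is what reviewers should be asked to attest to: a full privilege listing changes little from month to month, and the handful of ADDED rows is where an unexpected DBA grant or a new ANY privilege shows up.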

Alerting

Reports also provide data on login/logoff, startup/shutdown, failures, audit settings, changes, system events and user activity, among other data revealed by database logs. These and other access and system events provide valuable security intelligence that can be fed into Oracle Audit Vault alerts, which can be classified by level of severity. Alerts can be raised in real time as the collected data is analyzed. To review this feature, we created an alert that fires whenever a new user is added to the system. To set up the alert, we went to the Audit Policy tab, chose Alerts and clicked Create. Figure 7 shows how the alert was configured.

Figure 7: Setting up an Alert

The alert was titled CREATE_USER, and the severity was set to Warning. We selected the audit source type (ORCLDB) and the specific database to alert on. Each alert can also be placed in a category, so we used the Account Management category. The alert was set to fire on the CREATE USER audit event, for both Success and Failure outcomes.

Once the alert was saved, we created two accounts in the database. We then went to the Audit Reports tab and selected All Alerts to see whether the alerts had fired. The alerts included the accounts that had been created for TANYA and PAUL, as shown in Figure 8.

Figure 8: Completed Alerts

The alerts were easy to set up and allowed customization around the data that matters to a given organization. Alerts could also be sent via e-mail or even SMS text messages.
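As an added example, not from the review: the same CREATE_USER alert expressed against the Oracle 11g audit trail, including the failure case the alert was configured for, which the review's two successful creations did not exercise. It assumes AUDIT CREATE USER BY ACCESS is in effect and AUDIT_TRAIL is DB or DB,EXTENDED. TANYA and PAUL are the accounts the review created; the third failing attempt, the passwords and the ALERT_CREATE_USER view name are constructed for this example.

```sql
-- Added example (not from the SANS review): reproducing the CREATE_USER
-- alert test against the Oracle 11g source audit trail, including the
-- failure case the alert was configured to catch. Assumes AUDIT CREATE USER
-- BY ACCESS is in effect and AUDIT_TRAIL = DB (or DB,EXTENDED). TANYA and
-- PAUL are the accounts the review created; the failing third attempt, the
-- passwords and the ALERT_CREATE_USER view are constructed for this example.

-- The actions under test, run as SYSTEM: two succeed, the third fails with
-- ORA-01920 because the name is already taken, and all three are audited.
CREATE USER tanya IDENTIFIED BY "Example_Pw_1";   -- constructed password
CREATE USER paul  IDENTIFIED BY "Example_Pw_2";   -- constructed password
CREATE USER tanya IDENTIFIED BY "Example_Pw_3";   -- fails, still audited

-- The alert expressed as a view: one row per CREATE USER attempt, carrying
-- the name, severity and category the review gave the alert, with the
-- outcome derived from RETURNCODE (0 = success, otherwise the ORA error).
CREATE OR REPLACE VIEW alert_create_user AS
SELECT 'CREATE_USER'        AS alert_name,
       'Warning'            AS severity,
       'Account Management' AS category,
       a.extended_timestamp AS event_time,
       a.username           AS performed_by,
       a.os_username,
       a.userhost,
       a.obj_name           AS new_account,   -- the account being created
       CASE WHEN a.returncode = 0 THEN 'SUCCESS'
            ELSE 'FAILURE ORA-' || LPAD(a.returncode, 5, '0')
       END                  AS outcome
  FROM dba_audit_trail a
 WHERE a.action_name = 'CREATE USER';

-- What the All Alerts page listed for TANYA and PAUL, plus the failed attempt.
SELECT event_time, performed_by, userhost, new_account, outcome
  FROM alert_create_user
 ORDER BY event_time;

-- For a poller that pages on new alerts: only events since the last poll
-- (here, the last five minutes). Failures are kept on purpose; repeated
-- failed attempts from one account are worth a look on their own.
SELECT event_time, performed_by, new_account, outcome
  FROM alert_create_user
 WHERE event_time > SYSTIMESTAMP - INTERVAL '5' MINUTE
 ORDER BY event_time;
```

The view reads the trail on the source, so it is a way to check what Audit Vault should be receiving, not a substitute for the central copy: an administrator who can rewrite AUD$ can rewrite what this view shows, which is the reason the review puts the repository on a separate server.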

Conclusion

Oracle Audit Vault automates the collection and consolidation of database audit data into a central, secure repository so that investigators and auditors can gather information and report on who accessed the data, which applications were accessed, what was changed, and more. Adding detective measures to a comprehensive database security strategy can help protect sensitive customer data and comply with industry and governmental requirements. Organizations need actionable data on who accessed the database, what methods they used, what they accessed and what actions were taken. Oracle Audit Vault can quickly and automatically detect unauthorized activities that violate security and governance policies, and because the audit data is held off the source system it is far harder for perpetrators to cover their tracks by tampering with the local audit trail.

Overall, Oracle Audit Vault was easy to use for analyzing the Oracle Database 11g audit data with which it was reviewed. By using the reports Audit Vault provides, organizations can identify and mitigate risks more proactively, limiting the number of compromises and their associated costs. Although not covered in this review, centralizing and managing log data from heterogeneous databases consolidates actionable information that can be queried for better alerting, quicker response and smoother audit processes. Oracle Audit Vault takes a deep approach to collecting and centralizing log data across a variety of database types and schemas. As observed during this review, combined auditing, alerting and reporting in real time can help address security events more quickly. This matters to auditors and responders as well as to security personnel charged with preventing breaches.

About the Author

Tanya Baccam is a SANS senior instructor as well as a SANS courseware author. She is the current author of the SANS Security 509: Securing Oracle Databases course. Tanya works for Baccam Consulting, where she provides security consulting services for clients, including system audits, vulnerability and risk assessments, database audits and web application audits. Today much of her time is spent on the security of databases and applications within organizations. Tanya has also played an integral role in developing multiple business applications. She currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA and OCP DBA certifications.

SANS would like to thank its sponsors.