
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

Oracle Management Cloud (OMC) Security Modules

June 2017

Chetan Vithlani, Principal SC – SCC Solutions - InfoSec

Confidential – Oracle Internal/Restricted/Highly Restricted


Brief Introduction

• Cyber, Cloud and Information Security Solutions Architect

• AIOUG Bangalore Chapter, Founding and Core team member

• Over 2 decades of Global IT Industry experience across BFSI, Telco, Healthcare domains

• Certifications

– Oracle Database RAC 12c certified implementation specialist

– Oracle Database 12c certified implementation specialist

• 30+ Public events and 70+ customer facing sessions

• Social: Twitter: CMVithlani, LinkedIn: https://in.linkedin.com/in/chetanvithlani

• Blogs: https://www.linkedin.com/today/posts/chetanvithlani

• YouTube: https://www.youtube.com/watch?v=Mr6ByIPIwns



Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Agenda

1. Introduction to Oracle Management Cloud (OMC)
2. Cyber Security challenges
3. OMC Security Solutions
4. Demo
5. Q & A


Our Vision

• Complete, integrated suite of management solutions
• Designed for heterogeneous applications and infrastructure
• Rapid time to value

[Figure: the OMC suite spanning on-premise and cloud: Application Performance Monitoring, Log Analytics, IT Analytics, Infrastructure Monitoring, Compliance, Orchestration, Security Monitoring & Analytics]


Growing Impact of Cybersecurity

• eBay (2015): 148M customer records
• MySpace (2016): 427M passwords, 360M emails, 111M usernames
• Yahoo (2016): 1 billion+ user accounts


Why Aren’t Security Teams Able to Keep Up

Shrinking Visibility

• Cloud, BYOD reduce perimeter security efficacy

• DevOps multiplies change rates

• Shrinking window to catch vulnerable config

Growing Detection Gap

• Zero day attacks require anomaly detection

• Low & slow, multi-stage threats require sequence awareness

• Targeted attacks require identity awareness

Falling Efficiency

• More assets, more security tools, more alerts

• Staffing shortages

• Negative impact on SOC metrics


Cyber Kill Chain

Recon → Infiltration → Lateral Movement → Exfiltration


Current Solution: Fragmented and Integration Intensive

• SIEM (Security Information and Event Management): security context, rules based detection
• UEBA (User and Entity Behavior Analytics): user context, anomaly detection
• Log Management: raw logs, forensic search, IT ops analytics
• Configuration Management: secure state, configuration auditing

What stitching these four products together costs:

X Integration overhead in perpetuity
X Multiple UIs, support lines, M&A risk
X Redundancy within each segment
X Lacking operational awareness
X Scale, delivery model discrepancies


Oracle Management Cloud: Security Monitoring and Compliance Redefined

• Integrated SIEM/UEBA, log, configuration management
• SMB to F100 trusted vendor globally
• Heterogeneous coverage across cloud and on-premise assets
• Adds unique operational intelligence critical to modern threat detection
• Delivered as cloud service suite for rapid time to value, ease of expansion/scale

Two services: Security Monitoring and Analytics; Configuration and Compliance


OMC Security Data Flow

[Figure: pipeline COLLECT → ANALYZE → INVESTIGATE → RESPOND]

• COLLECT: any activity (logs, flows, metrics, transactions, config; on-premise and cloud) plus any context (assets, users, threats, vulnerabilities)
• ANALYZE: analytics via correlation rules and machine learning
• INVESTIGATE: formats (dashboards, reports, search) across dimensions (users, assets, threats)
• RESPOND: triage (incidents, workflow, configuration)
• Audiences: SOC analyst, admin, SOC manager, incident response, auditors, CSO, CIO


Collection: Standardized Event Format

• Comprehensive, multi-entity taxonomy spanning all data sources
• Auto-mapping for supported sources and extensibility with custom parser
• Faster onboarding, reduced training for SOC analysts

Mapping and normalization example: the same identity attribute arrives under a different name from each source and is mapped to one normalized field.

Source              Source field         Normalized Format
LDAP                UserPrincipalName    Account Name
Active Directory    User logon name      Account Name
IDCS                Login                Account Name


Collection: Intuitive Categorization

• Natural language, device and vendor independent analysis
• OOTB categorization for common sources; extensibility with flex parser
• Faster onboarding, reduced training for SOC staff

Device Type       Event Category          Event Outcome   …
Host.windows      Authentication.login    Failure         …
Host.linux        Authentication.login    Failure         …
Application.BI    Authentication.login    Failure         …
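What the two collection slides above describe (auto-mapping of identity attributes to one Account Name field, and vendor independent Device Type / Event Category / Event Outcome categorization) looks like this in code. This is an added example written for this page, not OMC's own parser or schema: the dataclass fields, the parser registry, and the five log lines are constructed for illustration. The point it makes is that the same person's failed logons from Windows, Linux and a BI application can only be counted together once the account name has been normalized and the events share one category.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Normalized event schema. Field names are this example's own, chosen to mirror
# the slide's Device Type / Event Category / Event Outcome / Account Name columns.
@dataclass(frozen=True)
class NormalizedEvent:
    device_type: str      # e.g. Host.windows, Host.linux, Application.BI
    event_category: str   # e.g. Authentication.login
    event_outcome: str    # Success | Failure
    account_name: str     # one normalized identity field across all sources
    source_field: str     # which raw attribute the account came from

Parser = Callable[[str], Optional[NormalizedEvent]]
PARSERS: List[Parser] = []

def parser(fn: Parser) -> Parser:
    """Register a parser; a custom/flex parser for a new source is just another @parser."""
    PARSERS.append(fn)
    return fn

def account_id(raw: str) -> str:
    """Fold UserPrincipalName, DOMAIN\\user and plain logon names into one lower-case account name."""
    raw = raw.split("\\")[-1]        # CORP\ASmith -> ASmith
    raw = raw.split("@")[0]          # asmith@corp.example -> asmith
    return raw.lower()

# Windows Security log in a key=value rendering (constructed): 4624 = logon success, 4625 = failure
WIN_RE = re.compile(r"EventID=(?P<id>\d+)\b.*?\bTargetUserName=(?P<user>\S+)")

@parser
def windows_security(line: str) -> Optional[NormalizedEvent]:
    m = WIN_RE.search(line)
    if not m:
        return None
    outcome = {"4624": "Success", "4625": "Failure"}.get(m["id"])
    if outcome is None:
        return None
    return NormalizedEvent("Host.windows", "Authentication.login", outcome,
                           account_id(m["user"]), "TargetUserName")

# Linux sshd syslog line (constructed)
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<res>Accepted|Failed) (?:password|publickey) "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

@parser
def linux_sshd(line: str) -> Optional[NormalizedEvent]:
    m = SSHD_RE.search(line)
    if not m:
        return None
    outcome = "Success" if m["res"] == "Accepted" else "Failure"
    return NormalizedEvent("Host.linux", "Authentication.login", outcome,
                           account_id(m["user"]), "user")

# BI application JSON audit record (constructed); the identity arrives as a UPN-style "Login"
@parser
def bi_application(line: str) -> Optional[NormalizedEvent]:
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if rec.get("app") != "BI" or "Login" not in rec:
        return None
    outcome = "Success" if rec.get("result") == "OK" else "Failure"
    return NormalizedEvent("Application.BI", "Authentication.login", outcome,
                           account_id(rec["Login"]), "Login")

def normalize(line: str) -> Optional[NormalizedEvent]:
    """Auto-map a raw line using the first registered parser that recognises it."""
    for p in PARSERS:
        ev = p(line)
        if ev is not None:
            return ev
    return None

def failed_logins_by_account(lines: List[str]) -> Dict[str, int]:
    """Count Authentication.login failures per normalized account, across all device types."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = normalize(line)
        if ev and ev.event_category == "Authentication.login" and ev.event_outcome == "Failure":
            counts[ev.account_name] = counts.get(ev.account_name, 0) + 1
    return counts

# Constructed sample input: one person failing to log in from three source types.
SAMPLE_LINES = [
    "EventID=4625 TargetUserName=ASmith TargetDomainName=CORP IpAddress=10.1.2.3 LogonType=3",
    "Jun 12 09:00:01 db01 sshd[2201]: Failed password for asmith from 10.1.2.3 port 51514 ssh2",
    '{"app": "BI", "Login": "asmith@corp.example", "result": "FAIL", "client": "10.1.2.3"}',
    "EventID=4624 TargetUserName=ASmith TargetDomainName=CORP IpAddress=10.1.2.3 LogonType=3",
    "Jun 12 09:00:05 db01 sshd[2202]: Accepted publickey for backup from 10.1.2.9 port 51515 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(failed_logins_by_account(SAMPLE_LINES))   # {'asmith': 3}
```

A rule such as "more than N login failures per account" is only meaningful against the normalized account_name; against the raw fields it would see three different accounts ("ASmith", "asmith", "asmith@corp.example") and never fire.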


Analysis: Session Awareness [Identity Correlation]

• Activity to identity extrapolation
  – VPN logs, AD logs, DHCP logs
  – Logs with explicit identity context
• Composite identity awareness
  – User model and identity adapters
  – Enriched events with user context
• Faster "time to mitigation"

[Figure: activity from several sources (VPN session, AD logon, DHCP lease) resolved to one user, "Alex Smith"]
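The "activity to identity extrapolation" on this slide is a sessionization problem: logs that carry only a source IP (database audit, proxy) have to be joined against the logs that say who held that IP and when (VPN, AD logon, DHCP). The example below is added for this page and is not OMC's own user model or adapter code; the event kinds, field names, users and timestamps are constructed. It builds user-to-IP sessions from the three context sources, folds the aliases each source uses (CORP\ASmith, asmith@corp.example) into one composite identity, and then enriches IP-only activity with the user, returning nothing rather than a wrong name when the IP had no owner at that time (after a VPN disconnect, or after DHCP handed the address to a different machine).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Hypothetical context event: (timestamp, kind, fields). Kinds and field names are this example's.
Event = Tuple[datetime, str, Dict[str, str]]

def canonical_user(raw: str) -> str:
    """Composite identity: fold the aliases each source uses into one user key."""
    return raw.split("\\")[-1].split("@")[0].lower()

@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime] = None   # None = still open
    source: str = ""                 # vpn | ad

def build_sessions(events: List[Event]) -> List[Session]:
    """Turn VPN, AD logon and DHCP lease records into user-to-IP sessions."""
    sessions: List[Session] = []
    open_by_ip: Dict[str, Session] = {}
    mac_by_ip: Dict[str, str] = {}

    def close(ip: str, at: datetime) -> None:
        s = open_by_ip.pop(ip, None)
        if s is not None:
            s.end = at

    for ts, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "vpn_connect":
            close(f["ip"], ts)
            s = Session(canonical_user(f["user"]), f["ip"], ts, source="vpn")
            sessions.append(s)
            open_by_ip[f["ip"]] = s
        elif kind == "vpn_disconnect":
            close(f["ip"], ts)
        elif kind == "ad_logon":
            user = canonical_user(f["user"])
            cur = open_by_ip.get(f["ip"])
            if cur is None or cur.user != user:     # same user re-logging on keeps the session
                close(f["ip"], ts)
                s = Session(user, f["ip"], ts, source="ad")
                sessions.append(s)
                open_by_ip[f["ip"]] = s
        elif kind == "dhcp_lease":
            # A different MAC on the same address means the previous holder is gone.
            prev = mac_by_ip.get(f["ip"])
            if prev is not None and prev != f["mac"]:
                close(f["ip"], ts)
            mac_by_ip[f["ip"]] = f["mac"]
    return sessions

def attribute(sessions: List[Session], ip: str, at: datetime) -> Optional[str]:
    """Resolve an IP seen at time `at` to the user whose session covered that moment."""
    covering = [s for s in sessions
                if s.ip == ip and s.start <= at and (s.end is None or at <= s.end)]
    if not covering:
        return None
    return max(covering, key=lambda s: s.start).user

def enrich(sessions: List[Session],
           activity: List[Tuple[datetime, str, str]]) -> List[Dict[str, Optional[str]]]:
    """Attach user context to activity rows that only carry a source IP."""
    return [{"time": ts.isoformat(), "ip": ip, "action": what, "user": attribute(sessions, ip, ts)}
            for ts, ip, what in activity]

def T(h: int, m: int = 0) -> datetime:
    return datetime(2017, 6, 12, h, m)

# Constructed context logs from DHCP, AD and the VPN concentrator
CONTEXT: List[Event] = [
    (T(8, 0),   "dhcp_lease",     {"ip": "10.1.2.3", "mac": "aa:bb:cc:00:00:01"}),
    (T(8, 5),   "ad_logon",       {"ip": "10.1.2.3", "user": "CORP\\ASmith"}),
    (T(9, 0),   "vpn_connect",    {"ip": "172.16.9.7", "user": "asmith@corp.example"}),
    (T(11, 0),  "vpn_disconnect", {"ip": "172.16.9.7"}),
    (T(12, 0),  "dhcp_lease",     {"ip": "10.1.2.3", "mac": "aa:bb:cc:00:00:99"}),  # address reused
    (T(12, 10), "ad_logon",       {"ip": "10.1.2.3", "user": "CORP\\jdoe"}),
]

# Constructed activity that carries only an IP (database audit, proxy)
ACTIVITY = [
    (T(10, 30), "10.1.2.3",   "SELECT on CUSTOMERS"),
    (T(10, 45), "172.16.9.7", "proxy: filesharing.example"),
    (T(11, 30), "172.16.9.7", "proxy: filesharing.example"),   # after the VPN disconnect: nobody
    (T(13, 0),  "10.1.2.3",   "SELECT on CUSTOMERS"),          # address now belongs to jdoe
]

if __name__ == "__main__":
    for row in enrich(build_sessions(CONTEXT), ACTIVITY):
        print(row)
```

Closing sessions on VPN disconnect and on DHCP reassignment is what keeps the attribution honest; a join on IP alone would pin jdoe's 13:00 query on asmith.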


Investigation: SOC Ready Content

• Curated dashboards
  – Users
  – Assets
  – Threats
• Domain specific activity dashboards
  – Access and authentication
  – Cloud service activity
  – Database activity
  – DNS activity

External Threat Scenario

• THREAT SCENARIO
  – DBA compromised by spear-phishing attack
  – Malware harvests credentials, queries DBs over time
  – Malware contacts external command & control hosts
• SECURITY CHALLENGE
  – 0-day attack evades perimeter/endpoint protection
  – Static, frequency based rules miss low & slow attack
  – No ability to detect anomalous SQL queries by user
• OMC SMA ENABLING FEATURES
  – SQL query anomaly detection
  – User attribution across identities
  – Watchlist based threat escalation
  – Multi-dimensional behavioral anomaly detection
  – Cyber kill chain visualization
• OMC SMA SOLUTION
  – SQL anomaly detection identifies anomalous SQL query for DBA account
  – Attributes account to specific user & adds user to watch list for closer monitoring
  – Raises user risk score based on anomalous behavior
  – Visually presents sequence of attack chain
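The solution column above (anomalous SQL for the DBA account, attribution to a person, risk score, watchlist) is concrete enough to sketch. The following is an added example for this page, not OMC's detection logic: the audit rows, account names, point weights and watchlist threshold are all constructed. It learns a per-account baseline of query shapes, tables touched and active hours from a training window, then scores live queries against it. Literals are stripped before comparison so a routine query with a different WHERE value scores zero, while the malware's after-hours pull from a table the DBA never reads scores on three dimensions at once, which is what a "low & slow" attacker hiding under a frequency threshold would not expect.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed DB audit row: (timestamp, database account, SQL text). Account and person
# names, point weights and the watchlist threshold are this example's assumptions.
Audit = Tuple[datetime, str, str]

LITERALS = re.compile(r"'[^']*'|\b\d+\b")
TABLES = re.compile(r"\b(?:from|join|into|update)\s+([a-z_][\w$.]*)", re.I)

def fingerprint(sql: str) -> str:
    """Query shape with literals replaced, so changing a WHERE value is not 'new'."""
    return re.sub(r"\s+", " ", LITERALS.sub("?", sql)).strip().lower()

def tables_of(sql: str) -> Set[str]:
    return {t.lower() for t in TABLES.findall(sql)}

class SqlBaseline:
    """Per-account profile learned from a training window of known-good rows."""
    def __init__(self) -> None:
        self.shapes: Dict[str, Set[str]] = defaultdict(set)
        self.tables: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)

    def learn(self, rows: List[Audit]) -> None:
        for ts, acct, sql in rows:
            self.shapes[acct].add(fingerprint(sql))
            self.tables[acct] |= tables_of(sql)
            self.hours[acct].add(ts.hour)

    def score(self, ts: datetime, acct: str, sql: str) -> Tuple[int, List[str]]:
        """Points per deviation from the account's baseline, with analyst-readable reasons."""
        pts, reasons = 0, []
        if fingerprint(sql) not in self.shapes[acct]:
            pts, reasons = pts + 1, reasons + ["new query shape"]
        new_tables = sorted(tables_of(sql) - self.tables[acct])
        if new_tables:
            pts, reasons = pts + 3, reasons + ["new tables: " + ",".join(new_tables)]
        if ts.hour not in self.hours[acct]:
            pts, reasons = pts + 1, reasons + [f"unusual hour {ts.hour:02d}"]
        return pts, reasons

class RiskTracker:
    """Accumulates risk per person (not per DB account) and escalates to a watchlist."""
    def __init__(self, account_owner: Dict[str, str], watch_at: int = 4) -> None:
        self.account_owner = account_owner   # DB account -> person, from identity attribution
        self.watch_at = watch_at
        self.risk: Dict[str, int] = defaultdict(int)
        self.watchlist: Set[str] = set()
        self.alerts: List[dict] = []

    def observe(self, baseline: SqlBaseline, row: Audit) -> None:
        ts, acct, sql = row
        pts, reasons = baseline.score(ts, acct, sql)
        if pts == 0:
            return
        user = self.account_owner.get(acct, acct)
        self.risk[user] += pts
        if self.risk[user] >= self.watch_at:
            self.watchlist.add(user)
        self.alerts.append({"time": ts.isoformat(), "user": user, "account": acct,
                            "points": pts, "reasons": reasons, "sql": sql})

def T(h: int, m: int = 0) -> datetime:
    return datetime(2017, 6, 12, h, m)

# Constructed training window: what the DBA account normally does, during the day.
TRAINING: List[Audit] = [
    (T(9),  "SYS_DBA", "SELECT username, status FROM dba_users"),
    (T(10), "SYS_DBA", "SELECT * FROM v$session WHERE status = 'ACTIVE'"),
    (T(14), "SYS_DBA", "SELECT count(*) FROM orders WHERE order_date > '2017-06-01'"),
    (T(16), "SYS_DBA", "ALTER INDEX ix_orders REBUILD"),
]

# Constructed live traffic: one benign variant, then the malware's slow harvest at 02:00.
LIVE: List[Audit] = [
    (T(10),    "SYS_DBA", "SELECT * FROM v$session WHERE status = 'INACTIVE'"),
    (T(2),     "SYS_DBA", "SELECT name, ssn, card_no FROM customers WHERE id > 1000"),
    (T(2, 30), "SYS_DBA", "SELECT name, ssn, card_no FROM customers WHERE id > 2000"),
]

def run_scenario() -> RiskTracker:
    baseline = SqlBaseline()
    baseline.learn(TRAINING)
    tracker = RiskTracker({"SYS_DBA": "alex.smith"})   # attribution assumed from identity correlation
    for row in LIVE:
        tracker.observe(baseline, row)
    return tracker

if __name__ == "__main__":
    t = run_scenario()
    for a in t.alerts:
        print(a)
    print("watchlist:", t.watchlist, "risk:", dict(t.risk))
```

Risk is keyed on the person the account resolves to rather than on the account itself, so a compromised DBA who also shows anomalies under a second login accumulates one score, which is the "user attribution across identities" feature the slide names.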


Insider Threat Scenario

• THREAT SCENARIO
  – New call center rep accesses several customer records
  – Accesses customer support app out of shift hours
  – Uses file sharing service from work
• CUSTOMER CHALLENGE
  – Static rules don't catch anomalous app activity
  – No activity sequence awareness
  – No cloud activity access or visibility
• OMC SMA ENABLING FEATURES
  – Rule logic integration with watchlists
  – Peer group based anomaly detection
  – Sequence driven correlation rule logic
  – Multi-dimensional behavioral anomaly detection
  – Policy based runbook orchestration & automation
• OMC SMA SOLUTION
  – Watchlist driven new employee monitoring
  – Peer baseline comparison shows anomalous access relative to shift team
  – Proxy logs reveal repeated file sharing service access
  – Policy based remediation triggers temporary account disablement till further investigation
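The insider scenario combines three mechanisms the slide lists separately: a peer-group baseline (the new rep against the shift team), a sequence rule (off-shift app access followed by file sharing), and a watchlist that gates both into a policy action. The example below is added for this page and is not OMC's rule engine or runbook: the users, shift hours, z-score threshold, proxy categories and the "disable_account_pending_review" action are constructed. Note the leave-one-out peer comparison, which stops a single heavy user from inflating the group's standard deviation enough to hide themselves, and the policy that only disables an account when both signals agree.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed inputs. App audit row: (time, user, customer record id); proxy row:
# (time, user, URL category). Users, shift, thresholds and action names are this example's.
AppRow = Tuple[datetime, str, str]
ProxyRow = Tuple[datetime, str, str]

SHIFT_HOURS = range(9, 17)          # the team's scheduled shift, 09:00 to 17:00
FILE_SHARING = {"filesharing"}      # proxy categories treated as file sharing services

def records_per_user(app_rows: List[AppRow]) -> Dict[str, int]:
    """Distinct customer records each user touched in the window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, user, record in app_rows:
        seen[user].add(record)
    return {u: len(r) for u, r in seen.items()}

def peer_outliers(counts: Dict[str, int], peers: Set[str], z_max: float = 2.0) -> Dict[str, float]:
    """Users far above their peer group. Each user is compared with the *other* peers
    (leave-one-out) so one heavy user cannot widen the baseline that would hide them."""
    out: Dict[str, float] = {}
    for user in peers:
        others = [counts.get(p, 0) for p in peers if p != user]
        mu, sd = statistics.mean(others), statistics.pstdev(others)
        mine = counts.get(user, 0)
        z = (float("inf") if mine > mu else 0.0) if sd == 0 else (mine - mu) / sd
        if z > z_max:
            out[user] = round(z, 2)
    return out

def off_shift_then_file_sharing(user: str, app_rows: List[AppRow], proxy_rows: List[ProxyRow],
                                window: timedelta = timedelta(hours=12)) -> Optional[Dict[str, str]]:
    """Sequence rule: app access outside shift hours followed within `window` by file sharing."""
    off_shift = sorted(t for t, u, _ in app_rows if u == user and t.hour not in SHIFT_HOURS)
    shares = sorted(t for t, u, cat in proxy_rows if u == user and cat in FILE_SHARING)
    for a in off_shift:
        for s in shares:
            if a <= s <= a + window:
                return {"off_shift_access": a.isoformat(), "file_sharing": s.isoformat()}
    return None

def evaluate(watchlist: Set[str], peers: Set[str],
             app_rows: List[AppRow], proxy_rows: List[ProxyRow]) -> List[dict]:
    """Rule logic gated by the watchlist; policy maps the findings to a runbook action."""
    outliers = peer_outliers(records_per_user(app_rows), peers)
    incidents = []
    for user in sorted(watchlist):
        seq = off_shift_then_file_sharing(user, app_rows, proxy_rows)
        if user in outliers and seq:
            action = "disable_account_pending_review"   # both signals: automated containment
        elif user in outliers or seq:
            action = "raise_risk_score"                 # one signal: escalate, do not disable
        else:
            continue
        incidents.append({"user": user, "peer_z": outliers.get(user), "sequence": seq, "action": action})
    return incidents

def T(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2017, 6, day, hour, minute)

# Constructed data: four established reps on shift, and new hire "frank" pulling 60 records at 22:00.
APP_ROWS: List[AppRow] = []
for user, n in {"bob": 12, "carol": 15, "dave": 11, "erin": 14}.items():
    APP_ROWS += [(T(12, 9 + k % 8), user, f"C-{user}-{k}") for k in range(n)]
APP_ROWS += [(T(12, 22, k), "frank", f"C-frank-{k}") for k in range(60)]
PROXY_ROWS: List[ProxyRow] = [(T(12, 23, 30), "frank", "filesharing"), (T(12, 10), "bob", "news")]
PEERS = {"bob", "carol", "dave", "erin", "frank"}      # the shift team
WATCHLIST = {"frank", "carol"}                          # new employees under closer monitoring

if __name__ == "__main__":
    for inc in evaluate(WATCHLIST, PEERS, APP_ROWS, PROXY_ROWS):
        print(inc)
```

Carol is on the watchlist too but produces no incident: watchlist membership raises scrutiny, it does not by itself trigger the runbook.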


Introducing Oracle Identity SOC Solution

• Content Security, User Security, Network Security
• Security Posture: applications, data and user activity analytics, threat intelligence, and compliance
• One-Stop SOC Dashboard
• Automated Incident Response & Remediation

Building blocks: Security Monitoring & Analytics + Compliance Cloud Services; Cloud Security Service; Identity Cloud Service; API Platform Cloud Service

Comprehensive View of Security Posture and Threats

[Figure: stack diagram. End user experience/activity (real users, synthetic users); application tier (app metrics, transactions); middle tier (server metrics, diagnostics, logs); data tier; virtualization tier (VM, container); infrastructure tier (host metrics, VM metrics, container metrics); alongside CMDB/compliance, tickets, alerts, security events, global threat feeds, CASB and identity. All of it feeds one unified platform.]

INTELLIGENT, UNIFIED PLATFORM: powered by machine learning, informed by a complete data set, heterogeneous and open.

Why The Security Problem is Perfect for Machine Learning

Massive volume

Highly patterned

Predictable format

Possible to unify data

Exhibits long-term trends

Sources constantly change


Purpose-Built Machine Learning Answers Top Questions

• What caused the breach?
• What is the biggest threat?
• Should I be concerned about what this user is doing?
• Is what I'm seeing normal or abnormal?
• What do I need to pay attention to right now?
• What will happen tomorrow?
• How do I prevent the problem in the future?
• What areas can I harden, and how?

Security Monitoring and Analytics Cloud Service

• Comprehensive Detection – Any log, any intelligence feed, any metric, any location (on-premises or cloud)
• Rapid Investigation – Intuitive visualization of threats and early warning signs
• Intelligent Remediation – Powerful auto-remediation framework for any IT stack
• Faster Time to Value – Next-gen cloud service with SOC ready content

Configuration and Compliance Cloud Service

• Standards Based – Execute industry standard compliance benchmarks at cloud scale
• Application & Cloud Aware – Assess compliance against infrastructure and application stacks, on-premises or in the cloud
• Efficient & Actionable – Quickly determine your enterprise compliance posture and remediate violations
• Extensible – Execute custom scripts and enforce your organization's standards

Unified Data, Comprehensive Suite

• Application topology awareness
  – Lateral movement within application
  – Multi-tier attack within application
• Orchestration/Remediation
  – Execute configuration assessment
  – Change user privileges
• Full visibility across stack and clouds
  – End-user activity
  – Application and Infrastructure Logs
  – Configuration assessment results
  – Operational metrics (CPU, memory etc.)

[Figure: the suite's services sharing one data set: Application Performance Monitoring, Log Analytics, IT Analytics, Infrastructure Monitoring, Compliance, Orchestration, Security Monitoring & Analytics]

Unified Data, Machine Learning: Better Security

Outcomes: Complete Visibility; Increased Analysis Sophistication; Turbo-charged Identity SOC; Managed Change

Capabilities of Oracle Management Cloud:
• Anomaly detection, attack chain awareness, 360° user & identity awareness
• Cross-cloud monitoring, user sessionization, complete identity management
• Continuous assessment, benchmarking, drift analysis, real-time remediation
• Risk based prioritization, single pane of glass, stack-independent orchestration

For More Information

Cloud.oracle.com/management

#MgmtCloud | @OracleMgmtCloud | community.oracle.com/mgmtcloud