Page 1: Proactive Security Monitoring and Analytics for Oracle IaaS, PaaS, and SaaS
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Ansh Patnaik, VP, Product Management, Oracle
Ben Nelson, VP, Cloud Security Operations, Oracle
Akshai Duggal, Director, Product Management, Oracle
Confidential – Oracle Internal/Restricted/Highly Restricted
Page 2: Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Page 3: Program Agenda
1. Cloud Security Considerations
2. Security Monitoring & Analytics Cloud Service: Overview
3. Security Monitoring & Analytics Cloud Service: Service Architecture
4. Q&A
Page 4: Cloud Security Considerations – Logging, Analysis and Response
Ben Nelson, Vice President, Oracle Cloud Security Operations
Page 5: Detection and Response – 3 Fundamentals
• Logging Coverage and Inventory
• Log Analysis
• Response
Page 6: Log Coverage and Inventory
• You can't analyze what you don't have
• You can't collect what you don't know about
• Inventory
  – can be hard for many organizations
• Collection should be easy
  – Native OS capabilities
  – Agents
Page 7: Log Analysis – Time to evolve…
Signature-Based
• Hundreds of good tools on market
• 20+ yr old technology
• Only as good as
  – Your vendor
  – Your security analysts
Smart Analysis
• Machine learning
• Anomaly detection
• Threat intelligence enrichment
• Real-time analysis
Page 8: Response
• Now what?!
  – We have good log coverage
  – We have good analysis and alerting
• Alerts to humans are good
• Response from machines is better!
  – Automated response is the next step in cyber security
  – Humans can't react or respond quickly enough to known issues with known remediations
Page 9: The Sliding Scale of Cloud Security Responsibility
[Diagram: SaaS, PaaS and IaaS placed on a scale labelled "Less Responsibility" at one end and "More Responsibility" at the other]
Page 10: Security Monitoring and Analytics Cloud Service
Page 11: Security Monitoring and Analytics Focus
Shrinking Visibility
• Cloud, BYOD reduce perimeter security efficacy
• DevOps multiplies change rates
• Shrinking window to catch vulnerable config
Growing Detection Gap
• Zero day attacks require anomaly detection
• Low & slow, multi-stage threats require sequence awareness
• Targeted attacks require identity awareness
Falling Efficiency
• More assets, more security tools, more alerts
• Staffing shortages
• Negative impact on SOC metrics
Page 12: Current Approach: Fragmented and Integration Intensive
• SIEM (Security Information and Event Management): Security context, Rules based detection
• UEBA (User and Entity Behavior Analytics): User context, Anomaly detection
• Log Management: Raw logs, Forensic search, IT ops analytics
• Configuration Management: Secure state, configuration auditing
X Multi-product/vendor challenges
X Integration, UIs, data models, support…
X Scale and delivery model differences
X High viability and M&A risk
X Point in time, app specific state checks
Page 13: Security Monitoring and Analytics Cloud Service
• Protect enterprise wide assets from known and zero-day threats
  – Security monitoring visibility across heterogeneous on-premise and cloud assets
  – Efficient SOC monitoring with OOTB content for modern threats (rules, anomalies etc.)
  – Continuous threat intelligence context (URL/IP classification & reputation)
• Detect threats early using machine learning driven analytics and visualization
  – Data access (SQL based) anomalies at the user, group, database and application level
  – Nuanced anomalies through multi-dimensional baselines (ex: user logins by location, time, host etc.)
  – User session awareness and attack chain visualization (ex: account hijacking)
• Harness OMC platform and cross-service context for richer security monitoring
  – Multi-tier attacks (APT lateral movement) through OMC platform topology awareness
  – Continuous configuration drift context in security monitoring
  – SOC auto-remediation (account lockouts, port or other configuration change) with OMC Orchestration
Page 14: Oracle Management Cloud – Manageability Edition
[Diagram: a Unified Platform fed by each tier of the stack]
• End User Experience: Real Users, Synthetic Users
• Application: App metrics, Transactions
• Middle Tier: Server metrics, Diagnostics, Logs
• Data Tier: Server metrics, Diagnostics, Logs
• Virtualization Tier (VM, Container): Host metrics, VM metrics, Container metrics
• Infrastructure Tier (VM, Container): CMDB, Tickets, Alerts
✔ GREATER AGILITY
✔ INCREASED EFFICIENCY
✔ FEWER OUTAGES
Page 15: Oracle Management Cloud – Security Edition
[Diagram: the same Unified Platform and tiers as the Manageability Edition, with security data added]
• End User Experience: Real Users, Synthetic Users
• Application: App metrics, Transactions
• Middle Tier: Server metrics, Diagnostics, Logs
• Data Tier: Server metrics, Diagnostics, Logs
• Virtualization Tier (VM, Container): Host metrics, VM metrics, Container metrics
• Infrastructure Tier (VM, Container): CMDB, Tickets, Alerts
• Security data: Security Events, Configuration data, Identity context, Threat intelligence
✔ GREATER AGILITY
✔ INCREASED EFFICIENCY
✔ FEWER OUTAGES
✔ BETTER SECURITY
Page 16: Oracle Identity SOC Framework
[Diagram]
• Pillars: Content Security, User Security, Configuration, Forensics
• Data, Telemetry, Analytics and Security Posture: Applications, data and user activity analytics, threat intelligence, and compliance
• SOC Dashboard
• Automated Response & Remediation
• Services: Security Monitoring & Analytics Cloud Service, CASB Cloud Service, Identity Cloud Service, Configuration & Compliance Cloud Service, Log Analytics Cloud Service
Page 17: Security Monitoring and Analytics Data Flow
[Diagram: COLLECT → ANALYZE → RESPOND / INVESTIGATE]
• COLLECT
  – Any activity: Logs, metrics, transactions, config (On-premise, cloud)
  – Any context: Assets, Users, Threats, Vulnerabilities
  – Formats
• ANALYZE
  – Analytics: Correlation Rules, Machine Learning
  – Dimensions: Users, Assets, Threats
• RESPOND
  – Triage, Orchestration, Configuration
• INVESTIGATE
  – Dashboards, Reports, Search
• Personas: SOC Analyst, Admin; SOC Manager; Incident Response; Auditors; CSO, CIO
Page 18: Data Collection
• Heterogeneous activity data sources (formats, stacks, locations)
• Extensive data enrichment (identity, asset, threats)
• Hybrid configuration assessment results
Source categories:
• Host: Windows, Linux, Unix
• Point Security Solutions: Firewall, Proxy, VPN, IDS/IPS, AV, DLP, VA scanners, CASB, TIF
• Applications: Fusion apps, 3rd party applications, Custom applications
• Infrastructure: Directory services, Middleware, Database, Hypervisor
• Networking: DHCP, DNS, Load balancer, Flow, Router, Switch
• Cloud: IaaS, PaaS, SaaS
• Configuration, Compliance
Page 19: Normalization Using Standard Event Format (SEF)
• Multi-entity event taxonomy for all log data types
• Auto-mapping for supported sources and extensibility with custom parser
• Faster onboarding, reduced training for SOC analysts
[Diagram: LDAP User Principal Name, Active Directory User logon name and IDCS Login pass through Mapping and normalization into the Normalized Format field Account Name]
Page 20: Intuitive Categorization
• Natural language, device and vendor independent analysis
• OOTB categorization and extensibility with custom parser
• Faster onboarding, reduced training for SOC staff
Sample raw records:
Windows logon failure event:
  Subject:
    Security ID: S-1-0-0
    Account Name: <account name>
    Account Domain: <domain>
    Logon ID: 0x0
  Logon Type: <type>
  Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: <account name>
    Account Domain: <domain>
  Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
  Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
  Network Information:
    Workstation Name: <workstation name>
    Source Network Address: <IP address>
    Source Port: <port>
  Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
Linux sshd (pam_unix) line:
  Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root
Application log lines:
  2012-01-10 01:44:14.630-05:00 Login using Standard Security with User='dahjkfd'
  2012-01-10 01:44:14.864-05:00 Incorrect login/password.
  2012-01-10 01:44:14.880-05:00 MsiSessionManager::LoginStandardUser(UserName=dahjkfd, MachineName=ServerMachine:10.16.154.13 ClientMachine:127.0.0.1): Authentication failed: hr=%3.
Categorized result:
  Device Type | Event Category | Event Outcome | …
  Host.windows | Authentication.Login | Failure | …
  Host.linux | Authentication.Login | Failure | …
  Application (subtype unreadable in the extraction) | Authentication.Login | Failure | …
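As an added illustration of the two preceding slides (not code from the deck or from Oracle's product), the block below normalizes the three identity spellings from the SEF slide into one Account Name and categorizes the three raw records from the categorization slide into the same Device Type / Event Category / Event Outcome shape. The `SefEvent` field names, the filled-in placeholder values and the "Application.custom" device type are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Normalized record shaped after the slide's table (Device Type, Event Category, Event
# Outcome) plus the normalized Account Name. Field names are an assumption; the page
# does not show the real SEF schema.
@dataclass
class SefEvent:
    device_type: str
    event_category: str
    event_outcome: str
    account_name: Optional[str] = None
    source_address: Optional[str] = None

def normalize_account(raw: str) -> str:
    """AD logon name (CORP\\Alice), LDAP user principal name (alice@corp.example)
    and a bare IDCS login (alice) all map to the one account name 'alice'."""
    raw = raw.strip()
    if "\\" in raw:
        raw = raw.rsplit("\\", 1)[1]
    elif "@" in raw:
        raw = raw.split("@", 1)[0]
    return raw.lower()

# Constructed samples modelled on the slide's three raw records, placeholders filled in.
WINDOWS_EVENT = """Account For Which Logon Failed:
  Security ID: S-1-0-0
  Account Name: Alice
  Account Domain: CORP
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
Network Information:
  Source Network Address: 10.0.0.5"""
SSHD_LINE = ("Jul  7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; "
             "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root")
APP_LINE = ("2012-01-10 01:44:14.880-05:00 MsiSessionManager::LoginStandardUser("
            "UserName=dahjkfd, MachineName=ServerMachine:10.16.154.13 "
            "ClientMachine:127.0.0.1): Authentication failed: hr=%3.")

# One parser per source format; each returns None when the text is not its format so
# the dispatcher can fall through to the next one.
_WIN_FAIL = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(?P<acct>\S+)"
                       r".*?Account Domain:\s*(?P<dom>\S+)"
                       r".*?Source Network Address:\s*(?P<ip>\S+)", re.S)
_SSHD = re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure;"
                   r".*?rhost=(?P<ip>\S*).*?user=(?P<user>\S+)")
_APP = re.compile(r"LoginStandardUser\(UserName=(?P<user>[^,]+),.*?ClientMachine:"
                  r"(?P<ip>[\d.]+)\):\s*Authentication failed")

def parse_windows(text: str) -> Optional[SefEvent]:
    m = _WIN_FAIL.search(text)
    if not m:
        return None
    return SefEvent("Host.windows", "Authentication.Login", "Failure",
                    normalize_account(f"{m['dom']}\\{m['acct']}"), m["ip"])

def parse_sshd(text: str) -> Optional[SefEvent]:
    m = _SSHD.search(text)
    if not m:
        return None
    return SefEvent("Host.linux", "Authentication.Login", "Failure",
                    normalize_account(m["user"]), m["ip"] or None)

def parse_app(text: str) -> Optional[SefEvent]:
    m = _APP.search(text)
    if not m:
        return None
    # The application subtype in the slide's table is unreadable; "custom" is assumed.
    return SefEvent("Application.custom", "Authentication.Login", "Failure",
                    normalize_account(m["user"]), m["ip"])

PARSERS = (parse_windows, parse_sshd, parse_app)

def categorize(raw: str) -> Optional[SefEvent]:
    """Device- and vendor-independent categorization: try each known parser in turn.
    None means an unsupported source, which the slide says needs a custom parser."""
    for parser in PARSERS:
        event = parser(raw)
        if event is not None:
            return event
    return None
```

Once every source lands in this shape, a single rule such as "Event Category = Authentication.Login and Event Outcome = Failure" covers Windows, Linux and the application without per-vendor logic.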
Page 21: Analysis: Session Awareness [Identity Correlation]
• Composite identity awareness
  – Rich user data model and adapters for identity data sources enable 360 degree user monitoring across all identities
  – Security logs are continuously enriched with user context
• Activity to identity extrapolation
  – Logs with explicit identity context like VPN and IDM are used to sessionize and attribute identity to other logs that lack user context
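The sessionization step described above, as an added example that is not part of the deck or of Oracle's service: VPN connect/disconnect records (which carry a user) are turned into sessions keyed by assigned IP, and proxy records (which carry only an IP) are attributed to whoever held that IP at that moment. The log shapes and the sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class VpnSession:
    user: str
    ip: str
    start: int
    end: Optional[int] = None   # None while the session is still open

# Constructed sample logs. The VPN records carry explicit identity; the proxy records
# carry only a client IP, the kind of log the slide says lacks user context.
VPN_LOG = [
    {"ts": 100, "event": "connect",    "user": "alice", "assigned_ip": "10.8.0.2"},
    {"ts": 700, "event": "disconnect", "user": "alice", "assigned_ip": "10.8.0.2"},
    {"ts": 800, "event": "connect",    "user": "bob",   "assigned_ip": "10.8.0.2"},  # IP reused
]
PROXY_LOG = [
    {"ts": 300, "src_ip": "10.8.0.2", "url": "https://example.org/"},
    {"ts": 750, "src_ip": "10.8.0.2", "url": "https://example.net/"},  # nobody holds the IP
    {"ts": 900, "src_ip": "10.8.0.2", "url": "https://example.com/"},
    {"ts": 950, "src_ip": "10.8.0.9", "url": "https://example.com/"},  # never seen on the VPN
]

def sessionize(vpn_log: List[dict]) -> Dict[str, List[VpnSession]]:
    """Pair connect/disconnect records into sessions, keyed by the assigned IP."""
    sessions: Dict[str, List[VpnSession]] = {}
    open_by_ip: Dict[str, VpnSession] = {}
    for e in sorted(vpn_log, key=lambda e: e["ts"]):
        ip = e["assigned_ip"]
        if e["event"] == "connect":
            if ip in open_by_ip:                 # reconnect without a disconnect: close the old one
                open_by_ip[ip].end = e["ts"]
            s = VpnSession(e["user"], ip, e["ts"])
            sessions.setdefault(ip, []).append(s)
            open_by_ip[ip] = s
        elif e["event"] == "disconnect" and ip in open_by_ip:
            open_by_ip.pop(ip).end = e["ts"]
    return sessions

def attribute(sessions: Dict[str, List[VpnSession]], ip: str, ts: int) -> Optional[str]:
    """Return the user who held `ip` at `ts`, or None if no session covers it.
    An address reused after a disconnect is never charged to the previous user."""
    for s in reversed(sessions.get(ip, [])):
        if s.start <= ts and (s.end is None or ts <= s.end):
            return s.user
    return None

def enrich(proxy_log: List[dict], sessions: Dict[str, List[VpnSession]]) -> List[dict]:
    """Add a 'user' field to each IP-only record; unattributable ones keep user=None."""
    return [dict(e, user=attribute(sessions, e["src_ip"], e["ts"])) for e in proxy_log]
```

Leaving a record unattributed (user=None) when no session covers it is the safe choice; guessing the previous holder of a reused address would pin another user's browsing on the wrong person.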
Page 22: Analysis: Context Awareness [Context Correlation]
Users
• Is this a privileged user?
• Is this user on a watchlist? (privileged, terminated, suspicious)
• Has this user (across identities) taken other anomalous actions?
Threats
• How reputable is a URL being accessed by an end user?
• Is the anomalous communication with a known malicious IP address?
• What category of sites poses the most risk given user browsing behavior?
Assets
• What is the business role, regulatory classification of a targeted asset?
• Is the asset tied to other recent suspicious or anomalous activity?
• What vulnerabilities is a server exposed to / not patched for?
Page 23: Analysis: Flexible Correlation Engine
• Insider Threat: Brute force attack
  – Rule: X failed logins + successful login within 1 min
  – Context: Asset criticality = High
• Compliance: Account misuse (SOX)
  – Rule: User account created & deleted within 24 hours
  – Context: Asset role = Production; User Group = Accounting
• External Threat: Hijacked account
  – Rule: Simultaneous user login from multiple locations
  – Context: Login IP address on Latest Malicious IP watchlist
Rules Engine Primitives
✔ Aggregation ✔ Windowing ✔ Context lookups ✔ Escalation (watchlists) ✔ Sequence ✔ Presence/Absence …
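The three rules on this slide, written out as an added example (not the product's rule language or code from the deck) so the primitives are visible: aggregation and windowing of failures, sequence (failures then success, create then delete), context lookups against asset/user tables and escalation against a watchlist. The event field names, context tables, thresholds (X = 5) and the reading of "simultaneous" as a 300-second window are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str

# Constructed context tables standing in for the asset, user and threat context the
# slide's rules look up. Values are sample data.
ASSET_CRITICALITY = {"fin-db-01": "High", "dev-box-07": "Low"}
ASSET_ROLE = {"hr-app-01": "Production"}
USER_GROUP = {"bob": "Accounting"}
MALICIOUS_IP_WATCHLIST = {"203.0.113.9"}   # "Latest Malicious IP" watchlist

def brute_force(events, threshold=5, window=60):
    """Insider threat rule: `threshold` failed logins then a successful login within
    `window` seconds (aggregation + windowing + sequence), raised only when the
    context lookup says Asset criticality = High. X on the slide is `threshold`."""
    alerts, failures = [], defaultdict(deque)      # (user, asset) -> failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "login":
            continue
        q = failures[(e["user"], e["asset"])]
        while q and e["ts"] - q[0] > window:      # drop failures outside the window
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= threshold:
            if ASSET_CRITICALITY.get(e["asset"]) == "High":
                alerts.append(Alert("InsiderThreat.BruteForce", e["user"],
                                    f"{len(q)} failures then success on {e['asset']}"))
            q.clear()
    return alerts

def account_misuse(events, window=24 * 3600):
    """Compliance (SOX) rule: account created and deleted within 24 hours, with
    Asset role = Production and User Group = Accounting as context."""
    alerts, created = [], {}                       # target account -> create event
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "account_create":
            created[e["target"]] = e
        elif e["action"] == "account_delete" and e["target"] in created:
            c = created.pop(e["target"])
            if (e["ts"] - c["ts"] <= window and ASSET_ROLE.get(e["asset"]) == "Production"
                    and USER_GROUP.get(e["user"]) == "Accounting"):
                alerts.append(Alert("Compliance.AccountMisuse", e["user"],
                                    f"{e['target']} created and deleted within {e['ts'] - c['ts']}s"))
    return alerts

def hijacked_account(events, window=300):
    """External threat rule: logins for one user from different locations within
    `window` seconds ("simultaneous" read as a short window, an assumption);
    escalated to High when the login IP is on the malicious-IP watchlist."""
    alerts, recent = [], defaultdict(deque)        # user -> (ts, location, ip)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "login" or e["outcome"] != "success":
            continue
        q = recent[e["user"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        others = sorted({loc for _, loc, _ in q if loc != e["location"]})
        if others:
            severity = "High" if e["ip"] in MALICIOUS_IP_WATCHLIST else "Medium"
            alerts.append(Alert("ExternalThreat.HijackedAccount", e["user"],
                                f"{severity}: {e['location']} and {others} within {window}s"))
        q.append((e["ts"], e["location"], e["ip"]))
    return alerts

# Constructed event stream (already normalized, as the service's SEF step would leave it).
EVENTS = [
    *({"ts": 1000 + 10 * i, "user": "alice", "asset": "fin-db-01", "action": "login",
       "outcome": "failure", "ip": "10.0.0.5", "location": "NYC"} for i in range(5)),
    {"ts": 1055, "user": "alice", "asset": "fin-db-01", "action": "login",
     "outcome": "success", "ip": "10.0.0.5", "location": "NYC"},
    {"ts": 1100, "user": "alice", "asset": "fin-db-01", "action": "login",
     "outcome": "success", "ip": "203.0.113.9", "location": "Moscow"},
    {"ts": 2000, "user": "bob", "asset": "hr-app-01", "action": "account_create", "target": "tmp01"},
    {"ts": 5600, "user": "bob", "asset": "hr-app-01", "action": "account_delete", "target": "tmp01"},
]

def run_all(events):
    return brute_force(events) + account_misuse(events) + hijacked_account(events)
```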
Page 24: Analysis: Machine Learning Based Anomaly Detection
• Multi-dimensional Anomaly Detection
  – Baseline behavior for entity members AND peer groups (network access)
  – Across multiple dimensions (time of access, login location, login host)
  – Diane G. is exhibiting anomalous access behavior relative to her peers
• Data Access Anomaly Detection
  – Baseline SQL queries executed
  – By a user/group, DB/DB group, or host/application
  – Queries being run against the finance database are anomalous
• Dynamic Peer Group Identification
  – Cluster users based on common behavioral patterns
  – Identifies peer groups across organizational boundaries
  – Alice is in Finance, but her behavior matches a peer group that mostly consists of SysAdmins
Page 25: Security Monitoring and Analytics Service Architecture
Page 26: Security Monitoring and Analytics leverages Oracle Management Cloud (OMC) Platform
• Topology awareness
  – Lateral movement within application
  – Multi-tier attack within application
• Orchestration / Remediation
  – Execute configuration assessment
  – Change user privileges
• Cross service visibility
  – Configuration assessment results
  – Operational metrics (CPU, memory etc.)
• Modern service platform benefits
  – Scale, Availability, Security
Page 27: Security Monitoring and Analytics Cloud Service
[Diagram: Monitor Asset Anywhere – Private Cloud and Traditional On Premises feeding the OMC services]
• Application Performance Monitoring
• Log Analytics
• Infrastructure Monitoring
• Compliance
• Orchestration
• Security Monitoring & Analytics
Page 28: OMC Client Deployment Architecture
[Diagram elements]
• Customer side: Corporate proxy server; Gateway; Cloud Agent; Pool of Gateways; Secops Users accessing the Cloud Portal; Windows Servers & Linux VMs; Exadata Servers
• Transport: Internet, HTTPS
• Oracle Cloud Data Center DC1 (DC1 / Service firewall) and Oracle Cloud Data Center DC2 (DC2 / Service firewall)
• Servers: includes SaaS, PaaS, IaaS, Infra Servers, Internal and External Compute, Syslog, Cloud security
• OMC Cloud Agent on Oracle Cloud Servers
• Services: Application Performance Monitoring, Log Analytics, Infrastructure Monitoring, Compliance, Orchestration, Security Monitoring & Analytics
Page 29: Conclusion: Security Monitoring & Analytics Cloud Service
• Protect Against Known and Unknown Threats
  – Universal threat visibility
  – SOC-ready content
  – External threat feeds
• Advanced Threat Analytics and Visualization
  – Unauthorized data access detection
  – Multi-dimensional behavioral anomaly detection
  – Session awareness and attack chain visualization
• Next-Generation Security Solution
  – Topology awareness
  – Configuration change awareness
  – Auto-remediation
Unified security monitoring (SIEM + UEBA)
Page 30: Learn More: Security Monitoring and Analytics
Demo Grounds
• 2017 - Security Monitoring and Analytics for Hybrid Cloud Environments with Oracle Management Cloud
• 2019 - Continuous Compliance Management of Hybrid Cloud Environments with Oracle Management Cloud
HOL
• Security and Compliance for Hybrid Clouds with Oracle Management Cloud, HOL7821 – Tue Oct 3 and Wed Oct 4, 9:45 a.m. - 10:45 a.m., Hilton San Francisco Union Square (Ballroom Level) - Continental Ballroom 7
Page 31: Sign Up for Free Trial
https://cloud.oracle.com/tryit
Page 32: Learn More About Oracle Security
• Oracle.com/Security
• Blogs.Oracle.com/CloudSecurity
• @OracleSecurity
• /OracleSecurity