OMC-Security and Compliance
Security Modules
June 2017
Chetan Vithlani
Principal SC SCC Solutions - InfoSec
Copyright 2016, Oracle and/or its affiliates. All rights reserved. | Confidential Oracle Internal/Restricted/Highly Restricted
Brief Introduction
Cyber, Cloud and Information Security Solutions Architect
AIOUG Bangalore Chapter, Founding and Core team member
Over 2 decades of Global IT Industry experience across BFSI, Telco, Healthcare domains
Certifications
Oracle Database RAC 12c certified implementation specialist
Oracle Database 12c certified implementation specialist
30+ Public events and 70+ customer facing sessions
Social: Twitter: CMVithlani, LinkedIn: https://in.linkedin.com/in/chetanvithlani
Blogs: https://www.linkedin.com/today/posts/chetanvithlani
YouTube: https://www.youtube.com/watch?v=Mr6ByIPIwns
Agenda
Recent large-scale breaches
eBay: 148M customer records
MySpace: 360M emails, 427M passwords, 111M usernames
Yahoo: 1 billion+ user accounts
Why Aren't Security Teams Able to Keep Up?
Cyber Kill Chain
Recon > Infiltration > Lateral Movement > Exfiltration
Current Solution: Fragmented and Integration Intensive
UEBA (User and Entity Behavior Analytics): user context, anomaly detection
Configuration Management: secure state, configuration auditing
Security Monitoring and Compliance Redefined
OMC Security Data Flow
COLLECT ANALYZE INVESTIGATE RESPOND
Collection: Standardized Event Format
Comprehensive, multi-entity taxonomy spanning all data sources
Auto-mapping for supported sources and extensibility with custom parser
Faster onboarding, reduced training for SOC analysts
Example mapping: Active Directory "User logon name" and LDAP "UserPrincipalName" are both mapped to the same canonical user field
Collection: Intuitive Categorization
Natural language, device and vendor independent analysis
OOTB categorization for common sources; extensibility with flex parser
Faster onboarding, reduced training for SOC staff
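The two collection slides above describe one idea: whatever the source calls a field, the SOC sees one schema and one vendor-independent category, with supported sources auto-mapped and anything else handled by a custom parser. The block below is an added example of that pattern; it is not OMC code and says nothing about OMC's actual taxonomy or parser API. The three input records are constructed, and the source field names ("User logon name", "UserPrincipalName", the VPN syslog layout) are assumptions made for the example.

```python
"""Map vendor-specific authentication records onto one event schema.

Added example, not OMC code. Source field names and sample records are
constructed for illustration; they are not from any real product log.
"""
import re
from dataclasses import dataclass, field


@dataclass
class NormalizedEvent:
    source: str
    user: str          # canonical: bare account name, lower-case
    src_ip: str
    outcome: str       # "success" | "failure" | "unknown"
    category: str      # vendor-independent: what happened, not who logged it
    raw: object = field(default_factory=dict)


# Auto-mapping for supported sources: canonical field -> source field (assumed names).
FIELD_MAPS = {
    "active_directory": {"user": "User logon name", "src_ip": "Source Network Address",
                         "outcome": "Keywords"},
    "ldap": {"user": "UserPrincipalName", "src_ip": "clientIP", "outcome": "result"},
}

# Vendor-specific outcome vocabularies folded into one.
OUTCOMES = {"audit success": "success", "0": "success", "ok": "success",
            "audit failure": "failure", "49": "failure", "fail": "failure"}


def canonical_user(name):
    """CORP\\ASmith, asmith@corp.example and ASmith all become 'asmith'."""
    return name.split("\\")[-1].split("@")[0].lower()


def categorize(event):
    """Device- and vendor-independent category taken from the event's own words."""
    text = " ".join(str(v) for v in event.values()).lower()
    if re.search(r"logged on|logon|login|bind|authenticat|vpn session", text):
        return "authentication"
    if re.search(r"group membership|privilege|role", text):
        return "privilege_change"
    return "uncategorized"


def normalize(source, event):
    """Auto-mapped path: apply the source's field map to a dict record."""
    fmap = FIELD_MAPS[source]
    outcome = OUTCOMES.get(str(event.get(fmap["outcome"], "")).strip().lower(), "unknown")
    return NormalizedEvent(source, canonical_user(event[fmap["user"]]),
                           event.get(fmap["src_ip"], ""), outcome, categorize(event), event)


# Extensibility: custom parsers for sources that have no auto-mapping.
CUSTOM_PARSERS = {}


def parser_for(source):
    def register(fn):
        CUSTOM_PARSERS[source] = fn
        return fn
    return register


VPN_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<ip>\S+)\s+status=(?P<status>\S+)")


@parser_for("vpn_syslog")
def parse_vpn(line):
    """Custom parser for an assumed syslog layout: 'user=<u> src=<ip> status=<ok|fail>'."""
    m = VPN_RE.search(line)
    if not m:
        raise ValueError(f"unparsable VPN line: {line!r}")
    fields = {"event": "vpn session", **m.groupdict()}
    return NormalizedEvent("vpn_syslog", canonical_user(m["user"]), m["ip"],
                           OUTCOMES.get(m["status"].lower(), "unknown"),
                           categorize(fields), line)


def ingest(source, record):
    """Dispatch: mapped sources go through normalize(), others through their parser."""
    if source in FIELD_MAPS:
        return normalize(source, record)
    if source in CUSTOM_PARSERS:
        return CUSTOM_PARSERS[source](record)
    raise KeyError(f"no mapping or parser for {source}")


# Constructed sample records (not real logs).
SAMPLES = [
    ("active_directory", {"EventID": 4624, "User logon name": "CORP\\ASmith",
                          "Source Network Address": "10.1.2.3", "Keywords": "Audit Success",
                          "Message": "An account was successfully logged on."}),
    ("ldap", {"operation": "bind", "UserPrincipalName": "asmith@corp.example",
              "clientIP": "10.1.2.3", "result": "49"}),
    ("vpn_syslog", "2017-06-01T08:00:00Z gw1 vpn: user=asmith src=203.0.113.7 status=ok"),
]


def demo():
    """Normalize every sample; all three resolve to the same user and category."""
    return [ingest(s, r) for s, r in SAMPLES]
```

Note what makes the three records comparable afterwards: the same `user` value, a shared outcome vocabulary and a category derived from the event text rather than from the product name, so a rule written once ("failed authentication for user X from IP Y") matches all three sources.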
Analysis: Session Awareness [Identity Correlation]
Activity to identity extrapolation (example user: Alex Smith) from VPN logs, AD logs and DHCP logs
Logs with explicit identity context
Composite identity awareness
User model and identity adapters
Enriched events with user context
Faster time to mitigation
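Identity correlation as described above means taking logs that carry an explicit identity (VPN session records, AD logons, DHCP leases) and using them to put a name on events that only carry an IP address. The block below is an added example of that join; it is not OMC code and OMC's user model and identity adapters are not documented on this page. All log records and their field names are constructed for the example.

```python
"""Attribute an IP-only event to a person from VPN, DHCP and AD logs.

Added example, not OMC code. Log records and field names are constructed.
Approach: build, per IP, a timeline of (start, end, user) bindings from
the logs that carry explicit identity, then look up the binding that was
live when the anonymous event happened.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Binding:
    start: datetime
    end: datetime
    ip: str
    user: str
    evidence: str      # which logs produced this binding


def ts(s):
    return datetime.fromisoformat(s)


# Constructed logs (assumed field names).
VPN_LOG = [
    {"user": "asmith", "assigned_ip": "10.200.0.5",
     "connect": "2017-06-01T08:00:00", "disconnect": "2017-06-01T12:00:00"},
]
DHCP_LOG = [
    {"time": "2017-06-01T09:00:00", "ip": "10.1.2.3", "mac": "00:11:22:33:44:55",
     "hostname": "WS-ALEX", "lease_seconds": 8 * 3600},
    # same IP handed to a different host later in the day
    {"time": "2017-06-01T18:00:00", "ip": "10.1.2.3", "mac": "66:77:88:99:aa:bb",
     "hostname": "WS-BOB", "lease_seconds": 8 * 3600},
]
AD_LOG = [
    {"time": "2017-06-01T09:05:00", "user": "asmith", "workstation": "WS-ALEX"},
    {"time": "2017-06-01T18:10:00", "user": "bjones", "workstation": "WS-BOB"},
]


def build_timeline(vpn, dhcp, ad):
    timeline = []
    for e in vpn:  # VPN: user and IP already in the same record
        timeline.append(Binding(ts(e["connect"]), ts(e["disconnect"]),
                                e["assigned_ip"], e["user"], "vpn"))
    logons = sorted(ad, key=lambda e: e["time"])
    for e in dhcp:  # DHCP gives ip->host, AD gives host->user; join on hostname
        start = ts(e["time"])
        end = start + timedelta(seconds=e["lease_seconds"])
        hits = [l for l in logons
                if l["workstation"] == e["hostname"] and ts(l["time"]) <= end]
        if not hits:
            continue  # host with no known interactive logon stays unattributed
        logon = hits[-1]  # most recent logon on that host before the lease expires
        # attribute from the later of lease start and logon time; before the
        # logon the IP was that host's but nobody had yet authenticated on it
        timeline.append(Binding(max(start, ts(logon["time"])), end, e["ip"],
                                logon["user"], f"dhcp:{e['mac']}+ad:{e['hostname']}"))
    return timeline


def resolve(timeline, ip, when):
    """Binding live for `ip` at `when`, or None if the IP is unattributed then."""
    live = [b for b in timeline if b.ip == ip and b.start <= when <= b.end]
    if not live:
        return None
    return max(live, key=lambda b: b.start)  # newest binding wins on overlap


def enrich(timeline, event):
    """Add user context to an event that only carries src_ip and time."""
    b = resolve(timeline, event["src_ip"], ts(event["time"]))
    return {**event, "user": b.user if b else None,
            "identity_evidence": b.evidence if b else None}
```

The two failure modes a practitioner cares about are visible in the sample data: the same IP belongs to two different people on the same day once the DHCP lease moves, and a VPN address after the session's disconnect resolves to nobody rather than to the last user who held it. Returning the evidence chain with the user makes the attribution auditable when an analyst questions it.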
Investigation: SOC Ready Content
Curated dashboards
Users
Assets
Threats
External Threat Scenario
Scenario: DBA compromised by spear-phishing attack. Security challenge: 0-day attack evades perimeter/endpoint protection.
Scenario: Malware harvests credentials, queries DBs over time. Security challenge: static, frequency-based rules miss the low and slow attack.
Scenario: Malware contacts external command & control hosts. Security challenge: no ability to detect anomalous SQL queries by user.
Insider Threat Scenario
Scenario: New call center rep accesses several customer records. Customer challenge: static rules don't catch anomalous app activity.
Scenario: Accesses customer support app out of shift hours. Customer challenge: no activity sequence awareness.
Scenario: Uses file sharing service from work. Customer challenge: no cloud activity access or visibility.
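Both scenarios above make the same point: a threshold on one hour's activity misses an account that takes a little extra every night, while a per-user baseline catches the drift, the first touch of a table the user never used, and activity outside the user's normal hours. The block below is an added example of that contrast, written for the DBA case but applying equally to the call center rep; it is not OMC code, and the audit records are constructed (30 days of one account's query activity with a compromise from day 15). The record shape, the row-count feature and the CUSUM parameters are assumptions made for the example.

```python
"""Low-and-slow data access: a static frequency rule vs. a per-user baseline.

Added example, not OMC code. The audit trail is constructed, not a real
database log. Assumed record shape: one row per (user, table, hour) with
the number of rows the query returned.
"""
from collections import defaultdict
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 is the normal shift


def make_audit_log():
    """Constructed 30-day audit trail for one DBA account.

    Days 1-14: normal activity only. From day 15 the (compromised) account
    also pulls 8 rows per night from a table it never touched before.
    """
    normal_rows = [100, 90, 110, 95, 105, 100, 98, 102, 92, 108, 104, 96, 99, 101]
    log = []
    for day in range(1, 31):
        rows = normal_rows[day - 1] if day <= 14 else 100
        log.append({"day": day, "hour": 10, "user": "dba1", "table": "orders", "rows": rows // 2})
        log.append({"day": day, "hour": 14, "user": "dba1", "table": "customers",
                    "rows": rows - rows // 2})
        if day >= 15:
            log.append({"day": day, "hour": 2, "user": "dba1", "table": "cc_vault", "rows": 8})
    return log


def static_rule(log, rows_per_hour=500):
    """Frequency rule: alert when one user returns more than the limit in an hour."""
    per_hour = defaultdict(int)
    for e in log:
        per_hour[(e["user"], e["day"], e["hour"])] += e["rows"]
    return sorted(k for k, v in per_hour.items() if v > rows_per_hour)


def daily_profile(log):
    """Per (user, day): total rows, tables touched, any off-hours activity."""
    prof = defaultdict(lambda: {"rows": 0, "tables": set(), "off_hours": False})
    for e in log:
        p = prof[(e["user"], e["day"])]
        p["rows"] += e["rows"]
        p["tables"].add(e["table"])
        if e["hour"] not in BUSINESS_HOURS:
            p["off_hours"] = True
    return prof


def behavioral_alerts(log, baseline_days=14, k=0.5, h=5.0):
    """Learn each user's baseline from the first `baseline_days`, then flag:
    (a) CUSUM on standardized daily row counts: a small but persistent excess
        accumulates until it crosses h, which a per-hour threshold never sees;
    (b) novelty: first use of a table absent from the baseline;
    (c) off-hours activity for a user whose baseline had none.
    Returns {user: {"cusum_day": d or None, "new_table_day": ..., "off_hours_day": ...}}.
    """
    prof = daily_profile(log)
    out = {}
    for u in {user for user, _ in prof}:
        days = sorted(d for user, d in prof if user == u)
        base = [prof[(u, d)] for d in days if d <= baseline_days]
        mu = mean(p["rows"] for p in base)
        sigma = pstdev(p["rows"] for p in base) or 1.0   # guard a flat baseline
        known = set().union(*(p["tables"] for p in base))
        base_off = any(p["off_hours"] for p in base)
        s = 0.0
        res = {"cusum_day": None, "new_table_day": None, "off_hours_day": None}
        for d in days:
            if d <= baseline_days:
                continue
            p = prof[(u, d)]
            s = max(0.0, s + (p["rows"] - mu) / sigma - k)   # one-sided CUSUM
            if s >= h and res["cusum_day"] is None:
                res["cusum_day"] = d
            if p["tables"] - known and res["new_table_day"] is None:
                res["new_table_day"] = d
            if p["off_hours"] and not base_off and res["off_hours_day"] is None:
                res["off_hours_day"] = d
        out[u] = res
    return out
```

On the constructed data the 500-rows-per-hour rule never fires (the nightly pull is 8 rows), while the baseline flags the new table and the off-hours access on the first night and the cumulative row excess on day 20. The caveat that matters in practice is the baseline window: if the account was already compromised during the learning period, the attacker's behaviour becomes "normal", so baselines need to be built from a period the analyst trusts and re-checked as they are refreshed.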
Introducing Oracle Identity SOC Solution
One-Stop SOC Dashboard
Security Monitoring & Analytics + Compliance Cloud Services
Security Posture
Applications, data and user activity analytics, threat intelligence, and compliance
Comprehensive View of Security Posture and Threats
[Figure: data sources across every tier feeding one unified platform]
End user experience/activity: real users, synthetic users, CASB, identity
Application tier: app metrics, transactions
Middle tier: server metrics, diagnostics, logs
Data tier: host metrics
Virtualization tier: VM metrics, container metrics
Infrastructure tier: CMDB/compliance, tickets, alerts, security events
External: global threat feeds
Data characteristics: massive volume, highly patterned, predictable format
Platform: intelligent, unified, powered by machine learning, informed by a complete data set, heterogeneous and open
Questions it is meant to answer: What do I need to pay attention to right now? Should I be concerned about what this user is doing? What will happen tomorrow?
Configuration and Compliance Cloud Service
Standards Based: execute industry standard compliance benchmarks at cloud scale
Application & Cloud Aware: assess compliance against infrastructure and application stacks, on-premises or in the cloud
Efficient & Actionable: quickly determine your enterprise compliance posture and remediate violations
Extensible: execute custom scripts and enforce your organization's standards
Unified Data, Comprehensive Suite
[Figure: Oracle Management Cloud services sharing one data set]
Services: Infrastructure Monitoring, Application Performance Monitoring, Log Analytics, Orchestration, Compliance, IT Analytics, Security Monitoring & Analytics
Application topology awareness: lateral movement within application; multi-tier attack within application
Orchestration/Remediation: execute configuration assessment; change user privileges
Full visibility across stack and clouds
Unified data: end-user activity; application and infrastructure logs; configuration assessment results; operational metrics (CPU, memory etc.)
Unified Data, Machine Learning: Better Security
Oracle Management Cloud
Cloud.oracle.com/management
#MgmtCloud
@OracleMgmtCloud community.oracle.com/mgmtcloud