Proac@ve Security Monitoring and Analy@cs for Oracle … · – Mul@-@er aacks (APT lateral movement) through OMC plaorm topology awareness ... – Logs with explicit iden@ty context

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

Proac@veSecurityMonitoringandAnaly@csforOracleIaaS,PaaS,andSaaS

AnshPatnaikVP,ProductManagementOracleBenNelsonVP,CloudSecurityOpera@onsOracleAkshaiDuggalDirector,ProductManagementOracle

Confiden@al–OracleInternal/Restricted/HighlyRestricted


SafeHarborStatementThefollowingisintendedtooutlineourgeneralproductdirec@on.Itisintendedforinforma@onpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfunc@onality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,and@mingofanyfeaturesorfunc@onalitydescribedforOracle’sproductsremainsatthesolediscre@onofOracle.

Confiden@al–OracleInternal/Restricted/HighlyRestricted 2


ProgramAgenda

CloudSecurityConsidera@ons

SecurityMonitoring&Analy@csCloudService:Overview

SecurityMonitoring&Analy@csCloudService:ServiceArchitecture

Q&A

1

2

3

4


Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

CloudSecurityConsidera@onsLogging,AnalysisandResponseBenNelsonVicePresident,OracleCloudSecurityOpera<ons



LoggingCoverageandInventory

LogAnalysis


Response

Detec@onandResponse–3Fundamentals


•  Youcan’tanalyzewhatyoudon’thave•  Youcan’tcollectwhatyoudon’tknowabout•  Inventory

– canbehardformanyorganiza@ons

• Collec@onshouldbeeasy– Na@veOScapabili@es– Agents


LogCoverageandInventory


Signature-Based• Hundredsofgoodtoolsonmarket•  20+yroldtechnology• Onlyasgoodas

– Yourvendor– Yoursecurityanalysts

SmartAnalysis• Machinelearning• Anomalydetec@on•  Threatintelligenceenrichment• Real-@meanalysis


LogAnalysis Timetoevolve….


Response• Nowwhat?!

– Wehavegoodlogcoverage– Wehavegoodanalysisandaler@ng

• Alertstohumansaregood• Responsefrommachinesisbeeer!

– Automatedresponseisthenextstepincybersecurity– Humanscan’treactorrespondquicklyenoughtoknownissueswithknownremedia@ons



TheSlidingScaleofCloudSecurityResponsibility

9

SaaS PaaS IaaS

MoreResponsibility

LessResponsibility


SecurityMonitoringandAnaly@csCloudService

Confiden@al–OracleInternal/Restricted/HighlyRestricted


SecurityMonitoringandAnaly@csFocus


ShrinkingVisibility

•  Cloud,BYODreduceperimetersecurityefficacy

•  DevOpsmul@plieschangerates

•  Shrinkingwindowtocatchvulnerableconfig

GrowingDetec@onGap

•  Zerodayaeacksrequireanomalydetec@on

•  Low&slow,mul@-stagethreatsrequiresequenceawareness

•  Targetedaeacksrequireiden@tyawareness

FallingEfficiency

• Moreassets,moresecuritytools,morealerts

•  Staffingshortages•  Nega@veimpactonSOCmetrics


CurrentApproach:FragmentedandIntegra@onIntensive


SIEM(SecurityInforma1onandEventManagement)

Securitycontext,Rulesbaseddetec@on

UEBA(UserandEn1tyBehaviorAnaly1cs)

Usercontext,Anomalydetec@on

X  Mul@-product/vendorchallengesX  Integra@on,UIs,datamodels,support…X  ScaleanddeliverymodeldifferencesX  HighviabilityandM&AriskX  Pointin@me,appspecificstatechecksLogManagement

Rawlogs,Forensicsearch,ITopsanaly@cs

Configura<onManagementSecurestate,configura@onaudi@ng


SecurityMonitoringandAnaly@csCloudService•  Protectenterprisewideassetsfromknownandzero-daythreats

–  Securitymonitoringvisibilityacrossheterogeneouson-premiseandcloudassets–  EfficientSOCmonitoringwithOOTBcontentformodernthreats(rules,anomaliesetc.)–  Con@nuousthreatintelligencecontext(URL/IPclassifica@on&reputa@on)

•  Detectthreatsearlyusingmachinelearningdrivenanaly<csandvisualiza<on–  Dataaccess(SQLbased)anomaliesattheuser,group,databaseandapplica@onlevel–  Nuancedanomaliesthroughmul@-dimensionalbaselines(ex:userloginsbyloca@on,@me,hostetc.)–  Usersessionawarenessandaeackchainvisualiza@on(ex:accounthijacking)

•  HarnessOMCplaQormandcross-servicecontextforrichersecuritymonitoring–  Mul@-@eraeacks(APTlateralmovement)throughOMCplasormtopologyawareness–  Con@nuousconfigura@ondritcontextinsecuritymonitoring–  SOCauto-remedia@on(accountlockouts,portorotherconfigura@onchange)withOMCOrchestra@on

OracleConfiden@al–Internal/Restricted/HighlyRestricted 13


01100100 01100001 01110100 01100001 0110010001100001 01110100 0100 0110000101100100 01100001 01110100 01100001 0110010001100001 01011 01110100110000101100100 01100001 01110100 110000101100100 01100001 01110100 011000010110010001100001 01110100 110000101100100 0100111 01100001 01110100110000101100100 01100001 01110100 01100001 011010 0110010001100001 0111010001100001 0110010001100001 01110100 01001 01100001 0110010001100001 0111010001100001 0110010001100001 01001 01110100 01100001 0110010001100001 0111010001100001 0100101001 001 0110010001100001 01110100 01100001 011001000110000101110100 010011 01100001 0110010001100001 01110100 01100001 01100100 01100001010010111010001100001011001000110000101110100011000010110010001000110000101110100 01100001 0110010001100001 01110100 01000100 0100 11000010110010001100001 01110100 110000101100100 01100001 01110100 01100001 011001000110000101110100 110000101100100 01100001 010001 01110100 110000101100100 0110000101110100 01100001 01000100 010011 0110010001100001 01110100 011000010110010001100001 01110100 01000 01110100 110000101100100 01100001 0111010001100001 01000100 010011 0110010001100001 01110100 01100001 011001000110000101110100010011

14

OracleManagementCloud–ManageabilityEdi@onENDUSEREXPERIENCE

APPLICATION

MIDDLETIER

DATATIER

VIRTUALIZATIONTIER

VM CONTAINER

INFRASTRUCTURETIER

VM CONTAINER

RealUsersSynthe<cUsers

UnifiedPlasorm

AppmetricsTransac<ons

ServermetricsDiagnos<csLogs

HostmetricsVMmetricsContainermetrics

CMDBTicketsAlerts

✔ GREATERAGILITY

✔ INCREASEDEFFICIENCY

✔ FEWEROUTAGES


01100100 01100001 01110100 01100001 0110010001100001 01110100 0100 0110000101100100 01100001 01110100 01100001 0110010001100001 01011 01110100110000101100100 01100001 01110100 110000101100100 01100001 01110100 011000010110010001100001 01110100 110000101100100 0100111 01100001 01110100110000101100100 01100001 01110100 01100001 011010 0110010001100001 0111010001100001 0110010001100001 01110100 01001 01100001 0110010001100001 0111010001100001 0110010001100001 01001 01110100 01100001 0110010001100001 0111010001100001 0100101001 001 0110010001100001 01110100 01100001 011001000110000101110100 010011 01100001 0110010001100001 01110100 01100001 01100100 01100001010010111010001100001011001000110000101110100011000010110010001000110000101110100 01100001 0110010001100001 01110100 01000100 0100 11000010110010001100001 01110100 110000101100100 01100001 01110100 01100001 011001000110000101110100 110000101100100 01100001 010001 01110100 110000101100100 0110000101110100 01100001 01000100 010011 0110010001100001 01110100 011000010110010001100001 01110100 01000 01110100 110000101100100 01100001 0111010001100001 01000100 010011 0110010001100001 01110100 01100001 011001000110000101110100010011

15

OracleManagementCloud–SecurityEdi@onENDUSEREXPERIENCE

APPLICATION

MIDDLETIER

DATATIER

VIRTUALIZATIONTIER

VM CONTAINER

INFRASTRUCTURETIER

VM CONTAINER

RealUsersSynthe<cUsers

UnifiedPlasorm

AppmetricsTransac<ons

ServermetricsDiagnos<csLogs

HostmetricsVMmetricsContainermetrics

CMDBTicketsAlerts

✔ GREATERAGILITY

✔ INCREASEDEFFICIENCY

✔ FEWEROUTAGES

✔ BETTERSECURITY

SecurityEventsConfigura<ondataIden<tycontextThreatintelligence

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| Confiden@al–OracleInternal/Restricted/HighlyRestricted 16

OracleIden@tySOCFramework

CONTENTSECURITY

USER

SECURITY

CONFIGURATION

DATA,TELEMETRY,ANALYTICSANDSECURITYPOSTUREApplica@ons,dataanduserac@vityanaly@cs,threatintelligence,andcompliance

SOCDashboard

AutomatedResponse&Remedia@on

SecurityMonitoring&Analy@csCloudService

CASBCloudService

Iden@tyCloudService

Configura@on&ComplianceCloudService

FORENSICS

LogAnaly@csCloudService


SecurityMonitoringandAnaly@csDataFlow

OracleConfiden@al–Internal/Restricted/HighlyRestricted 17

COLLECT ANALYZE RESPONDINVESTIGATE

FORMATS

DashboardsReportsSearch

DIMENSIONS

UsersAssetsThreats

SOCAnalyst,AdminSOCManagerIncidentResponseAuditorsCSO,CIO

ANYACTIVITYLogs,metrics,

transac@ons,config(On-premise,cloud)

ANYCONTEXTAssetsUsers

ThreatsVulnerabili@es

TRIAGE

Orchestra@onConfigura@on

Correla@onRulesMachineLearning

ANALYTICS


DataCollec@on•  Heterogeneousac@vitydatasources(formats,stacks,loca@ons)

•  Extensivedataenrichment(iden@ty,asset,threats)

•  Hybridconfigura@onassessmentresults


Host

PointSecuritySolu@o

ns Applica@ons

Infrastructure

Networking

Windows,Linux,Unix

Firewall,Proxy,VPN,IDS/IPS,AV,DLP,VAscanners,CASB,TIF

Fusionapps,3rdpartyapplica@ons,Customapplica@ons

IaaS,PaaS,SaaS

Directoryservices,Middleware,Database,Hypervisor

DHCP,DNS,Loadbalancer,Flow,Router,Switch

Confi

gura@o

n,Com

pliance

Clou

d


Normaliza@onUsingStandardEventFormat(SEF)•  Mul@-en@tyeventtaxonomyforalllogdatatypes

•  Auto-mappingforsupportedsourcesandextensibilitywithcustomparser

•  Fasteronboarding,reducedtrainingforSOCanalysts


LDAPUserPrincipalName

Ac<veDirectoryUserlogonname

IDCSLogin

Mappingandnormaliza@on

NormalizedFormatAccountName


Intui@veCategoriza@on•  Naturallanguage,deviceandvendorindependentanalysis•  OOTBcategoriza@onandextensibilitywithcustomparser

•  Fasteronboarding,reducedtrainingforSOCstaff


Subject:SecurityID:S-1-0-0AccountName:<accountname>AccountDomain:<domain>LogonID:0x0LogonType:<type>AccountForWhichLogonFailed:SecurityID:S-1-0-0AccountName:<accountname>AccountDomain:<domain>FailureInformaEon:FailureReason:Unknownusernameorbadpassword.Status:0xc000006dSubStatus:0xc0000064ProcessInformaEon:CallerProcessID:0x0CallerProcessName:-NetworkInformaEon:WorkstaEonName:<workstaEonname>SourceNetworkAddress:<IPaddress>SourcePort:<port>DetailedAuthenEcaEonInformaEon:LogonProcess:NtLmSspAuthenEcaEonPackage:NTLMTransitedServices:-PackageName(NTLMonly):-KeyLength:0

Jul710:55:56srbarrigasshd(pam_unix)[16660]:authen>ca>onfailure;logname=uid=0euid=0Dy=NODEVsshruser=rhost=192.168.20.111user=root

2012-01-1001:44:14.630-05:00LoginusingStandardSecuritywithUser='dahjkfd'2012-01-1001:44:14.864-05:00Incorrectlogin/password.2012-01-1001:44:14.880-05:00MsiSessionManager::LoginStandardUser(UserName=dahjkfd,MachineName=ServerMachine:10.16.154.13ClientMachine:127.0.0.1):AuthenRcaRonfailed:hr=%3.

DeviceType EventCategory EventOutcome …

Host.windows Authen@[email protected] Failure …

Host.linux Authen@[email protected] Failure …

[email protected] Authen@[email protected] Failure …


Analysis:SessionAwareness[Iden@tyCorrela@on]•  Compositeiden@tyawareness

–  Richuserdatamodelandadaptersforiden@tydatasourcesenable360degreeusermonitoringacrossalliden@@es

–  Securitylogsarecon@nuouslyenrichedwithusercontext

•  Ac@vitytoiden@tyextrapola@on–  Logswithexplicitiden@tycontextlikeVPNandIDMareusedtosessionizeandaeributeiden@tytootherlogsthatlackusercontext



Analysis:ContextAwareness[ContextCorrela@on]


Users

Threats

Assets

•  Isthisaprivilegeduser?•  Isthisuseronawatchlist?(privileged,terminated,suspicious)•  Hasthisuser(acrossiden@@es)takenotheranomalousac@ons?

•  HowreputableisaURLbeingaccessedbyanenduser?•  Istheanomalouscommunica@onwithaknownmaliciousIPaddress?•  Whatcategoryofsitesposesthemostriskgivenuserbrowsingbehavior?

•  Whatisthebusinessrole,regulatoryclassifica@onofatargetedasset?•  Istheasset@edtootherrecentsuspiciousoranomalousac@vity?•  Whatvulnerabili@esisaserverexposedto/notpatchedfor?


Analysis:FlexibleCorrela@onEngine•  InsiderThreat:Bruteforceaeack

–  Rule:Xfailedlogins+successfulloginwithin1min–  Context:Assetcri@cality=High

•  Compliance:Accountmisuse(SOX)–  Rule:Useraccountcreated&deletedwithin24hours–  Context:Assetrole=Produc@on;UserGroup=Accoun@ng

•  ExternalThreat:Hijackedaccount–  Rule:Simultaneoususerloginfrommul@pleloca@ons–  Context:LoginIPaddressonLatestMaliciousIPwatchlist


RulesEnginePrimi<ves

ü  Aggrega@onü Windowingü  Contextlookupsü  Escala@on(watchlists)ü  Sequenceü  Presence/Absence…


Analysis:MachineLearningBasedAnomalyDetec@on•  Mul<-dimensionalAnomalyDetec<on

–  Baselinebehaviorforen@tymembersANDpeergroups(networkaccess)–  Acrossmul@pledimensions(1meofaccess,loginloca1on,loginhost)–  DianeG.isexhibi1nganomalousaccessbehaviorrela1vetoherpeers

•  DataAccessAnomalyDetec<on–  BaselineSQLqueriesexecuted–  Byauser/group,DB/DBgroup,orhost/applica@on–  Queriesbeingrunagainstthefinancedatabaseareanomalous

•  DynamicPeerGroupIden<fica<on–  Clusterusersbasedoncommonbehavioralpaeerns–  Iden@fiespeergroupsacrossorganiza@onalboundaries–  AliceisinFinance,butherbehaviormatchesapeergroupthatmostlyconsistsofSysAdmins


Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

SecurityMonitoringandAnaly@csServiceArchitecture



SecurityMonitoringandAnaly@csleveragesOracleManagementCloud(OMC)Plasorm

•  Topologyawareness–  Lateralmovementwithinapplica@on– Mul@-@eraeackwithinapplica@on

•  Orchestra@on/Remedia@on–  Executeconfigura@onassessment–  Changeuserprivileges

•  Crossservicevisibility–  Configura@onassessmentresults–  Opera@onalmetrics(CPU,memoryetc.)

•  Modernserviceplasormbenefits–  Scale,Availability,Security



SecurityMonitoringandAnaly@csCloudService


PrivateCloud

Tradi<onalOnPremises

MonitorAssetAnywhere

Applica<onPerformanceMonitoring Log

Analy<cs

InfrastructureMonitoring

ComplianceOrchestra<on

SecurityMonitoring&Analy<cs


OMCClientDeploymentArchitecture

Corporate proxy server

Gateway Cloud Agent

DC1 /Service firewall

Internet

HTTPS

SecopsUsers Poolof

Gateways

OracleCloudDataCenterDC1

OracleCloudDataCenterDC2

ServersIncludesSaaS,PaaS,IaaS,InfraServers,InternalandExternalCompute,Syslog,Cloudsecurity

OMCCloudAgentonOracleCloudServers

AccessingCloudPortalExadataServers

WindowsServers&LinuxVMs

DC2 /Service firewall

Applica<onPerformanceMonitoring Log

Analy<cs

InfrastructureMonitoring

ComplianceOrchestra<on

SecurityMonitoring&Analy<cs


Conclusion:SecurityMonitoring&Analy@csCloudService

•  ProtectAgainstKnownandUnknownThreats–  Universalthreatvisibility–  SOC-readycontent–  Externalthreatfeeds

•  AdvancedThreatAnaly@csandVisualiza@on–  Unauthorizeddataaccessdetec@on– Mul@-dimensionalbehavioralanomalydetec@on–  Sessionawarenessandaeackchainvisualiza@on

•  Next-Genera1onSecuritySolu@on–  Topologyawareness–  Configura@onchangeawareness–  Auto-remedia@on

29

Unifiedsecuritymonitoring(SIEM+UEBA)


LearnMore:SecurityMonitoringandAnaly@csDemoGrounds•  2017-SecurityMonitoringandAnaly@csforHybridCloudEnvironmentswithOracleManagementCloud

•  2019-Con@nuousComplianceManagementofHybridCloudEnvironmentswithOracleManagementCloud

HOL•  SecurityandComplianceforHybridCloudswithOracleManagementCloudHOL7821–TueOct3andWedOct49:45a.m.-10:45a.m.HiltonSanFranciscoUnionSquare(BallroomLevel)-Con@nentalBallroom7



SignUpforFreeTrial


h\ps://cloud.oracle.com/tryit


LearnMoreAboutOracleSecurity

Oracle.com/SecurityBlogs.Oracle.com/CloudSecurity@OracleSecurity/OracleSecurity

32

Documents

Proac@ve Security Monitoring and Analy@cs for Oracle … · – Mul@-@er aacks (APT lateral movement) through OMC plaorm topology awareness ... – Logs with explicit iden@ty context