Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Proactive Security Monitoring and Analytics for Oracle IaaS, PaaS, and SaaS
Ansh Patnaik, VP, Product Management, Oracle
Ben Nelson, VP, Cloud Security Operations, Oracle
Akshai Duggal, Director, Product Management, Oracle
Confidential – Oracle Internal/Restricted/Highly Restricted
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
1. Cloud Security Considerations
2. Security Monitoring & Analytics Cloud Service: Overview
3. Security Monitoring & Analytics Cloud Service: Service Architecture
4. Q&A

Cloud Security Considerations: Logging, Analysis and Response
Ben Nelson, Vice President, Oracle Cloud Security Operations
Detection and Response – 3 Fundamentals
• Logging Coverage and Inventory
• Log Analysis
• Response
Log Coverage and Inventory
• You can't analyze what you don't have
• You can't collect what you don't know about
• Inventory
– can be hard for many organizations
• Collection should be easy
– Native OS capabilities
– Agents
Log Analysis: Time to evolve…
Signature-Based
• Hundreds of good tools on market
• 20+ year old technology
• Only as good as
– Your vendor
– Your security analysts
Smart Analysis
• Machine learning
• Anomaly detection
• Threat intelligence enrichment
• Real-time analysis
Response
• Now what?!
– We have good log coverage
– We have good analysis and alerting
• Alerts to humans are good
• Response from machines is better!
– Automated response is the next step in cybersecurity
– Humans can't react or respond quickly enough to known issues with known remediations
– Scope automation to those known issues with known remediations (account lockouts, port or other configuration changes) rather than to every alert
The Sliding Scale of Cloud Security Responsibility
SaaS → PaaS → IaaS: the customer's share of security responsibility grows from SaaS (least) to IaaS (most), and the provider's share shrinks accordingly.
Security Monitoring and Analytics Cloud Service
Security Monitoring and Analytics Focus
Shrinking Visibility
• Cloud, BYOD reduce perimeter security efficacy
• DevOps multiplies change rates
• Shrinking window to catch vulnerable config
Growing Detection Gap
• Zero day attacks require anomaly detection
• Low & slow, multi-stage threats require sequence awareness
• Targeted attacks require identity awareness
Falling Efficiency
• More assets, more security tools, more alerts
• Staffing shortages
• Negative impact on SOC metrics
Current Approach: Fragmented and Integration Intensive
• SIEM (Security Information and Event Management): security context, rules based detection
• UEBA (User and Entity Behavior Analytics): user context, anomaly detection
• Log Management: raw logs, forensic search, IT ops analytics
• Configuration Management: secure state, configuration auditing
Problems with stitching these together:
X Multi-product/vendor challenges
X Integration, UIs, data models, support…
X Scale and delivery model differences
X High viability and M&A risk
X Point in time, app specific state checks
Security Monitoring and Analytics Cloud Service
• Protect enterprise wide assets from known and zero-day threats
– Security monitoring visibility across heterogeneous on-premise and cloud assets
– Efficient SOC monitoring with OOTB content for modern threats (rules, anomalies etc.)
– Continuous threat intelligence context (URL/IP classification & reputation)
• Detect threats early using machine learning driven analytics and visualization
– Data access (SQL based) anomalies at the user, group, database and application level
– Nuanced anomalies through multi-dimensional baselines (ex: user logins by location, time, host etc.)
– User session awareness and attack chain visualization (ex: account hijacking)
• Harness OMC platform and cross-service context for richer security monitoring
– Multi-tier attacks (APT lateral movement) through OMC platform topology awareness
– Continuous configuration drift context in security monitoring
– SOC auto-remediation (account lockouts, port or other configuration change) with OMC Orchestration
Oracle Management Cloud – Manageability Edition (diagram)
One unified platform collecting across the stack: End User Experience (real users, synthetic users); Application (app metrics, transactions); Middle Tier and Data Tier (server metrics, diagnostics, logs); Virtualization Tier and Infrastructure Tier, VM and container (host metrics, VM metrics, container metrics); plus CMDB, tickets and alerts.
✔ Greater agility ✔ Increased efficiency ✔ Fewer outages
Oracle Management Cloud – Security Edition (diagram)
The same unified platform and tiers as the Manageability Edition, with security events, configuration data, identity context and threat intelligence added to the collected data.
✔ Greater agility ✔ Increased efficiency ✔ Fewer outages ✔ Better security
Oracle Identity SOC Framework (diagram)
Foundation: data, telemetry, analytics and security posture (applications, data and user activity analytics, threat intelligence, and compliance).
Pillars: User Security, Content Security, Configuration, Forensics.
Services: Security Monitoring & Analytics Cloud Service (SOC dashboard; automated response & remediation), CASB Cloud Service, Identity Cloud Service, Configuration & Compliance Cloud Service, Log Analytics Cloud Service.
Security Monitoring and Analytics Data Flow
COLLECT → ANALYZE → INVESTIGATE → RESPOND
• Collect: any activity (logs, metrics, transactions, config; on-premise and cloud) in any format, plus any context (assets, users, threats, vulnerabilities)
• Analyze: analytics built from correlation rules and machine learning, across the dimensions of users, assets and threats
• Investigate: dashboards, reports, search; triage
• Respond: orchestration, configuration
Consumers: SOC analyst and admin, SOC manager, incident response, auditors, CSO, CIO
Data Collection
• Heterogeneous activity data sources (formats, stacks, locations)
• Extensive data enrichment (identity, asset, threats)
• Hybrid configuration assessment results (from Configuration & Compliance Cloud Service)
Source categories:
– Host: Windows, Linux, Unix
– Point security solutions: Firewall, Proxy, VPN, IDS/IPS, AV, DLP, VA scanners, CASB, TIF
– Applications: Fusion apps, 3rd party applications, custom applications
– Cloud: IaaS, PaaS, SaaS
– Infrastructure: Directory services, Middleware, Database, Hypervisor
– Networking: DHCP, DNS, Load balancer, Flow, Router, Switch
Normalization Using Standard Event Format (SEF)
• Multi-entity event taxonomy for all log data types
• Auto-mapping for supported sources and extensibility with custom parser
• Faster onboarding, reduced training for SOC analysts
Example mapping: the source-specific identity field (LDAP "User Principal Name", Active Directory "User logon name", IDCS "Login") is mapped and normalized to the single Normalized Format field "Account Name".
Intuitive Categorization
• Natural language, device and vendor independent analysis
• OOTB categorization and extensibility with custom parser
• Faster onboarding, reduced training for SOC staff
Three raw failed-login records from different sources:

Windows security log (failed logon event body): Subject: Security ID: S-1-0-0 Account Name: <account name> Account Domain: <domain> Logon ID: 0x0 Logon Type: <type> Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: <account name> Account Domain: <domain> Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: <workstation name> Source Network Address: <IP address> Source Port: <port> Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0

Linux sshd (pam_unix): Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root

Application server log: 2012-01-10 01:44:14.630-05:00 Login using Standard Security with User='dahjkfd' 2012-01-10 01:44:14.864-05:00 Incorrect login/password. 2012-01-10 01:44:14.880-05:00 MsiSessionManager::LoginStandardUser(UserName=dahjkfd, MachineName=ServerMachine:10.16.154.13 ClientMachine:127.0.0.1): Authentication failed: hr=%3.

All three become the same categorized row:
Device Type | Event Category | Event Outcome | …
Host.windows | Authentication.Login | Failure | …
Host.linux | Authentication.Login | Failure | …
Application.<app> (name lost in extraction) | Authentication.Login | Failure | …
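The normalization and categorization shown on the last two slides (the SEF account-name mapping, and the three raw failed-login records each becoming one vendor-independent row), as an added example that is neither the deck's nor the service's parser code. The sample records are constructed: the Windows and application-server records are the slide templates with made-up values filled in, the sshd line is the slide's sample laid out as pam_unix actually writes it, and the device type "Application.microstrategy" is an inference from the MsiSessionManager class name because the slide's table cell is unreadable.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample records (not captured from a real system).
WINDOWS_FAILED_LOGON = (
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 "
    "Account Name: JDoe Account Domain: CORP Failure Information: "
    "Failure Reason: Unknown user name or bad password. Status: 0xc000006d "
    "Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 "
    "Caller Process Name: - Network Information: Workstation Name: WS042 "
    "Source Network Address: 10.1.2.3 Source Port: 51234 Detailed Authentication "
    "Information: Logon Process: NtLmSsp Authentication Package: NTLM"
)
SSHD_PAM_FAILURE = (
    "Jul  7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; "
    "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root"
)
MICROSTRATEGY_FAILURE = (
    "2012-01-10 01:44:14.880-05:00 MsiSessionManager::LoginStandardUser("
    "UserName=dahjkfd, MachineName=ServerMachine:10.16.154.13 "
    "ClientMachine:127.0.0.1): Authentication failed: hr=%3."
)
SAMPLES = [WINDOWS_FAILED_LOGON, SSHD_PAM_FAILURE, MICROSTRATEGY_FAILURE]


@dataclass
class NormalizedEvent:
    device_type: str
    event_category: str
    event_outcome: str
    account_name: str          # the single SEF-style field all sources map onto
    source_ip: Optional[str]
    detail: str


def normalize_account(raw: str) -> str:
    """Map an LDAP UPN, an AD DOMAIN\\user logon name or a plain login to one Account Name."""
    if "\\" in raw:
        raw = raw.rsplit("\\", 1)[1]
    if "@" in raw:
        raw = raw.split("@", 1)[0]
    return raw.strip().lower()


# One parser per source; the first Account Name after "Account For Which Logon Failed"
# is the target account, not the Subject (which is "-" for network logons).
_WIN = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s*(?P<user>\S+)\s+Account Domain:\s*(?P<domain>\S+)"
    r".*?Failure Reason:\s*(?P<reason>.*?)\s+Status:"
    r".*?Source Network Address:\s*(?P<ip>\S+)")
_SSH = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication (?P<outcome>failure|success);"
    r".*?rhost=(?P<ip>\S*)\s+user=(?P<user>\S*)")
_MSTR = re.compile(
    r"LoginStandardUser\(UserName=(?P<user>[^,]+),.*?ClientMachine:(?P<ip>[^)\s]+)\):"
    r"\s*Authentication (?P<outcome>failed|succeeded)")


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Categorize one raw line into the vendor-independent taxonomy, or None if unsupported."""
    m = _WIN.search(line)
    if m:
        return NormalizedEvent("Host.windows", "Authentication.Login", "Failure",
                               normalize_account(m["user"]), m["ip"], m["reason"])
    m = _SSH.search(line)
    if m:
        outcome = "Failure" if m["outcome"] == "failure" else "Success"
        return NormalizedEvent("Host.linux", "Authentication.Login", outcome,
                               normalize_account(m["user"]), m["ip"] or None, "pam_unix")
    m = _MSTR.search(line)
    if m:
        outcome = "Failure" if m["outcome"] == "failed" else "Success"
        # "microstrategy" is inferred from MsiSessionManager (assumption, see lead-in)
        return NormalizedEvent("Application.microstrategy", "Authentication.Login", outcome,
                               normalize_account(m["user"]), m["ip"], "LoginStandardUser")
    return None  # unrecognised source: hand off to a custom parser


def normalize_all(lines):
    return [ev for ev in map(normalize, lines) if ev is not None]


def summarize(events):
    """The slide's table: one row of (device type, category, outcome, account) per event."""
    return [(e.device_type, e.event_category, e.event_outcome, e.account_name) for e in events]


if __name__ == "__main__":
    for row in summarize(normalize_all(SAMPLES)):
        print(" | ".join(row))
```

The point of the three regexes is that everything downstream (rules, anomaly baselines, search) keys on `event_category`, `event_outcome` and `account_name` and never on a vendor's field names; adding a fourth source means adding one parser, not touching the detection content.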
Analysis: Session Awareness [Identity Correlation]
• Composite identity awareness
– Rich user data model and adapters for identity data sources enable 360 degree user monitoring across all identities
– Security logs are continuously enriched with user context
• Activity to identity extrapolation
– Logs with explicit identity context like VPN and IDM are used to sessionize and attribute identity to other logs that lack user context
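The activity-to-identity extrapolation described above, as an added example that is not part of the original slides or of the Oracle service: it sessionizes constructed VPN connect/disconnect lines (a hypothetical log format, not any vendor's) and attributes a user to firewall records that carry only a source address. It also covers the failure mode a practitioner cares about, a VPN address handed to a second user later in the day, so that an event in the gap between sessions stays unattributed rather than being pinned on the wrong person.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed VPN and firewall lines in hypothetical formats (not vendor output).
VPN_LOG = [
    "2017-10-03T09:00:00 vpn user=alice action=connect assigned_ip=10.8.0.5",
    "2017-10-03T09:30:00 vpn user=alice action=disconnect assigned_ip=10.8.0.5",
    "2017-10-03T10:00:00 vpn user=bob action=connect assigned_ip=10.8.0.5",
]
FIREWALL_LOG = [  # carries only the source address, no user field
    "2017-10-03T09:15:00 fw src=10.8.0.5 dst=10.20.0.11 dport=1521 action=allow",
    "2017-10-03T09:45:00 fw src=10.8.0.5 dst=10.20.0.11 dport=1521 action=allow",
    "2017-10-03T10:10:00 fw src=10.8.0.5 dst=10.20.0.12 dport=22 action=allow",
    "2017-10-03T10:12:00 fw src=10.8.0.99 dst=10.20.0.12 dport=22 action=deny",
]

_VPN = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) action=(?P<action>connect|disconnect) "
                  r"assigned_ip=(?P<ip>\S+)")
_FW = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
                 r"action=(?P<action>\S+)")


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime] = None   # None: still connected


def build_sessions(vpn_lines) -> List[Session]:
    """Pair connect/disconnect records per (user, ip) into identity sessions."""
    open_sessions, sessions = {}, []
    for line in vpn_lines:
        m = _VPN.match(line)
        if not m:
            continue
        ts, key = datetime.fromisoformat(m["ts"]), (m["user"], m["ip"])
        if m["action"] == "connect":
            open_sessions[key] = Session(m["user"], m["ip"], ts)
            sessions.append(open_sessions[key])
        elif key in open_sessions:
            open_sessions.pop(key).end = ts
    return sessions


def attribute(sessions, ts: datetime, ip: str) -> Optional[str]:
    """Return the user who held `ip` at `ts`, or None when no session covers that instant."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.end is None or ts <= s.end):
            return s.user
    return None


def enrich(sessions, fw_lines):
    """Add a `user` field to each firewall record from the VPN sessions (None if unattributable)."""
    out = []
    for line in fw_lines:
        m = _FW.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        out.append({"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                    "action": m["action"], "user": attribute(sessions, ts, m["src"])})
    return out


if __name__ == "__main__":
    for rec in enrich(build_sessions(VPN_LOG), FIREWALL_LOG):
        print(rec)
```

Unattributed records are left as `None` on purpose: guessing the nearest session would make address reuse look like one user's activity, which is exactly the attribution error an attack-chain view must avoid.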
Analysis: Context Awareness [Context Correlation]
Users
• Is this a privileged user?
• Is this user on a watchlist? (privileged, terminated, suspicious)
• Has this user (across identities) taken other anomalous actions?
Threats
• How reputable is a URL being accessed by an end user?
• Is the anomalous communication with a known malicious IP address?
• What category of sites poses the most risk given user browsing behavior?
Assets
• What is the business role, regulatory classification of a targeted asset?
• Is the asset tied to other recent suspicious or anomalous activity?
• What vulnerabilities is a server exposed to / not patched for?
Analysis: Flexible Correlation Engine
• Insider Threat: Brute force attack
– Rule: X failed logins + successful login within 1 min
– Context: Asset criticality = High
• Compliance: Account misuse (SOX)
– Rule: User account created & deleted within 24 hours
– Context: Asset role = Production; User Group = Accounting
• External Threat: Hijacked account
– Rule: Simultaneous user login from multiple locations
– Context: Login IP address on Latest Malicious IP watchlist
Rules Engine Primitives
✓ Aggregation ✓ Windowing ✓ Context lookups ✓ Escalation (watchlists) ✓ Sequence ✓ Presence/Absence …
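The three rules on this slide, as an added example that is not part of the original deck or of the service's rules engine. It exercises the windowing, sequence, context-lookup and watchlist-escalation primitives over a constructed, time-ordered event stream; the context tables ASSET_CONTEXT, USER_GROUP, MALICIOUS_IPS and GEO, the event field names, and the thresholds (5 failures, 1-minute, 24-hour and 10-minute windows) are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed context tables: stand-ins for the CMDB, identity store and
# threat feed that the slide's "Context" lines refer to (assumptions).
ASSET_CONTEXT = {
    "db01": {"criticality": "High", "role": "Production"},
    "ws042": {"criticality": "Low", "role": "Workstation"},
}
USER_GROUP = {"alice": "Accounting", "ap_temp": "Accounting", "bob": "Engineering", "carol": "Sales"}
MALICIOUS_IPS = {"203.0.113.9"}                                    # "Latest Malicious IP" watchlist
GEO = {"10.1.2.3": "US", "198.51.100.7": "DE", "203.0.113.9": "RU"}


class Correlator:
    """The slide's three rules over a time-ordered stream of dict events."""

    def __init__(self, failures=5, brute_window=timedelta(minutes=1),
                 lifecycle_window=timedelta(hours=24), travel_window=timedelta(minutes=10)):
        self.failures, self.brute_window = failures, brute_window
        self.lifecycle_window, self.travel_window = lifecycle_window, travel_window
        self._fail = defaultdict(deque)     # (user, asset) -> timestamps of recent failures
        self._created = {}                  # account -> creation time
        self._logins = defaultdict(deque)   # user -> (ts, ip) of recent successful logins
        self.alerts = []

    @staticmethod
    def _expire(dq, now, window, key=lambda x: x):
        """Windowing: drop entries older than `window` from the left of the deque."""
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def feed(self, ev):
        """Process one event; returns the alerts it raised."""
        before, kind = len(self.alerts), ev["event"]
        if kind == "login.failure":
            dq = self._fail[(ev["user"], ev["asset"])]
            self._expire(dq, ev["ts"], self.brute_window)
            dq.append(ev["ts"])
        elif kind == "login.success":
            self._brute_force(ev)
            self._hijacked_account(ev)
        elif kind == "account.create":
            self._created[ev["account"]] = ev["ts"]
        elif kind == "account.delete":
            self._account_misuse(ev)
        return self.alerts[before:]

    def _brute_force(self, ev):
        # Sequence: X failures then a success inside the window; context: asset criticality.
        dq = self._fail[(ev["user"], ev["asset"])]
        self._expire(dq, ev["ts"], self.brute_window)
        if len(dq) >= self.failures:
            crit = ASSET_CONTEXT.get(ev["asset"], {}).get("criticality")
            self.alerts.append({"rule": "brute_force", "user": ev["user"], "asset": ev["asset"],
                                "failures": len(dq), "severity": "High" if crit == "High" else "Medium"})
        dq.clear()

    def _account_misuse(self, ev):
        # Sequence: create then delete within 24 h; context: asset role and the account's group.
        created = self._created.pop(ev["account"], None)
        if created is None or ev["ts"] - created > self.lifecycle_window:
            return
        if (ASSET_CONTEXT.get(ev["asset"], {}).get("role") == "Production"
                and USER_GROUP.get(ev["account"]) == "Accounting"):
            self.alerts.append({"rule": "sox_account_misuse", "account": ev["account"],
                                "asset": ev["asset"], "lifetime": ev["ts"] - created})

    def _hijacked_account(self, ev):
        # Aggregation: successes from different countries inside the travel window;
        # escalation: severity rises when the new address is on the watchlist.
        dq = self._logins[ev["user"]]
        self._expire(dq, ev["ts"], self.travel_window, key=lambda x: x[0])
        here = GEO.get(ev["ip"], "unknown")
        elsewhere = {GEO.get(ip, "unknown") for _, ip in dq} - {here}
        if elsewhere:
            self.alerts.append({"rule": "hijacked_account", "user": ev["user"],
                                "locations": sorted(elsewhere | {here}),
                                "severity": "Critical" if ev["ip"] in MALICIOUS_IPS else "High"})
        dq.append((ev["ts"], ev["ip"]))


def run_scenario():
    """Constructed stream that exercises all three rules; returns the alerts raised."""
    at = lambda h, m, s=0: datetime(2017, 10, 3) + timedelta(hours=h, minutes=m, seconds=s)
    stream = []
    # bob: five failures within 40 s, then success on a High-criticality asset -> alert
    stream += [{"ts": at(12, 0, 10 * i), "event": "login.failure", "user": "bob", "asset": "db01", "ip": "10.1.2.3"} for i in range(5)]
    stream += [{"ts": at(12, 0, 50), "event": "login.success", "user": "bob", "asset": "db01", "ip": "10.1.2.3"}]
    # carol: five failures spread over three minutes, then success -> outside the window, no alert
    stream += [{"ts": at(13, 0, 45 * i), "event": "login.failure", "user": "carol", "asset": "ws042", "ip": "10.1.2.3"} for i in range(5)]
    stream += [{"ts": at(13, 3, 20), "event": "login.success", "user": "carol", "asset": "ws042", "ip": "10.1.2.3"}]
    # an Accounting account that lives 12 hours on a Production asset -> SOX alert
    stream += [{"ts": at(8, 0), "event": "account.create", "account": "ap_temp", "asset": "db01"},
               {"ts": at(20, 0), "event": "account.delete", "account": "ap_temp", "asset": "db01"}]
    # carol logs in from the US, then five minutes later from a watchlisted address -> escalated alert
    stream += [{"ts": at(14, 0), "event": "login.success", "user": "carol", "asset": "ws042", "ip": "10.1.2.3"},
               {"ts": at(14, 5), "event": "login.success", "user": "carol", "asset": "ws042", "ip": "203.0.113.9"}]
    c = Correlator()
    for ev in sorted(stream, key=lambda e: e["ts"]):
        c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The windows are enforced on every event, not only when a rule fires, so a slow attacker who spreads failures over minutes never accumulates into a brute-force match; that is the trade-off the slide's "low & slow" point refers to, and it is why the anomaly models on the next slide exist alongside the rules.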
Analysis: Machine Learning Based Anomaly Detection
• Multi-dimensional Anomaly Detection
– Baseline behavior for entity members AND peer groups (network access)
– Across multiple dimensions (time of access, login location, login host)
– Example: Diane G. is exhibiting anomalous access behavior relative to her peers
• Data Access Anomaly Detection
– Baseline SQL queries executed
– By a user/group, DB/DB group, or host/application
– Example: Queries being run against the finance database are anomalous
• Dynamic Peer Group Identification
– Cluster users based on common behavioral patterns
– Identifies peer groups across organizational boundaries
– Example: Alice is in Finance, but her behavior matches a peer group that mostly consists of SysAdmins
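A small illustration of two of the ideas on this slide, multi-dimensional baselines and dynamic peer groups, added here and not code from the deck or the service. The login history, the 4-hour time buckets, the 5% rarity threshold and the Jaccard-on-hosts peer grouping are all assumptions chosen to keep the mechanics visible; a production UEBA would use smoothed statistical models over many more dimensions. The scenario reproduces the slide's Alice: on the org chart she is Finance, but her host set clusters her with the SysAdmins, and her anomaly score is judged against that peer group.

```python
from collections import Counter, defaultdict

# Constructed login history (assumption): (user, org unit, hour of day, location, host).
HISTORY = [
    # Finance staff keep business hours from Austin against the finance apps
    *[("bob", "Finance", h, "Austin", host) for h in (9, 10, 14, 16) for host in ("fin-app", "hr-app")],
    *[("carol", "Finance", h, "Austin", host) for h in (8, 11, 13, 17) for host in ("fin-app", "hr-app")],
    # SysAdmins also keep business hours but touch the server estate
    *[("dave", "IT", h, "Austin", host) for h in (9, 12, 15) for host in ("db01", "web01", "jump01")],
    *[("erin", "IT", h, "Denver", host) for h in (10, 13, 16) for host in ("db01", "web01", "jump01")],
    # Alice sits in Finance on the org chart but behaves like a SysAdmin
    *[("alice", "Finance", h, "Austin", host) for h in (9, 11, 15) for host in ("db01", "web01", "jump01")],
]
DIMENSIONS = ("hour", "location", "host")


def _vector(hour, loc, host):
    """Dimension values for one login; hour is bucketed into 4-hour bins."""
    return (hour // 4, loc, host)


def profiles(history):
    """Per-user frequency table for each dimension: the individual baseline."""
    prof = defaultdict(lambda: {d: Counter() for d in DIMENSIONS})
    for user, _org, hour, loc, host in history:      # org unit deliberately ignored
        for d, v in zip(DIMENSIONS, _vector(hour, loc, host)):
            prof[user][d][v] += 1
    return prof


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def peer_groups(prof, min_similarity=0.5):
    """Cluster users by overlap of the hosts they access, across organizational boundaries."""
    groups = []   # list of (host set, members)
    for user, p in prof.items():
        hosts = set(p["host"])
        for group_hosts, members in groups:
            if jaccard(hosts, group_hosts) >= min_similarity:
                members.append(user)
                group_hosts.update(hosts)
                break
        else:
            groups.append((hosts, [user]))
    return [members for _, members in groups]


def frequency(counter, value):
    return counter[value] / max(1, sum(counter.values()))


def score(prof, groups, user, hour, loc, host, rare=0.05):
    """Flag each dimension whose value is rare for the user AND for the user's peer group."""
    peers = next((g for g in groups if user in g), [user])
    flags = {}
    for d, v in zip(DIMENSIONS, _vector(hour, loc, host)):
        own = frequency(prof[user][d], v)
        peer_total = sum(sum(prof[u][d].values()) for u in peers)
        peer = sum(prof[u][d][v] for u in peers) / max(1, peer_total)
        flags[d] = own < rare and peer < rare
    return {"user": user, "peers": sorted(peers), "flags": flags, "score": sum(flags.values())}


if __name__ == "__main__":
    prof = profiles(HISTORY)
    groups = peer_groups(prof)
    print("peer groups:", groups)
    print(score(prof, groups, "alice", 3, "Lagos", "db01"))   # off-hours, new location
    print(score(prof, groups, "bob", 10, "Austin", "db01"))   # Finance user on a server host
```

Requiring a value to be rare for both the individual and the peer group is what keeps a new hire, or a user whose own history is thin, from lighting up on every login: the peer baseline stands in until the personal one has enough weight.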
Security Monitoring and Analytics Service Architecture
Security Monitoring and Analytics leverages Oracle Management Cloud (OMC) Platform
• Topology awareness
– Lateral movement within application
– Multi-tier attack within application
• Orchestration/Remediation
– Execute configuration assessment
– Change user privileges
• Cross service visibility
– Configuration assessment results
– Operational metrics (CPU, memory etc.)
• Modern service platform benefits
– Scale, Availability, Security
Security Monitoring and Analytics Cloud Service (diagram)
Monitor assets anywhere: private cloud and traditional on premises.
OMC services on one platform: Application Performance Monitoring, Log Analytics, Infrastructure Monitoring, Compliance, Orchestration, Security Monitoring & Analytics.
OMC Client Deployment Architecture (diagram)
• Monitored servers (SaaS, PaaS, IaaS, infra servers, internal and external compute, syslog, cloud security; Exadata servers, Windows servers & Linux VMs) run the OMC Cloud Agent.
• Agents report through a pool of Gateways and the corporate proxy server, over HTTPS across the Internet, into the Oracle Cloud data centers (DC1 and DC2, each behind a service firewall).
• SecOps users access the cloud portal; the OMC services (Application Performance Monitoring, Log Analytics, Infrastructure Monitoring, Compliance, Orchestration, Security Monitoring & Analytics) are hosted in both data centers.
Conclusion: Security Monitoring & Analytics Cloud Service
Unified security monitoring (SIEM + UEBA)
• Protect Against Known and Unknown Threats
– Universal threat visibility
– SOC-ready content
– External threat feeds
• Advanced Threat Analytics and Visualization
– Unauthorized data access detection
– Multi-dimensional behavioral anomaly detection
– Session awareness and attack chain visualization
• Next-Generation Security Solution
– Topology awareness
– Configuration change awareness
– Auto-remediation
Learn More: Security Monitoring and Analytics
Demo Grounds
• 2017 - Security Monitoring and Analytics for Hybrid Cloud Environments with Oracle Management Cloud
• 2019 - Continuous Compliance Management of Hybrid Cloud Environments with Oracle Management Cloud
HOL
• Security and Compliance for Hybrid Clouds with Oracle Management Cloud, HOL7821 – Tue Oct 3 and Wed Oct 4, 9:45 a.m. - 10:45 a.m., Hilton San Francisco Union Square (Ballroom Level) - Continental Ballroom 7

Sign Up for Free Trial
https://cloud.oracle.com/tryit

Learn More About Oracle Security
Oracle.com/Security
Blogs.Oracle.com/CloudSecurity
@OracleSecurity
/OracleSecurity