
Oracle Management Cloud (OMC)

Security Modules

June 2017

Chetan Vithlani
Principal SC SCC Solutions - InfoSec

Copyright 2016, Oracle and/or its affiliates. All rights reserved. | Confidential Oracle Internal/Restricted/Highly Restricted
Brief Introduction
Cyber, Cloud and Information Security Solutions Architect
AIOUG Bangalore Chapter, Founding and Core team member
Over 2 decades of Global IT Industry experience across BFSI, Telco, Healthcare domains
Certifications
Oracle Database RAC 12c certified implementation specialist
Oracle Database 12c certified implementation specialist
30+ Public events and 70+ customer facing sessions
Social: Twitter: CMVithlani, LinkedIn: https://in.linkedin.com/in/chetanvithlani
Blogs: https://www.linkedin.com/today/posts/chetanvithlani
YouTube: https://www.youtube.com/watch?v=Mr6ByIPIwns



Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda

1 Introduction to Oracle Management Cloud (OMC)


2 Cyber Security challenges
3 OMC Security Solutions
4 Demo
5 Q&A



Our Vision
Complete, integrated suite of Security management solutions
Designed for heterogeneous applications and infrastructure
Rapid time to value

[Figure: suite components shown are Infrastructure Monitoring, Application Performance Monitoring, Log Analytics, IT Analytics, Orchestration, Compliance and Security Monitoring & Analytics, with On Premise assets among the managed targets]


Growing Impact of Cybersecurity

Year   Organization   Breach scale
2015   eBay           148M customer records
2016   MySpace        360M emails, 427M passwords, 111M usernames
2016   Yahoo          1 Billion+ user accounts

Why Aren't Security Teams Able to Keep Up

Shrinking Visibility
- Cloud, BYOD reduce perimeter security efficacy
- DevOps multiplies change rates
- Shrinking window to catch vulnerable config

Growing Detection Gap
- Zero day attacks require anomaly detection
- Low & slow, multi-stage threats require sequence awareness
- Targeted attacks require identity awareness

Falling Efficiency
- More assets, more security tools, more alerts
- Staffing shortages
- Negative impact on SOC metrics

Cyber Kill Chain

Recon -> Infiltration -> Lateral Movement -> Exfiltration

Current Solution: Fragmented and Integration Intensive

Point tools in today's stack:
- UEBA (User and Entity Behavior Analytics): user context, anomaly detection
- SIEM (Security Information and Event Management): security context, rules based detection
- Log Management: raw logs, forensic search, IT ops analytics
- Configuration Management: secure state, configuration auditing

Cost of stitching them together:
- Integration overhead in perpetuity
- Multiple UIs, support lines, M&A risk
- Redundancy within each segment
- Lacking operational awareness
- Scale, delivery model discrepancies

Security Monitoring and Compliance Redefined

Oracle Management Cloud
- Integrated SIEM/UEBA, log, configuration management
- SMB to F100 trusted vendor globally
- Heterogeneous coverage across cloud and on-premise assets
- Adds unique operational intelligence critical to modern threat detection
- Delivered as cloud service suite for rapid time to value, ease of expansion/scale

Two security services: Security Monitoring and Analytics; Configuration and Compliance

OMC Security Data Flow

COLLECT: any activity (logs, flows, metrics, transactions, config; on-premise and cloud) plus any context (assets, users, threats, vulnerabilities)
ANALYZE: analytics built from correlation rules and machine learning
INVESTIGATE: formats (dashboards, reports, search) across dimensions (users, assets, threats)
RESPOND: triage (incidents, workflow, configuration)

Consumers: SOC Analyst, Admin; SOC Manager; Incident Response; Auditors; CSO, CIO

Collection: Standardized Event Format
Comprehensive, multi-entity taxonomy spanning all data sources
Auto-mapping for supported sources and extensibility with custom parser
Faster onboarding, reduced training for SOC analysts

Mapping into the normalized format, identity field example:
  Active Directory "User logon name"   ->  Account Name
  IDCS "Login"                         ->  Account Name
  LDAP "UserPrincipalName"             ->  Account Name
Collection: Intuitive Categorization
Natural language, device and vendor independent analysis
OOTB categorization for common sources; extensibility with flex parser
Faster onboarding, reduced training for SOC staff

Device Type       Event Category         Event Outcome
Host.windows      Authentication.login   Failure
Host.linux        Authentication.login   Failure
Application.BI    Authentication.login   Failure
Analysis: Session Awareness [Identity Correlation]
Activity to identity extrapolation (diagram: activity from VPN, AD and DHCP logs resolved to one user, "Alex Smith")
- VPN logs, AD logs, DHCP logs
- Logs with explicit identity context
Composite identity awareness
- User model and identity adapters
- Enriched events with user context
Faster time to mitigation
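Most network-side evidence (proxy, firewall, flow records) carries only an IP address. Identity correlation resolves that IP to a user by chaining the logs that do carry identity: a VPN session binds user to assigned IP between connect and disconnect; a DHCP lease binds IP to host for the lease lifetime; an AD interactive logon binds host to user until the next logon on that host. The following is an added example of that sessionization, not Oracle code; all records are constructed and the binding rules just stated are assumptions chosen for the demonstration. It also covers the address-reuse edge case: the same IP leased to a different laptop later in the day must attribute to the other user.

```python
"""Attribute IP-keyed activity to a user via VPN, DHCP and AD logon logs.

Added example (not Oracle code). All records are constructed. The binding
rules (VPN session binds user->IP between connect and disconnect; DHCP
lease binds IP->host for its lease time; AD logon binds host->user until
the next logon on that host) are assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass(frozen=True)
class Interval:
    start: datetime
    end: datetime
    key: str     # ip or host
    value: str   # user or host

    def covers(self, t: datetime) -> bool:
        return self.start <= t < self.end


# Constructed source logs -------------------------------------------------
VPN_LOG = [   # (time, user, assigned ip, action)
    ("2017-06-01T08:00:00", "alice", "10.8.0.5", "connect"),
    ("2017-06-01T12:00:00", "alice", "10.8.0.5", "disconnect"),
]
DHCP_LOG = [  # (time, ip, host, lease seconds)
    ("2017-06-01T08:30:00", "10.0.1.7", "LAPTOP-A", 3600),
    ("2017-06-01T09:30:00", "10.0.1.7", "LAPTOP-A", 3600),   # renewal
    ("2017-06-01T11:00:00", "10.0.1.7", "LAPTOP-B", 3600),   # address reused
]
AD_LOGON_LOG = [  # (time, user, host), e.g. Windows 4624 interactive logon
    ("2017-06-01T08:31:00", "alice", "LAPTOP-A"),
    ("2017-06-01T11:02:00", "bob",   "LAPTOP-B"),
]
FAR_FUTURE = ts("2100-01-01T00:00:00")


def build_bindings():
    vpn, dhcp, host_user = [], [], []
    open_vpn = {}
    for t, user, ip, action in VPN_LOG:
        if action == "connect":
            open_vpn[(user, ip)] = ts(t)
        else:
            vpn.append(Interval(open_vpn.pop((user, ip)), ts(t), ip, user))
    for (user, ip), start in open_vpn.items():      # still connected
        vpn.append(Interval(start, FAR_FUTURE, ip, user))
    for t, ip, host, lease in DHCP_LOG:
        dhcp.append(Interval(ts(t), ts(t) + timedelta(seconds=lease), ip, host))
    logons = sorted((ts(t), user, host) for t, user, host in AD_LOGON_LOG)
    for i, (t, user, host) in enumerate(logons):
        # valid until the next logon on the same host
        nxt = next((t2 for t2, _, h2 in logons[i + 1:] if h2 == host), FAR_FUTURE)
        host_user.append(Interval(t, nxt, host, user))
    return vpn, dhcp, host_user


def _lookup(intervals, key, t) -> Optional[str]:
    """Most recent binding for *key* that covers *t* (later renewals win)."""
    hits = [iv for iv in intervals if iv.key == key and iv.covers(t)]
    return max(hits, key=lambda iv: iv.start).value if hits else None


def attribute(ip: str, when: str, bindings=None) -> Optional[Tuple[str, str]]:
    """Return (user, evidence) for activity from *ip* at *when*, or None."""
    vpn, dhcp, host_user = bindings or build_bindings()
    t = ts(when)
    user = _lookup(vpn, ip, t)
    if user:
        return user, "vpn"
    host = _lookup(dhcp, ip, t)
    if host:
        user = _lookup(host_user, host, t)
        if user:
            return user, f"dhcp+ad({host})"
    return None


# Constructed activity that carries only an IP for identity.
ACTIVITY = [  # (time, src ip, what)
    ("2017-06-01T09:15:00", "10.0.1.7", "proxy: dropbox.com"),
    ("2017-06-01T10:00:00", "10.8.0.5", "fw: db01:1521"),
    ("2017-06-01T11:30:00", "10.0.1.7", "proxy: dropbox.com"),
    ("2017-06-01T13:00:00", "10.8.0.5", "fw: db01:1521"),
]


def enrich(activity=ACTIVITY):
    b = build_bindings()
    return [(t, ip, what, attribute(ip, t, b)) for t, ip, what in activity]


if __name__ == "__main__":
    for row in enrich():
        print(row)
```

Two details matter in practice: bindings are time intervals, not a static IP-to-user table, so the 11:30 proxy hit from 10.0.1.7 goes to bob (the address was re-leased to LAPTOP-B at 11:00), and an event after the VPN disconnect at 13:00 is left unattributed rather than guessed, which is the right failure mode for evidence that will end up in an incident ticket.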

Investigation: SOC Ready Content
Curated dashboards: Users, Assets, Threats
Domain specific activity dashboards: Access and authentication; Cloud service activity; Database activity; DNS activity

External Threat Scenario

THREAT SCENARIO
- DBA compromised by spear-phishing attack
- Malware harvests credentials, queries DBs over time
- Malware contacts external command & control hosts

SECURITY CHALLENGE
- 0-day attack evades perimeter/endpoint protection
- Static, frequency based rules miss low & slow attack
- No ability to detect anomalous SQL queries by user

OMC SMA SOLUTION
- SQL anomaly detection identifies anomalous SQL query for DBA account
- Attributes account to specific user & adds user to watch list for closer monitoring
- Raises user risk score based on anomalous behavior
- Visually presents sequence of attack chain

OMC SMA ENABLING FEATURES
- SQL query anomaly detection
- User attribution across identities
- Watchlist based threat escalation
- Multi-dimensional behavioral anomaly detection
- Cyber kill chain visualization
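The scenario's point is that a frequency threshold never fires on a stolen DBA credential that issues a handful of queries per night, but a per-user baseline does: what that account normally touches (v$session, dba_tables) and the shape of its usual statements are known, so a first-ever read of a customer table at 02:00 is a departure regardless of volume. The following is an added example of that mechanism, not Oracle code; the audit records, the scoring weights, the "sensitive table" list and the watchlist threshold are constructed or assumed, and the numbers exist only to show how risk accumulates step by step.

```python
"""Per-user SQL baseline, anomaly scoring, risk score and watchlist.

Added example (not Oracle code). The audit records, the scoring weights
and the watchlist threshold are constructed/assumed; the point is the
mechanism (fingerprint queries per user, score departures from that
user's own history, escalate via a watchlist), not the numbers.
"""
import re
from collections import defaultdict

_LITERALS = re.compile(r"'[^']*'|\b\d+\b")
_TABLES = re.compile(r"\b(?:from|join|into|update)\s+([\w$.]+)", re.I)


def fingerprint(sql: str) -> str:
    """Statement shape: literals replaced by '?', whitespace/case folded."""
    shape = _LITERALS.sub("?", sql.lower())
    return " ".join(shape.split())


def tables(sql: str) -> set:
    return {t.lower() for t in _TABLES.findall(sql)}


# Scoring weights and sensitive tables (assumed for the demonstration).
W_NEW_TABLE, W_NEW_SHAPE, W_OFF_HOURS, W_SENSITIVE = 30, 10, 10, 20
SENSITIVE = {"customers", "cards", "users"}
WATCHLIST_THRESHOLD = 50
WORK_HOURS = range(8, 19)


class SqlAnomalyDetector:
    def __init__(self):
        self.shapes = defaultdict(set)    # user -> known fingerprints
        self.tables = defaultdict(set)    # user -> known tables
        self.risk = defaultdict(int)      # user -> accumulated risk score
        self.watchlist = set()

    def learn(self, user, sql):
        """Feed known-good history (baseline window)."""
        self.shapes[user].add(fingerprint(sql))
        self.tables[user] |= tables(sql)

    def score(self, user, sql, hour):
        """Points for this query relative to *user*'s own baseline."""
        reasons, pts = [], 0
        new_tables = tables(sql) - self.tables[user]
        if new_tables:
            pts += W_NEW_TABLE
            reasons.append(f"new tables {sorted(new_tables)}")
        if new_tables & SENSITIVE:
            pts += W_SENSITIVE
            reasons.append("sensitive table")
        if fingerprint(sql) not in self.shapes[user]:
            pts += W_NEW_SHAPE
            reasons.append("new statement shape")
        if hour not in WORK_HOURS:
            pts += W_OFF_HOURS
            reasons.append(f"off-hours ({hour:02d}:00)")
        self.risk[user] += pts                # risk accumulates: low & slow still adds up
        if self.risk[user] >= WATCHLIST_THRESHOLD:
            self.watchlist.add(user)          # escalate for closer monitoring
        self.learn(user, sql)                 # the query is now part of history
        return pts, reasons


# Constructed audit trail for the DBA account.
BASELINE = [
    "select sid, status from v$session where username = 'APP'",
    "select table_name from dba_tables where owner = 'APP'",
    "alter system kill session '123,45'",
]
LIVE = [  # (hour, sql) issued later by the same account
    (10, "select sid, status from v$session where username = 'BATCH'"),   # normal
    (2,  "select card_number, expiry from customers where id < 1000"),    # anomalous
    (3,  "select card_number, expiry from customers where id < 2000"),    # repeat
]


def run(detector=None):
    d = detector or SqlAnomalyDetector()
    for sql in BASELINE:
        d.learn("dba", sql)
    results = [d.score("dba", sql, hour) for hour, sql in LIVE]
    return d, results


if __name__ == "__main__":
    d, results = run()
    for (hour, sql), (pts, why) in zip(LIVE, results):
        print(f"{pts:3d} {why} :: {sql}")
    print("risk:", dict(d.risk), "watchlist:", d.watchlist)
```

The first live query scores zero: same table, same statement shape, working hours. The second scores on four dimensions at once (new table, sensitive table, new shape, off-hours) and pushes the account over the watchlist threshold; the third, identical in shape, still adds off-hours points, so the risk score keeps climbing across the "over time" phase of the scenario instead of resetting each night.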

Insider Threat Scenario

THREAT SCENARIO
- New call center rep accesses several customer records
- Accesses customer support app out of shift hours
- Uses file sharing service from work

CUSTOMER CHALLENGE
- Static rules don't catch anomalous app activity
- No activity sequence awareness
- No cloud activity access or visibility

OMC SMA SOLUTION
- Watchlist driven new employee monitoring
- Peer baseline comparison shows anomalous access relative to shift team
- Proxy logs reveal repeated file sharing service access
- Policy based remediation triggers temporary account disablement till further investigation

OMC SMA ENABLING FEATURES
- Rule logic integration with watchlists
- Peer group based anomaly detection
- Sequence driven correlation rule logic
- Multi-dimensional behavioral anomaly detection
- Policy based runbook orchestration & automation
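Each step of this scenario is unremarkable on its own (a rep reads records, someone works late, a proxy sees a file-sharing domain); the detection comes from comparing the rep against the shift's peer group rather than a fixed count, and from requiring the steps in sequence, within a window, for a watchlisted user, before a runbook acts. The following is an added example of that combination, not Oracle code; the records and timeline are constructed, the robust z-score cutoff and the sequence window are assumptions, and disable_account() only simulates the policy action an orchestration step would take.

```python
"""Peer-group anomaly, shift check, sequence rule and automated runbook.

Added example (not Oracle code). Every record below is constructed, the
statistical cutoff (robust z-score > 3.5 against the rep's peer group) and
the sequence rule window are assumptions, and disable_account() only
simulates the policy action an orchestration step would take.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

SHIFT = {"day": range(9, 18)}             # shift name -> working hours (assumed)
WATCHLIST = {"newrep"}                    # e.g. employees in their first 90 days
FILE_SHARING = {"dropbox.com", "wetransfer.com"}
SEQUENCE_WINDOW = timedelta(hours=6)

# Constructed: customer records accessed per rep today (peer group = day shift)
RECORDS_PER_DAY = {
    "rep01": 7, "rep02": 9, "rep03": 8, "rep04": 10, "rep05": 6, "newrep": 48,
}
PEERS = {"day": ["rep01", "rep02", "rep03", "rep04", "rep05", "newrep"]}
# Constructed timeline of raw events: (time, user, source, detail)
EVENTS = [
    ("2017-06-01T21:40:00", "newrep", "app",   "record_access"),
    ("2017-06-01T22:05:00", "newrep", "proxy", "dropbox.com"),
    ("2017-06-01T22:09:00", "newrep", "proxy", "dropbox.com"),
    ("2017-06-01T10:15:00", "rep02",  "proxy", "dropbox.com"),
]


def peer_anomaly(user, group, counts, cutoff=3.5):
    """Robust z-score of *user* vs. peers (median/MAD), not a static threshold."""
    peers = [counts[p] for p in group if p != user]
    med = statistics.median(peers)
    mad = statistics.median(abs(x - med) for x in peers) or 1.0
    z = 0.6745 * (counts[user] - med) / mad
    return z > cutoff, round(z, 2)


def off_shift(t: datetime, shift="day"):
    return t.hour not in SHIFT[shift]


def disable_account(user):
    """Simulated runbook step; a real one would call the IdP/AD API."""
    return {"action": "disable", "user": user, "status": "pending_investigation"}


def evaluate(events=EVENTS, counts=RECORDS_PER_DAY):
    """Sequence rule: anomalous volume -> off-shift app access -> file sharing
    (2+) within SEQUENCE_WINDOW, for a watchlisted user, triggers the runbook."""
    by_user = defaultdict(list)
    for t, user, src, detail in sorted(events):
        by_user[user].append((datetime.fromisoformat(t), src, detail))
    findings, actions = {}, []
    for user, evs in by_user.items():
        anomalous, z = peer_anomaly(user, PEERS["day"], counts)
        steps = []
        if anomalous:
            steps.append(f"volume z={z}")
        off = [t for t, src, d in evs if src == "app" and off_shift(t)]
        if off:
            steps.append(f"off-shift access {off[0].time()}")
        shares = [t for t, src, d in evs if src == "proxy" and d in FILE_SHARING]
        if len(shares) >= 2 and off and shares[-1] - off[0] <= SEQUENCE_WINDOW:
            steps.append(f"{len(shares)}x file sharing")
        findings[user] = steps
        if user in WATCHLIST and len(steps) == 3:
            actions.append(disable_account(user))
    return findings, actions


if __name__ == "__main__":
    f, a = evaluate()
    print(f)
    print(a)
```

Note what does not fire: rep02 also visits dropbox.com, but is within the peer distribution, is on shift, and has no preceding anomalous access, so the rule produces no steps and no action. The median/MAD baseline also means one outlier (newrep's 48) does not inflate the threshold for everyone else the way a mean-based one would.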

Introducing Oracle Identity SOC Solution
One-Stop SOC Dashboard: Security Monitoring & Analytics + Compliance Cloud Services
Pillars: Content Security, User Security, Network Security
Services: Cloud Security Service, Identity Cloud Service, API Platform Cloud Service
Security Posture: applications, data and user activity analytics, threat intelligence, and compliance
Automated Incident Response & Remediation

Comprehensive View of Security Posture and Threats

[Figure: an intelligent, unified platform, powered by machine learning, informed by a complete data set, heterogeneous and open. Tiers feeding it: End user experience/activity, Application, Middle tier, Data tier, Virtualization tier (VM, Container), Infrastructure tier. Data sources shown: CASB, Identity, Real Users, Synthetic Users, App metrics, Transactions, Server metrics, Diagnostics, Logs, Host metrics, VM metrics, Container metrics, CMDB/Compliance, Tickets, Alerts, Security Events, Global Threat Feeds]


Why The Security Problem is Perfect for Machine Learning

Massive volume

Highly patterned

Predictable format

Possible to unify data

Exhibits long-term trends

Sources constantly change



Purpose-Built Machine Learning Answers Top Questions
- What caused the breach?
- How do I prevent the problem in the future?
- Is what I'm seeing normal or abnormal?
- What areas can I harden, and how?
- What is the biggest threat?
- What do I need to pay attention to right now?
- Should I be concerned about what this user is doing?
- What will happen tomorrow?



Security Monitoring and Analytics Cloud Service
Comprehensive Detection
Any log, any intelligence feed, any metric, any
location (on-premises or cloud)
Rapid Investigation
Intuitive visualization of threats and early
warning signs
Intelligent Remediation
Powerful auto-remediation framework for any IT
stack
Faster Time to Value
Next-gen cloud service with SOC ready content

Configuration and Compliance Cloud Service
Standards Based
Execute industry standard compliance benchmarks
at cloud scale
Application & Cloud Aware
Assess compliance against infrastructure and
applications stacks, on-premises or in the cloud
Efficient & Actionable
Quickly determine your enterprise compliance
posture and remediate violations
Extensible
Execute custom scripts and enforce your
organization's standards
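A compliance service of this kind is a rule engine over collected configuration: each benchmark control is a check against parsed settings, a failing check carries its remediation, and "custom scripts" simply means the organization can add its own checks alongside the standard ones. The following is an added example of that assessment loop, not Oracle code; the sshd_config text is constructed, the rules are CIS-style hardening checks written for this demonstration rather than an official benchmark or its control numbers, and the remediation strings are illustrative.

```python
"""Benchmark-style configuration assessment with custom (script) rules.

Added example (not Oracle code). The sshd_config text is constructed, the
rules are CIS-style hardening checks written for this demonstration (not
an official benchmark or its control numbers), and remediation strings
are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    id: str
    title: str
    check: Callable[[Dict[str, str]], bool]   # True == compliant
    remediation: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword/value pairs, case-insensitive keys, first occurrence wins
    (sshd itself uses the first value it sees for a keyword). The
    'Keyword=value' spelling sshd also accepts is not handled here."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg


def equals(key, want):
    return lambda cfg: cfg.get(key, "").lower() == want


def at_most(key, limit, default):
    return lambda cfg: int(cfg.get(key, default)) <= limit


RULES: List[Rule] = [
    Rule("SSH-01", "Root login disabled", equals("permitrootlogin", "no"),
         "Set 'PermitRootLogin no' in /etc/ssh/sshd_config"),
    Rule("SSH-02", "Password authentication disabled",
         equals("passwordauthentication", "no"),
         "Set 'PasswordAuthentication no' and deploy keys"),
    Rule("SSH-03", "Empty passwords rejected", equals("permitemptypasswords", "no"),
         "Set 'PermitEmptyPasswords no'"),
    Rule("SSH-04", "MaxAuthTries <= 4", at_most("maxauthtries", 4, "6"),
         "Set 'MaxAuthTries 4'"),
    # "Execute custom scripts": any callable can be a rule, e.g. an org standard.
    Rule("ORG-01", "Banner points at corporate notice",
         lambda cfg: cfg.get("banner", "").startswith("/etc/issue"),
         "Set 'Banner /etc/issue.net'"),
]


def assess(text: str, rules=RULES):
    cfg = parse_sshd_config(text)
    findings = []
    for r in rules:
        ok = r.check(cfg)
        findings.append({"id": r.id, "title": r.title,
                         "status": "PASS" if ok else "FAIL",
                         "remediation": None if ok else r.remediation})
    passed = sum(f["status"] == "PASS" for f in findings)
    return {"score": round(100 * passed / len(findings)), "findings": findings}


# Constructed config with a mix of compliant and drifted settings.
SAMPLE_SSHD_CONFIG = """
# managed by config tool
PermitRootLogin yes          # drift: should be no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 6
MaxAuthTries 3               # ignored: sshd takes the first value
Banner none
"""

if __name__ == "__main__":
    report = assess(SAMPLE_SSHD_CONFIG)
    print("score:", report["score"])
    for f in report["findings"]:
        print(f["id"], f["status"], f["remediation"] or "")
```

The parser deliberately mirrors sshd's first-value-wins rule: a second `MaxAuthTries 3` line appended by someone "fixing" the host does nothing, and an assessment that naively took the last value would report the control as passing while the daemon still allows six attempts. Running the same rule set on a schedule is what turns a one-off benchmark into the continuous assessment and drift analysis the later slides describe.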

Unified Data, Comprehensive Suite

Suite: Infrastructure Monitoring, Application Performance Monitoring, Log Analytics, Orchestration, Compliance, IT Analytics, Security Monitoring & Analytics

What one data platform adds for security:
- Application topology awareness: lateral movement within application; multi-tier attack within application
- Orchestration/Remediation: execute configuration assessment; change user privileges
- Full visibility across stack and clouds: end-user activity; application and infrastructure logs; configuration assessment results; operational metrics (CPU, memory etc.)
Unified Data, Machine Learning: Better Security
Oracle Management Cloud

Increased Analysis Sophistication: anomaly detection; attack chain awareness; 360 user & identity awareness
Complete Visibility: cross-cloud monitoring; user sessionization; complete identity management
Managed Change: continuous assessment; benchmarking; drift analysis; real-time remediation
Turbo-charged IdentitySOC: risk based prioritization; single pane of glass; stack-independent orchestration

For More Information

Cloud.oracle.com/management

#MgmtCloud
@OracleMgmtCloud community.oracle.com/mgmtcloud

