Oracle Audit Vault and Database Firewall

Transcription

1 Oracle Audit Vault and Database Firewall Matteo Galimberti, Solution Account Manager BSC Consulting Paolo Marchei, Principal Sales Consultant Oracle Italia

2 Billions of Database Records Breached Globally 97% of Breaches Were Avoidable with Basic Controls 98% records stolen from databases 84% records breached using stolen credentials 71% fell within minutes 92% discovered by third party 2

3 Why are Databases so Vulnerable? 80% of IT Security Programs Don t Address Database Security Forrester Research Network Security Enterprises are taking on risks that they may not even be aware Authentication & User Security SIEM of. Especially as more and more attacks against databases exploit legitimate access. Security Database Security Web Application Firewall Endpoint Security 3

4 Oracle Database Security Solutions Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 4

5 Oracle Database Security Solutions Detect and Block Threats, Alert, Audit and Report PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 5

6 Oracle Audit Vault and Database Firewall New Solution for Oracle and Non-Oracle Databases Users Applications Database Firewall Allow Log Alert Substitute Block Firewall Events Auditor Security Manager Reports Alerts Policies! Audit Vault Audit Data OS, Directory, File System & Custom Audit Logs 6

7 Oracle AVDF Accuracy Why is understanding SQL critical? SQL is a language with about 400 key words and a strict grammar structure (ISO SQL spec pages): SELECT id, username, password, acccount_no FROM tbl_users WHERE username = Bill AND account_no BETWEEN AND ; OPERATORS KEY SCHEMA DATA WORDS Unless the grammar and structure of the language is known, then errors are made when analysing SQL UPDATE tbl_users SET comments = The user has asked for another account_no, and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month WHERE id = A ; 7

8 False Alarms are too costly 8

9 False Alarms are too costly 9

10 The cost of inaccuracy 10

11 Oracle AVDF Accuracy Oracle AVDF can understand every SQL interaction and correctly segregate it based on the intent of the transaction. Uses semantic analysis of the grammar and structure of a SQL transaction to determine all of the relevant information about a query. Can also associate attributes with a SQL transactions such as who, what, when, from where, by whom, with what and what happened. 11

12 Oracle DB Auditing: Fine-Grained Auditing Audit Policy AUDIT_CONDITION : NAME!= USER AUDIT_COLUMN = SALARY Not audited SELECT name, job, deptno FROM emp Audit Records (FGA_LOG$) SELECT name, salary FROM emp <timestamp>, <SCN>, <userid>, etc. SELECT name, salary FROM emp 12

13 Oracle Audit Vault and Database Firewall SQL Injection Protection with Positive Security Model SELECT * from stock where catalog-no='phe8131' White List Allow Applications SELECT * from stock where catalog-no= ' union select cardno,0,0 from Orders -- Block Databases Allowed behavior can be defined for any user or application Automated white list generation for any application Out-of-policy database transaction detected and blocked/alerted 13

14 Oracle Audit Vault and Database Firewall Enforcing Database Activity with Negative Security Model DBA activity from Application? DBA activity from Approved Workstation SELECT * FROM v$session SELECT * FROM v$session Black List Block Allow + Log Stop specific unwanted SQL interactions, user or schema access Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name etc Provide flexibility to authorized users while still monitoring activity 14

15 Oracle Audit Vault and Database Firewall Comprehensive Enterprise Audit and Log Consolidation Databases: Oracle, SQL Server, DB2 LUW, DB2 z/os*, Sybase ASE New Audit Sources Operating Systems: Microsoft Windows, Solaris Directory Services: Active Directory File Systems: Oracle ACFS Audit Collection Plugins for Custom Audit Sources XML file maps custom audit elements to canonical audit elements Collect and map data from XML audit file and database tables * Third party integration by BSC Consulting Spa & AlfaGroup 15

16 Oracle Audit Vault and Database Firewall Solution for DB2 on z/os Users Applications Database Firewall Allow Log Alert Substitute Block Firewall Events Intercept SQL Write Recorder DAEMON Applies Rules Generates Alerts & SQL Statistics Auditor Security Manager Reports Alerts Policies! Audit Data Audit Vault Integration by 16

17 Oracle Database Security Solutions Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 17

18 Governance & Compliance regulations 18

19 Catalog Sensitive Data in Your Enterprise Databases Person Name Maiden Name Business Address Business Telephone Number Business Address Custom Name Employee Number User Global Identifier Party Number or Customer Number Account Name Mail Stop GPS Location Student Exam Hall Ticket Number Club Membership ID Library Card Number Identity Card Number Instant Messaging Address Web site National Identifier Passport Number Driver s License Number Personal Address Personal Telephone Number Personal Address Visa Number or Work Permit Bank Account Number Card Number (Credit or Debit Card Number) Tax Registration Number or National Tax ID Person Identification Number Welfare Pension Insurance Number Unemployment Insurance Number Government Affiliation ID Military Service ID Social Insurance Number Pension ID Number Article Number Civil Identifier Number Hafiza Number Social Security Number Trade Union Membership Number Pension Registration Number National Insurance Number Health Insurance Number Personal Public Service Number Electronic Taxpayer Identification Number Biometrics Data Digital ID Citizenship Number Voter Identification Number Residency Number (Green Card) Business-driven Criteria: Violate government regulations Violate business regulations Damage shareholder value through loss of Market capital Valuation Reputation Customers Lawsuits Business-driven 19

20 Sensitive Data Discovery Find and Catalog Sensitive Data Data Finder Patterns Table Name: EMP* Column Name *SSN* Data Format ### - ## - #### Enterprise Data Sources Define pattern match rules for Tables, columns and data Connect to Databases Search for Data Finder patterns across databases 4. Data Privacy Catalog New database fields added and then protected PERSON_SSN, EMP_SSN, SOC_SEC_NUM 3. Data Finder Reports Data Finder Results Results rendered by confidence factor Relevant database fields imported into the Data Privacy Catalog 20

21 Oracle Audit Vault and Database Firewall Auditing and Reporting Tens of default audit reports Out-of-the Box Compliance Reporting. Report with Data from Multiple Source Types Auditing Stored Procedure Calls Not Visible on the Network Powerful Alerting Filter Conditions 21

22 Oracle Audit Vault and Database Firewall Increasing auditing value: out-of-the-box Integration Oracle AVDF is integrated with the following third-party products: BIG-IP Application Security Manager (ASM): This product from F5 Networks, Inc. is an advanced Web Application Firewall (WAF) that provides comprehensive edge-ofnetwork protection against a wide range of Web-based attacks. It analyzes each HTTP and HTTPS request, and blocks potential attacks before they reach the Web application server. ArcSight Security Information Event Management (SIEM): This product is a centralized system for logging, analyzing, and managing syslog messages from different sources. 22

23 Demo AVDF 23 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted

24 Oracle Database Security Customers Customers Worldwide Rely on Oracle Customer Benefits Enterprise ready Security and compliance Simple and flexible Speed and scale Trasparent and accurate oracle.com/goto/database/security-customers 24 Copyright 2012, Oracle and/or its affiliates. All rights reserved.

25 T-Mobile Protecting Customer Data in Oracle and non-oracle Databases Provider of wireless voice, messaging, and data services throughout the U.S. Fourth largest wireless company in the U.S. with more than 35 million subscribers Industry: Telecom Challenge Protect sensitive data PCI, CPNI, SPII in both Oracle and non- Oracle Databases Monitor database threats, including SQL injection attacks and data harvesting, without having to change application code Full visibility into database activity Understand what types of changes are being made to sensitive data Solution Addresses data security with Database Firewall, TDE, Data Masking as comprehensive database security defense-in-depth strategy Database activity monitoring prevents insider and external threats Deployed and setup within a few hours; already protected against a few compromised accounts that were harvesting data 25

26 26

27 Oracle Database Security Solutions Additional Resources Web Sites Customer Successes Newsletters Social Media Blogs Security Inside Out Database Insider LindkedIn Group: Database Insider Twitter: Oracle Database Copyright 2012, Oracle and/or its affiliates. All rights reserved. Oracle Confidential Restricted