Oracle Information Security Vision Pillar Partner Webcast. Presenter: Ola Sergatchov, Senior Director Information Security Strategy, Oracle North America Technology Organization
Why are you here?
1. My boss told me to.
2. Want to learn more about the Oracle Security offering and go to market with security services.
3. Believe in the Oracle security vision and understand how to generate business around DB Security.
Agenda
Business Case for Database Security
Oracle DB Security Portfolio Overview
First Line of Defense: Oracle Database Firewall
Oracle DBFW Case Studies
Service Engagements with Oracle DB Security
Who We Should Talk To: Target Customers
Additional Opportunities with Oracle DBFW
Business Case for Database Security
Selling Security is a Tough Business!
Business goals today: Stay Compliant; Maintain Profit Margins; Retain Customers (Customer Care, Quality of Service); Expand Services (Organic Growth, M&A); Maintain Competitive Edge.
Database Security: Who Accessed What and When; Monitor and Block Data Access.
Business Case for Database Security (1)
Business Value of Security Controls? Compliance; Cyber Security; Un-quantified Risk Exposure to Cyber Threats.
Business Case for Database Security (2)
Business Case for Database Security (3)
"What has not changed <from year 2009> is that servers and apps account for 98.5% of total records compromised." Verizon 2010 Data Breach Investigations Report, http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/
"Have malware specifically packed and tested to thwart antivirus products? Check! Have an entry vector that will sail past the firewall and won't be detected or blocked by IDS/IPS? Check! How about the ability to tunnel through firewalls to smuggle data using proxy-aware, HTTP-compliant communication protocols? Check! Have encryption for that smuggled data to render data loss prevention (DLP) useless? Absolutely! Got keyboard loggers to home in on the IT staff, steal their credentials, and eventually masquerade as them?"
Security needs to move closer to the assets being targeted.
Oracle DB Security Portfolio Overview
Database Defense In Depth - Features
Prevent access by non-database users to data at rest, in motion, and in storage.
Increase database user identity assurance.
Strict access control to application data, even from privileged users.
Enforce multi-factor authorization.
Audit database activity and create reports.
Monitor database traffic and prevent threats from reaching the database.
Ensure the database production environment is secure and prevent configuration drift.
Mask sensitive data in non-production environments.
Database Security Big Picture (diagram). Applications: Procurement, HR, Rebates. Controls: Authentication, Authorization, Auditing, Audit Consolidation, Multi-factor Authorization, Unauthorized DBA Activity, DB Consolidation Security, Network SQL Monitoring and Blocking, Encrypted Data, Encrypted Database Backups, Encrypted Traffic, Data Masking.
Oracle Database Defense In Depth Portfolio: Oracle Advanced Security, Oracle Identity Management, Oracle Database Vault, Oracle Label Security, Oracle Audit Vault, Oracle Total Recall, Oracle Database Firewall, Oracle Configuration Management, Oracle Data Masking.
First Line of Defense: Oracle Database Firewall
Balancing Security and Performance (diagram: external and internal users, applications, network, databases, trusted and privileged administrators).
Trillions of packets travel through the network every day. Billions of SQL requests travel to the database every day.
Balancing Security and Performance (diagram, continued): a look at how the system balances safety and speed.
Existing Security Solutions Not Enough! (diagram: external and internal users, applications, network, databases, trusted and privileged administrators). Existing layers: Antivirus/Anti-Spyware; Web/App Firewall; Application Security; IDS/IPS/Vulnerability Mgmt; Network Security; User Management; Access Management.
Oracle Database Firewall: First Line of Defense (diagram): a look at how Oracle Database Firewall balances safety and speed.
Oracle Database Firewall: First Line of Defense (diagram: SQL traffic is monitored and then allowed, logged, alerted on, blocked or substituted; outputs are alerts, built-in reports, custom reports and policies).
Monitor database activity, classify and aggregate all incoming SQL.
Unique SQL language recognition and parsing engine to ensure accuracy.
Flexible SQL level enforcement options based on white lists and black lists.
Scalable architecture provides enterprise performance in all deployment modes.
Built-in and custom compliance reports for SOX, PCI, and other regulations.
How does Oracle Database Firewall do it? Understand real-time DB activity; Monitor, Alert, Report; Apply security policy.
Oracle Database Firewall: Scalable and Safe Policy Enforcement (diagram: SQL traffic is allowed, logged, alerted on, substituted or blocked before reaching the databases). Example: "SELECT * FROM accounts" becomes "SELECT * FROM dual where 1=0".
Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or clusters.
Flexible enforcement at SQL level: block, substitute, alert and pass, log only.
SQL substitution foils attackers without disrupting applications.
Centralized policy management and reporting.
Superior performance and policy scalability.
Oracle Confidential
Oracle Database Firewall: Positive Security Model (White List). Diagram: applications to databases, matching SQL allowed, everything else blocked.
Allowed behavior can be defined for any user or application.
Whitelist can take into account built-in factors such as time of day, day of week.
Automatically generate whitelists for any application.
Transactions found not to match the policy are instantly rejected.
Oracle Database Firewall: Negative Security Model (Black List). Diagram: applications to databases, listed SQL blocked, everything else allowed.
Stop specific unwanted SQL transactions, user or schema access.
Prevent privilege or role escalation and unauthorized access to sensitive data.
Blacklist can take into account built-in factors such as time of day, day of week.
Selectively block any part of a transaction in the context of business and security goals.
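The three slides above describe SQL clustering, substitution, and whitelist/blacklist enforcement. The block below is an added illustration of that decision logic, not Oracle's code: a regex literal stripper stands in for the product's SQL grammar engine, and the blacklist entry format, the `DbFirewallPolicy` class and the `unknown_action` setting are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example of whitelist/blacklist policy enforcement; not Oracle's code.
_STRING = re.compile(r"'(?:[^']|'')*'")       # SQL string literal, incl. '' escapes
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")     # numeric literal
_OPS = re.compile(r"\s*([=<>,()])\s*")         # tighten spacing around operators
_SPACE = re.compile(r"\s+")

def cluster_key(sql: str) -> str:
    """Reduce a statement to its characteristic shape by replacing literals with '?'.
    Every bind value of one query maps to one cluster, which is why a whitelist of a
    few hundred clusters can cover millions of statements."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    s = _SPACE.sub(" ", s).strip().rstrip(";")
    return _OPS.sub(r"\1", s).lower()

# Harmless statement forwarded in place of a blocked one (the slide's own example).
SUBSTITUTE_SQL = "SELECT * FROM dual WHERE 1=0"

@dataclass
class Decision:
    action: str                 # allow | log | alert | substitute | block
    forward_sql: Optional[str]  # what reaches the database; None when blocked
    reason: str

class DbFirewallPolicy:
    """Negative model (blacklist) is checked first, then the positive model (whitelist)."""

    def __init__(self, blacklist, unknown_action="substitute"):
        # blacklist entries: (regex, set of db users it applies to, or None for any user)
        self.blacklist = [(re.compile(p, re.I), users) for p, users in blacklist]
        self.whitelist = set()
        self.unknown_action = unknown_action

    def learn(self, training_statements):
        """Build the whitelist automatically from observed application traffic."""
        for stmt in training_statements:
            self.whitelist.add(cluster_key(stmt))

    def evaluate(self, sql: str, db_user: str) -> Decision:
        for pat, users in self.blacklist:
            if (users is None or db_user in users) and pat.search(sql):
                return Decision("block", None, f"blacklist: {pat.pattern}")
        key = cluster_key(sql)
        if key in self.whitelist:
            return Decision("allow", sql, "whitelist")
        # Out-of-profile SQL: respond as configured (block, substitute, alert or log).
        if self.unknown_action == "block":
            return Decision("block", None, f"unknown cluster: {key}")
        if self.unknown_action == "substitute":
            return Decision("substitute", SUBSTITUTE_SQL, f"unknown cluster: {key}")
        return Decision(self.unknown_action, sql, f"unknown cluster: {key}")
```

A tautology appended to a known query changes its cluster key, so it falls outside the learned profile even though the table and columns are the same.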
Oracle Database Firewall Architecture (diagram: applications on the network pass through the Database Firewall in high availability mode; a Local Monitor, a Management Server and a Policy Analyzer produce alerts and reports).
Policy enforcement separated from policy management and reporting.
Supports Oracle and non-Oracle databases, and is application agnostic.
Intel-based OEL compatible install for vertical and horizontal scalability.
Oracle Database Firewall: Fast and Flexible Deployments (diagram: application servers, network, database servers; out-of-band mode can log, allow and alert; in-line mode can also substitute and block; a Local Monitor runs on the database host).
In-Line (Monitor or Block): all database traffic goes through the Database Firewall.
Out-of-Band (Monitor Only): Database Firewall connected to a SPAN port or TAP.
Optional host-based Remote or Local Monitors (Monitor Only): send database transactions to Oracle Database Firewall; monitor local / non-network access to the database.
Oracle Database Firewall Reporting (diagram: several Database Firewalls feeding one reporting database).
Database Firewall log data consolidated into reporting database.
Over 130 built-in reports that can be modified and customized.
Entitlements reporting for database attestation and audit.
Database activity and privileged user reports.
Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls.
Enterprise Security Challenges: Ensure Compliance and Audit; Provide Multi-level Security; Minimize Infrastructure Impact; Support Distributed Workforce; Revealing the Unknown.
What's Unique about the Solution?
Ensure Compliance and Audit: Single Source of Audit Information; Compliance Ready Solution.
Provide Multi-level Security: First Line of Defense for Database; Minimize False Positives.
Minimize Infrastructure Impact: Fast to Deploy, Easy to Maintain; Non-Intrusive Network Based Approach.
Support Distributed Workforce: Monitor Network and Local Access; Flexible to Deploy and Scale.
Revealing the Unknown: Database Usage Profiling; Full Monitoring of DB Activity.
Business Goals - Tomorrow: Stay Compliant; Maintain Profit Margins; Retain Customers (Customer Care, Quality of Service); Expand Services (Organic Growth, M&A); Maintain Competitive Edge; Visibility into Data Usage; Data Abuse Prevention.
Oracle DBFW Case Studies
Case Study 1: Major Investment Bank - Privileged user database activity audit
Customer Requirements:
Database activity audit for 600 databases (MS-SQL and Sybase) in three geographically separated data centers (US, NJ and Ireland).
24*7*365 high availability in each data center and also between major and disaster recovery sites.
Automated distribution of uniquely formatted reports (PDF and Excel) to internal auditors via email.
Ad-hoc reporting for real-time incident analysis and forensics.
Ability to process and analyze 1.7 billion unique SQL transactions per day.
Ability to identify escalated user privileges and to trace stored procedure execution.
Oracle Database Firewall Solution:
Oracle Database Firewall non-intrusively monitors all network database activity and also local DB traffic.
High Availability deployment in three separated data centers.
Single copy of all log data without duplications.
Fully automated daily distribution of custom reports on selected types of activities and users.
Privileged User and Stored Procedures Audit performed daily.
Business Benefits:
Oracle Database Firewall fully replaced in-house developed database activity reporting that utilized native database audit functionality and Linux-based log parsing.
Oracle Database Firewall allowed more than 600 databases to be fully monitored, eliminating the maintenance load on the IT team to support the system.
Improved database performance with a 10% to 15% reduction in CPU load on each DB host.
The infrastructure team was able to focus on production and application issues (not related to Database Firewall), while the internal audit team was able to take over audit reporting management.
Case Study 1: Major Investment Bank - Privileged user database activity audit
In a competitive cook-off between Guardium, Imperva, and Tizor, Oracle Database Firewall was selected as best of breed for accuracy, customizable reporting and high performance.
Case Study 2: Major Retail Bank - Full database activity monitoring, reporting and blocking
Customer Requirements:
Database activity monitoring in 5 data centers across the world.
24*7*365 high availability in each data center and support for distributed environments.
Automated distribution of DB activity monitoring reports (selected activities/users) to internal auditors via email.
Ad-hoc reporting for real-time incident analysis and forensics.
Ability to block unauthorized SQL from reaching the database.
In-line and out-of-band deployments combined in each data center.
Oracle Database Firewall Solution:
Oracle Database Firewalls deployed in each data center with Management Servers (one per data center).
High Availability deployment for in-line deployments.
Fully automated daily distribution of custom reports on selected types of activities and users.
Monitoring a heterogeneous environment: MS-SQL, Sybase, Oracle, DB2 (distributed and mainframe).
Business Benefits:
Oracle Database Firewall allowed the customer to demonstrate compliance with internal and external audit requirements and also to maintain its high rating, due to blocking capabilities.
Oracle Database Firewall customized reports are distributed daily via email. Security review became an easy and low maintenance task.
Database traffic is fully profiled and aggregated for BI analytics and DB performance tuning purposes.
Case Study 2: Major Retail Bank Full database activity monitoring, reporting and blocking
Key Unique Features of Oracle DBFW
1. Intelligent analysis of SQL traffic using semantics and intent recognition. Patented technology.
2. Ability to aggregate SQL traffic into meaningful groups. A million statements result in 300 groups. Policy set based on real-time traffic.
3. Network based deployment. Fixed processing time and low overhead in in-line mode. No overhead in out-of-band mode. Performance is independent of policy size.
4. Clever approach to blocking: DBFW can substitute a statement on the fly instead of sending a TCP Reset.
5. Open reporting database. ODBC support, published schema, easy customization. No black box approach to reporting.
6. Open scalable hardware platform. Can install on any hardware, scales vertically and horizontally.
7. Stored procedure audit, user role audit. Ability to see the actual code executed in the stored procedure.
What does it mean to the business
1. Accuracy in reporting for compliance purposes and accuracy in security policy setting. Minimize false positives and false negatives.
2. Full profiling of the DB traffic that can be utilized for BI purposes, performance tuning, DB debug in production environments, understanding of data usage.
3. No impact on the infrastructure or DB performance. Does not introduce any additional maintenance headaches to IT.
4. User friendly security: disabling malicious SQL while enabling all legitimate users to continue their activities.
5. Vendor independent reporting, can be integrated into any BI dashboard. Drives business value. The customer fully controls the reports, including ad-hoc reports.
6. Allows the customer to use their own hardware, to reduce vendor dependency and allow full ownership for the customer.
7. Provides full visibility into DB traffic and users. Most applications use thousands of stored procedures and there are thousands of users defined in the database.
Common Objections and Questions
What is the difference between DB monitoring with DBFW and competitors?
It is a firewall, we already have one!
Network appliances cause huge overhead, how do you handle that?
Can you support local traffic monitoring?
Are you appliance/software and how do you scale/deploy?
How do you handle large log files, do you aggregate?
How do you search in the log files?
Common Objections and Questions
How do you handle encryption?
Why is a white list better?
Why don't you use built-in policies for known threats?
Full monitoring vs. privileged user monitoring.
Cases where a white list won't work?
How do you integrate with SIEM?
Do you support / are you certified with Oracle Apps, PeopleSoft, Siebel?
How do Audit Vault and DBFW integrate?
What are the key unique features of DBFW?
Services with Oracle DB Security
Business Case for Database Security
Business Value of Security Controls? Compliance; Cyber Security; Un-quantified Risk Exposure to Cyber Threats.
Driving Business Value (Business Value of Security Controls?)
Migrating from manual home-grown tools to automated and centralized monitoring and audit.
BI analytics dashboard: DB traffic analysis and profiling for business decision making.
DB migration and consolidation projects.
DB performance monitoring and production systems debug.
Compliance vs. Cyber Security
PCI compliance projects: enhancing/improving PCI compliance with security controls.
Internal Audit focus: how to better audit and improve monitoring and access control.
Identity Management projects attachment.
Easy compliance with Oracle ASO data at rest encryption. Out of jail free.
Network security initiatives with F5.
Risk Exposure to Cyber Threats (Un-quantified Risk Exposure to Cyber Threats)
Security Evaluation and Risk Management Initiatives.
Security Breaches Response Strategy.
Strategic Advising on Data Privacy Strategy.
Cyber Risk Exposure and GRC Initiatives.
Who We Should Talk To - Target Customers
5 Questions to Ask the Customer
1. Can you guarantee privacy of your customer data?
2. How many security breaches did you mitigate last year? How do you know?
3. Do your DBAs know the financial results before the CEO?
4. Are you in compliance with all regulations?
5. What are your plans to automate compliance?
Who to contact in the HC organization (Role / Pains / Objections)
Audit/Compliance Officers. Pains: audit fatigue, lack of visibility, manual processing, new regulations. Objections: no budget, lack of influence, hard to measure ROI/TCO.
COO, CIO, CEO. Pains: keep up with competition/new technologies, not to make news headlines, keep low TCO and high ROI. Objections: already have security apps, security budget spent, high maintenance costs, no resources.
Chief Security Officers/Information Security. Pains: make data available but secure without impacting normal business operations. Objections: not user-friendly, already have, lack of cooperation from other departments.
Database Administration/Managers, Development/Project Managers. Pains: avoid finger pointing in case of breach/data abuse, enable production/development operations, provide best level of support/functionality. Objections: need unlimited access, don't like to be monitored, we are the trusted ones, application security is built-in, no need for more.
End-to-End Application Data Security
Security Landscape at a Glance (diagram: external and internal users, applications, network, databases, trusted and privileged administrators).
Trillions of packets travel through the network every day. Billions of SQL requests travel to the database every day.
Web Application Security Landscape (diagram: external and internal users, applications, network, databases, trusted and privileged administrators).
Applications and networks are fully secured with F5. How can we further secure the databases?
End-to-End Security with F5 and Oracle (diagram: external and internal users, applications, network, databases, trusted and privileged administrators).
Two best of breed technologies to deliver an integrated application data security solution.
What's Unique about F5 ASM?
Ensure Compliance and Audit: Protect Sensitive Data; Compliance Ready Solution.
Provide Multi-level Security: Web Application Security.
Minimize Infrastructure Impact: User-Friendly Security; Network Based Approach.
Support Distributed Workforce: Network and Application Access; Flexible to Deploy and Scale.
Revealing the Unknown: Application Usage Profiling.
What's Unique about Oracle DB Firewall?
Ensure Compliance and Audit: Comply with Data Access Regulations; Compliance Ready Solution.
Provide Multi-level Security: Database Security.
Minimize Infrastructure Impact: Fast to Deploy, Easy to Maintain; Network Based Approach.
Support Distributed Workforce: Network and Local Access; Flexible to Deploy and Scale.
Revealing the Unknown: Database Usage Profiling.
What's Unique about the Solution?
Ensure Compliance and Audit: Single Source of Audit Information; Compliance Ready Solution.
Provide Multi-level Security: Web Application and DB Security; Minimize False Positives.
Minimize Infrastructure Impact: User-Friendly Security; Network Based Approach.
Support Distributed Workforce: Network, Application and Local Access; Flexible to Deploy and Scale.
Revealing the Unknown: Application and Database Usage; Full Visibility Across the Enterprise.
How Does it Work? (diagram: a request such as www.acme.com?id=%27+or+1%3d1+- raises an ASM event carrying the user identity; the event is passed to the DBFW Management Server, which produces an integrated log and a correlated syslog event for the SIEM.)
Web application traffic is secured with ASM; database traffic is secured with Database Firewall.
How Does it Work?
User logs in to a web application.
F5 identifies a possible SQL injection event.
Security event containing user and web app info is sent from ASM to DBFW.
Correlated event data is sent to the SIEM log.
DBFW correlates the ASM event with the database traffic log.
DBFW takes an appropriate action (Block, Alert, Pass).
Enriched log data is available for reporting and forensic analysis.
Integrated report is distributed via email.
Integrated log entry is generated and stored in DBFW.
Web application traffic is secured with ASM; database traffic is secured with Database Firewall.
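The two slides above outline how an ASM event is correlated with the database traffic log and forwarded to the SIEM. The block below is an added illustration of that flow, not F5's or Oracle's code: the event and log records are constructed sample data built around the slide's example URL, the correlation rule (decoded request parameter found in SQL issued within a short window) and the key=value syslog layout are assumptions made for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed ASM (web application firewall) event; the payload is the slide's example.
ASM_EVENT = {
    "time": datetime(2011, 3, 1, 10, 15, 2),
    "web_user": "jsmith",
    "client_ip": "203.0.113.7",
    "url": "http://www.acme.com/?id=%27+or+1%3d1+-",
    "signature": "SQL Injection",
}

# Constructed database traffic log: what the firewall sees between app tier and database.
DB_LOG = [
    {"time": datetime(2011, 3, 1, 10, 14, 50), "db_user": "APP",
     "sql": "SELECT * FROM accounts WHERE id = '17'"},
    {"time": datetime(2011, 3, 1, 10, 15, 3), "db_user": "APP",
     "sql": "SELECT * FROM accounts WHERE id = '' or 1=1 -'"},
    {"time": datetime(2011, 3, 1, 10, 15, 40), "db_user": "APP",
     "sql": "SELECT * FROM accounts WHERE id = '18'"},
]

def injected_fragments(url: str):
    """Decode the request parameters; the attack payload arrives as a parameter value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v.strip().lower() for vs in params.values() for v in vs if v.strip()]

def correlate(event, db_log, window=timedelta(seconds=5)):
    """Return DB statements issued shortly after the WAF event that carry its payload."""
    fragments = injected_fragments(event["url"])
    start, end = event["time"], event["time"] + window
    return [rec for rec in db_log
            if start <= rec["time"] <= end
            and any(f in rec["sql"].lower() for f in fragments)]

def integrated_entry(event, rec, action="block"):
    """Enriched log record: the SQL plus the web identity behind it (reports, forensics)."""
    return {
        "time": rec["time"].isoformat(),
        "web_user": event["web_user"],
        "client_ip": event["client_ip"],
        "db_user": rec["db_user"],
        "sql": rec["sql"],
        "asm_signature": event["signature"],
        "action": action,
    }

def syslog_line(entry) -> str:
    """Key=value payload for the SIEM; this layout is an assumption, not a product format."""
    return "DBFW " + " ".join(f'{k}="{v}"' for k, v in entry.items())

if __name__ == "__main__":
    for rec in correlate(ASM_EVENT, DB_LOG):
        print(syslog_line(integrated_entry(ASM_EVENT, rec)))
```

Without the web identity, the database firewall only sees the shared application account (APP); the correlation is what lets the report name the web user behind the statement.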
Oracle Database Firewall Dashboard
Oracle Database Firewall Traffic Log
It's Question Time!