Oracle Information Security Vision
Pillar Partner Webcast
Why are you here?
1. Believe in Oracle security vision and understand how to generate business around DB Security
2. My boss told me to
3. Want to learn more about Oracle Security Offering and Go to Market with security services.
Agenda
• Business Case for Database Security
• Oracle DB Security Portfolio Overview
• First Line of Defense – Oracle Database Firewall
• Oracle DBFW Case Studies
• Service Engagements with Oracle DB Security
• Who We Should Talk To – Target Customers
Business Case for Database Security
Selling Security is a Tough Business!
• Maintain Profit Margins
• Stay Compliant
• Expand Services: Organic Growth, M&A
• Retain Customers: Customer Care, Quality of Service
• Maintain Competitive Edge
Who Accessed What and When
Database
Monitor and Block Data Access
Business Case for Database Security (1)
• Compliance ≠ Cyber Security
• Business Value of Security Controls?
• Un-quantified Risk Exposure to Cyber Threats
Business Case for Database Security (3)
“What has not changed <from year 2009> is that servers and apps account for 98.5% of total records compromised.”
Verizon 2010 Data Breach Investigations Report http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/
• Have malware specifically packed and tested to thwart antivirus products? Check!
• Have an entry vector that will sail past the firewall and won’t be detected or blocked by IDS/IPS? Check!
• How about the ability to tunnel through firewalls to smuggle data using proxy-aware, HTTP-compliant communication protocols? Check!
• Have encryption for that smuggled data to render data loss prevention (DLP) useless? Check!
• Got keyboard loggers to home in on the IT staff, steal their credentials, and eventually masquerade as them? Absolutely!
Oracle DB Security Portfolio Overview
Database Defense In Depth - Features
✓ Prevent access by non-database users for data at rest, in motion, and storage
✓ Increase database user identity assurance
✓ Strict access control to application data even from privileged users
✓ Enforce multi-factor authorization
✓ Audit database activity, and create reports
✓ Monitor database traffic and prevent threats from reaching the database
✓ Ensure database production environment is secure and prevent drift
✓ Mask sensitive data in non-production environments
Database Security – Big Picture
[Diagram labels: Users; Applications (Procurement, HR, Rebates); Authentication; Authorization; Multi-factor Authorization; Auditing; Audit consolidation; Unauthorized DBA Activity; DB Consolidation Security; Network SQL Monitoring and Blocking; Encrypted Traffic; Encrypted Database; Encrypted Backups; Data Masking]
Oracle Database Defense In Depth Portfolio
✓ Oracle Advanced Security
✓ Oracle Identity Management
✓ Oracle Database Vault
✓ Oracle Label Security
✓ Oracle Audit Vault
✓ Oracle Total Recall
✓ Oracle Database Firewall
✓ Oracle Configuration Management
First Line of Defense
Oracle Database Firewall
Balancing Security and Performance
[Diagram labels: Trusted Users, External Users, Internal Users, Privileged Users, Administrators; NETWORK, APPLICATIONS, DATABASES]
Trillions of packets travel through the network every day
Billions of SQL requests travel to the database every day
Balancing Security and Performance
A look at how the system balances safety and speed.
Existing Security Solutions – Not Enough!
[Diagram labels: Application Security, Antivirus/Anti-Spyware, User Management, Web/App Firewall, IDS/IPS/Vulnerability Mgmt, Network Security]
Oracle Database Firewall
First Line of Defense
A look at how Oracle Database Firewall balances safety and speed.
Oracle Database Firewall
First Line of Defense
[Diagram labels: SQL Traffic, DATABASES, Policies, Log, Allow, Alert, Substitute, Block, Monitor, Built-in Reports, Custom Reports, Alerts]
• Monitor database activity, classify and aggregate all incoming SQL.
• Unique SQL language recognition and parsing engine to ensure accuracy
• Flexible SQL level enforcement options based on white lists and black lists
• Scalable architecture provides enterprise performance in all deployment modes
How Oracle Database Firewall does it?
• Understand Real-Time DB Activity
• Monitor, Alert, Report
• Apply Security Policy
Oracle Database Firewall
Scalable and Safe Policy Enforcement
[Diagram labels: SQL Traffic, DATABASES, Log, Allow, Alert, Substitute, Block]
SELECT * FROM accounts
Becomes
SELECT * FROM dual where 1=0
• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters”
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Centralized policy management and reporting
S i f d li l bilit
Oracle Database Firewall
Positive Security Model
White List
[Diagram labels: APPLICATIONS, DATABASES, Allow, Block]
• “Allowed” behavior can be defined for any user or application
• Whitelist can take into account built-in factors such as time of day, day of week
• Automatically generate whitelists for any application
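A simplified sketch of the clustering, whitelist generation and SQL-level enforcement described on the two slides above, added here as an illustration and not Oracle Database Firewall's own code. It assumes regular-expression literal stripping in place of the product's SQL grammar engine; `cluster_of`, `learn_whitelist`, `enforce` and the sample traffic are hypothetical names and constructed data.

```python
import re
from collections import Counter

SUBSTITUTE_SQL = "SELECT * FROM dual where 1=0"  # substitute statement shown on the slide

# One left-to-right pass: string literal | line comment | block comment | number.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/|\b\d+(?:\.\d+)?\b", re.S)
_PUNCT = re.compile(r"([=<>!(),;*])")
_IN_LIST = re.compile(r"\( \?(?: , \?)+ \)")
PASS_THROUGH = {"alert", "log"}  # "alert and pass" and "log only"


def cluster_of(sql):
    """Reduce a statement to its shape: literals become '?', comments,
    letter case, spacing and IN-list length are ignored (assumed rules)."""
    s = _TOKEN.sub(lambda m: " " if m.group(0)[:2] in ("--", "/*") else "?", sql)
    s = _PUNCT.sub(r" \1 ", s)           # uniform spacing around punctuation
    s = " ".join(s.upper().split())
    s = _IN_LIST.sub("( ? )", s)         # IN (?, ?, ?) and IN (?) share a cluster
    return s.rstrip("; ")


def learn_whitelist(observed):
    """Build a whitelist of clusters from traffic seen during normal operation."""
    return Counter(cluster_of(s) for s in observed)


def enforce(sql, whitelist, unknown_action="substitute"):
    """Return (decision, statement forwarded to the database, or None)."""
    if cluster_of(sql) in whitelist:
        return ("allow", sql)
    if unknown_action == "block":
        return ("block", None)
    if unknown_action == "substitute":
        return ("substitute", SUBSTITUTE_SQL)
    if unknown_action in PASS_THROUGH:
        return (unknown_action, sql)
    raise ValueError(f"unknown action: {unknown_action}")


# Constructed sample of normal application traffic (not from the webcast).
TRAINING = [
    "SELECT * FROM accounts WHERE id = 42;",
    "select * from accounts where id=7",
    "SELECT name FROM customers WHERE region IN ('EU', 'US')",
    "SELECT name FROM customers WHERE region IN ('APAC')",
    "UPDATE accounts SET balance = 10.50 WHERE id = 3",
    "UPDATE accounts SET balance = 99 WHERE id = 1042",
]

if __name__ == "__main__":
    whitelist = learn_whitelist(TRAINING)
    for cluster, hits in whitelist.items():
        print(f"{hits:>3}  {cluster}")
    for stmt in ("SELECT * FROM accounts WHERE id = 555",
                 "SELECT * FROM accounts WHERE id = 7 OR 1=1 --"):
        print(enforce(stmt, whitelist), "<-", stmt)
```

The second test statement differs from normal traffic only in its shape, so it lands in a cluster the whitelist has never seen and the database receives the empty-result substitute while the application connection stays open.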
Oracle Database Firewall
Negative Security Model
Black List
[Diagram labels: APPLICATIONS, DATABASES, Allow, Block]
• Stop specific unwanted SQL transactions, user or schema access
• Prevent privilege or role escalation and unauthorized access to sensitive data
• Blacklist can take into account built-in factors such as time of day, day of
Oracle Database Firewall
Architecture
[Diagram labels: Users, Applications, NETWORK, Local Monitor, Database Firewall, High Availability Mode, Management Server, Policy Analyzer, Alerts, Reports]
• Policy enforcement separated from policy management and reporting
Oracle Database Firewall
Fast and Flexible Deployments
[Diagram labels: Users, Application Servers, NETWORK, Database Servers; In-Line: Log, Alert, Substitute, Allow, Block; Out-of-Band: Log, Alert, Allow; Local Monitor]
• In-Line (Monitor or Block): All database traffic goes through the Database Firewall
• Out-of-Band (Monitor Only): Database Firewall connected to a SPAN port or TAP
• Optional Host Based Remote or Local Monitors (Monitor Only)
• Sends database transactions to Oracle Database Firewall
Oracle Database Firewall
Reporting
• Database Firewall log data consolidated into reporting database
• Over 130 built in reports that can be modified and customized
• Entitlements reporting for database attestation and audit
• Database activity and privileged user reports
• Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls
Enterprise Security Challenges
• Ensure Compliance and Audit
• Provide Multi-level Security
• Minimize Infrastructure Impact
• Support Distributed Workforce
• Revealing the Unknown
What’s Unique about the Solution?
[Table: the five challenges above against solution capabilities: Single Source of Audit Information; First Line of Defense for Database; Fast to Deploy, Easy to Maintain; Monitor Network and Local Access; Database Usage Profiling; Full Compliance Ready Solution; Minimize False Positives; Non-Intrusive Network Based Approach; Flexible to Deploy and Scale; Full Monitoring of DB Activity]
Business Goals - Tomorrow
• Maintain Profit Margins
• Stay Compliant
• Expand Services: Organic Growth, M&A
• Retain Customers: Customer Care, Quality of Service
• Maintain Competitive Edge
Oracle DBFW Case Studies
Case Study 1: Major Investment Bank
Privileged user database activity audit
Customer Requirements
• Database activity audit for 600 databases (MS-SQL and Sybase) in three geographically separated data centers (US, NJ and Ireland).
• 24*7*365 high availability in each data center and also between major and disaster recovery sites.
• Automated distribution of uniquely formatted reports (PDF and Excel) to internal auditors via email.
• Ad-hoc reporting for real-time incident analysis and forensics.
• Ability to process and analyze 1.7 billion unique SQL transactions per day.
• Ability to identify escalated user privileges and to trace stored procedures execution.
Oracle Database Firewall Solution
• Oracle Database Firewall non-intrusively monitors all network database activity and also local DB traffic.
• High Availability deployment in three separated data centers. Single copy of all log data without duplications.
• Fully automated daily distribution of custom reports on selected types of activities and users.
• Privileged User and Stored Procedures Audit performed daily.
Business Benefits
• Oracle Database Firewall fully replaced in-house developed database activity reporting that utilized native database audit functionality and Linux-based log parsing.
• Oracle Database Firewall allowed more than 600 databases to be fully monitored, eliminating maintenance load on IT team to support the system.
• Improved database performance with 10% to 15% reduction in CPU load on each DB host.
• The infrastructure team was able to focus on production and application issues (not related to Database Firewall), hil i t l dit t bl t “t k ” th dit ti t
Case Study 1: Major Investment Bank
Privileged user database activity audit
In a competitive cook-off between Guardium, Imperva, and Tizor, Oracle Database Firewall was selected as best of breed for accuracy, customizable reporting and high performance.
Case Study 2: Major Retail Bank
Full database activity monitoring, reporting and blocking
Customer Requirements
• Database activity monitoring in 5 data centers across the world.
• 24*7*365 high availability in each data center and support for distributed environments.
• Automated distribution of DB activity monitoring reports (selected activities/users) to internal auditors via email.
• Ad-hoc reporting for real-time incident analysis and forensics.
• Ability to block unauthorized SQL from reaching the database.
• In-line and out-of-band deployments combined in each data center.
Oracle Database Firewall Solution
• Oracle Database Firewalls deployed in each data center with Management Servers (one per data center)
• High Availability deployment for in-line deployments.
• Fully automated daily distribution of custom reports on selected types of activities and users.
• Monitoring heterogeneous environment – MS-SQL, Sybase, Oracle, DB2 (distributed and MainFrame)
Business Benefits
• Oracle Database Firewall allowed the customer to demonstrate compliance with internal and external audit requirements and also to maintain its high rating, due to blocking capabilities.
• Oracle Database Firewall customized reports are distributed daily via email. Security review became an easy and low maintenance task.
Key Unique Features of Oracle DBFW
1. Intelligent analysis of SQL traffic using semantics and intent recognition. Patented Technology.
2. Ability to aggregate SQL traffic into meaningful groups. Million statements result in 300 groups. Policy set based on real-time traffic.
3. Network based deployment. Fixed processing time and low overhead in in-line mode. No overhead in out of band mode. Performance is independent of policy size
4. Clever approach to blocking, DBFW can substitute statement on the fly instead of sending TCP Reset.
5. Open Reporting Database. ODBC support, published schema, easy customization. No “black box” approach to reporting.
6. Open Scalable Hardware Platform. Can install on any hardware, scales vertically and horizontally.
7. Stored Procedure Audit, User Role Audit. Ability to see actual code executed in the stored procedure.
What does it mean to the business
1. Accuracy in reporting for compliance purposes and accuracy in security policy setting. Minimize false positives and false negatives.
2. Full profiling of the DB traffic that can be utilized for BI purposes, performance tuning, DB debug in production environments, understanding of data usage.
3. No impact on the infrastructure or DB performance. Does not introduce any additional maintenance headaches to the IT.
4. User Friendly Security, disabling malicious SQL while enabling all legitimate users to continue their activities.
5. Vendor independent reporting, can be integrated into any BI dashboard. Drives business value. The customer fully controls the reports, including ad-hoc reports.
6. Allows customer to use their own hardware, to reduce vendor dependency and allow full ownership for the customer.
7. Provides full visibility into DB traffic and users. Most applications use thousands of Stored Procedures and there are thousands of users defined in the database.
Common Objections and Questions
• What is the difference between DB Monitoring with DBFW and Competitors?
• It is a Firewall, we already have one!
• Network Appliances cause huge overhead, how do you handle that?
• Can you support local traffic monitoring?
• Are you appliance/software and how do you scale/deploy?
• How do you handle large log files, do you aggregate?
Common Objections and Questions
• How do you handle encryption?
• Why is white list better?
• Why don’t you use built in policies for known threats?
• Full monitoring vs. Privileged user monitoring
• Cases where white list won’t work?
• How do you integrate with SIEM?
• Do you support / are you certified with Oracle Apps, PeopleSoft, Siebel?
• How do Audit Vault and DBFW integrate?
Services with Oracle DB Security
Business Case for Database Security
• Compliance ≠ Cyber Security
• Business Value of Security Controls?
• Un-quantified Risk Exposure to Cyber Threats
Driving Business Value
Business Value of Security Controls?
• Migrating from manual home-grown tools to automated and centralized monitoring and audit.
• BI analytics dashboard – DB traffic analysis and profiling for business decision making.
• DB migration and consolidation projects.
• DB performance monitoring and
d ti
t
d b
Compliance vs. Cyber Security
Compliance ≠ Cyber Security
• PCI compliance projects – enhancing/improving PCI compliance with security controls.
• Internal Audit focus – how to better audit and improve monitoring and access control.
• Identity Management projects attachment.
• Easy compliance with Oracle ASO – data at rest encryption. Out of jail free.
Risk Exposure to Cyber Threats
Un-quantified Risk Exposure to Cyber Threats
• Security Evaluation and Risk Management Initiatives.
• Security Breaches Response Strategy.
• Strategic Advising on Data Privacy Strategy.
• Cyber Risk Exposure and GRC Initiatives.
Who We Should Talk To - Target Customers
5 Questions to Ask the Customer
1. Can you guarantee privacy of your customer data?
2. How many security breaches did you mitigate last year? How do you know?
3. Do your DBAs know the financial results before the CEO?
4. Are you in compliance with all regulations?
5. What are your plans to automate compliance?
Who to contact in the HC organization

Role: Audit/Compliance Officers
Pains: “Audit Fatigue”, Lack of Visibility, Manual Processing, New Regulations
Objections: No budget, Lack of Influence, Hard to measure ROI/TCO

Role: COO, CIO, CEO
Pains: Keep up with competition/new technologies, not to make news headlines, keep low TCO high ROI
Objections: Already have security apps, security budget spent, high maintenance costs, no resources.

Role: Chief Security Officers/Information Security
Pains: Make data available but secure without impacting normal business operations
Objections: Not user-friendly, Already have, Lack of cooperation from other departments

Role: Database Administration/Managers, Development/Project Managers
Pains: Avoid finger pointing in case of breach/data abuse, enable production/development operations, provide best level of support/functionality
Objections: Need unlimited access, don’t like to be monitored, we are the “trusted ones”, application security is built in no need for more
End-to-End Application Data Security
Security Landscape at a Glance
[Diagram labels: Trusted Users, External Users, Internal Users, Privileged Users, Administrators; NETWORK, APPLICATIONS, DATABASES]
Trillions of packets travel through the network every day
Billions of SQL requests travel to the database every day
Web Application Security Landscape
[Diagram labels: Trusted Users, External Users, Internal Users, Privileged Users, Administrators; NETWORK, APPLICATIONS, DATABASES]
Applications and Networks are fully secured with F5
How can we further secure the Databases?
End-to-End Security with F5 and Oracle
[Diagram labels: Trusted Users, External Users, Internal Users, Privileged Users, Administrators; NETWORK, APPLICATIONS, DATABASES]
Two Best of Breed Technologies to Deliver
What’s Unique about F5 ASM?
[Table: the five challenges (Ensure Compliance and Audit; Provide Multi-level Security; Minimize Infrastructure Impact; Support Distributed Workforce; Revealing the Unknown) against ASM capabilities: Protect Sensitive Data; Web Application Security; User-Friendly; Network and Application Access; Application Usage Profiling; Compliance Ready Solution; Network Based Approach; Flexible to Deploy and Scale]
What’s Unique about Oracle DB Firewall?
[Table: the same five challenges against Database Firewall capabilities: Comply with Data Regulations; Database Security; Network Based Approach; Network and Local Access; Database Usage Profiling; Compliance Ready Solution; Fast to Deploy, Easy to Maintain; Flexible to Deploy and Scale]
What’s Unique about the Solution?
[Table: the same five challenges against combined capabilities: Single Source of Audit Information; Web Application and DB Security; User-Friendly; Network, Application and Local Access; Application and Database Usage; Full Compliance Ready Solution; Minimize False Positives; Network Based Approach; Flexible to Deploy and Scale; Full Visibility Across the Enterprise]
How Does it Work?
[Diagram labels: External Users, Internal Users, Administrators; NETWORK, APPLICATIONS, DATABASES; URL www.acme.com?id=%27+OR+1%3D1+-; ASM Event, User Identity, Correlated Syslog Event, Integrated Log, DBFW, DBFW Management Server, SIEM]
Web Application traffic is secured with ASM, Database traffic is secured with Database Firewall
How Does it Work?
• User logged in to a Web Application
• F5 identifies possible SQL injection event
• Security event containing User and Web app info is sent from ASM to DBFW
• DBFW correlates the ASM event with database traffic log.
• DBFW takes an appropriate action (Block, Alert, Pass)
• Integrated log entry is generated and stored in DBFW
• Correlated event data is sent to SIEM
• Enriched log data is available for reporting and forensic analysis.
• Integrated report is distributed via email