Page 1
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1
blogs.oracle.com/IMC
Page 3
Oracle Audit Vault and
Database Firewall
Tarek Salama
DB Options Specialist MEA
Page 4
Program Agenda
Database Security Defense in Depth
Oracle Audit Vault & Database Firewall
Activity Monitoring and Blocking
Fine Grained, Customizable Reporting and Alerting
Enterprise Audit Data Consolidation and Lifecycle Management
Deployment Flexibility and Scalability
Oracle Audit Vault & Database Firewall Value Proposition
Oracle Maximum Security Architecture
Q&A
Page 5
Database Sprawl Makes Attacking Easier!
Sensitive
Data
Outsourced Data DW/Analytics Reports Stand By Test Dev Temp use
Page 6
Only 35% Can Prevent SQL Injection Attacks
Have you taken steps to prevent SQL injection attacks?
Page 7
Only 30% Using a Network-Based Database Firewall Solution
Are you using a network-based database firewall solution
for blocking unauthorized database activity?
(Total does not equal 100% due to rounding.)
Page 8
Billions of Database Records Breached Globally 97% of Breaches Were Avoidable with Basic Controls
98% records stolen from databases
96% of victims subject to PCI DSS had not achieved compliance
71% Breach within minutes
92% discovered by third party
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Page 9
85% Breached in Minutes or Faster
Page 10
85% Took Weeks, Months and Even Years to Discover
Page 11
“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”
Are Databases Adequately Protected?
Source: Forrester Research Inc., Creating An Enterprise Database Security Plan, July 2010
Endpoint Security
Vulnerability Management
Network Security
Email Security
Authentication Security
Database
Security
Page 12
“Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices”.
The Business Response Is Reactive IT has shifted attention away from the applications & data
Page 13
The Reactive Approach Fails Increased IT Spending & Focused on The Wrong Risks
8.2% IT Budget, 2007
14% IT Budget, 2010
Endpoint Security
Vulnerability Management
Network Security
Email Security
Other Security
94% against servers
96% Non-compliance PCI
5% Privilege Misuse
32% of hacking involved
stolen login credentials
Page 14
Focus On The Core Systems
The Experience The Applications The Cloud The Data Center
Page 15
Security at Every Layer: Security between layers and across layers
Database Security
• Encryption and Masking
• Privileged User Controls
• Database Firewall
• Secure Configuration
Infrastructure Security
• Trusted OS Extensions
• Virtualization Security
• Cryptographic Acceleration
• Key Storage Built-In
• Secure Storage
Risk & Compliance
• Auditing
• Attestation
• Segregation of Duties
• Process Controls
• Transaction Controls
Identity Management
• Privilege Account Management
• User and Role Management
• Entitlements Management
• Risk-Based Access Control
• Directory Services
Page 16
Customer Experience Security Challenges
Expanding business requires securing the interaction
Regulatory Compliance
PII, PCI DSS, PIPEDA, EU DPD
Quality of Service
Brand & Reputation
Identity Theft
Fraud Detection & Trust
Data Security & Integrity
Consumer Privacy
Page 18
Forrester Research
Network Security
SIEM
Endpoint Security
Web Application
Firewall
Email Security
Authentication & User Security
Database Security
Why are Databases so Vulnerable?
“Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access.”
80% of IT Security Programs Don’t Address Database Security
Page 19
Why We Care About Auditing?
Applications & Data
Anytime
Anywhere
Page 20
UNLOCK THE OPPORTUNITIES
PREVENT THE THREATS
MANAGE THE RISKS
Transform IT Security Take an inside out approach
SECURITY INSIDE-OUT
Page 21
Oracle Database Security Solutions Defense-in-Depth for Maximum Security
DETECTIVE
Activity Monitoring
Database Firewall
Auditing and Reporting
PREVENTIVE
Redaction and Masking
Privileged User Controls
Encryption
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management
Privilege Analysis
Page 22
Oracle Database Security Solutions Detect and Block Threats, Alert, Audit and Report
DETECTIVE
Activity Monitoring
Database Firewall
Auditing and Reporting
PREVENTIVE
Redaction and Masking
Privileged User Controls
Encryption
ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management
Privilege Analysis
Page 23
Oracle Audit Vault and Database Firewall Product Overview
Page 24
Expands protection beyond Oracle and third party databases.
New software appliance-based platform accelerates enterprise-wide deployments.
Detective and preventive control to protect against the abuse of legitimate access.
Expanded Enterprise Auditing: Capabilities to collect, consolidate, and manage native audit and event logs.
Consolidated Reporting and Alerting: Consolidated, centralized repository for all audit and event logs to be analyzed in real-time.
New Product
Oracle Announces Oracle Audit Vault and Database Firewall
Unified platform to display audit reports
Consolidate audit data from multiple sources
Page 25
Built-in Reports
Alerts
Custom Reports
!
Oracle Audit Vault and Database Firewall New Solution for Oracle and Non-Oracle Databases
Firewall Events
Users
Applications
Database Firewall Allow
Log
Alert
Substitute
Block
Audit Data
Audit Vault
OS, Directory, File System &
Custom Audit Logs Policies
Security
Analyst
Auditor
SOC
Page 26
Oracle Audit Vault and Database Firewall SQL Injection Protection with Positive Security Model
White List
Applications
Allow: SELECT * from stock where catalog-no='PHE8131'
Block: SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'
• “Allowed” behavior can be defined for any user or application
• Automated white list generation for any application
• Out-of-policy database transaction detected and blocked/alerted
Databases
Page 27
Oracle Audit Vault and Database Firewall Enforcing Database Activity with Negative Security Model
• Stop specific unwanted SQL interactions, user or schema access
• Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name, etc.
• Provide flexibility to authorized users while still monitoring activity
Black List
DBA activity from Application? SELECT * FROM v$session: Block
DBA activity from Approved Workstation: SELECT * FROM v$session: Allow + Log
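The positive and negative security models from the two slides above, sketched as an added example (not Oracle's code or policy format): each statement is reduced to a shape with literals replaced by placeholders, an allow list of shapes is learned per application, and factor-based rules are checked first. The tokenizer, session fields, addresses and rule layout are assumptions of this sketch; the product's SQL grammar analysis is far more complete.

```python
import re

# Token classes for a deliberately small SQL tokenizer (an assumption of this sketch).
TOKEN = re.compile(r"""
    (?P<lit>'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b)   # string or numeric literal
  | (?P<cmt>--.*$)                              # trailing comment
  | (?P<word>[A-Za-z_][\w$]*)                   # keyword or identifier, e.g. v$session
  | (?P<op>[^\s\w])                             # any other single character
""", re.X | re.M)

def shape(sql):
    """Reduce a statement to its structure: literals become '?', case is folded."""
    out = []
    for m in TOKEN.finditer(sql):
        if m.lastgroup == "lit":
            out.append("?")
        elif m.lastgroup == "cmt":
            out.append("--")
        else:
            out.append(m.group().lower())
    return " ".join(out)

def learn(baseline):
    """Build the allow list from (application, statement) pairs seen in trusted traffic."""
    return {(app, shape(sql)) for app, sql in baseline}

def decide(allow, rules, session, sql):
    """Return 'allow', 'allow+log' or 'block' for one statement in one session."""
    s = shape(sql)
    tokens = s.split()
    # Negative model: the first rule whose object and session factors both match wins.
    for factors, obj, action in rules:
        if obj in tokens and all(session.get(k) == v for k, v in factors.items()):
            return action
    # Positive model: anything not learned for this application is out of policy.
    return "allow" if (session.get("app"), s) in allow else "block"

# Constructed sample data; names and addresses are placeholders (192.0.2.0/24 is a documentation range).
BASELINE = [("webshop", "SELECT * from stock where catalog-no='PHE8131'")]
RULES = [
    ({"client_ip": "192.0.2.50", "os_user": "dba1"}, "v$session", "allow+log"),
    ({}, "v$session", "block"),
]
APP = {"app": "webshop", "client_ip": "192.0.2.10", "os_user": "appsvc"}
DBA = {"app": "sqlplus", "client_ip": "192.0.2.50", "os_user": "dba1"}
INJECTED = "SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'"

def demo():
    allow = learn(BASELINE)
    cases = [
        (APP, "select * FROM stock WHERE catalog-no='ABC0001'"),  # same shape, new literal
        (APP, INJECTED),                                          # shape never learned
        (APP, "SELECT * FROM v$session"),                         # DBA query via the application
        (DBA, "SELECT * FROM v$session"),                         # DBA query from approved workstation
    ]
    return [decide(allow, RULES, sess, sql) for sess, sql in cases]

if __name__ == "__main__":
    print(demo())
```

The injected statement is rejected because its shape was never learned, not because of any signature for UNION or comment syntax.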
Page 28
Oracle Audit Vault and Database Firewall
Databases: Oracle, SQL Server, DB2 LUW, Sybase ASE
New Audit Sources
– Operating Systems: Microsoft Windows, Solaris
– Directory Services: Active Directory
– File Systems: Oracle ACFS
Audit Collection Plugins for Custom Audit Sources
– XML file maps custom audit elements to canonical audit elements
– Collect and map data from XML audit file and database tables
Comprehensive Enterprise Audit and Log Consolidation
Page 29
Oracle Audit Vault and Database Firewall Audit and Event Repository
Based on proven Oracle Database technology
– Includes compression, partitioning, scalability, high availability, etc.
– Open schema for flexible reporting
Information lifecycle management for target specific data retention
Centralized web console for easy administration
Command line utility for automation and scripting
Page 30
Oracle Audit Vault and Database Firewall Audit and Event Data Security
Software appliance based on hardened OS and pre-configured database
Fine-grained administrative groups
– Sources can be grouped for access authorization
– Individual auditor reports limited to data from the ‘grouped’ sources
Separation of duties
Powerful multi-event alerting with thresholds and group-by
Page 31
Oracle Audit Vault and Database Firewall Flexible Deployment Architectures
Inbound
SQL Traffic
Audit Vault
Standby
In-Line Blocking
and Monitoring
HA Mode
Out-of-Band
Monitoring
Audit Vault
Primary
Applications and Users
Remote Monitoring
Software Appliances
Audit Data
Audit Agents
Page 32
Oracle Audit Vault and Database Firewall Performance and Scalability
Audit Vault
– Supports monitoring and auditing multiple hundreds of heterogeneous database and non-database targets
– Supports wide range of hardware to meet load requirements
Database Firewall
– Decision time is independent of the number of rules in the policy
– Multi-device / multi-process / multi-core scalability
– 8 cores can handle between 30K and 60K transactions/second
Page 33
Oracle Audit Vault and
Database Firewall
Database Activity Monitoring and Firewall Detective Control for Oracle and non-Oracle Databases
Monitors network traffic, detects and blocks unauthorized activity
Highly accurate SQL grammar analysis
Can detect/stop SQL injection attacks
Whitelist approach to enforce activity
Blacklists for managing high risk activity
Scalable secure software appliance
Block
Log
Allow
Alert
Substitute Apps
Whitelist Blacklist
SQL Analysis Policy
Factors
Users
Page 34
Oracle Audit Vault and
Database Firewall
Audit, Report, and Alert in Real-Time Detective Control for Oracle and non-Oracle Databases
Audit Data & Event Logs
Policies
Built-in Reports
Alerts
Custom Reports
!
OS & Storage
Directories
Databases
Oracle Database
Firewall
Custom
Security
Analyst
Auditor
SOC
Centralized secure repository delivered as secure, scalable software appliance
Powerful alerting - thresholds, group-by
Out-of-the box and custom reports
Consolidated multi-source reporting
Built-in fine grain segregation of duties
Page 35
Oracle Audit Vault and Database Firewall Summary
• Snapshot view of audit settings for reporting
• Provision audit settings from a centralized interface
• Eliminate the need to wait for the DBA to send you the audit settings
• Automate collection of native database auditing from Oracle, SQL Server, IBM DB2, & Sybase
• Consolidated secure repository
• Reduce manual time to correlate audit data
• Schedule reports to be reviewed automatically by security team
• Continuous view of database access
• Save HOURS of time creating reports manually
• Review only out of policy behavior
• Automatic notification means you can proactively review database access
• Disregard the behavior that doesn’t require your attention
Page 36
Oracle Audit Vault and Database Firewall Value Proposition
Page 37
Oracle Audit Vault and Database Firewall Value Proposition
Value to the Partners
Ease of deployment & High availability of expertise
Detailed and effective audit controls
Increased competitiveness/revenues by protecting the end user’s data and reputation
Minimize costs of offering security solutions
Complete protection of data from one vendor
Earning customer trust – Security Advisor
Value to the Customers
Eliminate existing manual processes for audit data consolidation and reporting
Out-of-the-box compliance reports
Real-Time notification on out of policy behavior with automated alerts
Centralized database audit setting Management
heterogeneous database security framework
Multiple levels/layers of protection
Enforcing regulations compliance & standards
Page 38
Database Security Additional Enhancement
Page 39
Oracle Label Security
Label Based Access Control Preventive Control for Oracle Databases
Transactions
Report Data
Reports
Confidential Sensitive
Sensitive
Confidential
Public
Virtual information partitioning for cloud, SaaS, hosting environments
Classify users and data using labels
Labels based on business drivers
Automatically enforced row level access control, transparent to applications
Labels can be factors in other policies
Page 40
Replace sensitive application data
Extensible template library and formats
Application templates available
Referential integrity detected/preserved
At source masking and sub-setting*
Support for masking data in non-Oracle databases
Oracle Data Masking
Masking Data for Non-Production Use Preventive Control for Oracle Databases
Non-Production (Dev, Test):
LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Page 41
Scan Oracle for sensitive data
Built-in, extensible data definitions
Discover application data models
Protect sensitive data appropriately: encrypt, redact, mask, audit…
Oracle Enterprise Manager 12c
Discover Sensitive Data and Databases Administrative Control for Oracle Database
Page 42
Oracle Database Lifecycle Management
Configuration Management Administrative Control for Oracle Databases
Discover
Scan & Monitor
Patch
Discover and classify databases
Scan for best practices, standards
Detect unauthorized changes
Automated remediation
Patching and provisioning
Page 43
Oracle Maximum Security Architecture
Oracle Audit Vault
Oracle Database Firewall
Applications
Procurement
HR
Rebates
HR
Rebates
Auditing
Authorization
Authentication
Sensitive
Confidential
Public
Multi-factor Authorization
DB Consolidation Security
Unauthorized DBA Activity
Oracle Database Vault
Encrypted Database Encrypted Traffic
Oracle Advanced Security Oracle Data Masking Mask For Test and Dev
Enterprise Manager
Secure
Configuration
Scanning
Patch
Management
Page 44
Next Steps…
Protect sensitive data and database infrastructure ASAP!
Database consolidation and private clouds enable better security at lower cost and complexity
Secured Oracle Exadata Database Machines provide the secure database cloud building block you need
Securing your databases will allow you to outsource/take advantage of Public Clouds with less risk
Page 45
Oracle Database Security Partner Support and Resources
Page 46
Useful Resources for Partners and Customers
Test your company IT security!: Questions resulting in a diagram assessing your company’s security readiness
Cost Effective Security and Compliance with Oracle Database 11g Release 2:
http://www.oracle.com/us/products/database/056892.pdf
Oracle Audit Vault and Database Firewall FAQ:
http://www.oracle.com/technetwork/products/audit-vault-and-database-firewall/audit-vault-database-firewall-faq-1906550.pdf
Introducing Oracle Audit Vault and Database Firewall Web-Cast:
http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=541890&sessionid=1&partnerref=prod_sec_db12122012&key=E38B905176AAA94A27C94F87B829007A&eventuserid=73511945
Audit Vault and Database Firewall Forum
Page 47
Oracle Database Security Partner Resell Requirements
http://www.oracle.com/partners/en/knowledge-zone/database/database-021468.htm
• OPN member at Gold+ in good standing
• Acceptance into Oracle Database Knowledge Zone
• Valid Oracle Full Use Program Distribution Agreement
• NO competency or specialization requirements
Page 48
OPN “Security” Specialization
Business Criteria Required
Customer References 3
# Of Transactions *
Resell or
Non-Commission Co-sell or
Referral
2
Competency Criteria Required
•Oracle Database 11g Security Sales Specialist Recommended Training
•Oracle Database 11g Security Sales Specialist 2
•Oracle Database 11g Security PreSales Specialist Recommended Training
•Oracle Database 11g Security PreSales Specialist 2
General Product Support Assessment (v3.0) Or
Oracle Database 11g Security Technology Support Specialist acceptable:
Count before March 1, 2013 - valid until March 1, 2014
•Recommended Training
•Oracle Database 11g Security Technology Support Specialist
1
•Oracle Database 11g Security Certified Implementation Specialist.
Oracle Database 11g Security Essentials (1Z0-528)
•Recommended Training
•Oracle Database 11g Security Implementation Specialist
1
Page 49
For More Information Oracle Audit Vault and Database Firewall
http://www.oracle.com/database/security/audit-vault-database-firewall/overview/index.html
http://www.oracle.com/technetwork/products/audit-vault-and-database-firewall/overview/index.html
Page 50
Key Take Away &
Next Steps
Page 51
Oracle Database
Appliance
Engineered System
Single Box
Consolidated
Manageable
High Performance
Simple Affordable
Reliable
+ DB Options
DB Products
ISV Applications =
Enabling Partners
ORACLE DATABASE APPLIANCE SECURE HA PLATFORM
• to deliver a higher quality of service at much lower cost in shorter time.
• to deliver simplified IT solutions (simplify DBaaS).
• to easily adopt a wider range of products.
• to rapidly offer endless custom solutions.
• to expand their services opportunities
• to increase their solution competitiveness & revenue
Small To Medium Business
Page 52
BETTER PERFORMANCE AT EVERY LEVEL
A HOLISTIC & COMPREHENSIVE APPROACH
SECURITY AT EVERY LAYER & BETWEEN
SECURING BUSINESS AT THE CORE
SECURITY INSIDE-OUT
Inside Out Approach
Page 53
Oracle Database Security Solutions Key Benefits
Simple and Flexible
Security and Compliance
Enterprise Ready
Speed and Scale
Page 54
Thank You !