Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Audit Vault and Database Firewall What’s New and Best Practices Andrey Brozhko.


2 Oracle Audit Vault and Database Firewall: What’s New and Best Practices
Andrey Brozhko, Melody Liu
Oracle Database Security Product Management
September 30, 2014

3 Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

4 Session Agenda
- Oracle Audit Vault and Database Firewall Overview
- What’s New
- Best Practices
- Q&A

5 Oracle Audit Vault and Database Firewall
Heterogeneous Audit Data Consolidation and Database Activity Monitoring

6 Oracle Audit Vault and Database Firewall: High-level architecture
[Diagram labels: Users; Apps; Database Firewall; Events; Audit Vault; Policies; Alerts; Reports; Audit Data & Event Logs; OS & Storage; Directories; Databases; Custom]

7 Audit Vault: Trust but verify
- Consolidate and secure event data
- Extensive and customizable reporting
- Powerful, threshold based alerting
- Enterprise-scale deployment
[Diagram labels: OS & Storage; Directories; Databases; Custom; Audit Data & Event Logs; Audit Vault; Policies; Alerts; Reports]

8 Databases, Operating Systems, Directories

9 Extensive and Customizable Reporting
- Predefined reports
- Interactive browsing
- Build custom reports
- Report scheduling and notification
- Report attestation

10 Powerful Alerting

11 Database Firewall
- Monitor user activity from network
- Detect and block unauthorized activity
- Detect and block SQL injection attacks
- Advanced grammatical SQL analysis
- Positive and negative security model
- Scalable software appliance
[Diagram labels: Users; Apps; Database Firewall; Events; Policies; Alerts; Reports; Audit Vault]

12 Database Firewall: Anomaly detection and threat blocking with positive security model
- Block out-of-policy SQL statements from reaching the database
- Automated white list generation for any application
- Define permitted SQL behavior per user or application
[Diagram labels: Apps; Database Firewall; White List; Databases]
Allow: SELECT * from stock where catalog-no='PHE8131'
Block: SELECT * from stock where catalog-no=' ' union select cardNo,0,0 from Orders --'

13 Database Firewall: Enforcing behavior with negative security model
- Block specific unauthorized SQL statements, users or object access
- Blacklist on session factors: IP address, application, DB user, OS user
[Diagram labels: Database Firewall; Black List; Block; Allow; Log; SELECT * from stock; Databases; Unauthorized workstation or application; Legitimate data access]

14 What’s New in Enhanced Scalability, Security and Deployment Simplicity

15 iSCSI SAN support for Audit Repository

16 NFS Storage for Audit Data Archives

17 Forwarding Policy Alerts to Syslog
- Simple to set up
- Alerts contain link to detailed description in Auditor Dashboard
Jan 7 13:59:40 avs00161eb81587 logger: name="Alert_FailLogOn" severity="Critical" url="https:// /console/f?p=7700:33:::NO::P33_ALERT_ID:1" time=" T13:59: Z" target="avsource" user="INVALID" desc=" "]
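A parser for alert lines in the key="value" layout shown on this slide, as an added example that is not part of the original presentation. The sample lines are constructed (host, URL host, timestamps, desc and the `Alert_DDL` name are placeholders), and keeping the first occurrence of a repeated key is an assumption made here so that text inside a later field such as user or desc cannot overwrite severity.

```python
import re

# key="value" pairs as they appear in the alert line on the slide.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# The console URL ends with the alert id.
ALERT_ID_RE = re.compile(r'P33_ALERT_ID:(\d+)')

def parse_alert(line):
    """Return the alert fields as a dict, or None if this is not an alert line."""
    head, sep, body = line.partition(" logger: ")
    if not sep:
        return None
    fields = {}
    for key, value in PAIR_RE.findall(body):
        # First occurrence wins: a repeated key later in the line may come
        # from a value the database client controls (assumption, see lead-in).
        fields.setdefault(key, value)
    if "name" not in fields or "severity" not in fields:
        return None
    fields["host"] = head.split()[-1]          # syslog header ends with the host
    match = ALERT_ID_RE.search(fields.get("url", ""))
    fields["alert_id"] = int(match.group(1)) if match else None
    return fields

def critical_alerts(lines):
    """Return the parsed alerts whose severity is Critical."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a and a["severity"].lower() == "critical"]

# Constructed sample lines modelled on the slide.
SAMPLE = [
    'Jan 7 13:59:40 avs-example logger: name="Alert_FailLogOn" severity="Critical" '
    'url="https://avs.example.invalid/console/f?p=7700:33:::NO::P33_ALERT_ID:1" '
    'time="2014-01-07T13:59:40Z" target="avsource" user="INVALID" desc="constructed"]',
    'Jan 7 14:02:11 avs-example logger: name="Alert_DDL" severity="Warning" '
    'url="https://avs.example.invalid/console/f?p=7700:33:::NO::P33_ALERT_ID:2" '
    'time="2014-01-07T14:02:11Z" target="avsource" user="APP" desc="constructed"]',
    'Jan 7 14:03:00 avs-example sshd[311]: session opened',
]

if __name__ == "__main__":
    for alert in critical_alerts(SAMPLE):
        print(alert["host"], alert["name"], alert["target"], alert["user"], alert["alert_id"])
```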

18 Security and Usability Enhancements
- Database Vault protection of audit repository
- Simplified deployment of Audit Vault Agents
- Auto-upgrade capability in Audit Vault Agents
- Improved administration dashboard
- Enhanced diagnostic tools

19 Extended Target Platform Support
- Oracle Big Data Appliance (BDA) support
- Database Firewall support for MySQL 5.6
- Database Firewall support for Oracle 9i
- Windows & Linux 32-bit host OS support for Audit Vault Agents
- XSL transformation capability in XML file collection plugins

20 Oracle Audit Vault and Database Firewall Best Practices

21 Deployment Best Practices: Auditing? Monitoring? Blocking?
- Understand your database security needs
- Estimate aggregate volume of logged audit and event data
- Roll out audit logs consolidation, or activity monitoring, or both

22 Rolling Out Audit Log Consolidation: Making your audit data safe, secure and accessible with Oracle Audit Vault
- Configure Audit Vault: Install and configure Audit Vault Server; Register Secured Targets
- Configure Targets: Install and activate Audit Vault Agents on target hosts; Configure native audit policies
- Data Lifecycle Settings: Configure archive locations; Configure data retention policies
- Alerts & Reports: Start collecting and consolidating audit data from trails; Create baseline set of alerts

23 Rolling Out Monitoring: Monitoring all relevant SQL activity on the network
- Setup Database Firewalls: Deploy Database Firewalls; Architect and configure Database Firewall networking
- Configure Monitoring: Configure Enforcement Points; Switch on Database Activity Monitoring
- Configure Policy: Assign ‘Unique’ policy to Enforcement Points; Fine-tune policy based on logged SQL

24 Rolling Out Blocking: Protecting your databases with Database Firewall
- Learn from Logged Data: Review SQL activity for the period; Identify sets of users with common behavior
- Create Whitelists: Define permitted session profiles and privileged users; Specify what activity is to be logged
- Refine Policy: Deploy against production traffic; Tighten policy by rules on out of policy SQL
- Enable Blocking: Set up alerts on all out of policy activity; Switch to Database Policy Enforcement Mode

25 Database Firewall Policy
- Exceptions are applied first
- Session factors determine profile
- Profile defines the range of permitted SQL activity
- Novelty rules look at what is accessed and how
- Default rule is applied to everything else
[Diagram labels: SQL Statements; Exceptions List; Session Profile; SQL Baseline; Novelty Policy; Default Rule; If YES (Match), then PASS/ALERT/BLOCK]
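A simplified model of the evaluation order listed on this slide, added here as an illustration and not Oracle's code. Replacing literals with `?` stands in for the product's grammatical SQL analysis, and the policy contents, session values and the `customers` object are assumptions; the two `stock` statements are the ones shown on slide 12.

```python
import re

PASS, ALERT, BLOCK = "PASS", "ALERT", "BLOCK"

def cluster(sql):
    """Structural form of a statement: literals become '?', case and spacing are folded."""
    sql = re.sub(r"'[^']*'", "?", sql)      # quoted string literals
    sql = re.sub(r"\b\d+\b", "?", sql)      # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()

def evaluate(policy, session, sql):
    """Return (stage, action), walking the stages in the order given on the slide."""
    # 1. Exceptions are applied first.
    for matches, action in policy["exceptions"]:
        if matches(session):
            return "exception", action
    # 2. Session factors select a profile; its baseline lists the permitted clusters.
    form = cluster(sql)
    for matches, baseline in policy["profiles"]:
        if matches(session):
            if form in baseline:
                return "baseline", baseline[form]
            break
    # 3. Novelty rules look at which objects the statement touches.
    words = set(re.findall(r"[a-z_]\w*", form))
    for objects, action in policy["novelty"]:
        if words & objects:
            return "novelty", action
    # 4. The default rule covers everything else.
    return "default", policy["default"]

# Constructed policy; names and actions are illustrative assumptions.
POLICY = {
    "exceptions": [(lambda s: s["db_user"] == "SYS", ALERT)],
    "profiles": [(lambda s: s["app"] == "webshop",
                  {cluster("SELECT * from stock where catalog-no='X'"): PASS})],
    "novelty": [({"customers"}, ALERT)],
    "default": BLOCK,
}
APP = {"db_user": "SHOP", "app": "webshop", "ip": "192.0.2.10"}
DBA = {"db_user": "SYS", "app": "sqlplus", "ip": "192.0.2.20"}
OK_SQL = "SELECT * from stock where catalog-no='PHE8131'"
INJECTED = "SELECT * from stock where catalog-no=' ' union select cardNo,0,0 from Orders --'"

if __name__ == "__main__":
    for sql in (OK_SQL, INJECTED, "select name from customers"):
        print(evaluate(POLICY, APP, sql), sql)
```

The injected statement keeps the same prefix as the permitted one but has a different structure after literal stripping, so it misses the baseline and reaches the default rule.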

26 Database Firewall Policy Best Practices: Choose the right tools for the job
- Be selective in what you log
- Use Exceptions to log all activity for users with elevated privileges
- White list (i.e. ‘Pass’) all regular application activity in a Profile, only set ‘Log’ action for sensitive SQL
- Configure Novelty Policies to identify and log access to sensitive objects
- Set Default Rule to capture out-of-policy SQL
- Periodically review and update policies

27 Database Firewall: Network deployment best practices
- For passive monitoring (DAM) deploy out-of-band
- Use Proxy mode for no impact on network infrastructure
- Deploy in-line DAM if planning to turn on DPE (blocking) in the future
[Diagram labels: Users; Apps; Database Firewall; Events; Policies; Alerts; Reports; Out of band; Proxy; Inline blocking and monitoring]

28 Custom Collection Plug-ins: When built-in audit collection plugins are not enough
- XML-file and database table audit trail types are supported
- No need to write code, package configuration using avpack tool
- Create custom reports to address specific presentation needs
- Once deployed new plug-in and reports become integral part of the product installation
Oracle Confidential – Internal

29 Custom Collection Plug-ins: Annotated Example for custom database table audit trail
[Figure annotations: ‘Source’ to Audit Vault field mapping; Value ‘mapping’ (optional)]

30 Custom Collection Plug-ins: Best practices and recommendations
- Separate individual Secured Target trails
- Make sure that XML trail files are standard-conformant
- Correctly identify unique record field (or fields) in the trail
- Check filesystem and database permissions
- Verify time stamp functions properly
- Break audit data into multiple trails for increased performance

31 Q&A

32 Connect With Us
oracle.com/database/security
oracle.com/technetwork/database/security
/OracleDatabase
/OracleSecurity
blogs.oracle.com/SecurityInsideOut
blogs.oracle.com/KeyManagement
Oracle Database Insider
/Oracle/database
/OracleLearning
