Partner Webcast - Oracle Database Security Inside-Out DB Security Part 2: Audit Vault & Database...

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

description

Businesses not only have to protect sensitive information, but also monitor access to it, both for compliance and for potential threats. Avoid risky third-party solutions, and leverage the full potential of the #1 Database with 33 years of security innovations to safeguard data where it lives: in the database. In two webcasts we explore Oracle’s comprehensive database security and compliance solutions. Part 1: Advanced Security and Database Vault - 04 April 2013. Part 2: Audit Vault and Database Firewall (AVDF) - 11 April 2013. Find out more at https://blogs.oracle.com/imc/entry/partner_webcasts_oracle_database_security

Transcript of Partner Webcast - Oracle Database Security Inside-Out DB Security Part 2: Audit Vault & Database...


Oracle Audit Vault and Database Firewall

Tarek Salama

DB Options Specialist MEA


Program Agenda

Database Security Defense in Depth

Oracle Audit Vault & Database Firewall

Activity Monitoring and Blocking

Fine Grained, Customizable Reporting and Alerting

Enterprise Audit Data Consolidation and Lifecycle Management

Deployment Flexibility and Scalability

Oracle Audit Vault & Database Firewall Value Proposition

Oracle Maximum Security Architecture

Q&A


Database Sprawl Makes Attacking Easier!

Sensitive Data

Outsourced Data, DW/Analytics, Reports, Stand By, Test, Dev, Temp use


Only 35% Can Prevent SQL Injection Attacks

Have you taken steps to prevent SQL injection attacks?


Only 30% Using a Network-Based Database Firewall Solution

Are you using a network-based database firewall solution for blocking unauthorized database activity?

(Total does not equal 100% due to rounding.)


Billions of Database Records Breached Globally

97% of Breaches Were Avoidable with Basic Controls

98% records stolen from databases

96% of victims subject to PCI DSS had not achieved compliance

71% Breach within minutes

92% discovered by third party

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf


85% Breached in Minutes or Faster


85% Took Weeks, Months and Even Years to Discover


“Forrester estimates that although 70% of enterprises have an information security plan, only 20% of enterprises have a database security plan.”

Are Databases Adequately Protected?

Source: Forrester Research Inc., Creating An Enterprise Database Security Plan, July 2010

Endpoint Security

Vulnerability Management

Network Security

Email Security

Authentication Security

Database Security


“Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices”.

The Business Response Is Reactive

IT has shifted attention away from the applications & data


The Reactive Approach Fails

Increased IT Spending & Focused on The Wrong Risks

8.2% IT Budget 2007

14% IT Budget 2010

Endpoint Security

Vulnerability Management

Network Security

Email Security

Other Security

94% against servers

96% Non-compliance PCI

5% Privilege Misuse

32% of hacking involved stolen login credentials


Focus On The Core Systems

The Experience, The Applications, The Cloud, The Data Center


Security at Every Layer

Security between layers and across layers

Database Security

• Encryption and Masking

• Privileged User Controls

• Database Firewall

• Secure Configuration

Infrastructure Security

• Trusted OS Extensions

• Virtualization Security

• Cryptographic Acceleration

• Key Storage Built-In

• Secure Storage

Risk & Compliance

• Auditing

• Attestation

• Segregation of Duties

• Process Controls

• Transaction Controls

Identity Management

• Privilege Account Management

• User and Role Management

• Entitlements Management

• Risk-Based Access Control

• Directory Services


Customer Experience Security Challenges

Expanding business requires securing the interaction

Regulatory Compliance

PII, PCI DSS, PIPEDA, EU DPD

Quality of Service

Brand & Reputation

Identity Theft

Fraud Detection & Trust

Data Security & Integrity

Consumer Privacy


Forrester Research

Network Security

SIEM

Endpoint Security

Web Application Firewall

Email Security

Authentication & User Security

Database Security

Why are Databases so Vulnerable?

“Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access.”

80% of IT Security Programs Don’t Address Database Security


Why Do We Care About Auditing?

Applications & Data

Anytime

Anywhere


UNLOCK THE OPPORTUNITIES

PREVENT THE THREATS

MANAGE THE RISKS

Transform IT Security

Take an inside out approach

SECURITY INSIDE-OUT


Oracle Database Security Solutions

Defense-in-Depth for Maximum Security

PREVENTIVE: Encryption, Redaction and Masking, Privileged User Controls

DETECTIVE: Activity Monitoring, Database Firewall, Auditing and Reporting

ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis


Oracle Database Security Solutions

Detect and Block Threats, Alert, Audit and Report

PREVENTIVE: Encryption, Redaction and Masking, Privileged User Controls

DETECTIVE: Activity Monitoring, Database Firewall, Auditing and Reporting

ADMINISTRATIVE: Sensitive Data Discovery, Configuration Management, Privilege Analysis


Oracle Audit Vault and Database Firewall Product Overview


New Product

Oracle Announces Oracle Audit Vault and Database Firewall

Expands protection beyond Oracle and third party databases.

New software appliance-based platform accelerates enterprise-wide deployments.

Detective and preventive control to protect against the abuse of legitimate access.

Expanded Enterprise Auditing: Capabilities to collect, consolidate, and manage native audit and event logs.

Consolidated Reporting and Alerting: Consolidated, centralized repository for all audit and event logs to be analyzed in real-time.

Unified platform to display audit reports

Consolidate audit data from multiple sources


Oracle Audit Vault and Database Firewall

New Solution for Oracle and Non-Oracle Databases

Diagram labels: Users, Applications; Database Firewall (Allow, Log, Alert, Substitute, Block); Firewall Events; Audit Data; OS, Directory, File System & Custom Audit Logs; Audit Vault; Policies; Built-in Reports, Alerts, Custom Reports; Security Analyst, Auditor, SOC


Oracle Audit Vault and Database Firewall

SQL Injection Protection with Positive Security Model

White List

Allow: SELECT * from stock where catalog-no='PHE8131'

Block: SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'

• “Allowed” behavior can be defined for any user or application

• Automated white list generation for any application

• Out-of-policy database transaction detected and blocked/alerted

Diagram labels: Applications, Databases


Oracle Audit Vault and Database Firewall

Enforcing Database Activity with Negative Security Model

• Stop specific unwanted SQL interactions, user or schema access

• Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name, etc.

• Provide flexibility to authorized users while still monitoring activity

Black List

Block: DBA activity from Application? SELECT * FROM v$session

Allow + Log: DBA activity from Approved Workstation, SELECT * FROM v$session
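
The two policy models on the slides above, combined in one small decision function. This is an added example, not code from the Oracle deck or product: a regex normaliser stands in for real SQL grammar analysis, and the `Policy` class, the client addresses and the sample traffic are constructed for illustration.

```python
import re


def fingerprint(sql):
    """Reduce a statement to its shape: literals become '?', case and spacing folded.

    Assumption: a regex normaliser, far simpler than a real SQL grammar parser.
    """
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)        # quoted string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)   # numeric literals
    return re.sub(r"\s+", " ", shape).strip().lower()


class Policy:
    """Hypothetical policy: white list of statement shapes plus a session-factor black list."""

    def __init__(self, approved_workstations, restricted_objects):
        self.white_list = set()                         # learned statement shapes
        self.approved = set(approved_workstations)      # session factor: client address
        self.restricted = [o.lower() for o in restricted_objects]

    def learn(self, statements):
        """Positive model: build the white list from known-good application traffic."""
        self.white_list.update(fingerprint(s) for s in statements)

    def decide(self, sql, client_ip):
        shape = fingerprint(sql)
        # Negative model: restricted objects are judged on where the session comes from.
        if any(obj in shape for obj in self.restricted):
            return "allow+log" if client_ip in self.approved else "block"
        # Positive model: anything whose shape was never learned is out of policy.
        return "allow" if shape in self.white_list else "block"


# Constructed sample data (documentation address ranges).
APP_SERVER = "192.0.2.10"
DBA_WORKSTATION = "198.51.100.7"


def demo():
    policy = Policy([DBA_WORKSTATION], ["v$session"])
    policy.learn(["SELECT * from stock where catalog-no='PHE8131'"])
    traffic = [
        # Same shape as the learned statement, different literal.
        ("SELECT * from stock where catalog-no='ABC0001'", APP_SERVER),
        # The injected statement from the slide: the UNION changes the shape.
        ("SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'",
         APP_SERVER),
        # DBA-style query arriving from the application tier.
        ("SELECT * FROM v$session", APP_SERVER),
        # The same query from an approved workstation.
        ("SELECT * FROM v$session", DBA_WORKSTATION),
    ]
    return [policy.decide(sql, ip) for sql, ip in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because the white list stores statement shapes rather than literal text, a new catalog number still passes while the injected UNION does not match any learned shape.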


Oracle Audit Vault and Database Firewall

Comprehensive Enterprise Audit and Log Consolidation

Databases: Oracle, SQL Server, DB2 LUW, Sybase ASE

New Audit Sources

– Operating Systems: Microsoft Windows, Solaris

– Directory Services: Active Directory

– File Systems: Oracle ACFS

Audit Collection Plugins for Custom Audit Sources

– XML file maps custom audit elements to canonical audit elements

– Collect and map data from XML audit file and database tables


Oracle Audit Vault and Database Firewall

Audit and Event Repository

Based on proven Oracle Database technology

– Includes compression, partitioning, scalability, high availability, etc.

– Open schema for flexible reporting

Information lifecycle management for target specific data retention

Centralized web console for easy administration

Command line utility for automation and scripting


Oracle Audit Vault and Database Firewall

Audit and Event Data Security

Software appliance based on hardened OS and pre-configured database

Fine-grained administrative groups

– Sources can be grouped for access authorization

– Individual auditor reports limited to data from the ‘grouped’ sources

Separation of duties

Powerful multi-event alerting with thresholds and group-by


Oracle Audit Vault and Database Firewall

Flexible Deployment Architectures

Diagram labels: Applications and Users; Inbound SQL Traffic; In-Line Blocking and Monitoring; Out-of-Band Monitoring; Remote Monitoring; HA Mode; Software Appliances; Audit Vault Primary; Audit Vault Standby; Audit Data; Audit Agents


Oracle Audit Vault and Database Firewall

Performance and Scalability

Audit Vault

– Supports monitoring and auditing multiple hundreds of heterogeneous database and non-database targets

– Supports wide range of hardware to meet load requirements

Database Firewall

– Decision time is independent of the number of rules in the policy

– Multi-device / multi-process / multi-core scalability

– 8 core can handle between 30K – 60K transactions/second


Oracle Audit Vault and Database Firewall

Database Activity Monitoring and Firewall

Detective Control for Oracle and non-Oracle Databases

Monitors network traffic, detects and blocks unauthorized activity

Highly accurate SQL grammar analysis

Can detect/stop SQL injection attacks

Whitelist approach to enforce activity

Blacklists for managing high risk activity

Scalable secure software appliance

Diagram labels: Apps, Users; SQL Analysis; Policy Factors; Whitelist, Blacklist; Block, Log, Allow, Alert, Substitute


Oracle Audit Vault and Database Firewall

Audit, Report, and Alert in Real-Time

Detective Control for Oracle and non-Oracle Databases

Centralized secure repository delivered as secure, scalable software appliance

Powerful alerting - thresholds, group-by

Out-of-the box and custom reports

Consolidated multi-source reporting

Built-in fine grain segregation of duties

Diagram labels: Audit Data & Event Logs; OS & Storage, Directories, Databases, Oracle Database Firewall, Custom; Policies; Built-in Reports, Alerts, Custom Reports; Security Analyst, Auditor, SOC


Oracle Audit Vault and Database Firewall Summary

• Snapshot view of audit settings for reporting

• Provision audit settings from a centralized interface

• Eliminate the need to wait for the DBA to send you the audit settings

• Automate collection of native database auditing from Oracle, SQL Server, IBM DB2, & Sybase

• Consolidated secure repository

• Reduce manual time to correlate audit data

• Schedule reports to be reviewed automatically by security team

• Continuous view of database access

• Save HOURS of time creating reports manually

• Review only out of policy behavior

• Automatic notification means you can proactively review database access

• Disregard the behavior that doesn’t require your attention


Oracle Audit Vault and Database Firewall Value Proposition


Oracle Audit Vault and Database Firewall Value Proposition

Value to the Partners

Ease of deployment & High availability of expertise

Detailed and effective audit controls

Increased competitiveness/revenues by protecting the end user’s data and reputation

Minimize costs of offering security solutions

Complete protection of data from one vendor

Earning customer trust – Security Advisor

Value to the Customers

Eliminate existing manual processes for audit data consolidation and reporting

Out-of-the-box compliance reports

Real-Time notification on out of policy behavior with automated alerts

Centralized database audit settings management

Heterogeneous database security framework

Multiple levels/layers of protection

Enforcing regulatory compliance & standards


Database Security Additional Enhancement


Oracle Label Security

Label Based Access Control

Preventive Control for Oracle Databases

Virtual information partitioning for cloud, SaaS, hosting environments

Classify users and data using labels

Labels based on business drivers

Automatically enforced row level access control, transparent to applications

Labels can be factors in other policies

Diagram labels: Transactions, Report Data, Reports; Confidential, Sensitive; Sensitive, Confidential, Public


Oracle Data Masking

Masking Data for Non-Production Use

Preventive Control for Oracle Databases

Replace sensitive application data

Extensible template library and formats

Application templates available

Referential integrity detected/preserved

At source masking and sub-setting*

Support for masking data in non-Oracle databases

Production

LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (Dev, Test)

LAST_NAME   SSN          SALARY
ANSKEKSL    323-23-1111  60,000
BKJHHEIEDK  252-34-1345  40,000


Oracle Enterprise Manager 12c

Discover Sensitive Data and Databases

Administrative Control for Oracle Database

Scan Oracle for sensitive data

Built-in, extensible data definitions

Discover application data models

Protect sensitive data appropriately: encrypt, redact, mask, audit…


Oracle Database Lifecycle Management

Configuration Management

Administrative Control for Oracle Databases

Discover

Scan & Monitor

Patch

Discover and classify databases

Scan for best practices, standards

Detect unauthorized changes

Automated remediation

Patching and provisioning


Oracle Maximum Security Architecture

Diagram labels:

Oracle Audit Vault

Oracle Database Firewall

Applications: Procurement, HR, Rebates

Auditing, Authorization, Authentication

Sensitive, Confidential, Public

Oracle Database Vault: Multi-factor Authorization, DB Consolidation Security, Unauthorized DBA Activity

Oracle Advanced Security: Encrypted Database, Encrypted Traffic

Oracle Data Masking: Mask For Test and Dev

Enterprise Manager: Secure Configuration Scanning, Patch Management


Next Steps…

Protect sensitive data and database infrastructure ASAP!

Database consolidation and private clouds enable better security at lower cost and complexity

Secured Oracle Exadata Database Machines provide the secure database cloud building block you need

Securing your databases will allow you to outsource/take advantage of Public Clouds with less risk


Oracle Database Security Partner Support and Resources


Useful Resources for Partners and Customers

Test your company IT security!: Questions resulting in a diagram assessing your company’s security readiness

Cost Effective Security and Compliance with Oracle Database 11g Release 2:

http://www.oracle.com/us/products/database/056892.pdf

Oracle Audit Vault and Database Firewall FAQ:

http://www.oracle.com/technetwork/products/audit-vault-and-database-firewall/audit-vault-database-firewall-faq-1906550.pdf

Introducing Oracle Audit Vault and Database Firewall Web-Cast:

http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=541890&sessionid=1&partnerref=prod_sec_db12122012&key=E38B905176AAA94A27C94F87B829007A&eventuserid=73511945

Audit Vault and Database Firewall Forum


Oracle Database Security Partner Resell Requirements

http://www.oracle.com/partners/en/knowledge-zone/database/database-021468.htm

• OPN member at Gold+ in good standing

• Acceptance into Oracle Database Knowledge Zone

• Valid Oracle Full Use Program Distribution Agreement

• NO competency or specialization requirements


OPN “Security” Specialization

Business Criteria Required

Customer References 3

# Of Transactions * (Resell or Non-Commission Co-sell or Referral) 2

Competency Criteria Required

•Oracle Database 11g Security Sales Specialist Recommended Training

•Oracle Database 11g Security Sales Specialist 2

•Oracle Database 11g Security PreSales Specialist Recommended Training

•Oracle Database 11g Security PreSales Specialist 2

General Product Support Assessment (v3.0) Or

Oracle Database 11g Security Technology Support Specialist acceptable:

Count before March 1, 2013 - valid until March 1, 2014

•Recommended Training

•Oracle Database 11g Security Technology Support Specialist

1

•Oracle Database 11g Security Certified Implementation Specialist.

Oracle Database 11g Security Essentials (1Z0-528)

•Recommended Training

•Oracle Database 11g Security Implementation Specialist

1


For More Information

Oracle Audit Vault and Database Firewall

http://www.oracle.com/database/security/audit-vault-database-firewall/overview/index.html

http://www.oracle.com/technetwork/products/audit-vault-and-database-firewall/overview/index.html


Key Take Away & Next Steps


ORACLE DATABASE APPLIANCE SECURE HA PLATFORM

Oracle Database Appliance

Engineered System: Single Box, Consolidated, Manageable, High Performance, Simple, Affordable, Reliable

+ DB Options

DB Products

ISV Applications =

Enabling Partners

• to deliver a higher quality of service at much lower cost in shorter time.

• to deliver simplified IT solutions (simplify DBaaS).

• to easily adopt a wider range of products.

• to rapidly offer endless custom solutions.

• to expand their services opportunities

• to increase their solution competitiveness & revenue

Small To Medium Business


BETTER PERFORMANCE AT EVERY LEVEL

A HOLISTIC & COMPREHENSIVE APPROACH

SECURITY AT EVERY LAYER & BETWEEN

SECURING BUSINESS AT THE CORE

SECURITY INSIDE-OUT

Inside Out Approach


Oracle Database Security Solutions Key Benefits

Simple and Flexible

Security and Compliance

Enterprise Ready

Speed and Scale


Thank You!
