Security Audit Vault


    Oracle Audit Vault Trust-but-Verify

    An Oracle White Paper May 2007

    Introduction

    Auditing is playing an increasingly important role in the areas of compliance, privacy, and security. Satisfying compliance regulations such as Sarbanes-Oxley and mitigating the risks associated with the insider threat are among the top security challenges businesses face today. Today, the use of audit data as a security resource remains very much a manual process, requiring IT security and audit personnel to first collect the audit data, and then sift through enormous amounts of dispersed audit data using custom scripts and other methods. Oracle Audit Vault automates the audit collection and analysis process, turning audit data into a key security resource to help address today's security and compliance challenges.

    Compliance & Privacy Challenges

    Governments worldwide have enacted a wide range of regulations relating to financial controls, health care, and privacy.

    AMERICAS: Sarbanes-Oxley (SOX); Healthcare Insurance Portability and Accountability Act (HIPAA); CA SB 1386 and other State Privacy Laws; Payment Card Industry Data Security Act; FDA CFR 21 Part 11; FISMA (Federal Info Security Mgmt Act)
    EMEA: EU Privacy Directives; UK Companies Act of 2006
    APAC: Financial Instruments and Exchange Law (J-SOX); CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
    GLOBAL: International Accounting Standards; Basel II (Global Banking); OECD Guidelines on Corporate Governance

    Figure 1: Compliance & Privacy Challenges

    Each regulation has its own characteristics and requirements. Sarbanes-Oxley (SOX) requires executives to certify the accuracy of financial statements. SOX regulations require strong internal controls supporting the financial statement. The Healthcare Insurance Portability and Accountability Act (HIPAA) requires the protection of sensitive healthcare information. The Payment Card Industry (PCI) Data Security Act requires that businesses track and monitor all access to cardholder data.

    Key to supporting compliance and privacy regulations are proper security policies and procedures for access control, encryption, reporting, and monitoring. Access control policies are important for enforcing need-to-know policies on application data, especially for highly privileged users such as the DBA. Encryption policies are an important aspect of data protection for privacy-related data such as social security numbers or credit cards on the underlying storage media. Numerous high profile cases have been published regarding lost or stolen disk drives and backup tapes. Reporting and monitoring processes help enforce the trust-but-verify principle by auditing the activities of all users, especially the privileged users. In addition, such audit data can be used to alert IT security personnel to issues that may violate a specific compliance regulation.

    ORACLE AUDIT VAULT - 2 -

    However, leveraging audit data today is an inefficient, time-consuming and costly process because audit data is distributed across multiple systems. Audit data needs to be consolidated, secured, and easily accessible to IT security and audit personnel.

    Insider Threat Challenges

    The increasingly sophisticated nature of information theft and insider threats requires businesses not only to protect sensitive information but also to monitor access to it, including access by privileged and powerful users. The CSI/FBI 2005 Computer Crime and Security studies have documented that more than 70% of information system data losses and attacks have been perpetrated by insiders, that is, by those authorized at least some level of access to the system and its data. Insider security breaches can be much more costly than attacks from outside the enterprise.

    Examination of numerous incidents has shown that had audit data been examined, the resulting impact could have been substantially reduced. However, leveraging audit data has proven to be a very difficult task because audit data is distributed, making analysis, reporting, and alerting difficult.

    Information protection has become a top-level issue for the enterprise. In light of the numerous data breaches, many businesses are adopting the principle of trust-but-verify. Trust-but-verify simply means that users are trusted to do their assigned tasks and duties, while ensuring that their actions are monitored for verification and compliance with the policies. Auditing is an important component of the overall defense-in-depth security architecture.

    Oracle Audit Vault

    Businesses need to consolidate, manage, monitor and report on audit data for a complete view of enterprise data access. IT security and audit personnel must have the ability to analyze audit data in a timely fashion across disparate systems. Oracle Audit Vault addresses this requirement by consolidating audit data across all systems into a secure, scalable, and highly available repository.

    Oracle Audit Vault collects database audit data from the Oracle database audit trail tables, database audit trails from operating system files, and database transaction logs (to capture before/after value changes of transactions) from Oracle9i Database Release 2, Oracle Database 10g Release 1, Oracle Database 10g Release 2, and Oracle Database 11g Release 1. Future releases will include the ability to collect audit data from non-Oracle database sources and to build custom audit collectors for other sources.


    Figure 2: Oracle Audit Vault Overview (audit sources: Oracle Database 11gR1, Oracle Database 10gR2, Oracle Database 10gR1, Oracle Database 9iR2 and, in future, other sources and databases; capabilities shown: Detect Threats With Alerts, Provide Secure and Scalable Repository, Simplify Compliance Reporting, Lower Costs With Audit Policies; Policies, Reports, Monitor)

    Using Oracle Audit Vault, businesses are able to consolidate large volumes of audit data from multiple sources and thereby obtain a complete view of audit data using over one dozen built-in reports for analyzing audit data. In addition, the collected audit data is analyzed for any suspicious activity, and an alert is raised when such an event occurs. Oracle Audit Vault's graphical user interface also allows IT Security Officers and IT Auditors to create and provision auditing policies to the databases.

    Central to Oracle Audit Vault is a secure data warehouse built on Oracle's industry leading data warehousing technology and secured with Oracle's industry leading Database security products such as Oracle Database Vault and Oracle Advanced Security. Oracle Audit Vault includes Oracle Partitioning to improve manageability and performance.

    Oracle Audit Vault helps businesses improve their ability to comply with regulatory requirements by ensuring the collection and accuracy of the audit data, and by lessening the time and effort to demonstrate that mandated controls are in effect and working.

    Simplify Compliance Reporting

    Oracle Audit Vault provides interfaces to efficiently report on enterprise wide audit information and user activities, and thus simplify and expedite compliance reporting. With Oracle Audit Vault, the dispersed audit data can be consolidated in a single location where the data can be protected, analyzed, and reported upon using predefined or custom reports.

    Compliance & Security Reports

    IT Auditors, Compliance and IT security officers can utilize built-in reports to monitor user access and activity. Reports relating to privileged user access, failed login attempts, use of system privileges, and changes to database structures are very helpful for SOX reporting and other compliance requirements. The drill-down capability provides full visibility into the details of the what, where, when, and who of the audit events.

    Oracle Audit Vault provides standard audit assessment reports on activities associated with account management, roles and privileges, object management, and system management across the enterprise. For example, the account management report can be used to monitor creation of new accounts as it might violate internally or externally mandated security policies.

    Figure 3: Oracle Audit Vault Activity Reports

    Oracle Audit Vault provides the capability to generate parameter driven reports from the interface as well. For example, a report showing user login activity across multiple sensitive databases can be easily generated. Reports can be defined for specific time frames. For example, a Weekend report could be defined and saved within Oracle Audit Vault based on audit data from a subset of particularly sensitive databases. The report could then be used each Monday morning to monitor the weekend activities. Another report might be defined to help support an internal investigation involving a specific user on specific databases.

    The foundation of the Oracle Audit Vault has been developed on a flexible data warehouse infrastructure that provides the ability to consolidate and organize audit data so it can be easily managed, accessed, and analyzed. The Oracle Audit Vault audit data warehouse schema can be accessed from any Oracle Business Intelligence or reporting tools including Oracle BI Publisher and 3rd party reporting tools to build custom reports for compliance and security requirements.


    Early Detection with Oracle Audit Vault Alerts

    Security alerts can be used to rapidly address compliance, privacy, and insider threat issues across the enterprise. Oracle Audit Vault provides IT security personnel with the ability to detect and alert on suspicious activity, attempts to gain unauthorized access, and abuse of system privileges.

    Oracle Audit Vault can generate notifications on specific events, acting as an early warning system against insider threats and helping detect changes to baseline configurations or activity that could potentially violate compliance. It provides an alert generation capability to mitigate the insider security threats by generating alerts for system defined and user defined events. Oracle Audit Vault continuously monitors the audit data collected, evaluating the activities against defined alert conditions.

    Audit Vault Alerts

    Oracle Audit Vault's interface can be used to monitor alerts and audited events across the business. Alerts can be defined on database activity including failed logins, suspicious login times, and failed attempts to view or access data. Alerts can be associated with any auditable database event, including system events such as changes to application tables and creating privileged users. For instance, the Security Officer could receive an alert when a user attempts to access sensitive corporate information.

    The Oracle Audit Vault interface provides graphical summaries of activities causing alerts across the entire enterprise. The Oracle Audit Vault interface provides a summary of the alerts over a specified time period. These graphical summaries include Alert Severity Summary, Summary of Alert Activity, Top Sources by Number of Alerts, and Alert by Audit Event Category frequency. Users can click on the graphics to drill down to a more detailed report.

    Figure 4: Oracle Audit Vault Dashboard for Alerts


    Oracle Audit Vault continuously monitors inbound audit data and generates alerts when data in a single audit record matches a custom defined alert rule condition. For example, a rule condition may be defined to raise an alert whenever a privileged user attempts to grant someone access to sensitive data. An alert can also be generated when a privileged user creates another privileged user within the database. When an audit event is evaluated and the rule condition is met, an alert is raised. For reporting, alerts are grouped by the source with which they are associated. Alerts can also be grouped by the event category to which the event belongs, and by the severity level of the alert (warning, critical, or informational).
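    As an added example (not Oracle's code and not part of the white paper), the single-record alert evaluation and grouping described above in Python. Record field names mirror a few Oracle audit-trail columns; the source names, privileged-user and sensitive-object lists, rule set and sample records are constructed assumptions.

```python
"""Added example, not Oracle's code: evaluate inbound audit records one at a
time against alert rule conditions and group the alerts by source, event
category and severity, as the text describes. Record keys mirror a few Oracle
audit-trail columns (USERNAME, ACTION_NAME, OWNER, OBJ_NAME, GRANTEE,
RETURNCODE); the sources, user/object lists and rules are hypothetical."""
from collections import Counter

PRIVILEGED_USERS = {"SYS", "SYSTEM", "DBA_ALICE"}                 # hypothetical
SENSITIVE_OBJECTS = {("HR", "EMPLOYEES"), ("FIN", "CARD_DATA")}   # hypothetical
PRIVILEGED_ROLES = {"DBA"}                                        # hypothetical

# Each rule: (name, event category, severity, predicate over ONE record),
# matching the single-audit-record evaluation model described above.
RULES = [
    ("grant on sensitive data", "OBJECT MANAGEMENT", "CRITICAL",
     lambda r: r["ACTION_NAME"] == "GRANT OBJECT"
     and r["USERNAME"] in PRIVILEGED_USERS
     and (r.get("OWNER"), r.get("OBJ_NAME")) in SENSITIVE_OBJECTS),
    ("privileged user created", "ACCOUNT MANAGEMENT", "CRITICAL",
     lambda r: r["ACTION_NAME"] == "GRANT ROLE"        # role name in OBJ_NAME
     and r["USERNAME"] in PRIVILEGED_USERS             # (constructed layout)
     and r.get("OBJ_NAME") in PRIVILEGED_ROLES),
    ("failed login", "LOGON", "WARNING",               # 1017: ORA-01017
     lambda r: r["ACTION_NAME"] == "LOGON" and r.get("RETURNCODE") == 1017),
]

def evaluate(record):
    """Alerts raised by a single audit record (possibly none)."""
    return [{"source": record["SOURCE"], "rule": name, "category": cat,
             "severity": sev, "user": record["USERNAME"]}
            for name, cat, sev, cond in RULES if cond(record)]

def evaluate_stream(records):
    """Run every inbound record through the rule set, in arrival order."""
    return [alert for rec in records for alert in evaluate(rec)]

def summarize(alerts):
    """Group alerts as the dashboard does: by source, category and severity."""
    return {f"by_{f}": Counter(a[f] for a in alerts)
            for f in ("source", "category", "severity")}

# Constructed sample audit records from two hypothetical source databases.
SAMPLE_RECORDS = [
    {"SOURCE": "HRDB", "USERNAME": "DBA_ALICE", "ACTION_NAME": "GRANT OBJECT",
     "OWNER": "HR", "OBJ_NAME": "EMPLOYEES", "GRANTEE": "BOB"},
    {"SOURCE": "HRDB", "USERNAME": "APP_USER", "ACTION_NAME": "SELECT",
     "OWNER": "HR", "OBJ_NAME": "EMPLOYEES"},                # routine read
    {"SOURCE": "FINDB", "USERNAME": "SYSTEM", "ACTION_NAME": "GRANT ROLE",
     "OBJ_NAME": "DBA", "GRANTEE": "CAROL"},
    {"SOURCE": "FINDB", "USERNAME": "CAROL", "ACTION_NAME": "LOGON",
     "RETURNCODE": 1017},
    {"SOURCE": "FINDB", "USERNAME": "CAROL", "ACTION_NAME": "LOGON",
     "RETURNCODE": 0},                                       # successful login
]
```

    Running `summarize(evaluate_stream(SAMPLE_RECORDS))` yields two critical alerts and one warning, with FINDB as the top source by alert count.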

    Lower IT Costs with Oracle Audit Vault Policies

    Oracle Audit Vault provides centralized management of database audit settings or policies, simplifying the job of the IT security officers and internal auditors. Many businesses are required to actively monitor systems for specific audit events or audit policies. Today, defining and managing these audit events is typically a manual process in which IT security personnel work with internal auditors to define audit settings on databases and other systems across the enterprise. In addition, once the settings have been defined, the IT security personnel must periodically ensure that the audit settings have not been altered. The collection of audit settings is sometimes referred to as an audit policy.

    Oracle Audit Vault provides the ability to define audit policies from a central console that can be used by internal auditors and IT security to demonstrate compliance and repeatable controls to auditors. Oracle Audit Vault eliminates manual scripting of audit settings and reduces the associated maintenance costs. The policy mechanism also allows businesses to define the specific audit policies that can alert administrators to misuse of authorization rights by generating a record of such events.
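    As an added example (not Oracle's code) of the central policy definition and periodic verification described above, a Python check that compares a central audit policy with the settings currently read from each source database and generates the AUDIT/NOAUDIT statements that would restore the policy. The policy content, database names and current settings are constructed assumptions.

```python
"""Added example, not Oracle's code: compare a central audit policy with the
audit settings currently in effect on each source database, report drift, and
emit the AUDIT/NOAUDIT statements that would restore the policy. A policy maps
an audit option to (audit on success, audit on failure), the shape of a row in
a statement or privilege audit-options view; all values below are constructed."""

CENTRAL_POLICY = {                       # hypothetical SOX-scoped policy
    "CREATE USER": (True, True),
    "DROP USER": (True, True),
    "GRANT ANY PRIVILEGE": (True, True),
    "SELECT ANY TABLE": (True, True),
    "CREATE SESSION": (False, True),     # failed logins only
}

def audit_drift(expected, current):
    """Options missing from, added to, or altered on the source."""
    common = set(expected) & set(current)
    return {"missing": sorted(set(expected) - set(current)),
            "unexpected": sorted(set(current) - set(expected)),
            "altered": sorted(o for o in common if expected[o] != current[o])}

def audit_statement(option, flags):
    """AUDIT statement that enables one option for (success, failure)."""
    success, failure = flags
    if success and failure:
        return f"AUDIT {option};"
    return f"AUDIT {option} WHENEVER {'' if success else 'NOT '}SUCCESSFUL;"

def remediation_sql(expected, drift):
    """Statements that restore the policy; altered options are cleared with
    NOAUDIT first so the re-issued AUDIT leaves exactly the specified flags."""
    stmts = [f"NOAUDIT {o};" for o in drift["unexpected"] + drift["altered"]]
    for o in drift["missing"] + drift["altered"]:
        stmts.append(audit_statement(o, expected[o]))
    return stmts

def check_sources(policy, sources):
    """Drift report per source; compliant only when nothing drifted."""
    report = {}
    for name, settings in sources.items():
        drift = audit_drift(policy, settings)
        drift["compliant"] = not (drift["missing"] or drift["unexpected"]
                                  or drift["altered"])
        drift["fix"] = [] if drift["compliant"] else remediation_sql(policy, drift)
        report[name] = drift
    return report

# Constructed current settings as read from two hypothetical databases.
SOURCES = {
    "FINDB": dict(CENTRAL_POLICY),                 # untouched
    "HRDB": {"CREATE USER": (True, True),          # DROP USER auditing removed
             "GRANT ANY PRIVILEGE": (True, False), # failure auditing switched off
             "SELECT ANY TABLE": (True, True),
             "CREATE SESSION": (False, True),
             "CREATE TABLE": (True, True)},        # added locally, not in policy
}
```

    `check_sources(CENTRAL_POLICY, SOURCES)` reports FINDB as compliant and lists, for HRDB, the removed, altered and locally added options together with the four statements that would bring it back in line.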

    Oracle Audit Vault Security

    Enterprise audit data is an important and critical record of business activity. Audit data needs to be protected against modification so that reports and investigations based on audit data have a high level of integrity. Oracle Audit Vault protects audit data during transfer with network encryption, preventing anyone from reading or tampering with the data during transmission. Timely transfer of audit data from source systems to Oracle Audit Vault is critical to close the window on intruders who may attempt to modify audit data and cover their tracks.

    Access to the audit data within Oracle Audit Vault is strictly controlled. IT security managers and auditors can be given access for review purposes only. Privileged DBA users cannot view or modify the audit data within Oracle Audit Vault's audit warehouse due to the protection mechanism provided by Oracle Database Vault. These mechanisms are used to protect audit data from unauthorized access, enforce separation of duty, and prevent unauthorized changes to the audit data.


    Oracle Audit Vault Scalability

    Oracle Audit Vault provides a secure data warehouse environment designed for the storage and analysis of large amounts of audit data. Oracle Audit Vault includes Oracle Partitioning to enhance manageability and performance, enabling audit data to be physically partitioned based on business requirements.

    Oracle Audit Vault can optionally be deployed with Oracle Real Application Clusters (RAC), enabling scalability, high availability, and flexibility at low cost. Oracle RAC allows Oracle Audit Vault to scale-out by adding additional server machines to accommodate additional audit sources or audit records rather than having to scale-up by replacing the existing machine with a more powerful machine.

    Conclusion

    Auditing is playing an increasingly important role in helping address global regulatory compliance requirements and insider threats. Today, the use of audit data as a security resource remains very much a manual process, requiring IT security and audit personnel to first collect the audit data, and then sift through enormous amounts of dispersed audit data using custom scripts and other methods. Businesses need to consolidate, manage, monitor, and report on audit data for a complete view of enterprise data access, giving IT security and audit personnel the ability to analyze audit data in a timely fashion.

    Oracle Audit Vault provides a powerful audit solution that helps simplify compliance reporting, detect threats with early alerting, lower the cost of compliance, and secure audit data. Oracle Audit Vault automates the consolidation and analysis process, turning audit data into a key security resource to help address today's security and compliance challenges. Numerous built-in reports provide easy compliance reporting and the open data warehouse provides extensible reporting using Oracle BI Publisher or 3rd party business reporting solutions.

    Oracle Audit Vault leverages Oracle's proven data warehousing and partitioning capabilities to achieve massive storage scalability. Oracle Audit Vault can be configured with Oracle RAC for high availability and flexibility at low cost. Oracle Audit Vault uses Oracle's industry leading security capabilities to protect audit data end-to-end, encrypting audit data during transmission and enforcing separation of duty within Oracle Audit Vault.

    Addressing regulatory compliance requirements and protecting against insider threats in a global economy requires a defense-in-depth approach to security. Auditing is a critical component of the defense-in-depth architecture, enforcing the trust-but-verify principle.


    Oracle Audit Vault Trust-but-Verify
    April 2007
    Authors: Jack Brinson, Tammy Bednar, Paul Needham

    Oracle Corporation
    World Headquarters
    500 Oracle Parkway
    Redwood Shores, CA 94065
    U.S.A.

    Worldwide Inquiries:
    Phone: +1.650.506.7000
    Fax: +1.650.506.7200
    oracle.com

    Copyright 2007, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
