
Oracle Audit Vault and Database Firewall

Matteo Galimberti, Solution Account Manager BSC Consulting

Paolo Marchei, Principal Sales Consultant Oracle Italia


Billions of Database Records Breached Globally
97% of Breaches Were Avoidable with Basic Controls

98% records stolen from databases
84% records breached using stolen credentials
71% fell within minutes
92% discovered by third party

2 Copyright 2013, Oracle and/or its affiliates. All rights reserved.


Why are Databases so Vulnerable?
80% of IT Security Programs Don't Address Database Security

Enterprises are taking on risks that they may not even be aware of. Especially as more and more attacks against databases exploit legitimate access.
(Forrester Research)

Security areas shown in the diagram: Network Security, Authentication & User Security, SIEM, Email Security, Endpoint Security, Database Security, Web Application Firewall



Oracle Database Security Solutions
Defense-in-Depth for Maximum Security

PREVENTIVE: Encryption; Redaction and Masking; Privileged User Controls
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege Analysis; Sensitive Data Discovery; Configuration Management



Oracle Database Security Solutions
Detect and Block Threats, Alert, Audit and Report

PREVENTIVE: Encryption; Redaction and Masking; Privileged User Controls
DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
ADMINISTRATIVE: Privilege Analysis; Sensitive Data Discovery; Configuration Management



Oracle Audit Vault and Database Firewall
New Solution for Oracle and Non-Oracle Databases
[Diagram]
Database Firewall: traffic from Users and Applications; actions Allow, Log, Alert, Substitute, Block
Audit Vault: Firewall Events; Audit Data; OS, Directory, File System & Custom Audit Logs
Auditor: Reports
Security Manager: Alerts, Policies



Oracle AVDF Accuracy
Why is understanding SQL critical?

SQL is a language with about 400 key words and a strict grammar structure (ISO SQL spec 1500+ pages):

SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;

Parts of the statement: KEY WORDS, OPERATORS, SCHEMA, DATA

Unless the grammar and structure of the language are known, errors are made when analysing SQL:

UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';

False Alarms are too costly



The cost of inaccuracy



Oracle AVDF Accuracy

- Oracle AVDF can understand every SQL interaction and correctly segregate it based on the intent of the transaction.
- Uses semantic analysis of the grammar and structure of a SQL transaction to determine all of the relevant information about a query.
- Can also associate attributes with a SQL transaction such as who, what, when, from where, by whom, with what and what happened.



Oracle DB Auditing: Fine-Grained Auditing
Audit Policy:
AUDIT_CONDITION: NAME != USER
AUDIT_COLUMN = SALARY

Not audited:
SELECT name, job, deptno FROM emp

Audited:
SELECT name, salary FROM emp

Audit Records (FGA_LOG$):
SELECT name, salary FROM emp, <timestamp>, <SCN>, <userid>, etc.



Oracle Audit Vault and Database Firewall
SQL Injection Protection with Positive Security Model

White List (between Applications and Databases):
Allow: SELECT * from stock where catalog-no='PHE8131'
Block: SELECT * from stock where catalog-no= ' union select cardNo,0,0 from Orders --

- Allowed behavior can be defined for any user or application
- Automated white list generation for any application
- Out-of-policy database transaction detected and blocked/alerted
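
The accuracy point from the "Why is understanding SQL critical?" slide and the white-list model above, as an added example (not Oracle AVDF code): a small literal-aware tokenizer shows why raw keyword matching misreads the UPDATE comment text, and how statement fingerprints can act as an allow list. The sample statements are constructed from the slides; the function names, keyword subset and fingerprint format are assumptions.

```python
import re

# Constructed samples modelled on the slides; not captured traffic.
APP_QUERY = "SELECT * from stock where catalog-no='PHE8131'"
INJECTED = ("SELECT * from stock where catalog-no='' "
            "union select cardNo,0,0 from Orders --'")
UPDATE = ("UPDATE tbl_users SET comments = 'She will select the new service "
          "level agreement, billed between 1/2/2009 and 2/2/2009' "
          "WHERE id = 'A15431029'")
KEYWORDS = {"SELECT", "FROM", "WHERE", "UNION", "UPDATE", "SET", "AND", "BETWEEN"}

# Order matters: literals and comments are recognised before operators.
TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')     # quoted literal; '' is an escaped quote
  | (?P<comment>--.*$)          # line comment
  | (?P<num>\d+)                # numeric literal
  | (?P<word>[A-Za-z_][\w$]*)   # keyword or identifier
  | (?P<op>[^\s\w])             # any other symbol
""", re.X | re.M)

def tokens(sql):
    """Yield (kind, text) so data is never confused with SQL structure."""
    for m in TOKEN.finditer(sql):
        yield m.lastgroup, m.group()

def naive_keywords(sql):
    """Raw text matching with no notion of string literals."""
    return {w.upper() for w in re.findall(r"[A-Za-z]+", sql)} & KEYWORDS

def grammar_keywords(sql):
    """Keywords that occur in executable positions only."""
    return {t.upper() for kind, t in tokens(sql) if kind == "word"} & KEYWORDS

def fingerprint(sql):
    """Statement shape: literals become '?', comments are dropped."""
    return " ".join("?" if kind in ("str", "num") else text.upper()
                    for kind, text in tokens(sql) if kind != "comment")

# Hypothetical allow list, "learned" from one observed application statement.
ALLOW_LIST = {fingerprint(APP_QUERY)}

def decide(sql, allow_list=ALLOW_LIST):
    """Positive security model: anything outside the allow list is blocked."""
    return "allow" if fingerprint(sql) in allow_list else "block"

if __name__ == "__main__":
    print(sorted(naive_keywords(UPDATE) - grammar_keywords(UPDATE)))
    print(decide(APP_QUERY), decide(INJECTED))
```

A different catalog number produces the same fingerprint and is allowed, while the UNION statement changes the statement shape and falls outside the list.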



Oracle Audit Vault and Database Firewall
Enforcing Database Activity with Negative Security Model
Black List:
Block: DBA activity from Application? SELECT * FROM v$session
Allow + Log: DBA activity from Approved Workstation: SELECT * FROM v$session

- Stop specific unwanted SQL interactions, user or schema access
- Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name etc.
- Provide flexibility to authorized users while still monitoring activity



Oracle Audit Vault and Database Firewall
Comprehensive Enterprise Audit and Log Consolidation

- Databases: Oracle, SQL Server, DB2 LUW, DB2 z/OS*, Sybase ASE
- New Audit Sources
  - Operating Systems: Microsoft Windows, Solaris
  - Directory Services: Active Directory
  - File Systems: Oracle ACFS
- Audit Collection Plugins for Custom Audit Sources
  - XML file maps custom audit elements to canonical audit elements
  - Collect and map data from XML audit file and database tables

* Third party integration by BSC Consulting Spa & AlfaGroup



Oracle Audit Vault and Database Firewall
Solution for DB2 on z/OS
[Diagram]
DB2 on z/OS side: Intercept SQL; Write Recorder; DAEMON (Applies Rules, Generates Alerts)
Database Firewall: traffic from Users and Applications; actions Allow, Log, Alert, Substitute, Block
Firewall Events & SQL Statistics; Audit Data
Auditor: Reports
Security Manager: Alerts, Policies

Audit Vault Integration by





Governance & Compliance regulations



Catalog Sensitive Data in Your Enterprise Databases
Sensitive data types:
- Person Name
- Maiden Name
- Business Address
- Business Telephone Number
- Business Email Address
- Custom Name
- Employee Number
- User Global Identifier
- Party Number or Customer Number
- Account Name
- Mail Stop
- GPS Location
- Student Exam Hall Ticket Number
- Club Membership ID
- Library Card Number
- Identity Card Number
- Instant Messaging Address
- Web site
- National Identifier
- Passport Number
- Driver's License Number
- Personal Address
- Personal Telephone Number
- Personal Email Address
- Visa Number or Work Permit
- Bank Account Number
- Card Number (Credit or Debit Card Number)
- Tax Registration Number or National Tax ID
- Person Identification Number
- Welfare Pension Insurance Number
- Unemployment Insurance Number
- Government Affiliation ID
- Military Service ID
- Social Insurance Number
- Pension ID Number
- Article Number
- Civil Identifier Number
- Hafiza Number
- Social Security Number
- Trade Union Membership Number
- Pension Registration Number
- National Insurance Number
- Health Insurance Number
- Personal Public Service Number
- Electronic Taxpayer Identification Number
- Biometrics Data
- Digital ID
- Citizenship Number
- Voter Identification Number
- Residency Number (Green Card)

Business-driven criteria:
- Violate government regulations
- Violate business regulations
- Damage shareholder value through loss of market capital, valuation, reputation, customers
- Lawsuits



Sensitive Data Discovery
Find and Catalog Sensitive Data
1. Data Finder Patterns: define pattern match rules for tables, columns and data
   Table Name: EMP*
   Column Name: *SSN*
   Data Format: ### - ## - ####
2. Enterprise Data Sources: connect to databases and search for Data Finder patterns across databases
3. Data Finder Reports / Results: results rendered by confidence factor; relevant database fields imported into the Data Privacy Catalog
4. Data Privacy Catalog (PERSON_SSN, EMP_SSN, SOC_SEC_NUM): new database fields added and then protected
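
The discovery steps above, as an added example (not Oracle's Data Finder code): the slide's table, column and data-format rules are applied to a constructed catalog, and candidates are ranked by a confidence score. The scoring weights, the threshold, the sample catalog and all function names are assumptions made for illustration.

```python
import fnmatch
import re

# Rule from the slide: table EMP*, column *SSN*, data format ###-##-####
# (the mask is written here without the spacing shown on the slide).
RULE = {"table": "EMP*", "column": "*SSN*", "format": "###-##-####"}

# Constructed catalog: (table, column, sampled values). Values are fake.
CATALOG = [
    ("EMPLOYEES", "EMP_SSN", ["123-45-6789", "987-65-4321"]),
    ("PAYROLL", "SOC_SEC_NUM", ["123-45-6789", "987-65-4321"]),
    ("EMP_CONTACTS", "PHONE", ["555-0100", "555-0199"]),
    ("ORDERS", "ORDER_ID", ["1001", "1002"]),
]

def mask_to_regex(mask):
    """Turn a '#' digit mask into a regex that must match the whole value."""
    body = "".join(r"\d" if ch == "#" else re.escape(ch) for ch in mask)
    return re.compile(body + r"\Z")

def confidence(table, column, samples, rule=RULE):
    """Hypothetical score in [0, 1]: names weigh 0.25 each, sampled data 0.5."""
    rx = mask_to_regex(rule["format"])
    table_hit = fnmatch.fnmatchcase(table.upper(), rule["table"])
    column_hit = fnmatch.fnmatchcase(column.upper(), rule["column"])
    data_rate = sum(1 for s in samples if rx.match(s)) / len(samples) if samples else 0.0
    return round(0.25 * table_hit + 0.25 * column_hit + 0.5 * data_rate, 2)

def find_sensitive(catalog, threshold=0.5):
    """Return (confidence, 'TABLE.COLUMN') for candidates, best match first."""
    scored = [(confidence(t, c, s), f"{t}.{c}") for t, c, s in catalog]
    return sorted((r for r in scored if r[0] >= threshold), reverse=True)

if __name__ == "__main__":
    for score, field in find_sensitive(CATALOG):
        print(f"{score:.2f}  {field}")
```

SOC_SEC_NUM matches neither name rule and is found only through the data format, which is why the name patterns and the data pattern are scored together.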



Oracle Audit Vault and Database Firewall
Auditing and Reporting

- Tens of default audit reports
  - Out-of-the-Box Compliance Reporting
- Report with Data from Multiple Source Types
- Auditing Stored Procedure Calls Not Visible on the Network
- Powerful Alerting Filter Conditions



Oracle Audit Vault and Database Firewall
Increasing auditing value: out-of-the-box Integration

Oracle AVDF is integrated with the following third-party products:


- BIG-IP Application Security Manager (ASM): This product from F5 Networks, Inc. is an advanced Web Application Firewall (WAF) that provides comprehensive edge-of-network protection against a wide range of Web-based attacks. It analyzes each HTTP and HTTPS request, and blocks potential attacks before they reach the Web application server.
- ArcSight Security Information Event Management (SIEM): This product is a centralized system for logging, analyzing, and managing syslog messages from different sources.



Demo AVDF

Oracle Database Security Customers
Customers Worldwide Rely on Oracle

Customer Benefits

- Enterprise ready
- Security and compliance
- Simple and flexible
- Speed and scale
- Transparent and accurate

oracle.com/goto/database/security-customers



T-Mobile
Protecting Customer Data in Oracle and non-Oracle Databases

Provider of wireless voice, messaging, and data services throughout the U.S. Fourth largest wireless company in the U.S. with more than 35 million subscribers.
Industry: Telecom

Challenge
- Protect sensitive data PCI, CPNI, SPII in both Oracle and non-Oracle Databases
- Monitor database threats, including SQL injection attacks and data harvesting, without having to change application code
- Full visibility into database activity
- Understand what types of changes are being made to sensitive data

Solution
- Addresses data security with Database Firewall, TDE, Data Masking as comprehensive database security defense-in-depth strategy
- Database activity monitoring prevents insider and external threats
- Deployed and setup within a few hours; already protected against a few compromised accounts that were harvesting data

Oracle Database Security Solutions
Additional Resources
Web Sites: http://www.oracle.com/database/security, http://www.oracle.com/technetwork/database/security
Customer Successes: http://www.oracle.com/goto/database/security-customers
Newsletters: Security Inside Out, Database Insider
Social Media: LinkedIn Group: Database Insider; Twitter: Oracle Database
Blogs: http://blogs.oracle.com/securityinsideout, http://blogs.oracle.com/databaseinsider
Email: matteo.galimberti@bsc.it, paolo.marchei@oracle.com
