Posted on May 8, 2017 by Erik Benner
The security landscape is changing: you can no longer protect your data with basic firewalls that guard the network's outer perimeter. The current generation of attacks bypasses the firewall and uses your own users as the way in, and the number of compromised organizations in the nightly news keeps growing. The targets are not limited to a few special cases such as Federal agencies (the Office of Personnel Management breach disclosed in 2015 was carried out with a contractor's credentials) or the Military (the Navy's 2016 breach started with the compromise of an outsourcing partner's employee). Large commercial organizations are targets too: Yahoo has disclosed breaches affecting over a billion user accounts, and in this week's news Google users were hit in large numbers.
These incidents all have something in common: compromised individual user accounts were used to reach and compromise further systems until the attackers got the data they were after. Often, as with Snowden, the original system is not hacked at all; it is simply abused by a single user who decides to access data in ways that were never authorized for their job. In this week's Google attack, users simply clicked a shared-document invitation and approved the access request that followed, which handed control of the account to the attacker and let the attack spread to their contacts. This is a growing problem that every Mythics client, whether a Federal agency, a commercial enterprise or a small local government, should be protecting against.
While I was at a security event this week, a discussion took place about some of the newer security technologies, mainly CASB and UEBA. I was surprised at how many people (including other Oracle partners) were confused about the technologies and about how they can be combined to protect against these modern security risks, slamming the door on the bad guy.
A Cloud Access Security Broker (CASB) is a technology that gathers data from an organization's on-premises infrastructure and from multiple cloud providers' infrastructures. The CASB acts as a gatekeeper, letting the organization extend the reach of its security policies beyond its own infrastructure. Oracle's CASB solution also pulls in threat data from other sources, including underground data markets that sell information about your organization. The CASB combines all of this data and, using machine learning, scores user behavior in the cloud and reports the risk that each cloud system exposes the organization to. Oracle's CASB can also detect Shadow IT systems installed from cloud marketplaces, which increase the risk of a data breach. The CASB focuses on user activity and interaction with cloud providers such as Amazon Web Services, Salesforce, Google and Office 365. Beyond risk scoring, it provides predictive threat analytics, combining data from multiple sources to anticipate the next likely attack vector.
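The Shadow IT discovery a CASB performs is, in its simplest log-based form, a match of egress destinations against a catalog of known cloud services, with anything unsanctioned (or unknown) rolled up per user. The script below is an added example written for this post, not Oracle's CASB code; the service catalog, the sanctioned flags and the proxy log lines are all constructed for illustration.

```python
from collections import defaultdict

# Assumed catalog of cloud services: domain suffix -> (service name, sanctioned by IT?).
# Constructed for this example; a real CASB ships a catalog of thousands of services.
CATALOG = {
    "salesforce.com": ("Salesforce", True),
    "office365.com": ("Office 365", True),
    "amazonaws.com": ("Amazon Web Services", True),
    "dropbox.com": ("Dropbox", False),
    "docs.google.com": ("Google Docs", False),
    "wetransfer.com": ("WeTransfer", False),
}

# Constructed web-proxy log lines (not real traffic):
# timestamp user destination_host bytes_sent
PROXY_LOG = """\
2017-05-08T09:01:12Z alice  login.salesforce.com         4120
2017-05-08T09:03:40Z alice  na1.salesforce.com          22000
2017-05-08T09:10:05Z bob    www.dropbox.com           5200000
2017-05-08T09:11:55Z bob    content.dropbox.com     148000000
2017-05-08T09:20:31Z carol  docs.google.com            310000
2017-05-08T09:22:09Z carol  s3.amazonaws.com          2200000
2017-05-08T09:30:44Z dave   files.example-share.net   9800000
"""


def classify_host(host):
    """Match a hostname to the catalog by its longest known domain suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels)):           # full host first, then shorter suffixes
        match = CATALOG.get(".".join(labels[i:]))
        if match is not None:
            return match
    return None


def parse_proxy_log(text):
    for line in text.splitlines():
        if line.strip():
            _ts, user, host, sent = line.split()
            yield user, host, int(sent)


def discover_shadow_it(text):
    """Return (unsanctioned bytes sent per user per service, bytes sent to hosts
    not in the catalog). Unknown hosts are the ones to investigate first."""
    usage = defaultdict(lambda: defaultdict(int))   # user -> service -> bytes sent
    unknown = defaultdict(int)                      # host -> bytes sent
    for user, host, sent in parse_proxy_log(text):
        match = classify_host(host)
        if match is None:
            unknown[host] += sent
        elif not match[1]:                          # known service, not sanctioned
            usage[user][match[0]] += sent
    return {u: dict(s) for u, s in usage.items()}, dict(unknown)


def rank_users(shadow_usage):
    """Users ordered by total bytes pushed to unsanctioned services, highest first."""
    totals = {u: sum(s.values()) for u, s in shadow_usage.items()}
    return sorted(totals, key=totals.get, reverse=True)


if __name__ == "__main__":
    shadow, unknown = discover_shadow_it(PROXY_LOG)
    for user in rank_users(shadow):
        print(user, shadow[user])
    print("unknown destinations:", unknown)
```

Bytes sent, not bytes received, is the column that matters here: an upload of a hundred megabytes to a consumer file-sharing service is the signal a CASB risk score is built on. An API-mode CASB gets the same picture directly from the sanctioned providers' audit logs; the proxy-log approach is what catches the services IT never provisioned.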
Agencies and companies must now provide a flexible security system that can identify anomalous user and system activity and catch the breaches the perimeter misses. This is the job of User and Entity Behavior Analytics (UEBA): baselining normal user and system activity, then applying machine-learning analysis to flag the deviations that indicate an intrusion or malicious activity. All the firewalls in the world will not protect against a compromised or disgruntled user who already has access to your data. Oracle Management Cloud Security Monitoring and Analytics (OMCSMA) provides this functionality and protects your data by watching user activity not just at the application level but deep into the databases that hold the sensitive data. OMCSMA gathers data not only from your identity management system but also from the databases that support your applications. For example, it can analyze the actual SQL that developers and administrators run to develop and support the applications, and notice that the application server JUPITER has started running a job that issues a command like "SELECT * from PAYROLL", which would pull an organization's entire payroll. Once the abnormal behavior is detected, the system can be configured to automatically shut down that system's access. The same approach extends beyond the database to your content management systems: when the system sees that Bubba has started downloading every file in the TopSecretBlueprints folder instead of the one or two files he normally accesses, it again automatically shuts the user down. This same system gives your Security Operations Center a single pane of glass for the entire environment, combining data from multiple sources into an enterprise-wide view of both normal and abnormal activity. It also aids forensic investigation, letting analysts dig into the individual behavior of both systems and people.
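The two detections described above (JUPITER suddenly reading PAYROLL in full, Bubba pulling a whole folder) are both baseline-and-deviate rules, and a small script shows the shape of them. The following is an added example for this post, not OMCSMA code; the audit record format, the sample events, the sensitive-read regex, the threshold rule and the suspend-on-any-alert policy are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records for this example (not from any real system).
# Pipe-delimited: day|principal|source|action|object|detail
# For db events the detail is the SQL text; for cms events it is the file count.
BASELINE_LOG = """\
2017-05-01|jupiter|db|sql|ORDERS|SELECT ORDER_ID, TOTAL FROM ORDERS WHERE ORDER_DATE = :d
2017-05-02|jupiter|db|sql|ORDERS|SELECT ORDER_ID, TOTAL FROM ORDERS WHERE ORDER_DATE = :d
2017-05-03|jupiter|db|sql|ORDERS|SELECT COUNT(*) FROM ORDERS WHERE STATUS = 'OPEN'
2017-05-01|hr_app|db|sql|PAYROLL|SELECT NET_PAY FROM PAYROLL WHERE EMP_ID = :id
2017-05-02|hr_app|db|sql|PAYROLL|SELECT NET_PAY FROM PAYROLL WHERE EMP_ID = :id
2017-05-01|bubba|cms|download|TopSecretBlueprints|1
2017-05-02|bubba|cms|download|TopSecretBlueprints|2
2017-05-03|bubba|cms|download|TopSecretBlueprints|1
2017-05-04|bubba|cms|download|TopSecretBlueprints|2
2017-05-05|bubba|cms|download|TopSecretBlueprints|1
2017-05-01|alice|cms|download|TopSecretBlueprints|1
2017-05-02|alice|cms|download|TopSecretBlueprints|1
2017-05-03|alice|cms|download|TopSecretBlueprints|1
"""

TODAY_LOG = """\
2017-05-08|jupiter|db|sql|ORDERS|SELECT ORDER_ID, TOTAL FROM ORDERS WHERE ORDER_DATE = :d
2017-05-08|jupiter|db|sql|PAYROLL|SELECT * from PAYROLL
2017-05-08|hr_app|db|sql|PAYROLL|SELECT NET_PAY FROM PAYROLL WHERE EMP_ID = :id
2017-05-08|bubba|cms|download|TopSecretBlueprints|47
2017-05-08|alice|cms|download|TopSecretBlueprints|2
"""

# A SELECT * with nothing (no WHERE, no FETCH/LIMIT) after the table name.
FULL_TABLE_READ = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+[\w.]+\s*;?\s*$", re.IGNORECASE)


def parse(log):
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        day, principal, source, action, obj, detail = line.split("|", 5)
        events.append({"day": day, "principal": principal, "source": source,
                       "action": action, "object": obj, "detail": detail})
    return events


def build_baseline(events):
    """Summarise what each principal normally does: which tables it reads and
    how many files per day it pulls from each folder."""
    tables = defaultdict(set)                      # principal -> tables read
    daily = defaultdict(lambda: defaultdict(int))  # (principal, folder) -> day -> files
    for e in events:
        if e["source"] == "db":
            tables[e["principal"]].add(e["object"].upper())
        elif e["action"] == "download":
            daily[(e["principal"], e["object"])][e["day"]] += int(e["detail"])
    thresholds = {}
    for key, per_day in daily.items():
        counts = list(per_day.values())
        # Assumed rule: a day is anomalous above mean + 3 sd, floored at twice the
        # busiest baseline day so a flat baseline (sd == 0) does not alert on one
        # extra file.
        thresholds[key] = max(mean(counts) + 3 * pstdev(counts), 2 * max(counts))
    return {"tables": tables, "thresholds": thresholds}


def detect(baseline, events):
    """Compare one day's events against the baseline and return alerts."""
    alerts = []
    downloads = defaultdict(int)
    for e in events:
        p = e["principal"]
        if e["source"] == "db":
            table = e["object"].upper()
            if table not in baseline["tables"].get(p, set()):
                alerts.append({"principal": p, "rule": "new_table", "object": table})
            if FULL_TABLE_READ.match(e["detail"]):
                alerts.append({"principal": p, "rule": "full_table_read", "object": table})
        elif e["action"] == "download":
            downloads[(p, e["object"])] += int(e["detail"])
    for (p, folder), n in downloads.items():
        limit = baseline["thresholds"].get((p, folder))
        # No baseline at all for this principal/folder is itself anomalous.
        if limit is None or n > limit:
            alerts.append({"principal": p, "rule": "bulk_download", "object": folder, "count": n})
    return alerts


def principals_to_suspend(alerts):
    """Assumed response policy: any alert suspends the principal's access."""
    return sorted({a["principal"] for a in alerts})


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    alerts = detect(base, parse(TODAY_LOG))
    for a in alerts:
        print(a)
    print("suspend:", principals_to_suspend(alerts))
```

Two practitioner points the example makes concrete. First, the threshold floor matters: with only a handful of baseline days the standard deviation is tiny or zero, and a pure mean-plus-three-sigma rule would page on Alice's second file, so real deployments run new rules in alert-only mode until the baseline is trustworthy. Second, "shut down access" for an application server like JUPITER is an outage, so the automated response is normally scoped to the offending account, session or connection pool rather than the whole host, with the full shutdown left as a SOC decision.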
Erik Benner, Enterprise Architect, Mythics Inc.