I just completed a free learning initiative from Oracle MyLearn, on the learning path Discover and Train in CyberSecurity. The learning path comprises 5 modules –
- CyberSecurity Introduction and Terminology
- Cloud Security Drivers and Challenges
- Oracle Cloud Security Services
- Oracle Cloud – Security First Approach
- People and Process in CyberSecurtiy
Oracle Cloud Security Posture is a big part of the learning path. Even though the first two modules are about CyberSecurity Basic Concepts, the rest of the modules, as expected, are about Oracle Cloud Security Service.
If we look at the top cloud infrastructure market share around the world, we can see the results. If someone asks me if they should take the course, I’ll probably tell them to look at the image above or the latest statistics.
Let us delve into what I actually learned from this particular learning path –
Takeaways from Oracle Cloud Cybersecurity
People, processes, and tools all makeup cyber security. It is a wide range of methods and solutions that can be used to reduce the risk and effects of a cybersecurity incident. There are a few different ways to do that –
- Prevention
- Detection
- Remediation
Cybersecurity is about detecting malicious activities. Malicious intentions behind the activities –
- Access to Sensitive Data
- Financial Gain
- Brand Defamation
- Service Interruption
- Coercion/Leverage
- Unauthorized use of Services
Compliance vs. Cybersecurity
Compliance is what the standards are all about. Accredited governing bodies decide what it is. It tells business sectors what the best practices are. And, sets out requirements for measurable controls. Access & Identity, Data Handling, Documentation of SOPs, and Privacy Adherence are all things that may be part of compliance.
On the other hand, controls are put into place by cybersecurity. Asks, “Can I follow the rules and still be at risk for a cybersecurity incident?”
Today
We are now in a new era of the cloud and working from home. The work is done through the Corporate Network, the Cloud, the Multi-Cloud, or a combination of the three. The definition of “perimeter” is changing. The main point of cybersecurity is to make sure that Defense in Depth is set up in a zero-trust mode.
3 Axes of Cyber Defense
- People
- Processes
- Tools
Basics
Concept & Methodology – Zero Trust Security
As new threats come up, the chance that credentials will be lost or stolen keeps going up. Zero-Trust mode can be used to control who has access to systems, networks, and data without giving up control. As Zero Trust grows, organizations can set up security controls that limit access to data based on certain rules.
At the most basic level, access to different resources is decided between the subject and the system through the Policy Decision Point and is enforced in access.
The National Institute of Standards and Technology (NIST) came up with the following rules for zero-trust architecture:
- All sources of data and services for computing are resources.
- All communication is safe, no matter where the network is; the location of the network does not mean that you can trust it.
- Access to enterprise resources is given per connection, and trust in the person asking for access is checked before access is given.
- Access to resources is determined by policy, which takes into account the visible state of the user’s identity and the system making the request, among other things.
- The enterprise makes sure that all systems it owns and systems it works with are in the safest state possible and keeps an eye on systems to make sure they stay in the safest state possible.
- User authentication is dynamic and strictly enforced before access is given. This is a constant cycle of access, scanning and assessing threats, adapting, and continually authenticating.
Reference: https://www.oracle.com/security/what-is-zero-trust/
Concept & Methodology – Defense in Depth
Comprises of Different Security Controls. Which are –
- Identity & Access – Multifactor Authentication and Condition Based Access.
- Edge Security – DDoS Protection
- Network Security – Network Monitoring, Network Segmentation, and Access Controls
- Virtual Network – Security Controls at the Compute level. Such as – Closed Ports to the Virtual Machines
- Instance – Application layer security. Ensuring that the applications are secured and free from all vulnerabilities.
- Data – Access Control Encryption. Encrypting access to different layers of data.
Reference: https://www.oracle.com/a/ocom/docs/security/modern-defense-in-depth.pdf
Concept & Methodology – Shared Responsibility Model
Reference: https://www.oracle.com/a/ocom/docs/dc/final-oracle-and-kpmg-cloud-threat-report-2019.pdf
A Deeper Look into Cloud Security Threats
- Configuration of Server Workloads
- Misconfigured Security Groups
- Over-privileged Accounts
- Object store-resident data not secured
- Lack of multi-factor authentication (MFA)
- Unprotected Cloud Secrets
Concept & Methodology – Threat Intelligence
Refers to the intelligence associated with potential threats. Threat Intelligence relies on –
- Real-world information gathering
- Evidence Collection
- Analysis
OSINT, which stands for “Open Source Intelligence-Public,” and “Closed Source Intelligence” are both ways to get information (Commercial Services). Threat feeds provide up-to-date information about different threats. Threat feeds often include IP addresses, hostnames, domain names, email addresses, URLs, file hashes, file paths, and CVE numbers.
Levels of Intelligence –
- Strategic Intelligence – Broad info regarding threats and threat actors
- Tactical Intelligence – More detailed technical and behavioral information
- Operation Intelligence – Refers to specific details of the threats. Where it came from? Who created it? How it was delivered? How to remove and prevent them?
Threat Intelligence Lifecycle: Gathering Feedback > Requirements Gathering > Threat Data Collection > Threat Data Analysis > Threat Intelligence Dissemination
Concept & Methodology – DevSecOps
DevSecOps brings together Development, Security, and Operations under one roof so that they can all work on the same areas to unlock big benefits. DevSecOps broadly refers to integrating security into the design, development, testing, and operational work needed to produce and ship applications and services. This is done by using automated security testing and putting in place the right security practices and tools. Benefits –
- Cost Reduction
- Agility
- Increased Transparency
- Improved overall security
Vulnerabilities & Threat Management – AntiMalware and AntiVirus
AntiMalware and AntiVirus are specialized tools that enforce different security objectives. They can tell when code changes or when something is done. They check the systems for signs that someone is trying to do harm. They depend a lot on instrumenting the environment where the code is run, and the tools look for changes in what the code does.
Vulnerabilities & Threat Management – Vulnerability Scanning
Identify, Prioritize, and Remediate vulnerabilities in the organization before an attacker exploits them in order to undermine their Confidentiality, Integrity, or Availability. Proper Vulnerability Management includes – Scanning the Enterprise Assets, Remediate the Vulnerabilities and Continuously Assessing the systems.
Vulnerability Scanning involves finding the target and figuring out the Scan Frequency and Scan Type. It also involves configuring the Vulnerability Scans and running the Scan.
Types of Vulnerability Scan –
- Active Scan: The tool itself interacts with the hosts being scanned and looks for possible flaws. Among the problems: it’s loud (detectable), and interferes with the way the system works. It may not find systems that are blocked by firewalls or other security controls.
- Passive Scan: Passive scanners mostly keep an eye on the network and report on any old systems or programs they find. Finds security holes that can only be seen in network traffic. Can’t replace active scanning done on a regular basis, but it can help.
Vulnerabilities & Threat Management – Patch Management
Security patches are a group of changes made to a program or its supporting data to update, fix, or make it better. They fix a flaw or weakness that was found after the software or app was released. An important thing to remember is that once a patch is out in the wild, attackers know about it and start looking for vulnerable components.
Patch levels should be sent out and tracked from a central location across the enterprise. All operating systems and applications must have the latest version of this. And it has to be tested before it can be used on real systems or networks.
Security Controls – Network Firewalls
A network firewall sits at the boundaries between networks and provides parameter security. It is typically configured in a triple-homed fashion. They are connecting specifically to the Internal network, the Internet, and the DMZ. It has all the traffic passing through it. These works are based on rules.
When they get a Connection Request, they check the Access Control List (ACL) to see which source and destination ports/IP addresses are allowed. Firewalls follow the “default deny” rule, which means that if there isn’t a rule that says a connection is allowed, the firewall just says “no.”
Types of Firewalls for Networks –
- Packet Filtering Firewall: Packet filtering doesn’t use any extra intelligence. Checks each packet against the rules of the firewall.
- Stateful Firewall: This firewall keeps track of information about the state.
- NextGen Firewalls: Intelligent firewalls. They base their decisions on a lot of information.
- Web Application Firewall: Keeps web applications safe from attacks.
Security Controls – Endpoint Protection
It works for any managed device as a whole. And the security controls may include identity validation, authentication, authorization, role-based access control, access to different points on the network or applications and services, policy management enforcement, anti-malware, antivirus, and others.
End Point Protections include –
- Cloud Security
- Mobile Security
- Server Protection
- Data Protection
- Risk & Compliance
- Desktop Protection
- Network Protection
- Email & Web Protection
Security Controls – Cryptography & Encryption
Cryptography is the process of turning plaintext into a secure, unreadable format that can only be turned back into plaintext with the right authentication and credentials, which is called a key.
Security Controls – Penetration Testing
During a penetration test, the testers pretend to attack the organization using the same information, tools, and methods that real attackers have access to. They try to get into systems and get information, and then they tell management what they found. The results of a pen test can be used to improve the security of an organization.
Penetration testing has distinct phases –
Planning > Discovery > Attack > Reporting and then Additional Discovery.
- Plan – Time Declaration. Scope Declaration. Proper Authorization.
- Discover – Reconnaissance and gather as much information as possible regarding the targeted network, system, users, applications, and/or data.
- Attack – Bypass organizationsβ security controls and gain access to the systems and applications.
- Report – Prepare a detailed report on the access achieved and the vulnerabilities exploited to gain access.
Cloud Security Posture Management
Continuous cloud security improvement/adaptation to reduce the attacks. Benefits –
- Protection against cloud security breaches due to different misconfigurations.
- Continuous visibility of multi-cloud environments to identify cloud misconfiguration vulnerabilities.
- Automated detection so organizations can make necessary changes on an ongoing basis.
Security Information and Event Management
Actively looking for security events in the network, applications, and services. The analyst will make detection rules, which are often combined with other data feeds, applications, and correlations. When the rule engine in the SIEM system is combined with the log data, alerts are sent out when certain thresholds for the alerts and detection rules that the analyst makes are hit. The console will show these. And, often, automated responses can be set up, and different techniques for enforcing policy can be used to block or enforce different rules to stop an ongoing attack or an attack that is happening right now.
A SIEM Dashboard shows – Status of Rules, Data Sources, Event Stream, Detection, and other Critical Metadata.
A SIEM can perform event correlation to combine info from multiple sources such as – Application Logs, User Activity, Network Activity, and Anomalous Behaviors.
Incident Response
First, let’s figure out what makes an event different from an incident.
A Security Event is any event that has something to do with a security function. It could be: A user opening a file on a server. A shared folder’s permissions are changed by an administrator.
A Security Incident is when security policies, acceptable use policies, or standard security practices are broken or threatened to be broken. It could be things like losing sensitive information by accident; An attack is when someone breaks into a computer system.
Phases of Incident Response –
- Preparation
- Detection & Analysis
- Containment Eradication & Recovery
- Post-Incident Activity
An Incident Response program consists of –
- Policy – Guides efforts at a high level. Provides authorities for incident response.
- Procedures & Playbook – Operational plan to follow for incident response.
Classifying Incidents –
- Threat Classification
- Severity Classification
Worlds Biggest Data Breaches & Hacks
CISO Challenges & Goals
Reference: https://www.oracle.com/a/ocom/docs/cloud/mission-of-the-cloud-centric-ciso-report.pdf
The CISO should focus on being seen:
- Needs to be proactive about getting involved in Public Cloud projects. It is important to be proactive instead of reacting after a security problem has already happened.
- Join the project from the start (during the planning of new initiatives).
- Get a set of skills for cloud security.
- Keep an eye on changing cyber risks and report on them in real-time.
- Teach the executives and directors about cyber risk in an active way.
Challenges and Goals:
- Implementing DevSecOps, so that security can be integrated at the time of Development and Operations.
- Establish and enforce policies for the least privileges.
- Rationalize and integrate the Security Stack
- Implement a cybersecurity mandate with lines of businesses and integrate a security culture into the business.
Oracle Cloud Security Services
From the shared responsibility model, in light of Oracle Cloud Infra –
Customer manages:
- Data
- Devices
- Account & Identities
- Applications
- Network Controls
- Operating System
Oracle Manages:
- Virtualization
- Physical Hosts
- Physical Network
- Physical Datacenter
Security Services
- Infrastructure Protection
- Network Security Controls
- Filter malicious web traffic
- DDoS Protection
Service: DDoS Protection, WAF, Security Lists
Operating System & Workload Protection
- Patch Management
- Workload Isolation
- Managed Bastion
Service: Dedicated Host, Bastion, OS Management
Detection & Remediation
- Security Posture Management
- Security Advisor
- Secure Enclave
- Automated Security Assessment
Service: Cloud Guard, Max Security, Vulnerability, Security Advisor
Data Protection
- Encryption for Data at rest and in-transit
- Discover, Classify and Protect Data
- Key Storage and management
- Rotate, manage and retrieve secrets
Service: Encryption, Key Management, Key Vault, Data Safe
Identity and Access Management
- Manage user access and policies
- Manage multi-factor authentication
- Single sign-on to identity providers
Service: IAM
Defensive & Offensive Security
In the context of the OCI,
- Defensive Security relates to –
- Collecting Security Infrastructure related information.
- Detecting malicious intents and doing security analytics.
- Remediating through proper vulnerability management.
- Responding to different incidents
- Offensive Security
- Conduct Hardware Hacking
- Researching day-to-day rising security concepts
- Penetration Testing
- Red Teaming