Oracle’s highly automated cybersecurity

Larry Ellison, Oracle (Image: Oracle)

4 October 2017

No one wants downtime, but the real problem is data theft, said Larry Ellison, chairman and CTO, Oracle.

In a keynote at the OpenWorld 2017 event, Ellison said that as safety is to the aircraft industry, security must be to the IT industry.

Today’s threats demand more than current solutions can provide, he argued, and in this context Oracle has developed its “complete and integrated management and security cloud”.

The management and security cloud is highly automated, but works in conjunction with humans, to detect threats early, and automate policy-based remediation. The announcement comes on the back of the autonomous database, 18c.

The capabilities of the management and security cloud go far beyond standard log analysis, Ellison argues.

“It is very hard to use standard logs in security analytics,” said Ellison. They only help you to identify problems; they do not remediate.

Security and operations sources
Ellison said the data sources used by the management and security cloud span the security and operations universes, taking in data from areas such as database, listeners, cluster ready services, business intelligence publishers, and a host of others.

The Oracle security cloud ingests on-premises and cloud logs to provide complete visibility across all compute assets, said Ellison. The data is gathered, and various operations, such as semantic enrichment, event normalisation, anomaly detection, alert computation and event correlation, are performed.

Machine learning recognises normal and abnormal, through evolving models, and takes actions based on either human direction or automated policies.

The system uses a complete entity data model and a unified data architecture. Threat intelligence data feeds add to the context, with the ability to subscribe to additional feeds and threat intelligence sources.

The system accepts plain language analysis queries, such as “How many failed log-ins did we see for the user MBaker?”, or “Show me high severity threats for my billing app?”

By comparison, log analysis systems tend not to have entity-based models, machine learning toolkits or, critically, remediation capabilities, said Ellison.

Entity-based model
The Oracle management and security cloud employs an entity-based model, with topology and associations, providing end-to-end analysis. It uses ‘out of the box’ applied machine learning for immediate insights, all with integrated remediation.

User and entity behaviour diagnostic analytics (UEBA) can monitor, aggregate and analyse logs, with free-form text search and complex aggregations. Topology-aware exploration of logs uses knowledge of entities, systems, applications and associations. Purpose-built ML for diagnostics “connects the dots”, with clustering of normal data patterns, and log compression of 99% plus. The clustering can accelerate anomaly detection, and correlate end-to-end events to find outliers. ML can diagnose anomalous business transactions, such as those taking too long or with abnormal elements.

When it is time to take action, “instantaneous automated decision making” can remediate, orchestrate or configure accordingly. Automated remediation is based on ML-enabled decision making, covering areas such as identity, where password resets can be prompted, multi-factor authentication enabled, or accounts disabled. Where assets are affected, configuration, data collection and patching can be invoked to remediate. Incidents can be created or updated, or evidence attached, to increase context. Cloud-scale job scheduling and execution is available, with cross-estate configuration drift analysis.

Attack stages
Following the normal elements of a cyberattack, where there are reconnaissance, infiltration, lateral movement and finally exfiltration stages, the system can recognise the actions associated with the various stages and take steps as appropriate or directed.

Ellison said that the nature of today’s threats means that there cannot be a situation where information security professionals are expected to defend against sophisticated hackers who often use automated techniques.

“It’s got to be our computers against their computers,” said Ellison, “and make no mistake – this is a war.”


TechCentral Reporters