Security should be easier for customers to implement and maintain; this is at the core of Oracle’s approach to cloud security. Customers want more than just a guideline from their cloud provider; they want a proactive approach that allows them to more quickly achieve a stronger security posture for their applications and infrastructure.
This what the Oracle Cloud Infrastructure (OCI) Vulnerability Scanning Service (VSS) provides - a simple, on by default, prescriptive, and free scanning suite that is tightly integrated with the OCI platform. The scanning service provides default plugins based on open-source scanning engines for host and container image scanning (see Oracle Cloud Infrastructure Registry OCIR about enabling container image scanning). The new service will manage the deployment, configuration and upgrade of these engines and agents across the customer fleet. All problems detected by the scanning service will be presented in Oracle Cloud Guard, with rules and ML to prioritize critical vulnerabilities. OCI will take action (alert, auto-remediate or quarantine) using responders to shorten the response time from detection to remediation.
Customers dread the thought of someone exploiting an old package that's running on their hosts or have an attacker figure out that a default password is being used on an open port that was not supposed to be actively running. Customers may also forget to harden hosts once they get past the initial development phase. The new service will help the customer catch these problems early and not allow them to be forgotten.
It only takes 3 steps to get started with OCI Vulnerability Scanning Service.
Figure 1 - Create a scan target using your scan recipe
Figure 2 - Config your Oracle Cloud Guard Detector Recipe with the scanning choices
Development teams don't want to wade through all the hosts in a huge global reporting tool. Instead, they will be able to drill into the hosts for their development compartment in their development region in the Vulnerability Scanning Service reporting and force on making sure that all hosts have no high risk vulnerabilities before promoting them into the production compartments.
Figure 3 - Filter and sort the hosts to find the hosts with the worst or most vulnerabilities
Security operations and compliance users will be able to monitor the security posture of every host in every region by using their global reporting region of Cloud Guard. They will able to configure what risk level of a vulnerability should be a problem in Cloud Guard as well as what open ports should also trigger a problem against a host. In future releases, we will add responders to help the customer close ports or patch hosts. As we build out more findings, we plan to continue to build out more Cloud Guard detectors and responders.
Figure 4 – Oracle Cloud Guard Problems – Open Ports or Vulnerabilities against a host
Our plugin will inspect the host's operating system looking at what packages are installed and then forward that information to our backend servers to compare the install components to a number of open-source vulnerability databases. The vulnerability scanning service plugin will also gather information on open ports and CIS benchmark checks. All of these findings are then stored in the local region for quick reviewing in our reports. The backend servers will also scan ports that are open on your public facing IPs as those are the ones most exposed to the world. In future releases, we plan to continue to expand to bring more findings to help customers make sure that each host has limited the possible attack surfaces.
You can gather all the findings by leveraging the event or logging service and then pipe the information into your other tools such as a SIEM, Syslog or open-source visualization tool like Kibana.
In summary, OCI Vulnerability Scanning Service offers cloud-native vulnerability detection that provides developers, operations and security administrators comprehensive visibility into misconfigured or vulnerable hosts at the regional level while forwarding the findings to a global Oracle Cloud Guard reporting location for everyone to view and respond. OCI Vulnerability Scanning Service can be deployed in an OCI tenancy with minimal setup required. Learn more about OCI Vulnerability Scanning Service and Oracle Cloud Guard today. Also, see Paul Toal's article on Discovering and fixing weak cloud security posture with Oracle Cloud Guard.