Instance Security now available in Oracle Cloud Guard

May 15, 2024 | 4 minute read
Ugi Urnuntogtokh
Product Manager

Oracle Cloud Infrastructure (OCI) recently added Oracle Cloud Guard Instance Security to provide runtime security for workloads on your OCI Compute virtual machine (VM) and bare metal hosts. Instance Security extends Cloud Guard with cloud workload protection, so that cloud configuration findings and host runtime findings appear together in a single view of your security posture.

What is Cloud Guard Instance Security?

Instance Security collects and aggregates security information about compute instances, such as security alerts (Cloud Guard problems), vulnerabilities, and open ports, and turns it into actionable guidance for detection and prevention. Detecting suspicious processes, unexpected open ports, and scripts executed on a workload requires operating system-level visibility, which network and control-plane telemetry alone cannot provide. Instance Security adds Oracle-managed, out-of-the-box detections and customer-managed queries that customers can use for threat hunting. Customers can also connect their own security information and event management (SIEM) or cloud security posture management (CSPM) tools to OCI Logging to ingest the data collected by the agents.

Through a new Resource detail view in the Oracle Cloud Console, customers can see all the problems associated with a compute instance in one place. This view gives a bird's-eye view of Cloud Guard problems, operating system-level vulnerabilities, and open-port issues for an individual instance.

Cloud Guard Resource details screen

eBPF-based security solution

Instance Security uses Extended Berkeley Packet Filter (eBPF) technology to detect security events in the kernel. eBPF lets small, verified programs run inside the kernel without changing kernel source code or loading a kernel module. The agent uses it to collect the data behind the out-of-the-box detections and to gain deep operating-system insight into security anomalies, without requiring any kernel code modifications on the host.

New MITRE-aligned detector rules

Oracle Cloud Guard now includes an Instance Security detector recipe that continuously monitors your compute hosts for suspicious activity. Oracle-managed, out-of-the-box detections aligned to the MITRE ATT&CK framework reduce the manual effort required of security analysts to identify the activities of known adversaries. This detector catalog is continuously expanding in line with customer needs. Recipe details view in the Oracle Cloud Console:

Cloud Guard Instance Security Detector Recipe Enterprise

Run live queries on your hosts for detections and threat hunting

Customers' security operations center (SOC) teams can run their own queries against the compute instances, either on a schedule or on demand. This provides visibility into the current state of the fleet.

In the background, Instance Security uses osquery 5.5.1, which exposes the state of an instance as a relational data model that you query with SQL. osquery is a performant, open source, multiplatform tool that gives you visibility and insight into your fleet. It collects and normalizes data independently of the operating system, so the same query can be run across your infrastructure.

osquery has hundreds of ready-to-use tables that provide information about an instance, ranging from running processes to loaded kernel extensions. Instance Security supports most open source osquery tables plus custom-built OCI tables. Run queries in Cloud Guard Instance Security:

Cloud Guard Query

Schedule queries on your hosts for your compliance and audit needs

After you have run a query and are happy with the result, you can schedule it to run at a chosen frequency. If you have compliance and audit requirements to inspect your instances and provide evidence that certain security controls are met, scheduled queries give you that evidence on a repeatable cadence. Instance Security integrates with the OCI Logging service, and you can configure OCI Logging to forward the raw query results to a SIEM or third-party data aggregator.
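The osquery SQL below is an added example and is not taken from Oracle's Instance Security recipe or documentation. It shows the kind of query a SOC team might first run interactively for threat hunting (the two sections above on live queries) and then schedule as compliance evidence. It uses only standard open source osquery tables (listening_ports, processes, users, shadow); whether a given table is exposed in the Cloud Guard query editor should be confirmed there, since the post says most, not all, open source tables are supported. The port allow-list is an assumed baseline for illustration.

```sql
-- Threat hunting: which processes are listening on non-loopback addresses,
-- and which user runs them? Joins the standard osquery listening_ports,
-- processes and users tables. Rows with port 0 are unbound sockets;
-- protocol 6 is TCP and 17 is UDP.
SELECT p.pid,
       p.name,
       p.path,
       p.cmdline,
       u.username,
       lp.address,
       lp.port,
       CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS proto
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
  AND lp.port NOT IN (22)          -- assumed baseline: only SSH is expected
ORDER BY lp.port;

-- Threat hunting: running processes whose executable has been deleted from
-- disk (on_disk = 0), a common trait of droppers that remove their own binary
-- after launch.
SELECT pid, name, path, cmdline, uid, parent, start_time
FROM processes
WHERE on_disk = 0
  AND path != '';

-- Compliance evidence, suited to a scheduled query: any account other than
-- root that has uid 0. An empty result set is the evidence that the control
-- holds; a non-empty one is what you forward to the SIEM as an alert.
SELECT username, uid, shell
FROM users
WHERE uid = 0
  AND username != 'root';

-- Compliance evidence: interactive accounts with an empty password hash.
-- The shadow table is only readable when the agent runs with root privileges.
SELECT s.username, s.password_status, u.shell
FROM shadow AS s
JOIN users AS u ON u.username = s.username
WHERE s.password_status = 'empty'
  AND u.shell NOT IN ('/sbin/nologin', '/usr/sbin/nologin', '/bin/false');
```

Run the hunting queries on demand from the Cloud Guard query view and tune the allow-lists until the result set matches what the fleet is supposed to look like; then schedule the compliance queries at the cadence your audit requires and route the results through OCI Logging, where a non-empty result set can trigger an alert in your SIEM.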

How does Cloud Guard Instance Security monitor and protect hosts?

The cloud remains an essential driver of growth and transformation for our customers. As the number of attacks targeting organizations increases, perimeter and endpoint defenses such as firewalls and antivirus software may not be enough. If attackers bypass these measures, near real-time detection of suspicious behavior on the host becomes crucial. Instance Security monitors your compute instances and alerts you to suspicious activity.

Enabling Cloud Guard Instance Security

To get the value of Cloud Guard Instance Security detections in your tenancy, you must enable Cloud Guard and apply the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) to your target. The target defines the set of instances you want to monitor. The Enterprise recipe gives you the full service functionality: alerts based on Oracle's out-of-the-box detections, and the ability to query your fleet using custom and scheduled queries.

To get started, you can evaluate the free recipe, OCI Instance Security Detector Recipe (Oracle managed), which alerts you on vulnerability and open-port scanning and lets you run a limited number of queries. For more information about the service and the steps to enable Cloud Guard Instance Security in your tenancy, see our documentation. For pricing, refer to the pricing documentation.

Get started today! Also, check back at the Oracle Cloud Infrastructure blog for more security product announcements and best practices for securing your cloud resources.

Ugi Urnuntogtokh is Product Manager for Oracle Cloud Guard Instance Security.
