Contributed By: Alan Zeichick and Laurent Gil
Bad actors want your organization’s wealth. Unfortunately, wealth today means not just the money in your bank accounts, but also your data. Data such as intellectual property, customer files, transaction records, and software source code are the kind of assets that define the wealth of modern businesses.
And while you’d hopefully notice if a load of cash went missing from your vault, data can all too often be copied and taken out of a network without a trace. Once stolen, all that corporate data can be sold to criminals, rival companies, or even rival governments.
Often those thieves want much more than a list of credit-card numbers or account passwords. No matter how trivial it may seem, business data has value to someone looking for stock trading tips, developing competitive products, launching spear phishing or blackmail, or even performing large-scale identity theft. The hack of the SEC’s EDGAR financial filing system demonstrates that bad actors are creative and are not just looking for Social Security numbers or bank account details; in that case the perpetrators used material non-public information to profit from illegal stock trades.
So, let’s talk data protection, with help from Laurent Gil, Cloud Security Architect for Oracle.
- Adopt a zero-trust model and assume everything creates risk. Gil recommends CARTA, Gartner’s “Continuous Adaptive Risk and Trust Assessment,” for understanding potential security vulnerabilities from both a technical and a business perspective. The CARTA approach assumes that every user, device, application, network connection, and transaction has the potential to trigger a security breach or incident. “There is never a state where the user is okay,” says Gil. “We must keep evaluating the risk of what the user is doing. It’s always shades of gray.”
- Adopt a unified data model for security. In many of today’s IT systems, information like firewall logs and database logs exists in silos and can be hard to gather and correlate. “If there’s an attack that’s been slowly evolving over the past year, you need to correlate all that data, and you can’t do that if it’s in silos,” Gil advises. Make sure your security tooling has strong interoperability and integrations.
- Gather and utilize full context. Much of the information security tools provide today is insufficient to truly understand what’s going on with an attack or a vulnerability. “It’s not enough to know that a Linux server has been attacked,” Gil advises. “You need to know that it’s part of a specific workload, and you need to understand what’s happening across that entire workload in order to understand what’s going on. Intrusion detection systems, threat analysis tools, and threat intelligence can help so you’re not left scratching your head when an event occurs.”
- Leverage automation wherever possible. Gil points out that there’s simply too much information for a security staff to correlate: the velocity of data is too great for human operators to respond in real time. This is why Oracle developed – to automatically apply cutting-edge security controls in the cloud without manual configuration for every resource.
- Take advantage of machine learning. Machine learning algorithms can learn from large samples of data, find correlations, spot outliers, and make predictions. These algorithms improve over time, Gil explains, as they see patterns in the data and also in how the security staff handles incidents. Just as our Autonomous Database is self-repairing, self-securing, and self-driving, the best SIEM and SOAR solutions use AI/ML to help reduce the strain on overwhelmed SOC teams. Use these to your advantage.
- When it comes to fire preparedness in an office building, sprinklers and alarms are better than alarms by themselves. When it comes to security, threat detection is good, but the real focus should be on rapid, automated response and remediation. That might mean disabling compromised user accounts or devices, or stopping malicious application instances, says Gil, even while the security team is conducting its first assessment. Security teams need to have incident response plans and escalation protocols – and the appropriate tooling – in place so when a security event occurs, they’ll be prepared.
- Simple is beautiful. Complexity has always been the enemy of security. Embrace simple tools over complex, hard-to-use, hard-to-configure security systems. At Oracle, we are moving away from best-of-breed point solutions and instead focusing on simple-to-use, automated systems that auto-configure and auto-monitor themselves.
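The unified data model, full-context, and automated-response points above are easiest to see in code. The following is an added example written for this page; it is not code from the article, from Oracle, or from any of the products mentioned. It pulls two siloed sources (a syslog-style firewall log and a CSV database audit log, both in constructed formats) into one event schema, enriches each event with the workload it belongs to (from a constructed asset inventory), correlates across sources by client address over a window, and proposes a first automated response. The log lines, the inventory, the 30-day window, and the response actions are all assumptions made for illustration.

```python
"""Correlate siloed firewall and database logs through one event model.

Constructed example: the two log formats, the asset inventory, the window
and the response actions are assumptions for illustration, not formats or
rules taken from the article or from Oracle.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed inventory: which workload each host or address belongs to.
WORKLOADS = {"10.0.1.5": "billing", "db01": "billing", "10.0.2.9": "hr"}


@dataclass
class Event:
    """Unified schema shared by every source."""
    ts: datetime
    source: str          # "firewall" or "database"
    kind: str            # normalised event type
    src_ip: str          # client address the event came from
    asset: str           # host or address that was targeted
    workload: str        # looked up in WORKLOADS, "unknown" if not inventoried
    principal: str = ""  # account involved, when the source knows it


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_firewall(line):
    """Constructed syslog-style firewall line -> Event, or None if unparsable."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    ts, _host, action, src, dst, _port = m.groups()
    return Event(_ts(ts), "firewall", f"conn_{action.lower()}", src, dst,
                 WORKLOADS.get(dst, "unknown"))


def parse_db_audit(line):
    """Constructed CSV audit line (ts,host,event,user=..,client=..) -> Event."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:])
    return Event(_ts(parts[0]), "database", parts[2].lower(), fields["client"],
                 parts[1], WORKLOADS.get(parts[1], "unknown"), fields["user"])


def normalise(firewall_lines, db_lines):
    """Pull both silos into one time-ordered list of Events."""
    events = [e for e in map(parse_firewall, firewall_lines) if e]
    events += [e for e in map(parse_db_audit, db_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window_days=30):
    """Group by (client IP, workload) and report groups seen from more than
    one source within `window_days` of the latest event. A slow campaign
    shows up as a group spanning weeks, which no single per-event alert shows."""
    window = timedelta(days=window_days)
    groups = defaultdict(list)
    for e in events:  # events are already time-ordered
        groups[(e.src_ip, e.workload)].append(e)
    findings = []
    for (ip, workload), evs in groups.items():
        recent = [e for e in evs if evs[-1].ts - e.ts <= window]
        sources = {e.source for e in recent}
        if len(sources) < 2:
            continue  # one silo alone lacks the context to act on
        failed = sum(1 for e in recent if e.kind == "login_failed")
        successes = [e for e in recent if e.kind == "login_success"]
        findings.append({
            "src_ip": ip, "workload": workload, "events": len(recent),
            "sources": sorted(sources), "failed_logins": failed,
            # a login that succeeded after failures marks a likely compromised account
            "account": successes[-1].principal if failed and successes else None,
        })
    return findings


def respond(finding):
    """Automated first response: contain now, let analysts assess afterwards."""
    actions = [f"block_ip {finding['src_ip']} workload={finding['workload']}"]
    if finding["account"]:
        actions.append(f"disable_account {finding['account']}")
    return actions


# Constructed sample logs: a slow probe from 203.0.113.7 against the billing
# database, ending weeks later in a successful login after failed attempts.
FIREWALL_LOG = """\
2024-01-10T02:14:07Z fw01 DENY src=203.0.113.7 dst=10.0.1.5 dport=5432
2024-01-25T03:02:11Z fw01 DENY src=203.0.113.7 dst=10.0.1.5 dport=5432
2024-02-03T11:45:00Z fw01 ALLOW src=198.51.100.4 dst=10.0.2.9 dport=443
2024-02-18T01:59:40Z fw01 ALLOW src=203.0.113.7 dst=10.0.1.5 dport=5432
""".splitlines()
DB_AUDIT_LOG = """\
2024-02-18T01:59:52Z,db01,LOGIN_FAILED,user=admin,client=203.0.113.7
2024-02-18T02:00:10Z,db01,LOGIN_FAILED,user=admin,client=203.0.113.7
2024-02-18T02:00:31Z,db01,LOGIN_SUCCESS,user=admin,client=203.0.113.7
2024-02-18T09:12:00Z,db01,LOGIN_SUCCESS,user=app_svc,client=10.0.1.20
""".splitlines()

if __name__ == "__main__":
    for f in correlate(normalise(FIREWALL_LOG, DB_AUDIT_LOG)):
        print(f, "->", respond(f))
```

Run with the firewall log alone and `correlate` reports nothing, because a single silo never reaches two sources; only after the database audit events are normalised into the same schema does the January probe, the February connection, and the successful `admin` login from the same address against the same workload become one finding. Widening `window_days` to a year pulls the earliest January event into the same group, which is the "slowly evolving" case Gil describes.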
When it comes to security, we face a constant battle against opponents that are becoming smarter and more sophisticated. As a Network World article asked last year, what happens when attackers begin using AI techniques for DDoS attacks, when IoT devices and botnets can optimize their attacks in real time? That day will surely arrive, and the worst is always yet to come, because bad actors keep improving their tactics.
Fortunately, there is always hope. That is why we focus on simplicity, a unified data model, context, automation, and machine learning to prepare for the next escalation of attacks.