Speakers
Christa Scura
Daniel Hirschberg
Oracle, Inc.
April 14th, 2022
Data Protection
• Data Safe
• Oracle Vault
- Managed Vault
- Managed Keys
- Custom Keys
- Cross-Region Replication
• Certificates
Compute
• Hardware Root-Of-Trust
• Signed Firmware
• Off-box Networking
• Hardened Images
• Autonomous Linux
• HSMs
Networking
• DDoS Protection
• SD-WAN
• Enhanced WAF
• Virtual Cloud Network
• Interface Segmentation
• Private Networks
• OCI FastConnect
• Secure VPN
• P2P, NAT, and DRG Gateways
• Bastion
Identity
• OCI Identity & Access Management
- Identity Federation
- Role-based Policy
Monitoring & Prevention
• Security Zones
• Vulnerability Scanning
• Audit & Flow Logs
• Compliance
Threat Detection
• Oracle Cloud Guard
- CG Threat Detector
• Threat Intelligence Service
Threat intelligence-based detection
What is it? Threat intelligence data often refers to pieces of digital forensics, or indicators, such as IP addresses, domains, URLs, file hashes, and usernames that have been observed in association with malicious cyber activity.
Indicators: understand the scope of an investigation.
Techniques/Tactics: understand the threat landscape.
• Out-of-the-box integration with Cloud Guard means simple, integrated TI is built into Cloud Guard detections, reducing configuration complexity and redundancy
• Prescriptive overall confidence assessments, based on the source, frequency, quality and recency of sightings, help analysts prioritize alerts
• There are a lot of threats in the world, and customers need warnings. Transparency into the threat intelligence backing each detection helps customers trust the warnings they get from Oracle
• Access to Oracle intelligence from observed telemetry and our threat research teams provides unique threat intelligence from our unique point of view
Targets set the scope of resources to be examined. For OCI, compartments and their descendent structures are used.
Detectors are Cloud Guard components that identify issues with resources or user actions and alert when an issue is found.
Problems are notifications that a configuration or user activity is a potential security issue.
Responders provide notifications and corrective actions for security problems.
Examples shown in the diagram: Rogue User; Compute Instance is Public; Stop Instance.
Indicators: "New face. Different voice. Strange attire. Out of the ordinary purchases on your credit card some time back (makeup)… you must be here to rob the bank!"
Techniques/Tactics: "Running out of the bank. Carrying big bags of money. Around the time when new bills are delivered. And I see you made some uncommon purchases a few weeks ago (gun)!"
Copyright © 2022, Oracle and/or its affiliates
Conceptually
Data (OCI Audit Logs, Threat Intel Feeds, OCI Config, …) → Sightings
Features: Persistence, Evidence, Impact
Scoring and Correlation: Rule-/Statistical-/ML-based; Technique Models aligned with the MITRE ATT&CK® framework
Score → Problem (diagram labels: Regional Sightings, Global Sightings, Active Techniques, Active Tactics, Partitioning, Risk Score)
Actionable: full understanding of compromised resources
Evidence based: comprehensive view of the chain of events that drive scoring
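As an added example (not code from this presentation or from Oracle's products), the following Python sketches the pipeline the threat-intelligence and scoring slides above describe: indicator sightings taken from audit-style events, a feed confidence that decays with recency, a persistence bonus for repeated activity, and one scored problem per principal and indicator with its evidence attached. The indicator feed, the event records, the 180-day decay window and the severity thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and threat-intel indicators (not a real feed).
# Each indicator carries the feed source, its confidence (0-100) and the
# most recent sighting the source reported.
NOW = datetime(2022, 4, 14, tzinfo=timezone.utc)
INDICATORS = {
    "203.0.113.7":   {"source": "oracle-research", "confidence": 90,
                      "last_seen": NOW - timedelta(days=2)},
    "198.51.100.23": {"source": "open-feed", "confidence": 60,
                      "last_seen": NOW - timedelta(days=120)},
}

# Constructed OCI-Audit-style events, reduced to the fields the check uses.
AUDIT_EVENTS = [
    {"eventName": "LaunchInstance", "principal": "user-a", "sourceIp": "203.0.113.7"},
    {"eventName": "CreateUser",     "principal": "user-a", "sourceIp": "203.0.113.7"},
    {"eventName": "ListBuckets",    "principal": "user-b", "sourceIp": "198.51.100.23"},
    {"eventName": "GetObject",      "principal": "user-c", "sourceIp": "192.0.2.10"},
]

def indicator_score(ind, now):
    """Decay the feed's confidence by recency: a sighting loses all weight
    after 180 days, so stale indicators do not raise high-severity problems."""
    age_days = (now - ind["last_seen"]).days
    return ind["confidence"] * max(0.0, 1 - age_days / 180)

def severity(score):
    return "CRITICAL" if score >= 80 else "HIGH" if score >= 50 else "LOW"

def correlate(events, indicators, now):
    """Match event source IPs against the indicator set, group the sightings
    per (principal, indicator) and emit one scored problem per group."""
    sightings = {}
    for ev in events:
        if ev["sourceIp"] in indicators:
            key = (ev["principal"], ev["sourceIp"])
            sightings.setdefault(key, []).append(ev["eventName"])
    problems = []
    for (principal, ip), actions in sightings.items():
        base = indicator_score(indicators[ip], now)
        # Persistence: repeated actions from the same indicator add up to +15.
        score = min(100, round(base + 5 * min(len(actions) - 1, 3)))
        problems.append({"principal": principal, "indicator": ip,
                         "source": indicators[ip]["source"], "evidence": actions,
                         "score": score, "severity": severity(score)})
    return sorted(problems, key=lambda p: -p["score"])
```

Running `correlate(AUDIT_EVENTS, INDICATORS, NOW)` on the constructed data yields a CRITICAL problem for user-a (two actions from a fresh high-confidence indicator) and a LOW one for user-b (a single action from a stale, lower-confidence indicator); the benign 192.0.2.10 event produces nothing.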
Global visibility
Large base of tenancies for model training, with global inference and
tenant-level feedback gives us the ability to better detect attacks like
password spraying, which can span multiple tenancies and
regions.
Documentation
• Cloud Guard Threat Detector Documentation
• https://docs.oracle.com/en-us/iaas/cloud-guard/using/threats.htm
• Threat Intelligence Service Documentation
• https://docs.oracle.com/en-us/iaas/Content/threat-intel/home.htm
Launch Blogs
• Cloud Guard Threat Detector Blog
• https://blogs.oracle.com/cloudsecurity/post/cloud-guard-threat-detector-available
• Threat Intelligence Service Blog
• https://blogs.oracle.com/cloudsecurity/post/threat-intelligence-available-in-oci