"Companies are losing the cyber war. And it gets worse every year. We have to reprioritize and re-think how we defend our information. It's got to be our computers versus their computers," said Oracle's CTO and founder Larry Ellison at the recent OpenWorld 2017, signalling the tech giant's accelerated focus on security. CSO India had an exclusive interaction with Rohit Gupta, Group Vice President, Cloud Security, Oracle, who says the security agenda has never been more relevant for Oracle than now, given the highly intense threat landscape and the number of hacks happening.
The next battle on the cybersecurity frontier via automation and AI isn't the silver bullet for the hacking world. There will be a need for humans at all times, as Oracle CEO Larry mentioned at OpenWorld. Is that how the cookie crumbles, given the human element?
We will probably never get to the stage where everything is automated. But there will be some scenarios where automation can happen without human oversight. For example, things that are really deterministic in nature, like a faulty configuration in an environment, or highly privileged credentials where multi-factor authentication is not turned on. It's black or white. Encryption turned off, which can be turned on. Automation can dramatically eliminate all the vulnerability windows and things of that nature to get the environment back to steady state.
There will be scenarios where the enterprises have to deal with user-centric insights. Using machine learning and artificial intelligence we are able to determine anomalous behavior through an ability to baseline what an individual has done over time, assess the normalcy, check the deviation that is abnormal and then compare with their peers and different kinds of user groups. Here there is still a need for human intervention to train the model when you find these things and to investigate them. The other scenario depends on the type of user, say when a C-level exec's behavior is considered anomalous. It's highly unlikely the enterprise will have a policy to suspend or revoke users' access in an automated fashion. Here the final remedial action needs one level of approval through human intervention.
So it will not be machine versus machine?
Not really. I do believe there will always be a place for human oversight as automation becomes prevalent because of the volume of issues to deal with. Human oversight will come into play in training the model, and in specific situations related to user activities it becomes impractical to blindly trust the machine or system to make changes to user access.
Quick Glance: Oracle cloud security services
· Identity-based Security Operations Center (SOC): Built on Oracle's public cloud platform that works across other public, private, and hybrid clouds, as well as on-site datacenters.
· CASB Service, Identity Cloud Service, Configuration and Compliance Cloud Service and Security and Monitoring Analytics Cloud Service: Integrated approach to security monitoring, threat detection, analytics, and remediation.
· Oracle Management Cloud: A single, unified model that allows massive raw data ingest and context-based enrichment, as well as automated remediation capabilities.
All the deterministic work will be done in an automated fashion while dealing with hundreds or millions of endpoints or services or applications, and there is no reason to do that manually. In many recent vulnerability attacks, the patching is a deterministic action that can be easily automated. You may not patch, perhaps because of a lack of human capacity or some compliance issue. But for interpreting user behavior anomalies, the human component will play a key role.
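The split described above, between black-or-white posture findings that can be fixed without a human and behavioural anomalies that need one level of approval, as an added example. This is not Oracle's code or product logic; the accounts, volumes, activity counts, peer group and the remediation hooks (`acct["mfa"] = True`, `vol["encrypted"] = True`) are constructed stand-ins, and the z-score and peer-median thresholds are assumptions.

```python
"""Added example (not Oracle's code or product logic): triages findings into
deterministic ones that are remediated automatically and user-behaviour
anomalies that are queued for one level of human approval.  Every record
below (accounts, volumes, activity counts, peer group) is constructed."""
from copy import deepcopy
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass
class Finding:
    resource: str
    issue: str
    deterministic: bool
    action: str  # "auto-fixed" or "pending-approval"


# Constructed inventory: accounts and storage volumes with posture flags.
ACCOUNTS = [
    {"id": "svc-deploy", "privileged": True, "mfa": False},
    {"id": "alice", "privileged": False, "mfa": False},
    {"id": "bob", "privileged": True, "mfa": True},
]
VOLUMES = [{"id": "vol-01", "encrypted": True}, {"id": "vol-02", "encrypted": False}]

# Constructed activity: 14 days of per-user daily file downloads, plus today.
HISTORY = {
    "alice": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 3],
    "bob": [4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3, 5, 4, 3],
    "carol": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 2, 3, 2],
    "dave": [1, 2, 1, 2, 1, 1, 2, 1, 1, 2, 1, 2, 1, 1],
}
TODAY = {"alice": 4, "bob": 5, "carol": 3, "dave": 40}
PEER_GROUPS = {"finance": ["alice", "bob", "carol", "dave"]}
EXECUTIVES = {"dave"}  # accounts whose access is never changed without sign-off


def remediate_deterministic(accounts, volumes):
    """Black-or-white checks.  Each one is fixed in place (hypothetical
    remediation hooks) and reported as already addressed, so the alert the
    operator sees says 'fixed' rather than 'another thing to fix'."""
    findings = []
    for acct in accounts:
        if acct["privileged"] and not acct["mfa"]:
            acct["mfa"] = True  # stand-in for an enforce-MFA API call
            findings.append(Finding(acct["id"], "privileged account without MFA", True, "auto-fixed"))
    for vol in volumes:
        if not vol["encrypted"]:
            vol["encrypted"] = True  # stand-in for an enable-encryption API call
            findings.append(Finding(vol["id"], "encryption at rest disabled", True, "auto-fixed"))
    return findings


def behaviour_anomalies(history, today, peer_groups, z_threshold=3.0, peer_factor=5.0):
    """Baseline each user against their own past (z-score) and against the
    peer group (multiple of today's peer median).  Both must trip.  The
    resulting action is never applied automatically: it is queued for a human."""
    findings = []
    for members in peer_groups.values():
        peer_median = median(today[u] for u in members)
        for user in members:
            mu, sigma = mean(history[user]), pstdev(history[user])
            delta = today[user] - mu
            z = delta / sigma if sigma else (float("inf") if delta > 0 else 0.0)
            if z > z_threshold and today[user] > peer_factor * peer_median:
                kind = "executive" if user in EXECUTIVES else "user"
                issue = (f"{kind} activity {today[user]} vs own baseline {mu:.1f} "
                         f"and peer median {peer_median}")
                findings.append(Finding(user, issue, False, "pending-approval"))
    return findings


def triage():
    """Run both passes on copies of the sample data and group results by action."""
    findings = remediate_deterministic(deepcopy(ACCOUNTS), deepcopy(VOLUMES))
    findings += behaviour_anomalies(HISTORY, TODAY, PEER_GROUPS)
    return {
        "auto-fixed": [f for f in findings if f.action == "auto-fixed"],
        "pending-approval": [f for f in findings if f.action == "pending-approval"],
    }


if __name__ == "__main__":
    for action, items in triage().items():
        for f in items:
            print(f"[{action}] {f.resource}: {f.issue}")
```

On the sample data the two deterministic findings (a privileged account without MFA, an unencrypted volume) come back already fixed, while the one behavioural outlier, an executive whose downloads are far above both his own baseline and the peer median, is only queued. Requiring both the self-baseline and the peer comparison to trip is what keeps a single busy day from producing an access-revocation request.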
What is the big chunk of the security conundrum that Oracle is eyeing and why? Which security gear is first on the radar?
Oracle has been in a couple of security domains for close to two decades: identity and access management (with single sign-on, user provisioning, managing access rights, fraud prevention etc.), and, being the largest DB manufacturer in the world, database encryption, which we have offered for a long time and which includes full-scale DB encryption, auditing and firewalling inside the DB.
With the generational change in the threat landscape since last year, there is an opportunity to take security to another level in terms of its maturity as workloads are moving into the cloud. We have called out multiple areas where we believe there is an opportunity for innovation, for disruption and for adding value to customers.
We have introduced the Oracle Identity SOC framework. It starts with taking in threat analysis built by us, which includes commercial and open source feeds that are harnessed in a SIEM. Oracle now offers a full-fledged cloud-based SIEM. Many SIEM products in the market face the big challenge of massive manual rules coding. We now offer machine learning and heuristic ability to drive detection inside our SIEM, including application context; SIEMs typically are not app aware. The CASB offering came through my former company Palerra, acquired by Oracle nearly a year ago. We offer a full-fledged multi-mode CASB using APIs and proxies. The unstructured data world is massive, as there is data not only in files but in source code, machine images (AWS, IaaS providers) and video content. Data security and DLP have become important. And behavioural detection is critical as well.
To truly bucketize, our offerings extend across security for cloud applications and data, security for cloud infrastructure and workloads, and the ability to support risk and compliance for everything that is either moving into the cloud or running in the cloud. Then you have subcategories including SIEM, UEBA, identity management, CASB and others.
Which security vendors are Oracle’s friends, enemies or frenemies in the highly competitive world?
We have a full-fledged, thriving ecosystem of 3000 ISVs on the Oracle Cloud marketplace. In security specifically, we will continue partnerships with other vendors. We partner in security areas like NGFW with the likes of Palo Alto Networks and Check Point today. For endpoint security, we have a complete set of relationships with Symantec and McAfee, to name a few. For email security it is Proofpoint. But for cloud security our intention is to offer a full-fledged cloud security platform with coverage across apps and data, infra and workloads for our clients.
A healthy paranoia is good for CISOs: Oracle’s Rohit Gupta
· Never assume you have preventative controls that protect all the time.
· Assume that your data has been compromised or will be compromised.
· Monitor, assess, detect and essentially introspect on a continuous basis.
· A mindset shift from preventative control to an ‘always cautious’ mode.
· Embrace automation at the earliest that is beneficial for everybody.
Another interesting area that has shown promise recently is hypervisor security. The needle has moved from micro-segmentation of workloads three years ago, in terms of policy management of workloads, to the more granular nano-segmentation.
Cloud and security surely aren't chalk and cheese. Has the fear factor lessened globally for CISOs about moving workloads from on-prem to the cloud?
It is getting reduced with each passing quarter. The shared security responsibility model, the tacit agreement between the cloud provider and the consumer of the cloud app, has matured; it varies per model. In IaaS, the onus is much more on the customer, as the provider offers compute, storage etc., while in the SaaS model the customer is just responsible for the data. Customers are getting more comfortable now depending on which layer of the cloud stack they are adopting, and their posture has got better. But there is still a fear factor across a few geos, maybe due to compliance, or in some verticals which resist the move to public cloud. That's why we offer the alternative of a private cloud form factor.
Customers also recognise from a manpower standpoint that they are not able to hire skills for their security teams fast enough. That's a challenge globally, which is why automation is needed in the domain. Typically a customer running 100-200 SaaS apps has on average only 10 percent of the security skills needed to handle it. It's not practical at that level of forensics depth. Workforce hiring for forensics is a problem, and if we can solve that, things will get better.
Does Oracle secure customers' on-prem infra, or is the big plan to push their workloads to the cloud and then plonk Oracle's cloud security platform on them?
The intention is clearly to offer flexibility to the customers. Oracle offers the framework known as Oracle Cloud at Customer or Oracle Cloud Machine (OCM), which delivers a public cloud experience in a private cloud environment behind a firewall in the customer's datacentre. The only requirement is that we essentially collaborate with the customer in the context of keeping the software updated with the latest release, latest versions, patch management etcetera. That provides the agility of new functionality on a regular basis, as we take over the CISO's or CIO's headache of updates etc. OCM brings these security offerings to customers within their firewalls or within their private cloud environment.
“We are pursuing a hybrid approach with conversion of installed base to our cloud suite and approach new customers who haven’t done business with us across any of our security portfolio.”
Rohit Gupta, Group Vice President, Cloud Security, Oracle
From a functional standpoint, we intend to offer the ability to do monitoring for customers' on-prem assets as well. Our Cloud SIEM will ingest firewall logs, on-prem server logs and router logs just like any other SIEM. But if they choose the public cloud form factor it will run in the cloud, while the private form factor will run behind their firewall.
Besides the historic user identity and database security, how do you intend to create a footprint in the new security domains? Especially with hordes of security vendors like IBM and Accenture, to throw some names.
From Oracle's GTM standpoint, there will be aspects of our existing product family that we convert into next-gen offerings. The vast majority of our cloud security customers are greenfield and haven't deployed anything from Oracle. The CASB market, for example, which opened up in the last two years, has no dominant vendors. Hence offering our capability and suite where customers have not made investments will be good areas for us. It will be a hybrid approach: conversion of the installed base to our cloud suite, and also approaching new customers who haven't done business with us.
Cloud security is a large domain, with the cloud growing and the security market growing at twice the rate of the traditional IT market. We typically don't see MSSPs out here, though they play a role. Accenture, for example, is a partner for us; they are not innovating and building new products per se. They are innovating on processes and people, and they can definitely take on outsourcing from the client's perspective and solve their manpower issues. Accenture is a strong partner, like many other global SIs. We clearly encounter some of the large incumbents like Palo Alto and Symantec in some areas of cloud security, but the market is large enough to support multiple security vendors.
Who's your actual buyer amongst C-suite execs at the customer end? Is the CFO an influencer for Oracle's cloud security products?
The vast majority of the buyer persona is the executive with the title of CISO. In many companies the CISO reports to the CIO, or the CIO essentially assumes the function of CISO, depending on company size. The other buyer persona is the chief compliance officer or VP of compliance. Depending on whether it is a security-driven buy or a compliance-driven buy, it is either the CISO or the compliance officer.
CISOs or CIOs do get buy-in from the company's CFO. In general, the CFO definitely plays a role in ensuring the right compliance, SOC certification, and things of that nature. But the CFO is not typically the persona for evaluating, running or operating these solutions from our end.
Rohit’s bucket list for CISOs in today’s complex, multi-vector and data-centric world.
Never assume that you have preventative controls that protect you all the time. Assume that your data has been compromised or will be compromised. That healthy paranoia is always helpful. That means you will monitor, assess, detect and essentially introspect on a continuous basis. There has to be a mindset shift from the preventative-control belief that you are safe to an 'always on' mode.
You will not be able to hide away from solving the problem. The sooner you embrace automation, the better for everybody. It seems a bit alien upfront for CISOs to trust the service for the first time, and they seek evidence of the automation actually completing the task. People do get alert fatigue from the automation at times. The best alert is one saying the issue was addressed and fixed, rather than one highlighting another problem to fix.
What are your prime priorities as global leader of cloud security at Oracle, and what, according to you, will drive this business?
We are absolutely ruthlessly focused on building our security portfolio and delivering the most comprehensive cloud security platform. There are not many players in the cloud security platform industry that compare with Oracle's length and depth. Delivering customer value is the second big priority. Customers are still evolving their maturity model in terms of embracing the cloud, and cloud security as a function of that. There aren't best practices from, say, 10 years, or success stories, or an exact project plan that CIOs and CISOs can refer to for their cloud journey. Hence our intention is not just to build the tech platform but to help customers traverse the maturity curve on the cloud and get value from it.
From a strategic standpoint, we are basing a fair amount of our investment thesis on two primary anchors, AI and machine learning, and then automation, across which our technologies are built. We recently launched our new blockchain service, which will play a big role in the identity management stack, especially in highly regulated industries, with regard to attestation policies, user access rights etc.
The egress points from IoT offer another challenge of scale. The various endpoints across devices make security monitoring a bigger challenge as enterprises adopt new or next-gen devices like robotic engines etc. Security monitoring will go through a fair amount of transition. Today we do cloud security and cloud infra, and monitoring of new technologies like IoT will be a matter of time. The concept of highly regulated data and data access from a security perspective is changing. And the ability to see access patterns to data on the fly, data access, and to track data moving in the cloud offers an interesting road ahead.
Let's talk about the other human element of the security world: the bad guys. Will they move to new attacks like cryptocurrency and IP devices, or will they test the waters with the good old traditional hacking techniques?
"The human element is the weakest element in the chain" is an overused but true statement. When an unskilled or unsophisticated person in the workforce clicks a suspicious link, there's malware on endpoints across the company and other issues. I suspect the ability for attackers to prey on that human frailty is not going away soon. Even if the interaction channel changes, they will exploit that human weakness. The WannaCry attack was an old and tested Microsoft exploit that impacted machines which were not patched on time.
There is a new class of attacks that has shown up which security leaders or CISOs have to take care of and might not be aware of. Besides the Mirai botnet in fall 2016, there have recently been rampant public AWS S3 breaches across various industries, which were accidental, or from mismanaged S3 buckets which had permissions. I believe the cloud, with thousands of apps, does open up the vector dramatically. And the canvas just gets bigger for the bad guys.
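The mismanaged-bucket failure mode mentioned above is a deterministic posture check in the sense used earlier in the interview. As an added example, not Oracle's code or anything from the interview, the following routine reads an S3 bucket policy and ACL and flags grants that hand read access to everyone. The bucket name, policy statements, account id and ACL are constructed sample data; the two `acs.amazonaws.com` group URIs are the real AWS identifiers for "anyone" and "any AWS account".

```python
"""Added example (not Oracle's code): checks an S3 bucket's policy and ACL
for grants that expose objects to everyone.  The bucket name, policy, ACL
and account id below are constructed sample data."""
import json

# Real AWS group URIs that mean "anyone" and "any AWS account" respectively.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for the two spellings of an anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (Sid, severity) for Allow statements granting read actions to an
    anonymous principal.  A Condition narrows the grant, so such statements are
    reported for review rather than treated as safe."""
    exposures = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            severity = "public-with-condition" if "Condition" in stmt else "public"
            exposures.append((stmt.get("Sid", "<no-sid>"), severity))
    return exposures


def public_acl_grants(acl):
    """Return (group URI, permission) for ACL grants to the global groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def assess_bucket(name, policy_json, acl):
    """Combine both checks into one finding record for the bucket."""
    findings = {"bucket": name,
                "policy": public_policy_statements(json.loads(policy_json)),
                "acl": public_acl_grants(acl)}
    findings["exposed"] = bool(findings["policy"] or findings["acl"])
    return findings


# Constructed sample: one plain public grant, one conditioned grant, one internal role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-00000000"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/app"},  # placeholder account id
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Both the policy and the ACL have to be inspected, because either one alone is enough to make objects readable by anyone; the conditioned statement is reported at a lower severity so a reviewer can confirm the condition is tight rather than have the tool silently accept it.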