To give this presentation, please watch ‘How to Position and Sell Database Security 12c Training’ here: http://oukc.oracle.com/static12/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1271896458
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Key points about the Verizon Data Breach Investigations Report: make the case for the importance of database security.

98% of records stolen were taken directly from database servers.

84% of records breached were compromised using stolen credentials: these are attackers who got hold of usernames and passwords and used them to compromise additional servers within the organization. Here you can also tie this to using Identity Management solutions.

71% fell within minutes. A common attack is to use SQL injection to quickly compromise the web application tier and directly extract data from the database.

Amazingly, 92% of the data breaches were discovered by a third party. At this point you can ask the audience: if they were compromised, how would they know?

The final point to emphasize is that 97% of the breaches were avoidable with basic controls. This sets us up later on to discuss those controls as preventive, detective, and administrative security controls.
http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html

Use this slide in EMEA.
http://joelbrenner.com/america-the-vulnerable/#excerpt
http://joelbrenner.com/wordpress/wp-content/uploads/2011/09/AMERICA_THE_VULNERABLE_JOEL_BRENNER_EXCERPT.pdf

Use this slide in NATO to tie to the Embrace the Base Campaign around the Joel Brenner book.
Encryption prevents database bypass and provides the foundation on which to build security controls within the database. (Strong authentication and network encryption are now part of the core database for all editions.)
Key point to communicate: This new product provides customers the operational flexibility to deploy the monitoring they need based on the sensitivity and security requirements of their databases.

Key features include:
Monitor and control database activity on the network. The Firewall can allow, log, alert, substitute and block SQL statements on the network.
The Firewall uses a SQL grammar analysis engine for high performance and accuracy, an approach that is superior to first-generation database firewalls that relied on regular expressions.
Prevent SQL injection, unauthorized database access and misuse of database privileges.
Capture and log database interactions on the network for forensic analysis and compliance reporting.
Consolidate database audit data from Oracle and non-Oracle databases into a secure centralized repository.
Consolidate audit data from Microsoft Active Directory and Solaris.
Consolidate application-specific audit data.
Detect and alert on suspicious activities, including those of privileged users.
Out-of-the-box compliance reports for SOX, PCI and other regulations.
Streamline audits: report generation, notification, attestation, archiving.
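An added illustration of the grammar-analysis point above (example code written for these notes, not Oracle Database Firewall's engine): a toy normaliser reduces each SQL statement to its grammatical shape so a policy can allow known shapes and alert on or block unknown ones, and a first-generation regex blacklist sits beside it for contrast. The allow-list and the sample statements are constructed.

```python
import re
# Constructed illustration, not Oracle Database Firewall code: a toy
# grammar-style normaliser plus allow-list policy, contrasted with a
# first-generation regex blacklist.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"            # string literal ('' escapes a quote)
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_.]*"  # identifier or keyword (schema.table allowed)
    r"|<>|<=|>=|[^\s\w']"        # operators and punctuation
    r"|'"                        # stray quote: unterminated literal
)

def statement_shape(sql):
    """Reduce a statement to its grammatical shape: literals become
    placeholders, keywords and identifiers are kept (case-folded)."""
    parts = []
    for tok in TOKEN_RE.findall(sql):
        if tok == "'":
            parts.append("?unterminated")  # malformed input never matches a learned shape
        elif tok.startswith("'"):
            parts.append("?s")
        elif tok[0].isdigit():
            parts.append("?n")
        else:
            parts.append(tok.upper())
    return " ".join(parts)

def evaluate(sql, allowed_shapes, default_action="BLOCK"):
    """ALLOW a statement whose shape was learned from normal application
    traffic; otherwise apply the default (ALERT while monitoring, BLOCK in enforcement)."""
    return "ALLOW" if statement_shape(sql) in allowed_shapes else default_action

# First-generation approach for contrast: a keyword/pattern blacklist.
REGEX_BLACKLIST = re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE)

def regex_verdict(sql):
    return "BLOCK" if REGEX_BLACKLIST.search(sql) else "ALLOW"

# Allow-list learned from two legitimate application statements (constructed).
ALLOWED = {
    statement_shape("SELECT name, email FROM customers WHERE id = 1"),
    statement_shape("INSERT INTO notes (customer_id, body) VALUES (1, 'x')"),
}

if __name__ == "__main__":
    for sql in ("SELECT name, email FROM customers WHERE id = 42",          # ALLOW / ALLOW
                "SELECT name, email FROM customers WHERE id = 42 OR 1=1",   # BLOCK / BLOCK
                "INSERT INTO notes (customer_id, body) VALUES (7, 'call me, or 1=1 is ok')"):  # ALLOW / BLOCK
        print(f"grammar={evaluate(sql, ALLOWED):5} regex={regex_verdict(sql):5} {sql}")
```

The third sample shows the regex false positive the slide alludes to: a harmless string literal trips the pattern, while the grammar shape is unchanged and stays allowed.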
http://www.oracle.com/us/products/database/security/customers-186772.html

Company: T-Mobile USA (subsidiary of Germany-based Deutsche Telekom) provides wireless voice and data communications services throughout the US; Industry: Telecommunications; Employees: 35,000; Revenue: $21 Billion
Challenge: Had the biggest phone company breach in 2009, when an employee stole personal details of thousands of mobile phone customers and sold them to rivals; ongoing concern about insider threat and data breaches
Solution: Oracle Database, non-Oracle databases; Oracle Database Firewall, Oracle Advanced Security, Oracle Data Masking
Result: Detected unauthorized database activity by an insider during the DBFW POC; other solutions did not detect the threat and were not as accurate or easy to deploy; developing a complete database security strategy based on Oracle products

Company: Columbia University, Ivy League university; Industry: Education & Research
Challenge: Internal requirements to protect Oracle PeopleSoft data
Solution: Oracle PeopleSoft, Oracle Database 1g and Oracle Advanced Security
Result: Encrypted sensitive PII in the PeopleSoft application, on disk and in backups

Company: ETS develops, administers and scores more than 50 million assessment tests annually in more than 180 countries, at over 9,000 locations worldwide; Industry: Education; Employees: 25,000 worldwide; Revenue: $1 Billion
Challenge: Must address PCI DSS and ensure data privacy of student data; non-profit, needs to keep costs low, and addresses security "just in time"
Solution: Oracle Database; Oracle PeopleSoft and custom applications; Oracle Advanced Security, Oracle Data Masking, Oracle Database Vault
Result: Deployed TDE for sensitive columns with the 10g upgrade several years back; upgrading to 11g and moving to tablespace encryption; deploying Oracle Data Masking for non-production environments; starting to plan for Database Vault

Company: Diamond Resorts International (DRI) is a vacation ownership company, allowing persons to purchase a real estate interest in 71 managed resorts and 137 affiliated resorts in 28 countries with over 27,000 guest beds; Industry: Hospitality; Employees: 4,553 worldwide; Revenue: $30M
Challenge: Need to become SOX compliant in preparation for a planned IPO; IT auditors need weekly and monthly reports that would be time consuming to produce
Solution: Oracle E-Business Suite, Oracle Audit Vault
Result: Deployed Oracle Audit Vault in one month; collecting the EBS database audit trail, using client_identifier to report on end-user activity and the redo collector for before/after values; scheduled reports are generated and automatically sent to auditors, who attest and archive

Company: Sabre Holdings
Challenge:
Solution:
Result:

Company: BBVA Compass
Challenge:
Solution:
Result:

Company: TransUnion Interactive
Challenge:
Solution:
Result:

Company: SquareTwo Financial is a leader in the $100 billion asset recovery and management industry through its award-winning PartnerNetwork used by Fortune 500 companies in the banking, credit card and health care industries; Industry: Financial Services; Employees: 500; Revenue: $230M
Challenge: Fast growth, need to scale and accelerate all aspects of the business; need to comply with the same regulations as their customers, so security is critical
Solution: Oracle Exadata and Exalogic; Oracle Database Firewall, Oracle Data Masking, Oracle Advanced Security
Result: Addressed compliance and development quickly with Oracle Database Firewall, Oracle Data Masking and Oracle Advanced Security/TDE

Company: St. Jude Medical develops medical technology and services for cardiac rhythm management, atrial fibrillation, cardiovascular and neuromodulation; Industry: Healthcare; Employees: 16,000 worldwide; Revenue: $5.6 Billion
Challenge: Global expansion and need for increased security of patient data; subject to privacy regulations worldwide and concerned about brand; must limit access to sensitive data and protect data privacy; need defense-in-depth for all databases globally
Solution: Oracle Advanced Security, Oracle Database Vault, Oracle Data Masking, Oracle Audit Vault, Oracle Database Firewall
Result: Deployed Oracle Database Firewall with no database/application changes; deploying all solutions based on the Database Security Strategy

Company: Orbitz Worldwide is a leading global online travel company that owns and operates a strong portfolio of consumer and corporate travel brands worldwide; Industry: Travel; Employees: 1,600 in 20 countries; Revenue: $767 Million
Challenge: Consolidating Oracle databases on Exadata Database Machines; subject to PCI DSS compliance, so must encrypt credit card data at rest; must limit privileged database user access to sensitive data; want to use database realms to mitigate risks introduced by consolidation
Solution: Oracle Exadata Database Machine; Oracle Advanced Security; Oracle Database Vault
Result: Encrypted data at rest with no application change or impact on performance; limited privileged user access to application data and stored procedures

Company: National Marrow Donor Program: Be the Match
Challenge:
Solution:
Result:

Company: Cornell University is an Ivy League school serving 20,000 undergraduate and graduate students; Industry: Education & Research; Employees: 14,000; Revenue: $2.8 Billion
Challenge: Had a highly publicized breach in 2009 due to a developer's stolen laptop; needed to provide the regents with a plan to ensure this never happens again; decided that developers should not test with production data
Solution: Oracle PeopleSoft; Oracle Database, Oracle Data Masking
Result: Used Oracle Data Masking to generate test databases without sensitive data; Data Masking proved accurate enough to enable application testing; sensitive data never leaves the secure production environment
"Security Inside Out: Latest Innovations in Oracle Database 12c", Marcin Kozak, Information Security Architect, Oracle Polska