Are you putting your organization at risk?
•Download as PPTX, PDF•
0 likes•823 views
The webinar discusses security risks in Oracle EBS systems and how Panaya helps address these risks. It notes that 70% of EBS systems are at risk of security breaches and describes vulnerabilities in sample organizations' EBS configurations. Panaya analyzes customers' EBS systems and the latest security patches to provide personalized risk assessments and patch recommendation plans to help customers proactively reduce their risk level and improve their time to patch security issues.
Recommended
Recommended
More Related Content
What's hot
What's hot (12)
Viewers also liked
Viewers also liked (11)
Similar to Are you putting your organization at risk?
Similar to Are you putting your organization at risk? (20)
More from Panaya
More from Panaya (8)
Recently uploaded
Recently uploaded (20)
Are you putting your organization at risk?
- 1. © Panaya | An Infosys company PANAYA Oracle EBS is vulnerable to security breaches and hacking Panaya Webinar
- 2. © Panaya | An Infosys company PANAYA Eyal Diamant Director, Oracle Product Management Panaya Rafi Kretchmer Today’s SpeakersPANAYA WEBINAR VP Marketing Panaya 2
- 3. © Panaya | An Infosys company PANAYA AgendaPANAYA WEBINAR Challenges in organizations’ security1 Security risks in your Oracle EBS system2 Changing the paradigm3 3
- 4. © Panaya | An Infosys company PANAYA All phone lines have been muted Please use the Question Panel There will be 3 short polls during the webinar We are recording this webinar Polls results and recording will be provided in a follow-up email as well as any questions we don’t have time to answer HousekeepingPANAYA WEBINAR 4
- 5. © Panaya | An Infosys company PANAYA = Average cost of cyber crime incident for a US company (Source: Ponemon Institute) There were successful cyber attacks in 2015 (Source: Ponemon Institute) 99 $15.4M PANAYA5
- 6. © Panaya | An Infosys company PANAYA ERP security risks – are you liable? PANAYA6
- 7. © Panaya | An Infosys company PANAYA PANAYA POLL 1/3 PANAYA
- 8. © Panaya | An Infosys company PANAYA 70% of EBS systems are at risk Is your EBS system secure? PANAYA8
- 9. © Panaya | An Infosys company PANAYA9 Oracle EBS – Exposure to RiskPANAYA WEBINAR
- 10. © Panaya | An Infosys company PANAYA When you see it, it’s too late. When you see it, it’s too late. PANAYA10
- 11. © Panaya | An Infosys company PANAYA CPU Q3 2015 CVE-2015 4743 CVE-2015 4765 Safe CPU Q3 2014 CVE-2014 4235 CVE-2014 4213 CPU Q4 2014 CVE-2014 6561 CVE-2014 6479 CPU Q1 2015 CVE-2014 0504 CVE-2014 0489 CPU Q2 2015 CVE-2015 0504 CVE-2015 0489 CVE=Common Vulnerabilities and Exposures 11 Org. 1 – Low Exposure to RiskPANAYA WEBINAR
- 12. © Panaya | An Infosys company PANAYA CPU Q3 2015 CVE-2015 4743 CVE-2015 4765 CPU Q3 2014 CVE-2014 4235 CVE-2014 4213 CPU Q4 2014 CVE-2014 6561 CVE-2014 6479 CVE-2014 0504 CVE-2014 0489 CPU Q2 2015 CVE-2015 0504 CVE-2015 0489 CPU Q1 2015 CVE-2015-4743 Description : Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 12.2.3 allows remote authenticated users to affect confidentiality via unknown vectors related to AD Utilities. Link to Bug : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4743 Link to Source: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html 12 Org. 2 – High Exposure to RiskPANAYA WEBINAR
- 13. © Panaya | An Infosys company PANAYA PANAYA POLL 2/3 PANAYA
- 14. © Panaya | An Infosys company PANAYA Modules you don’t use are more vulnerable to security breaches. PANAYA14
- 15. © Panaya | An Infosys company PANAYA Curious how you stand compared to your industry benchmark? 15
- 16. © Panaya | An Infosys company PANAYA Distribution of Oracle EBS customers according to Time-to-Patch 16
- 17. © Panaya | An Infosys company PANAYA PANAYA POLL 3/3 PANAYA
- 18. © Panaya | An Infosys company PANAYA Evaluating the industry standards for MTTP of security and compliance patches 1 Analyzing your code, usage, and patch level of your current system and defining your EBS risk level 2 Lists recommended patches for external risk reduction No more guess work: we will tell you which patches you need to install and their impact 3 4 PANAYA How Panaya helps reduce your risk level 18
- 19. © Panaya | An Infosys company PANAYA RECOMMENDATIONS YOU THE MARKET THE VENDOR How do we do it?Panaya patch recommendation engine 19
- 20. © Panaya | An Infosys company PANAYA Q&A 20
- 21. © Panaya | An Infosys company PANAYA Summary – How Panaya Helps You PANAYA Constantly analyzes the latest security patches for you – so you will know exactly what you need to do 1 Builds a personalized risk base test plan so you will know exactly what will be the impact of this patch on your system 2 Helps you to be more proactive and reduces the time your organization is at risk – Improve MTTP Gives visibility to your executives how you reduce company risk level without adding additional resources 3 4 21
- 22. © Panaya | An Infosys company PANAYA Curious how you stand compared to your industry benchmark? 22
- 23. © Panaya | An Infosys company PANAYA USA Germany Israel Japan Australia 23
Editor's Notes
- Nowadays, security is on everyone’s mind. The costs of cyber crimes are increasing yearly. In 2015, a cyber crime incident in the United States costs a company an average of $15.4 million. This is an increase of 20% from 2014. Not only are the costs are rising, the number of successful attacks have also increased by 46% in the past 4 years. In 2015, companies faced to 99 security breaches. As a result, companies spend billions of dollars to protect their system and data from security breaches Especially in public companies that are under regulations, security is mandatory and part of the company’s responsibility Security is complex because it is a moving target, and organizations are having a hard time staying ahead of the game and minimizing ongoing risk In addition to that , We can see 2 major trends that increase security risk Self service – more and more services provided by the organization are becoming digital and self-served And - 2. The move to the Cloud – we are in a time of migrating systems to the cloud. It is transition time, where organization use both on-premise and cloud solutions, increasing exposure as data integrates between different systems
- Roni flow: You may not be aware, but security affects how organizations perceive your role and responsibilities. Not just yours, but everyone’s. Especially in companies that are regulated, if an employee suspects a security issue, he or she must report it. C-level executives have a personal responsibility on any security issue that can impact the organization. After the famous Target breach, both the CEO and CIO resigned. New roles have been created – CSO and CISO, to own security within organizations. The ERP world is not immune to security liability. And this is why we are here today. The purpose of this webinar is to show you how to reduce ERP security risks
- Did your organization assign a C-level role (Like a CSO or CISO) to manage the security effort? Yes No I Don’t Know We will wait a few moments allow everyone to answer the question … Thank you. I will now pass the microphone back to my colleague Eyal.
- Now, let’s cut to the chase: We are here to talk about ERP. Is your ERP secure? External security and compliance vulnerability are becoming a major concern for organizations’ executives – we talked about that And Oracle E-business Suite is not an island - it is exposed to major security and compliance threats throughout its entire lifecycle Having access to many organizations, we at Panaya conducted our own research and found out two amazing facts – Everyone thinks they are 100% covered – at least that’s what they tell us 70% of Oracle EBS shops don’t install security and compliance updates (Patches) that are necessary to keep the EBS safe 5. Yes, you heard me correctly: 70%! 6. Patches should be implemented on an ongoing basis to reduce external risks. Not installing patches is like leaving the door open when you leave your house. 7. We also found out that the 2 main reasons organizations don’t install the patch are Awareness – Some ERP managers look at the ERP as an internal system that doesn’t have major security risk Effort – ERP managers conclude that the risk is not worth the effort associated with an unpatched system. As a result, patch installation is almost always delayed.
- Roni flow: The challenge with security risks is that they are not static. The risk is growing every minute you do not attend to the solution. Oracle realizes that not only there are new security risks every day, but that a solution must be provided fast and on an ongoing basis This is why Oracle provides the Security Patch on a quarterly basis (CPU) An organization that does not install the patch on time, has a growing security gap To emphasize, since this is not a static risk – every day an ERP Manager is late on installing the security patch, he or she is putting their organization in a growing risk
- Roni flow: It’s a challenge – because it is not a problem you can SEE. But you need to remember that it’s there. If you have a problem in production, this will not be solved until you install the needed patches , but with security patch although the gap is growing, it’s not something that you can actually see - until is too late
- Roni flow: 1. Let’s look at an example. This is a good example. You can see here Oracle release CPU ( Security patches ) on a quarterly basis Each patches include the list of Security valuation that the patch will cover , this is called CVE CVE - Common Vulnerabilities and Exposures. It is The Standard for Information Security Vulnerability. In this example the organization installed the needed patch on time so the organization’s risk is low.
- Here’s another example. This organization didn’t install the needed patches and the security gap is growing. As you can see in this example, each patch that the organization didn’t install includes the CVE , that are actual security risk that are currently not covered This is not a list of patches that were not installed, but REAL security risks that exist in the EBS system Each CVE that is associated with the patch includes the object that is in risk Some organizations believe that if they don’t use this object, they can ignore this patch But it is actually the opposite, especially in areas that you don’t use, this is where you are most vulnerable for attacks So its doesn't really matter if you use this module or you don’t, you must install any security patch Oracle release
- Would you like to receive a 1-on-1 demo of Panaya CloudQuality Suite™ and see how Panaya can help you improve the way your organization handles EBS Security issues Yes No Thanks We will wait a few moments allow everyone to answer the question … Thank you. I will now pass the microphone back to my colleague Eyal.
- Just to reiterate, if there’s one thing to remember, here it is Do not ignore the patch! You should install it anyway. Your EBS is more vulnerable in modules you don’t use.
- So, we talked about the challenges of keeping your Oracle EBS safe, and how you can reduce the risk by installing the needed patches. We thought what we at Panaya can do to help you get on the fast track – give you a faster way to know what you should be doing first to reduce your EBS security risks. Panaya analyzes hundreds of organizations every month. We are offering you access to this data, which can tell you how your organization stands compared to your industry, and what are the immediate steps you should take in order to be aligned with the industry standards. At the end f the webinar we will give you access to our application which will analyze the status of your organization based on a few questions, andwillshow you how you can quickly reduce your EBS security risks. Stay tuned.
- Until now we talk about the important of installing security patches to reduce security risk Now, with your permission, I would like to cover another topic : the time between the patch release date and the day that you actually install the patch It is a new KPI that is starting to be a standard, called MTTP - Mid Time To Patch , the time its take to the organization to install any security patch But what we actually can see is that the market standard for MTTP is days or even hours but - for Oracle EBS customers its mainly months You can see in the graph we make , that most of the Oracle EBS Shops are lagging behind and most of the are located in the Yellow or Orange area , what mean that its take the, too much time to install the security patches In security topics you are always challenged, so it is advised to know the industry standard – and where you stand compared to the benchmark Staying aligned with the market, improving your MTTP, and minimizing the time its takes your organization to install the needed security patches And this is exactly what Panaya can help you with
- Did your organization implement one of the Oracle cloud solutions and integrate it with the Oracle EBS Yes Yes – With Oracle ERP Cloud Yes- With Oracle HCM Cloud No I Don’t Know We will wait a few moments allow everyone to answer the question … Thank you. I will now pass the microphone back to my colleague Eyal.
- - Panaya evaluates the industry-standards for MTTP (MinTime To Patch) of security and compliance patches, as well as all Oracle’s relevant patches as they are released - Panaya analyzes your code, usage and patch level of your current system and defines your EBS risk level List of recommended patches for external risk reduction is provided & lean work plan to install them with no side-effects on production (what to test and what to install ) - No need to guess anymore Panaya will tell you which patches you need to install and what exactly will be the impact of those patches in your system
- So lets see how we do it In order to know what you need to do in order to keep your EBS system safe we Panaya analyzed 3 main factors The Vendor – what are the latest patched that the vendor release for the different version and what are the risks included in each patch The Market – what is the market behavior regarding security patch installation mainly around the MTTP , what is the recommended gap between the day the vendor release the patch and the day you install this patch Your Organization – Panaya analysis int a generic one each organization is different and the impact of the same patch on different organization can be totally different So Panaya will build a personalized set of Recommendation that will include Which patch you need to install What is the correct time frame you need to act What will be the impact of this specific patch on you existing EBS system
- As we promise In the end of this webinar we will share a with you a web application that will help you to know what you need to do in order improve your EBS security level
- Question #