Luca Martelli - The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era

So good, good morning. I am the last session before lunch, please, to be here today. And we'd like to share with you about what actually we are calling identity centric sock. It's a new concept that we are introducing, but in the regulatory Roomba era, at the end, we are having so many regulations around us.

We saw some just before this presentation, I will focus a little bit more later on, on GDPR also, but the idea is to think about all those regulations that are happening actually every two, three years and are impacting our business and to think about how to be ready systematically, potentially, or how to be supportive and, and reactive. In this context, I'm taking care of identity management and security for Oracle, just a couple of statements. I will also talk about our future products and I'm not illegal.

That's, you know, the, the reason for those two disclaimers, well where actually our business, not the, it is driving it because at the end, it is driven by business is budget by business many cases right now, even more and more. And we know it's about digital disruption. It's about digital, which is happening all the time.

And, you know, it's something that is just happening. Also, we as consumer, we are receiving that and we are happy about that. But sometimes, you know, we started with the on-prem. We started with the historical application years ago, and then the business started to bring in cloud maybe because of they wanted to be faster in deploying solution. And then we had the problem time ago of introducing the mobile devices. So new surfaces of attacks potentially. And now the social login because consumer identity is critical for the business. Okay. What about our IOT?

Also the video cam right now are connected. They are having an identity, they are connected, and we want to know what's happening with those devices. This is just about saying that the phenomenon around us, of proliferation of identities and not just identities, but also object is something that it is not always controlling. And unfortunately I am a security guy like you probably in my daily, my daily life. I'm not always involved when there is a new project, which is starting. So I'm not really sure that those new activities are secured by default or by design. Okay.

But we are talking about personal data. Well, this is quite maybe an impressive state and regulatory requirements. We make data procession of privilege.

Why, because of what they are requesting to manage control and do with all those data at the end. And so this is a huge responsibility for who is running the business because they are the owner of the application, but also for us that are providing service to the application layer and also to the business themselves.

Well, actually, if we have a look to which are the principles that Oracle always pushed, our two main basic principle, one infusing the least privilege concept as good practice across the infrastructure to make sure that, you know, there is proper visibility of who can do what, but also applying defense and death. We've been talking about security by default, but at the end, we have to apply the proper defense at the proper level of our own stack stack. Allow me to say, I'm talking about Silicon, moving up to the application. Okay.

And this is true for any personal information that we have to manage. In addition with new regulation that it's even more important.

Well, in the history, if we think about, you know, which try the things we are dealing with when it comes to it, security to security in general, identities, people, software, applications, and data. Those are the three main themes that are requesting our attention. Actually here you are seeing some keywords of themes where Oracle is playing and well, for sure you're already working on that can help with supporting this regulatory Reba Roomba era in the context of the hybrid cloud.

Well, this is important also to have a visibility across all these three actors that we are working with, and this is important to have proper thread intelligence, proper visibility. If you want, you can call that the capability to see, understand and react when something is happening on any of those layers.

Well, then there is a question Oracle, you know, it's a famous company that was born in the 72 F not wrong and because of the database. So the question is, where is my data? Does anyone have an answer?

Try, okay, it's in the cloud, You were probably thinking about database. That's a good idea for sure. But in many cases we are discussing with it manager and yeah, well actually, yeah, but I'm not adopting cloud. I'm not worrying too much about cloud. And if you have a look to this survey, well, you see that 79% of enterprises are ready today are having some office 365, some email system. For example, some customer data could be a CRM, or maybe it could be, let me say sales and marketing data or human capital management software out there in the cloud. Why?

Because this, the business though thought it was a good way to be innovative fast. So the data actually that we have to start looking at is not the only data for sure is the one which is in the cloud because that's personal information. And in many cases also sensitive data. Are those applications secured by default? That's the question we could ask ourselves even more. What is making that complicated? The fact that we are actually having not one data center to deal with.

I mean, I'm putting myself in your shoes. You know, we are having our on premise, but now we're having many clouds and statistics is revealing that more or less right now we are having to deal with six clouds, six clouds from different service provider, past provider infrastructure as a service provider.

So, okay. I don't want you to create too much paths here, but actually this is the problem we are dealing with. And the modern security, the modern attacks, clearly the attacks are one way that, you know, fraudulent people would like to use to steal our data. And it's quite an interesting market out there.

Well, actually right now, they're not anymore just carried by humans. They are cured by machines. They are cured by, I mentioned IP camera on Papos because IP cameras are right now used to like mobile devices to run, do attacks quite difficult to predict, understand second, actually they're not confined to the network in the past. We thought that the firewall was good enough. It's not anymore like that. They usually begin outside. They are not static. They are there for six months. And also they, we are having the zero day attack.

So there is a huge combination of all these kind of things, which is the typical approach to defend ourselves against this kind of, let me say vectors of attacks is called security operation center. And the traditional security operation center is made of a security information, even management solution, a lot management solution, maybe a configuration management. In some cases, there is an identity layer, which is helping to have some visibility around all the identities, dealing with software and data. And well, in few few cases, we see user entity and behavior analytics.

I will comment about that in a second. What's happening right now, it's that all those solutions are in the existing SOC are usually coming from different vendors built in the past. And actually they are having the typical process of being related to manual processes or not to be proactive, not being able to understand which is the behavior of the users, what they are really doing versus the average behavior.

And well, for sure they are, they started with a perimeter. So they are having an history of being focused on the perimeter. And so they don't have a by default concept of dealing with the hybrid environment on-prem and cloud.

Well, I think I told this already, but actually the perimeter has moved. We call this identity. So because actually the identity is what we want to know. It's us individual that are moving from one place to the other one digital place to the other one, digital means to the other. And that's us that are having control of our own data. We just seen the presentation about consent management. And for sure, that's explaining clearly, which is the importance that the individual is having in this new hero. Okay. So allow me to be very eye level.

Then I can go with some example, what we're talking about here. We're talking about having the capability to know what's happening out there. There are three thread intelligence engines that are describing already where are the threads? So we have to use those information to understand where are the IP that we don't trust. For example, we need to collect all those information with proper security information and even management, including log management, which is our one dashboard that is allowing us to visibil to have visibility across on-prem and cloud applications by default.

Well, we don't, we, we, sometimes we want something more. I dunno, if you are, let me say aware of this acronym, probably most of you are cloud access security broker. We implement office 365. We implement Oracle ACM. We implement, I dunno, something that could be Salesforce or Amazon, a service, which could be SaaS pass.

And yes, and we are putting into this infrastructure, our data. Do we really know what's happening out there in terms of details, in terms of what users are doing, just to make an example, users could, for example, download from salesforce.com and Excel file. Maybe it makes sense. Maybe it does not. It depends.

We, we don't know. It's difficult for us to understand. So tool like CASBY without being interested into, in this example, Salesforce can identify this event, can try to understand if this behavior it's something which is through a common pattern. So all the users in the sales group are doing the same activity at the end of the quarter, or maybe it's strange. It's not true for everybody.

It's true just for this one guy, which by the way, is last 30 day termination of his contract because I know that the human capital management system told me that, well, this is something that the CASPI tool can do, not just for one services, but for all the services or can help us to also prevent some bad usage of the, of the cloud. Imagine someone activating an Amazon instance, maybe to do some coining, do we have the tools to know that in advance and immediately, this is not related to data protection most probably, but that's related to proper management or the infrastructure.

Well, if we know this information and if we correlate that with machine learning with the fact that this user actually also sent out this email by office 365 with a large attachment, well, we're identified for sure, a behavior, which is different from what is the standard behavior, another acronym. This is your user entity and behavior analytics. This should be the default to protect ourself as an infrastructure against all those different kind of attacks. Many of them, we cannot understand what they are.

So that's why actually we need to have a layer of identity, which is of identity, which is identity management. Historically, you know, Oracle has been in this era for quite a long time, that is helping us to understand actually which identity is related to all those activities in this complex environment.

Well, for sure, we also like to have something which is helping have, has to have an automated remediation. Does it mean that we suspended the user immediately?

Well, in the case I was describing before depend on the company policies. In most cases, it doesn't happen, but we have avoided all the noises that usually the traditional sock are generating focusing only on the events that are strange in terms of behavior.

Well, this is what we call identity sock, and it's based on a series of cloud services. So it's a series of component that also are having, let me say they live by themselves, but also they integrate with other existing components. That's the idea from Oracle to, to have a, to have a series of cloud services that can run in the public cloud, but can run also at customer with what, something that we call cloud that customer. And it's actually helping to manage the identity, to have a look about what's happening in terms of analytics and the CASB that I was just describing.

Those are a series of cloud services. Those actually are already delivered and all those ones are happening in those days. And just to make you an example of one famous customer that, you know, this is actually Levi and yeah, they started a journey to the cloud and they decided to have, by default, some tool that were, were helping them extending the, so capabilities versus the cloud within this case, the Casper solution.

So a smart approach to extend the capabilities of the existing SOC and integrating that value to have that thread intelligence and the user behavior analytics and to focus only on those, let me say risks out there. Okay. So then the second question, where is my data?

Part two, obviously the data is in the databases. And as you can imagine at Oracle in terms of security, we're also working on database security as a theme and because of GDPR in particular, well, let me say that we, we had the opportunity to have several conversation. I don't want to comment too much on this slide.

This is just to say the areas were actually data security is working, but you see that the area are mainly evaluating or let me let that means having the possibility to understand where the data is, but also being able to have solution to prevent events related to data leakage to happen, but also to detect what is actually happening inside our infrastructure. Well, for sure when it comes to several activities we are doing right now with the customers, we are starting with a conversation.

I mean, not just Oracle database, customer database users in general, Oracle and non Oracle, exactly. To understand where personal information is and which are the Contra measure that makes sense to put together when it comes to data protection.

Well, I just could make some example and jumping into the conclusion. So we have maybe some time for few and a, or lunches upcoming.

Well, I don't want to go into the details, but think about basic things like protecting against someone which is maybe managing as an outsourcer, our database, where all the personal data, all the sensitive data of our organization are, and maybe they are doing that with a backup, for sure they are doing backup for sure they are good, but is that encrypted maybe? Yes. Maybe not. That's something which is very basic, but if we think about the thing we can do to protect ourself about losing or preventing losing data, that's for sure a first nice step.

Well, we can continue. We can do data sophistication or data reduction or data masking, making sure that when we create a Devon test copy of our production database and the business is always wanting to have that tomorrow or maybe yesterday, well, the developer community, they have to do that as soon as possible.

Well, maybe not all the time we are encrypting or masking those data. We are providing a natural copy or a one-to-one copy of the production data.

Another, we call them most common mistakes that we are seeing happen happening in, let me say the, the database customer community, for sure. This is having a huge impact when it comes to protecting personal data. So those are good steps that we usually see being adopted. Like for example, also having the possibility to collect properly auditing about what's happening in the interior. Genius.

Let me say scenarios of the databases, where the data are stored and having those information to let me say feed that the identity soccer was describing above because that's useful information we can use to really understand the bad behavior. Well also protecting and detecting potentially blocking attacks in real time through a kind of a viral architecture dedicated to, to the, the, the area of databases.

Well, just to summarize about GDPR, because at the end, you know, I was talking about regulatory Roomba on PPOs because at the end, all those controls, we see applies to many, many regulations, and it's impossible to discuss in deep GDPR requirements in actually 50 minutes. But just to summarize, we know actually that it's to defend, to protect ourselves as European citizens at the end. So it's good stuff that is helping in that direction and it's requesting organization to do.

Actually we don't have too much time to act, but actually to, to, to take actions, the reason for which it's a board level topic at not anymore as let me say an it topic. It's because of the defines that, that the regulatory organization put together and actually they needed to notify the breach if it's happening. So security in this case is having a role also to prevent because of this, the needed to go out and declare the breach.

Let's make the example data protection by design and by default are the requirements that are there recommendations in the regulation and well, in, in many cases you can do that at application level, or if you want, you can do one step down and you do that for all the applications. For, for example, working at the database level, same stuff for the cloud. You can do that inside any single cloud application, not necessarily depends on the cloud application. You're dealing with another example that is coming from data breach notification.

It's not required that to do data breach notification to individuals, if security controls prevent breaches from occurring, if someone stole our data store, which is encrypted at the end, it's not intelligible. So probably we have the possibility to, to, to skip about this, this requirement.

Well, you see on the right, the area in which for sure, let me say Oracle can help. You can Google and find quite some interesting resources which is describing in details, the regulation. And now Oracle is actually let me say sharing with his own prospect and customers about his own view, how to support and help them, but how actually to start well, the way we usually start our conversation with our customer on the topic. And it's always a journey when it comes to cloud security, when it comes to GDPR, or let me say the need to have a road to, to GDPR compliance for the customer.

We usually do a conversation, a risk assessment with our customer.

And this is something that we are dealing together with our customer to really understand, you know, and to work together, to provide our own view, because at the end, the decision still stand in the customer side about what could be the proper roadmap to, to let me say, to have the proper security measure in place, just to make a couple of example, we had an important activity in healthcare in institution, and it was an assessment we've been dealing with the CIO we've been dealing with the general manager at that time, because there were some few things to put together.

And to let me say, align with the, with the requirement, from a specific regulation, what was interesting that yeah, we were providing our own view customer was taking decisions, but customer decided that was very difficult to have all the vendors from an application perspective to modify their existing application, to be compliant with specific requirements they put together.

It was quite interesting to identify with the application vendor and for example, the data security vendor or the cloud security vendor like we are, which were the security by design measures that could have been put together to support the customers in this journey, but also to support the application developers in this journey, because it was quite difficult for them to do all those modifications. So that was the outcome of the assessment. That was a joint investment that we did together with the customer.

And we are very happy to let me say, propose that as a way to go forward with, with our customers in light of those regulatory Roomba HIRA. Thank you very much. Thank you, Luca. That was really interesting presentation. I like the term of the identity based or identity oriented.

So if we, one question from my side, if you, if you had S I E M cm on the slides, and if we think back some five years, eight years, seam systems were highly capable, but slow. What you're talking about here is needs to be real time security because you want to implement adaptive methods that really can react in real time. How real time gets this?

Well, there are two things I would say. One is real time about understanding what's happening and the capability to react. For sure. That's one imperative to reach that. I would say three things. One is where you are having this seem deployed because it could be on 20 boxes, 30 boxes, 40 boxes around the whole infrastructure, or it could be leveraging the power of cloud in terms of also resources. That's one of the approach we are actually having. This is the approach we are actually having. That's going to be a cloud services.

Secondly, well, historical SIM head, what we call correlation rules that are helping to understand, which are the user, the known bad behaviors allow me to say, well, that is good and it's still needed, but we need to have machine learning, which is the other piece that actually Oracle is introducing in order to understand from the behavior, what's the differences from the standard behavior of all my users said, maybe user that are, let me say in the same business unit.

So user for which I can understand, which is the right or expected behavior that helping me in addition to the other to avoid the noise that SIM historical SIM is now generating with all those threats. And so to be faster in reacting, it's not just about technology is also about supporting the organization to be faster in this case, the SOC team, to be faster in reacting to those, to those threats. Okay. Thank you. That looks really promising because we are now no longer collecting logs, but we are really communicating directly on in the cloud.

Are there any other questions that we could raise here now towards Luca regarding that concept? I know it's getting close to lunchtime, so no further questions from that side.

So, and we are right on time. So that's perfect. Thank you very much for that presentation, Luca. Thank you very much.