Document: SANS Institute Product Review: Oracle Audit Vault (pptx)

SANS Institute Product Review: Oracle Audit Vault
March 2012
A SANS Whitepaper
Written by: Tanya Baccam
Contents: Product Review: Oracle Audit Vault; Auditing; Reporting; Alerting
Sponsored by Oracle

Introduction

The number, scale and severity of successful data theft and espionage attacks rose considerably last year, according to Verizon’s 2011 Data Breach Investigations Report.[1] While 92 percent of these attacks are executed from outside the enterprise, many attacks made their way into databases, accounting for the majority of financial losses over the history of the report. Loss of records due to insider or outsider breach can have a huge impact on organizations. The average organizational cost of a data breach is $7.2 million, or $214 per compromised record, according to the most recent Ponemon Annual Study: U.S. Cost of Data Breach.[2]

When breaches are related to customer personal data, there is no doubt that an investigation is needed to apprise regulators, law enforcement and affected consumers. In the case of espionage against private and government enterprises, investigations are an ongoing part of doing business. Such investigations help close up vulnerabilities and improve overall security of operations. When those investigations get down to the database level, how can auditors and responders determine what databases were impacted, what access and commands were used, and what applications were utilized within the database? Equally important, how can organizations be alerted to this activity occurring within their databases in time to take action and prevent an attack from being successful?

This paper is a review of Oracle Audit Vault, which provides database log centralization, management, alerting and reporting across multiple databases. With Oracle Audit Vault, investigators and auditors can gather information about who accessed data, what applications were accessed, what was changed, and more.
This centralization makes it easier to identify and contain potential compromises before they occur, as well as create reports for compliance and forensics. Oracle Audit Vault can be set to send alerts, which are critical for a fast response to stop risky behavior and attacks, and provide out-of-the-box compliance reports and methods of detecting unauthorized activities.

SANS Analyst Program 1 SANS Institute Product Review: Oracle Audit Vault

[1] www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
[2] www.symantec.com/about/news/release/article.jsp?prid=20110308_01

Product Review: Oracle Audit Vault

Most organizations utilize multiple database types and versions that are difficult and time-consuming to audit and report on individually. Oracle Audit Vault acts as a secure, centralized database audit trail repository. It is able to collect audit trails from a variety of databases, including Microsoft SQL Server 2000, 2005, and 2008; IBM DB2 UDB 8.2 through 9.5 and Sybase ASE 12.5.4 through 15.0.x as well as Oracle databases. These audit trails can be automatically consolidated and reported on for audit and compliance purposes as well as for early threat detection. With unified reporting against their disparate databases, organizations can get more accurate reports and alerts without trying to manually tie events together across database systems.

Oracle Audit Vault uses collectors designed to collect data for the database audit trail, operating system audit trail, and redo logs for Oracle to gather logs from multiple databases. Oracle Audit Vault centrally and securely consolidates the audit data, making it easier to search and manage data drawn from multiple databases. The ability to search and manage audit data from multiple databases can be used for alerting, notifying, following trends, and for more comprehensive audit/compliance functionality.
For example, a secure repository for logs not only meets specific compliance needs, but also offers more scalability for searching and reporting. In this functional review of the Oracle Audit Vault product, we used Oracle Database 11g to generate the audit data to be collected by Oracle Audit Vault, then conducted the review in three phases: Auditing, Reporting, and Alerting.

Auditing

In centralizing the audit data, database audit trails are stored in Oracle Audit Vault, which provides a secure repository on a separate server. Leaving audit data on the originating system leaves the data open to alteration. Keeping the repository securely separated from the system is critical to most compliance requirements that dictate that data cannot be altered. By storing the data in Oracle Audit Vault, administrators can be restricted from the data completely, or simply provided a read-only role so they cannot change the data inside the repository. Oracle Audit Vault leverages Oracle Database Vault and Oracle Advanced Security to strictly control access and prevent tampering with the audit data. Oracle Audit Vault includes Oracle Partitioning to enhance manageability and performance and can, optionally, be deployed with Oracle Real Application Clusters (RAC) and Oracle Data Guard for additional scalability and high-availability deployments. Oracle Audit Vault can also be deployed on Oracle Exadata and the Oracle Database Appliance.

In the first part of this review, we tested the Audit Policy features against a single Oracle Database 11g. This involved clicking on the Audit Policy tab and then selecting the database being audited. We retrieved the policy by clicking the Audit Settings radio button, which provided the link for the database and a summary of what audit was occurring, as shown in Figure 1.
Figure 1: Summary of Audit Settings

Audit settings were easy to review. They enable users to easily obtain an understanding of what was being audited and sent to Audit Vault. The In Use column notes the number of active settings from the database sending records to Audit Vault. The Needed column notes the number of required audit settings the auditor has specified. And, the Problem column notes the number of audit settings that require attention from the auditor. Users can follow each of the links to get additional details about how the audit was set up.

Reporting

Next, we evaluated the default reports provided. Reports on access, database account management, system management, entitlement, exceptions, alerts and more are provided by default with Audit Vault. Oracle Audit Vault’s default report options are shown in Figure 2. By clicking on the links, we were able to review the log reports, which provided basic audit information that might be required of any centralized logging solution immediately.

Figure 2: Default Reports Provided by Audit Vault

Next, we tested what detail the reports would show. For example, to audit specific statements that might indicate employee abuse, we issued the following queries in the database:

    update oe.orders set order_total=54 where order_id=2458
    select count (*) from HR.employees where salary>10000

The results appeared in the Data Access report showing all queries that matched the specified parameters, as summarized in Figure 3.
Figure 3: Data Access Report under the Audit Reports Tab

Oracle Audit Vault can be used to query for specific data in order to identify signs of malicious intent or policy violations. By clicking on the individual records, we could read each of the queries in order to understand what data had been queried by which users. Figure 4 shows an example of what appears to be an employee querying for specific employee salary information.

Figure 4: Observing the SELECT Query

The SQL Text in Figure 4 specified the query that was conducted. In this particular case, the user (SYSTEM) had queried for a count of the employees that make over $10,000. Security personnel can use a number of the reports to query the audit data being created. Centralizing all the data in a single location makes it easier to investigate and identify potentially suspicious activity. We could also create customized queries based on specific organizational data concerns such as who is viewing credit cards, Social Security numbers and other such sensitive data. Of course, all of this is dependent on how auditing is set up in the source database, because Audit Vault reflects only the data that is sent to it.

Another type of access report provided is Entitlement reports. Entitlement reports are important for organizations wanting to protect regulated data and intellectual property from those with privileged user access to administer systems. We retrieved the entitlement information from our database by going to the Audit Policy tab and selecting the User Entitlement option for the appropriate Audit Store. Then we clicked the Retrieve button, as shown in Figure 5.
Figure 5: Retrieving Entitlement Reports Data

Once the entitlement information was retrieved, we needed to view the specific data via the Entitlement reports. We found multiple built-in Entitlement reports for objects, users and systems that cover privileged user accounts, roles, profiles, privileges and more. In this case, we selected the User Privileges report and then clicked Go. The data was displayed in Audit Vault as shown in Figure 6.

Figure 6: Privileged Users Entitlement Report

The Entitlement reports were simply reporting on the data from the databases related to privileges in use when the snapshot was obtained. Reports can be automatically scheduled and generated for management and compliance purposes. Auditors can be alerted when reports are available and an attestation process set in motion for review and approval.

Alerting

Reports also provide data on login/logoff, startup/shutdown, failures, audit settings, changes, system events and user activity, among other data revealed by database logs. These, and other access and system events, provide valuable security intelligence that can be fed into Oracle Audit Vault alert reports, which can be classified based on level of severity. Reports can also create an alert in realtime as the data is analyzed. To review this feature, we created an individual alert whenever a new user was added to the system. To set up the alert, we went to the Audit Policy tab, chose Alerts, and clicked Create. Figures 7 and 8 show how the alert was configured.

Figure 7: Setting up an Alert

The alert was titled CREATE_USER, and the severity was set to Warning. We selected the audit source type (ORCLDB) and the specific database to alert on.
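As an added illustration (not code from the paper, from SANS or from Oracle), the following Python models on a constructed audit trail the two workflows the review exercises: the Data Access report narrowed to the objects touched by the two statements issued in the Reporting section, a custom report for sensitive terms such as salary or credit card data, and the CREATE_USER alert just described, with its Warning severity, ORCLDB source type, and the Account Management category and success/failure matching the review goes on to describe. The record layout, the rule structure and every sample record are assumptions of this example, not Audit Vault's own data model or output.

```python
"""Toy central audit repository: Data Access report filtering and a CREATE USER alert rule."""
from dataclasses import dataclass
from typing import Iterable, Mapping


@dataclass(frozen=True)
class AuditRecord:
    """One audited statement, as a collector might forward it to the central repository."""
    source_db: str    # name of the audited database (audit source)
    username: str     # database user who ran the statement
    action: str       # audited action, e.g. SELECT, UPDATE, CREATE USER
    object_name: str  # SCHEMA.OBJECT for DML; the created user for CREATE USER
    sql_text: str     # statement text as recorded in the audit trail
    status: str       # "SUCCESS" or "FAILURE"


# Constructed sample trail (not real Audit Vault output). The two DML statements are
# the ones issued during the review; the CREATE USER records are made up.
SAMPLE_TRAIL = [
    AuditRecord("ORCL11G", "SYSTEM", "UPDATE", "OE.ORDERS",
                "update oe.orders set order_total=54 where order_id=2458", "SUCCESS"),
    AuditRecord("ORCL11G", "SYSTEM", "SELECT", "HR.EMPLOYEES",
                "select count (*) from HR.employees where salary>10000", "SUCCESS"),
    AuditRecord("ORCL11G", "SYSTEM", "SELECT", "HR.DEPARTMENTS",
                "select department_name from hr.departments", "SUCCESS"),
    AuditRecord("ORCL11G", "SYSTEM", "CREATE USER", "APP_USER1",
                "create user app_user1 identified by <redacted>", "SUCCESS"),
    AuditRecord("ORCL11G", "SYSTEM", "CREATE USER", "APP_USER2",
                "create user app_user2 identified by <redacted>", "SUCCESS"),
    AuditRecord("ORCL11G", "HR_RO", "CREATE USER", "TEMP_ADMIN",
                "create user temp_admin identified by <redacted>", "FAILURE"),
]

DML_ACTIONS = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"})


def data_access_report(trail: Iterable[AuditRecord], objects: Iterable[str],
                       actions: frozenset = DML_ACTIONS) -> list:
    """Narrow the trail to DML against the named objects, the way a Data Access
    report narrows it to records matching the parameters it is given."""
    wanted = {o.upper() for o in objects}
    return [r for r in trail if r.action in actions and r.object_name.upper() in wanted]


def sensitive_query_report(trail: Iterable[AuditRecord], keywords: Iterable[str]) -> list:
    """Custom report: statements whose text mentions any of the given sensitive terms
    (salary, credit card, SSN, ...), whichever object they name."""
    terms = [k.lower() for k in keywords]
    return [r for r in trail if any(t in r.sql_text.lower() for t in terms)]


@dataclass(frozen=True)
class AlertRule:
    name: str
    severity: str
    category: str
    source_type: str     # audit source type the rule applies to, e.g. ORCLDB
    event: str           # audited action that fires the rule
    statuses: frozenset  # outcomes that fire it: SUCCESS, FAILURE or both


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    category: str
    source_db: str
    username: str
    status: str
    detail: str


# The alert configured in the review: CREATE USER on an ORCLDB source, Warning
# severity, Account Management category, raised for both success and failure.
CREATE_USER_RULE = AlertRule("CREATE_USER", "Warning", "Account Management",
                             "ORCLDB", "CREATE USER", frozenset({"SUCCESS", "FAILURE"}))


def evaluate_alerts(trail: Iterable[AuditRecord], rules: Iterable[AlertRule],
                    source_types: Mapping[str, str]) -> list:
    """Run every rule over every record. source_types maps each audited database to
    its audit source type, so a rule fires only on sources of the type it was written for."""
    alerts = []
    for rec in trail:
        for rule in rules:
            if source_types.get(rec.source_db) != rule.source_type:
                continue
            if rec.action != rule.event or rec.status not in rule.statuses:
                continue
            alerts.append(Alert(rule.name, rule.severity, rule.category, rec.source_db,
                                rec.username, rec.status, f"{rec.action} {rec.object_name}"))
    return alerts


if __name__ == "__main__":
    for rec in data_access_report(SAMPLE_TRAIL, ["HR.EMPLOYEES", "OE.ORDERS"]):
        print("data access:", rec.username, rec.sql_text)
    for a in evaluate_alerts(SAMPLE_TRAIL, [CREATE_USER_RULE], {"ORCL11G": "ORCLDB"}):
        print(f"ALERT {a.rule} [{a.severity}/{a.category}] {a.source_db} "
              f"{a.username} {a.status}: {a.detail}")
```

Running the file lists the two matched statements and three alerts: two successful CREATE USER events and one failed one, which is why the review enables the alert for both outcomes. The source-type check is what keeps a rule written for an ORCLDB source from firing on records collected from a database of another type.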
Each of the alerts can also be placed in a category, so we used the Account Management category. The audit event was set to occur when the CREATE USER activity occurs. Additionally, this was done for both Success and Failure activities.

Once the alert was saved and properly set up, two accounts were created in the database. Once the accounts had been created, we went to the Audit Reports tab and selected All Alerts to see whether the alerts had been created. The alerts included the [...] to a given organization. Alerts could also be sent via e-mail or even SMS text messages.

Conclusion

Oracle Audit Vault automates the collection and consolidation of database audit data into a central, secure repository so that investigators and auditors can gather information and report on who accessed the data, what applications [...] accessed, and what actions were taken. Oracle Audit Vault can quickly and automatically detect unauthorized activities that violate security and governance policies, thereby stopping perpetrators from covering their tracks. Overall, Oracle Audit Vault was easy to use for analyzing the Oracle Database 11g audit data with which it was reviewed. By using the reports provided by Audit Vault, organizations can quickly [...] smoother audit processes. Oracle Audit Vault takes a deep approach to collecting and centralizing log data on a variety of database types and schemas. As observed during this review, the combined auditing, alerting and reporting in realtime can help address security events quicker. This is important to auditors and responders as well as security personnel charged with preventing breaches from occurring.

About the Author

Tanya Baccam is a SANS senior instructor as well as a SANS courseware author. She is the current author for the SANS Security 509: Securing Oracle Databases course. Tanya works for Baccam Consulting, where she provides many security consulting services for clients, including system audits, vulnerability and risk [...] database audits, and web application audits. Today much of her time is spent on the security of databases and applications within organizations. Tanya has also played an integral role in developing multiple business applications. She currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, and OCP DBA certifications.

SANS would like to thank its sponsors:

Posted: 17/02/2014, 21:20
