Monitor and Audit Your Environment
Ensure you are using the correct controls to monitor and audit your environment
Enable Cloud Guard for Monitoring
Enterprise Architect, Security Architect
Ensure Cloud Guard is enabled at the root level of your tenancy to monitor all of your compartments. Oracle Cloud Guard detects misconfigured resources and insecure activity across tenants and provides security administrators with the visibility to triage and resolve cloud security issues. Security inconsistencies can be automatically remediated with out-of-the-box security recipes to effectively scale the security operations center. Oracle provides detector recipes (a Cloud Guard component that identifies potential security problems, based on resource configuration or activity) for enabling Instance Security in Cloud Guard.
Instance Security is an Oracle Cloud Guard recipe that monitors compute hosts for suspicious activity. Instance Security provides runtime security for workloads in Compute virtual and bare metal hosts. Instance Security expands Cloud Guard from cloud security posture management to cloud workload protection. Instance Security ensures security needs are met in one place with consistent visibility and holistic understanding of the security state of infrastructure.
Configure Auditing
Enterprise Architect, Security Architect
The Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events. Oracle Cloud Infrastructure Object Storage supports logging for bucket-related events, but not for object-related events. Log events recorded by Oracle Cloud Infrastructure Audit include API calls made by the Oracle Cloud Infrastructure console, Command Line Interface (CLI), Software Development Kits (SDK), your own custom clients, or other Oracle Cloud Infrastructure services. Information in the logs includes the following:
- Time the API activity occurred.
- Source of the activity.
- Target of the activity.
- Type of action.
- Type of response.
Each log event includes a header ID, target resources, timestamp of the recorded event, request parameters, and response parameters. You can view events logged by Oracle Cloud Infrastructure Audit by using the console, API, or the SDK for Java. Data from events can be used to perform diagnostics, track resource usage, monitor compliance, and collect security-related events.
If you have third-party tools that need to access Oracle Cloud Infrastructure Audit data, configure a Service Connector Hub to copy Oracle Cloud Infrastructure Audit data to Object Storage, with an appropriate retention period set.
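The fields listed above (time, source, target, action, response) are what a reviewer pulls out of each Audit event when collecting security-related events. The following added example, which is not part of the Oracle documentation, reduces constructed sample events (shaped after the Audit service's JSON event format, with identity, request and response nested under "data") to those five fields, isolates IAM policy changes, and counts failed calls per source; the field names are assumed from that format.

```python
from collections import Counter

# Constructed sample events (not real tenancy data), shaped after the Audit service's
# JSON event format: envelope fields plus identity/request/response under "data".
SAMPLE_EVENTS = [
    {"eventType": "com.oraclecloud.identitycontrolplane.updatepolicy",
     "eventTime": "2024-05-01T10:15:00Z", "source": "IdentityControlPlane",
     "data": {"eventName": "UpdatePolicy", "compartmentName": "root",
              "resourceName": "prod-admin-policy",
              "identity": {"principalName": "alice@example.com", "ipAddress": "203.0.113.10"},
              "request": {"action": "PUT"}, "response": {"status": "200"}}},
    {"eventType": "com.oraclecloud.computeapi.launchinstance",
     "eventTime": "2024-05-01T10:16:30Z", "source": "ComputeApi",
     "data": {"eventName": "LaunchInstance", "compartmentName": "Prod",
              "resourceName": "web-01",
              "identity": {"principalName": "ci-agent", "ipAddress": "198.51.100.7"},
              "request": {"action": "POST"}, "response": {"status": "404"}}},
    {"eventType": "com.oraclecloud.computeapi.getinstance",
     "eventTime": "2024-05-01T10:17:05Z", "source": "ComputeApi",
     "data": {"eventName": "GetInstance", "compartmentName": "Prod",
              "resourceName": "web-02",
              "identity": {"principalName": "ci-agent", "ipAddress": "198.51.100.7"},
              "request": {"action": "GET"}, "response": {"status": "401"}}},
]

POLICY_EVENTS = {"CreatePolicy", "UpdatePolicy", "DeletePolicy"}

def triage(event):
    """Reduce one Audit event to the time/source/target/action/response fields."""
    data = event.get("data", {})
    ident, req = data.get("identity", {}), data.get("request", {})
    status = int(data.get("response", {}).get("status") or 0)
    return {
        "time": event.get("eventTime"),
        "source": f"{ident.get('principalName', '?')}@{ident.get('ipAddress', '?')}",
        "target": f"{data.get('compartmentName', '?')}/{data.get('resourceName', '?')}",
        "action": f"{req.get('action', '?')} {data.get('eventName') or event.get('eventType')}",
        "response": status,
    }

def review(events):
    """Pull out IAM policy changes (the 'Security policy modified' case) and failed calls per source."""
    rows = [triage(e) for e in events]
    policy_changes = [r for r, e in zip(rows, events)
                      if e.get("data", {}).get("eventName") in POLICY_EVENTS]
    failures = Counter(r["source"] for r in rows if r["response"] >= 400)
    return {"rows": rows, "policy_changes": policy_changes, "failures_by_source": failures}
```

Feed it the JSON objects exported by a Service Connector Hub to Object Storage and the same triage applies to the real stream.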
Audit Your Policies
Enterprise Architect, Security Architect
A policy auditor may review IAM policies in an ad-hoc manner using the Oracle Cloud Infrastructure console. There are also several options that can be leveraged to generate policy reports for offline analysis.
Cloud Guard has two configuration detector recipes and one activity detector recipe specifically for IAM policies:
- Policy gives too many privileges.
- Tenancy admin privilege granted to group.
- Security policy modified.
While Oracle-managed recipes can be modified, Oracle recommends cloning the recipes to allow you to alter the objects that are targeted by these rules (through the use of tags or compartments). This allows production environments within a tenancy to have tighter controls, while relaxing the restrictions in non-production environments that reside in a different compartment in the tenancy. If you need to review IAM policies on a more granular level, Oracle recommends using the Security Policy Modified detector to trigger an event that:
- Triggers a manual review via the policy.
- Invokes a function to perform investigation or remediation.
When you audit your policies, consider the following potential issues:
- Where are your policies defined, and do they comply with your organization's standards for compartment usage?
- Audit the usage of dynamic groups. Do these groups grant excess privileges?
- What services are configured and where are they located? It may be that some services should be limited to certain compartments or groups.
- Locate and remove any duplicated statements.
- Identify policies that grant privileges to the whole tenancy.
- Identify groups that have more privileges than they need.
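The checklist above can be run mechanically against an exported list of policy statements. The following added example, not part of the Oracle documentation, parses constructed statements in OCI policy syntax (Allow <subject> to <verb> <resource-type> in <scope> [where <condition>]) and reports duplicates, tenancy-wide grants, "manage all-resources" grants, broad dynamic-group privileges, and unconditioned any-user grants; the finding thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample statements (not from any real tenancy) in OCI policy syntax.
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DevOps to manage instance-family in compartment Prod",
    "Allow group DevOps to manage instance-family in compartment Prod",
    "Allow dynamic-group BuildAgents to manage all-resources in compartment Dev",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group NetAdmins to use virtual-network-family in compartment Shared",
]

# Common statement shape: Allow <subject> to <verb> <resource-type> in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|any-user|service)"
    r"(?:\s+(?P<subject>(?!to\b)\S+))?\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

def audit_policies(statements):
    """Return (statement, finding) pairs for the checklist items above."""
    findings = []
    normalized = [" ".join(s.split()).lower() for s in statements]
    counts, reported = Counter(normalized), set()
    for raw, norm in zip(statements, normalized):
        if counts[norm] > 1 and norm not in reported:
            findings.append((raw, f"duplicated statement ({counts[norm]} copies)"))
            reported.add(norm)
        m = STATEMENT_RE.match(norm)
        if not m:
            findings.append((raw, "unparsed statement; review manually"))
            continue
        verb, resource = m["verb"], m["resource"]
        if m["tenancy"]:
            findings.append((raw, "grants privileges across the whole tenancy"))
        if verb == "manage" and resource == "all-resources":
            findings.append((raw, "manage all-resources: policy gives too many privileges"))
        if m["subject_type"] == "dynamic-group" and verb in ("use", "manage"):
            findings.append((raw, "dynamic group holds use/manage privileges; confirm it needs them"))
        if m["subject_type"] == "any-user" and not m["condition"]:
            findings.append((raw, "any-user grant without a where condition"))
    return findings
```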
Oracle Access Governance Cloud Service is a cloud-native identity governance and administration (IGA) solution that provides user provisioning, access reviews, and identity analytics to help you define and govern access privileges. Leverage actionable policy insights from artificial intelligence/machine learning-driven intelligence to help audit your policies.
Monitor VCN Flow Logs
Enterprise Architect, Security Architect
- Monitor details about traffic that passes through a VCN.
- Audit traffic and troubleshoot security lists.
- Enable and manage flow logs from the network command center.
- Use capture filters to evaluate and select traffic to include in the flow log.
- Leverage Oracle Cloud Infrastructure Logging to send log information to a specified log group.
- Enable flow logs for all VNICs in a VCN, subnet, target specific instances, network load balancers, or resource VNICs as enablement points.
Continuously Scan for Vulnerabilities
Enterprise Architect, Security Architect
- Outdated software, or firmware.
- Unpatched flaws (for example: unpatched operating systems, software, or plugins).
- Misconfigured settings.
- Insecure code, or programming errors.
- Weak passwords, or authentication mechanisms.
Oracle Vulnerability Scanning Service helps improve your security posture in Oracle Cloud Infrastructure by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.
The core capabilities of the Oracle Vulnerability Scanning Service are:
- A simple, on by default, prescriptive, and free scanning suite that is tightly integrated with the Oracle Cloud Infrastructure platform.
- Default plugins and engines based on Oracle Cloud Infrastructure-created and open-source scanning engines for host and container scanning.
- Oracle Cloud Infrastructure manages the deployment, configuration, and upgrade of these engines and agents across the customer fleet.
- Problems detected by the scanning suite will be surfaced through Oracle Cloud Guard, with rules and ML to prioritize critical vulnerabilities.
- Oracle Cloud Infrastructure will take action (alert, auto-remediate, or quarantine) through responders to shorten the time from detection to remediation, including through maximum security zones.
- Integration with third-party vulnerability scanners such as Qualys Vulnerability Management, Detection and Response.
Aggregate Service Logs to SIEM Platforms
Enterprise Architect, Security Architect, Network Architect
SIEM platforms enable you to monitor security events from different sources such as networks, devices, and identities. You can also analyze these signals in real time using machine learning to correlate various signals and to identify hostile activity and irregular security events traveling through the network.
OCI can send logs and events to several third-party SIEM platforms.