Oracle Cloud Guard helps customers maintain good security posture by detecting weak security configurations and activities that can indicate cloud security risks.
Cloud Guard detects security problems within a customer tenancy by ingesting audit and configuration data about resources in each region, processing it based on detector rules, and correlating the problems at the reporting region. Identified problems will be used to produce dashboards and metrics and may also trigger one or more provided responders to help resolve the problem.
Responders can mitigate, correct, and prevent security issues based on a problem.
Cloud Guard is available by default within your Oracle Cloud Infrastructure (OCI) tenancy and can be accessed from the OCI Security console. Here are the steps for enabling Cloud Guard for the first time:
Pre-Requisites: Cloud Guard is not available for free Oracle Cloud Infrastructure tenancies. Ensure that you have a paid tenancy before you attempt to enable Cloud Guard.
For the complete set of other pre-requisites please refer to https://docs.oracle.com/en-us/iaas/cloud-guard/using/prerequisites.htm
Cloud Guard for OCI Configuration and OCI Activity is provided free of charge for supported OCI services.
Cloud Guard is implemented regionally and aggregates problems to the customer-selected reporting region to provide a global view.
All commercial regions for the tenancy will be monitored regions. Please see here for a list of currently supported regions here: https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm
Yes, the reporting region can be changed by disabling Cloud Guard and re-enabling Cloud Guard in another region. Cloud Guard configuration and data will not be moved if the reporting region is changed.
The reporting region can only be selected during Cloud Guard enablement. So, if a customer needs to change the existing reporting region, they can disable Cloud Guard and choose the same or a different reporting region during the re-enablement process.
Please note that when you try to re-enable Cloud Guard with a different reporting region, there is a wait period of approximately 20 minutes; this is because a resource sync up must happen across regions.
Yes, Cloud Guard provides two key metrics the Risk Score and the Security score as part of the Overview page in the Console. Security Score is a normalized value ranging from 0-100 that uses the number, types, and severity of problems to determine an overall assessment of the strength of security posture. Risk Score complements the Security Score by evaluating the number of total resources being monitored, the sensitivity of each resource type, and the severity of any problems related to the resources to determine the total risk exposure of a tenant. These are used to help assess what could be “small but insecure” and “large but overall secure” environments correctly.
Cloud Guard aligns with the CIS Foundations benchmark standard for OCI. Additional compliance features are expected post-GA.
SIEMs and Cloud Guard are complementary services. Cloud Guard provides security posture assessment and security monitoring of OCI tenancy by ingesting audit/log data and by monitoring the configuration state of resources. OOTB detectors are provided and enabled by default in Cloud Guard that help detect the problems for your resources. SIEM based services ingest log data from resources and applications and provides support for search/analytics engine to perform forensic investigations and potentially identify new indicators of risk or custom event discovery. Cloud Guard’s automated remediation features (aka Responders) can be configured and initiated by Cloud Guard whereas actions should be defined as part of the rules construct for the SIEM tools.
Most customers want cloud security monitoring to integrate with existing processes, procedures, and people. Many InfoSec teams will integrate Cloud Guard problems with their internal SIEM tools to tie Cloud Guard problems with their internal processes. These integrations may use the Cloud Guard APIs, and/or existing OCI Infrastructure services such as OCI Events, OCI Notifications, and OCI Functions. Cloud Guard can be Events to trigger (e.g.) sending problems to email, Slack, and PagerDuty as well as to custom OCI Functions. Customers can also use the Events to OCI Functions to build custom integration or responses based on customers' use-cases.