Oracle Cloud Guard helps customers maintain good security posture by detecting weak security configurations and activities that can indicate cloud security risks.
Cloud Guard detects security problems within a customer tenancy by ingesting audit and configuration data about resources in each region, processing it based on detector rules, and correlating the problems at the reporting region. Identified problems will be used to produce dashboards and metrics and may also trigger one or more provided responders to help resolve the problem.
Responders can mitigate, correct, and prevent security issues based on a problem.
Cloud Guard is available by default within your Oracle Cloud Infrastructure (OCI) tenancy and can be accessed from the OCI Security console. Here are the steps for enabling Cloud Guard for the first time:
Pre-Requisites: Cloud Guard is not available for free Oracle Cloud Infrastructure tenancies. Ensure that you have a paid tenancy before you attempt to enable Cloud Guard.
For the complete set of other pre-requisites, please refer to https://docs.oracle.com/en-us/iaas/cloud-guard/using/prerequisites.htm
Cloud Guard for OCI Configuration and OCI Activity is provided free of charge for supported OCI services.
Cloud Guard is implemented regionally and aggregates problems to the customer-selected reporting region to provide a global view.
All commercial regions for the tenancy will be monitored regions. For a list of currently supported regions, see: https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm
No, the reporting region cannot be changed. The reporting region is chosen during Cloud Guard enablement; once assigned, this setting cannot be changed, even by disabling and enabling Cloud Guard.
The reporting region can only be set during Cloud Guard enablement. So, if a customer needs to change the existing reporting region, they can disable Cloud Guard and, during the re-enablement process, choose the same or a different reporting region.
Please note that when you re-enable with a different reporting region, there is a wait period of approximately 20 min. This is because of the resource sync-up that needs to happen across regions.
Yes, Cloud Guard provides two key metrics, the Risk Score and the Security Score, as part of the Overview page in the Console. The Security Score is a normalized value ranging from 0-100 that uses the number, types, and severity of problems to determine an overall assessment of the strength of the security posture. The Risk Score complements the Security Score by evaluating the total number of resources being monitored, the sensitivity of each resource type, and the severity of any problems related to those resources to determine the total risk exposure of a tenant. Together they help assess “small but insecure” and “large but overall secure” environments correctly.
Cloud Guard aligns with the CIS Foundations benchmark standard for OCI. Additional compliance features are expected post-GA.
SIEMs and Cloud Guard are complementary services. Cloud Guard provides security posture assessment and security monitoring of an OCI tenancy by ingesting audit/log data and by monitoring the configuration state of resources. Out-of-the-box (OOTB) detectors are provided and enabled by default in Cloud Guard to help detect problems with your resources. SIEM-based services ingest log data from resources and applications and provide a search/analytics engine for performing forensic investigations and potentially identifying new indicators of risk or custom event discovery. Cloud Guard’s automated remediation features (aka Responders) can be configured and initiated by Cloud Guard, whereas for SIEM tools, actions must be defined as part of the rule construct.
Most customers want cloud security monitoring to integrate with existing processes, procedures, and people. Many InfoSec teams will integrate Cloud Guard problems with their internal SIEM tools to tie Cloud Guard problems into their internal processes. These integrations may use the Cloud Guard APIs and/or existing OCI services such as OCI Events, OCI Notifications, and OCI Functions. Cloud Guard problems can be published as OCI Events to trigger, for example, sending problems to email, Slack, and PagerDuty, as well as to custom OCI Functions. Customers can also use Events with OCI Functions to build custom integrations or responses based on their use cases.
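As an added example (not Oracle's code), the following shows the shape of the Events-to-Functions integration described above: a handler receives a Cloud Guard problem event, normalises it, and decides which downstream channels (pager, chat, SIEM) should receive it based on the problem's risk level. The event type string and the field names under data.additionalDetails (riskLevel, problemName, resourceName, region) are assumptions about the payload, and the sample event is constructed.

```python
import json
from typing import Any, Dict, List

# Assumed OCI Events type emitted when Cloud Guard detects a new problem.
CLOUD_GUARD_PROBLEM_EVENT = "com.oraclecloud.cloudguard.problemdetected"

# Severity-to-channel routing: only CRITICAL pages someone; everything
# is kept in the SIEM so analysts retain the full record.
ROUTES: Dict[str, List[str]] = {
    "CRITICAL": ["pagerduty", "slack", "siem"],
    "HIGH": ["slack", "siem"],
    "MEDIUM": ["siem"],
    "LOW": ["siem"],
    "MINOR": ["siem"],
}

# Constructed sample payload in the shape OCI Events hands to a Function.
SAMPLE_EVENT = json.dumps({
    "eventType": CLOUD_GUARD_PROBLEM_EVENT,
    "data": {
        "compartmentId": "ocid1.compartment.oc1..example",
        "additionalDetails": {          # assumed field names
            "problemName": "BUCKET_IS_PUBLIC",
            "riskLevel": "CRITICAL",
            "resourceName": "customer-exports",
            "region": "us-ashburn-1",
        },
    },
})


def route_problem(raw_event: str) -> Dict[str, Any]:
    """Parse one event payload and decide where the Cloud Guard problem goes.

    Non-Cloud-Guard events are reported as not forwarded rather than passed
    on, and an unknown or missing risk level still reaches the SIEM.
    """
    event = json.loads(raw_event)
    if event.get("eventType") != CLOUD_GUARD_PROBLEM_EVENT:
        return {"forwarded": False, "reason": "not a Cloud Guard problem event"}
    data = event.get("data", {})
    details = data.get("additionalDetails", {})
    risk = str(details.get("riskLevel", "")).upper()
    channels = ROUTES.get(risk, ["siem"])  # never drop a problem silently
    summary = (f"[{risk or 'UNKNOWN'}] {details.get('problemName', '?')} on "
               f"{details.get('resourceName', '?')} in {details.get('region', '?')}")
    return {"forwarded": True, "channels": channels,
            "summary": summary, "compartment": data.get("compartmentId")}
```

Inside an OCI Function this would be wrapped by the FDK entry point, which passes the request body as the raw event string.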