
I've become a huge fan of the Oracle Management Cloud (OMC). Why? Because Oracle has broadened its scope: the OMC doesn't just monitor Oracle-based systems and applications, it has plugins for many non-Oracle technologies, which makes the OMC very flexible and enterprise-worthy as a complete monitoring solution.

Security Monitoring and Analytics (SMA)

Oracle also realized that customers have great concerns about security in general, and even more so in the cloud, so they have put up a cloud service with really powerful capabilities.

One of these powerful modules inside the Management Cloud is Security Monitoring & Analytics, or SMA. With this module any SIEM or SOC can detect, identify and monitor the following:

  • Security threats from inside and outside the company
  • Fraud
  • Compliance violations

Inside SMA

When you are in SMA it looks pretty much like the other OMC components, but its focus is on security. Entering the first dashboard you immediately see an overview of the activity of your users and their possibly risky actions. When you log in to OMC, you can click on the SMA module if you have the proper cloud subscriptions.

Here you start on the main SMA landing page, which shows the “Users” dashboard, but you can configure dashboards for yourself if you want. On this page you see:

1. Users – shows the total number of risky users

2. Threats – shows total, critical, high, medium and low risk threats

3. Assets – shows the total number of risky assets

Clicking on the threats you can get more details on a person's actions, which come out of the analysis of the identity management logs or from a user data upload. You can see the company, manager and specific user details and status such as lockouts, locations, email addresses and so on. To dig deeper you can identify a kill chain. A kill chain is a series of steps which might lead to some kind of destruction or illegal access/actions.

  • Threats by category – Threats are categorized by the SMA engine into different kill-chain steps such as
    • reconnaissance --> research, identification and selection of targets
    • infiltration --> infiltrating these targets
    • lateral movement --> moving through the system in search of keys/access points

It is obvious that this user has been the target of a hostile attack executing this kill chain.

  • Top Risky Assets by Threats – Detects if a certain asset (which can be any system, host or database) is being targeted more than usual.

Clicking on the threats, you can see exactly what is happening: the kill chain is clearly exposed. But how can we see this?

Based on the kill chain components, we identify:

  • An anomaly (WebAccessAnomaly) is detected by an analytics machine learning model which saw the user going to a URL that was not expected based on the peer-group baseline of websites visited. This user visited a site and downloaded malware onto his machine, which could have triggered this attack.
  • An attack which was detected by the rule “MultipleFailedLogin”, which gets triggered when five or more failed login attempts on different accounts are seen
  • An infiltration attack which is detected by “TargetedAccountAttack”

Furthermore, some infiltration attacks are captured by the “BruteForceAttackSuccess” rule, which gets triggered by 5 failed login attempts on the same account followed by a successful login within a one-minute period. The conclusion is that the attacker has gained the user's credentials. But that is still not the end.

Again an anomaly is captured, by the rule PrivSQLAnomaly on a database: this is SQL anomaly detection which shows that the attacker is doing unauthorized or anomalous transactions on the associated asset FINDB. SMA's SQLAnomaly detection detected this.

Looking at the kill chain, the last action is detected: the lateral movement, with the rule MultipleUserCreation, which fires when an attacker creates 3 or more users in the Oracle database within a 5-minute period.

Immediately you can see that a kill chain attack (anomaly -> recon -> infiltration -> lateral movement) is in progress. The attacker attacked a critical asset (the finance host and FINDB) via this user. With SMA you can see not only point threats but the entire kill chain view, which gives faster insight into what's happening.

(original source: OMC SMA and Configuration and Compliance - DemoScript)

Machine Learning

Machine learning in SMA helps identify attacks and threats. If you look at the PrivSQLAnomaly, you see that, based on an analysis of log data, a pattern is recognized which is outside the normal range. In this example you see an action of a certain user which is not within the normal range for the function of this user. Further investigation shows that this user has visited a hostile website, from which malware was installed on the user's computer. Using the WebAccessAnomaly together with some Log Analytics query results shows that another user, separate from the user we already had an eye on, also shows up. In this case we can take some preventive actions to prevent another kill chain, such as:

  • Force a password reset on all the compromised accounts.
  • Cut off the two users' access to the rest of the network.
  • Trigger malware scans/removal on the user machines.
  • Blacklist the malicious website and add it to your web-filtering solution.

Rules and Models

The mechanisms described above are based on rules and models. Potential security actions have to be detected and reported, and within SMA you can define rules for that purpose. These rules apply to the systems or applications for which an alert must be raised in case of a security breach.

These rules are used to detect any suspicious action and can be configured at any desired level: for instance, within which time window an event must happen, how many times, and what action has to follow when it is detected.
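The rule definitions quoted in the kill chain walkthrough above (MultipleFailedLogin, BruteForceAttackSuccess and MultipleUserCreation) and the generic rule shape described in this section (an event, a count, a time window, a follow-up action) are all sliding-window counters. The Python below is an added example written for this page, not Oracle SMA code: it implements that rule shape once, configures the three rules with the thresholds the page states, and runs them over constructed audit events. The event format, the grouping keys (per source address, per account, per database and source) and the 5-minute window for MultipleFailedLogin, which the page does not give, are assumptions.

```python
"""Sliding-window detection rules and a kill-chain view over constructed audit events.

Added example, not Oracle SMA code. The event format, grouping keys, the
5-minute window for MultipleFailedLogin and the sample lines are assumptions.
"""
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class Event:
    ts: datetime
    kind: str      # login_failed | login_success | user_created
    user: str      # account the action targeted
    source: str    # address or session that performed it
    asset: str     # host or database that logged it


@dataclass
class Rule:
    name: str
    stage: str                      # kill-chain step the rule maps to
    event_kind: str                 # event type that is counted
    threshold: int                  # how many within the window
    window: timedelta
    key: Callable[[Event], str]     # events are counted per key (source, account, ...)
    distinct: Optional[Callable[[Event], str]] = None  # count distinct values instead of events
    followed_by: Optional[str] = None                  # trailing event that completes a sequence


Alert = namedtuple("Alert", "rule stage key ts count")


class RuleEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self._hist = {r.name: defaultdict(deque) for r in rules}  # rule -> key -> recent events
        self.alerts: List[Alert] = []

    def feed(self, ev: Event) -> List[Alert]:
        fired: List[Alert] = []
        for rule in self.rules:
            key = rule.key(ev)
            hist = self._hist[rule.name][key]
            while hist and ev.ts - hist[0].ts > rule.window:  # expire events outside the window
                hist.popleft()
            if ev.kind == rule.event_kind:
                hist.append(ev)
            # count rules evaluate on the counted event, sequence rules only on the trailing one
            if ev.kind != (rule.followed_by or rule.event_kind):
                continue
            count = len({rule.distinct(e) for e in hist}) if rule.distinct else len(hist)
            if count >= rule.threshold:
                fired.append(Alert(rule.name, rule.stage, key, ev.ts, count))
                hist.clear()  # one alert per burst
        self.alerts.extend(fired)
        return fired


RULES = [
    # 5+ failed logins on different accounts from one source (window assumed)
    Rule("MultipleFailedLogin", "reconnaissance", "login_failed", 5, timedelta(minutes=5),
         key=lambda e: e.source, distinct=lambda e: e.user),
    # 5 failures on the same account followed by a success within one minute
    Rule("BruteForceAttackSuccess", "infiltration", "login_failed", 5, timedelta(minutes=1),
         key=lambda e: e.user, followed_by="login_success"),
    # 3+ users created on a database by one source within 5 minutes
    Rule("MultipleUserCreation", "lateral movement", "user_created", 3, timedelta(minutes=5),
         key=lambda e: f"{e.asset}:{e.source}", distinct=lambda e: e.user),
]

# Constructed audit lines: failures spread over five accounts, a burst on one account that
# ends in a successful login, three accounts created on FINDB, and one unrelated login.
SAMPLE_LOG = (
    [f"2018-01-15T10:00:{10 * i:02d}Z login_failed user={u} src=10.0.0.5 asset=finhost"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [f"2018-01-15T10:01:{10 * i:02d}Z login_failed user=frank src=10.0.0.5 asset=finhost"
       for i in range(5)]
    + ["2018-01-15T10:01:50Z login_success user=frank src=10.0.0.5 asset=finhost"]
    + [f"2018-01-15T10:0{2 + i}:00Z user_created user=svc{i} src=10.0.0.5 asset=FINDB"
       for i in range(3)]
    + ["2018-01-15T10:05:00Z login_success user=alice src=10.0.0.9 asset=finhost"]
)


def parse_line(line: str) -> Event:
    ts, kind, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, f["user"], f["src"], f["asset"])


def run_rules(lines: List[str] = SAMPLE_LOG) -> List[Alert]:
    engine = RuleEngine(RULES)
    for line in lines:
        engine.feed(parse_line(line))
    return engine.alerts


def kill_chain(alerts: List[Alert]) -> List[str]:
    """Distinct kill-chain stages in the order their alerts fired."""
    stages: List[str] = []
    for a in alerts:
        if a.stage not in stages:
            stages.append(a.stage)
    return stages


if __name__ == "__main__":
    print(kill_chain(run_rules()), run_rules())
```

On the sample data the engine raises the three alerts in order and derives the kill chain reconnaissance -> infiltration -> lateral movement from them. Two design points matter for any rule of this shape: a key's history is cleared after an alert so one burst produces one alert rather than one per extra event, and a sequence rule such as BruteForceAttackSuccess is only evaluated on its trailing event (the successful login), so five failures without a success, or a success that comes after the window has expired, do not fire.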

Models

To detect anomalies, machine learning models are used. These models are used along with the log analysis and can be:

  • Peer Models - based on an organization or group
  • SQL Models - based on analysis of database actions
  • User Models - based on analysis of individual users

In combination with the log and data analysis, which comes from logs or uploaded files, more and more suspicious patterns can be identified and recognized, in order to report, alert and take the necessary actions.
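The WebAccessAnomaly described earlier and the peer and user models listed here rest on the same idea: what counts as normal for a user is judged against the user's own history and against the behaviour of the peer group. The Python below is an added example for this page, not Oracle SMA code. It learns, per department, which domains each member visited during a baseline window of constructed proxy-log lines, then scores later visits by whether the user had visited the domain before and by the share of peers that have. The log shape, the group names, the domains and the 25% peer threshold are assumptions.

```python
"""Peer-group baseline for web access anomalies over constructed proxy-log lines.

Added example, not Oracle SMA code. Log shape, group names, domains and the
25% peer threshold are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit


@dataclass
class Visit:
    user: str
    group: str    # peer group, here the department
    domain: str


@dataclass
class Finding:
    user: str
    group: str
    domain: str
    seen_by_user: bool     # user model: did this user visit the domain in the baseline?
    peer_fraction: float   # peer model: share of peers (excluding the user) who did
    verdict: str           # "normal" or "anomaly"


class PeerBaseline:
    """Per group: its members, and which of them visited each domain in the baseline window."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = defaultdict(set)
        self.visitors: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def learn(self, v: Visit) -> None:
        self.members[v.group].add(v.user)
        self.visitors[v.group][v.domain].add(v.user)

    def score(self, v: Visit, min_fraction: float = 0.25) -> Finding:
        who = self.visitors[v.group].get(v.domain, set())
        peers = self.members[v.group] - {v.user}
        fraction = len(who - {v.user}) / len(peers) if peers else 0.0
        seen = v.user in who
        # a domain is expected if the user already used it or enough of the peers do
        verdict = "normal" if seen or fraction >= min_fraction else "anomaly"
        return Finding(v.user, v.group, v.domain, seen, fraction, verdict)


def parse_line(line: str) -> Visit:
    """Constructed proxy-log shape: '<timestamp> user=<u> group=<g> url=<url>'."""
    f = dict(kv.split("=", 1) for kv in line.split()[1:])
    return Visit(f["user"], f["group"], urlsplit(f["url"]).hostname or "")


# Constructed baseline week: finance uses the ERP, mail and (carol only) a bank portal;
# engineering uses git and docs.
BASELINE_LOG = """\
2018-01-08T09:00:00Z user=alice group=finance url=https://erp.example.com/login
2018-01-08T09:05:00Z user=alice group=finance url=https://mail.example.com/inbox
2018-01-08T09:10:00Z user=bob group=finance url=https://erp.example.com/reports
2018-01-08T09:12:00Z user=bob group=finance url=https://mail.example.com/inbox
2018-01-08T09:20:00Z user=carol group=finance url=https://erp.example.com/login
2018-01-08T09:25:00Z user=carol group=finance url=https://mail.example.com/inbox
2018-01-08T09:30:00Z user=carol group=finance url=https://bank.example.net/portal
2018-01-08T10:00:00Z user=dave group=engineering url=https://git.example.com/repo
2018-01-08T10:05:00Z user=dave group=engineering url=https://docs.example.com/api
2018-01-08T10:10:00Z user=erin group=engineering url=https://git.example.com/repo
2018-01-08T10:15:00Z user=erin group=engineering url=https://mail.example.com/inbox
""".splitlines()

# Constructed visits to score a week later.
NEW_LOG = """\
2018-01-15T11:00:00Z user=alice group=finance url=https://erp.example.com/login
2018-01-15T11:01:00Z user=alice group=finance url=https://bank.example.net/portal
2018-01-15T11:02:00Z user=alice group=finance url=http://free-downloads.example.org/tool
2018-01-15T11:03:00Z user=bob group=finance url=https://git.example.com/repo
2018-01-15T11:04:00Z user=dave group=engineering url=https://git.example.com/repo
""".splitlines()


def detect(baseline: List[str] = BASELINE_LOG, new: List[str] = NEW_LOG,
           min_fraction: float = 0.25) -> List[Finding]:
    model = PeerBaseline()
    for line in baseline:
        model.learn(parse_line(line))
    return [model.score(parse_line(line), min_fraction) for line in new]


if __name__ == "__main__":
    for f in detect():
        print(f"{f.verdict:<8} {f.user:<6} {f.group:<12} {f.domain:<28} peers={f.peer_fraction:.2f}")
```

Running it flags two of the five new visits: alice going to a domain nobody in finance has ever visited, and bob going to the git server. The second finding is the point of a peer model: git.example.com is perfectly normal for dave in engineering, so the same visit is scored differently depending on the peer group, and a global allow-list would not have caught it. The bank portal that only one finance peer had used is accepted because it clears the 25% threshold; tune that threshold to the size of the groups, since with very small groups a single peer's habit is already a large fraction.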

Further analysis shows that the attacker created multiple users in a short period of time, so the security officer can identify what is going on and what kind of attacks have been carried out on which systems.

Conclusions

The above is just an example of the broad capabilities Oracle SMA has. I haven't seen any other product yet with these powerful capabilities, and even better, it can be positioned enterprise-wide, not only for Oracle systems.

I used the OMC demo site and collateral, plus some hands-on labs at Oracle OpenWorld, which really amazed me with this powerful solution!

Since I have been working with WebLogic for 18 years now, every year a new road-map appears about the new and upcoming features of Oracle WebLogic, presented during Oracle OpenWorld. While everybody is by now back to business as usual, I'd like to give an overview of the already existing and upcoming features discussed last year in San Francisco.

Everything is "Serverless", "No SQL", "Low Code", "SOA is dead", "Micro-everything and death to the Monolith!"

Of course these terms do not fully represent what they appear to at first sight, but still, when you're from the "old school" server/sysadmin world I can understand it is sometimes dazzling and hard to put them all together. But when you look deeper, you will discover the relationships between these terms and, more specifically, what they mean.

WebLogic Server "Current" and "Next"

Nowadays, we don't only speak of WebLogic Server anymore but also about the Java Cloud Service, which is WebLogic as PaaS. In this post I will give my view of the new and coming features.

WebLogic Server will still exist as the key Java application server from Oracle; however, it will be the "next generation" application server where old and new concepts go hand in hand. Especially the move to the cloud, which has already been happening for a few years, will be more and more emphasized by Oracle. However, whether speaking of WebLogic Server or Java Cloud Service, the features are pretty much the same, so when I speak of WebLogic Server it also means Java Cloud Service.

Current WebLogic Server versions

Generally speaking, the currently most important and most used versions are:

  • 10.3.6 (11gR1 including all patch levels), which came out in 2009
  • 12.1.3 (12cR1 including all patch levels), which came out in 2011
  • 12.2 (12cR2 including all patch levels), which came out in 2015

12.2 made an important step towards continuous availability and multitenancy:

  • Multi-datacenter availability with Oracle Traffic Director and Coherence, and automated failover with SiteGuard
  • Cross-domain transaction recovery
  • Federated caching with Coherence across multiple datacenters
  • Zero downtime deployments with automated rollout and rollback on error
  • Auto scaling features:
    • Automated elasticity for clusters with managed server life cycle
    • Rules-based decisions based on capacity, demand or schedule
    • WLDF Watches and Notifications changed to Policies and Actions

And under the hood, more and improved features regarding JDBC, REST, JMS and deployment.

WebLogic and Java EE8 Certification

Java EE 8 came out in late 2017 and will be supported within WebLogic this year, 2018. Where in Java EE 7 the focus was on productivity, in EE 8 the focus is more on simplicity. Some of the most important changes:

  • Servlet 4.0: Servlet is one of the most used APIs, now with support for the newest HTTP/2 protocol for better web performance
  • JAX-RS 2.1 for RESTful web services
  • Further "lightweight" web improvements
  • Still full Java EE transactional support (JMS, JDBC, RMI)
  • Better integration with microservices technology

What does this mean for WebLogic? The current latest version is still on Java EE 7 and JDK 8. The next major version is planned to come out in late 2018; my expectation is that it will be around September. In line with some products that already exist as 13c, I expect it will be the same for WebLogic, but more important is that it will fully support Java EE 8 and JDK 9.

WebLogic Patchsets

There were several patch sets released in 2017, which are:

  • PS1 – bug fixes and feature completion of Continuous Availability best practices
  • PS2 – bug fixes and feature completion of Docker image updates and App2Cloud migration tooling
  • PS3 – bug fixes and feature completion of Secured Production Mode and Zero Downtime Patching improvements

WebLogic Multitenancy

Although containerized platforms such as Docker support WebLogic, the strategy for WebLogic itself will also shift more towards containers instead of a platform.

WebLogic/JCS, Docker and Kubernetes

WebLogic is already certified with Docker, and sample Dockerfiles are available on GitHub. It supports multiple topologies and can be used both on premises and in the cloud.

Kubernetes orchestration is on the way to be certified.

Supported versions for Docker are WebLogic 12c R1 and 12c R2 with Docker 1.9, running on Linux 6 or 7.

Supported topologies:

  • Non-clustered domain in Docker on a single host
  • Clustered domain in Docker on a single host
  • Clustered domain in Docker on multiple hosts

An announcement was made regarding orchestration for Docker: the Kubernetes platform will be supported sometime during 2018. Samples are already available. Support includes the tools which come with Kubernetes, plus Prometheus and Grafana for graphical monitoring dashboards. The WebLogic team has developed a tool to export WLDF watches, smart rules and policies so that these metrics can be picked up by Prometheus and represented in a Grafana dashboard. Auto scaling with WLS dynamic clustering will also be supported.

Coherence "Next"

Coherence, which became an integrated part of WebLogic also got some new and improved features, such as:

  • Docker support
  • Coherence RX, an add-on open source API for Coherence
  • Dynamic Active Persistence Quorum Policy, a built-in policy to ensure an adequate number of cluster storage members is available for recovery
  • Federated Cache improvements to support multi-datacenter topologies
  • Improved proxy metrics
  • Zero Downtime Patching, following WLS
  • Incremental snapshots
  • HotCache multi-threading, JMX monitoring and multitenancy support
  • Coherence *JS, JavaScript support
  • And Coherence is available in the Oracle Cloud, where it can be chosen as an extra container in the Java Cloud Service.

Conclusion

Is it because I am getting older? But the world of IT seems to go faster and faster, which makes it more and more interesting to explore new technologies and methods. I sometimes consider writing a new book, but because of the speed and frequency of innovations, what's HOT today is NOT tomorrow. Still, I think this overview doesn't include all the new and improved features, but it gives you an idea about the direction we are going.

Have an interesting and very good 2018!!