Welcome to this demo on Oracle Cloud Guard. Oracle Cloud Guard is an OCI service that helps customers monitor, identify, achieve, and maintain a strong security posture on Oracle Cloud. It falls under the category of services known as cloud security posture management. Let's look at how CloudGuard works. Before we get into the details, I would like to point you to the documentation site, where there's a nice Getting Started page. The reason I want to point here is that I want to call out a couple of things. As we saw in the theory lesson, the three key concepts you need to grasp for working with CloudGuard are targets, detectors, and responders. A target defines the scope of what CloudGuard checks; in the case of OCI, you make a compartment a target, and we'll talk a little more about that. A detector performs checks to identify potential security problems, and there are two kinds of problems it checks for: the first is activities and the second is configurations, and we'll look into both of them. A responder specifies the action CloudGuard can take when detectors identify problems. Some of the actions can be manual, and some can be automated as well; you'll hear the term automatic remediation, which is enabled by CloudGuard. Keep these three terms in perspective: target, detector, and responder. One thing I want to point out here is that the documentation talks about the considerations you should have when you create a target, and so forth. The one thing I want to point out is this: keep in mind that all of the compartments under the target compartment inherit the target's configuration. What that means is that if you put a configuration on a particular target, the detector and responder rules apply to the top-level compartment and to any of the subordinate compartments below it in the compartment hierarchy. All of them inherit the same detector and responder rules, and you cannot change that.
If you want to exclude some compartments from this one-size-fits-all monitoring, you create targets below the root level and do not include the root compartment in any target; that way you can change it. Another thing: Oracle provides Oracle-managed recipes, and you cannot modify them. But there is something called user-managed recipes, which can be created by cloning an Oracle-managed recipe, and you can modify those, so you can have some kind of customization. With that in mind, let's look at how CloudGuard works. To access CloudGuard, we are on the home page. Click the "Service Navigation Menu" on the left-hand side, click "Identity and Security", and then click "CloudGuard" here. Once this comes up, let me quickly show you what the service looks like. This is the landing page for the service. As you can see, we need to specify a target; right now we have not specified any target. Before I do that, let me give a quick tour of what the product does. This is the guided tour. The first thing you get is a security score. It measures the number of resources examined, and as you can see, the score goes from 0-100; anything above 80 is considered an excellent score. I have a score of 98 because I haven't enabled CloudGuard right now in this particular compartment I'm looking at. If I look at the risk score, it ties to my security score; it says a lower score is better and gives me a number here. Then if I look at security recommendations, this is where I would get recommendations if I had something to act on. Down below, it starts getting into more detail. There are user activity problems: if there is a suspicious IP from which a user is logging in, it will be shown here. For example, critical issues are the most serious, and it shows them there. Then there are the problems identified by compartment, region, and so on.
These are user activity problems, then there is responder status, and that's pretty much it, apart from a few more widgets. With that, let's get started. The first thing I need to do, as you can see here, is to deal with the fact that there is no target available, so I'll create a new target. We have been using Sandbox compartments, so we'll call it Sandbox, and then we'll pick that Sandbox compartment. Like I said, I want resources in only this compartment to be monitored by CloudGuard; I don't want to do the root. As you can see, I have lots of compartments in my account. I don't want to go through all the other compartments, because some of them might have public buckets, for example, and I don't want to flag that as a security issue. But in this one, Sandbox, I definitely want to flag those kinds of issues. As you can see, it says Sandbox and includes all child compartments in that. Then I will use the Oracle-provided, Oracle-managed recipes here. There are two kinds of detector recipes, Configuration Detector Recipe and Activity Detector Recipe. I'll pick both as Oracle-managed, and for the responder recipe I will also pick Oracle-managed. That is all I need to configure. Just going back to the basics: this is the target, the Sandbox compartment. These are my detector recipes, which flag potential security issues based either on configuration issues or on user activities. Then the responder recipe specifies what kind of response I can provide when a problem happens. Again, I'm using all Oracle-managed recipes. With that, I've given the basic information on how to set up CloudGuard. Now, if I go back to my home page, I can see that it still shows no problems. We'll change that in just a minute. But before I do that, let me quickly show you some of the detector recipes. If I click on detector recipes, I see a couple of user-managed ones I created; that's why these are called clones.
I'll show you how that works, but let me first click on the configuration detector recipe. These are problems related to configuration. Look at the list here: it can bring up something which is critical, such as the rule about traffic on a restricted port, which is a critical configuration, and bucket should not be public, which is a critical issue, so it's flagged there. Right here, I have limited ability to edit these. I cannot disable a bunch of these rules, for example. But when I clone them into my own user-managed recipes, I have more freedom and can change a few things. Similarly, let me quickly show the activity detector recipes. Again, I'll flag the critical ones, things like suspicious IP activity. If there's IP activity which is flagged as suspicious, say coming from a country which is on a block list, I can flag that as part of CloudGuard. Finally, if I go back to my responder recipes, you can see what kind of responder rules are available. For example, if a bucket is public, I can make that bucket private. Again, I have limited ability to change these; I cannot disable them, for example. One thing which also happens when you start with CloudGuard is that CloudGuard requires a bunch of policies. In my account, these policies were created beforehand. You can see a bunch of these policies here. In fact, all the policies are read statements. What that means is they allow the CloudGuard service to act on my behalf, in my account, and read things: read the vault, read the keys, read the buckets, the networks, and all that, because that is how it knows whether there's a configuration issue or an activity issue it needs to flag. If we go back to CloudGuard, in my particular compartment it still gives me an excellent score. There's no issue; everything looks good; it says no problems. Let's trigger a problem. I go to Storage, and let's create a public bucket.
As you saw, my Sandbox compartment is being monitored by CloudGuard, so it will flag this as a critical issue. I'll create this bucket and call it CloudGuard. All the other defaults are fine, and I'll click "Create". When you first create a bucket, its visibility is private, so let me make it public. As you can see here, I've just changed that to public. Now, if I go back to CloudGuard, which is constantly monitoring my compartment and all the resources in it, it will be able to capture this and flag it as a problem. You will see it surface here, and once it does, we will go back and fix it, that is, remediate it. Let me pause the video for a few minutes, because typically it takes anywhere from 10-15 minutes to scan all the resources in a compartment; sometimes it takes even less than that. We'll come back and proceed with the remaining part of the demo. That took a few minutes. We had no problems earlier; now it looks like we have three problems, two of which are critical and one of which is minor. Of the two critical problems, I'll talk about the suspicious IP activity in a moment, but let me first point you to the bucket-is-public problem. If I go back to the overview page, I can bring it up from there as well: if I filter by resource type, I can see that the bucket being public is a critical problem. Let me click on that and then we'll try to remediate it. It says the level is critical and that it's a configuration detection, because the bucket should be private and it's public. Right from here I can remediate this problem, or I could dismiss it. If I click "Remediate", it's saying that I have to make the bucket private.
To do that, this kind of policy needs to be added, because remember, in the previous video I showed you that all the policies which are enabled for CloudGuard only allow it to read resources. But this one says manage buckets. This policy we need to add. Let's click "Add Statement" here, and then click "Remediate". What this will do is take the particular bucket which we had made public and make it private. While that is happening, let me go and point to the other problem we were looking at. You can see here that the problem seems to have gone away. Let me go back to Storage, go to my buckets, and go to the Sandbox compartment. As you can see, this bucket is now private, it's no longer public, and this operation was not done by me; it was done by CloudGuard. That's a quick demo of how CloudGuard works. Before I complete this demo, let me quickly talk about the other critical issue we saw. The other critical issue, let me just bring it up, is around a particular user. If I click here, it gives me more detail. It says it's suspicious IP activity. Again, I can remediate this or dismiss it. If I click on this link here, it gives me more details. It says that this is me logging in through the console, and that it's suspicious IP activity. You can see here the IP activity which is getting flagged; this is the IP of my local machine. The reason this problem is happening is that, if I go back to my detector recipes and pick the activity detector, because remember this is where suspicious IP activity would be enabled, and I click here, this is a custom value I provided when I was playing with this demo. To simulate this problem, I created a blacklist of IP addresses and put the IP of my local machine in it. What that means is that when I log in from this IP, which is what I'm doing right now through the console, it also gets flagged as a suspicious IP.
In practice you would not put your own IP. You would put the addresses you want to block; those would show up here as IPs which are not known to, let's say, your corporate environment. You could put them there and then disable users who log in from those particular IP addresses. In this case, I don't want to do that because I'm just simulating the problem. Let me come here and dismiss this instead of remediating it. In the case of remediation, what it would mean is that I would be disabled as an IAM user, and I don't want that because I'm running all my demos as this particular user. I will mark this as resolved: I click "Mark as Resolved", and then this should go away, even though I know that was just a simulation. Now you can see that there are no critical issues. Hopefully this was a quick demo of how CloudGuard works. It has lots of features; we just covered the basics of how the service works and showed a quick demo of a couple of ways in which the service detects these problems and how you can respond to and remediate those issues. I hope you found this demo useful.
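To make the target/detector/responder flow from this demo concrete, here is an added toy model; it is not the OCI SDK or any Cloud Guard code, and the compartment tree, bucket names, policy strings and IP addresses are constructed. It shows the scoping rule (a target on Sandbox covers its child compartments but not sibling compartments), the public-bucket configuration detector, the blacklist-driven suspicious-IP activity detector, and a make-bucket-private responder that refuses to act until the extra manage-buckets statement is present, plus the dismiss path used for the simulated login problem.

```python
from dataclasses import dataclass
# Constructed compartment tree: child -> parent; None marks the tenancy root.
PARENT = {"root": None, "sandbox": "root", "sandbox-dev": "sandbox", "prod": "root"}

def in_scope(compartment, targets):
    """A target covers its own compartment and every descendant (the inheritance rule)."""
    node = compartment
    while node is not None:
        if node in targets:
            return True
        node = PARENT[node]
    return False

@dataclass
class Bucket:
    name: str
    compartment: str
    public: bool

@dataclass
class Problem:
    kind: str        # "configuration" or "activity"
    risk: str        # CRITICAL for both detector rules shown in the demo
    resource: str
    status: str = "OPEN"

def configuration_detector(buckets, targets):
    """Flag public buckets, but only those inside a target's compartment subtree."""
    return [Problem("configuration", "CRITICAL", b.name)
            for b in buckets if b.public and in_scope(b.compartment, targets)]

def activity_detector(logins, blacklist):
    """Flag console logins whose source IP is on the user-supplied blacklist."""
    return [Problem("activity", "CRITICAL", f"{user}@{ip}")
            for user, ip in logins if ip in blacklist]

def make_bucket_private(problem, buckets, policies):
    """Responder rule: blocked until a 'manage buckets' statement exists, then fixes the bucket."""
    if "manage buckets" not in policies:
        return "BLOCKED: add a manage buckets policy statement"
    for b in buckets:
        if b.name == problem.resource:
            b.public = False
    problem.status = "RESOLVED"
    return problem.status

def dismiss(problem):
    """Manual path chosen in the demo for the simulated suspicious-IP problem."""
    problem.status = "DISMISSED"
    return problem.status
```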