Using Behavior to Protect Cloud Servers
HELLO! I am Anirban Banerjee.
I am the Founder and CEO of Onion ID. [email protected]
https://calendly.com/anirban/enterprise-demo/
THE STATUS QUO
CHALLENGES AND THREATS
BEHAVIOR BASED SECURITY
THE STATUS QUO
CLOUD INFRASTRUCTURE TODAY
AWS - IaaS
Heroku/GC
Docker
Azure
WHO IS ACCESSING
Devops
IT
Developers
Shadow IT
Bloggers
Marketing
Automated Software
Deploy and Build software
Vendors and 3rd parties
THE STATUS QUO
Usernames/passwords
SSH Keys
▹ Helps login automatically
IP filters
▹ Only talk to certain computers
VPNs
▹ Some Security
▹ Encrypted traffic
DIRECTORY SERVICES
Various Directory Services
- Ties very basic Identity
- IAM solutions, first step
- IAM for infrastructure, way behind
CHALLENGES AND THREATS
CHALLENGES
▸ Multiple dev teams
▹ Geographically distributed
▹ Shadow IT
▸ High Velocity Changes – IaaS/PaaS via APIs
▹ AWS, Rackspace, Docker
▹ All types of web apps
▸ Employee churn
▸ Compliance and Audits
▸ Attack surface has changed
▸ Horizontal attacker movement
▸ Vertical privilege escalation
THE THREAT LANDSCAPE
Horizontal and Vertical Attacker Movement
GOING FORWARD
ACTIVE AUTHENTICATION CAN HELP
▸ Concept of least privilege
▸ Risk score everything
▸ Every command is analyzed
▸ Learn, Match, Act, Update
WHAT TO LOOK FOR AND WHAT TO DO
COMMANDS BEING RUN
A user who usually never runs visudo or touches /etc/shadow suddenly doing so – high risk
CONNECTION STATISTICS
Where are you connecting from, time of day, # of connections
EVERY COMMAND IS ANALYZED
Risk score every command: White, Grey, Black
TAKE ACTION
Invisible 2FA for Grey, Physical 2FA for Black
TOOLS
Apache Spark, Pykit Sci, SSH proxies
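The tiering on these slides (White, Grey, Black; invisible 2FA for Grey, physical 2FA for Black) combined with the connection-statistics checks, as an added Python example that is not part of the deck and not Onion ID's code. The command patterns, the known network, the working hours and the session limit are constructed assumptions standing in for a real policy and for the user's learned history.

```python
"""Rule-based risk tiering of SSH commands plus connection context, with the
step-up action the slides describe. Added example, not Onion ID's code; every
pattern list and limit below is a constructed assumption standing in for policy."""
import ipaddress
import re
from datetime import datetime

# Tiers are integers so max() picks the riskier of two independent verdicts.
WHITE, GREY, BLACK = 0, 1, 2
TIER_NAME = {WHITE: "white", GREY: "grey", BLACK: "black"}
ACTION = {WHITE: "allow", GREY: "invisible_2fa", BLACK: "physical_2fa"}

# Constructed command patterns (a real deployment would load these from policy
# and from each user's learned history, e.g. "this user never runs visudo").
BLACK_PATTERNS = [r"\bvisudo\b", r"/etc/shadow\b", r"/etc/sudoers\b", r"\bpasswd\s+root\b"]
GREY_PATTERNS = [r"\bsudo\b", r"\bchmod\b", r"\bchown\b", r"\buseradd\b", r"\biptables\b"]

# Constructed per-user connection profile: where and when this user normally works.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 documentation range
WORK_HOURS = range(8, 19)      # 08:00-18:59 local time
MAX_OPEN_SESSIONS = 3


def command_tier(cmd: str) -> int:
    """Static verdict on one command line: black beats grey beats white."""
    if any(re.search(p, cmd) for p in BLACK_PATTERNS):
        return BLACK
    if any(re.search(p, cmd) for p in GREY_PATTERNS):
        return GREY
    return WHITE


def connection_tier(src_ip: str, when: datetime, open_sessions: int) -> int:
    """Verdict from connection statistics: one oddity is grey, two or more black."""
    ip = ipaddress.ip_address(src_ip)
    oddities = 0
    if not any(ip in net for net in KNOWN_NETWORKS):
        oddities += 1                          # unfamiliar source network
    if when.hour not in WORK_HOURS:
        oddities += 1                          # outside the user's usual hours
    if open_sessions > MAX_OPEN_SESSIONS:
        oddities += 1                          # unusually many concurrent sessions
    return min(oddities, BLACK)


def decide(cmd: str, src_ip: str, when_iso: str, open_sessions: int) -> tuple:
    """Combine both verdicts (the riskier one wins) and map the tier to an action.
    `when_iso` is an ISO-8601 timestamp; returns (tier name, action)."""
    when = datetime.fromisoformat(when_iso)
    tier = max(command_tier(cmd), connection_tier(src_ip, when, open_sessions))
    return TIER_NAME[tier], ACTION[tier]


if __name__ == "__main__":
    # Constructed sample events: (command, source IP, timestamp, open sessions)
    events = [
        ("ls -la /var/log", "203.0.113.10", "2016-05-03T10:15:00", 1),
        ("sudo systemctl restart nginx", "203.0.113.10", "2016-05-03T10:16:00", 1),
        ("visudo", "203.0.113.10", "2016-05-03T10:17:00", 1),
        ("ls", "198.51.100.7", "2016-05-03T03:02:00", 1),
    ]
    for cmd, ip, when, n in events:
        tier, action = decide(cmd, ip, when, n)
        print(f"{when[11:16]} {ip:<14} {cmd!r:<32} -> {tier:<5} {action}")
```

The two verdicts are kept separate on purpose: a harmless `ls` from an unknown network at 03:00 still ends up Black, because the connection statistics alone carry two oddities, while a Grey command from the usual place and time only triggers the invisible second factor.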
COMPLIANCE
▸ PCI DSS, HIPAA, FedRamp, FFIEC, SOX, SOC I, II
▸ Legal consequences
▸ Provide proof of controls
▸ Keep the board informed
▸ Use tools for reporting, automate
BEHAVIOR
▸ What is Behavior
▸ What to look for
▸ Analyzing behavior
▸ Making it actionable
▸ Continuous improvement
▸ OSS tools and plumbing
WHAT IS BEHAVIOR
▸ Markers for your Identity
▸ What commands are used
▸ What style is used
▸ When do you use what
WHAT TO LOOK FOR
▸ Command history
▸ Command Style
▸ Mistakes and mistypes
▸ Time of day, IP, Geo-location
▸ Type of Resource
WHAT TO LOOK FOR
▸ Frequency analysis
▸ Type of commands
▹ Network
▹ Stats
▸ Identify patterns
▹ Per Server, per user - profile
▹ Profiles need to change
ANALYZING BEHAVIOR
▸ Create Feature sets
▸ Feed Feature set to classifier
▸ Obtain Score
▸ Take Action
- What they run
- How they code
- Where from
- When
Source: http://www.cinemablend.com/images/news_img/71655/Bad_Grandpa_71655.jpg
ANALYZING BEHAVIOR
▸ Supervised
▹ Classification (Bayes, SVM..)
▹ Regression
▸ Unsupervised
▹ Clustering (expectation maximization, k-means..)
▹ Decomposition (PCA)
▸ Gotchas
▹ More data is always better – no
▹ Bias, noise, beware of feature greed
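The four steps of the "Analyzing behavior" slides (create a feature set, feed it to a classifier, obtain a score, take action), together with the frequency analysis and per-user profile from the "What to look for" slides and the "Learn, Match, Act, Update" loop, as an added Python example that is not part of the deck and not Onion ID's code. A hand-weighted score stands in for a trained classifier so the example runs without scikit-learn; the training history, feature weights and thresholds are all constructed.

```python
"""Learn, Match, Act, Update: a per-user behaviour profile built from command
history and connection metadata, scored on each new session. Added example,
not Onion ID's code; the feature set, weights and thresholds are constructed."""
import shlex
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Session:
    hour: int        # local hour (0-23) the session was opened
    src_ip: str      # source address of the connection
    commands: list   # command lines typed, in order


@dataclass
class Profile:
    commands: Counter = field(default_factory=Counter)  # base command -> times seen
    hours: Counter = field(default_factory=Counter)     # hour of day -> sessions seen
    ips: set = field(default_factory=set)               # source addresses seen

    def learn(self, s: "Session") -> None:
        """Fold one trusted session into the profile ('profiles need to change')."""
        self.commands.update(base_command(c) for c in s.commands)
        self.hours[s.hour] += 1
        self.ips.add(s.src_ip)


def base_command(cmd: str) -> str:
    """'docker ps -a' -> 'docker'; 'sudo visudo' -> 'sudo visudo'. Style details
    (flags, typos) are deliberately dropped to keep the feature set small."""
    try:
        toks = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        toks = cmd.split()
    if not toks:
        return ""
    if toks[0] == "sudo" and len(toks) > 1:
        return "sudo " + toks[1]
    return toks[0]


def features(p: Profile, s: Session) -> dict:
    """Feature set for one session, each feature scaled 0 (normal) .. 1 (odd)."""
    bases = [base_command(c) for c in s.commands] or [""]
    novelty = sum(1 for b in bases if b not in p.commands) / len(bases)
    rarity = sum(1.0 / (p.commands[b] + 1) for b in bases) / len(bases)
    if p.hours:
        # circular distance, in hours, to the nearest hour this user has worked
        dist = min(min(abs(s.hour - h), 24 - abs(s.hour - h)) for h in p.hours)
    else:
        dist = 12               # empty profile: treat any hour as unknown
    return {
        "novelty": novelty,            # share of commands never seen from this user
        "rarity": rarity,              # frequency-based: common commands score near 0
        "hour_oddness": dist / 12,     # 0 at a usual hour, 1 twelve hours away
        "new_ip": 0.0 if s.src_ip in p.ips else 1.0,
    }


# Constructed weights and thresholds; tune them on your own history to balance FPs.
WEIGHTS = {"novelty": 0.35, "rarity": 0.25, "hour_oddness": 0.20, "new_ip": 0.20}
ALLOW_BELOW, BLOCK_FROM = 0.25, 0.60


def score(f: dict) -> float:
    return sum(WEIGHTS[k] * f[k] for k in WEIGHTS)


def act(p: Profile, s: Session) -> tuple:
    """Match the session against the profile, pick an action, and update the
    profile only from sessions allowed outright, so an intruder's sessions
    never teach the model that their behaviour is normal."""
    f = features(p, s)
    sc = score(f)
    if sc < ALLOW_BELOW:
        action = "allow"
        p.learn(s)
    elif sc < BLOCK_FROM:
        action = "step_up_2fa"
    else:
        action = "block"
    return action, round(sc, 3), f


# Constructed history for one user, plus three constructed new sessions to score.
TRAINING = [
    Session(9, "203.0.113.10", ["cd /srv/app", "git pull", "docker ps", "tail -n 50 /var/log/app.log"]),
    Session(10, "203.0.113.10", ["cd /srv/app", "git status", "docker logs app", "ls -la"]),
    Session(14, "203.0.113.10", ["docker ps", "systemctl status app", "tail -n 50 /var/log/app.log"]),
    Session(15, "203.0.113.10", ["cd /srv/app", "git pull", "docker restart app", "docker ps"]),
]
NORMAL = Session(11, "203.0.113.10", ["cd /srv/app", "git pull", "docker ps"])
DRIFT = Session(11, "203.0.113.10", ["cd /srv/app", "git pull", "kubectl get pods"])
ODD = Session(3, "198.51.100.7", ["whoami", "cat /etc/passwd", "visudo"])


def build_profile(history: list) -> Profile:
    p = Profile()
    for s in history:
        p.learn(s)
    return p


if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("drift", DRIFT), ("odd", ODD)):
        action, sc, f = act(build_profile(TRAINING), s)
        print(f"{name:<7} score={sc:.3f} action={action:<12} {f}")
```

The "drift" session (one new tool from the usual place and time) lands in the step-up band rather than being blocked, and it is only folded into the profile once the user clears the extra factor, which is one concrete reading of the "more data is always better – no" gotcha: data from sessions you could not vouch for should not shape the profile.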
MAKING IT ACTIONABLE
▸ Block access, Kill Sessions
▸ Send alerts with actions
▸ Dealing with FPs is easier
▸ Distribute manual auth.
▸ Dynamic ACL modification
CONTINUOUS IMPROVEMENT
Your system needs to keep “learning”
Think about rule based approach, don’t obsess
Follow good login hygiene
Audit shadow IT accounts
OSS Tools and Plumbing
▸ Scikit Py, Weka
▸ Apache Kafka
▸ Apache Spark
▸ Twilio
▸ Nodejs
▸ Try SVM, Ladtree, Stumps
OSS Tools and Plumbing
Register Servers
Dynamic DNS
Change Keys
Why Stop Here?
▸ Tadaaaaa! Browser Extension
▹ How are you using the web app
▹ # of actions per second
▹ Curvature of mouse movement
▹ Typing patterns
  - not typing speed
  - do you use tab
Customization
▸ No vendor lock in
▸ You decide actions
▸ You decide on FP mitigation
▸ Adaptive 2FA
▸ Low Friction – very important
Making the Case for C Level
▸ More Compliant, Less Risk
▸ Time Savings for IT, SecOps
▸ Better Control
▸ Protect Customer Data
▸ Don’t end up on Techcrunch
Thank you
▸ 1-888-315-4745
▸ Twitter - @onion_id
▸ Connect with us on FB or Linkedin
▸ We will be posting these slides
▸ Feedback is very welcome
https://calendly.com/anirban/enterprise-demo/
THANK YOU! Any questions?
You can find more about us at:
Onion ID – Privilege Management in 60 Seconds
www.onionid.com, [email protected]
Tel: +1-888 315 4745