Using Behavior to Protect Cloud Servers

Using Behavior to Protect

Cloud Servers

HELLO!I am Anirban Banerjee.

I am the Founder and

CEO of Onion ID. anirban@onionid.com

https://calendly.com/anirban/enterprise-demo/

THE STATUS QUO

CHALLENGES AND THREATS

BEHAVIOR BASED SECURITY

THE STATUS QUO

INFRASTRUCTURE

AWS - IaaS

Heroku/GC

Docker

WHO IS

ACCESSING

Devops

Developers

Shadow IT

Bloggers

Marketing

Automated Software

Deploy and Build software

Vendors and 3rd parties

THE STATUS

Usernames/

passwords

SSH Keys

▹ Helps login automatically

IP filters

▹ Only talk to certain computers

▹ Some Security

▹ Encrypted traffic

DIRECTORY

SERVICES

Various Directory Services

- Ties very basic Identity

- IAM solutions, first step

- IAM for infrastructure, way behind

CHALLENGES

AND THREATS

CHALLENGES

▸ Multiple dev teams

▹ Geographically distributed

▹ Shadow IT

▸ High Velocity Changes – IaaS/PaaS via APIs▹ AWS, Rackspace, Docker

▹ All types of web apps

▸ Employee churn

▸ Compliance and Audits

▸ Attack surface has changed▸ Horizontal attacker movement

▸ Vertical privilege escalation

THE THREAT

LANDSCAPE

Horizontal and Vertical Attacker Movement

GOING FORWARD

ACTIVE

AUTHENTICATION

CAN HELP

▸ Concept of least privilege

▸ Risk score everything

▸ Every command is analyzed

▸ Learn, Match, Act, Update

WHAT TO LOOK

FOR AND WHAT

Usually never runs visudo /etc/shadow – high risk

COMMANDS BEING RUN

Where are you connecting from, time, # of connections

CONNECTION STATISTICS

Risk score every command: White, Grey, Black

EVERY COMMAND IS ANALYZED

Invisible 2FA for Grey, Physical 2FA for BlackTAKE ACTION

Apache Spark, Pykit Sci, SSH proxiesTOOLS

COMPLIANCE

▸PCI DSS, HIPAA, FedRamp, FFIEC, SOX,

SOC I,II

▸Legal consequences

▸Provide proof of controls

▸Keep the board informed

▸Use tools for reporting, automate

BEHAVIOR

▸What is Behavior

▸What to look for

▸Analyzing behavior

▸Making it actionable

▸Continuous improvement

▸OSS tools and plumbing

WHAT IS

BEHAVIOR

▸Markers for your Identity

▸What commands are used

▸What style is used

▸When do you use what

WHAT TO

LOOK FOR

▸Command history

▸Command Style

▸Mistakes and mistypes

▸Time of day, IP, Geo-location

▸Type of Resource

WHAT TO

LOOK FOR

▸Frequency analysis ;

▸Type of commands▹Network

▹Stats

▸Identify patterns▹Per Server, per user - profile

▹Profiles need to change

ANALYZING

BEHAVIOR

▸Create Feature sets

▸Feed Feature set to classifier

▸Obtain Score

▸Take Action

- What they run

- How they code

- Where from

- When

Source: http://www.cinemablend.com/images/news_img/71655/Bad_Grandpa_71655.jpg

ANALYZING

BEHAVIOR

▸Supervised▹Classification (Bayes, SVM..)

▹Regression

▸Unsupervised▹Clustering (expectation maximization,

k-means..)

▹Decomposition (PCA)

▸Gotchas▹More data is always better – no

▹Bias, noise, beware of feature greed

MAKING IT

ACTIONABLE

▸Block access, Kill Sessions

▸Send alerts with actions

▸Dealing with FPs is easier

▸Distribute manual auth.

▸Dynamic ACL modification

CONTINUOUS

IMPROVEMENT

Your system needs to keep “learning”

Think about rule based approach, don’t obsess

Follow good login hygiene

Audit shadow IT accounts

OSS Tools

and Plumbing

▸Scikit Py,Weka

▸Apache Kafka

▸Apache Spark

▸Twilio

▸Nodejs

▸Try SVM, Ladtree, Stumps

OSS Tools

and Plumbing

Register Servers

Dynamic DNS

Change Keys

Why Stop

▸Tadaaaaa! Browser

Extension▹How are you using the web app

▹# of actions per second

▹Curvature of mouse movement

▹Typing patterns

▹- not typing speed

▹- do you use tab

Customization

▸No vendor lock in

▸You decide actions

▸You decide on FP mitigation

▸Adaptive 2FA

▸Low Friction – very important

Making the

Case for C

▸More Compliant, Less Risk

▸Time Savings for IT, SecOps

▸Better Control

▸Protect Customer Data

▸Don’t end up on Techcrunch

Thank you

▸Anirban@onionid.com

▸1-888-315-4745

▸Twitter - @onion_id

▸Connect with us on FB or Linkedin

▸We will be posting these slides

▸Feedback is very welcome

https://calendly.com/anirban/enterprise-demo/

THANK YOU!Any questions?

You can find more about us at:

Onion ID – Privilege Management in 60 Seconds

www.onionid.com , anirban@onionid.com

Tel: +1-888 315 4745

Using Behavior to Protect Cloud Servers

Documents

Servers and Processes: Behavior and Analysis

Trend Micro PROTECT YOUR ORGANIZATION FROM THE … · ransomware to your endpoints, including: • Behavior Monitoring: for suspicious behavior associated with ransomware, such as

Unit 2 Political Behavior: Government by the Peoplemsd.marlboro.k12.sc.us/UserFiles/Servers/Server_2725118/File/Tar H… · Unit 2 Political Behavior: Government by the People Chapter

HP Red Hat Enterprise Linux Securitywhp-hou9.cold.extweb.hp.com/.../servers/linux/LinuxSecurity_SELinux… · SELinux can also protect items such as system calls, sockets, network

Activities Handbookfhsdfhhs.sharpschool.net/UserFiles/Servers/Server... · concept of sportsmanship as follows: "The ideals of good sportsmanship, ethical behavior, and integrity

Citrix Cisco DC Tech Days ACI · PCRF, OCS, SPR, AAA, DNS and SIP servers protect against Scale performance of web servers, in-line proxies and data bases Balance load across data

Networking:! UDP&!DNS! · 2018-06-27 · Root DNS Servers com DNS servers org DNS servers edu DNS servers poly.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com

Protect Your Servers And Find out how. - Sweetssweets.construction.com/swts_content_files/41774/276978.pdf · Protect Your Servers And Data By Using ASM. ... major problems and shut

Corporate IT Buying Behavior and Customer Satisfaction Study x86-based Servers

Tough Kids: Practical Behavior Managementp1cdn4static.sharpschool.com/UserFiles/Servers/Server...Tough Kids: Practical Behavior Management “Sure I Will” A Pro-social Behavior for

we protect digital worlds · NOD32 for Linux Servers Installation Manual and User’s documentation we protect digital worlds

Rack and Cooling Brochure 200912113 953111 English · Organize and protect rackmount servers, storage and network/telecom equipment quickly and conveniently • Organize and protect

Corporate IT Buying Behavior & Customer …...Corporate IT Buying Behavior & Customer Satisfaction Study x86-based Servers Fourth Quarter 2014 T B R 2 ©4Q14 | TBR — x86-based Servers

Protecting Utility Mission Critical Systems From ... · PDF filehackers also attempted to delay the restoration by wiping SCADA servers after ... •Protect external ... •Keep investing

Protect Your Manufacturing Company by Adding Business ...€¦ · recovery. A true business continuity solution will protect data on-premises (in physical and virtual servers) and

Salem High School Emergency Management Plansalemnj.sharpschool.net/UserFiles/Servers/Server... · 1. Take immediate action to protect students, staff, faculty, and property 2. Notify

WordPress.com - 7 Security Measures to Protect your Servers | … · 2015-08-07 · your Servers Mar 5, 2015 Security, Firewall, Networking, VPN Introduction When setting up infrastructure,

HP Servers Vs. Dell Servers

Security of Soft Targets and Crowded Places Resource Guide · No Reservations: Suspicious Behavior in Hotels Video. Suspicious Behavior Advisory Posters. Protect, Screen, and Allow

IBM Spectrum Protect Suite Front End: Licensing Guide · 2016-12-15 · IBM Spectrum Protect for SAN 8.1 Maximizes storage network connections for IBM Spectr um Pr otect servers and