Using Behavior to Protect Cloud Servers

Upload: banerjeea

Post on 22-Jan-2018

TRANSCRIPT

Page 1: Using Behavior to Protect Cloud Servers

Using Behavior to Protect Cloud Servers

Page 2

HELLO! I am Anirban Banerjee.

I am the Founder and CEO of Onion ID.

[email protected]

https://calendly.com/anirban/enterprise-demo/

Page 3

THE STATUS QUO

CHALLENGES AND THREATS

BEHAVIOR BASED SECURITY

Page 4

THE STATUS QUO

Page 5

CLOUD INFRASTRUCTURE TODAY

AWS - IaaS

Heroku/GC

Docker

Azure

Page 6

WHO IS ACCESSING

Devops

IT

Developers

Shadow IT

Bloggers

Marketing

Automated Software

▹ Deploy and build software

Vendors and 3rd parties

Page 7

THE STATUS QUO

Usernames/passwords

SSH Keys

▹ Help log in automatically

IP filters

▹ Only talk to certain computers

VPNs

▹ Some security

▹ Encrypted traffic

Page 8

DIRECTORY SERVICES

Various Directory Services

- Tie only a very basic notion of identity to access

- IAM solutions are a first step

- IAM for infrastructure is way behind

Page 9

CHALLENGES AND THREATS

Page 10

CHALLENGES

▸ Multiple dev teams

▹ Geographically distributed

▹ Shadow IT

▸ High velocity changes – IaaS/PaaS via APIs

▹ AWS, Rackspace, Docker

▹ All types of web apps

▸ Employee churn

▸ Compliance and audits

▸ Attack surface has changed

▸ Horizontal attacker movement

▸ Vertical privilege escalation

Page 11

THE THREAT LANDSCAPE

Horizontal and Vertical Attacker Movement

Page 12

GOING FORWARD

Page 13

ACTIVE AUTHENTICATION CAN HELP

▸ Concept of least privilege

▸ Risk score everything

▸ Every command is analyzed

▸ Learn, Match, Act, Update

Page 14

WHAT TO LOOK FOR AND WHAT TO DO

COMMANDS BEING RUN: a user who usually never runs visudo or touches /etc/shadow suddenly doing so is high risk

CONNECTION STATISTICS: where are you connecting from, at what time, and how many connections

EVERY COMMAND IS ANALYZED: risk score every command as White, Grey or Black

TAKE ACTION: invisible 2FA for Grey, physical 2FA for Black

TOOLS: Apache Spark, scikit-learn (Python), SSH proxies
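The slide above describes a rule-based pipeline: tier each command as White, Grey or Black, fold in connection statistics (source network, time of day, number of sessions), and step up authentication accordingly. The following is an added example of that pipeline, not Onion ID's code or the presenter's. The regex tier lists, the sample profile for user "alice", the escalation rule (one notch up when the connection looks unusual) and the "kill-session" rule for Black plus two anomaly flags are all assumptions made here for illustration.

```python
"""Rule-based risk tiering of SSH commands plus connection statistics.

Added example; patterns, thresholds and the sample profile are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Tier patterns (illustrative, not a vendor's real lists). BLACK: commands
# that touch privilege or identity, or that look like attacker tradecraft.
BLACK_PATTERNS = [
    r"\bvisudo\b",
    r"/etc/(shadow|sudoers)\b",
    r"\b(useradd|usermod|passwd)\b",
    r"\bnc\b.*\s-e\s",                 # netcat with a command callback
    r"\bcurl\b.*\|\s*(ba)?sh\b",        # pipe-to-shell download
    r"\bhistory\s+-c\b",                # anti-forensics
]
# GREY: legitimate but sensitive, so worth a cheap extra check.
GREY_PATTERNS = [r"\bsudo\b", r"\bssh\b", r"\b(scp|rsync)\b", r"\biptables\b"]


@dataclass
class Connection:
    user: str
    src_ip: str
    when: datetime
    concurrent_sessions: int


@dataclass
class Profile:
    """What is normal for one user on one server (learned or configured)."""
    known_networks: list            # CIDRs the user usually connects from
    work_hours: tuple               # (start_hour, end_hour) in the user's timezone
    max_sessions: int               # usual ceiling on concurrent sessions
    seen_commands: set = field(default_factory=set)  # base commands run before


def base_command(cmd):
    tokens = cmd.split()
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    return tokens[0] if tokens else ""


def command_tier(cmd):
    """White / grey / black from the command text alone."""
    if any(re.search(p, cmd) for p in BLACK_PATTERNS):
        return "black"
    if any(re.search(p, cmd) for p in GREY_PATTERNS):
        return "grey"
    return "white"


def connection_flags(conn, profile):
    """Connection statistics that make an otherwise normal command suspicious."""
    flags = []
    src = ip_address(conn.src_ip)
    if not any(src in ip_network(n) for n in profile.known_networks):
        flags.append("new-source")
    start, end = profile.work_hours
    if not start <= conn.when.hour < end:
        flags.append("off-hours")
    if conn.concurrent_sessions > profile.max_sessions:
        flags.append("session-burst")
    return flags


ESCALATE = {"white": "grey", "grey": "black", "black": "black"}
ACTION = {"white": "allow", "grey": "invisible-2fa", "black": "physical-2fa"}


def decide(cmd, conn, profile):
    """Return (tier, flags, action) for one command in one session."""
    tier = command_tier(cmd)
    flags = connection_flags(conn, profile)
    if tier == "white" and base_command(cmd) not in profile.seen_commands:
        tier = "grey"                      # first time this user runs this command
    if flags:
        tier = ESCALATE[tier]              # unusual connection: one notch up
    action = ACTION[tier]
    if tier == "black" and len(flags) >= 2:
        action = "kill-session"            # too many signals to trust any 2FA prompt
    return tier, flags, action


# Constructed sample profile for one user on one server (assumption).
ALICE = Profile(known_networks=["10.0.0.0/8"], work_hours=(8, 19), max_sessions=2,
                seen_commands={"ls", "tail", "git", "docker", "df"})


def demo():
    office = Connection("alice", "10.1.2.3", datetime(2018, 1, 22, 10, 0), 1)
    stranger = Connection("alice", "203.0.113.7", datetime(2018, 1, 22, 3, 0), 1)
    return {
        "routine": decide("tail -f /var/log/app.log", office, ALICE),
        "novel": decide("kubectl get pods", office, ALICE),
        "privileged": decide("sudo visudo", office, ALICE),
        "lateral": decide("ssh db-01", stranger, ALICE),
    }


if __name__ == "__main__":
    for name, (tier, flags, action) in demo().items():
        print(f"{name:11s} -> tier={tier} flags={flags} action={action}")
```

The point of the two-stage decision is that a command's tier is only half the story: `ssh db-01` is Grey in the office during the day, but the same command from an unknown network at 03:00 is the horizontal movement the deck warns about, and it is cheaper to kill that session than to send a push prompt to someone who may no longer control the account. In a real deployment the regexes would be replaced or supplemented by the learned per-user profile from the later slides.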

Page 15

COMPLIANCE

▸ PCI DSS, HIPAA, FedRAMP, FFIEC, SOX, SOC 1 and SOC 2

▸ Legal consequences

▸ Provide proof of controls

▸ Keep the board informed

▸ Use tools for reporting; automate

Page 16

BEHAVIOR

▸ What is behavior

▸ What to look for

▸ Analyzing behavior

▸ Making it actionable

▸ Continuous improvement

▸ OSS tools and plumbing

Page 17

WHAT IS BEHAVIOR

▸ Markers for your identity

▸ What commands are used

▸ What style is used

▸ When do you use what

Page 18

WHAT TO LOOK FOR

▸ Command history

▸ Command style

▸ Mistakes and mistypes

▸ Time of day, IP, geo-location

▸ Type of resource

Page 19

WHAT TO LOOK FOR

▸ Frequency analysis

▸ Type of commands

▹ Network

▹ Stats

▸ Identify patterns

▹ A profile per server, per user

▹ Profiles need to change over time

Page 20

ANALYZING BEHAVIOR

▸ Create feature sets

▸ Feed feature set to classifier

▸ Obtain score

▸ Take action

Example features:

- What they run

- How they code

- Where from

- When

Image source: http://www.cinemablend.com/images/news_img/71655/Bad_Grandpa_71655.jpg

Page 21

ANALYZING BEHAVIOR

▸ Supervised

▹ Classification (Bayes, SVM, ...)

▹ Regression

▸ Unsupervised

▹ Clustering (expectation maximization, k-means, ...)

▹ Decomposition (PCA)

▸ Gotchas

▹ More data is always better? No

▹ Bias, noise; beware of feature greed

Page 22

MAKING IT ACTIONABLE

▸ Block access, kill sessions

▸ Send alerts with actions

▸ Dealing with FPs is easier

▸ Distribute manual auth.

▸ Dynamic ACL modification

Page 23

CONTINUOUS IMPROVEMENT

Your system needs to keep "learning"

Think about a rule based approach, but don't obsess over it

Follow good login hygiene

Audit shadow IT accounts

Page 24

OSS Tools and Plumbing

▸ scikit-learn (Python), Weka

▸ Apache Kafka

▸ Apache Spark

▸ Twilio

▸ Node.js

▸ Try SVM, LADTree, decision stumps

Page 25

OSS Tools and Plumbing

Register Servers

Dynamic DNS

Change Keys

Page 26

Why Stop Here?

▸ Tadaaaaa! Browser Extension

▹ How are you using the web app

▹ # of actions per second

▹ Curvature of mouse movement

▹ Typing patterns

- not typing speed

- do you use tab

Page 27

Customization

▸ No vendor lock-in

▸ You decide actions

▸ You decide on FP mitigation

▸ Adaptive 2FA

▸ Low friction – very important

Page 28

Making the Case for C-Level

▸ More compliant, less risk

▸ Time savings for IT, SecOps

▸ Better control

▸ Protect customer data

▸ Don't end up on TechCrunch

Page 29

Thank you

[email protected]

▸ 1-888-315-4745

▸ Twitter - @onion_id

▸ Connect with us on FB or LinkedIn

▸ We will be posting these slides

▸ Feedback is very welcome

https://calendly.com/anirban/enterprise-demo/

Page 30

THANK YOU! Any questions?

You can find more about us at:

Onion ID – Privilege Management in 60 Seconds

www.onionid.com , [email protected]

Tel: +1-888 315 4745