This document discusses using behavior-based security to protect cloud servers. It notes that the status quo of usernames/passwords and IP filters is insufficient given challenges like distributed teams and high velocity infrastructure changes. Behavioral security analyzes factors like command history, style, timing and location to create user profiles and assign risk scores. Anomalous behaviors can trigger alerts or second factor authentication. Tools like Apache Spark can analyze behaviors at scale for continuous monitoring and compliance reporting. Behavioral security provides a more adaptive approach than traditional methods.
10. CHALLENGES
▸ Multiple dev teams
▹ Geographically distributed
▹ Shadow IT
▸ High Velocity Changes – IaaS/PaaS via APIs
▹ AWS, Rackspace, Docker
▹ All types of web apps
▸ Employee churn
▸ Compliance and Audits
▸ Attack surface has changed
▸ Lateral (horizontal) attacker movement
▸ Vertical privilege escalation
14. WHAT TO LOOK FOR AND WHAT TO DO
▸ COMMANDS BEING RUN – a user who usually never runs visudo or touches /etc/shadow suddenly doing so is high risk
▸ CONNECTION STATISTICS – where you are connecting from, time of day, number of connections
▸ EVERY COMMAND IS ANALYZED – risk score every command: White, Grey, Black
▸ TAKE ACTION – invisible 2FA for Grey, physical 2FA for Black
▸ TOOLS – Apache Spark, Pykit Sci, SSH proxies
15. COMPLIANCE
▸PCI DSS, HIPAA, FedRAMP, FFIEC, SOX, SOC 1, SOC 2
▸Legal consequences
▸Provide proof of controls
▸Keep the board informed
▸Use tools for reporting, automate
16. BEHAVIOR
▸What is Behavior
▸What to look for
▸Analyzing behavior
▸Making it actionable
▸Continuous improvement
▸OSS tools and plumbing
18. WHAT TO LOOK FOR
▸Command history
▸Command style
▸Mistakes and typos
▸Time of day, IP, geo-location
▸Type of resource
19. WHAT TO LOOK FOR
▸Frequency analysis
▸Type of commands
▹Network
▹Stats
▸Identify patterns
▹Per-server, per-user profile
▹Profiles need to change over time
20. ANALYZING BEHAVIOR
▸Create Feature sets
▸Feed Feature set to classifier
▸Obtain Score
▸Take Action
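The pipeline on slides 14 and 18 to 20 (per-user, per-server profile, then feature set, then classifier, then score, then action), worked through as an added example; this is not code from the deck or from Onion ID. It assumes a linear weighting in place of the unspecified classifier, assumed tier cut-offs for White/Grey/Black, constructed audit records, and its own choices for the sensitive-command list and the /24 source-network comparison. The last step folds a confirmed-benign Grey event back into the profile, which is the "profiles need to change" point from slide 19.

```python
"""Behavior-based risk scoring for shell commands (added example).

Profile -> feature set -> score -> White/Grey/Black action. Weights,
thresholds and records are assumptions for this example.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed audit records (hypothetical): (user, server, ISO time, source IP, command)
BASELINE: List[Tuple[str, str, str, str, str]] = [
    ("alice", "web01", "2015-03-02T10:05:00", "10.1.2.15", "git pull"),
    ("alice", "web01", "2015-03-02T10:06:00", "10.1.2.15", "tail -f /var/log/nginx/error.log"),
    ("alice", "web01", "2015-03-03T11:20:00", "10.1.2.16", "git pull"),
    ("alice", "web01", "2015-03-03T11:21:00", "10.1.2.16", "sudo service nginx reload"),
    ("alice", "web01", "2015-03-04T09:45:00", "10.1.2.15", "git pull"),
    ("alice", "web01", "2015-03-04T09:46:00", "10.1.2.15", "ls -la /srv/app"),
]

# Privilege and credential stores: a user who usually never touches these is the high-risk case.
SENSITIVE_TOKENS = ("visudo", "/etc/shadow", "/etc/sudoers", "passwd", "useradd", "usermod")

# Assumed linear weights standing in for the classifier, and assumed tier cut-offs.
WEIGHTS = {"cmd_rarity": 0.3, "off_hours": 0.2, "new_network": 0.2, "sensitive": 0.4}
GREY_MIN, BLACK_MIN = 0.35, 0.7
ACTIONS = {
    "WHITE": "allow",
    "GREY": "invisible 2FA (push prompt)",
    "BLACK": "physical 2FA, hold session, alert",
}


def program_of(command: str) -> str:
    return command.split()[0]


def network_of(src_ip: str) -> str:
    # Compare on the /24 so a new DHCP lease inside the same office does not look new.
    return str(ip_network(f"{src_ip}/24", strict=False))


class Profile:
    """What one user normally does on one server: programs, hours, source networks."""

    def __init__(self) -> None:
        self.programs: Counter = Counter()
        self.hours: Counter = Counter()
        self.networks: Counter = Counter()
        self.total = 0

    def update(self, ts: str, src_ip: str, command: str) -> None:
        """Fold an event in: training data, or an event later confirmed benign."""
        self.programs[program_of(command)] += 1
        self.hours[datetime.fromisoformat(ts).hour] += 1
        self.networks[network_of(src_ip)] += 1
        self.total += 1


def build_profiles(records) -> Dict[Tuple[str, str], Profile]:
    profiles: Dict[Tuple[str, str], Profile] = {}
    for user, server, ts, src_ip, command in records:
        profiles.setdefault((user, server), Profile()).update(ts, src_ip, command)
    return profiles


def features(profile: Profile, ts: str, src_ip: str, command: str) -> Dict[str, float]:
    """Feature set for one command against the profile; every value is in [0, 1]."""
    seen = profile.programs[program_of(command)]
    return {
        "cmd_rarity": 1.0 - seen / profile.total if profile.total else 1.0,
        "off_hours": 0.0 if profile.hours[datetime.fromisoformat(ts).hour] else 1.0,
        "new_network": 0.0 if profile.networks[network_of(src_ip)] else 1.0,
        "sensitive": 1.0 if any(tok in command for tok in SENSITIVE_TOKENS) else 0.0,
    }


def score(feats: Dict[str, float]) -> float:
    return min(1.0, sum(WEIGHTS[name] * value for name, value in feats.items()))


def tier(risk: float) -> str:
    if risk >= BLACK_MIN:
        return "BLACK"
    return "GREY" if risk >= GREY_MIN else "WHITE"


def assess(profile: Profile, ts: str, src_ip: str, command: str) -> Tuple[float, str, str]:
    """Return (score, tier, action) for one command."""
    risk = score(features(profile, ts, src_ip, command))
    colour = tier(risk)
    return risk, colour, ACTIONS[colour]


if __name__ == "__main__":
    alice = build_profiles(BASELINE)[("alice", "web01")]
    events = [
        ("2015-03-05T10:10:00", "10.1.2.15", "git pull"),                 # routine
        ("2015-03-05T23:40:00", "10.1.2.15", "cat /srv/app/config.yml"),  # odd hour, new program
        ("2015-03-05T03:12:00", "203.0.113.9", "visudo"),                 # new net, off hours, sensitive
    ]
    for event in events:
        print(event[2], "->", assess(alice, *event))
    # Continuous improvement: the Grey event was confirmed benign, so fold it into the
    # profile; the same behaviour is then White and stops prompting for 2FA.
    alice.update(*events[1])
    print("after feedback ->", assess(alice, *events[1]))
```

In a real deployment the records come from an SSH proxy or shell audit log, and the profile would be keyed and persisted per (user, server) so that the White/Grey/Black decision can be made inline before the command reaches the host.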
- What they run
- How they code
- Where from
- When
22. MAKING IT ACTIONABLE
▸Block access, kill sessions
▸Send alerts with actions
▸Dealing with false positives (FPs) is easier
▸Distribute manual auth.
▸Dynamic ACL modification
27. Customization
▸No vendor lock in
▸You decide actions
▸You decide on FP mitigation
▸Adaptive 2FA
▸Low Friction – very important
28. Making the Case to the C-Level
▸More compliant, less risk
▸Time savings for IT, SecOps
▸Better control
▸Protect customer data
▸Don’t end up on TechCrunch
30. THANK YOU!
Any questions?
You can find more about us at:
Onion ID – Privilege Management in 60 Seconds
www.onionid.com , anirban@onionid.com
Tel: +1-888 315 4745