This document discusses using behavior-based security to protect cloud servers. It notes that the status quo of usernames/passwords and IP filters is insufficient given challenges like distributed teams and high velocity infrastructure changes. Behavioral security analyzes factors like command history, style, timing and location to create user profiles and assign risk scores. Anomalous behaviors can trigger alerts or second factor authentication. Tools like Apache Spark can analyze behaviors at scale for continuous monitoring and compliance reporting. Behavioral security provides a more adaptive approach than traditional methods.

1. Using Behavior to Protect
Cloud Servers

2. HELLO!
I am Anirban Banerjee.
I am the Founder and
CEO of Onion ID.
anirban@onionid.com
https://calendly.com/anirban/enterprise-demo/

3. THE STATUS QUO
CHALLENGES AND
THREATS
BEHAVIOR BASED
SECURITY

4. THE STATUS QUO
4

5. CLOUD
INFRASTRUCTURE
TODAY
AWS - IaaS
Heroku/GC
Docker
Azure

6. WHO IS
ACCESSING
Devops
IT
Developers
Shadow IT
Bloggers
Marketing
Automated Software
Deploy and Build software
Vendors and 3rd parties

7. THE STATUS
QUO
Usernames/
passwords
SSH Keys
▹ Helps login
automatically
IP filters
▹ Only talk to
certain
computers
VPNs
▹ Some
Security
▹ Encrypted
traffic

8. DIRECTORY
SERVICES
Various Directory Services
- Ties very basic Identity
- IAM solutions, first step
- IAM for infrastructure, way behind

9. CHALLENGES
AND THREATS

10. CHALLENGES
▸ Multiple dev teams
▹ Geographically distributed
▹ Shadow IT
▸ High Velocity Changes – IaaS/PaaS via APIs
▹ AWS, Rackspace, Docker
▹ All types of web apps
▸ Employee churn
▸ Compliance and Audits
▸ Attack surface has changed
▸ Horizontal attacker movement
▸ Vertical privilege escalation

11. THE THREAT
LANDSCAPE
Horizontal and Vertical Attacker Movement

12. GOING FORWARD

13. ACTIVE
AUTHENTICATION
CAN HELP
▸ Concept of least privilege
▸ Risk score everything
▸ Every command is analyzed
▸ Learn, Match, Act, Update

14. WHAT TO LOOK
FOR AND WHAT
TO DO
Usually never runs visudo /etc/shadow – high risk
COMMANDS BEING
RUN
Where are you connecting from, time, # of
connections
CONNECTION
STATISTICS
Risk score every command: White, Grey, Black
EVERY COMMAND
IS ANALYZED
Invisible 2FA for Grey, Physical 2FA for Black
TAKE ACTION
Apache Spark, Pykit Sci, SSH proxies
TOOLS

15. COMPLIANCE
▸PCI DSS, HIPAA, FedRamp, FFIEC, SOX,
SOC I,II
▸Legal consequences
▸Provide proof of controls
▸Keep the board informed
▸Use tools for reporting, automate

16. BEHAVIOR
▸What is Behavior
▸What to look for
▸Analyzing behavior
▸Making it actionable
▸Continuous improvement
▸OSS tools and plumbing

17. WHAT IS
BEHAVIOR
▸Markers for your Identity
▸What commands are used
▸What style is used
▸When do you use what
17

18. WHAT TO
LOOK FOR
▸Command history
▸Command Style
▸Mistakes and mistypes
▸Time of day, IP, Geo-location
▸Type of Resource
18

19. WHAT TO
LOOK FOR
▸Frequency analysis ;
▸Type of commands
▹Network
▹Stats
▸Identify patterns
▹Per Server, per user - profile
▹Profiles need to change
19

20. ANALYZING
BEHAVIOR
▸Create Feature sets
▸Feed Feature set to classifier
▸Obtain Score
▸Take Action
20
- What they run
- How they code
- Where from
- When
Source: http://www.cinemablend.com/images/news_img/71655/Bad_Grandpa_71655.jpg

21. ANALYZING
BEHAVIOR
▸Supervised
▹Classification (Bayes, SVM..)
▹Regression
▸Unsupervised
▹Clustering (expectation maximization,
k-means..)
▹Decomposition (PCA)
▸Gotchas
▹More data is always better – no
▹Bias, noise, beware of feature greed
21

22. MAKING IT
ACTIONABLE
▸Block access, Kill Sessions
▸Send alerts with actions
▸Dealing with FPs is easier
▸Distribute manual auth.
▸Dynamic ACL modification
22

23. CONTINUOUS
IMPROVEMENT
Your system needs to keep
“learning”
Think about rule based
approach, don’t obsess
Follow good login hygiene
Audit shadow IT accounts

24. OSS Tools
and Plumbing
▸Scikit Py,Weka
▸Apache Kafka
▸Apache Spark
▸Twilio
▸Nodejs
▸Try SVM, Ladtree, Stumps
24

25. OSS Tools
and Plumbing
25
Register Servers
Dynamic DNS
Change Keys

26. Why Stop
Here?
▸Tadaaaaa! Browser
Extension
▹How are you using the web app
▹# of actions per second
▹Curvature of mouse movement
▹Typing patterns
▹- not typing speed
▹- do you use tab
26

27. Customization
▸No vendor lock in
▸You decide actions
▸You decide on FP mitigation
▸Adaptive 2FA
▸Low Friction – very important
27

28. Making the
Case for C
Level
▸More Compliant, Less Risk
▸Time Savings for IT, SecOps
▸Better Control
▸Protect Customer Data
▸Don’t end up on Techcrunch
28

29. Thank you
29
▸Anirban@onionid.com
▸1-888-315-4745
▸Twitter - @onion_id
▸Connect with us on FB or Linkedin
▸We will be posting these slides
▸Feedback is very welcome
https://calendly.com/anirban/enterprise-demo/

30. THANK YOU!
Any questions?
You can find more about us at:
Onion ID – Privilege Management in 60 Seconds
www.onionid.com , anirban@onionid.com
Tel: +1-888 315 4745