CSA SV Threat detection and prediction
0 likes673 views
The document discusses cloud security challenges and threat detection and prediction techniques. It describes how cloud services like SaaS, PaaS, and IaaS present different security risks. It then discusses a multi-step process for cloud security involving gaining visibility, detecting anomalies and threats using techniques like supervised rules, machine learning, and user behavior analytics, and then remediating incidents. Specific techniques are described like detecting risky users based on anomalous IP addresses, usage patterns, and administrator activities. The summary emphasizes the importance of visibility, automated threat detection, and securing clouds through continuous monitoring.
CSA SV Threat detection and prediction
- 1. Cloud Security: Threat Detec3on and Predic3on Ganesh Kir+, CTO and Co-‐Founder Palerra
- 2. Agenda § Cloud Security Challenges § Threat Detection and Prediction § Summary 2
- 3. § A leading Cloud Access Security Broker (CASB) § Ensures visibility and governance for cloud services § Secures cloud applications and infrastructure - all users - from any device - from anywhere / any network § Leading Investors include Norwest Venture Partners, Wing Ventures & August Capital § Investment Bank – 5,500 Box users § IT Infrastructure & Data Center Products Manufacturer – 18,000 Salesforce users § National Healthcare Provider – 5,500 O365 users § IT Service Provider – 6,000 O365/Salesforce users Company Customers AccoladesSupported Services About Palerra 3
- 4. Cloud Computing Services Model SaaS § Business data transaction § Sharing documents § Sensitive Emails PaaS § Partner Applications § 3rd party APIs integration § Databases, Web Services IaaS § VPN/Network ACLs § Hosts/Server instances § Storage Services 4
- 5. Security: Cloud Computing Services Model § Protect data from being shared outside an org § Protect user accounts § Secure configurations § Detect malicious insiders SaaS Business User 3rd Party Apps Admin § Protect Data § Protect user accounts § Secure API Keys and tokens § Audit Activity PaaS Business User Developers API Key 3rd Party Apps DevOps § Secure Network and Servers § Secure SSH Keys § Protect against rogue usage § Secure configurations IaaS Admin Client Machines On-Demand Processes 5 Cloud Service Providers own the Cloud and you own the security
- 6. Cloud Security: Multi-Step Process § Step 1: Visibility § Get visibility into your cloud services usage § Develop plan for monitoring and securing your clouds § Step 2:Anomaly Detection/Prediction/Protection § Use multiple techniques (supervised and unsupervised) to identify risky users and threats § Step 3: Remediate incidents and prevent it in future § Automate the process for continuous security 6
- 9. AnomalousActivity Detection § Solution should support: • Supervised Feeds and Rules: § Allow the customer to configure specific use cases of interest for their cloud applications: § Examples: whitelisting of IP addresses, Tag activities for certain AWS machines, Tag certain users (employee about to be terminated). • Machine learning forAnomaly detection: • User Behavior Analytics. • Anomaly Detection for IP addresses. • Anomaly Detection for non-human activities connecting to the applications: Automated processes, unsanctioned applications. • Correlation of various threat feeds and contextual data. 9
- 10. Supervised Feeds and Rules : Real use case § Trusted IP addresses: § Detection of any activity outside certain ranges of IP addresses. § Helps security analyst to identify users who work outside office (when they are not supposed to). § Helps detect compromised or shared credentials (if the employee is physically located in the office but activity is happening from outside the company IP ranges).
- 11. Anomaly Detection: UBAuse cases § Over time, cloud users build repeatable action patterns. Profiling such patterns helps identify anomalous activity. § For example: § a SFDC user logs daily from two IP addresses (one is the company, and the other is home). § This user creates an average of 20 leads a day, changes about 7 lead status, and transfers an average of 3 leads per day to another employee. § Profiling the aggregates of actions per user over a long period of time helps identify the user’s expected volume of daily actions. § Profiling the IP addresses for this user helps identify any new unseen IP address for this user. § Profiling certain sensitive actions such as data export with time of execution helps detect unexpected execution of such sensitive action. 11
- 12. UBAuse case: repeatable user actions over time
- 13. UBAuse case: User coming from a new IP address
- 14. Malicious Insiders § Most damaging attacks are more often caused by insiders § Examples insider threats - – Employee negligence – Fraud, theft by insiders – Inappropriate sharing of data outside an enterprise § What to protect and monitor - – Monitor for overly privileged user accounts – Monitor transactional activities – Monitor administrator’ activities – Detect malicious user activities using user behavior analytics (UEBA)
- 15. Summary § Get visibility into your cloud services usage § Develop plan for monitoring and securing your clouds § Find an automated solution to address challenges (threats and risks) 15
- 16. Q&A 16 Please send ques+ons regarding this webinar to: info@palerra.com hMp://palerra.com/locked_item/white-‐paper-‐t12/