Solving Cybersecurity Challenges with Serverless Architecture and Graph Database Technologies
Sukumar Nayak
Executive Advisor
Cloud, Security & Big Data
Date: 30th Nov, 2016
ISACA National Capital Area Chapter
Disclaimer: The opinions expressed in this presentation are my own and not necessarily those of my employer. Sources of my research are from publicly available materials with appropriate source URL noted on the slides.
Agenda
• Top Cybersecurity challenges in 2016
• NIST Cybersecurity Framework
• Serverless Architecture
• Introduction to a few AWS Services
• Serverless Demo using AWS Lambda
• The Evolution of Database Technologies
• Introduction to Graph Database
• Relational Database & Graph Database
• Graph Database Use Cases
• Integrated Cybersecurity Architecture
• Q&A
The cost of cyber crime is projected to reach $2 Trillion by 2019.
According to a recent Forbes report in 2016: http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#314848a13bb0
Top Cybersecurity Challenges 2016
Source: http://www2.proficio.com/l/16302/2016-01-11/26hfxb/16302/96677/Proficio2016Survey.pdf
NIST Cyber Security Framework
Source: https://www.nist.gov/cyberframework
URL: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
NIST Cyber Security Framework
The five Framework functions and their categories:
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
• Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications
Where are the fault lines…
• Identify:
  • Hackers in the basement
  • State-enabled actors
  • Not limited by geographical boundary
  • Lack of visibility and lack of correlation
• Protect, Detect, Respond & Recover:
  • Not prepared to protect or detect sophisticated attacks
  • Poorly regulated infrastructures
  • Lack of agility
  • Lack of predefined relationships / correlation
  • Disruptions from DDoS attacks
  • Infrastructure's weakest link: legacy Industrial Control Systems (ICS)
  • Operational Technology is different from Information Technology
  • Internet of Things (IoT) broadens the attack surface
  • Mobile payment systems
Evolution of Serverless Computing
• Data Center: Hardware as the unit of scale. Abstracts the physical hosting environment.
• IaaS: Operating system as the unit of scale. Abstracts the hardware.
• PaaS: Application as the unit of scale. Abstracts the operating system.
• Serverless: Functions as the unit of scale. Abstracts the language runtime.
Serverless computing, also known as Function as a Service (FaaS), is a cloud computing code execution model in which the cloud provider fully manages starting and stopping virtual machines as necessary to serve requests, and requests are billed by an abstract measure of the resources required to satisfy the request, rather than per virtual machine, per hour.
Examples:
• AWS Lambda, introduced in Nov 2014. Supports Node.js, Python and Java. A NoOps platform.
• Google Cloud Functions supports Node.js.
• IBM OpenWhisk, announced in 2016. Supports Node.js, Swift, Python, Java, and any language as a black box in a Docker container.
• Microsoft Azure Functions, announced as an under-development technology in 2016.
Source: https://en.wikipedia.org/wiki/Serverless_computing
Serverless Computing: Functions as a Service (FaaS)
Figure: the stack AWS Lambda abstracts away, from the bottom up: Building; Power; Networking; CPU, Memory, Storage; CDN, Database; Assembly Code, Protocols; High Level Language; Operating Systems; AWS APIs; AWS Lambda.
Lambda Serverless Computing: NoOps, event-driven, rules-based infrastructure
Source: https://aws.amazon.com/lambda/
How does AWS Lambda work: use case (figure)
Serverless computing benefits
• Infrastructure resources such as compute, storage and network are hidden and typically managed by a service provider; the specific resources are virtual and decided at runtime.
• Serverless computing frees you from the management of virtual servers, operating systems, load balancers, and the software used to run application code. It eliminates the management of the server stack and any concerns or planning that have to go into the potential scaling up or down of the stack.
• Provides significant cost savings if your application traffic is extra bursty. In traditional server architectures, bursty traffic means that you must build your server to handle maximum burst rates; the rest of the time you are wasting money on idle CPU cycles. Instead of paying for that idleness, a serverless architecture lets you pay only for the CPU cycles you actually consume, and code is only run when needed.
• Reduces the attack surface by reducing the amount of code running, reducing the entry points available to untrusted users, and eliminating services requested by relatively few users.
• Reduces the amount of time the infrastructure resources are active, running your business functions.
Lambda Use Cases
• Event-triggered transcoding of media files
• Automated backup for Disaster Recovery
• Security and Compliance
• Operational Monitoring and Dashboards
• Support for IoT protocols such as MQTT, CoAP, and STOMP
• Developers will be able to ingest, stream, query, store and analyze sensor data without writing complex code
Note:
• MQTT: Message Queue Telemetry Transport (http://mqtt.org/faq)
• CoAP: Constrained Application Protocol (http://coap.technology/)
• STOMP: Simple Text Oriented Messaging Protocol (https://stomp.github.io/)
Security Controls and Compliance
Many of these functions can be run in the serverless computing model:
• Infrastructure Security
• DDoS Mitigation
• Inventory and Configuration
• Monitoring and Logging
• Identity and Access Control
• Penetration Testing
• Report Vulnerabilities
• Fraud Prevention
• Security Incident and Event Management (SIEM) and Analytics
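Added example, not code from the deck or from AWS: a Python Lambda handler for the Kinesis Streams to Lambda path the deck's architecture uses, showing the monitoring and SIEM-style analytics function the list above says can run serverless. The event layout follows the Kinesis Lambda event shape (Records[].kinesis.data is base64); the audit-record fields, the AccessDenied burst rule with its threshold, and the sample batch are constructed for this example.

```python
import base64
import json
from collections import defaultdict

# Constructed rule (assumption): this many AccessDenied responses from one
# source IP within a single Lambda batch is reported as an alert.
DENIED_THRESHOLD = 3


def decode_records(event):
    """Return (payloads, malformed_count) for a Kinesis -> Lambda event.

    Each record carries its data base64-encoded under Records[].kinesis.data.
    Records that are not valid base64 JSON are counted instead of raising, so
    one bad producer cannot stop the detection function for the whole batch.
    """
    payloads, malformed = [], 0
    for rec in event.get("Records", []):
        try:
            payloads.append(json.loads(base64.b64decode(rec["kinesis"]["data"])))
        except (KeyError, TypeError, ValueError):
            malformed += 1
    return payloads, malformed


def find_denied_bursts(records, threshold=DENIED_THRESHOLD):
    """Group AccessDenied API calls by source IP; return IPs at or over threshold."""
    calls_by_ip = defaultdict(list)
    for r in records:
        if r.get("errorCode") == "AccessDenied":
            calls_by_ip[r.get("sourceIPAddress", "unknown")].append(r.get("eventName", "?"))
    return {
        ip: {"count": len(calls), "api_calls": sorted(set(calls))}
        for ip, calls in calls_by_ip.items()
        if len(calls) >= threshold
    }


def handler(event, context):
    """Lambda entry point. In the deck's pipeline the alerts would be written to
    DynamoDB or forwarded to Elasticsearch; here the summary is simply returned."""
    records, malformed = decode_records(event)
    return {
        "processed": len(records),
        "malformed": malformed,
        "alerts": find_denied_bursts(records),
    }


def _kinesis_record(payload):
    """Wrap a dict the way a Kinesis producer delivers it to Lambda (base64 JSON)."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"kinesis": {"data": data}}


def _audit(event_name, ip, error=None):
    """Build one constructed audit record; field names are assumptions."""
    rec = {"eventName": event_name, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample batch: three denials from 198.51.100.7, one from
# 198.51.100.9, one successful call, and one record that is not JSON at all.
SAMPLE_EVENT = {
    "Records": [
        _kinesis_record(_audit("GetObject", "198.51.100.7", "AccessDenied")),
        _kinesis_record(_audit("ListBucket", "198.51.100.7", "AccessDenied")),
        _kinesis_record(_audit("GetObject", "198.51.100.7", "AccessDenied")),
        _kinesis_record(_audit("DescribeInstances", "198.51.100.9", "AccessDenied")),
        _kinesis_record(_audit("ConsoleLogin", "203.0.113.5")),
        {"kinesis": {"data": base64.b64encode(b"not json").decode()}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, None), indent=2))
```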
Introduction to a few AWS Services for the demo
Figure: AWS services grouped by category.
• Compute: Amazon EC2; AWS Lambda; Elastic Load Balancing
• Storage & CDN: Amazon S3; Amazon EFS; Amazon Glacier; Amazon CloudFront (Content Delivery Network)
• Database: Amazon DynamoDB; Amazon ElastiCache; Amazon Redshift
• Networking: Amazon VPC; Amazon Route 53
• Management Tools: Amazon CloudWatch; AWS CloudFormation; AWS CloudTrail; AWS Config
• Security & Identity: AWS IAM
• Analytics: Amazon Elasticsearch Service; Amazon EMR; Amazon Kinesis; Amazon Machine Learning; AWS Data Pipeline
Discover AWS Products and Services at: https://aws.amazon.com/products/
Introduction to a few AWS Services for the demo
• AWS Lambda: An event-driven, serverless computing platform/service that runs code in response to events and automatically manages the compute resources required by that code.
• Amazon S3: Provides object storage to make data accessible from any Internet location.
• Amazon DynamoDB: A managed NoSQL database that offers extremely fast performance, seamless scalability and reliability.
• Amazon EMR: A managed Hadoop service that allows you to run the latest versions of popular big data frameworks such as Apache Spark, Presto, HBase, Hive, and more, on fully customizable clusters.
• Amazon Route 53: A highly available and scalable cloud Domain Name System (DNS) web service.
• Amazon Elasticsearch Service: A popular open-source search and analytics engine for big data use cases such as log and click stream analysis.
• Amazon Kinesis Firehose: A fully managed service for delivering real-time streaming data to destinations such as Amazon S3, Amazon Redshift, or Amazon ES.
• Amazon Kinesis Streams: A way to collect and process large streams of data records in real time, from which you can create data-processing applications.
• Amazon Kinesis Analytics: A way to process streaming data in real time with standard SQL without having to learn new programming languages or processing frameworks.
• Amazon Redshift: A fast, fully managed, petabyte-scale data warehouse that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools.
• Amazon Machine Learning: A managed service for building machine learning models and generating predictions.
• Amazon EC2: Provides the virtual application servers, known as instances, to host websites or web applications.
Lambda demo
Demo slides (screenshots): the Lambda console walk-through, a sample Lambda function in Python, and a sample YAML template.
Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data, and also providing the ability for you to build custom streaming data applications for specialized needs.
The Evolution of Database Technologies
Figure: timeline from the 1960s to 2000+: Traditional files and Punch cards; Hierarchical and Network databases; Relational; Object-Oriented and Object-Relational; then Key-Value Databases, Document Databases, Wide Column Stores and Graph Databases.
Note: Logos of the respective companies.
Introduction to Graph Database
Figure (the property graph model): a Graph Database manages a Graph; a Graph records data in Nodes; Relationships connect Nodes; a Relationship has a Direction (orients it) and a Label (describes it); Nodes and Relationships have Properties, which are Key Value Pairs; an Index maps from Properties; a Traversal navigates the Graph and identifies Paths, which have Order.
A graph database, also called a graph-oriented database, is a type of NoSQL database that uses graph theory to store, map and query relationships.
A graph database is essentially a collection of nodes (vertices) and relationships (directed edges).
Nodes and relationships have properties.
Neo4j & TITAN are examples of graph databases.
Neo4j uses the Cypher query language.
Properties of Graph DB: Intuitiveness, Speed, Agility
Source: https://neo4j.com/ Source: http://www.opencypher.org/
Relational Database & Graph Database
Figure (example property graph): people nodes (name: Bob, Patty, Steve, Don, Jaaz, Linda, Betty), a vehicle node (car: Tesla) and company nodes (name: AWS, Amazon), connected by labelled relationships such as Married to, Sister of, Likes, Listens to, Owns vehicle, Drives vehicle, Shops at and Sells.
Relational Database & Graph Database
Relational Databases
• Tables: rows & columns
• Attributes & relationships
• Pre-defined structure and datatypes
• Pre-computed
• Pre-determined purpose
• Limited context
• Static
RDBMS & SQL Challenges:
• Complex to model and store relationships
• Performance degrades when data volume increases
• Queries get long and complex
• Maintenance is painful
Graph Databases
• Key-value
• Nodes (vertices), edges (relationships), properties
• Real-time
• Dynamic structure
• Highly contextual
• Flexible and scalable
Graph Databases Benefits
• Easy to model and store relationships
• Performance of relationship traversal remains constant with growth in data size
• Queries are shorter and more readable
• Adding additional properties and relationships can be done on the fly, i.e. no schema migrations
Source: https://neo4j.com/
Graph Database Use Cases
• Advanced Persistent Threat (APT) Detection
• Fraud Detection / Discovery / Prevention
• Network & IT Operations
• Master Data Management
• Identity & Access Management
• Insider Threat Detection
• Real-Time Recommendation Engines
• Data Breach Detection
• Malware Detection
• Alert Triage
• Incident Investigations
• Threat Intelligence Analysis
• Cyber Situational Awareness
• Digital Asset Management / Regulatory Compliance
• Social Network Models
Source references: https://sqrrl.com/company/overview/ and https://neo4j.com/use-cases/
Graph Database Use Case: Advanced Persistent Threat (APT) Detection
APT: A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.
Figure: an enterprise network reached from Internet end points, made up of Routers, Firewalls, Switches, Web Servers, App Servers, DB Servers, Printers, Legacy systems, Storage, Mobile Devices and End User Devices.
Common traits for breached networks
• Port-based firewall; URL filtering; WildFire
• Static IPS
• Zero-day malware used to manipulate platforms in the network
• Identity credentials hijacked
• Lateral movement throughout the network
• DNS monitoring and sink-holing
Graph Database Use Case: Fraud Detection / Prevention
Traditional Fraud Analytics
• Hardware Monitoring (endpoint-centric): analyze user devices and end points.
• Navigation Tracking (navigation-centric): analyze suspicious patterns.
• Account Targeting (account-centric): analyze anomalies within user account activity.
Graph Databases
• Link Analysis (entity link analysis): analyze data relationships to detect fraud rings and collusion.
• Multi-Channel (cross-channel): analyze suspicious patterns correlated across accounts.
Graph Database Use Case: Fraud Detection / Prevention
Graph Database Data Model (screenshot). Tool: Neo4j Browser
Interactive Graph Visualization (screenshot). Tool: Neo4j Browser / Cambridge Intelligence KeyLines
Source: Neo4j GraphGist Network Dependency Graph URL: http://neo4j.com/graphgist/github-neo4j-contrib%2Fgists%2F%2Fother%2FNetworkDataCenterManagement1.adoc#acme_s_network_inventory
Graph Database Use Case: Network & IT Operations
Network Operations Center (NOC)
Purpose: Manage, Control, and Monitor Network Reliability and Performance
Requirements
• Monitor health of an entire network
• Visualize and understand how each component correlates
• Troubleshoot issues
• Perform impact analysis
• Model outage scenarios
Key Challenges
• Fragmented monitoring tools
• Inability to correlate problems in different network domains
• Stale or unreliable data in traditional correlation systems
• Inefficiencies and high support costs
Source: http://www.slideshare.net/neo4j/network-and-it-operations
Security Operations Center (SOC)
Purpose: Detect, Protect, and Investigate for Security and Loss Prevention
Requirements
• Visualize the entire cyber posture
• Identify vulnerabilities
• Prevent attacks
• Detect attacks
• Investigate and reduce zero-day losses
Key Challenges
• Fragmented security tools, including firewalls, intrusion detection, vulnerability assessment and SIEM systems
• Inability to visualize cyber postures
• Difficult to predict intrusion impact
• Harder to model scenarios
Common Security Tools: many tools, a lot of information, little context
• Security Intelligence
• Firewall Manager
• Intrusion Detection System
• Vulnerability Scanner
• Security Incident and Event Management (SIEM) system
Figure (CyGraph model layers):
• Network Infrastructure: Segmentation; Topology; Sensors
• Cyber Posture: Configurations; Vulnerabilities; Policy Rules
• Cyber Threats: Campaigns; Actors; Incidents; Tactics, Techniques & Procedures
• Mission Dependencies: Objectives; Activities; Tasks; Information
Source: https://neo4j.com/blog/cygraph-cybersecurity-situational-awareness/
Graph Database Use Case: Network & IT Operations
Graph Database Data Model (screenshot). Tool: Neo4j Browser
Interactive Graph Visualization (screenshot). Tool: Neo4j Browser / Cambridge Intelligence KeyLines
Source: Neo4j GraphGist Network Dependency Graph URL: http://neo4j.com/graphgist/github-neo4j-contrib%2Fgists%2F%2Fother%2FNetworkDataCenterManagement1.adoc#acme_s_network_inventory
Graph Database Use Case: Master Data Management
Figure: a master-data graph in which an Employee Works at a Company; the Company Has Suppliers and Partners, Produces Products and Sells to Customers.
Requirements
• Support hierarchical and matrix data structures.
• Provide support for complex data relationships.
• Continually accommodate new data and relationships.
• Maintain fidelity between the real world, the data model, and how the data is stored.
Key Challenges
• Inflexible pre-defined data structures.
• Lack of support for hierarchical or matrix data relationships.
• Inability to model complex data structures and complex relationships.
• Real-world master data is not hierarchical; it is a graph model.
Integrated Cybersecurity Architecture
Figure (shown on two slides; the second adds Amazon CloudWatch, AWS CloudTrail and KeyLines): the pipeline from data collection through to visualization.
• Data Collection: IoT and Computing Devices produce Raw IoT Data (through AWS IoT) and Raw Site Data; Site Data to be processed enters Amazon Kinesis Firehose and Amazon Kinesis Streams.
• Ingest Data Streams / Monitoring: raw data lands in an S3 bucket with objects; Amazon CloudWatch and AWS CloudTrail provide monitoring (second slide).
• ETL / Process Data: Spark on EMR and AWS Lambda turn Raw Data into Processed Data held in Amazon Redshift, Amazon DynamoDB, a Graph DB, an Object DB and a Document DB.
• Analytics / Decision Support / Prediction: Amazon Elasticsearch Service and Amazon Redshift over the processed data.
• Visualization: Amazon QuickSight, Neo4j Browser and KeyLines (second slide).
Conclusion
• Serverless Computing
• Introduction to AWS Services & Products
• Demo of Serverless Computing
• Graph Database
• Use Cases
• Solving Cybersecurity Challenges using Serverless and Graph Database Technologies
• Integrated Cybersecurity Architecture
Inspired by the following references
• Amazon Web Services Products & Services URL: https://aws.amazon.com/products/?hp=tile&so-exp=below
• Neo4j Products URL: https://neo4j.com/product/
• Neo4j GraphGist wiki URL: https://github.com/neo4j-contrib/graphgist/wiki
• Visualization Tool: KeyLines by Cambridge Intelligence URL: http://cambridge-intelligence.com/keylines/
• Sqrrl Threat Hunting URL: https://sqrrl.com/
• CyGraph: Cybersecurity Situational Awareness That's More Scalable, Flexible & Comprehensive, by Steven Noel, Cybersecurity Researcher, MITRE. URL: https://neo4j.com/blog/cygraph-cybersecurity-situational-awareness/
• Graph Database wiki URL: https://en.wikipedia.org/wiki/Graph_database
• ANTLR (Another Tool for Language Recognition) URL: http://www.antlr.org/
• MITRE CAPEC Common Attack Pattern Enumeration and Classification URL: https://capec.mitre.org/
Q&A
Thank you
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
Backup
Foundation: Multiple Layers of Security (figure)
Comparison of Database Technologies
Six database families compared on the same five rows: definition, data model, example products, strengths and weaknesses.
Relational
• Definition: Relational data model. Tables: rows & columns. Unique (primary) key for rows. Relationships defined through foreign keys. Indexed on attributes & relations. Proposed by E.F. Codd in 1970.
• Data Model: Relational; vertical scaling; SQL language
• Example: Oracle, Microsoft SQL Server, MySQL, IBM DB2, IBM Informix, SAP Sybase, Teradata
• Strength: Simple data structure; ACID; limits duplication of data; transactional processing
• Weakness: Poor representation of real-world entities; lack of flexibility & scalability; difficult to model complex data types
Object-Oriented / Object-Relational
• Definition: Information is presented in the form of objects as used in object-oriented programming. Properties: encapsulation, polymorphism, and inheritance.
• Data Model: Object-oriented; object-relational (hybrid model)
• Example: Objectivity/DB, ObjectStore, JADE, VOD: Versant Object Database, Apple WebObjects EOF
• Strength: Can store complex data and relationships; ease of coding; pointer references
• Weakness: Performance; high memory utilization
Key-Value
• Definition: Key-value; schema-less DB; data/value is opaque
• Data Model: Collection of key-values; multi-structured; horizontal scaling
• Example: Riak, Redis, Amazon SimpleDB, Amazon DynamoDB
• Strength: Flexibility, scalability & superior performance; BASE; tolerant of incomplete data
• Weakness: Stored data has no schema; query performance
Document-oriented
• Definition: Stores data in documents. Typically uses a JavaScript Object Notation (JSON) structure. Key-value collections.
• Data Model: Key-value; multi-structured; horizontal scaling
• Example: MongoDB, CouchDB
• Strength: Can query on any field in the document
• Weakness: No standard query syntax
Columnar
• Definition: Tables: rows and columns. Number of columns is not fixed for each record. Columns are created for each row.
• Data Model: Column families; key-value
• Example: Amazon DynamoDB, HP Enterprise Vertica, HBase, Cassandra, SAP HANA
• Strength: Fast look-ups
• Weakness: Very low-level API
Graph
• Definition: Stores data in graph models. Nodes, edges & properties. Social network connections. Traverses relationships.
• Data Model: Property graph; multi-structured; horizontal scaling
• Example: Neo4j, InfiniteGraph, Giraph, InfoGrid
• Strength: Close to real-world models; scalability; graph algorithms, shortest path etc.
• Weakness: Not easy to cluster; must traverse the whole graph to get an answer
ACID: Atomicity, Consistency, Isolation, Durability
BASE: Basically Available, Soft state, Eventual consistency
Graph Databases
• Apache TinkerPop
• InfiniteGraph
• Neo4j
• Oracle Spatial and Graph
• SAP HANA
• Sqrrl
• Teradata Aster
APT Intrusion Kill Chain
Figure: the seven stages of the intrusion kill chain, each with its description and the activities the slide lists under it.
• Reconnaissance: Research, identification & selection of targets. Activities: Harvesting Email Address; Social Networking; Passive Search; IP Discovery; Port Scans.
• Weaponization: Pairing malware with exploit into a payload. Activities: Payload Creation; Malware; Delivery System; Decoys.
• Delivery: Transmission of weapon to target. Activities: Spear Phishing; Infected Website; Service Provider.
• Exploitation: Trigger weapon's code. Activities: Activation; Execute Code; Establish Foothold; 3rd Party Exploitation.
• Installation: Install backdoor on target system allowing persistent access. Activities: Trojan or Backdoor; Escalate Privileges; Root Kit; Establish Persistence.
• Command & Control: Remote control of internal servers from outside. Activities: Command Channel; Lateral Movement; Internal Recon; Maintain Persistence.
• Actions on Target: Achieve objectives of the intrusion. Activities: Expand Compromise; Consolidate Persistence; Data Exfiltration.
Graph Database Use Case: Identity & Access Management
Figure: a property graph of people (name: Bob, name: Patty) joined by Trusts relationships; each person Has account (Account: AC# 123, AC# 456, AC# 789); accounts are Member_Of groups (Group: Grp 1, Group: Admin); the Admin group has an Assigned role (Role: Admin); roles and groups Have access to or Have no access to the Payroll System.
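Added example, not from the deck: an in-memory property graph mirroring the IAM figure above, with a traversal that answers which people can reach the Payroll System and through which chain of relationships, plus a constructed risk rule that flags people who have no access chain of their own but Trust someone who does. The node names, the relationship types that are treated as access-granting, and both rules are assumptions made for this example.

```python
from collections import deque


class PropertyGraph:
    """Nodes with a label and properties; directed, labelled relationships."""

    def __init__(self):
        self.nodes = {}   # node id -> {"label": ..., "props": {...}}
        self.out = {}     # node id -> list of (relationship type, target id)

    def add_node(self, node_id, label, **props):
        self.nodes[node_id] = {"label": label, "props": props}
        self.out.setdefault(node_id, [])

    def add_rel(self, src, rel_type, dst):
        self.out[src].append((rel_type, dst))

    def path_to(self, start, target, allowed):
        """Breadth-first traversal from start, following only relationship
        types in `allowed`. Returns the shortest chain as a list of
        (node, relationship, node) hops, or None if target is unreachable.
        Work grows with the neighbourhood walked, not with total graph size."""
        queue = deque([(start, [])])
        seen = {start}
        while queue:
            node, path = queue.popleft()
            if node == target:
                return path
            for rel, nxt in self.out.get(node, []):
                if rel in allowed and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(node, rel, nxt)]))
        return None


# Constructed policy: only these relationship types carry access along a chain.
# "Trusts" and "Have no access to" deliberately do not.
ACCESS_RELS = {"Has account", "Member_Of", "Assigned role", "Have access to"}


def build_sample_graph():
    """The figure above, encoded as a constructed sample graph."""
    g = PropertyGraph()
    g.add_node("Bob", "Person", name="Bob")
    g.add_node("Patty", "Person", name="Patty")
    for acct, owner in (("AC#123", "Bob"), ("AC#456", "Patty"), ("AC#789", "Patty")):
        g.add_node(acct, "Account", owner=owner)
        g.add_rel(owner, "Has account", acct)
    g.add_node("Grp 1", "Group")
    g.add_node("Admin group", "Group")
    g.add_node("Admin", "Role")
    g.add_node("Payroll System", "System")
    g.add_rel("Bob", "Trusts", "Patty")
    g.add_rel("Patty", "Trusts", "Bob")
    g.add_rel("AC#123", "Member_Of", "Grp 1")
    g.add_rel("AC#456", "Member_Of", "Grp 1")
    g.add_rel("AC#789", "Member_Of", "Admin group")
    g.add_rel("Admin group", "Assigned role", "Admin")
    g.add_rel("Admin", "Have access to", "Payroll System")
    g.add_rel("Grp 1", "Have no access to", "Payroll System")
    return g


def who_can_reach(g, resource):
    """Map every Person node to its shortest access chain to `resource` (or None)."""
    return {
        node_id: g.path_to(node_id, resource, ACCESS_RELS)
        for node_id, data in g.nodes.items()
        if data["label"] == "Person"
    }


def indirect_exposure(g, resource):
    """Constructed risk rule: people without an access chain of their own who
    Trust someone who has one. Returns {person: [trusted people with access]}."""
    reach = who_can_reach(g, resource)
    exposed = {}
    for person, chain in reach.items():
        if chain is not None:
            continue
        trusted = [dst for rel, dst in g.out[person]
                   if rel == "Trusts" and reach.get(dst) is not None]
        if trusted:
            exposed[person] = trusted
    return exposed


if __name__ == "__main__":
    graph = build_sample_graph()
    for person, chain in who_can_reach(graph, "Payroll System").items():
        print(person, "->", " / ".join(f"{a} -[{r}]-> {b}" for a, r, b in chain) if chain else "no access")
    print("indirect exposure:", indirect_exposure(graph, "Payroll System"))
```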
Graph Database Use Case: Real-Time Recommendation Engines
Figure: name: Bob is Friend with name: Patty; Bob Searches for products by Delivery options and Price range, Checks product recalls, Looks for the Return Policy and Looks for Blogs; Patty Bought a product and Writes at a blog.
Analytical Driven Security - Chip Copperscoopnewsgroup
 
Codeless Security for the Apps You Buy & Build on AWS
Codeless Security for the Apps You Buy & Build on AWSCodeless Security for the Apps You Buy & Build on AWS
Codeless Security for the Apps You Buy & Build on AWSCloudLock
 
Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...
Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...
Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...Hasan Basri AKIRMAK, MSc,ExecMBA
 
Optimizing location-based apps with open data
Optimizing location-based apps with open dataOptimizing location-based apps with open data
Optimizing location-based apps with open dataRaj Singh
 
A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...
A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...
A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...Databricks
 
Microsoft Azure News - Aug 2016
Microsoft Azure News - Aug 2016Microsoft Azure News - Aug 2016
Microsoft Azure News - Aug 2016Daniel Toomey
 
Information Security: We are all InfoSec (updated for 2018)
Information Security: We are all InfoSec (updated for 2018)Information Security: We are all InfoSec (updated for 2018)
Information Security: We are all InfoSec (updated for 2018)Michael Swinarski
 
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...Amazon Web Services
 
My Little Blurb From Cloud Connect 2010
My Little Blurb From Cloud Connect 2010My Little Blurb From Cloud Connect 2010
My Little Blurb From Cloud Connect 2010Bharath Ram Srinivasan
 
Swagger & OpenAPI Spec #openapi
Swagger & OpenAPI Spec #openapiSwagger & OpenAPI Spec #openapi
Swagger & OpenAPI Spec #openapiMuhammad Siddiqi
 
Introducing testing cloud services - Transformation to SaaS
Introducing testing cloud services - Transformation to SaaSIntroducing testing cloud services - Transformation to SaaS
Introducing testing cloud services - Transformation to SaaSKees Blokland
 
(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the Cloud(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the CloudAmazon Web Services
 

Ähnlich wie Cybersecurity-Serverless-Graph DB (20)

O Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em Nuvem
O Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em NuvemO Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em Nuvem
O Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em Nuvem
 
The Trouble with Saas and Hybrid Cloud
The Trouble with Saas and Hybrid CloudThe Trouble with Saas and Hybrid Cloud
The Trouble with Saas and Hybrid Cloud
 
Cronus Cyber Technologies CyBot - CREST Accredited Continuous Vulnerability S...
Cronus Cyber Technologies CyBot - CREST Accredited Continuous Vulnerability S...Cronus Cyber Technologies CyBot - CREST Accredited Continuous Vulnerability S...
Cronus Cyber Technologies CyBot - CREST Accredited Continuous Vulnerability S...
 
ABC's of Cloud Computing for Middle Market Enterprises
ABC's of Cloud Computing for Middle Market EnterprisesABC's of Cloud Computing for Middle Market Enterprises
ABC's of Cloud Computing for Middle Market Enterprises
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016
 
Network and Application Security 2017. Prediction 2017
Network and Application Security 2017. Prediction 2017Network and Application Security 2017. Prediction 2017
Network and Application Security 2017. Prediction 2017
 
Analytical Driven Security - Chip Copper
Analytical Driven Security - Chip CopperAnalytical Driven Security - Chip Copper
Analytical Driven Security - Chip Copper
 
Codeless Security for the Apps You Buy & Build on AWS
Codeless Security for the Apps You Buy & Build on AWSCodeless Security for the Apps You Buy & Build on AWS
Codeless Security for the Apps You Buy & Build on AWS
 
Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...
Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...
Dynamics of Cloud and Its impact on Engagement - Delivery and Operations - CF...
 
Optimizing location-based apps with open data
Optimizing location-based apps with open dataOptimizing location-based apps with open data
Optimizing location-based apps with open data
 
A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...
A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...
A Journey to Building an Autonomous Streaming Data Platform—Scaling to Trilli...
 
Microsoft Azure News - Aug 2016
Microsoft Azure News - Aug 2016Microsoft Azure News - Aug 2016
Microsoft Azure News - Aug 2016
 
Information Security: We are all InfoSec (updated for 2018)
Information Security: We are all InfoSec (updated for 2018)Information Security: We are all InfoSec (updated for 2018)
Information Security: We are all InfoSec (updated for 2018)
 
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
 
Saas (1)
Saas (1)Saas (1)
Saas (1)
 
Cloud Computing2
Cloud Computing2Cloud Computing2
Cloud Computing2
 
My Little Blurb From Cloud Connect 2010
My Little Blurb From Cloud Connect 2010My Little Blurb From Cloud Connect 2010
My Little Blurb From Cloud Connect 2010
 
Swagger & OpenAPI Spec #openapi
Swagger & OpenAPI Spec #openapiSwagger & OpenAPI Spec #openapi
Swagger & OpenAPI Spec #openapi
 
Introducing testing cloud services - Transformation to SaaS
Introducing testing cloud services - Transformation to SaaSIntroducing testing cloud services - Transformation to SaaS
Introducing testing cloud services - Transformation to SaaS
 
(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the Cloud(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the Cloud
 

Cybersecurity-Serverless-Graph DB