Cybersecurity-Serverless-Graph DB

  1. Solving Cybersecurity Challenges with Serverless Architecture and Graph Database Technologies
     Sukumar Nayak, Executive Advisor, Cloud, Security & Big Data
     Date: 30 Nov 2016, ISACA National Capital Area Chapter
     Disclaimer: The opinions expressed in this presentation are my own and not necessarily those of my employer. Sources of my research are publicly available materials, with the appropriate source URL noted on the slides.
  2. Agenda
     • Top cybersecurity challenges in 2016
     • NIST Cybersecurity Framework
     • Serverless architecture
     • Introduction to a few AWS services
     • Serverless demo using AWS Lambda
     • The evolution of database technologies
     • Introduction to graph databases
     • Relational database vs. graph database
     • Graph database use cases
     • Integrated cybersecurity architecture
     • Q&A
  3. The cost of cyber crime is projected to reach $2 trillion by 2019, according to a Forbes report from January 2016: http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#314848a13bb0
  4. Top Cybersecurity Challenges 2016 (survey chart)
     Source: http://www2.proficio.com/l/16302/2016-01-11/26hfxb/16302/96677/Proficio2016Survey.pdf
  5. NIST Cyber Security Framework
     Source: https://www.nist.gov/cyberframework
     URL: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
     The five Framework functions and their categories:
     • Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
     • Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
     • Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
     • Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
     • Recover: Recovery Planning; Improvements; Communications
  6. Where are the fault lines…
     Identify:
     • Hackers in the basement
     • State-enabled actors
     • Not limited by geographical boundaries
     • Lack of visibility and lack of correlation
     Protect, Detect, Respond & Recover:
     • Not prepared to protect against or detect sophisticated attacks
     • Poorly regulated infrastructures
     • Lack of agility
     • Lack of predefined relationships / correlation
     • Disruptions from DDoS attacks
     • The infrastructure's weakest link: legacy Industrial Control Systems (ICS)
     • Operational Technology (OT) is different from Information Technology (IT)
     • The Internet of Things (IoT) broadens the attack surface
     • Mobile payment systems
  7. Evolution of Serverless Computing
     • Data Center: hardware is the unit of scale; abstracts the physical hosting environment.
     • IaaS: the operating system is the unit of scale; abstracts the hardware.
     • PaaS: the application is the unit of scale; abstracts the operating system.
     • Serverless: the function is the unit of scale; abstracts the language runtime.
     Serverless computing, also known as Function as a Service (FaaS), is a cloud computing code execution model in which the cloud provider fully manages starting and stopping the compute resources needed to serve requests, and requests are billed by an abstract measure of the resources required to satisfy them rather than per virtual machine per hour.
     Examples:
     • AWS Lambda, introduced in November 2014. Supports Node.js, Python and Java. A NoOps platform.
     • Google Cloud Functions supports Node.js.
     • IBM OpenWhisk, announced in 2016. Supports Node.js, Swift, Python, Java, and any language as a black box in a Docker container.
     • Microsoft Azure Functions, announced in 2016 while still under development.
     Source: https://en.wikipedia.org/wiki/Serverless_computing
  8. Serverless Computing: Functions as a Service (FaaS)
     Stack diagram, top to bottom: AWS Lambda; AWS APIs; Operating Systems; High Level Language; Assembly Code, Protocols; CDN, Database; CPU, Memory, Storage; Networking; Power.
     Building a NoOps, event-driven, rules-based infrastructure.
  9. Lambda Serverless Computing (diagrams: "How does AWS Lambda work" and "Use case")
     Source: https://aws.amazon.com/lambda/
  10. Serverless computing benefits
     • Infrastructure resources such as compute, storage and network are hidden and typically managed by the service provider; the specific resources are virtual and allocated at runtime.
     • Serverless computing frees you from managing virtual servers, operating systems, load balancers, and the software used to run application code. It eliminates management of the server stack and the planning that otherwise goes into scaling the stack up or down.
     • Provides significant cost savings if your application traffic is bursty. In traditional server architectures, bursty traffic means you must size servers for the maximum burst rate, and the rest of the time you pay for idle CPU cycles. A serverless architecture bills only for the CPU cycles you actually consume, and code runs only when needed.
     • Reduces the attack surface you own: the provider patches the OS and runtime, less of your own code is running, fewer entry points are exposed to untrusted users, and services requested by relatively few users can be eliminated. The function code, its dependencies and the IAM permissions granted to it remain your responsibility.
     • Reduces the amount of time the infrastructure resources are active running your business functions.
  11. Lambda Use Cases
     • Event-triggered transcoding of media files
     • Automated backup for disaster recovery
     • Security and compliance
     • Operational monitoring and dashboards
     • Support for IoT protocols such as MQTT, CoAP and STOMP
     • Developers can ingest, stream, query, store and analyze sensor data without writing complex code
     Note:
     • MQTT: Message Queue Telemetry Transport (http://mqtt.org/faq)
     • CoAP: Constrained Application Protocol (http://coap.technology/)
     • STOMP: Simple Text Oriented Messaging Protocol (https://stomp.github.io/)
  12. Security Controls and Compliance
     Many of these functions can be run in a serverless computing model:
     • Infrastructure security
     • DDoS mitigation
     • Inventory and configuration
     • Monitoring and logging
     • Identity and access control
     • Penetration testing
     • Vulnerability reporting
     • Fraud prevention
     • Security Incident and Event Management (SIEM) and analytics
  13. Introduction to a few AWS services for the demo
     • Compute: Amazon EC2, AWS Lambda, Elastic Load Balancing
     • Storage & CDN: Amazon S3, Amazon EFS, Amazon Glacier, Amazon CloudFront (Content Delivery Network)
     • Database: Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
     • Networking: Amazon VPC, Amazon Route 53
     • Management Tools: Amazon CloudWatch, AWS CloudFormation, AWS CloudTrail, AWS Config
     • Security & Identity: AWS IAM
     • Analytics: Amazon Elasticsearch Service, Amazon EMR, Amazon Kinesis, Amazon Machine Learning, AWS Data Pipeline
     Discover AWS products and services at: https://aws.amazon.com/products/
  14. Introduction to a few AWS services for the demo
     • AWS Lambda: an event-driven, serverless computing service that runs code in response to events and automatically manages the compute resources required by that code.
     • Amazon S3: object storage that makes data accessible from any Internet location.
     • Amazon DynamoDB: a managed NoSQL database offering very fast performance, seamless scalability and reliability.
     • Amazon EMR: a managed Hadoop service for running current versions of popular big data frameworks such as Apache Spark, Presto, HBase and Hive on fully customizable clusters.
     • Amazon Route 53: a highly available and scalable cloud Domain Name System (DNS) web service.
     • Amazon Elasticsearch Service: a managed service for Elasticsearch, a popular open-source search and analytics engine used for big data use cases such as log and clickstream analysis.
     • Amazon Kinesis Firehose: a fully managed service for delivering real-time streaming data to destinations such as Amazon S3, Amazon Redshift or Amazon ES.
     • Amazon Kinesis Streams: a way to collect and process large streams of data records in real time, from which you can build data-processing applications.
     • Amazon Kinesis Analytics: a way to process streaming data in real time with standard SQL, without learning new programming languages or processing frameworks.
     • Amazon Redshift: a fast, fully managed, petabyte-scale data warehouse that makes it simple and cost-effective to analyze all your data with your existing business intelligence tools.
     • Amazon Machine Learning: a managed service for building machine learning models and generating predictions.
     • Amazon EC2: virtual application servers, known as instances, for hosting websites or web applications.
  15. Lambda demo (console screenshot)
  16. Lambda demo (console screenshot)
  17. Lambda demo (console screenshot)
  18. Lambda demo: sample Lambda function (Python; the code is shown as a screenshot and is not reproduced in the transcript)
  19. Lambda demo: sample YAML (screenshot; not reproduced in the transcript)
  20. Lambda demo: Amazon Kinesis is a platform for streaming data on AWS. It offers services that make it easy to load and analyze streaming data, and it lets you build custom streaming data applications for specialized needs.
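     Slides 18 and 19 show a sample Python Lambda function and a YAML template that the transcript does not reproduce. What follows is an added example, not the deck's demo code: a Lambda handler that consumes one batch of records from an Amazon Kinesis stream, parses each record as a JSON authentication log line, and flags source IPs with repeated failed logins within the batch. It assumes the standard Kinesis event shape that Lambda delivers to a handler (Records[].kinesis.data, base64-encoded); the log-line fields (ts, src_ip, user, event), the threshold and the sample batch are constructed for illustration.

```python
"""Added example (not the deck's demo code): an AWS Lambda handler consuming a
batch of Amazon Kinesis records that carry JSON authentication log lines, and
flagging source IPs with repeated failed logins. Assumes the standard Kinesis
event shape Lambda delivers (Records[].kinesis.data is base64); the log fields
ts/src_ip/user/event and the threshold are hypothetical."""
import base64
import json
from collections import Counter

# Hypothetical detection rule: this many failed logins from one IP in a batch.
FAILED_LOGIN_THRESHOLD = 3


def decode_records(event):
    """Return (parsed log events, number of skipped records).

    Malformed records (bad base64, non-JSON, missing keys) are skipped and
    counted instead of raising: an unhandled exception makes Lambda retry the
    whole batch from the stream until the records expire, so one bad line would
    block every later record on that shard."""
    parsed, skipped = [], 0
    for record in event.get("Records", []):
        try:
            raw = base64.b64decode(record["kinesis"]["data"])
            parsed.append(json.loads(raw.decode("utf-8")))
        except (KeyError, TypeError, ValueError):  # binascii.Error, JSONDecodeError, UnicodeDecodeError are ValueErrors
            skipped += 1
    return parsed, skipped


def analyze(events):
    """Count failed logins per source IP; flag IPs at or above the threshold."""
    failures = Counter(
        e["src_ip"] for e in events
        if isinstance(e, dict) and e.get("event") == "login_failed" and "src_ip" in e
    )
    flagged = sorted(ip for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD)
    return {"events": len(events), "failed_logins": dict(failures), "flagged_ips": flagged}


def lambda_handler(event, context):
    """Entry point Lambda invokes once per batch from the Kinesis event source."""
    events, skipped = decode_records(event)
    summary = analyze(events)
    summary["skipped_records"] = skipped
    # A deployment would persist `summary` (DynamoDB, Elasticsearch, ...) or raise an alarm here.
    return summary


def make_kinesis_event(lines):
    """Build an event in the Kinesis->Lambda shape from raw lines (local testing only)."""
    return {"Records": [{"kinesis": {"data": base64.b64encode(line.encode()).decode()}}
                        for line in lines]}


# Constructed sample batch (documentation addresses, not real traffic).
SAMPLE_LINES = [
    json.dumps({"ts": "2016-11-30T10:00:01Z", "src_ip": "203.0.113.5", "user": "alice", "event": "login_failed"}),
    json.dumps({"ts": "2016-11-30T10:00:02Z", "src_ip": "203.0.113.5", "user": "bob", "event": "login_failed"}),
    json.dumps({"ts": "2016-11-30T10:00:03Z", "src_ip": "198.51.100.7", "user": "carol", "event": "login_failed"}),
    json.dumps({"ts": "2016-11-30T10:00:04Z", "src_ip": "203.0.113.5", "user": "carol", "event": "login_failed"}),
    json.dumps({"ts": "2016-11-30T10:00:05Z", "src_ip": "203.0.113.5", "user": "alice", "event": "login_ok"}),
    "this line is not JSON and must not abort the batch",
]

if __name__ == "__main__":
    print(json.dumps(lambda_handler(make_kinesis_event(SAMPLE_LINES), None), indent=2))
```

     Running the file locally feeds the constructed batch through the handler and prints the summary; in Lambda the same `lambda_handler` is wired to the stream through a Kinesis event source mapping. The one design choice worth copying is in `decode_records`: a poison record is counted and skipped rather than raised, because with a stream event source Lambda retries a failing batch until the records age out of the stream, which stalls the shard.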
  21. Lambda demo (console screenshot)
  22. Lambda demo (console screenshot)
  23. Lambda demo (console screenshot)
  24. The Evolution of Database Technologies (timeline)
     • 1960s: traditional files, punch cards, hierarchical and network databases
     • 1970s: relational
     • 1980s: object-oriented
     • 1990s: object-relational
     • 2000+: graph databases, wide column stores, document databases, key-value databases
     (The slide shows the logos of the respective products.)
  25. Introduction to Graph Database
     Property graph model (diagram): a graph database manages a graph; a graph records data in nodes and relationships; relationships connect nodes and have a direction; nodes and relationships both have properties, which are key-value pairs; a label describes a node; an index maps from properties to nodes; a traversal navigates the graph and identifies paths, which have an order.
     A graph database, also called a graph-oriented database, is a type of NoSQL database that uses graph theory to store, map and query relationships. A graph database is essentially a collection of nodes (vertices) and relationships (directed edges). Nodes and relationships have properties. Neo4j and Titan are examples of graph databases. Neo4j uses the Cypher query language.
     Properties of a graph DB: intuitiveness, speed, agility.
     Source: https://neo4j.com/
     Source: http://www.opencypher.org/
  26. Relational Database & Graph Database
     Example graph (diagram): nodes carrying a name property (Bob, Patty, Steve, Don, Jaaz, Linda, Betty, Amazon, AWS) and one with a car: Tesla property, connected by relationships such as Married to, Sister of, Likes, Listens to, Owns vehicle, Drives vehicle, Shops at and Sells.
  27. Relational Database & Graph Database
     Relational databases:
     • Tables: rows & columns
     • Attributes & relationships
     • Pre-defined structure and data types
     • Pre-computed
     • Pre-determined purpose
     • Limited context
     • Static
     RDBMS & SQL challenges:
     • Complex to model and store relationships
     • Performance degrades as data volume increases
     • Queries get long and complex
     • Maintenance is painful
     Graph databases:
     • Key-value
     • Nodes (vertices), edges (relationships), properties
     • Real-time
     • Dynamic structure
     • Highly contextual
     • Flexible and scalable
     Graph database benefits:
     • Easy to model and store relationships
     • Traversal cost depends on the size of the subgraph touched, not on total data size, so relationship traversal performance stays constant as the data grows
     • Queries are shorter and more readable
     • Additional properties and relationships can be added on the fly, i.e. no schema migrations
     Source: https://neo4j.com/
  28. Graph Database Use Cases
     • Advanced Persistent Threat (APT) detection
     • Fraud detection / discovery / prevention
     • Network & IT operations
     • Master data management
     • Identity & access management
     • Insider threat detection
     • Real-time recommendation engines
     • Data breach detection
     • Malware detection
     • Alert triage
     • Incident investigations
     • Threat intelligence analysis
     • Cyber situational awareness
     • Digital asset management / regulatory compliance
     • Social network models
     Source references: https://sqrrl.com/company/overview/ and https://neo4j.com/use-cases/
  29. Graph Database Use Case: Advanced Persistent Threat (APT) Detection
     APT: a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is usually to steal data rather than to damage the network or organization.
     Network diagram: routers, firewalls, switches, web servers, printers, DB servers, legacy systems, app servers, storage, mobile devices, end user devices, and Internet end points modelled as nodes.
     Common traits of breached networks:
     • Port-based firewall; URL filtering; WildFire
     • Static IPS
     • Zero-day malware used to manipulate platforms in the network
     • Identity credentials hijacked
     • Lateral movement throughout the network
     • DNS monitoring and sinkholing
  30. Graph Database Use Case: Fraud Detection / Prevention
     Traditional fraud analytics:
     • Hardware monitoring (endpoint-centric): analyze user devices and end points.
     • Navigation tracking (navigation-centric): analyze suspicious patterns.
     • Account targeting (account-centric): analyze anomalies within user account activity.
     Graph databases:
     • Link analysis (entity link analysis): analyze data relationships to detect fraud rings and collusion.
     • Multi-channel (cross-channel): analyze suspicious patterns correlated across accounts.
  31. Graph Database Use Case: Fraud Detection / Prevention (graph visualization)
     Graph database data model tool: Neo4j Browser
     Interactive graph visualization tool: Neo4j Browser / Cambridge Intelligence KeyLines
     Source: Neo4j GraphGist Network Dependency Graph. URL: http://neo4j.com/graphgist/github-neo4j-contrib%2Fgists%2F%2Fother%2FNetworkDataCenterManagement1.adoc#acme_s_network_inventory
  32. Graph Database Use Case: Network & IT Operations
     Network Operations Center (NOC). Purpose: manage, control and monitor network reliability and performance.
     Requirements:
     • Monitor the health of an entire network
     • Visualize and understand how each component correlates
     • Troubleshoot issues
     • Perform impact analysis
     • Model outage scenarios
     Key challenges:
     • Fragmented monitoring tools
     • Inability to correlate problems across different network domains
     • Stale or unreliable data in traditional correlation systems
     • Inefficiencies and high support costs
     Source: http://www.slideshare.net/neo4j/network-and-it-operations
     Security Operations Center (SOC). Purpose: detect, protect and investigate for security and loss prevention.
     Requirements:
     • Visualize the entire cyber posture
     • Identify vulnerabilities
     • Prevent attacks
     • Detect attacks
     • Investigate and reduce zero-day losses
     Key challenges:
     • Fragmented security tools, including firewalls, intrusion detection, vulnerability assessment and SIEM systems
     • Inability to visualize cyber posture
     • Difficult to predict intrusion impact
     • Harder to model scenarios
     Common security tools (many tools, a lot of information, little context): security intelligence, firewall manager, intrusion detection system, vulnerability scanner, Security Incident and Event Management (SIEM) system.
     CyGraph model layers: Network Infrastructure (segmentation, topology, sensors); Cyber Posture (configurations, vulnerabilities, policy rules); Cyber Threats (campaigns, actors, incidents, tactics, techniques & procedures); Mission Dependencies (objectives, activities, tasks, information).
     Source: https://neo4j.com/blog/cygraph-cybersecurity-situational-awareness/
  33. Graph Database Use Case: Network & IT Operations (graph visualization)
     Graph database data model tool: Neo4j Browser
     Interactive graph visualization tool: Neo4j Browser / Cambridge Intelligence KeyLines
     Source: Neo4j GraphGist Network Dependency Graph. URL: http://neo4j.com/graphgist/github-neo4j-contrib%2Fgists%2F%2Fother%2FNetworkDataCenterManagement1.adoc#acme_s_network_inventory
  34. Graph Database Use Case: Master Data Management
     Entity diagram: Employee, Product, Supplier, Partner, Company and Customer nodes linked by relationships such as Works at, Has, Produces and Sells to.
     Requirements:
     • Support hierarchical and matrix data structures.
     • Provide support for complex data relationships.
     • Continually accommodate new data and relationships.
     • Maintain fidelity between the real world, the data model, and how the data is stored.
     Key challenges:
     • Inflexible, pre-defined data structures.
     • Lack of support for hierarchical or matrix data relationships.
     • Inability to model complex data structures and complex relationships.
     • Real-world master data is not hierarchical; it is a graph.
  35. Integrated Cybersecurity Architecture (diagram)
     Pipeline stages and the services placed in each:
     • Data collection: IoT computing devices via AWS IoT (raw IoT data); site data (raw site data, site data to be processed)
     • Ingest / data streams: Amazon Kinesis Streams, Amazon Kinesis Firehose
     • Raw data: S3 bucket with objects
     • Process data / ETL: Spark on Amazon EMR, AWS Lambda
     • Processed data stores: Amazon Redshift, Amazon DynamoDB, graph DB, object DB, document DB, Amazon Elasticsearch Service
     • Analytics, decision support, prediction and visualization: Amazon QuickSight, Neo4j Browser
     • Monitoring
  36. Integrated Cybersecurity Architecture (diagram)
     The same pipeline as slide 35, with Amazon CloudWatch and AWS CloudTrail added for monitoring and KeyLines added alongside Neo4j Browser for visualization.
  37. Conclusion
     • Serverless computing
     • Introduction to AWS services & products
     • Demo of serverless computing
     • Graph databases
     • Use cases
     • Solving cybersecurity challenges using serverless and graph database technologies
     • Integrated cybersecurity architecture
  38. Inspired by the following references
     • Amazon Web Services Products & Services. URL: https://aws.amazon.com/products/?hp=tile&so-exp=below
     • Neo4j Products. URL: https://neo4j.com/product/
     • Neo4j GraphGist wiki. URL: https://github.com/neo4j-contrib/graphgist/wiki
     • Visualization tool: KeyLines by Cambridge Intelligence. URL: http://cambridge-intelligence.com/keylines/
     • Sqrrl Threat Hunting. URL: https://sqrrl.com/
     • CyGraph: Cybersecurity Situational Awareness That's More Scalable, Flexible & Comprehensive, by Steven Noel, Cybersecurity Researcher, MITRE. URL: https://neo4j.com/blog/cygraph-cybersecurity-situational-awareness/
     • Graph Database wiki. URL: https://en.wikipedia.org/wiki/Graph_database
     • ANTLR (Another Tool for Language Recognition). URL: http://www.antlr.org/
     • MITRE CAPEC: Common Attack Pattern Enumeration and Classification. URL: https://capec.mitre.org/
  39. Q&A
     Thank you. sukumar.nayak@gmail.com, 240.506.2305, linkedin.com/in/sukumarnayak/
  40. Backup
  41. Foundation: Multiple Layers of Security (diagram)
  42. Comparison of Database Technologies (table, one entry per technology)
     Relational
     • Definition: relational data model; tables of rows & columns; unique (primary) key per row; relationships defined through foreign keys; indexed on attributes & relations; proposed by E.F. Codd in 1970.
     • Data model: relational; vertical scaling; SQL language.
     • Examples: Oracle, Microsoft SQL Server, MySQL, IBM DB2, IBM Informix, SAP Sybase, Teradata.
     • Strengths: simple data structure; ACID; limits duplication of data; transactional processing.
     • Weaknesses: poor representation of real-world entities; lack of flexibility & scalability; difficult to model complex data types.
     Object-Oriented
     • Definition: information is presented in the form of objects as used in object-oriented programming; properties: encapsulation, polymorphism and inheritance.
     • Data model: object-oriented.
     • Examples: Objectivity/DB, ObjectStore, JADE, VOD (Versant Object Database), Apple WebObjects EOF.
     • Strengths: can store complex data and relationships; ease of coding; pointer references.
     • Weaknesses: performance; high memory utilization.
     Object-Relational
     • Data model: object-relational (hybrid model). (The remaining cells are not legible in the transcript.)
     Key-Value
     • Definition: key-value; schema-less DB; the data/value is opaque.
     • Data model: collection of key-values; multi-structured; horizontal scaling.
     • Examples: Riak, Redis, Amazon SimpleDB, Amazon DynamoDB.
     • Strengths: flexibility, scalability & superior performance; BASE; tolerant of incomplete data.
     • Weaknesses: stored data has no schema; query performance.
     Document-oriented
     • Definition: stores data in documents, typically in JavaScript Object Notation (JSON) structure; key-value collections.
     • Data model: key-value; multi-structured; horizontal scaling.
     • Examples: MongoDB, CouchDB, Amazon DynamoDB.
     • Strengths: can query on any field in the document.
     • Weaknesses: no standard query syntax.
     Columnar
     • Definition: tables of rows and columns; the number of columns is not fixed per record; columns are created for each row.
     • Data model: column families; key-value.
     • Examples: HP Enterprise Vertica, HBase, Cassandra, SAP HANA.
     • Strengths: fast look-ups.
     • Weaknesses: very low-level API; not easy to cluster.
     Graph
     • Definition: stores data in graph models; nodes, edges & properties; social network connections; traverses relationships.
     • Data model: property graph; multi-structured; horizontal scaling.
     • Examples: Neo4j, InfiniteGraph, Giraph, InfoGrid.
     • Strengths: close to real-world models; scalability; graph algorithms such as shortest path.
     • Weaknesses: may need to traverse the whole graph to get an answer.
     ACID: Atomicity, Consistency, Isolation, Durability. BASE: Basically Available, Soft state, Eventual consistency.
  43. Graph Databases
     • Apache TinkerPop (a graph computing framework used on top of graph databases rather than a database itself)
     • InfiniteGraph
     • Neo4j
     • Oracle Spatial and Graph
     • SAP HANA
     • Sqrrl
     • Teradata Aster
  44. APT Intrusion Kill Chain
     • Reconnaissance: research, identification & selection of targets. Activities: harvesting email addresses, social networking, passive search, IP discovery, port scans.
     • Weaponization: pairing malware with an exploit into a payload. Activities: payload creation, malware.
     • Delivery: transmission of the weapon to the target. Activities: delivery system, decoys, spear phishing, infected website, service provider.
     • Exploitation: triggering the weapon's code. Activities: activation, execute code, establish foothold, third-party exploitation.
     • Installation: installing a backdoor on the target system that allows persistent access. Activities: trojan or backdoor, escalate privileges, rootkit, establish persistence.
     • Command & Control: remote control of internal servers from outside. Activities: command channel, lateral movement, internal reconnaissance, maintain persistence.
     • Actions on Target: achieving the objectives of the intrusion. Activities: expand compromise, consolidate persistence, data exfiltration.
  45. Graph Database Use Case: Identity & Access Management
     Diagram: people (name: Bob, name: Patty) linked by Trusts relationships; each person Has account (Account: AC# 123, AC# 456, AC# 789); accounts are Member_Of groups (Group: Grp 1, Group: Admin); a group is Assigned role (Role: Admin); groups and roles Have access to or Have no access to the Payroll System.
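     The property graph of slide 25 and the traversals behind the IAM use case above (slide 45) and the fraud link analysis of slide 30, as an added example in plain Python that is not code from the deck or from Neo4j. The graph, the relationship type names (HAS_ACCOUNT, MEMBER_OF, ASSIGNED_ROLE, HAS_ACCESS_TO, HAS_NO_ACCESS_TO, USES), the accounts and the phone number are constructed to resemble the slide-45 diagram; the deny rule (an explicit "has no access to" edge on a principal's path overrides a grant further up the chain) is an assumption about the diagram's semantics, and the example goes beyond the slide by also computing fraud rings as connected components.

```python
"""Added example (not code from the deck or from Neo4j): a minimal property graph
with labelled nodes, directed typed relationships and key-value properties, plus
two traversals from the deck's use cases. Data and relationship names are
constructed to resemble the slide-45 IAM diagram."""
from collections import defaultdict, deque


class PropertyGraph:
    """Every node keeps its own adjacency lists, so a traversal costs in proportion
    to the edges it walks, not to the total size of the graph (index-free adjacency)."""

    def __init__(self):
        self.nodes = {}               # node id -> {"label": str, "props": dict}
        self.out = defaultdict(list)  # node id -> [(rel_type, dst)]
        self.inc = defaultdict(list)  # node id -> [(rel_type, src)]

    def add_node(self, node_id, label, **props):
        self.nodes[node_id] = {"label": label, "props": props}

    def add_rel(self, src, rel_type, dst):
        self.out[src].append((rel_type, dst))
        self.inc[dst].append((rel_type, src))

    def traverse(self, start, rel_types, direction="out"):
        """Breadth-first walk along relationships whose type is in rel_types.
        direction is "out", "inc" (follow edges backwards) or "both".
        Returns {reached node: path from start}, including start itself."""
        def edges(n):
            if direction == "out":
                return self.out[n]
            if direction == "inc":
                return self.inc[n]
            return self.out[n] + self.inc[n]

        paths, queue = {start: [start]}, deque([start])
        while queue:
            cur = queue.popleft()
            for rel_type, nxt in edges(cur):
                if rel_type in rel_types and nxt not in paths:
                    paths[nxt] = paths[cur] + [nxt]
                    queue.append(nxt)
        return paths


# Identity & Access Management (slide 45): person -HAS_ACCOUNT-> account
# -MEMBER_OF-> group -ASSIGNED_ROLE-> role -HAS_ACCESS_TO-> system.
ACCESS_CHAIN = {"HAS_ACCOUNT", "MEMBER_OF", "ASSIGNED_ROLE", "HAS_ACCESS_TO"}


def who_can_access(g, system):
    """Map each Person with an effective path to `system` onto that path, walking
    the access chain backwards from the system. Assumed deny semantics: a node on
    the path with an explicit HAS_NO_ACCESS_TO edge to the system loses access."""
    denied = {src for rel_type, src in g.inc[system] if rel_type == "HAS_NO_ACCESS_TO"}
    result = {}
    for node, path in g.traverse(system, ACCESS_CHAIN, direction="inc").items():
        if g.nodes[node]["label"] == "Person" and not denied.intersection(path):
            result[node] = list(reversed(path))  # person -> ... -> system
    return result


def fraud_rings(g, min_size=2):
    """Entity link analysis (slide 30): accounts connected through a shared
    identifier (USES edges to a phone, address, ...) in either direction form one
    component; components with at least min_size accounts are candidate rings."""
    seen, rings = set(), []
    for node, data in g.nodes.items():
        if data["label"] != "Account" or node in seen:
            continue
        component = g.traverse(node, {"USES"}, direction="both")
        accounts = sorted(n for n in component if g.nodes[n]["label"] == "Account")
        seen.update(accounts)
        if len(accounts) >= min_size:
            rings.append(accounts)
    return sorted(rings)


def build_sample_graph():
    """Constructed data resembling the slide-45 diagram plus a small fraud ring."""
    g = PropertyGraph()
    for person in ("Bob", "Patty", "Steve"):
        g.add_node(person, "Person", name=person)
    g.add_rel("Bob", "TRUSTS", "Patty")
    for acct, owner in (("AC#123", "Bob"), ("AC#456", "Patty"), ("AC#789", "Steve")):
        g.add_node(acct, "Account", number=acct)
        g.add_rel(owner, "HAS_ACCOUNT", acct)
    for group in ("Grp 1", "Admin"):
        g.add_node(group, "Group", name=group)
    g.add_node("Role: Admin", "Role", name="Admin")
    g.add_node("Payroll System", "System", name="Payroll")
    g.add_rel("AC#123", "MEMBER_OF", "Grp 1")
    g.add_rel("AC#789", "MEMBER_OF", "Grp 1")
    g.add_rel("AC#456", "MEMBER_OF", "Admin")
    g.add_rel("Admin", "ASSIGNED_ROLE", "Role: Admin")
    g.add_rel("Role: Admin", "HAS_ACCESS_TO", "Payroll System")
    g.add_rel("Grp 1", "HAS_ACCESS_TO", "Payroll System")
    g.add_rel("AC#789", "HAS_NO_ACCESS_TO", "Payroll System")  # explicit deny for Steve's account
    # Fraud ring: two extra accounts share a (constructed) phone number with AC#123.
    g.add_node("+1-555-0100", "Phone")
    for acct in ("AC#900", "AC#901"):
        g.add_node(acct, "Account", number=acct)
    for acct in ("AC#123", "AC#900", "AC#901"):
        g.add_rel(acct, "USES", "+1-555-0100")
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    for person, path in who_can_access(graph, "Payroll System").items():
        print(person, "->", " -> ".join(path[1:]))
    print("candidate fraud rings:", fraud_rings(graph))
```

     Both queries start from a single node and follow only the relationship types they care about, which is the point slide 27 makes about traversal cost: the walk from the Payroll System touches one role, two groups and three accounts regardless of how many other people, accounts and systems the graph holds, whereas the equivalent SQL joins the person, account, membership, role and grant tables in full. In Neo4j the access query is one variable-length pattern, MATCH (p:Person)-[:HAS_ACCOUNT|MEMBER_OF|ASSIGNED_ROLE|HAS_ACCESS_TO*]->(s:System {name: 'Payroll'}) RETURN p, and the deny check is a second pattern excluded with WHERE NOT.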
  46. Graph Database Use Case: Real-Time Recommendation Engines
     Diagram: Bob (name: Bob) Searches for delivery options and a price range, Checks product recalls, and Looks for the return policy and for blogs; Patty (name: Patty) is Friend with Bob, has Bought a product, and Writes at a blog.