Solving Cybersecurity challenges with Serverless Architecture and Graph Database Technologies

Sukumar Nayak, Executive Advisor, Cloud, Security & Big Data
Date: 30th Nov, 2016
ISACA National Capital Area Chapter

Disclaimer: The opinions expressed in this presentation are my own and not necessarily those of my employer. Sources of my research are from publicly available materials, with the appropriate source URL noted on the slides.



Agenda
• Top Cybersecurity challenges in 2016
• NIST Cybersecurity Framework
• Serverless Architecture
• Introduction to a few AWS Services
• Serverless Demo using AWS Lambda
• The Evolution of Database Technologies
• Introduction to Graph Database
• Relational Database & Graph Database
• Graph Database Use Cases
• Integrated Cybersecurity Architecture
• Q&A

The cost of cybercrime is projected to reach $2 Trillion by 2019.

According to a recent Forbes report in 2016: http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#314848a13bb0

Top Cybersecurity Challenges 2016

Source: http://www2.proficio.com/l/16302/2016-01-11/26hfxb/16302/96677/Proficio2016Survey.pdf

NIST Cyber Security Framework

Source: https://www.nist.gov/cyberframework
URL: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST Cyber Security Framework: the five core functions and their categories

• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
• Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications

Where are the fault lines…

• Identify:
  • Hackers in the basement
  • State-enabled actors
  • Not limited by geographical boundary
  • Lack of visibility and lack of correlation

• Protect, Detect, Respond & Recover:
  • Not prepared to protect or detect sophisticated attacks
  • Poorly regulated infrastructures
  • Lack of agility
  • Lack of predefined relationships/correlation
  • Disruptions from DDoS attacks
  • Infrastructure's weakest link: legacy Industrial Control Systems (ICS)
  • Operational Technology is different from Information Technology
  • Internet of Things (IoT) broadens the attack surface
  • Mobile payment systems

Evolution of Serverless Computing: Data Center, IaaS, PaaS, Serverless

• Data Center: hardware as the unit of scale. Abstracts the physical hosting environment.
• IaaS: operating system as the unit of scale. Abstracts the hardware.
• PaaS: application as the unit of scale. Abstracts the Operating System.
• Serverless: functions as the unit of scale. Abstracts the language runtime.

Serverless computing, also known as Function as a Service (FaaS), is a cloud computing code execution model in which the cloud provider fully manages starting and stopping virtual machines as necessary to serve requests, and requests are billed by an abstract measure of the resources required to satisfy the request, rather than per virtual machine, per hour.

Examples:
• AWS Lambda, introduced in Nov 2014. Supports Node.js, Python and Java. A NoOps platform.
• Google Cloud Functions supports Node.js.
• IBM OpenWhisk, announced in 2016. Supports Node.js, Swift, Python, Java, and any language as a black box on a Docker container.
• Microsoft Azure Functions, announced as an under-development technology in 2016.

Source: https://en.wikipedia.org/wiki/Serverless_computing

Serverless Computing: Functions as a Service (FaaS) with AWS Lambda

(Slide diagram of the stack a Lambda function sits on, listed as: AWS APIs; Operating Systems; High Level Language; Assembly Code, Protocols; CDN, Database; CPU, Memory, Storage; Networking; Power; Building. Lambda serverless computing is labelled as NoOps, event-driven, rules-based infrastructure.)

Source: https://aws.amazon.com/lambda/

How does AWS Lambda Work: Use Case

(Slide diagram only.)

Serverless computing benefits
• Infrastructure resources such as Compute, Storage and Network are hidden; they are typically managed by a service provider, and the specific resources are virtual and decided at runtime.
• Serverless computing frees you from the management of virtual servers, operating systems, load balancers, and the software used to run application code. It eliminates the management of the server stack and any concerns/planning that have to go into the potential scaling up or down of the stack.
• Provides significant cost savings if your application traffic is extra bursty. In traditional server architectures, bursty traffic means that you must build your server to handle maximum burst rates. But the rest of the time, you are wasting money with idle CPU cycles. Instead of having to pay for that idleness, a serverless architecture lets you pay only for the CPU cycles you actually consume, and code is only run when needed.
• Reduces the attack surface by reducing the amount of code running, reducing the entry points available to untrusted users, and eliminating services requested by relatively few users.
• Reduces the amount of time the infrastructure resources are active, running your business functions.

Lambda Use Cases
• Event-triggered transcoding of media files
• Automated backup for Disaster Recovery
• Security and Compliance
• Operational Monitoring and Dashboards
• Support for IoT protocols such as MQTT, CoAP, and STOMP
• Developers will be able to ingest, stream, query, store and analyze sensor data without writing complex code

Note:
• MQTT: Message Queue Telemetry Transport (http://mqtt.org/faq)
• CoAP: Constrained Application Protocol (http://coap.technology/)
• STOMP: Simple Text Oriented Messaging Protocol (https://stomp.github.io/)

Security Controls and Compliance

Many of these functions can be run in the Serverless computing model:
• Infrastructure Security
• DDoS Mitigation
• Inventory and Configuration
• Monitoring and Logging
• Identity and Access Control
• Penetration Testing
• Report Vulnerabilities
• Fraud Prevention
• Security Incident and Event Management (SIEM) and Analytics

Introduction of a few AWS Services for the demo

• Compute: Amazon EC2; AWS Lambda; Elastic Load Balancing
• Storage & CDN (Content Delivery Network): Amazon CloudFront; Amazon EFS; Amazon S3; Amazon Glacier
• Database: Amazon DynamoDB; Amazon ElastiCache; Amazon Redshift
• Networking: Amazon VPC; Amazon Route 53
• Management Tools: Amazon CloudWatch; AWS CloudFormation; AWS CloudTrail; AWS Config
• Security & Identity: AWS IAM
• Analytics: Amazon Elasticsearch Service; Amazon EMR; Amazon Kinesis; Amazon Machine Learning; AWS Data Pipeline

Discover AWS Products and Services at: https://aws.amazon.com/products/

Introduction to a few AWS Services for the demo

• AWS Lambda: An event-driven, serverless computing platform/service that runs code in response to events and automatically manages the compute resources required by that code.
• Amazon S3: Provides object storage to make data accessible from any Internet location.
• Amazon DynamoDB: A managed NoSQL database that offers extremely fast performance, seamless scalability and reliability.
• Amazon EMR: A managed Hadoop service that allows you to run the latest versions of popular big data frameworks such as Apache Spark, Presto, HBase, Hive, and more, on fully customizable clusters.
• Amazon Route 53: A highly available and scalable cloud Domain Name System (DNS) web service.
• Amazon Elasticsearch Service: A popular open-source search and analytics engine for big data use cases such as log and clickstream analysis.
• Amazon Kinesis Firehose: A fully managed service for delivering real-time streaming data to destinations such as Amazon S3, Amazon Redshift, or Amazon ES.
• Amazon Kinesis Streams: A way to collect and process large streams of data records in real time, from which you can create data-processing applications.
• Amazon Kinesis Analytics: A way to process streaming data in real time with standard SQL, without having to learn new programming languages or processing frameworks.
• Amazon Redshift: A fast, fully managed, petabyte-scale data warehouse that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools.
• Amazon Machine Learning: A managed service for building machine learning models and generating predictions.
• Amazon EC2: Provides the virtual application servers, known as instances, to host websites or web applications.

Lambda demo

(Demo slides: screenshots, including a sample Lambda function in Python and a sample YAML file.)

Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data, and also providing the ability for you to build custom streaming data applications for specialized needs.
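The demo slides carry screenshots only, so here is an added example, not the presentation's demo code: a Python Lambda handler for the Kinesis Streams to Lambda stage of the pipeline the deck describes. It decodes a batch of constructed JSON authentication log records the way Kinesis delivers them and flags any source with repeated failed logins. The field names, the threshold and the sample records are assumptions made for this example; writing findings to DynamoDB is left as a comment.

```python
"""Added example, not the presentation's demo code: a Lambda handler for the
Kinesis Streams -> Lambda stage of the page's pipeline. Field names, threshold
and sample records are assumptions constructed for this example."""
import base64
import json
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 3   # assumed policy: 3+ failures from one source per batch


def decode_kinesis_records(event):
    """Kinesis hands Lambda each record base64-encoded under
    event['Records'][i]['kinesis']['data']; yield the decoded JSON documents."""
    for record in event.get("Records", []):
        raw = base64.b64decode(record["kinesis"]["data"])
        try:
            yield json.loads(raw)
        except ValueError:
            # Malformed record: skip it rather than raise, because an erroring
            # Lambda is retried and blocks the shard behind the bad record.
            continue


def find_failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Count failed logins per source IP; flag sources at or above threshold."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for rec in records:
        if rec.get("event") == "login" and rec.get("result") == "failure":
            failures[rec["src_ip"]] += 1
            users[rec["src_ip"]].add(rec.get("user", "?"))
    return [{"src_ip": ip, "failures": n, "users": sorted(users[ip]),
             "finding": "repeated failed logins from one source"}
            for ip, n in failures.items() if n >= threshold]


def lambda_handler(event, context):
    """Lambda entry point. Returns the batch's findings; a deployment would also
    write them to DynamoDB (boto3 Table.put_item) and raise an alert."""
    findings = find_failed_login_bursts(decode_kinesis_records(event))
    return {"records_seen": len(event.get("Records", [])), "findings": findings}


def build_sample_event(documents):
    """Wrap constructed JSON documents the way Kinesis delivers them to Lambda."""
    return {"Records": [{"kinesis": {"data": base64.b64encode(
        json.dumps(doc).encode()).decode()}} for doc in documents]}


# Constructed sample batch: four failures from one source, one success elsewhere.
SAMPLE_LOGS = [
    {"event": "login", "result": "failure", "src_ip": "203.0.113.7", "user": "bob"},
    {"event": "login", "result": "failure", "src_ip": "203.0.113.7", "user": "patty"},
    {"event": "login", "result": "failure", "src_ip": "203.0.113.7", "user": "steve"},
    {"event": "login", "result": "success", "src_ip": "198.51.100.2", "user": "linda"},
    {"event": "login", "result": "failure", "src_ip": "203.0.113.7", "user": "don"},
]

if __name__ == "__main__":
    print(json.dumps(lambda_handler(build_sample_event(SAMPLE_LOGS), None), indent=2))
```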

The Evolution of Database Technologies

(Slide timeline spanning the 1960s, 1970s, 1980s, 1990s and 2000+, showing: Traditional files; Punch cards; Hierarchical; Network; Relational; Object-Oriented; Object-Relational; Graph Databases; Wide Column Store; Document Databases; Key-Value Databases.)

Note: Logos of the respective companies.

Introduction to Graph Database

(Slide diagram of the property graph model, with labelled relations among Graph Database, Graph, Nodes, Relationships, Properties, Key-Value Pair, Label, Direction, Index, Traversal and Paths: a Graph Database manages a Graph; a Graph records data in Nodes and Relationships; Relationships connect Nodes; Nodes and Relationships have Properties; a Property is a Key-Value Pair; a Label describes; a Direction orients; an Index maps from Properties; a Traversal navigates the Graph and identifies Paths; Paths order a Traversal.)

A graph database, also called a graph-oriented database, is a type of NoSQL database that uses graph theory to store, map and query relationships.

A graph database is essentially a collection of nodes (vertexes) and relationships (directed edges).

Nodes and Relationships have properties.

Neo4j & TITAN are examples of graph databases.

Neo4j uses the Cypher query language. Properties of Graph DB: Intuitiveness, Speed, Agility.

Source: https://neo4j.com/ Source: http://www.opencypher.org/

Relational Database & Graph Database

(Slide example graph: person nodes Bob, Patty, Steve, Don, Linda and Betty, a car node Tesla, and nodes Jaaz, AWS and Amazon, connected by relationships such as Married to, Sister of, Listens to, Likes, Owns vehicle, Drives vehicle, Shops at and Sells.)

Relational Database & Graph Database

Relational Databases
• Tables: Rows & Columns
• Attributes & Relationships
• Pre-defined structure and data types
• Pre-computed
• Pre-determined purpose
• Limited context
• Static

RDBMS & SQL Challenges:
• Complex to model and store relationships
• Performance degrades when data volume increases
• Queries get long and complex
• Maintenance is painful

Graph Databases
• Key-Value
• Nodes (Vertex), Edges (Relationship), Properties
• Real-time
• Dynamic structure
• Highly contextual
• Flexible and scalable

Graph Database Benefits
• Easy to model and store relationships
• Performance of relationship traversal remains constant with growth in data size
• Queries are shortened and more readable
• Adding additional properties and relationships can be done on the fly, i.e. no schema migrations

Source: https://neo4j.com/

Graph Database Use Cases
• Advanced Persistent Threat (APT) Detection
• Fraud Detection/Discovery/Prevention
• Network & IT Operations
• Master Data Management
• Identity & Access Management
• Insider Threat Detection
• Real-Time Recommendation Engines
• Data Breach Detection
• Malware Detection
• Alert Triage
• Incident Investigations
• Threat Intelligence Analysis
• Cyber Situational Awareness
• Digital Asset Management / Regulatory Compliance
• Social Network Models

Source references: https://sqrrl.com/company/overview/ and https://neo4j.com/use-cases/

Graph Database Use Case: Advanced Persistent Threat (APT) Detection

APT: A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

(Slide diagram: a network of routers, firewalls, switches, web servers, app servers, DB servers, storage, printers, legacy systems, mobile devices and end user devices, reached from Internet endpoints.)

Common traits for breached networks
• Port based firewall; URL Filtering; WildFire
• Static IPS
• Zero Day Malware used to manipulate platforms in the network
• Identity credentials hijacked
• Lateral movement throughout network
• DNS monitoring and sink-holing

Graph Database Use Case: Fraud Detection/Prevention

Traditional Fraud Analytics
• Hardware Monitoring (endpoint-centric): Analyze user devices and endpoints.
• Navigation Tracking (navigation-centric): Analyze suspicious patterns.
• Account Targeting (account-centric): Analyze anomalies within user account activity.

Graph Databases
• Link Analysis (entity link analysis): Analyze data relationships to detect fraud rings and collusions.
• Multi-Channel (cross-channels): Analyze suspicious patterns correlated across accounts.

Graph Database Use Case: Fraud Detection/Prevention

Graph Database Data Model Tool: Neo4j Browser
Interactive Graph Visualization Tool: Neo4j Browser / Cambridge Intelligence KeyLines

Source: Neo4j GraphGist Network Dependency Graph. URL: http://neo4j.com/graphgist/github-neo4j-contrib%2Fgists%2F%2Fother%2FNetworkDataCenterManagement1.adoc#acme_s_network_inventory

Graph Database Use Case: Network & IT Operations

Requirements
• Monitor health of an entire network
• Visualize and understand how each component correlates
• Troubleshoot issues
• Perform impact analysis
• Model outage scenarios

Key Challenges
• Fragmented monitoring tools
• Inability to correlate problems in different network domains
• Stale or unreliable data in traditional correlation systems
• Inefficiencies and high support costs

Network Operations Center (NOC) Purpose: Manage, Control, and Monitor Network Reliability and Performance

Source: http://www.slideshare.net/neo4j/network-and-it-operations

Security Operations Center (SOC) Purpose: Detect, Protect, and Investigate for Security and Loss Prevention

Requirements
• Visualize the entire cyber posture
• Identify vulnerabilities
• Prevent attacks
• Detect attacks
• Investigate and reduce zero-day losses

Key Challenges
• Fragmented security tools, including firewalls, intrusion detection, vulnerability assessment and SIEM systems
• Inability to visualize cyber postures
• Difficult to predict intrusion impact
• Harder to model scenarios

Common Security Tools: Many Tools, Lots of Information, Little Context
• Security Intelligence
• Firewall Manager
• Intrusion Detection System
• Vulnerability Scanner
• Security Incident and Event Management (SIEM) system

Network Infrastructure: Segmentation; Topology; Sensors
Cyber Posture: Configurations; Vulnerabilities; Policy Rules
Cyber Threats: Campaigns; Actors; Incidents; Tactics, Techniques & Procedures
Mission Dependencies: Objectives; Activities; Tasks; Information

Source: https://neo4j.com/blog/cygraph-cybersecurity-situational-awareness/

Graph Database Data Model Tool: Neo4j Browser
Interactive Graph Visualization Tool: Neo4j Browser / Cambridge Intelligence KeyLines

Graph Database Use Case: Network & IT Operations

Source: Neo4j GraphGist Network Dependency Graph. URL: http://neo4j.com/graphgist/github-neo4j-contrib%2Fgists%2F%2Fother%2FNetworkDataCenterManagement1.adoc#acme_s_network_inventory

Graph Database Use Case: Master Data Management

(Slide example graph: nodes Company, Employee, Product, Supplier, Partner and Customer, connected by relationships Work at, Has, Produces and Sells to.)

Requirements
• Support hierarchical and matrix data structures.
• Provide support for complex data relationships.
• Continually accommodate new data and relationships.
• Maintain fidelity between the real world, the data model, and how the data is stored.

Key Challenges
• Inflexible pre-defined data structures.
• Lack of support for hierarchical or matrix data relationships.
• Inability to model complex data structures and complex relationships.
• Real world Master Data is not hierarchical; it is a graph model.

Integrated Cybersecurity Architecture

(Slide diagram of the pipeline, with these stages and components:)
• Sources: IoT and Computing Devices, producing IoT Data and Site Data
• Ingest Data Streams / Monitoring / Data Collection: AWS IoT, Amazon Kinesis Firehose, Amazon Kinesis Streams
• Raw Data: S3 bucket with objects (Raw IoT Data, Raw Site Data, Site Data to be processed)
• Process Data / ETL: Spark on EMR, AWS Lambda
• Processed Data: Amazon Redshift, Amazon DynamoDB, Graph DB, Object DB / Document DB, Amazon Elasticsearch Service
• Analytics / Visualization / Prediction / Decision Support: Amazon QuickSight, Neo4j Browser

Integrated Cybersecurity Architecture

(Second slide of the same pipeline: IoT and Computing Devices feed AWS IoT, Amazon Kinesis Firehose and Amazon Kinesis Streams; raw IoT and site data land in an S3 bucket with objects; Spark on EMR and AWS Lambda process the data into Amazon Redshift, Amazon DynamoDB, a Graph DB, an Object DB / Document DB and Amazon Elasticsearch Service; Amazon QuickSight, Neo4j Browser and KeyLines provide analytics, visualization, prediction and decision support. This view adds Amazon CloudWatch and AWS CloudTrail for monitoring.)

Conclusion
• Serverless Computing
• Introduction to AWS Services & Products
• Demo of Serverless Computing
• Graph Database
• Use Cases
• Solving Cybersecurity Challenges using Serverless and Graph Database Technologies
• Integrated Cybersecurity Architecture

Inspired by the following References
• Amazon Web Services Products & Services. URL: https://aws.amazon.com/products/?hp=tile&so-exp=below
• Neo4j Products. URL: https://neo4j.com/product/
• Neo4j GraphGist wiki. URL: https://github.com/neo4j-contrib/graphgist/wiki
• Visualization Tool: KeyLines by Cambridge Intelligence. URL: http://cambridge-intelligence.com/keylines/
• Sqrrl Threat Hunting. URL: https://sqrrl.com/
• CyGraph: Cybersecurity Situational Awareness That's More Scalable, Flexible & Comprehensive, by Steven Noel, Cybersecurity Researcher, MITRE. URL: https://neo4j.com/blog/cygraph-cybersecurity-situational-awareness/
• Graph Database wiki. URL: https://en.wikipedia.org/wiki/Graph_database
• ANTLR (Another Tool for Language Recognition). URL: http://www.antlr.org/
• MITRE CAPEC: Common Attack Pattern Enumeration and Classification. URL: https://capec.mitre.org/

Q&A

Thank you

[email protected]/in/sukumarnayak/

Backup

Foundation: Multiple Layers of Security

(Slide diagram only.)

Comparison of Database Technologies (Relational, Object-Oriented, Object-Relational, Key-Value, Document-oriented, Columnar, Graph), by Definition, Data Model, Example, Strength and Weakness

Relational
• Definition: Relational data model. Tables: rows & columns. Unique (primary) key for rows. Relationships defined through foreign keys. Indexed on attributes & relations. Proposed by E.F. Codd in 1970.
• Data Model: Relational; vertical scaling; SQL language
• Example: Oracle, Microsoft SQL Server, MySQL, IBM DB2, IBM Informix, SAP Sybase, Teradata
• Strength: Simple data structure; ACID; limits duplication of data; transactional processing
• Weakness: Poor representation of real world entities; lack of flexibility & scalability; difficult to model complex data types

Object-Oriented
• Definition: Information is presented in the form of objects as used in object-oriented programming. Properties: encapsulation, polymorphism, and inheritance.
• Data Model: Object-oriented
• Example: Objectivity/DB, ObjectStore, JADE, VOD: Versant Object Database, Apple WebObjects EOF
• Strength: Can store complex data and relationships; ease of coding; pointer references
• Weakness: Performance; high memory utilization

Object-Relational
• Data Model: Object-relational (hybrid model)

Key-Value
• Definition: Key-Value. Schemaless DB. Data/value is opaque.
• Data Model: Collection of key-values; multi-structured; horizontal scaling
• Example: Riak, Redis, Amazon SimpleDB, Amazon DynamoDB
• Strength: Flexibility, scalability & superior performance; BASE
• Weakness: Stored data has no schema

Document-oriented
• Definition: Stores data in documents. Typically uses a JavaScript Object Notation (JSON) structure. Key-value collections.
• Data Model: Key-value; multi-structured; horizontal scaling
• Example: MongoDB, CouchDB, Amazon DynamoDB
• Strength: Incomplete data tolerant; can query on any field in the document
• Weakness: Query performance; no standard query syntax

Columnar
• Definition: Tables: rows and columns. Number of columns is not fixed for each record. Columns are created for each row.
• Data Model: Column families; key-value
• Example: HP Enterprise Vertica, HBase, Cassandra, SAP HANA
• Strength: Fast look-ups
• Weakness: Very low level API

Graph
• Definition: Stores data in graph models. Nodes, edges & properties. Social network connections. Traverse relationships.
• Data Model: Property graph; multi-structured; horizontal scaling
• Example: Neo4j, InfiniteGraph, Giraph, InfoGrid
• Strength: Close to real world models; scalability; graph algorithms, shortest path etc.
• Weakness: Not easy to cluster; traverse whole graph to get answer

ACID: Atomicity, Consistency, Isolation, Durability. BASE: Basically Available, Soft state, Eventual consistency.

Graph Databases
• Apache TinkerPop
• InfiniteGraph
• Neo4j
• Oracle Spatial and Graph
• SAP HANA
• Sqrrl
• Teradata Aster

APT Intrusion Kill Chain

• Reconnaissance: Research, identification & selection of targets. Examples: Harvesting email addresses; Social networking; Passive search; IP discovery; Port scans
• Weaponization: Pairing malware with exploit into payload. Examples: Payload creation; Malware delivery system; Decoys
• Delivery: Transmission of weapon to target. Examples: Spear phishing; Infected website; Service provider
• Exploitation: Trigger weapon's code. Examples: Activation; Execute code; Establish foothold; 3rd party exploitation
• Installation: Install backdoor on target system allowing persistent access. Examples: Trojan or backdoor; Escalate privileges; Rootkit; Establish persistence
• Command & Control: Remote control internal servers from outside. Examples: Command channel; Lateral movement; Internal recon; Maintain persistence
• Actions on Target: Achieve objectives of the intrusion. Examples: Expand compromise; Consolidate persistence; Data exfiltration

Graph Database Use Case: Identity & Access Management

(Slide example graph: person nodes Bob and Patty with Trusts relationships between them; accounts AC#123, AC#456 and AC#789 linked by Has account; groups Grp1 and Admin linked by Member_Of; a Role: Admin linked by Assigned role; and a Payroll System node reached by Have access to and Have no access to relationships.)
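To make the graph introduction above (nodes, directed relationships, properties, traversal) and this IAM slide concrete, here is an added example that is not part of the presentation: a small in-memory property graph built from the slide's node and relationship types, with a breadth-first traversal that answers "which systems can this person reach, and through which path?" and the audit question "who can reach this system?". The transcript does not carry the slide's arrows, so the edges wired up in `build_iam_graph` are assumptions; an explicit "Have no access to" edge is treated as a deny that overrides any granted path, and "Trusts" conveys no access at all.

```python
"""Added example, not from the presentation: an in-memory property graph of the
slide's Identity & Access Management nodes, plus a traversal answering "what can
this person reach?". The slide's arrows are not in the transcript; edges are assumed."""
from collections import deque

GRANTING = {"Has account", "Member_Of", "Assigned role", "Have access to"}
DENYING = "Have no access to"   # explicit deny; 'Trusts' conveys no access at all


class PropertyGraph:
    def __init__(self):
        self.nodes = {}   # id -> (label, properties)
        self.out = {}     # id -> [(relationship type, target id)]

    def add_node(self, node_id, label, **props):
        self.nodes[node_id] = (label, props)
        self.out.setdefault(node_id, [])

    def add_rel(self, src, rel_type, dst):
        self.out[src].append((rel_type, dst))   # directed; no schema to migrate

    def effective_access(self, person, target_label="System"):
        """Breadth-first traversal over GRANTING edges -> {system: shortest path}.
        A DENYING edge from the person, or from any account/group/role they reach,
        removes that system: deny overrides allow. Cypher shape of the allow part:
        MATCH p=(:Person)-[:`Has account`|`Member_Of`|`Assigned role`|`Have access to`*]->(:System) RETURN p"""
        reachable, denied = {}, set()
        queue, seen = deque([(person, [person])]), {person}
        while queue:
            node, path = queue.popleft()
            for rel, nxt in self.out[node]:
                if rel == DENYING:
                    denied.add(nxt)
                elif rel in GRANTING and nxt not in seen:
                    seen.add(nxt)
                    new_path = path + [f"-[{rel}]->", nxt]
                    if self.nodes[nxt][0] == target_label:
                        reachable[nxt] = new_path
                    queue.append((nxt, new_path))
        return {s: p for s, p in reachable.items() if s not in denied}


def who_can_access(graph, system):
    """Audit view: every Person whose effective access includes `system`."""
    return sorted(n for n, (label, _) in graph.nodes.items()
                  if label == "Person" and system in graph.effective_access(n))


def build_iam_graph():
    g = PropertyGraph()
    for node_id, label in [("Bob", "Person"), ("Patty", "Person"), ("Grp1", "Group"),
                           ("GrpAdmin", "Group"), ("RoleAdmin", "Role"), ("Payroll", "System"),
                           ("AC#123", "Account"), ("AC#456", "Account"), ("AC#789", "Account")]:
        g.add_node(node_id, label, name=node_id)
    for src, rel, dst in [("Bob", "Trusts", "Patty"), ("Patty", "Trusts", "Bob"),
                          ("Bob", "Has account", "AC#123"), ("Bob", "Has account", "AC#456"),
                          ("Patty", "Has account", "AC#789"), ("AC#123", "Member_Of", "Grp1"),
                          ("AC#456", "Member_Of", "GrpAdmin"), ("AC#789", "Member_Of", "Grp1"),
                          ("GrpAdmin", "Assigned role", "RoleAdmin"),
                          ("RoleAdmin", "Have access to", "Payroll"),
                          ("Grp1", "Have access to", "Payroll"),
                          ("Patty", "Have no access to", "Payroll")]:
        g.add_rel(src, rel, dst)
    return g
```

With this wiring Bob reaches the Payroll System through AC#123 and Grp1, while Patty, who has the same group path, is cut off by her explicit deny; adding a new relationship type later is one more `add_rel` call, with no schema migration.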

Graph Database Use Case: Real-Time Recommendation Engines

(Slide example graph: Bob Searches for Delivery options and a Price range, Checks product recalls, Looks for Return Policy and Looks for Blogs; Patty is Friend with Bob, with further relationships Bought and Writes at.)