CSA SV Threat detection and prediction

Date post: 18-Feb-2017
Upload: vishwas-manral
Transcript

Page 1: CSA SV Threat detection and prediction

Cloud Security: Threat Detection and Prediction
Ganesh Kirti, CTO and Co-Founder, Palerra

Page 2: CSA SV Threat detection and prediction

Agenda

§  Cloud Security Challenges
§  Threat Detection and Prediction
§  Summary


Page 3: CSA SV Threat detection and prediction

About Palerra

Company
§  A leading Cloud Access Security Broker (CASB)
§  Ensures visibility and governance for cloud services
§  Secures cloud applications and infrastructure - all users - from any device - from anywhere / any network
§  Leading investors include Norwest Venture Partners, Wing Ventures & August Capital

Customers
§  Investment Bank – 5,500 Box users
§  IT Infrastructure & Data Center Products Manufacturer – 18,000 Salesforce users
§  National Healthcare Provider – 5,500 O365 users
§  IT Service Provider – 6,000 O365/Salesforce users

Accolades / Supported Services: no text captured in the transcript for these two columns.


Page 4: CSA SV Threat detection and prediction

Cloud Computing Services Model

SaaS
§  Business data transactions
§  Sharing documents
§  Sensitive emails

PaaS
§  Partner applications
§  3rd-party API integration
§  Databases, web services

IaaS
§  VPN/Network ACLs
§  Hosts/server instances
§  Storage services


Page 5: CSA SV Threat detection and prediction

Security: Cloud Computing Services Model

SaaS (actors on the slide: Business User, Admin, 3rd Party Apps)
§  Protect data from being shared outside an org
§  Protect user accounts
§  Secure configurations
§  Detect malicious insiders

PaaS (actors on the slide: Business User, Developers, API Key, 3rd Party Apps, DevOps)
§  Protect data
§  Protect user accounts
§  Secure API keys and tokens
§  Audit activity

IaaS (actors on the slide: Admin, Client Machines, On-Demand Processes)
§  Secure network and servers
§  Secure SSH keys
§  Protect against rogue usage
§  Secure configurations

Cloud Service Providers own the Cloud and you own the security

Page 6: CSA SV Threat detection and prediction

Cloud Security: Multi-Step Process

§  Step 1: Visibility
  §  Get visibility into your cloud services usage
  §  Develop a plan for monitoring and securing your clouds

§  Step 2: Anomaly Detection/Prediction/Protection
  §  Use multiple techniques (supervised and unsupervised) to identify risky users and threats

§  Step 3: Remediate incidents and prevent them in future
  §  Automate the process for continuous security


Page 7: CSA SV Threat detection and prediction

CASB: Reference Architecture

Page 8: CSA SV Threat detection and prediction
Page 9: CSA SV Threat detection and prediction

Anomalous Activity Detection

§  Solution should support:
  •  Supervised feeds and rules:
    §  Allow the customer to configure specific use cases of interest for their cloud applications
    §  Examples: whitelisting of IP addresses, tagging activities of certain AWS machines, tagging certain users (e.g. an employee about to be terminated)
  •  Machine learning for anomaly detection:
    •  User Behavior Analytics
    •  Anomaly detection for IP addresses
    •  Anomaly detection for non-human activities connecting to the applications: automated processes, unsanctioned applications
    •  Correlation of various threat feeds and contextual data


Page 10: CSA SV Threat detection and prediction

Supervised Feeds and Rules: Real use case

§  Trusted IP addresses:
  §  Detection of any activity outside certain ranges of IP addresses.
  §  Helps security analysts identify users who work outside the office (when they are not supposed to).
  §  Helps detect compromised or shared credentials (if the employee is physically located in the office but activity is happening from outside the company IP ranges).

Page 11: CSA SV Threat detection and prediction

Anomaly Detection: UBA use cases

§  Over time, cloud users build repeatable action patterns. Profiling such patterns helps identify anomalous activity.
§  For example:
  §  An SFDC user logs in daily from two IP addresses (one is the company's, the other is home).
  §  This user creates an average of 20 leads a day, changes about 7 lead statuses, and transfers an average of 3 leads per day to another employee.
§  Profiling the aggregates of actions per user over a long period of time helps identify the user's expected volume of daily actions.
§  Profiling the IP addresses for this user helps identify any new, unseen IP address for this user.
§  Profiling certain sensitive actions, such as data export, together with their time of execution helps detect unexpected execution of such sensitive actions.
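One way to put the trusted-IP rule from the previous slide and the per-user profiling from this one into code, as an added example that is not Palerra's product code: the trusted CIDR list, the user name and the event history are constructed for illustration, and the volume threshold (mean plus three standard deviations, with a floor of one) is an assumed choice.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed customer-configured trusted ranges (the "whitelisting of IP
# addresses" supervised rule); RFC 5737 documentation addresses, not real ones.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),   # office egress
                  ipaddress.ip_network("198.51.100.0/24")]  # VPN egress

# Constructed history in (user, source IP, action, day) form: alice creates
# about 20 leads a day from the office plus one from home, as on the slide.
HISTORY = [("alice", "203.0.113.10", "create_lead", d)
           for d in range(10) for _ in range(20)]
HISTORY += [("alice", "192.0.2.5", "create_lead", d) for d in range(10)]


def outside_trusted(ip):
    """Supervised rule: True when the source IP is in none of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_RANGES)


def build_profile(events):
    """Per-user baseline: IPs seen before, and daily counts of each action."""
    seen_ips = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # (user, action) -> day -> count
    for user, ip, action, day in events:
        seen_ips[user].add(ip)
        daily[(user, action)][day] += 1
    return seen_ips, daily


def score_day(profile, user, ip, action, count, k=3.0):
    """List the anomaly reasons for one user's activity on a new day."""
    seen_ips, daily = profile
    reasons = []
    if outside_trusted(ip):
        reasons.append("outside trusted IP ranges")
    if ip not in seen_ips.get(user, set()):
        reasons.append("new IP for user")
    history = list(daily[(user, action)].values())
    if len(history) >= 2:  # need a baseline before judging volume
        mu, sd = mean(history), pstdev(history)
        if count > mu + k * max(sd, 1.0):  # floor keeps a flat baseline usable
            reasons.append(f"{action} volume {count} vs expected ~{mu:.0f}")
    return reasons


def demo():
    profile = build_profile(HISTORY)
    return (score_day(profile, "alice", "192.0.2.5", "create_lead", 22),
            score_day(profile, "alice", "192.0.2.99", "create_lead", 200))
```

The home-working day only trips the supervised trusted-range rule, while the bulk day from an unseen address also trips the UBA checks, which is the layering the slides describe.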


Page 12: CSA SV Threat detection and prediction

UBA use case: repeatable user actions over time

Page 13: CSA SV Threat detection and prediction

UBA use case: User coming from a new IP address

Page 14: CSA SV Threat detection and prediction

Malicious Insiders

§  The most damaging attacks are more often caused by insiders
§  Examples of insider threats:
  –  Employee negligence
  –  Fraud, theft by insiders
  –  Inappropriate sharing of data outside an enterprise
§  What to protect and monitor:
  –  Monitor for overly privileged user accounts
  –  Monitor transactional activities
  –  Monitor administrators' activities
  –  Detect malicious user activities using user and entity behavior analytics (UEBA)

Page 15: CSA SV Threat detection and prediction

Summary

§  Get visibility into your cloud services usage
§  Develop a plan for monitoring and securing your clouds
§  Find an automated solution to address challenges (threats and risks)


Page 16: CSA SV Threat detection and prediction

Q&A

Please send questions regarding this webinar to: [email protected]

http://palerra.com/locked_item/white-paper-t12/