2. Insider Threat Detection in Cloud using UEBA
Cloud Threat Analyzer
Lucas Ko, Taiwan
lucasko@iii.org.tw
3. Lucas Ko
» National Taiwan University of Science and Technology
• Master's degree in Computer Science
» Institute for Information Industry
• Project Manager
• Responsibilities:
- Penetration testing of banks and government agencies
- Detection system development
- Log analysis
» Zero-day finder, e.g. CVE-2017-5481
4. Outline
» Insider Threats in Cloud
» User and Entity Behavior Analytics
» Anomaly Detection System
» Case Study
6. Data Stored in the Cloud
» Types of information stored in the cloud, by share of respondents [1]:
• 44% Email
• 32% Customer Data
• 31% Sales & Marketing Data
• 30% Employee Data
• 26% Contracts, Invoices, Orders
[1] "Cloud Security 2016 Spotlight Report", CloudPassage
7. Cloud Management is Hard
» Cloud storage (Google Drive, Office 365) is more convenient, but it adds risk: the same company files are reachable from the office, from home and from mobile devices, often over insecure connections.
• An insider can easily collect data while outside the company.
8. Security Threats in Cloud
» Top cloud security threats, by share of respondents [1]:
• 53% Unauthorized Access
• 44% Hijacking of Accounts
• 39% Insecure Interfaces/APIs
• 33% External Sharing of Data
[1] "Cloud Security 2016 Spotlight Report", CloudPassage
9. Most Concerned About Insider Threats
» Insider threats respondents are most concerned about [2]:
• 71% Inadvertent data leak
• 68% Ignoring policy
• 61% Malicious data leak
[2] "Insider Threat 2016 Spotlight Report"
10. How to Protect Cloud Data from Insider Threats?
» User and Entity Behavior Analytics
11. What is UEBA?
» Expands the definition of UBA (User Behavior Analytics) from users to entities: devices, applications, data, anything.
» Integrates machine learning over user behavior and entity features.
» UEBA is used for insider threat detection.
12. How Does UEBA Protect Us?
» Pipeline: Log Collection → Machine Learning → Risk Assessment
• Log Collection: user behaviors and entity features.
• Machine Learning: behavior model, clustering, predicting anomalies.
• Risk Assessment: risk estimator.
13. Detection is Based on UEBA
» Integrates a recommendation system (collaborative filtering) with the entity.
• Entity: the directory tree structure.
» Detection flow:
• Users' access logs → past access behavior matrix and current access behavior vector.
• Collaborative filtering from file access behaviors.
• Drive file proximity score measuring: structure-oriented risk propagation over the directory tree.
• Detect insider threats.
15. Anomaly Detection System
» Use a recommendation system to detect abnormal behavior.
• Input: a users × items access matrix (binary matrix: 1 if the user accessed the file).
• The recommendation system recommends additional items with similar properties.
• Highly recommended: expected access. Not recommended: abnormal behavior.
16. Abnormal Access Behavior
» Detect cross-group abnormal access behavior.
• Users similar to team A's members read team A's files, so the recommendation system recommends team A's files to them; likewise for team B.
• An access to a file that the recommendation system would not recommend to that user (e.g. a team A member reading team B's files) is detected as cross-group abnormal access.
17. Recommendation Systems Are Not Perfect
» Cold start problem:
• A new file has no past access behavior in the access matrix.
- The model cannot score current accesses to a new file.
• An insider who accesses only new files would therefore be missed by the access matrix alone.
18. Integrated Recommendation System with Entity
» Directory tree structure
• Members of the same project have similar behavior and work in similar parts of the directory tree.
• A new file's similarity score is the average of the similarity scores of nearby old files (same or neighboring directory), which already have high similarity scores.
19. Steps in the Anomaly Detection
» Log Collection
• Google Drive: access log, directory tree structure
• 150 employees
• Last 6 months of logs
» Model
• Collaborative filtering: Alternating Least Squares
» Risk Assessment
• Risk estimator: file proximity score measuring
21. Types of Access Log
» ACL change: change_acl_editors, change_doc_access_scope, change_doc_visibility, change_user_access
» Access: Create, Edit, Delete, Move, Upload, Trash, View, Download, Print, Remove from folder, Add to folder, Preview, Rename
22. Data Pre-Processing
» Inputs from Google Drive: access log, directory tree structure
» Output: access matrix, built from the access log and the directory tree structure
23. Solving the Sparsity Problem
» The users × files matrix is very sparse. Accessing different files in the same directory is considered the same behavior, so the matrix is built over users × directories instead.
» According to our statistics, files account for 89% of the nodes in the Drive tree and directories for 11%, so the number of items shrinks by about 90%.
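As an added example (not CloudOrion's own code), the pre-processing step on constructed audit-style records: keep only access-type events, map each file to the item the matrix is built over (the file itself, or its directory), and measure how much the directory-level view reduces sparsity. The record field names and the sample paths are assumptions for the demo; the event names are the ones listed on slide 21.

```python
import posixpath
from collections import OrderedDict

# Constructed sample records shaped like Google Drive audit events.
# Field names are an assumption for the demo, not the real audit schema.
EVENTS = [
    {"actor": "alice", "event": "view",               "path": "/TeamA/specs/design.docx"},
    {"actor": "alice", "event": "edit",               "path": "/TeamA/specs/api.md"},
    {"actor": "alice", "event": "download",           "path": "/TeamA/specs/api.md"},
    {"actor": "alice", "event": "view",               "path": "/TeamA/minutes/2017-03.docx"},
    {"actor": "bob",   "event": "view",               "path": "/TeamA/specs/design.docx"},
    {"actor": "bob",   "event": "change_acl_editors", "path": "/TeamA/specs/api.md"},
    {"actor": "carol", "event": "view",               "path": "/TeamB/sales/q1.xlsx"},
    {"actor": "carol", "event": "preview",            "path": "/TeamB/sales/q2.xlsx"},
    {"actor": "carol", "event": "change_user_access", "path": "/TeamB/sales/q2.xlsx"},
    {"actor": "alice", "event": "download",           "path": "/TeamB/sales/q2.xlsx"},
]

# Event names from slide 21. ACL changes are kept out of the behavior matrix:
# they fire on every file when an account is added, so they say little about
# who actually reads what.
ACCESS_EVENTS = {"create", "edit", "delete", "move", "upload", "trash", "view",
                 "download", "print", "remove_from_folder", "add_to_folder",
                 "preview", "rename"}
ACL_EVENTS = {"change_acl_editors", "change_doc_access_scope",
              "change_doc_visibility", "change_user_access"}


def item_of(path, unit):
    """Map a document path to the matrix item: the file itself, or its directory."""
    return path if unit == "file" else posixpath.dirname(path)


def build_access_matrix(events, unit="directory"):
    """Return (users, items, matrix) with matrix[u][i] = 1 if user u accessed item i."""
    users, items = OrderedDict(), OrderedDict()
    pairs = set()
    for e in events:
        if e["event"] not in ACCESS_EVENTS:
            continue  # ACL events and unknown names are not access behavior
        item = item_of(e["path"], unit)
        users.setdefault(e["actor"], len(users))
        items.setdefault(item, len(items))
        pairs.add((e["actor"], item))
    matrix = [[0] * len(items) for _ in users]
    for actor, item in pairs:
        matrix[users[actor]][items[item]] = 1
    return list(users), list(items), matrix


def sparsity(matrix):
    """Fraction of zero cells, the quantity slide 23 is about."""
    cells = sum(len(r) for r in matrix)
    ones = sum(sum(r) for r in matrix)
    return 1 - ones / cells


if __name__ == "__main__":
    for unit in ("file", "directory"):
        users, items, m = build_access_matrix(EVENTS, unit)
        print(unit, len(items), "items, sparsity %.2f" % sparsity(m))
        for u, row in zip(users, m):
            print("  ", u, row)
```

On the constructed records the file-level matrix has five items and a sparsity of 8/15, while the directory-level matrix has three items and a sparsity of 4/9; alice's row collapses to a single 1 per directory no matter how many files she touched there, which is exactly the "same behavior" assumption of the slide.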
24. Types of Recommendation System
» Content-based
» Collaborative filtering
• Model-based
• Neighborhood-based: user-based, item-based
» Hybrid (CF + content)
25. Collaborative Filtering
» A method of making predictions about the interests of a user by collecting preferences from many users.
» Types of preference
• Explicit: users rate items.
• Implicit: observation of user behavior.
- Here: access behavior on files.
26. Alternating Least Squares
» Factorize the users × items matrix R into user latent factors U and item latent factors I so that R ≈ U × I; the prediction for a (user, file) pair is the dot product of its two latent vectors.
» ALS features:
• Model-based.
• Easy to parallelize.
• Quick to converge.
» Steps:
• Start with random U & I matrices.
• Optimize user vectors based on files (with I fixed).
• Optimize file vectors based on users (with U fixed).
• Repeat until converged.
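The detection idea of slides 15 and 16 and the ALS steps above, as one added example (not CloudOrion's code): a dense ALS with ridge regularization in plain Python, a constructed binary past-access matrix with two teams, and a "current access" check that flags pairs the model would not have recommended. The latent dimension, the regularization weight, the threshold and the sample matrix are all assumptions for the demo; ALS with alternating ridge solves is the standard formulation, and unobserved cells are treated as zeros, which is the simplest reading of the slide's binary matrix.

```python
import random


def _solve(a, b):
    """Solve the small k x k system a @ x = b by Gauss-Jordan elimination."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def _update(fixed, rows, k, lam):
    """One ALS half-step: with the other factor `fixed`, every row vector is the
    ridge least-squares solution x = (F^T F + lam*I)^-1 F^T r."""
    gram = [[sum(f[i] * f[j] for f in fixed) + (lam if i == j else 0.0)
             for j in range(k)] for i in range(k)]
    return [_solve(gram, [sum(f[i] * r[j] for j, f in enumerate(fixed))
                          for i in range(k)]) for r in rows]


def als(R, k=2, lam=0.1, iters=20, seed=0):
    """Factor the binary access matrix R (users x files) into U (users x k)
    and I (files x k) so that R ~ U I^T, alternating the two ridge solves."""
    rng = random.Random(seed)
    U = [[rng.random() for _ in range(k)] for _ in R]       # random start
    I = [[rng.random() for _ in range(k)] for _ in R[0]]
    Rt = [list(col) for col in zip(*R)]                      # files x users
    for _ in range(iters):
        U = _update(I, R, k, lam)     # user vectors, file vectors fixed
        I = _update(U, Rt, k, lam)    # file vectors, user vectors fixed
    return U, I


def score(U, I, user, item):
    """Predicted affinity: dot product of the two latent vectors."""
    return sum(a * b for a, b in zip(U[user], I[item]))


def flag_accesses(U, I, accesses, threshold=0.3):
    """Current access behavior vector -> the (user, file) pairs the model would
    not have recommended, i.e. candidate cross-group abnormal accesses.
    The threshold is an assumed tuning parameter."""
    return [(u, i) for u, i in accesses if score(U, I, u, i) < threshold]


# Constructed past-access matrix: users 0-2 work on team A's files 0-2,
# users 3-5 on team B's files 3-5. User 0 has not yet opened file 2.
PAST = [
    [1, 1, 0, 0, 0, 0],
    [1, 1, 1, 0, 0, 0],
    [1, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 1],
    [0, 0, 0, 1, 1, 1],
    [0, 0, 0, 1, 1, 1],
]
# Constructed "current" accesses: one inside user 0's team, one across teams.
CURRENT = [(0, 2), (0, 3)]

if __name__ == "__main__":
    U, I = als(PAST)
    for u, i in CURRENT:
        print("user %d file %d score %.2f" % (u, i, score(U, I, u, i)))
    print("flagged:", flag_accesses(U, I, CURRENT))
```

With two latent factors the model has room for one factor per team, so user 0's never-opened team file 2 still scores around 0.5 (their teammates read it), while team B's file 3 scores near zero and is the only access flagged. A threshold and a latent dimension chosen for a real tenant would have to be tuned against a held-out period of the same logs.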
27. Entity
» File proximity score measuring.
» User and Entity Behavior Analytics: structure-oriented risk propagation over the directory tree.
» Measuring strategy:
• Straight parents (the chain of ancestor directories of a file).
• All children (every file beneath a directory).
[Figure: example directory tree with nodes A through M]
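The cold-start averaging of slide 18 and the straight-parents / all-children strategy of this slide, as one added example (not CloudOrion's code). The tree, the per-file scores (stand-ins for one user's collaborative-filtering predictions) and the decay factor are constructed for the demo; the specific propagation rule in `propagate_risk` is one assumed reading of "structure-oriented risk propagation", since the slides do not give the formula.

```python
import posixpath
from statistics import mean

# Constructed Drive tree: files with a similarity score for one user
# (think: the collaborative-filtering prediction for that user). Paths and
# scores are made up for the demo.
KNOWN = {
    "/TeamA/specs/design.docx": 0.82,
    "/TeamA/specs/api.md": 0.77,
    "/TeamA/minutes/2017-03.docx": 0.65,
    "/TeamB/sales/q1.xlsx": 0.05,
    "/TeamB/sales/q2.xlsx": 0.08,
}


def all_children(scores, directory):
    """Scores of every known file beneath `directory` (the "all children" strategy)."""
    prefix = directory.rstrip("/") + "/"
    return [s for path, s in scores.items() if path.startswith(prefix)]


def straight_parents(path):
    """Ancestor directories of `path`, nearest first, ending at the root."""
    parents = []
    d = posixpath.dirname(path)
    while True:
        parents.append(d)
        if d == "/":
            return parents
        d = posixpath.dirname(d)


def cold_start_score(scores, new_path):
    """Similarity score for a file with no access history: climb the straight
    parents and return the mean score of all children at the first level that
    has any. None if the tree holds no scored file at all."""
    for d in straight_parents(new_path):
        nearby = all_children(scores, d)
        if nearby:
            return mean(nearby)
    return None


def propagate_risk(flagged_path, scores, decay=0.5):
    """Assumed propagation rule: a flagged file carries risk 1.0, each straight
    parent gets the risk decayed once per level, and every child file inherits
    the risk of its nearest ancestor on that chain."""
    risk = {flagged_path: 1.0}
    for depth, d in enumerate(straight_parents(flagged_path), start=1):
        level = decay ** depth
        prefix = d.rstrip("/") + "/"
        for path in scores:
            if path.startswith(prefix) and path not in risk:
                risk[path] = level
    return risk


if __name__ == "__main__":
    for p in ("/TeamA/specs/new.md", "/TeamA/roadmap/new.md", "/TeamC/new.md"):
        print(p, "->", cold_start_score(KNOWN, p))
    print(propagate_risk("/TeamB/sales/q2.xlsx", KNOWN))
```

A new file in `/TeamA/specs` inherits the mean of its two siblings (0.795); a new file in an empty `/TeamA/roadmap` climbs one level and averages all of team A's files; a file under a brand-new `/TeamC` falls back to the whole tree, which is the point at which the score stops carrying information and a practitioner would want an explicit "unknown" rather than a number.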
30. Case: Cross-Group Access
» A file link was shared in a communication app, and everyone clicked the link from the app, including the administrator and an insider from another group.
» The clicks from outside the file's group showed up as cross-group access.
31. Case: High-Risk Employee
» We found a high-risk employee who collected data before quitting the job.
» The employee (team A) collected other teams' (team B's) documents on Google Drive, which was detected as abnormal access.
32. Case: Shared Account
» Using a shared account to access file documents (privileged account abuse).
» Employee B had no permission on an infrequently used file, logged in to the shared account, and accessed the file through it. The shared account's behavior shifted from its frequently used files to that file, which was detected as abnormal access.
33. Case: Compromised Account
» An account was compromised and used to collect documents in secret.
» The hacker logged in to the compromised account and read infrequently used files, unlike the legitimate insider's frequently used files, which was detected as abnormal access.
34. CloudOrion: Cloud Threat Analyzer
» Demo site: https://cloudorion.cyber00rn.org/
» Log collection: Google Drive audit
» One-click authorization: Google Sign-In
» Find out insider threats: abnormal behavior detection
» File permission management: remove all permissions at once
» Third-party apps management: identify high-risk applications
» Flow: Google Drive → log collection → abnormal behavior detection → notification to the G Suite administrator about the insider.
35. Thanks for listening
Institute for Information Industry
Lucas Ko
lucasko@iii.org.tw
lucasko.tw@gmail.com
CloudOrion: Cloud Threat Analyzer
https://cloudorion.cyber00rn.org/
Editor's Notes
1. An increasing number of companies are beginning to use cloud services.
2. There are many cloud services, such as Google Drive, Dropbox and Office 365.
3. Using cloud services is good for collaborative working.
4. However, it is a threat to the company.
1. What types of information do you store in the cloud?
2. According to the Cloud Security 2016 Spotlight Report, why are there many threats in the cloud?
The reason why unauthorized access is number one is that it is caused by misuse of credentials and improper access controls.
1. In addition, organizations are most concerned about insider threats.
2. Insider threats in cyber security are often associated with malicious users.
3. Insider threats are a big risk for enterprises.
4.1 Insider threats can go undetected for years.
4.2 It is hard to distinguish harmful actions from regular work.
4.3 It is easy for employees to cover their actions.
4.4 It is hard to prove guilt.
Risk Assessment is a module that calculates risk.
Collaborative filtering is a method of making automatic predictions (filtering) about the interests of a user by collecting preferences.
Similar users will be grouped together.
Similar users will access similar files / folders.
Two folders are similar if the distance between them in the tree is small.
Binary matrix.
What other products might you also be interested in?
Not recommended means that the users are not similar.
It is a common problem in recommendation systems.
1. The members of the same project will have similar behaviors and similar directory tree structure.
2. The score of a new file is the average of the nearby similarity scores.
1. Focus on Google Drive.
In most situations ACL changes come in bulk: when a new account joins, an ACL change is launched on each file.
Files were decreased by 90%. It is very helpful for performance.
User-based and item-based are common for recommendation systems.