Darin Fisher [InfluxData] | Security Monitoring in the Time Series Domain | InfluxDays Virtual Experience NA 2020

  1. Security Monitoring in the Time Series Domain. Darin Fisher, Security Tools Manager, InfluxData
  2. Who am I and what do I do...
  3. © 2020 InfluxData. All rights reserved. Security Tools Manager. Career path: Tech Support, Sys Admin, Network Engineer, Security Director, Developer (spanning Operations, Development and Management) across ISPs, Banks, Telcos, Pharma and Software.
  4. Why another security solution?
  5. “The first step in finding anomalies in network and device behavior is collecting the data and organizing it into a collection of time series.” -- Nate Fick, Endgame
  6. “The strength of time series modeling is generally not used in almost all current intrusion detection and prevention systems.” -- Intrusion Detection Forecasting Using Time Series for Improving Cyber Defence, Azween Abdullah, Thulasyammal Ramiah Pillai, Long Zheng Cai
     ● Most are noisy and ineffectual
     ● SaaS access monitoring is generally not available
     ● Cross-SaaS correlation is generally not available
  7. Building Security Tools with InfluxDB
  8. “That's another reason I was interested in coming to work at InfluxData, where we can build our own security tools on top of our own platform.” -- Peter Albert, CISO, InfluxData
  9. What are we doing?
  10. “Everything should be made as simple as possible, but no simpler.” -- Albert Einstein
     ● Build the tools we need to help keep our services safe
     ● Share these tools
       ○ InfluxDB Templates
     ● Collaborate with the community for more solutions
       ○ What would help you?
  11. Security monitoring is noisy, focus!
  12. It can be difficult to determine what to watch with a large number of providers and an ever-changing infrastructure.
     ● SaaS-first company
     ● 100 separate providers
     ● SaaS provider
     ● Continually changing attack surface
     ● Anomaly detection
  13. Do we see activity anomalies …?
     ● SaaS Access Activity
       ○ Compromised accounts are the #1 cause of security breaches
       ○ Increased failure rate
       ○ Source address and account ID cardinality
     ● Cloud Access Activity
       ○ Increased resource utilization
       ○ Access changes
       ○ Network changes
       ○ Increase in costs
  14. Continuous Auditing
     ● Network Attack Surface
       ○ Public address changes
       ○ Public port changes
     ● Account Audits
       ○ Is the terminated account removed from all SaaS providers?
     ● State of Security Controls
       ○ Is authentication active and functional?
       ○ Is there activity from a disabled account?
  15. What are we looking at?
     ● Authentication activity
     ● Authentication functionality
     ● Account and source location cardinality changes
     ● Multi-SaaS correlation
     ● Changes to the attack surface
     ● State changes
     ● Service cost increase
     ● SSL certificate validation
  16. How…?
  17. Data Collection ... InfluxDB Cloud for storage and analysis
     ● Telegraf
     ● InfluxDB with Flux
     ● FaaS using your favorite programming language
     ● Provider API
     ● Raw log files
  18. What Do We Have Now?
  19. Endpoint Monitoring InfluxDB Template
     ● General Availability
     ● Authentication Availability
     ● Authentication Functionality
     ● Certificate Status
  20. SaaS Authentication Anomaly Monitoring
     ● Google Workspace (G Suite)
     ● Authentication Failure Spikes
     ● Source Address Cardinality
  21. [no slide text]
  22. Next Up … ?
     ● Multi-SaaS correlation
     ● Network availability changes
     ● Multi-SaaS account auditing
     ● Ingress activity tracking
     ● Geographic usage observability
  23. Bumps in the road
  24. Ongoing efforts require overcoming a few hurdles
     ● Access to event information from the SaaS providers
     ● Normalizing fields
     ● Visibility
       ○ What are good triggers?
       ○ Other indicators, i.e. provider billing services
     ● Data collection methods
     ● Deriving state for faster ongoing reference - "rollup"
  25. What else do we need?
  26. Cloud-based software services must provide better access to authentication and activity data.
     ● SaaS and Cloud provider activity log access via API
     ● API access should be standard for all subscription levels
     ● Ability to create “service accounts” or read-only roles for automated API access
  27. Time series data is very well suited for security analysis, providing anomaly detection, real-time audit capabilities, and much more. SaaS account activity and simple endpoint observations are a good start. Better access to SaaS audit data is necessary for better security tools.
  28. Thank you! Slack: @darin - InfluxDB Community
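Slide 20 names two signals the SaaS authentication template watches: authentication failure spikes and source-address cardinality. The windowed detector below is an added example (not InfluxData's template or Flux code) that computes both per 5-minute window over constructed login events and flags a window whose value exceeds a multiple of the median of the earlier windows; the event tuples stand in for records already pulled from a provider API.

```python
"""Added example: per-window failure count and source-address cardinality
with a simple median-baseline spike check. Events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=5)

def _ev(minute, account, src, ok):
    # Constructed event tuple: (timestamp, account, source_ip, success)
    return (datetime(2020, 11, 10, 0, minute), account, src, ok)

# Three quiet 5-minute windows, then a burst of failures from many sources.
SAMPLE_EVENTS = [
    _ev(1, "alice", "10.0.0.5", True), _ev(2, "bob", "10.0.0.6", False),
    _ev(6, "alice", "10.0.0.5", True), _ev(8, "carol", "10.0.0.7", False),
    _ev(11, "bob", "10.0.0.6", False), _ev(12, "alice", "10.0.0.5", True),
] + [_ev(16 + i % 4, "alice", f"203.0.113.{i}", False) for i in range(8)]

def window_stats(events, window=WINDOW):
    """Bucket events into fixed windows and return a time-sorted list of
    (window_start, failure_count, distinct_source_count)."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, _account, src, ok in events:
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[start][0] += 0 if ok else 1
        buckets[start][1].add(src)
    return [(s, f, len(srcs)) for s, (f, srcs) in sorted(buckets.items())]

def find_anomalies(stats, factor=3.0, min_history=3):
    """Flag a window whose failures or source cardinality exceed `factor`
    times the median of all earlier windows. Returns {window_start: reasons}."""
    flagged = {}
    for i in range(min_history, len(stats)):
        start, failures, sources = stats[i]
        hist = stats[:i]
        reasons = []
        if failures > factor * max(median(f for _, f, _ in hist), 1):
            reasons.append("auth_failure_spike")
        if sources > factor * max(median(c for _, _, c in hist), 1):
            reasons.append("source_cardinality_spike")
        if reasons:
            flagged[start] = reasons
    return flagged

if __name__ == "__main__":
    for start, reasons in find_anomalies(window_stats(SAMPLE_EVENTS)).items():
        print(start.isoformat(), ", ".join(reasons))
```

The same two aggregates map directly onto a Flux window-and-group pipeline; the baseline and factor here are illustrative, not values from the template.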