Darin Fisher [InfluxData] | Security Monitoring in the Time Series Domain | InfluxDays Virtual Experience NA 2020

  1. Security Monitoring in the Time Series Domain
     Darin Fisher, Security Tools Manager, InfluxData
  2. Who am I and what do I do...
  3. © 2020 InfluxData. All rights reserved.
     Security Tools Manager, Tech Support, Sys Admin, Network Engineer, Security Director, Developer, ISPs, Banks, Telcos, Pharma, OPERATIONS, DEVELOPMENT, MANAGEMENT, Software
  4. Why another security solution?
  5. “The first step in finding anomalies in network and device behavior is collecting the data and organizing it into a collection of time series.” -- Nate Fick, Endgame
  6. The strength of time series modeling is generally not used in almost all current intrusion detection and prevention systems.
     (Intrusion Detection Forecasting Using Time Series for Improving Cyber Defence, Azween Abdullah, Thulasyammal Ramiah Pillai, Long Zheng Cai)
     ● Most are noisy and ineffectual
     ● SaaS access monitoring is generally not available
     ● Cross-SaaS correlation is generally not available
  7. Building Security Tools with InfluxDB
  8. “That's another reason I was interested in coming to work at InfluxData, where we can build our own security tools on top of our own platform.” -- Peter Albert, CISO, InfluxData
  9. What are we doing?
  10. “Everything should be made as simple as possible, but no simpler.” -- Albert Einstein
     ● Build the tools we need to help keep our services safe
     ● Share these tools
       ○ InfluxDB Templates
     ● Collaborate with the community for more solutions
       ○ What would help you?
  11. Security monitoring is noisy, focus!
  12. It can be difficult to determine what to watch with a large number of providers and an ever-changing infrastructure.
     ● SaaS first company
     ● 100 separate providers
     ● SaaS provider
     ● Continually changing attack surface
     ● Anomaly Detection
  13. Do we see activity anomalies …?
     ● SaaS Access Activity
       ○ Compromised accounts are the #1 cause of security breaches
       ○ Increased failure rate
       ○ Source address and account ID cardinality
     ● Cloud Access Activity
       ○ Increased resource utilization
       ○ Access changes
       ○ Network changes
       ○ Increase in costs
  14. Continuous Auditing
     ● Network Attack Surface
       ○ Public address changes
       ○ Public port changes
     ● Account Audits
       ○ Is the terminated account removed from all SaaS providers?
     ● State of Security Controls
       ○ Is authentication active and functional?
       ○ Is there activity from a disabled account?
  15. What are we looking at?
     ● Authentication activity
     ● Authentication functionality
     ● Account and source location cardinality changes
     ● Multi-SaaS correlation
     ● Changes to the attack surface
     ● State changes
     ● Service cost increase
     ● SSL Certificate validation
  16. How…?
  17. Data Collection ...
     ● Telegraf
     ● InfluxDB with Flux
     ● FaaS using your favorite programming language
     ● Provider API
     ● Raw log files
     InfluxDB Cloud for storage and analysis
  18. What Do We Have Now?
  19. Endpoint Monitoring InfluxDB Template
     ● General Availability
     ● Authentication Availability
     ● Authentication Functionality
     ● Certificate Status
  20. SaaS Authentication Anomaly Monitoring
     ● Google Workspace (G Suite)
     ● Authentication Failure Spikes
     ● Source Address Cardinality
  21. (no text on this slide)
  22. Next Up … ?
     ● Multi-SaaS correlation
     ● Network availability changes
     ● Multi-SaaS account auditing
     ● Ingress activity tracking
     ● Geographic usage observability
  23. Bumps in the road
  24. Ongoing efforts require overcoming a few hurdles
     ● Access to event information from the SaaS providers
     ● Normalizing fields
     ● Visibility
       ○ What are good triggers?
       ○ Other indicators, e.g. provider billing services
     ● Data collection methods
     ● Deriving state for faster ongoing reference - "rollup"
  25. What else do we need?
  26. Cloud-based software services must provide better access to authentication and activity data.
     ● SaaS and Cloud providers' activity log access via API
     ● API access should be standard for all subscription levels
     ● Ability to create “service accounts” or read-only roles for automated API access
  27. Time series data is very well suited for security analysis, providing anomaly detection, real-time audit capabilities, and much more. SaaS account activity and simple endpoint observations are a good start. Better access to SaaS audit data is necessary for better security tools.
  28. Thank you! Slack: @darin - InfluxDB Community
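As an added example (not code from the deck or from InfluxData), here are the two Google Workspace checks named on slides 13 and 20, an authentication-failure spike and a jump in source-address cardinality, computed in Python over hourly rollups of constructed login events; the hourly window, the baseline length, the threshold factor and the minimum failure count are assumed defaults.

```python
"""Added example (not from the deck): flag an authentication-failure spike and a
jump in source-address cardinality, the Google Workspace anomalies on slides 13
and 20, over hourly rollups of constructed login events."""
from collections import defaultdict
from datetime import datetime, timedelta

_T0 = datetime(2020, 11, 10, 9, 0)
SAMPLE_EVENTS = []  # constructed: (timestamp, account, source_ip, outcome)
for _h in range(3):  # three quiet baseline hours: 1 failure, 2 source IPs each
    _t = _T0 + timedelta(hours=_h)
    SAMPLE_EVENTS += [(_t, "alice", "198.51.100.10", "success"),
                      (_t + timedelta(minutes=5), "bob", "198.51.100.11", "success"),
                      (_t + timedelta(minutes=9), "bob", "198.51.100.11", "failure")]
_T3 = _T0 + timedelta(hours=3)  # fourth hour: 12 failures from 8 addresses not seen before
for _i in range(12):
    SAMPLE_EVENTS.append((_T3 + timedelta(minutes=_i), "alice", f"203.0.113.{_i % 8}", "failure"))

def bucket_events(events):
    """Roll events up per hour: failure count and the set of distinct source IPs
    (the derived 'rollup' state slide 24 refers to)."""
    buckets = defaultdict(lambda: {"failures": 0, "sources": set()})
    for ts, _account, ip, outcome in events:
        b = buckets[ts.replace(minute=0, second=0, microsecond=0)]
        if outcome == "failure":
            b["failures"] += 1
        b["sources"].add(ip)
    return dict(sorted(buckets.items()))

def find_anomalies(buckets, baseline_windows=3, factor=3.0, min_failures=5):
    """Return (window_start, kind, value) for each hour whose failure count or
    source-IP cardinality exceeds `factor` times the mean of the preceding
    `baseline_windows` hours. All three thresholds are assumed defaults."""
    keys = list(buckets)
    alerts = []
    for i in range(baseline_windows, len(keys)):
        prior = [buckets[k] for k in keys[i - baseline_windows:i]]
        cur = buckets[keys[i]]
        base_fail = sum(p["failures"] for p in prior) / baseline_windows
        base_src = sum(len(p["sources"]) for p in prior) / baseline_windows
        # max(.., 1) keeps a zero-activity baseline from alerting on a single event
        if cur["failures"] >= min_failures and cur["failures"] > factor * max(base_fail, 1):
            alerts.append((keys[i], "auth_failure_spike", cur["failures"]))
        if len(cur["sources"]) > factor * max(base_src, 1):
            alerts.append((keys[i], "source_cardinality_jump", len(cur["sources"])))
    return alerts

if __name__ == "__main__":
    for when, kind, value in find_anomalies(bucket_events(SAMPLE_EVENTS)):
        print(f"{when:%Y-%m-%d %H:%M} {kind} value={value}")
```

In a real deployment the rollup step is what a Flux `aggregateWindow` over Telegraf-collected login events would produce; the thresholds here should be tuned per provider and per account population.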
