Honeypots for Cloud Providers
Matthew A Johnson
Professional Lecturer of Computing Technology
Matthew.Johnson1@marist.edu
Daniel Jast
Vallie Joseph
Piradon Liengtiraphan
Challenges for providers/carriers
Networks are moving toward SDN and NFV
Adoption/migration presents new challenges
Virtualized appliances are software
Typically VMs running familiar OS (Linux, BSD, Windows)
May be accessed remotely (e.g., via SSH)
As such they have traditional IT vulnerabilities
Remote intrusion
Denial of service
Imagine losing a vrouter, firewall, controller, load balancer!
Security policy implications
Awareness of threats to network resources is critical
Actively monitor access attempts
Record attack data for future audit or analysis
Defensive measures must be appropriately deployed
Block/divert unauthorized access
Hide virtual network resources to mitigate DDoS
Analytics can transform attack data into threat intelligence
Orchestrate/deploy both proactive + reactive measures
Traditional defense strategies
Corporations often use Patch-and-Pray 1
Patching security software after harmful attacks
Keeping security software up to date
Find tools to deal specifically with attack types suffered previously
These strategies assume that the attacks have already happened
By the time a company discovers an attack, it’s usually too late
Damage is already done
Business now spends additional funds to remedy the situation
Examples: Yahoo, Sony, AT&T
1. http://blog.eiqnetworks.com/blog/don-t-rely-on-patch-and-pray-use-vulnerability-management-to-secure-your-network
Evolving threat landscape
Threat landscape is constantly changing
Attack technologies evolve alongside new security measures
Various types of threats
Brute force attackers
Botnets
Advanced persistent threats
Attackers have the advantage
Only one vector needs to work
Defenders must account for all attack vectors
Cannot stay ahead of attackers using only traditional defense strategies
“Smart” Defense
Using analytics to adjust security protocols as needed
Generated from detailed attacker information collected from honeypots
Constantly updated with new attacker data
Predict attack patterns
Patterns drawn from similarities in data
Allow firewalls and other cybersecurity protocols to learn from attacks
Data collection and analytics are required for adaptive security protocols
Honeypots can collect this data
Cowrie
What is a honeypot?
A honeypot is a computer security mechanism set to detect, deflect, or, in some
manner, counteract attempts at unauthorized use of information systems. Generally,
a honeypot consists of data (for example, in a network site) that appears to be a
legitimate part of the site but is actually isolated and monitored, and that seems to
contain information or a resource of value to attackers, which are then blocked.1
More generally… “a security resource whose value lies in being probed, attacked, or
compromised.”2
1. https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
2. http://www.honeypots.net/
Why do we need honeypots?
Honeypots keep systems and information safer by attracting attacks
Breaches result from gaps in - or lack of - security
Easily accessible resources that appear valuable will divert attackers
Protected resources with real value might be overlooked
Why not simply block all attacks?
Plethora of valuable information gained from the attacks to the system
Information can be used for auditing as well as analytics
Analytics enable predictive security protocols
Additional capabilities
Learn not only how attackers get in… but what they do once they get in
Honeypot data collection
Honeypots typically provide analytics software with basic information
IP address
Username/password credentials
Time stamps
Analytics can be improved through providing additional details
Client information (operating system, web browser, etc.)
GeoLocation
ISP data
What can we do with the data?
Learn more about attackers
Classifying attack patterns
Detecting trends
Use what is learned to perform predictive analytics
Use dynamically provisioned firewalls to prevent future attacks
Blacklist IP addresses
Identify harmful geographical groups and areas
How do we do this?
Longtail
Syslog Analyzers (IP Counting functions, Country Counting functions, etc.)
Longtail Analytics
Open source analytics software
Developed at Marist College
Crawls through information provided by honeypots
Analyzes different types of attacks to sort them into attack patterns
Attack Patterns
Example: determine if the attack is a botnet attack
Identifies and classifies botnets
Information has use for the future
Could be used to create dynamic firewalls
Proactively deploy security protocols to help defend against attacks
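As an added example (not code from the deck or from the Longtail project), the following Python analyzer works through the data-collection and analytics steps described above: it parses constructed Cowrie-style JSON log lines, implements IP-counting and country-counting functions, lists firewall block candidates, and flags a botnet-like pattern. The GeoIP table, the sample events and the shared-credential-sequence heuristic are assumptions for illustration, not Longtail's own algorithm or data.

```python
import json
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of honeypot events in Cowrie-style JSON, one event per line.
# These records are made up for this example; they are not real attack data.
# One deliberately corrupt line shows that the parser must tolerate bad input.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:00:01Z","src_ip":"203.0.113.10","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:00:02Z","src_ip":"203.0.113.10","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:00:03Z","src_ip":"203.0.113.10","session":"a1","username":"admin","password":"admin123"}
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:05:01Z","src_ip":"198.51.100.7","session":"b1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:05:02Z","src_ip":"198.51.100.7","session":"b1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:05:03Z","src_ip":"198.51.100.7","session":"b1","username":"admin","password":"admin123"}
this line is not JSON and must be skipped
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:09:00Z","src_ip":"192.0.2.55","session":"c1","username":"pi","password":"raspberry"}
{"eventid":"cowrie.login.success","timestamp":"2016-10-06T12:09:05Z","src_ip":"192.0.2.55","session":"c1","username":"pi","password":"raspberry"}
{"eventid":"cowrie.command.input","timestamp":"2016-10-06T12:09:07Z","src_ip":"192.0.2.55","session":"c1","input":"uname -a"}
{"eventid":"cowrie.login.failed","timestamp":"2016-10-06T12:20:00Z","src_ip":"203.0.113.10","session":"a2","username":"root","password":"toor"}
"""

# Constructed stand-in for a GeoIP/ISP lookup: documentation prefixes mapped to
# made-up country codes. A real deployment would query a GeoIP database here.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "XA",
    ip_network("198.51.100.0/24"): "XB",
    ip_network("192.0.2.0/24"): "XA",
}

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort the whole analysis
    return events


def lookup_country(ip):
    """Map an address to a country code via the constructed GEO_TABLE."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def count_by_ip(events):
    """IP-counting function: failed login attempts per source address."""
    return Counter(e["src_ip"] for e in events if e.get("eventid") == "cowrie.login.failed")


def count_by_country(events):
    """Country-counting function: distinct attacking addresses per country code."""
    ips = {e["src_ip"] for e in events if e.get("eventid") in LOGIN_EVENTS}
    return Counter(lookup_country(ip) for ip in ips)


def login_sequences(events):
    """Ordered (username, password) attempts per session, keyed by (src_ip, session)."""
    seqs = defaultdict(list)
    for e in events:
        if e.get("eventid") in LOGIN_EVENTS:
            seqs[(e["src_ip"], e["session"])].append((e["username"], e["password"]))
    return seqs


def find_shared_sequences(events, min_len=3, min_ips=2):
    """Heuristic botnet indicator (an assumption, not Longtail's method): the same
    credential sequence replayed from several source addresses suggests one
    controller driving many bots. Returns {sequence: sorted list of IPs}."""
    by_seq = defaultdict(set)
    for (ip, _session), seq in login_sequences(events).items():
        if len(seq) >= min_len:
            by_seq[tuple(seq)].add(ip)
    return {seq: sorted(ips) for seq, ips in by_seq.items() if len(ips) >= min_ips}


def block_candidates(events, threshold=3):
    """Addresses with at least `threshold` failed logins: input for a dynamically
    provisioned firewall rule, to be reviewed before enforcement."""
    return sorted(ip for ip, n in count_by_ip(events).items() if n >= threshold)


def post_login_commands(events):
    """What attackers do once they get in: commands typed in successful sessions."""
    ok = {(e["src_ip"], e["session"]) for e in events
          if e.get("eventid") == "cowrie.login.success"}
    return [(e["src_ip"], e["input"]) for e in events
            if e.get("eventid") == "cowrie.command.input" and (e["src_ip"], e["session"]) in ok]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed logins by IP:", dict(count_by_ip(evs)))
    print("attackers by country:", dict(count_by_country(evs)))
    print("shared credential sequences:", find_shared_sequences(evs))
    print("block candidates:", block_candidates(evs))
    print("post-login commands:", post_login_commands(evs))
```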
Issues with honeypots
Vulnerable to fingerprinting
Scanning a network will reveal identifying characteristics
Attackers can find weaknesses specific to the network they fingerprint
If a honeypot can be fingerprinted then attackers can avoid it
Need to make honeypots hard to fingerprint
Original resources are still vulnerable
Prone to reconnaissance scans
Honeypots effectively fail if attacker finds the real resource
Need to also hide the real resources
Fingerprinting Examples
[Scan screenshot: "12 Open Ports Found"]
Preventing Fingerprinting
A convincing honeypot must mimic fingerprint of the real resource
Approach depends on the type of honeypot (SSH, client, application, etc.)
SSH honeypot
same open ports as the real portal
same responses to login attempts
same libraries installed
Client honeypot
same server type and version
same look and feel
Nearly impossible to mimic real resource exactly
Honeypot must always reside on different server or port
First-Packet Authentication™
[Diagram: current security products start after network sessions are established; First Packet Authentication stops unauthorized access at the earliest possible time. Timeline: session setup, then data packet flows. Analogy: before caller-ID, one must answer to determine identity; after caller-ID, only known and trusted callers are answered.]
Problem with traditional protocols
Identity of user/device determined only AFTER establishing session
Leaves networks vulnerable to several kinds of attacks
BlackRidge Transport Access Control (TAC) solves the problem
Authenticate identity & enforce policy on first packet before session
Cloaking with BlackRidge
Hiding critical resources
First-packet authentication™ blocks without revealing info to an attacker
With BlackRidge we can completely cloak desired devices
These devices include but are not limited to:
SDN Controllers, ESXI Servers, Virtual Machines, etc.
Defense in Depth
Combine with honeypots to more effectively divert traffic
Optimal data collection requires catching more attacks on the honeypot
BlackRidge examples
[Scan screenshots comparing open ports and host details without BlackRidge and with BlackRidge]
Firewall/IPS Protection: a firewall/IPS allows a large number of TCP connection attempts through and information to leak.
BlackRidge Protection: BlackRidge does not allow any unauthorized connection attempts or scans (information leakage) to occur.
BlackRidge in testbed
[Testbed diagram: WDM Node B and WDM Node C; SDN Controller and Network Hypervisor with cloud orchestrator API; Brocade/Vyatta 5600 V-Router/Firewall; Ciena Metro Ethernet; Marist API code; Marist LongTail Honeypots & Analytics; Orchestrator with Application Security Policy; Marist Remote Management App (NetConf); NYS CCAC Ecosystem]
Honeypot popularity
Companies are increasingly interested in this space1,2,3
Seeking more data to support security analytics
Setting up honeypots in their networks
Tenants might be deploying these technologies in the cloud
Providers have an opportunity to enhance their cloud offerings
SECurity as a Service
“a business model in which a large service provider integrates their security services into a corporate infrastructure on a subscription basis more cost effectively than most individuals or corporations can provide on their own, when total cost of ownership is considered”4
1. A. Jain, B. Buksh, Advance Trends in Network Security with Honeypot and its Comparative Study with other Techniques, IJETT 29/6 Nov 2015
2. http://www.infoworld.com/article/3128818/security/10-decisions-youll-face-when-deploying-a-honeypot.html
3. https://www.honeynet.org/blog
4. http://searchsecurity.techtarget.com/definition/Security-as-a-Service
Opportunities for SECaaS
What can providers do?
Deploy their own honeypots
Collect data for historical and predictive analytics
Honeypots as a service
Offer templates to customers who wish to use honeypots
Simplify setup and deployment
Security analytics as a service
Up-to-date threat intelligence can enable dynamic security policies
Offer tenants access to valuable information from honeypot analytics
Conclusion
SDN+NFV poses new cybersecurity challenges for providers
Adaptive intelligence-driven security measures are needed
Honeypots not only add a layer of security… they can also capture vital data
Analytics (e.g. “Longtail”) leverages data for prediction and real-time response
Pair honeypots with cloaking technologies for Defense in Depth
Honeypots and threat analytics also present SECaaS opportunities
Acknowledgements
This work is supported in part by the National Science Foundation grant 1541384 Campus Cyberinfrastructure - Data, Networking and Innovation Program (CC-DNI), per NSF solicitation 15-534, for the project entitled CC-DNI (Integration (Area 4): Application Aware Software-Defined Networks for Secure Cloud Services (SecureCloud))
Questions?

Honeypots for Cloud Providers - SDN World Congress
