Recommended
More Related Content
What's hot
What's hot (20)
Similar to Insider Threats Detection in Cloud using UEBA
Similar to Insider Threats Detection in Cloud using UEBA (20)
Recently uploaded
Recently uploaded (20)
Insider Threats Detection in Cloud using UEBA
- 2. Insider Threats Detection in Cloud using UEBA Cloud Threat Analyzer Lucas Ko, Taiwan lucasko@iii.org.tw 2
- 3. Lucas Ko 3 » National Taiwan University of Science and Technology • Master’s degree in Computer Science » Institute for Information Industry • Project Manager • Responsibilities: - Penetration test of bank, gov - Detection system development - Log analysis » Zero-day Finder, such as : CVE-2017-5481
- 4. Outline » Insider Threats in Cloud » User and Entity Behavior Analytics » Anomaly Detection System » Case Study 4
- 5. Insider Threats in Cloud 5
- 6. Data Stored in the Cloud 6 44% Email 32% Customer Data 31% 30% Employee Data 26% Sales & Marketing Data Contract, Invoices, Orders [1] “Cloud Security 2016 Spotlight Report”, CloudPassage
- 7. Cloud Management is Hard 7 Work at home Mobile Google Drive insecure Company Office 365 » Cloud storage is more convenient, but risk. • Insider could easily collect data who is not in company.
- 8. Security Threats in Cloud 8 53% 44% 39% 33% Unauthorized Access Hijacking of Accounts Insecure Interfaces/APIs External Sharing of Data [1] “Cloud Security 2016 Spotlight Report”, CloudPassage
- 9. Most concerned about insider threats 9 71% Inadvertent data leak [2] “Insider Threat 2016 Spotlight Report” 68% Ignore policy 61% Malicious data leak
- 10. How to protect cloud data from insider threats? User and Entity Behavior Analytics 10
- 11. 11 What is UEBA ? » Expands the definition from UBA. Such as devices, applications, data, anything » Integrates machine learning, behavior of user and entity features » UEBA is used for insider threat detection.
- 12. How UEBA protected us ? 12 User Behaviors Entity Features Log Collection Machine Learning Risk Assessment Behavior Model Clustering Predict Anomalies Risk Estimator
- 13. 13 Detection is based on UEBA » Integrated recommendation system ( collaborative filtering ) with entity. • Directory Tree Structure Users access logs Detect Insider Threats Collaborative filtering from file access behaviors Drive file proximity score measuring Past access behavior matrix Structure-oriented risk propagation Current access behavior vector
- 15. Anomaly Detection System » Using recommendation system to detect abnormal behavior. 15 Users Items Highly Recommend Not Recommended (Abnormal Behavior) Access Matrix (Binary Matrix) Recommendation System Recommend additional items with similar properties.
- 16. Abnormal Access Behavior » Detected cross-group abnormal access behavior. 16 Cross-group abnormal access A team’s files Similar user Read Recommend File B team’s files Similar user Read Recommend File Recommendation System Detect
- 17. 17 Recommendation System is not great at all » Cold Start Problem: • There is no access behavior in past for new file. - Can not predict for current behaviors of new file. Users Item Access Matrix Cold Start Problem New file log Insiders New file
- 18. Integrated Recommendation System with entity » Directory Tree Structure • Members in the the same project will have similar behavior and directory tree structure. • Averages the nearby similarity scores to be the new file’s similarity score . 18 Old files Highly Similarity Score New files
- 19. Steps in the Anomaly Detection 19 Log Collection Model Risk Assessment » Google Drive • Access Log • Directory Tree Structure » 150 employees » Last 6 months logs » Collaborative Filtering • Alternating Least Squares » Risk Estimator • File proximity score measuring.
- 20. Log Collection 20 Log Collection Model Risk Assessment » Collected access logs from Google Drive
- 21. Types of Access Log 21 Log Collection Model Risk Assessment change_acl_editors ACL Change Create Trash Remove from folder Edit View Add to folder Delete Download Preview rename Move Upload Pint Access change_doc_access_scope change_doc_visbility change_user_access
- 22. Data Pre-Processing 22 Log Collection Model Risk Assessment Google Drive Access Matrix » Access Log » Directory Tree Structure Directory Tree Structure
- 23. To Solved the Sparse Problem 23 Log Collection Model Risk Assessment Users Files Users Directories 11% 89% Directories Files » Accessed different files in the same directory • They were considered to be the same behavior. » According to our statistics: » Files account for 89% . » Directories account for 11%
- 24. Types of Recommendation System 24 Log Collection Model Risk Assessment Recommendation System Content-based Hybrid-based (CF + Cotent) Model-based Collaborative Filtering Neighborhood -based User-based Item-based
- 25. Collaborative Filtering » A method of making predictions about the interests of a user by collecting preferences. » Types of preference • Explicit:Users rate for items. • Implicit:Observation of user’s behavior. - Access Behavior on file. 25
- 26. Alternating Least Squares 26 Log Collection Model Risk Assessment Users Items Users latent factors Item latent factors U IR » ALS Features: • Model-based. • Easy to parallelize. • Quick to converge. » Steps: • Start with random U & I matrix. • Optimize user vectors based on files. • Optimize file vectors based on users. • Repeat until converged. Prediction
- 27. Entity 27 » File proximity score measuring. » User and Entity Behavior Analytics • Structure-oriented risk propagation. » Measuring Strategy: • Straight parents. • All children. A B C D E F G H I J K L M Log Collection Model Risk Assessment
- 28. Risk Estimator 28 Log Collection Model Risk Assessment » Reversed score from prediction • High score means more risk.
- 29. Case Study 29
- 30. Case:Cross-Group Access » File link was shared in communication APP. • Every one clicked link from APP. 30 Insi er File Link Administrator click click Shared APP
- 31. Case:High-risk Employee » We found out the high-risk employee who collects data before quitting job. » Collected other teams’ documents on Google Drive. 31 Team A Team B Abnornal Access
- 32. Case:Shared Account » Using shared account to access the file document. (Privileged account abused) 32 Shared Account Employee B No permission Frequently used file Infrequently used file Login to shared account Abnornal Access
- 33. Case:Compromised Account » A account was compromised • collected documents in secret. 33 Compromised Account Abnornal Access Insi er Hacker Frequently used file Infrequently used file Login to compromised account
- 34. CloudOrion:Cloud Threat Analyzer » Demo Site • https://cloudorion.cyber00rn.org/ » Logs Collection • Google Drive Audit » One-Click Authorization • Google Sign in » Find Out Insider Threats • Abnormal behavior detection » File Permission Management • Remove all permissions at once » Third-Party Apps Management • Identify high-risk applications 34 Google Drive Insider G Suite Administrator NotificationAbnormal Behavior Logs Collection
- 35. Thanks for your listening Institute for Information Industry Lucas Ko lucasko@iii.org.tw lucasko.tw@gmail.com CloudOrion:Cloud Threat Analyzer https://cloudorion.cyber00rn.org/ 35
Editor's Notes
- 1. An increasing number of companies are beginning to use cloud service 2. There are many cloud service : such as Google Drive, Dropbox , Office365 3. Using cloud service is good for Collaborative working. 4. However ,it is threat to company
- 1.What types of information do you store in the cloud? 2. According to Cloud Security 2016 Spotlight Report,
- why are there many threats in cloud
- The reason why unauthorized access is number one is that it was caused by misuse of credentials , improper access controls
- 1. In addition, Most concerned about insider threats 2. insider threats in cyber security are often associated with malicious users 3. Insider threats is big risk for enterprise 4.1 Insider threats can go undetected for years 4.2 It is hard to distinguish harmful actions from regular work 4.3 It is easy for employees to cover their actions 4.4 It is hard to prove guilt
- Risk Assessment is a module to calculate risk.
- collaborative filtering is a method of making automatic predictions (filtering) about the interests of a user by collecting preferences similar user will be grouped together similar users will access similar files / folders It is similar if distance between two folders is close
- Binary Matrix What kind of products are you also interested. Not recommended means that it is not similar between users.
- It is a common problem in recommendation system.
- 1. The members in the the same project will have similar behaviors and similar directory tree structure. 2. The score of new file was averaged by nearby similarity score
- 1. Focus on google drive
- in most situations acl change,when a new account was joined, acl change will be lanuched in each file
- Files were decreased 90% . It is very helpful in performance
- User-based and item-based are common for recommendation system.
- Parallelize [ˋpærəlelaiz]
- How it happened