Practical Machine Learning for Cloud Intrusion Detection

Presentation transcript:

Practical Machine Learning for Cloud Intrusion Detection: Challenges and the Way Forward
Ram Shankar Siva Kumar (@ram_ssk), Andrew Wicker, Matt Swann (@MSwannMSFT)
Machine Learning and Computer Security workshop – NIPS 2017

Speaker notes: Hello – My name is Ram, and I am a Senior ML Engineer in Azure Security Data Science. This work was done in collaboration with Andrew Wicker and Matt Swann. This paper draws on our collective knowledge of securing Microsoft’s cloud solution, Azure, focusing more on qualitative experience as opposed to specific algorithms and results.

Plug: We are hiring!! Contact: RamK@microsoft.com

Cloud IDS: Why should you care?
- 85% of Enterprise IT organizations will commit to multicloud architecture by 2018 [IDCFutureScape 2017]
- Security is an important competitive Cloud Differentiator [csoonline2016]
- Intrusion detection systems are expected to grow to USD 5.93 billion ($5.9B) by 2021 at a compound annual growth rate of 12% [Gartner2016]
Net-Net: Important Problem for the Industry

Anomalous Login Detection System: Motivating Example
“Detect anomalous security logons from developers to the infrastructure system”

Cloud Setting
[Diagram labels: Cloud, Azure, Developers, Security Analysts, Internal Platform, Anomalous Login Detection System]

Challenge: The Cloud Infrastructure hosts both platform and customers

Speaker notes: The first challenge when building cloud IDS systems is that the infrastructure that keeps the Cloud up and running is massive. Azure is supported by 300+ services – ranging from Resource Manager, which enables deploying and managing VMs, to Storage to Compute. Azure is architected in a way such that the same backend services support different flavors of the cloud:
-> Whether public or private or hybrid, it is the same code
So, net-net: the telemetry generated by these logs is in the order of PBs.
To add to the challenge, the cloud is also dynamic – the cloud as it is now is very different from
-> VMs are constantly deployed
-> Developers constantly push out new features

[Diagram labels: Data Center generates logs; Attacker; External Customers, Customer administrator, Customer logs, Customer Storage Account, Anomalous Login Detection System; Azure Developers, Cloud Service logs, Central Repository (“Remove any Customer Identifiable Information”), Anomalous Login Detection System, Internal Security Analyst + Appropriate Service team]

Speaker notes: The data center that supports Azure infrastructure has two personas interacting with it:
- The External Customers, who pay Azure to host services or rent infrastructure.
- The Azure Developers, who maintain and develop Azure’s infrastructure.
The logs from the data center are collected by the Azure Monitoring system and, depending on the situation, piped in one of two ways:
-> Customers’ activity logs go to their storage account, where detection systems monitor for compromise. The end consumers of this alert are the admins of the
-> The internal developers’ activity is collected into a central repository, where detection systems monitor for malicious activity. The end consumers of this alert are Microsoft’s Security Analysts.

Challenge: The Cloud Backend is built on different, composite services
Microsoft Azure: 300+ Services (Encryption, Storage, Identity, Compute, ….and many many more!)
- 300+ different backend infrastructure services to ensure correct functionality
- Same backend service supports many “flavors” of cloud
  - Infrastructure as a Service vs. Platform as a Service
  - Private Cloud vs. Public Cloud vs. Hybrid Cloud
- Each service architected differently
  - Backend Service for Storage different from Backend Service for Compute
  - Logging for each service is different

[Diagram labels: Data Center 1, Data Center 2, Data Center 3; Attacker; Storage Service, Compute Service, Identity Service, Encryption Service; Storage Service Logs, Compute Service Logs, Identity Service Logs, Encryption Service Logs; Storage Dev, Compute Dev, Identity Dev, Encryption Dev; one Anomalous Login Detection System per service (Storage, Compute, Identity, Encryption); Central Repository; Internal Security Analyst + Appropriate Service team]

Challenge: The Cloud Backend is Geo-distributed

Geo-distributed = Compliance and Localization
Building Privacy compliant Models has three challenges:
- Privacy Laws vary across regions
  - IP address is treated as EII in some regions vs. not EII in other regions
- Privacy Laws are not static
  - Privacy Laws now ask for “retroactive modification”
- Model Localization is important
  - Weekend in Middle East != Weekend in Americas
  - Product adoption happens at different rates across different regions
  - Data distribution is different!

[Diagram labels: Storage Dev; Storage Service Anomalous Login Detection System - AMERICAS (Scrubbed per US Policy); Storage Service Anomalous Login - EUROPE; Storage Service Anomalous Login - AUSTRALIA (Scrubbed per EU Policy); Central Repository; Internal Security Analyst + Storage Service Team]
World Map source: http://upload.wikimedia.org/wikipedia/commons/9/95/World_map_green.png
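The two ideas on the last few slides, stripping Customer Identifiable Information before developer activity reaches the central repository and scrubbing or localizing per region (IP treated as EII in some regions, a different weekend in the Middle East), can be combined in one small pipeline. The following is an added example written for this page; it is not code from the talk or from Azure. The REGION_POLICY table, the CUSTOMER_FIELDS list, the event field names and the logon records are constructed assumptions; the baselining rule (flag a developer logon whose local weekend/hour bucket was never seen for that developer) is a deliberately simple stand-in for a real model.

```python
"""Region-aware scrubbing plus localized anomalous-login baselining.

Added example; the regional policy table and the event records are
constructed for illustration and are not Azure's real policies or logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import hashlib

# Constructed policy table (assumption): whether the source IP is treated
# as end-user identifiable information (EII) in the region, which weekdays
# form the local weekend (Mon=0 .. Sun=6), and the local UTC offset.
REGION_POLICY = {
    "AMERICAS":    {"ip_is_eii": False, "weekend": {5, 6}, "utc_offset": -5},
    "EUROPE":      {"ip_is_eii": True,  "weekend": {5, 6}, "utc_offset": 1},
    "MIDDLE_EAST": {"ip_is_eii": True,  "weekend": {4, 5}, "utc_offset": 3},
}

# Fields that identify a customer; never written to the central repository.
CUSTOMER_FIELDS = ("customer_subscription",)


def scrub(event, region):
    """Copy of a developer logon event with customer identifiable
    information dropped and, where the region treats IP as EII, the source
    IP replaced by a truncated SHA-256 pseudonym."""
    policy = REGION_POLICY[region]
    out = {k: v for k, v in event.items() if k not in CUSTOMER_FIELDS}
    if policy["ip_is_eii"]:
        out["src_ip"] = hashlib.sha256(event["src_ip"].encode()).hexdigest()[:16]
    return out


def local_key(event, region):
    """(is_weekend, 4-hour bucket) of the logon in the region's local time."""
    policy = REGION_POLICY[region]
    tz = timezone(timedelta(hours=policy["utc_offset"]))
    local = datetime.fromisoformat(event["ts"]).astimezone(tz)
    return (local.weekday() in policy["weekend"], local.hour // 4)


def build_profiles(history, region):
    """Per-developer set of local keys observed during the baseline window."""
    profiles = defaultdict(set)
    for ev in history:
        profiles[ev["dev"]].add(local_key(ev, region))
    return profiles


def detect(events, profiles, region):
    """Scrubbed alerts for logons whose local (weekend, hour-bucket) key was
    never seen for that developer; only the scrubbed copy reaches the analyst."""
    alerts = []
    for ev in events:
        if local_key(ev, region) not in profiles.get(ev["dev"], set()):
            alert = scrub(ev, region)
            alert["reason"] = "logon outside developer's local baseline"
            alerts.append(alert)
    return alerts


def _event(ts, dev="alice", src_ip="203.0.113.7"):
    # Constructed record; 203.0.113.0/24 is documentation address space.
    return {"ts": ts, "dev": dev, "src_ip": src_ip,
            "customer_subscription": "sub-CONSTRUCTED-0001"}


# Baseline: Monday 4 Dec 2017 to Thursday 7 Dec 2017, 06:00 UTC each day.
HISTORY = [_event(f"2017-12-0{d}T06:00:00+00:00") for d in (4, 5, 6, 7)]
# Probe: Friday 8 Dec 2017, 06:00 UTC. In Europe (UTC+1) that is a Friday
# morning like the baseline; in the Middle East (UTC+3) Friday is a
# weekend day, so the same event falls outside the baseline there.
PROBE = [_event("2017-12-08T06:00:00+00:00")]


def run_demo():
    """Run the probe through each regional model; returns alerts per region."""
    return {region: detect(PROBE, build_profiles(HISTORY, region), region)
            for region in REGION_POLICY}


if __name__ == "__main__":
    for region, alerts in run_demo().items():
        print(region, alerts)
```

Running it shows the localization point from the slide: the identical Friday logon is normal for the AMERICAS and EUROPE models but is alerted by the MIDDLE_EAST model, and the alert that leaves the MIDDLE_EAST pipeline carries a pseudonymized IP and no customer subscription, while the AMERICAS policy keeps the raw IP.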

Other Challenges…
- Vertically and Horizontally Siloed
- Model Compliance
- Dynamic Environment
- Tribal/Domain Knowledge Driven
- Model Evaluation
- Explainability

The Way Forward

Future is Attack Disruption
“Compromises are measured in minutes 98% of the time… median time for detection is in the order of months” [Verizon2017]
Call to shift focus from Attack Detection to Attack Disruption
Open Question: Is there a place for intelligence across the blue team kill chain?
- Can Machine Learning help towards automatic remediation?
- Can Natural Language Processing help analysts triage alerts better?
- Can recommender engines guide the next steps in investigations?