Securing NoSQL Clusters

Transcription

1 Presents Securing NoSQL Clusters Adrian Lane, CTO David Mortman

2 Independent analysts with backgrounds on both the user and vendor side. Focused on deep technical and industry expertise. We like pragmatic. We are security guys - that s all we do. About Securosis

3 How does big data help with security analytics? and How Do I Protect Data in the Cluster? The Research

4 Encyclopedic Hutton and the Big Data Blues Source: Wikipedia, property of Warner Bros.

5 More data of more types Need forensics Need to determine risk Need to detect fraud Need to detect intrusions Need to protect this data Need to automate Management: Get it done!

6 Security analytics not working! My systems won t do the forensics Bolt-ons not working with my SIEM or data management systems Won t collect the data types I need Shock/Denial

7 Why Doesn't my SIEM do this? Isn t that what I already bought?

8 What SIEM promised

9 Not really... Most SIEM s can t handle the volume of data Most SIEMs can t process all data types Many based upon RDBMS Many can t do complex analysis

10 I ll buy a security analytics platform Feed event data in Correlate across my SIEM and data warehouse Use my existing policies and reports! Image source: No problem!

11 Image Source: nithyananda-cult.blogspot.com Anger

12 SIEM Mashup An#$Fraud*&* 3rd*Party*Analy#cs* MSP*&*3rd*Party* Monitoring* Advanced*Malware* Protec#on* DIY* Big*Data * SIEM% Threat*Intelligence* General*Purpose* Analy#cs*

13 Security Analytics Platforms Each deals with one use case - customers have several Companies need structured, unstructured and semi-structured data analysis Use different platforms internally, some piggyback on select SIEM, some are standalone Real time _or_ forensic, not both Vendors offer one or two analysis approach REST-ful APIs not available

14 Bargaining Image source: larainydays.blogspot.com

15 The Inevitable Questions: Bunch of previously acquired technologies - how do we fit them together? What is the rest of the industry doing? Where are the enterprise grade analytics tools? Who handles fraud and risk and security intelligence and threat analytics? Where do I go to find people?

16 Encyclopedia Hutton Asks Friends For Advice

17 DIY Security Analytics! Use Big Data - it scales It handles many types of data You can customize as you see fit It s designed to support analytics

18 Image courtesy of pragsis.com Hadoop let s you do all this and more - virtually free analytics tools on commodity hardware!

19 Image source: Problogger.net Big Data Will Save The Day!

20 Performance Scalability Data volume Data types Fast lookup or fast analysis Flexibility How does big data help?

21 Image source: monkeysbadmonkeys.wordpress.com Build everything from scratch? Do you know how much this will cost? All new software All new systems Data architect, statisticians and security pro s Depression

22 Big Data is Supposed to Address My Problems

23 I don t know what I don t know! What pieces do I need? How do I organize data? How will I manage something this complex? How do I secure this critical data? Getting control is not easy

24 It s all new Pig? Hive? Flume? What does it mean? What exactly is a data architect? It s not SQL? Can I run queries across databases? How does it scale? Key data on what values? How do I secure it?

25 NoSQL Cluster Architecture Client%Job%Request% Node%Status% M7R%Status% Resource%Request% Node% Manager% Data$ App$ Client$ Client$ Resource% Manager% Node% Manager% App$ Data$ Node% Manager% Data$ Data$

26 Hadoop Stack

27 Early days for big data No in-house data scientist Programmers needed Just figuring out what we can do with NoSQL DIY Analytics Today vendors don t know much more than you Talent Gap

28 Integration Issues APIs inconsistent/unavailable Log Management & data collection Peer to peer queries and results

29 Taking on the task that is security analytics with big data. Realizing that platforms like Hadoop are first step Cluster Security can be done With the right skills, that can be leverage to great effect. Acceptance

30 Building the machine

31 Applied Big Data Start with Metrics Build a model (aka have a theory) Test it! Having a data scientist type helps

32 GQM Goal Question Metric

33 Example - NIST CSF ID.AM: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy.

34 Example - NIST CSF Are network ingress points documented? Are network egress points mapped? Are data flows mapped?

35 Example - NIST CSF # Undocumented Ingress points # Undocumented egress points # of Undocumented Data Flows % business units/business processes/etc. without data flow diagrams % business units/business processes/etc. with data flow diagrams

36 SIRA - NIST CSF

37 Different Flavors of NoSQL Hadoop - Universal M-R for huge data sets. Great for search, log analysis, ad-hoc queries. Cassandra - Columnar store. Indexed. Best for writing lots of data quickly, few lookups. Highly distributable. CouchDB - General purpose analytics database. Fast insert/few changes. Pre-defined queries. RIAK - Super-fast data lookup - like Dynamo - but with data management and scalability. Control system logs and fast devices. Redis - Fast changing data. In memory."

38 Operational Issues Node & App Validation Admin Access Data at Rest Monitoring Config. Management

39 Big Data Security Architectures

40 Model 1: Walled Garden

41 So if I put a firewall around it

42 Model 1: Walled Garden Think Mainframe security silo Basically hide the cluster behind firewall User passwords Network segmentation, SSL

43 Beyond the Status Quo

44 Model 2: App Protected

45 Model 2: App Protected Authenticate Applications Authenticate Users Authorize data access (roles) Filter API requests Audit Activity

46 Model 3: Data Centric Approach Tokenization Encryption Masking

47 Securosis Data Breach Triangle Exploit Egress Data

48 Tokenization, FPE & Masking

49 Model 3: Data Centric Approach Protect data before it s put into cluster Can t steal what s not there Removal: Masking Removal: Tokenization Protection: Encryption

50 Model 4: Deploy in The Cloud

51 Given general knowledge of Cloud & NoSQL security, some of you are thinking this does not end well

52

53 Reality is different u Security Zones u Data Encryption u Built-in SSL u Authentication u Hyper-segregation u Logging, monitoring u Automated Config Management

54 Model 4: Leverage Cloud Security Data encryption (SSL, encrypted storage) Key management services Security zones Authentication services Server management (config, patch) Logging & monitoring services

55 Big Data Security is not easy - Complex environments - No clear definition - Lots of new research - Pragmatic approach - Many more issues - Ongoing research project Easy? No.

56 Adrian Lane Securosis, L.L.C. David Mortman Dell, Inc.