1 Presents Securing NoSQL Clusters Adrian Lane, CTO David Mortman
2 Independent analysts with backgrounds on both the user and vendor sides. Focused on deep technical and industry expertise. We like pragmatic. We are security guys - that's all we do. About Securosis
3 How does big data help with security analytics? and How Do I Protect Data in the Cluster? The Research
4 Encyclopedic Hutton and the Big Data Blues Source: Wikipedia, property of Warner Bros.
5 More data of more types Need forensics Need to determine risk Need to detect fraud Need to detect intrusions Need to protect this data Need to automate Management: Get it done!
6 Security analytics not working! My systems won't do the forensics Bolt-ons not working with my SIEM or data management systems Won't collect the data types I need Shock/Denial
7 Why doesn't my SIEM do this? Isn't that what I already bought?
8 What SIEM promised
9 Not really... Most SIEMs can't handle the volume of data Most SIEMs can't process all data types Many based upon RDBMS Many can't do complex analysis
10 I'll buy a security analytics platform Feed event data in Correlate across my SIEM and data warehouse Use my existing policies and reports! No problem!
11 Image Source: nithyananda-cult.blogspot.com Anger
12 SIEM Mashup [diagram labels: SIEM, Anti-Fraud, 3rd Party Analytics, MSP & 3rd Party Monitoring, Advanced Malware Protection, DIY Big Data, Threat Intelligence, General Purpose Analytics]
13 Security Analytics Platforms Each deals with one use case - customers have several Companies need structured, unstructured and semi-structured data analysis Use different platforms internally, some piggyback on select SIEMs, some are standalone Real time _or_ forensic, not both Vendors offer one or two analysis approaches RESTful APIs not available
14 Bargaining Image source: larainydays.blogspot.com
15 The Inevitable Questions: Bunch of previously acquired technologies - how do we fit them together? What is the rest of the industry doing? Where are the enterprise-grade analytics tools? Who handles fraud and risk and security intelligence and threat analytics? Where do I go to find people?
16 Encyclopedia Hutton Asks Friends For Advice
17 DIY Security Analytics! Use Big Data - it scales It handles many types of data You can customize as you see fit It's designed to support analytics
18 Image courtesy of pragsis.com Hadoop lets you do all this and more - virtually free analytics tools on commodity hardware!
19 Image source: Problogger.net Big Data Will Save The Day!
20 Performance Scalability Data volume Data types Fast lookup or fast analysis Flexibility How does big data help?
21 Image source: monkeysbadmonkeys.wordpress.com Build everything from scratch? Do you know how much this will cost? All new software All new systems Data architects, statisticians and security pros Depression
22 Big Data is Supposed to Address My Problems
23 I don't know what I don't know! What pieces do I need? How do I organize data? How will I manage something this complex? How do I secure this critical data? Getting control is not easy
24 It's all new Pig? Hive? Flume? What does it mean? What exactly is a data architect? It's not SQL? Can I run queries across databases? How does it scale? Key data on what values? How do I secure it?
25 NoSQL Cluster Architecture [diagram labels: Client Job Request, Node Status, M/R Status, Resource Request, Resource Manager, Node Manager (x3), App, Data, Client]
26 Hadoop Stack
27 Early days for big data No in-house data scientist Programmers needed Just figuring out what we can do with NoSQL DIY Analytics Today vendors don't know much more than you Talent Gap
28 Integration Issues APIs inconsistent/unavailable Log Management & data collection Peer to peer queries and results
29 Taking on the task that is security analytics with big data. Realizing that platforms like Hadoop are a first step Cluster Security can be done With the right skills, that can be leveraged to great effect. Acceptance
30 Building the machine
31 Applied Big Data Start with Metrics Build a model (aka have a theory) Test it! Having a data scientist type helps
32 GQM Goal Question Metric
33 Example - NIST CSF ID.AM: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
34 Example - NIST CSF Are network ingress points documented? Are network egress points mapped? Are data flows mapped?
35 Example - NIST CSF Metrics: # undocumented ingress points; # undocumented egress points; # undocumented data flows; % business units/business processes/etc. without data flow diagrams; % business units/business processes/etc. with data flow diagrams
36 SIRA - NIST CSF
37 Different Flavors of NoSQL Hadoop - Universal M-R for huge data sets. Great for search, log analysis, ad-hoc queries. Cassandra - Columnar store. Indexed. Best for writing lots of data quickly, few lookups. Highly distributable. CouchDB - General purpose analytics database. Fast insert/few changes. Pre-defined queries. Riak - Super-fast data lookup - like Dynamo - but with data management and scalability. Control system logs and fast devices. Redis - Fast changing data. In memory.
38 Operational Issues Node & App Validation Admin Access Data at Rest Monitoring Config. Management
39 Big Data Security Architectures
40 Model 1: Walled Garden
41 So if I put a firewall around it
42 Model 1: Walled Garden Think Mainframe security silo Basically hide the cluster behind firewall User passwords Network segmentation, SSL
43 Beyond the Status Quo
44 Model 2: App Protected
45 Model 2: App Protected Authenticate Applications Authenticate Users Authorize data access (roles) Filter API requests Audit Activity
46 Model 3: Data Centric Approach Tokenization Encryption Masking
47 Securosis Data Breach Triangle Exploit Egress Data
48 Tokenization, FPE & Masking
49 Model 3: Data Centric Approach Protect data before it's put into the cluster Can't steal what's not there Removal: Masking Removal: Tokenization Protection: Encryption
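Model 3 in practice, as an added example that is not part of the Securosis deck: masking and tokenization applied to a record before it is written to the cluster, with the token vault kept outside the cluster so the cluster never holds the original values. The field names, sample record and masking rules are constructed for illustration; the Protection leg (encryption) is left out because the standard library has no AES.

```python
import re
import secrets

SENSITIVE = ("ssn", "email", "card")   # constructed policy: fields never stored raw


class TokenVault:
    """Token <-> value mapping held OUTSIDE the NoSQL cluster.
    In-memory here; in production a separate, hardened store."""

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (stable tokens)

    def tokenize(self, value):
        # Reuse the token for a repeated value so joins/lookups on the
        # tokenized column in the cluster still work.
        if value in self._by_value:
            return self._by_value[value]
        digits = re.sub(r"\D", "", value)
        # Format-preserving: same length, all digits, last 4 kept so
        # support staff can still match a card without seeing the PAN.
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = head + digits[-4:]
            if token != digits and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        # Only callers with vault access can recover the original value.
        return self._by_token[token]


def mask_email(addr):
    local, _, domain = addr.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_ssn(ssn):
    return "***-**-" + ssn[-4:]   # irreversible: value is removed, not hidden


def protect_record(record, vault):
    """Apply the data-centric policy on the way INTO the cluster."""
    out = dict(record)
    out["ssn"] = mask_ssn(record["ssn"])
    out["email"] = mask_email(record["email"])
    out["card"] = vault.tokenize(record["card"])
    return out


def unprotected_fields(original, protected):
    """Sensitive fields whose raw value would still land in the cluster."""
    return [f for f in SENSITIVE if protected[f] == original[f]]


# Constructed sample record; nothing here is real customer data.
SAMPLE = {"customer_id": "c-1001", "ssn": "123-45-6789",
          "email": "alice@example.com", "card": "4111111111111111"}
```

The cluster receives `protect_record(SAMPLE, vault)`; a breach of the cluster alone yields masked fields and tokens, and recovering a card number additionally requires the vault.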
50 Model 4: Deploy in The Cloud
51 Given general knowledge of Cloud & NoSQL security, some of you are thinking this does not end well
53 Reality is different: Security Zones; Data Encryption; Built-in SSL; Authentication; Hyper-segregation; Logging, monitoring; Automated Config Management
54 Model 4: Leverage Cloud Security Data encryption (SSL, encrypted storage) Key management services Security zones Authentication services Server management (config, patch) Logging & monitoring services
55 Big Data Security is not easy - Complex environments - No clear definition - Lots of new research - Pragmatic approach - Many more issues - Ongoing research project Easy? No.
56 Adrian Lane Securosis, L.L.C. David Mortman Dell, Inc.