Presents
Securing NoSQL Clusters
Adrian Lane, CTO
[email protected] Twitter: @AdrianLane
David Mortman
[email protected] Twitter: @
About Securosis
• Independent analysts with backgrounds on
both the user and vendor side.
• Focused on deep technical and industry
expertise.
• We like pragmatic.
The Research
How does big data help with security
analytics?
…
and
…
Encyclopedic
Hutton and the Big
Management: “Get it done!”
• More data of more types
• Need forensics
• Need to determine risk
• Need to detect fraud
• Need to detect intrusions
• Need to protect this data
Shock/Denial
• Security analytics not working!
• My systems won’t do the
forensics
• Bolt-ons not working with my
SIEM or data management systems
• Won’t collect the data types I
Why Doesn't my
SIEM do this?
Isn’t that what I
Not really ...
• Most SIEMs can’t handle the volume of data
• Most SIEMs can’t process all data types
• Many based upon RDBMS
No problem!
• I’ll buy a security analytics
platform
• Feed event data in
• Correlate across my SIEM and
data warehouse
• Use my existing policies and
reports!
Anger
SIEM Mashup
Diagram: SIEM mashup of Anti-Fraud & 3rd Party Analytics, General Purpose Analytics, DIY “Big Data”, MSP & 3rd Party Monitoring, Threat Intelligence, SIEM, and Advanced Malware Protection.
Security Analytics Platforms
• Each deals with one use case - customers have
several
• Companies need structured, unstructured and
semi-structured data analysis
• Use different platforms internally, some
piggy-back on select SIEM, some are standalone
• Real time _or_ forensic, not both
• Vendors offer one or two analysis approaches
Bargaining
The Inevitable Questions:
• Bunch of previously acquired technologies - how
do we fit them together?
• What is the rest of the industry doing?
• Where are the enterprise grade analytics tools?
• Who handles fraud and risk and security
intelligence and threat analytics?
Encyclopedia Hutton Asks Friends For Advice
DIY Security Analytics!
• Use ‘Big Data’ - it scales
• It handles many types of data
• You can customize as you see
fit
• It’s designed to support
Hadoop lets you do all this and more - virtually free analytics tools on commodity hardware!
Big Data Will Save The Day!
How does big data help?
• Performance
• Scalability
• Data volume
• Data types
• Fast lookup or fast analysis
Depression
• Build everything from scratch?
• Do you know how much this
will cost?
• All new software
• All new systems
• Data architects, statisticians and security pros
Big Data is Supposed to Address My Problems
Getting control is not easy
• I don’t know what I don’t know!
• What pieces do I need?
• How do I organize data?
• How will I manage something this
complex?
• How do I secure this critical
It’s all new
…
• Pig? Hive? Flume?
What does it mean?
• What exactly is a
data architect?
• It’s not SQL?
• Can I run queries
across databases?
• How does it scale?
• Key data on what
values?
NoSQL Cluster Architecture
Diagram: NoSQL cluster architecture with Clients, Apps, Data nodes, Node Managers and a Resource Manager; flows shown are Client Job Request, Node Status, Resource Request and M/R Status.
Talent Gap
http://flic.kr/p/efqfy9
• Early days for big data
• No in-house data scientist
• Programmers needed
• Just figuring out what we can
do with NoSQL
• DIY Analytics
• Today vendors don’t know
Integration Issues
• APIs inconsistent/unavailable
• Log Management & data collection
Acceptance
• Taking on the task that is
security analytics with big data.
• Realizing that platforms like
Hadoop are first step
• Cluster Security can be done
• With the right skills, that can
Applied Big Data
• Start with Metrics
• Build a model (aka have a theory)
• Test it!
GQM
• Goal
• Question
Example - NIST CSF
ID.AM: The data, personnel, devices,
systems, and facilities that enable the
organization to achieve business
purposes are identified and managed
consistent with their relative
importance to business objectives
and the organization’s risk strategy.
Example - NIST CSF
Are network ingress points documented?
Are network egress points mapped?
Example - NIST CSF
• # of undocumented ingress points
• # of undocumented egress points
• # of undocumented data flows
• % of business units/business processes/etc. without data flow diagrams
SIRA - NIST CSF
Different Flavors of NoSQL
• Hadoop - Universal M-R for huge data sets.
Great for search, log analysis, ad-hoc queries.
• Cassandra - Columnar store. Indexed. Best for
writing lots of data quickly, few lookups. Highly distributable.
• CouchDB - General purpose analytics database.
Fast insert/few changes. Pre-defined queries.
• Riak - Super-fast data lookup - like Dynamo - but with data management and scalability. Control system logs and fast devices.
Operational Issues
• Data at rest
• Admin access
• Config. management
• Monitoring
• Node & app validation
Big Data Security Architectures
Model 1: Walled Garden
• Think Mainframe security silo
• Basically hide the cluster behind firewall
• User passwords
Beyond the Status Quo
Model 2: App Protected
• Authenticate Applications
• Authenticate Users
• Authorize data access (roles)
• Filter API requests
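The four checks on this slide, as an added example that is not code from the deck: a small enforcement point that sits between applications and the cluster API. The app registry, user tokens, role policy and request format are constructed assumptions; the cluster itself is not modelled. Each request is checked in the order the slide lists: application authentication (HMAC over the request), user authentication (bearer token), role authorization, and a shape filter on the request itself.

```python
"""Enforcement point for an 'app protected' NoSQL cluster (Model 2).

Added example, not code from the Securosis deck. It assumes a gateway in
front of the cluster API and constructs its own app registry, user tokens,
role policy and request format.
"""
import hashlib
import hmac
import time

# Constructed registry of applications allowed to talk to the cluster.
# Real deployments pull these secrets from a KMS, not from source code.
APP_SECRETS = {"fraud-analytics": b"constructed-app-secret"}

# Constructed user sessions: bearer token -> (user name, set of roles).
USER_TOKENS = {
    "tok-alice": ("alice", {"analyst"}),
    "tok-bob": ("bob", {"ingest"}),
}

# Role -> collection -> allowed operations. Anything not listed is denied.
POLICY = {
    "analyst": {"events": {"get", "scan"}, "customers": {"get"}},
    "ingest": {"events": {"put"}},
}

MAX_SCAN_ROWS = 10_000   # scans must carry an explicit, bounded limit
MAX_CLOCK_SKEW = 300     # seconds; rejects replayed or stale signatures


def sign_request(app_id, secret, path, ts):
    """HMAC over the fields the gateway checks; computed by the client app."""
    msg = f"{app_id}\n{path}\n{ts}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(app_id, secret, user_token, path, ts, limit=None):
    """Client-side helper: assemble a signed request (constructed format)."""
    req = {"app_id": app_id, "user_token": user_token, "path": path, "ts": ts}
    if limit is not None:
        req["limit"] = limit
    req["sig"] = sign_request(app_id, secret, path, ts)
    return req


def authenticate_app(req, now):
    """Check 1: the calling application is known and its signature is fresh."""
    secret = APP_SECRETS.get(req.get("app_id"))
    if secret is None:
        return "unknown application"
    if abs(now - req.get("ts", 0)) > MAX_CLOCK_SKEW:
        return "stale request"
    expected = sign_request(req["app_id"], secret, req.get("path", ""), req["ts"])
    if not hmac.compare_digest(expected, str(req.get("sig", ""))):
        return "bad app signature"
    return None


def authenticate_user(req):
    """Check 2: the end user behind the app presents a known token."""
    return USER_TOKENS.get(req.get("user_token"))


def filter_request(req):
    """Check 4 (shape): path must be /<collection>/<op>; scans must be bounded."""
    parts = req.get("path", "").strip("/").split("/")
    if len(parts) != 2 or any(p in ("", "..", "admin") for p in parts):
        return None, "malformed path"
    collection, op = parts
    if op == "scan" and req.get("limit", MAX_SCAN_ROWS + 1) > MAX_SCAN_ROWS:
        return None, "scan too large or unbounded"
    return (collection, op), None


def authorize(roles, collection, op):
    """Check 3: at least one of the user's roles permits this op on this collection."""
    return any(op in POLICY.get(r, {}).get(collection, set()) for r in roles)


def enforce(req, now=None):
    """Return {'allowed': True, ...} or {'allowed': False, 'reason': ...}."""
    now = time.time() if now is None else now
    reason = authenticate_app(req, now)
    if reason:
        return {"allowed": False, "reason": reason}
    entry = authenticate_user(req)
    if entry is None:
        return {"allowed": False, "reason": "unknown user"}
    user, roles = entry
    target, reason = filter_request(req)
    if reason:
        return {"allowed": False, "reason": reason}
    collection, op = target
    if not authorize(roles, collection, op):
        return {"allowed": False, "reason": f"{user} may not {op} {collection}"}
    return {"allowed": True, "user": user, "collection": collection, "op": op}


if __name__ == "__main__":
    now = int(time.time())
    secret = APP_SECRETS["fraud-analytics"]
    for path, tok, limit in [("/events/get", "tok-alice", None),
                             ("/events/put", "tok-alice", None),
                             ("/events/scan", "tok-bob", 100)]:
        print(path, tok, enforce(build_request("fraud-analytics", secret, tok, path, now, limit), now))
```

The shape filter runs before authorization on purpose: a malformed or unbounded request is rejected regardless of who sent it, so the policy table never has to reason about paths it does not expect.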
Model 3: Data Centric Approach
Securosis Data Breach Triangle
Diagram: the three sides of the triangle are Data, Exploit and Egress.
Model 3: Data Centric Approach
• Protect data before it’s put into cluster
• Can’t steal what’s not there
• Removal: Masking
• Removal: Tokenization
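The two removal techniques on this slide, masking and tokenization, applied to records before they are loaded into a cluster. This is an added example, not code from the deck; the field names, key and sample records are constructed. Masking is irreversible and keeps only what analysts need; tokenization replaces a value with a keyed, deterministic surrogate so records can still be joined on it, while the real value stays in a vault outside the cluster.

```python
"""Data-centric protection (Model 3): remove sensitive values before records
enter the cluster, so a compromised node has nothing worth stealing.

Added example, not code from the Securosis deck. Field names, the key and
the sample records are constructed.
"""
import hashlib
import hmac

# Constructed key. In practice it lives in an HSM/KMS and never reaches the
# cluster, so whoever holds the cluster's data cannot reverse the tokens.
TOKEN_KEY = b"constructed-demo-key"

# Which fields are sensitive and how each is removed before ingest.
FIELD_POLICY = {"ssn": "tokenize", "email": "tokenize", "card": "mask"}


def tokenize(value, key=TOKEN_KEY):
    """Deterministic keyed token: same input -> same token, so joins and
    counts still work inside the cluster; not reversible without the vault."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:24]


def mask_card(card):
    """Irreversible masking: keep only the last four digits."""
    digits = "".join(ch for ch in card if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Token -> original value. Deployed separately from the cluster with its
    own access controls; here an in-memory stand-in."""

    def __init__(self):
        self._store = {}

    def put(self, token, value):
        self._store[token] = value

    def detokenize(self, token):
        return self._store.get(token)


def protect_record(record, vault):
    """Return a copy of `record` that is safe to load into the cluster."""
    out = {}
    for field, value in record.items():
        action = FIELD_POLICY.get(field)
        if action == "tokenize":
            token = tokenize(str(value))
            vault.put(token, value)
            out[field] = token
        elif action == "mask":
            out[field] = mask_card(str(value))
        else:
            out[field] = value
    return out


def leaks_raw_values(protected, original):
    """Ingest-side check: does any raw sensitive value survive in the output?"""
    raw = [str(original[f]) for f in FIELD_POLICY if f in original]
    return any(r in str(v) for r in raw for v in protected.values())


# Constructed sample records; record 3 repeats record 1's identity fields.
SAMPLE_RECORDS = [
    {"id": 1, "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "email": "alice@example.com", "amount": 42.5},
    {"id": 2, "ssn": "987-65-4321", "card": "5500 0000 0000 0004", "email": "bob@example.com", "amount": 7.0},
    {"id": 3, "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "email": "alice@example.com", "amount": 9.9},
]


def protect_batch(records, vault):
    return [protect_record(r, vault) for r in records]


if __name__ == "__main__":
    vault = TokenVault()
    for rec in protect_batch(SAMPLE_RECORDS, vault):
        print(rec)
```

Because the token is keyed, two clusters (or a cluster and an attacker with the data) cannot build a rainbow table of tokens for common values without the key; that is why the key and the vault must live outside the cluster's trust boundary.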
Model 4: Deploy in ‘The Cloud’
Given general knowledge of Cloud & NoSQL security, some of you are thinking this does not end well …
Reality is different
• Security zones
• Data encryption
• Built-in SSL
• Authentication
• Hyper-segregation
• Logging, monitoring
Model 4: Leverage Cloud Security
• Data encryption (SSL, encrypted storage)
• Key management services
• Security zones
• Authentication services
• Server management (config, patch)
Easy? No.
• Big Data Security is not easy
- Complex environments
- No clear definition
- Lots of new research
- Pragmatic approach
- Many more issues