Including Security Monitoring in Cloud Service Level Agreement (SLA) - - PowerPoint PPT Presentation



SLIDE 1

Including Security Monitoring in Cloud Service Level Agreement (SLA)

Amir Teshome
Supervisors: Louis Rilling, Christine Morin
July 5, 2016

Amir Teshome Including Security Monitoring in Cloud SLA 1 / 11

SLIDE 3

Sections: Introduction | SLAs & Security Monitoring | Challenges | IDS Evaluation | Conclusion and Future Work

Contents

  • Challenges on including security monitoring into SLA
  • IDS evaluation method (used as SLA verification mechanism)

SLIDE 6

Introduction

  • Clients outsource their information system
  • Loss of full control

[Figure: a User Portal in front of VM 1 to VM 6 hosted by the provider]

Lack of trust in service providers and security concerns were a reason for 40% of small and medium businesses not to join the cloud. [2014 study]

SLIDE 9

Security Monitoring

Security Monitoring¹ is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.

  • Detect suspicious behaviors and take action before severe damage.
  • Intrusion Detection Systems (IDS) and logs from firewalls are used as monitoring systems.

¹ “Tao of Network Security Monitoring, Beyond Intrusion Detection” by Richard Bejtlich

SLIDE 14

Service Level Agreement (SLA)

SLA: an agreement between cloud providers and customers. It describes:

  • Provided service
  • Rights and obligations
  • Penalties

But SLAs don’t include the security monitoring aspect of an Information System.

SLIDE 20

Challenges

Include security monitoring in Service Level Agreements:

  • Malleability of virtual infrastructures
  • Difficulty of expressing security monitoring properties using precise terms
  • SLA enforcement is done at the lower level
  • Lack of methods to evaluate security monitoring setups

SLIDE 26

Proposed Directions

  • Specify security monitoring requirements
  • Given the requirements:
      • Automatically configure and deploy
      • Verify if the specified SLA is respected or not
      • If not, take action

SLIDE 32

State of the art

  • Focus on a specific monitoring probe (IDS)
  • IDS evaluation method, used for SLA verification
  • Related works on IDS evaluation
      • T. Probst et al.: two-phase approach:
          • Analysis of network access control phase
          • IDS evaluation phase
        Cloning is required and the cloned infrastructure is measured.
        The metrics used don’t describe the efficiency of an IDS correctly.

SLIDE 40

Evaluation Metrics

Basic metrics of IDS include TP, FP, TN and FN.

  • True Positive Rate (TPR) = TP / (TP + FN), False Positive Rate (FPR) = FP / (FP + TN)
    Example: IDS1: <TPR = 0.9, FPR = 0.2> and IDS2: <TPR = 0.8, FPR = 0.1>
  • ROC (Receiver Operating Characteristic) curve
    [Figure: ROC curve example. Source: https://docs.eyesopen.com/toolkits/cookbook/python/plotting/roc.html]
  • Positive Predictive Value (PPV) = P(I|A)¹ and Negative Predictive Value (NPV) = P(¬I|¬A)
  • PPV and NPV are dependent on the Base Rate (B) = P(I).
  • Single unified metric: Intrusion Detection Capability (CID)

        CID = I(i; a) / H(i)

    I: mutual information, H: entropy
    i: input packets, part of an attack or legitimate packets
    a: IDS output, detected as intrusive or non-intrusive

¹ I: presence of intrusion, A: presence of alarm
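The following worked example is added here; it is not code from the slides or from the author. It computes the metrics named on this slide (TPR, FPR, PPV, NPV and CID = I(i; a) / H(i)) from either a confusion matrix or a (TPR, FPR, base rate) triple, and compares the deck's IDS1 <TPR=0.9, FPR=0.2> and IDS2 <TPR=0.8, FPR=0.1> at several base rates. The base rates 0.5, 0.1 and 0.01 are chosen for illustration; the function names are this example's own.

```python
"""Worked example (added; not from the slides): IDS evaluation metrics.

Computes TPR, FPR, PPV and NPV, and the Intrusion Detection Capability
CID = I(i; a) / H(i), where i is whether an input was part of an attack and
a is whether the IDS raised an alarm, then compares the deck's IDS1 and IDS2
at several base rates.
"""
import math


def entropy(probabilities):
    """Shannon entropy in bits of a discrete distribution (0 * log 0 := 0)."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def rates_from_counts(tp, fp, tn, fn):
    """TPR, FPR and base rate B = P(I) from a confusion matrix."""
    total = tp + fp + tn + fn
    return {"TPR": tp / (tp + fn), "FPR": fp / (fp + tn), "B": (tp + fn) / total}


def joint(tpr, fpr, b):
    """Joint distribution P(i, a) implied by TPR, FPR and base rate b."""
    return {
        (1, 1): b * tpr,              # intrusion, alarm        -> TP
        (1, 0): b * (1 - tpr),        # intrusion, no alarm     -> FN
        (0, 1): (1 - b) * fpr,        # no intrusion, alarm     -> FP
        (0, 0): (1 - b) * (1 - fpr),  # no intrusion, no alarm  -> TN
    }


def ppv(tpr, fpr, b):
    """Positive Predictive Value P(I | A), by Bayes' rule."""
    alarm = b * tpr + (1 - b) * fpr
    return b * tpr / alarm if alarm else float("nan")


def npv(tpr, fpr, b):
    """Negative Predictive Value P(not I | not A)."""
    no_alarm = b * (1 - tpr) + (1 - b) * (1 - fpr)
    return (1 - b) * (1 - fpr) / no_alarm if no_alarm else float("nan")


def cid(tpr, fpr, b):
    """Intrusion Detection Capability: I(i; a) / H(i)."""
    p = joint(tpr, fpr, b)
    h_i = entropy([b, 1 - b])                      # H(i): entropy of the input
    p_alarm = p[(1, 1)] + p[(0, 1)]
    h_a = entropy([p_alarm, 1 - p_alarm])          # H(a): entropy of the IDS output
    h_ia = entropy(p.values())                     # H(i, a): joint entropy
    mutual_information = h_i + h_a - h_ia          # I(i; a)
    return mutual_information / h_i if h_i else float("nan")


def compare(ids, base_rates):
    """Return {name: {B: {PPV, NPV, CID}}} for each IDS at each base rate."""
    table = {}
    for name, (tpr, fpr) in ids.items():
        table[name] = {
            b: {"PPV": ppv(tpr, fpr, b), "NPV": npv(tpr, fpr, b), "CID": cid(tpr, fpr, b)}
            for b in base_rates
        }
    return table


IDS = {"IDS1": (0.9, 0.2), "IDS2": (0.8, 0.1)}   # the two IDSs from the slide
BASE_RATES = (0.5, 0.1, 0.01)                    # chosen for illustration

if __name__ == "__main__":
    for name, rows in compare(IDS, BASE_RATES).items():
        for b, m in rows.items():
            print(f"{name} B={b:<5} PPV={m['PPV']:.3f} NPV={m['NPV']:.3f} CID={m['CID']:.3f}")
```

Running it shows the slide's point about base-rate dependence: at B = 0.5 the two IDSs have the same CID (their joint distributions are permutations of each other), while at B = 0.01 IDS2, with the lower FPR, has both the higher PPV and the higher CID despite its lower TPR. A TPR/FPR pair alone cannot rank them; a verification mechanism has to fix the base rate it measures at.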

SLIDE 46

Attack Running Method

[Figure: Attack Running Method. Elements: a Controller; Host 1 and Host 2, each with an IDS; VM1 to VM4; an Attacker and a Target VM; logging at the controller, the attacker and the target.]

SLIDE 49

Attack Running Method

  • More than one target VM could be used
  • Attacks executed based on a given base rate (statistically proposed)
  • Care should be taken, since we are using the production environment’s network infrastructure (not to create an overhead)
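As an added example (not the author's code), here is the verification step the "Proposed Directions" slide calls for, applied to the attack running method above: the controller plans a set of test events at a given base rate under a rate cap, logs what it injected against which target VM, and afterwards reconciles that log with the IDS alert log to obtain TP/FP/TN/FN for the injected events and check them against SLA terms. The log record layouts, the SLA term names (min_tpr, max_fpr), the two-second matching window and the sample records are all assumptions made for this example.

```python
"""Added example (not from the slides): in-situ SLA verification from logs.

The controller injects test events (attack or benign) against target VMs at
a chosen base rate and logs what it sent; the IDS logs alerts.  Reconciling
the two logs gives TP/FP/TN/FN for the injected events, from which the SLA
terms are checked.  Log layouts, SLA term names, the matching window and the
sample records are assumptions made for this example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    ts: float          # seconds since the start of the run
    target: str        # target VM
    attack: bool       # ground truth, known only to the controller


@dataclass(frozen=True)
class Alert:
    ts: float
    target: str


# Constructed sample logs (not real data).
CONTROLLER_LOG = [
    Event("e1", 0.0, "vm1", True),
    Event("e2", 1.0, "vm2", False),
    Event("e3", 2.0, "vm1", True),
    Event("e4", 3.0, "vm2", False),
    Event("e5", 4.0, "vm1", False),
    Event("e6", 5.0, "vm2", True),
]
IDS_ALERTS = [Alert(0.5, "vm1"), Alert(3.2, "vm2"), Alert(5.8, "vm2"), Alert(9.0, "vm1")]

SLA_TERMS = {"min_tpr": 0.8, "max_fpr": 0.1}   # hypothetical SLA terms


def plan_injections(n, base_rate, targets, events_per_second, seed=0):
    """Schedule n test events so that round(n * base_rate) of them are attacks.

    events_per_second caps the injection rate so the production network is
    not loaded noticeably (the overhead caveat on the slide).
    """
    rng = random.Random(seed)
    attacks = round(n * base_rate)
    labels = [True] * attacks + [False] * (n - attacks)
    rng.shuffle(labels)
    spacing = 1.0 / events_per_second
    return [Event(f"e{k}", k * spacing, targets[k % len(targets)], attack)
            for k, attack in enumerate(labels)]


def confusion(events, alerts, window=2.0):
    """Match each injected event to the earliest unused alert on the same
    target raised within `window` seconds after it.  Alerts matching no
    injected event are counted separately: they concern background production
    traffic whose ground truth is unknown, so they cannot be scored."""
    unused = sorted(alerts, key=lambda a: a.ts)
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for ev in sorted(events, key=lambda e: e.ts):
        match = next((a for a in unused
                      if a.target == ev.target and ev.ts <= a.ts <= ev.ts + window), None)
        if match is not None:
            unused.remove(match)
        alarmed = match is not None
        if ev.attack:
            counts["TP" if alarmed else "FN"] += 1
        else:
            counts["FP" if alarmed else "TN"] += 1
    counts["unmatched_alerts"] = len(unused)
    return counts


def check_sla(counts, terms):
    """Compare measured TPR/FPR with the SLA terms and say which one fails."""
    positives = counts["TP"] + counts["FN"]
    negatives = counts["FP"] + counts["TN"]
    tpr = counts["TP"] / positives if positives else float("nan")
    fpr = counts["FP"] / negatives if negatives else float("nan")
    tpr_ok = tpr >= terms["min_tpr"]
    fpr_ok = fpr <= terms["max_fpr"]
    return {"TPR": tpr, "FPR": fpr, "tpr_ok": tpr_ok, "fpr_ok": fpr_ok,
            "respected": tpr_ok and fpr_ok}


if __name__ == "__main__":
    c = confusion(CONTROLLER_LOG, IDS_ALERTS)
    print(c)
    print(check_sla(c, SLA_TERMS))
```

On the constructed logs this yields TP=2, FP=1, TN=2, FN=1 with one unmatched alert, so TPR = 2/3 and FPR = 1/3 and neither SLA term holds. Two design points carry over to a real deployment: unmatched alerts are deliberately not scored, because on a production network only the injected events have known ground truth, and the rate cap in plan_injections is where the "no overhead" caveat is enforced.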

SLIDE 57

Conclusion and Future Work

Conclusion:
  • There is a need to include security monitoring into SLAs
  • Presented the challenges to include security monitoring terms into SLA
  • CID, a usable metric to describe the efficiency of an IDS
  • In situ evaluation of production IDSs

Future Work:
  • Evaluation of the methodology (ongoing)
  • Extend this work to other monitoring probes
  • Definition of security monitoring SLA terms
  • Enforcement of security monitoring SLAs