A group of researchers from the US, China, and Saudi Arabia, have demonstrated how artificial intelligence (AI) algorithms can help detect distributed denial-of-Service (DDoS) attacks where other methods fail.

With the number of internet-connected devices growing at an exponential rate and attackers becoming more sophisticated in their methods, finding and filtering out harmful DDoS traffic against web servers is becoming a mounting challenge.

Their method, presented in a paper published on the open science platform Europe PMC, uses deep learning to determine whether network traffic coming from a source is normal or part of a malicious DDoS attack.

The researchers’ findings show that when dealing with large-scale data, deep learning-based detection methods improve speed and accuracy while reducing false alarm rates.

The work focuses on software-defined networks (SDN), a networking paradigm that has gained popularity in recent years.

SDN provides flexible virtualization capabilities that fulfill the growing demands of cloud computing, mobile networks, and internet of things (IoT).

However, SDN and OpenFlow, the protocol often used to enable communications between SDN controllers and network devices such as switches and routers, are vulnerable to DDoS attacks, as many researchers have found.

Rule-based detection failures

The classical way to detect DDoS is to compare incoming network traffic against a predefined set of rules that can separate normal from attack traffic.

But setting rules for DDoS detection is very difficult due to the diversity of DDoS attack schemes and the difficulty of defining thresholds between normal and malicious traffic.

“In practice, there is no clear distinction between normal traffic and attack traffic,” the authors of the paper note, adding that it would practically be impossible for humans to analyze the huge volume of data running through networks to find the correct rules.

Tackling DDoS with deep learning

Instead of manually perusing data, the authors propose to analyze it with deep neural networks (DNNs).

DNNs, which roughly imitate the workings of their biological counterparts, ingest large amounts of data and find relevant patterns, which they transform into complex mathematical representations.

They can then use this model to classify new incoming data or predict the next piece of information in a sequence.

In the case of DDoS, the researchers treat it as a classification problem. The goal of the algorithm is to determine, on a scale of 0 to 1, how likely incoming traffic from a node in the network is malicious, or, as the researchers put it, “judging whether the characteristic data of the OpenFlow flow table is normal or not”.

By analyzing reams of data, a well-trained deep learning model will be able to glean intricate characteristics of safe and malicious traffic that would have otherwise gone undetected to a human analyst.

The neural network was trained on a large dataset comprised of both normal and malicious table entries, and then tested against five different types of DDoS attacks, including various traffic flooding attacks and slow-connection HTTP attacks, where attackers try to bog down a server by sending it very lengthy requests.

As is true for most deep learning uses, developing a reliable DDoS detection model depends largely on gathering enough quality training data.

As the authors note:

In the case of a small data scale, the relevance ratio of the DL model in the face of flooding attacks has a slight advantage [in comparison to traditional detection methods], but it has not shown its detection advantage in other aspects. The detection performance is not outstanding.

But as the system was scaled to larger datasets, the researchers found that the deep learning model eventually became more accurate and made fewer errors than other established DDoS detection tools, including those based on other machine learning algorithms, including support vector machines (SVM) and decision trees.

Human support needed

Deep learning systems are very good at handling classification and prediction tasks, as long as they’re dealing with data that is statistically similar to their training examples.

But as soon as they meet novel situations that vary from what they’ve previously seen, they behave in unexpected ways.

“Although some achievements have been obtained in this research, there are still some shortcomings,” the authors of the paper note. “The DL model of this research also needs a certain degree of human adjustment, and it cannot be completely intelligent.”

The paper has not been peer-reviewed, and the authors have not released the code and data for examination by industry experts, so it’s hard to independently verify the accuracy of their model.

But using machine learning algorithms to address the growing threat of DDoS attacks has become a growing area of interest, and several projects have already shown promising results.

Other efforts in the field range from simple machine learning models that detect compromised IoT devices in networks to SVM models that analyze OpenFlow tables for malicious behavior.

The post Going deep: How advances in machine learning can improve DDoS attack detection appeared first on Artificial Intelligence.

Zscaler will acquire Cloudneeti for an undisclosed amount in a deal that adds cloud security posture management (CSPM) to its platform.

CSPM companies provide security processes and tools to prevent and fix cloud misconfigurations. This is important because these misconfigurations are the leading cause of data breaches and compliance violations in cloud applications — the Capital One data breach is one recent example. In fact, the most recent Cloud Security Alliance’s threat reports ranks data breaches and cloud misconfigurations as the No. 1 and No. 2 cloud security threats, respectively.

Gartner recommends all cloud security vendors invest in CSPM, and forecasts “through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.”

CSPM “is only becoming more important,” said Gartner analyst Neil MacDonald. “It allows organization to identify where they have known or unacceptable risk in their cloud configurations, and there’s been multiple acquisitions in this space.”

Hot M&A Market

Last year Aqua Security purchased CloudSploit, Trend Micro bought Cloud Conformity, and Sophos acquired Avid Secure to add CSPM to their portfolios. And in 2018, CheckPoint acquired Dome9 and Palo Alto Networks bought a couple of CSPM vendors: Evident.io and RedLock. Also that year VMware bought CloudCoreo and CloudHealth to round out its CSPM.

“It does raise the question of what some of the other competitors will do here, like Cisco or Fortinet, as they evolve their offerings,” MacDonald said. “I think this CSPM market will continue to change shape. There will be more acquisitions and more vendors adding this to their portfolio. This won’t be the last change we see in this space.”

Cloudneeti’s CSPM

Cloudneeti’s technology collects actual configurations from cloud service providers, compares them against cloud security best practices, and then analyzes risks and fixes misconfigurations. It works across software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) providers including Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and Microsoft’s Office 365.

The company, which is one of the earlier CSPM vendors, differentiated itself by being “one of the first to focus on Azure because everyone else was focusing on AWS,” MacDonald said. “The other thing they did that was smart: the extended their CSPM capabilities to Office 365. They realized that this problem of misconfiguration and mismanagement is not just a problem in infrastructure-as-a-service, it’s at the SaaS layer as well and there are very few CSPMs that have gone up to the SaaS layer.”

In fact, Cloudneeti’s Microsoft expertise made it an attractive acquisition target, said Punit Minocha, Zscaler SVP of business and corporate development. While many CSPM companies start with AWS before branching out to other public cloud providers, “these guys took a different stance as it relates to cloud of choice. They started with Azure, and we as a company do a fair amount of partnering with Microsoft.”

Boost to CASB, Zero Trust

Zscaler last year added out-of-band cloud access security broker (CASB) capabilities to its platform to provide visibility and enable data protection for SaaS applications. And after adding CASB, “the second piece that started to come up in discussions with customers was ‘we have a fair number of workloads running in public clouds — AWS, Azure, GCP, you name it,’” Minocha said.

Customers expressed concerns about public cloud misconfiguration leading to noncompliance and data breaches. “So to address this need, we went down this path of adding CSPM,” he said. “Think of it as yet another add-on to make sure we are bolstering our data protection services.”

Cloudneeti’s capabilities strengthen Zscaler’s existing data protection capabilities across its internet access and CASB services, Minocha explained. It also expands application protection capabilities in Zscaler Private Access by allowing developers to find and automatically correct misconfigured applications and compliance violations in cloud service provider environments.

Additionally, the Cloudneeti company culture meshed well with Zscaler, Minocha said. “We have been public for two years and going down this path of inorganic growth, and we want to make sure that we acquire companies that are a good cultural fit.”

Zscaler’s Security Strategy

This is Zscaler’s third acquisition. It acquired artificial intelligence (AI) and machine learning (ML) startup TrustPath in August 2018, and browser isolation startup Appsulate in May 2019.

The company’s Cloud Security Platform processes “well over 100 billion transactions daily,” Minocha said. “And the word ‘platform’ I know is used bastardly by almost everyone out there. Ours is a true, in-line, active inspection element. Nothing good leaves the organization and nothing bad comes in. And when you are processing as much traffic as we are, we have to be mindful of in-line inspection abilities we can build in, and then capabilities that we can add inorganically that might be less performance sensitive.”

These inorganic additions to the platform include secure browser isolation via the Appsulate acquisition, he added. Also, processing 100 billion transaction requires “a fair amount of AI and ML,” and the TrustPath purchase plays into that.

The Cloudneeti acquisition advances Zscaler’s security capabilities and “it’s a logical progression,” MacDonald said. “They started with secure web gateway, they they added branch office firewall-as-a-service and Zscaler Private Access — what we call zero-trust network access.”

The vendor also acquired Appsulate and built its own CASB, he added. “This is the latest in a series of capabilities they are building out on top of their global security fabric.”

The post Zscaler Buys Cloud Security Startup Cloudneeti appeared first on Artificial Intelligence.

Tufin today announced the availability of Tufin SecureCloud, which combines two existing offerings to manage cybersecurity policies for both monolithic applications and emerging microservices-based application environments.

Company CTO Reuven Harrison said rather than moving forward with separate products, previously known as Tufin Orca and Tufin Iris, Tufin is aiming to appease IT organizations that prefer a unified approach to managing all their applications.

Tufin SecureCloud provides the single pane of glass that IT organizations require to secure cloud applications regardless of the underlying architecture employed, he said, noting a single offering provides the added benefit of reducing the total cost of securing those cloud applications.

Part of the Tufin Orchestration Suite of cloud security tools, Tufin SecureCloud is planned to support for instances of Kubernetes running in on-premises IT environments. Kubernetes has emerged as the dominant platform for deploying microservices-based applications built using containers. By extending the current support Tufin provides securing Kubernetes instances in the cloud to on-premises IT environments, it will become possible to secure hybrid cloud computing environments as well, added Harrison.

Because Tufin SecureCloud automatically generates, provisions and synchronizes security policy changes across multiple IT environments, Harrison said the platform will enable organizations to more easily further adoption of best DevSecOps processes spanning both application development teams and cybersecurity professionals. Tufin SecureCloud also provides integration with a variety of continuous integration/continuous delivery (CI/CD) platforms to make it easier to attach cybersecurity policies to application workloads as they are developed and deployed, he added.

Tufin is clearly wading into one of the more contentious issues in cybersecurity. Short-handed cybersecurity professionals need to rely on developers to programmatically embed cybersecurity controls into applications. However, many cybersecurity professionals have historically viewed developers as being the root cause of the cybersecurity problem because of all the vulnerabilities that are inadvertently introduced into application code. Tufin SecureCloud provides a mechanism to verify the proper policies and associated controls have been properly implemented by developers. Unfortunately, the adoption of best DevSecOps processes remains uneven at best. Most organizations are still working through their initial transition to DevOps so it may be years before most organizations are able to extend those practices into the realm of cybersecurity.

In the meantime, the amount of application code that needs to be secured will continue to pile up. Thanks to the rise of agile programming techniques and best DevOps practices, there is more application code to secure than ever. Most cybersecurity teams are already struggling to keep pace. The challenge is that as developers embrace microservices, not only will the rate at which applications are being deployed increase, but also will the number of updates being made to existing applications. Clearly, most tools for currently assessing cybersecurity posture are not going to be able to keep pace. In fact, many organizations are likely to find themselves hard-pressed to audit their application environments, much less actually able to secure them.

The post Tufin Unifies Management of Cloud Cybersecurity Policies appeared first on Artificial Intelligence.

Big data analytics and search tools give organizations the ability to analyze information faster than ever before. But too many organizations deploy Elasticsearch, Amazon S3 buckets, MongoDB and other cloud-based databases in a manner that leaves the data being stored exposed to the internet for anyone to see. That’s despite many of these tools explicitly not exposing data by default, meaning administrators must disable built-in security controls.

“What we’re seeing, especially with the advent of cloud computing just making things much easier to access over the internet, [is that] members of organizations spin up new services and they might not be too familiar with them,” James Spiteri, a solutions architect and cybersecurity specialist at Elastic, which offers Elasticsearch, says in an interview with Information Securty Media Group.

Unfortunately, this can lead to administrators inadvertently exposing massive amounts of data to the internet.

“Sometimes it happens because not many people are fully aware of how the internet functions; other times it happens because they’re rushed into doing something and they just bypass all of the security features,” he says. “So there are many reasons why this happens, and unfortunately it can have catastrophic effects; we see new breaches every single day.”

In this interview (see audio link below photo), Spiteri discusses:

• Preventing inadvertent exposure of data being stored online in cloud-based buckets or databases;
• Essential security controls for safeguarding data being stored in the cloud;
• The growing use of big data tools such as Elasticsearch for security analytics and to perform threat hunting.

Spiteri is a solutions architect for Elastic, where he also serves as the company’s cybersecurity specialist for Europe, the Middle East and Africa. Prior to that he gained extensive experience as an Elasticsearch user, including at RS2 Software, as well as while serving as the security architecture manager for Invinsec. He’s also served as a Linux systems administrator at Arvato Financial Solutions, among other roles.

The post Cloud Security: ‘Big Data’ Leak Prevention Essentials appeared first on Artificial Intelligence.

ClearDATA, the leader in healthcare public cloud security and compliance, announced a new multi-cloud software offering, ClearDATA Locate, enabling healthcare organizations to build a more cohesive and traceable protected health information (PHI) inventory within Kubernetes workloads available on Amazon Web Services, Google Cloud Platform and Microsoft Azure.

Built with ClearDATA’s Healthcare Aware Distributed Tracing technology, this new software solution makes it easier for healthcare industry professionals to observe sensitive data in transit or at rest in any Kubernetes application, allowing for better protection against breaches, improved auditing and significant reductions in potential damages and fines.

“We’ve come a long way since healthcare was at odds with the public cloud. However, the ability to track sensitive data as it moves from point A to Z was missing from the narrative and represented a huge vulnerability for healthcare organizations,” said Matt Ferrari, Chief Technology Officer at ClearDATA.

“Now, with ClearDATA Locate, payers, providers and life science orgs can have more insight into their data to trace PHI when leveraging microservices.”

Today, medical providers and insurance companies gather, store and share a wealth of sensitive personal information on the cloud, from addresses and social security numbers to payment information and patients’ health records, with more than 194 million active patients in the U.S. healthcare system.

Faced with complex privacy, security and compliance frameworks including GDPR’s Right to be Forgotten, the ability to accurately trace vast amounts of distributed patient records through ClearDATA Locate provides healthcare organizations with a full understanding of the systems that patient data passes through.

Further, as the healthcare industry faces an all-time record number of massively expensive security breaches, ClearDATA Locate can greatly reduce damages and penalties by helping isolate and identify the actual records exposed. This allows for an accurate report of how many records were actually compromised, instead of assuming the compromise of all records stored.

With ClearDATA Locate, healthcare and life sciences organizations faced with compromised data can potentially save a tremendous amount in issued fines by the Department of Health and Human Services Office for Civil Rights and reduce damage to reputation.

“Today, if you routinely process tens of thousands of patient records through your application, you would have to notify all those patients of a suspected breach when, in reality, only 200 records may have been impacted. ClearDATA Locate can dramatically change the outcome for healthcare organizations and patients,” said Ferrari.

ClearDATA first launched the Healthcare Aware Distributed Tracing technology earlier this year at HIMSS 2019.

Leveraging machine learning technology, the new service makes it easier for healthcare organizations to observe sensitive data in rest or transit through microservices including containers allowing for deeper analytics while creating a reliable and continually updated inventory.

The post ClearDATA launches SaaS Solution for healthcare orgs to track patient records within Kubernetes appeared first on Artificial Intelligence.

Amazon offers a number of excellent tools to help enterprises keep their data (Read more click here) and applications safe in the cloud. Last year, Amazon unveiled Amazon Inspector, its host-based application vulnerability assessment tool to monitor what is installed and configured on each virtual Instance. This year, it’s Amazon Macie, a security service designed to automatically discover and protect sensitive data stored in AWS.

As organizations move more of their data to Amazon’s various cloud offerings, security teams have the unenviable task of continuously tracking the data to identify, classify and protect sensitive pieces of information such as personally identifiable information (PII), personal health information (PHI), regulatory documents, API keys, secret key material and intellectual property.

Amazon Macie automates what has traditionally been a labor-intensive task by using machine learning to understand where sensitive information is stored and how it is accessed. Macie dynamically analyzes all attempts to access data and flags anomalies, such as large amounts of data being downloaded, uncommon login patterns, or data showing up in an unexpected location. Macie can alert when someone accidentally makes sensitive data externally accessible or stored credentials insecurely.

“Amazon Macie is a service powered by machine learning that can automatically discover and classify your data stored in Amazon S3. But Macie doesn’t stop there, once your data has been classified by Macie, it assigns each data item a business value, and then continuously monitors the data in order to detect any suspicious activity based upon access patterns,” Tara Walker, AWS tech evangelist, wrote on the Amazon Web Services blog.

Currently only available for S3 customers, Macie support for other AWS data stores will come later in the year.

Understanding Macie

Amazon Macie applies predictive analytics algorithms on authentication data such as location, times of access and historical patterns to develop a baseline for how each piece of data is used. To use Macie, administrators have to enable appropriate IAM (identity and access management) roles created for the service. Amazon has created sample templates for cloud formation to set up the necessary IAM roles and policies.

Instead of continuously scanning S3 buckets to find new data which needs to be classified, Macie uses event data from AWS CloudTrail to check for all PUT requests into S3 buckets. This way data is classified automatically as they are added into the buckets. Macie uses the file metadata, file contents and what it has learned about similar files in the past to properly classify the data. It doesn’t rely on patterns to just recognize known data, such as PII, but can also look at things like source code. After classifying the data, Macie assign a risk level between 1 and 10, with 10 being the highest risk and 1 being the lowest data risk.

“Since we started using Amazon Macie, we’ve found that it is flexible enough to solve a range challenges that would have previously required us to write custom code or build internal tools, such as securing PII and alerting us to access anomalies, helping us move fast with confidence,” says Patrick Kelley, senior cloud security engineer at Netflix. The video streaming service is no stranger to building custom tools when necessary.

Macie can also be integrated with AWS CloudWatch Events and Lambda. For example, organizations have to comply with the European Union’s strict privacy regulation–The General Protection Data Regulation (GDPR)–by May 2018. As Amazon Macie recognizes personally identifiable information (PII), organizations can use the Macie dashboard to show compliance with GDPR regulations around encryption and pseudonymization of data. Macie can be combined with Lambda queries to remediate GDPR issues.

Catching up on security

Despite dominating the cloud services market, Amazon has lagged behind Microsoft and Google in security. Amazon Web Services provides a comprehensive set of security tools, but they are effective only if the administrators actually take advantage of them to secure their instances. In contrast, Microsoft has integrated management tools in its Azure platform and Google offers many security offerings by default in Google Cloud Platform. Amazon’s latest moves help close some of the gap.

Turning on AWS CloudTrail, a governance, compliance and auditing service for AWS accounts, by default is a particularly welcome change. CloudTrail provides visibility in everything that happens under the account, and is extremely helpful for understanding what changes were made, by whom, and when. The problem was that too many administrators found out too late that CloudTrail was not turned on; it doesn’t collect data if not enabled at the time the instance is created. With the change, all customers by default now get visibility into the last seven days of account activity without having to configure the service.

Amazon is adding rules to its AWS Config Service to evaluate AWS configurations to help secure S3 buckets. Considering the number of data exposures this year alone which arose because the S3 buckets were not configured correctly, these rules would help identify buckets that allow global read/write access before they become problems.

Amazon Elastic File system now offers encryption of data while at rest. Amazon also did a complete rewrite of CloudHSM (Hardware Security Module) so that provisioning, patching, high availability and backups are now built into the managed service. FIPS 142-2 Level 3 support is included, along with security mechanisms designed to detect and respond to physical attempts to access or modify the HSM.

The post Amazon Macie automates cloud data protection with machine learning appeared first on Artificial Intelligence.