Correlation Identifications
Zetafence provides the following behavioral correlations, and the set is continually growing.

Weak IAM, authentication & credentials
Identification of user weaknesses such as MFA, access keys, SSH keys, permission bound restrictions, user activity monitoring, etc.

Misconfigured policies & roles
Roles and policies that are potentially incorrectly configured, access and usability over a long time, permission bound restrictions, detection of inactive policies, etc.

Privilege Escalation
Opening of privilege permissions to wildcard, roles giving untrusted access to policies, etc.

Infrastructure vulnerabilities
Instances that are potentially incorrectly configured, instances with large inbound/outbound access, monitoring of instances, public-facing IPs & ports, etc.

Monitoring & audit
Whether CloudTrail/CloudWatch/VPC Flow Logs are enabled for auditing.

Data exfiltration
Instances and S3 buckets that are widely exposed to the internet inbound/outbound, bad reputations, etc.

Insider Threats
Detection of insider threats in a number of ways, such as unused access/SSH keys, unauthorized access to sensitive data, inadequate monitoring and auditing, etc.

New behavioral correlation engines
Adding newer behavioral correlation engines is trivial on the Zetafence platform, thanks to how dependency graphs can be built, analyzed, and queried using Hypergraphs. To build new Zetafence behavioral models, the following steps are typically undertaken.

- Observe or design a new attack path end-to-end. Observe the actors, access policies, resources, etc.
- If the attack path needs new variables such as attributes, add them to the discovery agents.
- Implement a corresponding Cypher query on Hypergraphs using entities, associations, and attributes. New attributes can automatically be queried.
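
The three steps above, sketched as an added example (not Zetafence's own code or schema): a detection query that correlates a user without MFA, a role carrying a wildcard policy, and a public-facing instance along one path. All node labels, relationship types, property names and sample data are hypothetical and constructed for illustration.

```cypher
// Constructed sample graph. Labels (User, Role, Policy, Instance),
// relationship types and property names are assumptions for this example,
// not the schema used by Zetafence discovery agents.
CREATE (alice:User {name: 'alice', mfa_enabled: false}),
       (bob:User {name: 'bob', mfa_enabled: true}),
       (ops:Role {name: 'ops-admin'}),
       (ro:Role {name: 'read-only'}),
       (wild:Policy {name: 'allow-all', actions: ['*']}),
       (scoped:Policy {name: 'describe-only', actions: ['ec2:DescribeInstances']}),
       (web:Instance {name: 'web-1', public_ip: true, open_ports: [22, 443]}),
       (db:Instance {name: 'db-1', public_ip: false, open_ports: [5432]}),
       (alice)-[:CAN_ASSUME]->(ops),
       (bob)-[:CAN_ASSUME]->(ro),
       (ops)-[:HAS_POLICY]->(wild),
       (ro)-[:HAS_POLICY]->(scoped),
       (wild)-[:GRANTS_ACCESS_TO]->(web),
       (wild)-[:GRANTS_ACCESS_TO]->(db),
       (scoped)-[:GRANTS_ACCESS_TO]->(web);

// Correlation: one path must satisfy all three conditions at once.
//   1. Weak IAM: the user has no MFA (attribute on the actor).
//   2. Privilege escalation: the attached policy allows the wildcard action.
//   3. Infrastructure exposure: the reachable instance is public-facing.
// Each condition alone is a finding; the path joins them into one result.
MATCH (u:User)-[:CAN_ASSUME]->(r:Role)
      -[:HAS_POLICY]->(p:Policy)
      -[:GRANTS_ACCESS_TO]->(i:Instance)
WHERE u.mfa_enabled = false
  AND '*' IN p.actions
  AND i.public_ip = true
RETURN u.name AS user,
       r.name AS role,
       p.name AS policy,
       i.name AS instance,
       i.open_ports AS exposed_ports
ORDER BY user, instance;
```

A new attribute collected by a discovery agent (step two) would appear as one more node property and one more predicate in the `WHERE` clause, with the path pattern unchanged.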
