Behavioral Security Correlation
The Zetafence(TM) platform monitors security risk from the ground up: it maps the attack landscape and backtracks through users, identities, policies, and their activities to expose the hidden connections that lead to breaches. As described in Dependency, the platform's power comes from encapsulating complex relationships as Hypergraphs: enriching graph elements with attributes and constructing the relationships that form the Hypergraphs.
Because Hypergraphs are discovered, built, and monitored repeatedly over time, a baseline can be established and deviations from it flagged. Working backwards from a potential incident to its source, such as a privilege escalation, gives visibility into the attack paths that actually matter. This lets enterprises quickly identify the true culprit and the lateral movements behind a security incident, and take decisive action.
Correlation Identifications
Zetafence provides the following behavioral correlations; the list continues to grow.
Weak IAM, authentication & credentials
Identification of user-level weaknesses such as missing MFA, stale or unrotated access keys and SSH keys, and missing permission boundaries, along with user activity monitoring.
Misconfigured policies & roles
Roles and policies that are potentially misconfigured: access and usage patterns over a long period, permission boundaries, detection of inactive (unused) policies, and so on.
Privilege Escalation
Permissions widened to wildcards, roles that extend untrusted access to policies, and so on.
Infrastructure vulnerabilities
Instances that are potentially misconfigured: overly broad inbound/outbound access, public-facing IPs and ports, and ongoing instance monitoring.
Monitoring & audit
Whether CloudTrail, CloudWatch, and VPC Flow Logs are enabled for auditing.
Data exfiltration
Instances and S3 buckets that are broadly exposed to the internet (inbound or outbound), traffic to or from addresses with a bad reputation, and so on.
Insider Threats
Detection of insider threats from a number of signals, such as access keys or SSH keys that are never used, unauthorized access to sensitive data, and inadequate monitoring and auditing.
New behavioral correlation engines
Adding a new behavioral correlation engine is straightforward on the Zetafence platform, thanks to the way dependency graphs are built, analyzed, and queried as Hypergraphs.
To build a new Zetafence behavioral model, the following steps are typically taken:
- Observe or design a new attack path end to end: the actors, access policies, resources, and so on that it involves.
- If the attack path needs new variables, such as attributes, add them to the discovery agents.
- Implement a corresponding Cypher query over the Hypergraph using entities, associations, and attributes. New attributes are queryable automatically.
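As an added example (not Zetafence code, and written in Python rather than the platform's Cypher queries), the following models entities, associations and attributes as a small in-memory hypergraph and implements two of the correlations listed above, weak credentials and privilege escalation through a wildcard policy, as engines registered by name, which is the shape the three steps above produce: a new attribute emitted by discovery lands in an entity's attrs dict and is immediately readable by a query. Entity ids, attribute names such as access_key_last_used_days, the relation names and the 90-day staleness threshold are assumptions, and the inventory is constructed.

```python
"""Added example, not Zetafence code: a toy hypergraph of entities, associations
(hyperedges) and attributes, with two behavioral correlation engines written as
plain functions over it. Ids, attribute names and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

@dataclass
class Entity:
    id: str
    kind: str          # User, Role, Policy, ...
    attrs: Dict[str, object] = field(default_factory=dict)

@dataclass
class Association:
    """A hyperedge: one relation joining any number of entities, with its own attributes."""
    relation: str
    members: FrozenSet[str]
    attrs: Dict[str, object] = field(default_factory=dict)

class Hypergraph:
    def __init__(self):
        self.entities: Dict[str, Entity] = {}
        self.associations: List[Association] = []

    def add_entity(self, eid, kind, **attrs):
        self.entities[eid] = Entity(eid, kind, attrs)

    def associate(self, relation, *members, **attrs):
        self.associations.append(Association(relation, frozenset(members), attrs))

    def of_kind(self, kind):
        return [e for e in self.entities.values() if e.kind == kind]

    def neighbors(self, eid, relation, kind):
        """Entities of `kind` sharing a `relation` hyperedge with `eid`, sorted for stable output."""
        found = set()
        for a in self.associations:
            if a.relation == relation and eid in a.members:
                found.update(m for m in a.members if m != eid and self.entities[m].kind == kind)
        return sorted(found)

# Engine registry: adding a correlation means adding one decorated function.
ENGINES: Dict[str, Callable[[Hypergraph], List[dict]]] = {}

def engine(name):
    def register(fn):
        ENGINES[name] = fn
        return fn
    return register

@engine("weak_credentials")
def weak_credentials(g, stale_days=90):
    """Users with MFA disabled or an access key not used within `stale_days` (assumed threshold)."""
    findings = []
    for u in g.of_kind("User"):
        reasons = []
        if not u.attrs.get("mfa_enabled", False):
            reasons.append("mfa_disabled")
        if u.attrs.get("access_key_last_used_days", 0) > stale_days:
            reasons.append("stale_access_key")
        if reasons:
            findings.append({"user": u.id, "reasons": reasons})
    return findings

def is_wildcard(policy):
    """True for policies allowing every action ("*") or every action of a service ("iam:*")."""
    return any(a == "*" or a.endswith(":*") for a in policy.attrs.get("actions", []))

@engine("privilege_escalation")
def privilege_escalation(g):
    """Walk User -can_assume-> Role -attached-> Policy (and User -attached-> Policy)
    and report every route that ends in a wildcard grant."""
    findings = []
    for u in g.of_kind("User"):
        routes = [[u.id, p] for p in g.neighbors(u.id, "attached", "Policy")]
        for role in g.neighbors(u.id, "can_assume", "Role"):
            routes += [[u.id, role, p] for p in g.neighbors(role, "attached", "Policy")]
        for path in routes:
            policy = g.entities[path[-1]]
            if is_wildcard(policy):
                findings.append({"path": path, "actions": policy.attrs["actions"]})
    return findings

def build_sample_graph():
    """Constructed inventory (not real data) in the shape a discovery agent would emit."""
    g = Hypergraph()
    g.add_entity("user:alice", "User", mfa_enabled=False, access_key_last_used_days=120)
    g.add_entity("user:bob", "User", mfa_enabled=True, access_key_last_used_days=2)
    g.add_entity("role:admin", "Role")
    g.add_entity("policy:AdminAll", "Policy", actions=["*"], resources=["*"])
    g.add_entity("policy:S3Read", "Policy", actions=["s3:GetObject"], resources=["arn:aws:s3:::data-lake/*"])
    g.associate("can_assume", "user:alice", "role:admin", last_assumed_days=45)
    g.associate("attached", "role:admin", "policy:AdminAll", "policy:S3Read")  # one hyperedge, three entities
    g.associate("attached", "user:bob", "policy:S3Read")
    return g

def run_all(g):
    """Run every registered engine and collect findings by engine name."""
    return {name: fn(g) for name, fn in ENGINES.items()}

if __name__ == "__main__":
    for name, findings in run_all(build_sample_graph()).items():
        print(name, findings)
```

Two details carry the point of the section. The "attached" association joining the role to both of its policies is a single hyperedge, so neighbors() walks member sets rather than pairwise edges. And the escalation finding is reported as the full path from user through role to policy, which is the "working backwards" from the privileged policy to the identity that can reach it that the page describes; adding a third engine is one more decorated function over the same graph.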