Attackers think in graphs; defenders operate with lists. That’s why attackers win.
What if we could have a graph-based, data-driven security and compliance platform that can:
· intelligently analyze my environment,
· automatically keep up with the constant changes,
· help us understand and navigate that complexity, and
· manage compliance in a data-driven, continuous way.
This presentation describes how my security team built our security operations and automated compliance evidence collection using a graph database. It also includes actual screenshots from the JupiterOne platform showing the discovery of thousands of assets from connected AWS accounts and other cloud providers; the configuration analysis of these resources; query and search with graphs to visualize the relevant relationships; and the alerts, findings, and compliance mapping. All without the need for additional third-party solutions.
2. Our Security Program
START → Pick assessor → Perform gap assessment → Implement remediation → Collect evidence → Assess and certify → Monitor, Manage, Optimize → REPEAT
Program activities:
· Documented data flows
· Conducted risk analysis
· Wrote policies and procedures
· Created infrastructure and security architecture diagrams
· Implemented 100+ controls, including: endpoint malware protection; server vulnerability scanning; production change management; SSO + MFA; application code scanning + pen testing; user training; configuration audit; endpoint compliance agents; vendor risk management; firewalls and security groups; data encryption; WAF + DDoS protection; asset inventory and tagging; activity and log monitoring
Roles in the diagram: SEC, COMP, AUDITOR
Compliance frameworks: HIPAA, SOC 2, HITRUST, FDA, FedRAMP
3. Now what?
How? Is 100% visibility possible?
“I don’t need more controls. I need to be able to effectively and efficiently manage what I have.”
“I need to be able to make decisions faster, with confidence.”
4. DATA + GRAPH + QUERY
(The same security program diagram as slide 2, overlaid with VISIBILITY, GOVERNANCE and ASSURANCE; roles shown: CSEC, AUDITOR, CA / CC.)
12. Needle in a Haystack
Our graph currently has
• 47,313 nodes (entities) and
• 134,218 edges (relationships)
(Screenshot caption: a graph of 1348 nodes)
13. Not just the graph
• Graph data (Neptune) – relationships
• Raw data (S3) – history and forensic analysis
• Indexed data (Elasticsearch) – speed
• Other data (DynamoDB)
14. DATA + GRAPH + QUERY = KNOWLEDGE
Knowledge is Power
15. Graph: What can you do with it?
Example use cases:
• Asset inventory and CMDB
• Cloud configuration visibility
• Access analysis
• Network and application architecture diagrams
• Vulnerability management
• Alerts / monitoring
• Metrics reporting
• User training status
• Policies and procedures documentation
• Vendor management
• Compliance evidence collection
16. AWS Cloud Security
Which EC2 instances are exposed to the Internet?
Find aws_subnet with public=true
  that HAS aws_instance
  that PROTECTS aws_security_group
  that ALLOWS Internet
return tree
17. AWS Cloud Security
Are there Internet-facing EC2 instances that are allowed access to non-public S3 buckets?
find Internet
  that ALLOWS aws_security_group
  that PROTECTS aws_instance with active=true
  that USES aws_iam_role
  that ASSIGNED AccessPolicy
  that ALLOWS (aws_s3|aws_s3_bucket) with classification!='public'
return tree
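To make the chain-style queries on slides 16 and 17 concrete, here is an added example (my own code, not JupiterOne's) of a tiny in-memory entity/relationship graph and a path matcher that evaluates the slide 17 question over constructed sample data; the entity keys, edges and the `find` helper are all assumptions for this demo.

```python
# Added example (not JupiterOne's code): a tiny in-memory graph and path matcher
# that evaluates a slide 16/17 style chain "Find A that VERB B that VERB C ...".
# Entities, edges and the predicate helpers below are all constructed for this demo.

# Constructed entities: key -> (class, properties)
ENTITIES = {
    "internet": ("Internet", {}),
    "sg-web": ("aws_security_group", {}),
    "i-1": ("aws_instance", {"active": True}),
    "i-2": ("aws_instance", {"active": False}),   # stopped: must not match
    "role-app": ("aws_iam_role", {}),
    "pol-s3": ("AccessPolicy", {}),
    "b-phi": ("aws_s3_bucket", {"classification": "confidential"}),
    "b-www": ("aws_s3_bucket", {"classification": "public"}),  # public: must not match
}
# Constructed directed edges: (from, relationship verb, to)
EDGES = [
    ("internet", "ALLOWS", "sg-web"),
    ("sg-web", "PROTECTS", "i-1"), ("sg-web", "PROTECTS", "i-2"),
    ("i-1", "USES", "role-app"), ("i-2", "USES", "role-app"),
    ("role-app", "ASSIGNED", "pol-s3"),
    ("pol-s3", "ALLOWS", "b-phi"), ("pol-s3", "ALLOWS", "b-www"),
]

def matches(key, cls, preds):
    """True when the entity has class `cls` and every property predicate holds."""
    ecls, props = ENTITIES[key]
    return ecls == cls and all(pred(props.get(name)) for name, pred in preds.items())

def find(chain):
    """chain = [(cls, preds), verb, (cls, preds), verb, ...] in query order.
    Returns every full path (tuple of entity keys) satisfying the whole chain;
    the J1QL on the slide renders the same result as a tree."""
    paths = [(k,) for k in ENTITIES if matches(k, *chain[0])]
    for verb, (cls, preds) in zip(chain[1::2], chain[2::2]):
        paths = [p + (dst,) for p in paths for src, v, dst in EDGES
                 if src == p[-1] and v == verb and matches(dst, cls, preds)]
    return paths

def internet_facing_instances_reaching_private_s3():
    """Slide 17: Internet -> SG -> active instance -> role -> policy -> non-public bucket."""
    return find([
        ("Internet", {}), "ALLOWS",
        ("aws_security_group", {}), "PROTECTS",
        ("aws_instance", {"active": lambda v: v is True}), "USES",
        ("aws_iam_role", {}), "ASSIGNED",
        ("AccessPolicy", {}), "ALLOWS",
        ("aws_s3_bucket", {"classification": lambda v: v != "public"}),
    ])
```

Calling `internet_facing_instances_reaching_private_s3()` returns the single offending path through `i-1` and `b-phi`; the stopped instance and the public bucket are filtered out by the property predicates.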
18. Cross-Account Trust
What are the cross-account IAM trust relationships in my AWS environment?
Find aws_iam_role as a
  that TRUSTS (Account|AccessRole) as b
where a.tag.AccountName != b.tag.AccountName
return tree
19. S3 Bucket Access
Is access to any non-public S3 bucket granted to anybody outside of its account?
Find aws_s3_bucket with classification!='public' as bucket
  that ALLOWS * as grantee
where bucket.tag.AccountName != grantee.tag.AccountName
return tree
20. SSO Access
Which Okta user is assigned what AWS IAM role?
find okta_user
  that ASSIGNED aws_iam_role
return tree
21. App Components and Data Flow
Show the connections and flow diagram from:
• CloudFront to API Gateway
• CloudFront to S3
• API GW to Lambda Functions
• Lambda to other resources
22. Vulnerability Management
Which systems or apps are vulnerable to what CVEs?
Find CVE that RELATES TO (Host|HostAgent|Application)
return tree
24. Vulnerability in Code
Which PRs / developer introduced new vulnerability findings this past week?
Find User that OPENED PR with createdOn > date.now-7days
  that RELATES TO CodeRepo
  that HAS (Vulnerability|Finding) with _createdOn > date.now-7days
return tree
25. Org Chart
What’s the reporting structure?
Find Person that manages Person
return tree
26. Use query to create alerts and trigger remediation
Alert rules from query with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.
27. Security Policy and Procedure Documents
github.com/jupiterone/security-policy-templates
• Written in Markdown
• Small, individual files – “micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML
28. Security Policy and Procedure Documents (HTML)
https://security.lifeomic.com/psp
29. Manual Assessments and Findings
• Covers a variety of testing:
  • Manual penetration testing
  • Risk assessment
  • Privacy impact assessment
  • Threat modeling
• Assessment objects and findings written in JSON or YAML
• Publish to graph for report and analysis
Follows the same code deploy process when a PR is merged to the `master` branch
github.com/jupiterone/secops-automation-examples
- entityKey: assessment:prodsec:2019q1
  entityType: prodsec_assessment
  entityClass: Assessment
  properties:
    name: internal-pen-test-2019q1
    displayName: LifeOmic Internal Penetration Test 2019Q1
    summary: LifeOmic Internal Penetration Test conducted between Mar 18th - Mar 29th
    description:
      Performed a thorough security assessment of the LifeOmic product line.
      Scope includes PHC, Life 2.0 ios/Android, Connect and LifeExtend ios/Android.
    category: penetration-testing
    status: complete
    assessors:
      - security.team@lifeomic.com
    open: false
    classification: confidential
    completedOn: 2019-04-05
    reportURL: https://bitbucket.org/lifeomic/prodsec-assessments/src...
  ...
- entityKey: finding:prodsec:2019q1:app-api-1
  entityType: pentest_finding
  entityClass: Finding
  properties:
    name: Some made up issue
    displayName: '[Medium] What it says'
    summary: Summary of the made up issue
    targets:
      - Service API
    description: >
      Within the application API, ....
    stepsToReproduce:
      - '1 - Add ...'
      - '2 - Use ...'
      - '3 - Verify ...'
    impact: ...
    severity: medium
...
30. Vendors and External Organizations
• Maintain list of vendors as code
• Leverage product management and dev leads to help maintain
• Trigger third party security review and approval via PR
• Publish to graph for report and analysis
Follows the same code deploy process when a PR is merged to the `master` branch
github.com/jupiterone/secops-automation-examples
- entityKey: vendor:apple
  entityType: apple
  entityClass: Vendor
  properties:
    name: Apple
    displayName: Apple
    category:
      - software
      - mobile
      - development
    description: >
      Provides Developer account and App Store Connect account for mobile apps...
    validated: true
    approved: true
    approvalPRLink: https://bitbucket.org/lifeomic/security-artifacts/pull-requests/2
    approvalPRName: security-artifacts/2
    website: https://www.apple.com
    owners:
      - owner.one@lifeomic.com
      - owner.two@lifeomic.com
    mainContactName:
    mainContactEmail:
    mainContactPhone:
    mainContactAddress:
    breachResponseDays:
    linkToNDA: https://developer.apple.com/terms/apple-developer-agreement/Apple-Developer-Agreement-English.pdf
    linkToMSA: https://developer.apple.com/programs/whats-included/
    linkToSLA:
    criticality: 10
    risk: 5
    tag.PHI: false
    tag.PII: true
    tag.PCI: false
    statusPage:
    notes:
...
31. Compliance Evidence Collection
• Compliance framework and control requirements defined in JSON
• Map policy procedures to each control requirement
• Map query questions to each control requirement
• Write positive case queries and negative case queries for automated gap analysis
• Include evidence associated with manual processes
{
  "standard": "SOC 2",
  "version": "2019",
  "sections": [
    {
      "title": "Access Controls",
      "requirements": [
        {
          "ref": "SOC2-01",
          "title": "Single Sign On",
          "summary": "SSO for all users ..."
        },
        ...
      ]
    }
  ],
  "domains": [
    {
      "title": "Control Domain A",
      "controls": [
        {
          "ref": "A-01",
          "title": "A technical control",
          "summary": "control description ..."
        },
        ...
      ]
    }
  ]
}
{
  "title": "Which user accounts do not have multi-factor authentication enabled?",
  "description": "...",
  "queries": [
    {
      "name": "bad",
      "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"
    },
    {
      "name": "good",
      "query": "Find User with mfaEnabled = true"
    },
    {
      "name": "goodToo",
      "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"
    }
  ],
  "compliance": [
    {
      "standard": "CIS Controls",
      "requirements": ["4.5", "12.11", "16.3"]
    },
    {
      "standard": "HITRUST CSF",
      "controls": ["01.b", "01.j", "01.q"]
    },
    {
      "standard": "PCI DSS",
      "requirements": ["8.2", "8.3"]
    }
  ]
}
github.com/jupiterone/security-policy-templates/tree/master/templates/standards
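As an added example (my own code, not part of JupiterOne or the templates repo) of the automated gap analysis this slide describes: the MFA question above is loaded as data, its "bad" (negative case) and "good"/"goodToo" (positive case) queries are evaluated over a constructed list of users, and the result is rolled up into a status that every mapped control requirement inherits. The hand-written Python evaluators stand in for running J1QL against the graph.

```python
# Added example (not JupiterOne code): automated gap analysis over the positive and
# negative case queries of the compliance question above. J1QL is not executed here;
# each query has a hand-written Python equivalent. Users are constructed sample data.
import json

# The question definition from the slide, trimmed to the fields used here.
QUESTION = json.loads("""{
  "title": "Which user accounts do not have multi-factor authentication enabled?",
  "queries": [
    {"name": "bad", "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"},
    {"name": "good", "query": "Find User with mfaEnabled = true"},
    {"name": "goodToo", "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"}
  ],
  "compliance": [
    {"standard": "CIS Controls", "requirements": ["4.5", "12.11", "16.3"]},
    {"standard": "HITRUST CSF", "controls": ["01.b", "01.j", "01.q"]},
    {"standard": "PCI DSS", "requirements": ["8.2", "8.3"]}
  ]
}""")

# Constructed users; "devices" stands in for the ASSIGNED|USES|HAS mfa_device edges.
USERS = [
    {"name": "alice", "mfaEnabled": True, "devices": ["yubikey"]},
    {"name": "bob", "mfaEnabled": False, "devices": []},        # the gap
    {"name": "carol", "mfaEnabled": None, "devices": ["totp"]},  # property missing, edge present
]

# Python equivalents of the three J1QL queries in QUESTION (an assumption of this demo).
QUERY_IMPL = {
    "bad": lambda u: u.get("mfaEnabled") is not True and not u["devices"],
    "good": lambda u: u.get("mfaEnabled") is True,
    "goodToo": lambda u: bool(u["devices"]),
}

def run_queries(question, users):
    """Map each query name in the question to the user names it returns."""
    return {q["name"]: [u["name"] for u in users if QUERY_IMPL[q["name"]](u)]
            for q in question["queries"]}

def gap_report(question, users):
    """Negative-case ('bad') hits are the gap; positive-case hits are the evidence.
    Every mapped control requirement inherits the question's status."""
    results = run_queries(question, users)
    bad = results.pop("bad", [])
    evidence = sorted({u for hits in results.values() for u in hits})
    status = "gap" if bad else ("compliant" if evidence else "no-evidence")
    refs = [f"{c['standard']} {r}" for c in question["compliance"]
            for r in c.get("requirements", c.get("controls", []))]
    return {"status": status, "gap": bad, "evidence": evidence, "controls": refs}
```

Note that `carol` has no `mfaEnabled` property but does have a device relationship, which is exactly why the slide pairs a property-based query with a relationship-based one: she counts as evidence via `goodToo` and is not reported as a gap.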
39. Knowledge is Power
Knowledge = Information (data) + Insights (understanding of that data)
The graph is now the core of my entire security program.
A knowledge base, a foundation that allows me to take actions with confidence, faster.