Herman Kwong - Databricks

Herman Kwong

Senior Director of Engineering, Salesforce.com

Herman has spent the majority of his 13-year software engineering career in management roles. His experience with enterprise software ranges from the user interface to the back end and spans major industries. He currently runs the Kernel group at Salesforce as Senior Director of Engineering, and puts a significant focus of his team on security and threat detection. Herman holds a BSE in Computer Science and a BSE in Computer Engineering from the University of Michigan, Ann Arbor.



A Graph-Based Method For Cross-Entity Threat Detection - Summit 2016

I propose to use a distributed graph-based approach to detect cross-entity attacks by correlating global events on multi-tenant platforms. Detection efforts have mostly focused on detecting each incident individually, while in most attack scenarios a single attacker or attacker group goes after multiple targets, often via stolen credentials, within a rather concentrated time window. Coordinated or concurrent attacks seriously impact trust in the multi-tenant service platform provider when customers get infiltrated on its platform. How can we detect these cross-account attacks by quickly making connections across concurrent incidents? Connections are often buried under terabytes of data and among tens of millions of legitimate connections. Only a complete graph with a proper level of abstraction of all information, together with smart algorithms, provides us a viable solution. By representing all entities of interest (i.e., an organization or an IP address) in a graph, we can efficiently track the connectivity among these entities. This allows us to differentiate unexpected connections that are indicative of cross-account attacks from legitimate cross-account relationships (for example, two accounts that belong to the same customer) by identifying correlated threats. A change detection algorithm is proposed to identify unexpected connectivity among accounts within a graph. For example, as we detect suspicious behavior across multiple accounts, how do we know whether this is a large-scale account takeover or just a legitimate license upgrade that results in novel behavior across multiple users? If the affected accounts are already densely connected, suspicious concurrent behavior detected among them is not as interesting as the same behavior detected among highly disjoint accounts. A graph provides a holistic view of how components are connected. A graph-based solution is essential to security defense techniques.
It gives us a number of opportunities beyond cross-account attack detection such as intuitive context retrieval and interactive visualization,
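The density comparison the abstract describes can be sketched as follows. This is an added example, not the speaker's code: the abstract does not specify its change detection algorithm, so a before/after link-density difference stands in for it, it runs in one process rather than distributed, and all account names, IP addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

def account_links(events):
    """Project (account, entity) events onto account pairs sharing an entity."""
    by_entity = defaultdict(set)
    for account, entity in events:
        by_entity[entity].add(account)
    links = set()
    for accounts in by_entity.values():
        # Quadratic per entity; acceptable for a sketch, not for a hot shared IP.
        links.update(frozenset(p) for p in combinations(sorted(accounts), 2))
    return links

def density(accounts, links):
    """Fraction of pairs inside `accounts` that are linked (0.0 if < 2 accounts)."""
    pairs = [frozenset(p) for p in combinations(sorted(accounts), 2)]
    return sum(p in links for p in pairs) / len(pairs) if pairs else 0.0

def score_cluster(flagged, baseline_events, window_events):
    """Compare how connected the flagged accounts were before and during the window."""
    flagged = set(flagged)
    old = account_links(baseline_events)
    new = account_links(window_events)
    before, during = density(flagged, old), density(flagged, new)
    novel = sorted(tuple(sorted(l)) for l in new - old if l <= flagged)
    return {"before": before, "during": during,
            "change": during - before, "new_links": novel}

# Constructed sample data: org-a and org-b belong to one customer and already
# share an egress IP; org-c, org-d and org-e have never shared anything.
BASELINE = [("org-a", "198.51.100.10"), ("org-b", "198.51.100.10"),
            ("org-c", "192.0.2.21"), ("org-d", "192.0.2.22"),
            ("org-e", "192.0.2.23")]
# Detection window: the three disjoint accounts are suddenly reached from one IP.
WINDOW = [("org-a", "198.51.100.10"), ("org-b", "198.51.100.10"),
          ("org-c", "203.0.113.7"), ("org-d", "203.0.113.7"),
          ("org-e", "203.0.113.7")]

if __name__ == "__main__":
    for cluster in ({"org-a", "org-b"}, {"org-c", "org-d", "org-e"}):
        print(sorted(cluster), score_cluster(cluster, BASELINE, WINDOW))
```

A change near 0 means the flagged accounts were already connected in the baseline, while a change near 1 means previously disjoint accounts became linked within the window, which is the case the abstract singles out as more interesting.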