Herman spent the majority of his 13-year software engineering career in management roles. His experience with enterprise software ranges from the user interface to the back end, and spans major industries. He currently runs the Kernel group at Salesforce as Senior Director of Engineering, and puts a significant focus of his team on security and threat detection. Herman holds a BSE in Computer Science and a BSE in Computer Engineering from the University of Michigan, Ann Arbor.
I propose using a distributed graph-based approach to detect cross-entity attacks by correlating global events on multi-tenant platforms. Detection efforts have mostly focused on detecting each incident individually, while in most attack scenarios a single attacker or attacker group goes after multiple targets, often via stolen credentials, within a rather concentrated time window. Coordinated or concurrent attacks seriously impact the trust in a multi-tenant service platform provider when customers get infiltrated on its platform. How can we detect these cross-account attacks by quickly making connections across concurrent incidents? Such connections are often buried under terabytes of data and among tens of millions of legitimate connections. Only a complete graph, with a proper level of abstraction of all information, together with smart algorithms, provides a viable solution. By representing all entities of interest (e.g., an organization or an IP address) in a graph, we can efficiently track the connectivity among these entities, which allows us to differentiate unexpected connections indicative of cross-account attacks from legitimate cross-account relationships (for example, two accounts belonging to the same customer) by identifying correlated threats. A change detection algorithm is proposed to identify unexpected connectivity of accounts within the graph. For example, when we detect suspicious behavior across multiple accounts, how do we know whether this is a large-scale account takeover or just a legitimate license upgrade that results in novel behavior across multiple users? If the affected accounts are already densely connected, a suspicious concurrent behavior is not as interesting as the same behavior detected among highly disjoint accounts. A graph provides a holistic view of how components are connected. A graph-based solution is essential to security defense techniques.
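As an added illustration of the idea above (example code written for this page, not the speaker's or Salesforce's system), the sketch below treats accounts and related entities (organizations, IP addresses) as graph nodes, derives baseline connected components from historical legitimate links, and then scores a concurrent alert by how disjoint the affected accounts are and flags new entities that bridge previously separate components. All edges and account names are constructed sample data.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed baseline: legitimate account-to-entity links seen before the alert window
# (shared customer org, shared office IP, ...). Node names are invented for this example.
BASELINE_EDGES = [
    ("acct-A", "org-1"), ("acct-B", "org-1"),              # two accounts of one customer
    ("acct-C", "ip-10.0.0.5"), ("acct-D", "ip-10.0.0.5"),  # two accounts behind one egress IP
    ("acct-E", "org-2"), ("acct-F", "ip-203.0.113.9"),
]

def build_graph(edges):
    """Undirected adjacency sets; insertion order is preserved for deterministic labelling."""
    g = defaultdict(set)
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return g

def components(g):
    """Label every node with an integer connected-component id via BFS."""
    comp, next_id = {}, 0
    for start in g:
        if start in comp:
            continue
        comp[start], queue = next_id, deque([start])
        while queue:
            for m in g[queue.popleft()]:
                if m not in comp:
                    comp[m] = next_id
                    queue.append(m)
        next_id += 1
    return comp

def disjointness(accounts, comp):
    """Fraction of account pairs with no baseline connection: 0.0 = all related, 1.0 = fully disjoint.
    An account absent from the baseline graph counts as its own component."""
    pairs = list(combinations(accounts, 2))
    if not pairs:
        return 0.0
    unconnected = sum(1 for a, b in pairs if comp.get(a, a) != comp.get(b, b))
    return unconnected / len(pairs)

def bridging_entities(window_edges, comp):
    """Entities observed in the alert window that link accounts from >= 2 baseline components.
    A single new IP touching several unrelated accounts is the 'unexpected connectivity' case."""
    touched = defaultdict(set)
    for acct, entity in window_edges:
        touched[entity].add(comp.get(acct, acct))
    return {entity: len(c) for entity, c in touched.items() if len(c) >= 2}

def triage(accounts, comp, threshold=0.5):
    """Prioritise a concurrent alert: disjoint accounts are more interesting than related ones."""
    d = disjointness(accounts, comp)
    return d, ("escalate" if d >= threshold else "low-priority")
```

Calling `triage(["acct-A", "acct-B"], components(build_graph(BASELINE_EDGES)))` yields a low-priority result because both accounts share org-1, whereas the same alert over accounts A, C, E and F is fully disjoint and escalates.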
It gives us a number of opportunities beyond cross-account attack detection such as intuitive context retrieval and interactive visualization,