CASB WORKSHOP

SERGIO CASTRO

EDUCATION DIRECTOR, CLOUD SECURITY

sergio_castro@symantec.com

WORKSHOP STRUCTURE

First part: lessons 1-6; the risks of cloud applications and the theory behind them

Second part: lessons 7-12; how to mitigate the risk using a CASB solution


LESSON 1: INTRODUCTION

MIGRATION TO THE CLOUD OFFICE

This shift of workloads into the cloud is rapidly redefining enterprise IT, and offers significant opportunities to enterprises.


MIGRATION TO THE CLOUD OFFICE

$130B Cloud Apps Market by 2020

MIGRATION TO THE CLOUD OFFICE

• Collaboration

• Agility

• Economics

• Choices

What else does it bring? New risks

INFORMATION SECURITY IS CHANGING

Diagram: inside the perimeter (firewall) there is visibility and control; on the Internet there is no visibility and no control.

What % of our data is already in the cloud? 30%


PUBLIC CLOUD vs PRIVATE CLOUD


MIGRATION TO THE CLOUD OFFICE

Front end security

Back end security

MIGRATION TO THE CLOUD OFFICE

Diagram: User, You, Cloud Application, Provider

Provider: cross-site scripting, SQL injection, etc.

You: access visibility, access control, data loss prevention

MIGRATION TO THE CLOUD OFFICE

• Collaboration

• Agility

• Economics

• Choices

What are the main problems we need to worry about? Security and governance

RETHINKING THE SECURITY STACK FOR THE CLOUD

Next-Gen firewalls

IDS/IPS

Vulnerability Scanning

Network forensics

SIEM

DLP

Not designed to protect corporate data uploaded to third-party solutions hosted outside the enterprise

CLOUD ACCESS SECURITY BROKERS (CASB)

A new Solution for Cloud App Security

1) Identify and evaluate all the cloud apps in use (Shadow IT)

2) Enforce granular policies to govern handling of sensitive information, including compliance-related content

3) Enforce cloud application management policies in existing web proxies and firewalls

4) Encrypt or tokenize sensitive content to enforce privacy and security

5) Detect and block unusual account behavior indicative of malicious activity

6) Integrate cloud visibility and controls with your existing security solutions

WHAT IS SHADOW IT AND SHADOW DATA?

What is Shadow IT? Third-party IT solutions, including cloud apps and services, used without oversight from the IT organization

What is Shadow Data? Data you do not know is being shared by your organization

Shadow IT and Shadow Data demo


CLOUD ACCESS SECURITY BROKERS (CASB)

A new Solution for Cloud App Security

APIs

Gateways

Log data

Agents

FUNDAMENTALS OF AN EFFECTIVE CASB SOLUTION

1) Cloud app discovery and analysis

2) Data governance and protection

3) Threat protection and incident response

4) Compliance and data privacy


LESSON 2: CLOUD APP DISCOVERY AND ANALYSIS


THE PROBLEM OF SHADOW IT

1. Business-ready cloud apps are a strategic part of a company’s IT infrastructure

2. Some employees are adopting cloud services without IT sanction or oversight

3. This movement toward employee-adopted cloud apps is known as Shadow IT

THE PROBLEM OF SHADOW IT

Shadow IT exposes an organization to risk by creating blind spots

1. Do the Shadow IT applications have appropriate security controls?

2. Do they align with compliance requirements?

3. Can they operate as conduits for data exfiltration?

THE PROBLEM OF SHADOW IT

• First priority: visibility

• Only way of obtaining visibility into Shadow IT: a CASB solution

WHY DO ORGANIZATIONS REQUIRE VISIBILITY AND ANALYSIS OF THEIR CLOUD APPS?

Discover Shadow IT

Ensure compliance

Identify risky apps

Block risky apps

Identify inefficiencies

Sanction apps

Shadow IT Risk Assessment

DISCOVERING CLOUD APPS

How many cloud apps are there in an organization?

• Average organization has 800 cloud apps

• Perform Shadow IT risk assessment using firewall or proxy logs

• Determine the business readiness of discovered apps

CLOUD APPS ANALYSIS

What questions should we ask about cloud applications?

• Who is accessing the riskiest apps?

• How often are employees accessing these apps?

• How much bandwidth is being consumed by these apps?

• Which departments are driving this usage?

• Which locations are involved?

• Which browsers and platforms are employees using?
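The Shadow IT assessment from proxy logs that the two slides above describe, as an added example that is not part of the workshop materials: the proxy log lines, the user-to-department map, and the small app catalogue with its business readiness ratings are all constructed here, where a real CASB would draw on a vendor catalogue and its ratings.

```python
# Shadow IT discovery from proxy logs: added example, not workshop material. Log
# format, department map and app catalogue with readiness ratings are constructed.
import re

# Constructed proxy log: timestamp user client_ip method host bytes
PROXY_LOG = """\
2017-03-01T09:01:12 alice 10.1.2.3 POST upload.box.com 48210
2017-03-01T09:02:40 bob 10.1.2.9 POST www.dropbox.com 1048576
2017-03-01T09:05:03 alice 10.1.2.3 GET drive.google.com 2048
2017-03-01T09:07:55 carol 10.1.3.7 POST files.freefileshare.example 5242880
2017-03-01T09:09:10 bob 10.1.2.9 POST www.dropbox.com 2097152
"""
# Constructed catalogue: (app name, host suffix, business readiness 0-100)
CATALOGUE = [("Box", "box.com", 85), ("Dropbox", "dropbox.com", 70),
             ("Google Drive", "drive.google.com", 80),
             ("FreeFileShare (unrated)", "freefileshare.example", 20)]
DEPARTMENT = {"alice": "finance", "bob": "engineering", "carol": "sales", "dave": "hr"}
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):
    """Map a host to a catalogued cloud app, or None if it is not one."""
    for name, suffix, rating in CATALOGUE:
        if host == suffix or host.endswith("." + suffix):
            return name, rating
    return None

def discover_apps(log_text):
    """Aggregate users, departments, requests and upload bytes per cloud app."""
    apps = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the assessment
        _, user, _, method, host, nbytes = m.groups()
        hit = classify_host(host)
        if hit is None:
            continue  # not a cloud app we know about
        name, rating = hit
        rec = apps.setdefault(name, {"rating": rating, "users": set(), "departments": set(),
                                     "requests": 0, "bytes_out": 0})
        rec["users"].add(user)
        rec["departments"].add(DEPARTMENT.get(user, "unknown"))
        rec["requests"] += 1
        if method == "POST":  # only uploads count toward exfiltration volume
            rec["bytes_out"] += int(nbytes)
    return apps

def riskiest_first(apps):
    """Order apps by lowest business readiness, then by upload volume."""
    return sorted(apps, key=lambda n: (apps[n]["rating"], -apps[n]["bytes_out"]))
```

The per-app record answers the "who, how often, how much, which departments" questions on the slide; adding client_ip-to-location and a user-agent field would answer the remaining two.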

BUSINESS READINESS RATING


MITIGATE RISK FROM SHADOW IT

• Make smart app choices

• Review contracts with cloud providers

• Coach users

• Identify cost savings

• Block risky apps

• Monitor continuously


LESSON 3: DATA GOVERNANCE AND PROTECTION


WHY DO ORGANIZATIONS NEED TO MANAGE SENSITIVE CONTENT?

1. Oversharing of sensitive content

2. Cloud-to-cloud sharing

3. Administrative oversight

4. Compliance regulated data

5. Data sovereignty

HOW CAN WE MANAGE SENSITIVE CONTENT?

1) Cloud-based DLP

2) Data Classification

3) Policy Enforcement

4) Encryption and Tokenization

CLOUD-BASED DLP

• Email is being supplanted by link sharing on the cloud

• A new type of Data Loss Prevention (DLP) is needed

• Cloud apps facilitate sharing large volumes of data

• The scalability and accuracy of data governance and control have to be more robust

Why can’t we use our network DLP to solve these problems? Network DLPs do not have visibility into cloud applications

DATA CLASSIFICATION

• Many approaches focus solely on keywords and regular expressions

• More advanced techniques such as natural language processing enable a broader range of content classification

• Advanced solutions can dynamically identify categories of documents

• Create custom classification profiles


POLICY ENFORCEMENT

• Rich content classification allows us to define and enforce granular policies

• Rather than block apps, block bad behavior within cloud apps

• Policy criteria: users, user groups, applications, device properties, locations, user actions, file properties

• Policy actions: unsharing links; blocking uploading and downloading of files; blocking the sharing of files via email; encrypting and tokenizing information; messaging users to coach them in proper behavior; alerting security operations personnel
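An added example (not CloudSOC's engine or any vendor's code) of how the criteria and actions listed above combine into granular policies: each policy names the criteria that must all match an event and the actions to take when they do. The event fields, criterion keys, policy names and action names are constructed for the illustration.

```python
# CASB-style policy evaluation: added example, not CloudSOC's own engine.
# Event fields, criterion keys and action names are constructed to mirror the
# criteria and actions the slide lists; a real CASB has its own schema.

# Constructed policies. Every criterion listed must match for a policy to fire;
# criterion values are sets of allowed values, and an absent key means "any".
POLICIES = [
    {"name": "PII never leaves via public link",
     "criteria": {"user_action": {"share_link"}, "file_class": {"PII", "PCI"},
                  "share_scope": {"public", "external"}},
     "actions": ["unshare_link", "coach_user", "alert_soc"]},
    {"name": "No regulated downloads to unmanaged devices",
     "criteria": {"user_action": {"download"}, "device_managed": {False},
                  "file_class": {"PII", "PCI", "PHI", "confidential"}},
     "actions": ["block_transfer", "alert_soc"]},
    {"name": "Contractors cannot upload source code",
     "criteria": {"user_group": {"contractors"}, "user_action": {"upload"},
                  "file_class": {"source_code"}},
     "actions": ["block_transfer", "coach_user"]},
]

def matches(criteria, event):
    """True when every criterion's allowed set contains the event's value."""
    return all(event.get(key) in allowed for key, allowed in criteria.items())

def evaluate(event, policies=POLICIES):
    """Return (names of policies that fired, de-duplicated actions in order)."""
    fired, actions = [], []
    for policy in policies:
        if matches(policy["criteria"], event):
            fired.append(policy["name"])
            for action in policy["actions"]:
                if action not in actions:
                    actions.append(action)
    return fired, actions

# Constructed events, shaped like what a CASB sees from an API or gateway feed.
PUBLIC_PII_LINK = {"user": "alice", "user_group": "finance", "app": "Box",
                   "device_managed": True, "location": "US", "user_action": "share_link",
                   "share_scope": "public", "file_class": "PII"}
INTERNAL_SHARE = dict(PUBLIC_PII_LINK, share_scope="internal")  # same file, internal only
BYOD_DOWNLOAD = {"user": "bob", "user_group": "engineering", "app": "Dropbox",
                 "device_managed": False, "location": "DE", "user_action": "download",
                 "file_class": "confidential"}
```

Note that the same PII file shared internally triggers nothing: the policy targets the bad behavior (a public link), not the app or the file by itself.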


ENCRYPTION AND TOKENIZATION

• Some compliance requirements force companies not to put personally identifiable information (PII) and other sensitive data on the cloud

• Certain types of data need to remain within a geographic border

• Encryption and tokenization can be used to provide an additional layer of protection

ENCRYPTION AND TOKENIZATION

What’s the difference between encryption and tokenization?

DATA LOSS AND EXPOSURE MITIGATION PROCESS

Identify and remediate risky exposures

Define a data protection strategy

Enforce policies for sensitive data

Coach users on appropriate behavior

Enforce compliance regulations


LESSON 4: THREAT DETECTION AND INCIDENT RESPONSE

USER RISK IN CLOUD APPLICATIONS

1. The proliferation of usernames and passwords increases risk

2. Malicious attackers are more likely to compromise user credentials

3. Attackers can also use cloud apps to disseminate malware

4. Deep visibility into transactional events is required

5. These capabilities are integral to an effective CASB solution

THE EVOLVING ROLE OF IDS/IPS

1. Traditional IDS/IPS solutions cover a decreasing share of the risk

2. Cloud apps require deeper visibility

3. CASB solutions focus on monitoring and controlling data regardless of the point of entry

4. CASB solutions normalize data across all cloud apps

DEEP VISIBILITY OF CLOUD ACTIVITY

CASB solutions gain visibility into cloud apps via gateways and APIs


CLOUD THREAT AND ANOMALY DETECTION

• CASB solutions can identify unusual patterns or anomalies in user behavior

• These patterns can be based on thresholds

• More sophisticated solutions apply data science to user behavior

• A baseline behavioral pattern can be established for each user
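The two detection styles the slide contrasts, threshold-based and baseline-based, side by side in an added example that is not Elastica CloudSOC's Detect module: a fixed download-count threshold shared by all users, plus a per-user baseline (mean and standard deviation of that user's own past days) so that a heavy user's normal day is not flagged while a light user's sudden spike is. The daily counts, the threshold and the z-score limit are constructed values.

```python
# Threshold and baseline anomaly detection on per-user activity: added example,
# not Elastica CloudSOC's Detect module. All counts below are constructed.
# Two detectors run side by side, as the slide describes: a fixed threshold that
# is the same for everyone, and a per-user baseline built from that user's own
# past days, so a heavy user and a light user each get their own "normal".
from statistics import mean, pstdev

# Constructed daily download counts per user for the last 14 days, and today.
HISTORY = {
    "alice": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 3],
    "bob": [40, 45, 38, 50, 42, 47, 41, 39, 44, 46, 43, 48, 40, 45],
}
TODAY = {"alice": 60, "bob": 50, "carol": 120}  # carol has no history yet

FIXED_THRESHOLD = 100  # downloads per day, applied to every user
ZSCORE_LIMIT = 3.0     # standard deviations above the personal mean
MIN_HISTORY_DAYS = 7   # fewer days than this and no baseline is trusted

def baseline(counts):
    """Return (mean, stdev) of a user's past days, or None without enough data."""
    if len(counts) < MIN_HISTORY_DAYS:
        return None
    return mean(counts), pstdev(counts)

def assess(user, today_count, history):
    """Return the detectors ("threshold", "baseline") that fire for this user."""
    reasons = []
    if today_count > FIXED_THRESHOLD:
        reasons.append("threshold")
    base = baseline(history.get(user, []))
    if base is not None:
        avg, sd = base
        # A perfectly flat history has sd == 0; any increase is then a deviation.
        if sd > 0:
            z = (today_count - avg) / sd
        else:
            z = float("inf") if today_count > avg else 0.0
        if z > ZSCORE_LIMIT:
            reasons.append("baseline")
    return reasons

def detect(today, history):
    """Map every user with at least one firing detector to its reasons."""
    flagged = {}
    for user, count in today.items():
        reasons = assess(user, count, history)
        if reasons:
            flagged[user] = reasons
    return flagged
```

Alice's 60 downloads are far below the fixed threshold yet many standard deviations above her own baseline, while Bob's 50 are within his; a new user such as Carol can only be judged by the threshold until enough history exists.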


MALWARE DETECTION

• The cloud can be an effective conduit for malware distribution through SSL connections

• CASB solutions provide early detection of malware within the cloud environment

• Suspicious content can be quarantined

CONTINUOUS MONITORING AND INCIDENT ANALYSIS

• Filtering on attributes

• Time-scale analysis

• Free-form search

CLOUD ATTACK MITIGATION PROCESS

Manage identities and credentials

Continuously monitor cloud activity for threats

Identify and prevent malware

Implement strong incident analysis


LESSON 5: COMPLIANCE AND DATA PRIVACY

WHAT COMPLIANCE ISSUES SHOULD ORGANIZATIONS CONSIDER?

Name compliance frameworks

• Personally Identifiable Information (PII)

• Payment Card Details or Personal Financial Data

• Personal Health Information (PHI)

• Family Educational Rights and Privacy Act (FERPA)

• International Traffic in Arms Regulations (ITAR)

• Criminal Justice Information Service (CJIS)

THREE AREAS WHERE CASB PLAYS A CRITICAL ROLE

1) Cloud apps and services have the appropriate security certifications

2) Certain cloud applications are blocked from receiving specific types of regulated data

3) Regulated data that legitimately needs to be placed in the cloud is secured per compliance guidelines

SECURE AND MONITOR REGULATED DATA

• Customer support applications

• Medical collaboration portals

• Consumer lending applications

• Human resources applications

• Financial analytics applications

1. Secure all regulated data with additional protection techniques

2. Limit access to all regulated data types

3. Monitor and log all interactions with regulated data


MONITOR AND LOG INTERACTIONS WITH REGULATED DATA

• Audit and log application transactions that contain regulated data

• Most SaaS services do not have an inherent notion of a log

• Organizations need to create independent transaction logs

• CASB solutions can be used to implement these logs

CLOUD COMPLIANCE AND DATA PRIVACY PROCESS

Ensure cloud apps have necessary certifications and functionality

Understand if regulated data is being placed in the cloud

Make sure the right policies are in place


LESSON 6: THE CLOUD ACCESS SECURITY MATURITY MODEL

1. Cloud Access Security Maturity Model

2. Cloud Access Security Plan Template

3. CASB Solution Selector

Email me to get the files: sergio_castro@symantec.com


LESSON 7: USING A CASB SOLUTION

ELASTICA CLOUDSOC

Data Science Powered™ Cloud App Security: before, during, after

Securlets

SIMILARITIES BETWEEN CLOUDSOC AND NETWORK SECURITY SYSTEMS

Audit: Risk Assessment

Detect: IDS/IPS

Protect: DLP & Firewall

Investigate: SIEM

CloudSOC: API and gateway

Diagram: CloudSOC connects to cloud apps (Google Drive, Box, Dropbox, Office 365) through their APIs, and sits as a gateway between the browser and the cloud app.

Content inspection at the gateway = data exposure policies, file transfers, file sharing, access enforcement, Threat Score


LESSON 8: THE AUDIT MODULE


AUDIT USE CASES

1) Detect cloud applications being used in our company

2) Determine the level of risk of each cloud application

3) Determine what users are using those applications

4) Select risky cloud applications to block

5) Consolidate redundant cloud applications

Audit Demo


LESSON 9: THE DETECT MODULE


DETECT USE CASES

1) Detect anomalous user actions based on thresholds

2) Detect anomalous user actions based on behavior

3) Detect anomalous user actions based on event sequences

Detect Demo


LESSON 10: THE PROTECT MODULE


PROTECT USE CASES

1) Create policies to prevent data exposure

2) Create policies to apply access enforcement

3) Create policies to block file sharing

4) Create policies to prevent file transfer

5) Create policies to block users based on Threat Score level

Protect Demo


LESSON 11: THE INVESTIGATE MODULE


INVESTIGATE USE CASES

1) Monitor activity based on:

a. Service

b. User

c. Object

d. Activity

e. Severity

f. Location

g. Browser

h. Device

Investigate Demo


LESSON 12: THE SECURLET MODULE


SECURLET USE CASES

1) Detect exposed files

2) Detect exposed users

3) Detect files with sensitive information

4) Detect third party apps that have read/write access to our cloud apps

5) Monitor activity in specific cloud apps

Securlet Demo


ELASTICA CLOUDSOC WORKFLOW

QUESTIONS

Q&A

sergio_castro@symantec.com