www.cloudsec.com | #cloudsec
Security for your Applications from the Inside Out
Mick McCluney, ANZ Technical Leader | Trend Micro
Security for your applications from the inside out
Abstract: Traditional security measures are struggling to keep up with the rise of cloud, containerised and serverless workloads. With the majority of traffic now encrypted and thousands of ephemeral instances across multiple clouds, a new approach to application security is required. In this session, we will discuss the challenges traditional security teams are facing and then look at how enterprises can overcome them by integrating security into the heart of their applications.
Copyright 2017 Trend Micro Inc.
Evolution of Infrastructure & Applications
Infrastructure Change…
• Physical Servers
• Virtual Servers
• Virtual Desktops
• Cloud

Application Change…
• Monoliths
• Microservices
• Containers
• Serverless (AWS Lambda, Azure Functions, Google Functions)
Traditional Applications (Monoliths)
• Monolithic
• Treated as pets
• Hard to scale
• Bloated Windows & Linux OS
DevOps Applications
• Microservices:
– Fine-grained
– Extremely scalable
– Treated as cattle
• Containers:
– Package code and all dependencies
– Lightweight and standalone
• Serverless:
– Code with “no” underlying OS
A Challenging Journey
Application Change… means Organisational Change
5 Emerging Technologies for Cloud Security
[Diagram: physical, virtual or cloud container nodes, layered as Operating System, Docker Engine, Kubernetes and Application Containers (e.g. NGINX, Webapp, MySQL), with the Deep Security Agent on the host.]
• Host OS Protection
• Docker Protection
• Container Protection
• Kubernetes Protection
• Full Protection
• Application Protection
• ZDI Network Protection (Transit Gateway)
• CI/CD – Smart Check Pipeline Protection
Securing Your Pipeline
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Protect the Network
The problem with cloud network security today
Today’s network security solutions are complex, expensive and introduce friction:
• unnatural, not purpose-built for the cloud
• disrupts business, causing friction, slowing down ops & DevOps
• re-architecting is time-consuming and you lose the benefits of the cloud
Network Protection powered by TippingPoint
[Diagram: Network Protection deployed in a Security Services VPC, attached through Transit Gateway to the workload VPCs and to the Internet.]
Protecting the Host
Hybrid Cloud Security Solution
• Network Security – stop network attacks, shield vulnerable applications & servers: Firewall, Intrusion Prevention, Vulnerability Scanning
• Malware Prevention – stop malware & targeted attacks: Anti-Malware, Sandbox Analysis, Behavioral Analysis & Machine Learning
• System Security – lock down systems & detect suspicious activity: Application Control, Integrity Monitoring, Log Inspection
Securing your Containers
Container Security Challenges
• Vendor and tool proliferation – IT thinks they need a container-specific product separate from a unified solution, which leads to additional tools and environment complexity
• Impact on continuous releases – Security teams are negatively impacted by the limited ways they can protect continuously delivered container applications and allow DevOps to move faster
• Unsecured pipeline risks – DevOps teams are focused on application output and uptime, overlooking IT Security protocols and early warning threat signals
Full Lifecycle, Full Stack Container Security
• BUILD SECURE – Security fit for DevOps at the speed of business from the first build
• RUN ANYWHERE – Cloud neutral, and multi-architecture for modern applications
• SHIP FAST – Automated security for the CI/CD pipeline and cloud-based container applications
Growing Threats Across Container Environments
Software Build Pipeline (Commit → Build → Push → Deploy):
• Vulnerable code
• Malware from public sources
• Embedded secrets
• Non-compliant content
Host Runtime:
• Attacks against running applications
• Attacks against container platforms
• Attacks against OS hosting containers
Securing your CI/CD Pipeline & Docker Runtime
Full Lifecycle, Full Stack Container Security
Build Pipeline Scanning/Detection (Commit → Build → Push → Deploy):
• Pre-registry Scanning
• Registry Scanning
• Checks and controls: Malware, Vulnerabilities, Secrets & Keys, Compliance & Configuration, CVE Whitelisting, Custom/IoC Sweeping
Protection Deployment:
• Protection for Container Workload Host (Host Agent)
• Container Security (Inter-Container (E-W) Traffic inspection)
• Kubernetes & Docker Platform Protection
❑ New Capabilities
Protecting your Application from the Inside
• What is App Protect?
• What are the benefits?
• How does it work?
• How is it different from existing tech?
What is App Protect?
• RASP Technology – Runtime Application Self-Protection
– Self-defending apps
• Secures applications from exploitation of OWASP-style vulnerabilities by simply including a library/module in the application code
• Also includes Deep Security IPS and Anti-malware engines
Benefits of App Protect
3 major problem areas
• App Protect allows you to secure what has been difficult/impossible to secure:
– Serverless (Functions-as-a-Service) – AWS Lambda, Azure Functions, Google Functions
• Where the only thing you can control is the code itself
– Fargate (Fully Managed Kubernetes – Cannot manage the host)
• The only thing you can control is the code and the container it runs in
– SSL/TLS encrypted communications
• No need for a decryption appliance
• App Protect sees all application data from the code’s point of view
– Less room for error / rules are fewer and more effective
– Inspects ALL I/O of the application (not just the network traffic)
How does App Protect work?
• To use App Protect, all development has to do is include/import the App Protect library/module in their code
• The library/module hooks important I/O functions within the application and applies a set of configurable rules
• Rules can be set to mitigate or report
• The library/module sends important events back to central management
– Includes line-of-code visibility into the threat
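A toy illustration of the hooking model described above, added here and not part of the deck or of App Protect itself: a decorator stands in for the library, wraps an application I/O function, evaluates configurable rules against its arguments, runs in mitigate or report mode, and records the caller's file and line number with each event. The rules, the db_query/read_file stand-ins and the EVENTS list are all constructed for the example.

```python
import functools
import inspect
import re

# Constructed stand-in for "events sent back to central management".
EVENTS = []


class BlockedByRasp(Exception):
    """Raised in mitigate mode when a rule matches the hooked call."""


# Configurable rules: name -> predicate over the hooked call's first argument.
# Deliberately simple heuristics; a real engine is far more thorough.
RULES = {
    "sqli": lambda s: re.search(
        r"(?i)('\s*or\s+\S+\s*=\s*\S+|;\s*(drop|delete|update|insert)\b|--)", s) is not None,
    "path_traversal": lambda p: ".." in p.replace("\\", "/").split("/") or p.startswith("/"),
}


def rasp_hook(rule_names, mode="mitigate"):
    """Hook an I/O function: apply rules to its first argument, then mitigate or report."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            payload = str(args[0]) if args else ""
            for name in rule_names:
                if RULES[name](payload):
                    caller = inspect.stack()[1]  # the application line that made the call
                    EVENTS.append({"rule": name, "hook": func.__name__, "mode": mode,
                                   "file": caller.filename, "line": caller.lineno,
                                   "payload": payload})
                    if mode == "mitigate":
                        raise BlockedByRasp(f"{name} blocked at {caller.filename}:{caller.lineno}")
            return func(*args, **kwargs)  # report mode (or no match): call through
        return wrapper
    return decorator


@rasp_hook(["sqli"], mode="mitigate")
def db_query(sql):  # constructed stand-in for the app's database call
    return f"executed: {sql}"


@rasp_hook(["path_traversal"], mode="report")
def read_file(path):  # constructed stand-in for the app's file I/O
    return f"read: {path}"


def demo():
    """Run one benign call, one blocked call and one reported-only call."""
    EVENTS.clear()
    results = {"benign": db_query("SELECT * FROM users WHERE id = 42")}
    try:
        db_query("SELECT * FROM users WHERE name = '' OR 1=1 --'")
        results["attack"] = "allowed"
    except BlockedByRasp:
        results["attack"] = "blocked"
    results["report"] = read_file("../../etc/passwd")  # logged, not blocked
    return results
```
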
How is App Protect Different?
• Better visibility than a traditional WAF; more accurate
• Works with Functions as a Service (FaaS)
• Works with Fargate
• Also excellent with container based Micro-Services
• Works anywhere you have code
– Apps currently under development
– Apps you’ve inherited/acquired
• Includes IPS and Anti-Malware protection
App Protect GA Platform Support
Architecture
• Deep instrumentation at the runtime, framework, and library level
• Security logic runs in an embedded, JIT-compiled runtime (Lua)
• Configuration is updated as IMMUNIO learns about application operation.
App Protect Demo
Application Attack & Prevention on AWS
Sample Dockerfile – Java Spring
#cloudsec www.cloudsec.com
THANK YOU
Mick McCluney, ANZ Technical Leader | Trend Micro