www.cloudsec.com | #cloudsec

Security for your Applications from the Inside Out

Mick McCluney, ANZ Technical Leader | Trend Micro

Security for your Applications from the Inside Out Trend Micro_Mick McCluney.pdf · 2019-10-01


Security for your applications from the inside out

Abstract: Traditional security measures are struggling to keep up with the rise of cloud, containerised and serverless workloads. With the majority of traffic now encrypted and thousands of ephemeral instances across multiple clouds, a new approach to application security is required. In this session, we will discuss the challenges traditional security teams are facing, then take a look at how enterprises can overcome them by integrating security into the heart of their applications.

Copyright 2017 Trend Micro Inc.

Evolution of Infrastructure & Applications

Infrastructure Change…

[Diagram: Physical Servers, Virtual Servers, Virtual Desktops, Cloud]

Application Change…

[Diagram: Monoliths, Microservices, Containers, Serverless (AWS Lambda, Azure Functions, Google Functions)]

Traditional Applications (Monoliths)

• Monolithic

• Treated as pets

• Hard to scale

• Bloated Windows & Linux OS


DevOps Applications

• Microservices:
  – Fine-grained
  – Extremely scalable
  – Treated as cattle

• Containers:
  – Package code and all dependencies
  – Lightweight and standalone

• Serverless:
  – Code with “no” underlying OS

A Challenging Journey

Application Change… means Organisational Change

5 Emerging technologies for Cloud Security

[Diagram labels: Physical, Virtual or Cloud Container Nodes; Operating System; Deep Security Agent; Docker Engine; Kubernetes; Application Container (e.g. NGINX); Application Container (e.g. Webapp); Application Container (e.g. MySQL); Host OS Protection; Docker Protection; Container Protection; Kubernetes Protection; Application Protection; Full Protection; Transit Gateway; ZDI Network Protection; CI/CD - Smart Check Pipeline Protection. Five items carry a "New" tag.]

Securing Your Pipeline


© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.


Protect the Network


The problem with cloud network security today

Today’s network security solutions are complex, expensive and introduce friction

• unnatural, not purpose built for the cloud

• disrupts business, causing friction, slowing down ops & devops

• re-architecting is time consuming and you lose the benefits of the cloud


Network Protection powered by TippingPoint

[Diagram labels: Internet; Transit Gateway; Security Services VPC; Network Protection; VPC (Workloads); VPC (Workloads)]

Protecting the Host


Hybrid Cloud Security Solution

• Network Security: Stop network attacks, shield vulnerable applications & servers
  – Firewall
  – Vulnerability Scanning
  – Intrusion Prevention

• Malware Prevention: Stop malware & targeted attacks
  – Anti-Malware
  – Sandbox Analysis
  – Behavioral Analysis & Machine Learning

• System Security: Lock down systems & detect suspicious activity
  – Application Control
  – Integrity Monitoring
  – Log Inspection

Securing your Containers


Container Security Challenges

Vendor and tool proliferation

IT thinks they need a container-specific product separate from a unified solution, which leads to additional tools and environment complexity

Impact on continuous releases

Security teams are negatively impacted by the limited ways they can protect continuously delivered container applications and allow DevOps to move faster

Unsecured pipeline risks

DevOps teams are focused on application output and uptime, overlooking IT Security protocols and early warning threat signals

Challenges With Securing Containers

Full Lifecycle, Full Stack Container Security

• BUILD SECURE: Security fit for DevOps at the speed of business from the first build

• RUN ANYWHERE: Cloud neutral, and multi-architecture for modern applications

• SHIP FAST: Automated security for the CI/CD pipeline and cloud based container applications

Growing Threats Across Container Environments

• Vulnerable code

• Malware from public sources

• Embedded secrets

• Non-compliant content

• Attacks against running applications

• Attacks against container platforms

• Attacks against OS hosting containers

[Diagram labels: Software Build Pipeline; Host Runtime; Build, Commit, Push, Deploy]

Securing your CI/CD Pipeline & Docker Runtime

Full Lifecycle, Full Stack Container Security

[Diagram labels: Build, Commit, Push, Deploy; Build Pipeline Scanning/Detection; Protection Deployment; Pre-registry Scanning; Registry Scanning; Protection for Container Workload Host; Container Security; Kubernetes & Docker Platform Protection; Compliance & Configuration; Secrets & Keys; Vulnerabilities; Malware; CVE Whitelisting; Host Agent; Custom/IoC Sweeping; Inter-Container (E-W) Traffic inspection. Legend: ❑ New Capabilities]

Protecting your Application from the Inside


• What is App Protect?

• What are the benefits?

• How does it work?

• How is it different from existing tech?


What is App Protect?

• RASP Technology – Runtime Application Self-Protection
  – Self-defending apps

• Secures applications from exploitation of OWASP-style vulnerabilities by simply including a library/module in the application code

• Also includes Deep Security IPS and Anti-malware engines

Benefits of App Protect

3 major problem areas

• App Protect allows you to secure what has been difficult/impossible to secure
  – Serverless (Functions-as-a-Service) – AWS Lambda, Azure Functions, Google Functions
    • Where the only thing you can control is the code itself
  – Fargate (Fully Managed Kubernetes – Cannot manage the host)
    • The only thing you can control is the code and the container it runs in
  – SSL/TLS encrypted communications
    • No need for a decryption appliance

• App Protect sees all application data from the code’s point of view
  – Less room for error / rules are fewer and more effective
  – Inspects ALL I/O of the application (not just the network traffic)


How does App Protect work?

• To use App Protect, all development has to do is include/import the App Protect library/module in their code

• The library/module hooks important I/O functions within the application and applies a set of configurable rules

• Rules can be set to mitigate or report

• The library/module sends important events back to central management

– Includes line-of-code visibility into the threat
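
The hook-and-rule pattern described on this slide, as an added Python sketch that is not Trend Micro's code or API: a database call is hooked, a rule runs in mitigate or report mode, and each event records the calling line of application code. All names (GuardedConnection, sqli_rule, REQUEST_INPUTS, EVENTS), the deliberately simple rule heuristic and the sample data are constructed for illustration.

```python
import sqlite3
import traceback

EVENTS = []                    # stand-in for the central management channel
RULES = {"sqli": "mitigate"}   # per-rule mode: "mitigate" blocks, "report" only logs
REQUEST_INPUTS = []            # untrusted values of the request being handled

class Blocked(Exception):
    """Raised when a rule in mitigate mode stops a call."""

def sqli_rule(sql):
    """Flag SQL text that embeds an untrusted value containing SQL metacharacters."""
    return any(v in sql and any(c in v for c in ("'", '"', ";", "--"))
               for v in REQUEST_INPUTS)

class GuardedConnection(sqlite3.Connection):
    """Hooked I/O function: execute() applies the rule before the real call."""
    def execute(self, sql, params=()):
        if sqli_rule(sql):
            caller = traceback.extract_stack()[-2]   # application frame that called us
            EVENTS.append({"rule": "sqli", "mode": RULES["sqli"], "func": caller.name,
                           "file": caller.filename, "line": caller.lineno})
            if RULES["sqli"] == "mitigate":
                raise Blocked("sqli rule blocked the query")
        return super().execute(sql, params)

def install():
    """The 'import the library' step: route sqlite3.connect() through the hook."""
    real_connect = sqlite3.connect
    def connect(*args, **kwargs):
        kwargs.setdefault("factory", GuardedConnection)
        return real_connect(*args, **kwargs)
    sqlite3.connect = connect

def lookup(db, name):
    # Constructed application code with a string-built query (the flaw being guarded).
    return db.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()

def demo(mode, name):  # handle one constructed request under the given rule mode
    RULES["sqli"] = mode
    REQUEST_INPUTS[:] = [name]
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    try:
        return lookup(db, name)
    except Blocked:
        return "blocked"
install()
```

Because the rule sees both the untrusted input and the final query text inside the process, it needs no TLS decryption step; in report mode the query still runs and only the event is recorded.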


How is App Protect Different?

• Better visibility than traditional WAF; More accurate

• Works with Functions as a Service (FaaS)

• Works with Fargate

• Also excellent with container based Micro-Services

• Works anywhere you have code

– Apps currently under development

– Apps you’ve inherited/acquired

• Includes IPS and Anti-Malware protection


App Protect GA Platform Support


Architecture

• Deep Instrumentation at the runtime, framework, and library level

• Security Logic runs in embedded, JIT-compiled runtime (Lua)

• Configuration is updated as IMMUNIO learns about application operation.

App Protect Demo


Application Attack & Prevention on AWS


Sample Dockerfile – Java Spring


#cloudsec www.cloudsec.com

THANK YOU

Mick McCluney, ANZ Technical Leader | Trend Micro