The Goldilocks Zone: Security and Architectural Implications of the SDDC

  • The Goldilocks Zone: Security and Architectural Implications of the SDDC

    SEC1959-S

    Tom Corn, SVP Security Products, VMware, Inc.

  • Securing the Data Center

    IT Infrastructure: Network, Storage, Compute, Infrastructure Management & Orchestration

    Application Infrastructure

    Security Infrastructure (the controls layered on top of the IT and application infrastructure):

    • NETWORK: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS

    • STORAGE: Encryption, Key Management, Tokenization

    • GOVERNANCE/COMPLIANCE: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP

    • COMPUTE: AV, HIPS, AMP, Encryption, Execution & Device Control

    • SOC: SIEM, Security Analytics, Forensics

    • IDENTITY CONTROLS: IAM, IAG, Authentication, Access Control, Federation/SSO

    • APP/DATABASE CONTROLS: App/DB Activity Mon, App/DB Encryption, Fraud Analytics

  • A Picture of Diminishing Returns

    The Only Thing Outpacing Security Spend… Is Security Losses

    [Chart: IT spend, security spend and security breaches plotted over time]

  • Kill Chain: Anatomy of a Modern Attack

    Phases: 1 Prep, 2 Intrusion, 3 Recon, 4 Recovery, 5 Act on Intent, 6 Exfiltration

    1. Prep

    • 1 Human Recon
    • 2 Attack Vector R&D
    • 3 Delivery Mechanism

    2. Intrusion (Strain A active, Strain B dormant)

    • 4 Compromise Primary Entry Point
    • 5 Install Command & Control I/F

    3. Recon (Strain A active)

    • 6 Escalate Privileges on Primary Entry Point
    • 7 Lateral Movement
    • 8 Install C2 I/F, Wipe Tracks, Escalate Priv (shown repeated across the hosts reached in the diagram)

    4. Recovery (Strain A active, Strain B active, Strains C and D dormant)

    • Attack Identified → Response
    • 9 Wake Up & Modify Next Dormant Strain

    5. Act on Intent

    • 10 Break into Data Stores
    • 11 Parcel & Obfuscate

    6. Exfiltration

    • 12 Exfiltration
    • 13 Cleanup

  • Modern Attack: targeted, interactive & stealthy

    [Diagram: the same 13-step kill chain, steps 1 through 13 with the active and dormant strains, repeated from the previous slide]

    Stop Infiltration: we lack the visibility & control to stop exfiltration

    shift from… • Perimeter-centric • In-line prevention • Managing compliance

    to… • Application & user-centric • Analytics/Out-of-band mitigation • Managing risk

  • 3 Architectural Issues

    Virtualization is the Key: as a ubiquitous abstraction layer between the applications and the infrastructure, it provides the “Goldilocks Zone” for security.

    1. Segmentation: the Logical Segmentation Problem. We lack the ability to segment around application boundaries.

    2. Policy: the Compound Policy Problem. We lack mechanisms to orchestrate policy across controls.

    3. Context: the Context/Isolation Tradeoff. We lack the right telemetry / “handles” for security controls.

    Common Thread: The Application

  • The Logical Segmentation Problem

    [Diagram: a hyper-connected computing base, enabling lateral movement and complex/comingled policy]

    The Solution: Enforce segmentation around application boundaries versus the perimeter, physical zones or machines.

    The Obstacle: We have no mechanism that maintains the relationship between the applications & the infrastructure.

  • The Compound Policy Problem

    [Diagram: controls C1, C2 and C3 that must sit in the right place, run in the right order and share state; the result today is choke points / scalability limits, complex distributed policy, and an open question (??) of how state is shared]

    The Solution: A mechanism to insert and order security controls and policy around logical boundaries, and a mechanism for them to publish and share state.

    The Obstacle: No such mechanism exists. We can insert on physical boundaries, and share state via point integrations and correlation.

  • The Context/Isolation Tradeoff

    [Diagram: Policy and Analytics both depend on Context and Isolation. An endpoint agent has context but not isolation; a network device has isolation but not context, seeing only handles such as HTTP://192.163.8.10:8080, HTTP://192.159.2.10:8080, HTTP://192.162.5.8:8080, or 10.20.2.14 09:00:02:A3:D1:3D and 10.18.3.13 08:00:03:A4:C2:4C. Result: poor handles/telemetry for policy/analytics.]

    The Solution: A ubiquitous mechanism for communicating telemetry with security controls that has the isolation properties of a network control point and the context of an endpoint agent.

    The Obstacle: No such mechanism exists. We are forced to make the tradeoff.

  • 3 Architectural Issues

    Common Thread: The Application. Virtualization is the Goldilocks Zone for Security.

    1. Segmentation: the Logical Segmentation Problem. We lack the ability to segment around application boundaries.

    2. Policy: the Compound Policy Problem. We lack mechanisms to orchestrate policy across controls.

    3. Context: the Context/Isolation Tradeoff. We lack the right telemetry / “handles” for security controls.

    If we could…

    • Segment along application boundaries and compliance scopes

    • Provision and order controls along those boundaries

    • Share context to and among controls

    …then we can dramatically…

    • Reduce our attack surface

    • Simplify our policies

    • Improve the effectiveness of all our controls

  • Putting Security Controls into the Virtualization Layer

    Virtual Infrastructure provides three layers:

    • Built-in Controls: Isolation/Segmentation/Access

    • Security Service Provisioning & Orchestration

    • Context: Security/Telemetry

    Security Controls consumed through those layers:

    • NETWORK: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS

    • STORAGE: Encryption, Key Management, Tokenization

    • GOVERNANCE/COMPLIANCE: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP

    • COMPUTE: AV, HIPS, AMP, Encryption, Execution & Device Control

    • SOC: SIEM, Security Analytics, Forensics

  • Micro-segmentation

    Logical segmentation around application boundaries

    [Diagram: a perimeter firewall; inside it, App 1, App 2 and App 3, each segmented into its own DMZ, Services and DB tiers, alongside shared infrastructure services AD, NTP, DHCP, DNS and CERT]

  • Micro-segmentation

    • Isolation (Default Deny)

    • Explicit Allow Comm.: Secure Communications

    • Structured Secure Communications: controls such as NGFW, IPS and WAF inserted between the tiers

  • Advanced Context

    The hypervisor can bridge the context / isolation gap

    [Diagram: Endpoint Agent has context but not isolation; Network Device has isolation but not context; Virtualization has both]

  • Policy Orchestration

    Security Group = Web Tier

    Policy Definition: Standard Web Policy; Advanced Malware Protection

    Advanced Malware Protection → DEFCON

    Security Group = DEFCON 1; Members = {Tag = ‘AdvancedMalware.Suspicious’, DEFCON Network}

    DEFCON 1 Policy: Gateway Authentication 1 → 2 Factor; Ratchet back Access Controls; Increase Logging
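    The two slides above (micro-segmentation with default deny plus explicit allows, and policy orchestration driven by a tag such as ‘AdvancedMalware.Suspicious’) are easier to reason about as code. The following is an added illustration, not VMware or NSX code and not from the deck: a toy distributed-firewall model in which security groups have static members (by tier) and dynamic members (by tag published by a control), and in which membership in the DEFCON 1 group swaps the policy, ratchets access back, raises gateway authentication to two factors and increases logging. The tier names, ports, rule format and the `publish_state` call are assumptions made for the example.

```python
"""Toy model of tag-driven security groups over a default-deny distributed
firewall. Added illustration only; it is not VMware/NSX code and the group
names, ports and tag-publishing API are assumptions for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Tag name taken from the deck's "Members = {Tag = 'AdvancedMalware.Suspicious', ...}" slide
SUSPICIOUS_TAG = "AdvancedMalware.Suspicious"


@dataclass
class Workload:
    name: str
    tier: str                                    # static group: web, app, db or infra (assumed names)
    tags: Set[str] = field(default_factory=set)  # state published by security controls


@dataclass(frozen=True)
class Rule:
    src_group: str   # "any" or a security-group name
    dst_group: str
    port: int


# Standard web policy: the explicit allows; anything unlisted is denied (default deny).
STANDARD_POLICY: List[Rule] = [
    Rule("any", "infra", 53),    # DNS to the shared infrastructure services
    Rule("any", "infra", 123),   # NTP
    Rule("web", "app", 8080),    # DMZ/web tier -> services tier
    Rule("app", "db", 5432),     # services tier -> database tier
]

# DEFCON 1 policy: access ratcheted back to DNS only, so a suspicious
# workload stays manageable for investigation but cannot move laterally.
DEFCON1_POLICY: List[Rule] = [
    Rule("defcon1", "infra", 53),
]


def groups_for(w: Workload) -> Set[str]:
    """Static membership by tier plus dynamic membership by published tag."""
    groups = {w.tier}
    if SUSPICIOUS_TAG in w.tags:
        groups.add("defcon1")
    return groups


def publish_state(w: Workload, tag: str, present: bool) -> None:
    """A control (e.g. malware protection) sharing its state with the platform as a tag."""
    if present:
        w.tags.add(tag)
    else:
        w.tags.discard(tag)


def evaluate_flow(src: Workload, dst: Workload, port: int) -> Dict[str, object]:
    """Decide one flow: which policy applies, whether the flow is allowed, and the
    gateway-authentication and logging settings that come with that policy."""
    src_groups, dst_groups = groups_for(src), groups_for(dst)
    escalated = "defcon1" in src_groups or "defcon1" in dst_groups
    rules = DEFCON1_POLICY if escalated else STANDARD_POLICY
    allowed = any(
        (r.src_group == "any" or r.src_group in src_groups)
        and r.dst_group in dst_groups
        and r.port == port
        for r in rules
    )
    return {
        "policy": "DEFCON 1" if escalated else "Standard Web",
        "action": "allow" if allowed else "deny",
        "gateway_auth_factors": 2 if escalated else 1,
        "log_level": "verbose" if escalated else "normal",
    }


def demo() -> List[str]:
    """Walk one constructed web workload through tagging and back; returns the decisions."""
    web, app, db, dns = (Workload("web-01", "web"), Workload("app-01", "app"),
                         Workload("db-01", "db"), Workload("dns-01", "infra"))
    trace = []
    for label, s, d, p in [("web->app", web, app, 8080), ("web->db", web, db, 5432)]:
        trace.append(f"{label}: {evaluate_flow(s, d, p)['action']}")
    publish_state(web, SUSPICIOUS_TAG, True)      # malware control raises the flag
    for label, s, d, p in [("web->app", web, app, 8080), ("web->dns", web, dns, 53)]:
        v = evaluate_flow(s, d, p)
        trace.append(f"[{v['policy']}] {label}: {v['action']}, log={v['log_level']}")
    publish_state(web, SUSPICIOUS_TAG, False)     # cleared after remediation
    trace.append(f"web->app: {evaluate_flow(web, app, 8080)['action']}")
    return trace


if __name__ == "__main__":
    print("\n".join(demo()))
```

    The point the model makes is the one the deck makes: because the policy is attached to a logical group rather than to an address, the malware control only has to publish a tag; the firewall, the authentication requirement and the logging level all follow from group membership, and they revert as soon as the tag is cleared.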

  • Case Study: WestJet Airlines. Richard Sillito, Solution Architect, IT Security, WestJet Airlines

  • The Call to Action A Once in Wave Opportunity

    1st Wave Mainframe | Termina