Adaptive Trust for Strong Network Security

Page 1: Adaptive Trust for Strong Network Security

© Copyright 2014. Aruba Networks, Inc. All rights reserved

It’s a Matter of Trust

Adaptive Trust for Strong Network Security

Alan Ni, Sr. Product Marketing Mgr, Aruba Networks, @AlanJNi

Trent Fierro, Sr. Product Marketing Mgr, Aruba Networks, @Trentf_CA

Mike Raggo, Security Evangelist, MobileIron, @MikeRaggo

Page 2: Adaptive Trust for Strong Network Security

The New Enterprise Perimeter - #GenMobile

CORPORATE OFFICE

HOME OFFICE

BRANCH OFFICE

ANYWHERE OFFICE

Page 3: Adaptive Trust for Strong Network Security

Today’s Emerging Mobility Threats

Increased exposure to data, call charges, lost productivity

Hackers deliberately targeting open Wi-Fi networks

Rising instances of malicious apps, infections, password theft

Higher Usage of Unsecured Networks

Mobile App Targeted Malware

Greater Loss / Theft of Devices

Page 4: Adaptive Trust for Strong Network Security

Mobile App Usage and Hacker Targeting

telnet

Apps we put up with

Apps needed

Apps ignored

Needed and ignored apps are targeted more often

(Only 0.4% of all threats observed)

UDP

Page 5: Adaptive Trust for Strong Network Security

Anatomy of Recent Retail Breaches

POS devices

Dump Site

POS Update Server

1. Russian hacker sells BlackPOS malware for $2,300 on darknet. Attacker uses this to stage attack.

2. Malware moved to retailer's internal distribution servers through vulnerability, or weak contractor account

3. Distribution servers move malware to legacy POS terminals

4. Malware scrapes unencrypted RAM in real-time and sends card information to Dump Site…for 15-20 DAYS!!!

5. Hacker accesses FTP dump site and downloads card data for later transfer of funds from accounts

LEGACY APPROACHES WON’T WORK!!!

Page 6: Adaptive Trust for Strong Network Security

Common Mobile Attack Vectors

User Data Leakage

Data exfiltration

Open to vulnerabilities that lead to data exposure

- Weak NAC

- Man-in-the-middle

- Untrusted Networks

Jailbroken / Rooted Devices

- Forwarding of data

- Cloud Storage

- Social Engineering

Un-protected Networks

Malicious / Risky Apps

Users and networks are now low-hanging fruit

Page 7: Adaptive Trust for Strong Network Security

Perimeter Defense

IDS/IPS

Firewalls

Mobility Defense

Firewalls

IDS/IPS/AV Web gateways

EMM/MDM

Physical

Web gateways

A/V

Time for a New Perimeter Defense Model

Policy needed for central point of control

Access Policy Management

Page 8: Adaptive Trust for Strong Network Security

Use of Context Awareness

ClearPass

FIREWALLS

IDS/IPS WEB GATEWAYS

EMM/MDM

The Building Blocks of Adaptive Trust

Granular control with user and device data

Identity, IP address

Network controls using device attributes

Highly credible user and device data

Visibility into user and device OS

Page 9: Adaptive Trust for Strong Network Security

Enabling Adaptive Trust

Page 10: Adaptive Trust for Strong Network Security

Deciphering Context for Policy Decisions

Jailbroken phone?

BYOD?

Guest?

Office?

Device type?

Firewall enabled?

Employee?

Policies must adapt to conditions

Nonfat?

Page 11: Adaptive Trust for Strong Network Security

The Heart of an Adaptive Trust Decision

User & role

Ownership - IT or BYOD

Device & type

Usable Context

Device assessment

Location - Secure or open access

Auth type - credentials or certificate

Session rules

Access type

Time-of-day / Day-of-Week

App traffic & behavior

Page 12: Adaptive Trust for Strong Network Security

Sources of Usable Context

Device Profiling

• Samsung SM-G900
• Android
• “Jons-Galaxy”

EMM/MDM

• Personal owned
• Registered
• OS up-to-date

• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true

Identity Stores

Enforcement Points

• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London

• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps

Page 13: Adaptive Trust for Strong Network Security

Sources of Usable Context

• Android 4.4, Knox
• MDM enabled = true
• In-compliance = true
• At Bldg 10, floor 3
• 21:22GMT, 21/12/14

• Hansen, Jon [Sales]
• COO, Executive Office
• London
• Personal Owned
• Samsung SM-G900

Adaptive Trust Identity

Page 14: Adaptive Trust for Strong Network Security

Adaptive Policy Driven by Context

Corporate Tablet

BYOD Tablet

Authentication EAP-TLS

SSID CORP-SECURE

Authentication EAP-TLS

SSID CORP-SECURE

Internet Only

Internet and Corporate Apps

Page 15: Adaptive Trust for Strong Network Security

Time for Policy Management Vs. AAA

Role-based Enforcement - Users and devices

Expandability - BYOD, guest access

Central Context Database - Users, device profiles, location

Per Session Control

Page 16: Adaptive Trust for Strong Network Security

POLICY

Profiler

EMM / MDM

NAC

TACACS

RADIUS

Guest

Device Registration

ClearPass

Automated mobile security workflows

Context-based adaptive policy enforcement

Integration with Third Party Solutions

WIRELESS and WIRED SECURITY

Reporting

Exchange

Auto Sign On

Single Sign On

Onboarding

AirGroup

SIEM Support

Network Starting Point: ClearPass

ANY MULTIVENDOR NETWORK

Page 17: Adaptive Trust for Strong Network Security

The ClearPass Access Management System

Guest

ClearPass

Onboard OnGuard

Baseline Hardware or VM Appliances (500, 5,000 or 25,000) Remote Location

Expandable Applications

Page 18: Adaptive Trust for Strong Network Security

ClearPass Exchange

Mitigating Risks using 3rd Party Integration

Jail-broken device detected

Helpdesk ticket auto generated

Message to device auto generated

ClearPass denies access to device

RESTful APIs

Syslog Messages

Adaptive Trust Identity

Page 19: Adaptive Trust for Strong Network Security

Device Starting Point: MobileIron EMM

Device configuration and security

Separation between enterprise and personal data

Secure corporate email

Enterprise mobile apps

Device choice

Native user experience

Secure access to enterprise web apps

Secure access to enterprise content

Selective wipe

Page 20: Adaptive Trust for Strong Network Security

NAC and EMM Better Together

Mobile Device

MobileIron – ClearPass Core

Certificate-based authentication

Network Access Control

Policy enforcement, lockdowns, restrictions

Monitor for out-of-compliance devices, closed-loop compliance actions (online & offline)

Malicious and Risky App Detections

Jailbreak/Root Detection

Quarantine Wipe/Selective Wipe

User and IT notification

1. Hacker attempts MITM or targeted attack on mobile device. Brute-force attacks both mitigated through use of certs.

2. ClearPass validates if device is known or registered, and in compliance by checking in with MobileIron. Device blocked.

3. Core enforces security policies, lockdowns, restrictions.

4. Core monitors, alerts, and reports on out-of-compliance devices, ensures closed-loop actions.

5. EMM identifies malicious app and alerts.

6. As Jailbreak/rooting occurs, device is Auto-Quarantined.

7. Quarantine removes Managed Corp App & Data to mitigate exposure, network access is changed to only allow for remediation

Page 21: Adaptive Trust for Strong Network Security

NAC/AAA to apply appropriate contextual-based policies; Shares adaptive trust identity with other IT systems

Adaptive Trust Counter-Measure Framework

EMM to apply consistent policy for device, apps and content across all mobile

MDM

MAM

MCM

Device password, encryption, on-going compliance monitoring, and automated remediation

Jailbreak / Root Detection - Online & offline + quarantine

Identity Certificate-based authentication to prevent MiTM

Best-of-Breed Network Security Systems utilizing adaptive trust identity

- Containerized apps
- Data-at-rest encryption

- Enterprise App Store
- Secure App Eco-system
- App-reputation Services

- Restrict Copy/paste and Open-in for DLP
- Secure On-device Content repository

- Secure Web-browser

Page 22: Adaptive Trust for Strong Network Security

THANK YOU

Alan Ni, @AlanJNi

Trent Fierro, @Trentf_CA

Mike Raggo, @MikeRaggo