The cyber house of horrors - securing the expanding attack surface
Transcript of The cyber house of horrors - securing the expanding attack surface
The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface
Welcome. CertesNetworks.com
A Little Housekeeping
• This webinar is being recorded; a replay link will be sent to you by email along with the slides.
• You are muted by default, please ask any questions in the Q&A section or the chat window.
• We will have a Q&A section at the end of the webinar.
• If you experience technical difficulties joining the WebEx session please dial: 1-866-229-3239, or you can message the WebEx Producer using the Q&A panel.
Copyright 2016 Certes Networks. Visit CertesNetworks.com
Our Speakers
Jason Bloomberg, President of Intellyx & contributor to Forbes - Presenter
Satyam Tyagi, CTO of Certes Networks - Presenter
Adam Boone, CMO of Certes Networks - Moderator
The Original Attack Surface
[Diagram: exposure of a LAN-only environment]
When application traffic and users stayed inside the LAN, the attack surface was minimal.
The New Attack Surface
[Diagram: new exposure points: Cloud Apps, Internet Access, Remote Workers, Contractor VPN, Remote Office, BYOD, IoT]
As IT has evolved, the attack surface has exploded. User & App Sprawl: a mess of users accessing a mess of applications.
But Same Perimeter Defense
[Diagram: the firewalled perimeter with the same new exposure points: Cloud Apps, Internet Access, Remote Workers, Contractor VPN, Remote Office, BYOD, IoT]
20+ year old perimeter-oriented architecture
20+ year old trust model
20+ year old security model tied to enforcing security in infrastructure
Network Sprawl, IT Sprawl, Security Sprawl … creating silos and gaps exploited by attackers in all the major data breaches
The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface
Jason Bloomberg, President
@theebizwizard
Copyright © 2016, Intellyx, LLC
About Jason Bloomberg
• President of industry analyst firm Intellyx
• Latest book: The Agile Architecture Revolution
• Recently published the Agile Digital Transformation Roadmap poster
Cybersecurity, the Old Days
Cybersecurity Today
Photo credit: Björn Söderqvist https://www.flickr.com/photos/kapten/
The Attack Surface
Humans are the weakest link
Photo credit: Marion Doss https://www.flickr.com/photos/ooocha/
• The sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment (Wikipedia)
• Attack vectors can be code-centric: buffer overflow, SQL injection, etc.
• Today, most attack vectors are human-centric
Human Attack Vectors
• Phishing: bulk emails seeking to trick people into clicking malicious links or downloading malware
• Spear phishing: targeted emails seeking to trick people into taking specific action
• Other cons (confidence tricks): dropping infected flash drives in parking lots; calls from the “help desk”
Photo credit: Joint Task Force Guantanamo https://www.flickr.com/photos/jtfgtmo/
Insider Attacks
• Rare: Edward Snowden; privileged user with political or other principled motivation
• Uncommon: compromised employee; target of blackmail or other extortion
• More common: disgruntled employee; more likely to do damage than steal something
• Very common: careless employee; clicks on a phishing link or opens a phishing email, uses unauthorized cloud storage
Photo credits: DonkeyHotey https://www.flickr.com/photos/donkeyhotey/ and Laura Poitras
Advanced Persistent Threats (APTs)
• Professional, technologically advanced attacks
• Typically single out a particular target
• Take a careful, step-by-step approach: introduce malware (often by spear phishing); malware moves around the network; ‘phones home’ to establish a command & control link; exfiltrates valuable data/money
Photo credit: Paul van de Velde https://www.flickr.com/photos/dordrecht-holland/
Every Endpoint is Vulnerable
• Computers
• Mobile devices
• Network equipment
• Anything on the Internet of Things: thermostats, industrial equipment, appliances, automobiles, and many, many more…
Photo credit: tomemrich https://www.flickr.com/photos/90941490@N06/
Cyber Assumptions
• Every endpoint can be compromised
• Every user can be compromised
• Malware is everywhere
• Attackers have the run of your organization
Mitigation is Essential
Photo credit: Rob https://www.flickr.com/photos/rob060/
Jason Bloomberg, President, Intellyx
[email protected] | @theebizwizard
Download poster at AgileDigitalTransformation.com
Send email NOW to [email protected] to download this presentation
Thank You!
Wrecking the Cyber House of Horror with Crypto-Segmentation
Satyam Tyagi, CTO, Certes Networks
Infrastructure-Centric Security Mess
Why are we in the House of Horrors?
IT has out-evolved IT Security
[Timeline diagram, 1990 to 2016. Enterprise IT: packet networking; digitization, networked applications; Internet, smart devices, cloud; borderless, virtual, platforms. IT Security: firewalls, gateways inspecting packet traffic at perimeter; VPNs, remote access, network access; MDM/EMM, NAC, IDS, threat management; perimeter, device-based, point products; identity, authentication]
Enterprise security continues to be based on inspecting traffic and making security decisions based on packets: ports, IP addresses, header tags, etc.
This means the security model is tied to networks & infrastructure that are already compromised; every major data breach has exploited this failing.
Humanly Impossible Complexity, Enemy of Security
[Diagram: the firewalled perimeter and the new exposure points: Cloud Apps, Internet Access, Remote Workers, Contractor, Remote Office, BYOD, IoT]
Security Office
Business Requirements
• What are the assets/apps?
• Why are they valuable?
• Who needs access to them?
• Potential negative impact if confidentiality, integrity or availability breached
CATEGORIZE
Security Policy & Controls
• Access Control
• Awareness Training
• Audit Accountability
• Assessment Authorization
• Configuration Management
• Contingency Planning
• Identification Authentication
• Incident Response
• …
SELECT
IMPLEMENT
[Diagram: one point product and one team per silo: CASB, IoT Gateways, Software-Defined Perimeter/VPN, EMM/NAC, Micro-Segmentation, FW/SWG, VPN; Mobility Team, Data Center Team, IoT Team, Cloud App Team, Remote Worker Team, Internet/Network Firewall Team, Partner Access Team]
Siloed Expensive Work + Slower to Market = $$$ (expensive)
Facing the House of Horrors
Decoupling Security from Infrastructure
Business-Driven Infrastructure-Independent Security
Security officer “implements” security policy and controls to meet business requirements
• No dependence on type of infrastructure
• No dependence on multiple other teams
• Simply categorize & segregate business assets (apps)
• Defines access based on user roles & business needs
Infrastructure to Business, Chaos to Harmony!
[Diagram: the same exposure points (Cloud Apps, Internet Access, Remote Workers, Contractor, Remote Office, BYOD, IoT) behind the firewalled perimeter, now grouped by business function such as Sales and Ops rather than by infrastructure]
IT Security Evolution
[Timeline diagram, 1990 to 2016. Enterprise IT: packet networking; digitization, networked applications; Internet, smart devices, cloud; borderless, virtual, platforms. IT Security: firewalls, gateways inspecting packet traffic at perimeter; VPNs, remote access, network access; intrusion detection, traffic inspection, threat management; identity, authentication; software-defined, application access & segmentation]
Certes redefines security by decoupling it from network devices: security decisions are not based on ports, addresses or other network parameters.
Cryptography Decouples Security From Infrastructure

Comparison of ‘No Trust’ with Micro-segmentation against ‘No Trust’ with Crypto-segmentation. For each row: how it works, and what it means for you.

Basis of Trust
• Micro-segmentation: infrastructure. What it means: infrastructure compromised & everything is at risk.
• Crypto-segmentation: cryptographic credentials, X.509 certificates, cryptographic keys. What it means: all assets are protected unless the attacker can break each individual app key (practical impossibility).

Basis of Policy
• Micro-segmentation: VM instances, Layer 2 to Layer 7 firewalls, network flows. What it means: a compromised machine can be used to laterally move out of the micro-segment.
• Crypto-segmentation: X.509 certificates, cryptographic keys and security associations. What it means: no credentials, no keys, no lateral movement.

Crypto Usage
• Micro-segmentation: optional, for confidentiality and privacy when interconnecting segments. What it means: privacy and confidentiality are already provided by most apps.
• Crypto-segmentation: cryptography is the fabric of trust, policy decision and segmentation; consistent privacy is a secondary benefit. What it means: non-crypto segmentation is exploited in breach after breach via lateral movement.

User Aware
• Micro-segmentation: not user-role aware. What it means: access is granted based on layer 2-7 firewall rules.
• Crypto-segmentation: user identity and role are the basis for access. What it means: business roles and strong identity define access.

Scope
• Micro-segmentation: data center or cloud. What it means: separate policies inside, outside, and by user location.
• Crypto-segmentation: true end-to-end from user devices to app workloads. What it means: one policy end-to-end.
Wrecking the House of Horrors
Certes’ Role-based Access to App Segments
How to Wreck: Certes’ Role-based Access to App Segments
Wrecking in Action
• Each app is isolated in its own crypto-segment
• Users are granted access based on roles, applied consistently across all apps
• If a user is compromised, lateral movement is blocked
• The breach is contained and the attack surface shrinks
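As an added example (not Certes code and not part of the original deck), the following Python model shows the contrast drawn in the micro-segmentation versus crypto-segmentation comparison above and in the "Wrecking in Action" list: a flow-based rule lets a compromised host inherit everything its subnet may reach, whereas a per-segment key issued by business role lets a stolen credential reach only the segments that role was granted. Segment names, roles, subnets and keys are constructed for illustration, and the HMAC-based request authentication stands in for the X.509 certificates and security associations the deck refers to.

```python
"""Toy model of role-based access to crypto-segmented applications.

Constructed illustration, not Certes code. Each application segment is
guarded by its own independent key. Users receive per-segment keys only for
the segments their business role permits, and a segment accepts a request
only if it authenticates under that segment's key. A stolen credential for
one role therefore cannot be replayed against other segments: the lateral
movement that a network-flow rule would allow is blocked by design.
"""
import hashlib
import hmac
import secrets

# Constructed: one independent key per application segment.
SEGMENT_KEYS = {name: secrets.token_bytes(32)
                for name in ("crm", "sales-db", "hr-payroll")}

# Constructed: business roles and the segments each role may reach.
ROLE_SEGMENTS = {
    "sales": {"crm", "sales-db"},
    "hr": {"hr-payroll"},
    "contractor": {"crm"},
}

# Constructed contrast: an infrastructure-based rule set keyed on source
# subnet, the way a layer 2-7 firewall or micro-segment would decide.
SUBNET_RULES = {
    "10.1.0.0/16": {"crm", "sales-db", "hr-payroll"},   # "corporate LAN"
    "10.2.0.0/16": {"crm"},                             # "contractor VPN"
}


def derive_user_key(segment, user):
    """Per-user key for one segment, derived from that segment's key alone.
    Holding this value reveals nothing about any other segment's key."""
    return hmac.new(SEGMENT_KEYS[segment], f"user:{user}".encode(),
                    hashlib.sha256).digest()


def issue_credential(user, role):
    """Policy point: hand out keys only for the segments the role permits."""
    return {"user": user, "role": role,
            "keys": {seg: derive_user_key(seg, user)
                     for seg in ROLE_SEGMENTS[role]}}


def sign_request(credential, segment, payload):
    """Client side: authenticate a request with the key for that segment.
    Returns None when the credential holds no key for the segment."""
    key = credential["keys"].get(segment)
    if key is None:
        return None
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"user": credential["user"], "segment": segment,
            "payload": payload, "tag": tag}


def segment_accepts(request):
    """Segment side: recompute the tag from the segment's own key. No port or
    address is consulted; only the cryptographic association decides."""
    if request is None:
        return False
    expected = hmac.new(derive_user_key(request["segment"], request["user"]),
                        request["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["tag"])


def reachable_by_credential(credential):
    """Segments that a stolen copy of this credential can actually reach."""
    return {seg for seg in SEGMENT_KEYS
            if segment_accepts(sign_request(credential, seg, b"probe"))}


def reachable_by_subnet(subnet):
    """Under flow-based rules, a compromised host inherits its subnet's reach."""
    return set(SUBNET_RULES.get(subnet, ()))


def replayed_request(credential, target_segment, payload):
    """Model the misuse a segment must reject: a key the credential does hold
    is reused against a segment for which it holds no key."""
    any_key = next(iter(credential["keys"].values()))
    tag = hmac.new(any_key, payload, hashlib.sha256).hexdigest()
    return {"user": credential["user"], "segment": target_segment,
            "payload": payload, "tag": tag}


if __name__ == "__main__":
    alice = issue_credential("alice", "sales")
    print("alice -> crm:", segment_accepts(sign_request(alice, "crm", b"GET /accounts")))
    print("alice -> hr-payroll:", segment_accepts(sign_request(alice, "hr-payroll", b"GET /salaries")))
    print("stolen sales credential reaches:", sorted(reachable_by_credential(alice)))
    print("compromised LAN host reaches:", sorted(reachable_by_subnet("10.1.0.0/16")))
```

The point of the two `reachable_by_*` functions is the comparison in the table: the subnet rule answers with every segment the network was allowed to talk to, while the credential answers with exactly the role's segments, because the other segments' keys were never derived for that user. Rotating a segment key in `SEGMENT_KEYS` invalidates every credential for that segment without touching any firewall rule.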
Benefits of Wrecking
• Software Defined Security: network agnostic | security overlay across silos
• Reduce Security Complexity: single point of policy configuration and enforcement
• Total Cost Reduction: single point of policy ownership and operational management
• End-to-End Security: client to application security | lateral movement prevention
Q&A
Please type your questions into the chat panel, or contact us at [email protected]
Thank you! The slides and webinar replay will be emailed to you. Visit CertesNetworks.com
Watch CryptoFlow Solutions in Action: https://youtu.be/MDy8x9z7mIc