Rethinking Security CLOUDSEC2016
Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team
©2015 Gigamon. All rights reserved.
Breaches Are The New Normal – Only The Scale Surprises Us
“Sony Entertainment CEO Michael Lynton told employees of the embattled studio Saturday that the hack attack that has resulted in the leak of employees’ personal information and internal business documents is unprecedented in nature.”*
“… OPM will send notifications to approximately 22.1 million individuals whose PII may have been compromised.”+
“As many as 80 million customers of the nation's second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement.”++
* http://variety.com/2014/film/news/sony-hack-unparalleled-cyber-security-firm-1201372889/
+ http://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/
++ http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/
Traditional Security Model
Perimeter or Endpoint Based
• Inside vs. outside
• Focus on prevention
• Rule based
• Signature based
Simple Trust Model
• Trusted vs. un-trusted
• Corporate vs. personal asset
• Insider-outsider boundary dissolved
Static Environment
• Fixed locations, zones, perimeters
• BYOD
• Mobility of users, devices and applications
More importantly, the very nature of cyber threats has changed!
Anatomy of an Advanced Persistent Threat (APT)
Source: RSA
1. Reconnaissance
2. Phishing & zero-day attack
3. Back door
4. Lateral movement
5. Data gathering
6. Exfiltrate
In many cases the system stays breached after exfiltration!
Mitigating Risk Remains Difficult
Sources: * Trustwave Holdings, Inc. "2015 Trustwave Global Security Report." 2015. Accessed July 16, 2015. ** FireEye. "Maginot Revisited: More Real-World Results from Real-World Tests." 2015. Accessed July 16, 2015.
What Else Has Changed That Impacts Security? FUNDAMENTAL SHIFT IN TRAFFIC PATTERNS
(Diagram: Internet, Firewall, DMZ, IPS, Core Switch, Spine and Leaf switches, Server Farm, IDS)
No visibility into lateral propagation of threats!
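The callout above makes the point that tools placed at the perimeter never see east-west traffic, which is exactly where the lateral-movement stage of the APT chain lives. The following added example (written for this page, not taken from the slides or from any Gigamon product) shows the distinction over a constructed set of flow records: it separates east-west from north-south flows, then flags a source that reaches many distinct internal hosts on administrative ports within a short window. The RFC 1918 ranges, the port list, the five-minute window, the threshold and every flow record are assumptions chosen for illustration.

```python
"""Flag lateral-movement fan-out in east-west flow records (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: anything in RFC 1918 space is "inside"; everything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports commonly used for lateral movement: SSH, MSRPC, SMB, RDP, WinRM (assumed list).
ADMIN_PORTS = {22, 135, 445, 3389, 5985}

# Constructed sample flows (timestamp, src, dst, dst_port); not a real capture.
# 10.0.1.15 sweeps seven hosts over SMB/RDP in under three minutes, 10.0.1.20 is a
# normal workstation talking to one file server, and two flows leave for the Internet.
SAMPLE_FLOWS = [
    ("2015-07-16T09:00:05", "10.0.1.20", "10.0.5.5", 445),
    ("2015-07-16T09:00:12", "10.0.1.15", "203.0.113.10", 443),
    ("2015-07-16T09:01:00", "10.0.1.15", "10.0.2.10", 445),
    ("2015-07-16T09:01:20", "10.0.1.15", "10.0.2.11", 445),
    ("2015-07-16T09:01:45", "10.0.1.15", "10.0.2.12", 445),
    ("2015-07-16T09:02:10", "10.0.1.15", "10.0.2.13", 445),
    ("2015-07-16T09:02:30", "10.0.1.20", "10.0.5.5", 445),
    ("2015-07-16T09:02:55", "10.0.1.15", "10.0.2.14", 445),
    ("2015-07-16T09:03:20", "10.0.1.15", "10.0.2.15", 3389),
    ("2015-07-16T09:03:50", "10.0.1.15", "10.0.2.16", 445),
    ("2015-07-16T09:04:00", "10.0.1.20", "203.0.113.20", 443),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def split_by_vantage(flows):
    """Return (east_west, north_south). Only north_south crosses the perimeter
    firewall/IPS, so a perimeter-only deployment is blind to east_west."""
    east_west = [f for f in flows if is_internal(f[1]) and is_internal(f[2])]
    north_south = [f for f in flows if f not in east_west]
    return east_west, north_south


def detect_fan_out(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: sorted distinct internal targets} for every source that touches
    at least `threshold` distinct internal hosts on admin ports inside `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; stop at the first window that trips.
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                hits[src] = sorted(targets, key=ipaddress.ip_address)
                break
    return hits


if __name__ == "__main__":
    ew, ns = split_by_vantage(SAMPLE_FLOWS)
    print(f"{len(ns)} flows visible at the perimeter, {len(ew)} east-west flows it never sees")
    for src, targets in detect_fan_out(SAMPLE_FLOWS).items():
        print(f"fan-out from {src}: {len(targets)} internal hosts -> {targets}")
```

Both functions take the same record shape, so the same check can be fed from NetFlow/IPFIX, Zeek conn logs or a packet broker's flow metadata; the point the slide makes is that without a tap or span on the leaf/spine fabric, `detect_fan_out` has nothing to work on, because every record it needs is in the east-west set.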
What Else Has Changed That Impacts Security? MOBILITY
(Diagram: the same topology as the previous slide: Internet, Firewall, DMZ, IPS, Core Switch, Spine and Leaf switches, Server Farm, IDS)
No visibility into lateral propagation of threats!
What Else Has Changed That Impacts Security? GROWING USE OF SSL
How do you ensure security, manage risk and maintain compliance as the share of encrypted traffic grows?
• 25%-35% of enterprise traffic today is SSL [1]
• Security and performance management tools are either blind to SSL traffic or get overloaded if they decrypt it
• Larger (2048-bit) keys cause an 81% performance degradation in existing SSL architectures [1]
• More than 50% of network attacks in 2017 will use encrypted traffic to bypass controls (vs. 5% today) [2]
Sources: [1] NSS Labs [2] Gartner
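The slide presents a binary choice: decrypt and pay the performance cost, or stay blind. The added example below (written for this page; it is not slide content and not a description of any Gigamon feature) shows the middle ground a passive sensor or packet broker can offer without any key material: the TLS ClientHello is sent in clear, so the offered protocol version, SNI, ALPN and cipher-suite list can be extracted and, for instance, clients still offering RC4 or 3DES can be flagged. The ClientHello is constructed inside the block rather than captured, and the cipher-suite name table is a hand-picked subset of the IANA registry.

```python
"""Passive TLS ClientHello metadata extraction (added example, not Gigamon code)."""
import struct

# Small subset of the IANA TLS cipher-suite registry, enough for the sample below.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
WEAK_SUITES = {0x000A, 0x0004, 0x0005}   # RC4 and 3DES: visible in clear, no decryption needed


def build_client_hello(server_name, cipher_suites, alpn):
    """Build a minimal TLS 1.2 ClientHello record. Constructed test input, not a capture."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name               # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_ext = struct.pack("!HH", 0x0010, len(protos) + 2) + struct.pack("!H", len(protos)) + protos
    exts = sni_ext + alpn_ext
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"               # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                                  # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def parse_client_hello(record):
    """Return a metadata dict for a TLS ClientHello record, or None if the bytes are not one."""
    try:
        if record[0] != 0x16:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if body[0] != 0x01:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            return None                              # truncated record
        pos = 0
        (version,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        pos += 32                                    # client random
        pos += 1 + hello[pos]                        # session id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]                        # compression methods
        meta = {"version": version, "cipher_suites": suites, "sni": None, "alpn": [],
                "weak_ciphers": [CIPHER_NAMES.get(c, hex(c)) for c in suites if c in WEAK_SUITES]}
        if pos + 2 > len(hello):
            return meta                              # no extensions block (older clients)
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:      # server_name, host_name entry
                (nlen,) = struct.unpack("!H", data[3:5])
                meta["sni"] = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == 0x0010:                                       # application_layer_protocol_negotiation
                p = 2
                while p < len(data):
                    plen = data[p]
                    meta["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii", "replace"))
                    p += 1 + plen
        return meta
    except (IndexError, struct.error):
        return None                                  # malformed or not TLS at all


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0xC02F, 0xC030, 0x000A], ["h2", "http/1.1"])
    print(parse_client_hello(sample))
```

Everything the parser returns is available to a tool that only sees a copy of the traffic, which is why per-flow SNI, version and cipher-suite metadata is a cheap first filter for which encrypted sessions deserve the full decryption cost; the ClientHello itself is what a client offers, not what was negotiated, so a flagged suite means "client would accept RC4", not "RC4 was used".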
A Perfect Storm: The Need To Rethink Security Architecture
• Fundamentally unchanged security trust model
• Changed threat model
• Changed traffic patterns and mobility
• Rising use of encryption
• At-will security breaches
Finding the Threat Within: Challenges with Ad Hoc Security Deployments
VISIBILITY LIMITED TO A POINT IN TIME OR PLACE
• Significant blind spots
• Extraordinary costs
• Contention for access to traffic
• Inconsistent view of traffic
• Blind to encrypted traffic
• Too many false positives
(Diagram: Internet, routers, “spine” switches, “leaf” switches and a virtualized server farm, with each security tool attached at its own point: Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (inline), Anti-Malware (inline), Forensics)
It is time the balance of power shifted from attacker to defender!
Transformation through Visibility: The Security Delivery Platform
Security Delivery Platform: a foundational building block of effective security.
(Diagram: the same network (Internet, routers, “spine” switches, “leaf” switches, virtualized server farm) with the Security Delivery Platform inserted between the network and the tools: Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (inline), Anti-Malware (inline), Forensics)
• Isolation of applications for targeted inspection
• Visibility to encrypted traffic for threat detection
• Inline bypass for connected security applications
• A complete network-wide reach: physical and virtual
• Scalable metadata extraction for improved forensics
Introducing GigaSECURE®: THE INDUSTRY’S FIRST SECURITY DELIVERY PLATFORM
Gaining Complete Network Wide Reach
GigaVUE® Nodes (H Series and TA Series)
• Terabit scale visibility nodes with the ability to cluster multiple nodes
• Traffic aggregation and intelligent filtering using patented Flow Mapping®
• Replicate traffic to multiple security appliances without performance impact
GigaVUE-VM
• Non-intrusive access to virtual traffic via a lightweight user-space monitoring VM
• “Follow the VM”: uninterrupted security monitoring during virtual workload migration
• Enables a physical security appliance to extend its security function to virtual traffic
Standalone G-TAP and Embedded TAPs
• Non-intrusive access to “TAP all” network traffic from 10 Mb to 100 Gb links
• Industry-leading TAP density available in a range of split ratios
• Available as standalone TAPs or embedded into GigaVUE appliances
Visibility in VMware ESXi Environments
• Host-based approach: GigaVUE-VM on every ESXi host
• Traffic of interest extracted from the virtual switch (VDS, VSS, Nexus 1k)
• Integration with vCenter
• Approach is “admin friendly”
(Diagram: GigaVUE-FM pushes traffic policies to a GigaVUE-VM on each ESXi host; traffic is taken from the VDS/VSS/N1k virtual switch and tunneled to APM, NPM, Security and CEM tools)
Gigamon Visibility Solution for VMware NSX
(Diagram: a Security/Monitor Admin defines monitoring policy in GigaVUE-FM; a traffic copy from the NSX environment is delivered to tools and analytics: Application Performance, Network Management, Security)
OpenStack Cloud Monitoring – Tenant Visibility
MONITORING FROM WITHIN (MFW)
• Agent-based approach: an agent on every application VM that needs monitoring; GigaVUE-VM aggregates traffic from the agents and sends it to the physical Visibility Fabric™
• Agnostic to virtual switch
• Integration with OpenStack
• Approach is “tenant friendly”
(Diagram: a Horizon tenant with Nova and Glance; KVM hosts running any vSwitch, agents on the tenant VMs, GigaVUE-VM receiving the agent traffic and tunneling it, under GigaVUE-FM traffic policies, to APM, NPM, Security and CEM tools)
GigaSECURE: Manageability and Automation
PROGRAMMABILITY VIA GIGAVUE-FM
(Diagram: GigaVUE-FM sits between the production network (Internet, virtual workloads) and the security functions (Intrusion Detection System, Data Loss Prevention, Email Threat Detection, Forensics), exposing “REST” APIs)
Benefits
FASTER DETECTION, FASTER CONTAINMENT
• Consistent network-wide traffic view for all security appliances, all of the time
• Eliminate departmental and appliance-level contention for access to data
• No disruption to network traffic as security solutions get deployed or upgraded, or when moving from out-of-band to inline deployments
• Eliminate blind spots associated with encrypted traffic and mobility
• Significantly offload security appliances through full session offload and full flow metadata
• Faster identification of malware movement, faster time to containment
Summary
The security state of today’s networks is catalyzing an acute need to shift security architecture from prevention toward detection and response.
This new security model has a critical reliance on network visibility with which to vet, deploy and scale security applications and devices.
GigaSECURE, the first offering of a Security Delivery Platform (SDP), is poised to transform the way security services are deployed and leveraged, by making them more effective at protection, more dynamic and more cost-effective.