© 2015 VMware Inc. All rights reserved.
Software-Defined Data Center: Security for the new battlefield
Rob Randell, CISSP, Director/Principal Architect Security, NSBU
April 2015
Where are we today?
The only thing outpacing security spend… is security losses
[Chart: IT spend, security spend and security breaches over time]
What does our battlefield look like today?
The data center
[Diagram: IT stack of network, storage and compute beneath an application layer]
Securing the data center
Security stack:
• Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
• Storage: Encryption, Key Management, Tokenization
• Compute: AV, HIPS, AMP, Encryption, Exec/Device Control
• Identity Controls: Advanced Authentication, SSO, Authorization, User Provisioning
• App/Database Controls: Vulnerability Management, Storage Security, Web Services Security, Secure OS
Security Policy
[Diagram: security policy spanning people, applications and data]
The changing battlefield
[Diagram: evolution from a monolithic stack (UI, app, DB, storage), to a multi-tiered distributed architecture (web, app, DB, storage tiers), to composed services on converged infrastructure]
How do hackers take advantage of misalignment?
[Diagram: attack lifecycle in five phases]
1. Prep: attack vector R&D, human recon, delivery mechanism
2. Intrusion: compromise of the primary entry point (strain A active, strain B dormant); install command and control interface; wipe tracks; escalate privileges on the primary entry point; lateral movement
3. Recon
4. Recovery: attack identified; the response wakes up and modifies the next dormant strain (strain B active, strain C dormant, then strain D dormant)
5. Act on intent & exfiltration: parcel & obfuscate; exfiltration; cleanup
Modern attack: targeted, interactive, stealthy
Why is it so difficult to move security controls inside the data center? An architectural challenge.
Today: stop infiltration. Lacking: visibility and control to stop exfiltration.
Shift from…
• Perimeter-centric
• Managing Compliance
Shift to…
• Application and User-centric
• Managing Risk
The Impact of Architecture
Distributed application architectures comingled on a common infrastructure create a hyper-connected compute base with little context of how to connect the two layers, resulting in massive misalignment:
1. Lateral Movement
2. Comingled Policy
3. Distributed Policy
4. Chain Alignment
5. Orchestration
6. Context
1. Lateral movement: moving from asymmetry to symmetrical concerns inside the data center
[Diagram: composed services on converged infrastructure behind a perimeter firewall and an inside firewall; an entry point in one application leads to a data breach in another via lateral movement]
2. Comingled policy: converged infrastructure means many firewall policies for many comingled applications
[Diagram: composed services on converged infrastructure behind a perimeter firewall and an inside firewall, with several applications' web, app, DB and storage tiers sharing the same hosts]
Policy mixing across multiple apps
Mis-aligned over time due to the above
3. Distributed policy: traversing the network could mean encountering 10,000+ policies
[Diagram: composed services on converged infrastructure behind a perimeter firewall and an inside firewall; Firewall #1 with 100 rules, Firewall #2 with 700 rules, Firewall #3 with 900 rules]
Inconsistent policies create misalignment
4. Chain alignment
[Diagram: composed services on converged infrastructure behind a perimeter firewall and an inside firewall; the Blue App and the Green App each traverse their own chain of controls]
Improper sequencing of controls leads to issues
5. Orchestration: each security service is acting in a silo and not sharing state with the others
[Diagram: composed services on converged infrastructure behind a perimeter firewall and an inside firewall, with vulnerability management, antivirus, next-gen firewall, intrusion protection and anti-malware each operating independently]
6. Context: poor handles for policy and analytics
[Diagram: composed services on converged infrastructure behind a perimeter firewall and an inside firewall; controls identify workloads only by handles such as service URLs, IP addresses, MAC addresses or an end point agent]
Visualization is the key. A ubiquitous abstraction layer between the applications and the infrastructure.
A traditional data center starts with compute capacity.
Then you network systems together.
[Diagram: hosts networked together and connected to the Internet]
Then you virtualize your compute.
[Diagram: hosts each running a hypervisor with a vSwitch]
And create “virtual data centers”.
[Diagram: virtual networks as software containers, like VMs, forming a virtual network topology over the hypervisors and vSwitches]
Micro-segmentation
More than a barrier: a policy primitive
Assess
• Capture and expose application structural context to policy management (how do things connect together)
• Demonstrate the security posture of a service, in any state into which it may be driven (understand security posture)
Align
• Align investment to risk: align controls to what they are protecting and to each other
• Align candidate mitigations/remediation across an application topology
Isolate
• Compartmentalize the environment so a breach of one thing isn’t a breach of everything
• Provide a mechanism for structuring the right controls at the right position in the app topology
Take those comingled distributed applications…
[Diagram: VMs for web, app, DB and services tiers, plus shared infrastructure services (AD, NTP, DHCP, DNS, CERT) and a DMZ, commingled on the same hosts]
And can create a zero trust model
[Diagram: VMs grouped by tier with isolation, explicit allow communication, secure communications and structured secure communications; NGFW, IPS, WAF and web-server controls placed between the tiers and in front of the DB tier]
And align your controls to what you are protecting
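The zero trust model above rests on two ideas: workloads are identified by application context rather than by address, and only explicitly allowed communication along the application's tier chain is permitted. The following added example (not code from the deck or from VMware) models that as a minimal distributed-firewall policy evaluator over a constructed inventory of two commingled applications, and shows which lateral moves a compromised web VM could and could not make; the workload names, application labels and ports are assumptions.

```python
# Added example (not from the VMware deck): a minimal micro-segmentation policy
# evaluator. Workloads carry application/tier context instead of bare IP handles,
# rules are explicit-allow, and everything else is denied, so a compromised web VM
# cannot move laterally to a peer web VM or straight to the database tier.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    app: str    # application the VM belongs to, e.g. "blue" or "green" (assumed labels)
    tier: str   # "web", "app" or "db"

# Constructed sample inventory: two commingled applications on shared infrastructure.
INVENTORY = {
    "blue-web-1": Workload("blue-web-1", "blue", "web"),
    "blue-web-2": Workload("blue-web-2", "blue", "web"),
    "blue-app-1": Workload("blue-app-1", "blue", "app"),
    "blue-db-1":  Workload("blue-db-1",  "blue", "db"),
    "green-db-1": Workload("green-db-1", "green", "db"),
}

# Explicit-allow chain: (source tier, destination tier, port). Ports are assumed.
# Rules are expressed in application context, so they follow the VM, not its address.
ALLOW_CHAIN = {("web", "app", 8080), ("app", "db", 5432)}

def is_allowed(src: Workload, dst: Workload, port: int) -> bool:
    """Default deny; allow only intra-application traffic along the tier chain."""
    if src.app != dst.app:          # isolation between commingled applications
        return False
    return (src.tier, dst.tier, port) in ALLOW_CHAIN

def evaluate(src_name: str, dst_name: str, port: int) -> str:
    src, dst = INVENTORY[src_name], INVENTORY[dst_name]
    return "ALLOW" if is_allowed(src, dst, port) else "DENY"

def lateral_paths(src_name: str, port: int) -> list:
    """Every destination the source can reach on a port: the blast radius
    if that workload were compromised."""
    return sorted(d for d in INVENTORY
                  if d != src_name and evaluate(src_name, d, port) == "ALLOW")

if __name__ == "__main__":
    print(evaluate("blue-web-1", "blue-app-1", 8080))   # ALLOW: intended chain
    print(evaluate("blue-web-1", "blue-web-2", 8080))   # DENY: peer in the same tier
    print(evaluate("blue-web-1", "blue-db-1", 5432))    # DENY: skips the app tier
    print(evaluate("blue-app-1", "green-db-1", 5432))   # DENY: crosses application boundary
    print(lateral_paths("blue-web-1", 8080))            # ['blue-app-1']
```

Adding a rule means adding a tuple to the chain, so policy stays per application rather than accumulating as thousands of address-based rules across several firewalls.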
Implementing Security in the Virtualization Layer
[Diagram: the security stack layered on the virtualization platform, which supplies isolation and context]
• Security Services Management: Security Service Insertion and Orchestration; Visibility, Provisioning, and Orchestration
• SOC: SIEM, Security Analytics, Forensics
• Governance/Compliance: Vul Management, Log Management, GRC, Posture Management, DLP
• Security Infrastructure:
  – Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
  – Storage: Encryption, Key Management, Tokenization
  – Compute: AV, HIPS, AMP, Encryption, Exec/Device Control
• Identity Controls: Advanced Authentication, SSO, Authorization, User Provisioning
• App/Database Controls: Vulnerability Management, Storage Security, Web Services Security, Secure OS
Isolation and Context
Virtualization: making your security controls better
1. Ubiquity: place controls everywhere
2. Context: visibility into app/user/data
3. Mitigation: leverage the I/F and the ecosystem
4. Isolation: protect your controls from attackers
5. Orchestration and state distribution
Summary
We’re experiencing a changing battlefield.
We must re-align controls to what they are protecting.
Virtualization/SDDC holds the key to solving this.
The real value is not in simply looking at how to secure an SDDC, but in how you can leverage an SDDC to secure the things that matter.
Thank you