From Enterprise Perimeter to Distributed, Virtual Enterprise Security

Ed Amoroso

SVP, CSO – AT&T

eamoroso@att.com

Page 1

Sandbags Piled in Front of AT&T Building – 12/15/41

Page 2

Enterprise Perimeter

Untrusted External

Actor

“Inside the Firewall”

“Outside the Firewall”

Original Perimeter Objective (Circa 1995)

Page 3

Web (External)

Untrusted External

Actor

Enabling Browser Access to Enterprise Website

Page 4

Web (External)

Untrusted External

Actor

Page 5

Rule Added to Firewall to Allow Inbound Access

to TCP/Port 80 (http)

Packets from Browsers “Anywhere” Enter the

Perimeter

“Off the Shelf” Web Software and Tools with Potentially Exploitable Vulnerabilities

FW

SIEM

Proxy A/V

IPS DLP

UTM Firewall Router

Enterprise Access to

Web Server

Admin Access to

Web Server RBAC 2FA Log

“Allowed” A/S

PKI Scan

Perimeter Design

Page 6

Web (External)

Page 7

Web (External)

VPN

Enabling External VPN Access to Enterprise

Page 8

Web (External)

Designed for VPN/RA

Client

FW

SIEM

Proxy A/V

IPS DLP

UTM Firewall Router

Enterprise Access to

Web Server

Admin Access to

Web Server RBAC 2FA Log

“Allowed” A/S

PKI Scan

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

FW Admin

Access to VPN Server

RBAC 2FA Log

Firewall Router

Enterprise Access to

VPN Server “Allowed”

Integrate into Common Physical

Perimeter

Page 9

Perimeter Design

Web (External)

VPN

Page 10

Web (External)

VPN

Third Party Gateway

Adding Third Party Gateway Access to Enterprise

Page 11

Web (External)

VPN Designed

for Third Party Care, Contact, Support, etc.

FW

SIEM

Proxy A/V

IPS DLP

UTM Admin Access to

Third Party Gateways

A/S

PKI Scan

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

FW

2FA

Log

RBAC

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

FW

Typically Source IP-Based Authentication

Enterprise Access to

Third Party Gateways

“Allowed”

Page 12

Web (External)

VPN

Third Party Gateway

Integrate into Common Physical Perimeter

Integrate into Common Physical

Perimeter

Perimeter Design

Enterprise Assets

Page 13

Web (External)

VPN

Third Party Gateway

Enterprise Assets

Email

Page 14

Web (External)

VPN

Third Party Gateway

Adding Inbound Email to Enterprise

FW

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

FW

Integrate into Common Physical

Perimeter

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

FW

Enterprise Access to

Mail

“Allowed”

FW

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

Integrate into Common Physical

Perimeter

Allow Exchange with any Sender or

Receiver

Page 15

Email

Integrate into Common Physical Perimeter

Web (External)

VPN

Third Party Gateway

Perimeter Design

Enterprise Assets

Page 16

Web (External)

VPN

Third Party Gateway

Email

Enterprise Assets Additional

Firewall Rule Exceptions

Additional Firewall Rule

Exceptions

Page 17

Web (External)

VPN

Third Party Gateway

Email

“Hundreds” to “Millions” of Rules (1995 – 2015)

Enterprise Assets

Page 18

Web (External)

VPN

Third Party

Email

Expanded Third Party Gateways

Additional Firewall Rule

Exceptions

Additional Firewall Rule

Exceptions

Additional Third Parties, Retail Dealers, Outsourcing,

Offshoring

Enterprise Assets

Additional Remote Access, Employee Telework,

Road Warriors

Page 19

Web (External)

VPN Third Party

Email

Expanded Employee Remote Access

Additional Firewall Rule

Exceptions

Additional Firewall Rule

Exceptions

Additional Third Parties, Retail Dealers, Outsourcing,

Offshoring

Enterprise Assets

Unauthorized Network Connections

(Internet Exposing)

Network Misconfigurations (Internet Exposing)

Page 20

Web (External)

VPN Third Party

Email

Network Vulnerabilities

Additional Firewall Rule

Exceptions

Additional Firewall Rule

Exceptions

Additional Remote Access, Employee Telework,

Road Warriors

Additional Third Parties, Retail Dealers, Outsourcing,

Offshoring

Enterprise Assets

Enterprise Use of Mobility

Page 21

Web (External)

VPN Third Party

Email

Employee Use of Mobile

Additional Firewall Rule

Exceptions

Additional Firewall Rule

Exceptions

Additional Remote Access, Employee Telework,

Road Warriors

Additional Third Parties, Retail Dealers, Outsourcing,

Offshoring

Unauthorized Network Connections

(Internet Exposing)

Network Misconfigurations (Internet Exposing)

Enterprise Assets

Page 22

Web (External)

VPN Third Party

Email

Typical State of the Practice Enterprise Design

Additional Firewall Rule

Exceptions

Additional Firewall Rule

Exceptions

Unauthorized Network Connections

(Internet Exposing)

Network Misconfigurations (Internet Exposing)

Enterprise Use of Mobility

Additional Remote Access, Employee Telework,

Road Warriors

Additional Third Parties, Retail Dealers, Outsourcing,

Offshoring

Enterprise Perimeter

Outside

Page 23

Enterprise Perimeter Reality (Circa 2015)

North/South Exploit (Perimeter)

East/West Exploit (Enterprise)

Successfully attack this . . . and gain access to this . . .

Phishing Attack Data Exfiltration

Page 24

Nation State Exfiltration Attacks

North/South Exploit (Perimeter)

East/West Exploit (Enterprise)

Page 25

Nation State Exfiltration Attacks

Inbound Filtering

Outbound Filtering

Many Solutions Exist to Reduce Risk

Inbound

Many Solutions Exist to Reduce Risk

Outbound

No Good Solutions Exist to Reduce Traversal Risk

Page 26

Baseline Perimeter

Page 27

Web

Enabling Browser Access to Web Server

Virtual Micro Perimeter

Page 28

Web

Micro-Perimeter Design (Web Server)

Step 1: Provision Web Server into Integrated Cloud

FW

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

Step 2: Provision Virtual Micro-Perimeter into Run Time System

Page 29

Web

Micro-Perimeter Provisioning to Cloud

Tenant

Security Orchestration

. . .

Hypervisor

FW Proxy A/S FW Web

Cloud

Virtual Appliances

Page 30

East-West Protection for Web

Virtual Perimeter

Sampling of Vendors with

Virtual Appliances

Virtual Micro Perimeter

Page 31

Web

Security C&C

Virtual Micro Perimeter

Virtual Micro Perimeter

Page 32

Web

Adding Security Command & Control – Virtual

Step 1: Provision Security Cmd/Ctrl into Virtual Data Center

Step 2: Provision Virtual Micro-Perimeter into Run Time System

FW

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

FW

SIEM

Proxy A/V

IPS DLP

UTM

A/S

PKI Scan

Integrate into Common Virtual

Perimeter

Security C&C

Page 33

Web

Micro-Perimeter Provisioning to Cloud

Tenant

Security Orchestration

. . .

Hypervisor

Web Server

Tenant

Security Alerting Security Reporting Risk Compliance

Virtual Appliances

Security APIs

SIEM

Tenant

Security Orchestration

. . .

Hypervisor

C&C

Virtual Appliances

FW Proxy A/S FW

FW Proxy A/S FW

Security APIs

Page 34

East-West Protection for Web and C&C

Cloud

Enterprise Assets

Virtual Micro Perimeter

Virtual Micro Perimeter

SOC

Page 35

Web

Enterprise Assets

Gateway

Virtual Micro Perimeter

Virtual Micro Perimeter

Virtual Micro Perimeter

SOC

Page 36

Web

Adding Gateway – Virtual

Tenant

Security Orchestration

. . .

Hypervisor

Web Server

Tenant

Security Alerting Security Reporting Risk Compliance

Cloud

Virtual Appliances

Security APIs

SIEM

Tenant

Security Orchestration

. . .

Hypervisor

SOC

Virtual Appliances

FW Proxy A/S FW

FW Proxy A/S FW

Security APIs

Tenant

Security Orchestration

. . .

Hypervisor

Gate way

Virtual Appliances

FW Proxy A/S FW

Page 37

East-West Protection for Web, C&C, and

Gateway

Enterprise Assets

Gateway

Virtual Micro Perimeter

Virtual Micro Perimeter

Virtual Micro Perimeter

SOC

Page 38

Web

North/South Exploit (Perimeter)

East/West Exploit (Enterprise)

Successfully attack this . . . and gain NO access to this . . .

Page 39

East-West Traversal Mitigated by Virtual Perimeter

Enterprise Assets

Gateway

Legacy Assets

Virtual Micro Perimeter

Virtual Micro Perimeter

Virtual Micro Perimeter

SOC

Page 40

Web

Legacy Assets Dependent on Existing Perimeter

Gateway

Legacy

Enterprise Perimeter

(Legacy Assets)

SOC

Page 41

Web

Legacy Assets Dependent on Existing Perimeter

Gateway

Legacy

Enterprise Perimeter Has Less to Defend

SOC

Page 42

Web

Gateway

Legacy

SOC

Page 43

Web

Gateway

Legacy

Web Back-End

SOC

Page 44

Web

Gateway

Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Page 45

Web

Gateway

Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Page 46

Web

Gateway

Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Page 47

Web

Gateway

Legacy Web

Back-End

SOC (Primary)

SOC (Backup)

Page 48

Web

Gateway Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Page 49

Web

Gateway Legacy

Web Back-End

SOC (Primary)

SOC (Backup)

Page 50

Web

Ring (Gateway)

Ring (Legacy)

Ring (Back-End)

Ring (Web Server)

SOC (Primary)

SOC (Backup)

Page 51

SOC (Primary)

SOC (Backup)

Page 52

Page 53

Page 54

Page 55

Page 56

Security Command and Control (C&C)

Micro-Domain Rings

Micro-Domain Rings

Page 57

Security Command and Control (C&C)

Micro-Domain Rings

Robust, Secure Communication

with Multiple C&C

Micro-Domain Rings

Security Software Drop Locations

Page 58

Botnet Command and Control (C&C)

Bots

Robust, Secure Communication

with Multiple C&C

Botnet Software Drop Locations

Bots

Page 59

ZeroAccess Botnet (Click Fraud)

Massive Industry Botnet Takedown Effort

Resilient!!

Page 60

Resilience of Botnets

Security Command and Control (C&C)

Micro-Domain Rings

Robust, Secure Communication

with Multiple C&C

Security Software Drop Locations

Micro-Domain Rings

Page 61

Distributed, Virtual Enterprise Perimeter Design