From Enterprise Perimeter to Distributed, Virtual Enterprise Security
Ed Amoroso
SVP, CSO – AT&T
Page 1
Sandbags Piled in Front of AT&T Building – 12/15/41
Page 2
Original Perimeter Objective (Circa 1995)
Diagram: Enterprise Perimeter dividing “Inside the Firewall” from “Outside the Firewall”; Untrusted External Actor outside.
Page 3
Enabling Browser Access to Enterprise Website
Diagram: Untrusted External Actor on the Web (External) reaching the enterprise website.
Page 4
Diagram: Untrusted External Actor on the Web (External).
Page 5
Perimeter Design
Rule added to firewall to allow inbound access to TCP port 80 (HTTP); packets from browsers “anywhere” enter the perimeter.
“Off the shelf” web software and tools with potentially exploitable vulnerabilities.
Diagram: perimeter control stack (FW, SIEM, Proxy, A/V, IPS, DLP, UTM, Firewall, Router, A/S, PKI, Scan); Enterprise access to web server “Allowed”; Admin access to web server via RBAC, 2FA, Log.
Page 6
Web (External)
Page 7
Enabling External VPN Access to Enterprise
Diagram: Web (External) and VPN entry points.
Page 8
Designed for VPN/RA Client; integrate into common physical perimeter.
Diagram: Web (External); two perimeter control stacks (FW, SIEM, Proxy, A/V, IPS, DLP, UTM, Firewall, Router, A/S, PKI, Scan), one for the web server and one for the VPN server; Enterprise access to web server and VPN server “Allowed”; Admin access to web server and VPN server via RBAC, 2FA, Log.
Page 9
Perimeter Design
Diagram: Web (External) and VPN entry points.
Page 10
Adding Third Party Gateway Access to Enterprise
Diagram: Web (External), VPN, and Third Party Gateway entry points.
Page 11
Designed for Third Party Care, Contact, Support, etc.; typically source IP-based authentication.
Diagram: Web (External), VPN, Third Party Gateway; three perimeter control stacks (FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan), one per entry point; Enterprise access to third party gateways “Allowed”; Admin access to third party gateways via RBAC, 2FA, Log.
Page 12
Perimeter Design
Integrate into common physical perimeter.
Diagram: Web (External), VPN, and Third Party Gateway in front of Enterprise Assets.
Page 13
Diagram: Web (External), VPN, and Third Party Gateway in front of Enterprise Assets.
Page 14
Adding Inbound Email to Enterprise
Allow exchange with any sender or receiver; integrate into common physical perimeter.
Diagram: Web (External), VPN, Third Party Gateway, and email entry points, each with its own perimeter control stack (FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan); Enterprise access “Allowed”.
Page 15
Perimeter Design
Integrate into common physical perimeter.
Diagram: Web (External), VPN, and Third Party Gateway in front of Enterprise Assets.
Page 16
Diagram: Web (External), VPN, and Third Party Gateway in front of Enterprise Assets; Additional Firewall Rule Exceptions accumulate at the perimeter.
Page 17
“Hundreds” to “Millions” of Rules (1995 – 2015)
Diagram: Web (External), VPN, and Third Party Gateway in front of Enterprise Assets.
Page 18
Expanded Third Party Gateways
Diagram: Web (External), VPN, Third Party; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Additional Remote Access, Employee Telework, Road Warriors; Enterprise Assets.
Page 19
Expanded Employee Remote Access
Diagram: Web (External), VPN, Third Party; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Enterprise Assets; Unauthorized Network Connections (Internet Exposing); Network Misconfigurations (Internet Exposing).
Page 20
Network Vulnerabilities
Diagram: Web (External), VPN, Third Party; Additional Firewall Rule Exceptions; Additional Remote Access, Employee Telework, Road Warriors; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Enterprise Assets; Enterprise Use of Mobility.
Page 21
Employee Use of Mobile
Diagram: Web (External), VPN, Third Party; Additional Firewall Rule Exceptions; Additional Remote Access, Employee Telework, Road Warriors; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Unauthorized Network Connections (Internet Exposing); Network Misconfigurations (Internet Exposing); Enterprise Assets.
Page 22
Typical State of the Practice Enterprise Design
Diagram: Enterprise Perimeter with Outside beyond it; entry points Web (External), VPN, Third Party; Additional Firewall Rule Exceptions; Unauthorized Network Connections (Internet Exposing); Network Misconfigurations (Internet Exposing); Enterprise Use of Mobility; Additional Remote Access, Employee Telework, Road Warriors; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring.
Page 23
Enterprise Perimeter Reality (Circa 2015)
North/South Exploit (Perimeter), e.g. Phishing Attack; East/West Exploit (Enterprise), e.g. Data Exfiltration.
Successfully attack this . . . and gain access to this . . .
Page 24
Nation State Exfiltration Attacks
Diagram: North/South Exploit (Perimeter) followed by East/West Exploit (Enterprise).
Page 25
Nation State Exfiltration Attacks
Inbound Filtering: many solutions exist to reduce inbound risk.
Outbound Filtering: many solutions exist to reduce outbound risk.
No good solutions exist to reduce traversal risk.
Page 26
Baseline Perimeter
Page 27
Enabling Browser Access to Web Server
Diagram: Web server inside a Virtual Micro Perimeter.
Page 28
Micro-Perimeter Design (Web Server)
Step 1: Provision Web Server into Integrated Cloud
Step 2: Provision Virtual Micro-Perimeter into Run Time System
Diagram: virtual control stack (FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan) wrapped around the web server.
Page 29
Micro-Perimeter Provisioning to Cloud
Diagram: cloud Tenant on a Hypervisor; Security Orchestration provisions a chain of Virtual Appliances (FW, Proxy, A/S, FW) in front of the Web server.
Page 30
East-West Protection for Web
Diagram: Web server inside a Virtual Micro Perimeter; Sampling of Vendors with Virtual Appliances.
Page 31
Diagram: Web and Security C&C, each inside its own Virtual Micro Perimeter.
Page 32
Adding Security Command & Control – Virtual
Step 1: Provision Security Cmd/Ctrl into Virtual Data Center
Step 2: Provision Virtual Micro-Perimeter into Run Time System
Diagram: two virtual control stacks (FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan), one around the Web server and one around the Security C&C; integrate into common virtual perimeter.
Page 33
Micro-Perimeter Provisioning to Cloud
Diagram: two cloud Tenants, each on a Hypervisor with Security Orchestration and a chain of Virtual Appliances (FW, Proxy, A/S, FW): one hosting the Web Server, one hosting the C&C (SIEM, Security Alerting, Security Reporting, Risk, Compliance); the appliances expose Security APIs to the C&C.
Page 34
East-West Protection for Web and C&C
Diagram: Web and SOC in the Cloud, each inside its own Virtual Micro Perimeter, alongside Enterprise Assets.
Page 35
Diagram: Web, Gateway, and SOC, each inside its own Virtual Micro Perimeter, alongside Enterprise Assets.
Page 36
Adding Gateway – Virtual
Diagram: three cloud Tenants, each on a Hypervisor with Security Orchestration and a chain of Virtual Appliances (FW, Proxy, A/S, FW): Web Server, SOC (SIEM, Security Alerting, Security Reporting, Risk, Compliance), and Gateway; the appliances expose Security APIs to the SOC.
Page 37
East-West Protection for Web, C&C, and Gateway
Diagram: Web, Gateway, and SOC, each inside its own Virtual Micro Perimeter, alongside Enterprise Assets.
Page 38
North/South Exploit (Perimeter) against Web; East/West Exploit (Enterprise) blocked.
Successfully attack this . . . and gain NO access to this . . .
Page 39
East-West Traversal Mitigated by Virtual Perimeter
Diagram: Web, Gateway, and SOC, each inside its own Virtual Micro Perimeter; Enterprise Assets and Legacy Assets alongside.
Page 40
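The contrast the deck draws between the flat 1995 perimeter and per-asset virtual micro-perimeters can be made concrete as a reachability check. The code below is an added example, not from the presentation or from AT&T; the asset names mirror the slide labels, while the allow-list of permitted flows and the treatment of Legacy as a single node are constructed assumptions.

```python
"""Blast-radius comparison: one flat perimeter vs. virtual micro-perimeters.

Model (constructed for this example): an adversary lands on `foothold` via a
north/south exploit; we compute which other assets are reachable east/west.
"""
from collections import deque

# Asset labels taken from the slides; the set itself is constructed.
ASSETS = ["Web", "Web Back-End", "Gateway", "Legacy", "SOC"]

# Hypothetical allow-list: (src, dst) is a flow the micro-perimeter around
# `dst` permits. Web only talks to its back end, Gateway fronts Legacy, and
# the SOC (security C&C) is allowed to reach every micro-perimeter.
MICRO_PERIMETER_ALLOW = {
    ("Web", "Web Back-End"),
    ("Gateway", "Legacy"),
    ("SOC", "Web"), ("SOC", "Web Back-End"), ("SOC", "Gateway"), ("SOC", "Legacy"),
}


def flat_perimeter_edges(assets):
    """Circa-1995 design: one perimeter, no filtering between assets inside
    it, so every asset can reach every other asset."""
    return {(a, b) for a in assets for b in assets if a != b}


def reachable_from(foothold, edges):
    """Assets an adversary can traverse to after compromising `foothold`:
    the transitive closure over allowed flows, excluding the foothold."""
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = {foothold}, deque([foothold])
    while queue:
        for nxt in adjacency.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {foothold}


def compare_designs(foothold):
    """East/west blast radius of one foothold under each perimeter design."""
    return {
        "flat_perimeter": reachable_from(foothold, flat_perimeter_edges(ASSETS)),
        "micro_perimeter": reachable_from(foothold, MICRO_PERIMETER_ALLOW),
    }


if __name__ == "__main__":
    for foothold in ("Web", "Gateway"):
        radius = compare_designs(foothold)
        print(f"{foothold} compromised north/south:")
        print(f"  flat perimeter reaches:  {sorted(radius['flat_perimeter'])}")
        print(f"  micro-perimeter reaches: {sorted(radius['micro_perimeter'])}")
```

Adding a rule exception to the allow-list and re-running shows how each exception widens the east/west radius, which is the accumulation the “hundreds to millions of rules” slide describes.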
Legacy Assets Dependent on Existing Perimeter
Diagram: Web, Gateway, and SOC in virtual micro-perimeters; Legacy assets remain behind the Enterprise Perimeter (Legacy Assets).
Page 41
Legacy Assets Dependent on Existing Perimeter
Enterprise perimeter has less to defend.
Diagram: Web, Gateway, and SOC in virtual micro-perimeters; Legacy behind the enterprise perimeter.
Page 42
Diagram: Web, Gateway, Legacy, SOC.
Page 43
Diagram: Web, Gateway, Legacy, Web Back-End, SOC.
Page 44
Diagram: Web, Gateway, Legacy, Web Back-End, SOC (Primary), SOC (Backup).
Page 45
Page 46
Page 47
Page 48
Page 49
Page 50
Diagram: Web inside Ring (Web Server); Ring (Gateway), Ring (Legacy), Ring (Back-End); SOC (Primary) and SOC (Backup).
Page 51
SOC (Primary)
SOC (Backup)
Page 52
Page 53
Page 54
Page 55
Page 56
Security Command and Control (C&C)
Diagram: Micro-Domain Rings.
Page 57
Security Command and Control (C&C)
Diagram: Micro-Domain Rings with robust, secure communication to multiple C&C; Security Software Drop Locations.
Page 58
Botnet Command and Control (C&C)
Diagram: Bots with robust, secure communication to multiple C&C; Botnet Software Drop Locations.
Page 59
ZeroAccess Botnet (Click Fraud)
Massive Industry Botnet Takedown Effort
Resilient!!
Page 60
Resilience of Botnets
Diagram: Security Command and Control (C&C); Micro-Domain Rings with robust, secure communication to multiple C&C; Security Software Drop Locations.
Page 61
Distributed, Virtual Enterprise Perimeter Design