vmworld
CONFIDENTIAL
Slide 2
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Slide 3
Guidance from Giants
Traditional Data Center: Any Application; L2/L3 or Proprietary Network; Security, Fault Isolation, Service Chaining, Discovery, Load balancing; Opex/Capex = $$$$, Innovation = HW design cycle
Modern SaaS Data Center: Custom Application; IP Network; Security, Fault Isolation, Service Chaining, Discovery, Load balancing; Opex/Capex = $, Innovation = SW design cycle
Slide 9
VMware NSX Momentum: Customers
4 of 5 top investment banks
Leading global enterprises & service providers
Slide 10
Three Reasons Companies Virtualize Their Network…
1. Speed – On Demand Apps and Services
2. Economics – Opex Efficiency & Capex Cost Savings
3. Security – Re-Architect Datacenter Security
Slide 12
A Picture of Diminishing Returns: The only thing outpacing security spend is security losses
[Chart: IT Spend, Security Spend and Security Breaches, 2010 to 2013]
Slide 13
A Modern Attack: Malware/attack vectors tested against known signatures & are often VM-aware
Phase 1 PREP
1. Human Recon
2. Attack Vector R&D
3. Primary Attack
Slide 14
Phase 2 INTRUSION
4. Compromise Primary Entry Point (Phishing, Waterholes, etc.)
5. Install Command & Control I/F
Strain A: Active; Strain B: Dormant
Leverage endpoints that circumvent perimeter controls
Slide 15
Phase 3 RECON
6. Escalate Privileges on Primary Entry Point
7. Lateral Movement
8. Install C2 I/F, Wipe Tracks, Escalate Priv
Strain A: Active
Leverage hyper-connected computing base, accessible topology info & shared components
Slide 16
Phase 4 RECOVERY
9. Wake Up & Modify Next Dormant Strain
Attack Identified; Response
Strain A: Active; Strain B: Active; Strain C: Dormant
Sensor, alerts and logs easily accessible
Slide 17
Phase 5 ACT ON INTENT
10. Break into Data Stores
11. Parcel & Obfuscate
12. Exfiltrate
13. Cleanup
Phase 6 EXFILTRATION
Exploit weak visibility and limited internal control points
Slide 19
A Modern Kill Chain… is highly targeted, interactive and stealthy
Phases: 1 PREP, 2 INTRUSION, 3 RECON, 4 RECOVERY, 5 ACT ON INTENT, 6 EXFILTRATION
1. Recon
2. Attack Vector R&D
3. Primary Attack
4. Compromise Primary Entry Point
5. Install Command & Control (C2) I/F
6. Escalate Privileges on Primary Entry Point
7. Lateral Movement
8. Install C2 I/F, Wipe Tracks, Escalate Priv.
9. Wake Up & Modify Next Dormant Strain
10. Break into Data Stores
11. Parcel & Obfuscate
12. Exfiltrate
13. Cleanup
Strain states: Strain A Active; Strain B Dormant, then Active; Strain C Dormant
Attack Identified; Response
Perimeter-Centric: 80% of resources focused on preventing intrusion
Limited visibility and control inside the datacenter to detect and respond to attacks
Slide 22
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Little or no lateral controls inside perimeter
[Two diagrams, each with an Internet edge: perimeter-centric security, labelled "Insufficient", and micro-segmentation, labelled "Operationally Infeasible"]
Slide 23
Using Network Virtualization For Micro-Segmentation
[Diagram labels: Internet, Perimeter Firewalls, Cloud Management Platform; a Security Policy element is added in later builds of this slide (slides 24 to 30)]
Slide 33
Trading Off Context and Isolation
Software Defined Data Center (SDDC): Any Application on the SDDC Platform, over Any x86, Any Storage, Any IP network
Data Center Virtualization: High Context, Low Isolation
Traditional Approach: High Isolation, Low Context
No Ubiquitous Enforcement
Slide 34
Delivering Both Context and Isolation
Software Defined Data Center (SDDC): Any Application on the SDDC Platform, over Any x86, Any Storage, Any IP network
Data Center Virtualization with Secure Host Introspection: High Context, High Isolation, Ubiquitous Enforcement
Slide 35
Broad Impact Across Many Security Verticals
Vulnerability Management: Gain previously impossible vulnerability intelligence based on application purpose, data class and user roles to drive rich, policy-driven response, including in-place quarantine.
Malware Protection: Real-time, dynamic threat response that follows applications as they migrate between hosts, data centers and cloud environments.
Network Protection: Leverages the platform to move IPS features from a dedicated edge function to distributed enforcement with rich, policy-driven response, including in-place quarantine.
Fill out a survey
Every completed survey is entered into a drawing for a $25 VMware company store gift certificate