TRANSCRIPT
Catch the Cloud
Jorn Lutters
Senior Security Architect
Sophos Public Cloud Security Team
SOPHOS
"I don't need a hard disk in my computer if I can get to the server faster... carrying around these non-connected computers is byzantine by comparison."
- Steve Jobs, Apple (1997)
• Trade capital expense for variable expense
• Stop spending money on running and maintaining data centers
• Benefit from massive economies of scale
• Stop guessing capacity
• Increase speed and agility
• Go global in minutes
[Chart: “What are your challenges with regards to the cloud?” Categories: Security, Cloud spend, Lack of resources, Governance, Compliance, Managing multiple clouds, Performance, Private cloud. Source: RightScale 2018 State of the Cloud Report]
Shared Responsibility
[Diagram: responsibility layers – Data classification & accountability, Client & end-point protection, Identity & access management, Application level controls, Network controls, Host infrastructure, Physical security – split between cloud provider and cloud customer for On-prem, IaaS, PaaS and SaaS. Source: Microsoft TechNet – Shared Responsibilities for Cloud Computing]
The platform provider is responsible for security ‘of’ the Cloud; the customer is responsible for security ‘in’ the Cloud.
Data classification
Sophos SafeGuard and Device Encryption
• Always-on device and file level encryption
• Protection at rest and in-flight
• User, Application and System integrity checking
• Cross-platform client support (Windows, OS X, Android, iOS)
• Easy to use, easy to live with
Endpoint Protection
Sophos Endpoint and Server protection with Intercept X
• Next generation machine learning enabled endpoint
• Exploit mitigation and prevention
• Cryptographic malware prevention
• Reputation, Signature and Behavioral detection of malware
• HIPS, Device control, Process Lockdown, etc.
Endpoint Protection
Sophos Mobile with Intercept X
• Unified Endpoint Management
• Mobile Threat Defence with deep learning
• Device, App, Content and Security enforcement
• Web Protection with traffic filtering, MiTM detection and compliance enforcement
• Native OS containerization
Identity, Application and Network
Sophos XG Firewall and UTM
• All-in-one with built in reporting
• WAF, IPS, VPN, Web filtering, app control and more – all integrated
• Authentication with TOTP 2FA support
• Virtual appliance on Azure and AWS with strong platform integration
• Full API configuration support – ideal for DevOps
[Diagram: Stand Alone UTM Deployment – NorthEast region, single Availability Zone; VPC 10.10.0.0/16 with an Internet Gateway; UTM with an Elastic IP (EIP) in subnet 10.10.1.0/24 in front of a Private Client Subnet 10.10.100.0/24. UTM functions: WAF, IPS, Inbound NAT, VPN, Logging/Reporting]
[Diagram: Availability Zone Failover UTM Deployment – VPC 10.10.0.0/16 with an Internet Gateway and an EIP; Primary UTM in subnet 10.10.1.0/24 (Availability Zone #1) and Backup UTM in subnet 10.10.2.0/24 (Availability Zone #2), in front of a Private Client Subnet 10.10.100.0/24. CloudFormation launches the UTMs and associated AWS services]
[Diagram: Auto Scaling UTM Deployment – Availability Zones #1 and #2, each with a Private Client Subnet and an Auto Scaling Group of UTM Workers; a UTM Controller with an EIP behind the Internet Gateway; an External ELB in front of the workers and an Internal ELB behind them. Admin traffic flows Controller -> Workers; syslog flows Controller <- Workers. CloudFormation launches UTMs and associated AWS services; Auto Scaling launches and maintains the UTM Auto Scaling groups; CloudWatch monitors UTM health and collects logs; S3 stores the UTM Controller license, logs and configuration]
[Diagram: Auto Scaling UTM with OGW – the same Auto Scaling layout (UTM Controller, UTM Worker Auto Scaling Groups in Availability Zones #1 and #2, Internet Gateway, External ELB with EIP, Internal ELBs; CloudFormation launches the UTMs and associated AWS services, Auto Scaling maintains the groups, CloudWatch monitors health and collects logs, S3 stores the Controller license, logs and configuration; Admin Controller -> Workers, Syslog Controller <- Workers) plus an OGW Subnet, reached from each Private Client Subnet over a GRE Tunnel. OGW can be set up as Active/Active or Active/Passive]
[Diagram: Stand Alone XG Deployment on Azure – a Virtual Network divided into subnets for an Identity Tier, an App and Data Tier, a Security Tier and a Cloud access Tier. Components shown: Sophos XG Firewall, Network Security Groups, Traffic Manager, Active Directory, VM, Virtual Machines, Worker roles, Web roles, Cloud services, VPN Gateway and ExpressRoute (to corp network), Internet]
[Diagram: Active/Active XG Deployment]
…And the best part? Central
Security ecosystem management made simple
• SaaS solution, hosted by Sophos
• Unified policy management
• Consolidated reporting
• Real time insight and control
  o Root cause analysis
  o Active Threat Identification
• Dedicated sub-estate management consoles
• End user self service support
Native IaaS Platform Integrations
• Cloud workload discovery: Attackers take advantage of unused cloud regions to avoid detection
• Risk reduction: Ensure workloads are secured with Sophos Server Protection
• Management simplicity: See instances from multiple accounts in one easy-to-drill-down visualization
Synchronized Security
Cloud Intelligence
Sophos Labs | Analytics: analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions | 24x7x365, multi-continent operation | Malware Identities | URL Database | Machine Learning | Threat Intelligence | Genotypes | Reputation | Behavioral Rules | APT Rules | App Identities | Anti-Spam | DLP | SophosID | Sandboxing | API Everywhere
Sophos Central | Admin, Self Service, Partner | Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
In Cloud / On Prem: Next-Gen Endpoint | Mobile | Server | Encryption | UTM/XG Firewall | Wireless | Web
Security Heartbeat™
[Diagram: Synchronized Security – compromised endpoint; Security Heartbeat™ between Endpoints, Servers, XG Firewall and Sophos Central, with the XG Firewall sitting between the Endpoints and the Internet]
Security Heartbeat™ links Endpoints with the firewall to monitor health and immediately share the presence of threats.
Instant Identification: Security Heartbeat can instantly share telemetry about the user, systems and process responsible.
Automated Response: Automatically isolate, or limit network access and encryption keys for, compromised systems until they are cleaned up.
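To make the automated-response idea concrete, here is an added illustrative model (not Sophos code) of a firewall that derives per-endpoint network policy from the last health report it received. The health states, the `HEARTBEAT_TIMEOUT` value and the `allow`/`restrict`/`isolate` policy names are assumptions for the illustration; the point it adds is that a missing or stale heartbeat must withdraw trust rather than keep the last good answer.

```python
"""Illustrative heartbeat-driven firewall policy (added example, not Sophos code).
The firewall keeps the newest health report per endpoint and maps it to a
network policy; an endpoint with no fresh heartbeat is treated as untrusted."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

HEARTBEAT_TIMEOUT = 60.0  # seconds without a heartbeat before trust is withdrawn (assumed value)


class Health(Enum):
    GOOD = "good"                # endpoint agent reports no issues
    SUSPICIOUS = "suspicious"    # e.g. unwanted app or policy drift
    COMPROMISED = "compromised"  # active threat detected on the host


@dataclass
class Heartbeat:
    endpoint: str            # host name reported by the agent
    user: str                # logged-on user at report time
    process: Optional[str]   # process responsible for the threat, if any
    health: Health
    ts: float                # report timestamp (seconds)


class HeartbeatFirewall:
    def __init__(self) -> None:
        self.last: Dict[str, Heartbeat] = {}

    def receive(self, hb: Heartbeat) -> None:
        """Store the newest report; out-of-order older reports are ignored."""
        cur = self.last.get(hb.endpoint)
        if cur is None or hb.ts >= cur.ts:
            self.last[hb.endpoint] = hb

    def policy(self, endpoint: str, now: float) -> str:
        """Return 'allow', 'restrict' or 'isolate' for traffic from endpoint."""
        hb = self.last.get(endpoint)
        if hb is None or now - hb.ts > HEARTBEAT_TIMEOUT:
            # Unknown host or stopped agent: limit access instead of trusting stale state
            return "restrict"
        return {Health.GOOD: "allow", Health.SUSPICIOUS: "restrict",
                Health.COMPROMISED: "isolate"}[hb.health]

    def responsible(self, endpoint: str) -> Tuple[str, Optional[str]]:
        """Telemetry an admin would see: user and process behind the last report."""
        hb = self.last[endpoint]
        return hb.user, hb.process
```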
Synchronized App Control
[Diagram: What Firewalls See Today vs. What Synchronized App Control Sees]
Taking a containers approach to your network
“…made simple.”