cxd technical overview customer...
TRANSCRIPT
The Threat
Trends in Network Security to defend against the outsider, the insider and the over privileged
VPN - It Isn’t Working…
The Threat: lions, tigers and bears… OH MY!
OUTSIDERS
• Nation States
• Well Funded Groups
• Script Kiddies
INSIDERS
• Over Privileged Users
• Complexity
• Laziness
• Mistakes
What is a Malicious Insider?
Over-Privileged Users and Third-Party User Access
Malicious insiders are defined as individuals who are deliberate in their theft, misuse or
destruction of data or systems.
Insider threats are a topic many organizations would prefer to avoid addressing. Attempts to
raise insider threat issues are sometimes countered with arguments that insider threat incidents are urban myths or unlikely events.
Gartner, May 2016
The Threat is REAL…
Percentages of data breaches due to insider threat vary…
…but regardless of the number, the threat is real!
• Celent (2008): 60%
• CSO Online (2013): 36%
• Forrester (2012): 39%
• Ponemon Institute/Symantec (2012): 39%
• Online Trust Alliance (2015): 29%
• Central European University's Center for Media, Data and Society (2014): 57%
How are Networks Vulnerable Today?
Yesterday’s network security doesn’t address today’s IT reality
Perimeter security has remained largely unchanged for the past 2 decades.
1996 2019
VPN - It Isn’t Working…
VPNs – They Aren’t Working…
KEY ISSUES:
• VPNs Do NOT Equal Secure
• Over-Privileged and Off To The Races
CHALLENGES CREATED:
• Lateral Movement
• Horrible User Experience
• Not Built for Cloud
“60% of enterprises will phase out network VPNs by 2021.” - Gartner
Firewalls - It Isn’t Working…
Traditional Firewalls – They Aren’t Working...
KEY ISSUES:
• Static - Configure and Forget
• Ports and Addresses, Not Users
CHALLENGES CREATED:
• Over-Privileged Users
• Exceptions Proliferation
• Complex, Difficult to Manage
• Not Designed for Cloud Architectures
Network Access Control
NAC
NACs – They Aren’t Working...
• It's Complicated: Complicated setup and management
• Show Me The Money: Generally very expensive and proprietary solutions.
• It Takes a Village: LOTS of components and add-on solutions for it to work.
Common Weaknesses of Current Solutions…
Users are NOT IP Addresses or Devices
Connect First, Authenticate Second
Static Controls for Dynamic Environments
The Perimeter has Changed…and Continues to Change
Users are not always People
The Bad Guys are Not Just on the Outside…
We Need a New Approach…
Waving the Wand: What Would We Conjure?
Works Today
• Existing infrastructure
• Existing protocols
Works Everywhere
• Physical Data Centers
• Cloud Providers
Works on Anything
• PCs, Servers,
• Mobile Devices
• IoT Devices
“Zero Trust is a fundamental transformation of corporate security from a failed perimeter-centric approach”
“Security Architecture & Operations Playbook”, Forrester, 2018
ZERO-TRUST MODEL
• IDENTITY-CENTRIC ACCESS
• LIVE ENTITLEMENTS
• MICRO-SEGMENTATION
A better approach to network security: Software-Defined Perimeter
1. Identity-centric
• User- or device-based access control
• Integrates with directory services and IAM
• Context sensitive
2. Zero-trust model
• Authentication before connection
• Dynamically-provisioned 1:1 connectivity
• Unauthorized resources completely dark
3. Built like cloud, for cloud
• Distributed, stateless and highly scalable
• Programmable and adaptive
• Dynamic and on demand
SDP: An industry consensus
“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems. It is easier and less costly to deploy than firewalls, VPN concentrators and other bolt-in technologies.”
“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”
“BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user.”
“The SDP security model has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) as well as Advanced Persistent Threat.”
How Does a SDP Work?
Traditional TCP/IP
• Not Identity Centric – Allows Anyone Access
• “Connect First, Authenticate Second”
Software-Defined Perimeter
• Identity-Centric – Only Authorized Users
• “Authenticate First, Connect Second”
SDP and Zero Trust
“Budget and pilot two zero trust networking projects in 2019 — microsegmentation and a software-defined perimeter — to significantly improve the security posture of the organization.”
A Powerful Combination
• Cloud & hybrid native
• Resilient and massively scalable
• Powerful API and deep business system integrations
• Full-featured network security platform
SOFTWARE-DEFINED PERIMETER & MICROSEGMENTATION
Reduce equipment, bandwidth and operating costs by
Decrease network complexity
Leverage existing investments
Reduce firewalls and legacy VPNs
Cloud Migration
Remote & Third-Party Access
Enable Secure DevOps
Powerful feature set supports broad range of use cases
• Automatically secure workloads
• Enforce consistent, hybrid controls
• Enforce identity-centric policies
• Remove over-privileged access
• Remove onerous management
• Grant timely and precise access
Software Defined Perimeter
Operational Benefits of SDP
• Social healthcare site reduced the number of firewall rules by 90%
• Multinational retailer reduced the FTEs managing firewall rules from 52 to 13
• Governmental agency reduced FTEs managing access to key systems from 8 to 1 for over 15,000 users
• Financial services reporting body reduced audit prep time from 2.5 months to 17 days
• Cyber security consulting firm eliminated redundant firewalls and VPNs into remote offices
• Global 50 financial replaced Cisco ISE to avoid $20K per switch upgrades as they expand
Summary
Insider threats are in your Network
• The perimeter is not an unbreakable wall, as it was in the past. It is fuzzy (at best) and constantly changing.
• At least a quarter of all data breaches are due to an insider threat.
• The threats are not just on the outside anymore.
Today’s Solutions Do Not Work
• Firewalls, VPNs and NAC solutions are yesterday’s technology, and unable to meet today’s insider threats.
• The dynamic nature of users and cloud infrastructures demands an easier-to-manage, more flexible, and scalable solution.
A Software-Defined Perimeter Solves!
• Creates a dynamic, individualized perimeter for each user and user-session – a network “segment of one”.
• Entitlements can be modified dynamically as necessary to meet environmental changes.
• One solution to address security and compliance challenges – on premise and in the cloud.
“Complexity is the bane of security” – Brigadier General, USAF (ret) Greg Touhill, President, Cyxtera Federal Group