Secure All your Cloud Workloads in a Modern Enterprise Homogenous Security for Heterogenous World Director of Product Management Kevin Stultz


Post on 29-Jun-2020

Page 1

Secure All your Cloud Workloads in a Modern Enterprise

Homogenous Security for Heterogenous World

Director of Product Management

Kevin Stultz

Page 2

Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY

Problem: Cloud Breaks Traditional Approaches to Security and Infrastructure Management

Today’s Reality: “Hybrid Cloud” Data Centers

Evolution of Enterprise Data Center Platforms & Orchestration Tools

Public Cloud

Physical Data Center

Private Cloud

Traditional / IT Ops Managed

Modern / DevOps Managed

Page 3

Problem: Attacks Increasingly Targeting Cloud-based Resources and Infrastructure

COMPUTE ATTACK

Victim: Large Credit Reporting Agency

Target: Customer Database

Method of Attack:

• Unpatched Apache Struts vulnerability enabled compromise of corporate web servers

• Hackers drop bots and Bitcoin miners to steal sensitive data

Losses: Massive PII Data Breach

• Large fines and loss of credibility

• Loss of data integrity requiring complete restore and rebuild

STORAGE ATTACK

Victim: Unnamed Military Outfit

Target: Recruiting Applications

Method of Attack:

• Word Docs from military recruits accepted by front-end containers, then written to AWS S3 buckets

• Attacker used misconfigured desktop to access networks and S3 buckets

Losses: Sensitive PII Data Breach

• Military personnel records exposed

• Cleanup of S3 buckets infested with malware

Page 4

What is Cloud-native Security?

Page 5

Why Cloud is Different: The DevOps Cycle

Modern / DevOps

1. Deploy immutable image.

2. Automatically repave image when problems are detected.

REPAVE

Traditional / IT Ops

1. Deploy software on server.

2. Update/remediate software when problems are detected.

FIX

Page 6

Traditional Security Tools Can’t Integrate with Modern DevOps Workflows

Why “Lift & Shift” Security Fails in Cloud Native

Traditional tools BREAK immutable workload requirements

Traditional tools BREAK auto-deployment workflows

I need immutable workloads with baked-in security for continuous release and auto-scaling.

DevOps

I need secure, auto-deployed apps that enable agile business planning.

CISO / CIO

Page 7

Cloud-native Security that Supports Both Traditional and Modern Environments

The Solution: Symantec Cloud Workload Protection

Public Cloud

Physical Data Center

Private Cloud

Traditional / IT Ops Managed

Modern / DevOps Managed

Symantec Cloud Workload Protection

Page 8

Cloud-native Design Supports DevOps Workflows

How CWP Enables Security for Modern DevOps

CWP security controls are baked into images, satisfying immutability requirements

CWP single agent integrates into deployment process, enabling auto-deployment workflows

Page 9

What Protections Are Needed for Cloud Native Security?

Page 10

Symantec Cloud Workload Protection

Compute Hardening

• Real-time file integrity monitoring (RT-FIM) prevents unauthorized system changes

• OS hardening stops zero-day threats

• Unique application isolation blocks exploits targeting known and unknown vulnerabilities

• Protection and monitoring for Docker containers

Anti-malware

For Compute:

• Multilayered cloud-native anti-malware scanning

• Prevents malware from infecting compute instances and servers

For Storage:

• Automatic and scheduled anti-malware scanning for AWS S3 buckets

• Prevents spread of malware between cloud-based applications and users

SINGLE AGENT, SINGLE CONSOLE

Unique: More Platforms, More Capabilities, More Clouds - Than Anyone Else!

Page 11

Automatic and Scheduled Anti-malware Scanning for AWS S3 Buckets

Cloud Workload Protection for Storage

Elastic, Scalable Storage Protection

• Threat scanning infrastructure scales elastically for cost optimization

• Enables secure adoption of containers and serverless compute

Customer Data Never Leaves Their Cloud

• Ensures privacy of sensitive data during assessment

• Anti-malware scanning occurs entirely inside of the customer's cloud

Alerts to Prevent Public S3 Exposures

• Helps to protect against data breaches by discovering and alerting when S3 buckets are misconfigured or exposed to the public internet

Page 12

CWP for Storage – Architecture

[Architecture diagram. Labels: DLP Detection Service; DLP Enforce; DLP Managed on Premise; Assets / Buckets; Events; Alerts; Metering; Dashboards; Customer's AWS account; Controller; Protection Unit (Scanner); Discovery; KMS; DynamoDB; S3 Bucket; SQS; SNS; Load Balancer; File download; File Metadata; Notifications; Buckets metadata; Single Pass multi-scan]

Single Pass, Fully Assess

• Permissions

• Anti-Malware

• Comprehensive

• Detection

Meet Regulatory Requirements

• PCI

• GDPR

• HIPAA

• Data Residency

What's Next:

• Data Classification and enforcement - In Beta

• Azure Blob – Customer Preview Next Month!

Page 13

Enables DevOps Monitoring and/or Enforcement of Immutable Workloads

Cloud Workload Protection Hardening Controls

Also enables DevOps orchestration tools:

Real-time file integrity monitoring (RT-FIM)

• Noise free - if configuration changes, then redeploy

Full Application Control

• No shells - mitigates vulnerabilities

Application Isolation

• Completely Immutable – no unapproved activity

Page 14

CWP Comprehensive Hardening Controls

Hardening controls (diagram labels):

• REAL TIME FILE INTEGRITY MONITORING

• APPLICATION LEVEL FIREWALL

• SYSTEM MONITORING

• OPERATING SYSTEM HARDENING

• APPLICATION CONTROL

• APPLICATION ISOLATION

• IMMUTABLE WORKLOAD

Ensure no new applications are introduced into production

Ensure only approved changes to critical infrastructure and application files

Protect against OS vulnerability exploit – No patching required

Reduce attack surface and stop advanced targeted threats

Detect and Respond to abnormal behavior

Protect against application vulnerabilities

100% Protection – no unauthorized activity allowed.

Track Record of Stopping Zero Day: ZERO infections since introduced in 2005!

Enabling the Evolution to Immutable Workloads

Page 15

IT OPS MANAGED

General Purpose Computing

Patch/Update

Bolt-on Security

DEVOPS MANAGED

Scalable Business Apps

Immutable/Replace

Built-in Security

CONTROLS

Anti-Malware

RT-FIM

App Control

CONTROLS

RT-FIM

OS Hardening

App Control

App Isolation

The Right Controls for BOTH DevOps and IT

Summary: Cloud Workload Protection

SINGLE AGENT, SINGLE CONSOLE

Page 16

Thank you!