TRANSCRIPT
Software-Defined Segmentation - Challenges of Accelerated Enterprise
December 11, 2019
Today’s web conference is generously sponsored by:
https://www.guardicore.com/
Moderator
Robert Martin is a Certified Information Systems Security Professional with over thirteen years of experience in information security. He holds a Master of Science in Network Technology with a concentration in Information Security. He also holds a Cyber Security Masters Certification. He is a Sr. Security Engineer for Cisco Systems, Inc. in RTP, NC. Robert specializes in areas such as risk management, regulatory compliance, security solutions architecture, security audits, vulnerability assessments, and penetration testing. From 2012-2015, Robert served as President of the Raleigh Chapter of the Information Systems Security Association. During that time, the chapter membership grew at a rate of 125%. Currently, Robert serves on the Raleigh ISSA Board as the Sponsorships Director. Robert is committed to serving the community through outreach by expanding the chapter’s mission to students and military. He has held several other IT Security Advisory Board positions over the years with a focus to bring about awareness of information security threats in an ever changing global IT Security economy.
Robert Martin, Sr. Security Engineer for Cisco Systems, Inc
Speaker
At Consilio, Jonathan led the effort to develop, implement, and monitor a rigorous global Information Security Management System to ensure compliance with ISO/IEC 27001 and SOC 2 Type 2 controls. Working in conjunction with the General Counsel and CIO, he currently directs all IT efforts to comply with global, national, and state privacy regulations and frameworks such as GDPR, Privacy Shield, HIPAA, and various U.S. and German state-level privacy regulations.
In a 3-year period, as the company more than quintupled in total revenue, he was responsible for growing the Information Security team from 3 to 10 full-time employees, while managing overall personnel costs and maintaining operational effectiveness by staffing positions in lower-cost locations throughout the company.
As part of a comprehensive company-wide metrics initiative, the team identified measurable trends in user activity in various departments pertaining to the enterprise-wide Data Loss Prevention program, which enabled the identification and prevention of sensitive internal corporate data leaving the company.
Jonathan has extensive experience briefing both the senior executive team and board of directors on issues pertaining to Information Security and Cyber Risk Management. Currently, he assists the CIO in global strategic planning, including technology risk assessments for potential merger/acquisition targets. He leads the company's cross-functional Data Breach Incident Response team and regularly works with leaders of all operational groups to ensure that any security incidents are reported and mitigated in a timely manner.
Jonathan Fowler, CISO, Consilio
Software-Defined Network Segmentation
My Background
• Started career as an Intelligence Analyst assisting field agents working on major financial crimes.
• Transitioned to a stint as a corporate investigator working with companies on internal investigations (e.g. theft, harassment)
• In 2002, moved into digital/computer forensics, spent the next 13 years performing investigations and testifying as an expert witness in Federal and state courts.
• Spent last 4 years in various roles in Information Security, leading to current position.
• Committed the cardinal sin of saying “Shouldn’t we have someone focused on security?”
Consilio Background
• Founded in 2002 (9 employees) to provide digital/computer forensics consulting services to corporate clients.
• In 2005, moved into the electronic discovery/disclosure space, offering a web-based document review platform and associated services.
• From 2005-2012, expanded operations into Europe (London, Frankfurt), India (Bangalore), and APAC (Tokyo, Hong Kong).
• Currently over 2,000 employees and 30+ locations around the world, managing approx. 5 petabytes of data from our clients.
The Business Issue
➢ Multiple business units need dedicated network resources either for compliance purposes (privacy, contractual, financial) or to ensure that work performed on those resources cannot reach the production environment.
➢ Example: Globally-dispersed Digital Forensics group that needs a dedicated network space to conduct investigations that (a) allows them to use tools that will trip most network/endpoint sensors; and, (b) is not accessible from anyone outside of the team.
Current Solution
➢ Create isolated VLANs for the group in each office location with separate access control policies and network protocols that are in use only by this group.
Current Solution
➢ Solution worked perfectly – each office location had a dedicated isolated VLAN that the group used for their work … what could go wrong???
Current Solution
“I’m gonna need you to go ahead and set up HR, Finance, Project Management, Admin, etc. with their own VLAN …”
The New Business Issue
➢ A small Network team that is now having to actively manage multiple VLANs around the globe; and, an even smaller Information Security team having to audit policies on multiple VLANs around the globe.
What are some of the current pain points?
➢ Capital and operational costs of managing multiple VLANs in multiple environments
➢ Access control management and application access for cross-segment users
➢ Flexibility and agility to scale during M&A activity
➢ Most importantly – how to ensure that each isolated segment remains secure!!
How can SDNS Help?
➢ Allows the business to quickly and easily define, create, and manage logical network segments based on operational need.
➢ Greater protection of critical assets by implementing more granular segmentation than would be feasible with a hardware-based approach – “microperimeters”.
➢ Centralize the deployment and management of policies to all network segments in one location.
➢ Provides a solid foundation for a zero trust environment.
Speaker
Dave Klein is the Senior Director of Engineering & Architecture for Guardicore. With more than 21 years of real-world cybersecurity experience he works with Guardicore teams, customers and industry thought leaders to address the challenges of securing modern hybrid cloud environments.
Dave encourages CISOs faced with securing their organizations to adopt security solutions and best practices that work easily and seamlessly across their heterogeneous environments.
Prior to Guardicore, Dave was the Engineering Manager for Forcepoint’s Federal Sector where he drove growth by adapting the company’s behavioral heuristics, Bayesian logic and predictive capabilities to defend US agencies against Insider and Advanced Persistent Threats. Dave also worked with other vendors, government and private sector entities on the NIST response to Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience. Before joining Forcepoint, Dave was a security leader at Cisco Systems. Always a visionary, Dave was responsible for key enhancements in Cisco Network Admission Control, Ironport Web and Mail Gateways and other core Cisco security offerings and led some of the largest sales engagements for US Federal security solutions. In the years preceding his work with Cisco, Dave worked for McAfee. His work there included working with the City of New York post 9/11 for three years, helping shore up cyber defenses and developing a National, State and Local Government engineering and sales team.
Dave has spoken on a wide variety of cybersecurity topics including micro-segmentation, cryptojacking, hybrid cloud
Dave Klein, Senior Director, Engineering & Architecture, Guardicore
Software-Defined Segmentation
Challenges of Accelerated Enterprise
Dave Klein, Senior Director of Engineering & Architecture, Guardicore
The Paradigm Has Changed…
… but We WILL Succeed!
The Era of Software-Defined Segmentation
Current Challenges
✓ Even in enterprises that haven’t moved to cloud.
✓ Even in traditional environments and use cases.
Current Challenges: For Both…
For IT… Visibility & Management
Penrose Triangle – The “Impossible Triangle”
(figure: triangle labelled FAST INNOVATION and SECURE)
The Paradigm Has Changed
Business Demands
✓ Accelerated Delivery
✓ Essential Competitive Differentiation
✓ Efficiencies & Savings
✓ Integrations & Access
DevOps Model
✓ Playbooks/Scripting
✓ Provisioning
✓ Automation/Autoscaling
✓ Cloud Models*
* Even companies only on-premises
Security Solutions
✓ Speed
✓ DevOps Friendly
✓ Automatable
✓ Works Across Entire Enterprise
✓ Visibility & Granular Enforcement
✓ Done Once – Done Right
We WILL Be Successful!
Software-Defined Segmentation
The Solution
Based on this Model…
High Level Checklist
Security Solutions
✓ Speed
✓ DevOps Friendly
✓ Automatable
✓ Works Across Entire Enterprise
✓ Visibility & Granular Enforcement
✓ Done Once – Done Right
For clearing the path for Software-Defined Segmentation, and for all other upcoming projects as well.
Learning from Traditional Segmentation Fails
Traditional Segmentation
Platform Specific:
VLANs for on-premises only
Security groups only for cloud
Security Groups per VPC per cloud provider
Multiple Segmentation Techniques Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity
Premises: VLANs & ACLs | Clouds: Security Groups
Traditional Segmentation – Management & Resource Intensive
Multiple management platforms means resource and cost intensive
“It takes me months to change VLANs”
“IP address changes are a nightmare”
Delays, stalled or failed projects
Traditional Segmentation – Zero Visibility
Can’t easily identify traffic flows & app dependencies
Leads to delays, false positive blocks.
Production downtime
Traditional Segmentation – Lack of Granularity
Policies are only IP address & port based!
Doesn’t segment enough! Doesn’t reduce risk! Doesn’t lead to compliance!
Traditional Segmentation – Lack of Granularity: NO PROCESS LEVEL POLICIES
Desired Rule (figure): Proxy Server (nginx) → Web Server (tomcat), Port 443. The “evil” process on the Proxy Server should not be able to reach the Web Server, but an IP/port rule cannot distinguish it from nginx.
Traditional Segmentation – Lack of Granularity: NO IDENTITY BASED RULES
Desired Rule (figure): Alison and Diane connect with putty to sshd on the jumpbox; from the jumpbox, Alison may reach only diagnostics and Diane only accounting.
Traditional Segmentation – Lack of Granularity: NO IDENTITY BASED RULES
Actual with VLANs, ACLs & Security Groups (figure): once either user is on the jumpbox, the rule only sees jumpbox → sshd, so Alison can reach accounting and Diane diagnostics.
Identity based policies? = NO
Policies are only IP address & port based!
Traditional Segmentation – Lack of Granularity: NO FQDN RULES
Desired Rule (figure): DevOps Web Servers and DevOps Other Servers (Ubuntu) → Internet → GitHub, Port 443.
Traditional Segmentation – Lack of Granularity: NO FQDN RULES
Actual with VLANs, ACLs & Security Groups (figure): the rule can only open Port 443 to Internet addresses, not to “GitHub” by name, so any Web Server on the Internet is reachable on 443.
FQDN based policies? = NO
Policies are only IP address & port based!
Software-Defined Segmentation – Key Elements: Policy Black Lists
Not Possible With Traditional Segmentation (figure): in Production, block ftpd, telnetd and tftpd; block root → any.
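The process, user, FQDN and block-list rules from the slides above, modelled as an added example (this is not Guardicore code and not part of the presentation): a small label-based policy evaluator runs the same constructed flows against an IP/port-only policy, which is all a VLAN ACL or security group can express, and against a policy that also matches process, user and destination name, with block rules evaluated before allows and default deny at the end. The asset names, labels such as role:proxy and env:prod, the users alison and diane, the devops-build server and the name evil.example are all assumptions made for the example; the two database hosts are placed in one subnet on purpose, to mirror the overlapping-VLAN problem from the bank case study later in the deck. One caveat for practitioners: a native Linux firewall is not strictly IP-and-port-only, since the netfilter owner match can key outbound rules on the local user or group, but it has no match on the peer's process or on a destination FQDN, which is why those attributes are modelled here as something an agent on both ends has to supply.

```python
"""Label-based segmentation policy evaluator (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    labels: frozenset


@dataclass(frozen=True)
class Flow:
    src: str                 # name of the source asset
    dst: str                 # name of the destination asset, or an FQDN for Internet destinations
    port: int
    src_process: str = ""    # process that opened the connection
    dst_process: str = ""    # process listening on the destination
    user: str = ""           # user the connection is made as, if known


@dataclass(frozen=True)
class Rule:
    action: str                    # "block" or "allow"; blocks are evaluated first
    src: Tuple[str, ...] = ()      # labels the source must carry (all of them); () = any
    dst: Tuple[str, ...] = ()      # labels the destination must carry, or ("fqdn:<name>",); () = any
    port: Optional[int] = None     # None = any port
    src_process: Optional[str] = None
    dst_process: Optional[str] = None
    user: Optional[str] = None


# Constructed inventory. prod-db and dev-db share 10.4.0.0/24 on purpose (assumption).
ASSETS: Dict[str, Asset] = {a.name: a for a in (
    Asset("proxy-1", "10.1.1.10", frozenset({"role:proxy", "env:prod"})),
    Asset("web-1", "10.1.1.20", frozenset({"role:web", "env:prod"})),
    Asset("jumpbox", "10.2.0.5", frozenset({"role:jumpbox"})),
    Asset("diag-1", "10.2.0.6", frozenset({"app:diagnostics"})),
    Asset("acct-1", "10.2.0.7", frozenset({"app:accounting"})),
    Asset("devops-web-1", "10.3.0.10", frozenset({"team:devops", "role:web"})),
    Asset("devops-build-1", "10.3.0.11", frozenset({"team:devops", "role:build"})),
    Asset("app-1", "10.4.0.10", frozenset({"role:app", "env:prod"})),
    Asset("prod-db", "10.4.0.21", frozenset({"role:db", "env:prod"})),
    Asset("dev-db", "10.4.0.22", frozenset({"role:db", "env:dev"})),
)}


def _endpoint_matches(required: Tuple[str, ...], name: str) -> bool:
    """() matches anything; 'fqdn:x' matches an Internet name; labels must all be on the asset."""
    if not required:
        return True
    fqdns = [r[len("fqdn:"):] for r in required if r.startswith("fqdn:")]
    if fqdns:
        return name in fqdns
    asset = ASSETS.get(name)
    return asset is not None and all(label in asset.labels for label in required)


def _matches(rule: Rule, flow: Flow) -> bool:
    return (_endpoint_matches(rule.src, flow.src)
            and _endpoint_matches(rule.dst, flow.dst)
            and rule.port in (None, flow.port)
            and rule.src_process in (None, flow.src_process)
            and rule.dst_process in (None, flow.dst_process)
            and rule.user in (None, flow.user))


def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """Block rules first, then allows; anything unmatched is denied (default deny)."""
    for action in ("block", "allow"):
        if any(r.action == action and _matches(r, flow) for r in rules):
            return action
    return "block"


# What VLAN ACLs / security groups can express: endpoints and ports only.
L4_POLICY = [
    Rule("allow", ("role:proxy",), ("role:web",), 443),
    Rule("allow", ("role:jumpbox",), ("app:diagnostics",), 22),
    Rule("allow", ("role:jumpbox",), ("app:accounting",), 22),
    Rule("allow", ("team:devops",), (), 443),           # no fixed IP set to pin GitHub to, so 443 to anywhere
    Rule("allow", ("role:app",), ("role:db",), 5432),    # both DBs sit in one VLAN; an ACL cannot tell them apart
    Rule("allow", ("role:jumpbox",), ("env:prod",)),     # admin access into prod, any port
]

# Process-, user- and FQDN-aware rules plus a block list that wins over every allow.
GRANULAR_POLICY = [
    Rule("block", (), ("env:prod",), dst_process="ftpd"),
    Rule("block", (), ("env:prod",), dst_process="telnetd"),
    Rule("block", (), ("env:prod",), dst_process="tftpd"),
    Rule("block", user="root"),
    Rule("allow", ("role:proxy",), ("role:web",), 443, src_process="nginx", dst_process="tomcat"),
    Rule("allow", ("role:jumpbox",), ("app:diagnostics",), 22, dst_process="sshd", user="alison"),
    Rule("allow", ("role:jumpbox",), ("app:accounting",), 22, dst_process="sshd", user="diane"),
    Rule("allow", ("team:devops", "role:web"), ("fqdn:github.com",), 443),
    Rule("allow", ("role:app", "env:prod"), ("role:db", "env:prod"), 5432),
    Rule("allow", ("role:jumpbox",), ("env:prod",)),     # same broad admin access, now bounded by the blocks
]

# Constructed flows, one per situation the slides draw.
SCENARIOS: Dict[str, Flow] = {
    "proxy nginx -> web tomcat:443":  Flow("proxy-1", "web-1", 443, "nginx", "tomcat"),
    "proxy evil -> web tomcat:443":   Flow("proxy-1", "web-1", 443, "evil", "tomcat"),
    "alison: jumpbox -> diagnostics": Flow("jumpbox", "diag-1", 22, "ssh", "sshd", "alison"),
    "diane: jumpbox -> diagnostics":  Flow("jumpbox", "diag-1", 22, "ssh", "sshd", "diane"),
    "diane: jumpbox -> accounting":   Flow("jumpbox", "acct-1", 22, "ssh", "sshd", "diane"),
    "devops web -> github.com:443":   Flow("devops-web-1", "github.com", 443, "git"),
    "devops build -> github.com:443": Flow("devops-build-1", "github.com", 443, "git"),
    "devops web -> evil.example:443": Flow("devops-web-1", "evil.example", 443, "curl"),
    "prod app -> prod db:5432":       Flow("app-1", "prod-db", 5432, "java", "postgres"),
    "prod app -> dev db:5432":        Flow("app-1", "dev-db", 5432, "java", "postgres"),
    "alison: jumpbox -> prod telnet": Flow("jumpbox", "web-1", 23, "telnet", "telnetd", "alison"),
    "root: jumpbox -> prod ssh":      Flow("jumpbox", "web-1", 22, "ssh", "sshd", "root"),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision under the L4-only policy and under the granular policy, per scenario."""
    return {name: (evaluate(f, L4_POLICY), evaluate(f, GRANULAR_POLICY))
            for name, f in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (l4, granular) in compare().items():
        print(f"{name:33} L4: {l4:5}  granular: {granular}")
```

Run as-is, the L4 column allows every flow, while the granular column blocks the evil process, the wrong user on the jumpbox, the build server and the non-GitHub name on 443, the prod application reaching the dev database in the same subnet, telnet into production, and anything done as root.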
Learning from Firewall Segmentation Fails
Traditional Segmentation – Firewalls
Perimeter Based Firewalls
Not at the right location.
Doesn’t follow the workloads
Cost prohibitive
You need to be everywhere
Learning from First Generation Software-Defined Segmentation Fails
First Gen Software Defined Segmentation Vendors
Vendors who Focus on Hypervisor(s) | Vendors who use agents with enforcement done by native OS firewalls | Vendors Who Offer Limited Visibility Through a Secondary or Tertiary Package
Vendors who Focus on Hypervisor(s):
Means L4 policies – same problems as traditional segmentation methods
Not platform agnostic. Have to have the hypervisor firewall proximity
Two of the three vendors in this space have moved on to non-hypervisor methods using agents
Vendors who use agents with enforcement done by native OS firewalls:
In Linux means IP Tables – this means the same L4 IP and Port only policies. Just like traditional methods
In Windows, while you have better granularity, you are missing important other policy types
No Black Lists/Deny Lists
Means you are fighting local admins for the policies on the box
More latency in native OS firewalls
#1 ISSUE FOUND TODAY IN MOST SOLUTIONS
Vendors Who Offer Limited Visibility Through a Secondary or Tertiary Package:
Integrated visibility is essential in order to create appropriate labels and policies
It accelerates segmentation projects
Visibility means you won’t make mistakes
Use Cases & Name
A Point on the Name
• Also known as Micro Segmentation
• But the term is often misconstrued/misinterpreted as a single use case where segmentation is used between the tiers of an application.
• Software-Defined Segmentation
• A better term for the solution.
• Hundreds of use cases where Software-Defined Segmentation can be utilized.
Sample Software-Defined Segmentation Use Cases
STRATEGY:
- Start With Low Hanging Fruit
- What Matters Most
- Will Make the Biggest Difference
Digital Crown Jewels Protection | Compliance | Data Center Transformation | Zero Trust
Digital Crown Jewels Protection:
Point of Sale Systems
Medical Devices
Dev/User Acceptance/Production Environment Separation
Separation of IoT/Building Controls/Users/Data Centers
Protection of Legacy Apps/OS’
Micro-Segmentation Between Tiers of an Application.
Compliance:
PCI
SWIFT
HIPAA
GDPR
California Privacy
NY SHIELD
Data Center Transformation:
Mergers & Acquisitions
Cloud Migration
Hybrid Cloud Integration
Zero Trust:
Guardicore Infection Monkey – Free, Open Source, Safe Tool
Website: https://www.guardicore.com/2019/10/guardicore-infection-monkey-for-zero-trust
Video: https://www.youtube.com/watch?v=z4FNu3WCd9o
Who is Involved?
Who Drives Software-Defined Segmentation?
CISO/Security Exec | Infrastructure | DevOps
Who Initiates The Project? (figure: 70% / 30%)
Who Is Involved In The Project?
What are the Steps?
5 Steps To Software Defined Segmentation
Discover, Visualize & Map
Label & Group
Define Policies
Monitor & Refine
Enforce
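The five steps walked through on constructed data, as an added example that is not Guardicore code and not part of the presentation: flows from a discovery period are collapsed into label-to-label dependencies, with labels taken from an inventory that stands in for orchestration or CMDB metadata; the dependencies become candidate allow rules, with cross-environment and unlabelled edges held back for review; and the candidate policy is then run in report-only mode over later flows so that everything it would block is visible before enforcement is switched on. The addresses, the env/role labels, the dev-to-prod boundary treated as forbidden and all the flow records are assumptions made for the example.

```python
"""Discover -> label -> define -> monitor, on constructed data (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]   # (src_ip, dst_ip, dst_port, dst_process)
Edge = Tuple[str, str, int, str]   # (src_label, dst_label, dst_port, dst_process)

# Constructed inventory: what an orchestration/CMDB integration would return per address.
INVENTORY: Dict[str, str] = {      # ip -> "<environment>/<role>"
    "10.0.1.10": "prod/web",
    "10.0.1.11": "prod/web",
    "10.0.1.20": "prod/app",
    "10.0.1.30": "prod/db",
    "10.0.1.31": "dev/db",         # same subnet as prod/db: the label, not the address, separates them
    "10.0.1.40": "dev/app",
}

# Constructed flow records observed during the discovery period.
BASELINE_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.1.20", 8080, "java"),
    ("10.0.1.11", "10.0.1.20", 8080, "java"),
    ("10.0.1.20", "10.0.1.30", 5432, "postgres"),
    ("10.0.1.40", "10.0.1.31", 5432, "postgres"),
    ("10.0.1.40", "10.0.1.30", 5432, "postgres"),   # dev app reading the prod DB: real, but unwanted
]

# Constructed flows seen later, while the candidate policy runs in report-only mode.
NEW_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.1.20", 8080, "java"),       # known dependency
    ("10.0.1.40", "10.0.1.30", 5432, "postgres"),   # dev -> prod, held for review, so reported
    ("10.9.9.9", "10.0.1.30", 5432, "postgres"),    # host missing from the inventory
    ("10.0.1.20", "10.0.1.30", 22, "sshd"),         # port never seen in the baseline
]


def label_of(ip: str) -> str:
    """Label & Group: label from metadata; hosts the inventory does not know get 'unlabelled'."""
    return INVENTORY.get(ip, "unlabelled/unknown")


def discover(flows: List[Flow]) -> Dict[Edge, int]:
    """Discover, Visualize & Map: collapse per-address flows into label-to-label edges with hit counts."""
    edges: Dict[Edge, int] = defaultdict(int)
    for src, dst, port, proc in flows:
        edges[(label_of(src), label_of(dst), port, proc)] += 1
    return dict(edges)


def propose_policy(edges: Dict[Edge, int],
                   forbidden=(("dev", "prod"),)) -> Tuple[Set[Edge], Set[Edge]]:
    """Define Policies: observed edges become candidate allow rules, except those that cross a
    forbidden environment boundary or touch an unlabelled host, which go to a review list."""
    allow: Set[Edge] = set()
    review: Set[Edge] = set()
    for edge in edges:
        src_env, dst_env = edge[0].split("/")[0], edge[1].split("/")[0]
        if "unlabelled" in (src_env, dst_env) or (src_env, dst_env) in forbidden:
            review.add(edge)
        else:
            allow.add(edge)
    return allow, review


def monitor(policy: Set[Edge], flows: List[Flow]) -> List[Flow]:
    """Monitor & Refine before Enforce: report every flow the candidate policy would block."""
    return [f for f in flows if (label_of(f[0]), label_of(f[1]), f[2], f[3]) not in policy]


if __name__ == "__main__":
    baseline_edges = discover(BASELINE_FLOWS)
    candidate, held = propose_policy(baseline_edges)
    print("candidate allow rules:", sorted(candidate))
    print("held for review:", sorted(held))
    for flow in monitor(candidate, NEW_FLOWS):
        print("would block:", flow)
```

The point of the report-only pass is the last step on the slide: every flow it prints is either a dependency discovery missed, a host the metadata source does not know about, or a flow you genuinely want blocked, and each of those is cheaper to sort out before enforcement than as a production outage afterwards.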
What are the Solution Requirements?
Software-Defined Segmentation – Key Elements
Widest Possible Platform Support | Meta-data Integration | Broadest OS Support | Agent with Own Firewall (not OS Native)
Widest Possible Platform Support:
Platforms: Bare Metal, Hypervisors, Clouds, Containers
Meta-data Integration:
Orchestration meta-data integration
Broadest OS Support:
Enterprises run the widest array of OS’ imaginable
Automated way to ingest new OS kernels/releases quickly
Support end of life systems as well (Legacy/End of Life through Modern)
Software-Defined Segmentation – Key Elements: Policy Granularity
By Process (figure): Proxy Server (nginx, evil) → Web Server (Tomcat)
By User (figure): Alison, Diane → putty → jumpbox sshd → diagnostics, accounting
By FQDN (figure): DevOps Web Servers, DevOps Other Servers (Ubuntu) → Internet → GitHub
Software-Defined Segmentation – Key Elements: Agent with Own Firewall (not OS Native)
No Contention with Admins for Control
Consistent Policies & Enforcement Across All Platforms & OS’
Less Latency
(figure: Server with OS Firewall, controlled by Admin/Root, versus Agent FW, controlled by the SDS System: “You have control”, “You have less latency”)
Software-Defined Segmentation – Key Elements
Visibility | Flexible Labeling Schema | Policy Wizards | REST API
Visibility:
Real time and historical visibility.
Easily allows you to create/apply labels
Easily understand application dependencies
Allows you to sort in a variety of ways that people wish to see the enterprise: By Platform, By Environment, By Compliance, By Application Dependencies
Flexible Labeling Schema:
Allows for flexible visibility (as shown prior)
Allows for dynamic workload automation
Thus removing the need for manual Moves, Adds, Changes & Deletes
Within UI & DevOps Scripting
Policy Wizards:
Easy policy creation based on your particular role and need
REST API:
Ways to digest additional enterprise data like CMDB
Ways to push and pull additional information
Automation
Case Study – Top 5 Global Bank
Use cases: Segmentation between Dev/Prod/UAT servers | Restricting Access to Servers From Non Servers | Low Hanging Fruit | Application Segmentation
Priority scale (figure), High Priority to Low Priority: URGENT, Solve NOW; Critical, Solve This Year; Nice to Have, Next Year
Bank Thought Software-Defined Segmentation Would Use Cases
Guardicore Centra Software-Defined Segmentation Solved All Use Cases
Segmentation between Dev/Prod/UAT servers (DEVELOPMENT, UAT, PRODUCTION):
Overlap of 800 VLANs Between Environments
Accidental Transfer of Money
Auditors & Mandates to Change ASAP
To Change VLANs & IP Addresses Manually Would Take Years
Result:
Without any VLAN or IP Address Changes
Using Playbooks, Pushed Out Guardicore Agents to All
Mapped out Three Environments Visually
Created & Enforced Policy at Process Level
Environments Segmented
Few Weeks, not Years
Restricting Access to Servers From Non Servers (Servers & Applications vs. Security Cameras, Building Controls, Users, Networked Devices):
Audits Found Access To Servers Too Permissive
10,000 IP Cameras
Users
Building Controls
Networked Devices (APs, Printers, etc.)
Result:
Without any VLAN or IP Address Changes
Using Playbooks, Pushed Out Guardicore Agents to All
Mapped out Visually
Created & Enforced Policy at Process & User Level
Environments Segmented
Within the First Year
Low Hanging Fruit:
Various, Similar to Other Use Cases, e.g. Some SWIFT Isolation & Validation, Among Other Things
Application Segmentation:
Similar to Other Use Cases
Going After Most Important Ones First
Etc.
Fitting Into Bank’s Infrastructure:
Overall Flexibility of Our Solution Allowed Us To Tie in Easily