Using Network Security and Identity Management to Empower CISOs Today: The Case for a Comprehensive...
DESCRIPTION
A General Session Presentation by Scott Stevens, VP of Technology-WW Systems Engineering at Palo Alto Networks, and Allan Foster, VP Technology & Standards, Office of the CTO at ForgeRock, at the 2014 IRM Summit in Phoenix, Arizona.
TRANSCRIPT
ForgeRock
Using Network Security and Identity Management to Empower CISOs Today
The Case For A Comprehensive Enterprise Security Policy
The Stolen Data Epidemic
Target Replaces CEO Steinhafel Following Massive Holiday Breach - Wall Street Journal
Heartbleed Bug Exposes Millions of Web Sites To Security Risks - NBC News, April 8, 2014
18 million email addresses and passwords stolen in Germany- ZDNet April 7, 2014
360m newly stolen passwords on the black market - The London Free Press
Data breaches surge with 93,000 passwords stolen every hour- Computer Business Review
Bitcoin miners unearth 30,000 college student SSNs- Next Gov April 24, 2014
To be truly effective, you need to see all applications, all user identities and, most importantly, all threats.
But traditional firewalls only gave you ports, protocols, and IP addresses – missing the malware threat completely.
Traditional Firewalls Had Limitations
Confidential Data
Command & Control Traffic
Regulated Data
Exploits
Copyrighted Material
Malware
Palo Alto Networks Reinvented Network Security
It's no longer about ports and protocols; it's about user identity, applications, and how they communicate.
But without User Identity and Context, You Cannot Create a True Comprehensive Security Policy For the End User
Modern Security Technologies
■ Users: Understanding users and devices, regardless of location with User-ID
■ Applications: Safe enablement and security begins with application classification by App-ID.
■ Content: Scanning content flowing between Users and Applications and protecting against all threats, both known and unknown, with Content-ID
Palo Alto Networks Next-Generation Threat Cloud
Palo Alto Networks Next-Generation Endpoint
Palo Alto Networks Next-Generation Firewall
Next-Generation Firewall
Inspects all traffic
Safely enables applications
Sends unknown threats to cloud
Blocks network-based threats
Next-Generation Threat Cloud
Gathers potential threats from network and endpoints
Analyses and correlates threat intelligence
Disseminates threat intelligence to network and endpoints
Next-Generation Endpoint
Inspects all processes and files
Prevents both known and unknown exploits
Protects fixed, virtual, and mobile endpoints
Lightweight client and cloud based
Next-Generation Security Platform
• ~500,000 WildFire samples/day
• ~5% determined to be malware
• 1 new Android malware app every 30 minutes
• 1/3 of all portable executables are malware
Next-Generation Identity Management
Highly Scalable, Modular, Easy To Deploy Architecture
“All-in-One” solution delivered as a single platform
Access to any application – Enterprise, SaaS, Social, Mobile
Flexible and extensible architecture
Social sign-on and one-time mobile password
Architected for consumer scale +100M users
FORGEROCK.COM | CONFIDENTIAL
Combine Capabilities To Reinvent Security
Creating A Unified Enterprise-wide Security Platform
Next-gen Network Security & Identity Functions Natively Integrated In One Solution
Centralized Management
Access Management
Threat Prevention
User Identity Management
Authentication & Authorization
App Visibility & Control
The Vision
Deliver the only unified identity security platform that can make hyper intelligent
decisions based on both network security and user identity context.
Key Benefits
■ Understand more about the user before granting them access to corporate resources
■ Create a feedback loop to take appropriate action on both ends:
– The network blocks traffic when suspicious identity activity occurs
– The identity platform blocks access when suspicious network activity occurs
■ Real-time, automated remediation of malicious activity
■ Organizations are much safer
Security/Identity Feedback Loop
Data Center
Establish Identity
Assert Identity
Security/Identity Feedback Loop
Data Center
Legitimate Traffic
As defined by user rights
Security/Identity Feedback Loop
Data Center
Malware/Inappropriate Traffic
Block & Alarm
Feedback Identity of Malicious Traffic
Security/Identity Feedback Loop
Data Center
Change Identity Rights: Restrict User Traffic to All Resources
■ Network violations modify Identity Rights
■ Feedback changes ID state and security state
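The User-ID/App-ID/Content-ID model and the security/identity feedback loop above, as an added simulation (not ForgeRock or Palo Alto Networks code): a firewall decides per flow on identity state plus application and content verdicts, and a violation on either side restricts the user on both. Class names, the flows and the "impossible travel" event are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class IdentityPlatform:
    """Holds per-user rights; 'restricted' revokes access to all resources."""
    rights: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def assert_identity(self, user):
        return self.rights.get(user, "full")

    def restrict(self, user, source, detail):
        # Feedback from either side (network violation or suspicious login).
        self.rights[user] = "restricted"
        self.alarms.append(f"{source}: restricted {user} ({detail})")

@dataclass
class NextGenFirewall:
    idp: IdentityPlatform

    def inspect(self, flow):
        # flow = {"user": ..., "app": ..., "content": "clean"|"unknown"|"malware"}
        user, app, content = flow["user"], flow["app"], flow["content"]
        # 1. Identity context first: a restricted user gets no traffic at all.
        if self.idp.assert_identity(user) == "restricted":
            return "deny"
        # 2. App-ID / Content-ID verdict: block, alarm, feed identity back.
        if content == "malware" or app == "command-and-control":
            self.idp.restrict(user, "network", f"{app}/{content}")
            return "block"
        # 3. Unknown content is allowed but forwarded to the threat cloud.
        if content == "unknown":
            return "allow-sandbox"
        return "allow"

def run_scenario():
    """Constructed flows: alice reaches C2, bob trips an identity-side alarm."""
    idp = IdentityPlatform()
    fw = NextGenFirewall(idp)
    flows = [
        {"user": "alice", "app": "salesforce", "content": "clean"},
        {"user": "alice", "app": "command-and-control", "content": "unknown"},
        {"user": "alice", "app": "salesforce", "content": "clean"},  # now denied
        {"user": "bob", "app": "sharepoint", "content": "clean"},
    ]
    results = [fw.inspect(f) for f in flows]
    idp.restrict("bob", "identity", "impossible travel")  # identity-side event
    results.append(fw.inspect({"user": "bob", "app": "sharepoint", "content": "clean"}))
    return results, idp.rights
```

Alice's legitimate traffic is allowed until her C2 flow is blocked, after which the identity platform restricts her and the same traffic is denied; Bob is cut off on the network after an identity-side alarm.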
Target data breach – APTs in action
■ Recon on companies Target works with
■ Spearphishing third-party HVAC contractor
■ Breached Target network with stolen payment system credentials
■ Moved laterally within Target network and installed POS malware
■ Maintain access
■ Compromised internal server to collect customer data
■ Exfiltrated data to command-and-control servers over FTP
Innovative Approach To Securing Today's Enterprise
Eliminate Security Silos For A Unified Enterprise-wide Security Policy
All Key Identity & Network Security Functions Natively Integrated in One Solution
Closed Loop Single Enterprise Wide Policy
Centralized Management
Visibility & Control
Threat Prevention
Provisioning
Identity Management
Any location
Any infrastructure
Unify Your Enterprise Security Strategy
Protect the enterprise from known threats and zero-day attacks
Gain full control over your identity and network security investments
Make informed decisions based upon correlated events & data points
Adaptable closed loop security policy enforcement
Drive top line business initiatives faster
Thank You!