visibility and automation for enhanced security

Visibility and Automation for Enhanced Security: Ananda Rajagopal, VP, Product Line Management

Upload: patmisasi

Post on 16-Jul-2015

TRANSCRIPT

Page 1: Visibility and Automation for Enhanced Security

Visibility and Automation for Enhanced Security

VP, Product Line Management

Ananda Rajagopal

Page 2: Visibility and Automation for Enhanced Security

©2015 Gigamon. All rights reserved.

Pervasive Monitoring for Pervasive Visibility

WHAT IS DRIVING THIS EMERGING NEED?

• Increasing Security Threats

• “Zero Trust” Security model: network traffic monitoring

• Distributed applications create east-west traffic patterns

• Dynamically changing traffic patterns demand better visibility

• Maintain visibility through emerging network architecture changes

• E.g. White Box, SDN, VMware NSX, Cisco ACI, OpenFlow

• Eliminate blind spots due to new encapsulations, encryption*

• E.g. VXLAN, SSL traffic

Security, Distributed Apps, SDN, New Blind Spots Driving Pervasive Monitoring

* ‘Avoid These "Dirty Dozen" Network Security Worst Practices’, Andrew Lerner and Jeremy D'Hoinne, Gartner, January 2015

Page 3: Visibility and Automation for Enhanced Security

Gaps in Traditional Security Model

Perimeter or Endpoint Based

Simple Trust Model

Static Environment

• Inside vs. outside

• Focus on prevention

• Trusted vs. Un-trusted

• Corporate vs. personal asset

• Fixed locations, zones, perimeters

• Rule based

• Signature based

• Insider-outsider boundary dissolved

• BYOD

• Mobility of users, devices and applications

Page 4: Visibility and Automation for Enhanced Security

More importantly … THE VERY NATURE OF CYBER THREATS HAS CHANGED!

Page 5: Visibility and Automation for Enhanced Security

Anatomy of an Advanced Persistent Threat (APT)

1. Reconnaissance

2. Phishing & zero day attack

3. Back door

4. Lateral movement

5. Data gathering

6. Exfiltrate

In Many Cases the System Stays Breached After Exfiltration!

Source: RSA

Page 6: Visibility and Automation for Enhanced Security

Current State of Global Security

The mean number of days from initial intrusion to detection*

The average lifespan of a zero-day before it is discovered or disclosed*

of organizations had active Command & Control (C&C) communications**

of organizations in the study were breached during the test period**

* Trustwave 2014 global security report

** FireEye: Maginot revisited

Page 7: Visibility and Automation for Enhanced Security

What Else Has Changed That Impacts Security?

FUNDAMENTAL SHIFT IN TRAFFIC PATTERNS

[Diagram labels: Internet; Firewall DMZ; IPS; Core Switch; Spine; Leaf; IDS; Server Farm]

No visibility into lateral propagation of threats!

Page 8: Visibility and Automation for Enhanced Security

What Else Has Changed That Impacts Security?

DISSOLVING BOUNDARIES BETWEEN THE EDGE AND THE DATA CENTER

[Diagram labels: Internet; Firewall DMZ; IPS; Core Switch; Spine; Leaf; IDS; Server Farm; Virtual Desktop]

Page 9: Visibility and Automation for Enhanced Security

What Else Has Changed That Impacts Security?

MOBILITY

[Diagram labels: Internet; Firewall DMZ; IPS; Core Switch; Spine; Leaf; IDS; Server Farm; Virtual Desktop]

Page 10: Visibility and Automation for Enhanced Security

Visibility: Catalyst for the Right Security Architecture

WHAT IS NEEDED?

• Deliver network wide view, regardless of mobility

• Take the guesswork out of where to place security tools!

• Condense large volumes of data into manageable data

• Peek into encrypted traffic

Page 11: Visibility and Automation for Enhanced Security

The Spaghetti of Today’s Monitoring Infrastructure

WHY HAS IT NOT BEEN DONE YET?

• Proliferation of tools

• Contention for access to traffic

• Extraordinary costs

• Inconsistent view of traffic

• Model breaks down during a network upgrade

[Diagram labels: Internet; Core Switches; Distribution Switches; Access Switches; tools: ANTI-MALWARE, SIEM, DLP, IDS, IPS, FORENSICS, APT ANALYTICS]

Page 12: Visibility and Automation for Enhanced Security

Example Security Delivery Architecture

OFFERED BY GIGAMON TODAY

[Diagram labels: Core switch; Spine switch; Leaf switch; GigaVUE-VM; GigaVUE-FM; Inline Bypass; SSL Decryption; NetFlow Generation]

Security Tool Rack: APM, IPS (Inline), Anti-Malware (Inline), Network Forensics, Web Analytics, SIEM, DLP, IDS, APT Detection

Page 13: Visibility and Automation for Enhanced Security

Unified Visibility Fabric™

FOR PERVASIVE VISIBILITY INTO BUSINESS INFRASTRUCTURE

Applications & Tools Infrastructure, User Community

Third Party Applications, SDN Controller Integration, etc… (API)

Applications

Fabric Control (Management): GigaVUE-FM

Fabric Services: Flow Mapping®

Inline Bypass

Clustering

Traffic Intelligence: Deduplication, Packet Slicing, FlowVUE™, Masking, GTP Correlation, Header Stripping, NetFlow Generation, Tunneling, SSL Decryption, Adaptive Packet Filtering

Visibility Fabric Nodes (Pervasive visibility across physical, virtual, remote sites, and future SDN/NFV production networks):

• H Series: GigaVUE-HD8, GigaVUE-HD4, GigaVUE-HB1, GigaVUE-HC2

• TA Series: GigaVUE-TA1, GigaVUE-OS on white box*

• Virtual Visibility: GigaVUE-VM

• TAPs: G-TAP, G-TAP A Series, G-TAP BiDi, Embedded TAPs

• G Series: GigaVUE-2404, GigaVUE-420, G-SECURE-0216

Page 14: Visibility and Automation for Enhanced Security

Advanced Traffic Intelligence Using GigaSMART

MULTIPLE APPLICATIONS CAN BE SERVICE CHAINED TOGETHER

• Service chain GigaSMART® applications

• Leverage hybrid port capability

• Create flexible service chains

[Diagram labels: Physical; Virtual (GigaVUE-VM); Flow Mapping®; Tunnel Termination; SSL Decryption; Adaptive Packet Filtering]

• Remote site traffic to DLP

• Web Server Connect Requests to NPM / CEM

• East-West traffic between virtual workloads to IDS

Page 15: Visibility and Automation for Enhanced Security

Visibility Fabric: A Customer’s Journey

A Programmable Fabric to Detect, React and Respond

Page 16: Visibility and Automation for Enhanced Security

The Customer Journey

Stages of Customer Adoption and Maturity

Row labels: Themes, Pain Point/Value, Business Value, Gigamon Solutions, Best Practices

Visibility Enables Consolidation & Optimization

• Cost, Network & Tool Efficiency, Traffic Productivity

• Visibility Fabric: Physical & Virtual Nodes

• Ability to Manage Fabric Clusters

• CAPEX, OPEX, ASSURANCE

Visibility Assures Security & Compliance

• Risk Management: Compliance, Security, Privacy, Data Integrity

• Visibility Platform

• Ability to Tie IT Teams Together

• CAPEX, OPEX, ASSURANCE

Visibility Delivers Insight & Action

• Business Agility to Anticipate, React, and Respond

• Active Visibility: Detect & Respond

• Ability to Have the Platform Act as a Real-time Sensor

• CAPEX, OPEX, AGILITY

Page 17: Visibility and Automation for Enhanced Security

Case Study: Large Utility

DAY 1 ROI ASSURED!

[Diagram labels: NPM; Internet Routers; Edge Switches; Core Switches; Distribution Switches; $6.25M; $3.1M]

New data center with NPM deployment

Original Quote for NPM: $6.25M

Rejected by Utility’s Budget Approvers

NPM + Gigamon: $3.1M

Results:

1. Better deployment

2. Improved 4-5 additional tools

3. Visibility Fabric architecture now in place

4. 50% savings in CAPEX

Page 18: Visibility and Automation for Enhanced Security

Software Defined Visibility

Programmable Fabric

Page 19: Visibility and Automation for Enhanced Security

The Case for a Programmable Visibility Fabric

USE CASE: SECURITY (PROVISIONING AND NOTIFICATIONS)

[Diagram labels: Internet; Production Network; Software Defined Data Center; Virtual Workloads; Visibility Fabric™; GigaVUE-FM; APIs; Security Tools and Analytics; APIs to Provision]

‘Suspicious’ Pattern

• Generate NetFlow

• Change Flow Map

• Decrypt SSL

Page 20: Visibility and Automation for Enhanced Security

The Case for a Programmable Visibility Fabric

USE CASE – INVENTORY, ANALYTICS, PROVISIONING AND ADMINISTRATION

[Diagram labels: Customer / Partner Applications (Auto Provisioning); Customer Application (CMDB); Vendor APIs (Inventory, Stats); APIs; GigaVUE-FM; Visibility Fabric; Production Network; Tools and Analytics: Application Performance, Network Management, Security; APIs to Provision]

• Configure Network Port

• Create / Update Flow Map

Use Case 2 (Inventory/Stats):

• Heterogeneous monitoring

• Reporting

• Capacity Planning

Use Case 3 (Ticketing/Provisioning):

• Configure network port

• Monitor new IP subnet / VLANs

• Upgrade SW image

• Get Inventory / Status

• Get Statistics

Page 21: Visibility and Automation for Enhanced Security

The Case for a Programmable Visibility Fabric

USE CASE – PRIVATE CLOUD PROVISIONING

[Diagram labels: Internet; Software Defined Data Center; Virtual Workloads; vCenter; vCenter APIs; APIs; GigaVUE-FM; Visibility Fabric™; Production Network; Tools and Analytics: Application Performance, Network Management, Security; APIs to Provision]

Use Case 4 (Private Cloud Orchestration):

1. Create new Workloads / VMs

2. Enable Virtual Visibility

• Deploy GigaVUE-VM

• Create Traffic Policies

Page 22: Visibility and Automation for Enhanced Security

The Programmable Fabric

AGILE VISIBILITY FABRIC

Inventory, Provisioning, Analytics, Notifications, Administration

• Inventory / Orchestration (OSS, Homegrown)

• SDN Controllers (OpenStack, NSX, ODL)

• Monitoring Tools (NPM, APM, SIEM)

North Bound Integration (NBI) APIs

GigaVUE-FM

Page 23: Visibility and Automation for Enhanced Security

About Gigamon

Page 24: Visibility and Automation for Enhanced Security

Gigamon Customers Today

A BROAD SPECTRUM OF BRAND-NAME CUSTOMERS

As of Q4 2014

Enterprise: TECHNOLOGY, INDUSTRIAL, RETAIL, FINANCE, HEALTHCARE & INSURANCE, GOVERNMENT

Service Providers: 50 of the Top 100 Global SPs

1600+ End Customers

67 of the Fortune-100

Page 25: Visibility and Automation for Enhanced Security

The Complete Visibility Ecosystem

INTEROPERABILITY WITH ANY TOOL AND ANY NETWORK

Page 26: Visibility and Automation for Enhanced Security

• One architecture, One Software, One Management Platform for all visibility

• Holistic Physical + Virtual Visibility

• Zero packet loss through patented hardware filtering and asymmetric reassembly

• Clustering: Extend scale beyond a single node

• GigaSMART: Common platform for advanced traffic intelligence, service chaining

• Best De-duplication in the market: 100x better

• Only vendor with advanced visibility: SSL Decryption, Adaptive Packet Filtering, …

• High fidelity NetFlow for advanced traffic insight

• Advanced Traffic Visualization and Automation with GigaVUE-FM

• Multi-tiered security architecture vs. standalone bypass

Why Gigamon?

PROVEN ACROSS MORE THAN 1600 CUSTOMERS INCLUDING 67 FORTUNE 100

Page 27: Visibility and Automation for Enhanced Security

VISIBILITY MATTERS