TRANSCRIPT
DCO COBRA and SOSSEC - CYBER TALK
June 3, 2021
Presents – GuidePoint Security
How To Revisit And Continue The Zero Trust Journey
Post COVID-19
Presenter: Jean-Paul Bergeaux – Federal Chief Technology Officer
June 3rd, 2021
ZeroTrust Security
Jean-Paul Bergeaux, Federal CTO, GuidePoint Security
John Trojanowski, Federal Account Executive
GuidePoint Security
© Copyright GuidePoint Security LLC | 2
• Founded in October 2011 by industry experts
• Headquartered in Herndon, VA
• Certified as a Small Business
• About 500 employees with 65 percent being technical
• Amazon Web Services consulting partner
What is ZeroTrust?
“At the most basic level, zero trust is about protecting your applications [and data] by ensuring that only securely authenticated users and devices have access to them.” (CSO Online)
ZeroTrust ACT-IAC Report
Graphic Source: Microsoft
In general, Zero Trust:
• provides a consistent security strategy for users accessing data that resides anywhere, from anywhere, in any way;
• assumes a “never trust and always verify” stance when accessing services and/or data;
• requires continuous authorization no matter what the originating request location; and
• increases visibility and analytics across the network.
Additionally, Zero Trust depends on five fundamental assertions:
• the network is always assumed to be hostile;
• external and internal threats exist on the network at all times;
• network locality is not sufficient for deciding trust in a network;
• every device, user, and network flow is authenticated and authorized; and
• policies must be dynamic and calculated from as many sources of data as possible.
ZeroTrust and COVID: “2020 year in review”
March 2020… Forced remote/virtual worker
• Immediate realization that security perimeters are a limitation. TIC only works if you go through it!
• VPN issues. Remote access issues. Cloud access and control issues.
• Suddenly the focus is on securing data and resources, not a network.
Sounds like ZeroTrust right??
• ZeroTrust in focus!
• Secure the user, secure the data, secure the applications. Yes!
• Remote access versions of ZTE: Cloud-based Identity, SASE and Private Access solutions. OK….
• IT and security modernization on the MOVE! (thankfully, but wait…)
What happens when we go back in-person?
Zero Trust doesn’t end now
Going back to on-premise doesn’t mean ending Zero Trust
Biden Executive Order: Zero Trust plan please?
We skipped Zero Trust basics out of desperation!
EVERY OEM SAYS THEY ARE ZERO TRUST!
Let’s revisit what ZeroTrust really is.
ZeroTrust Graphic: NIST 800-207
Graphic source: NIST https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
ZeroTrust Graphic: ACT-IAC
Graphic ACT-IAC Zero Trust report
ZeroTrust Graphic: Forrester Research ZTX
Graphic Forrester Research ZTX (eXtended ZeroTrust) Wave Report
ZeroTrust example architecture: Microsoft
Graphic Source: Microsoft
ZeroTrust example architecture: Google
Graphic Source: beyondcorp.com
ZeroTrust example architecture: NIST 800-207
Graphic source: NIST https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
ZeroTrust GuidePoint Security
Graphic Source: https://threatpost.com/practical-guide-zero-trust-security/151912/
ZeroTrust GuidePoint Security – details
Graphic Source: https://threatpost.com/practical-guide-zero-trust-security/151912/
Data and Resource Focused: Protect what matters: not the network, but the data and the application workloads.
Action on Continuous Monitoring: Know the status of your network, your users and your resources, and use that status to make live, real-time decisions.
Active Integrated Security Architecture: Security tools should be integrated, not siloed, and work together through integration for an active defense!
Security That Works
What is it?
ZeroTrust workflow simplified
What network are you on?
Have you been validated?
What device and what is the status?
Who are you and what do I know about you?
Assessment of risk?
PEP grants access to Data and Applications?
Analytics + Trust Engine
(SIEM + Automation)
WAIT! Trust Engine? PEP? Explain please!
The Trust Engine is the decision maker of access.
A PEP is a Policy Enforcement Point (give access or deny)
A Trust Engine must then feed a PEP; a PEP can BE a TE.
Here’s the problem: THERE IS NO UNIVERSAL TRUST ENGINE
A PEP can be a trust engine if it has processing/automation capabilities.
The reality is that there will be multiple PEPs and likely multiple Trust Engines for different use cases throughout the environment.
Examples: Data, Cloud, Workload, IOT, Network Access
Zero Trust Reset – 5 steps to deploy
Step 1 ZTE Readiness Assessment
-Gap Assessment of Critical Controls
-Potential PEP Solutions Available (Policy Enforcement Points)
-Current Security Controls API / Orchestration & Automation
-Governance and Logging maturity
Step 2 Environment Assessment
-HVA and VA Data discovery and mapping
-Map application / workload user access flow
-User and Identity assessment and clean-up
Step 3 Design/Architect ZeroTrust
-Application micro-segmentation plan
-PEP plan & Application/User access monitoring/policy (Data/Resource/Application/Priv Access) (First steps to Adaptive Authentication)
-Automation and Orchestration plan to feed decision engines
Step 4 Execute Cycle Initiatives
-Deploy PEP & application / user policy to maturity
-Map users to applications with contextual dependencies
-Test/Deploy risk scoring trust engine for Adaptive Authentication
Step 5 Assess Effectiveness
-Automated Pen Testing (BAS oriented)
-Crowdsourced Pen Testing / Tailored Pen Testing
-ZTE Maturity Assessment Engagement
-Return to Step 1
ZeroTrust ALL OF IT
Device
-Managed or Un-Managed
-CA/PKI confirmed trusted
-System Assessment: Time Since Seen, Patch/Vulnerability Status, Type of System
-Entity Behavioral Analytics Score (Pre-Attempt): Device/Network consistent
User/ABAC/RBAC
-Internal or External User
-Attributable User to System? (Directory Services)
-User Risk Score (Pre-Attempt) (Insider Threat/UEBA)
-MFA Challenge (Hard Token PKI-CAC / Soft Token)
-User Risk Score (Per Attempt): Geo Acceptable? Geo New to user? Time New to user? Device New to user? Device – Group check
-Biometric challenge available?
-TIC – Security Stack (Ingress-Egress/SaaS)
Analytics / Trust Engine
-Assessment Determination: High Value Asset (HVA) / Moderate Value Asset (MVA) / Low Value Asset (LVA)
-Normal User or Priv User? (Admin)
-Assessment Factors: Classification (None/Secret/TS/Compartment) (IL2, IL4, IL6); Business Value; Compliance (PII/PCI/HIPAA/FISMA)
-Application Type: OnPrem Internal App; Externally Available Internal App (DMZ/IaaS/SaaS); Externally Available Public App (DMZ/IaaS/SaaS)
Network
-Type of Network Location: Core Enterprise Network, Remote Enterprise Network, External Network (w/VPN), External Network (wo/VPN), Geo Location
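The simplified workflow (network, device, user, risk assessment, PEP grant) and the "ALL OF IT" factor list above describe a trust engine scoring signals and a PEP acting on the score. The following is an added illustration, not code from the presentation or from GuidePoint; the signal names, weights and per-asset-value thresholds are assumptions chosen for the example, with the step-up path standing in for the MFA challenge the deck lists under adaptive authentication.

```python
from dataclasses import dataclass, field

# Illustrative weights (assumptions for this example, not from the presentation).
DEVICE_SIGNALS = {"unmanaged": 30, "pki_untrusted": 25, "unpatched": 15}
USER_SIGNALS = {"geo_new": 15, "time_new": 5, "device_new": 10, "ueba_flag": 20}
NETWORK_SCORE = {"core": 0, "remote_enterprise": 5, "external_vpn": 10, "external_novpn": 25}
# (step-up threshold, deny threshold) selected by the asset value assessment.
THRESHOLDS = {"LVA": (40, 70), "MVA": (25, 50), "HVA": (10, 30)}

@dataclass
class AccessRequest:
    asset_value: str                 # "HVA", "MVA" or "LVA"
    network: str                     # key of NETWORK_SCORE
    device_flags: set = field(default_factory=set)
    user_flags: set = field(default_factory=set)
    privileged: bool = False         # admin / privileged user
    mfa_passed: bool = False         # MFA challenge already satisfied

def risk_score(req: AccessRequest) -> int:
    """Trust engine: combine device, user and network signals into one score."""
    score = NETWORK_SCORE[req.network]
    score += sum(DEVICE_SIGNALS[f] for f in req.device_flags)
    score += sum(USER_SIGNALS[f] for f in req.user_flags)
    if req.privileged:
        score += 15                  # privileged access raises the bar
    if req.mfa_passed:
        score -= 20                  # a passed MFA challenge lowers risk
    return max(score, 0)

def pep_decision(req: AccessRequest) -> str:
    """Policy Enforcement Point: ALLOW, STEP_UP (MFA challenge) or DENY."""
    if "pki_untrusted" in req.device_flags and req.asset_value == "HVA":
        return "DENY"                # hard rule: untrusted device cert never reaches an HVA
    step_up, deny = THRESHOLDS[req.asset_value]
    score = risk_score(req)
    if score >= deny:
        return "DENY"
    if score >= step_up and not req.mfa_passed:
        return "STEP_UP"
    return "ALLOW"

if __name__ == "__main__":
    req = AccessRequest("HVA", "external_vpn", user_flags={"device_new"})
    print(pep_decision(req))         # STEP_UP: new device over VPN asking for an HVA
    req.mfa_passed = True
    print(pep_decision(req))         # ALLOW once the MFA challenge succeeds
```

Because thresholds depend on the asset classification, the same user and device context that is allowed against an LVA can trigger a step-up or denial against an HVA, which is the point of the assessment factors in the list above.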
Products typical in ZeroTrust
• HVA and IdAM audit
• Access Management
• MFA
• Micro-Segmentation
• CA/PKI (on end point) / HSM
• Certification Management
• UEBA
• NAC
• Universal Network Inspection Point
• Analytics Data Lake/Automation Engine
• End Point Mgmt/Patching (MDM for mobile)
• IOT
ZeroTrust OEM mappings
• Access Management – Okta, Ping, Oracle, Quest, Microsoft
• MFA – Okta, Duo, Ping, Microsoft
• Micro-Segmentation – Illumio, (no to VMware/PAN/Cisco)
• Workload Access and Protection – F5, nginX, TrustWave, A10, Imperva
• Universal Network Inspection Point – Zscaler, PAN Prisma, traditional TICs.
Policy Enforcement Points (PEPs)
• NAC – Forescout, Cisco, Zscaler (ish)
• IOT – Ordr, Armis
• UEBA – Exabeam, Varonis (AD only)
• HVA and IdAM audit – Varonis, StealthBits, SailPoint
• CA/PKI (on end point) – Entrust, MobileIron / HSM – Thales, SafeNet AT
• Certification Management – Venafi, Symantec, AppViewX
• Analytics Data Lake – Splunk, Elastic, Exabeam, Cribl
• End Point Mgmt/Patching (MDM for mobile) – Tanium, BigFix, MobileIron, AirWatch, BlackBerry, Tachyon, CrowdStrike
About GuidePoint Security
SOLUTIONS PROVIDER
• Vendor Relationships
• Best-of-Breed Solutions
TECHNOLOGY INTEGRATION SERVICES
• Implementation
• Optimization
• Security Architecture
MANAGED SECURITY SERVICES
• deepwatch Detect
• deepwatch Identify VM
• deepwatch Protect
• deepwatch Respond
INFORMATION ASSURANCE SERVICES
• Application Security
• Governance, Risk, and Compliance (GRC) Services
• Incident Response
• Security Assessments
Thanks for listening
We Will Answer Questions Now
Contact
Jean-Paul Bergeaux, Federal CTO
T: 703-627-0776
jp@guidepointsecurity @guidepointsec
Benefits of Joining the SOSSEC Consortium
• Opportunity to perform work under seven (7) OTAs for the Air Force, Army and National Geospatial-Intelligence Agency
• Opportunity to build members’ business base by applying their technologies/expertise to meeting urgent DoD requirements
• Simple, streamlined process to compete for DoD work
• Average 60 days from requirements definition to award
• Flexible treatment of intellectual property
• OTA access to any DoD user with approval of OTA customer
SOSSEC Membership is Required for Award on PEO EIS, DCO Cyberspace Operations Broad Responsive Agreement (COBRA) Other Transaction Agreement (OTA)
Go to www.sossecinc.com and click on the JOIN NOW Tab to access the membership application. The process is simple and rapid. There is no joining fee and new members do not pay until January 2022. The yearly fee after that is $500. Membership is open to Industry (traditional, non-traditional, small business), not-for-profit and academic institutions that share the values of the SOSSEC Consortium. For questions about SOSSEC COBRA OTA, contact Jeff Carstairs at [email protected]