DCO COBRA and SOSSEC - CYBER TALK June 3, 2021 Presents – GuidePoint Security How To Revisit And Continue The Zero Trust Journey Post COVID-19 Presenter: Jean-Paul Bergeaux – Federal Chief Technology Officer


Page 1

DCO COBRA and SOSSEC - CYBER TALK, June 3, 2021

Presents – GuidePoint Security: How To Revisit And Continue The Zero Trust Journey

Post COVID-19

Presenter: Jean-Paul Bergeaux – Federal Chief Technology Officer

Page 2

June 3rd, 2021

ZeroTrust Security

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

John Trojanowski, Federal Account Executive

Page 3

GuidePoint Security

© Copyright GuidePoint Security LLC | 2

• Founded in October 2011 by industry experts

• Headquartered in Herndon, VA

• Certified as a Small Business

• About 500 employees with 65 percent being technical

• Amazon Web Services consulting partner

Page 4

What is ZeroTrust?

“At the most basic level, zero trust is about protecting your applications [and data] by ensuring that only securely authenticated users and devices have access to them.” CSO Online

Page 5

ZeroTrust ACT-IAC Report

Graphic Source: Microsoft

In general, Zero Trust:

• provides a consistent security strategy for users accessing data that resides anywhere, from anywhere, in any way;

• assumes a “never trust and always verify” stance when accessing services and/or data;

• requires continuous authorization no matter what the originating request location; and

• increases visibility and analytics across the network.

Additionally, Zero Trust depends on five fundamental assertions:

• the network is always assumed to be hostile;

• external and internal threats exist on the network at all times;

• network locality is not sufficient for deciding trust in a network;

• every device, user, and network flow is authenticated and authorized; and

• policies must be dynamic and calculated from as many sources of data as possible.

Page 6

ZeroTrust and COVID: “2020 year in review”

March 2020… Forced remote/virtual worker

• Immediate realization that security perimeters are a limitation. TIC only works if you go through it!

• VPN issues. Remote access issues. Cloud access and control issues.

• Suddenly the focus is on securing data and resources, not a network.

Sounds like ZeroTrust, right?

• ZeroTrust in focus!

• Secure the user, secure the data, secure the applications. Yes!

• Remote access versions of ZTE: Cloud-based Identity, SASE and Private Access solutions. OK….

• IT and security modernization on the MOVE! (thankfully, but wait…)

What happens when we go back in-person?

Page 7

Zero Trust doesn’t end now

Going back to on-premises doesn’t mean ending Zero Trust

Biden Executive Order: Zero Trust plan please?

We skipped Zero Trust basics out of desperation!

EVERY OEM SAYS THEY ARE ZERO TRUST!

Let’s revisit what ZeroTrust really is.

Page 8

ZeroTrust Graphic: NIST 800-207

Graphic source: NIST https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Page 9

ZeroTrust Graphic: ACT-IAC

Graphic source: ACT-IAC Zero Trust report

Page 10

ZeroTrust Graphic: Forrester Research ZTX

Graphic source: Forrester Research ZTX (eXtended ZeroTrust) Wave report

Page 11

ZeroTrust example architecture: Microsoft

Graphic Source: Microsoft

Page 12

ZeroTrust example architecture: Google

Graphic Source: beyondcorp.com

Page 13

ZeroTrust example architecture: NIST 800-207

Graphic source: NIST https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Page 14

ZeroTrust GuidePoint Security

Graphic Source: https://threatpost.com/practical-guide-zero-trust-security/151912/

Page 15

ZeroTrust GuidePoint Security – details

Graphic Source: https://threatpost.com/practical-guide-zero-trust-security/151912/

Page 16

Security That Works

What is it?

Data and Resource Focused: Protect what matters: not the network, but the data and the application workloads.

Action on Continuous Monitoring: Know the status of your network, your users and your resources, and use that status to make live, real-time decisions.

Active Integrated Security Architecture: Security tools should be integrated, not siloed, and work together through integration for an active defense!

Page 17

ZeroTrust workflow simplified

• What network are you on?

• Have you been validated?

• What device and what is the status?

• Who are you and what do I know about you?

• Assessment of risk?

• PEP grants access to Data and Applications?

Analytics + Trust Engine (SIEM + Automation)

Page 18

WAIT! Trust Engine? PEP? Explain please!

The Trust Engine is the decision maker of access.

A PEP is a Policy Enforcement Point (give access or deny)

A Trust Engine must then feed a PEP; a PEP can BE a TE.

Here’s the problem: THERE IS NO UNIVERSAL TRUST ENGINE

A PEP can be a trust engine if it has processing/automation capabilities.

The reality is that there will be multiple PEPs and likely multiple Trust Engines for different use cases throughout the environment.

Examples: Data, Cloud, Workload, IOT, Network Access

Page 19

Zero Trust Reset – 5 steps to deploy

Step 1: ZTE Readiness Assessment

- Gap Assessment of Critical Controls

- Potential PEP Solutions Available (Policy Enforcement Points)

- Current Security Controls API / Orchestration & Automation

- Governance and Logging maturity

Step 2: Environment Assessment

- HVA and VA Data discovery and mapping

- Map application / workload user access flow

- User and Identity assessment and clean-up

Step 3: Design/Architect ZeroTrust

- Application micro-segmentation plan

- PEP plan & Application/User access monitoring/policy (Data/Resource/Application/Priv Access) (First steps to Adaptive Authentication)

- Automation and Orchestration plan to feed decision engines

Step 4: Execute Cycle Initiatives

- Deploy PEP & application / user policy to maturity

- Map users to applications with contextual dependencies

- Test/Deploy risk scoring trust engine for Adaptive Authentication

Step 5: Assess Effectiveness

- Automated Pen Testing (BAS oriented)

- Crowdsourced Pen Testing / Tailored Pen Testing

- ZTE Maturity Assessment Engagement

- Return to Step 1

Page 20

ZeroTrust ALL OF IT

Device

- Managed or Un-Managed; CA/PKI confirmed trusted

- System Assessment: Time Since Seen, Patch/Vulnerability Status, Type of System

- Entity Behavioral Analytics Score (Pre-Attempt): Device/Network consistent

User/ABAC/RBAC

- Internal or External User; Attributable User to System? (Directory Services)

- User Risk Score (Pre-Attempt) (Insider Threat/UEBA)

- MFA Challenge (Hard Token PKI-CAC / Soft Token)

- User Risk Score (Per Attempt): Geo acceptable? Geo new to user? Time new to user? Device new to user? Device – Group check

- Biometric challenge available?

- TIC – Security Stack (Ingress-Egress/SaaS)

Analytics / Trust Engine

- Assessment Determination: High Value Asset (HVA), Moderate Value Asset (MVA), Low Value Asset (LVA); Normal User or Priv User? (Admin)

- Assessment Factors: Classification (None/Secret/TS/Compartment) (IL2, IL4, IL6); Business Value; Compliance (PII/PCI/HIPAA/FISMA)

- Application Type: On-Prem Internal App; Externally Available Internal App (DMZ/IaaS/SaaS); Externally Available Public App (DMZ/IaaS/SaaS)

Network

- Type of Network Location: Core Enterprise Network, Remote Enterprise Network, External Network (w/ VPN), External Network (w/o VPN), Geo Location
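The Trust Engine feeding a PEP, as described on the "Trust Engine? PEP?" slide, scored over the device, user, network and asset factors listed above, as an added Python illustration; this is not GuidePoint's code, and the AccessRequest fields, weights and thresholds are assumed values chosen for the demo:

```python
"""Toy Trust Engine feeding a PEP, built from the device/user/network/asset
factors on the slide above.  Added illustration, not GuidePoint code; every
weight and threshold here is an assumed value chosen for the demo."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    asset_value: str        # "HVA", "MVA" or "LVA" (assessment determination)
    privileged: bool        # normal user or priv user (admin)?
    managed_device: bool    # managed and CA/PKI-confirmed trusted device
    patched: bool           # patch / vulnerability status acceptable
    days_since_seen: int    # device "time since seen"
    network: str            # "core", "remote", "external_vpn" or "external"
    new_geo: bool           # geo new to this user (per-attempt factor)
    new_device: bool        # device new to this user (per-attempt factor)
    off_hours: bool         # time new to this user (per-attempt factor)
    ueba_score: int         # pre-attempt user risk score 0-100 (insider threat / UEBA)
    mfa_passed: bool        # hard/soft token challenge already satisfied


NETWORK_RISK = {"core": 0, "remote": 10, "external_vpn": 20, "external": 35}
ASSET_CEILING = {"HVA": 30, "MVA": 50, "LVA": 70}   # max score for a silent allow


def risk_score(r: AccessRequest) -> int:
    """Sum per-factor penalties; higher is riskier (weights are assumed)."""
    return (NETWORK_RISK[r.network]
            + (0 if r.managed_device else 30)
            + (0 if r.patched else 15)
            + (10 if r.days_since_seen > 30 else 0)
            + (15 if r.new_geo else 0)
            + (15 if r.new_device else 0)
            + (5 if r.off_hours else 0)
            + r.ueba_score // 4)


def trust_engine(r: AccessRequest) -> str:
    """Decision maker: 'allow', 'step_up_mfa' (adaptive authentication) or 'deny'."""
    if r.asset_value == "HVA" and not r.managed_device:
        return "deny"                      # unmanaged endpoints never reach an HVA
    ceiling = ASSET_CEILING[r.asset_value] - (10 if r.privileged else 0)
    score = risk_score(r)
    if score <= ceiling:
        return "allow"
    if score > ceiling + 30:
        return "deny"
    return "allow" if r.mfa_passed else "step_up_mfa"


def pep(r: AccessRequest, challenge_ok: bool = True) -> bool:
    """Policy Enforcement Point: opens the resource only on an 'allow' from the engine.
    On 'step_up_mfa' it challenges the user (outcome simulated by challenge_ok) and
    re-submits the request to the engine with mfa_passed set."""
    decision = trust_engine(r)
    if decision == "step_up_mfa":
        decision = trust_engine(replace(r, mfa_passed=True)) if challenge_ok else "deny"
    return decision == "allow"
```

The same request can land in different outcomes purely because of asset value or privilege, which is the point of keeping the score and the per-asset ceiling separate.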

Page 21

Products typical in ZeroTrust

• HVA and IdAM audit

• Access Management

• MFA

• Micro-Segmentation

• CA/PKI (on end point) / HSM

• Certification Management

• UEBA

• NAC

• Universal Network Inspection Point

• Analytics Data Lake/Automation Engine

• End Point Mgmt/Patching (MDM for mobile)

• IOT

Page 22

ZeroTrust OEM mappings

• Access Management – Okta, Ping, Oracle, Quest, Microsoft

• MFA – Okta, Duo, Ping, Microsoft

• Micro-Segmentation – Illumio, (no to VMware/PAN/Cisco)

• Workload Access and Protection – F5, NGINX, TrustWave, A10, Imperva

• Universal Network Inspection Point – Zscaler, PAN Prisma, traditional TICs.

Policy Enforcement Points (PEPs)

• NAC – Forescout, Cisco, Zscaler *(ish)

• IOT – Ordr, Armis

• UEBA – Exabeam, Varonis (AD only)

• HVA and IdAM audit – Varonis, StealthBits, SailPoint

• CA/PKI (on end point) – Entrust, MobileIron / HSM – Thales, SafeNet AT

• Certification Management – Venafi, Symantec, AppViewX

• Analytics Data Lake – Splunk, Elastic, Exabeam, Cribl

• End Point Mgmt/Patching (MDM for mobile) – Tanium, BigFix, MobileIron, AirWatch, BlackBerry, Tachyon, CrowdStrike

Page 23

About GuidePoint Security

SOLUTIONS PROVIDER

• Vendor Relationships

• Best-of-Breed Solutions

TECHNOLOGY INTEGRATION SERVICES

• Implementation

• Optimization

• Security Architecture

MANAGED SECURITY SERVICES

• deepwatch Detect

• deepwatch Identify VM

• deepwatch Protect

• deepwatch Respond

INFORMATION ASSURANCE SERVICES

• Application Security

• Governance, Risk, and Compliance (GRC) Services

• Incident Response

• Security Assessments

Page 24

Thanks for listening. We Will Answer Questions Now

Page 25

Contact

Jean-Paul Bergeaux

E: [email protected]

T: 703-627-0776

jp@guidepointsecurity @guidepointsec

Federal CTO

Page 26

Benefits of Joining the SOSSEC Consortium

• Opportunity to perform work under seven (7) OTAs for the Air Force, Army and National Geospatial-Intelligence Agency

• Opportunity to build members’ business base by applying their technologies/expertise to meeting urgent DoD requirements

• Simple, streamlined process to compete for DoD work

• Average 60 days from requirements definition to award

• Flexible treatment of intellectual property

• OTA access to any DoD user with approval of OTA customer

SOSSEC Membership is Required for Award on the PEO EIS, DCO Cyberspace Operations Broad Responsive Agreement (COBRA) Other Transaction Agreement (OTA)

Go to www.sossecinc.com and click on the JOIN NOW Tab to access the membership application. The process is simple and rapid. There is no joining fee and new members do not pay until January 2022. The yearly fee after that is $500. Membership is open to Industry (traditional, non-traditional, small business), not-for-profit and academic institutions that share the values of the SOSSEC Consortium. For questions about SOSSEC COBRA OTA, contact Jeff Carstairs at [email protected]