Great Power, Great Responsibility: Least Privilege Security with AppDefense
Chris Corde, Senior Director, Product Management, VMware, Inc.
Session SAI3219BE, VMworld 2018 (slide transcript, 28 pages)

Page 1

#vmworld

Great Power, Great Responsibility

Least Privilege Security with AppDefense

Chris Corde, Senior Director, Product Management, VMware, Inc.

SAI3219BE

#SAI3219BE

VMworld 2018 Content: Not for publication or distribution

Page 2

©2018 VMware, Inc.

Forecasted Growth in Overall Global IT Spend: to reach $3.7 trillion in 2018, an increase of 4.5% from 2017

Growth in Security Spend: $91.4 billion in 2018, up 10.2% since 2017

Increase in Security Losses: $600 billion in 2017, up 26% since 2014

Sources: Center for Strategic and Int’l Studies, Economic Impact of Cybercrime, February 2018; Gartner Press Release, Gartner Says Global IT Spending to Reach $3.7 Trillion in 2018, January 16, 2018, https://www.gartner.com/en/newsroom/press-releases/2018-01-16-gartner-says-global-it-spending-to-reach-37-trillion-in-2018; IDC, Worldwide Semiannual Security Spending Guide, #US42570018, March 2018

Page 3

Security Controls

Page 4

Modernization

Data Center / Cloud Infrastructure: Compute, Network, Storage

End User Infrastructure: Users, Devices, Access

Apps, Data

Agile

Threat Landscape: Organized Crime, Nation States, Hacktivists

Page 5

Dynamics of an Attack

Attack phases: Infiltration, Propagation, Extraction, Exfiltration

Attacker

Defender

Page 6

Dynamics of an Attack (continued; same diagram as Page 5)

Page 7

To Gain Advantage on Attackers We Must Protect Critical Applications Through Least Privilege

Page 8

Changing the Application Security Model: From Chasing Bad to Ensuring Good

[Diagram: processes running on an OS, with the figures 75,000,000 and 75 contrasted under "Chasing Bad" and "Ensuring Good"]

Devices, Users, Access, Compute, Network, Data

Page 9

Posture

Threat

Page 10

We Believe We Should Focus More on Core Protection Strategies: Gartner Market Guide for Cloud Workload Protection Framework

Controls hierarchy, from the top (optional, less critical) to the bottom (foundational, core):

• Optional Server Protection Strategies (less critical): AV; Deception; HIPS with Vulnerability Shielding

• Server Workload EDR / Behavioral Monitoring

• Core Server Protection Strategies (foundational): Exploit Prevention / Memory Protection; Application Control / Whitelisting; System Integrity Monitoring / Management; Network Firewalling, Segmentation and Visibility; Hardening, Configuration and Vulnerability Management

• Important, but often provided outside of CWPP: IaaS Data at Rest Encryption

• Operations Hygiene: No arbitrary code; No email, web client; Admin Privilege Management; Change Management; Log Management; Restricted Physical and Logical Perimeter Access

Figure 1. Cloud Workload Protection Controls Hierarchy, © 2018 Gartner, Inc.

Source: Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, March 26th 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. Charts/graphics created by VMWare based on Gartner research.


Page 11

Cyber Threats / Residual Risk

Cyber Hygiene / Attack Surface

Encryption, Micro-Segmentation, Patching, Least Privilege, Multi-Factor Authentication

Apps, Data

Page 12

Uncle Ben

“With Great Power Comes Great Responsibility”

Page 13

Gartner, How to Plan, Implement and Operate a Successful Application Whitelisting Deployment, Jon Amato, 23 March 2018

“Organizations with application whitelisting deployed report that greater than 90% of all alerts are the result of legitimate software behaving in unexpected or previously unobserved ways, rather than actual malicious or undesirable user behavior”

So Why Not?

Page 14

Enforcing the Intended State

Learn: Capture & Analyze

Protect: Detect & Respond

Apps, Data

Page 15

Learn: Capture & Analyze

Intended State Engine (vCenter, ESX, AppScope), with inputs from off-the-shelf apps (OTS software, database), custom apps (CI/CD pipeline), provisioning systems, automation frameworks and machine learning

Output: VM Manifests

(Protect: Detect & Respond shown alongside)

Apps, Data

Page 16

Protect: Detect & Respond

Lock: Protected Zone containing the OS, its processes, the AppDefense Monitor and the VM Manifest

Detect

Respond (Compute and Network): Snapshot, Suspend, Block/Alarm, Quarantine, Network Blocking, Service Insertion

(Learn: Capture & Analyze shown alongside)

Apps, Data

Page 17

Adapt

Learn: Capture & Analyze. Intended State Engine (vCenter, ESX, AppScope) with inputs from off-the-shelf apps (OTS software, database), custom apps (CI/CD pipeline), provisioning systems, automation frameworks and machine learning, producing VM Manifests

Protect: Detect & Respond. Protected zone (OS, processes, AppDefense Monitor, VM Manifest); responses on Compute and Network: Snapshot, Suspend, Block/Alarm, Quarantine, Network Blocking, Service Insertion…

Agile

Apps, Data

Page 18

Operational Pitfalls of Traditional Whitelisting: Why Customers Can’t Deploy Zero-Trust More Broadly

Limited Server Real Estate for Security Agents

Lack of Isolation – trusting controls running within the attacker’s domain

Difficulty with behavioral threats

Manual rule creation

Understanding the unknown

DEALING WITH CHANGE!

Page 19

Limited Server Real Estate for Security Agents: They Are Avoided at All Cost in the Datacenter

• In servers, availability and performance are at a premium and of utmost importance

• Security agents are cumbersome and often bog down system performance by collecting/monitoring data that is unnecessary

• Security professionals do not typically have direct access to manage the security agent lifecycle

• AppDefense is an embedded component in ESX 6.5 and above and runs within VMtools

• Avoids separate agent install & lifecycle management

• Optimized performance for virtual environments

Page 20

Lack of Isolation: Difficult to trust protection running within the same domain as the attacker

Traditional Agents: the security agent runs within untrusted space, alongside the processes and OS it is meant to protect

AppDefense Integrity: isolated detection/control; each VM runs its processes and OS, with the AppDefense Monitor and Manifest shown within a Protected zone

Page 21

Manual Rule Creation: Capture the purpose and intended state of applications and VMs

Learn: Capture and Analyze. Intended State Engine (vCenter, ESX, AppScope) takes input from off-the-shelf apps (OTS software, database), custom apps (CI/CD pipeline), provisioning systems, automation frameworks and machine learning, and produces Manifests

Page 22

Complete Application Behavioral Awareness

Page 23

Adaptive Whitelisting: Use Population Analysis to Adjust/Deal with Software and Behavioral Change

Machine Learning

• Machine learning built to understand the behavior of known good applications rather than hunt for malicious behavior

• Distributed consensus for verification

• Gives AppDefense a more authoritative and repeatable set of behaviors to model against

• Allows the system to understand legitimate software change more effectively and adapt the ruleset

• THIS CAPABILITY IS CRITICAL TO OPERATIONALIZE ANY ZERO TRUST INITIATIVE!
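As an added example (not AppDefense code or VMware's algorithm), a small Python model of the Learn / Protect / Adapt loop these slides describe: a per-scope manifest of allowed process behaviors, per-VM detection of deviations, population consensus that promotes a change seen across most VMs into the manifest, and a response for what remains. The behavior representation, the 80% threshold, the response policy and the sample VM events are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Illustrative model only (constructed for this example, not AppDefense code).
# A behaviour is a (process_name, destination_port) pair.
@dataclass
class Manifest:
    """Intended state for one application scope: the allowed behaviours."""
    allowed: set = field(default_factory=set)

def detect(manifest, observed):
    """Per-VM deviations: observed is {vm_id: set of behaviours seen on that VM}."""
    return {vm: evs - manifest.allowed for vm, evs in observed.items()}

def population_consensus(deviations, population, threshold=0.8):
    """Split deviations into behaviours seen on >= threshold of the population
    (likely legitimate software change) and the residue seen on few VMs."""
    counts = Counter(ev for evs in deviations.values() for ev in evs)
    promote = {ev for ev, n in counts.items() if n / population >= threshold}
    residue = {vm: evs - promote for vm, evs in deviations.items() if evs - promote}
    return promote, residue

def adapt(manifest, deviations, population, threshold=0.8):
    """Adaptive whitelisting: fold consensus behaviours into the manifest and
    return the per-VM residue that still needs a response."""
    promote, residue = population_consensus(deviations, population, threshold)
    manifest.allowed |= promote
    return residue

def respond(residue):
    """Constructed response policy: alarm on one unknown behaviour, quarantine
    a VM that shows several (the slides list both as available responses)."""
    return {vm: "quarantine" if len(evs) > 1 else "alarm" for vm, evs in residue.items()}

# Constructed sample: a web tier of five VMs whose manifest allows nginx to serve
# 443 and reach the database on 5432. After a rollout nginx also exposes a
# metrics port (9100) everywhere; one VM additionally shows two unrelated processes.
BASELINE = {("nginx", 443), ("nginx", 5432)}
OBSERVED = {
    "web-1": {("nginx", 443), ("nginx", 9100)},
    "web-2": {("nginx", 443), ("nginx", 9100)},
    "web-3": {("nginx", 443), ("nginx", 9100)},
    "web-4": {("nginx", 443), ("nginx", 9100), ("sh", 2222), ("curl", 80)},
    "web-5": {("nginx", 443), ("nginx", 5432), ("nginx", 9100)},
}

def run(baseline=BASELINE, observed=OBSERVED, threshold=0.8):
    """One Learn/Protect/Adapt cycle; returns (updated allowed set, responses)."""
    manifest = Manifest(set(baseline))          # fresh copy: baseline is not mutated
    residue = adapt(manifest, detect(manifest, observed), len(observed), threshold)
    return manifest.allowed, respond(residue)

if __name__ == "__main__":
    print(run())
```

With the sample above the metrics port is promoted into the manifest because all five VMs show it, while only web-4, with two behaviours nobody else exhibits, is left for a response.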

Page 24

Dealing with Change: Using Datacenter Orchestration to Update the Whitelisted Behaviors

Devices, Users, Access, Compute, Network, Data

Learn (Continuous Learning): Review, Readiness

Protect (Continuous Protection): Detect, Respond

Page 25

Dealing with Change: Using Datacenter Orchestration to Update the Whitelisted Behaviors

[Figure: the Gartner DevSecOps continuous loop with phases Plan, Create, Verify, Preprod, Release, Prevent, Detect, Respond, Predict and Adapt; practices Continuous Integration, Continuous Delivery, Continuous Deployment, Continuous Configuration, Continuous Monitoring, Continuous Learning and Continuous Improvement; Dev, Sec and Ops; Monitoring and Analytics surrounding the loop]

Figure 2: DevSecOps: Secure Development as a Continuous Improvement Process © 2017 Gartner, Inc.

Source: Gartner,10 Things to Get Right for Successful DevSecOps, Neil MacDonald, October 03 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. Charts/graphics created by VMWare based on Gartner research.

Page 26

How We Have Changed the Game: Vs. Traditional Whitelisting Solutions

Built-in to VMware – no additional agents to install

Protection offered by the vSphere hypervisor – maintaining system integrity

Combination of process execution and network behavior protection

Automated learning and verification

Machine Learning and Population Consensus

Adaptive Whitelisting

Page 27

DON’T FORGET TO FILL OUT YOUR SURVEY.

Page 28

THANK YOU!