TRANSCRIPT
#vmworld
Great Power, Great Responsibility
Least Privilege Security with AppDefense
Chris Corde, Senior Director, Product Management, VMware, Inc.
SAI3219BE
#SAI3219BE
VMworld 2018 Content: Not for publication or distribution
©2018 VMware, Inc.
• Forecasted Growth in Overall Global IT Spend: to reach $3.7 Trillion in 2018, an increase of 4.5% from 2017
• Growth in Security Spend: $91.4 Billion in 2018 (10.2% since 2017)
• Increase in Security Losses: $600 Billion in 2017 (26% since 2014)
Source: Center for Strategic and Int’l Studies, Economic Impact of Cybercrime, February 2018
Source: Gartner Press Release, Gartner Says Global IT Spending to Reach $3.7 Trillion in 2018, January 16, 2018, https://www.gartner.com/en/newsroom/press-releases/2018-01-16-gartner-says-global-it-spending-to-reach-37-trillion-in-2018
Source: IDC, Worldwide Semiannual Security Spending Guide, #US42570018, March 2018
Security Controls
Modernization
[Figure: Data Center / Cloud Infrastructure (Compute, Network, Storage); End User Infrastructure (Users, Devices, Access); Apps and Data; Agile]
Threat Landscape
[Figure: Organized Crime, Nation States, Hacktivists]
Dynamics of an Attack
[Figure: attacker phases Infiltration, Propagation, Extraction, Exfiltration, shown against the defender]
To Gain Advantage on Attackers We Must Protect Critical Applications Through Least Privilege
Changing the Application Security Model: From chasing bad to ensuring good
[Figure: a VM (OS and processes) under the two models, Chasing Bad (75,000,000) vs. Ensuring Good (75); layers Devices, Users, Access, Compute, Network, Data]
[Figure: Posture vs. Threat]
We Believe We Should Focus More on Core Protection Strategies
Gartner Market Guide for Cloud Workload Protection Framework
Less Critical / Optional Server Protection Strategies:
• AV
• Deception
• HIPS with Vulnerability Shielding
• Server Workload EDR / Behavioral Monitoring
• IaaS Data at Rest Encryption
Core Server Protection Strategies:
• Exploit Prevention / Memory Protection
• Application Control / Whitelisting
• System Integrity Monitoring / Management
• Network Firewalling, Segmentation and Visibility
• Hardening, Configuration and Vulnerability Management
Foundational (Important, but often provided outside of CWPP):
• Operations Hygiene: no arbitrary code, no email or web client
• Admin Privilege Management
• Change Management
• Log Management
• Restricted Physical and Logical Perimeter Access
Figure 1. Cloud Workload Protection Controls Hierarchy, © 2018 Gartner, Inc.
Source: Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, March 26th 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. Charts/graphics created by VMware based on Gartner research.
[Figure: Cyber Threats / Residual Risk; Cyber Hygiene / Attack Surface; hygiene controls around Apps and Data: Encryption, Micro-Segmentation, Patching, Least Privilege, Multi-Factor Authentication]
“With Great Power Comes Great Responsibility” (Uncle Ben)
So Why Not?
“Organizations with application whitelisting deployed report that greater than 90% of all alerts are the result of legitimate software behaving in unexpected or previously unobserved ways, rather than actual malicious or undesirable user behavior”
Source: Gartner, How to Plan, Implement and Operate a Successful Application Whitelisting Deployment, Jon Amato, 23 March 2018
Enforcing the Intended State
[Figure: cycle of Capture & Analyze, Learn, Protect, and Detect & Respond around Apps and Data]
Learn
[Figure: Capture & Analyze: the Intended State Engine (vCenter, ESX, AppScope) produces a VM Manifest per VM; inputs are Off-the-shelf apps (OTS software, database), Custom apps (CI/CD pipeline, provisioning systems, automation frameworks) and Machine Learning; applied to Apps and Data]
Protect
[Figure: Lock: a VM (OS and processes) inside the Protected Zone, watched by the AppDefense Monitor against its VM Manifest]
Detect & Respond
[Figure: response actions on Compute and Network: Snapshot, Suspend, Block/Alarm, Quarantine, Network Blocking, Service Insertion]
Adapt
[Figure: the full loop of Capture & Analyze, Learn, Protect, Detect & Respond and Adapt: the Intended State Engine (vCenter, ESX, AppScope) takes Off-the-shelf apps (OTS software, database), Custom apps (CI/CD pipeline, provisioning systems, automation frameworks) and Machine Learning as inputs and produces VM Manifests; the AppDefense Monitor watches each VM (OS and processes) in the Protected zone; response actions Snapshot, Suspend, Block/Alarm, Quarantine, Network Blocking, Service Insertion act on Compute and Network; Agile; Apps and Data]
Operational Pitfalls of Traditional Whitelisting: Why Customers Can’t Deploy Zero-Trust More Broadly
• Limited Server Real Estate for Security Agents
• Lack of Isolation: trusting controls running within the attacker's domain
• Difficulty with behavioral threats
• Manual rule creation
• Understanding the unknown
• DEALING WITH CHANGE!
Limited Server Real Estate for Security Agents: They are Avoided at all Cost in the Datacenter
• In servers, availability and performance are at a premium and of utmost importance
• Security agents are cumbersome and often bog down system performance by collecting and monitoring data that is unnecessary
• Security professionals do not typically have direct access to manage the security agent lifecycle
• AppDefense is an embedded component in ESX 6.5 and above and runs within VMtools
• Avoids a separate agent install and lifecycle management
• Optimized performance for virtual environments
Lack of Isolation: Difficult to trust protection running within the same domain as the attacker
[Figure: Traditional Agents (running within untrusted space): the security agent sits inside the guest OS alongside the processes; AppDefense Integrity (isolated detection/control): the AppDefense Monitor and Manifest sit in the Protected zone, outside each VM's OS and processes]
Manual Rule Creation: Capture the purpose and intended state of applications and VMs
[Figure: Learn / Capture and Analyze: the Intended State Engine (vCenter, ESX, AppScope) produces Manifests from Off-the-shelf apps (OTS software, database), Custom apps (CI/CD pipeline, provisioning systems, automation frameworks) and Machine Learning]
Complete Application Behavioral Awareness
Adaptive Whitelisting: Use Population Analysis to Adjust/Deal with Software and Behavioral Change
Machine Learning
• Machine learning built to understand the behavior of known good applications rather than to hunt for malicious behavior
• Distributed consensus for verification
• Gives AppDefense a more authoritative and repeatable set of behaviors to model against
• Allows the system to understand legitimate software change more effectively and adapt the ruleset
• THIS CAPABILITY IS CRITICAL TO OPERATIONALIZE ANY ZERO TRUST INITIATIVE!
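As an added illustration (not VMware's code and not AppDefense's actual algorithm), the following Python sketch models the population-consensus idea on this slide together with the learn/protect loop from the earlier slides: per-VM manifests of allowed process and network behaviors are learned, and in protect mode a deviation seen on a majority of the VMs in a scope is promoted into the manifests as legitimate software change, while an isolated deviation remains an alarm for a response action. The VM names, process names, ports and the consensus threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample scope of three web-tier VMs (not data from the deck).
# Each event is (vm, process, remote_port) as a hypervisor-side monitor might report it.
LEARNING_EVENTS = [
    ("web-01", "httpd", 443), ("web-01", "httpd", 5432),
    ("web-02", "httpd", 443), ("web-02", "httpd", 5432),
    ("web-03", "httpd", 443), ("web-03", "httpd", 5432),
]
# Protect phase: a rolled-out update makes httpd on every VM talk to a metrics
# collector (legitimate change); on web-02 alone an unknown binary opens a connection.
PROTECT_EVENTS = [
    ("web-01", "httpd", 9100), ("web-02", "httpd", 9100), ("web-03", "httpd", 9100),
    ("web-02", "unknownproc", 5555),
]


def learn_manifests(events):
    """Learn phase: build a per-VM manifest of allowed (process, port) behaviors."""
    manifests = defaultdict(set)
    for vm, proc, port in events:
        manifests[vm].add((proc, port))
    return dict(manifests)


def evaluate(manifests, events, consensus=0.5):
    """Protect phase with population analysis.

    Returns (adapted, alarms). A behavior outside a VM's manifest that appears on
    more than `consensus` of the VMs in the scope is treated as legitimate software
    change and added to every manifest; anything else stays a per-VM alarm that
    would drive a response action (block/alarm, suspend, quarantine, ...).
    """
    population = len(manifests)
    seen_on = defaultdict(set)
    for vm, proc, port in events:
        if (proc, port) not in manifests.get(vm, set()):
            seen_on[(proc, port)].add(vm)
    adapted, alarms = [], []
    for behavior, vms in seen_on.items():
        if len(vms) / population > consensus:
            adapted.append(behavior)
            for allowed in manifests.values():
                allowed.add(behavior)
        else:
            alarms.extend((vm, behavior) for vm in sorted(vms))
    return sorted(adapted), sorted(alarms)
```

Running `evaluate` a second time on the same events shows the adaptation: the promoted behavior no longer deviates, while the isolated one still alarms.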
Dealing with Change: Using Datacenter Orchestration to Update the Whitelisted Behaviors
[Figure: Learn, Review, Readiness, Protect, Detect, Respond in a loop of Continuous Learning and Continuous Protection across Devices, Users, Access, Compute, Network, Data]
Dealing with Change: Using Datacenter Orchestration to Update the Whitelisted Behaviors
[Figure: Dev, Sec and Ops loop of Plan, Create, Verify, Preprod, Release, Prevent, Detect, Respond, Predict, Adapt, under Continuous Integration, Continuous Delivery, Continuous Deployment, Continuous Configuration, Continuous Monitoring, Continuous Learning and Continuous Improvement, with Monitoring and Analytics]
Figure 2: DevSecOps: Secure Development as a Continuous Improvement Process © 2017 Gartner, Inc.
Source: Gartner, 10 Things to Get Right for Successful DevSecOps, Neil MacDonald, October 03 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. Charts/graphics created by VMware based on Gartner research.
How We Have Changed the Game: Vs Traditional Whitelisting Solutions
• Built-in to VMware: no additional agents to install
• Protection offered by the vSphere hypervisor, maintaining system integrity
• Combination of process execution and network behavior protection
• Automated learning and verification
• Machine Learning and Population Consensus
• Adaptive Whitelisting