Rethinking Security – CLOUDSEC 2016. Daniel Poole, Senior Security Solutions Engineer – EMEA North. Slide transcript (12 slides).

Page 1

Rethinking Security – CLOUDSEC 2016

Daniel Poole, Senior Security Solutions Engineer – EMEA North

Page 2

©2016 Gigamon. All rights reserved.

Bad Press

Page 3

Trying to Find the Needle: ARE YOU LOOKING AT THE RIGHT HAYSTACK?

Poor Architectural Options Have Led To Poor Results!

• Significant blind spots
• Extraordinary costs
• Contention for access to traffic
• Inconsistent view of traffic
• Blind to encrypted traffic
• Too many false positives

[Diagram: the same set of security tools (Forensics, Anti-Malware (Inline), Email Threat Detection, Data Loss Prevention, IPS (Inline), Intrusion Detection System) repeated three times across the network tiers: Internet, Routers, “Spine” Switches, “Leaf” Switches, Virtualized Server Farm]

Page 4

Typical Security/Network Deployment

[Diagram labels: Security Tool, Firewall, Firewall, Router, Internet, LAN]

Page 5

Inline Networks

[Diagram: two inline tools, A and B, one on each path. Traffic inbound via route A; traffic outbound via route B.]

As traffic is routed in via route A and out via route B, the B tool will drop the packet and the subsequent session analytics.

GRIP

[Diagram: the same two routes, with steps 1 and 2 showing the outbound traffic redirected to the tool that saw the inbound traffic.]

As traffic is routed from route A to route B, the HC ensures that traffic is sent back to the same tool before it continues out the outbound route. No packets or session information is lost.
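The failure and the fix described on this slide, as an added simulation that is not part of the deck: two stateful inline tools, a steering policy mirroring the route A / route B split, and a session-affine policy standing in for the HC's redirect back to the same tool. Addresses, ports and the one-tool-per-route split are constructed assumptions.

```python
import zlib
from collections import namedtuple

SERVER = "10.0.0.10"  # constructed address of the protected server
# syn is True only for the session-opening packet
Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))

def flow_key(p):
    """Direction-independent flow identity: both directions map to one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class StatefulTool:
    """Inline tool (e.g. an IPS) that forwards only packets of sessions it saw
    being opened; a mid-session packet with no matching state is dropped."""
    def __init__(self, name):
        self.name, self.sessions, self.dropped = name, set(), []
    def inspect(self, p):
        key = flow_key(p)
        if p.syn:
            self.sessions.add(key)
        if key in self.sessions:
            return True
        self.dropped.append(p)
        return False

def steer_by_route(p, n):
    """Asymmetric routing: towards the server via route A (tool 0), replies via route B (tool 1)."""
    return 0 if p.dst == SERVER else 1

def steer_by_flow(p, n):
    """Session-aware steering: hash the bidirectional key so both directions hit one tool."""
    return zlib.crc32(repr(flow_key(p)).encode()) % n

def run(steer, packets, n_tools=2):
    """Return (forwarded, dropped) packet counts under a steering policy."""
    tools = [StatefulTool(f"tool-{chr(65 + i)}") for i in range(n_tools)]
    forwarded = sum(tools[steer(p, n_tools)].inspect(p) for p in packets)
    return forwarded, sum(len(t.dropped) for t in tools)

# Constructed exchange: client SYN in via A, server SYN/ACK out via B, data in via A
EXCHANGE = [
    Packet("192.0.2.7", 40000, SERVER, 443, syn=True),
    Packet(SERVER, 443, "192.0.2.7", 40000),
    Packet("192.0.2.7", 40000, SERVER, 443),
]

if __name__ == "__main__":
    print("independent tools, asymmetric routes:", run(steer_by_route, EXCHANGE))  # (2, 1)
    print("session-affine steering:", run(steer_by_flow, EXCHANGE))  # (3, 0)
```

With the routes split across two independent tools, the server's reply reaches a tool with no session state and is dropped; hashing the bidirectional flow key keeps every packet of the session on one tool.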

Page 6

Context and Triangulation: LEVERAGE NETWORK “METADATA”!

[Diagram: User, Device, Application, Cloud, Virtual, Physical]

The Network Is The Single Most Content Rich Source of Truth!

NetFlow Generation

Page 7

Context and Triangulation: LEVERAGE NETWORK “METADATA!”

NetFlow Generation, metadata types:

• DNS query and response information
• User flow records and session information
• Kerberos and user login information
• Server, application connectivity information
• SSL certificate information
• HTTP request, response information
• DHCP query and response information
• URL access information

Page 8

Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.

Context and Triangulation: SPEEDING UP THE CYCLE

Security tools: Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (Inline), Anti-Malware (Inline), Forensics

GigaVUE-VM and GigaVUE® Nodes: Application Session Filtering, SSL Decryption, Inline Bypass, NetFlow / IPFIX Generation, Metadata Engine

Context and Intent-based Big Data Analytics

NetFlow Generation, metadata types:

• DNS query and response information
• DHCP query and response information
• URL access information
• HTTP request, response information
• SSL certificate information
• Kerberos and user login information
• Server, application connectivity information
• User flow records and session information

Page 9

The 1-2 Punch: Metadata + ASF. EXAMPLE: OPERATIONAL INTELLIGENCE FOR SECURITY ANALYTICS WITH SPLUNK

GigaVUE-VM and GigaVUE® Nodes: Application Session Filtering, SSL Decryption, Inline Bypass, NetFlow / IPFIX (Metadata) Generation

Splunk: Splunk App for Stream (Packets), Splunk App for Enterprise Security (IPFIX), Gigamon Visibility App for Splunk

Metadata types:

• DNS query and response information
• DHCP query and response information
• URL access information
• HTTP request, response information
• SSL certificate information
• Kerberos and user login information
• Server, application connectivity information
• User flow records and session information

Page 10

GigaSECURE®: INDUSTRY’S FIRST SECURITY DELIVERY PLATFORM

[Diagram: network tiers (Internet, Routers, “Spine” Switches, “Leaf” Switches, Virtualized Server Farm) feeding the Security Delivery Platform, which connects the tools: Intrusion Detection System, Data Loss Prevention, Email Threat Detection, IPS (Inline), Anti-Malware (Inline), Forensics]

Security Delivery Platform:

• Isolation of applications for targeted inspection
• Visibility to encrypted traffic for threat detection
• Inline bypass for connected security applications
• A complete network-wide reach: physical and virtual
• Scalable metadata extraction for improved forensics

GigaVUE-VM and GigaVUE® Nodes: NetFlow / IPFIX Generation, Application Session Filtering, SSL Decryption, Inline Bypass

• All tools still connected
• Fewer network touch points
• Enhanced tool efficiency
• Decreased OPEX costs

Page 11

Centralized Management using GigaVUE-FM

Confidential and Proprietary

Page 12

Unified Visibility Fabric™ Portfolio

[Diagram: layered portfolio, top to bottom]

Applications & Tools: Gigamon Applications; 3rd Party Apps (e.g. Splunk, Viavi); Infrastructure, User Community

Traffic Intelligence: FabricVUE™ Traffic Analyzer, De-duplication, Slicing, FlowVUE™, Masking, GTP Correlation, Header Stripping, Tunneling, SSL Decryption, Adaptive Packet Filtering, Application Session Filtering, Time Stamping, NetFlow Generation

Fabric Services: Flow Mapping®

Fabric Control (Management): GigaVUE-FM, Clustering, API

Inline Bypass

Visibility Fabric Nodes (Pervasive visibility across physical, virtual, remote sites, and future SDN production networks):

• H Series: GigaVUE-HD8, GigaVUE-HB1, GigaVUE-HC2, GigaVUE-HD4
• TA Series: GigaVUE-TA1 / TA10, GigaVUE-TA40, GigaVUE-OS on white box
• Virtual Visibility: GigaVUE-VM
• TAPs: G-TAP, G-TAP A Series, G-TAP BiDi, G-TAP M Series, Embedded TAPs
• G Series: GigaVUE-2404, GigaVUE-420, G-SECURE-0216