Software-Defined Segmentation - Challenges of Accelerated Enterprise December 11, 2019


Page 1: Software-Defined Segmentation - Challenges of Accelerated Enterprise · 2019. 12. 11. · Speaker At Consilio, Jonathan led the effort to develop, implement, and monitor a rigorous

Software-Defined Segmentation - Challenges of Accelerated Enterprise

December 11, 2019

Page 2:

Software-Defined Segmentation - Challenges of Accelerated Enterprise

Today’s web conference is generously sponsored by:

https://www.guardicore.com/

Page 3:

Moderator

Robert Martin is a Certified Information Systems Security Professional with over thirteen years of experience in information security. He holds a Master of Science in Network Technology with a concentration in Information Security. He also holds a Cyber Security Masters Certification. He is a Sr. Security Engineer for Cisco Systems, Inc. in RTP, NC. Robert specializes in areas such as risk management, regulatory compliance, security solutions architecture, security audits, vulnerability assessments, and penetration testing. From 2012-2015, Robert served as President of the Raleigh Chapter of the Information Systems Security Association. During that time, the chapter membership grew at a rate of 125%. Currently, Robert serves on the Raleigh ISSA Board as the Sponsorships Director. Robert is committed to serving the community through outreach by expanding the chapter's mission to students and military. He has held several other IT Security Advisory Board positions over the years, focused on bringing about awareness of information security threats in an ever-changing global IT Security economy.

Robert Martin, Sr. Security Engineer for Cisco Systems, Inc

Page 4:

Speaker

At Consilio, Jonathan led the effort to develop, implement, and monitor a rigorous global Information Security Management System to ensure compliance with ISO/IEC 27001 and SOC 2, Type 2 controls. Working in conjunction with the General Counsel and CIO, he currently directs all IT efforts to comply with global, national, and state privacy regulations and frameworks such as GDPR, Privacy Shield, HIPAA, and various U.S. and German state-level privacy regulations.

In a 3-year period, as the company more than quintupled in total revenue, he was responsible for growing the Information Security team from 3 to 10 full-time employees, while managing overall personnel costs and maintaining operational effectiveness by staffing positions in lower-cost locations throughout the company.

As part of a comprehensive company-wide metrics initiative, they identified measurable trends in user activity in various departments pertaining to the enterprise-wide Data Loss Prevention program, which enabled the identification and prevention of sensitive internal corporate data leaving the company.

Jonathan has extensive experience briefing both the senior executive team and board of directors on issues pertaining to Information Security and Cyber Risk Management. Currently, he assists the CIO in global strategic planning, including technology risk assessments for potential merger/acquisition targets. He leads the company's cross-functional Data Breach Incident Response team and regularly works with leaders of all operational groups to ensure that any security incidents are reported and mitigated in a timely manner.

Jonathan Fowler, CISO, Consilio

Page 5:

Software-Defined Network Segmentation

Page 6:

My Background

ISSA International 6

• Started career as an Intelligence Analyst assisting field agents working on major financial crimes.

• Transitioned to a stint as a corporate investigator working with companies on internal investigations (e.g. theft, harassment).

• In 2002, moved into digital/computer forensics, spent the next 13 years performing investigations and testifying as an expert witness in Federal and state courts.

• Spent last 4 years in various roles in Information Security, leading to current position.

• Committed the cardinal sin of saying "Shouldn't we have someone focused on security?"

Page 7:

Consilio Background

• Founded in 2002 (9 employees) to provide digital/computer forensics consulting services to corporate clients.

• In 2005, moved into the electronic discovery/disclosure space, offering a web-based document review platform and associated services.

• From 2005-2012, expanded operations into Europe (London, Frankfurt), India (Bangalore), and APAC (Tokyo, Hong Kong).

• Currently over 2,000 employees and 30+ locations around the world, managing approx. 5 petabytes of data from our clients.

Page 8:

The Business Issue

➢ Multiple business units need dedicated network resources, either for compliance purposes (privacy, contractual, financial) or to ensure that work performed on those resources cannot reach the production environment.

➢ Example: a globally-dispersed Digital Forensics group that needs a dedicated network space to conduct investigations that (a) allows them to use tools that will trip most network/endpoint sensors; and (b) is not accessible to anyone outside of the team.

2017 Annual Membership Meeting 8

Page 9:

Current Solution

➢ Create isolated VLANs for the group in each office location with separate access control policies and network protocols that are in use only by this group.

Page 10:

Current Solution

➢ Solution worked perfectly – each office location had a dedicated isolated VLAN that the group used for their work … what could go wrong???

Page 11:

Current Solution

“I’m gonna need you to go ahead and set up HR, Finance, Project Management, Admin, etc. with their own VLAN …”

Page 12:

The New Business Issue

➢ A small Network team that now has to actively manage multiple VLANs around the globe; and an even smaller Information Security team that has to audit policies on multiple VLANs around the globe.

Page 13:

What are some of the current pain points?

➢ Capital and operational costs of managing multiple VLANs in multiple environments

➢ Access control management and application access for cross-segment users

➢ Flexibility and agility to scale during M&A activity

➢ Most importantly – how to ensure that each isolated segment remains secure!!

Page 14:

How can SDNS (Software-Defined Network Segmentation) Help?

➢ Allows the business to quickly and easily define, create, and manage logical network segments based on operational need.

➢ Greater protection of critical assets by implementing more granular segmentation than would be feasible with a hardware-based approach – "microperimeters".

➢ Centralizes the deployment and management of policies for all network segments in one location.

➢ Provides a solid foundation for a zero trust environment.

Page 16:

Speaker

Dave Klein is the Senior Director of Engineering & Architecture for Guardicore. With more than 21 years of real-world cybersecurity experience he works with Guardicore teams, customers and industry thought leaders to address the challenges of securing modern hybrid cloud environments.

Dave encourages CISOs faced with securing their organizations to adopt security solutions and best practices that work easily and seamlessly across their heterogeneous environments.

Prior to Guardicore, Dave was the Engineering Manager for Forcepoint’s Federal Sector where he drove growth by adapting the company’s behavioral heuristics, Bayesian logic and predictive capabilities to defend US agencies against Insider and Advanced Persistent Threats. Dave also worked with other vendors, government and private sector entities on the NIST response to Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience. Before joining Forcepoint, Dave was a security leader at Cisco Systems. Always a visionary, Dave was responsible for key enhancements in Cisco Network Admission Control, Ironport Web and Mail Gateways and other core Cisco security offerings and led some of the largest sales engagements for US Federal security solutions. In the years preceding his work with Cisco, Dave worked for McAfee. His work there included working with the City of New York post 9/11 for three years, helping shore up cyber defenses and developing a National, State and Local Government engineering and sales team.

Dave has spoken on a wide variety of cybersecurity topics including micro-segmentation, cryptojacking, hybrid cloud

Dave Klein, Senior Director, Engineering & Architecture, Guardicore

Page 17:

Software-Defined Segmentation - Challenges of Accelerated Enterprise

Dave Klein, Senior Director of Engineering & Architecture, Guardicore

Page 18:

The Paradigm Has Changed…

… but We WILL Succeed!

Page 19:

The Era of Software-Defined Segmentation

Current Challenges

✓ Even in enterprises that haven't moved to cloud.
✓ Even in traditional environments and use cases.

Page 20:

The Era of Software-Defined Segmentation

Current Challenges: For Both…

Page 21:

The Era of Software-Defined Segmentation

Current Challenges: For IT… Visibility & Management

Page 22:

Penrose Triangle – The "Impossible Triangle"

Figure labels: FAST INNOVATION, SECURE

Page 23:

The Paradigm Has Changed

Business Demands:
✓ Accelerated Delivery
✓ Essential Competitive Differentiation
✓ Efficiencies & Savings
✓ Integrations & Access

DevOps Model:
✓ Playbooks/Scripting
✓ Provisioning
✓ Automation/Autoscaling
✓ Cloud Models*

* Even companies only on-premises

Security Solutions:
✓ Speed
✓ DevOps Friendly
✓ Automatable
✓ Works Across Entire Enterprise
✓ Visibility & Granular Enforcement
✓ Done Once – Done Right

We WILL Be Successful!

Page 24:

The Era of Software-Defined Segmentation

Software-Defined Segmentation

The Solution

Page 25:

Based on this Model…

Page 26:

High Level Checklist

Security Solutions:
✓ Speed
✓ DevOps Friendly
✓ Automatable
✓ Works Across Entire Enterprise
✓ Visibility & Granular Enforcement
✓ Done Once – Done Right

For clearing the path for Software-Defined Segmentation, and for all other upcoming projects as well.

Page 27:

Learning from Traditional Segmentation Fails

Page 28:

Traditional Segmentation

Platform specific:
• VLANs for on-premises only
• Security groups only for cloud
• Security groups per VPC per cloud provider

Multiple Segmentation Techniques Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity

Diagram: VLANs & ACLs (Premises) | Security Groups (Clouds)

Page 29:

Traditional Segmentation – Management & Resource Intensive

• Multiple management platforms means resource and cost intensive
• "It takes me months to change VLANs"
• "IP address changes are a nightmare"
• Delays, stalled or failed projects

Page 30:

Traditional Segmentation – Zero Visibility

• Can't easily identify traffic flows & app dependencies
• Leads to delays, false-positive blocks
• Production downtime

Page 31:

Traditional Segmentation – Lack of Granularity

Policies are only IP address & port based!

Doesn't segment enough! Doesn't reduce risk! Doesn't lead to compliance!

Page 32:

Traditional Segmentation – NO PROCESS LEVEL POLICIES

Desired rule (diagram): nginx on the Proxy Server may reach Tomcat on the Web Server over port 443; the "evil" process on the same Proxy Server may not.

Page 33:

Traditional Segmentation – NO IDENTITY BASED RULES

Desired rule (diagram): Alison and Diane both use putty from the jumpbox to sshd; as laid out on the slide, Alison reaches the diagnostics server and Diane reaches the accounting server.


Page 35:

Traditional Segmentation – NO IDENTITY BASED RULES

Actual with VLANs, ACLs & Security Groups: Identity based policies? = NO

Policies are only IP address & port based! Both users connecting from the jumpbox via putty to sshd get the same access to diagnostics and accounting.

Page 36:

Traditional Segmentation – NO FQDN RULES

Desired rule (diagram): DevOps Web Servers (Ubuntu) may reach GitHub on the Internet over port 443; DevOps Other Servers may not.

Page 37:

Traditional Segmentation – NO FQDN RULES

Actual with VLANs, ACLs & Security Groups: FQDN based policies? = NO

Policies are only IP address & port based!

Page 38:

Software-Defined Segmentation – Key Elements: Policy Black Lists

Deny list (diagram): Production – ftpd, telnetd, tftpd – root – any. Not Possible With Traditional Segmentation.
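The three "desired rule" diagrams (by process, by identity, by FQDN) and the deny list above can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not Guardicore's policy engine and not code from the presentation. The hosts, users, processes, flows and addresses (taken from the RFC 5737 documentation ranges) are constructed, and the rule semantics (a field left unset is a wildcard, deny rules are checked before allow rules, default deny) are assumptions chosen for the illustration. It evaluates the same eight flows against an IP/port-only policy of the kind a VLAN ACL or security group can express and against the granular policy the slides ask for, and reports where the two disagree.

```python
"""Contrast of IP/port-only (L4) rules with process-, user- and FQDN-aware rules.
Added illustration for the slides above; not Guardicore code. All hosts, users,
processes, addresses (RFC 5737 documentation ranges) and flows are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str = ""       # process that opened the connection (source side)
    user: str = ""          # local user that process runs as
    dst_process: str = ""   # listening process on the destination
    dst_fqdn: str = ""      # resolved name of the destination, if known


FIELDS = ("src_ip", "dst_ip", "dst_port", "process", "user", "dst_process", "dst_fqdn")


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    process: Optional[str] = None
    user: Optional[str] = None
    dst_process: Optional[str] = None
    dst_fqdn: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        # a field left as None on the rule is a wildcard; every set field must match exactly
        return all(getattr(self, k) is None or getattr(self, k) == getattr(f, k) for k in FIELDS)


def evaluate(policy: List[Rule], f: Flow) -> str:
    """Deny rules (the slide's 'black list') take precedence over allows; default is deny."""
    if any(r.action == "deny" and r.matches(f) for r in policy):
        return "deny"
    return "allow" if any(r.action == "allow" and r.matches(f) for r in policy) else "deny"


# Constructed hosts. GITHUB_OLD/GITHUB_NEW stand for the name's address having changed.
PROXY, WEB, JUMPBOX = "192.0.2.10", "192.0.2.20", "192.0.2.5"
DIAG, ACCT = "192.0.2.41", "192.0.2.42"
DEVOPS_WEB, DEVOPS_OTHER = "192.0.2.51", "192.0.2.52"
GITHUB_OLD, GITHUB_NEW = "203.0.113.10", "203.0.113.11"

FLOWS: Dict[str, Flow] = {
    "nginx_to_tomcat":        Flow(PROXY, WEB, 443, "nginx", "www-data", "tomcat"),
    "evil_to_tomcat":         Flow(PROXY, WEB, 443, "evil", "www-data", "tomcat"),
    "alison_to_diagnostics":  Flow(JUMPBOX, DIAG, 22, "putty", "alison", "sshd"),
    "diane_to_diagnostics":   Flow(JUMPBOX, DIAG, 22, "putty", "diane", "sshd"),
    "diane_to_accounting":    Flow(JUMPBOX, ACCT, 22, "putty", "diane", "sshd"),
    "telnetd_on_8080":        Flow(JUMPBOX, WEB, 8080, "telnet", "root", "telnetd"),
    "devops_web_to_github":   Flow(DEVOPS_WEB, GITHUB_NEW, 443, "git", "deploy", "", "github.com"),
    "devops_other_to_github": Flow(DEVOPS_OTHER, GITHUB_NEW, 443, "git", "deploy", "", "github.com"),
}

# What VLAN ACLs and cloud security groups can express: source, destination, port.
L4_POLICY = [
    Rule("allow", src_ip=PROXY, dst_ip=WEB, dst_port=443),
    Rule("allow", src_ip=JUMPBOX, dst_ip=DIAG, dst_port=22),
    Rule("allow", src_ip=JUMPBOX, dst_ip=ACCT, dst_port=22),
    Rule("allow", src_ip=JUMPBOX, dst_ip=WEB, dst_port=8080),           # "admin console" exception
    Rule("allow", src_ip=DEVOPS_WEB, dst_ip=GITHUB_OLD, dst_port=443),  # pinned to a stale address
]

# The rules the slides call "desired": by process, by user, by FQDN, plus a deny list.
GRANULAR_POLICY = [
    Rule("allow", process="nginx", dst_process="tomcat", dst_port=443),
    Rule("allow", user="alison", process="putty", dst_ip=DIAG, dst_process="sshd"),
    Rule("allow", user="diane", process="putty", dst_ip=ACCT, dst_process="sshd"),
    Rule("allow", src_ip=DEVOPS_WEB, dst_fqdn="github.com", dst_port=443),
    Rule("allow", src_ip=JUMPBOX, dst_ip=WEB, dst_port=8080),
    Rule("deny", dst_process="ftpd"), Rule("deny", dst_process="telnetd"), Rule("deny", dst_process="tftpd"),
]


def verdicts(policy: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(policy, f) for name, f in FLOWS.items()}


def differences() -> Dict[str, tuple]:
    """Flows where the two policies disagree: {name: (l4_verdict, granular_verdict)}."""
    l4, gran = verdicts(L4_POLICY), verdicts(GRANULAR_POLICY)
    return {n: (l4[n], gran[n]) for n in FLOWS if l4[n] != gran[n]}


if __name__ == "__main__":
    for name, (a, b) in differences().items():
        print(f"{name:24s} L4={a:5s} granular={b}")
```

Four flows come out differently: the "evil" process, Diane reaching diagnostics, and telnetd listening on an allowed port are all permitted by the L4 policy and blocked by the granular one, while the DevOps web server's GitHub fetch is blocked by the L4 policy (the pinned address is stale) and allowed by the FQDN rule. That last case is the "IP address changes are a nightmare" false-positive block from the earlier slide.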

Page 39:

Learning from Firewall Segmentation Fails

Page 40:

Traditional Segmentation – Firewalls

Perimeter Based Firewalls:
• Not at the right location
• Doesn't follow the workloads
• Cost prohibitive

Page 41:

Traditional Segmentation – Firewalls

Perimeter Based Firewalls: you need to be everywhere.

Page 42:

Learning from First Generation Software-Defined Segmentation Fails

Page 43:

First Gen Software Defined Segmentation Vendors

Three kinds: vendors who focus on hypervisor(s); vendors who use agents with enforcement done by native OS firewalls; vendors who offer limited visibility through a secondary or tertiary package.

Vendors who focus on hypervisor(s):
• Means L4 policies – same problems as traditional segmentation methods
• Not platform agnostic; have to have the hypervisor firewall proximity
• Two of the three vendors in this space have moved on to non-hypervisor methods using agents

Page 44:

First Gen SDS Vendors

Vendors who use agents with enforcement done by native OS firewalls:
• In Linux this means iptables, which gives the same L4 IP- and port-only policies as traditional methods (iptables' owner match can restrict locally generated traffic by UID/GID, but there is no match on process name or FQDN)
• In Windows you have better granularity, but you are still missing other important policy types
• No black lists / deny lists in these vendors' policy models
• Means you are fighting local admins for the policies on the box
• More latency in native OS firewalls

#1 ISSUE FOUND TODAY IN MOST SOLUTIONS

Page 45:

First Gen SDS Vendors

Vendors who offer limited visibility through a secondary or tertiary package:
• Integrated visibility is essential in order to create appropriate labels and policies
• It accelerates segmentation projects
• Visibility is what keeps you from blocking flows and dependencies you did not know about

Page 46:

Use Cases & Name

Page 47:

A Point on the Name

• Also known as Micro-Segmentation
• But the term is often misconstrued/misinterpreted as a single use case where segmentation is used between the tiers of an application.
• Software-Defined Segmentation is a better term for the solution.
• Hundreds of use cases where Software-Defined Segmentation can be utilized.

Page 48:

Sample Software-Defined Segmentation Use Cases

STRATEGY:
• Start with low hanging fruit
• What matters most
• Will make the biggest difference

Categories: Digital Crown Jewels Protection; Compliance; Data Center Transformation; Zero Trust

Page 49:

Sample Software-Defined Segmentation Use Cases – Digital Crown Jewels Protection

• Point of Sale Systems
• Medical Devices
• Dev/User Acceptance/Production Environment Separation
• Separation of IoT/Building Controls/Users/Data Centers
• Protection of Legacy Apps/OS'
• Micro-Segmentation Between Tiers of an Application

Page 50:

Sample Software-Defined Segmentation Use Cases – Compliance

• PCI
• SWIFT
• HIPAA
• GDPR
• California Privacy
• NY SHIELD

Page 51:

Sample Software-Defined Segmentation Use Cases – Data Center Transformation

• Mergers & Acquisitions
• Cloud Migration
• Hybrid Cloud Integration

Page 52:

Sample Software-Defined Segmentation Use Cases – Zero Trust

Page 53:

Sample Software-Defined Segmentation Use Cases – Zero Trust

Guardicore Infection Monkey – free, open source, safe tool

Website: https://www.guardicore.com/2019/10/guardicore-infection-monkey-for-zero-trust

Video: https://www.youtube.com/watch?v=z4FNu3WCd9o

Page 54:

Who is Involved?

Page 55:

Who Drives Software-Defined Segmentation?

Who Initiates The Project? CISO/Security Exec | Infrastructure | DevOps

Page 56:

Who Drives Software-Defined Segmentation?

Who Initiates The Project? CISO/Security Exec | Infrastructure | DevOps

70% 30%

Page 57:

Who Drives Software-Defined Segmentation?

Who Is Involved In The Project? CISO/Security Exec | Infrastructure | DevOps

Page 58:

What are the Steps?

Page 59:

5 Steps To Software Defined Segmentation

1. Discover, Visualize & Map
2. Label & Group
3. Define Policies
4. Monitor & Refine
5. Enforce
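The five steps as a runnable sketch over constructed data. This is an added example written for this page, not Guardicore's tooling or code from the presentation. The flow records, the inventory labels and all addresses are made up; the (env, app, role) label schema, the "unlabeled" placeholder for unknown hosts, and the rule that cross-environment flows are sent for review rather than auto-allowed are assumptions of the example. The point it shows beyond the list: once policy is written in terms of labels, a newly autoscaled host with the right labels is covered without a rule change, and alert mode surfaces the flows a policy would break before anything is enforced.

```python
"""The five steps as a runnable sketch over constructed data. Added example for this
page, not Guardicore tooling. Flow records, inventory labels and addresses are made up;
the (env, app, role) label schema and the review rule for cross-environment flows are
assumptions of the example."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]             # (src_ip, dst_ip, dst_port)
Group = Tuple[str, str, str]            # (env, app, role)
RuleKey = Tuple[Group, Group, int]      # (src_group, dst_group, dst_port)

# Step 1 input: flow records as an agent might report them (constructed; one duplicate on purpose).
FLOW_LOG = """\
2019-12-11T10:00:01 10.0.1.10 10.0.2.20 443
2019-12-11T10:00:02 10.0.2.20 10.0.3.30 5432
2019-12-11T10:00:03 10.0.1.11 10.0.2.21 443
2019-12-11T10:00:04 10.0.2.21 10.0.3.30 5432
2019-12-11T10:00:05 10.0.9.5 10.0.3.30 5432
2019-12-11T10:00:06 10.0.2.20 10.0.3.30 5432
"""

# Step 2 input: labels pulled from orchestration/CMDB metadata (constructed).
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"env": "prod", "app": "shop", "role": "proxy"},
    "10.0.1.11": {"env": "prod", "app": "shop", "role": "proxy"},
    "10.0.2.20": {"env": "prod", "app": "shop", "role": "web"},
    "10.0.2.21": {"env": "prod", "app": "shop", "role": "web"},
    "10.0.2.22": {"env": "prod", "app": "shop", "role": "web"},   # autoscaled later, same labels
    "10.0.3.30": {"env": "prod", "app": "shop", "role": "db"},
    "10.0.9.5":  {"env": "dev",  "app": "shop", "role": "web"},
}

# Step 4 input: a later batch of flows to check against the candidate policy (constructed).
NEW_FLOW_LOG = """\
2019-12-12T09:00:00 10.0.2.22 10.0.3.30 5432
2019-12-12T09:00:01 10.0.2.20 10.0.4.40 22
2019-12-12T09:00:02 10.0.1.10 10.0.2.22 443
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def discover(log: str) -> Set[Flow]:
    """Step 1: parse records into a de-duplicated set of flows (the dependency map)."""
    flows: Set[Flow] = set()
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            flows.add((m.group(2), m.group(3), int(m.group(4))))
    return flows


def group_of(ip: str) -> Group:
    """Step 2: a host's group is its label tuple; hosts missing from the inventory are 'unlabeled'."""
    labels = INVENTORY.get(ip, {})
    return (labels.get("env", "unlabeled"), labels.get("app", "unlabeled"), labels.get("role", "unlabeled"))


def define_policies(flows: Set[Flow]) -> Tuple[Set[RuleKey], Set[Flow]]:
    """Step 3: collapse observed flows into group-to-group allow rules. Flows that cross
    environments (e.g. dev -> prod) are not auto-allowed; they are returned for human review."""
    rules: Set[RuleKey] = set()
    review: Set[Flow] = set()
    for src, dst, port in flows:
        s, d = group_of(src), group_of(dst)
        if s[0] != d[0]:
            review.add((src, dst, port))
        else:
            rules.add((s, d, port))
    return rules, review


def monitor(rules: Set[RuleKey], flows: Set[Flow]) -> List[Flow]:
    """Step 4: alert mode. Report flows the candidate policy would block, without blocking them."""
    return sorted(f for f in flows if (group_of(f[0]), group_of(f[1]), f[2]) not in rules)


def enforce(rules: Set[RuleKey]) -> Dict[Group, List[Tuple[int, Group]]]:
    """Step 5: render the inbound allow list each destination group's agents would enforce."""
    inbound: Dict[Group, List[Tuple[int, Group]]] = defaultdict(list)
    for s, d, port in sorted(rules):
        inbound[d].append((port, s))
    return dict(inbound)


if __name__ == "__main__":
    observed = discover(FLOW_LOG)
    rules, review = define_policies(observed)
    print("rules:", sorted(rules))
    print("needs review:", sorted(review))
    print("would be blocked:", monitor(rules, discover(NEW_FLOW_LOG)))
    print("inbound allow lists:", enforce(rules))
```

From the first batch the example derives two rules (proxy to web on 443, web to db on 5432) and sets aside the dev web host's connection to the production database for review. Against the second batch, the new web host 10.0.2.22 is covered by the existing label rules in both directions, and the only alert is the SSH connection from a web server to 10.0.4.40, which has no labels and no rule, so it would be blocked once the policy is enforced.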

Page 60:

What are the Solution Requirements?

Page 61:

Software-Defined Segmentation – Key Elements

Key elements: Widest Possible Platform Support; Meta-data Integration; Broadest OS Support; Agent with Own Firewall (not OS Native)

Widest Possible Platform Support – Platforms: Bare Metal, Hypervisors, Clouds, Containers

Page 62:

Software-Defined Segmentation – Key Elements: Meta-data Integration

Orchestration meta-data integration


Page 65:

Software-Defined Segmentation – Key Elements: Broadest OS Support

• Enterprises run the widest array of OS' imaginable
• Automated way to ingest new OS kernels/releases quickly
• Support end-of-life systems as well

Spectrum: Legacy/End of Life to Modern

Page 66:

Software-Defined Segmentation – Key Elements: Policy Granularity

By Process (diagram): nginx on the Proxy Server to Tomcat on the Web Server; the "evil" process on the proxy is not allowed.

By User (diagram): Alison and Diane, putty to sshd; Alison to diagnostics, Diane to accounting.

By FQDN (diagram): DevOps Web Servers (Ubuntu) to GitHub on the Internet; DevOps Other Servers not.

Page 67: Software-Defined Segmentation - Challenges of Accelerated Enterprise · 2019. 12. 11. · Speaker At Consilio, Jonathan led the effort to develop, implement, and monitor a rigorous

Software-Defined Segmentation – Key Elements

Policy Black Lists

[Figure: a block list applied to the Production environment. The services ftpd, telnetd and tftpd are blocked, with the user column reading root and any. Caption: Not Possible With Traditional Segmentation.]
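The two slides above describe policy that matches on process, OS user and destination FQDN, with a block list that holds even for root. The following is an added example, not code from the deck or from Guardicore Centra: a small evaluator in which rules carry label sets plus glob patterns for those three fields, a matching block rule always beats an allow rule, and an unmatched flow is denied. All labels, rule names, hosts and flows are constructed for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed example of label-based segmentation rules that match on process,
# OS user and destination FQDN. Block rules take precedence over allow rules and
# unmatched flows are denied. This is an illustration, not any vendor's policy model.


@dataclass(frozen=True)
class Endpoint:
    """One side of a flow. In a rule the fields are patterns ("*" = any);
    in an observed flow they are the values the agent reported."""
    labels: frozenset          # e.g. {"env:Production", "role:DevOpsWeb"}
    process: str = "*"         # executable name on that side of the flow
    user: str = "*"            # OS user the process runs as
    fqdn: str = "*"            # destination name, meaningful for Internet-bound flows


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "block"
    src: Endpoint
    dst: Endpoint


def endpoint_matches(pattern: Endpoint, actual: Endpoint) -> bool:
    """Every label the rule requires must be on the workload; other fields are glob patterns."""
    if not pattern.labels <= actual.labels:
        return False
    return all(fnmatchcase(getattr(actual, f), getattr(pattern, f))
               for f in ("process", "user", "fqdn"))


def evaluate(rules, src: Endpoint, dst: Endpoint):
    """Return (decision, rule_name). A matching block rule always wins; no match means block."""
    matched = [r for r in rules if endpoint_matches(r.src, src) and endpoint_matches(r.dst, dst)]
    for r in matched:
        if r.action == "block":
            return "block", r.name
    for r in matched:
        if r.action == "allow":
            return "allow", r.name
    return "block", "default-deny"


def L(*labels):
    return frozenset(labels)


# Constructed rule set mirroring the granularity examples plus the Production block list.
RULES = [
    # By user + process: Alison's putty may reach sshd on the DevOps web servers.
    Rule("alison-ssh-devopsweb", "allow",
         Endpoint(L("role:Workstation"), process="putty", user="Alison"),
         Endpoint(L("role:DevOpsWeb"), process="sshd")),
    # By FQDN: Ubuntu DevOps servers may talk to GitHub, not to the Internet at large.
    Rule("devops-github-only", "allow",
         Endpoint(L("os:Ubuntu", "role:DevOpsWeb")),
         Endpoint(L("zone:Internet"), fqdn="github.com")),
    # By process: only nginx on the proxy tier may reach Tomcat on the web tier.
    Rule("nginx-to-tomcat", "allow",
         Endpoint(L("role:ProxyServer"), process="nginx"),
         Endpoint(L("role:WebServer"), process="tomcat")),
    # Broad admin allow that the block list below must override.
    Rule("root-admin-to-prod", "allow",
         Endpoint(L("role:Workstation"), user="root"),
         Endpoint(L("env:Production"))),
]
# Policy black list: no ftpd/telnetd/tftpd listener in Production, for any user, root included.
RULES += [Rule(f"prod-block-{svc}", "block", Endpoint(L()),
               Endpoint(L("env:Production"), process=svc))
          for svc in ("ftpd", "telnetd", "tftpd")]


def decide_sample_flows():
    """Constructed flows as an agent would report them; returns {flow_name: (decision, rule)}."""
    ws_alison = Endpoint(L("role:Workstation"), process="putty", user="Alison")
    ws_diane = Endpoint(L("role:Workstation"), process="putty", user="Diane")
    ws_root = Endpoint(L("role:Workstation"), process="ssh", user="root")
    devops_web = Endpoint(L("os:Ubuntu", "role:DevOpsWeb"), process="git", user="jenkins")
    sshd_prod = Endpoint(L("role:DevOpsWeb", "env:Production"), process="sshd", user="root")
    ftpd_prod = Endpoint(L("role:DevOpsWeb", "env:Production"), process="ftpd", user="root")
    proxy = lambda proc: Endpoint(L("role:ProxyServer"), process=proc, user="www")
    tomcat = Endpoint(L("role:WebServer"), process="tomcat", user="tomcat")
    flows = {
        "alison putty -> sshd": (ws_alison, sshd_prod),
        "diane putty -> sshd": (ws_diane, sshd_prod),
        "devops -> github.com": (devops_web, Endpoint(L("zone:Internet"), fqdn="github.com")),
        "devops -> other internet": (devops_web, Endpoint(L("zone:Internet"), fqdn="example.net")),
        "nginx -> tomcat": (proxy("nginx"), tomcat),
        "evil -> tomcat": (proxy("evil"), tomcat),
        "root -> prod sshd": (ws_root, sshd_prod),
        "root -> prod ftpd": (ws_root, ftpd_prod),
    }
    return {name: evaluate(RULES, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (decision, rule) in decide_sample_flows().items():
        print(f"{name:26s} {decision:5s} ({rule})")
```

The precedence order is the point of the last two flows: root keeps its broad administrative allow into Production, yet the ftpd listener is still refused because the block rule is consulted first. Address-based segmentation cannot express that distinction, since both flows share the same source and destination IPs.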

Page 68:

Software-Defined Segmentation – Key Elements

No Contention with Admins for Control

Consistent Policies & Enforcement Across All Platforms & OS Versions

Less Latency

[Figure: on a Server, the OS Firewall is controlled by Admin/Root while the Agent FW is controlled by the SDS System. Captions: "You have control" and "You have less latency".]

Page 69:

Software-Defined Segmentation – Key Elements

Real-time and historical visibility

Easily allows you to create/apply labels

Easily understand application dependencies

Allows you to sort the enterprise in the variety of ways that different people wish to see it

Visibility

Flexible Labeling Schema

Policy Wizards

REST API

Page 70:

Software-Defined Segmentation – Key Elements

Visibility: By Platform

Page 71:

Software-Defined Segmentation – Key Elements

Visibility: By Environment

Page 72:

Software-Defined Segmentation – Key Elements

Visibility: By Compliance

Page 73:

Software-Defined Segmentation – Key Elements

Visibility: By Application Dependencies

Page 74:

Software-Defined Segmentation – Key Elements

Flexible Labeling Schema

Allows for flexible visibility (as shown prior)

Allows for dynamic workload automation

Thus removing the need for manual Moves, Adds, Changes & Deletes

Within the UI & DevOps Scripting


Page 75:

Software-Defined Segmentation – Key Elements

Policy Wizards

Easy policy creation based on your particular role and need


Page 76:

Software-Defined Segmentation – Key Elements

REST API

Ways to ingest additional enterprise data, such as a CMDB

Ways to push and pull additional information

Automation


Page 77:

Case Study – Top 5 Global Bank

Page 78:

Case Study – Top 5 Global Bank

Segmentation between Dev/Prod/UAT servers

Restricting Access to Servers From Non Servers

Low Hanging Fruit

Application Segmentation

Page 79:

Case Study – Top 5 Global Bank

Segmentation between Dev/Prod/UAT servers

Restricting Access to Servers From Non Servers

Low Hanging Fruit

Application Segmentation

[Figure: the four use cases ranked from High Priority to Low Priority: URGENT – Solve NOW; Critical – Solve This Year; Nice to Have – Next Year]

Page 80:

Case Study – Top 5 Global Bank

Segmentation between Dev/Prod/UAT servers

Restricting Access to Servers From Non Servers

Low Hanging Fruit

Application Segmentation

Bank Thought Software-Defined Segmentation Would Use Cases

Page 81:

Case Study – Top 5 Global Bank

Segmentation between Dev/Prod/UAT servers

Restricting Access to Servers From Non Servers

Low Hanging Fruit

Application Segmentation

Guardicore Centra Software-Defined Segmentation Solved All Use Cases

Page 82:

Case Study – Top 5 Global Bank

Segmentation between Dev/Prod/UAT servers

[Figure: DEVELOPMENT, UAT and PRODUCTION environments]

Overlap of 800 VLANs Between Environments

Accidental Transfer of Money

Auditors & Mandates to Change ASAP

To Change VLANs & IP Addresses Manually Would Take Years

Page 83:

Case Study – Top 5 Global Bank

Segmentation between Dev/Prod/UAT servers

[Figure: DEVELOPMENT, UAT and PRODUCTION environments]

Without any VLAN or IP Address Changes

Using Playbooks, Pushed Out Guardicore Agents to All

Mapped Out the Three Environments Visually

Created & Enforced Policy at the Process Level

Environments Segmented in a Few Weeks, not Years
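The two case-study slides above, together with the earlier REST API slide on ingesting CMDB data, describe the core idea: the environment a workload belongs to is read from metadata, so policy never has to touch the 800 overlapping VLANs. The following added example is not the bank's or Guardicore's code; it uses a constructed four-host inventory in which two hosts share one subnet but belong to different environments, compares an address-based "Production subnets" rule with a label-based rule, and lists which cross-environment paths only the label model closes. Hostnames, addresses and subnet choices are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory shaped like CMDB records. Two hosts share the
# 10.20.30.0/24 VLAN yet belong to different environments, which is the
# overlap the case study describes. Names and addresses are made up.
INVENTORY = [
    {"host": "app-dev-01",  "ip": "10.20.30.11", "cmdb_env": "Development"},
    {"host": "app-prod-01", "ip": "10.20.30.12", "cmdb_env": "Production"},
    {"host": "app-uat-01",  "ip": "10.20.31.5",  "cmdb_env": "UAT"},
    {"host": "app-prod-02", "ip": "10.20.31.9",  "cmdb_env": "Production"},
]

# Subnets a network team would have to call "Production" to cover every
# Production host; because of the overlap, both VLANs end up on the list.
PROD_SUBNETS = [ip_network("10.20.30.0/24"), ip_network("10.20.31.0/24")]


def label_assets(inventory):
    """Meta-data integration step: derive an env label per host from the CMDB field."""
    return {r["host"]: {"env": r["cmdb_env"], "ip": ip_address(r["ip"])} for r in inventory}


def vlan_policy_allows(src_ip, dst_ip, prod_subnets=PROD_SUBNETS):
    """Address-based segmentation: a flow is fine if both ends are on the same
    side of the Production subnet boundary."""
    def in_prod(ip):
        return any(ip in net for net in prod_subnets)
    return in_prod(src_ip) == in_prod(dst_ip)


def label_policy_allows(src_env, dst_env):
    """Label-based segmentation: same environment label allowed, anything else blocked."""
    return src_env == dst_env


def agent_rules(host, assets):
    """Peers the agent firewall on `host` must refuse: every asset carrying a
    different environment label, regardless of which VLAN it sits in."""
    my_env = assets[host]["env"]
    return sorted(peer for peer, a in assets.items() if peer != host and a["env"] != my_env)


def vlan_policy_gaps(inventory, prod_subnets=PROD_SUBNETS):
    """Ordered (src, dst) pairs the subnet model lets through but the label model
    blocks. These are exactly the cross-environment paths the auditors flagged."""
    assets = label_assets(inventory)
    gaps = []
    for s, sa in assets.items():
        for d, da in assets.items():
            if s == d:
                continue
            if (vlan_policy_allows(sa["ip"], da["ip"], prod_subnets)
                    and not label_policy_allows(sa["env"], da["env"])):
                gaps.append((s, d))
    return sorted(gaps)


if __name__ == "__main__":
    assets = label_assets(INVENTORY)
    for host in assets:
        print(f"{host}: block peers {agent_rules(host, assets)}")
    print("paths only the label model closes:", vlan_policy_gaps(INVENTORY))
```

With the overlap, every host lands inside the "Production" subnet list, so the address-based rule allows all ten cross-environment paths; the label-based rule blocks them, and each agent's rule list is derived from labels alone, which is why no VLAN or IP address had to change.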

Page 84:

Case Study – Top 5 Global Bank

Restricting Access to Servers From Non Servers

[Figure: Servers & Applications reachable from Security Cameras, Building Controls, Users and Networked Devices]

Audits Found Access to Servers Too Permissive

10,000 IP Cameras

Users

Building Controls

Networked Devices (APs, Printers, etc.)

Page 85:

Case Study – Top 5 Global Bank

Restricting Access to Servers From Non Servers

[Figure: Servers & Applications reachable from Security Cameras, Building Controls, Users and Networked Devices]

Without any VLAN or IP Address Changes

Using Playbooks, Pushed Out Guardicore Agents to All

Mapped Out Visually

Created & Enforced Policy at the Process & User Level

Environments Segmented Within the First Year

Page 86:

Case Study – Top 5 Global Bank

Low Hanging Fruit

Various, Similar to Other Use Cases

E.g. Some SWIFT Isolation & Validation, Among Other Things

Page 87:

Case Study – Top 5 Global Bank

Application Segmentation

Similar to Other Use Cases

Going After the Most Important Ones First

Etc.

Page 88:

Case Study – Top 5 Global Bank

Fitting Into the Bank’s Infrastructure

Overall Flexibility of Our Solution Allowed Us to Tie In Easily

Page 89: