Slide 1: The Goldilocks Zone: Security and Architectural Implications of the SDDC
SEC1959-S
Tom Corn, SVP, VMware, Inc. – Security Products
Source: download3.vmware.com/vmworld/2014/downloads/...
Slide 2: Securing the Data Center
IT Infrastructure: Network | Storage | Compute | Infrastructure Management & Orchestration
Application Infrastructure
Security Infrastructure:
• Network: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS
• Storage: Encryption, Key Management, Tokenization
• Governance/Compliance: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP
• Compute: AV, HIPS, AMP, Encryption, Execution & Device Control
• SOC: SIEM, Security Analytics, Forensics
• Identity Controls: IAM, IAG, Authentication, Access Control, Federation/SSO
• App/Database Controls: App/DB Activity Monitoring, App/DB Encryption, Fraud Analytics
Slide 3: A Picture of Diminishing Returns
The Only Thing Outpacing Security Spend… Is Security Losses
(Chart comparing the growth of IT Spend, Security Spend and Security Breaches)
Slide 4: Kill Chain: Anatomy of a Modern Attack
Phases: 1 Prep → 2 Intrusion → 3 Recon → 4 Recovery → 5 Act on Intent → 6 Exfiltration
1. Prep
• Step 1: Human Recon
• Step 2: Attack Vector R&D
• Step 3: Delivery Mechanism
Slide 5: Kill Chain, 2. Intrusion
• Step 4: Compromise Primary Entry Point
• Step 5: Install Command & Control I/F
Malware strains at this point: Strain A active, Strain B dormant
Slide 6: Kill Chain, 3. Recon
• Step 6: Escalate Privileges on Primary Entry Point
• Step 7: Lateral Movement
• Step 8 (repeated on each host reached): Install C2 I/F, Wipe Tracks, Escalate Privileges
Malware strains at this point: Strain A active
Slide 7: Kill Chain, 4. Recovery
Attack Identified → Response
• Step 9: Wake Up & Modify Next Dormant Strain
Malware strains at this point: Strain A active, Strain B active, Strain C dormant, Strain D dormant
Slide 8: Kill Chain, 5. Act on Intent and 6. Exfiltration
• Step 10: Break into Data Stores
• Step 11: Parcel & Obfuscate
• Step 12: Exfiltration
• Step 13: Cleanup
Slide 9: Modern Attack: targeted, interactive & stealthy
(Diagram: the full 13-step kill chain from slides 4–8 shown on one slide)
Today's controls: Stop Infiltration
Gap: Lack visibility & control to stop exfiltration
Shift from…
• Perimeter-centric
• In-line prevention
• Managing compliance
to…
• Application & user-centric
• Analytics / out-of-band mitigation
• Managing risk
Slide 10: 3 Architectural Issues
Virtualization is the Key: as a ubiquitous abstraction layer between the applications and the infrastructure, it provides the "Goldilocks Zone" for security.
1. Segmentation (Logical Segmentation Problem): lack the ability to segment around application boundaries
2. Policy (Compound Policy Problem): lack mechanisms to orchestrate policy across controls
3. Context (Context/Isolation Tradeoff): lack the right telemetry / "handles" for security controls
Common Thread: The Application
Slide 11: The Logical Segmentation Problem
CONFIDENTIAL
(Diagram: Hyper-connected Computing Base → Lateral Movement; Complex/Comingled Policy)
The Solution: enforce segmentation around application boundaries versus the perimeter, physical zones or machines.
The Obstacle: we have no mechanism that maintains the relationship between the applications & the infrastructure.
Slide 12: The Compound Policy Problem
(Diagram: controls C1, C2, C3 in sequence, labelled "Right Place, Right Order", "Share State", "Choke Points / Scalability", "Complex Distributed Policy" and "Sharing State ??")
The Solution: a mechanism to insert and order security controls and policy around logical boundaries, and a mechanism for them to publish and share state.
The Obstacle: no such mechanism exists. We can insert on physical boundaries, and share state via point integrations and correlation.
Slide 13: The Context/Isolation Tradeoff
(Diagram: Policy and Analytics placed on a Context ↔ Isolation axis, with Endpoint at the context end and Network at the isolation end. Example handles shown: HTTP://192.163.8.10:8080, HTTP://192.159.2.10:8080, HTTP://192.162.5.8:8080; 10.20.2.14 / 09:00:02:A3:D1:3D, 10.18.3.13 / 08:00:03:A4:C2:4C.)
Poor Handles/Telemetry for Policy/Analytics
The Solution: a ubiquitous mechanism for communicating telemetry with security controls that has the isolation properties of a network control point and the context of an endpoint agent.
The Obstacle: no such mechanism exists. We are forced to make the tradeoff.
Slide 14: 3 Architectural Issues (recap)
Common Thread: The Application. Virtualization is the Goldilocks Zone for Security.
If we could…
• Segment along application boundaries and compliance scopes
• Provision and order controls along those boundaries
• Share context to and among controls
…then we can dramatically…
• Reduce our attack surface
• Simplify our policies
• Improve the effectiveness of all our controls
(The three issues from slide 10 are restated: 1. Segmentation, 2. Policy, 3. Context.)
Slide 15: Putting Security Controls into the Virtualization Layer
Virtual Infrastructure provides:
• Built-in Controls: Isolation / Segmentation / Access
• Security Service Provisioning & Orchestration
• Context: Security / Telemetry
Security Controls (the categories from slide 2):
• Network: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS
• Storage: Encryption, Key Management, Tokenization
• Governance/Compliance: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP
• Compute: AV, HIPS, AMP, Encryption, Execution & Device Control
• SOC: SIEM, Security Analytics, Forensics
Slide 16: Micro-segmentation
Logical segmentation around application boundaries
(Diagram: Perimeter firewall → DMZ → Inside firewall; shared services AD, NTP, DHCP, DNS, CERT; App 1, App 2 and App 3, each segmented into App, Services and DB tiers)
Slide 17: Micro-segmentation
• Isolation
• Explicit Allow Communication (Default Deny)
• Secure Communications
• Structured Secure Communications (diagram chains controls such as NGFW, IPS and WAF between segments)
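The micro-segmentation model on slides 16 and 17, as an added example that is not part of the deck: rules are keyed on application and tier metadata rather than addresses, and any flow without an explicit allow is denied. The inventory, rule tuples and port numbers are constructed for illustration.

```python
# Added example, not from the VMworld deck: a toy distributed-firewall rule
# evaluator that segments around application boundaries (slides 16-17).
# Workloads carry app/tier metadata instead of being identified by IP, rules
# reference that metadata, and anything not explicitly allowed is denied.
# The inventory, rule tuples and port numbers are constructed for illustration.
from dataclasses import dataclass
@dataclass(frozen=True)
class Workload:
    name: str
    app: str   # application boundary, e.g. "app1"; "shared" for AD/DNS/NTP
    tier: str  # "web", "services", "db", or a shared-service name
# Constructed inventory modelled on slide 16: apps with web/services/db
# tiers plus shared infrastructure services behind the inside firewall.
INVENTORY = {w.name: w for w in [
    Workload("app1-web", "app1", "web"),
    Workload("app1-svc", "app1", "services"),
    Workload("app1-db", "app1", "db"),
    Workload("app2-web", "app2", "web"),
    Workload("app2-db", "app2", "db"),
    Workload("dns01", "shared", "dns"),
    Workload("ad01", "shared", "ad"),
]}
# Explicit-allow rules keyed on logical attributes, not addresses:
# (source tier, destination app, destination tier, destination port).
# "same_app" keeps the flow inside one application boundary; "*" matches
# any source tier; shared services are reachable from every app.
RULES = [
    ("web", "same_app", "services", 8080),
    ("services", "same_app", "db", 3306),
    ("*", "shared", "dns", 53),
    ("*", "shared", "ad", 389),
]
def is_allowed(src_name, dst_name, port):
    """Default deny: True only when an explicit rule matches the flow."""
    src, dst = INVENTORY[src_name], INVENTORY[dst_name]
    for src_tier, dst_app, dst_tier, dst_port in RULES:
        if src_tier not in ("*", src.tier) or (dst_tier, dst_port) != (dst.tier, port):
            continue
        if dst_app == "same_app" and src.app == dst.app:
            return True
        if dst_app == dst.app:
            return True
    return False
def blocked_flows(flows):
    """Flows a default-deny policy would drop; each is worth logging as a
    possible lateral-movement attempt across an application boundary."""
    return [f for f in flows if not is_allowed(*f)]
```
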
Slide 18: Advanced Context
The hypervisor can bridge the context / isolation gap
(Diagram: Context ↔ Isolation axis with Endpoint Agent at the context end, Network Device at the isolation end, and Virtualization between them)
Slide 19 (builds 19–21): Policy Orchestration
Security Group = Web Tier
Policy Definition: Standard Web Policy; Advanced Malware Protection
Advanced Malware Protection → DEFCON
Security Group = DEFCON 1; Members = {Tag = 'AdvancedMalware.Suspicious', DEFCON Network}
DEFCON 1 Policy:
• Gateway Authentication: 1 → 2 Factor
• Ratchet back Access Controls
• Increase Logging
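The orchestration flow on slide 19, as an added example that is not part of the deck: a security group defined by a tag predicate, so that a workload the malware-protection control tags as suspicious automatically picks up the DEFCON 1 policy overlay. The policy settings, the group predicates and the precedence order are assumptions made for illustration.

```python
# Added example, not from the VMworld deck: tag-driven security groups with
# a DEFCON 1 policy overlay, modelled on slide 19. When an advanced malware
# protection control tags a workload 'AdvancedMalware.Suspicious', the
# workload joins the DEFCON 1 group and its effective policy changes without
# anyone editing firewall rules. Policy settings, the group predicates and
# the precedence order are assumed for illustration.
from dataclasses import dataclass, field

@dataclass
class Workload:
    name: str
    tier: str
    tags: set = field(default_factory=set)

SUSPICIOUS_TAG = "AdvancedMalware.Suspicious"   # tag value from the slide

STANDARD_WEB_POLICY = {
    "gateway_auth": "1-factor", "access": "web-tier-allow-list", "logging": "standard"}
# DEFCON 1 overlay from the slide: 2-factor at the gateway, ratchet back
# access controls, increase logging.
DEFCON1_POLICY = {
    "gateway_auth": "2-factor", "access": "quarantine-allow-list", "logging": "verbose"}

# Security groups are membership predicates over workload metadata, so a
# newly tagged VM is a member immediately; no IP list is maintained.
SECURITY_GROUPS = {
    "Web Tier": lambda w: w.tier == "web",
    "DEFCON 1": lambda w: SUSPICIOUS_TAG in w.tags,
}
GROUP_POLICIES = {"Web Tier": STANDARD_WEB_POLICY, "DEFCON 1": DEFCON1_POLICY}
PRECEDENCE = ["Web Tier", "DEFCON 1"]   # later groups override earlier ones

def groups_for(w):
    """Groups the workload currently belongs to, in precedence order."""
    return [g for g in PRECEDENCE if SECURITY_GROUPS[g](w)]

def effective_policy(w):
    """Merge the policies of all matching groups; the overlay wins."""
    policy = {}
    for g in groups_for(w):
        policy.update(GROUP_POLICIES[g])
    return policy

def on_malware_verdict(w, verdict):
    """The control publishes state by tagging; orchestration reacts via groups."""
    if verdict == "suspicious":
        w.tags.add(SUSPICIOUS_TAG)
    elif verdict == "clean":
        w.tags.discard(SUSPICIOUS_TAG)   # remediated: drop back to standard
    return effective_policy(w)
```
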
Slide 22: Case Study: WestJet Airlines
Richard Sillito, Solution Architect, IT Security, WestJet Airlines
Slide 23: The Call to Action: A Once in a Wave Opportunity
• 1st Wave: Mainframe | Terminal. Millions of users, thousands of apps
• 2nd Wave: PC | Client/Server | LAN/Internet. Hundreds of millions of users, tens of thousands of apps
• 3rd Wave: Cloud/SDDC | Mobile | Social | Big Data. Billions of users, millions of apps, trillions of devices
Security Teams · Security Vendors · Virtualization: The Goldilocks Zone for Security