CSPi. A Practical (low cost) Approach to Securing East-West Traffic & Critical Data. December 2018

Transcription

1 CSPi A Practical (low cost) Approach to Securing East-West Traffic & Critical Data December

2 About CSPi Delivering a portfolio of products and consulting solutions singularly focused on securing our customers business critical data from cyber attacks. Breach Detection & Data Capture Purpose-built appliances and network adapters with specialized software that capture traffic in the fight on terror, to detecting breaches in hours with complete detail on what records were exposed. IT Technology & Security Services Support for the entire lifecycle of technology innovation for Security and IT services. Advanced Security Solutions Remediation and forensic evaluation of detected threats; pen-testing, web auditing and social engineering to expose gaps Headquarters, Boston UK & Germany Florida Industries Served 2

3 Our Focus: Critical Data Needs to be Better Protected Two Premises - We Address: Breaches Need to be detected, verified, scoped quickly Breaches will happen it s not if it s when and how often Data needs to be better protected Breaches will happen it s not if it s when and how often Enterprise & Gov t customers need a simpler approach Security capabilities should be offered via a simple service model 3

4 Detecting Breaches How are we doing? 1000 Breaches in the US first 6 Months of 2018 a 20% jump over prior record setting 2017 Big Breaches: Equifax, SEC, IRS, BT, most every major retailor Compliance Laws are tightening Are organizations just incompetent? No today s threat detection solutions are operationally complex AND only as good as the data they ingest plus Don t do much - if anything to stop threats 4

5 PII/PHI Cost per record Average cost / PII data record lost - commercial sector is $230 vs. $400 for PHI 5

6 Compliance laws are changing - to punish the abusers 49 States + Canada have laws on the books Must notify state citizens/state authorities if you exposed their PII data Half of these states impose fines within 30days of the breach if this doesn t happen Texas mandates residents are notified in 30 days if PII is exposed - $10k/day if you miss Compliance with such laws stipulated by breach insurance policies typically required for coverage EU Has GDPR which allows you 3 days to notify Fines are 20M Euros or 4% of Revenue- which ever is greater Judicial Redress Act/Privacy Shield allows EU to file class action law suits against US entities that lose their citizen data 6

7 The Problem Organizations of all sizes struggle to pay for dealing with breach investigation. Compliance rules mandate it must be done in a timely fashion and impose rigorous requirements on how its done Financial, Insurance, Health Care (all forms) Retail, Government, Education All have stricter rules A breaches cost mid sized business over $1,000,000 - each breach 3rd Party Firms typically charge businesses over $500,000 to investigate a breach and it can take at least a month. It goes to the Millions for F1000 sized organizations 7

8 8 We need a better approach Breaches to Critical Data Repositories need to be stopped Yet it appears that s not going to happen with current approaches: 27 66% of breaches took months or even years to discover 60% of breaches have data exfiltrated in first 24 hours 5,000 Avg. number of alerts/day that enterprises are provided by their systems 229 Median number of days advanced attackers present before detection 33% Of organizations discover breaches through their own monitoring Cisco 2017 Report - Based on a survey of over 4600 Enterprises and Gov t organizations

9 #1 - Over reliance on system log data Method: detect threats once they are on systems Likely that s when damage is already being done! That misses network level threats! SIEMs, behavioural detection systems need more data to work effectively They need in-motion data ML detection capabilites: only as good as type and amount of data fed Additional data collected needs to be cost to risk optmized 9

10 What s Needed to Solve this Problem 1. Threats are better detected with live E-W network data information Feeds well into ML based threat detection systems in SIEMS, UEBAs, as well as N-IPS, IDS 2. Yet its too expensive to ingest raw data Systems overwhelmed- and/or can cost $millions per year for solution that charge by bytes ingested (Splunk, Q-Radar others) 3. What if we could feed them just the data needed? Netflow/IPfix flow data provides what these systems need to detect threats Each flow record accounts for 150bits of Splunk Ingest Less than $8K/mo. most enterprises 10

11 Threats now better detected Detect East West Threats in Motion Malware, APTs, Ransomware, DDoS Bruteforce Insider threats, compromised credentials Compromised end points, IOT devices, etc Works best when the right data is sent to the right tools Entire suspect classified traffic flows sent to N-IPS for example 11

12 #2 -Yet we need to stop these threats quickly Need an ability to stop such threats when detected Faster action means less damage and less potential data loss Need ability to enforce connection policies What devices should talk to what & where Relying on network devices to stop such connectivity proven a problem Network devices reconfigured by network guys can blow away ACLs 12

13 How? Packet Intelligence - Definition The ability to break out individual traffic flows and classify The ability to take action on those flows automatically per policy, or as driven by API 13

14 Packet Intelligence with Policy Triggered Actions Window onto the Wire /10G link 1. View into Packets identify and Classify flows Flow 1 MySQL Flow 2 Oracle Subnet Flow 3 FTP Flow 4 Present this meta info to the Analytics Tools Benefit: Does this without adding delay to the packets as they transit 2. Perform real-time line rate operations such as: ID Flow - Apply Policy Match Flow 1 MySQL Policy Action: Forward on to Destination Flow 2 Oracle Policy Action: Forward on Original and Make copy forward to forensic recorder Flow 3 FTP Policy Action: Drop & Alert and Make copy forward to inspection (IDS) service Flow 4 Policy Action: Redirect Original direct for inspection (anti-phish, DLP- lite, etc.. ) Benefit: Allows for service operation chaining Apply a series of actions upon filter matches without adding delay. 14

15 ARIA Packet Intelligence Offerings ARIA Enhanced Network Security & Remediation: Packet Intelligence Application Real-time examination of packets on the wire. Generates NetFlow or IPFIX data DPI used to ID applications Acts as a Network flow level Policy Enforcement function Includes intelligent policy actions such as dropping, redirection, replication, shunting, etc.. Performs all acts without impacting forwarding performance of the data Can be Deployed as a Bump-in-the-wire or as end point NIC - on Servers Intelligent Feeds to 3 rd Party Security Applications IDS, WAFs, Anti-phish etc And forensic recorders for Complaince Verification Fed by ARIA Filter match directed packet streams SNF Packet Capture Application Captures Packets and Load balances them for efficient hand off into host applications - Such as IDS/IPS applications, DLP, etc Runs at rates to 40Gbps 15

16 Uncompromised Enterprise-wide Security See into the Wire Take action on Traffic flows Off-load CPU intensive security applications e.g. Encryption, Tokenization Deploy as much or as little as needed to achieve desired level of security Tremendous Server Performance Boost up to 10x Orchestrator to automatically discover instances and set policies Multiport 10/25G Secure Intelligent Adapter (when needed) Services: Micro Segmentation, Capture, Advanced filtering File Encrypt, VPN Encrypt, Tokenization Threat & Breach Detection PUBLIC CLOUD ARIA SDS Offers Secure DevOps Across Any Enterprise PREMISES ENTERPRISE DATA CENTER C EC2 SIA NSX VM VM VM VM SIA APP1 C APP2 16 C = SDSi Secured Container or Pod Symmetric Encrypted VPN Path SDS ORCHESTRATOR Highly Encrypted Data-at-Rest Path

17 Threats now better detected/prevented Works best when the right data is sent to the right tools Entire suspect classified traffic flows sent to a VM based N-IPS for example Run entire traffic stream through filters looking for advanced threats, or critical data loss Costs only 10s of thousands per year vs 100s of thousands Especially good detecting threats involving unprotected server applications PII Files and data bases, POS, Industrial systems, IOT devices, etc When coupled with the nvoy Breach detection appliance Simple to Deploy Cost Effective Threat Detection and Prevention 17

18 ARIA Network Security Probe & Security Appliance Probe: Simple network insertion Small form factor High availability solution Passive monitoring Generates flows, Active measures redirect/copies select traffic streams Enforces policies including adding select stream protection or prohibiting communication Zero-touch provisioning API driven control Security Appliance: Centralized threat detection/control Provides data protection as required High compute capacity Deploys VM based threat detection From any vendor As well as from CSPi Orchestrates the entire solution Controls the Probes and SIAs Scales to high network capacities + 18

19 Myricom SIA (Security Intelligent Adapter) Next-generation Intelligent NIC Addition of Multicore processing and onboard memory allows for 1-40G Packet capture/manipulation and other services Extends life of existing server infrastructure while offering network upgrade to 25G PCIe gen3 x8 < 70W GHz 32GB DDR4 memory GB Flash memory Dual SFP+/SFP28 ports; 10/25G Runs our ARIA application Services Suite- including PBaaS, FlowaaS, Crypto as a service etc. 19

20 #3 Better protect your critical applications and their Data What s the 1 thing you could do that has the most impact to stopping exposure and loss of critical data That you are likely NOT doing today???? Answer Individually Encrypt your data as it produced and sent to on a per VM, application instance basis Why: if its exposed/taken but not readable = no harm Regulatory bodies agree: HIPPA, GDPR, PCI. No need to report if you can prove it 20

21 21 ARIA Crypto Applications

22 ARIA : Simplifies Crypto Application Deployments ARIA KMS - Key Management KMIP Key Server that can securely serve 1000s keys per second with zero footprint Works to protect VMware VMs, VSAN data etc ARIA - Crypto Services Protects services in transit Protects data at rest ARIA KMS 22

23 Myricom nvoy Threat Visibility Solution: Compliance Assurance Automated Breach Detection with Compliance Verification Quickly verifies if a threat has exposed PII/PHI On-demand access to captured data for analysis 10Gbit Packet Recorder Capture and extract for compliance, regulatory threat verification. AIR Extract specific threat conversations Extractions are driven by FW/IDS/IPS events Creates files of conversations associated with these threat events for analysis. TAP in Packet Broker Isolate critical data through replication, load balancing and filtering. 23

24 Standard Use case: Verifying Threats to PII/PHI Record critical asset conversations without impacting the production network 1. Build a passive continuously recording threat visibility and investigative system 2. Trigger it from Firewall or IDS/IPS events 3. Analyze the output Firewall or IDS ALERT: Potential Intrusion Detected Laptop & Mobile Myricom nvoy Packet Recorder Desktops & Phones TAP or SIA Analysis with tools such as Wireshark, ELK stack, Splunk Automatic Extract of Detailed Data Server Farm High Value Assets PII, PHI, Credit Card, Employee Records

25 Why nvoy for Breach Detection Assures Compliance with latest Laws and Rules 1. Provides forensic details including which PII/PHI records were exposed. 2. Provides evidence if such records were properly encrypted 3. Automated to generate such reports as the breach is happening 4. Allows Provider to help enterprises meet all compliance deadlines All State Law notification deadlines & EUs GDPR 3 Day deadline 26