Rethinking Security
CLOUDSEC2016
Ian Farquhar, Distinguished Sales Engineer, Field Lead for the Gigamon Security Virtual Team
Breaches Are The New Normal: Only The Scale Surprises Us
"OPM will send notifications to approximately 22.1 million individuals whose PII may have been compromised." [1]
"As many as 80 million customers of the nation's second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement." [2]
"Sony Entertainment CEO Michael Lynton told employees of the embattled studio Saturday that the hack attack that has resulted in the leak of employees' personal information and internal business documents is unprecedented in nature." [3]
[1] http://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/
[2] http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/
[3] http://variety.com/2014/film/news/sony-hack-unparalleled-cyber-security-firm-1201372889/
Traditional Security Model
Perimeter or Endpoint Based
- Inside vs. outside
- Focus on prevention
- Rule based
- Signature based
Simple Trust Model
- Trusted vs. un-trusted
- Corporate vs. personal asset
- Insider-outsider boundary dissolved (BYOD)
Static Environment
- Fixed locations, zones, perimeters
- Mobility of users, devices and applications
Traditional Security Model (continued)
More importantly: THE VERY NATURE OF CYBER THREATS HAS CHANGED!
Anatomy of an Advanced Persistent Threat (APT)
1. Reconnaissance
2. Phishing and zero-day attack
3. Back door
4. Lateral movement
5. Data gathering
6. Exfiltrate
In many cases the system stays breached after exfiltration!
Source: RSA
Mitigating Risk Remains Difficult
[Chart data from the slide not recoverable; sources cited:]
* Trustwave Holdings, Inc. "2015 Trustwave Global Security Report." 2015. Accessed July 16, 2015.
** FireEye. "MAGINOT REVISITED: More Real-World Results from Real-World Tests." 2015. Accessed July 16, 2015.
What Else Has Changed That Impacts Security?
FUNDAMENTAL SHIFT IN TRAFFIC PATTERNS
[Diagram: Internet, Firewall, DMZ, IPS, Core Switch, IDS at the edge; Spine and Leaf switches in front of the Server Farm]
Perimeter tools (firewall, IPS and IDS at the Internet edge) only see north-south traffic; east-west traffic between server farm hosts behind the leaf and spine switches never passes them.
No visibility into lateral propagation of threats!
What Else Has Changed That Impacts Security?
MOBILITY
[Diagram: same edge topology as the previous slide, with mobile users and devices moving across the Internet, DMZ, Core Switch, Spine and Leaf switches and Server Farm]
No visibility into lateral propagation of threats!
What Else Has Changed That Impacts Security?
GROWING USE OF SSL
- 25%-35% of enterprise traffic today is SSL [1]
- Security and performance management tools are either blind to SSL traffic or get overloaded if they decrypt it
- Large (2048-bit) RSA keys cause an 81% performance degradation in existing SSL architectures [1]
- More than 50% of network attacks in 2017 will use encrypted traffic to bypass controls (vs. 5% today) [2]
How do you ensure security, manage risk, and maintain compliance with the growing use of encrypted traffic?
[1] NSS Labs
[2] Gartner
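A tool that cannot (or should not) decrypt still gets useful metadata from the one part of a TLS session that is sent in the clear, the ClientHello: the server name (SNI), the offered cipher suites and the offered protocol versions. That metadata is enough to decide which sessions deserve full decryption and which are simply logged. The Python below is an added example written for this page, not Gigamon code and not a description of how GigaSECURE handles SSL. The ClientHello bytes are constructed inline by a helper rather than taken from a capture, the client random is fixed, and the choice to return None for truncated or non-TLS payloads is this example's own design decision.

```python
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello
EXT_SNI = 0x0000              # server_name extension
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(server_name, cipher_suites, versions=(0x0304, 0x0303)):
    """Constructed sample input: assemble a minimal ClientHello record.

    This is a hypothetical client, not a real capture; the random is fixed
    and only the SNI and supported_versions extensions are included.
    """
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ext_sv = (struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1)
              + bytes([len(vers)]) + vers)
    exts = ext_sni + ext_sv
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", 0x0303)        # legacy_version (TLS 1.2 on the wire)
            + b"\x11" * 32                   # client random, fixed for the example
            + b"\x00"                        # empty legacy session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Extract metadata from a TLS ClientHello without any key material.

    Returns a dict with legacy_version, cipher_suites, sni and
    supported_versions, or None when the bytes are not one complete
    ClientHello record (other protocols, a truncated record, or a later
    handshake message). Nothing here decrypts anything.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                            # truncated record: refuse to guess
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) != hs_len:
        return None
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(hs):
            raise ValueError("truncated ClientHello body")
        chunk = hs[pos:pos + n]
        pos += n
        return chunk

    try:
        info = {"legacy_version": struct.unpack("!H", take(2))[0],
                "cipher_suites": [], "sni": None, "supported_versions": []}
        take(32)                                # client random
        take(take(1)[0])                        # legacy session id
        cs_len = struct.unpack("!H", take(2))[0]
        if cs_len % 2:
            raise ValueError("odd cipher_suites length")
        suites = take(cs_len)
        info["cipher_suites"] = [struct.unpack("!H", suites[i:i + 2])[0]
                                 for i in range(0, cs_len, 2)]
        take(take(1)[0])                        # compression methods
        if pos == len(hs):
            return info                         # no extensions (older clients)
        ext_end = pos + struct.unpack("!H", take(2))[0]
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", take(4))
            edata = take(elen)
            if etype == EXT_SNI and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]
                info["supported_versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                              for i in range(0, n, 2)]
    except (ValueError, struct.error):
        return None
    return info


if __name__ == "__main__":
    record = build_client_hello("mail.example.com", [0x1301, 0xC02F])
    print(parse_client_hello(record))
```

The parser stops at the record boundary on purpose: a visibility device sees one packet at a time, and a ClientHello split across records or segments should be reassembled before parsing rather than half-interpreted. Everything the dict contains is available to an out-of-band tool at line rate with no private keys and no man-in-the-middle.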
A Perfect Storm: The Need To Rethink Security Architecture
- Changed threat model
- Fundamentally unchanged security trust model
- At-will security breaches
- Rising use of encryption
- Changed traffic patterns and mobility
Finding the Threat Within: Challenges with Ad Hoc Security Deployments
VISIBILITY LIMITED TO A POINT IN TIME OR PLACE
- Significant blind spots
- Extraordinary costs
- Contention for access to traffic
- Inconsistent view of traffic
- Blind to encrypted traffic
- Too many false positives
[Diagram: Internet, Routers, Spine Switches, Leaf Switches, Virtualized Server Farm, with IPS (inline), Anti-Malware (inline), Intrusion Detection System, Data Loss Prevention, Email Threat Detection and Forensics each attached at its own point]
It is time the balance of power shifted from attacker to defender!
Transformation through Visibility: The Security Delivery Platform
[Diagram: Internet, Routers, Spine Switches, Leaf Switches, Virtualized Server Farm feeding a Security Delivery Platform, which in turn feeds IPS (inline), Anti-Malware (inline), Data Loss Prevention, Intrusion Detection System, Forensics and Email Threat Detection]
- Complete network-wide reach: physical and virtual
- Scalable metadata extraction for improved forensics
- Isolation of applications for targeted inspection
- Visibility into encrypted traffic for threat detection
- Inline bypass for connected security applications
Security Delivery Platform: a foundational building block of effective security.
Introducing GigaSECURE
THE INDUSTRY'S FIRST SECURITY DELIVERY PLATFORM
2015 Gigamon. All rights reserved.
Gaining Complete Network-Wide Reach
GigaVUE-VM and GigaVUE Nodes
H Series and TA Series
- Terabit-scale visibility nodes with the ability to cluster multiple nodes
- Traffic aggregation and intelligent filtering using patented Flow Mapping
- Replicate traffic to multiple security appliances without performance impact
GigaVUE-VM
- Non-intrusive access to virtual traffic via a lightweight user-space monitoring VM
- "Follow the VM": uninterrupted security monitoring during virtual workload migration
- Enables a physical security appliance to extend the security function to virtual traffic
Standalone G-TAP and Embedded TAPs
- Non-intrusive access to TAP all network traffic on 10 Mb to 100 Gb links
- Industry-leading TAP density, available in a range of split ratios
- Available as standalone TAPs or embedded into GigaVUE appliances
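The two platform functions the deck keeps returning to are (a) aggregating traffic from TAPs and then filtering and replicating it so that each security appliance receives only the traffic it needs, and (b) extracting flow metadata so that tools such as forensics get session summaries instead of full packets. The Python below is an added example that illustrates both ideas generically; it is not Gigamon code and does not describe the patented Flow Mapping implementation. The packets, the rule set, the tool names and the "final rule stops evaluation" semantics are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto length")
Rule = namedtuple("Rule", "name match tools final")

# Constructed sample packets (not a real capture): one TLS session to the
# Internet, one DNS query, one east-west HTTP session, one backup transfer.
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.1.5", 51000, "93.184.216.34", 443, "tcp", 517),
    Packet(0.1, "93.184.216.34", 443, "10.1.1.5", 51000, "tcp", 1400),
    Packet(0.2, "10.1.1.5", 53011, "10.1.1.1", 53, "udp", 70),
    Packet(0.3, "10.1.1.5", 51001, "10.2.2.9", 80, "tcp", 300),
    Packet(0.4, "10.3.3.3", 40000, "10.3.3.4", 873, "tcp", 9000),
    Packet(0.5, "10.2.2.9", 80, "10.1.1.5", 51001, "tcp", 1200),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range

# Hypothetical policy. Rules are evaluated in order; every matching rule adds
# its tools, and a rule marked final stops evaluation (used here to keep
# bulk backup traffic away from every appliance).
RULES = [
    Rule("backup-bypass", {"port": 873}, [], True),
    Rule("tls-to-decrypt", {"proto": "tcp", "port": 443}, ["ssl-decrypt", "ids"], False),
    Rule("dns", {"proto": "udp", "port": 53}, ["ids", "threat-detect"], False),
    Rule("east-west", {"src_net": INTERNAL, "dst_net": INTERNAL}, ["ids", "forensics"], False),
    Rule("default", {}, ["forensics"], False),
]


def matches(pkt, match):
    """A port match applies to either direction so replies follow requests."""
    if "proto" in match and pkt.proto != match["proto"]:
        return False
    if "port" in match and match["port"] not in (pkt.sport, pkt.dport):
        return False
    if "src_net" in match and ipaddress.ip_address(pkt.src) not in match["src_net"]:
        return False
    if "dst_net" in match and ipaddress.ip_address(pkt.dst) not in match["dst_net"]:
        return False
    return True


def route(pkt, rules):
    """Return the set of tools that should receive a copy of this packet."""
    tools = set()
    for rule in rules:
        if matches(pkt, rule.match):
            tools.update(rule.tools)
            if rule.final:
                break
    return tools


def route_all(packets, rules):
    """Replicate each packet to every tool its rules select."""
    out = defaultdict(list)
    for pkt in packets:
        for tool in route(pkt, rules):
            out[tool].append(pkt)
    return dict(out)


def dropped_packets(packets, rules):
    """Packets no tool receives: useful for auditing that a bypass rule is not too broad."""
    return [p for p in packets if not route(p, rules)]


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a session share one record."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted((a, b)))


def flow_records(packets):
    """Flow metadata: one summary per bidirectional flow instead of every packet."""
    flows = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        rec = flows.get(flow_key(pkt))
        if rec is None:
            rec = flows[flow_key(pkt)] = {
                "proto": pkt.proto,
                "client": f"{pkt.src}:{pkt.sport}",   # initiator = first packet seen
                "server": f"{pkt.dst}:{pkt.dport}",
                "packets": 0, "bytes": 0,
                "first_seen": pkt.ts, "last_seen": pkt.ts,
            }
        rec["packets"] += 1
        rec["bytes"] += pkt.length
        rec["last_seen"] = pkt.ts
    return list(flows.values())


if __name__ == "__main__":
    for tool, pkts in sorted(route_all(SAMPLE_PACKETS, RULES).items()):
        print(f"{tool:13s} {len(pkts)} packets")
    print("dropped:", dropped_packets(SAMPLE_PACKETS, RULES))
    for rec in flow_records(SAMPLE_PACKETS):
        print(rec)
```

Two details matter more than they look. Port rules match either direction, otherwise the server's half of a TLS or HTTP session would never reach the decryption or IDS tool that saw the client's half. And the flow key is built from the sorted endpoint pair, so a forensics tool that consumes only metadata still sees one record per session with byte counts from both sides.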
Visibility in VMware ESXi Environments
Host-based approach
- GigaVUE-VM on every ESXi host
- Traffic of interest extracted from the virtual switch (VDS, VSS, Nexus 1000V)
- Integration with vCenter
- Approach is admin friendly
[Diagram: GigaVUE-VM on each VMware ESXi host (VDS, VSS, N1k), Traffic Policies pushed from GigaVUE-FM, tunneling to APM, NPM, Security and CEM tools]
Gigamon Visibility Solution for VMware NSX
[Diagram: Security/Monitor Admin defines a Monitoring Policy in GigaVUE-FM; a traffic copy is taken from the NSX environment and delivered to Tools and Analytics (Application Performance, Network Management, Security)]
OpenStack Cloud Monitoring: Tenant Visibility
MONITORING FROM WITHIN (MFW)
Agent-based approach
- Agent on every application VM that needs monitoring
- GigaVUE-VM aggregates traffic from the agents
- GigaVUE-VM sends traffic to the physical Visibility Fabric
- Agnostic to virtual switch
- Integration with OpenStack (Nova, Glance, Horizon)
- Approach is tenant friendly
[Diagram: agents on tenant VMs over any vSwitch on KVM, GigaVUE-VM per host, Traffic Policies from GigaVUE-FM, tunneling to APM, NPM, Security and CEM tools]
GigaSECURE: Manageability and Automation
PROGRAMMABILITY VIA GIGAVUE-FM
[Diagram: GigaVUE-FM REST APIs driving the Production Network (Internet, Virtual Workloads) and Security Functions (Email Threat Detection, Forensics, Intrusion Detection System, Data Loss Prevention)]
Benefits
FASTER DETECTION, FASTER CONTAINMENT
- Consistent network-wide traffic view for all security appliances, all of the time
- Eliminate departmental and appliance-level contention for access to data
- No disruption to network traffic as security solutions get deployed or upgraded, or when moving from out-of-band to inline deployments
- Eliminate blind spots associated with encrypted traffic and mobility
- Significantly offload security appliances through full session offload and full flow metadata
- Faster identification of malware movement, faster time to containment
Summary
- The security state of today's networks is catalyzing an acute need to shift security architecture from prevention toward detection and response
- This new security model relies critically on network visibility with which to vet, deploy and scale security applications and devices
- GigaSECURE, the first offering of a Security Delivery Platform (SDP), is poised to transform the way security services are deployed and leveraged by making them more effective at protection, more dynamic and more cost-effective
Q&A