Validating the Security of the Borderless Infrastructure

Similar documents
Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

NETWORK DDOS PROTECTION STANDBY OR PERMANENT INFRASTRUCTURE PROTECTION VIA BGP ROUTING

STATE OF THE NETWORK STUDY

Securing Your Microsoft Azure Virtual Networks

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Rethinking Security: The Need For A Security Delivery Platform

DDoS MITIGATION BEST PRACTICES

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

3 Ways to Prevent and Protect Your Clients from a Cyber-Attack. George Anderson Product Marketing Director Business October 31 st 2017

Copyright 2011 Trend Micro Inc.

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Gladiator Incident Alert

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Service Mesh and Microservices Networking

Securing Your Amazon Web Services Virtual Networks

Security Gap Analysis: Aggregrated Results

Changing face of endpoint security

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Paloalto Networks PCNSA EXAM

Security in Cloud Environments

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

All-in one security for large and medium-sized businesses.

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

AWS Reference Design Document

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

AKAMAI CLOUD SECURITY SOLUTIONS

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

HOSTED SECURITY SERVICES

haltdos - Web Application Firewall

Automating Security Practices for the DevOps Revolution

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

DDoS Detection&Mitigation: Radware Solution

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges

External Supplier Control Obligations. Cyber Security

Evaluating the Security of Software Defined Networking

WHITE PAPER. Applying Software-Defined Security to the Branch Office

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Datacenter Security: Protection Beyond OS LifeCycle

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Distributed Denial of Service

TRAINING WEEK COURSE OUTLINE May RADISSON HOTEL TRINIDAD Port of Spain, Trinidad, W.I.

DELL EMC VSCALE FABRIC

Mastering The Endpoint

DDoS: Evolving Threats, Solutions FEATURING: Carlos Morales of Arbor Networks Offers New Strategies INTERVIEW TRANSCRIPT

FIREWALL BEST PRACTICES TO BLOCK

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

Business Strategy Theatre

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

SONICWALL SECURITY HEALTH CHECK SERVICE

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

Teradata and Protegrity High-Value Protection for High-Value Data

Proactive Approach to Cyber Security

SONICWALL SECURITY HEALTH CHECK SERVICE

Arbor White Paper Keeping the Lights On

Comprehensive datacenter protection

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Supporting The Zero Trust Model Of Information Security: The Important Role Of Today s Intrusion Prevention Systems

Enterprise D/DoS Mitigation Solution offering

COPYRIGHT 2018 NETSCOUT SYSTEMS, INC. 1

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

Maximum Security with Minimum Impact : Going Beyond Next Gen

Reducing Cybersecurity Costs & Risk through Automation Technologies

Hybrid Network present & future

Distributing Applications for Disaster Planning and Availability

akamai s [state of the internet] / security

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Contents. Background. Use Cases. Product Introduction. Product Value

A Modern Framework for Network Security in Government

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Cisco ASA 5500 Series IPS Edition for the Enterprise

You Might Know Us As. Copyright 2016 TierPoint, LLC. All rights reserved.

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

SECURITY PRACTICES OVERVIEW

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Future-ready security for small and mid-size enterprises

KASPERSKY ANTI-MALWARE PROTECTION SYSTEM BE READY FOR WHAT S NEXT. Kaspersky Open Space Security

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams

ANATOMY OF AN ATTACK!

Check Point DDoS Protector Introduction

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

HOW TO HANDLE A RANSOM- DRIVEN DDOS ATTACK

Seceon s Open Threat Management software

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Transcription:

SESSION ID: CDS-R01 Validating the Security of the Borderless Infrastructure David DeSanto Director, Product Management Spirent Communications, Inc. @david_desanto

Agenda 2

The Adversary

The Adversary Three Main Types of Attacks DDoS Attacks Volumetric Consume all bandwidth Protocol Consume all state (i.e., TCP state table) Application Consume or exploit application layer Exploits Targeting public facing services for vulnerabilities Used as the delivery mechanism for command and control channels (data exfiltration) Malware Advanced Persistent Threats / Targeted Persistent Threats Mobile malware for gaining traction for accessing sensitive data 4

The Adversary DDoS Attack Statistics SOURCE: Arbor Networks Tenth Annual Worldwide Infrastructure Security Report 5

The Adversary Application DDoS Attack Example R.U.D.Y. (R-U-Dead-Yet) HTTP Slow POST DoS attack Targets web forms with never ending POST values Easily scalable into an application DDoS attack With little effort, website becomes unavailable 6

The Adversary Exploit and Malware Statistics SOURCE: Cisco 2015 Annual Security Report, Mandiant M-Trends 2015: A view from the front lines, McAfee Labs Threats Report June 2014 7

The Adversary Malware Example Duqu 2.0 - Cyberespionage Advanced Persistent Threat (APT) Known to have exploited three different zero-day vulnerabilities Highly sophisticated anti-detection techniques Command-and-control (C&C) mechanisms masked within image files Known targets Kaspersky Lab Iranian Nuclear Talks (P5+1 events) European Telecoms Operator 8

The Borderless Infrastructure

The Borderless Infrastructure In the early years of this market, most data virtualization was focused primarily on the financial services, telecom and government sectors. In the past three years, however, Forrester has seen significantly increased adoption in other verticals, such as insurance, retail, health care, manufacturing and e-commerce. The Forrester Wave : Enterprise Data Virtualization, Q1 2015 Forrester Research, Inc. 10

Server and Application to Virtual Deployments Deployments within data centers as well as migration to the cloud 11

Application Delivery Controllers Network Firewalls Network IPS Virtual Security and Content Delivery Deployments Deployments within data centers as well as migration to the cloud 12

The Borderless Infrastructure North / South Traffic Traffic entering from an external source into the virtual environment This traffic may or may not go through other physical security equipment Limit access to public facing applications and services Only allow access on the protocols / ports needed Inspect incoming requests for security risks and block any malicious traffic Alert on malicious traffic 13

The Borderless Infrastructure East / West Traffic Communications between virtual machines in different port groups or security zones Virtual machines can reside on the same virtual host or different virtual hosts Limit what applications or services can communicate between security zones Confirm this traffic is the actual application Inspect this traffic for security risks 14

Validating the Security of This New Infrastructure

Validating the Security of This New Infrastructure Confirm only allowed traffic enters protected zones Confirm unwantedd traffic, whether by policy or malicious, is blocked from entering protected zones Measure impact of different types of policies Time to first byte QoS impacts in deployment Test how performance is impacted by the hypervisor deployment Configuration of hypervisor Different hypervisors 16

Validating the Security of This New Infrastructure North / South Testing 17

Validating the Security of This New Infrastructure East / West Testing 18

Validating the Security of This New Infrastructure Security Testing Lifecycle Upgrade component Upgrade Infrastructure Component Confirm policy is still working as expected Apply Patches From Vendor Confirm Security Policy Fuzz critical protocols to confirm stability Launch security attacks (all directions) Security Testing Lifecycle Report found issues to product vendor Apply patches provided by product vendor Repeat process Report Any Findings To Vendor Launch Security Attacks Perform Fuzzing Testing 19

Key Takeaways The movement to virtual is increasing the threat landscape DDoS Malware Exploits It is important to test all avenues for traffic North / South East / West Confirm only allowed, legitimate traffic is crossing through protected zones Only use testing solutions that provide a holistic view 20

Apply What You Learned Today Next week you should Identify the critical paths within your virtual deployments (North / South, East / West) Confirm only allowed traffic traverses security policies into protected zones Over the next four weeks you should Implement the security testing lifecycle within your organization Begin collecting metrics on efficacy of your security policies (i.e., are there holes you are unaware of?) product updates (i.e., security efficacy, critical performance metrics) Over the next three months Fully integrate security testing lifecycle within your organization Begin reporting on how your organization is doing with its virtual security 21

Thank You! @david_desanto https://www.linkedin.com/in/ddesanto

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback