NET3420BU: Introducing VMware's Transformative Data Center Endpoint Security Solution
Vijay Ganti, Director, Product Management, VMware
Christopher Frenz, Director of Infrastructure, Interfaith Medical Center
VMworld 2017 Content: Not for publication #VMworld #NET3420BU

Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#NET3420BU CONFIDENTIAL 2

Where to Focus
Attack stages: Infiltration, Propagation, Extraction, Exfiltration
- Stop infiltration
- Stop exfiltration

We're Protecting the Wrong Thing

Diagram: mass against complexity, from Propagation to Extraction, with the population split into Known good, Unknown and Known bad.

From our current model:
- Focused on malicious behavior
- Highly complex and noisy
- Exposed, i.e., untrusted monitoring, limited context
- Manual and lacking orchestration

Applying Least Privilege at an Application Level
To a new model:
- Focused on good (intended) behavior
- Simpler and smaller problem set
- Better signal to noise ratio
- Actionable and behavior-based alerts and responses

Unique Properties of the Virtualization Layer
It's in a unique position to understand the application (Application: Intended State vs. Runtime State)

Unique Properties of the Virtualization Layer
It's in a unique position to deliver isolation: maintain a separate trust domain for security (Application, Isolation)

Unique Properties of the Virtualization Layer
It's in a unique position to deliver a high degree of automation (Application, Isolation, Automation)

We can leverage the unique properties of cloud and virtualization (Application, Isolation, Automation) to secure critical applications

AppDefense: Least Privilege Control for the DataCenter
- Application Control: comprehensive view/grouping of VMs in the datacenter, their intended state, and allowed behavior
- Runtime Anomaly Detection & Response: monitor the real-time state of the OS and user applications; alert and control process, network, and kernel events
- Process Analysis: built-in process analysis engine gives overall process maliciousness as well as specific traits that are potentially suspicious
- Orchestrate Remediation: our infrastructure reach provides a more effective way to orchestrate remediation during a security incident
Diagram labels: Intentional State; Communications; Untrusted Zone (Guest): Processes, OS Kernel; Trusted Zone (ESXi): Runtime Anomaly Detection; Remediation

Gathering Intended State
Diagram labels: Intentional State; Intended State; Runtime State

Gathering Intended State
Sources of intentional state:
- Infrastructure Events (vRA, vCenter, NSX, Chef, Puppet, AWS, etc.)
- Developer Workflow (Maven, Ansible, Jenkins, etc.)
- Runtime Behavior (Agents, Netflow, Policy Changes, etc.)
What they contribute:
- Machine context
- Control and security policies
- Network topology
- Application flows down to process level
- Code signing/authorization
- Process and network behavior
- Ideal for brownfield apps

Leveraging Isolation
Untrusted Zone (Guest): Application Behavior, OS Runtime Attestation
Trusted Zone (Kernel): Secure Context Store, Virtual Enclave
Security in software: great context, lacks isolation. Security in hardware: great isolation, lacks context. Goldilocks sits between the two.

Providing Automated Remediation

AppDefense Architecture
- Cloud: NSX Manager, vCenter; Security Manager (the security manager will always be a cloud deployment; a proxy is used to configure policy and auth to management networks)
- On-Prem: NSX Manager, vCenter, vRA; Security Management Proxy (Config/Policy Sync with the Security Manager)
- VMC Workloads and On-Prem Workloads: each guest runs a Goldilocks Secure Enclave, each host runs a Goldilocks Host Module

Interfaith Beta Experience

WannaCry Ransomware: ransomware attack of pandemic proportions

Defense in Depth Against Ransomware
A defense-in-depth-based guide consisting of 45 suggested controls in the following categories:
- Perimeter Defenses
- Network Defenses
- Endpoint Defenses
- Server Side Defenses
- SIEM and Log Management
- Backup and Recovery
- Awareness Training
- Incident Response
- IoT
https://www.owasp.org/images/4/4a/Anti-RansomwareGuidev1-5.pdf

Criteria for Evaluation
- 70-90% of malware seen by an organization is unique to that organization, according to the 2015 Verizon Data Breach Report
- Signature-based defenses that match known malware or malicious behaviors are no longer sufficient for detecting and stopping threats
- Looking for a signatureless approach to securing servers that complements other controls in our defense in depth strategy
- Tested to see how well AppDefense would block an attack that successfully bypassed other security controls

OWASP Mutillidae: a deliberately vulnerable web application for training security testing skills

XAMPP on Virtual Machine: XAMPP is installed on a Windows 2012 R2 virtual machine that is running AppDefense

Mutillidae: Mutillidae unzips into the htdocs folder of the Apache install and can be accessed via a web browser

AppDefense Baseline: AppDefense monitors the VM for a period of 2 weeks to learn the typical behavior of the VM with regard to processes that establish inbound or outbound network connections

DNS Lookup with Mutillidae
- The DNS lookup function passes the provided input to a system call that uses nslookup
- Inputs are not properly sanitized, so let's append something to our domain name
OS Command Injection: google.com& C:\Program Files\Internet Explorer\iexplorer.exe google.com
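The injection works because user input is spliced into a single shell command line. The following is an added example, not Mutillidae's or VMware's code, written in Python rather than the application's PHP: it contrasts the vulnerable concatenation pattern with a hardened lookup that validates the hostname against a strict grammar and then invokes nslookup as an argument vector with no shell in the path. The payload string is the one shown on the slide; the function names and the regular expression are my own.

```python
import re
import subprocess
from typing import List

# The injected string from the demo slide, reproduced here as a test input only.
PAYLOAD = r"google.com& C:\Program Files\Internet Explorer\iexplorer.exe google.com"

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(value: str) -> bool:
    """Strict allowlist: anything outside the hostname grammar is rejected,
    which excludes spaces, '&', '|', ';', backslashes and quotes outright."""
    return 0 < len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_command(user_input: str) -> str:
    """The pattern the demo exploited: user text concatenated into one command
    line that is then handed to a shell (system(), shell=True and the like).
    In cmd.exe and in POSIX shells alike, '&' ends the nslookup command and
    starts whatever follows it."""
    return "nslookup " + user_input


def hardened_argv(user_input: str) -> List[str]:
    """Validate, then build an argument vector. Each element reaches nslookup
    as one literal argument; no shell ever parses the string, so metacharacters
    cannot chain commands. Raises ValueError on anything that is not a hostname."""
    if not is_valid_hostname(user_input):
        raise ValueError(f"rejected lookup target: {user_input!r}")
    return ["nslookup", user_input]


def is_rejected(user_input: str) -> bool:
    """True when the hardened path refuses the input before any process runs."""
    try:
        hardened_argv(user_input)
    except ValueError:
        return True
    return False


def hardened_lookup(user_input: str) -> str:
    """Run the lookup with no shell involved (needs nslookup on PATH)."""
    result = subprocess.run(hardened_argv(user_input), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_command(PAYLOAD))
    print("hardened path rejects payload:", is_rejected(PAYLOAD))
    print("hardened argv for a real name:", hardened_argv("google.com"))
```

The argument-vector form is the fix that removes the bug class; the hostname validation is defence in depth on top of it, and is also what turns the attempt into a log line a SOC can act on.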

AppDefense Alarm: the OS command injection attempt to use IE to access an external resource caused AppDefense to block the connection attempt and trigger an alarm

The Good
- AppDefense prevented Internet Explorer from connecting to the web site used in the OS command injection
- This is a similar scenario to OS command injection being used to download malware or an exploit
- The alerts feature was very responsive and could provide a SOC a near real-time warning of a potential intrusion attempt
- The learning mode of AppDefense made the setup comparatively easy, since rules and behaviors for the baseline were learned almost entirely during the learning period

Areas for Improvement
- AppDefense currently only blocks processes that seek to establish network connections, and not any process that does not normally run
- AppDefense could potentially be circumvented when the server executes scripts via interpreters (such as python.exe) as a part of its normal behavior, by placing a malicious script with the same name as the one normally called on the server
- Support for older OSes (e.g. Windows 2008 R2) would be desirable, even with a more limited feature set
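As an added illustration of the learning-mode baseline described under "AppDefense Baseline" and of the interpreter gap noted in the first two points above, here is a small Python allowlist check that is not AppDefense's code: it records which (process, direction, port) combinations made connections during a constructed learning period and then judges constructed runtime events against that set, blocking the demo's Internet Explorer connection. A second key that additionally hashes the script an interpreter was launched with shows one way the same-name-script bypass can be closed; the event data, file paths and function names are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetEvent:
    """One observed network connection attempt (constructed sample data)."""
    process: str                    # image path of the connecting process
    direction: str                  # "inbound" or "outbound"
    remote_port: int
    script: Optional[bytes] = None  # for interpreters: bytes of the script they were given


Key = Callable[[NetEvent], Tuple]


def key_by_process(ev: NetEvent) -> Tuple:
    """Baseline keyed on the process image only (paths are case-insensitive on Windows)."""
    return (ev.process.lower(), ev.direction, ev.remote_port)


def key_by_process_and_script(ev: NetEvent) -> Tuple:
    """Same key plus a SHA-256 of the script content, so a replaced script
    carrying the same file name no longer matches what was learned."""
    digest = hashlib.sha256(ev.script).hexdigest() if ev.script is not None else None
    return key_by_process(ev) + (digest,)


def learn_baseline(events: Iterable[NetEvent], key: Key) -> Set[Tuple]:
    """Learning mode: everything seen during the learning period becomes intended state."""
    return {key(ev) for ev in events}


def evaluate(baseline: Set[Tuple], events: Iterable[NetEvent], key: Key) -> List[Tuple[NetEvent, str]]:
    """Protected mode: a connection outside the baseline is blocked (and would raise an alarm)."""
    return [(ev, "allow" if key(ev) in baseline else "block") for ev in events]


# Constructed learning-period traffic for a Windows web server running XAMPP.
REPORT_SCRIPT = b"# nightly report job (constructed)\nimport urllib.request\n"
LEARNING_EVENTS = [
    NetEvent(r"C:\xampp\apache\bin\httpd.exe", "inbound", 80),
    NetEvent(r"C:\Windows\System32\svchost.exe", "outbound", 53),
    NetEvent(r"C:\Python27\python.exe", "outbound", 443, script=REPORT_SCRIPT),
]

# Constructed runtime events: normal web traffic, the browser launch from the
# demo's command injection, and the same interpreter running a swapped-in script
# that has the expected file name but different content.
RUNTIME_EVENTS = [
    NetEvent(r"C:\xampp\apache\bin\httpd.exe", "inbound", 80),
    NetEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", "outbound", 80),
    NetEvent(r"C:\Python27\python.exe", "outbound", 443, script=b"# replaced script (constructed)\n"),
]


def verdicts_for(key: Key) -> List[str]:
    """Learn on LEARNING_EVENTS, then judge RUNTIME_EVENTS, returning verdicts in order."""
    baseline = learn_baseline(LEARNING_EVENTS, key)
    return [verdict for _, verdict in evaluate(baseline, RUNTIME_EVENTS, key)]


if __name__ == "__main__":
    for name, key in (("process only", key_by_process),
                      ("process + script hash", key_by_process_and_script)):
        print(f"{name}: {verdicts_for(key)}")
```

With the process-only key the third event is allowed, which is exactly the gap the slide describes; the script-hash key blocks it. That key only helps where the monitoring layer can actually see what the interpreter was handed, so it is offered as one direction for closing the gap, not as a description of what AppDefense does.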

Demo