Securing Dynamic Data Centers Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan & Afghanistan @WajahatRajab
Modern Challenges
By 2020, 60% of Digital Businesses will suffer Major Service Failures due to the inability of IT Security Teams to manage Digital Risk! ~ Gartner http://www.gartner.com/newsroom/id/3337617
Lack of Security Talent
- 86% of respondents believe there is a shortage of skilled cybersecurity professionals
- 0% unemployment rate for cybersecurity professionals
(Source: Information Systems Audit and Control Association - ISACA)
- 146 days before detecting targeted attacks
- 53% of attacks discovered externally
Source: Live proof of concepts, 263 organizations, 2016:
- 90% had zero-day or unknown attacks in their networks
- 65% had active Command and Control
- 80% had network or malware exploits
- 60% of malware only affects one device
- 90% of malicious domains are alive for less than one hour
- Only 60 seconds to encrypt endpoints with ransomware
Sources: Trend Research, Verizon Data Breach Report, 2016
Data Center Challenges
Infrastructure Modernization: Physical Servers, Virtual Servers, Virtual Desktops, Public Cloud, Containers, Serverless (AWS Lambda, Azure Functions)
"Increasingly, organizations are asking what can't go to the cloud, rather than what can." Source: Gartner Blog Network, "The end of the beginning of cloud computing" by Lydia Leong
Three requirements for data center security:
- Performance without compromising security across environments
- Protection against advanced threats across legacy and modern architectures
- Simplified management and operational efficiency, especially in light of the skills shortage, with the ability to audit
Timely Patch Management: Wishful Thinking. The timeline runs: Vulnerability disclosed or exploit available -> Patch available (if in support) -> Test completed -> Begin deployment. The system is exposed for the whole of that interval.
Ransomware in the Modern Data Center: attacks typically focus on users, but spread to servers through file shares. Some newer attacks (WannaCry) target unpatched and vulnerable servers directly!
Data Center Security Approach
#1 - Focus on Time to Detect
Block and Prevent Detect and Respond
Gartner's Adaptive Security Architecture: a continuous loop of Predict, Prevent, Detect and Respond around a core of continuous visibility and assessment, policy and compliance.
- Predict: risk-prioritized exposure assessment; anticipate threats/attacks; baseline systems and security posture (adjust posture)
- Prevent: harden systems; isolate systems; prevent attacks (implement posture)
- Detect: detect incidents; confirm and prioritize risk; contain incidents (monitor posture)
- Respond: remediate; design/model policy change; investigate incidents / retrospective analysis
- Core: continuous visibility and assessment of users, systems, system activity, payload and network
#2 Machine Learning and AI
Artificial Intelligence > Machine Learning > Neural Networks > Deep Learning
- Supervised learning: Nearest Neighbor, Decision Trees, Support Vector Machine (SVM), and more
- Unsupervised learning: Clustering, and more
- Applications: Perception (vision, object tracking, and more); Language (NLP, translation)
ML tricked into recognizing photos as an ostrich: researchers tuned the input images to maximize the prediction error and called these adversarial examples. This is exactly what malware authors are going to do. Source: "Intriguing properties of neural networks", Szegedy et al., Feb 2014, https://arxiv.org/pdf/1312.6199.pdf
#3 - Servers are Not Endpoints
Gartner Cloud Workload Security hierarchy (Source: Gartner, March 2016):
- Foundational: Operations hygiene (admin privilege management, change management, log management); Configuration and vulnerability management (no arbitrary code; no email or web client); Network segmentation and traffic visibility
- Core server protection strategies: Integrity monitoring/management; Application controls/whitelisting; Exploit prevention/memory protection; IaaS data-at-rest encryption
- Optional server protection strategies: Advanced behavioral detection and response; Deception; Vulnerability shielding; AV
- Less critical / application-specific: WAF, DDoS
#4 - Intelligence Sharing Across Security Controls
Your security is only as strong as your vendor's threat intelligence.
#5 Centralized Visibility and Control
Mining of Security Data: lots of information but no correlation!
Minimum Best Practices
Key Best Practices
Trend Micro Approach
Defend Against Network & App Threats: Sandbox Analysis; Intrusion Prevention; Application Control; Machine Learning; Integrity Monitoring; Behavioral Analysis; Log Inspection; Anti-Malware & Content Filtering
The Good, The Bad and The Unknown
- Known Good and Known Bad are handled by: Anti-Malware & Web Reputation; Intrusion Prevention (IPS) & Firewall; Integrity Monitoring & Log Inspection; Application Control (MUST)
- Unknown is handled by: Machine Learning; Behavioral Analysis; Custom Sandbox Analysis
- Outcome: safe files & actions allowed; malicious files & actions blocked
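The "good, bad, unknown" routing above can be written down as a decision pipeline. The following is an added illustration, not Trend Micro's code or product logic: reputation hashes, allowlist, behavior names and the sample "files" are all constructed here, and the layer order (reputation first, then application control on a locked-down server, then behavioral analysis, then sandbox for what remains) is an assumption about how the layers compose.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files": byte strings standing in for binaries.
SAMPLES = {
    "notepad.exe": b"MZ trusted editor v1",
    "dropper.exe": b"MZ known bad payload",
    "newtool.exe": b"MZ never-seen utility",
    "cryptor.exe": b"MZ never-seen encryptor",
}

# Layer 1: reputation feeds (known good / known bad), keyed by hash (constructed).
KNOWN_GOOD = {sha256(SAMPLES["notepad.exe"])}
KNOWN_BAD = {sha256(SAMPLES["dropper.exe"])}

# Layer 2: application control allowlist for this server (constructed).
APP_CONTROL_ALLOW = {sha256(SAMPLES["notepad.exe"])}

# Layer 3: behaviors that behavioral analysis treats as malicious (constructed names).
SUSPICIOUS_BEHAVIORS = {"mass_file_rename", "shadow_copy_delete", "inject_into_process"}


@dataclass
class Observation:
    name: str
    content: bytes
    # Runtime behaviors seen so far; in a product these come from behavioral monitoring.
    behaviors: set = field(default_factory=set)


@dataclass
class Decision:
    verdict: str  # "allow", "block" or "sandbox"
    layer: str    # which layer made the call
    reason: str


def classify(obs: Observation, lockdown: bool = True) -> Decision:
    """Route a file through the layers: known bad/good first, then application
    control (on a locked-down server unknown binaries never run), then behavior,
    and finally sandbox detonation for unknowns that have shown nothing yet."""
    h = sha256(obs.content)
    if h in KNOWN_BAD:
        return Decision("block", "anti-malware", "hash on known-bad list")
    if h in KNOWN_GOOD:
        return Decision("allow", "anti-malware", "hash on known-good list")
    if lockdown and h not in APP_CONTROL_ALLOW:
        return Decision("block", "application-control",
                        "unknown binary not on server allowlist")
    hits = obs.behaviors & SUSPICIOUS_BEHAVIORS
    if hits:
        return Decision("block", "behavioral-analysis",
                        "suspicious behavior: " + ", ".join(sorted(hits)))
    return Decision("sandbox", "sandbox-analysis",
                    "unknown with no suspicious behavior yet; detonate before trusting")


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        d = classify(Observation(name, content), lockdown=False)
        print(f"{name:12} {d.verdict:8} via {d.layer}: {d.reason}")
```

The point the slide makes is visible in the `lockdown` flag: with application control on, the unknown never reaches the "maybe" layers at all, which is why the legend marks it MUST; with lockdown off, the unknown falls through to behavior and sandbox, where the verdict depends on what the file does.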
Reduce Operational Impacts
- Reduce operational costs of emergency and ongoing patching
- Protect systems where no patches will be provided
- Secure server and application-level vulnerabilities
With a virtual patch the timeline becomes: Vulnerability disclosed or exploit available -> Virtual patch available (continuous protection from here) -> Patch available (if in support) -> Test completed -> Begin deployment. WannaCry ransomware protection was delivered in March 2017, with enhancements at public disclosure (May 2017).
Stop Ransomware: use layered security to
- Stop ransomware on servers with advanced malware prevention that includes behavioral monitoring
- Lock down Windows and Linux servers with application control
- Shield from network attacks with IPS, including protection of network file shares (over SMB)
- Stop lateral movement and detect command & control (C&C) traffic between file servers, other servers and C&C communication
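The behavioral-monitoring point for file servers is easiest to see on a concrete event stream. The following is an added example, not Trend Micro's detection logic: it runs a sliding-window rate detector over constructed file-server events (a slow nightly backup from a local process and a burst of renames arriving over an SMB session from a workstation) and flags the burst, marking it as lateral movement because the writer is a remote SMB client rather than a local process. Field names, thresholds and the list of ransomware extensions are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Extensions commonly appended by encrypting ransomware (constructed, illustrative list).
SUSPICIOUS_EXTS = (".wncry", ".locked", ".crypt")


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since start of the capture
    host: str      # file server that observed the event
    client: str    # SMB client that issued it, or "local" for a local process
    process: str   # local process name or "smb-session" for share access
    op: str        # "write" or "rename"
    path: str      # resulting path on the share


def constructed_events():
    """Constructed sample data: 30 backup writes over 5 minutes, then 40 renames
    to .wncry within 4 seconds coming from workstation WS-17 over SMB."""
    events = []
    for i in range(30):
        events.append(FileEvent(i * 10.0, "FS01", "local", "backup.exe",
                                "write", f"share/doc{i}.docx"))
    for i in range(40):
        events.append(FileEvent(100.0 + i * 0.1, "FS01", "WS-17", "smb-session",
                                "rename", f"share/doc{i}.docx.wncry"))
    return sorted(events, key=lambda e: e.ts)


def detect_mass_modification(events, window=10.0, threshold=20):
    """Alert once per (host, client, process) when at least `threshold` file
    writes/renames land inside any `window`-second span. Each alert records
    whether the writer was a remote SMB client (lateral movement) and how many
    of the files in the window carry a known ransomware extension."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        key = (ev.host, ev.client, ev.process)
        q = recent[key]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            ext_hits = sum(1 for e in q if e.path.lower().endswith(SUSPICIOUS_EXTS))
            alerts.append({
                "host": ev.host,
                "client": ev.client,
                "process": ev.process,
                "count": len(q),
                "first_ts": q[0].ts,
                "last_ts": ev.ts,
                "lateral": ev.client != "local",
                "ransomware_ext_hits": ext_hits,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_modification(constructed_events()):
        print(f"ALERT {a['host']}: {a['count']} file ops from {a['client']} "
              f"({a['process']}) in {a['last_ts'] - a['first_ts']:.1f}s; "
              f"lateral={a['lateral']}, ransomware extensions={a['ransomware_ext_hits']}")
```

The backup never trips the detector because its 30 writes are spread ten seconds apart, so no window ever holds more than two; the SMB burst trips it on its twentieth rename. In practice the `lateral` flag is what ties this to the "stop lateral movement" bullet: the response is to terminate that SMB session and isolate the originating workstation rather than the file server itself.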
We are the BEST!!! Leader for 14 straight years!
The MARKET LEADER in server security for 7 straight years. [Market share pie chart: Trend Micro, Symantec, Intel, Other; one segment labelled 30%] Source: IDC, "Securing the Server Compute Evolution: Hybrid Cloud Has Transformed the Datacenter", January 2017, #US41867116
Thank you MUHAMMAD WAJAHAT RAJAB, PRE-SALES CONSULTANT TREND MICRO, PAKISTAN & AFGHANISTAN