Rethinking Security: The Need For A Security Delivery Platform
Cybercrime In Asia: A Changing Environment & Shifting Focus

"Asia, more vulnerable to cybercrime because of diversity and breadth of countries and number of financial institutions and high value businesses." - Jeff Price, Experian Southeast Asia Managing Director

"Organizations in the Asia-Pacific region were forecast to spend $230 billion to deal with cybersecurity breaches in 2014, the highest amount for any region in the world." - IDC and the National University of Singapore

"The problem with having a prevention-only focus is that if you're just putting your budget there, most often, you don't have a good solid investment in detection technology and the incident response process." - Laurence Pingree, Gartner Research Director, Gartner Risk Summit, Dubai
Traditional Security Model

Perimeter or Endpoint Based
- Inside vs. outside
- Focus on prevention
- Rule based
- Signature based

Simple Trust Model
- Trusted vs. un-trusted
- Corporate vs. personal asset
- Insider-outsider boundary dissolved: BYOD

Static Environment
- Fixed locations, zones, perimeters
- Mobility of users, devices and applications

More importantly: THE VERY NATURE OF CYBER THREATS HAS CHANGED!
Anatomy of an Advanced Persistent Threat (APT)

1. Reconnaissance
2. Phishing & zero-day attack
3. Back door
4. Lateral movement
5. Data gathering
6. Exfiltrate

In many cases the system stays breached after exfiltration! (Source: RSA)
Mitigating Risk Remains Difficult

- The mean number of days from initial intrusion to detection*
- The average lifespan of a zero-day before it is discovered or disclosed*
- of organizations in the study were breached during the test period**
- of organizations had active Command & Control (C&C) communications**

Sources: *Trustwave 2014 Global Security Report; **FireEye, "Maginot Revisited"
What Else Has Changed That Impacts Security?

FUNDAMENTAL SHIFT IN TRAFFIC PATTERNS; MOBILITY

[Diagram: Internet - Firewall - DMZ - IPS - Core Switch - IDS, above a Spine / Leaf / Server Farm fabric. Callout: No visibility into lateral propagation of threats!]
What Else Has Changed That Impacts Security? GROWING USE OF SSL

- 25%-35% of enterprise traffic today is SSL [1]
- Security and performance management tools are either blind to SSL traffic or get overloaded if they decrypt SSL
- Large (2048-bit) cipher keys cause an 81% performance degradation in existing SSL architectures [1]
- More than 50% of network attacks in 2017 will use encrypted traffic to bypass controls (vs. 5% today) [2]

How to ensure security, manage risk and ensure compliance with the growing use of encrypted traffic?

Sources: [1] NSS Labs; [2] Gartner
A Perfect Storm: The Need To Rethink Security Architecture

- Changed threat model
- Fundamentally unchanged security trust model
- At-will security breaches
- Rising use of encryption
- Changed traffic patterns and mobility
Finding the Threat Within: Challenges With Ad Hoc Security Deployments

VISIBILITY LIMITED TO A POINT IN TIME OR PLACE
- Significant blind spots
- Extraordinary costs
- Contention for access to traffic
- Inconsistent view of traffic
- Blind to encrypted traffic
- Too many false positives

[Diagram: Internet - Routers - Spine switches - Leaf switches - Virtualized Server Farm, with tools attached individually at different points: IPS (inline), Anti-Malware (inline), Intrusion Detection System, Data Loss Prevention, Email Threat Detection, Forensics]

It is time the balance of power shifted from attacker to defender!
Transformation Through Visibility: The Need For A Security Delivery Platform

[Diagram: Internet - Routers - Spine switches - Security Delivery Platform - Leaf switches - Virtualized Server Farm; the platform feeds IPS (inline), Anti-Malware (inline), Data Loss Prevention, Intrusion Detection System, Forensics and Email Threat Detection]

- A complete network-wide reach: physical and virtual
- Scalable metadata extraction for improved forensics
- Isolation of applications for targeted inspection
- Visibility into encrypted traffic for threat detection
- Inline for prevention and out-of-band for detection

Security Delivery Platform: a foundational building block for effective security
Requirements For Network-Wide Reach

- Terabit-scale visibility nodes with the ability to cluster multiple nodes
- Traffic aggregation and intelligent filtering
- Replicate traffic to multiple security appliances without performance impact
- Non-intrusive access to virtual traffic via a lightweight user-space monitoring VM
- Follow the VM: uninterrupted security monitoring during virtual workload migration
- Extend the security function to virtual traffic
- Non-intrusive access to TAP all network traffic from 10 Mb to 100 Gb links
- Cost-effective options for retrieving traffic from all required segments
Requirements For NetFlow / IPFIX Generation

Flow Metadata
- Unsampled (1:1) NetFlow/IPFIX record generation to detect low-and-slow attacks
- Filter records based on configurable parameters to predetermined tools
- Offload NetFlow/IPFIX record generation from overloaded network infrastructure
- Advanced information elements
- Leverage LLDP / CDP information to pinpoint the network source

SIEM and NetFlow Forensics Integration
- Enable end-to-end security enforcement with visibility into every flow
- Detect Command and Control communications
- Support for industry-leading SIEM and NetFlow forensics collectors
- Support multiple NetFlow collectors and versions, i.e. NetFlow v5/v9 and IPFIX
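Why the slide insists on unsampled (1:1) records: a low-and-slow beacon is only visible as a pattern across many small flows, and sampling thins that pattern out. The following is an added example, not code from this deck or from any vendor product; the flow records are constructed NetFlow-style summaries, and the allowlist of legitimately periodic ports (NTP here) is an assumption a real deployment would replace with its own.

```python
"""Beacon detection over unsampled (1:1) flow records.

Added example for this deck, not code from the slides or from any vendor product.
The records below are constructed NetFlow-style summaries (start time, source,
destination, destination port, bytes). The detector flags groups of flows whose
inter-arrival times and sizes are both nearly constant, the signature of a
low-and-slow command-and-control (C&C) beacon. A 1:N sampled feed drops most of
those records, which is why the slide asks for unsampled generation.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (start_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = (
    [  # ordinary browsing: irregular timing, varied sizes
        (0, "10.0.0.5", "203.0.113.10", 443, 5200),
        (3, "10.0.0.5", "203.0.113.10", 443, 91000),
        (4, "10.0.0.5", "203.0.113.10", 443, 1800),
        (90, "10.0.0.5", "203.0.113.10", 443, 40000),
    ]
    # low-and-slow beacon: every ~600 s with slight jitter, ~300 bytes, for 2 hours
    + [(600 * i + (i % 3), "10.0.0.7", "198.51.100.23", 8443, 300 + 4 * (i % 2)) for i in range(12)]
    # benign periodic traffic: NTP polls every 64 s, 76 bytes
    + [(64 * i, "10.0.0.8", "192.0.2.123", 123, 76) for i in range(10)]
)


def coefficient_of_variation(values):
    """pstdev / mean; 0.0 for a constant or empty series."""
    m = mean(values) if values else 0.0
    return pstdev(values) / m if m else 0.0


def find_beacons(flows, min_events=8, max_interval_cv=0.1, max_size_cv=0.2,
                 allow_ports=frozenset({123})):
    """Return {(src, dst, port): summary} for flow groups that look like beacons.

    allow_ports lists services that are legitimately periodic (NTP here, an
    assumption) so they are not reported; in practice the allowlist comes from
    the environment and is the main false-positive control.
    """
    groups = defaultdict(list)
    for start, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((start, nbytes))

    beacons = {}
    for key, events in groups.items():
        if len(events) < min_events or key[2] in allow_ports:
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        if (coefficient_of_variation(intervals) <= max_interval_cv
                and coefficient_of_variation(sizes) <= max_size_cv):
            beacons[key] = {
                "events": len(events),
                "mean_interval_s": round(mean(intervals), 1),
                "mean_bytes": round(mean(sizes), 1),
            }
    return beacons


def sample_flows(flows, n):
    """Keep every n-th record, imitating 1:N flow sampling on a router."""
    return flows[::n]


if __name__ == "__main__":
    for key, summary in find_beacons(FLOWS).items():
        print("beacon candidate", key, summary)
    print("same detector on a 1:4 sampled feed:", find_beacons(sample_flows(FLOWS, 4)))
```

On the full feed the detector reports the 8443 beacon and suppresses the NTP group through the allowlist; on a 1:4 sampled copy of the same records every group falls below the minimum event count and nothing is reported, which is the loss of visibility the slide is describing.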
Need For Application Traffic Steering

[Diagram: four application sessions (1-4), including video and email, pass through Application Session Filtering; the Video Monitor, Email Monitor and Collector each receive only the sessions relevant to them]

- Offloads security device from looking at irrelevant traffic
- Increases security application efficacy and reduces false positives
- Optimizes security device compute and deployment scale
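The aggregation, filtering and replication requirements two slides back and the session steering on this slide come down to one decision made once per session and then applied to every packet of it. The following is an added example and not code from this deck or from any product: packets, tool names and application signatures are all constructed placeholders, and the signatures are deliberately minimal heuristics rather than a real application classifier.

```python
"""Session-aware application traffic steering.

Added example for this deck, not code from the slides or from any product. Each
constructed packet is a 5-tuple plus the first payload bytes. A session is
classified once (by first-payload signature or port), the verdict is cached per
session, and every packet of the session is fanned out to the tool group that
application deserves. Tool and application names are placeholders chosen for the
categories on the slide; the signatures are deliberately minimal heuristics.
"""
from collections import Counter

# Steering policy: application -> tools that receive the whole session (placeholder names).
POLICY = {
    "email": ["email-threat-detection", "collector"],
    "web": ["ids", "dlp", "collector"],
    "video": [],                 # never reaches a security tool: pure offload
    "other": ["collector"],
}


def pkt(src, sport, dst, dport, proto, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "payload": payload}


def classify(first_pkt):
    """Name the application from a session's first packet (simplified heuristics)."""
    port, payload, proto = first_pkt["dport"], first_pkt["payload"], first_pkt["proto"]
    if payload.startswith((b"EHLO", b"HELO")) or port in (25, 587):
        return "email"
    if payload.startswith((b"GET ", b"POST ", b"\x16\x03")) or port in (80, 443):  # HTTP or TLS handshake
        return "web"
    if proto == "udp" and (port == 3478 or payload[:1] == b"\x80"):              # STUN port or RTP v2 header
        return "video"
    return "other"


class Steerer:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}          # session key -> application
        self.delivered = Counter()  # tool -> packets delivered
        self.dropped = 0            # packets filtered before reaching any tool

    @staticmethod
    def session_key(p):
        # Direction-independent key so replies land in the same session as the request.
        ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        return (p["proto"], ends[0], ends[1])

    def steer(self, p):
        """Return (application, tools) for this packet and record the delivery."""
        key = self.session_key(p)
        app = self.sessions.get(key)
        if app is None:                      # first packet of the session: classify once
            app = self.sessions[key] = classify(p)
        tools = self.policy[app]
        if not tools:
            self.dropped += 1
        for tool in tools:
            self.delivered[tool] += 1
        return app, tools


# Constructed traffic: one SMTP session, one HTTP session on a non-standard port
# (caught by payload, not port), one RTP video stream and one DNS query.
PACKETS = [
    pkt("10.0.0.5", 40001, "192.0.2.25", 25, "tcp", b"EHLO client.example"),
    pkt("192.0.2.25", 25, "10.0.0.5", 40001, "tcp", b"250-mail.example"),
    pkt("10.0.0.5", 40001, "192.0.2.25", 25, "tcp", b"MAIL FROM:<a@example.com>"),
    pkt("10.0.0.6", 40002, "203.0.113.8", 8080, "tcp", b"GET / HTTP/1.1\r\n"),
    pkt("203.0.113.8", 8080, "10.0.0.6", 40002, "tcp", b"HTTP/1.1 200 OK\r\n"),
] + [pkt("10.0.0.9", 50000, "198.51.100.40", 20000, "udp", b"\x80\x60" + bytes([n])) for n in range(4)] + [
    pkt("10.0.0.10", 53001, "10.0.0.53", 53, "udp", b"\x12\x34\x01\x00"),
]


def run_sample(packets=PACKETS):
    """Steer the constructed traffic and return per-tool delivery counts."""
    s = Steerer(POLICY)
    for p in packets:
        s.steer(p)
    return {"delivered": dict(s.delivered), "dropped": s.dropped, "sessions": len(s.sessions)}


if __name__ == "__main__":
    print(run_sample())
```

The collector sees every non-video packet (the replicate-to-multiple-tools case), the email tool sees only the SMTP session, and the four video packets are dropped before any tool, which is the offload the slide quantifies. Classifying on the first packet only is what keeps this cheap at line rate; it also means the verdict is only as good as that first packet, so a real classifier would re-check after a few packets.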
SSL Decryption: OUT-OF-BAND SSL DECRYPTION USING THE SECURITY DELIVERY PLATFORM

[Diagram, three deployment points:]
- IDS at the perimeter: LAN workstations - Router - Firewall - TAP - Switch (physical / virtual), with SSL Decryption feeding the IDS
- Anti-malware for web apps: Server Rack - TAP, with SSL Decryption feeding Anti-Malware
- DLP at remote sites: Branch - Router - Firewall with SSL Proxy - HQ - Database, with SSL Decryption feeding DLP
Importance of Inline/Out-of-Band Toggling

Inline Bypass
- Maximize tool efficacy
- Increase scale of security monitoring
- Add, remove and upgrade tools without disruption
- Consolidate multiple points of failure into a single, bypass-protected solution
- Integrate inline, out-of-band and flow-based tools
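The bypass behaviour this slide lists hides one decision that a practitioner has to make explicitly: when an inline tool stops responding, does traffic keep flowing uninspected (fail-open, availability first) or stop (fail-closed, security first)? The following is an added example, not code from this deck or any product; the tool names are placeholders and heartbeats are driven by caller-supplied timestamps so the state changes are deterministic.

```python
"""Inline bypass state machine: heartbeat-monitored tools with fail-open or fail-closed behaviour.

Added example for this deck, not code from the slides or any product. An inline
chain (IPS then anti-malware, placeholder names) sits between two network ports.
Each tool is health-checked by heartbeat; a tool that misses its heartbeat or is
put into maintenance is taken out of the path without touching the network link.
fail_open decides what happens when a tool is down: keep forwarding or drop.
Times are plain seconds supplied by the caller so the logic is deterministic.
"""
from dataclasses import dataclass


@dataclass
class InlineTool:
    name: str
    fail_open: bool = True          # True: traffic bypasses a failed tool; False: traffic is dropped
    heartbeat_timeout_s: float = 2.0
    last_heartbeat: float = 0.0
    maintenance: bool = False       # operator-initiated bypass for upgrade or replacement

    def healthy(self, now):
        return now - self.last_heartbeat <= self.heartbeat_timeout_s


class BypassSwitch:
    def __init__(self, tools):
        self.tools = list(tools)
        self.log = []

    def heartbeat(self, name, now):
        for tool in self.tools:
            if tool.name == name:
                tool.last_heartbeat = now

    def set_maintenance(self, name, enabled):
        for tool in self.tools:
            if tool.name == name:
                tool.maintenance = enabled
                self.log.append((name, "maintenance" if enabled else "inline"))

    def forward(self, now):
        """Return the hops a packet takes now: 'inline:<tool>' / 'bypass:<tool>' ..., then 'network' or 'dropped:<tool>'."""
        path = []
        for tool in self.tools:
            if tool.maintenance:
                path.append(f"bypass:{tool.name}")          # planned: always bypass, whatever the fail policy
            elif not tool.healthy(now):
                if tool.fail_open:
                    path.append(f"bypass:{tool.name}")      # unplanned, fail-open: forwarded uninspected
                else:
                    path.append(f"dropped:{tool.name}")     # unplanned, fail-closed: held rather than sent uninspected
                    return path
            else:
                path.append(f"inline:{tool.name}")
        path.append("network")
        return path


def scenario():
    """Walk through healthy, failed-open, failed-closed and maintenance states."""
    sw = BypassSwitch([InlineTool("ips", fail_open=True), InlineTool("anti-malware", fail_open=False)])
    sw.heartbeat("ips", 10.0)
    sw.heartbeat("anti-malware", 10.0)
    results = {"healthy": sw.forward(11.0)}
    sw.heartbeat("anti-malware", 14.0)            # IPS stops answering
    results["ips_down_fail_open"] = sw.forward(14.5)
    sw.heartbeat("ips", 20.0)                     # IPS back, anti-malware stops answering
    results["am_down_fail_closed"] = sw.forward(20.5)
    sw.set_maintenance("anti-malware", True)      # operator takes it out for an upgrade
    results["am_maintenance"] = sw.forward(21.0)
    return results


if __name__ == "__main__":
    for state, path in scenario().items():
        print(f"{state:22s} {' -> '.join(path)}")
```

The maintenance path is the "add, remove and upgrade tools without disruption" case: the link stays up and only the one tool is skipped. The fail-open bypass is the case to alert on, because every second in that state is traffic that no tool has seen.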
Benefits of a Security Delivery Platform: FASTER DETECTION, FASTER CONTAINMENT

- Consistent network-wide traffic view for all security appliances, all the time
- Eliminate departmental and appliance-level contention for access to data
- No disruption to network traffic as security solutions get deployed or upgraded, or when moving from out-of-band to inline deployments
- Eliminate blind spots associated with encrypted traffic and mobility
- Significantly offload security appliances through full session offload and full flow metadata
- Faster identification of malware movement, faster time to containment
Sample Configuration: SECURITY MONITORING USING THE SECURITY DELIVERY PLATFORM

[Diagram: monitoring topology with an APM tool attached to the platform]
Summary

- The security state of today's networks is catalyzing an acute need to shift security architecture from prevention toward detection and response
- This new security model relies critically on network visibility with which to vet, deploy and scale security applications and devices
- A Security Delivery Platform (SDP) is poised to transform the way security services are deployed and leveraged by making them more effective at protection, more dynamic and more cost-effective
Q&A