Nico Popp, Vice President, Information Protection, Symantec explains. As users, infrastructure and applications move to the cloud at a record-breaking pace, the cloud has become a paradox: both a dream and a nightmare. Accessibility, scale, price and elasticity drive high adoption, while security is a source of constant concern. This session focuses on a practical four-pillar model for enterprise cloud security, all supported by real-world implementation.
5. #RSAC
What cloud security is about
SECURITY FOR CLOUD INFRASTRUCTURE (VIRTUAL DATA-CENTER SECURITY)
– Native security offered by IaaS vendors is inadequate: shared responsibility model for security
SECURITY FOR CLOUD APPS (CLOUD ACCESS SECURITY BROKER)
– Sensitive data is stored in SaaS apps – authorized as well as unauthorized apps, sometimes beyond the visibility or control of IT
MANAGING SECURITY FROM THE CLOUD (CLOUD SOC)
– Managing security has become complicated by multiple solutions and the need for frequent updates
6. #RSAC
Use Cases: SaaS security is about the data (not the network)
• Identity
– How do I authenticate, provision and de-provision users across my clouds?
• Shadow IT
– What unauthorized, risky cloud services are being used?
• Data Protection
– What are my users storing in the cloud?
– What are they downloading from the cloud?
– What are they sharing in the cloud?
“SaaS security is identity and data centric, not network centric”
9. #RSAC
Seeing is believing
API CASB: discovery of confidential data at Box by scanning data at rest through the Box APIs
Endpoint CASB: inline protection of Box cloud storage from the endpoint
11. #RSAC
Seeing is believing
Cloud KMS & Encryption: selective (content-aware) file encryption in the cloud and mobile access by an external user, with transparent decryption based on authentication policy
12. #RSAC
Cloud SOC
IaaS: Protecting workloads across clouds
Diagram: Public Cloud | Private Cloud | Public Cloud, under a single management plane
• Hybrid cloud: public & private
• Many perimeters
• Single mgmt. & control plane
“News that the perimeter is dead may be exaggerated…”
13. #RSAC
Use Cases: Workload & network centric
WORKLOAD PROTECTION
– What workloads are running in the cloud? What technology stack?
– How do I harden these workloads?
– How do I protect against vulnerabilities (patching)?
NETWORK PROTECTION
– How do I protect a multi-workload system (EW segmentation)?
– How do I lock down my IaaS perimeters?
SOC MONITORING & RESPONSE
– How do I monitor all layers (workloads, segments, IaaS)?
– How do I detect threats from monitoring?
Automation (DevOps integration)
• Workloads are templated and built
• Velocity of deployments (3 pushes a day to 100s of pushes a day)
• Security agents are part of orchestration
• Policies are suggested based on workloads and workload interactions
14. #RSAC
The new perimeters
Workload discovery (IaaS discovery APIs, workload + agent)
– Gather instance lifecycle events
– Discover software on virtual instances
Host-based perimeter (HIPS policy)
– Harden OS, white-listing, app-level control
– File & system integrity monitoring
– Anti-virus & APT
– Vulnerability patching (virtual patching)
Micro-segment perimeter (network policy, micro-segment firewall)
– EW traffic policy (control, encrypt)
IaaS perimeter security (IaaS network perimeter, network policy)
– NS traffic policy
CLOUD SOC (fed by workload, segment and network telemetry)
+ Monitoring through network & host-based telemetry
+ Event correlation & UEBA
+ Incident investigation
+ Threat response
Diagram legend: ENFORCEMENT – SECURITY POLICY – MONITORING & RESPONSE
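Slides 13 and 14 say micro-segmentation policies are suggested from observed workload interactions. The following is an added example (not code from the talk or from Symantec) showing one way to turn constructed flow telemetry into a tag-level east-west allow-list with a default-deny check; workload names, tags, ports, the `min_count` threshold and the flows themselves are all made up for illustration.

```python
from collections import Counter

# Constructed flow telemetry reported by workload agents: (src, dst, dst_port).
# Workload names, tags and counts are invented for this example.
WORKLOAD_TAG = {"web-1": "web", "web-2": "web", "app-1": "app", "db-1": "db"}
FLOWS = (
    [("web-1", "app-1", 8080)] * 40
    + [("web-2", "app-1", 8080)] * 35
    + [("app-1", "db-1", 5432)] * 50
    + [("web-2", "db-1", 5432)]          # a one-off direct web -> db connection
)


def suggest_policy(flows, tags, min_count=5):
    """Suggest an east-west allow-list at the tag level.

    A (src_tag, dst_tag, port) rule is proposed only when the interaction was
    observed at least `min_count` times; rarer flows are returned separately
    for human review so an anomalous connection is not baked into the policy.
    """
    seen = Counter((tags[s], tags[d], p) for s, d, p in flows)
    allowed = {rule for rule, n in seen.items() if n >= min_count}
    review = {rule: n for rule, n in seen.items() if n < min_count}
    return allowed, review


def is_allowed(policy, tags, src, dst, port):
    """Default-deny enforcement check of a new flow against the suggested rules."""
    return (tags[src], tags[dst], port) in policy


if __name__ == "__main__":
    policy, review = suggest_policy(FLOWS, WORKLOAD_TAG)
    for rule in sorted(policy):
        print("allow ", rule)
    for rule, n in review.items():
        print("review", rule, f"(seen {n} times)")
    print(is_allowed(policy, WORKLOAD_TAG, "web-1", "db-1", 5432))
```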
15. #RSAC
Seeing is believing
Amazon workload security: discovering your Amazon workloads and applying host- and application-level controls to protect them
16. #RSAC
The need for big data security analytics (UEBA)
• Identity & data as new threat planes
– SaaS networks are opaque
– From detecting bad IP addresses to bad users!
– From netflow to data flow
• SIEM versus Big Data
– Physical scaling: centralized versus distributed architectures (Hadoop, Spark, …): more security telemetry analyzed over longer time periods
– Logical scaling: rules versus machine learning algorithms
17. #RSAC
UEBA: key concepts
• Profile the user to establish a normal behavioral baseline
• Compute user risk-score based on departure from baseline
• Refine risk score based on peer comparison
• Aggregate risk score across multiple security data-sources
Diagram: single data-source → User (Entity) Behavioral Analytics
18. #RSAC
UEBA: Cloud threat detection example
Potential malicious insider (Identity & Data Threat Plane)
12/9 Workday: Nico had a bad review and was put on an HR program
1/9 AD & VPN logs: Nico shows increased login activity and abnormal-hours access (vs. self & peers) across SFDC, Box, Workday
1/12 SaaS activity APIs: Nico shows increased download activity of confidential documents across SFDC & Box
1/13 DLP incidents: DLP incidents show changed and abnormal data movements (print, personal email, removable media)
1/15 Firewall logs: Nico shows abnormal bandwidth consumption in comparison to peers
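The four key concepts of slide 17 (self baseline, departure from it, peer refinement, aggregation across data-sources) applied to a constructed version of the slide-18 timeline. This is an added example, not code from the talk or from any Symantec product: the users, the two data-sources, the daily counts, the z-score form of "departure", the choice of taking the minimum of self and peer deviation, and the weighted-sum aggregation are all this example's own assumptions.

```python
from statistics import mean, pstdev

# Constructed per-user daily counts; the last element is "today".
# Users, numbers and source names are invented for this example.
DOWNLOADS = {      # SaaS activity API: confidential-document downloads per day
    "nico":  [3, 2, 4, 3, 2, 3, 2, 18],
    "alice": [3, 4, 3, 5, 4, 3, 4, 4],
    "bob":   [2, 2, 3, 2, 1, 2, 3, 2],
}
AFTER_HOURS = {    # AD/VPN logs: logins outside working hours per day
    "nico":  [0, 1, 0, 0, 1, 0, 0, 6],
    "alice": [1, 0, 1, 1, 0, 1, 1, 1],
    "bob":   [0, 0, 0, 1, 0, 0, 0, 0],
}
SOURCES = [(1.0, DOWNLOADS), (1.0, AFTER_HOURS)]   # (weight, data-source)


def deviation(value, population):
    """z-score of `value` above `population`, floored at 0 (below-normal
    activity is not suspicious here) with sigma floored at 1 so a flat
    baseline does not blow the score up."""
    sigma = max(pstdev(population), 1.0)
    return max(0.0, (value - mean(population)) / sigma)


def source_risk(source, user):
    """Risk from one data-source: departure from the user's own baseline,
    refined by peer comparison. Taking the minimum means a spike shared by
    the whole peer group (e.g. quarter-end) does not flag everyone."""
    history, today = source[user][:-1], source[user][-1]
    peers_today = [s[-1] for u, s in source.items() if u != user]
    return min(deviation(today, history), deviation(today, peers_today))


def user_risk(user, sources=SOURCES):
    """Aggregate across data-sources as a weighted sum (this example's choice)."""
    return round(sum(w * source_risk(src, user) for w, src in sources), 2)


def rank_users(sources=SOURCES):
    """Users ordered from highest to lowest aggregate risk score."""
    users = sources[0][1].keys()
    return sorted(((u, user_risk(u, sources)) for u in users), key=lambda r: -r[1])


if __name__ == "__main__":
    for user, score in rank_users():
        print(f"{user:6s} risk={score}")
```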
19. #RSAC
UEBA: Finding Julie Sutton in Nico’s Shadow
APT VICTIM!!! (Traditional Threat Plane)
12/9 Email gateway: spear phishing campaign against Nico detected
12/10 Endpoint: email attachment opened on Nico’s Windows laptop
1/15 APT gateway: Nico’s laptop connected to known APT CCC
20. #RSAC
Cloud SOC: converged security management
Diagram: Cloud SOC data-sources
– Identity (user & SaaS access)
– API CASB (data at rest)
– Cloud activity (SaaS-level activity)
– Proxy/EP CASB (data in motion & use)
– Privileged access events
– Virtualized workload activity
– Virtualized network activity
– Vulnerability & threat intelligence
– Traditional SIEM data-sources (network, endpoint, gateways, threat intelligence)
21. #RSAC
Conclusion: cloud security is an evolution
• From network to identity & data-centric security
– Says the DLP guy!
• From one BIG to many smaller perimeters
– More perimeters with smaller diameters (containers, workloads, micro-segments + user, device/app sandboxing, data encryption…)
• From SIEM to Big Data security analytics
– The explosion and complexity of security telemetry drive the need for big data and machine learning in the SOC
22. #RSAC
Applying what you have learned
• Develop a holistic cloud security strategy that includes:
– The protection of corporate SaaS applications
– The protection of corporate workloads and systems running in public or private IaaS
– New security management & monitoring services in the cloud
• Plan for a Cloud Access Security Broker
– Evaluate a phased approach (access & discovery first)
– Plan for active controls (DLP, encryption), understand implementation options (API, proxy, EP)
• Understand IaaS workloads security
– The workload and SDN-centric security controls that compliance and security will require
• Consider big data security analytics
– Integrate big data architectures & machine learning as part of your SIEM/SOC strategy