IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY
•Download as PPTX, PDF•
1 like•958 views
SCOTT STEVENS, VP, Technology, WW Systems, Engineering, Palo Alto Networks and ALLAN FOSTER VP, Technology & Standards, Office of the CTO, ForgeRock, at the European IRM Summit 2014.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY
Similar to IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY (20)
More from ForgeRock
More from ForgeRock (20)
Recently uploaded
Recently uploaded (20)
IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY
- 1. ForgeRock Using Network Security and Identity Management to Empower CISOs Today The Case For A Comprehensive Enterprise Security Policy
- 2. The Stolen Data Epidemic Target Replaces CEO Steinhafel Following Massive Holiday Breach - Wall Street Journal ‘Heartbleed Bug Exposes Millions of Web Sites To Security Risks - NBC News April 8, 2014 18 million email addresses and passwords stolen in Germany - ZDNet April 7, 2014 360m newly stolen passwords on the black market - The London Free Press Data breaches surge with 93,000 passwords stolen every hour - Computer Business Review Bitcoin miners unearth 30,000 college student SSNs - Next Gov April 24, 2014
- 3. Traditional Firewalls Had Limitations To be truly effective, you need to see all applications, all user identities and most importantly, all threats Confidential Data But traditional firewalls only gave you ports, protocols, and IP addresses – missing the malware threat completely Command & Control Traffic Regulated Data Copyrighted Material Exploits Malware
- 4. Palo Alto Networks Reinvented Network Security It’s no longer be about Ports and Protocols but instead it’s about User Identity, Applications, and how they communicate But without User Identity and Context, You Cannot Create a True Comprehensive Security Policy For the End User
- 5. FAILURE OF LEGACY SECURITY ARCHITECTURES 5 Limited visibility Lacks correlation Manual response Anti-APT for port 80 APTs Anti-APT for port 25 APTs Endpoint AV DNS protection cloud Network AV DNS protection for outbound DNS Internet Anti-APT cloud Enterprise Network UTM/Blades Vendor 1 Vendor 2 Vendor 3 Vendor 4 Internet Connection Malware Intelligence DNS Alert SMTP Alert Web Alert AV Alert Endpoint Alert DNS Alert SMTP Alert AV Alert Endpoint Alert Web Alert AV Alert DNS Alert Web Alert
- 6. Next-Generation Security Platform Palo Alto Networks • ~500,000 Wildfire Next-Generation samples/Threat Cloud day • ~5% determined to be Malware • 1 new Android Malware App every 20 minutes • 48% of all unknown PE files are Malware Palo Alto Networks Next-Generation Endpoint Next-Generation Firewall Inspects all traffic Safely enables applications Sends unknown threats to cloud Blocks network based threats Palo Alto Networks Next-Generation Firewall Next-Generation Threat Cloud Gathers potential threats from network and endpoints Analyses and correlates threat intelligence Disseminates threat intelligence to network and endpoints Next-Generation Endpoint Inspects all processes and files Prevents both known and unknown exploits Protects fixed, virtual, and mobile endpoints Lightweight client and cloud based
- 7. Next-Generation Identity Management Highly Scalable, Modular, Easy To Deploy Architecture 7 “All-in-One” solution delivered as a single platform Access to any application – Enterprise, SaaS, Social, Mobile Flexible and extensible architecture Social sign-on and one-time mobile password Architected for consumer scale +100M users FORGEROCK.COM | CONFIDENTIAL
- 8. Combine Capabilities To Reinvent Security Creating A Unified Enterprise-wide Security Platform Next-gen Network Security & Identity Functions Natively Integrated In One Solution
- 9. 9 The Vision Deliver the only unified identity security platform that can make hyper intelligent decisions based on both network security and user identity context. FORGEROCK.COM | CONFIDENTIAL
- 10. 10 Key Benefits ■ Understand more about the user before granting them access to corporate resources ■ Create a feedback loop to take appropriate action on both ends: – The network blocks traffic when suspicious identity activity occurs – The identity platform blocks access when suspicious network activity occurs ■ Real-time, automated remediation of malicious activity ■ Organizations are much, much safer!!!!
- 11. 11 Security/Identity Feedback Loop Data Center FORGEROCK.COM | CONFIDENTIAL Establish Identity Assert Identity
- 12. 12 Security/Identity Feedback Loop Data Center FORGEROCK.COM | CONFIDENTIAL Legitimate Traffic As defined by user rights
- 13. 13 Security/Identity Feedback Loop Feedback Identity of Malicious Traffic Data Center FORGEROCK.COM | CONFIDENTIAL Malware/Inappropriate Traffic Block & Alarm
- 14. Change Identity Rights- Restrict User Traffic to all resources 14 Security/Identity Feedback Loop Data Center FORGEROCK.COM | CONFIDENTIAL ■ Network violations modify Identity Rights ■ Feedback changes ID state and security state
- 15. 15 Identity & Security 2 sides of the same coin € ■ Identity Assertion is the first step to contextual security – Simplify IdM infrastructure – Ensure ID can be multifactor authenticated as needed – Stay connected to security to manage ID changes ■ NG Security enforces policy based on Application & on User Identity – Valid Identity allows for appropriate security – Changes in ID state can directly change security state – Direct linkages between security & Identity ensures that rules remain contextual
- 16. 16 Target data breach – APTs in action Maintain access Spearphishing third-party HVAC contractor Moved laterally within Target network and installed POS Malware Exfiltrated data command-and-control servers over FTP Recon on companies Target works with Compromised internal server to collect customer data Breached Target network with stolen payment system credentials
- 17. Innovative Approach To Securing Today’s Enterprise Eliminate Security Silios For A Unified Enterprise-wide Security Policy Identity Provisioning Management Centralized Management Any location All Key Identity & Network Security Functions Natively Integrated in One Solution Visibility & Control Threat prevention Any Infrastructure Closed Loop Single Enterprise Wide Policy
- 18. Unify Your Enterprise Security Strategy Protect the enterprise from known threats and zero-day attacks Gain full control over your identity and network security investments Make informed decisions based upon correlated events & data points Adaptable closed loop security policy enforcement Drive top line business initiatives faster
- 19. 19 Thank You! FORGEROCK.COM | CONFIDENTIAL
Editor's Notes
- Slide 1: Significant changes in Identity world. Shift from IAM to IRM
- Translate the business policy into a security policy SAP for the finance users = SAP for the finance users How does it work? Classifying all applications, across all ports, all the time with App-ID. Palo Alto Networks next-generation firewalls are built upon App-ID, a traffic classification technology that identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, then becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or submission of a packet capture App-ID for development. Tying users and devices, not just IP addresses to applications with User-ID and GlobalProtect. The application identity is tied to the user through User-ID, allowing organizations to deploy enablement policies that are not based solely on the IP address. These policies can then be extended to any device at any location with GlobalProtect. User-ID integrates with a wide range of enterprise user repositories to provide the identity of the Microsoft Windows, Mac OS X, Linux, Android, or iOS users accessing the application. GlobalProtect ensures that the remote user is protected consistently, in the same manner as they would be if they were operating on the local network. The combined visibility and control over a users' application activity means organizations can safely enable the use of Oracle, SharePoint, or Exchange, or any other application being accessed from the datacenter, no matter where or how the user is accessing the datacenter. Protecting against all threats, both known and unknown, with Content-ID and WildFire. To protect against a blend of known exploits, malware and spyware as well as completely unknown and targeted threats, organizations can first reduce the threat footprint through an explicit deny policy for unwanted applications. Content-ID can then be used to protect the applications and associated features by blocking known vulnerability exploits, viruses, and spyware in the allowed traffic. Content-ID addresses common threat evasion tactics by executing the prevention policy using the application and protocol context generated by the decoders in App-ID. Custom or unknown malware that is not controlled through traditional signatures is addressed through WildFire, which executes unknown files and monitors for more than 100 malicious behaviors in a virtualized sandbox environment. If malware is found, a signature is automatically developed and delivered to the user community. Safe application enablement policies can help organizations improve their security posture, regardless of the deployment location. In the datacenter, application enablement translates to confirming the applications, users, and content are allowed and protected from threats – while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration.
- Most architectures today resemble what you see in this picture. A set of set of silo’d organizations, processes, and technical infrastructure that have largely been assembled like a manufacturing production line where a series of security events roll down a conveyor belt of individual point products, while different staff members perform their individual duties. Historically we’ve been able to get by. But as the attacks and the attackers evolve these architectures are beginning to show their weaknesses, and today we see how they’re costly both in their inability to prevent targeted attacks, and in their unnecessary cost to the organization. There are three specific issues we’ve pinpointed: Limited visibility: You can’t secure what you can’t see. Your security architecture must have the ability to see all applications, users and the individual devices on the network to prevent attacks that might utilize non-standard ports, protocols, or SSL encryption for evasion. Your security architecture must also have the ability to see and prevent new targeted attacks that are utilizing threats (malware, zero day vulnerability exploits) that have never been seen before. Eliminate all blind spots. Lacks correlation: If attacks are multi-dimensional so to must be your defenses. Your architecture must act like a system of systems where individual technologies work together in a coordinated manner to prevent attacks. Making each element within the system smarter. Manual response: With attacks evolving at a rapid pace it’s critical that we wean ourselves from the “man in the middle”. Your security architecture must employ a system of automation that’s constantly learning and applying new defenses without a requirement for any manual intervention. It must weed out the congestion, automatically handling low to medium level severity cases so you can focus your teams attention on only the highest priority incidents.
- And that’s what we have built here at Palo Alto Networks. We believe that our next generation platform delivers on this promise, and with this platform, we think and hope that prevention becomes the byword for the battle and it is technically possible and can be continuously improved over time. It is fundamentally built on three leading technologies: The industries leading next-generation firewall, which was just recognized again as a leader in the Gartner Magic Quadrant. Inspects all traffic Safely enables applications Sends unknown threats to cloud Blocks network based threats The most advanced next-generation threat cloud [WildFire, Threat Prevention, URL Filtering] Gathers potential threats from network and endpoints Analyses and correlates threat intelligence Disseminates threat intelligence to network and endpoints The market’s most compelling next-generation endpoint protection Inspects all processes and files Prevents both known and unknown exploits Protects fixed, virtual, and mobile endpoints Lightweight client and cloud based And the result of that is better security at a lower cost for the good guys and less effective attacks at ever increasing costs for the bad guys. Through this security platform we can deliver complete and integrated protection across the kill-chain…
- Slide 7: OpenAM Took open source code from Sun Open SSO Built out at ForgeRock with former sun folks like developers, engineers, Sun's director of engineering, the OpenAM product engineer etc. Built thru R&D and open community – so it’s built the way customers want it Traditional access management solutions authentication and authorization product, federation product web services security product adaptive auth product entitlements product – all would need to be incorporated. A lot of headaches and integration. They all have diff processes for their UIs, APIs, ways of connecting, documentation differences, etc. accidental acquisition architecture. One system to manage all your resources Traditional access management you can do. Federate to the cloud or apps outside the perimeter, you can do that, protect web services we also do thru the product, same with adaptive auth and fine grained auth and one time password and so on. Gives you a model where you adopt what you need and you add on additional things. Enabling an app outside the perimeter and need one time password, you just enable it, you don’t have to deploy additional soft and hardware and maintain and upgrade diff things AM is optimized for enterprise SaaS social and mobile deployments Support Oauth2 and rest making it very easy to connect to iOS and android and other mobile platforms. Architecture built for 100s of millions of users Social sign on and one time mobile password built into this as well. You buy the modules that you want and you just add them thru the license instead of having to deploy all these diff things as you want to move on to diff services
- Let’s get into the details of how the Target data breach happened, which is a great archetype for the type of multi-staged and complex attack APTs typically use: First the attacker did sophisticated Recon activity, understand all the third-party contractors who worked with Target, and may have been a potential pivot point into their network. They scoured public records, corporate websites, social media, and could have gone so far as calling in and pretending to be a representative of one of the companies to get further information. There is a wealth of freely available information online if you just look for it. They then identified their “target” – a third-party HVAC contractor who had an ongoing relationship with Target. They breached this contractor with a Spearphishing email and gained access to their network, and all the information they had on their clients – including credentials to Target’s systems. The attackers used this stolen credential information to log into a third-party payment system within Target’s network, which gave them an initial foothold to begin their persistent movement throughout the network. With this foothold, they are able to take that lateral movement and install the “BlackPOS” malware on POS systems. The malware was able to read customer credit card data, which it was held in memory on the POS systems, before it was encrypted. At the same time the attackers also took control of an internal server that acted as a repository for all the stolen customer information, being fed from each compromised POS system All this time, the malware and compromised systems were reaching out and communicating with the attackers with sophisticated command-and-control traffic to receive additional instruction. Once enough data had been collected on the internet server, it was exfiltrated out using FTP to those same CnC servers all around the world. With this in mind a few key pieces of information bubble to the surface: The attack was complex, and multi-threaded. Attackers always think of new ways to get in – and this requires the ability to do prevention at all key points in the network, and look at all the traffic as it comes in or goes out. Third-party tools and applications, such as the payment processing software, were used by the attackers to gain access to the Target network. Think about what could have happened if they have enabled only the applications their business needed, with specific users or “security zones” only able to use them. Segmentation of critical resources is critical, such as segmenting the “POS zone” so only finance employees, using approved applications could traverse it Common protocols, over standard ports were used, such as FTP, SSL and Netbios – which can make the attack hard to spot when it is blending into normal traffic
- What’s the ideal solution? End-to-end security platform with all key security funcitons natively integrated.