The biggest obstacle in security may well be an architectural gap between the apps and data we must protect, and the infrastructure in which we place controls. The cloud presents a unique opportunity to architect-in security, rather than bolt it on. Micro-segmentation opened the door—enabling us to see and control the infrastructure through the lens of the application.
(Source: RSA Conference USA 2017)
21. The Only Thing Outpacing Growth in Security Spend Is Growth in Security Breaches
(Chart series: IT spend, security spend, security breaches)
• Annual cost of security breaches: $445B (Source: Center for Strategic and Int’l Studies)
• Security as a % of IT spend: 11% in 2012, 21% in 2015 (Source: Forrester)
• Projected growth rate in IT spend from 2014-2019: zero (flat) (Source: Gartner)
22. We need to align controls and policies to the application
(Diagram: security policies sit over apps and data, security controls over compute and network; the application spans both)
24. “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Professor Jerome Saltzer, MIT, Communications of the ACM
25. Least Privilege Is More Than Just Blocking
Attack phases: Infiltration, Propagation, Extraction, Exfiltration
• Infiltration: attack vector/malware; delivery mechanism; entry point compromise
• Propagation: escalate privileges; install C2 (command and control) infrastructure; lateral movement
• Extraction: break into data stores; network eavesdropping; app-level extraction
• Exfiltration: parcel and obfuscate; exfiltration; cleanup
26. Least Privilege Is More Than Just Blocking
(Diagram: the Propagation and Extraction phases mapped onto the Application, Network and Data Plane layers)
27. Least Privilege Is More Than Just Blocking
(Diagram: controls range from static and coarse grained to dynamic and fine grained, across Prevent, Detect and Respond, at the Application, Network and Data Plane layers)
28. From our current model, focused on malicious behavior:
• Highly complex and noisy
• Exposed, i.e., untrusted monitoring, limited context
• Manual and lacking orchestration
29. To a new model, focused on good (intended) behavior:
• Simpler and smaller problem set
• Better signal-to-noise ratio
• Actionable and behavior-based alerts and responses
30. Why Haven’t We Done This Already?
• Application understanding: application context and visibility
• Infrastructure alignment: connecting the dots between apps and infrastructure (I/F)
• Datacenter dynamics: datacenters are highly dynamic
The stakes are high. If we get it wrong… at best: operational complexity; at worst: application disruption.
31. What does this have to do with virtualization and cloud?
33. Unique Properties of the Virtualization Layer
It’s in a unique position to see both Intentional and Runtime State.
(Diagram: Application; Intended State vs Runtime State)
34. Unique Properties of the Virtualization Layer
It’s in a unique position to understand the infrastructure and control topology.
(Diagram: Application; Topology of controls such as NGFW, IPS, WAF, sFW and ENC)
35. Unique Properties of the Virtualization Layer
It’s in a unique position to maintain this alignment as the datacenter and applications evolve.
(Diagram: Application; Topology; Alignment)
36. Unique Properties of the Virtualization Layer
It’s in a unique position to deliver a high degree of automation.
(Diagram: Application; Topology; Alignment; Automation)
37. Unique Properties of the Virtualization Layer
It’s in a unique position to deliver isolation: maintain a separate trust domain for security.
(Diagram: Application; Topology; Alignment; Automation; Isolation)
38. We can leverage the unique properties of cloud and virtualization to secure critical applications
(Diagram: Application; Topology; Alignment; Automation; Isolation)
49. The Application as a System of Components
(Diagram: WEB, APP and DB tiers; each component consists of processes, security agents / monitoring, the OS, and inbound and outbound communications)
50. Least Privilege for the Application Layer: Intentional State | Detection and Response
(Diagram: Intended State vs Runtime State)
51. Least Privilege for the Application Layer: Intentional State | Detection and Response
Sources of intentional state:
• Infrastructure events (vRA, vCenter, NSX, Chef, Puppet, AWS, etc.): machine context; control and security policies; network topology
• Developer workflow (Maven, Ansible, Jenkins, etc.): application flows down to process level; code signing/authorization
• Runtime behavior (agents, NetFlow, policy changes, etc.): process and network behavior; ideal for brownfield apps
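As an added example (not from the deck), the intended-state check that slides 29 and 51 describe: a constructed manifest for a WEB/APP/DB application and constructed agent events, with alerts raised only for deviations from intended behavior, plus the brownfield variant that learns the manifest from a known-good window. The component names, ports and process names are assumptions.

```python
from dataclasses import dataclass
# Constructed intended state for a three-tier app (WEB -> APP -> DB): the kind
# of manifest slide 51 says can come from deployment tooling or a baseline.
INTENDED_PROCESSES = {"WEB": {"nginx"}, "APP": {"java"}, "DB": {"postgres"}}
INTENDED_FLOWS = {  # (source component, destination component, port)
    ("EXTERNAL", "WEB", 443),
    ("WEB", "APP", 8080),
    ("APP", "DB", 5432),
}

@dataclass(frozen=True)
class Event:
    kind: str      # "process" or "flow"
    host: str      # component whose agent reported the event
    detail: tuple  # ("nginx",) for a process; (src, dst, port) for a flow

def evaluate(events, processes=INTENDED_PROCESSES, flows=INTENDED_FLOWS):
    """Return one alert per runtime event that falls outside the intended state.
    Nothing here matches malware signatures: only deviation from good behavior."""
    alerts = []
    for ev in events:
        if ev.host not in processes:
            alerts.append(f"{ev.host}: unknown component reporting events")
        elif ev.kind == "process" and ev.detail[0] not in processes[ev.host]:
            alerts.append(f"{ev.host}: unexpected process {ev.detail[0]!r}")
        elif ev.kind == "flow" and ev.detail not in flows:
            src, dst, port = ev.detail
            alerts.append(f"{ev.host}: unexpected flow {src}->{dst}:{port}")
    return alerts

def baseline_from_runtime(events):
    """Brownfield variant (slide 51, runtime behavior): derive the intended state
    from events seen in a known-good window; later deviations become alerts."""
    processes, flows = {}, set()
    for ev in events:
        processes.setdefault(ev.host, set())
        if ev.kind == "process":
            processes[ev.host].add(ev.detail[0])
        else:
            flows.add(ev.detail)
    return processes, flows

# Constructed runtime sample: two intended events followed by two deviations.
SAMPLE_EVENTS = [
    Event("process", "WEB", ("nginx",)),
    Event("flow", "WEB", ("WEB", "APP", 8080)),
    Event("process", "APP", ("sh",)),           # shell is not in APP's intended state
    Event("flow", "WEB", ("WEB", "DB", 5432)),  # WEB is not meant to reach DB directly
]
```

Run `evaluate(SAMPLE_EVENTS)` against the static manifest, or feed the first two events to `baseline_from_runtime` and evaluate the rest against the learned baseline.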
52. Least Privilege for the Application Layer: Intentional State | Detection and Response
(Diagram: Untrusted Zone (Guest): processes, security agents / monitoring, OS, inbound and outbound communications. Trusted Zone (Kernel): virtual enclave, runtime attestation, secure context store.)
53. Least Privilege for the Application Layer: Intentional State | Detection and Response
(Same guest/kernel diagram as slide 52)
54. Least Privilege for the Application Layer: Intentional State | Detection and Response
(Same guest/kernel diagram as slide 52, positioned as the “Goldilocks” point between two alternatives)
• Security in software: great context | lacks isolation
• Security in hardware: great isolation | lacks context
• Goldilocks: the middle ground shown in the diagram (virtual enclave in the trusted zone)
55. Least Privilege for the Application Layer: Intentional State | Detection and Response | Remediation
(Same guest/kernel diagram as slide 52)
56. Least Privilege for the Application Layer: Remediation
(Same guest/kernel diagram as slide 52)
57. Least Privilege for the Application Layer: Intentional State | Remediation
(Same guest/kernel diagram as slide 52)
58. Extending the Concept to the Security Ecosystem: Intentional State | Remediation
(Diagram: Trusted Zone (Kernel) with virtual enclave, runtime attestation and secure context store, exposed to security vendors)
59. The Future of Software-Defined Security
(Diagram, top to bottom: Governance, Risk & Compliance; Correlation/Analytics; Network, Compute and Data Security Controls; at the application layer, application-centric micro-segmentation on the network side (PREVENT) and application-centric detection & response on the compute side (DETECT/RESPOND))
60. (Recap of slide 25: the Infiltration, Propagation, Extraction and Exfiltration phases and their steps)