
The cyber house of horrors - securing the expanding attack surface

The enterprise attack surface has exploded in recent years. More users on more devices in more locations are able to access ever more sensitive enterprise applications. The result is that the number of targets for attackers has gone up dramatically.

The expanding attack surface has been dubbed a “Cyber House of Horrors,” as insider risks, aggressive social engineering, exploitation of outdated access controls, and a range of other security issues have come to the fore.

Join Certes Networks and Intellyx for a webinar to explore:

What factors are driving the expansion of the attack surface?
What types of attacks and exploits are taking advantage of these changes?
How are segmentation techniques and access controls evolving in response?


  1. The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface. Welcome. CertesNetworks.com
  2. A Little Housekeeping
     • This webinar is being recorded; a replay link will be sent to you by email along with the slides.
     • You are muted by default; please ask any questions in the Q&A section or the chat window.
     • We will have a Q&A section at the end of the webinar.
     • If you experience technical difficulties joining the WebEx session, please dial 1-866-229-3239, or you can message the WebEx Producer using the Q&A panel.
     Copyright 2016 Certes Networks. Visit CertesNetworks.com
  3. Our Speakers
     • Jason Bloomberg, President of Intellyx & contributor to Forbes - Presenter
     • Satyam Tyagi, CTO of Certes Networks - Presenter
     • Adam Boone, CMO of Certes Networks - Moderator
  4. The Original Attack Surface
     When application traffic and users stayed inside the LAN, the attack surface was minimal.
     [Diagram label: Exposure]
  5. The New Attack Surface
     As IT has evolved, attack surface has exploded.
     User & App Sprawl: mess of users accessing mess of applications.
     [Diagram labels: Exposure, New Exposure, Cloud Apps, Internet Access, Remote Workers, Contractor VPN, Remote Office, BYOD, IoT]
  6. New Exposure, But Same Perimeter Defense
     • 20+ year old perimeter-oriented architecture
     • 20+ year old trust model
     • 20+ year old security model tied to enforcing security in infrastructure
     Network Sprawl, IT Sprawl, Security Sprawl … creating silos and gaps exploited by attackers in all the major data breaches
     [Diagram labels: Firewalled Perimeter, Cloud Apps, Internet Access, Remote Workers, Contractor VPN, Remote Office, BYOD, IoT]
  7. The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface
     Jason Bloomberg, President, jason@intellyx.com, @theebizwizard
     Copyright © 2016, Intellyx, LLC
  8. About Jason Bloomberg
     • President of industry analyst firm Intellyx
     • Latest book The Agile Architecture Revolution
     • Recently published the Agile Digital Transformation Roadmap poster
  9. Cybersecurity, the Old Days
  10. Cybersecurity Today
     Photo credit: Björn Söderqvist, https://www.flickr.com/photos/kapten/
  11. The Attack Surface
     • The sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment (Wikipedia)
     • Attack vectors can be code-centric
        - Buffer overflow, SQL injection, etc.
     • Today, most attack vectors are human-centric
     Humans are the weakest link
     Photo credit: Marion Doss, https://www.flickr.com/photos/ooocha/
  12. Human Attack Vectors: Confidence Tricks
     • Phishing
        - Bulk emails seeking to trick people into clicking malicious links or downloading malware
     • Spear phishing
        - Targeted emails seeking to trick people into taking specific action
     • Other cons
        - Dropping infected flash drives in parking lots
        - Calls from “help desk”
     Photo credit: Joint Task Force Guantanamo, https://www.flickr.com/photos/jtfgtmo/
  13. Insider Attacks
     • Rare: Edward Snowden
        - Privileged user with political or other principled motivation
     • Uncommon: Compromised employee
        - Target of blackmail or other extortion
     • More common: Disgruntled employee
        - More likely to do damage than steal something
     • Very common: Careless employee
        - Click on phishing link or open phishing email
        - Using unauthorized cloud storage
     Photo credit: DonkeyHotey, https://www.flickr.com/photos/donkeyhotey/
  14. Advanced Persistent Threats (APTs)
     • Professional, technologically advanced attacks
     • Typically single out particular target
     • Take careful, step-by-step approach
        - Introduce malware (often by spear phishing)
        - Malware moves around network
        - ‘Phones home’ to establish command & control link
        - Exfiltrates valuable data/money
     Photo credit: Paul van de Velde, https://www.flickr.com/photos/dordrecht-holland/
  15. Every Endpoint is Vulnerable
     • Computers
     • Mobile Devices
     • Network equipment
     • Anything on the Internet of Things
        - Thermostats
        - Industrial equipment
        - Appliances
        - Automobiles
        - And many, many more…
     Photo credit: tomemrich, https://www.flickr.com/photos/90941490@N06/
  16. Cyber Assumptions: Mitigation is Essential
     • Every endpoint can be compromised
     • Every user can be compromised
     • Malware is everywhere
     • Attackers have the run of your organization
     Photo credit: Rob, https://www.flickr.com/photos/rob060/
  17. Thank You!
     Jason Bloomberg, President, Intellyx, jason@intellyx.com, @theebizwizard
     Download poster at AgileDigitalTransformation.com
     Send email NOW to zombie@intellyx.com to download this presentation
  18. Wrecking the Cyber House of Horror with Crypto-Segmentation
     Satyam Tyagi, CTO, Certes Networks
  19. Infrastructure-Centric Security Mess: Why are we in the House of Horrors?
  20. IT has out-evolved IT Security
     [Timeline diagram: 1990, 2000, 2010, 2016]
     • Enterprise IT: Packet networking; Digitization, networked application; Internet; Smart devices; Cloud (Borderless, Virtual, Platforms)
     • IT Security: Firewalls, gateways inspecting packet traffic at perimeter; Identity, authentication; VPNs, remote access, network access; MDM/EMM, NAC, IDS, threat management (Perimeter, Device-based, Point products)
     Enterprise security continues to be based on inspecting traffic and making security decisions based on packets: ports, IP addresses, header tags, etc.
     This means the security model is tied to networks & infrastructure that are already compromised; every major data breach has exploited this failing.
  21. The Original Attack Surface
     When application traffic and users stayed inside the LAN, the attack surface was minimal.
     [Diagram label: Exposure]
  22. The New Attack Surface
     As IT has evolved, attack surface has exploded.
     User & App Sprawl: mess of users accessing mess of applications.
     [Diagram labels: Exposure, New Exposure, Cloud Apps, Internet Access, Remote Workers, Contractor VPN, Remote Office, BYOD, IoT]
  23. Humanly Impossible Complexity, Enemy of Security
     Security Office:
     • CATEGORIZE: Business Requirements
        - What are the assets/apps?
        - Why are they valuable?
        - Who needs access to them?
        - Potential negative impact if confidentiality, integrity or availability breached
     • SELECT: Security Policy & Controls
        - Access Control
        - Awareness Training
        - Audit Accountability
        - Assessment Authorization
        - Configuration Management
        - Contingency Planning
        - Identification Authentication
        - Incident Response
        - …
     • IMPLEMENT:
        - Tools: CASB, IoT Gateways, Software-Defined Perimeter/VPN, EMM/NAC, Micro-Segmentation, FW/SWG, VPN
        - Teams: Mobility Team, Data Center Team, IoT Team, Cloud App Team, Remote Worker Team, Internet Network Firewall Team, Partner Access Team
     Siloed Expensive Work + Slower to Market = $$$ (expensive)
     [Diagram labels: New Exposure, Firewalled Perimeter, Cloud Apps, Internet Access, Remote Workers, Contractor, Remote Office, BYOD, IoT]
  24. Facing the House of Horrors: Decoupling Security from Infrastructure
  25. Business-Driven Infrastructure-Independent Security
     Security officer “Implements” security policy and controls to meet business requirements
     • No dependence on type of infrastructure
     • No dependence on multiple other teams
     • Simply Categorize & Segregate Business Assets (Apps)
     • Defines Access based on User Roles & Business Needs
     Security Office:
     • CATEGORIZE: Business Requirements
        - What are the assets/apps?
        - Why are they valuable?
        - Who needs access to them?
        - Potential negative impact if confidentiality, integrity or availability breached
     • SELECT: Security Policy & Controls
        - Access Control
        - Awareness Training
        - Audit Accountability
        - Assessment Authorization
        - Configuration Management
        - Contingency Planning
        - Identification Authentication
        - Incident Response
        - …
     • IMPLEMENT
  26. Infrastructure to Business, Chaos to Harmony!
     [Diagram labels: New Exposure, Firewalled Perimeter, Cloud Apps, Internet Access, Remote Workers, Contractor, Remote Office, BYOD, IoT, SalesOps]
  27. IT Security Evolution
     [Timeline diagram: 1990, 2000, 2010, 2016]
     • Enterprise IT: Packet networking; Digitization, networked application; Internet; Smart devices; Cloud (Borderless, Virtual, Platforms)
     • IT Security: Firewalls, gateways inspecting packet traffic at perimeter; Identity, authentication; VPNs, remote access, network access; Intrusion detection, traffic inspection, threat management; Software-defined, application access & segmentation (Borderless, Virtual, Platform)
     Certes redefines security by decoupling it from network devices.
     Security decisions are not based on ports, addresses or other network parameters.
  28. Cryptography Decouples Security From Infrastructure

     | | ‘No Trust’ with Micro-segmentation: how it works | Micro-segmentation: what it means for you | ‘No Trust’ with Crypto-segmentation: how it works | Crypto-segmentation: what it means for you |
     |---|---|---|---|---|
     | Basis of Trust | Infrastructure | Infrastructure compromised & everything is at risk | Cryptographic credentials, X.509 certificates, cryptographic keys | All assets are protected unless attacker can break each individual app key (practical impossibility) |
     | Basis of Policy | VM instances, Layer 2 to Layer 7 firewalls, network flows | Compromised machine can be used to laterally move out of micro-segment | X.509 certificates, cryptographic keys and security associations | No credentials, no keys, no lateral movement |
     | Crypto usage | Optional for confidentiality and privacy for interconnecting segments | Privacy and confidentiality are already provided by most apps | Cryptography is the fabric of trust, policy decision and segmentation; consistent privacy is secondary benefit | Non-crypto segmentation is exploited in breach after breach via lateral movement |
     | User aware | Not user role aware | Access is granted based on layer 2-7 firewall rules | User identity and role are basis for access | Business roles and strong identity define access |
     | Scope | Data-Center or cloud | Separate policies inside, outside, user location | True end-to-end from user devices to app workloads | One policy end-to-end |

  29. Wrecking the House of Horrors: Certes’ Role-based Access to App Segments
  30. How to Wreck: Certes’ Role-based Access to App Segments
  31. Wrecking in Action
     • Each app isolated in its own crypto-segments
     • Users granted access based on roles, applied across all apps consistently
     • User is compromised, lateral movement is blocked
     • Breach is contained, attack surface shrinks
  32. Benefits of Wrecking
     • Software Defined Security: Network Agnostic | Security overlay across silos
     • Reduce Security Complexity: Single point of policy configuration and enforcement
     • Total Cost Reduction: Single point of policy ownership and operational management
     • End-to-End Security: Client to application security | Lateral movement prevention
  33. Q&A
     Type your questions into the chat panel.
  34. Q&A
     Please type your questions into the chat panel. Or contact us at info@certesnetworks.com
     CertesNetworks.com
  35. Thank you!
     The slides and webinar replay will be emailed to you.
     Visit CertesNetworks.com
     Watch CryptoFlow Solutions in Action: https://youtu.be/MDy8x9z7mIc
