The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface

Upload: jason-bloomberg

Post on 12-Jan-2017


Page 1: The cyber house of horrors -  securing the expanding attack surface

The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface

Welcome

CertesNetworks.com

Page 2

A Little Housekeeping

• This webinar is being recorded; a replay link will be sent to you by email along with the slides.

• You are muted by default; please ask any questions in the Q&A section or the chat window.

• We will have a Q&A section at the end of the webinar.

• If you experience technical difficulties joining the WebEx session, please dial 1-866-229-3239, or message the WebEx Producer using the Q&A panel.

Copyright 2016 Certes Networks. Visit CertesNetworks.com

Page 3

Our Speakers

Jason Bloomberg, President of Intellyx & contributor to Forbes - Presenter

Satyam Tyagi, CTO of Certes Networks - Presenter

Adam Boone, CMO of Certes Networks - Moderator

Page 4

The Original Attack Surface

(Diagram: exposure confined to the LAN)

When application traffic and users stayed inside the LAN, the attack surface was minimal

Page 5

The New Attack Surface

(Diagram of the new exposure: cloud apps, Internet access, remote workers, contractor VPN, remote office access, BYOD, IoT)

As IT has evolved, the attack surface has exploded. User & app sprawl: a mess of users accessing a mess of applications

Page 6

But Same Perimeter Defense

(Diagram of the same new exposure, cloud apps through IoT, behind a single firewalled perimeter)

20+ year old perimeter-oriented architecture, 20+ year old trust model

20+ year old security model tied to enforcing security in infrastructure

Network sprawl, IT sprawl, security sprawl … creating silos and gaps exploited by attackers in all the major data breaches

Page 7

The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface

Jason Bloomberg, President

[email protected]

@theebizwizard

Copyright © 2016, Intellyx, LLC

Page 8

About Jason Bloomberg

• President of industry analyst firm Intellyx

• Latest book: The Agile Architecture Revolution

• Recently published the Agile Digital Transformation Roadmap poster

Page 9

Cybersecurity, the Old Days

Page 10

Cybersecurity Today

Photo credit: Björn Söderqvist, https://www.flickr.com/photos/kapten/

Page 11

The Attack Surface

Humans are the weakest link

• The sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment (Wikipedia)

• Attack vectors can be code-centric: buffer overflow, SQL injection, etc.

• Today, most attack vectors are human-centric

Photo credit: Marion Doss, https://www.flickr.com/photos/ooocha/

Page 12

Human Attack Vectors

• Phishing: bulk emails seeking to trick people into clicking malicious links or downloading malware

• Spear phishing: targeted emails seeking to trick people into taking a specific action

• Other cons: dropping infected flash drives in parking lots; calls from the “help desk”

Confidence Tricks

Photo credit: Joint Task Force Guantanamo, https://www.flickr.com/photos/jtfgtmo/

Page 13

Insider Attacks

• Rare: Edward Snowden, a privileged user with political or other principled motivation

• Uncommon: compromised employee, the target of blackmail or other extortion

• More common: disgruntled employee, more likely to do damage than steal something

• Very common: careless employee, who clicks on a phishing link or opens a phishing email, or uses unauthorized cloud storage

Photo credits: DonkeyHotey, https://www.flickr.com/photos/donkeyhotey/, and Laura Poitras

Page 14

Advanced Persistent Threats (APTs)

• Professional, technologically advanced attacks

• Typically single out a particular target

• Take a careful, step-by-step approach: introduce malware (often by spear phishing); the malware moves around the network; it ‘phones home’ to establish a command & control link; it exfiltrates valuable data/money

Photo credit: Paul van de Velde, https://www.flickr.com/photos/dordrecht-holland/

Page 15

Every Endpoint is Vulnerable

• Computers

• Mobile devices

• Network equipment

• Anything on the Internet of Things: thermostats, industrial equipment, appliances, automobiles, and many, many more…

Photo credit: tomemrich, https://www.flickr.com/photos/90941490@N06/

Page 16

Cyber Assumptions

• Every endpoint can be compromised

• Every user can be compromised

• Malware is everywhere

• Attackers have the run of your organization

Mitigation is Essential

Photo credit: Rob, https://www.flickr.com/photos/rob060/

Page 17

Jason Bloomberg, President, Intellyx

[email protected]

@theebizwizard

Download poster at AgileDigitalTransformation.com

Send email NOW to [email protected] to download this presentation

Thank You!

Page 18

Wrecking the Cyber House of Horror with Crypto-Segmentation

Satyam Tyagi, CTO Certes Networks

Page 19

Infrastructure-Centric Security Mess

Why are we in the House of Horrors?

Page 20

IT has out-evolved IT Security

(Timeline diagram, 1990 to 2016. Enterprise IT: packet networking; digitization, networked applications; Internet, smart devices, cloud; borderless, virtual, platforms. IT security: firewalls and gateways inspecting packet traffic at the perimeter; VPNs, remote access, network access; MDM/EMM, NAC, IDS, threat management; identity, authentication; perimeter, device-based, point products)

Enterprise security continues to be based on inspecting traffic and making security decisions based on packets: ports, IP addresses, header tags, etc.

This means the security model is tied to networks & infrastructure that are already compromised; every major data breach has exploited this failing

Page 21

The Original Attack Surface

When application traffic and users stayed inside the LAN, the attack surface was minimal

Page 22

The New Attack Surface

As IT has evolved, the attack surface has exploded. User & app sprawl: a mess of users accessing a mess of applications

Page 23

Humanly Impossible Complexity, Enemy of Security

(Diagram: the new exposure, cloud apps, Internet access, remote workers, contractors, remote offices, BYOD and IoT, behind a firewalled perimeter, with the Security Office working in three stages)

CATEGORIZE. Business requirements: What are the assets/apps? Why are they valuable? Who needs access to them? What is the potential negative impact if confidentiality, integrity or availability is breached?

SELECT. Security policy & controls: access control, awareness training, audit accountability, assessment authorization, configuration management, contingency planning, identification authentication, incident response, …

IMPLEMENT. Products: CASB, IoT gateways, software-defined perimeter/VPN, EMM/NAC, micro-segmentation, FW/SWG, VPN. Teams: Mobility Team, Data Center Team, IoT Team, Cloud App Team, Remote Worker Team, Internet Network Firewall Team, Partner Access Team

Siloed expensive work + slower to market = $$$ (expensive)

Page 24

Facing the House of Horrors

Decoupling Security from Infrastructure

Page 25

Business-Driven Infrastructure-Independent Security

Security officer “implements” security policy and controls to meet business requirements:

• No dependence on type of infrastructure

• No dependence on multiple other teams

• Simply categorize & segregate business assets (apps)

• Defines access based on user roles & business needs

(Diagram: the Security Office alone runs the same three stages. CATEGORIZE business requirements: what the assets/apps are, why they are valuable, who needs access to them, and the potential negative impact if confidentiality, integrity or availability is breached. SELECT security policy & controls: access control, awareness training, audit accountability, assessment authorization, configuration management, contingency planning, identification authentication, incident response, … IMPLEMENT)

Page 26

Infrastructure to Business, Chaos to Harmony!

(Diagram: the new exposure, cloud apps, Internet access, remote workers, contractors, remote offices, BYOD and IoT, with the firewalled perimeter and business segments labelled Sales and Ops)

Page 27

IT Security Evolution

(Timeline diagram, 1990 to 2016. Enterprise IT: packet networking; digitization, networked applications; Internet, smart devices, cloud; borderless, virtual, platforms. IT security: firewalls and gateways inspecting packet traffic at the perimeter; VPNs, remote access, network access; intrusion detection, traffic inspection, threat management; identity, authentication; software-defined application access & segmentation)

Certes redefines security by decoupling it from network devices. Security decisions are not based on ports, addresses or other network parameters

Page 28

Cryptography Decouples Security From Infrastructure

‘No Trust’ with micro-segmentation versus ‘No Trust’ with crypto-segmentation, row by row (how it works, and what it means for you):

Basis of Trust
Micro-segmentation, how it works: infrastructure
Micro-segmentation, what it means for you: infrastructure compromised & everything is at risk
Crypto-segmentation, how it works: cryptographic credentials, X.509 certificates, cryptographic keys
Crypto-segmentation, what it means for you: all assets are protected unless the attacker can break each individual app key (practical impossibility)

Basis of Policy
Micro-segmentation, how it works: VM instances, Layer 2 to Layer 7 firewalls, network flows
Micro-segmentation, what it means for you: a compromised machine can be used to laterally move out of the micro-segment
Crypto-segmentation, how it works: X.509 certificates, cryptographic keys and security associations
Crypto-segmentation, what it means for you: no credentials, no keys, no lateral movement

Crypto Usage
Micro-segmentation, how it works: optional for confidentiality and privacy for interconnecting segments
Micro-segmentation, what it means for you: privacy and confidentiality are already provided by most apps
Crypto-segmentation, how it works: cryptography is the fabric of trust, policy decision and segmentation; consistent privacy is a secondary benefit
Crypto-segmentation, what it means for you: non-crypto segmentation is exploited in breach after breach via lateral movement

User Aware
Micro-segmentation, how it works: not user role aware
Micro-segmentation, what it means for you: access is granted based on layer 2-7 firewall rules
Crypto-segmentation, how it works: user identity and role are the basis for access
Crypto-segmentation, what it means for you: business roles and strong identity define access

Scope
Micro-segmentation, how it works: data center or cloud
Micro-segmentation, what it means for you: separate policies inside, outside, by user location
Crypto-segmentation, how it works: true end-to-end from user devices to app workloads
Crypto-segmentation, what it means for you: one policy end-to-end

Page 29

Wrecking the House of Horrors

Certes’ Role-based Access to App Segments

Page 30

How to Wreck: Certes’ Role-based Access to App Segments

Page 31

Wrecking in Action

• Each app is isolated in its own crypto-segment

• Users are granted access based on roles, applied across all apps consistently

• If a user is compromised, lateral movement is blocked

• The breach is contained and the attack surface shrinks
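The role-based crypto-segmentation idea from the page 28 comparison and the bullets above, as an added example that is not part of the original deck and not Certes' product code: a toy policy engine in which reaching an app segment requires a valid authentication tag under that segment's key, set beside a perimeter rule that trusts any LAN source address. The segment names, keys, roles, users and address ranges are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: each app segment has its own key, and a user is
# only issued the keys of the segments that their business role allows.
SEGMENT_KEYS = {
    "crm": b"constructed-crm-segment-key",
    "payroll": b"constructed-payroll-segment-key",
}
ROLE_SEGMENTS = {"sales": {"crm"}, "ops": {"crm", "payroll"}}
USER_ROLES = {"alice": "sales", "bob": "ops"}
LAN = ipaddress.ip_network("10.0.0.0/8")


def keys_for(user):
    """Keys a user holds: one per segment their role is entitled to."""
    return {seg: SEGMENT_KEYS[seg] for seg in ROLE_SEGMENTS[USER_ROLES[user]]}


def sign_request(user, segment, payload):
    """Client side: tag the request with the segment key, if the user has it."""
    key = keys_for(user).get(segment)
    if key is None:
        return None  # no credential for this segment, so nothing to sign with
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def perimeter_allows(src_ip):
    """Infrastructure-centric rule: anything inside the LAN may reach any app."""
    return ipaddress.ip_address(src_ip) in LAN


def crypto_segment_allows(segment, payload, tag):
    """Crypto-segmentation rule: accept only a valid tag under the segment key.
    Source address plays no part in the decision."""
    if tag is None:
        return False
    expected = hmac.new(SEGMENT_KEYS[segment], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def lateral_move(user, src_ip, segment, payload=b"GET /records"):
    """Model a request from a (possibly compromised) user's host to an app
    segment. Returns (perimeter_decision, crypto_segment_decision)."""
    tag = sign_request(user, segment, payload)
    return perimeter_allows(src_ip), crypto_segment_allows(segment, payload, tag)
```

A compromised Sales host inside the LAN passes the perimeter rule but cannot produce a tag for the payroll segment, which is the "no keys, no lateral movement" row of the comparison.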


Page 32

Benefits of Wrecking

• Software Defined Security: network agnostic; security overlay across silos

• Reduce Security Complexity: single point of policy configuration and enforcement

• Total Cost Reduction: single point of policy ownership and operational management

• End-to-End Security: client to application security; lateral movement prevention

Page 33

Q&A: Type your questions into the chat panel.

Page 34

Q&A: Please type your questions into the chat panel, or contact us at [email protected]

Page 35

Thank you! The slides and webinar replay will be emailed to you. Visit CertesNetworks.com

Watch CryptoFlow Solutions in Action: https://youtu.be/MDy8x9z7mIc