From Enterprise Perimeter to Distributed, Virtual Enterprise Security

Size: px

Start display at page:

Download "From Enterprise Perimeter to Distributed, Virtual Enterprise Security"

Madeline Roberts
7 years ago
Views:

1 From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO AT&T Page 1

2 Page 2 Sandbags Piled in Front of AT&T Building 12/15/41

3 Original Perimeter Objective (Circa 1995) Enterprise Perimeter Untrusted External Actor Inside the Firewall Outside the Firewall Page 3

4 Enabling Browser Access to Enterprise site (External) Untrusted External Actor Page 4

5 Rule Added to Firewall to Allow Inbound Access to TCP/Port 80 (http) (External) Untrusted External Actor Off the Shelf Software and Tools with Potentially Exploitable Vulnerabilities Packets from Browsers Anywhere Enter the Perimeter Page 5

6 Perimeter Design Firewall Router Scan UTM PKI Admin Access to Server Enterprise Access to Server 2FA Log Allowed RBAC (External) DLP A/V SIEM Proxy FW IPS A/S Page 6

7 Page 7 (External)

8 Enabling External VPN Access to Enterprise (External) VPN Designed for VPN/RA Client Page 8

9 Perimeter Design Firewall Router Scan UTM PKI Admin Access to Server Admin Access to VPN Server Enterprise Access to Server 2FA 2FA Log Log Allowed RBAC RBAC (External) VPN DLP A/V SIEM Proxy FW FW IPS A/S Integrate into Common Physical Perimeter Firewall Router Scan UTM PKI Enterprise Access to VPN Server Allowed DLP A/V SIEM Proxy IPS A/S Page 9

10 (External) VPN Page 10

11 Adding Third Party Gateway Access to Enterprise (External) Designed for Third Party Care, Contact, Support, etc. Third Party Gateway VPN Page 11

12 Perimeter Design Admin Access to Third Party Gateways Scan UTM PKI DLP SIEM IPS 2FA Log (External) A/V Proxy A/S Typically Source IP-Based Authentication RBAC Third Party Gateway VPN FW Integrate into Common Physical Perimeter FW FW Scan UTM PKI Scan UTM PKI DLP A/V SIEM Proxy IPS A/S Allowed Enterprise Access to Third Party Gateways DLP A/V SIEM Proxy IPS A/S Integrate into Common Physical Perimeter Page 12

13 Enterprise Assets (External) Third Party Gateway VPN Page 13

14 Adding Inbound to Enterprise Enterprise Assets (External) Third Party Gateway VPN Page 14

15 Perimeter Design Scan UTM PKI Scan UTM PKI DLP SIEM IPS DLP SIEM IPS A/V Proxy A/S (External) A/V Proxy A/S FW FW Allow Exchange with any Sender or Receiver Third Party Gateway VPN Integrate into Common Physical Perimeter FW Allowed FW Integrate into Common Physical Perimeter Scan UTM PKI Enterprise Access to Mail Scan UTM PKI DLP SIEM IPS DLP SIEM IPS A/V Proxy A/S A/V Proxy A/S Integrate into Common Physical Perimeter Page 15

16 Enterprise Assets (External) Third Party Gateway VPN Page 16

17 Hundreds to Millions of Rules ( ) Enterprise Assets (External) Additional Firewall Rule Exceptions Additional Firewall Rule Exceptions Third Party Gateway VPN Page 17

18 Expanded Third Party Gateways Enterprise Assets (External) Additional Firewall Rule Exceptions Additional Firewall Rule Exceptions Third Party VPN Additional Third Parties, Retail Dealers, Outsourcing, Offshoring Page 18

19 Expanded Employee Remote Access Enterprise Assets (External) Additional Firewall Rule Exceptions Additional Firewall Rule Exceptions Third Party VPN Additional Third Parties, Retail Dealers, Outsourcing, Offshoring Additional Remote Access, Employee Telework, Road Warriors Page 19

20 Network Vulnerabilities Network Misconfigurations (Internet Exposing) Unauthorized Network Connections (Internet Exposing) Enterprise Assets (External) Additional Firewall Rule Exceptions Additional Firewall Rule Exceptions Third Party VPN Additional Third Parties, Retail Dealers, Outsourcing, Offshoring Additional Remote Access, Employee Telework, Road Warriors Page 20

21 Employee Use of Mobile Network Misconfigurations (Internet Exposing) Unauthorized Network Connections (Internet Exposing) Enterprise Assets (External) Additional Firewall Rule Exceptions Additional Firewall Rule Exceptions Third Party VPN Additional Third Parties, Retail Dealers, Outsourcing, Offshoring Enterprise Use of Mobility Additional Remote Access, Employee Telework, Road Warriors Page 21

22 Typical State of the Practice Enterprise Design Network Misconfigurations (Internet Exposing) Unauthorized Network Connections (Internet Exposing) Enterprise Assets (External) Additional Firewall Rule Exceptions Additional Firewall Rule Exceptions Third Party VPN Additional Third Parties, Retail Dealers, Outsourcing, Offshoring Enterprise Use of Mobility Additional Remote Access, Employee Telework, Road Warriors Page 22

23 Enterprise Perimeter Reality (Circa 2015) Enterprise Perimeter Outside Page 23

24 Nation State Exfiltration Attacks North/South Exploit (Perimeter) Phishing Attack East/West Exploit (Enterprise) Data Exfiltration Successfully attack this... and gain access to this... Page 24

25 Nation State Exfiltration Attacks Many Solutions Exist to Reduce Risk Inbound North/South Exploit (Perimeter) Inbound Filtering East/West Exploit (Enterprise) Outbound Filtering Many Solutions Exist to Reduce Risk Outbound No Good Solutions Exist to Reduce Traversal Risk Page 25

26 Page 26 Baseline Perimeter

27 Enabling Browser Access to Server Page 27

28 Micro-Perimeter Design ( Server) Virtual Micro Perimeter Page 28

29 Micro-Perimeter Provisioning to Cloud Scan UTM PKI Step 2: Provision Virtual Micro-Perimeter into Run Time System DLP SIEM IPS Step 1: Provision Server into Integrated Cloud A/V Proxy FW A/S Page 29

30 East-West Protection for Cloud Tenant Hypervisor Security Orchestration FW... A/S Proxy FW Virtual Appliances Virtual Perimeter Sampling of Vendors with Virtual Appliances Page 30

31 Virtual Micro Perimeter Page 31

32 Adding Security Command & Control Virtual Virtual Micro Perimeter Security C&C Virtual Micro Perimeter Page 32

33 Micro-Perimeter Provisioning to Cloud Scan UTM PKI DLP SIEM IPS A/V Proxy A/S FW Step 1: Provision Security Cmd/Ctrl into Virtual Data Center Security C&C Scan DLP UTM SIEM PKI IPS Integrate into Common Virtual Perimeter A/V Proxy A/S Step 2: Provision Virtual Micro-Perimeter into Run Time System FW Page 33

34 East-West Protection for and C&C Cloud Tenant Hypervisor Security Orchestration Server FW... A/S Proxy FW Virtual Appliances Tenant Security APIs SIEM Risk Compliance Security Reporting Security Alerting Tenant Security APIs Hypervisor Security Orchestration C&C FW... A/S Proxy FW Virtual Appliances Page 34

35 Enterprise Assets Virtual Micro Perimeter SOC Virtual Micro Perimeter Page 35

36 Adding Gateway Virtual Enterprise Assets Virtual Micro Perimeter Virtual Micro Perimeter Gateway SOC Virtual Micro Perimeter Page 36

37 Cloud Tenant Hypervisor Security Orchestration Gate way FW... A/S Proxy FW Virtual Appliances Tenant Hypervisor Security Orchestration Server FW... A/S Proxy FW Virtual Appliances SIEM Tenant Tenant Risk Compliance Security APIs Security Reporting Security APIs Security Alerting East-West Protection for, C&C, and Gateway Hypervisor Security Orchestration SOC FW... A/S Proxy FW Virtual Appliances Page 37

38 Enterprise Assets Virtual Micro Perimeter Virtual Micro Perimeter Gateway SOC Virtual Micro Perimeter Page 38

39 East-West Traversal Mitigated by Virtual Perimeter North/South Exploit (Perimeter) East/West Exploit (Enterprise) Successfully attack this... and gain NO access to this... Page 39

40 Legacy Assets Dependent on Existing Perimeter Legacy Assets Enterprise Assets Virtual Micro Perimeter Virtual Micro Perimeter Gateway SOC Virtual Micro Perimeter Page 40

41 Legacy Assets Dependent on Existing Perimeter Enterprise Perimeter (Legacy Assets) Legacy Gateway SOC Page 41

42 Enterprise Perimeter Has Less to Defend Legacy Gateway SOC Page 42

43 Legacy Gateway SOC Page 43

44 Back-End Legacy Gateway SOC Page 44

45 Back-End Legacy Gateway SOC (Primary) SOC (Backup) Page 45

46 Back-End Legacy Gateway SOC (Primary) SOC (Backup) Page 46

47 Back-End Legacy Gateway SOC (Primary) SOC (Backup) Page 47

48 Legacy Back-End Gateway SOC (Primary) SOC (Backup) Page 48

49 Gateway Legacy Back-End SOC (Primary) SOC (Backup) Page 49

50 Gateway Legacy Back-End SOC (Primary) SOC (Backup) Page 50

51 Ring (Gateway) Ring (Legacy) Ring (Back-End) Ring ( Server) SOC (Primary) SOC (Backup) Page 51

52 SOC (Primary) SOC (Backup) Page 52

53 Page 53

54 Page 54

55 Page 55

56 Page 56

57 Micro-Domain Rings Micro-Domain Rings Security Command and Control (C&C) Page 57

58 Micro-Domain Rings Micro-Domain Rings Security Command and Control (C&C) Robust, Secure Communication with Multiple C&C Security Software Drop Locations Page 58

59 Bots Bots Botnet Command and Control (C&C) Robust, Secure Communication with Multiple C&C Botnet Software Drop Locations Page 59

60 Resilience of Botnets ZeroAccess Botnet (Click Fraud) Resilient!! Massive Industry Botnet Takedown Effort Page 60

61 Distributed, Virtual Enterprise Perimeter Design Micro-Domain Rings Micro-Domain Rings Security Command and Control (C&C) Security Software Drop Locations Robust, Secure Communication with Multiple C&C Page 61

Networking for Caribbean Development

Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n