Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain

Similar documents
Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

Advancing Security with Software Defined Datacenter. Karen Law Senior Systems Consultant VMware Hong Kong Ltd

Netzwerkvirtualisierung? Aber mit Sicherheit!

VMware Software Defined Network. Dejan Grubić VMware Systems Engineer for Adriatic

Advanced Security Services with Trend Micro Deep Security and VMware NSX Platforms

Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre

Software Defined Data Centers Network Virtualization & Security. Jeremy van Doorn Director of Systems Engineering EMEA, Network & Security

How Network Virtualization can improve your Data Center Security

How To Protect A Data Center From A Hacker Attack

IT Security at the Speed of Business: Security Provisioning with Symantec Data Center Security

How To Build A Software Defined Data Center

HAWAII TECH TALK SDN. Paul Deakin Field Systems Engineer

Limiting the Spread of Threats: A Data Center for Every User

Itex VMware NSX Network Virtualization Presentation

Software defined networking. Your path to an agile hybrid cloud network

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

VMware NSX A Perspective for Service Providers part 2

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Simplify IT. With Cisco Application Centric Infrastructure. Roberto Barrera VERSION May, 2015

Securing the Virtualized Data Center With Next-Generation Firewalls

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Data Center Micro-Segmentation

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Designing Virtual Network Security Architectures Dave Shackleford

Virtualization, SDN and NFV

Enterprise Security Platform for Government

Palo Alto Networks. Security Models in the Software Defined Data Center

Shifting Roles for Security in the Virtualized Data Center: Who Owns What?

Secure Cloud-Ready Data Centers Juniper Networks

AppGuard. Defeats Malware

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION

Critical Security Controls

The Clock is Ticking on Windows Server 2003 Support

Securing Virtual Applications and Servers

How To Protect A Virtual Desktop From Attack

SYMANTEC DATA CENTER SECURITY: SERVER ADVANCED 6.5

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Software Defined Environments

RIDE THE SDN AND CLOUD WAVE WITH CONTRAIL

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security

Developing Secure Software in the Age of Advanced Persistent Threats

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

Network Virtualization for the Enterprise Data Center. Guido Appenzeller Open Networking Summit October 2011

End to End Security do Endpoint ao Datacenter

Cloud and Data Center Security

Embrace SDN the Future of Networking is Here

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.

Security in the Software Defined Data Center

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

SOFTWARE DEFINED NETWORKING

IT Infrastructure Services. White Paper. Utilizing Software Defined Network to Ensure Agility in IT Service Delivery

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

DYNAMIC DNS: DATA EXFILTRATION

SECURING YOUR MODERN DATA CENTER WITH CHECK POINT

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

Cloud, SDN and the Evolution of

Palo Alto Networks Cyber Security Platform for the Software Defined Data center. Zekeriya Eskiocak Security Consultant Palo Alto Networks

Network Virtualization Solutions - A Practical Solution

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

1518 Best Practices in Virtualization & Cloud Security with Symantec

Stephen Coty Director, Threat Research

Business Values of Network and Security Virtualization

Meeting the Challenges of Virtualization Security

How To Protect Your Virtual Infrastructure From Attack From A Cyber Threat

SOFTWARE-DEFINED NETWORKS

Software Defined Networks Virtualized networks & SDN

Sikkerhet Network Protector SDN app Geir Åge Leirvik HP Networking

Architecting Security for the Private Cloud. Todd Thiemann

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Catbird 6.0: Private Cloud Security

Use Case Brief NETWORK SECURITY

Defending Against Data Beaches: Internal Controls for Cybersecurity

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

SDN/Virtualization and Cloud Computing

Virtual Patching: a Proven Cost Savings Strategy

How To Manage Security On A Networked Computer System

Virtual Patching: a Compelling Cost Savings Strategy

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre

RSA Security Analytics

Simplify IT. With Cisco Application Centric Infrastructure. Barry Huang Nov 13, 2014

Federated Application Centric Infrastructure (ACI) Fabrics for Dual Data Center Deployments

Agenda , Palo Alto Networks. Confidential and Proprietary.

VMware vcloud Networking and Security Overview

Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com

The Virtualization Practice

Protect Root Abuse privilege on Hypervisor (Cloud Security)

Simplifying Data Data Center Center Network Management Leveraging SDN SDN

PICO Compliance Audit - A Quick Guide to Virtualization

Leveraging SDN and NFV in the WAN

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Transcription:

SESSION ID: ANF-T08 Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain Sean Doherty VP Technology Partnerships and Alliances Symantec @SeandDInfo Deb Banerjee Chief Architect, Data Center Security Products Symantec

A Quick Level Set

The Phases of an APT Attack 1. Reconnaissance Attacker leverages information from a variety of sources to understand their target. 2. Incursion Attackers break into network by using social engineering to deliver targeted malware to vulnerable systems or by attacking public facing infrastructure. 3. Discovery Once in, the attackers stay low and slow to avoid detection. They then map the organization s defenses from the inside and create a battle plan and deploy multiple kill chains to ensure success. 5. Exfiltration Captured information is sent back to attack team s home base for analysis and further exploitation. 4. Capture Attackers access unprotected systems and capture information over an extended period. They may also install malware to secretly acquire data or disrupt operations. 3

Characteristics and Capabilities of Software Defined Things Characteristics Abstraction Instrumentation Automation Orchestration Capabilities Agility Adaptability Accuracy Assurance 4

What is SDN Definitions and Key Concepts This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs. Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, Source: https://www.opennetworking.org/sdn-resources/sdn-definition 5

Data Center Security Controls: Host-Based Controls IDS/IPS Anti-Malware Detection/Response Technologies Signature Behavioral Correlation Challenges Operational Complexity Impact Analysis Will updating a host-based security policy cause an outage? False Positives Shellshock Compensation: (CVE-2014-6271) 6

Data Center Security Controls: Network-Based Controls Firewalls/VLAN-based Segmentation: Zones, Applications, Tiers, Network IDS/IPS Packet Inspection for exploit payloads DLP : data egress detection Challenges Operational Complexity Resource Consumption False Positives Can t scan all traffic for all exploits 7

A Typical Data Center Network

Application A Load Balancer Application B WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 Firewall CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB 9

Attack Scenario APT that leverages public facing infrastructure vulnerabilities Lots of these to chose from Our scenario a classic 3 tier public web facing application in traditional infrastructure 25% have critical vulnerabilities unpatched 53% of legitimate websites have unpatched vulnerabilities Source: Symantec ISTR : Volume 18 10 1 0

The Attack Application A Load Balancer Application B WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 Firewall CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB 11

Micro-segmentation A new model for data center security STARTING ASSUMPTIONS 1 DESIGN PRINCIPLES Isolation and segmentation Assume everything is a threat and act accordingly. 2 3 Unit-level trust / least privilege Ubiquity and centralized control 12

Application A Load Balancer Application B WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 Firewall CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB 13

Application A Load Balancer Application B WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 Firewall Firewall CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB 14

If only everything was as easy as a diagram in PowerPoint 15

Logical View of SDN Architecture NSX Manager, APIC Manager NSX Controller, Nexus 9000 Firewalls, Network IDS/IPS, Network DLP 16

Orchestration SDN Creating the Dynamic and Secure Data Center Micro Segmentation Service Chaining Dynamic and Secure State Data Center Policy

Micro-Segmented Architecture Load Balancer Private Cloud with Application A & B ESXPRD01 ESXPRDA1 ESXPRDD6 ESXPRDB3 PRDSVR01 ESXPRDFA ESXPRDFE ESXPRDD D ESXPRDA2 Firewall 18

Micro-segmentation with SDN Data Plane Distributed switching, rou ng, firewall Each Workload is: Isolated Requires all routing to be pre defined Control Plane NSX Manager REST API Management Plane vcenter Example Using VMware NSX Physical workloads and VLANS

Traffic Steering Service Chaining with SDN Security Policy Dashboard Security Admin Security controls including IPS Firewall DLP can be dynamically added to any traffic flow Example VMWare NSX and Symantec DCS:Server

State Static State Applications Vulnerabilities/Exploits Anomaly detection Applicati ons Vulnerabilit ies/exploits Dynamic State IoCs Network Traffic Data Flow and DLP Events Host and Network Intrusion Events Anomaly detection Host and Network Intrusion Events Data Flow and DLP Events State Network Traffic IoCs

Policy Infrastructure Provisioning vcenter NSX ACI AWS Security Provisioning Policies Firewall, Segmentation IPS Anti-Malware DLP Host Integrity Security Response Policies Currently Ad-Hoc in the future standards required

Orchestration = SDN + State + Policy Change App Event 2. Host-based Security detects change App Event and reports. 6. Security Orchestrator recommends mi ga ons op ons -Network Security policy (E.g. quaran ne) -Host-based Security(System Hardening) 7. Sec Admin selects Network Security policy. 1. Applica on Admin Upgrades Web Services 4. VA conducts scan Vulnerability Manager CVSS High Exploitable 5. VA returns results to Security Orchestrator: CVSS High and Exploitable. Hypervisor Security Orchestrator 3. Security Orchestrator: Based on a ributes of applica on determines Vulnerability Assessment is required. SDN Manager 8. Quaran ne Tag to Network Security device Quaran ne Network Security Device 9. PAN applies access control to allow only admin access to VM. 10. VM is placed in SDN Quaran ne Security Group

Orchestration SDN Creating the Dynamic and Secure Data Center Micro Segmentation Service Chaining Dynamic and Secure State Data Center Policy

Orchestrating SDNs to disrupt APTs Automated Policy Based Provisioning Consistently apply appropriate controls Moves with the workload, and cleans up behind itself Remove Legacy or Temporary Rules and Routes Restrict the ability for the attacker to traverse the network east-west Transparent Service Chaining of Compensating Controls Add, change or remove controls without detection Leverage real-time intelligence to automate this process 25

Orchestrating SDNs to disrupt APTs cont. Tap/Probe insertion during IR Systematic Workload Provisioning Give the attacker a moving target to hit without disrupting the application Honey-Pots and Honey-Nets 26

Summary SDN is a key capability for introducing micro-segmentation and service chaining to facilitate dynamic response to APT attacks Security controls must offer API s for feeds and for automated response for incidents Apply the persistence of malware against the attack Security orchestration systems can automate policy updates to network and host-based security controls for faster and targeted APT responses SDN s enable us to optimize infrastructure and operational resource consumption for APT responses 27

Apply What You Have Learned Today Short Term Evaluate how SDN can help you create fine-grained segmentation zones with lower operational costs Medium Term Redefine your data center strategy for orchestration Threat Detection: malware, data loss, behavioral and IoC s Vulnerability Management: assessment, prioritization and compensation Automation: Controls with APIs, application level policies and context Pilot Security Automation on SDN Long Term Change the asymmetry of the APT attack 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information