#RSAC
Transforming Security Part 1: Cloud & Virtualization
Session ID: SPO1-R10
Tom Corn, Senior Vice President, Security Products, VMware (@therealtomcorn)
GLASS. WOOD. CONCRETE.
[Diagram: application lifecycle phases (the planning phase, development phase, functional test, general availability, day 2 operations) with "THREAT" labels overlaid on the phases]
YOUR CRITICAL APPLICATION IS YOUR BABY
From Monolithic Stack to Distributed Apps
The Application is a Network
Securing the Infrastructure: Perimeter Security
The Impact of Architectural Shifts on Security: Perimeter Security
Misalignment
[Diagram: Security Policies are expressed in terms of APPS and DATA; Security Controls are expressed in terms of COMPUTE and NETWORK]
[Attack chain diagram]
Infiltration: attack vector/malware; delivery mechanism; entry point compromise
Propagation: escalate privileges; install C2 (command and control) infrastructure; lateral movement
Extraction: break into data stores; network eavesdropping; app-level extraction
Exfiltration: parcel and obfuscate; exfiltration; cleanup
[Diagram: perimeter controls "Stop infiltration" at the entry and "Stop exfiltration" at the exit; the propagation steps (escalate privileges, install C2 infrastructure, lateral movement) and extraction steps (break into data stores, network eavesdropping, app-level extraction) sit between them. Legend: Known good / Known bad / Unknown]
Mass Complexity
The Only Thing Outpacing Growth in Security Spend is Growth in Security Breaches
[Chart series: IT Spend, Security Spend, Security Breaches]
Annual cost of security breaches: $445B (Source: Center for Strategic and Int'l Studies)
Security as a % of IT spend: 2012: 11%; 2015: 21% (Source: Forrester)
Projected growth rate in IT spend from 2014-2019: zero (flat) (Source: Gartner)
We need to align controls and policies to the application
[Diagram: Security Policies (APPS, DATA) and Security Controls (COMPUTE, NETWORK) both anchored to the Application]
We need to establish least privilege environments
“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Professor Jerome Saltzer, MIT, Communications of the ACM
Least Privilege Is More Than Just Blocking
[Attack chain diagram repeated: infiltration, propagation, extraction, exfiltration]
[Diagram: the propagation and extraction phases mapped onto three layers: Application, Network, Data Plane]
[Diagram: axes from Static / Coarse-Grained to Dynamic / Fine-Grained and Prevent, Detect, Respond, across the Application, Network and Data Plane layers]
From our current model: focused on malicious behavior
• Highly complex and noisy
• Exposed, i.e., untrusted monitoring, limited context
• Manual and lacking orchestration
To a new model: focused on good (intended) behavior
• Simpler and smaller problem set
• Better signal-to-noise ratio
• Actionable and behavior-based alerts and responses
Why Haven’t We Done This Already?
Application Understanding: application context and visibility
Infrastructure Alignment: connecting the dots between apps and I/F (infrastructure)
Datacenter Dynamics: datacenters are highly dynamic
THE STAKES ARE HIGH
If we get it wrong…
At best: operational complexity
At worst: application disruption
What does this have to do with virtualization and cloud?
It Provides an Abstraction Layer Between I/F and Apps
Unique Properties of the Virtualization Layer
• It’s in a unique position to see both Intentional and Runtime State (Intended State | Runtime State | Application)
• It’s in a unique position to understand the infrastructure and control topology (NGFW, IPS, WAF, sFW, ENC)
• It’s in a unique position to maintain this alignment as the datacenter and applications evolve
• It’s in a unique position to deliver a high degree of automation
• It’s in a unique position to deliver isolation: maintain a separate trust domain for security
We can leverage the unique properties of cloud and virtualization to secure critical applications
[Diagram: Application, Topology, Alignment, Automation and Isolation over a set of VMs grouped into APPs]
Software-Defined Security
[Diagram: Attack Vectors across the Application, Data Plane and Network]
Traditional Segmentation vs. Micro-Segmentation
[Diagram: FW placement under Traditional Segmentation versus Micro-Segmentation for the DB, WEB and APP components]
What About Exposure from the Physical Underlay?
[Diagram: Listening and Inserting on the physical underlay beneath the DB, WEB and APP components]
You can solve that with encryption… but that turns out to be enormously complex
Encryption as a Distributed Service
[Diagram: encryption delivered as a distributed service across the DB, WEB and APP components]
Application-Focused Least Privilege
The Application as a System of Components
[Diagram: each component (DB, WEB, APP) is modelled as Processes, Security Agents / Monitoring, OS, Inbound Communications and Outbound Communications]
Least Privilege for the Application Layer: Detection and Response
Intentional State: Intended State vs. Runtime State
Intentional State, sourced from:
Infrastructure Events (vRA, vCenter, NSX, Chef, Puppet, AWS, etc.)
• Machine context
• Control and security policies
• Network topology
Developer Workflow (Maven, Ansible, Jenkins, etc.)
• Application flows down to process level
• Code signing/authorization
Runtime Behavior (Agents, Netflow, Policy Changes, etc.)
• Process and network behavior
• Ideal for brownfield apps
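The intended-state versus runtime-state comparison the slides describe, as an added example in Python (not code from the talk or from VMware); the manifest, the component and process names and the Observation type are all constructed for illustration:

```python
"""Intended-state vs. runtime-state check for a three-tier application.

Added example, not from the talk. The intended state (which process each
component may run and which outbound flows it may open) is a constructed
manifest of the kind derived from infrastructure events and the developer
workflow; the runtime observations are constructed samples of what an agent
or Netflow would report. Anything outside the manifest is 'unknown' and
becomes an alert, so the problem is the size of the manifest, not the size
of the threat landscape."""
from dataclasses import dataclass
from typing import Optional

# Constructed intended state: component -> permitted processes and outbound flows
INTENDED = {
    "WEB": {"procs": {"nginx"}, "flows": {("APP", 8080)}},
    "APP": {"procs": {"java"}, "flows": {("DB", 5432)}},
    "DB": {"procs": {"postgres"}, "flows": set()},
}

@dataclass(frozen=True)
class Observation:
    component: str
    proc: str                   # process that produced the event
    dst: Optional[str] = None   # destination component; None for a process-start event
    port: Optional[int] = None

def classify(obs: Observation) -> str:
    """Return 'known good' if the observation matches the intended state, else 'unknown'."""
    spec = INTENDED.get(obs.component)
    if spec is None or obs.proc not in spec["procs"]:
        return "unknown"        # unexpected component or process
    if obs.dst is None:
        return "known good"     # expected process started, no flow involved
    return "known good" if (obs.dst, obs.port) in spec["flows"] else "unknown"

def deviations(observations):
    """Return the observations that deviate from the intended state, in the order seen."""
    return [o for o in observations if classify(o) == "unknown"]

# Constructed runtime sample: three expected events, then three deviations
RUNTIME = [
    Observation("WEB", "nginx", "APP", 8080),
    Observation("APP", "java", "DB", 5432),
    Observation("DB", "postgres"),
    Observation("APP", "java", "WEB", 22),        # flow not in the manifest
    Observation("DB", "bash"),                    # process not in the manifest
    Observation("APP", "java", "INTERNET", 443),  # destination not in the manifest
]

if __name__ == "__main__":
    for o in deviations(RUNTIME):
        print(f"ALERT unknown behaviour: {o}")
```

Known-bad matching (signatures) is deliberately absent: the point of the slide is that everything not in the intended state is already actionable without it.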
Least Privilege for the Application Layer: Detection and Response
[Diagram: Untrusted Zone (Guest): Processes, Security Agents / Monitoring, OS, Inbound Communications, Outbound Communications. Trusted Zone (Kernel): Virtual Enclave with Runtime Attestation and Secure Context Store. Flow: Intentional State, Detection and Response, Remediation]
Security in Hardware: great isolation, lacks context
Security in Software: great context, lacks isolation
Goldilocks: the virtual enclave
Extending the Concept to the Security Ecosystem
[Diagram: Security Vendors alongside the Trusted Zone (Kernel) Virtual Enclave (Runtime Attestation, Secure Context Store), with Intentional State and Remediation]
The Future of Software-Defined Security
[Diagram: Correlation/Analytics; Governance, Risk & Compliance; Network Security Controls, Data Security Controls, Compute Security Controls, all centred on the Application]
Network: application-centric micro-segmentation (PREVENT)
Compute: application-centric detection & response (DETECT/RESPOND)
How do you secure virtualization?
How do you use virtualization to secure?
Practitioners, Vendors, Cloud Infrastructure: What will you deliver next?