From Enterprise Perimeter to Distributed, Virtual Enterprise - - PowerPoint PPT Presentation



SLIDE 1
From Enterprise Perimeter to Distributed, Virtual Enterprise Security
Ed Amoroso, SVP, CSO – AT&T, eamoroso@att.com
Page 1

SLIDE 2
Sandbags Piled in Front of AT&T Building – 12/15/41

SLIDE 3
Original Perimeter Objective (Circa 1995)
Diagram labels: Enterprise Perimeter; Untrusted External Actor; “Inside the Firewall”; “Outside the Firewall”

SLIDE 4
Enabling Browser Access to Enterprise Website
Diagram labels: Web (External); Untrusted External Actor

SLIDE 5
Diagram labels: Web (External); Untrusted External Actor
Callouts: Rule Added to Firewall to Allow Inbound Access to TCP/Port 80 (http); Packets from Browsers “Anywhere” Enter the Perimeter; “Off the Shelf” Web Software and Tools with Potentially Exploitable Vulnerabilities

SLIDE 6
Perimeter Design
Diagram labels: Web (External); Enterprise Access to Web Server “Allowed”; Admin Access to Web Server (RBAC, 2FA, Log); Firewall; Router; perimeter security stack: FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan

SLIDE 7
Diagram labels: Web (External)

SLIDE 8
Enabling External VPN Access to Enterprise
Diagram labels: VPN; Web (External); Designed for VPN/RA Client

SLIDE 9
Perimeter Design
Diagram labels: Web (External); VPN; Enterprise Access to Web Server “Allowed”; Admin Access to Web Server (RBAC, 2FA, Log); Enterprise Access to VPN Server “Allowed”; Admin Access to VPN Server (RBAC, 2FA, Log); Firewall; Router; security stack per entry point: FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan; Integrate into Common Physical Perimeter

SLIDE 10
Diagram labels: Web (External); VPN

SLIDE 11
Adding Third Party Gateway Access to Enterprise
Diagram labels: Third Party Gateway; Web (External); VPN; Designed for Third Party Care, Contact, Support, etc.

SLIDE 12
Perimeter Design
Diagram labels: Web (External); VPN; Third Party Gateway; Enterprise Access to Third Party Gateways “Allowed”; Admin Access to Third Party Gateways (RBAC, 2FA, Log); Typically Source IP-Based Authentication; security stack per entry point: FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan; Integrate into Common Physical Perimeter

SLIDE 13
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party Gateway

SLIDE 14
Adding Inbound Email to Enterprise
Diagram labels: Enterprise Assets; Email; Web (External); VPN; Third Party Gateway

SLIDE 15
Perimeter Design
Diagram labels: Email; Web (External); VPN; Third Party Gateway; Enterprise Access to Mail “Allowed”; Allow Exchange with any Sender or Receiver; security stack per entry point: FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan; Integrate into Common Physical Perimeter

SLIDE 16
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party Gateway; Email

SLIDE 17
“Hundreds” to “Millions” of Rules (1995 – 2015)
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party Gateway; Email; Additional Firewall Rule Exceptions

SLIDE 18
Expanded Third Party Gateways
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party; Email; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring

SLIDE 19
Expanded Employee Remote Access
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party; Email; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Additional Remote Access, Employee Telework, Road Warriors

SLIDE 20
Network Vulnerabilities
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party; Email; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Additional Remote Access, Employee Telework, Road Warriors; Unauthorized Network Connections (Internet Exposing); Network Misconfigurations (Internet Exposing)

SLIDE 21
Employee Use of Mobile
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party; Email; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Additional Remote Access, Employee Telework, Road Warriors; Unauthorized Network Connections (Internet Exposing); Network Misconfigurations (Internet Exposing); Enterprise Use of Mobility

SLIDE 22
Typical State of the Practice Enterprise Design
Diagram labels: Enterprise Assets; Web (External); VPN; Third Party; Email; Additional Firewall Rule Exceptions; Additional Third Parties, Retail Dealers, Outsourcing, Offshoring; Additional Remote Access, Employee Telework, Road Warriors; Unauthorized Network Connections (Internet Exposing); Network Misconfigurations (Internet Exposing); Enterprise Use of Mobility

SLIDE 23
Enterprise Perimeter Reality (Circa 2015)
Diagram labels: Enterprise Perimeter; Outside

SLIDE 24
Nation State Exfiltration Attacks
Diagram labels: North/South Exploit (Perimeter); East/West Exploit (Enterprise); Phishing Attack; Data Exfiltration; Successfully attack this . . . and gain access to this . . .

SLIDE 25
Nation State Exfiltration Attacks
Diagram labels: North/South Exploit (Perimeter); East/West Exploit (Enterprise); Inbound Filtering; Outbound Filtering
Callouts: Many Solutions Exist to Reduce Risk Inbound; Many Solutions Exist to Reduce Risk Outbound; No Good Solutions Exist to Reduce Traversal Risk

SLIDE 26
Baseline Perimeter

SLIDE 27
Enabling Browser Access to Web Server
Diagram labels: Web

SLIDE 28
Micro-Perimeter Design (Web Server)
Diagram labels: Virtual Micro Perimeter; Web

SLIDE 29
Micro-Perimeter Provisioning to Cloud
Step 1: Provision Web Server into Integrated Cloud
Step 2: Provision Virtual Micro-Perimeter into Run Time System
Diagram labels: Web; micro-perimeter security stack: FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan

SLIDE 30
East-West Protection for Web
Diagram labels: Cloud; Tenant; Security Orchestration; Hypervisor; Virtual Appliances (FW, Proxy, A/S, FW); Web; Virtual Perimeter; Sampling of Vendors with Virtual Appliances

SLIDE 31
Diagram labels: Virtual Micro Perimeter; Web

SLIDE 32
Adding Security Command & Control – Virtual
Diagram labels: Security C&C; Virtual Micro Perimeter (one per asset); Web

SLIDE 33
Micro-Perimeter Provisioning to Cloud
Step 1: Provision Security Cmd/Ctrl into Virtual Data Center
Step 2: Provision Virtual Micro-Perimeter into Run Time System
Diagram labels: Security C&C; Web; security stack per micro-perimeter: FW, SIEM, Proxy, A/V, IPS, DLP, UTM, A/S, PKI, Scan; Integrate into Common Virtual Perimeter

SLIDE 34
East-West Protection for Web and C&C
Diagram labels: Cloud; Tenant (Web Server): Security Orchestration, Hypervisor, Virtual Appliances (FW, Proxy, A/S, FW), Security APIs; Tenant (C&C): Security Orchestration, Hypervisor, Virtual Appliances (FW, Proxy, A/S, FW), Security APIs; SIEM; Security Alerting; Security Reporting; Risk; Compliance

SLIDE 35
Diagram labels: Enterprise Assets; Virtual Micro Perimeter (one per asset); SOC; Web

SLIDE 36
Adding Gateway – Virtual
Diagram labels: Enterprise Assets; Gateway; Virtual Micro Perimeter (one per asset); SOC; Web

SLIDE 37
East-West Protection for Web, C&C, and Gateway
Diagram labels: Cloud; Tenant (Web Server): Security Orchestration, Hypervisor, Virtual Appliances (FW, Proxy, A/S, FW), Security APIs; Tenant (SOC): Security Orchestration, Hypervisor, Virtual Appliances (FW, Proxy, A/S, FW), Security APIs; Tenant (Gateway): Security Orchestration, Hypervisor, Virtual Appliances (FW, Proxy, A/S, FW); SIEM; Security Alerting; Security Reporting; Risk; Compliance

SLIDE 38
Diagram labels: Enterprise Assets; Gateway; Virtual Micro Perimeter (one per asset); SOC; Web
SLIDE 39
East-West Traversal Mitigated by Virtual Perimeter
Diagram labels: North/South Exploit (Perimeter); East/West Exploit (Enterprise); Successfully attack this . . . and gain NO access to this . . .
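The contrast between Slide 24 (a compromised perimeter host can traverse east/west to any enterprise asset) and Slide 39 (per-asset virtual micro-perimeters stop that traversal) can be checked as a reachability model. The following is an added example, not code from the presentation; the segment names follow the rings of Slide 51, and the per-segment flow rules are constructed assumptions for illustration.

```python
"""Reachability model contrasting a flat perimeter with micro-perimeters.
Added example; segments and flow rules are constructed, not from the deck."""
from collections import deque

# Constructed segments: the four rings named on Slide 51 plus the SOC.
SEGMENTS = ["web", "back-end", "gateway", "legacy", "soc"]

# Flat enterprise perimeter (Slide 24): once inside the firewall, every
# segment can reach every other segment, so east/west traversal is free.
FLAT_FLOWS = {src: {dst for dst in SEGMENTS if dst != src} for src in SEGMENTS}

# Virtual micro-perimeters (Slide 39): each segment's own firewall allows
# only the flows its function needs. Rules are assumed for illustration.
MICRO_FLOWS = {
    "web": {"back-end"},              # web tier talks only to its back-end
    "back-end": set(),                # back-end initiates nothing outbound
    "gateway": {"legacy"},            # third-party gateway brokers into legacy
    "legacy": set(),
    "soc": set(SEGMENTS) - {"soc"},   # security C&C reaches every ring for admin
}


def reachable(flows, start):
    """Breadth-first walk over allowed flows: the segments an attacker who has
    compromised `start` can reach at the network layer (excluding `start`)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in flows.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(flows, start):
    """Fraction of the other segments reachable from a compromised `start`."""
    return len(reachable(flows, start)) / (len(SEGMENTS) - 1)


def find_overbroad_rules(flows, max_reach=1):
    """Segments that can reach more than `max_reach` others: the first
    candidates for a tighter micro-perimeter policy review."""
    return sorted(s for s in flows if len(reachable(flows, s)) > max_reach)


if __name__ == "__main__":
    for name, flows in (("flat perimeter", FLAT_FLOWS), ("micro-perimeters", MICRO_FLOWS)):
        print(f"{name}: web compromise reaches {sorted(reachable(flows, 'web'))}")
```

Under the flat model a compromised web server reaches all four other segments; under the micro-perimeter model it reaches only its back-end, and the SOC ring is the one rule set the review function flags as broad.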

SLIDE 40
Legacy Assets Dependent on Existing Perimeter
Diagram labels: Enterprise Assets; Gateway; Legacy Assets; Virtual Micro Perimeter (one per asset); SOC; Web

SLIDE 41
Legacy Assets Dependent on Existing Perimeter
Diagram labels: Gateway; Legacy Enterprise Perimeter (Legacy Assets); SOC; Web

SLIDE 42
Diagram labels: Gateway; Legacy Enterprise Perimeter Has Less to Defend; SOC; Web

SLIDE 43
Diagram labels: Gateway; Legacy; SOC; Web

SLIDE 44
Diagram labels: Gateway; Legacy; Web Back-End; SOC; Web

SLIDE 45
Diagram labels: Gateway; Legacy; Web Back-End; SOC (Primary); SOC (Backup); Web

SLIDES 46–50
Build animation; same diagram labels as Slide 45.

SLIDE 51
Diagram labels: Ring (Gateway); Ring (Legacy); Ring (Back-End); Ring (Web Server); SOC (Primary); SOC (Backup)

SLIDE 52
Diagram labels: SOC (Primary); SOC (Backup)

SLIDES 53–56
Image only; no text.

SLIDE 57
Diagram labels: Security Command and Control (C&C); Micro-Domain Rings

SLIDE 58
Diagram labels: Security Command and Control (C&C); Micro-Domain Rings; Robust, Secure Communication with Multiple C&C; Security Software Drop Locations

SLIDE 59
Diagram labels: Botnet Command and Control (C&C); Bots; Robust, Secure Communication with Multiple C&C; Botnet Software Drop Locations

SLIDE 60
Resilience of Botnets
Diagram labels: ZeroAccess Botnet (Click Fraud); Massive Industry Botnet Takedown Effort; Resilient!!

SLIDE 61
Distributed, Virtual Enterprise Perimeter Design
Diagram labels: Security Command and Control (C&C); Micro-Domain Rings; Robust, Secure Communication with Multiple C&C; Security Software Drop Locations