1©2017 Gigamon. All rights reserved.
Slide 1 images: Edward J Smith, Captain RMS Titanic; Robert Watson-Watt, Invention of Radar
Slide 2. Visibility Matters
Slide 3. You Can’t Secure What You Can’t See: Key Elements of a Security Delivery Platform
John Pollack, Sr. Sales Engineer, Gigamon
Slide 4. Detecting a Compromise

Attack chain shown on the slide: 1 Reconnaissance; 2 Phishing & zero day attack; 3 Back door; 4 Lateral movement; 5 Data gathering; 6 Exfiltration.

41% of breaches were detected by the victims themselves*
81: the median number of days from intrusion to detection*
89% of breaches involve company insiders**
97% of applications had one or more security vulnerabilities*

*Trustwave Holdings, Inc. "2016 Trustwave Global Security Report." 2016. Accessed April 5, 2017.
**Verizon. "2016 Data Breach Investigation Report." 2016. Accessed April 5, 2017.
Slide 5. The Data-in-Motion Dilemma
VOLUME + SPEED + THREATS = COMPLEXITY + RISK + COST

Chart: volume over time, with the “Network Data” curve climbing faster than the “Security Tool” curve. Security tools do not scale as fast as data.

Drivers: Data Center transition to 100Gb; Emergence of Big Data; Internet of Things; Machine to Machine.

4.7ZB of global data center traffic in 2016*
1.7PB of M2M traffic in 2017**
6.7ns available to process a network packet on a 100Gb link

*Cisco Global Cloud Index 2016.
**Statista, Global machine-to-machine (M2M) data traffic from 2014 to 2019 (in petabytes per month).
Slide 6. Security Fundamentals Are Changing
HOW WE ADDRESS THREATS HAS NOT. A NEW APPROACH TO SECURITY IS REQUIRED

• Time to Detection and Time to Containment are Too Slow
• Fundamentally Unchanged Security Model
• Changed Traffic Patterns and Mobility
• Rising Use of Encryption
Slide 7. Continuous Visibility Is at the Core of Security
EXAMPLE: GARTNER’S ADAPTIVE SECURITY ARCHITECTURE*

Twelve Security Capabilities of the Gartner Adaptive Security Architecture, with Continuous Visibility and Verification (of Users, Systems, System activity, Payload, Network) at the core of the cycle. The four quadrants are linked by the arrows Adjust Posture, Implement Posture and Monitor Posture.

Predict: Risk-prioritized Exposure Assessment; Anticipate Threats / Attacks; Baseline Systems and Security
Respond: Remediate; Design / Model Policy Change; Investigate Incidents / Retrospective Analysis
Prevent: Harden Systems; Isolate Systems; Prevent Attacks
Detect: Detect Incidents; Confirm and Prioritize Risk; Contain Incidents

*Source: Gartner Data Center Infrastructure Operations and Management Conference, December 2016
Slide 8. Challenges with Ad Hoc Security Deployments
VISIBILITY LIMITED TO A POINT IN TIME OR PLACE

Diagram: a network path from the Internet and Public Cloud through Routers, “Spine” Switches and “Leaf” Switches to a Virtualized Server Farm, with a separate copy of each security tool (User Behavior Analytics, Advanced Persistent Threat, Email Threat Detection, SIEM, Next-Generation Firewall, Data Loss Prevention) deployed at each tier.

✕ Significant blind spots
✕ Extraordinary costs
✕ Contention for access to traffic
✕ Inconsistent view of traffic
✕ Blind to encrypted traffic
✕ Too many false positives

It is time the balance of power shifted from attacker to defender!
Slide 9. Transform Security: The Security Delivery Platform
LOOK INSIDE THE NETWORK

Diagram: the same network path (Internet, Public Cloud, Routers, “Spine” Switches, “Leaf” Switches, Virtualized Server Farm) now feeds a single Security Delivery Platform, which spans the Public Cloud, On-premise Data Center, Remote Sites and Private Cloud and delivers traffic to one set of tools: Next-Generation Firewall, User Behavior Analytics, Data Loss Prevention, Email Threat Detection, Advanced Persistent Threat, SIEM.

Security Delivery Platform: A foundational building block to effective security
• Targeted inspection
• Detection of encrypted threats
• Inline mode for visibility and control
• Reach physical and virtual networks
• Metadata for improved forensics
Slide 10. East-West Traffic Patterns Are a Blind Spot

Diagram labels: Internet, Firewall, DMZ, IPS, Core Switch, Spine, Leaf, IDS, Server Farm. No visibility into lateral propagation of threats!
Slide 11. Application Mobility Impacts Security

Diagram labels (same topology as the previous slide): Internet, Firewall, DMZ, IPS, Core Switch, Spine, Leaf, IDS, Server Farm. No visibility into lateral propagation of threats!
Slide 12. Reach Physical and Virtual Networks
Key Components
• Network TAPs
• Switch SPAN ports
• Virtual network visibility appliances
• Network visibility appliances
Slide 13. Challenges with Packet Data
VOLUME, TYPES AND AMOUNT OF DATA OVERWHELM SIEMS

Diagram: raw packets (DNS, SSL, HTTP, RDP, PowerShell) stream from the Network straight into the SIEM. Result: Low Performance, High Costs, Low Visibility, Poor Security.
Slide 14. The Metadata Advantage
REDUCE VOLUME, TYPES AND AMOUNT OF DATA THAT OVERWHELM SIEMS

Diagram: raw packets (DNS, SSL, HTTP, RDP, PowerShell) from the Network pass through the Metadata Engine of the Security Delivery Platform, which forwards only DNS, SSL, HTTP and RDP metadata to the SIEM. Result: High Performance, Low Costs, Full Visibility, Better Security.
Slide 15. Metadata Generation

• Detect “low-and-slow” attacks: NetFlow/IPFIX records with additional information elements
• Un-sampled (1:1) NetFlow/IPFIX record generation based on configurable policies
• Offload NetFlow/IPFIX record generation from overloaded network infrastructure
• Enable end-to-end security enforcement with visibility into every flow
• Ideal to detect Command and Control communications
• Send to SIEM and NetFlow forensics collectors

Metadata examples
• DNS transaction metadata useful for DNS monitoring
• SSL certificate metadata (without decrypting traffic)
• URL metadata extracted from http/https traffic

Diagram labels: Flow Metadata; SIEM and NetFlow Forensics Integration
Slide 16. The Case for Targeted Inspection
LIMITATIONS OF PORT BASED APPROACH TO APPLICATION VISIBILITY

Protocol         HTTP   SMTP   FTP     TELNET   NTP   BGP
TCP/UDP Port #   80     25     20/21   23       123   179

Protocols? All Web 2.0 applications use ports 80 & 443.
Slide 17. Targeted Inspection
OPTIMIZE SECURITY TOOLS

Filter all traffic corresponding to an application session and maintain session integrity when delivering traffic to tools.

✓ Offload high-bandwidth media streams from reaching security detection tools
✓ Discover insecure applications based on specific signatures
✓ Improve efficiency of security appliances
✓ Analyze and respond to incidents using custom regex patterns

Diagram: Session Based Filtering in the Security Delivery Platform (illustrated with a session table) delivers the selected sessions to User Behavior Analytics, SIEM and Next Generation Firewall.
Slide 18. Targeted Inspection
WHAT CAN I DO WITH IT?

Identify Specific Traffic to Offload
• Streaming Media (Netflix, Hulu, etc.)
• Specific URLs
• Windows Updates
• SIP-Based VoIP traffic

Identify Specific Threats or Vulnerabilities
• Flag Unsecure or Obsolete HTTPS versions (SSL v2, v3)
• Flag Unknown Certificate Authorities
• Identify SSL Certificates with Weak Algorithms
• Detect Signature Based Threats (worm, bots, etc.)
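As an added illustration of slides 15 and 18 (SSL metadata extracted without decryption, and flagging obsolete SSL versions or weak algorithms), and not code from the deck or from Gigamon: a small Python parser that reads the cleartext ServerHello of a tapped session and emits the kind of metadata record a SIEM would receive. It handles the handshake rather than the certificate; the cipher-suite table and the sample records are constructed for the example.

```python
import struct

# Lookup tables for the example: a constructed subset of the IANA TLS
# registries. A real metadata engine carries the full tables.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
OBSOLETE_VERSIONS = {"SSLv3", "TLSv1.0"}
CIPHER_SUITES = {  # suite id: (name, considered weak)
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", True),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
}


def parse_server_hello(record: bytes) -> dict:
    """Read the negotiated version and cipher suite from one TLS handshake record.
    Only cleartext headers are inspected, so no decryption or key material is needed."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("record length does not match payload")
    if body[0] != 2:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher(2) ...
    if len(hello) < 35 or len(hello) < 37 + hello[34]:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 35 + hello[34]  # skip the variable-length session id
    cipher_id = struct.unpack("!H", hello[pos:pos + 2])[0]
    name, weak = CIPHER_SUITES.get(cipher_id, ("0x%04X" % cipher_id, None))
    return {"version": VERSIONS.get(version, "0x%04X" % version),
            "cipher": name, "cipher_weak": weak}


def flow_metadata(record: bytes) -> dict:
    """Metadata record a SIEM would receive: negotiated parameters plus findings."""
    meta = parse_server_hello(record)
    findings = []
    if meta["version"] in OBSOLETE_VERSIONS:
        findings.append("obsolete protocol version")
    if meta["cipher_weak"] is None:
        findings.append("unrecognised cipher suite")
    elif meta["cipher_weak"]:
        findings.append("weak cipher suite")
    meta["findings"] = findings
    return meta


def build_server_hello(version: int, cipher_id: int) -> bytes:
    """Constructed sample input: a minimal ServerHello wrapped in a TLS record."""
    hello = (struct.pack("!H", version) + b"\x11" * 32  # version + fixed 'random'
             + b"\x00" + struct.pack("!H", cipher_id) + b"\x00")  # empty session id, suite, null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake
```

Calling flow_metadata(build_server_hello(0x0300, 0x0005)) yields an SSLv3/RC4 record with both findings set, while a TLSv1.2 ECDHE-AES-GCM session yields none.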
Slide 19. Need for Visibility into SSL

>80% of enterprise traffic will be encrypted through 2019 [1]
33% of malware uses encryption [3]
Visibility into SSL traffic leaving an organization (Internet servers, cloud services)
80% performance degradation of security appliances due to SSL [2]

1 Source: Gartner “Predicts 2017: Network and Gateway Security”, December 13 2016.
2 Source: SSL Performance Problems, NSS Labs
3 Source: 2016 Trustwave Global Security Report
Slide 20. Comprehensive SSL / TLS Decryption
CONSIDERATIONS
• Requires a Man-in-the-Middle (MiTM) approach
• Requires support for modern cryptography suites
• Processor intensive—requires additional hardware & software
• Multiple design options based on available tools
• Must consider data privacy and regulatory mandates
Slide 21. Comprehensive SSL / TLS Decryption
INLINE SSL VISIBILITY

Diagram: the Security Delivery Platform sits inline between SSL Session Leg 1 (encrypted) and SSL Session Leg 2 (encrypted). Decrypted traffic is delivered to an Inline Tool Group, an Out-of-Band Tool and a Web Monitor Tool; the flow is numbered as steps 1 to 4 on the slide. Legend: Encrypted traffic; Decrypted traffic.
Slide 22. Comprehensive SSL / TLS Decryption
BENEFITS
• Inspect inbound and outbound traffic
• Uncovers advanced malware, trojans and nefarious C&C
• Exposes data exfiltration, loss and misuse
• Optimize Tool Performance
• Improve Application Latency
Slide 23. Inline Security Monitoring Pain Points
BARRIERS TO DEPLOYING INLINE TOOLS
• Points of Failure
• Does Not Scale
• Tuning or Learning Required
• Deploying Multiple, Different Tools
• Integrating Other Security Solutions
Slide 24. Active Security Remediation with Inline Bypass
SCALING INLINE SECURITY WITH “INLINE BYPASS”

Diagram: inline tools (e.g. Firewall, e.g. IPS, e.g. WAF, e.g. ATD) in the traffic path between e.g. a WAN router and e.g. a Core switch; with the Security Delivery Platform in the path, the tools attach to it as inline tool groups T1 (IPS), T2 (WAF) and T3 (three ATD instances).

• Add, remove, and upgrade tools seamlessly
• Consolidate multiple points of failure into a single, bypass-protected solution
• Integrate Inline, Out-of-Band, and Flow-based tools through the Security Delivery Platform
• Maximize tool efficacy
• Increase scale of security monitoring
Slide 25. Summary
Security Delivery Platforms: A foundational approach to security tool deployment
See More. Secure More. Pervasive and continuous visibility within the perimeter.
Optimize existing security tools and deploy new security tools cost effectively.
• Accelerate time to detection
• Faster implementation of changes
• Deliver network packets, sessions and metadata of interest
• Decrypt once, analyze multiple times
Slide 26. Visibility Matters


Editor's Notes

  1. That is the transformative power of a security delivery platform.