The enterprise attack surface has exploded in recent years. More users on more devices in more locations are able to access ever more sensitive enterprise applications. The result is that the number of targets for attackers has gone up dramatically.
The expanding attack surface has been dubbed a “Cyber House of Horrors,” as insider risks, aggressive social engineering, exploitation of outdated access controls, and a range of other security issues have come to the fore.
Join Certes Networks and Intellyx for a webinar to explore:
What factors are driving the expansion of the attack surface?
What types of attacks and exploits are taking advantage of these changes?
How are segmentation techniques and access controls evolving in response?
The cyber house of horrors - securing the expanding attack surface
1. The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface
Welcome
CertesNetworks.com
2. A Little Housekeeping
• This webinar is being recorded; a replay link will be sent to you by email along with the slides.
• You are muted by default. Please ask any questions in the Q&A section or the chat window.
• We will have a Q&A section at the end of the webinar.
• If you experience technical difficulties joining the WebEx session, please dial 1-866-229-3239, or message the WebEx Producer using the Q&A panel.
Copyright 2016 Certes Networks. Visit CertesNetworks.com
3. Our Speakers
Jason Bloomberg, President of Intellyx and contributor to Forbes (Presenter)
Satyam Tyagi, CTO of Certes Networks (Presenter)
Adam Boone, CMO of Certes Networks (Moderator)
4. The Original Attack Surface
[Diagram: the LAN-bounded enterprise, with a single area marked "Exposure"]
When application traffic and users stayed inside the LAN, the attack surface was minimal.
5. New Exposure: The New Attack Surface
[Diagram: exposure now spans Cloud Apps, Internet access, Remote Workers, Contractor VPN, Remote Office, BYOD and IoT, each an access path into the enterprise]
As IT has evolved, the attack surface has exploded.
User & app sprawl: a mess of users accessing a mess of applications.
6. New Exposure, But the Same Perimeter Defense
[Diagram: the same access paths as slide 5 (Cloud Apps, Internet access, Remote Workers, Contractor VPN, Remote Office, BYOD, IoT), all still funnelled through a single Firewalled Perimeter]
• 20+ year old perimeter-oriented architecture
• 20+ year old trust model
• 20+ year old security model tied to enforcing security in the infrastructure
Network sprawl, IT sprawl, security sprawl ... creating silos and gaps that attackers exploited in all the major data breaches.
20. IT has out-evolved IT Security
[Timeline, 1990 to 2016, with two rows]
Enterprise IT: packet networking; then digitization and networked applications; then Internet, smart devices and cloud; today borderless, virtual, platform-based.
IT Security: firewalls and gateways inspecting packet traffic at the perimeter; then VPNs, remote access and network access control; then MDM/EMM, NAC, IDS and threat management; today identity and authentication bolted onto what is still a perimeter-oriented, device-based collection of point products.
Enterprise security continues to be based on inspecting traffic and making security decisions from packet fields: ports, IP addresses, header tags, etc.
This ties the security model to networks and infrastructure that attackers have repeatedly shown they can compromise; every major data breach has exploited this failing.
23. Humanly Impossible Complexity, the Enemy of Security
[Diagram: the Security Office's three-step process mapped onto the new exposure (Cloud Apps, Internet access, Remote Workers, Contractor access, Remote Office, BYOD, IoT) behind the Firewalled Perimeter]
CATEGORIZE, driven by Business Requirements:
• What are the assets/apps?
• Why are they valuable?
• Who needs access to them?
• What is the potential negative impact if confidentiality, integrity or availability is breached?
SELECT Security Policy & Controls (the NIST SP 800-53 control families):
• Access Control
• Awareness Training
• Audit Accountability
• Assessment Authorization
• Configuration Management
• Contingency Planning
• Identification Authentication
• Incident Response
• ...
IMPLEMENT, today, means a different product for every silo: CASB, IoT Gateways, Software-Defined Perimeter/VPN, EMM/NAC, Micro-Segmentation, FW/SWG, VPN.
Each product is owned by a different team: Mobility Team, Data Center Team, IoT Team, Cloud App Team, Remote Worker Team, Network Firewall Team, Partner Access Team.
Siloed expensive work + slower to market = $$$ (expensive)
25. Business-Driven, Infrastructure-Independent Security
The security officer "implements" security policy and controls to meet business requirements:
• No dependence on the type of infrastructure
• No dependence on multiple other teams
• Simply categorize and segregate business assets (apps)
• Define access based on user roles and business needs
[Diagram: the same CATEGORIZE (Business Requirements: what are the assets/apps, why are they valuable, who needs access, impact if confidentiality, integrity or availability is breached) and SELECT (Security Policy & Controls: Access Control, Awareness Training, Audit Accountability, Assessment Authorization, Configuration Management, Contingency Planning, Identification Authentication, Incident Response, ...) steps as slide 23, but IMPLEMENT collapses to a single step owned by the Security Office]
27. IT Security Evolution
[Timeline, 1990 to 2016, same two rows as slide 20]
Enterprise IT: packet networking; then digitization and networked applications; then Internet, smart devices and cloud; today borderless, virtual, platform-based.
IT Security: firewalls and gateways inspecting packet traffic at the perimeter; then VPNs, remote access and network access control; then intrusion detection, traffic inspection and threat management; today identity and authentication plus software-defined application access and segmentation, which is itself borderless, virtual and platform-based.
Certes redefines security by decoupling it from network devices: security decisions are not based on ports, addresses or other network parameters.
28. Cryptography Decouples Security From Infrastructure
Comparison of "No Trust" with micro-segmentation against "No Trust" with crypto-segmentation. Each row gives, for both approaches, how it works and what it means for you.

Basis of trust
  Micro-segmentation: the infrastructure itself. Once the infrastructure is compromised, everything is at risk.
  Crypto-segmentation: cryptographic credentials, X.509 certificates and cryptographic keys. All assets stay protected unless the attacker can break each individual app key (a practical impossibility).

Basis of policy
  Micro-segmentation: VM instances, Layer 2 to Layer 7 firewalls, network flows. A compromised machine can be used to move laterally out of its micro-segment.
  Crypto-segmentation: X.509 certificates, cryptographic keys and security associations. No credentials, no keys, no lateral movement.

Crypto usage
  Micro-segmentation: optional, for confidentiality and privacy when interconnecting segments. Privacy and confidentiality are already provided by most apps.
  Crypto-segmentation: cryptography is the fabric of trust, policy decision and segmentation; consistent privacy is a secondary benefit. Non-crypto segmentation is exploited in breach after breach via lateral movement.

User awareness
  Micro-segmentation: not user-role aware. Access is granted based on Layer 2-7 firewall rules.
  Crypto-segmentation: user identity and role are the basis for access. Business roles and strong identity define access.

Scope
  Micro-segmentation: data center or cloud. Separate policies inside, outside and by user location.
  Crypto-segmentation: true end-to-end, from user devices to app workloads. One policy end-to-end.
29. Wrecking the House of Horrors: Certes' Role-based Access to App Segments
30. How to Wreck: Certes' Role-based Access to App Segments
31. Wrecking in Action
• Each app is isolated in its own crypto-segment.
• Users are granted access based on roles, applied consistently across all apps.
• When a user is compromised, the attacker holds keys only for the segments that user's role is entitled to; lateral movement into any other segment is blocked.
• The breach is contained and the attack surface shrinks.
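The contrast drawn in the comparison table (slide 28) and the "wrecking" bullets (slide 31), as an added Python model that is not Certes code: per-segment HMAC-SHA256 keys stand in for the X.509-backed security associations the slides describe, and the segments, roles, addresses and ACL are constructed samples. The point it shows is that an attacker on a compromised device reaches exactly the segments whose keys that device's role holds, whereas an address-based rule lets the same device reach everything the rule permits for its subnet.

```python
"""Toy model contrasting address-based segmentation with role-based
crypto-segmentation. Added illustration only: not Certes code, and the
keying is simplified (per-segment HMAC-SHA256 keys stand in for the
X.509-authenticated security associations the slides describe)."""
import hashlib
import hmac
import ipaddress
import secrets

SEGMENTS = ("payroll", "crm", "build")   # constructed sample app segments

# --- Model 1: address-based (micro-)segmentation -------------------------
# Constructed sample ACL. Policy is keyed on where a packet comes from, so a
# flat internal network rule exposes every app to every internal host.
NETWORK_ACL = {
    ipaddress.ip_network("10.0.0.0/16"): set(SEGMENTS),   # corporate LAN
    ipaddress.ip_network("203.0.113.0/24"): set(),        # untrusted range
}


def network_allows(src_ip, target):
    src = ipaddress.ip_address(src_ip)
    return any(src in net and target in allowed
               for net, allowed in NETWORK_ACL.items())


def reachable_by_address(src_ip):
    """Everything an attacker on the host at src_ip can reach."""
    return {seg for seg in SEGMENTS if network_allows(src_ip, seg)}


# --- Model 2: role-based crypto-segmentation -----------------------------
# One key per app segment. Random here for the demo; a deployment would
# derive these from certificate-authenticated key exchange and rotate them.
SEGMENT_KEYS = {seg: secrets.token_bytes(32) for seg in SEGMENTS}

ROLE_SEGMENTS = {                 # constructed sample role-to-app policy
    "finance": {"payroll"},
    "sales": {"crm"},
    "engineer": {"build"},
}


def issue_credentials(role):
    """A device receives exactly the segment keys its role is entitled to."""
    return {seg: SEGMENT_KEYS[seg] for seg in ROLE_SEGMENTS[role]}


def seal(key, payload):
    """Sender side: authenticate the payload under a segment key."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def segment_accepts(target, message):
    """Enforcement at the app: the source address is never consulted, only
    whether the message verifies under this segment's key."""
    tag, payload = message[:32], message[32:]
    expected = hmac.new(SEGMENT_KEYS[target], payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def attempt(creds, target, payload=b"GET /"):
    """An attacker on the device uses the key it holds for target, or forges
    with a random key when it has none; the forgery fails verification."""
    key = creds.get(target, secrets.token_bytes(32))
    return segment_accepts(target, seal(key, payload))


def reachable_by_role(role):
    """Everything a compromised device can reach: only the segments covered
    by its role's keys, so the breach is contained to that role's apps."""
    creds = issue_credentials(role)
    return {seg for seg in SEGMENTS if attempt(creds, seg)}


if __name__ == "__main__":
    print("compromised finance host 10.0.1.7, address ACL  :",
          sorted(reachable_by_address("10.0.1.7")))
    print("compromised finance device, crypto-segmentation:",
          sorted(reachable_by_role("finance")))
```

Running it prints all three segments for the address-based model and only payroll for the crypto model. The containment is only as good as key custody: a device that legitimately holds a segment key, or an attacker who extracts it from that device, is inside that segment, which is why the model ties key issuance to role rather than to network location.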
32. Benefits of Wrecking
• Software Defined Security: network agnostic; a security overlay across silos
• Reduced Security Complexity: a single point of policy configuration and enforcement
• Total Cost Reduction: a single point of policy ownership and operational management
• End-to-End Security: client-to-application security; lateral movement prevention
33. Q&A
Please type your questions into the chat panel, or contact us at info@certesnetworks.com
CertesNetworks.com
35. Thank you!
The slides and webinar replay will be emailed to you.
Visit CertesNetworks.com
Watch CryptoFlow Solutions in Action: https://youtu.be/MDy8x9z7mIc