
From Enterprise Perimeter to Distributed, Virtual Enterprise - PowerPoint PPT Presentation



  1. From Enterprise Perimeter to Distributed, Virtual Enterprise Security. Ed Amoroso, SVP, CSO – AT&T, eamoroso@att.com

  2. Sandbags Piled in Front of AT&T Building – 12/15/41 (photograph)

  3. Original Perimeter Objective (Circa 1995). Diagram: Enterprise Perimeter separating “Inside the Firewall” from “Outside the Firewall”; Untrusted External Actor on the outside.

  4. Enabling Browser Access to Enterprise Website. Diagram: Web (External) server reachable by the Untrusted External Actor.

  5. Rule Added to Firewall to Allow Inbound Access to TCP/Port 80 (http). Diagram: Web (External); Untrusted External Actor; “Off the Shelf” Web Software with Potentially Exploitable Vulnerabilities; Packets from Browsers and Tools “Anywhere” Enter the Perimeter.

  6. Perimeter Design. Diagram: control stack (Scan, UTM, PKI, DLP, SIEM, IPS, A/V, Proxy, A/S) behind Firewall and Router; Enterprise Access to Web Server “Allowed”; Admin Access to Web Server via 2FA, Log, RBAC, FW; Web (External).

  7. Diagram only: Web (External).

  8. Enabling External VPN Access to Enterprise. Diagram: Web (External); VPN, Designed for VPN/RA Client.

  9. Perimeter Design. Diagram: the control stack of slide 6 (Scan, UTM, PKI, DLP, SIEM, IPS, A/V, Proxy, A/S, Firewall, Router) repeated for the VPN server; Enterprise Access to VPN Server “Allowed”; Admin Access to VPN Server via 2FA, Log, RBAC, FW; both stacks Integrate into Common Physical Perimeter.

  10. Diagram only: Web (External); VPN.

  11. Adding Third Party Gateway Access to Enterprise. Diagram: Web (External); VPN; Third Party Gateway, Designed for Third Party Care, Contact, Support, etc.

  12. Perimeter Design. Diagram: Admin Access to Third Party Gateways via 2FA, Log, RBAC, FW, Typically Source IP-Based Authentication; Enterprise Access to Third Party Gateways “Allowed”; control stacks (Scan, UTM, PKI, DLP, SIEM, IPS, A/V, Proxy, A/S, FW) for Web (External), VPN and Third Party Gateway, each Integrate into Common Physical Perimeter.

  13. Diagram only: Enterprise Assets; Web (External); Third Party Gateway; VPN.

  14. Adding Inbound Email to Enterprise. Diagram: Enterprise Assets; Email; Web (External); Third Party Gateway; VPN.

  15. Perimeter Design. Diagram: Email, Allow Exchange with any Sender or Receiver; Enterprise Access to Mail “Allowed”; control stacks (Scan, UTM, PKI, DLP, SIEM, IPS, A/V, Proxy, A/S, FW) for Email, Web (External), Third Party Gateway and VPN, each Integrate into Common Physical Perimeter.

  16. Diagram only: Enterprise Assets; Email; Web (External); Third Party Gateway; VPN.

  17. “Hundreds” to “Millions” of Rules (1995 – 2015). Diagram: slide 16 plus two sets of Additional Firewall Rule Exceptions.

  18. Expanded Third Party Gateways. Diagram: slide 17 plus Additional Third Parties, Retail Dealers, Outsourcing, Offshoring.

  19. Expanded Employee Remote Access. Diagram: slide 18 plus Additional Remote Access, Employee Telework, Road Warriors.

  20. Network Vulnerabilities. Diagram: slide 19 plus Network Misconfigurations (Internet Exposing) and Unauthorized Network Connections (Internet Exposing).

  21. Employee Use of Mobile. Diagram: slide 20 plus Enterprise Use of Mobility.

  22. Typical State of the Practice Enterprise Design. Diagram: the cumulative picture of slides 16–21.

  23. Enterprise Perimeter Reality (Circa 2015). Diagram: Enterprise Perimeter; Outside.

  24. Nation State Exfiltration Attacks. Diagram: North/South Exploit (Perimeter); East/West Exploit (Enterprise); Phishing Attack; Data Exfiltration; “Successfully attack this . . . and gain access to this . . .”

  25. Nation State Exfiltration Attacks. Diagram: North/South Exploit (Perimeter) with Inbound Filtering and Outbound Filtering, Many Solutions Exist to Reduce Risk; East/West Exploit (Enterprise), Inbound and Outbound, No Good Solutions Exist to Reduce Traversal Risk.

  26. Baseline Perimeter.

  27. Enabling Browser Access to Web Server. Diagram: Web.

  28. Micro-Perimeter Design (Web Server). Diagram: Virtual Micro Perimeter around Web.

  29. Micro-Perimeter Provisioning to Cloud. Step 1: Provision Web Server into Integrated Cloud. Step 2: Provision Virtual Micro-Perimeter (Scan, UTM, PKI, DLP, SIEM, IPS, A/V, Proxy, A/S, FW) into Run Time System.

  30. East-West Protection for Web. Diagram: Cloud; Tenant; Hypervisor; Security Orchestration; Web with Virtual Appliances (FW, FW, A/S, Proxy) forming the Virtual Perimeter; Sampling of Vendors with Virtual Appliances.

  31. Diagram only: Virtual Micro Perimeter; Web.

  32. Adding Security Command & Control – Virtual. Diagram: Virtual Micro Perimeter around Web; Virtual Micro Perimeter around Security C&C.

  33. Micro-Perimeter Provisioning to Cloud. Step 1: Provision Security Cmd/Ctrl into Virtual Data Center. Step 2: Provision Virtual Micro-Perimeter into Run Time System. The Web and Security C&C control stacks (Scan, UTM, PKI, DLP, SIEM, IPS, A/V, Proxy, A/S, FW) Integrate into Common Virtual Perimeter.

  34. East-West Protection for Web and C&C. Diagram: Cloud with two Tenants (Web Server, C&C), each with Hypervisor, Security Orchestration and Virtual Appliances (FW, FW, A/S, Proxy); Security APIs feed Risk, Compliance, Security Reporting, Security Alerting, SIEM.

  35. Diagram only: Virtual Micro Perimeters around Web and SOC; Enterprise Assets.

  36. Adding Gateway – Virtual. Diagram: Virtual Micro Perimeters around Web, Gateway and SOC; Enterprise Assets.

  37. East-West Protection for Web, C&C, and Gateway. Diagram: Cloud with three Tenants (Gateway, Web Server, SOC), each with Hypervisor, Security Orchestration and Virtual Appliances (FW, FW, A/S, Proxy); Security APIs feed Risk, Compliance, Security Alerting, Security Reporting, SIEM.

  38. Diagram only: same as slide 36.

  39. East-West Traversal Mitigated by Virtual Perimeter. Diagram: North/South Exploit (Perimeter); East/West Exploit (Enterprise); “Successfully attack this . . . and gain NO access to this . . .”

  40. Legacy Assets Dependent on Existing Perimeter. Diagram: Legacy Assets; Enterprise Assets; Virtual Micro Perimeters around Web, Gateway and SOC.

  41. Legacy Assets Dependent on Existing Perimeter. Diagram: Enterprise Perimeter (Legacy Assets); Legacy; Web; Gateway; SOC.

  42. Enterprise Perimeter Has Less to Defend. Diagram: Legacy; Web; Gateway; SOC.

  43. Diagram only: Legacy; Web; Gateway; SOC.

  44. Diagram only: Web Back-End added to Legacy; Web; Gateway; SOC.

  45. Diagram only: Web Back-End; Legacy; Web; Gateway; SOC (Primary); SOC (Backup).

  46. Diagram only: same elements as slide 45, rearranged.

  47. Diagram only: same elements as slide 45, rearranged.

  48. Diagram only: same elements as slide 45, rearranged.

  49. Diagram only: same elements as slide 45, rearranged.

  50. Diagram only: same elements as slide 45, rearranged.

  51. Diagram only: Ring (Gateway); Ring (Legacy); Ring (Back-End); Ring (Web Server); SOC (Primary); SOC (Backup).

  52. Diagram only: SOC (Primary); SOC (Backup).

  53. Blank slide.

  54. Blank slide.
