Lessons From the Infrastructure and Operations Playbook
WHAT SECURITY PROS CAN LEARN FROM SHADOW IT: LESSONS FROM THE INFRASTRUCTURE AND OPERATIONS PLAYBOOK
Bo Skeel, Chief Evangelist
bskeel@bitdefender.com

TOP IT INITIATIVES 2014
Security and cloud are at the top of the list: virtualization, cloud and mobility.

CLOUD AND MOBILITY: TWO MAJOR IT TRENDS
End users want data access from any device, remote working and an easy user experience.
Drivers: DevOps, flexibility, instant provisioning, improved productivity.

CLOUD IS ATTRACTIVE
• Designed for consumers or customers; continuous delivery
• Apps built and updated very rapidly
• Focused on functionality for users
• Wide variety, cross-platform
• Zero capital investment; scale to demand instantly
• DevOps have the same goals
  • Rapid try/fail, try/grow cycle
  • Scale with demand, with no capital lag, approval process, etc.
There is a high risk of corporate data ending up outside of corporate controls.

CLOUD AND SHADOW IT
• Public cloud (IaaS/PaaS) is driving an ongoing explosion of services (SaaS)
• Both DevOps (datacenter users) and end users are embracing shadow IT
• Traditional IT, including security, is being left behind
[Diagram: Traditional IT = CONTROL sits in the middle. End users route around it to cloud backup, Evernote, Dropbox and web mail; datacenter users route around it to IaaS, PaaS and storage.]

IT AS A SERVICE
End users:
• Embrace BYOD
• Gain control of mobile devices
• Provide services for end users (large file transfer, edit-from-anywhere, etc.)
[Diagram: the IT epiphany. Traditional IT = CONTROL now sets goals and policy, offering BYOD and services (Dropbox, web mail) to end users, and ITaaS, PaaS and storage to datacenter users.]

WHAT NEEDS TO HAPPEN
• Treat public cloud as an extension of the datacenter
• Understand the needs of end users
• Treat DevOps as a customer
• DON'T IGNORE INTERNAL CUSTOMER NEEDS

SECURITY BEST PRACTICES
• Asset tracking/lifecycle management
• Common view of endpoint security
• Elastic management
• Define BYOD policy

IMPROVING SECURITY

THREAT OVERVIEW
From 32,000 new unique malware samples every day to 390,000 in 6 years! Source: AV-Test (Germany).
THREAT CONSEQUENCE
Endpoint AV footprint:
• 2009: 200 MB disk space, 40 MB RAM at idle
• 2015: 1 GB disk space, 150 MB RAM at idle

AV SIGNATURE UPDATE FREQUENCY
Every 24 hours, then every 8 hours, now hourly.
Even with hourly updates, an average of 16,250 new threats (390,000 / 24) appear between two consecutive updates when AV-Test is registering 390,000 new threats per day.

MALWARE IS NOW SERIOUS BIG BUSINESS
Previously malware was used to prove capability, or to earn petty cash by stealing computer resources for manipulating banner advertising, SEO, renting botnets, etc. That's still going on, but...
Now we have threats like identity theft, credit card fraud, ransomware, advanced persistent threats and industrial espionage, and everyone is at risk simply by connecting to the Internet!

"There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
60 Minutes, October 5th, 2014

SYMANTEC: AV IS DEAD

CONCLUSION
A. Signature-based protection is dead!
   There are simply too many new unique daily threats (390,000 according to AV-Test).
B. Infections are becoming a lot more dangerous.
   An infection is no longer just a question of business disruption; it poses serious financial threats.
C. Local resource consumption is not unlimited.
   There is a limit to how much intelligent analysis you can run locally to detect threats in business environments.

WE REALIZED THIS 4 YEARS AGO, SO...

THREAT MANAGEMENT SYSTEM
The biggest, most advanced and fastest cloud-based security installation in the world.
THREAT MANAGEMENT SYSTEM
Project development started in 2010, fully implemented in 2014.
Cloud requirement: maximum response time of 20 ms.

NIMBUS INFRASTRUCTURE STATISTICS
• 6 linked datacenters (5 running in AWS)
• 1,200+ virtual servers
• 7+ billion requests per day
• 900k+ active connections at any given time
• 80+ TB of traffic per month
• 100+ different web services: URL checking, cleanset similarities, outbreak detection, antifraud, antispam, antiphishing, antitheft, real-time virus reporting, statistics, honeypots, etc.
Multiple security technologies provide superior capabilities, speed and scaling.
[Diagram: Nimbus Security handles more than 7 billion requests daily, serving Business customers through GravityZone (cloud-based multi-tenant manager) and Consumers (online or shrink-wrapped).]

GOAL: Higher protection level with a lower resource impact
• Lighter and more aggressive local engines
• Faster reaction time: spam waves now detected in 10 seconds
• New range of products
• Unify Bitdefender technologies
Consequence: ranked #1 in detection since 2012, especially on zero-day attacks; ranked #1 in performance since 2013.

NIMBUS
"Not only a range of lookup tools, but a reflective intelligent system, capable of making analytic security decisions based on advanced technology such as application reputation, event correlation, machine learning and memory introspection."

MERGING THE TECHNOLOGY INTO CUSTOMER BENEFITS

NEW DELIVERY CONCEPT

AV LEGACY MODEL
Distribution -> AV management -> new signature -> local AV installation
• Local signature DB
• Local scanning engines with signature dependency

NIMBUS MODEL
Nimbus learns from every endpoint it serves. The local Bitdefender installation has:
• Local scanning engines without signature dependency
• Local intelligence through B-Have and AVC (300+ heuristics)
• NIMBUS queries and responses
• Local signature DB for offline usage

NIMBUS MODEL "AS-A-SERVICE"
The local Bitdefender installation shrinks to:
• Security broker
• User interface
Scanning moves to a Security Virtual Appliance.
Major benefits:
• Very high protection at almost zero local resource impact
• No AV maintenance needed on the endpoint
• Protection is now provided "as-a-service" from the network

SECURITY VIRTUAL APPLIANCE (SVA)
• Import into any hypervisor (VMware, Citrix, Microsoft, others)
• Loaded with all Bitdefender protective technologies
• Extremely fast on a firmware-built Linux core
• Deploy multiple (unlimited):
  • Eliminates the single point of failure
  • Enables load balancing of protective services
  • Shares knowledge about local endpoints through multi-level caching and machine learning
• Will protect all major operating systems
• Will protect all computers on the network, physical or virtual

Bitdefender Security Tools:
A. Install on all physical computers
B. Install on all virtual computers
Now everything is protected by the SVA instances... and NIMBUS.
Result:
a) Extremely high protection
b) Unnoticeable local resource cost
c) AV maintenance reduced to the SVA instances
d) High availability and load balancing included

BITDEFENDER SECURITY TOOLS
Minimum configuration for network service only:
• Windows, Linux and Mac versions
• Static installation, requires no updating
• 70-100 MB disk space inside each VM/workstation/server
• Three main components:
  1. Gateway (broker), allowing the centralized engine to access the system: maximum 15 MB memory footprint, no CPU load
  2. Local tools (uncompressing, file move, file deletion, encryption, neutralizer, etc.)
  3. Optional UI, including pop-up notification, policy controlled

BITDEFENDER SECURITY TOOLS
Additional options for physical, external and offline support:
• 2-way firewall with Intrusion Detection System
• Local Active Virus Control components
• Device Control (hardware control)
• Content/Web Control
• Application Control
• Data Loss Protection
All adjustable through security policies.
When deployed with all scanning technologies, the actual protection can be provided as Central Scan, Hybrid Scan or Local Scan.

AV MANAGEMENT MADE EASY

GRAVITYZONE: VIRTUAL APPLIANCE BASED
Server roles, hosted in the GravityZone Virtual Appliance:
D  Database (MongoDB)
C  Communication Server
U  Update Server
M  Management Console
[Diagrams: (1) a single appliance on the LAN hosting D, M, U and C; (2) the roles split across two appliances on the LAN; (3) D and M on a LAN appliance, with U and C on a second appliance in the DMZ that remote devices and AWS-hosted systems reach over the Internet (SSL).]

BITDEFENDER PROPOSAL AND SUMMATION
• Near real-time protection against new threats using NIMBUS, B-Have and AVC
• Option for "Security-as-a-Service", using virtual appliances:
  • No AV maintenance needed on endpoints
  • Remove the single point of failure
  • Provide load-balanced AV protection
  • Minimal local resource consumption
  • Support for all major operating systems, physical and virtual
• Fast, scalable and flexible management with GravityZone, extending even to cloud providers such as Amazon, etc.

UNFOLLOW THE TRADITIONAL
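The deck's NIMBUS model and the Central/Hybrid/Local scan options boil down to one decision flow on the endpoint: ask the nearest cache, then the shared appliance cache, then the cloud within its 20 ms budget, and fall back to the local signature DB when the cloud is unreachable or too slow. The following is an added illustration of that flow, not Bitdefender code and not the NIMBUS API; the cache tiers, the cloud lookup class, the offline signature DB and the sample files are all constructed for the example.

```python
"""Hybrid-scan decision flow in the style of the deck's NIMBUS model.

Added example, not Bitdefender code. Every component here is a hypothetical
stand-in: the cloud lookup, the shared appliance cache, the offline signature
DB and the sample "files" are constructed so the module runs offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# The deck states a maximum cloud response time of 20 ms; anything slower is
# treated like an outage and the endpoint falls back to local intelligence.
CLOUD_BUDGET_S = 0.020


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files (not real malware) and a constructed offline
# signature DB keyed by SHA-256, standing in for the deck's
# "local signature DB for offline usage".
SAMPLE_MALWARE = b"constructed sample: pretend this is a dropper"
SAMPLE_CLEAN = b"constructed sample: an ordinary document"
SAMPLE_NEW = b"constructed sample: never seen by anyone"

LOCAL_SIGNATURES: Dict[str, str] = {
    sha256_hex(SAMPLE_MALWARE): "malicious",
}


@dataclass
class Verdict:
    sha256: str
    verdict: str  # "clean", "malicious" or "unknown"
    source: str   # which tier produced the answer


class CloudReputation:
    """Hypothetical stand-in for the cloud lookup service.

    latency_s and online let the example simulate a slow or unreachable
    service without sleeping or opening sockets."""

    def __init__(self, reputation: Dict[str, str],
                 latency_s: float = 0.005, online: bool = True):
        self.reputation = reputation
        self.latency_s = latency_s
        self.online = online
        self.calls = 0  # lets a caller see how many lookups the caches saved

    def query(self, digest: str) -> str:
        self.calls += 1
        if not self.online:
            raise ConnectionError("cloud unreachable")
        if self.latency_s > CLOUD_BUDGET_S:
            raise TimeoutError(f"cloud took {self.latency_s * 1000:.0f} ms, "
                               f"budget is {CLOUD_BUDGET_S * 1000:.0f} ms")
        return self.reputation.get(digest, "unknown")


class HybridScanner:
    """Endpoint cache -> shared appliance cache -> cloud -> offline DB."""

    def __init__(self, cloud: CloudReputation,
                 shared_cache: Optional[Dict[str, str]] = None):
        self.cloud = cloud
        self.endpoint_cache: Dict[str, str] = {}
        # The shared cache models the appliance-level cache that several
        # endpoints consult, so a verdict fetched once is reused by neighbours.
        self.shared_cache = shared_cache if shared_cache is not None else {}

    def scan(self, data: bytes) -> Verdict:
        digest = sha256_hex(data)
        if digest in self.endpoint_cache:
            return Verdict(digest, self.endpoint_cache[digest], "endpoint-cache")
        if digest in self.shared_cache:
            self.endpoint_cache[digest] = self.shared_cache[digest]
            return Verdict(digest, self.shared_cache[digest], "shared-cache")
        try:
            verdict = self.cloud.query(digest)
        except (ConnectionError, TimeoutError):
            # Offline or over budget: the local signature DB has the last word,
            # and nothing is cached because no fresh verdict was obtained.
            verdict = LOCAL_SIGNATURES.get(digest, "unknown")
            return Verdict(digest, verdict, "offline-signature-db")
        if verdict != "unknown":
            # Only definitive verdicts are cached. "unknown" is re-asked on the
            # next scan because the cloud may learn about the file minutes later.
            self.endpoint_cache[digest] = verdict
            self.shared_cache[digest] = verdict
        return Verdict(digest, verdict, "cloud")


if __name__ == "__main__":
    cloud = CloudReputation({sha256_hex(SAMPLE_MALWARE): "malicious",
                             sha256_hex(SAMPLE_CLEAN): "clean"})
    shared: Dict[str, str] = {}
    endpoint_a, endpoint_b = HybridScanner(cloud, shared), HybridScanner(cloud, shared)
    for scanner, sample in ((endpoint_a, SAMPLE_MALWARE), (endpoint_b, SAMPLE_MALWARE),
                            (endpoint_a, SAMPLE_NEW)):
        print(scanner.scan(sample))
    print("cloud lookups:", cloud.calls)
    print(HybridScanner(CloudReputation({}, online=False)).scan(SAMPLE_MALWARE))
```

Two design points carry the deck's argument. First, a timeout is treated exactly like an outage: a cloud answer that arrives after the budget is useless to a scan that has already had to decide, so the endpoint needs the offline DB either way. Second, "unknown" is deliberately not cached, otherwise a file first seen minutes before the cloud learns about it would stay undetected on every endpoint that shares the cache.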