Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014

Transcript of Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014

Dave Frymier, Vice President and CISO, Unisys

Don’t sweat the small stuff – protect what matters the most.

© 2014 Unisys Corporation. All rights reserved. 2

Two Big Drivers: IT Environment – Consumerization of IT

• New devices are everywhere; employees will use them

– Consumer devices are not generally MS domain aware

• Not just about devices—new services on the Internet tunnel port 80

– gotomyPC, logmein

– Dropbox

• Organizational perimeter crumbling


Threat: Advanced Persistent

• Enters through spam e-mail, bad websites

• “Beacons” back to command and control servers

– Reports in

– Obtains instructions/more malware

• Evades anti-malware software

• Low and slow

• Looks laterally and vertically in network for high value targets

• Can be found through beaconing activity

[Diagram: entry vectors (random spam, spear phishing, bad web site) → departmental infrastructure → enterprise administration (Active Directory) → corporate jewels; botnet and C&C on the outside]
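The last bullet is the one defenders can act on: a beacon that “reports in” on a timer produces contacts whose spacing is far more regular than human browsing. The script below is an added example (not from the talk or from Unisys) that runs this check over a handful of constructed proxy-log lines; the log format, host names and the 20 % jitter threshold are assumptions chosen for the illustration.

```python
"""Triage helper: flag (source, destination) pairs whose contacts recur at
near-constant intervals, the 'beaconing' pattern the slide says gives an APT away."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of web-proxy log lines, format: "<ISO timestamp> <source host> <destination>".
# pc-17 talks to one host roughly every 5 minutes; pc-22 browses irregularly.
SAMPLE_LOG = """\
2014-03-31T09:00:00 pc-17 updates.example-vendor.test
2014-03-31T09:00:02 pc-17 news.example.test
2014-03-31T09:05:01 pc-17 updates.example-vendor.test
2014-03-31T09:07:44 pc-17 mail.example.test
2014-03-31T09:10:00 pc-17 updates.example-vendor.test
2014-03-31T09:15:02 pc-17 updates.example-vendor.test
2014-03-31T09:19:59 pc-17 updates.example-vendor.test
2014-03-31T09:25:00 pc-17 updates.example-vendor.test
2014-03-31T09:30:01 pc-17 updates.example-vendor.test
2014-03-31T09:01:10 pc-22 news.example.test
2014-03-31T09:03:35 pc-22 news.example.test
2014-03-31T09:31:12 pc-22 news.example.test
2014-03-31T09:40:05 pc-22 mail.example.test
2014-03-31T09:41:50 pc-22 news.example.test
2014-03-31T10:12:00 pc-22 news.example.test
2014-03-31T10:13:08 pc-22 news.example.test
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format above."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        contacts[(src, dst)].append(datetime.fromisoformat(stamp))
    return contacts


def find_beacons(text, min_hits=6, max_cv=0.2):
    """Flag pairs with at least min_hits contacts whose inter-arrival times have a
    coefficient of variation (stdev / mean) below max_cv, i.e. a steady heartbeat.
    Returns {(src, dst): {"hits", "mean_interval_s", "cv"}} for flagged pairs only."""
    flagged = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            flagged[pair] = {"hits": len(stamps), "mean_interval_s": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['hits']} hits, every "
              f"{info['mean_interval_s']:.0f}s (cv={info['cv']:.3f})")
```

Only pc-17 → updates.example-vendor.test is flagged (seven hits about 300 s apart). Legitimate update agents beacon too, so in practice the output is a triage list to compare against known-good destinations, not a verdict; lowering max_cv or raising min_hits trades missed slow beacons for fewer false positives.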


Who are the Adversaries?


Security Monitoring Model – SIEM

[Diagram: customer managed security elements and Unisys monitored or managed security elements (security infrastructure; network devices; OS, application and data logs) report through element-specific agents → normalization of element-specific log file data → event database and threat pattern database → event correlation engine; asset inventory and vulnerability scanning (scanner) → assets and vulnerabilities; threat and vulnerability alerting; response and remediation → incidents in a Unisys or customer ticketing system; portal → reporting, dashboard & reports]

Current countermeasures

• Intrusion Detection & Prevention

• Network Firewall & VPN

• Secure Remote Access

• Endpoint Security

• Security Event Monitoring

• Vulnerability Mgmt.

• Threat & Vulnerability Alerting

• Email Scanning

• Web Content Security

• Web Application Security

• Security Incident Management

• Application Security Services

• Network Security Services


SIEM

• It’s mostly after-the-fact

• Protects everything the same way

• Getting more and more expensive—like big data

– Software costs

– Storage of all the log and traffic data/meta data

– Processing

– Network resources to move data from endpoint to SIEM

For advanced adversaries, the traditional approach just isn’t working.

[Image: The New York Times article retrieved from www.nytimes.com]


How is this possible?

• The real world follows the laws of physics—the cyber world follows manmade rules that govern the transfer of data

• We forget how young the Internet is; it grew like a weed—without much change in the underlying protocols

• There are fundamental design flaws

– Anonymity and spoofing

• Standardization cuts both ways

• Software has bugs

This is not going to be fixed quickly.


Edward Snowden

Interview with Guardian readers, June 2013

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”


Perimeter – to compartment

[Diagram: We’re going from this… (a single perimeter) … to this (compartments)]


Risk Analysis

• Perhaps mankind’s oldest security technique

• FIPS-199 – find it on the internet

• Output – list of most important assets and who should have access

• Build a compartmentalized security model based on need-to-know

• Protect and enforce that security model by “hiding” your most important assets so the APT can’t find them
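The slide names the inputs (FIPS-199) and the outputs (a ranked asset list and who needs access) but not the mechanics. As an added example, not part of the talk, the script below rates a constructed inventory on confidentiality, integrity and availability, rolls each asset up with the FIPS-199 high-water mark (the highest of the three ratings), and then groups the high-impact assets into need-to-know compartments. The asset names, ratings and role names are invented for the illustration.

```python
"""Risk analysis in the FIPS-199 style: rate each asset's confidentiality,
integrity and availability impact, roll up to an overall level with the
high-water mark, then list the top assets and who should have access."""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    need_to_know: frozenset  # roles with a business need for this asset

    def overall(self) -> str:
        """FIPS-199 high-water mark: the highest of the three impact ratings."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.__getitem__)


# Constructed inventory for illustration only.
INVENTORY = [
    Asset("Product source code", "high", "high", "moderate",
          frozenset({"engineering", "release-mgmt"})),
    Asset("Customer PII database", "high", "high", "high",
          frozenset({"billing", "dba"})),
    Asset("Cafeteria menu site", "low", "low", "low", frozenset({"everyone"})),
    Asset("HR payroll system", "high", "moderate", "moderate",
          frozenset({"hr", "payroll"})),
    Asset("Intranet wiki", "moderate", "low", "low", frozenset({"everyone"})),
]


def rank_assets(inventory):
    """Assets sorted most critical first; ties broken by name for a stable report."""
    return sorted(inventory, key=lambda a: (-LEVELS[a.overall()], a.name))


def crown_jewels(inventory, level="high"):
    """{asset name: sorted roles} for every asset at the given overall impact level:
    the 'most important assets and who should have access' output of the slide."""
    return {a.name: sorted(a.need_to_know)
            for a in rank_assets(inventory) if a.overall() == level}


def build_compartments(inventory, level="high"):
    """Group jewels that share one need-to-know role set into one compartment
    (community of interest). Key = role set, value = assets inside it."""
    compartments = {}
    for a in inventory:
        if a.overall() == level:
            compartments.setdefault(a.need_to_know, []).append(a.name)
    return {roles: sorted(names) for roles, names in compartments.items()}


def may_access(role, asset):
    """Need-to-know check: a role sees an asset only if it is on the asset's list."""
    return role in asset.need_to_know or "everyone" in asset.need_to_know


if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.overall():8} {a.name:24} -> {', '.join(sorted(a.need_to_know))}")
    for roles, names in build_compartments(INVENTORY).items():
        print("compartment", sorted(roles), "holds", names)
```

Each compartment that comes out of build_compartments is a candidate community of interest for the later slides: a small, named set of roles that should be able to reach a small set of assets, and nobody else.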


Compartmentalized Corporate Jewels (illustrative example only)

[Diagram: compartments ranked by impact (High Business Impact: Corporate Jewels, KMC; Medium Business Impact: Other BU Apps, Business Unit Apps, BUIP, IAM, Messaging, Voice Over IP; Low Business Impact: Web, User, Mobile Gateway, Enterprise Architecture). Endpoints: any PC, Mac, Linux; corporate standard hardened PC. Authentication: any device that can send a username, password and certificate, with additional authentication/authorization as needed.]


Traditional “buffer area” model

• Used to separate corporate network from foreign networks

• Defense-in-depth

• Extending the concept internally is overkill


Security zones

No defense-in-depth, but much more manageable and less expensive


Software defined communities

• Systems and users running common software that implements communities of interest (COI)

– Strong encryption

– Endpoint protection

– Trusted encryption key management

• Manage users and identities, not IP addresses

• Emerging class of products

• Vormetric, Unisys, Koolspan


What is Unisys Stealth™?

[Diagram: OSI stack – 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Link, 1. Physical, NIC; the Stealth shim sits between the network and link layers]

• Software, running on Windows and Linux computers

• FIPS 140-2 AES-256 certified cryptography module

• Provides compartmentalized security by implementing virtual communities of interest (COI) for predetermined endpoint users

• Authenticates and authorizes users based on identity, not network topology

• Because it executes between the network and link protocol layers, it has no effect on applications or existing networks

• Makes systems undiscoverable by attackers

• Supports “clear COI” to allow for incremental integration into existing environments
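Two of these bullets, “identity, not network topology” and “undiscoverable by attackers”, are easiest to understand side by side with the address-based control they replace. The code below is an added toy model of the idea, not Stealth’s protocol or code: membership in a community of interest is proved with an HMAC under a per-COI shared key (standing in for the product’s AES-256 module and key management), the receiving shim hands a packet up only when the proof verifies for a COI it belongs to, and silently drops everything else, whereas an IP allow-list trusts whatever source address the packet carries. The packet fields, COI names, keys and the interpretation of “clear COI” as an unauthenticated pass-through are all assumptions made for the illustration.

```python
"""Toy model of identity-based compartments versus an address-based ACL.
A COI-aware endpoint answers only traffic carrying a valid membership proof and
stays silent otherwise, so it cannot be found by scanning. Not Stealth's protocol."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str     # network-layer address: a sender can write anything here
    identity: str   # who the sender claims to be
    coi: str        # community of interest the sender claims membership in
    payload: bytes
    tag: bytes      # membership proof; b"" for an unauthenticated probe


def make_tag(key: bytes, identity: str, coi: str, payload: bytes) -> bytes:
    """Membership proof: HMAC-SHA256 over the fields under the COI's shared key.
    Only a provisioned member holding the key can produce a valid tag."""
    return hmac.new(key, f"{identity}|{coi}|".encode() + payload, hashlib.sha256).digest()


def send(key: bytes, src_ip: str, identity: str, coi: str, payload: bytes) -> Packet:
    """What a member's shim does on the way out: attach the proof."""
    return Packet(src_ip, identity, coi, payload, make_tag(key, identity, coi, payload))


# Constructed keys, standing in for a trusted key-management service (assumption).
COI_KEYS = {"finance": b"finance-key-constructed", "engineering": b"eng-key-constructed"}


def shim_accept(endpoint_keys: dict, packet: Packet, clear_cois=frozenset()):
    """Receiving side. endpoint_keys holds only the COIs this endpoint is provisioned in.
    Returns the payload to hand up the stack, or None meaning 'drop with no reply'
    (no TCP reset, no ICMP error, so nothing tells a scanner a host is there).
    A 'clear COI' (assumed semantics) is admitted without a proof, for migration."""
    if packet.coi in clear_cois:
        return packet.payload
    key = endpoint_keys.get(packet.coi)
    if key is None:
        return None
    expected = make_tag(key, packet.identity, packet.coi, packet.payload)
    return packet.payload if hmac.compare_digest(expected, packet.tag) else None


def acl_accept(allowed_ips: set, packet: Packet):
    """Topology-based control for comparison: believes the source address as written."""
    return packet.payload if packet.src_ip in allowed_ips else None


# Scenarios (constructed)
FINANCE_SERVER = {"finance": COI_KEYS["finance"]}          # member of finance only
LEGIT = send(COI_KEYS["finance"], "10.1.1.5", "alice", "finance", b"GET /ledger")
PROBE = Packet("10.1.1.5", "", "", b"SYN", b"")             # scan with a trusted address
WRONG_COI = send(COI_KEYS["engineering"], "10.2.2.9", "bob", "finance", b"GET /ledger")
TAMPERED = replace(LEGIT, payload=b"GET /payroll")          # payload changed in transit


if __name__ == "__main__":
    print("legitimate member:", shim_accept(FINANCE_SERVER, LEGIT))
    print("probe via shim:   ", shim_accept(FINANCE_SERVER, PROBE))
    print("probe via ACL:    ", acl_accept({"10.1.1.5"}, PROBE))
    print("wrong COI key:    ", shim_accept(FINANCE_SERVER, WRONG_COI))
    print("tampered payload: ", shim_accept(FINANCE_SERVER, TAMPERED))
```

The contrast to notice is the probe: the ACL admits it because the source address is on the list, while the shim returns None, which is why identity-based compartments remove the spoofing and anonymity problem the earlier slide called a fundamental design flaw. A real deployment would add confidentiality (the page’s AES-256) and replay protection on top of the membership proof; the toy covers membership only.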


Comparison

                          Tiers   Zones   Software Defined
Hides endpoints           Yes     Yes     Yes
Network/LAN changes       Yes     Yes     No
Application changes       No      No      No
Installation disruption   High    High    Low
Ongoing maintenance       High    High    Low
Staff skill               High    High    Low
Cost                      $$$     $$      $


Unisys Stealth Solution – Proactive. Scalable. Consistent.

[Diagram: Stealth for Cloud (Amazon EC2 VMs hosting A and B virtual web, app and DB servers); Stealth Regional Isolation (“Safe” site, corporate site, “Risky” site, Internet); Stealth Secure Remote Access (enterprise, external network, Windows client, SSVT); Stealth Data Center Segmentation (protected app server, protected database server, e-mail server (unprotected), Internet); Stealth for Mobile]


Summing it up

• CoIT and APTs are a fact of life

• Adversaries are extremely sophisticated and capable

• Current tools aren’t working

• The base problems won’t be fixed soon

• Modern encryption, properly implemented, WORKS

• Identify the most important information and who needs access

• Hide this information using compartmentalized need-to-know communities of interest

• Keep BYO and consumer devices away from the COIs

Thank You

David Frymier, Vice President and CISO, Unisys Corporation